2007 Issue 2 - Raytheon
al information systems (MNIS). MNIS are inherent in battle command to ensure the timely exchange of information across all coalition member domains and government agencies. <strong>Raytheon</strong> is doing research with the DoD to identify the issues and potential solutions under a study contract.

With the proliferation of coalition operations and joint operations, the issue of information separation becomes even more challenging. Not only must the information be separated by clearance levels with each country’s security policy, but well-defined information must be shared across multiple countries, where agreements to share are on a bilateral basis. Information releasable to certain countries is not releasable to other coalition partners. This complicated set of access control rules makes the Bell-LaPadula hierarchical security model of “write up, read down” traditionally used in MLS systems look simple. <strong>Raytheon</strong> is currently working to solve this demanding challenge of sharing information in the presence of multiple compartments within single security levels.
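As an added illustration (not from the article), the lattice that results when compartments and per-country releasability are layered on the Bell-LaPadula levels, modelled in Python; the level names, compartment names and country codes are constructed:

```python
from dataclasses import dataclass

# Hierarchical classification levels: the "read down / write up" axis of Bell-LaPadula.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset   # need-to-know compartments the data is marked with
    rel_to: frozenset         # countries the data is releasable to (REL TO caveat)

    def dominates(self, other: "Label") -> bool:
        """self is at least as restrictive as other on every axis: higher-or-equal
        level, a superset of the compartments, and releasable to no more countries
        (a smaller REL TO set is the more restrictive one)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments
                and self.rel_to <= other.rel_to)

def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject reads only objects it dominates (read down)."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject writes only to objects that dominate it (write up), so
    nothing it has seen can flow to a less restrictive object."""
    return obj.dominates(subject)

def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a product must carry when it combines data from
    a and b (max level, union of compartments, intersection of REL TO sets). The
    intersection is what makes bilateral sharing hard: combining two bilaterally
    releasable inputs can yield a product releasable to nobody else."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments, a.rel_to & b.rel_to)

def demo() -> dict:
    """Constructed scenario: a U.S. analyst cleared SECRET for compartment ALPHA."""
    analyst = Label("S", frozenset({"ALPHA"}), frozenset({"USA"}))
    us_gbr = Label("S", frozenset(), frozenset({"USA", "GBR"}))   # REL TO USA, GBR
    gbr_only = Label("S", frozenset(), frozenset({"GBR"}))        # bilateral, not for USA
    return {
        "read_shared": can_read(analyst, us_gbr),        # True
        "read_gbr_only": can_read(analyst, gbr_only),    # False: same level, not releasable
        "write_shared": can_write(analyst, us_gbr),      # False: would widen releasability
    }
```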
Trusted Operating Systems

There are several common approaches when attempting to provide MLS capability. One is to use a trusted operating system that attaches sensitivity labels to all objects within the domain. (Sun’s Trusted Solaris™ is an example of a trusted operating system.) Sensitivity labels identify the security classification and handling restrictions of the object. The sensitivity labels are compared to the user’s security clearance and privileges to determine if access to the object is allowed. These operating systems are proprietary, tend to be very difficult to administer, and are at times extremely cumbersome to use. Because of their size and complexity, they have typically been evaluated only to a medium level of robustness. Due to administrative difficulties, customers often prefer less trustworthy operating systems such as Windows.
Multiple Independent Levels of Security

Another approach being developed to provide MLS capability is called Multiple Independent Levels of Security (MILS). <strong>Raytheon</strong> has been working with the Air Force Research Laboratory Information Directorate, the Cryptographic Modernization Program and the National Security Agency for several years on the foundational components for this high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels of Security (MSLS).

The goal of the MILS program is to establish a viable commercial market for high assurance, standards-based commercial off-the-shelf (COTS) products that can be used to produce NSA-accredited systems. By leveraging COTS products that conform to the DO-178B safety standard, it is anticipated that the wider customer base for these products will result in a lower cost to DoD security customers.
MILS has a layered architecture that enforces an information flow and data isolation security policy. At the bottom layer of the architecture is a small but highly trusted separation kernel. A separation kernel executes on processors such as Pentiums and PowerPCs to provide a virtual machine upon which a variety of COTS operating systems (e.g., Windows, Linux, Solaris, etc.) can be hosted. The separation kernel provides a high robustness reference monitor¹ to enable this separation and to control communication between untrusted applications and data objects at various levels of classification/caveats on a single processor. It also enables trusted applications to execute on the same processor as untrusted applications, while ensuring that the trusted applications will not be compromised or interfered with in any way by the untrusted applications (see Figure 2). Security policy enforcement mediated by the separation kernel is non-bypassable, always invoked and tamper-proof, because it is the only software that runs in privileged mode on the processor. Thus, systems with applications at different security levels/caveats require fewer processing resources.
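As an added example (not the article's or any vendor's code), a Python model of the separation kernel's mediation described above: partitions own disjoint memory, every inter-partition message passes through one checked call, level-based flows are derived only for untrusted partitions, and the trusted guard is reachable solely through explicitly configured channels; the partition names and levels are constructed.

```python
LEVELS = {"U": 0, "S": 2}   # hierarchical levels used by the constructed partitions below

class SeparationKernel:
    """Toy model of a MILS separation kernel. Each partition owns a private memory
    region, and the only way data moves between partitions is send(), which consults
    a static allow-list of channels (default deny) and copies the message."""

    def __init__(self, partitions: dict, trusted: set, extra_channels: set):
        self.partitions = partitions                 # partition name -> level
        self.trusted = set(trusted)                  # trusted (e.g. guard) partitions
        self._mem = {name: [] for name in partitions}  # isolated per-partition memory
        self.audit = []                              # denied flows, for the security officer
        self.channels = self._level_channels() | set(extra_channels)

    def _level_channels(self) -> set:
        """Flows implied by level among UNTRUSTED partitions only: a partition may
        send to one at the same or higher level (write up, never down). Trusted
        partitions get no implicit channels, so untrusted code cannot reach them
        unless a channel is listed explicitly in the configuration."""
        allowed = set()
        for src, s_lvl in self.partitions.items():
            for dst, d_lvl in self.partitions.items():
                if (src != dst and src not in self.trusted and dst not in self.trusted
                        and LEVELS[d_lvl] >= LEVELS[s_lvl]):
                    allowed.add((src, dst))
        return allowed

    def send(self, src: str, dst: str, msg: bytes) -> bool:
        """The single mediation point: partitions hold no reference to each other's
        memory, only to the kernel, so this check cannot be bypassed."""
        if (src, dst) not in self.channels:
            self.audit.append((src, dst))            # record the attempt, deliver nothing
            return False
        self._mem[dst].append((src, bytes(msg)))     # copy in, so no buffer is shared
        return True

    def receive(self, partition: str) -> list:
        """Drain the partition's inbox (only the owning partition would call this)."""
        queue, self._mem[partition] = self._mem[partition], []
        return queue

def build_demo_kernel() -> SeparationKernel:
    """Constructed configuration: two untrusted guest OS partitions at different
    levels and one trusted guard that is the only sanctioned SECRET-to-UNCLASSIFIED path."""
    return SeparationKernel(
        partitions={"windows_s": "S", "linux_u": "U", "guard": "S"},
        trusted={"guard"},
        extra_channels={("windows_s", "guard"), ("guard", "linux_u")},
    )
```

The audit list is the defender's hook: a denied flow is evidence that a partition tried to step outside its policy, which a real kernel would surface to the security officer rather than silently drop.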
The separation kernel’s security requirements are specified in the NSA’s U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, now in its final draft. A separation kernel can be evaluated to a high level of assurance (Evaluation Assurance Level (EAL) 6+), because it is very small — on the order of 4,000 lines of C-language code. Although originally targeted to real-time, embedded systems, the Separation Kernel Protection Profile (SKPP) has been generalized to provide the security requirements for a high assurance virtual machine on which operating systems with medium or no assurance, such as Windows, can execute in separate partitions without degrading the assurance of the overall system.
The Green Hills Software (GHS) Integrity Separation Kernel is available commercially and is currently undergoing evaluation at a high robustness level by a National Information Assurance Partnership (NIAP) accredited Common Criteria Testing Laboratory. It is targeted for embedded and server applications running on PowerPC and Intel® processors. The Integrity Separation Kernel is being used in <strong>Raytheon</strong>’s Space and Airborne Systems NETSecure internal research

Continued on page 10
¹ IAEC 3285, NSA Infosec Design Course, High Robustness Reference Monitors version 3, Michael Dransfield, W. Mark Vanfleet.
<strong>Raytheon</strong> is fielding a product called CHAIN (Compartmented High Assurance Information Network). CHAIN permits the separation of the information by compartments (as the name implies). Until the true MLS system is available, <strong>Raytheon</strong> is fielding CHAIN in multiple systems to separate information from different domains using the compartments enforcement mechanism. There are multiple commercial operating systems that allow this enforcement. To upgrade from compartments to multi-level security, the underlying operating system must meet the functionality and trust discussed in this article.
RAYTHEON TECHNOLOGY TODAY <strong>2007</strong> ISSUE 2 9