Many Levels of Security

GOVERNMENT AND INDUSTRY EXPLORE HIGH-ASSURANCE INFORMATION ARCHITECTURE.
The National Security Agency (NSA) and the Air Force Research Laboratory (AFRL) are working in a joint initiative with software vendors, defense contractors and academia to develop products based on a highly secure information architecture known as Multiple Independent Levels of Security (MILS).
Backers say the high-assurance security architecture, developed for COTS technology in mission-critical aviation and defense applications, offers huge potential benefits for military and intelligence organizations by enabling the secure and safe separation of classified, highly classified and top-secret information.
The MILS initiative is a joint effort among the AFRL Information Directorate; NSA; the Open Systems Joint Task Force within the Office of the Secretary of Defense; COTS software suppliers such as Green Hills Software, LynuxWorks, Objective Interface Systems and Wind River Systems; academia; and defense contractors, including Raytheon, Lockheed Martin, Boeing and Rockwell Collins.
The MILS standard is already slated for incorporation in the F-22A and F-35 air platforms, and is being considered for a number of other weapons systems as well.
With the MILS architecture, it is easy for the first time to create “communities of interest” that are allowed to see particular information on a real-time basis. Data belonging to multiple communities can pass over one wire and be sent only to authorized recipients with strong authentication. Access to that data or the network can be dynamically configured and controlled.
SECURITY BY DESIGN
The need for a new approach to security design arose from the fact that early operating system architectures did not incorporate security as a design requirement, resulting in inevitable failures and security breaches. With the Internet and high-speed communications, information networks are now far more vulnerable to catastrophic failures and deliberate attacks than ever before.
The National Institute of Standards has identified 30 distinct categories of threats to information infrastructures, ranging from operator errors to hacker intrusions to viruses. Such security breaches have the potential to cause catastrophic loss of life, especially in the military and intelligence communities.
Most computer software and operating systems are fundamentally insecure because they were not originally designed with security in mind. They were designed for performance, size or other aspects. Security issues have been managed with a fail first/patch later approach used to plug security holes. Security was added on in the form of patches or fixes.
In addition, the cost of evaluating and certifying security at the highest levels has been prohibitive because the size and complexity of the software code to be evaluated were too large, making the process too slow and expensive for all but the most mission-critical systems. An evaluation might cost over $100 million and take a decade to complete.
For every 1,000 lines of code, 50,000 lines of mathematical proofs were required to certify them as secure at the highest assurance levels. The challenge has been to provide high-assurance security that reduces the duration, schedule risk and cost of designing, evaluating, accrediting and deploying highly secure systems.
In the early 1980s, John Rushby of SRI International developed a foundational concept of a secure systems architecture. His concept, MILS, was a departure from operating system architectures that were designed prior to the Internet, when there was very little risk of network attacks.
The idea behind MILS is to partition a system in such a way that a failure or breach in one area cannot affect any other part of the system or network. In addition, each partition must be able to be evaluated and certified separately. MILS was designed with the idea that a security-critical system should have a few, small core components that could be mathematically proven to be trustworthy.
However, this operating system security concept was before its time. The idea of partitioning would have required more processing power than was available in 1980. More than two decades later, however, the tremendous increase in microprocessor performance has enabled new standards of security.
SEPARATION KERNEL
Soon, operating-system vendors such as Green Hills, LynuxWorks and Wind River got involved. A very low overhead, real-time operating system was needed that could simultaneously support commercial applications and a variety of mission-critical or high-assurance applications. MILS separates security functions into manageable components. Processes are isolated into partitions, which can then be evaluated separately.
MILS is divided into three layers: separation kernel, middleware and applications. The function of the separation kernel is to divide the computer into separate address spaces and scheduling intervals, guarantee the isolation of the partitions and control the communications among them.
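The separation kernel's three jobs described above (private address spaces, fixed scheduling intervals, and communication only over explicitly configured channels) can be sketched as a small simulation. The following is an added illustration written for this article; it is not code from Green Hills, LynuxWorks, Wind River or any MILS product, and the partition names, channel table and schedule are constructed. Note that the kernel, not the caller, decides who the sender of a message is, and that a crashing partition only loses its own time slice.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


class SeparationViolation(Exception):
    """Raised when a partition attempts a flow the static configuration does not authorize."""


@dataclass
class Partition:
    name: str
    step: Optional[Callable[["Kernel", "Partition"], None]] = None
    memory: dict = field(default_factory=dict)   # private address space of this partition
    inbox: list = field(default_factory=list)    # messages delivered over configured channels


class Kernel:
    """Toy separation kernel: fixed schedule, private memory, explicit channels (illustration only)."""

    def __init__(self, partitions, channels, schedule):
        self.parts = {p.name: p for p in partitions}
        self.channels = frozenset(channels)   # (src, dst) pairs fixed at build time
        self.schedule = list(schedule)        # cyclic order of time slices
        self.current = None                   # partition that owns the running time slice
        self.log = []

    def send(self, dst, payload):
        # The kernel, not the caller, names the sender: it is whoever owns the current slice.
        src = self.current
        if (src, dst) not in self.channels:
            raise SeparationViolation(f"{src}->{dst} not configured")
        self.parts[dst].inbox.append((src, payload))

    def run_frame(self):
        """One major frame: every partition gets its slice; a fault in one cannot stop the others."""
        for name in self.schedule:
            part = self.parts[name]
            self.current = name
            try:
                if part.step:
                    part.step(self, part)
                self.log.append((name, "ok"))
            except Exception as exc:            # damage limitation: the fault stays in its slice
                self.log.append((name, f"fault: {exc}"))
        self.current = None
        return self.log


def demo():
    """Constructed three-domain layout: top secret application -> guard -> unclassified application."""
    def ts_step(k, me):
        me.memory["secret"] = "plan-X"                  # lives only in ts_app's address space
        k.send("guard", ("releasable", "status: nominal"))
        try:
            k.send("u_app", me.memory["secret"])        # no ts_app->u_app channel exists
        except SeparationViolation as exc:
            me.memory["denied"] = str(exc)

    def guard_step(k, me):
        while me.inbox:
            _src, (label, body) = me.inbox.pop(0)
            if label == "releasable":                   # the guard's own downgrade rule
                k.send("u_app", body)

    def u_step(k, me):
        me.memory.setdefault("received", []).extend(body for _src, body in me.inbox)
        me.inbox.clear()

    def faulty_step(k, me):
        raise RuntimeError("partition crashed")          # misbehaving partition in its own slice

    kernel = Kernel(
        partitions=[Partition("ts_app", ts_step), Partition("guard", guard_step),
                    Partition("u_app", u_step), Partition("faulty", faulty_step)],
        channels={("ts_app", "guard"), ("guard", "u_app")},
        schedule=["ts_app", "guard", "faulty", "u_app"],
    )
    log = kernel.run_frame()
    return {
        "log": log,
        "received_by_u_app": kernel.parts["u_app"].memory["received"],
        "denied": kernel.parts["ts_app"].memory["denied"],
    }


if __name__ == "__main__":
    print(demo())
```

The unclassified partition only ever sees what the guard chose to forward, the direct top secret to unclassified send is refused because no such channel was configured, and the crashing partition is logged as faulted while the partitions scheduled after it still run.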
“The separation kernel is quite simple in terms of what it is trying to enforce,” stated David Kleidermacher, chief technology officer of Green Hills Software. Because the separation kernel performs only these functions, the source code can be small. “These small pieces of code do only a few things, but they do them extraordinarily well.”
In addition, this makes the code fast and more practical to verify using formal mathematical methods. The separation kernel requires the highest level of assurance and is the only piece of software that runs in privileged mode. Green Hills says its operating system is the first COTS operating system to undergo Common Criteria Evaluation Assurance Level 6+ certification that allows different security domains to run concurrently and coexist on the same processor, guaranteeing the separation of those domains and the security and transfer of sensitive data to the highest level of assurance.
“The most fundamental problem is how to keep information separated, and how you build better capabilities onto this foundation securely. We believe that with the Integrity operating system utilizing the MILS architecture, we have solved one of the world’s most important security problems, if not the key problem, that currently prevents people from building secure computer systems,” stated Kleidermacher.
“Integrity provides the foundational security for systems ranging from Type-1 NSA-certified cryptographic communications devices all the way up to fully functional PC workstations and servers that can run high assurance applications such as guards, and a multi-level secure window manager alongside legacy operating systems such as Windows and Linux, whose execution is securely partitioned from the critical applications by the kernel.”
CROSS-DOMAIN SOLUTION
MILS promises an architecture that can support secure partitioning, commercial or legacy applications, multi-level communication, secure user authentication and trusted path, and secure cross-domain information transfer in a single processor.
“The MILS architecture is a foundational component for a cross-domain solution,” said Jahn Luke, senior program manager, Embedded Information Systems Branch, within the AFRL Information Directorate. The security of MILS is “baked in, not bolted on,” he added.
MILS provides the foundation upon which very complex applications can be run more securely. It is available to anyone who has a need for “high robustness,” which is the highest functional and assurance level, required when multiple levels of classified data and, potentially, unclassified data reside on the same node.
The AFRL and NSA also worked with Objective Interface Systems on MILS middleware, Luke said. The AFRL approached the company to come up with a MILS version of a protection profile for Common Object Request Broker Architecture (CORBA).
But Objective Interface Systems responded with a different approach, according to Joe Jacob, senior vice president for sales and marketing. “You want a core communications piece of middleware that extends the benefits of the separation kernel to an entire network,” he said. “It should not be limited to just one type of middleware.”
Objective Interface Systems developed the partitioning communications system (PCS) in response to this need. PCS provides end-to-end enforcement of the basic MILS separation kernel security policies and extends this secure environment to an enclave of computers. It guarantees the separation, protection and secure transfer of sensitive data to the highest level of assurance.
Several PCS core benefits are especially appealing to the military. For the first time, all the information, no matter what security domain, can coexist on the same distributed system. With the extensive evaluation and certification, data separation is guaranteed.
Secondly, the PCS encrypts data before it is ever put into the custody of a communications stack or protocols. So even if an attacker can gain control over either end of the circuit, the data is still encrypted. The PCS counters these intrusions through strong authentication of the other computer and application before allowing the data to flow. In addition, PCS enforces bandwidth allocations, traffic limitations, message length and timing control, and end-to-end security policy configuration verification.
Third, PCS can communicate with multiple domains and ensure that data will not be mixed and matched unless that is explicitly authorized. It keeps data with multiple security levels and communities of interest separated, making it no longer necessary to have multiple data links to guarantee data separation. These multiple security levels of information can communicate over a single connection. The system architect designs the system with specific authorized information flow restrictions, and it is these restrictions that the middleware layer enforces.
Finally, PCS can guarantee that, should an unauthorized user gain access to the system, the security breach will not cascade into the other parts of the network.
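The four PCS properties listed above (a single shared link carrying several domains, authentication of the peer before data flows, enforcement of message length and bandwidth allocations, and containment of a compromised node) can be modeled with a few checks at the receiving end. The block below is an added illustration, not Objective Interface Systems' PCS or any other product; node names, keys, labels and limits are constructed, and the encryption step the article mentions is left out so the policy checks stay visible. Authentication is modeled with an HMAC over the sender, receiver, label and payload under a per-node secret.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_LEN = 64    # bytes per message (constructed limit)
BUDGET = 100    # bytes per (src, dst) channel per period (constructed limit)


class Pcs:
    """Toy partitioning communications system enforcing the architect's flow policy (illustration only)."""

    def __init__(self, keys, flows):
        self.keys = dict(keys)           # per-node shared secrets, stand-in for real credentials
        self.flows = frozenset(flows)    # (label, src, dst) triples authorized by the system architect
        self.used = defaultdict(int)     # bytes accepted per (src, dst) in the current period
        self.delivered = defaultdict(list)
        self.rejected = []

    @staticmethod
    def _tag(key, src, dst, label, payload):
        msg = b"|".join([src.encode(), dst.encode(), label.encode(), payload])
        return hmac.new(key, msg, hashlib.sha256).digest()

    def send(self, sender_key, src, dst, label, payload):
        """Sender side: build the wire frame; the tag binds the claimed source to the data."""
        return (src, dst, label, payload, self._tag(sender_key, src, dst, label, payload))

    def receive(self, frame):
        """Receiver side: every check must pass before the payload reaches the destination."""
        src, dst, label, payload, tag = frame
        key = self.keys.get(src)
        reason = None
        if (label, src, dst) not in self.flows:
            reason = "flow not authorized"
        elif key is None or not hmac.compare_digest(tag, self._tag(key, src, dst, label, payload)):
            reason = "authentication failed"
        elif len(payload) > MAX_LEN:
            reason = "message too long"
        elif self.used[(src, dst)] + len(payload) > BUDGET:
            reason = "bandwidth budget exceeded"
        if reason:
            self.rejected.append((src, dst, label, reason))
            return False
        self.used[(src, dst)] += len(payload)
        self.delivered[dst].append((label, payload))
        return True

    def new_period(self):
        self.used.clear()


def demo():
    """Constructed scenario: a top secret node, a guard and an unclassified node on one link."""
    keys = {"ts_node": b"ts-secret-example", "guard": b"guard-secret-example",
            "u_node": b"u-secret-example"}
    flows = {("TOP_SECRET", "ts_node", "guard"), ("UNCLASS", "guard", "u_node")}
    pcs = Pcs(keys, flows)
    r = {}
    # 1. authorized flow on the shared link
    r["ts_to_guard"] = pcs.receive(pcs.send(keys["ts_node"], "ts_node", "guard", "TOP_SECRET", b"target list v3"))
    # 2. top secret data addressed straight to the unclassified node: no such flow is configured
    r["ts_to_u"] = pcs.receive(pcs.send(keys["ts_node"], "ts_node", "u_node", "TOP_SECRET", b"target list v3"))
    # 3. a compromised u_node claims to be ts_node on an authorized flow, but lacks ts_node's key
    r["spoof"] = pcs.receive(pcs.send(keys["u_node"], "ts_node", "guard", "TOP_SECRET", b"bogus"))
    # 4. message length limit
    r["oversize"] = pcs.receive(pcs.send(keys["guard"], "guard", "u_node", "UNCLASS", b"x" * 65))
    # 5. bandwidth allocation: three 40-byte messages against a 100-byte budget
    r["budget"] = [pcs.receive(pcs.send(keys["guard"], "guard", "u_node", "UNCLASS", b"y" * 40))
                   for _ in range(3)]
    r["u_node_saw"] = [label for label, _ in pcs.delivered["u_node"]]
    r["reasons"] = [reason for *_, reason in pcs.rejected]
    return r


if __name__ == "__main__":
    print(demo())
```

Only the guard ever receives the top secret payload, the unclassified node sees nothing but UNCLASS-labelled traffic, the spoofed frame fails authentication even though the flow itself is authorized, and the third 40-byte message is dropped once the period's allocation is spent.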
GIG FOUNDATION
MILS is a security foundation on which application developers can then build their application-level security. It is not a total end-to-end security solution. It guarantees separation of partitions unless interaction is explicitly authorized when the system is programmed. Residing in each partition is an application for a security domain that is integrated when the system is built.
As a result, several copies of a Linux operating system can run at once: one in a top secret partition, one in a secret partition, and one in an unclassified partition. PCS guarantees separation in the network but does nothing about what goes on in each partition, so firewalls, guards and application security are still needed. The application-level security becomes a partner with MILS security in creating a highly secure system, but the application developer is still responsible for what goes on within the application.
Security policies are configured for communication between security domains and applications within those domains. While this configuration is initially static, the user can build on top of that a more dynamic system where access to devices and applications can be set up on a real-time basis. The system can be set up to be as fully dynamic or static as desired.
“The best way to set up the network is to give a user the least amount of privilege they need and only give more privilege to authorized entities as they need them,” according to Kleidermacher.
The concept, known as the “principle of least privilege,” is especially important in a battlefield environment.
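The static-then-dynamic configuration described above, combined with the principle of least privilege, amounts to a deny-by-default policy in which the build-time flows never change and any additional privilege is granted only by an authorized entity, only for as long as it is needed. The following is an added illustration of that pattern, not code from any MILS vendor; the subject, resource and manager names are constructed, and time is counted in scheduling frames rather than wall-clock seconds.

```python
class DynamicPolicy:
    """Deny by default: static flows are fixed at build time; extra privilege is granted
    only by an authorized manager and only for a bounded number of frames (illustration only)."""

    def __init__(self, static_flows, managers):
        self.static = frozenset(static_flows)    # baked in when the system is built
        self.managers = frozenset(managers)      # the only entities allowed to grant or revoke
        self.grants = {}                         # (subject, resource) -> frame at which it expires
        self.frame = 0

    def allowed(self, subject, resource):
        if (subject, resource) in self.static:
            return True
        expiry = self.grants.get((subject, resource))
        return expiry is not None and self.frame < expiry

    def grant(self, granter, subject, resource, frames):
        if granter not in self.managers:
            raise PermissionError(f"{granter} is not authorized to grant privilege")
        if frames <= 0:
            raise ValueError("a grant must last at least one frame")
        self.grants[(subject, resource)] = self.frame + frames

    def revoke(self, granter, subject, resource):
        if granter not in self.managers:
            raise PermissionError(f"{granter} is not authorized to revoke privilege")
        self.grants.pop((subject, resource), None)

    def tick(self, frames=1):
        """Advance the clock and drop every grant that has run out."""
        self.frame += frames
        self.grants = {k: v for k, v in self.grants.items() if self.frame < v}


def demo():
    """Constructed scenario: a sensor feeds a fusion partition; a UAV link is opened on demand."""
    policy = DynamicPolicy(static_flows={("sensor", "fusion")}, managers={"mission_cmdr"})
    out = {}
    out["static_flow"] = policy.allowed("sensor", "fusion")        # configured at build time
    out["before_grant"] = policy.allowed("fusion", "uav_link")     # nothing configured, so denied
    policy.grant("mission_cmdr", "fusion", "uav_link", frames=2)
    out["during_grant"] = policy.allowed("fusion", "uav_link")
    policy.tick(2)
    out["after_expiry"] = policy.allowed("fusion", "uav_link")     # privilege lapses on its own
    try:
        policy.grant("fusion", "fusion", "uav_link", frames=5)     # a subject cannot grant itself privilege
        out["self_grant_blocked"] = False
    except PermissionError:
        out["self_grant_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The fusion partition gains the UAV link only while the commander's grant is live, loses it when the grant expires without anyone having to remember to revoke it, and cannot extend its own privilege.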
MILS work has evolved into a cooperative effort between government and industry in an attempt to dramatically increase the scrutiny of security-critical code and create a secure foundation for the Global Information Grid.