
A Multilevel Secure Testbed to Support Coalition Operations

12 December 2005
Cynthia Irvine, PhD
Department of Computer Science
Naval Postgraduate School

Outline

• Technical Problem
• MYSEA Testbed
• Related Work




12 December 2005           2
General Taxonomy of Attacks

Attack Motive       | Attack Strategy     | Attack Resources     | Threat                 | Assurance Required
Political-Military  | Long-Term Planning  | Well Funded          | System Subversion      | Highest
Political-Military  | Mid-Term Planning   | Modest to High Funds | Trojan Horse           | High
Malicious Amusement | Short-Term Planning | Low to Modest        | Flaw Exploitation      | Moderate
Malicious Amusement | Ad Hoc              | Low                  | Interface Exploitation | Low

Trojan Horse vs. Subversion

Trojan Horse
   – Requires victim’s cooperation
        • Adversary cannot choose time of activation
   – Constrained by security controls on the victim
   – Executes in an application

Subversion
   – Does not require a cooperating victim
   – By-passes security controls
   – Usually triggered activation and deactivation
        • Time chosen by adversary
   – May execute within the OS

Trojan Horse: DAC Only System


[Figure, slide 5] Normal Conditions: No Access for Eve. Tim Executes Software with Trojan Horse. The software modifies the ACL on Tim’s Data (UID1 ---, UID2 rw-, ..., UIDn rw-) to add “Eve rw-”. Eve then accesses Tim’s Data and can extract information or modify information.

[Figure, slide 6] Normal Conditions: No Access for Eve. Tim Executes Software with Trojan Horse. The Trojan Horse writes Tim’s Data into Eve’s File; Eve accesses Tim’s Data, which has been put into her file.

Trojan Horse fails in MLS System

[Figure, slide 7] Normal Conditions: No Access for Eve. Tim Executes Software with Trojan Horse. The software modifies the ACL (Eve --- => Eve rw-; possible message to enemy) and Eve attempts to access Tim’s Data. Tim’s Data carries a HIGH Secrecy Mandatory Label and Eve a Low Secrecy Mandatory Label, so the MLS system prevents Eve from reading up.

[Figure, slide 8] Normal Conditions: No Access for Eve. Tim Executes Software with Trojan Horse. The software attempts to write Tim’s Data (HIGH Secrecy Mandatory Label) to Eve’s File (Low Secrecy Mandatory Label); the MLS system prevents Tim from writing down.
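The four figures above, as an added example that is not code from the slides or from the MYSEA project: a small model of a DAC-only system beside an MLS system that adds mandatory secrecy checks, both run against the same Trojan horse behaviour (rewriting the ACL on Tim’s data, and copying Tim’s data into Eve’s file). Tim, Eve and the HIGH/LOW labels come from the figures; the class names, the `run_trojan` driver and the sample file contents are this example’s own constructions.

```python
"""Trojan horse confinement: DAC-only system versus an MLS system.

Added illustration, not code from the slides or the MYSEA project.
Tim, Eve and the HIGH/LOW labels come from the figures; every class and
function name here is this example's own construction.
"""
from dataclasses import dataclass

# Hierarchical secrecy levels: a higher number dominates a lower one.
LEVELS = {"LOW": 0, "HIGH": 1}


@dataclass
class Subject:
    uid: str
    clearance: str          # session (secrecy) level


@dataclass
class Obj:
    name: str
    owner: str
    acl: dict               # uid -> "rw-" / "r--" / "---"
    label: str              # mandatory secrecy label (ignored by DAC-only)
    content: str = ""


class DACSystem:
    """Discretionary access control only: the ACL decides, and the owner
    (or any software running as the owner) may rewrite the ACL."""

    def read(self, s: Subject, o: Obj) -> bool:
        return "r" in o.acl.get(s.uid, "---")

    def write(self, s: Subject, o: Obj) -> bool:
        return "w" in o.acl.get(s.uid, "---")

    def set_acl(self, s: Subject, o: Obj, uid: str, perm: str) -> bool:
        if s.uid != o.owner:
            return False
        o.acl[uid] = perm
        return True


class MLSSystem(DACSystem):
    """DAC plus mandatory Bell-LaPadula checks: no read up (simple security
    property) and no write down (*-property).  ACL changes remain
    discretionary but can never override the mandatory check."""

    def read(self, s: Subject, o: Obj) -> bool:
        return super().read(s, o) and LEVELS[s.clearance] >= LEVELS[o.label]

    def write(self, s: Subject, o: Obj) -> bool:
        return super().write(s, o) and LEVELS[s.clearance] <= LEVELS[o.label]


def run_trojan(system: DACSystem) -> list:
    """Tim runs software containing a Trojan horse.  Returns a list of
    (channel, data) pairs that Eve ends up able to read."""
    tim = Subject("tim", "HIGH")
    eve = Subject("eve", "LOW")
    # Constructed sample objects: normal conditions give Eve no access.
    tims_data = Obj("tims_data", owner="tim",
                    acl={"tim": "rw-", "eve": "---"},
                    label="HIGH", content="SECRET PLAN")
    eves_file = Obj("eves_file", owner="eve",
                    acl={"eve": "rw-", "tim": "rw-"},
                    label="LOW")
    leaked = []

    # Slides 5 and 7: the Trojan horse, running as Tim, grants Eve rw- on
    # Tim's data; Eve then tries to read it.
    system.set_acl(tim, tims_data, "eve", "rw-")
    if system.read(eve, tims_data):
        leaked.append(("acl_change", tims_data.content))

    # Slides 6 and 8: the Trojan horse copies Tim's data into Eve's file,
    # i.e. a HIGH subject writing into a LOW object.
    if system.read(tim, tims_data) and system.write(tim, eves_file):
        eves_file.content = tims_data.content
    if system.read(eve, eves_file) and eves_file.content:
        leaked.append(("write_down", eves_file.content))
    return leaked


if __name__ == "__main__":
    print("DAC only:", run_trojan(DACSystem()))   # both channels leak
    print("MLS     :", run_trojan(MLSSystem()))   # nothing leaks
```

The point the model makes explicit is that the mandatory check is evaluated after the discretionary one and is outside the reach of the subject: the Trojan horse can still rewrite the ACL, but no ACL setting lets a LOW subject read a HIGH object or a HIGH subject write a LOW object.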
Attacks: Means, Motive, Opportunity

• Means
   – Skill in system design and artifice construction
• Motive
   – Clandestine access to critical information
• Opportunity
   – Join development team for target system
   – Modify system design, specifications, or code
   – Insert artifice during distribution, configuration,
     or maintenance

Methods that Work

• To Address Subversion: Limit Opportunity

   – Lifecycle assurance - high assurance
   – Protection via rigorous security engineering
        • No unspecified functionality
        • Use of formal verification techniques
   – When Applied in MLS Context
        • Bound information flow to prevent Trojan Horse
          damage
        • Uses formal models
            – Supports implementation assessment

MYSEA Testbed

MYSEA Testbed Objectives

• Experimentation and Research Framework
   – High Assurance Solutions
   – Distributed Multilevel Functionality
   – Dynamic Security
   – Trusted Authentication
   – Open Architectures and Interfaces
• Currently Supports:
   – MYSEA Research Project
   – Trusted Computing Exemplar Project
   – Dynamic Security Services Project
   – Basic GIG IA Architecture and Security Concepts
• Long Range Applicability
     – Additional GIG IA experiments
     – Other Complex Enterprise Networks


Near-Term Testbed Experiments

• Secure connections to classified networks
• Use COTS and legacy hardware and software components
• Use open standards
• Apply high assurance security technology to legacy elements
• Centralize security management
• Integrate high assurance multilevel security with existing
  sensitive networks
• Manage access to classified networks using high assurance
  trusted communication channel techniques
• Dynamic security services
• Open architectures to incorporate new technologies
• Use XML tags as security markings
• Secure single sign-on across multiple MLS servers
• Server cluster technologies
Testbed Architecture

[Figure: DySe Testbed Architecture. Multilevel Clients With TPE connect to the Multilevel Enclave (TS, S, U). The single-level enclaves, each with its own clients, are the Top Secret Enclave, SIPRNet Enclave, NIPRNet Enclave and Coalition Enclave (Coalition Clients); Trusted Channel Modules (TCM) sit on the links between the Multilevel Enclave and the single-level enclaves. The NIPRNet Enclave reaches the Internet through a Firewall. Links are marked “Encrypted”.]

Testbed Design

[Figure: Testbed Design. Thin Clients With TPE (C + TPE) connect to the MLS Server in the Multilevel Enclave (TS, S, U). Behind TCMs, the server side provides Tarantella Portal Servers (TP), App Servers (AP), C2PC Gateways (CG) and C2PC REPEAT Servers (CR); Encryptors (E) carry traffic to the Coalition Enclave (Coalition Clients), the Secret Enclave (Secret Clients) and the Unclassified Enclave (Unclassified Clients), which connects through a Firewall to the Internet. Links are marked “Encrypted”.]

LEGEND
   AP   App Server
   C    Client
   CG   C2PC Gateway
   CR   C2PC REPEAT Server
   E    Encryptor
   TP   Tarantella Portal Server
   TCM  Trusted Channel Module
   TPE  Trusted Path Extension

Demonstrated MYSEA Features

• Distributed Security Architecture
• Multilevel Policy Enforcement
• Unmodified Commercial Desktop
  Applications
• Trusted Path for Security-Critical Operations
• Reach-back to Single Level Networks
   – Aggregated Information Services
• Dynamic Policy Modulation of Security
  Services
Testbed Components: Secure Server

• True Multilevel Security Policy Enforcement
   – Coherent View: Users at HIGH see Information at LOW
   – Label-based Policy Enforcement
        • Hierarchical and Categories
   – Support for Integrity-Based Separation
        • Isolate cyber-trash from reliable users and programs
   – Flexible Label Management
• Existing Commercial MLS Base
   – Digital Net XTS-400
   – Evaluated at Class B3 under TCSEC (aka “Orange
     Book”)
   – Currently Under Evaluation under Common Criteria
   – Support for Certification and Accreditation Goals
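The label-based policy enforcement described on this slide (hierarchical levels plus categories, and integrity-based separation), as an added example that is not code from the MYSEA project or the XTS-400. It goes slightly beyond the slide by carrying the secrecy dominance test through to the read and write rules and by pairing it with a strict Biba integrity rule; the level names, category names and sample labels are constructed for illustration.

```python
"""Label-based policy enforcement with hierarchical levels, categories and
an integrity axis.  Added illustration, not code from the MYSEA project or
the XTS-400; the level, category and label names below are constructed.
"""
from dataclasses import dataclass

# Hierarchical secrecy levels and (constructed) integrity levels.
SECRECY = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    secrecy: str
    categories: frozenset    # non-hierarchical compartments, e.g. {"NATO"}
    integrity: str


def dominates(a: Label, b: Label) -> bool:
    """Secrecy lattice: a dominates b iff a's level is at least b's and a's
    category set contains b's.  Two labels may be incomparable."""
    return (SECRECY[a.secrecy] >= SECRECY[b.secrecy]
            and a.categories >= b.categories)


def may_read(subject: Label, obj: Label) -> bool:
    # Secrecy: no read up.  Integrity (strict Biba, chosen here for
    # illustration): no read down, so reliable users and programs never
    # consume lower-integrity "cyber-trash".
    return (dominates(subject, obj)
            and INTEGRITY[subject.integrity] <= INTEGRITY[obj.integrity])


def may_write(subject: Label, obj: Label) -> bool:
    # Secrecy: no write down.  Integrity: no write up, so a low-integrity
    # subject cannot contaminate a higher-integrity object.
    return (dominates(obj, subject)
            and INTEGRITY[obj.integrity] <= INTEGRITY[subject.integrity])


# Constructed sample labels.
ANALYST = Label("SECRET", frozenset({"NATO"}), "USER")
UNCLASS_DOC = Label("UNCLASSIFIED", frozenset(), "USER")
NATO_CRYPTO_DOC = Label("SECRET", frozenset({"NATO", "CRYPTO"}), "USER")
TS_NATO_DOC = Label("TOP SECRET", frozenset({"NATO"}), "USER")
DOWNLOADED_FILE = Label("UNCLASSIFIED", frozenset(), "UNTRUSTED")
UNTRUSTED_PROGRAM = Label("UNCLASSIFIED", frozenset(), "UNTRUSTED")


def decisions() -> dict:
    """Access decisions for the sample labels, keyed by a short description."""
    return {
        "read UNCLASSIFIED doc (HIGH sees LOW)": may_read(ANALYST, UNCLASS_DOC),
        "read SECRET {NATO,CRYPTO} (missing category)": may_read(ANALYST, NATO_CRYPTO_DOC),
        "write TOP SECRET {NATO} (write up)": may_write(ANALYST, TS_NATO_DOC),
        "write UNCLASSIFIED doc (write down)": may_write(ANALYST, UNCLASS_DOC),
        "read untrusted download (integrity read down)": may_read(ANALYST, DOWNLOADED_FILE),
        "untrusted program writes user doc (integrity write up)": may_write(UNTRUSTED_PROGRAM, UNCLASS_DOC),
        "untrusted program writes untrusted file": may_write(UNTRUSTED_PROGRAM, DOWNLOADED_FILE),
    }


if __name__ == "__main__":
    for case, allowed in decisions().items():
        print("ALLOW" if allowed else "DENY ", case)
```

The category check is what makes the lattice more than a line: a SECRET {NATO} user is denied a SECRET {NATO, CRYPTO} document even though the hierarchical level matches, and the two integrity rules run in the opposite direction from the secrecy rules, which is how the slide’s “isolate cyber-trash from reliable users and programs” falls out of the same dominance test.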

Server Network Enhancements

• Multilevel “inetd”
• Distributed High Assurance Authentication on MLS
  LAN
   – Trusted Path Services at Server
   – Distributed TCB to Client Locations
        • Trusted Path Extensions (TPE) at Clients
   – Controls TPE Activities
• Secure Session Services
   – Launch Applications at Correct Session Level
• Dynamic Security Services
   – Policy Management Initiator
• Dedicated and Multiplexed Connections to Single
  Level Networks
Server Application Enhancements

• Ports of Popular Applications
   – All Made “Multilevel Aware”
   – HTTP: Apache-like Web Server
        • Base – standard Apache – minor modifications
        • WebDAV under development
   – SMTP: Sendmail
   – IMAP: University of Washington
   – NFS: User-level port
   – Secure Shell: OpenSSH (Single Level Only)
• Remote Client-Side Applications Support
High Assurance Trusted Path/Channel

• Trusted Path Extension Device
   – Ensure Communication with Trusted Server
   – Based on EAL7 Trusted Computing Exemplar (TCX)
     Separation Kernel
• Remote Security Operations
   – Log-on, Session Level Negotiation, etc.
• Server Supports Session Suspension and
  Resumption
• Trusted Channel Module
   – Ensure Proper Security Level Assigned To Information
     From Legacy Networks
• Dynamic Security Services Responders
Commodity-Based Client

• Meet User Requirements
   – Web Browsing
   – Mail
   – Document Production
• Stateless To Address Object Reuse Requirements
   –   Depot-level Configuration to Start Up in Useful State
   –   Volatile Memory Only
   –   Store State at Server at Appropriate Session Level
   –   Working Prototypes:
        • Knoppix Linux
        • Windows XP Embedded

Web Portal Services

• Allow Reach-Back to Single Level Legacy Networks via
  Web Browser
• Part of MYSEA’s Stateless Client Strategy
• Tarantella/enView product suite
    – Allow Clients to Access Web-based Applications On Different
      Platforms (Windows, Linux, Unix)
    – Present Integrated Portal View To Users
• Support GCCS
    – Command and Control Personal Computer System (C2PC)




Testbed Phase I

[Figure: Testbed Phase I. Same layout as the Testbed Design figure: Thin Clients With TPE (C + TPE) connect to the MLS Server in the Multilevel Enclave (TS, S, U); Tarantella Portal Servers (TP), App Servers (AP), C2PC Gateways (CG) and C2PC REPEAT Servers (CR) sit behind the server, and Encryptors (E) carry traffic to the Coalition Enclave (Coalition Clients), the Secret Enclave (Secret Clients) and the Unclassified Enclave (Unclassified Clients), which connects through a Firewall to the Internet. The Phase I figure and its legend omit the Trusted Channel Modules (TCM). Links are marked “Encrypted”.]

LEGEND
   AP   App Server
   C    Client
   CG   C2PC Gateway
   CR   C2PC REPEAT Server
   E    Encryptor
   TP   Tarantella Portal Server
   TPE  Trusted Path Extension

Phase I Configuration (1 of 2)

• Hardware: 35 components
   – MLS Server, Handheld TPEs, Desktops,
     Laptops, VPN Appliances, Network Switches,
     TACLANE Encryptors
• Operating Systems: Heterogeneous
   – Trusted OS: DigitalNet STOP
   – COTS OS: RedHat Linux, Microsoft Windows
     2000 server, Microsoft Windows XP, Microsoft
     Windows XP Embedded, OpenBSD, Knoppix
     Linux and Familiar Project Linux
Phase I Configuration (2 of 2)

• Custom MYSEA Trusted Software
    – Trusted Path Service, Secure Session Management
• Linux Applications:
    – PostgreSQL, Apache web server, Edge Technologies enPortal,
      Tarantella Enterprise 3, imapd and sendmail
• Windows Applications:
    – Microsoft Terminal Services, Microsoft Office, Microsoft Project,
      Internet Explorer, C2PC Gateway, C2PC Client, REPEAT 2004–
      RepeatWinXR and Creative WebCam PROeX




Trusted Path Extension (TPE)
• Reference application for the TCX project
• Operational Environment - MYSEA MLS LAN
• Architecture will use separation
    – Untrusted and Trusted processes




TPE Form Factor

• PDA-like device
• Isolation from COTS processor
• Trusted Path functions control I/O to user
   – Device Screen
   – Device Keyboard
• Secure Attention Key design is simpler
• Encryption is on TPE
• Alternative: examine complex interactions
  between TPE and COTS system
   – Strong isolation is required for assurance

Project Synergies

•     Trusted Computing Exemplar
•     Separation Kernel Protection Profile
•     SecureCore
•     RCSec
•     CyberCIEGE




Questions and Contacts




Cynthia Irvine, Ph.D.
Center for Information Systems Security Studies and Research
Computer Science Department
Naval Postgraduate School, Monterey, CA 93943

irvine@nps.edu, 831 656-2461



