View
1
Download
0
Category
Preview:
Citation preview
© 2001 Objective Interface Systems, Inc.
MILS Middleware:High Assurance Security
forReal-time, Distributed Systems
MILS Middleware:High Assurance Security
forReal-time, Distributed Systems
Bill Beckwithbill.beckwith@ois.com
Objective Interface Systems, Inc.13873 Park Center Road, Suite 360
Herndon, VA 20171-3247703/295-6500 (voice)
703/295-6501 (fax)http://www.ois.com/
info@ois.com
© 2003 Objective Interface Systems, Inc. 2
AgendaAgenda
IntroductionSponsorsObjectiveReal-time Security ChallengeDistributed Security Requirements
Partitioned Communications SystemReal-time MILS CORBAMILS Middleware Realization
© 2001 Objective Interface Systems, Inc.
IntroductionIntroduction
© 2003 Objective Interface Systems, Inc. 4
SponsorsSponsors
Sponsors for PKPP and RT CORBA PP effortWright-Patterson AFB (WSSTS Project)Air Force – F22 and JSF (via LM Ft. Worth)Objective Interface
© 2003 Objective Interface Systems, Inc. 5
ObjectiveObjective
An applications and communications infrastructure that provides:
Safety high correctness(does what it is supposed to do)
Security high integrity(… and nothing else!)
High performance low latency/high bandwidthFault resilience high reliabilityReal-time high predictabilityStandards-based high independence
© 2003 Objective Interface Systems, Inc. 6
Real-time Security Challenge Requires New ThinkingReal-time Security Challenge Requires New Thinking
Old approaches to security don’t work for real-timeMonolithic security kernels
Too largeToo slowUnpredictableDon’t support inherent distribution of embedded systemsCan’t get above EAL 4 (medium assurance)
CORBA SecurityWeak trust modelToo largeToo slowUnpredictableCan’t get above EAL 4 (medium assurance)
New thinking requiredMILS: Multiple Independent Levels of Security
© 2003 Objective Interface Systems, Inc. 7
Distributed Security RequirementsDistributed Security Requirements
Rely upon partitioning kernel to enforce middleware security policies on a given node
Information FlowData IsolationPeriods ProcessingDamage Limitation
Application specific security requirementsmust not creep down into the middleware (or kernel)ensure the system remains supportable and evaluatable
Optimal inter-partition communicationMinimizing added latency (first byte)Minimizing bandwidth reduction (per byte)
Fault resilienceNo single point of failure
© 2003 Objective Interface Systems, Inc. 8
Distributed SystemDistributed System
Distributed object communicationPartition Local – same address space, same machineMachine Local – different address space, same machineRemote – different address space, on a different machine
RACEway
VME
ATM1394
TCP/IP
MulticastSharedMemory
Rapid IO
© 2003 Objective Interface Systems, Inc. 9
Inter-object CommunicationInter-object Communication
Unrestricted information flow between objects creates a significant security concernThree types of inter-object communication
Intra-partition: between objects in same partitionleft to application
Inter-partition: between objects in partitions on the same nodeNode = one CPU or tightly coupled group of CPUsUnencrypted communicationMiddleware controls
Inter-partition: between objects in partitions on different nodesEncrypted communicationMiddleware controls
© 2003 Objective Interface Systems, Inc. 10
Secure Communications FrameworkSecure Communications Framework
Security concerns include:The correct processes occur within an application
e.g., the correct waveform and applications are instantiatedInter-object messages flow between the correct objects
Information flow security policy“Trusted” objects are capable of instantiating and tearing down applicationsPermissions enforced on read, write, & execution of filesBoots correctly with integrity
Implementation dependentAre all of the puzzle pieces present and correct?Is my piece of the puzzle correct?
Audit records are understandableImplementation dependent
Audit record protected from unauthorized changes or reading
© 2003 Objective Interface Systems, Inc. 11
Why CORBA Security Is Not UsedWhy CORBA Security Is Not Used
Can’t accommodate MLSProvides a overly wide trust model
Commercially available CORBA security implementations place CORBASEC within the ORB and applicationORBs reside within the application components’ process spacesSecurity mechanisms can be modified by other software objects within process space (e.g. application)Security mechanisms can be bypassedSecurity becomes an application option
CORBA Security servicesMore of a collection of security APIs than a security architecture
CORBASEC implementations too large to evaluateNon-security issues related to message latencyNot appropriate for medium or high assurance systems
© 2003 Objective Interface Systems, Inc. 12
Layer ResponsibilitiesLayer Responsibilities
MILS Partitioning Kernel Functionality
Time and Space PartitioningData IsolationInter-partition CommunicationPeriods ProcessingMinimum Interrupt ServicingSemaphoresTimersInstrumentation
MILS Middleware Functionality
RTOS ServicesDevice DriversCORBAFile System…
Partitioned Communication System
Inter-processor Communication
© 2001 Objective Interface Systems, Inc.
Partitioned Communication
System
Partitioned Communication
System
© 2003 Objective Interface Systems, Inc. 14
PCS:Partitioned Communication SystemPCS:Partitioned Communication System
Partitioned Communication SystemA portion of MILS MiddlewareResponsible for all communication between MILS nodes
PurposeExtend the protected environment of MILS kernel to multiple nodes
Similar philosophy to MILS Partitioning KernelMinimalist:
Only that functionality needed to enforce end-to-end versions of policies
End-to-end Information FlowEnd-to-end Data IsolationEnd-to-end Periods ProcessingEnd-to-end Damage Limitation
Designed for EAL level 7 evaluation
© 2003 Objective Interface Systems, Inc. 15
PCS Objective – What?PCS Objective – What?
Just like MILS:Enable the Application Layer Entities to
Enforce, Manage, and Control their own
Application Level Security Policies in such a manner that the Application Level Security Policies are
Non-Bypassable, Evaluatable,Always-Invoked, andTamper-proof.
Desire is an architecture that allows the Security Kernel and PCS to share the RESPONSIBILITY of Security with the Application.
Extended:To all inter-partition communication within a group of MILS nodes (enclave)
© 2003 Objective Interface Systems, Inc. 16
PCS RequirementsPCS Requirements
PCS must provideStrong identity of nodes within enclaveSeparation of Levels
Need cryptographic separationSeparation of Communities of Interest
Need cryptographic separationBandwidth Provisioning & Partitioning Secure Configuration of all Nodes in Enclave
Federated informationDistributed (compared) vs. Centralized (signed)
Secure Clock SynchronizationSecure Loading
Signed partition imagesPCS must eliminate
Covert channelsNetwork resources (bandwidth, hardware resources, buffers, …)
© 2003 Objective Interface Systems, Inc. 17
MILS PCS Security Policy Application ExampleMILS PCS Security Policy Application Example
PCS Provides:End-to-end Information FlowEnd-to-end Data IsolationEnd-to-end Periods ProcessingEnd-to-end Damage Limitation
D1
D2
D3
BSRV
RPM
E1
E2
E3
RS BV
BPM
Red Data Black Data
Policy Enforcement Independent of Node Boundaries
© 2003 Objective Interface Systems, Inc. 18
S,TS
(MLS)
TS
(MSL)
S
(MSL)
RTCORBA
PCS
High Assurance MILS ArchitectureHigh Assurance MILS Architecture
Processor
User M
ode
...
Application Partitions
RTCORBA
PCS
RTCORBA
PCS
RTOS Micro Kernel (MILS)
Supervisor ModeMMU, Inter-Partition
CommunicationsInterrupts
MILS - Multiple IndependentLevels of Security
MSL - Multi Single LevelMLS - Multi Level Secure
© 2003 Objective Interface Systems, Inc. 19
Confines Malicious CodeConfines Malicious Code
With MILS Partitioning Kernel Architecture we knowWhere inputs came from for each objectWhere outputs are going for each objectData for each object remains private
Impossible to TEST security system for all possible user applicationsIn addition to testing, high-assurance communication system requires
Rigorous design methodsProven software engineering process methodsRigorous use of mathematics
© 2001 Objective Interface Systems, Inc.
Real-time MILS CORBA
Real-time MILS CORBA
© 2003 Objective Interface Systems, Inc. 21
Real-Time MILS CORBAReal-Time MILS CORBA
Real-time CORBA can take advantage of PCS capabilitiesReal-time CORBA + PCS = Real-time MILS CORBAAdditional application-level security policies are enforceable because of MILS PK and PCS foundation
Real-time MILS CORBA represents a single enabling application infrastructureCan address the following key cross-cutting system requirements:
High-assurance, MILS-based distributed security(with high-integrity support required for safety critical systems)Real-time(fixed priority as well as dynamically scheduled)High performance distributed object communications(low latency, high bandwidth)
© 2003 Objective Interface Systems, Inc. 22
Security Policies for RT CORBASecurity Policies for RT CORBA
Unauthorized Discloser of Data - > Information FlowCritical tasks not bypassed
Compromise/Corruption of Sensitive Data->Data IsolationData segments not read or corrupted by unauthorized entities
Covert Storage Channels - > Periods ProcessingORB is not a covert storage channel on separate messages
Presence of Unevaluated Code - > Damage LimitationUnevaluated code will not compromise processing or data
© 2003 Objective Interface Systems, Inc. 23
Threat ExamplesThreat Examples
T.CONFIG_CORRUPTA malicious or faulty subject may attempt to modify or corrupt configuration data used by the ORB to enforce information flow policy by accessing the contents of an ORB.A malicious or faulty subject may attempt to bypass the information flow policy enforced by an ORB by using configuration data that, while valid, differs from that being used by another ORB.
T.DOSA malicious or faulty subject may attempt to block other subjects from sending or receiving communications by exhausting or monopolizing shared resources or the resources of another ORB.
© 2001 Objective Interface Systems, Inc.
MILS Middleware Realization
MILS Middleware Realization
© 2003 Objective Interface Systems, Inc. 25
MILS PartneringMILS Partnering
Objective Interface is partnered withBoeingLockheed-MartinMITRENational Security AgencyRockwell CollinsU. S. Air ForceUniversity of Idaho
To integrateSeveral MILS security partitioning kernels withA Real-time CORBA middleware implementation, ORBexpress RT
© 2003 Objective Interface Systems, Inc. 26
Business DependenciesBusiness Dependencies
Success depends onStrong business and technical commitment by RTOS vendors
So far so greatCustomer need
There’s a difference between wanting security and buying securityPerformance, size, and predictability are keyEase of use is essential
Logistics of standards groupsReconciliation of business and technical perspectives
SecureApplications
Secure CommunicationsInfrastructure (PCS & RTCORBA)
Secure RTOS (PK)
© 2003 Objective Interface Systems, Inc. 27
MILS ImplementorsMILS Implementors
Hardware Based KernelAAMP7 Rockwell-Collins
Software Based KernelIntegrity-178 Green Hills SoftwareLynuxOS LynuxWorksVxWorks AE Wind River Systems
MiddlewareORBexpress Objective Interface
© 2003 Objective Interface Systems, Inc. 28
SummarySummary
MILS =High-assuranceMulti-levelEvaluatableDistributed
PCS provides distribution for MILS RTOSesDoD needs multi-level systems for the war-fighterPartitioning kernel provides the lowest risk, quickest development time to provide high-assurance MILS systemsMILS + PCS + Real-time CORBA =
A secure deployment platform for distributed, real-time applications
Recommended