© 2001 Objective Interface Systems, Inc.

Common Expressions/Languagesfor

Protection Profiles

Common Expressions/Languagesfor

Protection Profiles

Bill Beckwithbill.beckwith@ois.com

Objective Interface Systems, Inc.13873 Park Center Road, Suite 360

Herndon, VA 20171-3247703/295-6500 (voice)703/295-6501 (fax)

http://www.ois.com/info@ois.com

© 2003 Objective Interface Systems, Inc. 2

AgendaAgenda

Objectives Background on Common Criteria Objectives Arena for Common Expression MILS Example

© 2003 Objective Interface Systems, Inc. 3

Background on Common CriteriaBackground on Common Criteria

Common Criteria Used as the basis for evaluation of security properties of IT Permit comparability between independent security evaluations By providing a common set of requirements for the security functions And for assurance measures applied to them during a security

evaluation Evaluation process establishes a level of confidence Target audience: consumers, developers, evaluators, et al

Protection Profile An implementation-independent set of security requirements

For a category of TOEs That meet specific consumer needs

A warning to standards authors: PPs have no APIs, no wire formats, …

© 2003 Objective Interface Systems, Inc. 4

EAL: Evaluated Assurance LevelEAL: Evaluated Assurance Level

EAL 1 = functionally tested EAL 2 = structurally tested EAL 3 = methodically tested and checked EAL 4 = methodically designed, tested, and reviewed

analysis of security functions informal model of security policy & independent testing vulnerability analysis for low attack potential attackers

EAL 5 = semiformally designed and tested semiformal functional spec & HL design + semiformal correspondence covert channel analysis vulnerability analysis for moderate attack potential attackers

EAL 6 = semiformally verified design and tested structured development process & more structured architecture vulnerability analysis for high attack potential attackers structured presentation + semiformal LL design systematic covert channel analysis more comprehensive vulnerability analysis improved CM and development environment controls

EAL 7 = formally verified design and tested formal functional spec and HL design + formal correspondence comprehensive testing

© 2003 Objective Interface Systems, Inc. 5

ObjectivesObjectives

Reduce time-to-understand new PPs Develop and leverage common knowledge

Improve consistency of PPs Common definitions Common approach Common creation and vetting process

Ease creation of high quality PPs Template Reference example

Assure composition of components Facilitate layering of PPs Facilitate specification of layered security architectures Facilitate evaluation of layered security architecture implementations

© 2003 Objective Interface Systems, Inc. 6

Arena for Common ExpressionArena for Common Expression

© 2001 Objective Interface Systems, Inc.

MILS Security:Example Architecture

© 2003 Objective Interface Systems, Inc. 8

Security Evolution Fail-first Patch-later (cont.)

Security Evolution Fail-first Patch-later (cont.)

Questions:

How many PC anti-virus programs can detect or repair handle malicious device drivers?

None!

What can an Active-X web download do to your PC?

Anything!

© 2003 Objective Interface Systems, Inc. 9

PrivilegeMode

Processing

NetworkData

Wild Creatures of the Net, Worms, Virus, . . .

Foundational ThreatsFoundational Threats

BufferOverflow

?

© 2003 Objective Interface Systems, Inc. 10

PrivilegeMode

Processing

NetworkData

Under MILS Network Data and Privilege Mode Processing is Separated

Paradigm Shift

Foundational Threats(That MILS Protects Against)

Foundational Threats(That MILS Protects Against)

© 2001 Objective Interface Systems, Inc.

MILSMILS

MultipleIndependentLevels ofSecurity

© 2003 Objective Interface Systems, Inc. 12

The Whole Point of MILSThe Whole Point of MILS

Really simple:

Dramatically reduce the amount of security critical code

Dramatically increase the scrutiny of security critical code

© 2003 Objective Interface Systems, Inc. 13

MILS ObjectiveMILS Objective

Enable the Application Layer Entities to Enforce, Manage, and Control

Application Level Security Policies

where the Application Level Security Policies are Non-Bypassable, Evaluatable, Always-Invoked, and Tamper-proof.

An architecture that allows the Security Kernel to share the RESPONSIBILITY of Security with the Application.

© 2003 Objective Interface Systems, Inc. 14

Required Characteristics ofMILS Reference MonitorsRequired Characteristics ofMILS Reference Monitors

Partitioning Kernel & trusted Middleware must be:

Non-bypassable Security functions cannot be circumvented

Evaluatable Security functions are small enough and simple enough for

mathematically verification

Always Invoked Security functions are invoked each and every time

Tamperproof Subversive code cannot alter the security functions

By exhausting resources, over-running buffers, or other ways of making the security software fail

© 2003 Objective Interface Systems, Inc. 15

MILS ArchitectureMILS Architecture

Three distinct layers (John Rushby, PhD) Partitioning Kernel must

Separate process spaces (partitions) Provide secure transfer of control between partitions

MILS Middleware provides Application component creation Secure inter-object message flow e.g., ORB, device driver, file system

Applications provide Application specific security functions e.g., firewalls, crypto services

© 2003 Objective Interface Systems, Inc. 16

CSCI(Main Program)Monolithic Applications

Partitioning Kernel

Middleware

Orange Book vs.MILS ArchitectureOrange Book vs.MILS Architecture

Kernel

Privilege Mode

Monolithic KernelInformation FlowPeriods Processing

MathematicalVerification

UserMode

Device drivers

Auditing

File systems

MA

C

DA

C

Network I/OFault Isolation

Data isolation

© 2003 Objective Interface Systems, Inc. 17

MILS:Like a JVM for All ApplicationsMILS:Like a JVM for All Applications

The Java Virtual Machine contains Internet Java

To a confined set of operations In each JVM

Result: Potential for damage is limited

The MILS architecture contains All executable code

To a confined set of operations In each partition

Result: Potential for damage is bounded + Information flow is bounded

ApplicationandData

MILS Partition

© 2003 Objective Interface Systems, Inc. 18

MILS Network Security Policy ExampleMILS Network Security Policy Example

MILS provides End-to-End:

D1

D2

D3

BSRV

RPM

E1

E2

E3

RS BV

BPM

Red Data Black Data

Information Flow Data Isolation Periods Processing Damage Limitation

CPU & NetworkRegistersSwitches, DMA, …

Policy Enforcement Independent of Node Boundaries

System

© 2003 Objective Interface Systems, Inc. 19

Partitioning Kernel:Just a Start …Partitioning Kernel:Just a Start …

Partitioning Kernel provides Secure foundation for secure middleware

Secure Middleware provides Most of traditional O/S capabilities

File system Device drivers (not in the kernel, not special privileges) Etc.

Secure intersystem communication (PCS) Secure foundation for building secure applications

Secure Applications can Be built! Be trusted to enforce application-level security policies!!!

© 2003 Objective Interface Systems, Inc. 20

Layer ResponsibilitiesLayer Responsibilities

MILS Partitioning Kernel Functionality

Time and Space Partitioning Data Isolation Inter-partition Communication Periods Processing Minimum Interrupt Servicing Semaphores Timers Instrumentation

MILS Middleware Functionality

RTOS Services Display Drivers Keyboard Drivers File System

Partitioned Communication System Inter-processor Communication

Traditional Middleware Real-time CORBA Data Distribution Services Web Services

And nothing else!