© 2001 objective interface systems, inc. common expressions/languages for protection profiles bill...
TRANSCRIPT
© 2001 Objective Interface Systems, Inc.
Common Expressions/Languagesfor
Protection Profiles
Common Expressions/Languagesfor
Protection Profiles
Bill [email protected]
Objective Interface Systems, Inc.13873 Park Center Road, Suite 360
Herndon, VA 20171-3247703/295-6500 (voice)703/295-6501 (fax)
http://www.ois.com/[email protected]
© 2003 Objective Interface Systems, Inc. 2
AgendaAgenda
Objectives Background on Common Criteria Objectives Arena for Common Expression MILS Example
© 2003 Objective Interface Systems, Inc. 3
Background on Common CriteriaBackground on Common Criteria
Common Criteria Used as the basis for evaluation of security properties of IT Permit comparability between independent security evaluations By providing a common set of requirements for the security functions And for assurance measures applied to them during a security
evaluation Evaluation process establishes a level of confidence Target audience: consumers, developers, evaluators, et al
Protection Profile An implementation-independent set of security requirements
For a category of TOEs That meet specific consumer needs
A warning to standards authors: PPs have no APIs, no wire formats, …
© 2003 Objective Interface Systems, Inc. 4
EAL: Evaluated Assurance LevelEAL: Evaluated Assurance Level
EAL 1 = functionally tested EAL 2 = structurally tested EAL 3 = methodically tested and checked EAL 4 = methodically designed, tested, and reviewed
analysis of security functions informal model of security policy & independent testing vulnerability analysis for low attack potential attackers
EAL 5 = semiformally designed and tested semiformal functional spec & HL design + semiformal correspondence covert channel analysis vulnerability analysis for moderate attack potential attackers
EAL 6 = semiformally verified design and tested structured development process & more structured architecture vulnerability analysis for high attack potential attackers structured presentation + semiformal LL design systematic covert channel analysis more comprehensive vulnerability analysis improved CM and development environment controls
EAL 7 = formally verified design and tested formal functional spec and HL design + formal correspondence comprehensive testing
© 2003 Objective Interface Systems, Inc. 5
ObjectivesObjectives
Reduce time-to-understand new PPs Develop and leverage common knowledge
Improve consistency of PPs Common definitions Common approach Common creation and vetting process
Ease creation of high quality PPs Template Reference example
Assure composition of components Facilitate layering of PPs Facilitate specification of layered security architectures Facilitate evaluation of layered security architecture implementations
© 2003 Objective Interface Systems, Inc. 6
Arena for Common ExpressionArena for Common Expression
© 2001 Objective Interface Systems, Inc.
MILS Security:Example Architecture
© 2003 Objective Interface Systems, Inc. 8
Security Evolution Fail-first Patch-later (cont.)
Security Evolution Fail-first Patch-later (cont.)
Questions:
How many PC anti-virus programs can detect or repair handle malicious device drivers?
None!
What can an Active-X web download do to your PC?
Anything!
© 2003 Objective Interface Systems, Inc. 9
PrivilegeMode
Processing
NetworkData
Wild Creatures of the Net, Worms, Virus, . . .
Foundational ThreatsFoundational Threats
BufferOverflow
?
© 2003 Objective Interface Systems, Inc. 10
PrivilegeMode
Processing
NetworkData
Under MILS Network Data and Privilege Mode Processing is Separated
Paradigm Shift
Foundational Threats(That MILS Protects Against)
Foundational Threats(That MILS Protects Against)
© 2001 Objective Interface Systems, Inc.
MILSMILS
MultipleIndependentLevels ofSecurity
© 2003 Objective Interface Systems, Inc. 12
The Whole Point of MILSThe Whole Point of MILS
Really simple:
Dramatically reduce the amount of security critical code
Dramatically increase the scrutiny of security critical code
© 2003 Objective Interface Systems, Inc. 13
MILS ObjectiveMILS Objective
Enable the Application Layer Entities to Enforce, Manage, and Control
Application Level Security Policies
where the Application Level Security Policies are Non-Bypassable, Evaluatable, Always-Invoked, and Tamper-proof.
An architecture that allows the Security Kernel to share the RESPONSIBILITY of Security with the Application.
© 2003 Objective Interface Systems, Inc. 14
Required Characteristics ofMILS Reference MonitorsRequired Characteristics ofMILS Reference Monitors
Partitioning Kernel & trusted Middleware must be:
Non-bypassable Security functions cannot be circumvented
Evaluatable Security functions are small enough and simple enough for
mathematically verification
Always Invoked Security functions are invoked each and every time
Tamperproof Subversive code cannot alter the security functions
By exhausting resources, over-running buffers, or other ways of making the security software fail
© 2003 Objective Interface Systems, Inc. 15
MILS ArchitectureMILS Architecture
Three distinct layers (John Rushby, PhD) Partitioning Kernel must
Separate process spaces (partitions) Provide secure transfer of control between partitions
MILS Middleware provides Application component creation Secure inter-object message flow e.g., ORB, device driver, file system
Applications provide Application specific security functions e.g., firewalls, crypto services
© 2003 Objective Interface Systems, Inc. 16
CSCI(Main Program)Monolithic Applications
Partitioning Kernel
Middleware
Orange Book vs.MILS ArchitectureOrange Book vs.MILS Architecture
Kernel
Privilege Mode
Monolithic KernelInformation FlowPeriods Processing
MathematicalVerification
UserMode
Device drivers
Auditing
File systems
MA
C
DA
C
Network I/OFault Isolation
Data isolation
© 2003 Objective Interface Systems, Inc. 17
MILS:Like a JVM for All ApplicationsMILS:Like a JVM for All Applications
The Java Virtual Machine contains Internet Java
To a confined set of operations In each JVM
Result: Potential for damage is limited
The MILS architecture contains All executable code
To a confined set of operations In each partition
Result: Potential for damage is bounded + Information flow is bounded
ApplicationandData
MILS Partition
© 2003 Objective Interface Systems, Inc. 18
MILS Network Security Policy ExampleMILS Network Security Policy Example
MILS provides End-to-End:
D1
D2
D3
BSRV
RPM
E1
E2
E3
RS BV
BPM
Red Data Black Data
Information Flow Data Isolation Periods Processing Damage Limitation
CPU & NetworkRegistersSwitches, DMA, …
Policy Enforcement Independent of Node Boundaries
System
© 2003 Objective Interface Systems, Inc. 19
Partitioning Kernel:Just a Start …Partitioning Kernel:Just a Start …
Partitioning Kernel provides Secure foundation for secure middleware
Secure Middleware provides Most of traditional O/S capabilities
File system Device drivers (not in the kernel, not special privileges) Etc.
Secure intersystem communication (PCS) Secure foundation for building secure applications
Secure Applications can Be built! Be trusted to enforce application-level security policies!!!
© 2003 Objective Interface Systems, Inc. 20
Layer ResponsibilitiesLayer Responsibilities
MILS Partitioning Kernel Functionality
Time and Space Partitioning Data Isolation Inter-partition Communication Periods Processing Minimum Interrupt Servicing Semaphores Timers Instrumentation
MILS Middleware Functionality
RTOS Services Display Drivers Keyboard Drivers File System
Partitioned Communication System Inter-processor Communication
Traditional Middleware Real-time CORBA Data Distribution Services Web Services
And nothing else!