Multilevel Security - Naval Postgraduate School


A Multilevel Secure Testbed to Support Coalition Operations

12 December 2005

Cynthia Irvine, PhD
Department of Computer Science
Naval Postgraduate School


Outline

- Technical Problem
- MYSEA Testbed
- Related Work


General Taxonomy of Attacks

Attack Motive        | Attack Strategy     | Attack Resources     | Threat                 | Assurance Required
---------------------|---------------------|----------------------|------------------------|-------------------
Political-Military   | Long-Term Planning  | Well Funded          | System Subversion      | Highest
Political-Military   | Mid-Term Planning   | Modest to High Funds | Trojan Horse           | High
Malicious Amusement  | Short-Term Planning | Low to Modest        | Flaw Exploitation      | Moderate
Malicious Amusement  | Ad Hoc              | Low                  | Interface Exploitation | Low


Trojan Horse vs. Subversion

Trojan Horse
- Requires victim’s cooperation
- Adversary cannot choose time of activation
- Constrained by security controls on the victim
- Executes in an application

Subversion
- Does not require a cooperating victim
- Bypasses security controls
- Usually triggered activation and deactivation
- Time chosen by adversary
- May execute within the OS


Trojan Horse: DAC Only System

[Figure: Tim’s Data, protected by an ACL (UID1 ---, UID2 rw-, ..., UIDn rw-).]

Normal Conditions: No Access for Eve
Tim Executes Software with Trojan Horse
Software Modifies ACL: Eve rw-
Eve Accesses Tim’s Data
- extract information
- modify information


Trojan Horse: DAC Only System

[Figure: Tim’s Data with its ACL (UID1 ---, UID2 rw-, ..., UIDn rw-), and Eve’s File.]

Normal Conditions: No Access for Eve
Tim Executes Software with Trojan Horse
Trojan Horse writes Tim’s Data into Eve’s File.
Eve accesses Tim’s Data, which has been put into her file


Trojan Horse fails in MLS System

[Figure: Tim’s Data with its ACL (UID1 ---, UID2 rw-, ..., UIDn rw-) carries a HIGH Secrecy Mandatory Label; Eve carries a Low Secrecy Mandatory Label.]

Normal Conditions: No Access for Eve
Tim Executes Software with Trojan Horse
Software Modifies ACL: Eve --- => Eve rw- (Possible message to Enemy)
Eve attempts to access Tim’s Data: X
MLS system prevents Eve from reading up


Trojan Horse fails in MLS System

[Figure: Tim’s Data carries a HIGH Secrecy Mandatory Label; Eve’s File carries a Low Secrecy Mandatory Label.]

Normal Conditions: No Access for Eve
Tim Executes Software with Trojan Horse
Software attempts to write Tim’s data to Eve’s file: X
MLS system prevents Tim from writing down
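The four preceding slides show the same Trojan horse twice: on a DAC-only system it leaks Tim’s data either by editing the ACL or by copying the data into Eve’s file, and on an MLS system both routes are stopped by the mandatory labels. The Python model below is an added example, not code from the slides or from MYSEA; the two-level lattice, the subject and object names, and the ACL string format are constructed for illustration. It implements the two label checks (no read up, no write down) inside a reference monitor that the Trojan horse, running with Tim’s identity and at Tim’s session level, has no way to turn off.

```python
"""Toy reference monitor replaying the slides' Trojan horse on a DAC-only
system and on an MLS system. Added example, not code from the slides or MYSEA;
the names, the two-level lattice and the ACL string format are constructed."""
from dataclasses import dataclass, field

LOW, HIGH = 0, 1  # constructed two-level secrecy lattice: HIGH dominates LOW


@dataclass
class Obj:
    name: str
    owner: str
    level: int                                  # mandatory secrecy label
    acl: dict = field(default_factory=dict)     # discretionary: uid -> "rw" | "r-" | "--"
    content: str = ""


@dataclass
class Subject:
    uid: str
    level: int                                  # session level the subject runs at


class Denied(Exception):
    pass


class Monitor:
    """Mediates every access. With mls=False only the ACL is consulted (DAC-only).
    With mls=True the label rules are checked as well; no user-level action,
    including anything the Trojan horse does, can change that."""

    def __init__(self, mls: bool):
        self.mls = mls

    def _dac(self, s, o, mode):
        return s.uid == o.owner or mode in o.acl.get(s.uid, "--")

    def _mac(self, s, o, mode):
        if not self.mls:
            return True
        if mode == "r":
            return s.level >= o.level           # simple security: no read up
        return s.level <= o.level               # *-property: no write down

    def read(self, s, o):
        if not (self._dac(s, o, "r") and self._mac(s, o, "r")):
            raise Denied(f"{s.uid} read {o.name}")
        return o.content

    def write(self, s, o, data):
        if not (self._dac(s, o, "w") and self._mac(s, o, "w")):
            raise Denied(f"{s.uid} write {o.name}")
        o.content = data

    def set_acl(self, s, o, uid, mode):
        # Editing the ACL is itself discretionary: anything running as the owner
        # may do it. The mandatory label is not changeable by this route.
        if s.uid != o.owner:
            raise Denied(f"{s.uid} chmod {o.name}")
        o.acl[uid] = mode


def run_trojan(mls: bool) -> dict:
    """Replay both slide scenarios and report whether Eve obtains Tim's data."""
    m = Monitor(mls)
    tim, eve = Subject("tim", HIGH), Subject("eve", LOW)
    tims_data = Obj("Tim's Data", "tim", HIGH, {"uid1": "--", "uid2": "rw"}, "secret plans")
    eves_file = Obj("Eve's File", "eve", LOW, {"tim": "rw"})   # Eve lets Tim write here

    # Tim runs software carrying a Trojan horse: it executes with Tim's identity
    # and at Tim's session level, so it may do anything Tim may do.
    trojan = tim

    # Slides 5 / 7: the Trojan horse grants Eve access through the ACL, then Eve reads.
    m.set_acl(trojan, tims_data, "eve", "rw")   # succeeds on both systems
    try:
        acl_leak = m.read(eve, tims_data) == "secret plans"
    except Denied:
        acl_leak = False                        # MLS: Eve may not read up

    # Slides 6 / 8: the Trojan horse copies Tim's data into Eve's LOW file.
    try:
        m.write(trojan, eves_file, m.read(trojan, tims_data))
        copy_leak = m.read(eve, eves_file) == "secret plans"
    except Denied:
        copy_leak = False                       # MLS: Tim's process may not write down

    # Reading down is never blocked: the HIGH user still sees LOW information.
    try:
        m.read(tim, eves_file)
        reads_down = True
    except Denied:
        reads_down = False

    return {"acl_attack_leaked": acl_leak,
            "copy_attack_leaked": copy_leak,
            "tim_reads_down": reads_down}


if __name__ == "__main__":
    print("DAC only:", run_trojan(mls=False))
    print("MLS     :", run_trojan(mls=True))
```

Run with mls=False to reproduce the two DAC-only slides and with mls=True for the two MLS slides. On the MLS system the ACL edit itself still succeeds, which is what the slide flags as a possible message to the enemy: the label checks bound the flow of Tim’s data, not every signal a Trojan horse can emit, and tim_reads_down stays true on both systems because MLS only forbids reading up and writing down.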


Attacks: Means, Motive, Opportunity

- Means
  - Skill in system design and artifice construction
- Motive
  - Clandestine access to critical information
- Opportunity
  - Join development team for target system
  - Modify system design, specifications, or code
  - Insert artifice during distribution, configuration, or maintenance


Methods that Work

- To Address Subversion: Limit Opportunity
  - Lifecycle assurance - high assurance
  - Protection via rigorous security engineering
  - No unspecified functionality
  - Use of formal verification techniques
- When Applied in MLS Context
  - Bound information flow to prevent Trojan Horse damage
  - Uses formal models
  - Supports implementation assessment

MYSEA Testbed



MYSEA Testbed Objectives

- Experimentation and Research Framework
  - High Assurance Solutions
  - Distributed Multilevel Functionality
  - Dynamic Security
  - Trusted Authentication
  - Open Architectures and Interfaces
- Currently Support:
  - MYSEA Research Project
  - Trusted Computing Exemplar Project
  - Dynamic Security Services Project
  - Basic GIG IA Architecture and Security Concepts
- Long Range Applicability
  - Additional GIG IA experiments
  - Other Complex Enterprise Networks


Near-Term Testbed Experiments

- Secure connections to classified networks
- Use COTS and legacy hardware and software components
- Use open standards
- Apply high assurance security technology to legacy elements
- Centralize security management
- Integrate high assurance multilevel security with existing sensitive networks
- Manage access to classified networks using high assurance trusted communication channel techniques
- Dynamic security services
- Open architectures to incorporate new technologies
- Use XML tags as security markings
- Secure single sign-on across multiple MLS servers
- Server cluster technologies


Testbed Architecture

[Figure: DySe Testbed Architecture. Labels in the figure: Top Secret Clients, Top Secret Enclave, SIPRNet Clients, SIPRNet Enclave, NIPRNet Clients, NIPRNet Enclave, Coalition Clients, Coalition Enclave, Multilevel Enclave (TS, S, U), Multilevel Clients With TPE, three TCMs, Firewall, Internet, Encrypted.]

Testbed Design

[Figure: Testbed Design. Enclaves shown: Coalition Enclave with Coalition Clients, Unclassified Enclave with Unclassified Clients, Secret Enclave with Secret Clients, the Internet behind a Firewall, and the Multilevel Enclave holding the MLS Server (TS, S, U) and Thin Clients With TPE. Component tags in the figure: TP, AP, CR, CG, TCM, E, C, TPE; some links are marked Encrypted.]

LEGEND
CR   C2PC REPEAT Server
AP   App Server
C    Client
CG   C2PC Gateway
E    Encryptor
TP   Tarantella Portal Server
TCM  Trusted Channel Module
TPE  Trusted Path Extension

Demonstrated MYSEA Features

- Distributed Security Architecture
- Multilevel Policy Enforcement
- Unmodified Commercial Desktop Applications
- Trusted Path for Security-Critical Operations
- Reach-back to Single Level Networks
- Aggregated Information Services
- Dynamic Policy Modulation of Security Services


Testbed Components: Secure Server

- True Multilevel Security Policy Enforcement
  - Coherent View: Users at HIGH see Information at LOW
- Label-based Policy Enforcement
  - Hierarchical and Categories
- Support for Integrity-Based Separation
  - Isolate cyber-trash from reliable users and programs
- Flexible Label Management
- Existing Commercial MLS Base
  - Digital Net XTS-400
  - Evaluated at Class B3 under TCSEC (aka “Orange Book”)
  - Currently Under Evaluation under Common Criteria
- Support for Certification and Accreditation Goals
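The server’s label-based policy combines a hierarchical level with a set of non-hierarchical categories, and a HIGH user’s coherent view of LOW information follows from the dominance relation between labels; the Near-Term Testbed Experiments slide also lists using XML tags as security markings. The Python code below is an added example, not MYSEA’s marking format or code: the level names, the LEVEL//CATEGORY,CATEGORY marking syntax, the records element with its marking attribute, and the sample records are all constructed. It parses markings into labels, defines dominance on the resulting lattice, and computes which records a session may read (simple security property) and which it may write (*-property).

```python
"""Label lattice with hierarchical levels and categories, applied to XML-marked
records. Added example; the marking syntax, element names and sample data are
constructed and are not MYSEA's."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}   # constructed hierarchy


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    @classmethod
    def parse(cls, text: str) -> "Label":
        # Constructed marking syntax: "SECRET//COALITION,NATO" -> level + categories.
        level, _, cats = text.partition("//")
        level = level.strip()
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        return cls(level, frozenset(c.strip() for c in cats.split(",") if c.strip()))


# Constructed sample document: each record carries its marking as an attribute.
SAMPLE_XML = """<records>
  <record id="1" marking="UNCLASSIFIED">weather report</record>
  <record id="2" marking="SECRET">force disposition</record>
  <record id="3" marking="SECRET//COALITION">shared tasking</record>
  <record id="4" marking="TOP_SECRET//COALITION,NATO">liaison notes</record>
  <record id="5" marking="SECRET//NATO">nato channel</record>
</records>"""


def readable(session_marking: str, xml_text: str) -> list:
    """Coherent view: ids of records a session at session_marking may read.
    Simple security property: the session label must dominate the record label."""
    session = Label.parse(session_marking)
    return [rec.get("id") for rec in ET.fromstring(xml_text).iter("record")
            if session.dominates(Label.parse(rec.get("marking")))]


def writable(session_marking: str, xml_text: str) -> list:
    """*-property: a session may write only to records whose label dominates it,
    so nothing flows from a higher or differently-categorised session downward."""
    session = Label.parse(session_marking)
    return [rec.get("id") for rec in ET.fromstring(xml_text).iter("record")
            if Label.parse(rec.get("marking")).dominates(session)]


def relation(a: str, b: str) -> str:
    """Where marking a sits relative to marking b in the lattice."""
    x, y = Label.parse(a), Label.parse(b)
    if x == y:
        return "equal"
    if x.dominates(y):
        return "dominates"
    if y.dominates(x):
        return "dominated by"
    return "incomparable"


if __name__ == "__main__":
    for marking in ("UNCLASSIFIED", "SECRET", "SECRET//COALITION", "TOP_SECRET//COALITION,NATO"):
        print(f"{marking:28} reads {readable(marking, SAMPLE_XML)} "
              f"writes {writable(marking, SAMPLE_XML)}")
    print(relation("SECRET//COALITION", "SECRET//NATO"))
```

Categories make the order partial: a SECRET//COALITION session and a SECRET//NATO record are incomparable, so the session can neither read nor write that record, while a SECRET session with no categories reads both SECRET and UNCLASSIFIED records (the coherent view) but may write only into records at SECRET or above.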


Server Network Enhancements

- Multilevel “inetd”
- Distributed High Assurance Authentication on MLS LAN
- Trusted Path Services at Server
  - Distributed TCB to Client Locations
  - Trusted Path Extensions (TPE) at Clients
  - Controls TPE Activities
- Secure Session Services
  - Launch Applications at Corrected Session Level
- Dynamic Security Services
  - Policy Management Initiator
- Dedicated and Multiplexed Connections to Single Level Networks


Server Application Enhancements

- Ports of Popular Applications
  - All Made “Multilevel Aware”
- HTTP: Apache-like Web Server
  - Base: standard Apache
  - minor modifications
  - WebDAV under development
- SMTP: Sendmail
- IMAP: University of Washington
- NFS: User-level port
- Secure Shell: OpenSSH (Single Level Only)
- Remote Client-Side Applications Support


High Assurance Trusted Path/Channel

- Trusted Path Extension Device
  - Ensure Communication with Trusted Server
  - Based on EAL7 Trusted Computing Exemplar (TCX) Separation Kernel
  - Remote Security Operations
    - Log-on, Session Level Negotiation, etc.
  - Server Supports Session Suspension and Resumption
- Trusted Channel Module
  - Ensure Proper Security Level Assigned To Information From Legacy Networks
  - Dynamic Security Services Responders


Commodity-Based Client

- Meet User Requirements
  - Web Browsing
  - Mail
  - Document Production
- Stateless To Address Object Reuse Requirements
  - Depot-level Configuration to Start Up in Useful State
  - Volatile Memory Only
  - Store State at Server at Appropriate Session Level
- Working Prototypes:
  - Knoppix Linux
  - Windows XP Embedded


Web Portal Services

- Allow Reach-Back to Single Level Legacy Networks via Web Browser
  - Part of MYSEA’s Stateless Client Strategy
- Tarantella/enView product suite
  - Allow Clients to Access Web-based Applications On Different Platforms (Windows, Linux, Unix)
  - Present Integrated Portal View To Users
- Support GCCS
  - Command and Control Personal Computer System (C2PC)



Testbed Phase I

[Figure: Testbed Phase I. Same layout as the Testbed Design figure (Coalition, Unclassified and Secret Enclaves with their Clients, the Internet behind a Firewall, and the Multilevel Enclave with the MLS Server (TS, S, U) and Thin Clients With TPE); the Phase I legend lists no Trusted Channel Module.]

LEGEND
CR   C2PC REPEAT Server
AP   App Server
C    Client
CG   C2PC Gateway
E    Encryptor
TP   Tarantella Portal Server
TPE  Trusted Path Extension

Phase I Configuration (1 of 2)

- Hardware: 35 components
  - MLS Server, Handheld TPEs, Desktops, Laptops, VPN Appliances, Network Switches, TACLANE Encryptors
- Operating Systems: Heterogeneous
  - Trusted OS: DigitalNet STOP
  - COTS OS: RedHat Linux, Microsoft Windows 2000 server, Microsoft Windows XP, Microsoft Windows XP Embedded, OpenBSD, Knoppix Linux and Familiar Project Linux



Phase I Configuration (2 of 2)

- Custom MYSEA Trusted Software
  - Trusted Path Service, Secure Session Management
- Linux Applications:
  - PostgreSQL, Apache web server, Edge Technologies enPortal, Tarantella Enterprise 3, imapd and sendmail
- Windows Applications:
  - Microsoft Terminal Services, Microsoft Office, Microsoft Project, Internet Explorer, C2PC Gateway, C2PC Client, REPEAT 2004 RepeatWinXR and Creative WebCam PROeX


Trusted Path Extension (TPE)

- Reference application for the TCX project
- Operational Environment - MYSEA MLS LAN
- Architecture will use separation
  - Untrusted and Trusted processes


TPE Form Factor

- PDA-like device
- Isolation from COTS processor
- Trusted Path functions control I/O to user
  - Device Screen
  - Device Keyboard
- Secure Attention Key design is simpler
- Encryption is on TPE
- Alternative: examine complex interactions between TPE and COTS system
  - Strong isolation is required for assurance


Project Synergies

- Trusted Computing Exemplar
- Separation Kernel Protection Profile
- SecureCore
- RCSec
- CyberCIEGE


Questions and Contacts

Cynthia Irvine, Ph.D.
Center for Information Systems Security Studies and Research
Computer Science Department
Naval Postgraduate School, Monterey, CA 93943
irvine@nps.edu, 831 656-2461