© 2002-2004 Objective Interface Systems, Inc.

A Partitioning Communication

System for the MILS Architecture

A Partitioning A Partitioning Communication Communication

System for the MILS System for the MILS ArchitectureArchitecture

OMG Real-time WorkshopJuly 2004

Jeff ChiltonObjective Interface Systems

Herndon, Virginia

© 2002-2004 Objective Interface Systems, Inc. 22

Project Funding SourcesProject Funding Sources

! US Air Force! Lockheed Martin! Objective Interface

© 2002-2004 Objective Interface Systems, Inc. 33

AgendaAgenda

! Security & Embedded Systems! Where a PCS fits in MILS! How Did We Get Here?! What the PCS is not! What the PCS is Similar to! The PCS & Real-Time! The PCS’s Environment! PCS Security Functions! “Challenges”

© 2002-2004 Objective Interface Systems, Inc. 44

Security & Embedded SystemsSecurity & Embedded Systems

! Australian Water Utility" Vitek Boden, 48, April 23rd, 2000, Queensland, Australia

# disgruntled ex-employee of equipment supplier# Vehicle became command center for sewage treatment# Controlled 300 SCADA water and sewage nodes# “was the central control system” during intrusions# Released millions of liters of sewage# Killed marine life, blackened creek water, bad stench

" Caught on 46th attempt# Was angling for a consulting job to “fix” the problems he caused

! Result of embedded systems without security

© 2002-2004 Objective Interface Systems, Inc. 55

MILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureU

ser Mode

S,TS

(MLS)

TS

(MSL)

S

(MSL)

MiddlewareOS Services

. . .

Application Partitions

MiddlewareOS Services

MiddlewareOS Services

Processor

RTOS Micro Kernel (MILS)Supervisor ModeMMU, Inter-Partition

Communications,Interrupts

TS

(MSL)MLS

DisplayDriverMLSKBDDriver

MiddlewareOS Services

© 2002-2004 Objective Interface Systems, Inc. 66

Where a PCS fits in MILSWhere a PCS fits in MILS

! The PCS is communications middleware for MILS! Always interposed in inter-node communications! Might be in some inter-partition comms. Too! Parallels Separation Kernel’s policies

© 2002-2004 Objective Interface Systems, Inc. 77

InterInter--node Communicationnode Communication

A

B

PCS

D

C

PCS F

© 2002-2004 Objective Interface Systems, Inc. 88

Basic Security PoliciesBasic Security Policies

! The PCS projects the Separation Kernel’s security policies throughout a distributed system" Information Flow" Data Isolation" Periods Processing" Damage Limitation

© 2002-2004 Objective Interface Systems, Inc. 99

Partitioning the ChannelPartitioning the Channel

A

E

C

F

D

B

© 2002-2004 Objective Interface Systems, Inc. 1010

Properties of ChannelsProperties of Channels

! Known or predictable capacity and latency! Reliability delivery, message integrity! Confidentiality protection! Observability protection

© 2002-2004 Objective Interface Systems, Inc. 1111

How Did We Get Here?How Did We Get Here?

! Started with CORBA for MILS! Conducted a threat collecting exercise! Presented multiple partitioning architectures! Problems with ORB-in-a-partition! Some parts must be in same partition as client! What’s left is a PCS

© 2002-2004 Objective Interface Systems, Inc. 1212

Where to Make the Cut?Where to Make the Cut?

Generated CORBAStubs/Skeletons

Application Client/Server

ORB Core

Threading Mgt.

Network TransportInterface

© 2002-2004 Objective Interface Systems, Inc. 1313

What the PCS is notWhat the PCS is not

! Not a Guard or Application Firewall" Doesn’t examine message content" Can’t enforce security policies delegated to the application

layer

© 2002-2004 Objective Interface Systems, Inc. 1414

What the PCS is Similar toWhat the PCS is Similar to

! Some functionality in common with Kang and Moskowitz’s “Pump” (1993)" “…to provide quantifiable security, acceptable reliability, and

minimal performance penalties by interposing a device (called the Pump) to push messages to the high system and provide a controlled stream of acknowledgements to the low system.”

© 2002-2004 Objective Interface Systems, Inc. 1515

The PCS & RealThe PCS & Real--TimeTime

! Real-Time and Anything…! One-way information flow policy means:

" No acknowledgements allowed;" Blind up-writing is unreliable... Unless;" We’re sure the receiving end will keep up.

© 2002-2004 Objective Interface Systems, Inc. 1616

The PCS’s EnvironmentThe PCS’s Environment

! Policies" P.DATA_ISOLATION" P.INFO_FLOW

! Threats" T.COVERT_COMM" T.EAVESDROP" T.MASQUERADE

! Assumptions" A.PARTIONING_KERNEL" A.REAL-TIME_KERNEL

© 2002-2004 Objective Interface Systems, Inc. 1717

PCS Security FunctionsPCS Security Functions

! Information Flow Policy enforcement! Channel capacity (bandwidth) management! End-point authentication! Message encryption (optional)

" For confidentiality on the wire" For down-grading ahead of a less-trustworthy device driver

! Traffic padding (optional)

© 2002-2004 Objective Interface Systems, Inc. 1818

More on Information Flows…More on Information Flows…

! “Crosstalk” – disallowed comm. between subjects! Subject to external entity! External entity to subject

© 2002-2004 Objective Interface Systems, Inc. 1919

Finally, CORBA AgainFinally, CORBA Again

! MILS" Implementation location as configuration" Result of rigorous analysis

! CORBA" Implementation location transparency" Focus is on flexibility

© 2002-2004 Objective Interface Systems, Inc. 2020

“Challenges”“Challenges”

! Synchronization of distributed configuration info.! Crypto key management! Interaction with kernel’s time-partitioning! Composition from assured components

© 2002-2004 Objective Interface Systems, Inc. 2121

Contact InformationContact Information

Objective Interface Systems, Inc

www.ois.com

+1 703 295 6500

Jeff.chilton@ois.com