MILS and a path towards Distributed MILS

1 © 2013 D-MILS Project

Whirlwind Tour of MILS

MILS is a component-based approach to secure systems design and implementation that encourages a marketplace of general-purpose COTS components

MILS can be understood as a two phase approach:

Design a Policy Architecture

• Abstract architecture diagram represented by “boxes and arrows”

• Operational components and architecture achieve system purpose

• Assumes architecture (components and connectors) strictly enforced

Implement on a robust resource-sharing platform

• MILS foundational components share physical resources, creating strongly separated “exported resources”

• Individually developed and assured according to protection profiles

• Compose “additively” to form a distributed trusted sharing substrate, the MILS Platform

Provides compositional approach to construction, assurance, and system certification

© 2013 D-MILS Project 2

MILS Policy Architecture

C2

C4 C1

C3

C5

Circles represent

architectural

components

(subjects /

objects)

Arrows represent

interactions

Suitability of the architecture for some purpose

presumes that the architect’s assumptions are met

in the implementation of the architecture diagram.

C6

The absence of an

arrow is as significant

as the presence of one

This component

has no interaction

with any other

Components are

assumed to perform

the functions specified

by the architect

(trusted

components enforce

a local policy)

The architecture

expresses an

interaction policy

among a collection

of components

Trusted

Subject

© 2013 D-MILS Project 3

Assumptions Implicit in the Architecture Represent Two Primitive Policies

C2 C1

1. Isolation

Only explicitly permitted

causality, data flow, or interference,

is permitted. The architecture

permits this flow. Only C1 or C2

can cause the flow, C3 can not. The

flow is directional and intransitive.

These components /

connections have

no interaction with

each other

C2 C1

2. Information

Flow Control

C3

© 2013 D-MILS Project 4

The MILS Platform: Resource-Sharing Components

Exported

Resources

Additive

Composition

additive compositionality – e.g., Partitioning Kernel Partitioning Net

= Partitioning (Kernel + Net) MP = MILS Platform + D-MILS includes limited versions of Net(work) and Con(sole)

* D-MILS does not include MILS FS, EA and Aud components

SW HW

SW MP

SW HW

SW HW

SK Net+ Con+ FS*

EA* Aud*

SW HW

SW MP

D-MILS Distributed MILS node

© 2013 D-MILS Project 5

MILS Platform – Provides Straightforward Realization of Policy Architecture

Architecture

Realization

SK, with other MILS

foundational components,

form the MILS Platform

allowing operational

components to share

physical resources while

enforcing Isolation and

Information Flow Control

Validity of the architecture

assumes that the only

interactions of the circles

(operational components)

is through the arrows

depicted in the diagram

R 1

R 2

R 3

R 5

R 4

MILS Platform

© 2013 D-MILS Project 6

A Policy Architecture with Isolated Subsystems

R 1

R 2

MILS Platform

R 3

R 5

R 4

Q 2

Q 5 R 3 Q1

R 4

© 2013 D-MILS Project 7

Isolated Subsystems in Distinct “Operational” Planes

MILS Platform

Q 2

Q 5

R 4

R 1

R 2

R 3 R 5

R 4

Q 2

Q 5 R 3 Q1

R 4

MILS Platform OPERATIONAL PLANE

R 1

R 2

R 3

R 4

R 5

MILS Platform OPERATIONAL PLANE Q1 R 3

© 2013 D-MILS Project 8

MILS Foundational, Operational, Monitoring, and Configuration Planes

P 1

P 2

Separation Kernel

P 3

P 5

P 4

Configuration Data

Configuration Data

Configuration Data

CO

NF

IGU

RA

TIO

N P

LA

NE

FOUNDATIONAL PLANE

OPERATIONAL PLANE

MONITORING PLANE

MFS MNS

MEA

MCS

PERFORMANCE DEBUG

HEALTH

RESOURCE

MILS Platform

MILS Platform

© 2013 D-MILS Project 9

MILS System Assurance Case Structure

Compose assurance cases using Assume-Guarantee Reasoning

MILS System assurance requires the validity of three sub-cases

Assumptions from MILS System assurance case become obligations on the sub-cases

MILS

System

Claims

Sub-case

Sub-case

Sub-case

Policy Architecture

Environment

MILS System High-Level

Assurance Argument

MP

Claims

P A

Claims

Policy Architecture

Assurance Argument

MILS Platform

Assurance Argument

Env

Claims

Environment

Assurance Argument

Assume Guarantee Guarantee Assume

MILS Platform

© 2013 D-MILS Project 10

MILS Platform Assurance Case

The MILS Platform for D-MILS is composed of three major subsystems: MSK, MNS, MCS

Assumptions from MILS Platform assurance case become obligations on the components

Assured Claims from component assurance cases become evidence for MIPP sub-cases

Evidence provides the ultimate justification for the assurance case

MP

Claims

Sub-case

Sub-case

Sub-case

Inference rule

Inference rule

MILS Platform

Assurance Argument

MSK

Claims

MNS

Claims

MCS

Claims

Inference rule

Inference rule

Inference rule

Inference rule

Inference rule

Inference rule

MILS Separation Kernel

Assurance Argument

MILS Network Sys

Assurance Argument

MILS Console System

Assurance Argument

Assume Guarantee Guarantee

EV

ID

EN

CE

© 2013 D-MILS Project 11

Policy Architecture Assurance – Incremental

Rely/Guarantee Compositional Reasoning

A B

C

Relies Guarantees

S

A B

a)

b)

c)

A B

composite

composite’

R/G composition of A and B

A as part of a composite

B becomes part of new composite’

which is then composed with C to form S

A Relies Guarantees

© 2013 D-MILS Project 12

Distributed MILS A policy architecture may span nodes

Node Hardware

SK

MNS

Node Hardware

SK

MNS

Node Hardware

SK MNS

Foundational Plane +

Node Hardware

Subjects Subjects Subjects

© 2013 D-MILS Project 13

Distributed MILS

A single policy architecture may span MILS nodes

Guarantees similar to a single MILS node: isolation, information flow control, determinism

Determinism over network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)

Must configure and schedule the network and the processors of the nodes coherently

© 2013 D-MILS Project 14

Distributed MILS Platform – MILS nodes with deterministic communication

TTEthernet

Enables: Realization of deterministic distributed MILS architectures

A Distributed MILS Platform:

Node Hardware

SK MNS

Foundational Plane

Node Hardware

SK

MNS

SK

MNS

SK

MNS

SK

MNS

Node Hardware Node Hardware Node Hardware

SK

MNS

TTE Switch TTE Switch

TTE Switch

© 2013 D-MILS Project 15

Distributed MILS Project Elements

Artifact generation/use

Resource availability

Technology Application

Input / Output Artifact

Tool

Modified or new component

Application

MNS

AADL ext’d subset

Representations &

Transformations

Configuration Compiler

GSN Assur. Case

SK Config’n

TTE Config’n

Separation Kernel

TT Ethernet

Verification System

Verification Evidence

Smart Microgrid

Voice Services

Resource Inventory

MCS

D-MILS Platform

Automation

System Purpose

System Properties

© 2013 D-MILS Project 16

Distributed MILS – architecture-driven, resource-constrained configuration compilation

Node Hardware

SK

MNS

Node Hardware

SK

MNS

Node Hardware

SK MNS

Foundational Plane + Node Hardware

Subjects Subjects Physical resource constraints

Platform config / sched (XML)

Configuration Compiler

Resource constraints, node HW & TTE net description

Components / Architecture

Resource Inventory

SK, TTE Config Tools

SK Low-level res configuration,

TTE Net/dev config

Hardware configuration

S

u

b

j

e

c

t

s

© 2013 D-MILS Project 17