An introduction to D-MILS
-
Upload
thomas-dolby -
Category
Documents
-
view
245 -
download
2
description
Transcript of An introduction to D-MILS
MILS and a path towards Distributed MILS
1 © 2013 D-MILS Project
Whirlwind Tour of MILS
MILS is a component-based approach to secure systems design and implementation that encourages a marketplace of general-purpose COTS components
MILS can be understood as a two phase approach:
Design a Policy Architecture
• Abstract architecture diagram represented by “boxes and arrows”
• Operational components and architecture achieve system purpose
• Assumes architecture (components and connectors) strictly enforced
Implement on a robust resource-sharing platform
• MILS foundational components share physical resources, creating strongly separated “exported resources”
• Individually developed and assured according to protection profiles
• Compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
Provides compositional approach to construction, assurance, and system certification
© 2013 D-MILS Project 2
MILS Policy Architecture
C2
C4 C1
C3
C5
Circles represent
architectural
components
(subjects /
objects)
Arrows represent
interactions
Suitability of the architecture for some purpose
presumes that the architect’s assumptions are met
in the implementation of the architecture diagram.
C6
The absence of an
arrow is as significant
as the presence of one
This component
has no interaction
with any other
Components are
assumed to perform
the functions specified
by the architect
(trusted
components enforce
a local policy)
The architecture
expresses an
interaction policy
among a collection
of components
Trusted
Subject
© 2013 D-MILS Project 3
Assumptions Implicit in the Architecture Represent Two Primitive Policies
C2 C1
1. Isolation
Only explicitly permitted
causality, data flow, or interference,
is permitted. The architecture
permits this flow. Only C1 or C2
can cause the flow, C3 can not. The
flow is directional and intransitive.
These components /
connections have
no interaction with
each other
C2 C1
2. Information
Flow Control
C3
© 2013 D-MILS Project 4
The MILS Platform: Resource-Sharing Components
Exported
Resources
Additive
Composition
additive compositionality – e.g., Partitioning Kernel Partitioning Net
= Partitioning (Kernel + Net) MP = MILS Platform + D-MILS includes limited versions of Net(work) and Con(sole)
* D-MILS does not include MILS FS, EA and Aud components
SW HW
SW MP
SW HW
SW HW
SK Net+ Con+ FS*
EA* Aud*
SW HW
SW MP
D-MILS Distributed MILS node
© 2013 D-MILS Project 5
MILS Platform – Provides Straightforward Realization of Policy Architecture
Architecture
Realization
SK, with other MILS
foundational components,
form the MILS Platform
allowing operational
components to share
physical resources while
enforcing Isolation and
Information Flow Control
Validity of the architecture
assumes that the only
interactions of the circles
(operational components)
is through the arrows
depicted in the diagram
R 1
R 2
R 3
R 5
R 4
MILS Platform
© 2013 D-MILS Project 6
A Policy Architecture with Isolated Subsystems
R 1
R 2
MILS Platform
R 3
R 5
R 4
Q 2
Q 5 R 3 Q1
R 4
© 2013 D-MILS Project 7
Isolated Subsystems in Distinct “Operational” Planes
MILS Platform
Q 2
Q 5
R 4
R 1
R 2
R 3 R 5
R 4
Q 2
Q 5 R 3 Q1
R 4
MILS Platform OPERATIONAL PLANE
R 1
R 2
R 3
R 4
R 5
MILS Platform OPERATIONAL PLANE Q1 R 3
© 2013 D-MILS Project 8
MILS Foundational, Operational, Monitoring, and Configuration Planes
P 1
P 2
Separation Kernel
P 3
P 5
P 4
Configuration Data
Configuration Data
Configuration Data
CO
NF
IGU
RA
TIO
N P
LA
NE
FOUNDATIONAL PLANE
OPERATIONAL PLANE
MONITORING PLANE
MFS MNS
MEA
MCS
PERFORMANCE DEBUG
HEALTH
RESOURCE
MILS Platform
MILS Platform
© 2013 D-MILS Project 9
MILS System Assurance Case Structure
Compose assurance cases using Assume-Guarantee Reasoning
MILS System assurance requires the validity of three sub-cases
Assumptions from MILS System assurance case become obligations on the sub-cases
MILS
System
Claims
Sub-case
Sub-case
Sub-case
Policy Architecture
Environment
MILS System High-Level
Assurance Argument
MP
Claims
P A
Claims
Policy Architecture
Assurance Argument
MILS Platform
Assurance Argument
Env
Claims
Environment
Assurance Argument
Assume Guarantee Guarantee Assume
MILS Platform
© 2013 D-MILS Project 10
MILS Platform Assurance Case
The MILS Platform for D-MILS is composed of three major subsystems: MSK, MNS, MCS
Assumptions from MILS Platform assurance case become obligations on the components
Assured Claims from component assurance cases become evidence for MIPP sub-cases
Evidence provides the ultimate justification for the assurance case
MP
Claims
Sub-case
Sub-case
Sub-case
Inference rule
Inference rule
MILS Platform
Assurance Argument
MSK
Claims
MNS
Claims
MCS
Claims
Inference rule
Inference rule
Inference rule
Inference rule
Inference rule
Inference rule
MILS Separation Kernel
Assurance Argument
MILS Network Sys
Assurance Argument
MILS Console System
Assurance Argument
Assume Guarantee Guarantee
EV
ID
EN
CE
© 2013 D-MILS Project 11
Policy Architecture Assurance – Incremental
Rely/Guarantee Compositional Reasoning
A B
C
Relies Guarantees
S
A B
a)
b)
c)
A B
composite
composite’
R/G composition of A and B
A as part of a composite
B becomes part of new composite’
which is then composed with C to form S
A Relies Guarantees
© 2013 D-MILS Project 12
Distributed MILS A policy architecture may span nodes
Node Hardware
SK
MNS
Node Hardware
SK
MNS
Node Hardware
SK MNS
Foundational Plane +
Node Hardware
Subjects Subjects Subjects
© 2013 D-MILS Project 13
Distributed MILS
A single policy architecture may span MILS nodes
Guarantees similar to a single MILS node: isolation, information flow control, determinism
Determinism over network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)
Must configure and schedule the network and the processors of the nodes coherently
© 2013 D-MILS Project 14
Distributed MILS Platform – MILS nodes with deterministic communication
TTEthernet
Enables: Realization of deterministic distributed MILS architectures
A Distributed MILS Platform:
Node Hardware
SK MNS
Foundational Plane
Node Hardware
SK
MNS
SK
MNS
SK
MNS
SK
MNS
Node Hardware Node Hardware Node Hardware
SK
MNS
TTE Switch TTE Switch
TTE Switch
© 2013 D-MILS Project 15
Distributed MILS Project Elements
Artifact generation/use
Resource availability
Technology Application
Input / Output Artifact
Tool
Modified or new component
Application
MNS
AADL ext’d subset
Representations &
Transformations
Configuration Compiler
GSN Assur. Case
SK Config’n
TTE Config’n
Separation Kernel
TT Ethernet
Verification System
Verification Evidence
Smart Microgrid
Voice Services
Resource Inventory
MCS
D-MILS Platform
Automation
System Purpose
System Properties
© 2013 D-MILS Project 16
Distributed MILS – architecture-driven, resource-constrained configuration compilation
Node Hardware
SK
MNS
Node Hardware
SK
MNS
Node Hardware
SK MNS
Foundational Plane + Node Hardware
Subjects Subjects Physical resource constraints
Platform config / sched (XML)
Configuration Compiler
Resource constraints, node HW & TTE net description
Components / Architecture
Resource Inventory
SK, TTE Config Tools
SK Low-level res configuration,
TTE Net/dev config
Hardware configuration
S
u
b
j
e
c
t
s
© 2013 D-MILS Project 17