MILS Introduction

© 2013 D-MILS Project MILS and a path towards Distributed MILS


Introduction to MILS and the path towards D-MILS

Transcript of MILS Introduction


Whirlwind Tour of MILS

MILS is a component-based approach to secure systems design and implementation that encourages a marketplace of general-purpose COTS components.

MILS can be understood as a two-phase approach:

1. Design a Policy Architecture
   Abstract architecture diagram represented by "boxes and arrows".
   Operational components and architecture achieve system purpose.
   Assumes architecture (components and connectors) strictly enforced.

2. Implement on a robust resource-sharing platform
   MILS foundational components share physical resources, creating strongly separated "exported resources".
   Individually developed and assured according to protection profiles.
   Compose "additively" to form a distributed trusted sharing substrate, the MILS Platform.
   Provides compositional approach to construction, assurance, and system certification.


MILS Policy Architecture

[Figure: six circles C1 to C6 connected by arrows; C6 stands apart with no arrows; one circle is labelled "Trusted Subject".]

Circles represent architectural components (subjects / objects). Arrows represent interactions.

The architecture expresses an interaction policy among a collection of components.

The absence of an arrow is as significant as the presence of one: C6 has no interaction with any other component.

Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy).

Suitability of the architecture for some purpose presumes that the architect's assumptions are met in the implementation of the architecture diagram.


Assumptions Implicit in the Architecture Represent Two Primitive Policies

1. Isolation
   [Figure: C1 and C2 drawn with no arrow between them.]
   These components / connections have no interaction with each other.

2. Information Flow Control
   [Figure: an arrow from C1 to C2, with C3 drawn apart.]
   Only explicitly permitted causality, or interference, is permitted. The architecture permits this flow. Only C1 or C2 can cause the flow, not C3. The flow is directional and intransitive.
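The two primitive policies above can be checked mechanically against a diagram. The following is an added example, not code from the D-MILS project: the class and function names are my own, and the components C1 to C6 and their arrows are constructed to mirror the slides (C6 being the component with no interactions).

```python
# Added example, not from the D-MILS slides: a minimal checker for a MILS
# policy architecture given as "boxes and arrows". Class and function names
# are my own; the components C1..C6 and the arrows are constructed to mirror
# slides 3 and 4 (C6 is the component with no interactions).
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyArchitecture:
    components: frozenset
    arrows: frozenset  # (source, destination) pairs; each arrow is directional

    def permits(self, src, dst):
        """An interaction is permitted only if its arrow is explicitly drawn.
        Absence of an arrow denies (Isolation); arrows are directional, so
        C2->C1 needs its own arrow; and flow is intransitive, so C1->C2 plus
        C2->C3 never implies C1->C3 (Information Flow Control)."""
        return src in self.components and dst in self.components \
            and (src, dst) in self.arrows

    def isolated(self):
        """Components with no arrow in or out, like C6 on slide 3."""
        touched = {c for arrow in self.arrows for c in arrow}
        return self.components - touched

    def unauthorized_channels(self, channels):
        """Realization check (slide 6): every channel the platform actually
        configures between operational components must be an arrow."""
        return {ch for ch in channels if not self.permits(*ch)}


ARCH = PolicyArchitecture(
    components=frozenset({"C1", "C2", "C3", "C4", "C5", "C6"}),
    arrows=frozenset({("C1", "C2"), ("C2", "C3"), ("C3", "C4"), ("C4", "C5")}),
)

# Constructed platform configuration: it wires one extra channel, C1->C3,
# that the architecture does not permit (a transitive shortcut).
PLATFORM_CHANNELS = {("C1", "C2"), ("C2", "C3"), ("C1", "C3")}

if __name__ == "__main__":
    print(ARCH.permits("C1", "C2"))  # True
    print(ARCH.permits("C2", "C1"))  # False: directional
    print(ARCH.permits("C1", "C3"))  # False: intransitive
    print(ARCH.isolated())  # {'C6'}
    print(ARCH.unauthorized_channels(PLATFORM_CHANNELS))  # {('C1', 'C3')}
```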


The MILS Platform: Resource-Sharing Components

[Figure: several nodes, each a hardware (HW) layer with software (SW) foundational components labelled SK, Net, Con, FS, EA and Aud on top. The components create Exported Resources and combine by Additive Composition into the MILS Platform (MP); a set of such nodes forms D-MILS, Distributed MILS nodes.]

Additive compositionality: e.g., a Partitioning Kernel + Partitioning Net = Partitioning (Kernel + Net).

MP = MILS Platform.


MILS Platform – Provides Straightforward Realization of Policy Architecture

Architecture
[Figure: the policy architecture as circles and arrows.]
Validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram.

Realization
[Figure: resources R1 to R5 hosted on the MILS Platform.]
SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control.


Policy Architecture with Isolated Subsystems

[Figure: two subsystems on one MILS Platform, one of components R1 to R5 and one of Q1, Q2 and Q5, with no arrows between the subsystems.]


Isolated Subsystems in Distinct "Operational" Planes

[Figure: the same two isolated subsystems (R1 to R5; Q1, Q2, Q5) placed on separate OPERATIONAL PLANEs of the MILS Platform.]


MILS Foundational, Operational, Monitoring, and Configuration Planes

[Figure: four planes of the MILS Platform. The FOUNDATIONAL PLANE holds the Separation Kernel; the OPERATIONAL PLANE holds partitions P1 to P5; the MONITORING PLANE holds components labelled MFS, MNS, MEA and MCS with PERFORMANCE, DEBUG, HEALTH and RESOURCE monitoring; the CONFIGURATION PLANE holds the Configuration Data for each of the other planes.]


MILS System Assurance Case Structure

Compose assurance cases using Assume-Guarantee Reasoning.
MILS System assurance requires the validity of three sub-cases.
Assumptions from the MILS System assurance case become obligations on the sub-cases.

[Figure: MILS System Claims at the top, supported by the MILS System High-Level Assurance Argument. Three sub-cases below it: Policy Architecture (PA Claims, Policy Architecture Assurance Argument), MILS Platform (MP Claims, MILS Platform Assurance Argument) and Environment (Env Claims, Environment Assurance Argument). Assume/Guarantee arrows link the system case to each sub-case.]


MILS Platform Assurance Case

The MILS Platform for D-MILS is composed of three major subsystems: MSK, MNS, MCS.
Assumptions from the MILS Platform assurance case become obligations on the components.
Assured Claims from component assurance cases become evidence for MIPP sub-cases.
Evidence provides the ultimate justification for the assurance case.

[Figure: MP Claims supported by the MILS Platform Assurance Argument, broken down by inference rules into three sub-cases: MSK Claims (MILS Separation Kernel Assurance Argument), MNS Claims (MILS Network Sys Assurance Argument) and MCS Claims (MILS Console System Assurance Argument), each broken down by further inference rules to EVIDENCE. Assume/Guarantee arrows link the levels.]


Policy Architecture Assurance – Incremental Rely/Guarantee Compositional Reasoning

[Figure: three steps, each component drawn with its Relies and Guarantees.
a) R/G composition of A and B into "composite".
b) A as part of a composite.
c) B becomes part of new composite', which is then composed with C to form S.]
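The composition steps a) to c) can be worked through with sets of rely and guarantee properties. The following is an added example, not code from the D-MILS project: the Component class, compose(), the property names and the simplified composition rule (a rely is discharged when the partner guarantees it) are my own constructions, and the leftover rely at the end is the obligation that the system case hands to the MILS Platform sub-case described on the assurance-case slides.

```python
# Added example, not from the D-MILS slides: incremental rely/guarantee
# composition in the style of slide 12. The Component class, compose() and
# the property names are my own constructions; the composition rule is the
# simplified one where a rely is discharged by a partner's guarantee.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    relies: frozenset      # what this component assumes of its environment
    guarantees: frozenset  # what it delivers when its relies hold


def compose(x, y):
    """R/G composition of two components (step a on slide 12).
    A rely of one side that the other side guarantees is discharged
    inside the composite; relies still unmet become relies of the
    composite, which guarantees the union of both sides' guarantees."""
    provided = x.guarantees | y.guarantees
    open_relies = (x.relies | y.relies) - provided
    return Component(f"({x.name}+{y.name})", frozenset(open_relies), frozenset(provided))


def closed(c):
    """A system is closed when no rely is left undischarged."""
    return not c.relies


# Constructed components: A relies on an isolation property that only the
# MILS Platform can provide; B relies on A; C relies on B.
A = Component("A", frozenset({"platform.isolation"}), frozenset({"A.filters"}))
B = Component("B", frozenset({"A.filters"}), frozenset({"B.logs"}))
C = Component("C", frozenset({"B.logs"}), frozenset({"C.acks"}))
# The platform, viewed as a component with its own assurance sub-case.
MP = Component("MP", frozenset(), frozenset({"platform.isolation"}))


def build_system():
    """Steps a) to c): compose A and B into composite, then composite with C
    to form S. S still relies on platform.isolation, which is exactly the
    obligation the system case passes down to the platform sub-case."""
    composite = compose(A, B)
    return compose(composite, C)


if __name__ == "__main__":
    S = build_system()
    print(sorted(S.relies), closed(S))  # ['platform.isolation'] False
    print(closed(compose(S, MP)))       # True
```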


Distributed MILS – A policy architecture may span nodes

[Figure: four nodes, each Node Hardware with SK and MNS forming the Foundational Plane; the Subjects of a single policy architecture are placed across the nodes.]


Distributed MILS

A single policy architecture may span MILS nodes.
Guarantees similar to a single MILS node: isolation, information flow control, determinism.
Determinism over the network could be achieved in various ways; in D-MILS we use Time-Triggered Ethernet (TTE).
Must configure and schedule the network and the processors of the nodes coherently.


Distributed MILS Platform – MILS nodes with deterministic communication

[Figure: several Node Hardware units, each with SK and MNS forming the Foundational Plane, connected by TTEthernet.]

Distributed MILS Platform: enables realization of deterministic distributed MILS architectures.


Distributed MILS Elements

[Figure: tool chain and platform. Inputs: System Purpose and System Properties, expressed in an AADL extended subset. Tools: Representations & Transformations, Configuration Compiler, Verification System (producing Verification Evidence), GSN Assurance Case. Generated artifacts: SK Config'n and TTE Config'n. D-MILS Platform components: Separation Kernel, TTEthernet, MNS, MCS. Applications: Smart Microgrid, Voice Services; Resource Inventory. Legend: Artifact generation/use, Resource availability, Technology Application; Input / Output Artifact, Tool, Modified or new component, Application, Automation.]


Distributed MILS – architecture-driven, resource-constrained configuration compilation

[Figure: the Components / Architecture model, together with resource constraints and HW config drawn from the Resource Inventory (physical resource constraints, hardware configuration), feed the Configuration Compiler, which produces the platform config (XML). The SK and TTE Config Tools turn this into low-level resource configuration for the nodes, each Node Hardware with SK and MNS forming the Foundational Plane, on which the Subjects are placed.]
