MILS Introduction
Whirlwind Tour of MILS

- MILS is a component-based approach to secure systems design and implementation that encourages a marketplace of general-purpose COTS components
- MILS can be understood as a two-phase approach:
  - Design a Policy Architecture
    - Abstract architecture diagram represented by “boxes and arrows”
    - Operational components and architecture achieve system purpose
    - Assumes architecture (components and connectors) strictly enforced
  - Implement on a robust resource-sharing platform
    - MILS foundational components share physical resources, creating strongly separated “exported resources”
    - Individually developed and assured according to protection profiles
    - Compose “additively” to form a distributed trusted sharing substrate, the MILS Platform
    - Provides compositional approach to construction, assurance, and system certification
© 2013 D-MILS Project
MILS Policy Architecture

[Diagram: circles C1 to C6 connected by arrows; C6 stands apart with no arrows; one circle is labelled “Trusted Subject”]

- Circles represent architectural components (subjects / objects)
- Arrows represent interactions
- The absence of an arrow is as significant as the presence of one
- A component with no arrows (C6 in the diagram) has no interaction with any other
- Components are assumed to perform the functions specified by the architect (trusted components enforce a local policy)
- The architecture expresses an interaction policy among a collection of components
- Suitability of the architecture for some purpose presumes that the architect’s assumptions are met in the implementation of the architecture diagram.
Assumptions Implicit in the Architecture Represent Two Primitive Policies

1. Isolation
   [Diagram: C1 and C2 with no arrow between them]
   These components / connections have no interaction with each other.

2. Information Flow Control
   [Diagram: C1, C2 and C3, with an arrow between C1 and C2 only]
   Only explicitly permitted causality, or interference, is permitted. The architecture permits this flow. Only C1 or C2 can cause the flow, not C3. The flow is directional and intransitive.
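The two primitive policies above can be made mechanical: a policy architecture is just a set of components and a set of directional arrows, and any observed interaction is either an arrow or a violation. The following is an added example, not code from the slides or from the D-MILS project; the arrows in ARCH and the trace in SAMPLE_TRACE are constructed, since the slide's own arrows are not legible in the transcript. It shows the three ways an interaction can fail the policy: no arrow at all (isolation), an arrow in the other direction (directionality), and an arrow reachable only through intermediaries (intransitivity).

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

Flow = Tuple[str, str]  # (source, destination); an arrow is directional


@dataclass(frozen=True)
class PolicyArchitecture:
    """A boxes-and-arrows policy architecture: the set of components and the
    set of explicitly permitted interactions (arrows) between them."""
    components: FrozenSet[str]
    flows: FrozenSet[Flow]

    def permits(self, src: str, dst: str) -> bool:
        # Only an explicit arrow permits an interaction; nothing else does.
        return (src, dst) in self.flows

    def isolated(self) -> Set[str]:
        # Components with no arrow in either direction (like C6 on the slide):
        # the absence of arrows is itself a policy statement.
        touched = {c for flow in self.flows for c in flow}
        return set(self.components) - touched

    def transitive_closure(self) -> Set[Flow]:
        # Every pair reachable through a chain of permitted flows.  Because the
        # policy is intransitive, this closure is NOT the policy; it is used
        # only to explain why an observed interaction was rejected.
        closure = set(self.flows)
        changed = True
        while changed:
            changed = False
            for a, b in list(closure):
                for c, d in list(closure):
                    if b == c and a != d and (a, d) not in closure:
                        closure.add((a, d))
                        changed = True
        return closure

    def check_trace(self, trace: Iterable[Flow]) -> List[str]:
        """Return one message for every observed interaction the policy forbids."""
        closure = self.transitive_closure()
        violations: List[str] = []
        for src, dst in trace:
            if src not in self.components or dst not in self.components:
                violations.append(f"{src}->{dst}: unknown component")
            elif self.permits(src, dst):
                continue  # explicitly permitted by an arrow
            elif self.permits(dst, src):
                violations.append(f"{src}->{dst}: flow is directional, only {dst}->{src} is permitted")
            elif (src, dst) in closure:
                violations.append(f"{src}->{dst}: flow is intransitive, a path through intermediaries does not permit it")
            else:
                violations.append(f"{src}->{dst}: no arrow, isolation applies")
        return violations


# Constructed example architecture (assumed arrows, not the slide's): C6 has no arrows at all.
ARCH = PolicyArchitecture(
    components=frozenset({"C1", "C2", "C3", "C4", "C5", "C6"}),
    flows=frozenset({("C1", "C2"), ("C2", "C3"), ("C4", "C5"), ("C5", "C2")}),
)

# Constructed trace of interactions observed at run time (for instance from a
# separation kernel audit log); not data from the page.
SAMPLE_TRACE = [
    ("C1", "C2"),  # permitted
    ("C2", "C1"),  # reversed direction
    ("C1", "C3"),  # C1->C2->C3 exists, but C1->C3 is not an arrow
    ("C6", "C1"),  # C6 is isolated
    ("C4", "C5"),  # permitted
]


def sample_violations() -> List[str]:
    return ARCH.check_trace(SAMPLE_TRACE)


if __name__ == "__main__":
    print("isolated components:", sorted(ARCH.isolated()))
    for msg in sample_violations():
        print("VIOLATION", msg)
```

The same check is what a separation kernel enforces at run time and what an auditor can re-run offline over a log: the policy is the arrow set itself, never its transitive closure, which is why the closure is computed only to produce a better diagnostic.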
The MILS Platform: Resource-Sharing Components

[Diagram: several SW/HW stacks, each a MILS Platform (MP) over hardware, built from foundational components labelled SK, Net, Con, FS, EA and Aud; the platform exposes “Exported Resources” formed by “Additive Composition”; several such nodes make up D-MILS (Distributed MILS nodes)]

- Additive compositionality, e.g., a Partitioning Kernel + Partitioning Net = Partitioning (Kernel + Net)
- MP = MILS Platform
- D-MILS = Distributed MILS nodes
MILS Platform – Provides Straightforward Realization of Policy Architecture

[Diagram: “Architecture” shows circles R1 to R5 connected by arrows; “Realization” shows the same R1 to R5 hosted on the MILS Platform]

- Architecture: validity of the architecture assumes that the only interactions of the circles (operational components) are through the arrows depicted in the diagram
- Realization: SK, with other MILS foundational components, forms the MILS Platform, allowing operational components to share physical resources while enforcing Isolation and Information Flow Control
Policy Architecture with Isolated Subsystems

[Diagram: two isolated subsystems hosted on one MILS Platform: R1 to R5, and Q1, Q2, Q5 together with R3 and R4]
Isolated Subsystems in Distinct “Operational” Planes

[Diagram: the two subsystems from the previous slide, R1 to R5 and Q1, Q2, Q5 with R3 and R4, each drawn in its own OPERATIONAL PLANE above the MILS Platform]
MILS Foundational, Operational, Monitoring, and Configuration Planes

[Diagram: planes stacked over the MILS Platform. FOUNDATIONAL PLANE: Separation Kernel with MFS, MNS, MEA and MCS. OPERATIONAL PLANE: partitions P1 to P5. MONITORING PLANE: PERFORMANCE, DEBUG, HEALTH and RESOURCE monitors. CONFIGURATION PLANE: Configuration Data for each of the other planes.]
MILS System Assurance Case Structure

- Compose assurance cases using Assume-Guarantee Reasoning
- MILS System assurance requires the validity of three sub-cases
- Assumptions from MILS System assurance case become obligations on the sub-cases

[Diagram: MILS System Claims supported by the MILS System High-Level Assurance Argument, which rests on three sub-cases: PA Claims (Policy Architecture Assurance Argument), MP Claims (MILS Platform Assurance Argument) and Env Claims (Environment Assurance Argument); Assume/Guarantee arrows link the Policy Architecture, MILS Platform and Environment sub-cases]
MILS Platform Assurance Case

- The MILS Platform for D-MILS is composed of three major subsystems: MSK, MNS, MCS
- Assumptions from MILS Platform assurance case become obligations on the components
- Assured Claims from component assurance cases become evidence for MIPP sub-cases
- Evidence provides the ultimate justification for the assurance case

[Diagram: MP Claims supported by the MILS Platform Assurance Argument, which leads through inference rules to three sub-cases: MSK Claims (MILS Separation Kernel Assurance Argument), MNS Claims (MILS Network Sys Assurance Argument) and MCS Claims (MILS Console System Assurance Argument); each argument rests through further inference rules on EVIDENCE; Assume/Guarantee arrows link the sub-cases]
Policy Architecture Assurance – Incremental Rely/Guarantee Compositional Reasoning

[Diagram: components A, B and C, each with Relies (incoming) and Guarantees (outgoing):
 a) R/G composition of A and B
 b) A as part of a composite
 c) B becomes part of new composite’ which is then composed with C to form S]
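The three assurance slides above (system case, platform case, incremental rely/guarantee composition) share one mechanism: a guarantee on one side discharges a matching rely on the other, and whatever is not discharged is pushed outward as an obligation on the next composition step. The following is an added example that models that mechanism, not code or claim identifiers from the D-MILS project; the sub-cases MP, PA and ENV and their claim names are constructed to mirror slide 10, and the composition order follows slide 12 (composite = MP + PA, composite' = composite + Env = S). It also refuses circular reliance, which plain rely/guarantee composition cannot discharge on its own.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set


@dataclass(frozen=True)
class Case:
    """One assurance (sub-)case: the claims it relies on from its surroundings
    and the claims it guarantees when those relies hold."""
    name: str
    relies: FrozenSet[str]
    guarantees: FrozenSet[str]


def mutual_relies(a: Case, b: Case) -> Set[str]:
    """Claims involved in circular reliance: each side relies on something the
    other guarantees.  Discharging these needs a separate argument, so they are
    reported rather than silently cancelled."""
    a_on_b = a.relies & b.guarantees
    b_on_a = b.relies & a.guarantees
    return (set(a_on_b) | set(b_on_a)) if (a_on_b and b_on_a) else set()


def compose(a: Case, b: Case) -> Case:
    """Rely/guarantee composition (slide 12, step a): a guarantee of one side
    discharges a matching rely of the other.  Undischarged relies become relies
    of the composite (obligations pushed outward); all guarantees are kept."""
    circular = mutual_relies(a, b)
    if circular:
        raise ValueError(f"circular reliance between {a.name} and {b.name}: {sorted(circular)}")
    discharged = (a.relies & b.guarantees) | (b.relies & a.guarantees)
    return Case(
        name=f"({a.name} + {b.name})",
        relies=(a.relies | b.relies) - discharged,
        guarantees=a.guarantees | b.guarantees,
    )


def claim_holds(system: Case, claim: str) -> bool:
    """A top-level claim holds only if it is guaranteed and no rely is left open,
    i.e. every assumption has become somebody's discharged obligation."""
    return claim in system.guarantees and not system.relies


# Constructed sub-cases mirroring slide 10 (claim names are assumptions, not
# the project's own claim identifiers).
MP = Case("MILS Platform",
          relies=frozenset({"hw_behaves_as_specified", "config_data_valid"}),
          guarantees=frozenset({"isolation", "information_flow_control"}))
PA = Case("Policy Architecture",
          relies=frozenset({"isolation", "information_flow_control",
                            "trusted_components_enforce_local_policy"}),
          guarantees=frozenset({"system_purpose"}))
ENV = Case("Environment",
           relies=frozenset(),
           guarantees=frozenset({"hw_behaves_as_specified", "config_data_valid",
                                 "trusted_components_enforce_local_policy"}))
# An environment case that never argued for valid configuration data.
ENV_INCOMPLETE = Case("Environment (incomplete)", frozenset(),
                      ENV.guarantees - {"config_data_valid"})


def build_system(env: Case) -> Case:
    # Incremental composition as on slide 12: composite = MP + PA, then
    # composite' = composite + Env, which is the system S.
    composite = compose(MP, PA)
    return compose(composite, env)


if __name__ == "__main__":
    for env in (ENV, ENV_INCOMPLETE):
        s = build_system(env)
        print(s.name, "open obligations:", sorted(s.relies),
              "system_purpose holds:", claim_holds(s, "system_purpose"))
```

With the complete environment case the system is left with no open relies and the system-purpose claim holds; with the incomplete one, config_data_valid survives as an undischarged obligation, which is exactly the "assumption becomes obligation" flow the slides describe, made visible as data rather than as a diagram.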
Distributed MILS
A policy architecture may span nodes

[Diagram: the Subjects of one policy architecture spread across several nodes; each node is Node Hardware running SK + MNS, which together form the Foundational Plane]
Distributed MILS

- A single policy architecture may span MILS nodes
- Guarantees similar to a single MILS node: isolation, information flow control, determinism
- Determinism over the network could be achieved in various ways – in D-MILS we use Time-Triggered Ethernet (TTE)
- Must configure and schedule the network and the processors of the nodes coherently
Distributed MILS Platform – MILS nodes with deterministic communication

[Diagram: several nodes, each Node Hardware running SK + MNS (Foundational Plane), connected by TTEthernet to form the Distributed MILS Platform]

Enables: realization of deterministic distributed MILS architectures
Distributed MILS Elements

[Diagram: tool chain and platform. Inputs: System Purpose and System Properties, expressed in an AADL ext’d subset. Tools: Representations & Transformations, Configuration Compiler, Verification System. Artifacts: GSN Assur. Case, SK Config’n, TTE Config’n, Verification Evidence, Resource Inventory. D-MILS Platform components: Separation Kernel, TTEthernet, MNS, MCS. Applications: Smart Microgrid, Voice Services. Legend: Artifact generation/use; Resource availability; Technology Application; Input / Output Artifact; Tool; Modified or new component; Application; Automation]
Distributed MILS – architecture-driven, resource-constrained configuration compilation

[Diagram: Components / Architecture and Physical resource constraints feed the Configuration Compiler, together with Resource constraints and HW config from the Resource Inventory; the compiler emits Platform config (XML), which the SK and TTE Config Tools turn into Low-level resource configuration and Hardware configuration for each node (Node Hardware running SK + MNS as the Foundational Plane, hosting Subjects)]
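The slides on Distributed MILS say that the processors of the nodes and the time-triggered network must be configured and scheduled coherently, and the last slide shows that configuration being compiled from the architecture under resource constraints. The following is an added example of what "coherently" can mean as a checkable property; it is not the D-MILS configuration compiler and does not use its XML format or TTEthernet's real scheduling rules. All node schedules, placements, channels and timings are constructed, and two simplifying assumptions are stated in the code: a single shared TTE link, and each message produced and consumed within the same cycle.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Window:
    """A half-open time interval [start, end) in microseconds within one cycle."""
    start: int
    end: int

    def overlaps(self, other: "Window") -> bool:
        return self.start < other.end and other.start < self.end


@dataclass(frozen=True)
class Channel:
    """A permitted flow from one partition to another, carried in a TTE slot."""
    src: str
    dst: str
    slot: Window


def check_configuration(nodes: Dict[str, Dict[str, Window]],
                        placement: Dict[str, str],
                        channels: List[Channel],
                        cycle_us: int) -> List[str]:
    """Coherence checks over the processor schedules and the network schedule.
    Simplifying assumptions (not D-MILS's rules): one shared TTE link, and a
    message is produced and consumed within the same cycle."""
    errors: List[str] = []
    # 1. On each node, partition windows lie inside the cycle and do not overlap
    #    (temporal isolation of partitions on the processor).
    for node, parts in nodes.items():
        items = list(parts.items())
        for i, (p, w) in enumerate(items):
            if not (0 <= w.start < w.end <= cycle_us):
                errors.append(f"{node}/{p}: window {w} outside cycle of {cycle_us} us")
            for q, v in items[i + 1:]:
                if w.overlaps(v):
                    errors.append(f"{node}: windows of {p} and {q} overlap")
    # 2. TTE slots on the shared link do not overlap (contention-free, hence deterministic).
    for i, c in enumerate(channels):
        for d in channels[i + 1:]:
            if c.slot.overlaps(d.slot):
                errors.append(f"slots of {c.src}->{c.dst} and {d.src}->{d.dst} overlap")
    # 3. Each slot is coherent with its endpoints: the sender's window has closed
    #    before the slot opens, and the receiver's window opens only after the
    #    slot closes, so data produced in this cycle is consumed in this cycle.
    for c in channels:
        snd = nodes[placement[c.src]][c.src]
        rcv = nodes[placement[c.dst]][c.dst]
        if snd.end > c.slot.start:
            errors.append(f"{c.src}->{c.dst}: sender window ends at {snd.end} after slot opens at {c.slot.start}")
        if rcv.start < c.slot.end:
            errors.append(f"{c.src}->{c.dst}: receiver window starts at {rcv.start} before slot closes at {c.slot.end}")
    return errors


# Constructed configuration (all numbers invented): two nodes, a 1000 us cycle.
CYCLE_US = 1000
NODE_SCHEDULES = {
    "node1": {"P1": Window(0, 200), "P2": Window(200, 400)},
    "node2": {"P3": Window(300, 500), "P4": Window(500, 800)},
}
PLACEMENT = {"P1": "node1", "P2": "node1", "P3": "node2", "P4": "node2"}

GOOD_CHANNELS = [
    Channel("P1", "P3", Window(220, 240)),
    Channel("P2", "P4", Window(420, 440)),
]
BAD_CHANNELS = GOOD_CHANNELS + [
    Channel("P4", "P1", Window(850, 870)),  # receiver P1 already ran this cycle
    Channel("P3", "P2", Window(430, 450)),  # slot collides, sender still running, receiver already ran
]


if __name__ == "__main__":
    for label, chans in (("good", GOOD_CHANNELS), ("bad", BAD_CHANNELS)):
        for e in check_configuration(NODE_SCHEDULES, PLACEMENT, chans, CYCLE_US):
            print(label, "->", e)
```

The good configuration passes all three checks; the bad one yields four findings (one slot collision, one sender still running when its slot opens, and two receivers scheduled before their slot closes). A configuration compiler that emits both the per-node partition schedule and the TTE slot table is exactly the place to run checks of this kind before anything is loaded onto the hardware.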