MYSEA Technology Demonstration
Presented by Sai Charan Obuladinne
Contents
• Introduction
• MYSEA characteristics and capabilities
• MYSEA Domain Separation and Trusted Path Demo
• Quality of Security Service Demo
• Conclusion
Introduction
Purpose:
a) A trusted distributed operating environment for enforcing multi-domain security policies.
b) To develop high assurance security services and integrated operating system mechanisms that protect distributed multi-domain computing environments from malicious code and other attacks.
c) Capabilities: composing secure distributed systems using commercial off-the-shelf (COTS) components.
MYSEA characteristics and capabilities
• Use of add-on components in client-server systems, which can magnify the impact of trusted open source systems.
• Protection of multiple protection domains, such that malicious code may neither exfiltrate confidentially sensitive data nor corrupt information of higher integrity (malicious software in PC; multiple PCs).
• Open source trusted path mechanism for assured and unambiguous user communication with the trusted computing base.
• Vertical integration: dynamic security policy control functions in a QoSS framework.
MYSEA Domain Separation and Trusted Path Demo
MYSEA is a distributed client-server architecture. The major physical components are:
1) Security enhanced servers: for security policy enforcement; they host various open source or commercial application protocol servers.
2) Security enhanced workstations: commercial-class PCs executing popular commercial software products. Trusted Path Extensions permit server-enforced security policy to be distributed across the network.
MYSEA Server
• Enforces the security policy and controls access to information.
• It is a security enhanced version of the OpenBSD operating system (MYSEOS).
• MYSEOS + untrusted connection (policy constrained) = MYSEA
• When MYSEOS is combined with untrusted, but policy constrained (and, in some instances, policy aware) application protocol servers, the result is the MYSEA Server.
[Diagram labels: Untrusted 3rd party; MYSEOS; Policy constrained]
MYSEA workstation
• Each PC has a Trusted Path Extension device that provides MYSEA policy support at the workstation.
• The MYSEA Servers and the Trusted Path Extensions are connected directly to the physical network.
Demonstration of Concepts
• Trusted Path Extension: users can log on to the MYSEA system over a trusted path.
• Audit and access controls: invoked to establish session attributes such as the current sensitivity level.
• Similarly, the user can also log on to his own PC and use standard commercial client software (e.g., web browser or e-mail program) to access applications supported by the MYSEA
• To modify any session attributes (sensitivity level, password, user name, etc.), the Trusted Path Extension is invoked again.
Multi-Domain Policy Enforcement
• The MYSEOS kernel associates security attributes with active and passive.
• An important policy for the MYSEOS kernel to enforce is that malicious code may neither exfiltrate confidentially sensitive data nor corrupt information of higher integrity. To support this, the MYSEOS kernel provides multi-domain file system support.
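The policy on this slide can be read as a single information-flow check. The following is an added example, not MYSEOS code: it assumes a Bell-LaPadula-style secrecy rule and a Biba-style integrity rule (the slides do not name the models), and the levels, file names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed label sets (assumption: the slides do not list MYSEA's actual levels).
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
INTEGRITY = {"LOW": 0, "HIGH": 1}


@dataclass(frozen=True)
class Label:
    secrecy: str
    integrity: str


def flows(src, dst):
    """Data may move src -> dst only if it neither leaks downward nor taints upward."""
    no_leak = SECRECY[src.secrecy] <= SECRECY[dst.secrecy]            # no exfiltration
    no_taint = INTEGRITY[src.integrity] >= INTEGRITY[dst.integrity]   # no corruption
    return no_leak and no_taint


def allowed_modes(subject, obj):
    """Return "r", "w", "rw" or "" for a subject (active) on an object (passive)."""
    read = "r" if flows(obj, subject) else ""    # a read moves data object -> subject
    write = "w" if flows(subject, obj) else ""   # a write moves data subject -> object
    return read + write


# Constructed multi-domain file system contents.
FILES = {
    "public_notice": Label("UNCLASSIFIED", "HIGH"),
    "conf_orders": Label("CONFIDENTIAL", "HIGH"),
    "conf_scratch": Label("CONFIDENTIAL", "LOW"),
    "secret_plan": Label("SECRET", "LOW"),
}


def access_matrix(session):
    """Modes an untrusted application running at the session label gets on each file."""
    return {name: allowed_modes(session, label) for name, label in FILES.items()}


if __name__ == "__main__":
    session = Label("CONFIDENTIAL", "LOW")   # session attributes set over the trusted path
    for name, modes in access_matrix(session).items():
        print(f"{name:14} {modes or '-'}")
```

Code running in a CONFIDENTIAL, low-integrity session can read the public notice but cannot write to it, and can read the high-integrity orders but cannot modify them.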
Trusted Path Extension
• Maintains the state of the user-MYSEA interaction.
• Example: a user may be logged in with default security attributes, but may not have started a session executing untrusted application code.
• Trusted Path Services provides an interface to the Security Support Services component to support identification and authentication.
[Diagram labels: TPS; multiple terminal PCs; multiple workstations]
MYSEA Server supports the following services:
• Secure Attention Key
• Trusted Path Services
• Controlled LAN Access
• Communications and cryptographic services
• Negotiated Session Services
• Control of Security Critical Activities
MYSEA Server services in detail:
• Secure Attention Key: initiates unambiguous communication with MYSEOS; causes a state change in the Trusted Path Extension such that an unforgeable communications path (viz. a trusted path) to MYSEOS
• Trusted Path Services: when invoked, used to input security critical information (password).
• Controlled LAN Access: controlled access to the LAN. Malicious software cannot bypass the Trusted Path.
• Communications and cryptographic services: protected communication channels between the Server and TPS (based upon protocols that support establishment and maintenance of TPS).
• Negotiated Session Services: ensure trusted object reuse. When the user changes domains, information associated with the previous domain must be removed from the untrusted PC. Note: previous session information cannot be reused by subsequent sessions (violation of the distributed security policy).
• Control of Security Critical Activities: controls the client and resources at the time of boot, and controls security critical actions over the client session.
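The interaction of the Secure Attention Key, Trusted Path Services and Negotiated Session Services can be sketched as a small state machine. This is an added example, not MYSEA code: the class, state names and audit strings are hypothetical, and the purge is a simplification of the object-reuse requirement above.

```python
class TrustedPathExtension:
    """Toy model of the TPE state described above; all names are hypothetical."""
    def __init__(self):
        self.state, self.user, self.level = "NO_SESSION", None, None
        self.pc_residue, self.audit = [], []   # data cached on the PC; event log

    def press_sak(self):
        self.state = "TRUSTED_PATH"            # SAK always forces the trusted path
        self.audit.append("SAK")

    def _require_trusted_path(self, action):
        if self.state != "TRUSTED_PATH":
            self.audit.append(f"DENY {action}")
            raise PermissionError(f"{action} requires the trusted path")

    def login(self, user, default_level):
        self._require_trusted_path("login")
        self.user, self.level = user, default_level

    def set_level(self, new_level):
        self._require_trusted_path("set_level")
        if new_level != self.level and self.pc_residue:
            self.pc_residue.clear()            # object reuse: purge the old domain's data
            self.audit.append("PURGE")
        self.level = new_level

    def start_session(self):
        self._require_trusted_path("start_session")
        if self.user is None:
            raise PermissionError("log in over the trusted path first")
        self.state = "SESSION"                 # untrusted application code may now run

    def pc_store(self, data):
        self.pc_residue.append((self.level, data))   # untrusted client caching data


def demo():
    tpe = TrustedPathExtension()
    tpe.press_sak()
    tpe.login("alice", "UNCLASSIFIED")         # constructed user and levels
    tpe.start_session()
    tpe.pc_store("cached page")
    try:
        tpe.set_level("SECRET")                # request from inside the session: denied
    except PermissionError:
        pass
    tpe.press_sak()
    tpe.set_level("SECRET")                    # same change over the trusted path
    return tpe
```

The audit trail from `demo()` shows the denied in-session request, the second SAK, and the purge of cached data before the new sensitivity level takes effect.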
Quality of Security Service
• MYSEA is integrated with an external resource or QoS manager to provide a means of dynamically managing its security and performance characteristics.
• MYSEA QoSS Manager: the external QoSS interface to MYSEA; it governs security and performance factors of the various MYSEA components.
• The QoSS manager on the MYSEA server manages the QoSS security and connectivity database.
[Diagram labels: Security and Performance; MYSEA QoSS Manager; MYSEA Component]
Conclusion
MYSEA is a trusted distributed operating environment for enforcing multi-domain security policies.
Supports critical applications:
1) A distributed trusted architecture that utilizes commercial and open source applications.
2) An open source trusted path mechanism.
3) Techniques for vertical integration of security policy control functions.