
A Multilevel Secure Testbed to Support Coalition Operations



Presentation Transcript


  1. A Multilevel Secure Testbed to Support Coalition Operations
  12 December 2005
  Cynthia Irvine, PhD
  Department of Computer Science, Naval Postgraduate School

  2. Outline
  • Technical Problem
  • MYSEA Testbed
  • Related Work

  3. General Taxonomy of Attacks

  4. Trojan Horse vs. Subversion
  Trojan Horse
  • Requires victim’s cooperation
  • Adversary cannot choose time of activation
  • Constrained by security controls on the victim
  • Executes in an application
  Subversion
  • Does not require a cooperating victim
  • By-passes security controls
  • Usually triggered activation and deactivation
  • Time chosen by adversary
  • May execute within the OS

  5. Trojan Horse: DAC Only System (diagram: Tim’s Data with ACL UID1 ---, UID2 rw-, ..., UIDn rw-)
  • Normal Conditions: No Access for Eve
  • Tim Executes Software with Trojan Horse
  • Software Modifies ACL: Eve rw-
  • Eve Accesses Tim’s Data: extract information, modify information

  6. Trojan Horse: DAC Only System (diagram: Tim’s Data, Eve’s File)
  • Normal Conditions: No Access for Eve
  • Tim Executes Software with Trojan Horse
  • Trojan Horse writes Tim’s Data into Eve’s File
  • Eve accesses Tim’s Data, which has been put into her file

  7. Trojan Horse fails in MLS System (diagram: Tim’s Data at HIGH Secrecy Mandatory Label with ACL UID1 ---, UID2 rw-, ..., UIDn rw-; Eve at Low Secrecy Mandatory Label)
  • Normal Conditions: No Access for Eve
  • Tim Executes Software with Trojan Horse
  • Software Modifies ACL: Eve --- => Eve rw- (Possible message to Enemy)
  • Eve attempts to access Tim’s Data: denied (x)
  • MLS system prevents Eve from reading up

  8. Trojan Horse fails in MLS System (diagram: Tim’s Data at HIGH Secrecy Mandatory Label; Eve’s File at Low Secrecy Mandatory Label)
  • Normal Conditions: No Access for Eve
  • Tim Executes Software with Trojan Horse
  • Software attempts to write Tim’s data to Eve’s file: denied (x)
  • MLS system prevents Tim from writing down
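The DAC-versus-MLS contrast of slides 5 to 8, as an added Python illustration that is not part of the presentation or of MYSEA: a toy reference monitor with ACLs and mandatory labels (hierarchical levels with categories, as slide 17 lists) runs both Trojan-horse scenarios with MLS enforcement off and on. Tim, Eve, the LOW/HIGH labels and the Monitor class are constructed for the example.

```python
# Added illustration, not MYSEA code: a toy reference monitor runs the slide 5-8
# scenarios under DAC-only enforcement and again with MLS mandatory labels.
# Tim, Eve, LOW/HIGH and the Monitor class are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:                      # hierarchical level plus categories (slide 17)
    level: int
    categories: frozenset = frozenset()
    def dominates(self, other):   # self >= other in the label lattice
        return self.level >= other.level and other.categories <= self.categories

LOW, HIGH = Label(0), Label(1)

@dataclass
class File:
    acl: dict                     # uid -> "rw-" style string; absent uid means "---"
    label: Label
    data: str = ""

class Monitor:
    """Checks the ACL first; with mls=True also enforces no-read-up / no-write-down."""
    def __init__(self, mls):
        self.mls = mls
    def read(self, uid, subj, f):
        if "r" not in f.acl.get(uid, "---"):
            return None
        if self.mls and not subj.dominates(f.label):   # reading up is denied
            return None
        return f.data
    def write(self, uid, subj, f, data):
        if "w" not in f.acl.get(uid, "---"):
            return False
        if self.mls and not f.label.dominates(subj):   # writing down is denied
            return False
        f.data = data
        return True

def trojan_modifies_acl(mls):
    """Slides 5 and 7: Tim's program grants Eve rw- on Tim's data, then Eve (LOW) reads."""
    m, tims = Monitor(mls), File({"tim": "rw-", "eve": "---"}, HIGH, "secret")
    tims.acl["eve"] = "rw-"          # Trojan runs with Tim's authority, so DAC permits this
    return m.read("eve", LOW, tims)  # DAC only: "secret"; MLS: None

def trojan_writes_down(mls):
    """Slides 6 and 8: Tim's program copies Tim's HIGH data into Eve's LOW file."""
    m, tims = Monitor(mls), File({"tim": "rw-"}, HIGH, "secret")
    eves = File({"tim": "rw-", "eve": "rw-"}, LOW)
    m.write("tim", HIGH, eves, m.read("tim", HIGH, tims))
    return m.read("eve", LOW, eves)  # DAC only: "secret"; MLS: ""
```

With mls=False both scenarios leak Tim's data because the ACL is the only check and the Trojan horse holds Tim's DAC authority; with mls=True the label check denies the read-up in the first case and the write-down in the second.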

  9. Attacks: Means, Motive, Opportunity
  • Means
    • Skill in system design and artifice construction
  • Motive
    • Clandestine access to critical information
  • Opportunity
    • Join development team for target system
    • Modify system design, specifications, or code
    • Insert artifice during distribution, configuration, or maintenance

  10. Methods that Work
  • To Address Subversion: Limit Opportunity
    • Lifecycle assurance - high assurance
    • Protection via rigorous security engineering
    • No unspecified functionality
    • Use of formal verification techniques
  • When Applied in MLS Context
    • Bound information flow to prevent Trojan Horse damage
    • Uses formal models
    • Supports implementation assessment

  11. MYSEA Testbed

  12. MYSEA Testbed Objectives
  • Experimentation and Research Framework
    • High Assurance Solutions
    • Distributed Multilevel Functionality
    • Dynamic Security
    • Trusted Authentication
    • Open Architectures and Interfaces
  • Currently Support:
    • MYSEA Research Project
    • Trusted Computing Exemplar Project
    • Dynamic Security Services Project
    • Basic GIG IA Architecture and Security Concepts
  • Long Range Applicability
    • Additional GIG IA experiments
    • Other Complex Enterprise Networks

  13. Near-Term Testbed Experiments
  • Secure connections to classified networks
    • Use COTS and legacy hardware and software components
    • Use open standards
    • Apply high assurance security technology to legacy elements
    • Centralize security management
  • Integrate high assurance multilevel security with existing sensitive networks
    • Manage access to classified networks using high assurance trusted communication channel techniques
  • Dynamic security services
  • Open architectures to incorporate new technologies
    • Use XML tags as security markings
    • Secure single sign-on across multiple MLS servers
    • Server cluster technologies

  14. Testbed Architecture

  15. Testbed Design

  16. Demonstrated MYSEA Features
  • Distributed Security Architecture
  • Multilevel Policy Enforcement
  • Unmodified Commercial Desktop Applications
  • Trusted Path for Security-Critical Operations
  • Reach-back to Single Level Networks
  • Aggregated Information Services
  • Dynamic Policy Modulation of Security Services

  17. Testbed Components: Secure Server
  • True Multilevel Security Policy Enforcement
    • Coherent View: Users at HIGH see Information at LOW
  • Label-based Policy Enforcement
    • Hierarchical and Categories
  • Support for Integrity-Based Separation
    • Isolate cyber-trash from reliable users and programs
  • Flexible Label Management
  • Existing Commercial MLS Base
    • Digital Net XTS-400
    • Evaluated at Class B3 under TCSEC (aka “Orange Book”)
    • Currently Under Evaluation under Common Criteria
  • Support for Certification and Accreditation Goals

  18. Server Network Enhancements
  • Multilevel “inetd”
  • Distributed High Assurance Authentication on MLS LAN
    • Trusted Path Services at Server
    • Distributed TCB to Client Locations
    • Trusted Path Extensions (TPE) at Clients
    • Controls TPE Activities
  • Secure Session Services
    • Launch Applications at Corrected Session Level
  • Dynamic Security Services
    • Policy Management Initiator
  • Dedicated and Multiplexed Connections to Single Level Networks

  19. Server Application Enhancements
  • Ports of Popular Applications
    • All Made “Multilevel Aware”
    • HTTP: Apache-like Web Server
      • Base – standard Apache – minor modifications
      • WebDAV under development
    • SMTP: Sendmail
    • IMAP: University of Washington
    • NFS: User-level port
    • Secure Shell: OpenSSH (Single Level Only)
  • Remote Client-Side Applications Support

  20. High Assurance Trusted Path/Channel
  • Trusted Path Extension Device
    • Ensure Communication with Trusted Server
    • Based on EAL7 Trusted Computing Exemplar (TCX) Separation Kernel
    • Remote Security Operations
      • Log-on, Session Level Negotiation, etc.
    • Server Supports Session Suspension and Resumption
  • Trusted Channel Module
    • Ensure Proper Security Level Assigned To Information From Legacy Networks
  • Dynamic Security Services Responders

  21. Commodity-Based Client
  • Meet User Requirements
    • Web Browsing
    • Mail
    • Document Production
  • Stateless To Address Object Reuse Requirements
    • Depot-level Configuration to Start Up in Useful State
    • Volatile Memory Only
    • Store State at Server at Appropriate Session Level
  • Working Prototypes:
    • Knoppix Linux
    • Windows XP Embedded

  22. Web Portal Services
  • Allow Reach-Back to Single Level Legacy Networks via Web Browser
    • Part of MYSEA’s Stateless Client Strategy
  • Tarantella/enView product suite
    • Allow Clients to Access Web-based Applications On Different Platforms (Windows, Linux, Unix)
    • Present Integrated Portal View To Users
  • Support GCCS
    • Command and Control Personal Computer System (C2PC)

  23. Testbed Phase I

  24. Phase I Configuration (1 of 2)
  • Hardware: 35 components
    • MLS Server, Handheld TPEs, Desktops, Laptops, VPN Appliances, Network Switches, TACLANE Encryptors
  • Operating Systems: Heterogeneous
    • Trusted OS: DigitalNet STOP
    • COTS OS: RedHat Linux, Microsoft Windows 2000 Server, Microsoft Windows XP, Microsoft Windows XP Embedded, OpenBSD, Knoppix Linux and Familiar Project Linux

  25. Phase I Configuration (2 of 2)
  • Custom MYSEA Trusted Software
    • Trusted Path Service, Secure Session Management
  • Linux Applications:
    • PostgreSQL, Apache web server, Edge Technologies enPortal, Tarantella Enterprise 3, imapd and sendmail
  • Windows Applications:
    • Microsoft Terminal Services, Microsoft Office, Microsoft Project, Internet Explorer, C2PC Gateway, C2PC Client, REPEAT 2004–RepeatWinXR and Creative WebCam PROeX

  26. Trusted Path Extension (TPE)
  • Reference application for the TCX project
  • Operational Environment - MYSEA MLS LAN
  • Architecture will use separation
    • Untrusted and Trusted processes

  27. TPE Form Factor
  • PDA-like device
  • Isolation from COTS processor
  • Trusted Path functions control I/O to user
    • Device Screen
    • Device Keyboard
  • Secure Attention Key design is simpler
  • Encryption is on TPE
  • Alternative: examine complex interactions between TPE and COTS system
    • Strong isolation is required for assurance

  28. Project Synergies
  • Trusted Computing Exemplar
  • Separation Kernel Protection Profile
  • SecureCore
  • RCSec
  • CyberCIEGE

  29. Questions and Contacts
  Cynthia Irvine, Ph.D.
  Center for Information Systems Security Studies and Research
  Computer Science Department
  Naval Postgraduate School, Monterey, CA 93943
  irvine@nps.edu, 831 656-2461
