A Multilevel Secure Testbed to Support Coalition Operations
12 December 2005
Cynthia Irvine, PhD
Department of Computer Science
Naval Postgraduate School
General Taxonomy of Attacks

Attack Motive        | Attack Strategy     | Attack Resources     | Threat                 | Assurance Required
Political-Military   | Long-Term Planning  | Well Funded          | System Subversion      | Highest
Political-Military   | Mid-Term Planning   | Modest to High Funds | Trojan Horse           | High
Malicious Amusement  | Short-Term Planning | Low to Modest        | Flaw Exploitation      | Moderate
Malicious Amusement  | Ad Hoc              | Low                  | Interface Exploitation | Low
Trojan Horse vs. Subversion
Trojan Horse
  – Requires victim’s cooperation
    • Adversary cannot choose time of activation
  – Constrained by security controls on the victim
  – Executes in an application
Subversion
  – Does not require a cooperating victim
  – By-passes security controls
  – Usually triggered activation and deactivation
    • Time chosen by adversary
  – May execute within the OS
Trojan Horse: DAC Only System
[Diagram] Tim’s Data is protected by an ACL (UID1 ---, UID2 rw-, ..., UIDn rw-). Normal conditions: no access for Eve.
Tim executes software with a Trojan horse. The software modifies the ACL to add “Eve rw-”. Eve accesses Tim’s Data and can extract information or modify information.
Trojan Horse: DAC Only System
[Diagram] Tim’s Data is protected by an ACL (UID1 ---, UID2 rw-, ..., UIDn rw-). Normal conditions: no access for Eve.
Tim executes software with a Trojan horse. The Trojan horse writes Tim’s Data into Eve’s File. Eve accesses Tim’s Data, which has been put into her file.
Trojan Horse fails in MLS System
[Diagram] Tim’s Data is protected by an ACL (UID1 ---, UID2 rw-, ..., UIDn rw-) and carries a HIGH secrecy mandatory label; Eve operates under a Low secrecy mandatory label. Normal conditions: no access for Eve.
Tim executes software with a Trojan horse. The software modifies the ACL: “Eve ---” => “Eve rw-” (possible message to Enemy). Eve attempts to access Tim’s Data, and the access is blocked (x).
MLS system prevents Eve from reading up.
Trojan Horse fails in MLS System
[Diagram] Tim’s Data carries a HIGH secrecy mandatory label; Eve’s File carries a Low secrecy mandatory label. Normal conditions: no access for Eve.
Tim executes software with a Trojan horse. The software attempts to write Tim’s Data to Eve’s File, and the write is blocked (x).
MLS system prevents Tim from writing down.
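A small model of the four preceding slides, added here as an illustration (it is not code from the talk or from the MYSEA project): the same Trojan horse, acting with Tim’s authority, is run against a DAC-only system and against a system whose reference monitor also checks mandatory secrecy labels. File names, ACL contents and the two-level label lattice are constructed for the example.

```python
# Added model of the four "Trojan Horse" slides (constructed example, not NPS code).
# A DAC-only system lets software Tim runs leak his data to Eve by widening the ACL or by
# copying the data into Eve's file; adding mandatory labels ("no read up", "no write down") blocks both.
LOW, HIGH = 0, 1                     # secrecy levels: HIGH dominates LOW

class System:
    def __init__(self, mls):         # mls=False: ACL checks only; mls=True: ACL plus label checks
        self.mls, self.files = mls, {}
    def add_file(self, name, owner, level, content, acl):
        self.files[name] = {"owner": owner, "level": level, "content": content, "acl": acl}

    def read(self, uid, clearance, name):
        f = self.files[name]
        if "r" not in f["acl"].get(uid, "---"):
            raise PermissionError("DAC: read denied")
        if self.mls and clearance < f["level"]:      # simple security property
            raise PermissionError("MLS: no read up")
        return f["content"]

    def write(self, uid, clearance, name, data):
        f = self.files[name]
        if "w" not in f["acl"].get(uid, "---"):
            raise PermissionError("DAC: write denied")
        if self.mls and f["level"] < clearance:      # *-property (confinement)
            raise PermissionError("MLS: no write down")
        f["content"] = data

    def chmod(self, uid, name, target_uid, perms):
        f = self.files[name]
        if f["owner"] != uid:
            raise PermissionError("DAC: only the owner may change the ACL")
        f["acl"][target_uid] = perms                  # not label-checked: the slide's "possible message to Enemy"

def attempt(action):  # result of the action (None for a successful write/chmod), or the denial reason
    try:
        return action()
    except PermissionError as e:
        return str(e)

def run_scenario(mls):
    s = System(mls)
    s.add_file("tims_data", "tim", HIGH, "plans", {"tim": "rw-", "eve": "---"})
    s.add_file("eves_file", "eve", LOW, "", {"tim": "-w-", "eve": "rw-"})
    # Tim (HIGH) executes software carrying the Trojan horse, so it acts with Tim's authority.
    return {
        "acl_change": attempt(lambda: s.chmod("tim", "tims_data", "eve", "rw-")),
        "eve_reads": attempt(lambda: s.read("eve", LOW, "tims_data")),
        "copy_down": attempt(lambda: s.write("tim", HIGH, "eves_file", s.read("tim", HIGH, "tims_data"))),
        "eves_file": s.files["eves_file"]["content"],
    }
```

In the DAC-only run both leakage paths succeed; in the MLS run the ACL change still goes through, but Eve’s read-up and the Trojan horse’s write-down are both refused by the label checks.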
Attacks: Means, Motive, Opportunity
• Means
  – Skill in system design and artifice construction
• Motive
  – Clandestine access to critical information
• Opportunity
  – Join development team for target system
  – Modify system design, specifications, or code
  – Insert artifice during distribution, configuration, or maintenance
Methods that Work
• To Address Subversion: Limit Opportunity
  – Lifecycle assurance - high assurance
  – Protection via rigorous security engineering
    • No unspecified functionality
    • Use of formal verification techniques
  – When Applied in MLS Context
    • Bound information flow to prevent Trojan Horse damage
    • Uses formal models
  – Supports implementation assessment
MYSEA Testbed Objectives
• Experimentation and Research Framework
  – High Assurance Solutions
  – Distributed Multilevel Functionality
  – Dynamic Security
  – Trusted Authentication
  – Open Architectures and Interfaces
• Currently Support:
  – MYSEA Research Project
  – Trusted Computing Exemplar Project
  – Dynamic Security Services Project
  – Basic GIG IA Architecture and Security Concepts
• Long Range Applicability
  – Additional GIG IA experiments
  – Other Complex Enterprise Networks
Near-Term Testbed Experiments
• Secure connections to classified networks
• Use COTS and legacy hardware and software components
• Use open standards
• Apply high assurance security technology to legacy elements
• Centralize security management
• Integrate high assurance multilevel security with existing sensitive networks
• Manage access to classified networks using high assurance trusted communication channel techniques
• Dynamic security services
• Open architectures to incorporate new technologies
• Use XML tags as security markings
• Secure single sign-on across multiple MLS servers
• Server cluster technologies
Testbed Design
[Diagram] Three single-level enclaves reached across the Internet, each behind an Encryptor (E) and a Firewall: a Coalition Enclave (Coalition Clients), an Unclassified Enclave (Unclassified Clients) and a Secret Enclave (Secret Clients). A Multilevel Enclave contains the MLS Server (TS, S, U), Thin Clients with TPE, and Trusted Channel Modules (TCM) on the connections to the single-level networks. The enclaves also contain Tarantella Portal Servers (TP), App Servers (AP), C2PC REPEAT Servers (CR), C2PC Gateways (CG) and Clients (C); links between enclaves are Encrypted.
LEGEND
  AP   App Server
  C    Client
  CG   C2PC Gateway
  CR   C2PC REPEAT Server
  E    Encryptor
  TP   Tarantella Portal Server
  TCM  Trusted Channel Module
  TPE  Trusted Path Extension
Demonstrated MYSEA Features
• Distributed Security Architecture
• Multilevel Policy Enforcement
• Unmodified Commercial Desktop Applications
• Trusted Path for Security-Critical Operations
• Reach-back to Single Level Networks
  – Aggregated Information Services
• Dynamic Policy Modulation of Security Services
Testbed Components: Secure Server
• True Multilevel Security Policy Enforcement
  – Coherent View: Users at HIGH see Information at LOW
  – Label-based Policy Enforcement
    • Hierarchical and Categories
  – Support for Integrity-Based Separation
    • Isolate cyber-trash from reliable users and programs
  – Flexible Label Management
• Existing Commercial MLS Base
  – Digital Net XTS-400
  – Evaluated at Class B3 under TCSEC (aka “Orange Book”)
  – Currently Under Evaluation under Common Criteria
  – Support for Certification and Accreditation Goals
Server Network Enhancements
• Multilevel “inetd”
• Distributed High Assurance Authentication on MLS LAN
  – Trusted Path Services at Server
  – Distributed TCB to Client Locations
    • Trusted Path Extensions (TPE) at Clients
  – Controls TPE Activities
• Secure Session Services
  – Launch Applications at Corrected Session Level
• Dynamic Security Services
  – Policy Management Initiator
• Dedicated and Multiplexed Connections to Single Level Networks
Server Application Enhancements
• Ports of Popular Applications
  – All Made “Multilevel Aware”
  – HTTP: Apache-like Web Server
    • Base – standard Apache – minor modifications
    • WebDAV under development
  – SMTP: Sendmail
  – IMAP: University of Washington
  – NFS: User-level port
  – Secure Shell: OpenSSH (Single Level Only)
• Remote Client-Side Applications Support
High Assurance Trusted Path/Channel
• Trusted Path Extension Device
  – Ensure Communication with Trusted Server
  – Based on EAL7 Trusted Computing Exemplar (TCX) Separation Kernel
• Remote Security Operations
  – Log-on, Session Level Negotiation, etc.
• Server Supports Session Suspension and Resumption
• Trusted Channel Module
  – Ensure Proper Security Level Assigned To Information From Legacy Networks
• Dynamic Security Services Responders
Commodity-Based Client
• Meet User Requirements
  – Web Browsing
  – Mail
  – Document Production
• Stateless To Address Object Reuse Requirements
  – Depot-level Configuration to Start Up in Useful State
  – Volatile Memory Only
  – Store State at Server at Appropriate Session Level
  – Working Prototypes:
    • Knoppix Linux
    • Windows XP Embedded
Web Portal Services
• Allow Reach-Back to Single Level Legacy Networks via Web Browser
• Part of MYSEA’s Stateless Client Strategy
• Tarantella/enView product suite
  – Allow Clients to Access Web-based Applications On Different Platforms (Windows, Linux, Unix)
  – Present Integrated Portal View To Users
• Support GCCS
  – Command and Control Personal Computer System (C2PC)
Testbed Phase I
[Diagram] The Phase I build of the testbed design: a Coalition Enclave (Coalition Clients), an Unclassified Enclave (Unclassified Clients) and a Secret Enclave (Secret Clients) reached across the Internet, each behind an Encryptor (E) and a Firewall, and a Multilevel Enclave containing the MLS Server (TS, S, U) and Thin Clients with TPE. The enclaves also contain Tarantella Portal Servers (TP), App Servers (AP), C2PC REPEAT Servers (CR), C2PC Gateways (CG) and Clients (C); links between enclaves are Encrypted. Unlike the full design, no Trusted Channel Modules appear in Phase I.
LEGEND
  AP   App Server
  C    Client
  CG   C2PC Gateway
  CR   C2PC REPEAT Server
  E    Encryptor
  TP   Tarantella Portal Server
  TPE  Trusted Path Extension
Phase I Configuration (1 of 2)
• Hardware: 35 components
  – MLS Server, Handheld TPEs, Desktops, Laptops, VPN Appliances, Network Switches, TACLANE Encryptors
• Operating Systems: Heterogeneous
  – Trusted OS: DigitalNet STOP
  – COTS OS: RedHat Linux, Microsoft Windows 2000 server, Microsoft Windows XP, Microsoft Windows XP Embedded, OpenBSD, Knoppix Linux and Familiar Project Linux
Phase I Configuration (2 of 2)
• Custom MYSEA Trusted Software
  – Trusted Path Service, Secure Session Management
• Linux Applications:
  – PostgreSQL, Apache web server, Edge Technologies enPortal, Tarantella Enterprise 3, imapd and sendmail
• Windows Applications:
  – Microsoft Terminal Services, Microsoft Office, Microsoft Project, Internet Explorer, C2PC Gateway, C2PC Client, REPEAT 2004–RepeatWinXR and Creative WebCam PROeX
Trusted Path Extension (TPE)
• Reference application for the TCX project
• Operational Environment - MYSEA MLS LAN
• Architecture will use separation
  – Untrusted and Trusted processes
TPE Form Factor
• PDA-like device
• Isolation from COTS processor
• Trusted Path functions control I/O to user
  – Device Screen
  – Device Keyboard
• Secure Attention Key design is simpler
• Encryption is on TPE
• Alternative: examine complex interactions between TPE and COTS system
  – Strong isolation is required for assurance
Project Synergies
• Trusted Computing Exemplar
• Separation Kernel Protection Profile
• SecureCore
• RCSec
• CyberCIEGE
Questions and Contacts
Cynthia Irvine, Ph.D.
Center for Information Systems Security Studies and Research
Computer Science Department
Naval Postgraduate School, Monterey, CA 93943
[email protected], 831 656-2461