Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
© 2002-2004 Objective Interface Systems, Inc.
A Partitioning Communication
System for the MILS Architecture
A Partitioning A Partitioning Communication Communication
System for the MILS System for the MILS ArchitectureArchitecture
OMG Real-time WorkshopJuly 2004
Jeff ChiltonObjective Interface Systems
Herndon, Virginia
© 2002-2004 Objective Interface Systems, Inc. 22
Project Funding SourcesProject Funding Sources
! US Air Force! Lockheed Martin! Objective Interface
© 2002-2004 Objective Interface Systems, Inc. 33
AgendaAgenda
! Security & Embedded Systems! Where a PCS fits in MILS! How Did We Get Here?! What the PCS is not! What the PCS is Similar to! The PCS & Real-Time! The PCS’s Environment! PCS Security Functions! “Challenges”
© 2002-2004 Objective Interface Systems, Inc. 44
Security & Embedded SystemsSecurity & Embedded Systems
! Australian Water Utility" Vitek Boden, 48, April 23rd, 2000, Queensland, Australia
# disgruntled ex-employee of equipment supplier# Vehicle became command center for sewage treatment# Controlled 300 SCADA water and sewage nodes# “was the central control system” during intrusions# Released millions of liters of sewage# Killed marine life, blackened creek water, bad stench
" Caught on 46th attempt# Was angling for a consulting job to “fix” the problems he caused
! Result of embedded systems without security
© 2002-2004 Objective Interface Systems, Inc. 55
MILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureMILS ArchitectureU
ser Mode
S,TS
(MLS)
TS
(MSL)
S
(MSL)
MiddlewareOS Services
. . .
Application Partitions
MiddlewareOS Services
MiddlewareOS Services
Processor
RTOS Micro Kernel (MILS)Supervisor ModeMMU, Inter-Partition
Communications,Interrupts
TS
(MSL)MLS
DisplayDriverMLSKBDDriver
MiddlewareOS Services
© 2002-2004 Objective Interface Systems, Inc. 66
Where a PCS fits in MILSWhere a PCS fits in MILS
! The PCS is communications middleware for MILS! Always interposed in inter-node communications! Might be in some inter-partition comms. Too! Parallels Separation Kernel’s policies
© 2002-2004 Objective Interface Systems, Inc. 77
InterInter--node Communicationnode Communication
A
B
PCS
D
C
PCS F
© 2002-2004 Objective Interface Systems, Inc. 88
Basic Security PoliciesBasic Security Policies
! The PCS projects the Separation Kernel’s security policies throughout a distributed system" Information Flow" Data Isolation" Periods Processing" Damage Limitation
© 2002-2004 Objective Interface Systems, Inc. 99
Partitioning the ChannelPartitioning the Channel
A
E
C
F
D
B
© 2002-2004 Objective Interface Systems, Inc. 1010
Properties of ChannelsProperties of Channels
! Known or predictable capacity and latency! Reliability delivery, message integrity! Confidentiality protection! Observability protection
© 2002-2004 Objective Interface Systems, Inc. 1111
How Did We Get Here?How Did We Get Here?
! Started with CORBA for MILS! Conducted a threat collecting exercise! Presented multiple partitioning architectures! Problems with ORB-in-a-partition! Some parts must be in same partition as client! What’s left is a PCS
© 2002-2004 Objective Interface Systems, Inc. 1212
Where to Make the Cut?Where to Make the Cut?
Generated CORBAStubs/Skeletons
Application Client/Server
ORB Core
Threading Mgt.
Network TransportInterface
© 2002-2004 Objective Interface Systems, Inc. 1313
What the PCS is notWhat the PCS is not
! Not a Guard or Application Firewall" Doesn’t examine message content" Can’t enforce security policies delegated to the application
layer
© 2002-2004 Objective Interface Systems, Inc. 1414
What the PCS is Similar toWhat the PCS is Similar to
! Some functionality in common with Kang and Moskowitz’s “Pump” (1993)" “…to provide quantifiable security, acceptable reliability, and
minimal performance penalties by interposing a device (called the Pump) to push messages to the high system and provide a controlled stream of acknowledgements to the low system.”
© 2002-2004 Objective Interface Systems, Inc. 1515
The PCS & RealThe PCS & Real--TimeTime
! Real-Time and Anything…! One-way information flow policy means:
" No acknowledgements allowed;" Blind up-writing is unreliable... Unless;" We’re sure the receiving end will keep up.
© 2002-2004 Objective Interface Systems, Inc. 1616
The PCS’s EnvironmentThe PCS’s Environment
! Policies" P.DATA_ISOLATION" P.INFO_FLOW
! Threats" T.COVERT_COMM" T.EAVESDROP" T.MASQUERADE
! Assumptions" A.PARTIONING_KERNEL" A.REAL-TIME_KERNEL
© 2002-2004 Objective Interface Systems, Inc. 1717
PCS Security FunctionsPCS Security Functions
! Information Flow Policy enforcement! Channel capacity (bandwidth) management! End-point authentication! Message encryption (optional)
" For confidentiality on the wire" For down-grading ahead of a less-trustworthy device driver
! Traffic padding (optional)
© 2002-2004 Objective Interface Systems, Inc. 1818
More on Information Flows…More on Information Flows…
! “Crosstalk” – disallowed comm. between subjects! Subject to external entity! External entity to subject
© 2002-2004 Objective Interface Systems, Inc. 1919
Finally, CORBA AgainFinally, CORBA Again
! MILS" Implementation location as configuration" Result of rigorous analysis
! CORBA" Implementation location transparency" Focus is on flexibility
© 2002-2004 Objective Interface Systems, Inc. 2020
“Challenges”“Challenges”
! Synchronization of distributed configuration info.! Crypto key management! Interaction with kernel’s time-partitioning! Composition from assured components
© 2002-2004 Objective Interface Systems, Inc. 2121
Contact InformationContact Information
Objective Interface Systems, Inc
www.ois.com
+1 703 295 6500