Raytheon Secure Systems and Networks


Technology Today, 2007 Issue 2

Delivering Mission Assurance in a Hostile Cyberspace


Multi-level security (MLS) has been a holy grail ever since the early days of applying computer systems to meet the automation needs of military and intelligence systems. In the 1970s, MITRE published a series of papers (by Bell and LaPadula) that describe the issues and rules of determining access rights of individual users to information, based on their credentials. In fact, in 1971, Dr. Roger Schell (then a U.S. Air Force major) conducted his Ph.D. research at MIT on the Multics OS protection rings.

Although multiple initiatives in the 1980s and ‘90s were launched to tackle the MLS “problem,” the issue is still with us today. This article addresses the background of the issues involved in solving the general MLS problem. It also describes both the security functionality and the assurance needs of the Department of Defense (DoD) community of users and possible solutions to address those needs.

The DoD has a goal of fielding systems that provide the right information at the right time to the right person. In many cases, this goal is difficult to achieve due to the security classification of the data. To properly safeguard information today, many DoD information systems are separated into domains at the highest classification level of any data in the domain. They are commonly referred to as “system high” domains. If an individual does not possess a security clearance to access a domain, they are denied access to all information within the domain, even though some of the information may have originated at a lower classification and thus should be accessible to the individual. To ameliorate this problem, high-speed guards requiring additional hardware and processing overhead, or labor-intensive procedures such as manually reviewing data, are commonly used when moving data between domains. The single-level security domain paradigm is not compatible with the time-sensitive collaborative processing environment needed to support net-centric operations and the systems of element approach where information is first published, then later subscribed. The concept of using single-level security domains results in over-clearing personnel, over-classifying data and creating system inefficiencies and redundancies.

To minimize or eliminate these problems, the concept of MLS systems was developed. MLS eliminates the need for these separate domains. MLS systems reduce the total cost of ownership by eliminating hardware and software redundancies. Top secret, secret, confidential and unclassified data all can reside in a single MLS domain. MLS provides the ability to simultaneously receive, process, store and disseminate data of multiple classifications within a domain where not all users have the security clearance to access all the data within the domain. MLS needs to permeate the computing environment (workstations, servers and operating systems), the network, the database and the mission applications; all must work together to maintain trust. MLS systems must assure that users are granted access to all the data, systems and services for which they are authorized, while denying them access if they are not authorized. Figure 1 illustrates a traditional configuration using guards between security domains on the left and an MLS enclave on the right.

Multinational Information Systems

The next major research milestone is to tackle the issue of multinational information systems (MNIS). MNIS are inherent in battle command to ensure the timely exchange of information across all coalition member domains and government agencies. Raytheon is doing research with the DoD to identify the issues and potential solutions under a study contract. With the proliferation of coalition operations and joint operations, the issue of information separation becomes even more challenging. Not only must the information be separated by clearance levels according to each country’s security policy, but well-defined information must be shared across multiple countries, where agreements to share are on a bilateral basis. Information releasable to certain countries is not releasable to other coalition partners. This complicated set of access control rules makes the Bell-LaPadula hierarchical security model of “write up, read down” traditionally used in MLS systems look simple. Raytheon is currently working to solve this demanding challenge of sharing information in the presence of multiple compartments within single security levels.

The Benefits of Multi-Level Security

Col. Roger Schell was the deputy director of the National Security Agency’s (NSA) National Computer Security Center (NCSC) as it was formed in the early 1980s. Dr. Kenneth Kung joined NCSC in 1984 as one of the system evaluators using the famous Orange Book. He learned his information assurance techniques from Dr. Schell and other early pioneers in this field (e.g., Steve Walker, David Bell, Marv Schaefer, Earl Boebert). Dr. Kung is a co-author of and contributor to several other Rainbow Series guidelines. NSA remains the premier organization in which to learn the latest information system and weapon system protection techniques.

Figure 1. Traditional configuration with one domain per security classification (Unclassified, Secret and Top Secret domains, each with its own computing environment, switch/router and data store, connected through High Speed Guards) versus a single multi-level security (MLS) domain holding Unclassified through Top Secret data stores.

Trusted Operating Systems

There are several common approaches when attempting to provide MLS capability. One is to use a trusted operating system that attaches sensitivity labels to all objects within the domain. (Sun’s Trusted Solaris™ is an example of a trusted operating system.) Sensitivity labels identify security classification and handling restrictions of the object. The sensitivity labels are compared to the user’s security clearance and privileges to determine if access to the object is allowed. These operating systems are proprietary, tend to be very difficult to administer, and are at times extremely cumbersome to use. Because of their size and complexity, they have typically been evaluated only to a medium level of robustness. Due to administrative difficulties, customers often prefer less trustworthy operating systems such as Windows.
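To make the label comparison concrete, the following is an added example (not code from the article, from Trusted Solaris or from any Raytheon product) of the Bell-LaPadula dominance check a trusted operating system applies when it compares an object's sensitivity label with a user's clearance. It also covers the compartments raised in the multinational section above: once labels carry compartments, the simple "write up, read down" ordering becomes a lattice in which two labels at the same level can be incomparable. The level names, compartment names and the sample subjects and objects are constructed for illustration.

```python
"""Sensitivity labels and Bell-LaPadula dominance checks (added example)."""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classification levels, lowest first (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a hierarchical level plus a set of compartments
    (caveats or releasability markings)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its level is at least as high AND it
        holds every compartment other holds. Compartments make this a
        lattice rather than a simple ordering: two SECRET labels with
        disjoint compartments dominate neither each other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("read down"): the subject's clearance must
    dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("write up"): the object's label must dominate the subject's
    clearance, so information never flows to a lower or incomparable label."""
    return obj.dominates(subject)


def access_decision(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor style entry point: every access is mediated here."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample clearance and objects; "CMPT-A"/"CMPT-B" are
    # placeholder compartment names, not real markings.
    analyst = Label("SECRET", frozenset({"CMPT-A"}))
    ts_report = Label("TOP SECRET")
    secret_a = Label("SECRET", frozenset({"CMPT-A"}))
    secret_b = Label("SECRET", frozenset({"CMPT-B"}))
    print(access_decision(analyst, ts_report, "read"))   # False: level too low
    print(access_decision(analyst, secret_a, "read"))    # True
    print(access_decision(analyst, secret_b, "read"))    # False: missing compartment
    print(access_decision(analyst, ts_report, "write"))  # True: write up is allowed
```

The design point is that `dominates` is the only comparison in the module and both access rules are expressed through it; a guard or a trusted OS that implements labels this way has one place to evaluate and test.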

Multiple Independent Levels

of Security

Another approach being developed to provide MLS capability is called Multiple Independent Levels of Security (MILS). Raytheon has been working with the Air Force Research Laboratory Information Directorate, the Cryptographic Modernization Program and the National Security Agency for several years on the foundational components for this high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels of Security (MSLS).

The goal of the MILS program is to establish a viable commercial market for high assurance, standards-based commercial off-the-shelf (COTS) products that can be used to produce NSA-accredited systems. By leveraging COTS products that conform to the DO-178B safety standard, it is anticipated that the wider customer base for these products will result in a lower cost to DoD security customers. MILS has a layered architecture that enforces an information flow and data isolation security policy. At the bottom layer of the architecture is a small but highly trusted separation kernel. A separation kernel executes on processors such as Pentiums and PowerPCs to provide a virtual machine upon which a variety of COTS operating systems (e.g., Windows, Linux, Solaris) can be hosted. The separation kernel provides a high robustness reference monitor [1] to enable this separation and to control communication between untrusted applications and data objects at various levels of classification/caveats on a single processor. It also enables trusted applications to execute on the same processor as untrusted applications, while ensuring that the trusted applications will not be compromised or interfered with in any way by the untrusted applications (see Figure 2). Security policy enforcement mediated by the separation kernel is non-bypassable, always invoked and tamper-proof, because it is the only software that runs in privileged mode on the processor. Thus, systems with applications at different security levels/caveats require fewer processing resources.

The separation kernel’s security requirements are specified in the NSA’s U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, now in its final draft. A separation kernel can be evaluated to a high level of assurance (Evaluation Assurance Level 6+, or EAL 6+) because it is very small, on the order of 4,000 lines of C-language code. Although originally targeted to real-time, embedded systems, the Separation Kernel Protection Profile (SKPP) has been generalized to provide the security requirements for a high assurance virtual machine on which operating systems with medium or no assurance, such as Windows, can execute in separate partitions without degrading the assurance of the overall system.
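The following is an added model (not code from the article, from the SKPP or from any vendor's separation kernel) of the one job the two paragraphs above give the separation kernel: mediating every inter-partition message against a fixed information-flow policy that partitions cannot alter. The partition names, the flow table, the level ordering, the release rule in the trusted downgrader and the messages are all constructed for illustration; a real kernel enforces the same thing in hardware-backed address spaces rather than Python objects.

```python
"""Model of a MILS separation kernel's information-flow policy (added example)."""
from collections import deque
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}   # constructed ordering


class FlowDenied(Exception):
    """Raised when a partition tries to communicate outside the static policy."""


@dataclass
class Partition:
    name: str
    level: str              # level the partition runs at (MSL partition) or "MLS"
    trusted: bool = False   # True only for evaluated trusted components, e.g. a downgrader
    inbox: deque = field(default_factory=deque)


class SeparationKernel:
    """Mediates every inter-partition message against a fixed flow table.

    The table is supplied once at construction (a real kernel loads it as
    configuration data at boot) and there is deliberately no method to
    change it at run time, so untrusted partitions can neither bypass nor
    tamper with it. Every attempt is mediated; denials are recorded for the
    security officer.
    """

    def __init__(self, partitions, allowed_flows):
        self._parts = {p.name: p for p in partitions}
        self._flows = frozenset(allowed_flows)   # (source, destination) pairs
        self.audit = []                           # ("DENY", src, dst) records
        self._check_policy()

    def _check_policy(self):
        """Configuration-time check (constructed rule): a downward flow between
        two untrusted single-level partitions is never allowed; only a trusted
        component may bridge levels."""
        for src, dst in self._flows:
            s, d = self._parts[src], self._parts[dst]
            if not (s.trusted or d.trusted) and LEVELS[d.level] < LEVELS[s.level]:
                raise ValueError(f"policy would leak {s.level} data to {d.level}: {src}->{dst}")

    def send(self, src: str, dst: str, payload: bytes) -> None:
        if (src, dst) not in self._flows:
            self.audit.append(("DENY", src, dst))
            raise FlowDenied(f"{src} -> {dst} not permitted by flow policy")
        self._parts[dst].inbox.append((src, payload))

    def receive(self, name: str):
        box = self._parts[name].inbox
        return box.popleft() if box else None


def build_demo_system() -> SeparationKernel:
    """Two single-level application partitions and one trusted downgrader.
    The only path from TOP SECRET to SECRET runs through the downgrader;
    the upward path (SECRET -> TOP SECRET) is direct, as BLP permits."""
    parts = [
        Partition("ts_app", "TOP SECRET"),
        Partition("s_app", "SECRET"),
        Partition("downgrader", "MLS", trusted=True),
    ]
    flows = {("ts_app", "downgrader"), ("downgrader", "s_app"), ("s_app", "ts_app")}
    return SeparationKernel(parts, flows)


def direct_flow_blocked(kernel: SeparationKernel) -> bool:
    """True if the untrusted TS partition cannot talk straight to the SECRET one."""
    try:
        kernel.send("ts_app", "s_app", b"direct attempt")
    except FlowDenied:
        return True
    return False


def mediated_flow(kernel: SeparationKernel, payload: bytes):
    """Pass a TS message through the trusted downgrader; returns what, if
    anything, reaches the SECRET partition. The release rule (constructed)
    only forwards content explicitly marked RELEASABLE."""
    kernel.send("ts_app", "downgrader", payload)
    _, msg = kernel.receive("downgrader")
    if msg.startswith(b"RELEASABLE:"):
        kernel.send("downgrader", "s_app", msg[len(b"RELEASABLE:"):])
    got = kernel.receive("s_app")
    return got[1] if got else None


if __name__ == "__main__":
    k = build_demo_system()
    print(direct_flow_blocked(k), k.audit)            # True [('DENY', 'ts_app', 's_app')]
    print(mediated_flow(k, b"RELEASABLE:weather"))   # b'weather'
    print(mediated_flow(k, b"sensor track 42"))      # None
```

Two properties of the text are visible in the model: the policy is non-bypassable because `send` is the only way for a partition to reach another partition's inbox, and the downgrader runs as an ordinary partition, so a defect in it cannot change the flow table, only misjudge the messages it is handed.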

The Green Hills Software (GHS) Integrity Separation Kernel is available commercially and is currently undergoing evaluation at a high robustness level by a National Information Assurance Partnership (NIAP) accredited Common Criteria Testing Laboratory. It is targeted for embedded and server applications running on PowerPC and Intel® processors. The Integrity Separation Kernel is being used in Raytheon’s Space and Airborne Systems NETSecure internal research and development effort to develop an MLS network processor that can be incorporated in legacy platforms such as the F/A-18 and B-2 to enable data fusion, sensor integration, distributed targeting and net-centric operations.

Two other COTS operating system vendors, LynuxWorks and Wind River, have also developed separation kernels conforming to the SKPP that are available as Beta versions. In addition, GHS has demonstrated a high assurance Windows workstation running on their Padded Cell™ technology, which is based on their separation kernel. Separation kernels from the three vendors have been demonstrated publicly running a Raytheon application.

Raytheon is fielding a product called CHAIN (Compartmented High Assurance Information Network). CHAIN permits the separation of information by compartments (as the name implies). Until the true MLS system is available, Raytheon is fielding CHAIN in multiple systems to separate information from different domains using the compartment enforcement mechanism. There are multiple commercial operating systems that allow this enforcement. To upgrade from compartments to multi-level security, the underlying operating system must meet the functionality and trust discussed in this article.

[1] IAEC 3285, NSA Infosec Design Course, High Robustness Reference Monitors version 3, Michael Dransfield, W. Mark Vanfleet.

Raytheon has also conducted research in the area of Partitioning Communication Systems (PCS), which enable trust relationships and data separation to be established between processors in a MILS enclave. The PCS is part of the middleware layer of the MILS architecture. In effect, the PCS functions as a data flow guard by controlling the information that flows between an application and the network. When running in a separate partition on top of a high assurance separation kernel (see Figure 2), a PCS provides data separation and controls the flow of information between processors in a manner that is non-bypassable, always invoked and tamper-proof. The PCS also provides separation by encrypting data before it is delivered to device drivers or the network interface. This enables the use of COTS network components in secure environments and may also eliminate the need for some guards in cases where downgrading is not required. With Objective Interface Systems (OIS) as a subcontractor, Raytheon is responsible for the development of the security requirements documented in the Partitioning Communications System Protection Profile (PCSPP). OIS is independently developing the first PCS, working closely with the three separation kernel vendors, and intends to have it evaluated at a high robustness level.

The PCS has been demonstrated publicly on the GHS separation kernel running on Intel processors. A version of the PCS for PowerPC is currently under development. Protection profiles and products for other MILS middleware components are in various stages of development. As a subcontractor to Raytheon under an AFRL CRAD program, SRI International has started work on a MILS Network System Protection Profile. A MILS file system and MILS CORBA protection profile have also been proposed. Trusted components such as downgraders, firewalls, virus protection, and intrusion detection and protection are employed at the application level in the MILS architecture. These efforts are expected to continue over the next several years.

Guard Technology

Evaluated MILS products are still years away from being available in general workstations and servers. In the meantime, there is a need to provide capabilities to connect systems composed of various security levels together, while granting access to only authorized users of the data. One of the key technologies that support data sharing between security domains is the security guard that sits between different security domains. Raytheon has developed a product called High Speed Guard to support the user community’s need for data sharing between single-level domains.

What Is a Guard, Anyway?

Current security policies require a “trusted” entity to independently validate data being moved between top secret, secret and unclassified networks. These products are commonly known as “trusted guards,” “high assurance guards” or just “guards.” Guards typically function as proxies, providing security separation between the two systems being connected. There are three main functions for a guard:

• Network separation

• Mandatory access control

• Data validation

Network Separation

A guard’s high-security (“high”) side network interface has an IP address on the “high” side network, while the guard’s low side network interface uses an IP address from the low side network. Thus, the guard provides network separation and typically enforces source/destination IP via some firewall mechanism in the guard.

Mandatory Access Control

Another requirement for guards is to enforce Mandatory Access Control (MAC). Per current security policy, a trusted operating system such as Trusted Solaris is required to meet MAC requirements. In a trusted operating system, the operating system carries label information on all components on the system (memory, file systems, network interfaces, etc.) and provides APIs for systems such as guards to move data between security levels.

Figure 2. Representative MILS Architecture. Legend: MILS - Multiple Independent Levels of Security; MSL - Multi Single Level; MLS - Multi Level Secure; SL - Single Level. Application (user mode) partitions shown: Token Service Driver (MSL), File System Driver (MSL), Network Interface Unit (MSL), PCS (MLS), Console Manager (MSL), Trusted Path, and three Guest OS/Middleware partitions (SL). Supervisor mode: RTOS micro kernel (MILS separation kernel) running on the processor.

Data Validation

Guards must validate that the data passing through them is authorized. Guards typically enforce different checks depending on the direction the data is flowing.

When data is passed from high to low, the main focus of data validation is to ensure that only data authorized at the lower network’s security level is passed. Several options exist for performing this check:

• Classification rules to independently interrogate the data to determine its classification

• Verify existing labels on data

• Verify the upstream system’s digital signature on data, if provided

The correct option depends on a particular system’s data formats.

The prevention of malicious content is the primary concern when moving data from a lower network. For file-based transfers, virus scanning is the primary mechanism for meeting this requirement. For streaming data, virus scanning is problematic, so data validation can be used to verify that the content of the data is valid and that there is no unknown content.
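The following added example (not the Raytheon High Speed Guard rules language or any real guard's logic) shows the two directions of data validation just described on a small message format. The message layout (colon-separated "Key: value" lines, modelled on the fields shown in Figure 3), the classification rule, the signing key and the sample messages are constructed for illustration, and HMAC-SHA256 stands in for the upstream system's digital signature; a production guard would verify an asymmetric signature against the upstream system's certificate. High-to-low applies all three options from the list above (upstream signature, the message's own label, an independent classification rule) and passes data only if every check agrees it is releasable; low-to-high accepts only fields in a fixed schema with values of the expected shape, so unknown content is rejected rather than scanned.

```python
"""Guard-style data validation for high-to-low and low-to-high transfers (added example)."""
import hashlib
import hmac
import re

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
UPSTREAM_KEY = b"constructed-demo-key"   # placeholder for the upstream signer's key

# Low-to-high schema: every permitted field and the exact value shape it may carry.
# Field names follow the sample message in Figure 3; the patterns are constructed.
SCHEMA = {
    "Msg": re.compile(r"[A-Z0-9]{1,8}"),
    "Class": re.compile(r"U|C|S|TS"),
    "Dataset ID": re.compile(r"[A-Z0-9]{1,16}"),
    "Current": re.compile(r"[A-Z0-9]{1,16}"),
    "Coordinates": re.compile(r"\d{5}[NS]\d{6}[EW]"),
}


def parse(message: str) -> dict:
    """Parse 'Key: value' lines; any line without a colon is a format error."""
    fields = {}
    for line in message.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def sign(message: str) -> str:
    """Stand-in for the upstream system's digital signature (HMAC-SHA256)."""
    return hmac.new(UPSTREAM_KEY, message.encode(), hashlib.sha256).hexdigest()


def classification_rule(fields: dict) -> str:
    """Independent classification of the content (constructed rule): any
    message carrying coordinates is treated as at least SECRET."""
    return "S" if "Coordinates" in fields else "U"


def validate_high_to_low(message: str, signature: str, low_level: str) -> tuple:
    """Returns (allowed, reason). The message passes only if the upstream
    signature verifies, it carries a known label, and the higher of the label
    and the independent rule is at or below the destination network's level."""
    if not hmac.compare_digest(sign(message), signature):
        return False, "signature invalid"
    fields = parse(message)
    label = fields.get("Class")
    if label not in LEVELS:
        return False, "missing or unknown label"
    effective = max(LEVELS[label], LEVELS[classification_rule(fields)])
    if effective > LEVELS[low_level]:
        return False, f"content classified above {low_level}"
    return True, "ok"


def validate_low_to_high(message: str) -> tuple:
    """Returns (allowed, reason). The concern in this direction is malicious
    content, so only schema fields with values of the expected shape pass;
    an unknown field or an unexpected value shape rejects the whole message."""
    try:
        fields = parse(message)
    except ValueError as exc:
        return False, str(exc)
    for key, value in fields.items():
        pattern = SCHEMA.get(key)
        if pattern is None:
            return False, f"unknown field {key!r}"
        if not pattern.fullmatch(value):
            return False, f"unexpected content in {key!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample message using the Figure 3 fields.
    msg = "Msg: ABCD\nClass: S\nDataset ID: Y\nCurrent: Z\nCoordinates: 12345N095432E"
    print(validate_high_to_low(msg, sign(msg), "TS"))   # (True, 'ok')
    print(validate_high_to_low(msg, sign(msg), "U"))    # (False, 'content classified above U')
    print(validate_low_to_high(msg))                     # (True, 'ok')
    print(validate_low_to_high("Msg: ABCD\nNote: free text"))  # (False, "unknown field 'Note'")
```

Note that the high-to-low decision takes the maximum of the label and the independent rule: a message labelled U that nonetheless carries coordinates is held back, which is the point of interrogating the data rather than trusting the label alone.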

Raytheon High Speed Guard

Figure 3 illustrates a typical use of the Raytheon guard.

Raytheon’s High Speed Guard was built for high bandwidth needs within the intelligence community. Key features of our guard:

• Performance: Currently achieves 850 Mb/sec on 1 Gigabit networks and 4.5 Gb/sec on 10 Gigabit networks.

• History: Our guard has been in use since 1998 and has over 144 units operational. It has been certified by multiple agencies at Director of Central Intelligence Directive (DCID) 6/3 Protection Level 4.

• Flexibility: The Raytheon guard supports TCP/IP socket-based transfers and file-based transfer, and has a Human Review capability that utilizes digital signature validation. The guard is also rehostable to various trusted platforms. Raytheon’s current platform is Sun using Trusted Solaris 8. Raytheon also supports Silicon Graphics Incorporated (SGI) hardware running Trusted Irix, but that OS is being end-of-lifed in 2012. Raytheon plans to support SELinux in the next 12–18 months and may also support Solaris 10 with Trusted Extensions.

• Ease of Use: The Raytheon guard comes with complete documentation and training, enabling end users to maintain it, if desired. The rules language is straightforward but very powerful, and includes full XML parsing capability.

Carolyn Boettcher, [email protected]; Kenneth Kung, [email protected]; Jerry Lebowitz, [email protected]; Kevin Cariker, [email protected]

Figure 3. The Raytheon High Speed Guard provides a high-bandwidth, low-latency cross-domain solution for most intelligence community and DoD data types. (The figure shows Data Feed 1, Data Feed 2 through Data Feed n at Classification X passing through the High Speed Guard, as large file transfers and message transfers, to Classification Y; the sample message carries the fields Msg: ABCD, Class: S, Dataset ID: Y, Current: Z, Coordinates: 12345N095432E.)

Kenneth Kung, Ph.D., a principal engineering fellow for Raytheon’s Network Centric Systems (NCS) business, has over 26 years of system and software engineering experience, including 22 years with Raytheon. Currently, he is leading the architecture capability area for NCS on the Enterprise Net-centric Integration Capability (ENIC) initiative, which seeks to change the way we develop solutions and capabilities for Raytheon customers. He leads the development of reference architectures, solution architectures and architecture governance. This effort transforms our culture by enhancing our speed to market, speed to demo and ability to cost appropriately. Kung represents NCS on the Corporate Architecture Review Board. Some of the board’s functions include developing a strategy to train system architects, ensuring the interoperability of various systems, and recommending Raytheon architecture directions involving our customers. He participates in several industry consortia and standards committees, including the Net Centric Operations International Consortium, the Open Group Architecture Forum, the ISO/IEC JT1 Subcommittee 27 on Cyber Security U.S. Technical Advisory Group, and the Systems Architecture Forum. From these external boards, Kung has been able to learn and exchange lessons with others in the industry.

From 2004–2005, Kung was the Architecture Technology Area Director at Corporate Engineering, where he led the initial development of the taxonomy of the reference architectures and C2 reference architecture. Before coming to Raytheon, Kung worked at the Aerospace Corporation, supporting the National Security Agency on information security product evaluation. He has been lecturing in colleges for more than 30 years on topics such as information security and communication networks. He has also served on the advisory boards of Harvey Mudd College and California State University, Fullerton. Kung received his bachelor’s degree in engineering from UCLA. He later received his master’s and doctorate degrees in computer science, also from UCLA. He is a Certified Raytheon Six Sigma Expert™ and Raytheon Certified Architect.


Copyright © 2007 Raytheon Company. All rights reserved. Approved for public release. Printed in the USA.

Customer Success Is Our Mission is a trademark of Raytheon Company. Capability Maturity Model,CMM and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

Do you have a great idea for an article?

We are always looking for ways to connect with you — our engineering, technology and Mission Assurance professionals. If you have an article or an idea for an article regarding technical achievements, customer solutions, relationships, Mission Assurance, etc., send it along. If your topic aligns with a future issue of Technology Today or is appropriate for an online article, we will be happy to consider it and will contact you for more information. Send your article ideas to [email protected]. We’re waiting to hear from you!
