Technology Today: Highlighting Raytheon's Technology, 2007 Issue 2
Raytheon Secure Systems and Networks: Delivering Mission Assurance in a Hostile Cyberspace

Feature: The Benefits of Multi-Level Security

Multi-level security (MLS) has been a holy grail ever since the early days of applying computer systems to meet the automation needs of military and intelligence systems. In the 1970s, MITRE published a series of papers (by Bell and LaPadula) that describe the issues and rules for determining the access rights of individual users to information, based on their credentials. In fact, in 1971, Dr. Roger Schell (then a U.S. Air Force major) conducted his Ph.D. research at MIT on the Multics OS protection rings.

Col. Roger Schell was the deputy director of the National Security Agency's (NSA) National Computer Security Center (NCSC) as it was formed in the early 1980s. Dr. Kenneth Kung joined NCSC in 1984 as one of the system evaluators using the famous Orange Book. He learned his information assurance techniques from Dr. Schell and other early pioneers in this field (e.g., Steve Walker, David Bell, Marv Schaefer, Earl Boebert, etc.). Dr. Kung is the co-author of and contributor to several other Rainbow Series guidelines, while NSA remains the premier organization to learn the latest information system and weapon system protection techniques.

Although multiple initiatives in the 1980s and '90s were launched to tackle the MLS "problem," the issue is still with us today. This article addresses the background of the issues involved in solving the general MLS problem. It also describes both the security functionality and the assurance needs of the Department of Defense (DoD) community of users and possible solutions to address those needs.

The DoD has a goal of fielding systems that provide the right information at the right time to the right person. In many cases, this goal is difficult to achieve due to the security classification of the data. To properly safeguard information today, many DoD information systems are separated into domains at the highest classification level of any data in the domain. They are commonly referred to as "system high" domains. If an individual does not possess a security clearance to access a domain, they are denied access to all information within the domain, even though some of the information may have originated at a lower classification and thus should be accessible to the individual. To ameliorate this problem, high-speed guards requiring additional hardware and processing overhead, or labor-intensive procedures such as manually reviewing data, are commonly used when moving data between domains.

The single-level security domain paradigm is not compatible with the time-sensitive collaborative processing environment needed to support net-centric operations and the systems of elements approach where information is first published, then later subscribed. The concept of using single-level domains results in over-clearing personnel, over-classifying data and creating system inefficiencies and redundancies. To minimize or eliminate these problems, the concept of MLS systems was developed. MLS eliminates the need for these separate domains. MLS systems reduce the total cost of ownership by eliminating hardware and software redundancies. Top secret, secret, confidential and unclassified data can all reside in a single MLS domain. MLS provides the ability to simultaneously receive, store and disseminate data of multiple classifications within a domain where not all users have the security clearance to access all the data within the domain. MLS needs to permeate the computing environment (workstations, servers and operating systems), the network, the database and the mission applications — all must work together to maintain trust. MLS systems must assure that users are granted access to all the data, systems and security services for which they are authorized, while denying them access if they are not authorized.

Figure 1 illustrates a traditional configuration using guards between security domains on the left and an MLS enclave on the right.

Figure 1. Traditional vs. MLS Enclaves. (Image not reproduced. Left: traditional, one domain per security classification: separate Unclassified, Secret and Top Secret domains, each with its own data store, computing environment and switch/router, connected through High Speed Guards. Right: a single MLS domain whose data store holds Unclassified through Top Secret data behind one switch/router and computing environment.)

Multinational Information Systems

The next major research milestone is to tackle the issue of multinational information systems (MNIS). MNIS are inherent in battle command to ensure the timely exchange of information across all coalition member domains and government agencies. Raytheon is doing research with the DoD to identify the issues and potential solutions under a study contract. With the proliferation of coalition operations and joint operations, the issue of information separation becomes even more challenging. Not only must the information be separated by clearance levels under each country's security policy, but well-defined information must be shared across multiple countries, where agreements to share are on a bilateral basis. Information releasable to certain countries is not releasable to other coalition partners. This complicated set of access control rules makes the Bell-LaPadula hierarchical security model of "write up, read down" traditionally used in MLS systems look simple. Raytheon is currently working to solve this demanding challenge of sharing information in the presence of multiple compartments within single security levels.

Raytheon is fielding a product called CHAIN (Compartmented High Assurance Information Network). CHAIN permits the separation of information by compartments (as the name implies). Until a true MLS system is available, Raytheon is fielding CHAIN in multiple systems to separate information from different domains using the compartment enforcement mechanism. There are multiple commercial operating systems that allow this enforcement. To upgrade from compartments to multi-level security, the underlying operating system must meet the functionality and trust discussed in this article.

Trusted Operating Systems

There are several common approaches when attempting to provide MLS capability. One is to use a trusted operating system that attaches sensitivity labels to all objects within the domain. (Sun's Trusted Solaris™ is an example of a trusted operating system.) Sensitivity labels identify the security classification and handling restrictions of the object. The sensitivity labels are compared to the user's security clearance and privileges to determine if access to the object is allowed. These operating systems are proprietary, tend to be very difficult to administer, and are at times extremely cumbersome to use. Because of their size and complexity, they have typically been evaluated only to a medium level of robustness. Due to administrative difficulties, customers often prefer less trustworthy operating systems such as Windows.

Multiple Independent Levels of Security

Another approach being developed to provide MLS capability is called Multiple Independent Levels of Security (MILS). Raytheon has been working with the Air Force Research Laboratory Information Directorate, the Cryptographic Modernization Program and the National Security Agency for several years on the foundational components for this high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels of Security (MSLS).

The goal of the MILS program is to establish a viable commercial market for high assurance, standards-based commercial off-the-shelf (COTS) products that can be used to produce NSA-accredited systems. By leveraging COTS products that conform to the DO-178B safety standard, it is anticipated that the wider customer base for these products will result in a lower cost to DoD security customers.

MILS has a layered architecture that enforces an information flow and data isolation security policy. At the bottom layer of the architecture is a small but highly trusted separation kernel. A separation kernel executes on processors such as Pentiums and PowerPCs to provide a virtual machine upon which a variety of COTS operating systems (e.g., Windows, Linux, Solaris, etc.) can be hosted. The separation kernel provides a high robustness reference monitor¹ to enable this separation and to control communication between untrusted applications and data objects at various levels of classification/caveats on a single processor. It also enables trusted applications to execute on the same processor as untrusted applications, while ensuring that the trusted applications will not be compromised or interfered with in any way by the untrusted applications (see Figure 2). Security policy enforcement mediated by the separation kernel is non-bypassable, always invoked and tamper-proof, because it is the only software that runs in privileged mode on the processor. Thus, systems with applications at different security levels/caveats require fewer processing resources.

The separation kernel's security requirements are specified in the NSA's U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, now in its final draft. A separation kernel can be evaluated to a high level of assurance (Evaluation Assurance Level (EAL) 6+), because it is very small — on the order of 4,000 lines of C-language code. Although originally targeted at real-time, embedded systems, the Separation Kernel Protection Profile (SKPP) has been generalized to provide the security requirements for a high assurance virtual machine on which operating systems with medium or no assurance, such as Windows, can execute in separate partitions without degrading the assurance of the overall system.

The Green Hills Software (GHS) Integrity Separation Kernel is available commercially and is currently undergoing evaluation at a high robustness level by a National Information Assurance Partnership (NIAP) accredited Common Criteria Testing Laboratory. It is targeted for embedded and server applications running on PowerPC and Intel® processors. The Integrity Separation Kernel is being used in Raytheon's Space and Airborne Systems NETSecure internal research

Continued on page 10

¹ IAEC 3285, NSA Infosec Design Course, High Robustness Reference Monitors version 3, Michael Dransfield, W. Mark Vanfleet.

Continued from page 9

and development effort to develop an MLS network processor that can be incorporated in legacy platforms such as the F/A-18 and B-2 to enable data fusion, sensor integration, distributed targeting and net-centric operations.

Two other COTS operating system vendors, LynuxWorks and Wind River, have also developed separation kernels conforming to the SKPP that are available as Beta versions. In addition, GHS has demonstrated a high assurance Windows workstation running on their Padded Cell™ technology, which is based on their separation kernel. Separation kernels from the three vendors have been demonstrated publicly running on a Raytheon application.

Figure 2. Representative MILS Architecture. (Image not reproduced. Application partitions run in user mode above the RTOS microkernel (the MILS separation kernel), which runs in supervisor mode on the processor with the MMU and inter-partition communications. The partitions shown include single-level application partitions, guest OS/middleware partitions, a trusted path console, token and file system drivers, a network interface unit and the PCS manager service, each labelled SL, MSL or MLS. Key: MILS = Multiple Independent Levels of Security; MSL = Multi Single Level; MLS = Multi Level Secure; SL = Single Level.)

Raytheon has also conducted research in the area of Partitioning Communication Systems (PCS), which enable trust relationships and data separation to be established between processors in a MILS enclave. PCS is part of the middleware layer of the MILS architecture. In effect, the PCS functions as a data flow guard by controlling the information that flows between an application and the network.

When running in a separate partition on top of a high assurance separation kernel (see Figure 2), a PCS provides data separation and controls the flow of information between processors in a manner that is non-bypassable, always invoked and tamper-proof. The PCS also provides separation by encrypting data before it is delivered to device drivers or the network interface. This enables the use of COTS network components in secure environments and may also eliminate the need for some guards in cases where downgrading is not required.

With Objective Interface Systems (OIS) as a subcontractor, Raytheon is responsible for the development of the security requirements documented in the Partitioning Communications System Protection Profile (PCSPP). OIS is independently developing the first PCS, working closely with the three separation kernel vendors, and intends to have it evaluated at a high robustness level. The PCS has been demonstrated publicly on the GHS separation kernel running on Intel processors. A version of the PCS for PowerPC is currently under development.

Protection profiles and products for other MILS middleware components are in various stages of development. As a subcontractor to Raytheon under an AFRL CRAD program, SRI International has started work on a MILS Network System Protection Profile. A MILS and MILS CORBA protection profile have also been proposed. Trusted components such as downgraders, firewalls, virus protection, and intrusion detection and protection are employed at the application level in the MILS architecture. These efforts are expected to continue over the next several years.

Guard Technology

Evaluated MILS products are still years away from being available in general workstations and servers. In the meantime, there is a need to provide capabilities to connect systems composed of various security levels together, while granting access only to authorized users of the data. One of the key technologies that support data sharing between security domains is the security guard that sits between different security domains. Raytheon has developed a product called High Speed Guard to support the user community's need for data sharing between single-level domains.

What Is a Guard, Anyway?

Current security policies require a "trusted" entity to independently validate data being moved between top secret, secret and unclassified networks. These products are commonly known as "trusted guards," "high assurance guards" or just "guards." Guards typically function as proxies, providing security separation between the two systems being connected. There are three main functions for a guard:

• Network separation
• Mandatory access control
• Data validation

Network Separation

A guard's high-security ("high") side network interface has an IP address on the "high" side network, while the guard's low side network interface uses an IP address from the low side network. Thus, the guard provides network separation and typically enforces source/destination IP restrictions via some firewall mechanism in the guard.

Mandatory Access Control

Another requirement for guards is to enforce Mandatory Access Control (MAC). Per current security policy, a trusted operating system such as Trusted Solaris is required to meet MAC requirements. In a trusted operating system, the operating system carries label information on all components on the system — memory, file systems, network interfaces, etc. — and provides for systems such as guards to move data between security levels.
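The label comparison a trusted operating system performs (a user's clearance against an object's sensitivity label, following the Bell-LaPadula "read down, write up" rules with compartments) and the static flow policy a separation kernel enforces between partitions can both be expressed with one dominance check. The Python below is an added example written for this article, not code from Raytheon, Sun, GHS or any other vendor named here; the level names, partition names and allowed flows are constructed for illustration, and a trusted MLS partition (such as a PCS or downgrader) is modelled simply as a partition whose label is None.

```python
"""Added example (not from the article or any vendor): Bell-LaPadula label
dominance applied two ways, as a trusted OS does for subject/object access
and as a separation kernel does when checking its inter-partition flow policy.

A label is a hierarchical level plus a set of compartments (caveats). Label A
dominates B when A's level >= B's level and A's compartments include all of
B's. Level and compartment names are constructed for this example.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("read down"): the subject's clearance must
    dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("write up"): the object's label must dominate the subject's,
    so nothing the subject has read can flow to a lower label."""
    return obj.dominates(subject)


def access_mode(subject: Label, obj: Label) -> str:
    """Combine both properties into the mode a trusted OS would grant."""
    r, w = can_read(subject, obj), can_write(subject, obj)
    return {(True, True): "read-write", (True, False): "read-only",
            (False, True): "write-only", (False, False): "none"}[(r, w)]


# --- Separation kernel view: partitions carry labels, flows are an allow-list ---

class SeparationKernel:
    """Minimal model of a reference monitor for inter-partition messages.
    Partitions labelled None are trusted MLS components (e.g. a PCS or a
    downgrader) allowed to bridge levels; every other flow must go "up"."""

    def __init__(self, partitions: dict, allowed_flows: list):
        self.partitions = dict(partitions)      # name -> Label, or None for MLS
        self.allowed = set(allowed_flows)       # (source, destination) pairs
        self.mailboxes = {p: [] for p in partitions}
        self.audit = []

    def policy_violations(self) -> list:
        """Allowed flows between two single-level partitions where the
        destination does not dominate the source would leak data downward;
        report them so the configuration can be rejected before it is loaded."""
        bad = []
        for src, dst in sorted(self.allowed):
            s, d = self.partitions[src], self.partitions[dst]
            if s is not None and d is not None and not d.dominates(s):
                bad.append((src, dst))
        return bad

    def send(self, src: str, dst: str, message: str) -> bool:
        """The only path between partitions: always invoked, decision audited."""
        ok = (src, dst) in self.allowed
        self.audit.append((src, dst, "ALLOW" if ok else "DENY"))
        if ok:
            self.mailboxes[dst].append(message)
        return ok


def demo_kernel() -> SeparationKernel:
    """Constructed configuration: three single-level guest partitions and a
    trusted MLS PCS partition that alone may exchange data with all of them."""
    parts = {"U_guest": Label("UNCLASSIFIED"),
             "S_guest": Label("SECRET"),
             "TS_app": Label("TOP SECRET", frozenset({"CRYPTO"})),
             "PCS": None}
    flows = ([(p, "PCS") for p in parts if p != "PCS"]
             + [("PCS", p) for p in parts if p != "PCS"]
             + [("U_guest", "S_guest")])        # an upward flow is permitted
    return SeparationKernel(parts, flows)


if __name__ == "__main__":
    k = demo_kernel()
    print("violations:", k.policy_violations())
    print("S_guest -> U_guest:", k.send("S_guest", "U_guest", "leak?"))
    print("U_guest -> S_guest:", k.send("U_guest", "S_guest", "ok"))
    print(access_mode(Label("SECRET"), Label("SECRET", frozenset({"NATO"}))))
```

Running the block shows the constructed configuration has no downward flows, that a direct SECRET-to-UNCLASSIFIED send is denied because it is absent from the allow-list even though the kernel never inspects the payload, and that two SECRET labels with different compartments are incomparable, which is the situation the multinational section describes: a clearance at the same level but lacking a compartment gets no access at all.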

Figure 3. The Raytheon High Speed Guard provides a high-bandwidth, low-latency cross-domain solution for most intelligence community and DoD data types. (Image not reproduced. A message "Msg: ABCD, Class: S, Dataset ID: Y, Current: Z, Coordinates: 12345N095432E" on the Classification X side passes through the High Speed Guard to the Classification Y side by large file transfer, message transfer or data transfer from Data Feeds 1 through n.)

Data Validation

Guards must validate that the data passing through them is authorized. Guards typically enforce different checks depending on the direction the data is flowing.

When data is passed from high to low, the main focus of data validation is to ensure that only data authorized at the lower network's security level is passed. Several options exist for performing this check:

• Classification rules to independently interrogate the data to determine its classification
• Verify existing labels on data
• Verify the upstream system's digital signature on data if provided

The correct option depends on a particular system's data formats.

The prevention of malicious content is the primary concern when moving data from a lower network. For file-based transfers, virus scanning is the primary mechanism for meeting this requirement. For streaming data, virus scanning is problematic, so data validation can be used to verify that the content of the data is valid and there is no unknown content.

Raytheon High Speed Guard

Figure 3 illustrates a typical use of the Raytheon guard.

Raytheon's High Speed Guard was built for high bandwidth needs within the intelligence community. Key features of our guard:

Performance: Currently achieves 850 Mb/sec on 1 Gigabit networks and 4.5 Gb/sec on 10 Gigabit networks.

History: Our guard has been in use since 1998 and has over 144 units operational. It has been certified by multiple agencies at Director of Central Intelligence Directive (DCID) 6/3 Protection Level 4.

Flexibility: The Raytheon guard supports TCP/IP socket-based transfers and file-based transfer, and has a Human Review capability that utilizes digital signature validation. The guard is also rehostable to various trusted platforms. Raytheon's current platform is Sun using Trusted Solaris 8. Raytheon also supports Silicon Graphics Incorporated (SGI) hardware running Trusted Irix, but that OS is being end-of-lifed in 2012. Raytheon plans to support SELinux in the next 12–18 months and may also support Solaris 10 with Trusted Extensions.

Ease of Use: The Raytheon guard comes with complete documentation and training, enabling end users to maintain it, if desired. The rules language is straightforward, but very powerful, and includes full XML parsing capability.

Carolyn Boettcher, [email protected]
Kenneth Kung, [email protected]
Jerry Lebowitz, [email protected]
Kevin Cariker, [email protected]

PROFILE: KENNETH KUNG

A principal engineering fellow for Raytheon's Network Centric Systems (NCS) business, Kenneth Kung, Ph.D., has over 26 years of system and software engineering experience, including 22 years with Raytheon. Currently, he is leading the architecture capability area for NCS on the Enterprise Net-centric Integration Capability (ENIC) initiative, which seeks to change the way we develop solutions and capabilities for Raytheon customers. He leads the development of reference architectures, solution architectures and architecture governance. This effort transforms our culture by enhancing our speed to market, speed to demo and ability to cost appropriately.

Kung represents NCS on the Corporate Architecture Review Board. Some of the board's functions include developing a strategy to train system architects, ensuring the interoperability of various systems, and recommending Raytheon architecture directions involving our customers. He participates in several industry consortia and standards committees, including the Net Centric Operations International Consortium, the Open Group Architecture Forum, the ISO/IEC JTC 1 Subcommittee 27 on Cyber Security U.S. Technical Advisory Group, and the Systems Architecture Forum. From these external boards, Kung has been able to learn and exchange lessons with others in the industry.

From 2004–2005, Kung was the Architecture Technology Area Director at Corporate Engineering, where he led the initial development of the taxonomy of the reference architectures and the C2 reference architecture.

Before coming to Raytheon, Kung worked at the Aerospace Corporation, supporting the National Security Agency on information security product evaluation. He has been lecturing in colleges for more than 30 years on topics such as information security and communication networks. He has also served on the advisory boards of Harvey Mudd College and California State University, Fullerton.

Kung received his bachelor's degree in engineering from UCLA. He later received his master's and doctorate degrees in computer science, also from UCLA. He is a Certified Raytheon Six Sigma Expert™ and Raytheon Certified Architect.
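As an added example (not Raytheon's guard rules language or any code from the article), the Python below applies the two direction-dependent checks described in the Data Validation section to a message in the Figure 3 layout: on a high-to-low transfer it verifies the existing label against the low side's level and validates an upstream signature, and on a low-to-high transfer it accepts only content that matches a known schema, rejecting unknown fields. The HMAC-SHA256 key stands in for the upstream system's digital signature, and the key, the field schema and the sample messages are constructed for the example.

```python
"""Added example: direction-dependent guard data validation on Figure 3 messages.

High-to-low: release only if the content is well-formed, the upstream
signature verifies, and the label on the data is at or below the low side.
Low-to-high: accept only schema-conformant content (known fields, expected
value forms), the check used where virus scanning of a stream is impractical.
The key and sample messages are constructed; HMAC stands in for the
upstream system's digital signature.
"""
import hashlib
import hmac
import re

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
UPSTREAM_KEY = b"constructed-demo-key"  # shared with the upstream signer (assumed)

# Allowed fields and the pattern each value must match (constructed schema).
FIELD_RULES = {
    "Msg": r"[A-Z0-9]{1,8}",
    "Class": r"U|C|S|TS",
    "Dataset ID": r"[A-Z]",
    "Current": r"[A-Z]",
    "Coordinates": r"\d{5}[NS]\d{6}[EW]",
}

# Sample message in the Figure 3 layout (constructed).
SAMPLE_MSG = ("Msg: ABCD\nClass: S\nDataset ID: Y\n"
              "Current: Z\nCoordinates: 12345N095432E\n")


def parse(text):
    """Parse 'Key: value' lines into a dict; reject anything else outright."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def validate_content(fields):
    """Every field must be known and every required value well-formed."""
    unknown = set(fields) - set(FIELD_RULES)
    if unknown:
        return False, f"unknown fields: {sorted(unknown)}"
    for key, pattern in FIELD_RULES.items():
        if key not in fields:
            return False, f"missing field: {key}"
        if not re.fullmatch(pattern, fields[key]):
            return False, f"bad value for {key}"
    return True, "ok"


def sign(text):
    """Stand-in for the upstream system's signature over the message bytes."""
    return hmac.new(UPSTREAM_KEY, text.encode(), hashlib.sha256).hexdigest()


def check_release(text, signature, low_side_level):
    """High-to-low: content check, signature check, then label verification."""
    try:
        fields = parse(text)
    except ValueError as exc:
        return False, str(exc)
    ok, reason = validate_content(fields)
    if not ok:
        return False, reason
    if not hmac.compare_digest(sign(text), signature):
        return False, "signature mismatch"
    if LEVELS[fields["Class"]] > LEVELS[low_side_level]:
        return False, f"{fields['Class']} not releasable to {low_side_level}"
    return True, "released"


def check_ingest(text):
    """Low-to-high: strict parse, then schema validation; no free-form content."""
    try:
        return validate_content(parse(text))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    sig = sign(SAMPLE_MSG)
    print(check_release(SAMPLE_MSG, sig, "S"))   # released to a SECRET network
    print(check_release(SAMPLE_MSG, sig, "U"))   # label too high for the low side
    print(check_release(SAMPLE_MSG.replace("Class: S", "Class: U"), sig, "U"))
    print(check_ingest(SAMPLE_MSG + "Payload: <script>\n"))  # unknown field
```

The third call shows why the signature check precedes the label check: a message whose label was lowered after the upstream system signed it fails on the signature, so an edited label cannot be used to push content across the guard. Note that the checks fail closed, returning a reason rather than raising, so a guard built this way can log every denial without ever passing malformed input further.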

Copyright © 2007 Raytheon Company. All rights reserved. Approved for public release. Printed in the USA.