
Zbigniew ZIELIŃSKI (1), Andrzej STASIAK (1), Włodzimierz DĄBROWSKI (2,3)
Military University of Technology (1), Warsaw Institute of Technology, ISEP (2), Polish-Japanese Institute of Information Technology (3)

A Model Driven Method for Multilevel Security Systems Design

Summary. The article presents the application of UML model simulation methods to the analysis and design of specialized computer systems that process data under multilevel security. Integrating security models with the system models described in UML enables their simulation, which allows security problems to be identified at the modeling stage. By using UML extensions and the ALF language it is possible to build a topological model and to simulate topological models efficiently. The authors used an IBM simulator for the simulation.

Streszczenie (Polish abstract, translated). The article presents the application of UML model simulation methods to the analysis and design of specialized computer systems that process data under multilevel protection. Integrating security models with the system models described in UML enables their simulation, which allows security-related problems to be identified at the modeling stage. With UML extensions and the ALF language it is possible to build the model topology and to simulate topological models efficiently. (Application of UML model simulation methods to the analysis and design of specialized computer systems processing data under multilevel protection)

Keywords: multilevel security systems, system modeling, UML models simulation, configuration topology
Słowa kluczowe (Polish keywords, translated): multilevel protection systems, system modeling, UML simulation, configuration topology

Introduction

The issue of building reliable specialized computer systems (SCS) that process data at different levels of sensitivity is particularly topical, especially with regard to the use of SCS in government, military or financial institutions. The problem of processing information with different levels of sensitivity has been intensively studied since the early 1970s [1,2,3]. The formal basis of so-called multilevel security (MLS) is presented in the work of Bell and LaPadula (B-LP) [2]. In a multilevel security (MLS) computer system it is necessary to define the so-called clearance of users to work with classified information, as required by the official duties they carry out, taking into account the "need to know" principle, and to classify information according to its level of sensitivity. The most commonly implemented model is B-LP or one of its very similar modifications (Biba [4], Clark-Wilson [5], etc.). According to this model, granting subjects access to the appropriate resources is achieved by mandatory access control (MAC), which means that every subject (or process) and every system resource (file data, communication channel, etc.) is assigned a security context. In order to determine the privileges in MAC systems, labels are constructed from the security context, in particular the pair <sensitivity label, information category>. A partial order relation is defined on the set of labels of subjects and objects, and comparing the security level of a newly requested object with that of every object to which the subject currently has access is required [3]. An immutable rule must be imposed on the subjects and resources (objects), such as [3]: for read accesses, the current security level has to be greater than or equal to (or "dominate") that of the new object; for altering accesses, the current security level has to be less than or equal to (or be dominated by) that of the new object.

It should be noted that implementing such a set of rules in systems and networks (i.e. building a dependable system solely on the basis of an operating system with multilevel information security) is extremely difficult and expensive. This is mainly due to the difficulty of building a reliable reference monitor and the difficulty of ensuring that the system will not "leak" sensitive information through so-called covert channels that may exist in the operating system [6].

One of the possible approaches to the development of a non-distributed MLS computer system involves the use of virtualization technology and building software that acts as the manager of virtual machines [7,8]. For this approach to be trustworthy it requires both the use of strictly virtualizable hardware and a trustworthy monitor mechanism for separating the activities of the virtual machines. Such software should allow the simultaneous launch of several instances of special operating systems acting as virtual machines on a single computer (workstation, server) dedicated to processing data of various sensitivity clauses (e.g., non-classified, restricted), or to processing data for which separation is needed. This approach became fully possible thanks to the hardware support for virtualization in modern Intel and AMD processors and to the COTS-type virtualization software packages that have been developed. The currently widely used x86 architecture extensions that support hardware virtualization [7,9] are: Intel Virtualization Technology, in particular VT-x and VT-d for x86 and VT-i for Intel IA-64 (Itanium), and AMD Virtualization (AMD-V) for 64-bit x86 processors from AMD. These technologies also allow (in addition to hardware support for virtual machine emulation) a trusted environment to be built in which separate virtual machines (which are separate security domains) exist in separate hardware partitions. The implementation of such an MLS system project requires the integration of the available virtualization technology (software and hardware), the application of formal methods for both ensuring and monitoring the confidentiality and integrity of data processing, and user authentication techniques. The natural way of building such systems becomes a component approach, which assumes the use of prepared (available) hardware and software components, in particular the available open-source COTS virtualization packages such as Xen [10] or KVM [11].

The article proposes an innovative approach to designing secure MLS-type SCS systems, whose main objective is to provide tools to verify the confidentiality and integrity of the data being processed on the basis of models, as well as to test the resistance of the whole system to various types of attacks at the stage of its development. The developed method of producing MLS-type SCS, which we will call the MDmls (Model Driven Multilevel Security) method, organizes the MLS-type SCS manufacturing process and derives from the concepts of MDA (Model Driven Architecture) and MDD (Model Driven Development) [12,13]. A similar approach to building secure software is shown in [14], but it does not include multilevel security issues. The article presents the basic assumptions of the method, but focuses mainly on describing the steps of the modeling process. This means that by using the concept of an executable model (xUML) [23]

120 PRZEGLĄD ELEKTROTECHNICZNY (Electrical Review), ISSN 0033-2097, R. 88 NR 2/2012

implementation processes, as those that are always associated with a specific platform (in accordance with MDA), are carried out in the manufacturing cycle as implementation actions, independently for each PSM. Similarly, depending on the specifics of the system being built, it will usually be necessary to use a few domain-specific languages (DSL) in place of the universal language (UML). The integration of security models with the system models described in UML enables their simulation, which allows security problems of the MLS-type SCS software to be identified at the modeling stage. The presentation of the proposed method shows the construction process of the metamodel and profiles, in compliance with UML version 2.2, and the domain-specific modeling (DSM) process [24, 25].

Method Origin

The method was developed for the research and development project "Secure Workstation for Special Applications" (SWSA; project funded by the Polish Ministry of Science and Higher Education under grant OR00014011; Polish project title: "Bezpieczna stacja do zastosowań specjalnych"), carried out by a consortium led by the Military University of Technology in Warsaw. The aim of the project is to develop a trusted environment for processing sensitive (or even classified) information from different security domains (either

you to run and supervise the activities of specialized operating systems (SOSi), i∈1,..,n, and of the user programs operating in their environment {PU}, which together constitute a virtual machine VM ∶ SOS PU.

Owing to the properties of the SWSA hardware design, it was assumed that the proposed VMM software should allow a few (of several possible) instances of special versions of operating systems (VM) to be launched on a single computer, providing access control, cryptographic protection and strict control of data flow. For example (Fig. 2), TSP supervises the operation of n virtual machines, of which two operate simultaneously, MV and MV, and accordingly PU is active on MV (which is described as VM PU) and PU is active on MV (i.e. VM PU). The VMM manages access to both virtual machines and to the hardware resources (physical and virtual).

The project also assumes that an instance of a special version of the operating system (SSO) working within a virtual machine (VM) is a separate security domain MVSSO ∶ DB, and that each of the domains allows data processing qualified to different security levels. Fig. 2 shows the two security domains, each of them linked to one virtual machine.
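The B-LP access rules described in the Introduction (labels as <sensitivity, category> pairs, the dominance partial order, read requiring dominance and altering requiring being dominated), as an added example that is not the paper's own code; the level names and their ordering, the category sets and the sample requests are constructed for the example:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed ordering of sensitivity levels (assumed for this example).
LEVELS = {"non-classified": 0, "restricted": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    """Security label <sensitivity, information categories> of a subject or object."""
    sensitivity: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Partial order: at least the same level AND a superset of the categories.
        # Two labels may be incomparable: then neither dominates the other.
        return (LEVELS[self.sensitivity] >= LEVELS[other.sensitivity]
                and self.categories >= other.categories)

def may_read(subject: Label, obj: Label) -> bool:
    # Read access: the subject's current level must dominate the object's label.
    return subject.dominates(obj)

def may_write(subject: Label, obj: Label) -> bool:
    # Altering access: the subject's current level must be dominated by the object's label.
    return obj.dominates(subject)

def check_access(subject: Label, obj: Label, mode: str) -> bool:
    rules = {"read": may_read, "write": may_write}
    if mode not in rules:
        raise ValueError(f"unknown access mode: {mode}")
    return rules[mode](subject, obj)

Request = Tuple[str, Label, Label, str]  # (request id, subject label, object label, mode)
def find_violations(requests: List[Request]) -> List[str]:
    """Replay access requests against the rules; return the ids that must be denied."""
    return [rid for rid, subj, obj, mode in requests if not check_access(subj, obj, mode)]

# Constructed sample: a subject cleared for "restricted"/{ops} touching objects of two
# domains. r2 is a write-down (a leak the rules must block); r4 is an incomparable label.
S = Label("restricted", frozenset({"ops"}))
SAMPLE_REQUESTS: List[Request] = [
    ("r1", S, Label("non-classified"), "read"),
    ("r2", S, Label("non-classified"), "write"),
    ("r3", S, Label("secret", frozenset({"ops"})), "write"),
    ("r4", S, Label("restricted", frozenset({"fin"})), "read"),
]

if __name__ == "__main__":
    print("denied:", find_violations(SAMPLE_REQUESTS))  # denied: ['r2', 'r4']
```

Replaying a model's planned accesses through `find_violations` is the kind of check the simulation step can apply to a topological model before anything is built.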