TecHIGhHLIGHTnING RAoYTHEON l’S oTECHNOgLOGY y Tod2a007 Issyue 2 Raytheon Secure Systems and Networks Delivering Mission Assurance in a Hostile Cyberspace Feature The Benefits of Multi-Level Security ulti-level security (MLS) should be accessible to the individ - secret, confidential and unclassified has been a holy grail ever ual. To ameliorate this problem, data all can reside in a single MLS Msince the early days of high-speed guards requiring addi - domain. MLS provides the ability to applying computer systems to meet tional hardware and processing simultaneously receive, process, Col. Roger Shell was the automation needs of military overhead, or labor intensive proce - store and disseminate data of mul - the deputy director of and intelligence systems. In the dures such as manually reviewing tiple classifications within a domain the National Security 1970s, MITRE published a series of data, are commonly used when where not all users have the securi - Agency’s (NSA) papers (by Bell and LaPadua) that moving data between domains. ty clearance to access all the data National Computer describe the issues and rules of within the domain. MLS needs to Security Center (NCSC) determining access rights of individ - The single-level security domain permeate into the computing envi - as it was formed in the ual users to information, based on paradigm is not compatible with ronment (workstations, servers and early 1980s. Dr. Kenneth their credentials. In fact, in 1971, this time-sensitive collaborative pro - operating systems), the network, Kung joined NCSC in Dr. Roger Schell (then a U.S. Air cessing environment needed to the database and the mission appli - 1984 as one of the Force major) conducted his Ph.D. support net-centric operations and cations — all must work together system evaluators using research at MIT on the Multics OS the systems of element approach to maintain trust. MLS systems the famous Orange protection rings. where information is first published, must assure that users are granted access to all the data, systems and Book. He learned his then later subscribed. The concept of using single-level security services for which they are author - information assurance Although multiple initiatives in the domains results in over-clearing per - ized, while denying them access if techniques from 1980s and ‘90s were launched to sonnel, over-classifying data and they are not authorized. Dr. Shell and other tackle the MLS “problem,” the issue creating system inefficiencies and early pioneers in this is still with us today. This article addresses the background of the redundancies. To minimize or elimi - Figure 1 illustrates a traditional field (e.g., Steve Walker, issues involved in solving the gener - nate these problems, the concept configuration using guards between David Bell, Marv al MLS problem. It also describes of MLS systems was developed. security domains on the left and an Schaefer, Earl Boebert, both the security functionality and MLS enclave on the right. etc.). Dr. Kung is the the assurance needs of the MLS eliminates the need for these co-author and Multinational Department of Defense (DoD) com - separate domains. MLS systems contributor to several munity of users and possible solu - reduce the total cost of ownership Information Systems other Rainbow Series of tions to address those needs. by eliminating hardware and soft - The next major research milestone guidelines, while NSA ware redundancies. Top secret, is to tackle the issue of multination - remains the premier The DoD has a goal of fielding organization to learn Traditional: one domain per systems that provide the right infor - security classification Multi-level security (MLS) the latest information mation at the right time to the Data Store system and weapon right person. In many cases, this Unclassified Secret system protection Domain goal is difficult to achieve due to Computing Data Store techniques. the security classification of Environment the data. To properly safeguard Switch/Router information today, many DoD infor - High Speed Guard Top Secret Data Store mation systems are separated in Unclassified Data Store Data Store domains at the highest classifica - Secret Domain tion level of any data in the Computing domain. They are commonly Environment MLS Domain Switch/Router with referred to as “system high” Unclassified domains. If an individual does not High Speed Guard through Computing Environment possess a security clearance to Top Secret Data Store access a domain, they are denied Top Secret access to all information within the Domain Computing Switch/Router domain, even though some of the Environment information may have originated at Switch/Router a lower classification and thus Figure 1. Traditional vs. MLS Enclaves 8 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY al information systems (MNIS). difficulties, customers often prefer the trusted applications will not be MNIS are inherent in battle com - less trustworthy operating systems compromised or interfered with in mand to ensure the timely such as Windows. any way by the untrusted applica - exchange of information across all tions, (see Figure 2). Security policy coalition member domains and Multiple Independent Levels enforcement mediated by the sepa - government agencies. Raytheon is of Security ration kernel is non-bypassable, doing research with the DoD to Another approach being developed always invoked and tamper-proof, identify the issues and potential to provide MLS capability is called because it is the only software that solutions under a study contract. Multiple Independent Levels of runs in privileged mode on the With the proliferation of coalition Security (MILS). Raytheon has been processor. Thus, systems with appli - operations and joint operations, the working with the Air Force Research cations at different security Raytheon is fielding a issue of information separation Laboratory Information Directorate, levels/caveats require fewer pro - product called CHAIN becomes even more challenging. the Cryptographic Modernization cessing resources. (Compartmented High Not only must the information be Program and the National Security Assurance Information separated by clearance levels with Agency for several years on the The separation kernel’s security Network). CHAIN each country’s security policy, but foundational components for this requirements are specified in the permits the separation well-defined information must be high assurance architecture to sup - NSA’s U.S. Government Protection of the information by shared across multiple countries, port systems with MLS require - Profile for Separation Kernels in compartments (as the where agreements to share are on ments and/or Multiple Single Levels Environments Requiring High name implies). Until of Security (MSLS). a bilateral basis. Information Robustness, now in its final draft. A the true MLS system is releasable to certain countries is separation kernel can be evaluated available, Raytheon is The goal of the MILS program is to not releasable to other coalition to a high level of assurance fielding CHAIN in establish a viable commercial mar - partners. This complicated set of (Evaluation Assurance Level (EAL multiple systems to ket for high assurance, standards- access control rules makes the Bell- 6+), because it is very small — on separate information LaPadula hierarchical security model based commercial off-the-shelf the order of 4,000 lines of from different of “write up, read down” tradition - (COTS) products that can be used C-Language code. Although origi - domains using the ally used in MLS systems look sim - to produce NSA-accredited systems. nally targeted to real-time, embed - compartments ple. Raytheon is currently working By leveraging COTS products t hat ded systems, the Separation Kernel enforcement to solve this demanding challenge conform to the DO-178B safety Protection Profile (SKPP) has been mechanism. There are of sharing information in the pres - standard, it is anticipated that the generalized to provide the security multiple commercial ence of multiple compartments wider customer base for these prod - requirements for a high assurance operating systems that within single security levels. ucts will result in a lower cost to virtual machine on which operating allow this enforcement. DoD security customers. systems with medium or no assur - Trusted Operating Systems ance, such as Windows, can exe - To upgrade from There are several common MILS have a layered architecture cute in separate partitions without compartments to approaches when attempting to that enforces an information flow degrading the assurance of the multi-level security, the provide MLS capability. One is to and data isolation security policy. overall system. underlying operating use a trusted operating system that At the bottom layer of the architec - system must meet the attaches sensitivity labels to all ture is a small but highly trusted The Green Hills Software (GHS) functionality and trust objects within the domain. (Sun’s separation kernel. A separation ker - Integrity Separation Kernel is avail - discussed in this article. Trusted Solaris TM is an example of a nel executes on processors such as able commercially and is currently trusted operating system.) Pentiums and PowerPCs to provide undergoing evaluation at a high Sensitivity labels identify security a virtual machine upon which a robustness level by a National classification and handling restric - variety of COTS operating systems Information Assurance Partnership tions