MILS Architectural Approach Supporting Trustworthiness of the IIoT Solutions


MILS Architectural Approach Supporting Trustworthiness of the IIoT Solutions
An Industrial Internet Consortium Whitepaper
Rance J. DeLong (The Open Group); Ekaterina Rudina (Kaspersky)

MILS Architectural Approach Context and Overview

Contents

1 Context and Overview ...... 4
1.1 Need for Trustworthy System Operation ...... 5
1.2 What is MILS today ...... 6
1.3 How MILS Addresses Safety ...... 7
1.4 How MILS Addresses Security ...... 8
1.5 How MILS Supports Reliability, Resilience, and Privacy ...... 9
2 MILS Concepts ...... 9
2.1 Centralized vs Distributed Security Architecture ...... 9
2.1.1 Domain Isolation ...... 10
2.1.2 Isolation and Information Flow Control ...... 11
2.1.3 Separation as a Basis for the MILS Architectural Approach ...... 11
2.2 MILS Policy Architecture ...... 12
2.2.1 Policy Architecture ...... 12
2.2.2 Distributed Policy Architectures ...... 14
2.2.3 Static and Dynamic MILS Policy Architectures ...... 15
2.2.4 Realization of a Policy Architecture ...... 16
2.3 MILS Platform ...... 18
2.3.1 Separation Kernel ...... 18
2.3.1.1 Partitioning Resources into Domains ...... 19
2.3.1.2 Support for Interdomain Communication ...... 20
2.3.1.3 Security Policy Enforcement ...... 21
2.3.1.4 Memory Management ...... 22
2.3.1.5 Scheduling ...... 23
2.3.1.6 Periods Processing ...... 23
2.3.1.7 Minimal Interrupt Servicing ...... 24
2.3.1.8 Minimal Synchronization Primitives, Timers and Watchdogs ...... 24
2.3.1.9 Instrumentation ...... 24
2.3.2 Separation-Supporting Hardware ...... 24
2.3.2.1 CPU ...... 25
2.3.2.2 Memory Management Unit ...... 26
2.3.2.3 IOMMU ...... 28
2.3.3 MILS Platform Foundational Components ...... 29
2.3.3.1 MILS Separation Kernel (MSK) ...... 31
2.3.3.2 MILS Network System (MNS) ...... 31
2.3.3.3 MILS Console System (MCS) ...... 32
2.3.3.4 MILS File System (MFS) ...... 32
2.3.3.5 MILS Extended Attributes System (MEAS) ...... 32
2.3.3.6 MILS Audit System (MAS) ...... 33
2.3.3.7 MILS Platform Interface ...... 33
3 MILS Assurance and Trustworthiness for IIoT ...... 34
3.1 Assurance ...... 34
3.1.1 Assurance for the MILS Platform and a MILS Policy Architecture ...... 35
3.1.2 Compositional Assurance ...... 36
3.1.3 Assurance Case ...... 37
3.2 Trust by design ...... 38
3.3 Trust by assurance ...... 40
3.3.1 Reasoning about Noninterference ...... 41
3.3.2 Reasoning about Static and Dynamic MILS Policy Architectures ...... 42
3.3.3 Compositional Verification for MILS-based systems ...... 45
3.4 Assurable Kernel and MILS Platform Components ...... 47
4 MILS Evolution, Examples and Case Studies ...... 47
4.1 MILS Evolution and Key Directions for the Future ...... 47
4.1.1 A Whirlwind Tour of MILS 1980-Present ...... 47
4.1.1.1 Pre-MILS Era 1980 ~ 1999 ...... 48
4.1.1.2 Classic MILS Era 2000 ~ 2007 ...... 49
4.1.1.3 Modern MILS Era 2008 ~ 2012 ...... 49
4.1.1.4 Progressive MILS Era 2012 ~ Present ...... 50
4.1.2 Variations on the MILS Platform ...... 50
4.1.2.1 Distributed MILS Platform ...... 50
4.1.2.2 Dynamic MILS Platform ...... 52
4.1.2.3 Adaptive MILS Framework ...... 53
4.1.2.4 Heterogeneous MILS Platform ...... 55
4.2 MILS Case Studies for IIoT ...... 56
4.2.1 MILS-based security platform for railway command and control systems ...... 56
4.2.2 Distributed MILS Platform for Secure Smart Grids ...... 60
4.2.3 Adaptive MILS for Resilient ATC Remote Tower Communications ...... 64
4.2.4 Trusted Smart Phone for Enterprise and Personal Communications ...... 68
4.3 Next Steps for MILS in IIoT ......

Details: PDF, 96 pages, English.
