Technology Today: Highlighting Raytheon's Technology, 2007 Issue 2
Raytheon Secure Systems and Networks: Delivering Mission Assurance in a Hostile Cyberspace
Feature: The Benefits of Multi-Level Security

Col. Roger Schell was the deputy director of the National Security Agency's (NSA) National Computer Security Center (NCSC) as it was formed in the early 1980s. Dr. Kenneth Kung joined NCSC in 1984 as one of the system evaluators using the famous Orange Book. He learned his information assurance techniques from Dr. Schell and other early pioneers in this field (e.g., Steve Walker, David Bell, Marv Schaefer, Earl Boebert). Dr. Kung is a co-author of and contributor to several other Rainbow Series guidelines, and NSA remains the premier organization from which to learn the latest information system and weapon system protection techniques.

Multi-level security (MLS) has been a holy grail ever since the early days of applying computer systems to meet the automation needs of military and intelligence systems. In the 1970s, MITRE published a series of papers (by Bell and LaPadula) that describe the issues and rules for determining the access rights of individual users to information, based on their credentials. In fact, in 1971, Dr. Roger Schell (then a U.S. Air Force major) conducted his Ph.D. research at MIT on the Multics OS protection rings. Although multiple initiatives in the 1980s and 90s were launched to tackle the MLS problem, the issue is still with us today. This article addresses the background of the issues involved in solving the general MLS problem. It also describes both the security functionality and the assurance needs of the Department of Defense (DoD) community of users, and possible solutions to address those needs.

The DoD has a goal of fielding systems that provide the right information at the right time to the right person. In many cases, this goal is difficult to achieve due to the security classification of the data. To properly safeguard information today, many DoD information systems are separated into domains at the highest classification level of any data in the domain.
They are commonly referred to as system high domains. If an individual does not possess a security clearance to access a domain, they are denied access to all information within the domain, even though some of the information may have originated at a lower classification and thus should be accessible to the individual. To ameliorate this problem, high-speed guards requiring additional hardware and processing overhead, or labor-intensive procedures such as manually reviewing data, are commonly used when moving data between domains.

The single-level security domain paradigm is not compatible with the time-sensitive collaborative processing environment needed to support net-centric operations and the systems-of-elements approach, where information is first published and later subscribed to. The concept of using single-level security domains results in over-clearing personnel, over-classifying data, and creating system inefficiencies and redundancies. To minimize or eliminate these problems, the concept of MLS systems was developed. MLS eliminates the need for these separate domains. MLS systems reduce the total cost of ownership by eliminating hardware and software redundancies. Top secret, secret, confidential and unclassified data all can reside in a single MLS domain. MLS provides the ability to simultaneously receive, process, store and disseminate data of multiple classifications within a domain where not all users have the security clearance to access all the data within the domain. MLS needs to permeate the computing environment: the workstations, servers and operating systems, the network, the database and the mission applications all must work together to maintain trust.

[Figure 1. Traditional vs. MLS Enclaves. Left (traditional): one domain per security classification (Unclassified Domain, Secret Domain, Top Secret Domain) connected by High Speed Guards. Right: a single MLS domain holding Unclassified through Top Secret data.]
MLS systems must assure that users are granted access to all the data, systems and services for which they are authorized, while denying them access if they are not authorized. Figure 1 illustrates a traditional configuration using guards between security domains on the left and an MLS enclave on the right.

Multinational Information Systems

The next major research milestone is to tackle the issue of multinational information systems (MNIS). MNIS are inherent in battle command to ensure the timely exchange of information across all coalition member domains and government agencies. Raytheon is doing research with the DoD under a study contract to identify the issues and potential solutions. With the proliferation of coalition operations and joint operations, the issue of information separation becomes even more challenging. Not only must the information be separated by clearance levels within each country's security policy, but well-defined information must be shared across multiple countries, where agreements to share are on a bilateral basis. Information releasable to certain countries is not releasable to other coalition partners. This complicated set of access control rules makes the Bell-LaPadula hierarchical security model of write up, read down, traditionally used in MLS systems, look simple. Raytheon is currently working to solve this demanding challenge of sharing information in the presence of multiple compartments within single security levels.

Trusted Operating Systems

There are several common approaches when attempting to provide MLS capability. One is to use a trusted operating system that attaches sensitivity labels to all objects within the domain. (Sun's Trusted Solaris(TM) is an example of a trusted operating system.) Sensitivity labels identify the security classification and handling restrictions of the object. The sensitivity labels are compared to the user's security clearance and privileges to determine if access to the object is allowed. These operating systems are proprietary, tend to be very difficult to administer, and are at times extremely cumbersome to use. Because of their size and complexity, they have typically been evaluated only to a medium level of robustness. Due to administrative difficulties, customers often prefer less trustworthy operating systems such as Windows.
Multiple Independent Levels of Security

Another approach being developed to provide MLS capability is called Multiple Independent Levels of Security (MILS). Raytheon has been working with the Air Force Research Laboratory Information Directorate, the Cryptographic Modernization Program and the National Security Agency for several years on the foundational components for this high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels of Security (MSLS). The goal of the MILS program is to establish a viable commercial market for high assurance, standards-based commercial off-the-shelf (COTS) products that can be used to produce NSA-accredited systems. By leveraging COTS products that conform to the DO-178B safety standard, it is anticipated that the wider customer base for these products will result in a lower cost to DoD security customers.

MILS has a layered architecture that enforces an information flow and data isolation security policy. At the bottom layer of the architecture is a small but highly trusted separation kernel. A separation kernel executes on processors such as Pentiums and PowerPCs to provide a virtual machine upon which a variety of COTS operating systems (e.g., Windows, Linux, Solaris) can be hosted. The separation kernel provides a high robustness reference monitor (1) to enable this separation and to control communication between untrusted applications and data objects at various levels of classification/caveats on a single processor. It also enables trusted applications to execute on the same processor as untrusted applications, while ensuring that the trusted applications will not be compromised or interfered with in any way by the untrusted applications (see Figure 2). Security policy enforcement mediated by the separation kernel is non-bypassable, always invoked and tamper-proof, because it is the only software that runs in privileged mode on the processor.
Thus, systems with applications at different security levels/caveats require fewer processing resources. The separation kernel's security requirements are specified in the NSA's U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, now in its final draft. A separation kernel can be evaluated to a high level of assurance (Evaluation Assurance Level 6+, EAL 6+) because it is very small, on the order of 4,000 lines of C-language code. Although originally targeted at real-time, embedded systems, the Separation Kernel Protection Profile (SKPP) has been generalized to provide the security requirements for a high assurance virtual machine on which operating systems with medium or no assurance, such as Windows, can execute in separate partitions without degrading the assurance of the overall system.

The Green Hills Software (GHS) Integrity Separation Kernel is available commercially and is currently undergoing evaluation at a high robustness level by a National Information Assurance Partnership (NIAP) accredited Common Criteria Testing Laboratory. It is targeted at embedded and server applications running on PowerPC and Intel processors. The Integrity Separation Kernel is being used in Raytheon's Space and Airborne Systems NETSecure internal research and development effort to develop an MLS network processor that can be incorporated in legacy platforms such as the F/A-18 and B-2 to enable data fusion, sensor integration, distributed targeting and net-centric operations. Two other COTS operating system vendors, LynuxWorks and Wind River, have also developed separation kernels conforming to the SKPP that are available as beta versions. In addition, GHS has demonstrated a high assurance Windows workstation running on their Padded Cell(TM) technology, which is based on their separation kernel. Separation kernels from the three vendors have been demonstrated publicly running a Raytheon application.

(1) IAEC 3285, NSA Infosec Design Course, High Robustness Reference Monitors version 3, Michael Dransfield, W. Mark Vanfleet.

CHAIN

Raytheon is fielding a product called CHAIN (Compartmented High Assurance Information Network). CHAIN permits the separation of information by compartments (as the name implies). Until a true MLS system is available, Raytheon is fielding CHAIN in multiple systems to separate information from different domains using the compartment enforcement mechanism. There are multiple commercial operating systems that allow this enforcement. To upgrade from compartments to multi-level security, the underlying operating system must meet the functionality and trust discussed in this article.

Raytheon has also conducted research in the area of Partitioning Communication Systems (PCS), which enable trust relationships and data separation to be established between processors in a MILS enclave. The PCS is part of the middleware layer of the MILS architecture. In effect, the PCS functions as a data flow guard by controlling the information that flows between an application and the network. When running in a separate partition on top of a high assurance separation kernel (see Figure 2), a PCS provides data separation and controls the flow of information between processors in a manner that is non-bypassable, always invoked and tamper-proof. The PCS also provides separation by encrypting data before it is delivered to device drivers or the network interface. This enables the use of COTS network components in secure environments and may also eliminate the need for some guards in cases where downgrading is not required. With Objective Interface Systems (OIS) as a subcontractor, Raytheon is responsible for the development of the security requirements documented in the Partitioning Communications System Protection Profile (PCSPP).
OIS is independently developing the first PCS, working closely with the three separation kernel vendors, and intends to have it evaluated at a high robustness level.

[Figure 2. Representative MILS Architecture. Application (user mode) partitions, such as the PCS (MLS), single-level (SL) guest OS/middleware partitions and an RTOS, sit alongside Trusted Path, Console Manager, Token Service, File System Driver and Network Interface Unit partitions; all run on the MILS separation kernel (a micro kernel in supervisor mode, providing the MMU, inter-partition communications and interrupts) above the processor. Legend: MILS, Multiple Independent Levels of Security; MSL, Multi Single Level; MLS, Multi Level Secure; SL, Single Level.]

The PCS has been demonstrated publicly on the GHS separation kernel running on Intel processors. A version of the PCS for PowerPC is currently under development. Protection profiles and products for other MILS middleware components are in various stages of development. As a subcontractor to Raytheon under an AFRL CRAD program, SRI International has started work on a MILS Network System Protection Profile. A MILS file system and MILS CORBA protection profile have also been proposed. Trusted components such as downgraders, firewalls, virus protection, and intrusion detection and protection are employed at the application level in the MILS architecture. These efforts are expected to continue over the next several years.

Guard Technology

Evaluated MILS products are still years away from being available in general workstations and servers. In the meantime, there is a need to connect systems composed of various security levels together, while granting access only to authorized users of the data. One of the key technologies that supports data sharing between security domains is the security guard that sits between different security domains. Raytheon has developed a product called High Speed Guard to support the user community's need for data sharing between single-level domains.

What Is a Guard, Anyway?
Current security policies require a trusted entity to independently validate data being moved between top secret, secret and unclassified networks. These products are commonly known as trusted guards, high assurance guards or just guards. Guards typically function as proxies, providing security separation between the two systems being connected. There are three main functions for a guard:

- Network separation
- Mandatory access control
- Data validation

Network Separation

A guard's high-security ("high") side network interface has an IP address on the high side network, while the guard's low side network interface uses an IP address from the low side network. Thus, the guard provides network separation and typically enforces source/destination IP restrictions via some firewall mechanism in the guard.

Mandatory Access Control

Another requirement for guards is to enforce Mandatory Access Control (MAC). Per current security policy, a trusted operating system such as Trusted Solaris is required to meet MAC requirements. In a trusted operating system, the operating system carries label information on all components of the system (memory, file systems, network interfaces, etc.) and provides APIs for systems such as guards to move data between security levels.
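Added example (not code from the article or from Raytheon): a small Python model of the label comparison described above, assuming a constructed four-level hierarchy plus compartments. It applies the Bell-LaPadula read-down/write-up rules a trusted operating system enforces, and the same dominance test a guard's MAC layer applies before moving already-labeled data from a high side to a low side.

```python
from dataclasses import dataclass, field

# Constructed hierarchy of sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments
    (non-hierarchical caveats such as coalition releasability markings)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Lattice partial order: at least as high a level AND a superset of
        # the other label's compartments. Labels with disjoint compartments
        # are incomparable, so neither dominates the other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property (read down): clearance dominates object."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property (write up): object's label dominates the subject's."""
    return obj.dominates(subject)


def guard_release(data: Label, low_side: Label) -> bool:
    """High-to-low transfer check on data that already carries a label: forward it
    only if the low-side network's label dominates the data's label."""
    return low_side.dominates(data)


def demo() -> dict:
    """Constructed scenario: a TS analyst in compartment ALPHA and a SECRET
    coalition network accredited only for ALPHA."""
    analyst = Label("TOP SECRET", frozenset({"ALPHA"}))
    secret_doc = Label("SECRET")
    secret_alpha = Label("SECRET", frozenset({"ALPHA"}))
    secret_bravo = Label("SECRET", frozenset({"BRAVO"}))
    coalition_net = Label("SECRET", frozenset({"ALPHA"}))
    return {
        # Clearance dominates a plain SECRET document: read allowed.
        "read_down": may_read(analyst, secret_doc),
        # BRAVO is a compartment the analyst lacks: read denied despite TS.
        "read_other_compartment": may_read(analyst, secret_bravo),
        # Writing TS-derived content into a SECRET object would leak: denied.
        "write_down": may_write(analyst, secret_doc),
        # SECRET//ALPHA data may pass to the SECRET//ALPHA coalition network.
        "release_ok": guard_release(secret_alpha, coalition_net),
        # SECRET//BRAVO data is blocked: the network is not accredited for BRAVO.
        "release_blocked": guard_release(secret_bravo, coalition_net),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'ALLOW' if result else 'DENY'}")
```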
Data Validation

Guards must validate that the data passing through them is authorized. Guards typically enforce different checks depending on the direction the data is flowing. When data is passed from high to low, the main focus of data validation is to ensure that only data authorized at the lower network's security level is passed. Several options exist for performing this check:

- Classification rules that independently interrogate the data to determine its classification
- Verifying existing labels on the data
- Verifying the upstream system's digital signature on the data, if provided

The correct option depends on a particular system's data formats. The prevention of malicious content is the primary concern when moving data from a lower network. For file-based transfers, virus scanning is the primary mechanism for meeting this requirement. For streaming data, virus scanning is problematic, so data validation can be used to verify that the content of the data is valid and that there is no unknown content.

Raytheon High Speed Guard

Figure 3 illustrates a typical use of the Raytheon guard. Raytheon's High Speed Guard was built for high bandwidth needs within the intelligence community.

[Figure 3. The Raytheon High Speed Guard provides a high-bandwidth, low-latency cross-domain solution for most intelligence community and DoD data types. Data Feed 1 (large file transfer), Data Feed 2 and Data Feed n (message transfer) pass from a Classification X domain through the High Speed Guard to a Classification Y domain; the sample message (Msg: ABCD, Class: S, Dataset ID: Y, Current: Z, Coordinates: 12345N095432E) appears unchanged on both sides.]

Key features of our guard:

Performance: Currently achieves 850 Mb/sec on 1 Gigabit networks and 4.5 Gb/sec on 10 Gigabit networks.

History: Our guard has been in use since 1998 and has over 144 units operational. It has been certified by multiple agencies at Director of Central Intelligence Directive (DCID) 6/3 Protection Level 4.
Flexibility: The Raytheon guard supports TCP/IP socket-based transfers and file-based transfers, and has a Human Review capability that utilizes digital signature validation. The guard is also rehostable to various trusted platforms. Raytheon's current platform is Sun using Trusted Solaris 8. Raytheon also supports Silicon Graphics Incorporated (SGI) hardware running Trusted Irix, but that OS is being end-of-lifed. Raytheon plans to support SELinux in the coming months and may also support Solaris 10 with Trusted Extensions.

Ease of Use: The Raytheon guard comes with complete documentation and training, enabling end users to maintain it, if desired. The rules language is straightforward but very powerful, and includes full XML parsing capability.

Carolyn Boettcher, Kenneth Kung, Jerry Lebowitz, Kevin Cariker

Profile: Kenneth Kung

A principal engineering fellow for Raytheon's Network Centric Systems (NCS) business, Kenneth Kung, Ph.D., has over 26 years of system and software engineering experience, including 22 years with Raytheon. Currently, he is leading the architecture capability area for NCS on the Enterprise Net-centric Integration Capability (ENIC) initiative, which seeks to change the way we develop solutions and capabilities for Raytheon customers. He leads the development of reference architectures, solution architectures and architecture governance. This effort transforms our culture by enhancing our speed to market, speed to demo and ability to cost appropriately. Kung represents NCS on the Corporate Architecture Review Board. Some of the board's functions include developing a strategy to train system architects, ensuring the interoperability of various systems, and recommending Raytheon architecture directions involving our customers. He participates in several industry consortia and standards committees, including the Net Centric Operations International Consortium, the Open Group Architecture Forum, the ISO/IEC JTC 1 Subcommittee 27 on Cyber Security U.S. Technical Advisory Group, and the Systems Architecture Forum. From these external boards, Kung has been able to learn and exchange lessons with others in the industry.

Previously, Kung was the Architecture Technology Area Director at Corporate Engineering, where he led the initial development of the taxonomy of the reference architectures and the C2 reference architecture. Before coming to Raytheon, Kung worked at the Aerospace Corporation, supporting the National Security Agency on information security product evaluation. He has been lecturing in colleges for more than 30 years on topics such as information security and communication networks. He has also served on the advisory boards of Harvey Mudd College and California State University, Fullerton. Kung received his bachelor's degree in engineering from UCLA. He later received his master's and doctorate degrees in computer science, also from UCLA. He is a Certified Raytheon Six Sigma Expert(TM) and Raytheon Certified Architect.
Do you have a great idea for an article?

We are always looking for ways to connect with you, our engineering, technology and Mission Assurance professionals. If you have an article or an idea for an article regarding technical achievements, customer solutions, relationships, Mission Assurance, etc., send it along. If your topic aligns with a future issue of Technology Today or is appropriate for an online article, we will be happy to consider it and will contact you for more information. Send your article ideas along; we're waiting to hear from you!

Copyright 2007 Raytheon Company. All rights reserved. Approved for public release. Printed in the USA. Customer Success Is Our Mission is a trademark of Raytheon Company. Capability Maturity Model, CMM and CMMI are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.