Volume 16, Issue 1
February 2012
KMI Media Group

Multiple Degrees of Separation


With its promise of enhanced security, MILS information architecture gains ground among defense users.
A highly secure information architecture called Multiple Independent Levels of Security/Safety (MILS) is gaining ground among defense and aerospace users.


The advance of MILS, developed in recent years by a coalition of government agencies, contractors and software vendors, reflects the convergence of separation-kernel and virtualization technology, which gives the user multiple securely separated operating system environments on the same computer.

MILS is all about separation. The MILS architectural approach isolates critical processes, functions, domains and data from one another. Quite simply, MILS takes the software that you really have to trust, separates it from everything else and then applies very rigorous analysis techniques to scrutinize that trusted software.

The Open Group, an industry consortium that has been advocating MILS, defines the technology and its benefits this way: “The MILS architecture partitions application programs, data and communications in distributed systems and enables development of systems where multiple levels of security domains exist on a single processor, making it possible to replace several traditional, federated computers. By using the MILS architecture, high assurance systems development, certification, accreditation, purchase, deployment and operation are more efficient, more affordable and lower risk.”

The spread of MILS is evident in a number of developments. At the MILCOM conference last fall, for example, several companies demonstrated how MILS could be implemented to protect highly sensitive military and intelligence communications networks, showing its use in scenarios involving a suppression of enemy air defenses/destruction of enemy air defenses mission; an offensive counter-air mission; a time-sensitive targeting mission; and a combat search and rescue mission. In addition, key companies continue to develop and certify MILS products and programs. Following are updates for some of the major players in the field.

GHOST IN THE MACHINE

General Dynamics calls its portfolio of MILS trusted computing products General Dynamics High Assurance Open Scalable Technology (GHOST). The Trusted Virtual Environment (TVE), marketed as an “ingredient brand,” is one of the latest additions.

“With GHOST, we build in the security mechanism and the security features in a transparent fashion, such that it does not deteriorate or impact negatively operational considerations,” said Bill Ross, business director, information assurance systems and programs for General Dynamics C4 Systems. “TVE is just one of the products in the GHOST suite; the others are Trusted Network Environment, and the third is Trusted Embedded Environment.”

The fundamental premise behind TVE is that it preserves the life cycle cost advantages of COTS solutions. Ross said, “What we have done is taken some of the most mainstream COTS capabilities, hardened them and effectively implemented a trusted computing solution that allows you to host multiple security classifications on a single commercial desktop computer with a minimal government off-the-shelf footprint.”

For TVE, General Dynamics C4 Systems has partnered with a number of the big DoD suppliers of commercial computing technology, including Dell, Intel and VMware. With VMware, TVE takes the vendor’s virtualization capabilities and “bakes” the security requirements into its virtual desktop product, so that the result passes the MILS certification process on a Dell computer straight off the factory floor.

“Before TVE, to protect the core computer you had to write a significant chunk of security critical code that needed to be assured and analyzed and that was both difficult to assess and difficult to evaluate to a high level of assurance. Trusted embedded platforms had also always required a very custom embedded operating system that really did not have broad application and was very focused on a specific embedded requirement and did not have general broad mainstream commercial support. One of the key elements to consider is how your MILS solution intersects with your existing enterprise infrastructure. Nobody wants to come in with a forklift and rip out your enterprise infrastructure,” Ross said.

“We are certified, we have been accredited by the National Security Agency, we are currently coming out with new releases,” explained Ross. “You can buy it right off the Dell Website.”

Users include DoD and intelligence community customers, with Ross describing U.S. Special Operations Command as the initial pilot. “They were one of the chief proponents and key users that have adopted TVE, and they are the furthest along in terms of their utilization and deployment of this technology.”

Other customers are assessing how this new technology and capability will fit within their overall business process. Ross estimates that as many as a dozen agencies are at various stages of piloting trials or initial deployment today. Release 2 for TVE, which implements improved manageability, information assurance and performance capabilities, is scheduled for late this year.

The value proposition for MILS is possibly greatest in armored vehicles seeking to reduce their computing infrastructure. Ross said, “The Future Combat System program is considering use of derivative capabilities and technology for the weight and power constrained environment at the tactical far edge.”

Ross sees TVE as a continuously improving system. “We continue to invest in ways to make it easier to integrate into existing enterprises, and we are always moving up the assurance scale. We are taking advantage of some of the new security features that some of the chip set manufacturers are making. As opportunities arise to take advantage of hardware improvements, we continue to look for opportunities to enhance performance.”

ROBUST SECURITY

Green Hills Software’s work on MILS actually predates the emergence of MILS as a fully fledged concept, according to David Kleidermacher, chief technology officer at the company.

“In the mid-1990s, our company realized that there was a major technology gap in the operating systems that controlled devices,” he said. “People were using old technology that wasn’t designed to partition software and keep it more reliable. That is why we came up with Integrity, our flagship real-time operating system, to control systems which demanded the highest levels of reliability, availability and security. Integrity’s first project was the Boeing B-1B in 1997. That gives you an idea of how we designed it to meet the highest levels of safety and security from day one.”

Integrity quickly became successful across a variety of industries, including medical devices, industrial control systems and telecommunications. Under the F-35 Joint Strike Fighter (JSF) program, the Integrity technology began an evaluation under Common Criteria Evaluation Assurance Level (EAL) 6+, which was completed late last year.

“EAL 6+ high robustness is defined as the security level required to protect high value information against even the most sophisticated of hackers. No software on the planet has ever been certified above EAL 5,” Kleidermacher noted.

In 2004, NSA called on Green Hills to explore the application of Integrity’s software separation kernel for desktop PCs. “They had a big problem, not just within NSA, but in the intelligence community and across DoD, of requiring multiple desktops, attached to different networks, for each user, which was a nightmare in terms of maintenance and usability,” he recalled. “They wanted us to run multiple instances of Windows on top of Integrity, partitioning them using the MILS concept. While NSA’s High Assurance Platform program has a vision of eventually deploying high-assurance solutions, we proved that solution exists today with Integrity.”

Kleidermacher explained how this was done. “We developed virtualization technology that allows us to run any ‘guest’ operating system—whether Linux, Windows or anything else—in such a way that the virtualization component doesn’t violate the security policies enforced by Integrity. Thus, the mathematically proven separation, required as part of our EAL 6+ certification, is still intact even though we are running Windows.”

The base model for Integrity is that information cannot be transferred between partitions unless the system security policy explicitly allows it; the default is to deny. The Integrity kernel provides no encryption, only resource management and mediation of the computer’s partitions. Anything the system needs beyond that, such as middleware with its own client-server communication policy, sits above the kernel.

What is arguably as important as the operating system certification itself, however, is the affirmation of the company’s high assurance software development process, which has now been applied to a number of additional MILS components—including file systems, Web servers and window managers— that live above the operating system kernel.

“Let’s say you want to implement a policy to transfer, maybe in one direction but not the other,” Kleidermacher said. “Now you have another application that lives on top of the Integrity kernel that must be developed using our high assurance MILS process.”
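One way to picture the policy Kleidermacher describes, as an added example that is not Green Hills or Integrity code: a small Python model of a separation kernel that mediates every inter-partition transfer against an explicitly configured flow policy (default deny), plus an audit that follows the configured flows transitively to confirm that a one-way policy really is one-way. The partition names, the `downgrader` application and the flow rules are hypothetical.

```python
"""Toy model of a MILS separation kernel's information-flow policy.

Added illustration only; not Green Hills / Integrity code. The kernel here
does exactly one job: it mediates every inter-partition transfer against a
static, explicitly configured flow policy. It does not inspect or encrypt
payloads, and anything the policy does not list is denied.
"""
from collections import deque


class PolicyViolation(Exception):
    """Raised when a transfer is not permitted by the flow policy."""


class SeparationKernel:
    def __init__(self, partitions, allowed_flows):
        # allowed_flows: set of (src, dst) pairs that are explicitly permitted.
        self.partitions = set(partitions)
        for src, dst in allowed_flows:
            if src not in self.partitions or dst not in self.partitions:
                raise ValueError(f"flow {src}->{dst} names an unknown partition")
        self.flows = set(allowed_flows)
        self.mailboxes = {p: [] for p in self.partitions}

    def send(self, src, dst, payload):
        """Deliver payload only if the policy explicitly allows src -> dst."""
        if (src, dst) not in self.flows:
            raise PolicyViolation(f"{src} -> {dst} is not permitted by policy")
        self.mailboxes[dst].append((src, payload))

    def reachable_from(self, start):
        """Partitions that information originating in `start` can ever reach,
        following the configured flows transitively (breadth-first search)."""
        seen, queue = set(), deque([start])
        while queue:
            cur = queue.popleft()
            for src, dst in self.flows:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return seen

    def audit_one_way(self, high, low):
        """True if nothing originating in `low` can reach `high`, i.e. the
        policy is genuinely one-way from high to low."""
        return high not in self.reachable_from(low)


def build_kernel(backchannel=False):
    """Hypothetical configuration: a secret guest, an unclassified guest and a
    `downgrader` application (the policy-enforcing component above the
    kernel). With backchannel=True, two extra 'convenient' rules are added
    that individually look harmless but together reopen a low-to-high path."""
    flows = {("secret_guest", "downgrader"), ("downgrader", "unclass_guest")}
    if backchannel:
        flows |= {("unclass_guest", "downgrader"), ("downgrader", "secret_guest")}
    return SeparationKernel(["secret_guest", "unclass_guest", "downgrader"], flows)


if __name__ == "__main__":
    k = build_kernel()
    k.send("secret_guest", "downgrader", "report to be reviewed for release")
    try:
        k.send("secret_guest", "unclass_guest", "direct leak attempt")
    except PolicyViolation as e:
        print("denied:", e)
    print("one-way?", k.audit_one_way("secret_guest", "unclass_guest"))  # True
    print("one-way with backchannel?",
          build_kernel(backchannel=True).audit_one_way("secret_guest", "unclass_guest"))  # False
```

The point of the audit is that a flow policy is a graph, not a list: no single rule in the misconfigured variant sends anything from the unclassified guest to the secret guest, yet the two added rules compose into exactly that path through the downgrader. Reviewing rules one at a time would miss it.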

Others have been getting their hands on Integrity as well. The software has been included as part of the Coalition Warrior Interoperability Demonstration, deployed at a number of military and intelligence sites, and accepted as a Joint Capability Technology Demonstration (JCTD) for U.S. Central Command. The JCTD is called OB1, which stands for “one box, one wire.”

“The goal is to collapse the different networks and computers down to one computer and one network,” Kleidermacher said. “CENTCOM has commanders who must manage numerous different networks with separate computers for each one. This technology gives them the ability to reduce size, weight, power and maintenance costs. In fact, a recent study of the JCTD by the Naval Postgraduate School reports that OB1 has the potential to save CENTCOM $2.7 billion over the course of a 23-year life cycle—a 96 percent savings over the current architecture.”

MILS is not just a technical or hardware issue; human factors are coming increasingly into play as the solution proliferates across users. This is obliging providers to better understand people’s usage patterns, which will help drive MILS’s evolutionary path.

“Users don’t like change. What if the world is not willing to have two Windows environments? How do we provide them something that is as usable as possible yet still provides a high-assurance separation and control of sensitive information? For example, we have some people who don’t want a PC on their desk; they want their desktops managed in the data center and a thin or semithin client on their desk. We have adapted to support this configuration as well,” said Kleidermacher.

DATA DISTRIBUTION SERVICE

The Real-Time Innovations (RTI)-Wind River MILS solution combines Wind River’s top-performing MILS kernel with RTI’s messaging middleware. The combination complies with the Object Management Group’s Data Distribution Service (DDS) for Real-Time Systems standard, which is rapidly gaining acceptance in the military and beyond.

RTI and Wind River are long-term partners. Several government and industry customers selected their MILS-DDS solution, and the two companies recently announced their first defense user in that category, Boeing.

“MILS separation kernels partition applications on the same machine, allowing interaction in only controlled ways. Running DDS in a secure partition with other applications under the VxWorks MILS kernel brings many benefits,” explained Joe Schlesselman, director of market development for military/aerospace at Real-Time Innovations.

“DoD has mandated the use of DDS, so many existing programs and applications already use it and many new programs are adopting it. As these programs evolve higher security or information assurance requirements, VxWorks MILS products can add security. There are very large development efforts and millions of dollars invested in distributed applications using DDS. This technology gives those applications a path to better security.”

Alex Wilson, senior program manager at Wind River, explained that the VxWorks MILS Platform’s other recent news was its listing on the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) “Products in Evaluation” website. Completion of evaluation is scheduled for December 2011, and if successful, the VxWorks MILS solution will achieve certification to Common Criteria EAL 6+.

VxWorks MILS has been built to conform to the Separation Kernel Protection Profile (SKPP), which defines the security requirements of a separation kernel in environments requiring high robustness. Wilson said, “The SKPP guides vendors in development of a COTS MILS operating system, on which you in turn can build a multilevel secure system.”

Wilson was talking immediately after the Open Group, which promotes open standards, held a conference this spring on the future of MILS. “One of the big discussions is how you can use MILS to build defenses against some of the cybersecurity threats. The current infrastructure is either proprietary or built around Windows or Linux. The security techniques used to build these types of systems are now woefully inadequate for the kind of things they are being asked to do.”

Wilson cited a recent cybersecurity breach in the JSF program as evidence of this. “Several terabytes of data related to design and electronics systems of JSF was downloaded from Pentagon IT systems. This was a breach not of the aircraft itself, nor its systems. It is nonetheless ironic that while the aircraft itself is incredibly well protected, the systems that build it are not.”

“MILS gives people a natural path, in some cases, using the same hardware family, to add a layer of protection,” added Schlesselman. “At this point, that isn’t really widely known or understood, but it has great potential going forward. MILS will impact not only embedded and real-time systems like the combat management systems, and military avionics, but also day-to-day infrastructure like telecommunications, medical devices and public utilities.

“By separating potentially interacting parts, the MILS concept will enable designers to put together software components rapidly without being overwhelmed by the whole complex system,” Schlesselman continued.

NETWORK TURNSTILE

The first product ever certified as a MILS device was the Rockwell Collins AAMP7G microprocessor, which was validated in 2005 by NSA as capable of processing unclassified through Top Secret codeword information simultaneously.

Originally designed for safety-critical use, to meet the FAA’s DO-178B avionics standard for software safety development, the AAMP7 processor is targeted at a range of low-power, deeply embedded uses. A variant of the AAMP, for example, is installed in handheld DAGR GPS devices. In contrast, the separation kernels of Green Hills and Wind River (VxWorks) are software products designed to run on a variety of COTS platforms, and both vendors port their separation products to different hardware.

“AAMP7 was a building block—a hardware-based separation kernel. We have since embedded that in two products so far, the JANUS crypto engine and a high assurance guard called Turnstile,” said Ray Richards, principal engineering manager in the Information Assurance Section of Rockwell Collins Advanced Technology Center.

A guard such as Turnstile is a network appliance used to mediate the flow of information between security domains. A user with a trusted network and an untrusted network would put a guard between them to inspect the traffic passing through in depth and make sure that each information flow respects the security policies.

“The benefit that the warfighter gets from a device like that is it increases the ability to share information, even when the information shared is on networks of different classifications,” said Nancy Schroeder of the Information Assurance Division at Rockwell Collins Government Systems.

“For example, they are able to have access to information sharing, between a network that is top secret and one that is secret or unclassified. Normally information on the top secret network could not flow down and be shared on the secret or unclassified side. However, if you insert one of these devices, a cross-domain solution like the Turnstile guard, into the architecture, it is trusted to make the decision on what information can flow down or flow up between those two different networks.”
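As an added illustration of the guard role Schroeder describes, not Rockwell Collins or Turnstile code: a Python model of a guard between a Top Secret and a Secret network. Upward flows pass, since they expose nothing; downward flows pass only if the message carries an explicit release marking at or below the destination level and contains no dirty words. The level ordering, the `release_marking` field, the dirty-word list and the sample messages are assumptions made for this example.

```python
"""Toy model of a high-assurance guard between two networks.

Added illustration only; not Rockwell Collins / Turnstile code. The guard
sits between a high-side and a low-side network and decides, per message,
whether the flow is permitted. Level names, the release marking field, the
dirty-word list and the sample messages are hypothetical.
"""
import re

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


class Guard:
    def __init__(self, high_side, low_side, dirty_words):
        if LEVELS[high_side] <= LEVELS[low_side]:
            raise ValueError("high_side must dominate low_side")
        self.high, self.low = high_side, low_side
        self.dirty_words = {w.lower() for w in dirty_words}
        self.log = []  # (message id, permitted?, reason) for every decision

    def _record(self, msg, permitted, reason):
        self.log.append((msg["id"], permitted, reason))
        return permitted

    def decide(self, msg):
        src, dst = msg["src_level"], msg["dst_level"]
        if {src, dst} != {self.high, self.low}:
            return self._record(msg, False, "not a flow between the guarded networks")
        if LEVELS[src] < LEVELS[dst]:
            # Low to high: no information is exposed, so the flow passes.
            return self._record(msg, True, "flow up")
        # High to low: only explicitly released content may cross.
        marking = msg.get("release_marking")
        if marking is None or LEVELS[marking] > LEVELS[dst]:
            return self._record(msg, False, "no release marking at or below destination")
        # Whole-word dirty-word check so that e.g. 'beagle' does not match 'eagle'.
        tokens = set(re.findall(r"[a-z0-9]+", msg["body"].lower()))
        hits = sorted(self.dirty_words & tokens)
        if hits:
            return self._record(msg, False, f"dirty words present: {hits}")
        return self._record(msg, True, "released")


# Constructed sample traffic (hypothetical).
SAMPLE_MESSAGES = [
    {"id": 1, "src_level": "SECRET", "dst_level": "TOP SECRET",
     "body": "request for updated tasking"},
    {"id": 2, "src_level": "TOP SECRET", "dst_level": "SECRET",
     "release_marking": "SECRET", "body": "weather window opens 0600"},
    {"id": 3, "src_level": "TOP SECRET", "dst_level": "SECRET",
     "body": "unmarked draft, never reviewed"},
    {"id": 4, "src_level": "TOP SECRET", "dst_level": "SECRET",
     "release_marking": "SECRET", "body": "EAGLE asset confirms location"},
    {"id": 5, "src_level": "TOP SECRET", "dst_level": "SECRET",
     "release_marking": "TOP SECRET", "body": "marked too high to release"},
    {"id": 6, "src_level": "SECRET", "dst_level": "UNCLASSIFIED",
     "release_marking": "UNCLASSIFIED", "body": "not this guard's networks"},
]


def run_sample():
    """Run the constructed traffic through a TS/S guard; returns the log."""
    guard = Guard("TOP SECRET", "SECRET", dirty_words=["eagle", "nexus"])
    for msg in SAMPLE_MESSAGES:
        guard.decide(msg)
    return guard.log


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

Every decision is logged with its reason, because in a real cross-domain deployment the denied flows are the ones an accreditor will ask about. Note also that the guard refuses anything that is not strictly a flow between the two networks it was placed between; a guard that quietly forwards traffic for other domains has stopped being a single, auditable decision point.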

In addition to its own work, Rockwell Collins has teamed with LynuxWorks and other companies on MILS. Richards explained what was involved: “We use a very advanced copy of the LynuxWorks separation kernel, and we did some R&D work to develop a thin client to display different data from different security domains on one display.” Demonstrated at the MILCOM conference last fall, this internally funded solution has yet to be formally launched.

Rockwell Collins worked with Green Hills on the latter’s separation kernel for JSF and formally analyzed it to the EAL 6+ level using formal methods. This discipline applies rigorous mathematical analysis to digital systems: high-fidelity models of the system under evaluation are built in a mathematical language, and the required properties, here the separation between partitions, are proven against those models.

Security certification covers the target hardware on which the software is hosted, which typically, though not necessarily, limits the speed at which the same software can be moved to additional, differing hardware platforms.

In the JSF certification, the company has made a decisive move toward a more generic solution, Richards said. “The initial certification of Green Hills was done on a Rockwell Collins processor card. However, our marching order was to make the analysis independent of the target platform as much as possible. We did the formal analysis above the hardware abstraction layer analyzing the target-independent portions of the kernel.”

There are two new separation kernels and another kernel in evaluation, and a number of companies are building other MILS products. Rockwell Collins believes this is necessary before the MILS marketplace can take off, as it will enable a broad base of developers to certify MILS components that can be layered on top of each other and interoperate.

“There are a lot of companies developing MILS building blocks,” Schroeder said. “In short, we want to see more people developing MILS architectures. As a systems integrator, Rockwell Collins wants industry to create these building blocks, so we can utilize them to create systems that will increase information sharing for the warfighter on the tactical edge.” ♦
