Colloquium: Current Research and Implementation of MILS

Mr. W. Mark Vanfleet, US National Security Agency

Hosts: Professors V.W. Marek and M. Singhal

Venue: Windstream Room, Hardymon Blg

(Refreshments at 3.30 p.m., Hardymon Blg, 2nd floor Commons).

Abstract:

In order to verify with a high degree of assurance that a layered least privilege security policy is enforced and properly managed, the implementation (architecture as well as software and VHDL) needs to be verified to be compliant with the N.E.A.T. and T.I.M.E. design concept. The architecture (infrastructure and critical functions) shall guarantee that critical components and protection mechanisms are: 
(a) Non-bypassable, in A -> B -> C, the infrastructure must guarantee that A cannot in fact communicate with C except through B; 
(b) Evaluatable, the infrastructure must separate and protect critical applications so that each critical application can be evaluated on its own, without requiring an evaluation of the entire monolithic system to make any claims; 
(c) Always-invoked, if an application is a critical function, e.g., an application-level reference monitor, then that critical function is responsible for enforcing its own application-level security policy; the application and the infrastructure must partner together to ensure that the composed security policy is enforced; 
(d) Tamper-proof, the infrastructure must guarantee that cyber threats directed against the infrastructure have been mitigated, and it must enable the application, in conjunction with the infrastructure protections, to similarly guarantee that the application can defend itself against cyber threats.

The architecture (infrastructure and critical functions) shall guarantee that there shall be no unauthorized:
(i) Type-safety violations (executable stacks, writable code and libraries, buffer overflows, return address modification, activation of inactivated or dead code, recasting, etc.)
(ii) Infiltration across a Key Interface
(iii) Mediation (permission for a privileged entity to act on behalf of another)
(iv) Exfiltration across a Key Interface

The architecture shall be consistent with a Least Privilege Design. This presentation shall show how a MILS system is designed and how a MILS infrastructure would be evaluated. The presentation will demonstrate a security policy for Separation. N.E.A.T. and T.I.M.E. are about sharing the security burden that once was the exclusive domain of the Security Kernel with the Application. LOCK, an old TCSEC A-1 LOT R&D project, had the concept of kernel extensions. In LOCK terminology an application-level NEAT Reference Monitor is just an instantiation of the LOCK Kernel Extension Concept. MILS/MSLS/MLS did not abandon the concepts and lessons learned from the past; rather, it builds on and extends the concepts of the past.
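As an added illustration of the N.E.A.T. properties and the unauthorized-flow rules listed in the abstract (not material from the talk or from any MILS product), the following Python model treats partitions and the channels between them the way a separation kernel's static configuration does. It checks non-bypassability of a guard B on the path A -> B -> C by removing B and confirming C becomes unreachable from A, and it mediates every message against the policy table so that an attempted direct A -> C flow is denied and audited. The partition names, channels and messages are constructed for the example.

```python
"""Toy separation-policy model (added example, not from the colloquium).

A static policy table lists the only directed channels partitions may use,
mirroring a separation kernel's configuration. Two N.E.A.T. properties from
the abstract are made checkable:
  - non-bypassable: with the guard partition removed, the destination must
    be unreachable from the source (so every path goes through the guard)
  - always-invoked: every inter-partition message passes the same policy
    check, and denied attempts are recorded for audit
Partition names and channels below are constructed for illustration.
"""
from collections import deque

# Constructed policy: the only directed channels the kernel permits.
# A may talk to the guard B, B mediates to and from C, and replies go back via B.
POLICY = {
    ("A", "B"),
    ("B", "C"),
    ("C", "B"),
    ("B", "A"),
}


def reachable(policy, start, blocked=frozenset()):
    """Partitions reachable from `start` over permitted channels, never entering `blocked`."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in policy:
            if src == cur and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen


def non_bypassable(policy, src, guard, dst):
    """True iff src can reach dst at all, and cannot reach dst once guard is removed."""
    if guard in (src, dst):
        return False
    return dst in reachable(policy, src) and dst not in reachable(policy, src, blocked={guard})


class SeparationKernel:
    """Mediates every inter-partition send against the static policy (always-invoked)."""

    def __init__(self, policy):
        self.policy = set(policy)
        self.audit = []  # (src, dst, allowed) for every attempted send

    def send(self, src, dst, msg):
        allowed = (src, dst) in self.policy
        self.audit.append((src, dst, allowed))
        if not allowed:
            # The kernel, not the application, refuses the unauthorized flow.
            raise PermissionError(f"flow {src}->{dst} is not in the policy")
        return (dst, msg)


def denied_flows(kernel):
    """Audit entries for attempted flows the policy did not authorize."""
    return [(s, d) for s, d, ok in kernel.audit if not ok]


if __name__ == "__main__":
    print("B non-bypassable on A->C:", non_bypassable(POLICY, "A", "B", "C"))
    kernel = SeparationKernel(POLICY)
    kernel.send("A", "B", "request via guard")
    try:
        kernel.send("A", "C", "direct attempt")
    except PermissionError as err:
        print("denied:", err)
    print("audit of denied flows:", denied_flows(kernel))
```

Adding a direct ("A", "C") channel to the table makes `non_bypassable` return False, which is the evaluation a reviewer would perform on a proposed configuration before trusting B as the reference monitor for that path.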

(Joint colloquium with Departmental Security Colloquium)


Speaker's short bio:

Mr. W. Mark Vanfleet has worked for the National Security Agency (NSA) Information Assurance Directorate for over 23 years as an Information Systems Security Analyst, Crypto Mathematician, and Global Network Analyst. He holds NSA certifications in crypto-mathematics, communication and information systems security, and software engineering process and practice. Mr. Vanfleet has been involved in high-assurance software architecture, design, and evaluation for 32 years. He has bachelor's degrees in mathematics and computer science, and a master's degree in mathematics and statistics from the University of Utah. Mr. Vanfleet leads Formal Methods evaluations for infrastructures requiring high robustness in the US Department of Defense.