Suchergebnisse

The pace of modern warfare requires tools that support intensive, ongoing collaboration between participants. Wiki technology provides a hypertext content-based collaborative authoring and information sharing environment that includes the ability to create links to other web contents, relative stability, ease of use, and logging features for tracking contributions and modifications. Military environments impose a requirement to enforce national policies regarding authorized access to classified information while satisfying the intent of wikis to provide an open context for content sharing. The Global Information Grid (GIG) vision calls for a highly flexible multilevel environment. The Monterey Security Architecture (MYSEA) Test-bed provides a distributed high assurance multilevel networking environment where authenticated users securely access data and services at different classification levels. The MYSEA approach is to provide users with unmodified commercial-off-the-shelf office productivity tools while enforcing a multilevel security (MLS) policy with high assurance. The extensible Test-bed architecture is designed with strategically placed trusted components that comprise the distributed TCB, while untrusted commercial clients support the user interface. We have extended the collaboration capabilities of MYSEA through the creation of a multilevel wiki. This wiki permits users who access the system at a particular sensitivity level to read and post information to the wiki at that level. Users at higher sensitivity levels may read wiki content at lower security levels and may post information at the higher security level. The underlying MLS policy enforcement mechanisms prevent low users from accessing higher sensitivity information. The multilevel wiki was created by porting a publicly available wiki engine to run on the high assurance system hosting the MYSEA server. A systematic process was used to select a wiki for the MYSEA environment. TWiki was chosen. To simplify identification of errors that might arise in the porting process, a three-stage porting methodology was used. Functional and security tests were performed to ensure that the wiki engine operates properly while being constrained by the underlying policy enforcement mechanisms of the server. An objective in designing the test plans was to ensure adequate test coverage, while avoiding a combinatoric explosion of test cases. Repeatable regression testing procedures were also produced. A conflict between the application-level DAC policy of the wiki and that of the MYSEA server was identified and resolved. ; Approved for public release; distribution is unlimited.

The development of a Common Criteria protection profile for high-robustness separation kernels requires explicit modifications of several Common Criteria requirements as well as extrapolation from existing (e.g., medium robustness) guidance and decisions. The draft U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP) is intended to be applicable to a class of products (the target of evaluation, or TOE) that includes, but is not limited to, real time and embedded systems. This paper describes certain SKPP concepts and requirements and provides underlying motivations and rationale for their inclusion in the SKPP. Primary areas of focus are the security requirements regarding information flow, dynamic configuration, and the application of the principle of least privilege to restrict actions of active entities. Keywords: common criteria, separation kernel, high robustness, dynamic configuration, least privilege. ; Approved for public release; distribution is unlimited.

The development of a protection profile for high-robustness separation kernels requires explicit modifications of several Common Criteria requirements as well as extrapolation from existing (e.g., medium assurance) guidance and decisions. The draft U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP) is intended to be applicable to a class of products (the target of evaluation, or TOE) that includes, but is not limited to, real time and embedded systems. Other characteristics are that the products would not include a runtime user interface, would have a static runtime security configuration (with exceptions allowed for exigencies), would be capable of trusted recovery, and would export, but would not be required to maintain, audit records. We describe the rationale for certain approaches and requirements that appear in the draft SKPP. Primary areas of focus are the information flow and dynamic configuration requirements. For highly robust security systems, the principle of least privilege (PoLP) is a significant factor that has not been explicitly addressed in the Common Criteria, to date. PoLP prescribes restrictions to actions of active entities including the internal modules and technical measures that comprise the TOE security functions, and the active subjects (e.g., application programs) in the TOE scope of control. In the SKPP, the restriction is that these entities must not have any more �privilege� (viz., access to resources) than is necessary to perform the actions for which they were designed. Exceptions to this requirement are allowed for certain degenerate designs. A completely static separation kernel would maintain during runtime the time and space resource allocations and allowed interactions (i.e., information flows) with which it was initialized. Its design and implementation could be relatively simple and small, while providing a fundamental security service (viz., separation) upon which more complex systems could be constructed. However, in some scenarios (e.g., the failure of a peripheral device in a mission critical application), it may be desirable for the TOE to be able to change its security configuration. Thus, the SKPP allows the TOE to change resource allocations and allowed interactions (etc.) during runtime to another, pre-loaded, configuration. ; Approved for public release; distribution is unlimited.

The technical vision of the emerging net-centric Global Information Grid (GIG) encompasses support for high assurance authentication and multilevel security (MLS) as well as flexible, dynamic security policies. The GIG is intended to address the inefficient exchange of information in current military and intelligence operations that utilize a variety of specialized (so-called "stove-piped") systems. In this context, secure information access problems are exacerbated by the need to share information from networks at different classifications (e.g., Unclassified, Secret, and Top Secret) and within multinational coalitions in episodic, ad hoc situations. These challenges provide the impetus for the creation of the Monterey Security Architecture (MYSEA) Testbed. The purpose of this Testbed is to support research in high assurance multilevel security (MLS) [1, 2] and dynamic security, two areas that are critical to the realization of the GIG's assured information sharing vision. ; Approved for public release; distribution is unlimited.

The Naval Postgraduate School Center for Information Systems Security (INFOSEC) Studies and Research (NPS CISR) is developing a comprehensive program in INFOSEC education and research that can become a resource for DoN/DoD and U.S Government in terms of educational materials and research. A security track within the Computer Science curriculum at the Naval Postgraduate School has been established. Building upon a foundation of computer science laid by the departments core curriculum, the security track conveys vital concepts and techniques associated with INFOSEC today. ; Approved for public release; distribution is unlimited.

This document describes the Life Cycle Management Plan for the development of a high assurance secure product. A high assurance product is one for which its users have a high level of confidence that its security policies will be enforced continuously and correctly. Such products are constructed so that they can be analyzed for these characteristics. Lifecycle activities ensure that the product reflects the intent to ensure that the product is trustworthy and that vigorous efforts have been made to ensure the absence of unspecified functionality, whether accidental or intentional. The purpose of this plan is to provide the policy necessary to ensure the physical protection of the product during its entire life cycle. Product integrity is the primary concern, though confidentiality is not disregarded. ; Prepared for United States Navy, OPNAV N2/N6 and funded in part by United States Navy, OPNAV N2/N6. A portion of the material presented here is based upon work supported by the National Science Foundation under Grant No. CNS-0430566 and CNS-0430598. ; Approved for public release; distribution is unlimited.

A variety of critical decisions were made during the development of the U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (the SKPP); in addition several errata that have come to light since its publication. This paper is intended to help future SKPP users to better understand the intent of the requirements. ; Approved for public release; distribution is unlimited.

The U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness (SKPP) is undergoing evaluation. During its authoring process, new extended functional and assurance requirements were introduced to resolve assurance issues associated with TOE hardware, trusted initialization and trusted recovery. For high robustness, domain separation and self-protection are architectural assurances only realistically achieved with hardware support. Since the Common Criteria does not include requirements for establishing assurance in security-relevant hardware mechanisms, a new Platform Assurance class was introduced. It provides a framework to determine the security relevance of commercially-available hardware based on its interfaces to software and to establish trust in those hardware mechanisms deemed security-relevant. Requirements for TOE initialization behavior and for establishing trust in that behavior are not prescribed in the CC Version 2.3. Although CC Version 3.1 does define secure initialization assurances, they are not sufficient for high robustness. A new Trusted Initialization assurance family was introduced to require a TOE initialization function that reliably establishes the TSF in an initial secure state, verifies TSF integrity during initialization, handles failures during initialization, does not arbitrarily interact with the TSF following TOE initialization, provides self-protection during initialization, and addresses the threat that the TSF is initialized by other components executing on the TOE.Existing trusted recovery requirements emphasize the means of failure handling (i.e., manual versus automated) instead of protecting against further compromise during a recovery from an insecure state to a secure state. Extended trusted recovery requirements were introduced to require the TSF to attempt self-recovery to a secure state when the TSF detects that it is in an insecure state. To avoid ambiguity, the TOE developer must enumerate pair-wise recovery conditions and their associated actions and provide appropriate evidence that secure state results from the identified action. ; Approved for public release; distribution is unlimited.

Annual Computer Security Applications Conference (ACSAC) ; A protection profile for high-robustness separation kernels has recently been validated and several implementations are under development. However, medium-robustness separation kernel development efforts have no protection profile, although the US Government has published guidance for authoring such a profile. As a step toward a protection profile, a set of security requirements for medium-robustness separation kernels is proposed. These requirements result from an informal, yet principled, approach. By bracketing the problem with appropriate reference points and elaborating a method for interpolating the requirements both a measure of uniformity and a basis for further discussion are achieved. Our reference points include the high robustness protection profile, the existing medium robustness consistency instruction, and our familiarity with the nuances of separation kernels. This practitioner-oriented study is intended to advance the prevailing practices for commercial software development, which presently falls far short of the rigor needed for either high-robustness or medium-robustness systems. These requirements represent an incremental improvement in the pursuit of secure software � and is intended to be a step forward on the road to higher assurance. ; Approved for public release; distribution is unlimited.

Large complex systems need to be analyzed prior to operation so that those depending upon them for the protection of their information have a well defined understanding of the measures that have been taken to achieve security and the residual risk the system owner assumes during its operation. The U.S. military calls this analysis and vetting process certification and accreditation. Today there is a large, unsatisfied need for personnel qualified to conduct system certifications. An educational program to address those needs is described. Large complex systems need to be analyzed prior to operation so that those depending upon them for the protection of their information have a well defined understanding of the measures that have been taken to achieve security and the residual risk the system owner assumes during its operation. The U.S. military calls this analysis and vetting process certification and accreditation. Today there is a large, unsatisfied need for personnel qualified to conduct system certifications. An educational program to address those needs is described. ; Approved for public release; distribution is unlimited.

Large complex systems need to be analyzed prior to operation so that those depending upon them for the protection of their information have a well-defined understanding of the measures that have been taken to achieve security and the residual risk the system owner assumes during its operation. The U.S. military calls this analysis and vetting process certification and accreditation. Today there is a large, unsatisfied need for personnel qualified to conduct system certifications. An educational program to address those needs is described. ; Approved for public release; distribution is unlimited.

Large complex systems need to be analyzed prior to operation so that those depending upon them for the protection of their information have a well- defined understanding of the measures that have been taken to achieve security and the residual risk the system owner assumes during its operation. The U.S. military calls this analysis and vetting process certification and accreditation. Today there is a large, unsatisfied need for personnel qualified to conduct system certifications. An educational program to address those needs is described.

Despite an urgent need to protect information in computer systems critical to business and government, the inadequacy of many security products combined with overmarketing and overstated claims leaves information managers with nowhere to turn. Cyber security education is needed to provide a population of individuals who can make sound choices for the operation and acquisition of information protection. A prerequisite is an adequate population of educators. We describe workshops intended to help educators new to the area of Information Assurance. The multiple objectives are: to identify key foundational topics to educators, to teach lessons learned regarding topics difficult to convey to students, and to create a sense of community among Information Assurance educators. ; This material is based on work supported by the National Science Foundation under Grant DUE-0210762 ; Approved for public release; distribution is unlimited.

A high assurance architecture is described for the protection of distributed multilevel secure computing environments from malicious code and other attacks. Component security services and mechanisms extend and inter-operate with commodity PCs, commodity client software, applications, trusted components, and legacy single level networks, providing new capabilities for composing secure, distributed multilevel security. This architecture results from the realization that unless a secure system offers users comfortable and familiar interfaces for handling routine information, it will fail due to lack of user acceptability. Computer systems critical to business and government, the inadequacy of many security products combined with overmarketing and overstated claims leaves information managers with nowhere to turn. Cyber security education is needed to provide a population of individuals who can make sound choices for the operation and acquisition of information protection. A prerequisite is an adequate population of educators. We describe workshops intended to help educators new to the area of Information Assurance. The multiple objectives are: to identify key foundational topics to educators, to teach lessons learned regarding topics difficult to convey to students, and to create a sense of community among Information Assurance educators. ; Approved for public release; distribution is unlimited.