Multiple Independent Levels of Security

Multiple Independent Levels of Security/Safety (MILS) is a high-assurance security architecture based on the concepts of separation[1] and controlled information flow. It is implemented by separation mechanisms that support both untrusted and trustworthy components, and it ensures that the total security solution is non-bypassable, evaluatable, always invoked and tamperproof.

A MILS solution allows for independent evaluation of security components and trusted composition.[2][3] MILS represents a relatively new (15 years) approach to building secure systems, in contrast to the older Bell-LaPadula theories of secure systems that form the foundation of the DoD Orange Book.

A MILS system employs one or more separation mechanisms (e.g., a separation kernel, a Partitioning Communication System, physical separation) to maintain assured data and process separation. A MILS system supports enforcement of one or more application- or system-specific security policies by authorizing information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, crypto devices, etc.).

Properties:

  • Non-bypassable: a component cannot use another communication path, including lower-level mechanisms, to bypass the security monitor.
  • Evaluatable: any trusted component can be evaluated to the level of assurance required of that component. This means the components are modular, well designed, well specified, well implemented, small, of low complexity, etc.
  • Always-invoked: each and every access/message is checked by the appropriate security monitors (i.e., a security monitor will not just check the first access and then pass all subsequent accesses/messages through).
  • Tamperproof: the system controls "modify" rights to the security monitor code, configuration and data, preventing unauthorized changes.

A convenient acronym for these characteristics is NEAT.

'Trustworthy' means that the component has been certified to satisfy well-defined security policies to a level of assurance commensurate with the level of risk for that component (e.g., we can have single-level access control guards evaluated at CC EAL4, separation mechanisms evaluated at High Robustness, two-level separation guards at EAL 5, and Type I crypto all in the same MILS system).

'Untrusted' means that we have no confidence that the system meets its specification with respect to the security policy.
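The flow policy described above (same-domain traffic passes, cross-domain traffic only via a trustworthy monitor, every message checked) can be modelled in a few lines. The following is an added illustration, not code from the article or from any MILS product; partition names, domains and the single guard path are constructed for the example.

```python
"""Toy model of MILS information-flow enforcement (added example, not from the
article). Partitions belong to security domains; the separation mechanism
forwards a message only when the flow is authorised: same domain, or an
explicitly configured path through a trusted monitor (guard/downgrader).
Every send passes through route(), so the check is always invoked and there
is no second path around it."""
from dataclasses import dataclass, field


@dataclass
class Partition:
    name: str
    domain: str              # security domain, e.g. "SECRET" or "UNCLASS"
    trusted: bool = False    # True only for evaluated security monitors
    inbox: list = field(default_factory=list)


class SeparationMechanism:
    def __init__(self):
        self.parts: dict[str, Partition] = {}
        # explicit cross-domain authorisations as (src, dst) pairs
        self.allowed_flows: set[tuple[str, str]] = set()
        self.audit: list[str] = []   # one record per checked message

    def add(self, p: Partition):
        self.parts[p.name] = p

    def authorise(self, src: str, dst: str):
        """Cross-domain flows may only be configured through a trusted monitor."""
        if not (self.parts[src].trusted or self.parts[dst].trusted):
            raise ValueError("cross-domain flow must pass a trusted monitor")
        self.allowed_flows.add((src, dst))

    def route(self, src: str, dst: str, msg: str) -> bool:
        """The single delivery path: check policy, log, then deliver or drop."""
        s, d = self.parts[src], self.parts[dst]
        ok = s.domain == d.domain or (src, dst) in self.allowed_flows
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} {src}->{dst}")
        if ok:
            d.inbox.append(msg)
        return ok


def build_demo() -> SeparationMechanism:
    """Constructed configuration: two application partitions in different
    domains and one trusted downgrader guard that may write to the low side."""
    sm = SeparationMechanism()
    for p in (Partition("hi_app", "SECRET"), Partition("lo_app", "UNCLASS"),
              Partition("guard", "SECRET", trusted=True)):
        sm.add(p)
    sm.authorise("guard", "lo_app")   # the only permitted SECRET->UNCLASS path
    return sm
```

With this configuration, hi_app can talk to the guard (same domain), the guard can release to lo_app, but a direct hi_app to lo_app send is denied and recorded in the audit log.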

The following companies have MILS separation kernel products:

See also

  • Multiple Levels of Security

References

  1. John Rushby (1981). "Design and Verification of Secure Systems". Proc. 8th ACM Symposium on Operating System Principles, pp. 12–21. http://www.csl.sri.com/papers/sosp81/sosp81.pdf
  2. W. S. Harrison, N. Hanebutte, P. Oman and J. Alves-Foss (October 2005). "The MILS Architecture for a Secure Global Information Grid". CrossTalk 18 (10): 20–24. http://www.stsc.hill.af.mil/CrossTalk/2005/10/0510Harrisonetal.html
  3. J. Alves-Foss, W. S. Harrison, P. Oman and C. Taylor (2007). "The MILS Architecture for High Assurance Embedded Systems". International Journal of Embedded Systems. http://www.csds.uidaho.edu/papers/Alves-Foss06a.pdf

Wikimedia Foundation. 2010.
