Multilevel security
Multilevel security or Multiple Levels of Security (abbreviated as MLS) is the application of a computer system to process information with different sensitivities (i.e., at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. This is a paraphrase of the CNSSI 4009 glossary definition for Multi-Level Security. Note that the UCDMO (the US government lead for cross domain and multi-level secure systems) created a Cross Domain Multi-Level category on its baseline of accredited systems, which is synonymous with multi-level security.
MLS allows easy access to less-sensitive information by higher-cleared individuals, and it allows higher-cleared individuals to easily share sanitized documents with less-cleared individuals. A sanitized document is one that has been edited to remove information that the less-cleared individual is not allowed to see.
Trusted operating systems
An MLS operating environment often requires a highly trustworthy information processing system, often built on an MLS operating system, but not necessarily. Most MLS functionality can be supported by a system composed entirely of untrusted computers, although this requires multiple independent computers linked by hardware security-compliant channels (see section B.6.2 of the Trusted Network Interpretation, NCSC-TG-005). An example of hardware-enforced MLS is Asymmetric Isolation. If a single computer is used in MLS mode, that computer must run a trusted operating system (OS). Because all information in an MLS environment is physically accessible to the OS, strong logical controls must exist to ensure that access to information is strictly controlled. Typically this involves mandatory access control that uses security labels, as in the Bell-La Padula model.
Customers that deploy trusted operating systems typically require that the product complete a formal computer security evaluation. The evaluation is stricter for a broader security range, that is, the span between the lowest and highest classification levels the system can process. The Trusted Computer System Evaluation Criteria (TCSEC) was the first evaluation criteria developed to assess MLS in computer systems. Under that criteria there was a clear, uniform mapping between the security requirements and the breadth of the MLS security range. Historically, few implementations have been certified capable of MLS processing with a security range of Unclassified through Top Secret. Among them were Honeywell's SCOMP, USAF SACDIN, NSA Blacker, and Boeing's MLS LAN, all under TCSEC, 1980s vintage and Intel 80386-based. Currently, MLS products are evaluated under the Common Criteria. In late 2008, the first operating system (more below) was certified to a high evaluated assurance level (EAL), EAL 6+ / High Robustness, under the auspices of a U.S. government program requiring multi-level security in a high threat environment. While this assurance level has many similarities to that of the old Orange Book A1 (such as formal methods), the functional requirements focus on fundamental isolation and information flow policies rather than higher level policies such as Bell-La Padula. Because the Common Criteria decoupled TCSEC's pairing of assurance (EAL) and functionality (Protection Profile), the clear, uniform mapping between security requirements and MLS security range capability documented in CSC-STD-004-85 was largely lost when the Common Criteria superseded the Rainbow Series.
Freely available operating systems with some features that support MLS include Linux with the Security-Enhanced Linux feature enabled and FreeBSD. Security evaluation was once thought to be a problem for these free MLS implementations for three reasons:
- It is always very difficult to implement a kernel self-protection strategy with the precision needed for MLS trust, and these examples were not designed to or certified to an MLS protection profile, so they may not offer the self-protection needed to support MLS.
- Aside from EAL levels, the Common Criteria lacks an inventory of appropriate high assurance protection profiles that specify the robustness needed to operate in MLS mode.
- Even if (1) and (2) were met, the evaluation process is very costly and imposes special restrictions on configuration control of the evaluated software.
Notwithstanding such suppositions, Red Hat Enterprise Linux 5 was certified against LSPP, RBACPP, and CAPP at EAL4+ in June 2007. It uses Security-Enhanced Linux to implement MLS and was the first Common Criteria certification to enforce TOE security properties with Security-Enhanced Linux.
Vendor certification strategies can be misleading to laypersons. A common strategy exploits the layperson's overemphasis on EAL level with over-certification, such as certifying an EAL 3 protection profile (like CAPP) to elevated levels, like EAL 4 or EAL 5. Another is adding and certifying MLS support features (such as the Role-Based Access Control Protection Profile (RBACPP) and the Labeled Security Protection Profile (LSPP)) to a kernel that is not evaluated to an MLS-capable protection profile. Those types of features are services run on the kernel and depend on the kernel to protect them from corruption and subversion. If the kernel is not evaluated to an MLS-capable protection profile, MLS features cannot be trusted regardless of how impressive the demonstration looks. It is particularly noteworthy that CAPP is specifically not an MLS-capable profile, as it specifically excludes self-protection capabilities critical for MLS.
Sun Microsystems offers Solaris Trusted Extensions as an integrated feature of the commercial Solaris Operating System as well as OpenSolaris. In addition to the Controlled Access Protection Profile (CAPP) and Role-Based Access Control (RBAC) protection profiles, Trusted Extensions has also been certified at EAL4 to the Labeled Security Protection Profile (LSPP). The security target includes both desktop and network functionality. LSPP mandates that users are not authorized to override the labeling policies enforced by the kernel and X11 server. The evaluation does not include a covert channel analysis. Because these certifications depend on CAPP, no Common Criteria certification suggests this product is trustworthy for MLS.
BAE Systems offers XTS-400, a commercial system that supports MLS at what the vendor claims is "high assurance". Predecessor products (including the XTS-300) were evaluated at the TCSEC B3 level, which is MLS-capable. The XTS-400 has been evaluated under the Common Criteria at EAL5+ against the CAPP and LSPP protection profiles. CAPP and LSPP are both EAL3 protection profiles that are not inherently MLS-capable, but the security target for the Common Criteria evaluation of this product contains an enriched set of security functions that provide MLS capability.
MLS problem areas
Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like those defined by the Bell-La Padula model, only allow sharing when it does not obviously violate security restrictions. Users with lower clearances can easily share their work with users holding higher clearances, but not vice versa. There is no efficient, reliable mechanism by which a Top Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to users with Secret or lower clearances. In practice, MLS systems circumvent this problem via privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a file's security classification. However, the technique is not reliable.
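The label-based mandatory access control described above, and the reason sanitization has to step outside it, as an added example that is not part of the original article and is not any evaluated product's code. It is a toy Bell-La Padula reference monitor: labels are a (level, compartments) pair, a subject may read an object only if the subject's label dominates the object's (no read up), and may write only if the object's label dominates the subject's (no write down). The level names, object names and the `downgrade` privilege are assumptions of this example.

```python
"""Added example (not from the article): a toy Bell-La Padula reference monitor
with labels as (level, compartments), showing read down allowed, read up and
write down denied, and why sanitization needs a privileged downgrade that the
lattice itself never permits."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    label: Label
    data: str


class ReferenceMonitor:
    """Mediates every access: simple-security (no read up) and *-property (no write down)."""

    def __init__(self):
        self.objects = {}
        self.audit = []

    def create(self, name, label, data=""):
        self.objects[name] = Obj(label, data)

    def read(self, subject: Label, name: str) -> str:
        obj = self.objects[name]
        if not subject.dominates(obj.label):
            self.audit.append(f"DENY read {name} at {subject.level}")
            raise PermissionError(f"read up denied: {name}")
        return obj.data

    def write(self, subject: Label, name: str, data: str) -> None:
        obj = self.objects[name]
        if not obj.label.dominates(subject):
            self.audit.append(f"DENY write {name} at {subject.level}")
            raise PermissionError(f"write down denied: {name}")
        obj.data = data

    def downgrade(self, trusted_role: bool, name: str, new_label: Label) -> None:
        """Privileged bypass of the lattice. Nothing here checks that the content
        is actually safe at new_label; that judgement is the unreliable part."""
        if not trusted_role:
            raise PermissionError("downgrade requires a trusted role")
        self.audit.append(f"DOWNGRADE {name} -> {new_label.level}")
        self.objects[name].label = new_label


def attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> dict:
    rm = ReferenceMonitor()
    ts = Label("TOP SECRET", frozenset({"CRYPTO"}))
    sec = Label("SECRET")
    rm.create("plan.txt", ts, "TS/CRYPTO: launch window 0400")   # constructed sample data
    rm.create("memo.txt", sec, "S: routine memo")
    rm.create("dropbox.txt", ts)
    out = {
        "ts_reads_secret": rm.read(ts, "memo.txt"),                   # read down
        "secret_reads_ts": attempt(rm.read, sec, "plan.txt"),         # read up
        "ts_writes_secret": attempt(rm.write, ts, "memo.txt", "sanitized summary"),
        "secret_writes_up": attempt(rm.write, sec, "dropbox.txt", "S: report for TS"),
        "secret_reads_own_write_up": attempt(rm.read, sec, "dropbox.txt"),
    }
    # The only route for the TS content to reach Secret readers is a relabel by a
    # trusted role, outside the lattice rules the monitor enforces above.
    rm.downgrade(True, "plan.txt", sec)
    out["secret_reads_after_downgrade"] = rm.read(sec, "plan.txt")
    out["audit"] = list(rm.audit)
    return out
```

Note that `ts_writes_secret` is denied even though the Top Secret user's intent is benign: the *-property cannot distinguish "sanitized summary" from a leak, which is exactly why real systems fall back on the privileged `downgrade` path and on a human judgement the monitor does not verify.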
Covert channels pose another problem for MLS systems. For an MLS system to keep secrets perfectly, there must be no possible way for a Top Secret process to transmit signals of any kind to a Secret or lower process. This includes side effects such as changes in available memory or disk space, or changes in process timing. When a process exploits such a side effect to transmit data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a practical computing system, and it may be impossible in practice. The process of identifying all covert channels is a challenging one by itself. Most commercially available MLS systems do not attempt to close all covert channels, even though this makes it impractical to use them in high security applications.
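One of the side effects named above (available disk space) turned into a working storage covert channel, as an added example that is not part of the original article. The high process never writes to anything the low process is allowed to read; it only holds or releases blocks on a disk both share, and the low process recovers the bits by sampling free space. The disk model, the capacity and block sizes, and the per-domain quota mitigation are assumptions of this example.

```python
"""Added example (not from the article): a storage covert channel through a
shared disk quota. The high process never writes anything the low process may
read; it only changes how much free space the shared disk reports, and the low
process recovers the secret by observing that side effect. A statically
partitioned disk (per-domain quotas) removes the observable and so the channel."""


class SharedDisk:
    """One pool of blocks shared by both security levels (the unlabeled resource)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.used = {}                          # owner -> bytes allocated

    def free(self, owner: str = "low") -> int:
        return self.capacity - sum(self.used.values())   # global, owner-independent

    def allocate(self, owner: str, n: int) -> bool:
        if n > self.free(owner):
            return False
        self.used[owner] = self.used.get(owner, 0) + n
        return True

    def release(self, owner: str) -> None:
        self.used.pop(owner, None)


class PartitionedDisk(SharedDisk):
    """Mitigation: each domain gets a fixed quota, so one domain's usage is
    invisible to the other and free() no longer carries information."""

    def __init__(self, quotas: dict):
        super().__init__(sum(quotas.values()))
        self.quotas = quotas

    def free(self, owner: str = "low") -> int:
        return self.quotas[owner] - self.used.get(owner, 0)


def to_bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def from_bits(bits) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def high_sender(disk: SharedDisk, secret: bytes, block: int):
    """One scheduling step per bit: hold `block` bytes to signal 1, hold nothing for 0."""
    for bit in to_bits(secret):
        disk.release("high")
        if bit:
            disk.allocate("high", block)
        yield


def low_receiver(disk: SharedDisk, threshold: int) -> int:
    """Sample free space: the low process touches nothing owned by high."""
    return 1 if disk.free("low") < threshold else 0


def run_channel(secret: bytes, capacity: int = 1_000_000, block: int = 600_000,
                partitioned: bool = False) -> bytes:
    """Drive sender and receiver in lock step (perfect scheduling, no noise)."""
    disk = (PartitionedDisk({"high": capacity // 2, "low": capacity // 2})
            if partitioned else SharedDisk(capacity))
    threshold = capacity - block + 1            # free space below this means high holds a block
    received = []
    for _ in high_sender(disk, secret, block):  # sender acts, then receiver samples
        received.append(low_receiver(disk, threshold))
    return from_bits(received)
```

The lock-step scheduling makes the channel noiseless, which is the best case for the attacker; on a real system the receiver also has to cope with other processes allocating space, which lowers the bandwidth but does not close the channel. The partitioned variant shows the usual fix: stop sharing the resource rather than trying to police how it is used.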
Bypass is problematic when introduced as a means to treat a system high object as if it were MLS trusted. A common example is to extract data from a secret system high object to be sent to an unclassified destination, citing some property of the data as trusted evidence that it is 'really' unclassified (e.g. 'strict' format). A system high system cannot be trusted to preserve any trusted evidence, and the result is that an overt data path is opened with no logical way to securely mediate it. Bypass can be risky because, unlike narrow bandwidth covert channels that are difficult to exploit, bypass can present a large, easily exploitable overt leak in the system. Bypass often arises out of failure to use trusted operating environments to maintain continuous separation of security domains all the way back to their origin. When that origin lies outside the system boundary, it may not be possible to validate the trusted separation to the origin. In that case, the risk of bypass can be unavoidable if the flow truly is essential.
A common example of unavoidable bypass is a subject system that is required to accept secret IP packets from an untrusted source, encrypt the secret user data but not the header, and deposit the result on an untrusted network. The source lies outside the sphere of influence of the subject system. Although the source is untrusted (e.g. system high), it is being trusted as if it were MLS because it provides packets that have unclassified headers and secret plaintext user data, an MLS data construct. Since the source is untrusted, it could be corrupt and place secrets in the unclassified packet header. The corrupted packet headers could be nonsense, but it is impossible for the subject system to determine that with any reasonable reliability. The packet user data is cryptographically well protected, but the packet header can contain readable secrets. If the corrupted packets are passed to an untrusted network by the subject system, they may not be routable, but some cooperating corrupt process in the network could grab the packets and acknowledge them, and the subject system may not detect the leak. This can be a large overt leak that is hard to detect. Viewing classified packets with unclassified headers as system high structures instead of the MLS structures they really are presents a very common but serious threat.
Most bypass is avoidable. Avoidable bypass often results when system architects design a system before correctly considering security, then attempt to apply security after the fact as add-on functions. In that situation, bypass appears to be the only (easy) way to make the system work. Some pseudo-secure schemes are proposed (and approved!) that examine the contents of the bypassed data in a vain attempt to establish that bypassed data contains no secrets. This is not possible without trusting something about the data such as its format, which is contrary to the assumption that the source is not trusted to preserve any characteristics of the source data. Assured "secure bypass" is a myth, just as a so-called High Assurance Guard (HAG) that transparently implements bypass. The risk these introduce has long been acknowledged; extant solutions are ultimately procedural, rather than technical. There is no way to know with certainty how much classified information is taken from our systems by exploitation of bypass.
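The packet-header bypass of the two preceding paragraphs, as an added example that is not part of the original article and is not any real guard's code. A subject system encrypts only the payload of packets from a system-high source and forwards the header in the clear after a 'strict format' check; a subverted source then carries a secret through a well-formed header field and a listener on the untrusted network reassembles it. The header layout (a 16-bit identifier and two ports), the toy SHA-256 counter-mode cipher and the key are assumptions made only to keep the example self-contained; they are not a real protocol.

```python
"""Added example (not from the article): why "secure bypass" of packet headers
cannot be validated. The subject system encrypts only the payload of packets
from a system-high (untrusted) source and passes header fields through in the
clear. The source can hide a secret in perfectly well-formed header fields, and
a strict format check on the subject system cannot tell."""
import hashlib
import struct

KEY = b"demo-key-not-for-real-use"     # assumption: shared key for the toy cipher
HDR = struct.Struct(">HHH")            # constructed toy header: ident, src_port, dst_port


def toy_encrypt(payload: bytes, seq: int) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode), symmetric for decryption.
    Only here to show the payload is hidden; a real system would use an AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(payload):
        stream += hashlib.sha256(KEY + struct.pack(">QI", seq, counter)).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(payload, stream))


def make_packet(ident: int, src_port: int, dst_port: int, payload: bytes) -> bytes:
    return HDR.pack(ident, src_port, dst_port) + payload


def strict_format_check(packet: bytes) -> bool:
    """The 'pseudo-secure' check the article warns about: every field is in
    range and the packet parses, so the header is treated as unclassified."""
    if len(packet) < HDR.size:
        return False
    ident, sp, dp = HDR.unpack_from(packet)
    return 0 <= ident <= 0xFFFF and 1 <= sp <= 65535 and 1 <= dp <= 65535


def subject_system(packets):
    """Encrypt the (secret) payload; pass the header through if it looks unclassified."""
    forwarded = []
    for seq, pkt in enumerate(packets):
        if not strict_format_check(pkt):
            continue
        hdr, payload = pkt[:HDR.size], pkt[HDR.size:]
        forwarded.append(hdr + toy_encrypt(payload, seq))
    return forwarded


def corrupt_source(secret: bytes, cover_payload: bytes):
    """A subverted system-high host: leaks the secret two bytes per packet through
    the 16-bit ident field, with plausible ports and a genuine secret payload."""
    padded = secret + b"\x00" * (len(secret) % 2)
    return [make_packet(int.from_bytes(padded[i:i + 2], "big"), 40000 + i, 443, cover_payload)
            for i in range(0, len(padded), 2)]


def network_observer(forwarded) -> bytes:
    """Anyone on the untrusted network reassembles the secret from headers alone."""
    return b"".join(HDR.unpack_from(p)[0].to_bytes(2, "big")
                    for p in forwarded).rstrip(b"\x00")


def demo() -> dict:
    secret = b"SECRET: convoy departs 0600"                       # constructed sample
    cover = b"this payload is protected by the cipher"
    pkts = corrupt_source(secret, cover)
    fwd = subject_system(pkts)
    return {
        "all_passed_format_check": len(fwd) == len(pkts),
        "payload_hidden": all(p[HDR.size:] != cover for p in fwd),
        "payload_recovered": toy_encrypt(fwd[0][HDR.size:], 0) == cover,
        "leaked_via_headers": network_observer(fwd),
    }
```

Every packet passes the format check, the payload is unreadable on the wire, and the whole secret is still readable in the headers. Tightening the check (fewer allowed values, fixed ports) only lowers the leak rate; as long as the source chooses any header bit, it chooses what the header says.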
experts, more laypersons who are not COMPUSEC-astute are designing secure computing systems and are mistakenly drawing this conclusion because the term MLS is being overloaded. These two uses are: MLS as a processing environment vs MLS as a capability. The false conclusion is based on a belief that since no products are certified to operate in an MLS environment or mode, MLS as a capability does not exist. One does not imply the other. Many systems operate in an environment containing data that has unequal security levels and therefore is MLS by the Computer Security Intermediate Value Theorem (CS-IVT). The consequence of this confusion runs deeper.
Laypersons often conclude that to admit that a system operates in an MLS environment (environment-centric meaning of MLS) is to be backed into the perceived corner of having a problem with no MLS solution (capability-centric meaning of MLS). MLS is deceptively complex and just because simple solutions are not obvious does not justify a conclusion that they do not exist. This can lead to a crippling ignorance about COMPUSEC that manifests itself as whispers that "one can not talk about MLS," and "There's no such thing as MLS." These MLS-denial schemes change so rapidly that they cannot be addressed. Instead, it is important to clarify the distinction between MLS-environment and MLS-capable.
The original use of the term MLS applied to the security environment, or mode. One solution to this confusion is to retain the original definition of MLS and be specific about MLS-capable when that context is used.
MILS (multiple independent levels of security) is an architecture that addresses the domain separation component of MLS. Note that the UCDMO (the US government lead for cross domain and multi-level systems) created a term, Cross Domain Access, as a category in its baseline of DoD and Intelligence Community accredited systems, and this category can be seen as essentially analogous to MILS.
Security models such as the Biba model (for integrity) and the Bell-La Padula model (for confidentiality) allow one-way flow between certain security domains that are otherwise assumed to be isolated. MILS addresses the isolation underlying MLS without addressing the controlled interaction between the domains addressed by the above models. Trusted security-compliant channels mentioned above can link MILS domains to support more MLS functionality.
The MILS approach pursues a strategy characterized by an older term, MSL (multiple single level), that isolates each level of information within its own single-level environment (System High).
The rigid process communication and isolation offered by MILS may be more useful to ultra high reliability software applications than MLS. MILS notably does not address the hierarchical structure that is embodied by the notion of security levels. This requires the addition of specific import/export applications between domains each of which needs to be accredited appropriately. As such, MILS might be better called Multiple Independent Domains of Security (MLS emulation on MILS would require a similar set of accredited applications for the MLS applications). By declining to address out of the box interaction among levels consistent with the hierarchical relations of Bell-La Padula, MILS is (almost deceptively) simple to implement initially but needs non-trivial supplementary import/export applications to achieve the richness and flexibility expected by practical MLS applications.
Any MILS/MLS comparison should consider whether the accreditation of a set of simpler export applications is more achievable than accreditation of a single, more complex MLS kernel. This question depends in part on the extent of the import/export interactions that the stakeholders require. In favour of MILS is the possibility that not all the export applications will require maximal assurance.
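The MILS division of labour discussed in the preceding paragraphs, as an added example that is not part of the original article and not any separation kernel's code. The toy kernel knows only partition names and a static table of one-way channels, and has no notion of Secret or Top Secret; the hierarchical relation lives entirely in a separate export application placed on a channel, which is the component that would need its own accreditation. Partition names, the two-level hierarchy and the "RELEASABLE:" marking used to stand in for a reviewed downgrade are assumptions of this example.

```python
"""Added example (not from the article): a toy MILS separation kernel plus
export applications. The kernel enforces isolation only; the level-aware
(Bell-La Padula style) decisions are made by the export application on each
channel, which is the part that carries the MLS accreditation burden."""
from collections import deque

LEVELS = {"S": 0, "TS": 1}             # hierarchy known only to the export application


class SeparationKernel:
    """Knows partitions and statically configured one-way channels, nothing else."""

    def __init__(self, partitions, channels):
        self.partitions = set(partitions)
        self.channels = set(channels)                  # {(src, dst), ...} fixed at build time
        self.queues = {c: deque() for c in self.channels}
        self.denied = []

    def send(self, src, dst, msg) -> bool:
        if src not in self.partitions or (src, dst) not in self.channels:
            self.denied.append((src, dst))            # no channel, no flow: pure isolation
            return False
        self.queues[(src, dst)].append(msg)
        return True

    def receive(self, src, dst):
        q = self.queues.get((src, dst))
        return q.popleft() if q else None


def export_app(kernel, src, guard, dst, dst_level) -> int:
    """Import/export application on src -> guard -> dst. Applies the level
    relation the kernel does not have. Messages are (label, body) tuples."""
    moved = 0
    while (msg := kernel.receive(src, guard)) is not None:
        label, body = msg
        if LEVELS[dst_level] >= LEVELS[label]:
            kernel.send(guard, dst, (label, body))      # write up / same level: allowed
            moved += 1
        elif body.startswith("RELEASABLE:"):
            # Downgrade. The marking is trusted only because the process that
            # produces it inside the TS partition is assumed to be part of the
            # accredited export path; that assumption is the hard part to justify.
            kernel.send(guard, dst, (dst_level, body))
            moved += 1
        # anything else is dropped: no write down
    return moved


def build() -> SeparationKernel:
    parts = ["S_part", "TS_part", "guard_up", "guard_down"]
    chans = [("S_part", "guard_up"), ("guard_up", "TS_part"),
             ("TS_part", "guard_down"), ("guard_down", "S_part")]
    return SeparationKernel(parts, chans)


def demo() -> dict:
    k = build()
    direct = k.send("S_part", "TS_part", ("S", "bypassing the guard"))   # no such channel
    k.send("S_part", "guard_up", ("S", "weather report"))
    k.send("TS_part", "guard_down", ("TS", "launch window 0400"))
    k.send("TS_part", "guard_down", ("TS", "RELEASABLE: no change to schedule"))
    return {
        "direct_send_allowed": direct,
        "moved_up": export_app(k, "S_part", "guard_up", "TS_part", "TS"),
        "moved_down": export_app(k, "TS_part", "guard_down", "S_part", "S"),
        "ts_received": k.receive("guard_up", "TS_part"),
        "s_received": k.receive("guard_down", "S_part"),
        "denied": list(k.denied),
    }
```

The kernel's policy fits in one set membership test, which is why a MILS kernel is comparatively easy to build and evaluate; all of the judgement about levels, including the downgrade, has moved into `export_app`, and a system with many such channels needs each of those applications accredited on its own.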
In MSL, each security level is isolated in a separate untrusted domain. The absence of any medium of communication between the domains assures that no interaction is possible. The mechanism for this isolation is usually physical separation in separate computers. This is often used to support applications or operating systems that have no possibility of supporting MLS, such as Microsoft Windows.
Under the CNSSI 4009 definition (paraphrased at the start of this article), the system must provide a user interface that is capable of allowing a user to access and process content at multiple classification levels from a single system. The UCDMO ran a track specifically focused on MLS at the NSA Information Assurance Symposium in 2009, in which it highlighted several accredited (in production) and emergent MLS systems.
There are several databases classified as MLS systems. Oracle has a product named Oracle Label Security (OLS) that implements Mandatory Access Controls, typically by adding a 'label' column to each table in the database. OLS is being deployed at the US Army INSCOM as the foundation of an 'all source' intelligence database spanning the JWICS and SIPRNet networks. There is a project to create a labeled version of PostgreSQL, and there are also older labeled database implementations such as Trusted Rubix. These MLS database systems provide a unified backend system for content spanning multiple labels, but they do not resolve the challenge of having users process content at multiple security levels in a single system while enforcing Mandatory Access Controls.
There are also several MLS end user applications. One of the best known is the Trusted Network Environment (TNE) by General Dynamics. TNE is currently accredited and in production, and it is classified on the UCDMO's baseline as a Cross Domain Multi-Level system. TNE was originally created on Trusted Solaris 8, though it has recently been migrated to Solaris 10. It provides a file manager and email client among other capabilities. The other MLS capability currently on the UCDMO baseline is called MLChat, a chat server that runs on the XTS-400 operating system; it was created by the US Naval Research Laboratory. Given that content from users at different domains passes through the MLChat server, dirty word scanning is employed to protect classified content, and there has been some debate as to whether this is truly an MLS system or really a form of cross domain transfer data guard. Mandatory Access Controls are maintained by a combination of XTS-400 mechanisms and application-specific mechanisms.
MLS applications not currently part of the UCDMO baseline include the Joint Cross Domain eXchange (JCDX) and several applications from BlueSpace. JCDX is a multi-level command and control (C2) system developed by the US Navy. Originally built on HP-UX, it was recently ported to SE Linux by SPAWAR and Accenture. BlueSpace has several MLS applications, including an MLS email client, an MLS search application and an MLS C2 system. BlueSpace leverages a middleware strategy to enable its applications to be platform neutral, orchestrating a single user interface across multiple Windows OS instances (virtualized or remote terminal sessions). The US Naval Research Laboratory has also implemented a multilevel web application framework called MLWeb, which integrates the Ruby on Rails framework with a multilevel database based on SQLite3.
or virtual machines. Examples include zones in Solaris 10 TX, and the padded cell hypervisor in systems such as Green Hills' Integrity platform. The High Assurance Platform from NSA, as implemented in General Dynamics' Trusted Virtualization Environment (TVE), is another example; it uses SE Linux at its core and can support MLS applications that span multiple domains.
Trusted Network Interpretation, NCSC-TG-005 (the "Red Book"). http://csrc.nist.gov/secpubs/rainbow/tg005.txt ISBN 0-471-64832-9.
Security clearance
A security clearance is a status granted to individuals allowing them access to classified information, i.e., state secrets, or to restricted areas after completion of a thorough background check. The term "security clearance" is also sometimes used in private organizations that have a formal...
s and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. This is a paraphrase of the CNSSI
Committee on National Security Systems
The Committee on National Security Systems is a United States intergovernmental organization that sets policy for the security of the US security systems.-Charter, mission, and leadership:...
4009 glossary definition for Multi-Level Security. Note that the UCDMO (the US government lead for cross domain and multi-level secure systems) created a Cross Domain Multi-Level category on its baseline of accredited systems, which is synonymous with multi-level security.
MLS allows easy access to less-sensitive information by higher-cleared individuals, and it allows higher-cleared individuals to easily share sanitized
Sanitization (classified information)
Sanitization is the process of removing sensitive information from a document or other medium, so that it may be distributed to a broader audience. When dealing with classified information, sanitization attempts to reduce the document's classification level, possibly yielding an unclassified...
documents with less-cleared individuals. A sanitized document is one that has been edited to remove information that the less-cleared individual is not allowed to see.
Trusted operating systems
An MLS operating environmentOperating environment
The operating environment in engineering describes the circumstances surrounding and potentially affecting something that is operating. For example electronic or mechanical equipment may be affected by high temperatures, vibration, dust, and other parameters which comprise the operating...
often requires a highly trustworthy information processing system often built on an MLS operating system, but not necessarily. Most MLS functionality can be supported by a system composed entirely from untrusted computers, although it requires multiple independent computers linked by hardware security-compliant channels (see section B.6.2 of the Trusted Network Interpretation, NCSC-TG-005). An example of hardware enforced MLS is Asymmetric Isolation. If a single computer is being used in MLS mode, then that computer must use a trusted operating system (OS). Because all information in an MLS environment is physically accessible by the OS, strong logical controls must exist to ensure that access to information is strictly controlled. Typically this involves mandatory access control
Mandatory access control
In computer security, mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target...
that uses security labels, like the Bell-La Padula model.
Customers that deploy trusted operating systems typically require that the product complete a formal computer security evaluation. The evaluation is stricter for a broader security range, which are the lowest and highest classification levels the system can process. The Trusted Computer System Evaluation Criteria (TCSEC) was the first evaluation criteria developed to assess MLS in computer systems. Under that criteria there was a clear uniform mapping between the security requirements and the breadth of the MLS security range. Historically few implementations have been certified capable of MLS processing with a security range of Unclassified through Top Secret. Among them were Honeywell
Honeywell
Honeywell International, Inc. is a major conglomerate company that produces a variety of consumer products, engineering services, and aerospace systems for a wide variety of customers, from private consumers to major corporations and governments....
's SCOMP, USAF SACDIN, NSA Blacker, and Boeing
Boeing
The Boeing Company is an American multinational aerospace and defense corporation, founded in 1916 by William E. Boeing in Seattle, Washington. Boeing has expanded over the years, merging with McDonnell Douglas in 1997. Boeing Corporate headquarters has been in Chicago, Illinois since 2001...
's MLS LAN, all under TCSEC, 1980s vintage and Intel 80386
Intel 80386
The Intel 80386, also known as the i386, or just 386, was a 32-bit microprocessor introduced by Intel in 1985. The first versions had 275,000 transistors and were used as the central processing unit of many workstations and high-end personal computers of the time...
-based. Currently, MLS products are evaluated under the Common Criteria
Common Criteria
The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification...
. In late 2008, the first operating system (more below) was certified to a high evaluated assurance level (EAL) - EAL 6+ / High Robustness, under the auspices of a U.S. government program requiring multi-level security in a high threat environment. While this assurance level has many similarities to that of the old Orange Book A1 (such as formal methods), the functional requirements focus on fundamental isolation and information flow policies rather than higher level policies such as Bell-La Padula. Because the Common Criteria decoupled TCSEC's pairing of assurance (EAL
Evaluation Assurance Level
The Evaluation Assurance Level of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to...
) and functionality (Protection Profile), the clear uniform mapping between security requirements and MLS security range capability documented in CSC-STD-004-85 has largely been lost when the Common Criteria superseded the Rainbow Series
Rainbow Series
The Rainbow Series is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S...
.
Freely available operating systems with some features that support MLS include Linux with the Security-Enhanced Linux
Security-Enhanced Linux
Security-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules in the Linux kernel...
feature enabled and FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
. Security evaluation was once thought to be a problem for these free MLS implementations for three reasons:
- It is always very difficult to implement kernel self protection strategy with the precision needed for MLS trust, and these examples were not designed to or certified to an MLS protection profile so they may not offer the self protection needed to support MLS.
- Aside from EAL levels, the Common Criteria lacks an inventory of appropriate high assurance protection profiles that specify the robustness needed to operate in MLS mode.
- Even if (1) and (2) were met, the evaluation process is very costly and imposes special restrictions on configuration control of the evaluated software.
Notwithstanding such suppositions, Red Hat Enterprise Linux 5 was certified against LSPP, RBACPP, and CAPP at EAL4+ in June 2007. It uses Security-Enhanced Linux to implement MLS and was the first Common Criteria certification to enforce TOE security properties with Security-Enhanced Linux.
Vendor certification strategies can be misleading to laypersons. A common strategy exploits the layperson's overemphasis of EAL level with over-certification, such as certifying an EAL 3 protection profile (like CAPP) to elevated levels, like EAL 4 or EAL 5. Another is adding and certifying MLS support features (such as Role-Based Access Control
Role-Based Access Control
In computer systems security, role-based access control is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can be implemented via mandatory access control or discretionary access control...
Protection Profile (RBACPP) and Labeled Security Protection Profile (LSPP)) to a kernel that is not evaluated to an MLS-capable protection profile. Those types of features are services run on the kernel and depend on the kernel to protect them from corruption and subversion. If the kernel is not evaluated to an MLS-capable protection profile, MLS features cannot be trusted regardless of how impressive the demonstration looks. It is particularly noteworthy that CAPP is specifically not an MLS-capable profile as it specifically excludes self-protection capabilities critical for MLS.
Sun Microsystems
Sun Microsystems
Sun Microsystems, Inc. was a company that sold :computers, computer components, :computer software, and :information technology services. Sun was founded on February 24, 1982...
offers Solaris Trusted Extensions
Solaris Trusted Extensions
Solaris Trusted Extensions is a set of security extensions incorporated in the Solaris 10 operating system by Sun Microsystems, featuring a mandatory access control model...
, as an integrated feature of the commercial Solaris Operating System
Solaris Operating System
Solaris is a Unix operating system originally developed by Sun Microsystems. It superseded their earlier SunOS in 1993. Oracle Solaris, as it is now known, has been owned by Oracle Corporation since Oracle's acquisition of Sun in January 2010....
as well as OpenSolaris
OpenSolaris
OpenSolaris was an open source computer operating system based on Solaris created by Sun Microsystems. It was also the name of the project initiated by Sun to build a developer and user community around the software...
. In addition to the Controlled Access Protection Profile (CAPP), and Role-Based Access Control
Role-Based Access Control
In computer systems security, role-based access control is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can be implemented via mandatory access control or discretionary access control...
(RBAC) protection profiles, Trusted Extensions has also been certified at EAL4 to the Labeled Security Protection Profile (LSPP). The security target includes both desktop and network functionality. LSPP mandates that users are not authorized to override the labeling polices enforced by the kernel and X11 server. The evaluation does not include a covert channel
Covert channel
In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy...
analysis. Because these certifications depend on CAPP, no Common Criteria certifications suggest this product is trustworthy for MLS.
BAE Systems
BAE Systems
BAE Systems plc is a British multinational defence, security and aerospace company headquartered in London, United Kingdom, that has global interests, particularly in North America through its subsidiary BAE Systems Inc. BAE is among the world's largest military contractors; in 2009 it was the...
offers XTS-400
XTS-400
The XTS-400 is a multi-level secure computer operating system. It is multi-user and multitasking. It works in networked environments and supports Gigabit Ethernet and both IPv4 and IPv6....
, a commercial system that supports MLS at what the vendor claims is "high assurance". Predecessor products (including the XTS-300) were evaluated at the TCSEC B3 level, which is MLS-capable. The XTS-400 has been evaluated under the Common Criteria at EAL5+ against the CAPP and LSPP protection profiles. CAPP and LSPP are both EAL3 protection profiles that are not inherently MLS-capable, but the security target for the Common Criteria evaluation of this product contains an enriched set of security functions that provide MLS capability.
MLS problem areas
Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like those defined by the Bell-La Padula model, only allow sharing when it does not obviously violate security restrictions. Users with lower clearances can easily share their work with users holding higher clearances, but not vice versa. There is no efficient, reliable mechanism by which a Top Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to users with Secret or lower clearances. In practice, MLS systems circumvent this problem via privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a file's security classification. However, the technique is not reliable.
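The lattice rules and the privileged-downgrade workaround described above, as an added example that is not part of the original article: a small Python reference monitor enforcing the Bell-La Padula no-read-up and no-write-down rules, with a separately privileged, audited relabel standing in for the "trustworthy user" bypass. The subjects, file names and the downgrade privilege are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Hierarchical levels only; a real label would also carry compartments (need-to-know).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def dominates(a, b):
    """Label a dominates label b when a's level is at least as high as b's."""
    return LEVELS[a] >= LEVELS[b]


class AccessDenied(Exception):
    pass


@dataclass
class Subject:
    name: str
    clearance: str                # the subject is assumed to operate at its clearance
    may_downgrade: bool = False   # constructed trusted privilege that bypasses the lattice


@dataclass
class Monitor:
    objects: dict = field(default_factory=dict)   # name -> (label, content)
    audit: list = field(default_factory=list)     # every relabel is recorded

    def read(self, subj, name):
        """Simple security property: no read up."""
        label, content = self.objects[name]
        if not dominates(subj.clearance, label):
            raise AccessDenied(f"{subj.name} may not read {name} ({label})")
        return content

    def write(self, subj, name, content):
        """*-property: no write down; the object must be at or above the subject."""
        label, _ = self.objects[name]
        if not dominates(label, subj.clearance):
            raise AccessDenied(f"{subj.name} may not write {name} ({label})")
        self.objects[name] = (label, content)

    def downgrade(self, subj, name, new_label):
        """Privileged relabel outside the lattice: the trusted-user bypass the text
        describes. The monitor checks the privilege and logs the action, but it
        cannot tell whether the content really is free of higher-level data."""
        if not subj.may_downgrade:
            raise AccessDenied(f"{subj.name} lacks downgrade privilege")
        label, content = self.objects[name]
        if not dominates(subj.clearance, label):
            raise AccessDenied(f"{subj.name} cannot relabel what it cannot read")
        self.objects[name] = (new_label, content)
        self.audit.append((subj.name, name, label, new_label))


def allowed(action):
    """Run one access attempt and report whether the monitor permitted it."""
    try:
        action()
        return True
    except AccessDenied:
        return False


def demo():
    """Constructed scenario: a Top Secret plan must reach a Secret-cleared reader."""
    m = Monitor(objects={"plan.txt": ("TOP SECRET", "TS: full plan with sources"),
                         "summary.txt": ("SECRET", "")})
    alice = Subject("alice", "TOP SECRET")
    bob = Subject("bob", "SECRET")
    officer = Subject("officer", "TOP SECRET", may_downgrade=True)
    r = {}
    r["bob_reads_ts"] = allowed(lambda: m.read(bob, "plan.txt"))                          # False
    r["alice_writes_down"] = allowed(lambda: m.write(alice, "summary.txt", "summary"))    # False
    r["bob_writes_up"] = allowed(lambda: m.write(bob, "plan.txt", "bob's blind note"))    # True
    r["alice_downgrades"] = allowed(lambda: m.downgrade(alice, "plan.txt", "SECRET"))     # False
    # The only route down: a trusted user edits at TS, then relabels the file.
    m.write(officer, "plan.txt", "sanitized: plan, TS details removed")
    r["officer_downgrades"] = allowed(lambda: m.downgrade(officer, "plan.txt", "SECRET"))  # True
    r["bob_reads_after"] = allowed(lambda: m.read(bob, "plan.txt"))                       # True
    return r, m
```

Note that the monitor accepts whatever content the officer leaves in the file; the relabel is only as reliable as the person holding the privilege, which is the point the paragraph makes.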
Covert channels pose another problem for MLS systems. For an MLS system to keep secrets perfectly, there must be no possible way for a Top Secret process to transmit signals of any kind to a Secret or lower process. This includes side effects such as changes in available memory or disk space, or changes in process timing. When a process exploits such a side effect to transmit data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a practical computing system, and it may be impossible in practice. The process of identifying all covert channels is a challenging one by itself. Most commercially available MLS systems do not attempt to close all covert channels, even though this makes it impractical to use them in high security applications.
Bypass is problematic when introduced as a means to treat a system high object as if it were MLS trusted. A common example is to extract data from a secret system high object to be sent to an unclassified destination, citing some property of the data as trusted evidence that it is 'really' unclassified (e.g. 'strict' format). A system high system cannot be trusted to preserve any trusted evidence, and the result is that an overt data path is opened with no logical way to securely mediate it. Bypass can be risky because, unlike narrow bandwidth covert channels that are difficult to exploit, bypass can present a large, easily exploitable overt leak in the system. Bypass often arises out of failure to use trusted operating environments to maintain continuous separation of security domains all the way back to their origin. When that origin lies outside the system boundary, it may not be possible to validate the trusted separation to the origin. In that case, the risk of bypass can be unavoidable if the flow truly is essential.
A common example of unavoidable bypass is a subject system that is required to accept secret IP packets from an untrusted source, encrypt the secret userdata but not the header, and deposit the result on an untrusted network. The source lies outside the sphere of influence of the subject system. Although the source is untrusted (e.g. system high), it is being trusted as if it were MLS because it provides packets that have unclassified headers and secret plaintext userdata, an MLS data construct. Since the source is untrusted, it could be corrupt and place secrets in the unclassified packet header. The corrupted packet headers could be nonsense, but it is impossible for the subject system to determine that with any reasonable reliability. The packet userdata is cryptographically well protected, but the packet header can contain readable secrets. If the corrupted packets are passed to an untrusted network by the subject system, they may not be routable, but some cooperating corrupt process in the network could grab the packets and acknowledge them, and the subject system may not detect the leak. This can be a large overt leak that is hard to detect. Viewing classified packets with unclassified headers as system high structures instead of the MLS structures they really are presents a very common but serious threat.
Most bypass is avoidable. Avoidable bypass often results when system architects design a system before correctly considering security, then attempt to apply security after the fact as add-on functions. In that situation, bypass appears to be the only (easy) way to make the system work. Some pseudo-secure schemes are proposed (and approved!) that examine the contents of the bypassed data in a vain attempt to establish that the bypassed data contains no secrets. This is not possible without trusting something about the data such as its format, which is contrary to the assumption that the source is not trusted to preserve any characteristics of the source data. Assured "secure bypass" is a myth, just as is a so-called High Assurance Guard (HAG) that transparently implements bypass. The risk these introduce has long been acknowledged; extant solutions are ultimately procedural, rather than technical. There is no way to know with certainty how much classified information is taken from our systems by exploitation of bypass.
"There is no such thing as MLS"
With the decline in COMPUSEC experts, more laypersons who are not COMPUSEC-astute are designing secure computing systems and are mistakenly drawing this conclusion because the term MLS is being overloaded with two uses: MLS as a processing environment and MLS as a capability. The false conclusion is based on a belief that since no products are certified to operate in an MLS environment or mode, MLS as a capability does not exist. One does not imply the other. Many systems operate in an environment containing data that has unequal security levels and therefore are MLS by the Computer Security Intermediate Value Theorem (CS-IVT). The consequence of this confusion runs deeper.
Laypersons often conclude that to admit that a system operates in an MLS environment (environment-centric meaning of MLS) is to be backed into the perceived corner of having a problem with no MLS solution (capability-centric meaning of MLS). MLS is deceptively complex, and just because simple solutions are not obvious does not justify a conclusion that they do not exist. This can lead to a crippling ignorance about COMPUSEC that manifests itself as whispers that "one cannot talk about MLS" and "There's no such thing as MLS." These MLS-denial schemes change so rapidly that they cannot be addressed. Instead, it is important to clarify the distinction between MLS-environment and MLS-capable.
- MLS as a security environment or security mode: A community whose users have differing security clearances may perceive MLS as a data-sharing capability: users can share information with recipients whose clearance allows receipt of that information. A system is operating in MLS Mode when it has (or could have) connectivity to a destination that is cleared to a lower security level than any of the data the MLS system contains. This is formalized in the CS-IVT. Determination of the security mode of a system depends entirely on the system's security environment: the classification of data it contains, the clearance of those who can get direct or indirect access to the system or its outputs or signals, and the system's connectivity and ports to other systems. Security mode is independent of capabilities, although a system should not be operated in a mode for which it is not worthy of trust.
- MLS as a capability: Developers of products or systems intended to allow MLS data sharing tend to loosely perceive it in terms of a capability to enforce data-sharing restrictions or a security policy, like mechanisms that enforce the Bell-La Padula model. A system is MLS-capable if it can be shown to robustly implement a security policy.
The original use of the term MLS applied to the security environment, or mode. One solution to this confusion is to retain the original definition of MLS and be specific about MLS-capable when that context is used.
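The environment-centric test described above (a system is in MLS mode when any destination it can reach, directly or through intermediaries, is cleared below some data it holds) worked through in Python, as an added illustration that is not from the article or any standard. The topology, system names and clearances are constructed; the same database is classified differently depending only on its connectivity, independent of any capability it has.

```python
from collections import deque

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def reachable(links, start):
    """Every system that can receive output from `start`, directly or through
    intermediaries (the 'direct or indirect access' in the text).
    `links` maps a system to the systems it can send data to."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def security_mode(system, data_levels, clearances, links):
    """Classify `system` by its environment, not by its capabilities.

    data_levels: levels of the data the system holds.
    clearances:  level each destination system is cleared to.
    Returns ('MLS', [destinations cleared below some held data]) or
    ('SYSTEM HIGH', []) when every reachable destination clears everything."""
    high_water = max(data_levels, key=LEVELS.__getitem__)
    offenders = sorted(dest for dest in reachable(links, system)
                       if LEVELS[clearances[dest]] < LEVELS[high_water])
    return ("MLS", offenders) if offenders else ("SYSTEM HIGH", [])


# Constructed topology: a database feeding analyst workstations and a mail
# relay; the relay also forwards to a partner gateway cleared only to SECRET.
LINKS = {
    "intel_db": ["analyst_ws", "mail_relay"],
    "mail_relay": ["analyst_ws", "partner_gw"],
}
CLEARANCES = {"analyst_ws": "TOP SECRET", "mail_relay": "TOP SECRET",
              "partner_gw": "SECRET"}


def demo():
    """Same data, same software: the mode changes with the connectivity."""
    data = ["SECRET", "TOP SECRET"]
    with_partner = security_mode("intel_db", data, CLEARANCES, LINKS)
    isolated = {k: [d for d in v if d != "partner_gw"] for k, v in LINKS.items()}
    without_partner = security_mode("intel_db", data, CLEARANCES, isolated)
    return with_partner, without_partner
```

The partner gateway is never a direct neighbour of the database; it is the transitive path through the mail relay that puts the database in MLS mode.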
MILS architecture
MILS (multiple independent levels of security) is an architecture that addresses the domain separation component of MLS. Note that UCDMO (the US government lead for cross domain and multi-level systems) created a term Cross Domain Access as a category in its baseline of DoD and Intelligence Community accredited systems, and this category can be seen as essentially analogous to MILS.
Security models such as the Biba model (for integrity) and the Bell-La Padula model (for confidentiality) allow one-way flow between certain security domains that are otherwise assumed to be isolated. MILS addresses the isolation underlying MLS without addressing the controlled interaction between the domains addressed by the above models. Trusted security-compliant channels mentioned above can link MILS domains to support more MLS functionality.
The MILS approach pursues a strategy characterized by an older term, MSL (multiple single level), that isolates each level of information within its own single-level environment (System High).
The rigid process communication and isolation offered by MILS may be more useful to ultra-high-reliability software applications than MLS. MILS notably does not address the hierarchical structure that is embodied by the notion of security levels. This requires the addition of specific import/export applications between domains, each of which needs to be accredited appropriately. As such, MILS might be better called Multiple Independent Domains of Security (MLS emulation on MILS would require a similar set of accredited applications for the MLS applications). By declining to address out-of-the-box interaction among levels consistent with the hierarchical relations of Bell-La Padula, MILS is (almost deceptively) simple to implement initially but needs non-trivial supplementary import/export applications to achieve the richness and flexibility expected by practical MLS applications.
Any MILS/MLS comparison should consider whether the accreditation of a set of simpler export applications is more achievable than accreditation of a single, more complex MLS kernel. This question depends in part on the extent of the import/export interactions that the stakeholders require. In favour of MILS is the possibility that not all the export applications will require maximal assurance.
MSL systems
There is another way of solving such problems known as Multiple Single-Level (MSL). Each security level is isolated in a separate untrusted domain. The absence of any medium of communication between the domains ensures that no interaction is possible. The mechanism for this isolation is usually physical separation in separate computers. This is often used to support applications or operating systems which have no possibility of supporting MLS, such as Microsoft Windows.
MLS Applications
Infrastructure such as trusted operating systems is an important component of MLS systems, but in order to fulfill the criteria required under the definition of MLS by CNSSI 4009 (paraphrased at the start of this article), the system must provide a user interface that is capable of allowing a user to access and process content at multiple classification levels from a single system. The UCDMO ran a track specifically focused on MLS at the NSA Information Assurance Symposium in 2009, in which it highlighted several accredited (in production) and emergent MLS systems.
There are several databases classified as MLS systems. Oracle has a product named Oracle Label Security (OLS) that implements Mandatory Access Controls - typically by adding a 'label' column to each table in the database. OLS is being deployed at the US Army INSCOM as the foundation of an 'all source' intelligence database spanning the JWICS and SIPRNet networks. There is a project to create a labeled version of PostgreSQL, and there are also older labeled database implementations such as Trusted Rubix. These MLS database systems provide a unified backend system for content spanning multiple labels, but they do not resolve the challenge of having users process content at multiple security levels in a single system while enforcing Mandatory Access Controls.
There are also several MLS end user applications. One of the best known is the Trusted Network Environment (TNE) by General Dynamics. TNE is currently accredited and in production, and it is classified on the UCDMO's baseline as a Cross Domain Multi-Level system. TNE was originally created on Trusted Solaris 8, though it has recently been migrated to Solaris 10. It provides a file manager and email client among other capabilities. The other MLS capability currently on the UCDMO baseline is called MLChat, and it is a chat server that runs on the XTS-400 operating system - it was created by the US Naval Research Laboratory. Given that content from users at different domains passes through the MLChat server, dirty word scanning is employed to protect classified content, and there has been some debate as to whether this is truly an MLS system or really a form of cross domain transfer data guard. Mandatory Access Controls are maintained by a combination of XTS-400 mechanisms and application-specific mechanisms.
MLS applications not currently part of the UCDMO baseline include the Joint Cross Domain eXchange (JCDX), and several applications from BlueSpace. JCDX is a multi-level command and control (C2) system developed by the US Navy. Originally built on HP UX, it was recently ported to SE Linux by SPAWAR and Accenture. BlueSpace has several MLS applications, including an MLS email client, an MLS search application and an MLS C2 system. BlueSpace leverages a middleware strategy to enable its applications to be platform neutral, orchestrating a single user interface across multiple Windows OS instances (virtualized or remote terminal sessions). The US Naval Research Laboratory has also implemented a multilevel web application framework called MLWeb which integrates the Ruby on Rails framework with a multilevel database based on SQLite3.
MLS Future
Perhaps the greatest change going on in the multi-level security arena today is the convergence of MLS with virtualization. An increasing number of trusted operating systems are moving away from labeling files and processes, and are instead moving towards UNIX containers or virtual machines. Examples include zones in Solaris 10 TX, and the padded cell hypervisor in systems such as Green Hills' Integrity platform. The High Assurance Platform from NSA as implemented in General Dynamics' Trusted Virtualization Environment (TVE) is another example - it uses SE Linux at its core, and can support MLS applications that span multiple domains.
See also
- Bell-La Padula model
- Mandatory Access Control - MAC
- Discretionary Access Control - DAC
- Role-based access control - RBAC
- Biba Integrity Model
- Take-Grant Model
- The Clark-Wilson Integrity Model
- Graham-Denning Model
- Security Modes of Operation
- System High Mode
- Multi categories security, abbreviated as MCS
- Non-Interference Model
- Multifactor authentication
- Evaluation Assurance Level (EAL)
- Trustifier TCB overview
- First RTOS Integrity 178B certified to support MILS
- INTEGRITY 178B product Page
Further reading
- (a.k.a. the TCSEC or "Orange Book"). (a.k.a. the TNI or "Red Book"). http://csrc.nist.gov/secpubs/rainbow/tg005.txt ISBN 0-471-64832-9.
- P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998. http://csrc.nist.gov/nissc/1998/proceedings/paperF1.pdf.