Multiple Independent Levels of Security
MILS (Multiple Independent Levels of Security/Safety) is a relatively new (15 years) approach to building secure systems, in contrast to the older Bell and LaPadula theories of secure systems that form the foundation of the DoD Orange Book.
MILS is a high-assurance security architecture based on the concepts of separation [1] and controlled information flow. It is implemented by separation mechanisms that support both untrusted and trustworthy components, ensuring that the total security solution is non-bypassable, evaluatable, always invoked and tamperproof. A MILS solution allows for independent evaluation of security components and trusted composition [2,3].
A MILS system employs one or more separation mechanisms (e.g., separation kernel, separation communication system, physical separation) to maintain assured data and process separation. A MILS system supports enforcement of one or more application- or system-specific security policies by authorizing information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, crypto devices, etc.).
Where:
Non-bypassable means that a component cannot use another communication path, including lower-level mechanisms, to bypass the security monitor.
Evaluatable means that any trusted component can be evaluated to the level of assurance required of that component. This means the components are modular, well-designed, well-specified, well-implemented, small, of low complexity, etc.
Always-invoked means that each and every access/message is checked by the appropriate security monitors (i.e., a security monitor will not just check on a first access and then pass all subsequent accesses/messages through).
Tamperproof means that the system controls "modify" rights to the security monitor code, configuration and data, preventing unauthorized changes.
Trustworthy means that the component has been certified to satisfy well-defined security policies to a level of assurance commensurate with the level of risk for that component (e.g., we can have single-level access control guards evaluated at CC EAL4; separation mechanisms evaluated at High Robustness; two-level separation guards at EAL 5; and TYPE I crypto all in the same MILS system).
Untrusted means that we have no confidence that the system meets its specification with respect to the security policy.
A convenient acronym for these characteristics (Non-bypassable, Evaluatable, Always-invoked, Tamperproof) is NEAT.
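As an added illustration, not from the original article or any MILS product, the following Python model shows a separation mechanism enforcing the flow policy described above: messages between partitions in the same domain are authorized, cross-domain messages are denied unless they travel over an explicitly configured channel into or out of a trusted monitor, and every message is checked and logged. The partition names, domains, the downgrader and the message scenario are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Partition:
    """A component isolated by the separation mechanism (constructed example)."""
    name: str
    domain: str                    # security domain, e.g. "secret" or "unclassified"
    trusted_monitor: bool = False  # True for a guard/downgrader that mediates cross-domain flow

class SeparationKernel:
    """Hypothetical reference monitor: the only path between partitions (non-bypassable).
    Policy: same-domain flow is authorized; cross-domain flow only over a configured
    channel touching a trusted monitor. Configuration is fixed at construction (tamperproof).
    """

    def __init__(self, partitions, monitor_channels):
        self._partitions = {p.name: p for p in partitions}
        self._monitor_channels = frozenset(monitor_channels)
        self.audit = []  # every decision is recorded, allow or deny

    def authorize(self, src, dst):
        s, d = self._partitions[src], self._partitions[dst]
        if s.domain == d.domain:
            return True
        if (src, dst) in self._monitor_channels and (s.trusted_monitor or d.trusted_monitor):
            return True
        return False  # default deny: any other cross-domain flow is blocked

    def send(self, src, dst, payload):
        """Every message is checked (always invoked); no first-access caching."""
        verdict = "ALLOW" if self.authorize(src, dst) else "DENY"
        self.audit.append((src, dst, verdict))
        return verdict == "ALLOW"

def demo():
    """Constructed scenario: secret-domain sensor and planner, a downgrader, an unclassified display."""
    kernel = SeparationKernel(
        partitions=[
            Partition("radar", "secret"),
            Partition("planner", "secret"),
            Partition("downgrader", "secret", trusted_monitor=True),
            Partition("display", "unclassified"),
        ],
        monitor_channels=[("downgrader", "display")],  # the only sanctioned secret->unclassified path
    )
    attempts = [("radar", "planner"), ("radar", "display"), ("radar", "downgrader"),
                ("downgrader", "display"), ("display", "radar"), ("display", "downgrader")]
    return {pair: kernel.send(*pair, payload=b"track") for pair in attempts}
```

Running `demo()` shows the direct radar-to-display attempt denied while the same data is allowed through the downgrader, which is the controlled-flow property the separation mechanism exists to enforce.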
References
[1] J. Rushby, "Design and Verification of Secure Systems", in Proc. 8th ACM Symposium on Operating System Principles, 1981, pp. 12-21.
[2] W. S. Harrison, N. Hanebutte, P. Oman and J. Alves-Foss, "The MILS Architecture for a Secure Global Information Grid", Crosstalk: The Journal of Defense Software Engineering, 18(10):20-24, Oct. 2005.
[3] J. Alves-Foss, W. S. Harrison, P. Oman and C. Taylor, "The MILS Architecture for High Assurance Embedded Systems", International Journal of Embedded Systems, in press 2007.