Cross-domain solution
Cross Domain Solutions (CDS) are processes that function as a guard between two security domains and allow only data that meets certain criteria to pass from one domain to another. Some processes viewed as CDS support one-way flow of information from a low classification to a high classification in a truly secure manner; these are not distinguishable from Multilevel Secure (MLS) systems, provided their robustness is worthy of the trust placed in them. CDS that is distinct from Multilevel Security addresses the need to extract data of a lower classification from data of a higher classification (flow in the non-secure direction) without the rigor, cost and safety of Multilevel Security.
Consider an example: when an Unclassified file is placed in a Secret System High system, it becomes classified at the System High level, that is, Secret. A typical objective of a CDS would be to pass the Unclassified file from the Secret System High system to an Unclassified destination.
Foundations
The following are some of the typical assumptions implicit in CDS approaches:
1. The source of the Unclassified file is an untrusted Secret System High system.
2. The Secret System High system does not need to be trusted because it has no path to Unclassified destinations, so there is no motivation for an adversary to subvert it; it follows that it is not subverted or corrupted, so it must be worthy of some essential trust.
3. The Secret System High system can therefore be viewed as trusted to the extent that it actually can separate the Unclassified file from the Secret data, like MLS.
4. It is therefore acceptable for a path from the Secret System High system to pass the Unclassified file to an Unclassified destination if it is passed through a CDS.
5. Just in case the Secret System High system does send Secret data in addition to the Unclassified file, the CDS will examine the file to be sure it is all Unclassified.
6. The criteria for examining the file depends on some feature (like format) that is preserved by the Secret System High system in a trustworthy manner.
7. The logical implementation of the CDS will be verified and flawlessly implemented with high-assurance methods (i.e. MLS), and the high assurance of the CDS will make up for any potential problems introduced by the Secret System High system.
8. All of these measures taken together create a “defense in depth” that is adequate.
9. Even if these measures are not secure, the need to share information trumps security concerns anyway.
Problem Areas
Some of these assumptions are not valid, and consequently a CDS based on them is not reliable. One fundamental problem is that no valid criterion can logically exist on which a CDS can base its decision unless the CDS has a true copy of the Unclassified file, as it was before it was placed in the System High system, for comparison. However, in cases where the problems with the foundation of CDS are not noticeable, or where security engineering principles are viewed as esoteric technicalities and the need for access to data is paramount, CDS is viewed as an easier alternative to MLS.
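As an added illustration (not part of the original article), the guard below contrasts a format-based criterion of the kind assumption 6 relies on with the reference-copy comparison this paragraph says is the only logically valid basis for the decision. The file contents, the hypothetical altered variant, and the function names are constructed for the example.

```python
import hashlib
import string

# Constructed sample: the Unclassified file as it existed before entering
# the Secret System High system.
UNCLASSIFIED_ORIGINAL = "Weekly cafeteria menu: Monday pasta, Tuesday soup.\n"

# Constructed sample: the same file as it might leave the (untrusted) System
# High system, with additional content that still satisfies the format
# feature the guard inspects (plain printable text, no marking).
LEAKED_VARIANT = UNCLASSIFIED_ORIGINAL + "Convoy departs 0400 from the north gate.\n"

ALLOWED = set(string.printable)


def format_criterion(data: str) -> bool:
    """Assumption 6: decide on a format feature that the System High system
    is assumed to preserve. Here: printable text with no 'SECRET' marking."""
    if any(ch not in ALLOWED for ch in data):
        return False
    return "SECRET" not in data.upper()


def reference_criterion(data: str, trusted_digest: str) -> bool:
    """The check the article says is logically required: compare the
    candidate against a true copy captured before it entered System High.
    The digest of that copy is the only state the guard has to trust."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest() == trusted_digest


def guard_decisions(candidate: str, trusted_digest: str) -> dict:
    """Return both verdicts so the two criteria can be compared side by side."""
    return {
        "format_check": format_criterion(candidate),
        "reference_check": reference_criterion(candidate, trusted_digest),
    }


# Digest of the true copy, taken on the Unclassified side before release.
TRUSTED_DIGEST = hashlib.sha256(UNCLASSIFIED_ORIGINAL.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print("original:", guard_decisions(UNCLASSIFIED_ORIGINAL, TRUSTED_DIGEST))
    print("variant: ", guard_decisions(LEAKED_VARIANT, TRUSTED_DIGEST))
```

The format criterion passes both files, since the added line is still well-formed text; only the comparison against the pre-System-High copy rejects the variant, which is the point the paragraph makes.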
CDS advocates are sometimes not familiar with alternative architectures and view CDS as the only option. Sometimes justification for CDS is psychological. CDS is popular among laymen who find it hard to imagine adversarial subversion could really make a system behave in a malicious manner. There is a natural tendency for all of us to believe processes work the way they are supposed to. This makes it natural to overlook the fact that a System High system is really untrusted. Since it is not obvious how system penetration takes place, concern for subversion seems unrealistic and radical, and when information access is urgent, CDS can ‘just do it.’ The fact is that if the System High system were really worthy of trust to separate the data classifications, it would not be System High, it would be MLS. Contrary to fact, CDS is based on the notion that the need to pass the data across the domain should be ‘balanced’ against (what may be a naive view of the) risk of disclosure of classified data.