We describe the MILS approach to design, construction, integration, and evaluation of secure systems. The crucial feature of the MILS approach is that it separates the problems of enforcing security policy from those of securely sharing resources. MILS design proceeds in two steps: first, we develop a logical security policy architecture in which the system is deconstructed into interacting components in such a way that the trusted components are as simple as possible; second, we allocate components of the policy architecture to resources that are securely shared through mechanisms for logical separation. MILS identifies certain standard resources such as processors, networks, consoles, and file systems and publishes protection profiles for their logical separation; a COTS marketplace is developing that provides components evaluated to these profiles. Standard protection profiles and a marketplace for evaluated policy components (such as guards and filters) are also anticipated. Top-down design of a MILS system pays attention to existing protection profiles and strives to target these where appropriate. MILS construction can then incorporate COTS products evaluated to these protection profiles. MILS integration takes COTS and bespoke policy components and allocates them to physical resources that may be shared using COTS and bespoke components for separation, in a way that is faithful to the original policy architecture. Security assurance and evaluation in MILS are assembled in the same way. That is to say, MILS security assurance is compositional: assurance for an overall system is derived from that of its components, integrated according to the specific policy architecture and resource allocation of the system concerned. Compositional design and assurance for a system property such as security is a radical innovation; we outline the justification for the MILS approach to accomplishing this.
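The two design steps described above (a policy architecture of components and the flows permitted between them, then an allocation of those components to partitions of a separation mechanism) can be made concrete as a small faithfulness checker. The following is an added illustration, not code from the paper or from any MILS product: the component and partition names are invented, and the three rules it applies (no co-location the policy does not already permit in both directions, no inter-partition channel that connects a pair the policy does not permit, a dedicated partition for every trusted component) are our own modelling choices for what "faithful to the policy architecture" means when the kernel enforces nothing inside a partition.

```python
"""Toy MILS model: a policy architecture, an allocation of its components to
separation-kernel partitions, and a check that the allocation is faithful.
Added illustration for this page, not the paper's code; names are made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str]      # (source component, destination component)
Channel = Tuple[str, str]   # (source partition, destination partition)


@dataclass(frozen=True)
class PolicyArchitecture:
    components: FrozenSet[str]
    flows: FrozenSet[Flow]   # the only direct interactions the policy permits
    trusted: FrozenSet[str]  # policy-enforcing components (guards, filters)


@dataclass(frozen=True)
class Allocation:
    partition_of: Dict[str, str]  # component -> partition it runs in
    channels: FrozenSet[Channel]  # one-way channels the kernel is configured with


def check_faithful(policy: PolicyArchitecture, alloc: Allocation) -> List[str]:
    """Return the list of violations; empty means the allocation is faithful.

    Modelling assumptions (ours): the kernel separates partitions, not the
    components inside one, so co-located components can reach each other freely;
    a channel P -> Q lets any component in P reach any component in Q."""
    problems: List[str] = []
    for c in sorted(policy.components):
        if c not in alloc.partition_of:
            problems.append(f"unallocated component: {c}")

    members: Dict[str, List[str]] = {}
    for c, p in alloc.partition_of.items():
        members.setdefault(p, []).append(c)

    # Rule 1: co-location is only faithful if the policy already permits the
    # flow in both directions; a trusted component must not share a partition.
    for p, cs in members.items():
        for a in cs:
            for b in cs:
                if a != b and (a, b) not in policy.flows:
                    problems.append(f"co-location in {p} creates unpermitted flow {a} -> {b}")
        if len(cs) > 1:
            for c in cs:
                if c in policy.trusted:
                    others = ", ".join(x for x in cs if x != c)
                    problems.append(f"trusted component {c} shares partition {p} with {others}")

    # Rule 2: every configured channel must be covered by the policy for every
    # pair of components it connects.
    for src_p, dst_p in sorted(alloc.channels):
        for a in members.get(src_p, []):
            for b in members.get(dst_p, []):
                if (a, b) not in policy.flows:
                    problems.append(f"channel {src_p} -> {dst_p} creates unpermitted flow {a} -> {b}")

    # Rule 3 (functional, not security): a permitted cross-partition flow with
    # no channel means the integrated system cannot work as designed.
    for a, b in sorted(policy.flows):
        pa, pb = alloc.partition_of.get(a), alloc.partition_of.get(b)
        if pa and pb and pa != pb and (pa, pb) not in alloc.channels:
            problems.append(f"permitted flow {a} -> {b} has no channel {pa} -> {pb}")
    return problems


# Constructed example: a guard mediates all release of data from High to Low.
POLICY = PolicyArchitecture(
    components=frozenset({"HighApp", "Guard", "LowApp", "NetDriver"}),
    flows=frozenset({
        ("HighApp", "Guard"),     # high data submitted for release
        ("Guard", "LowApp"),      # only guard-approved data reaches the low side
        ("LowApp", "NetDriver"),  # low-side network I/O, both directions
        ("NetDriver", "LowApp"),
    }),
    trusted=frozenset({"Guard"}),
)

# Faithful: one partition per component, channels mirror the policy edges.
GOOD = Allocation(
    partition_of={"HighApp": "P_high", "Guard": "P_guard",
                  "LowApp": "P_low", "NetDriver": "P_net"},
    channels=frozenset({("P_high", "P_guard"), ("P_guard", "P_low"),
                        ("P_low", "P_net"), ("P_net", "P_low")}),
)

# Unfaithful: the guard is co-located with HighApp (which could tamper with it)
# and a direct P_high -> P_low channel bypasses the guard entirely.
BAD = Allocation(
    partition_of={"HighApp": "P_high", "Guard": "P_high",
                  "LowApp": "P_low", "NetDriver": "P_low"},
    channels=frozenset({("P_high", "P_low")}),
)

if __name__ == "__main__":
    print("good:", check_faithful(POLICY, GOOD))
    for problem in check_faithful(POLICY, BAD):
        print("bad: ", problem)
```

The point of separating the two steps shows up in the checker's inputs: the policy architecture never mentions partitions or channels, and the allocation never mentions what the components mean. The faithfulness check is the only place the two meet, which is what lets assurance for the policy components and assurance for the separation mechanism be argued independently and then composed.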