Design and assurance strategy for the NRL pump

Developing a trustworthy system is difficult because the developer must construct a persuasive argument that the system conforms to its critical requirements. This assurance argument, together with the software and hardware, must be evaluated by an independent certification team. We present the external requirements and logical design of a specific trusted device, the NRL Pump, and describe our plan, called the assurance strategy, for creating the eventual assurance argument. The assurance strategy exploits currently available tools for graphical specification, simulation, formal proof, and test-coverage analysis. Portions of the design are represented by figures generated with the Statemate toolset, and we discuss how those tools, together with covert channel analysis, will be used to show that the logical design conforms to its external requirements. We conclude with some remarks on a possible physical architecture.
