Improving Inter-Enclave Information Flow for a Secure Strike Planning Application

Abstract: DoD operates many system-high enclaves with limited information flow between enclaves at different security levels. Too often, the result is duplication of operations and inconsistent, untimely data at different sites, which reduces the effectiveness of DoD decision support systems. This paper describes our solution to this problem as it arises in installations of the Joint Maritime Command Information System (JMCIS), an integrated C4I system. Our approach views databases in more classified enclaves as potential replica sites for data from less classified enclaves. Replicated data flows from lower enclaves to higher ones via one-way connections, yielding a high-assurance MLS (multilevel secure) distributed system in which the one-way connections are the only trusted components. This approach is based on our work on SINTRA (Secure Information Through Replicated Architecture) and applies generally to any collection of systems each running a database at system high. It complements and exploits modern system design methods, which separate data management from data processing, and enables effective, low-cost MLS operation within that paradigm. In addition to describing current JMCIS installations and our architectural approach, the paper presents our approach for justifying a system's security and our use of formal methods to increase assurance that security requirements are met.
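The replication discipline the abstract describes (each level keeps its own system-high database; updates made at a lower level are copied upward over one-way connections; nothing moves down) can be modeled in a few dozen lines. The following is an added illustration written for this page, not code from the paper or from SINTRA/JMCIS; it assumes a linear ordering of four levels and a single key/value record per database entry, both of which are constructed for the example rather than taken from the text.

```python
"""Toy model of a replicated-architecture MLS system: one database per
security level, one-way links carrying updates strictly upward, and an
audit that checks no replica ever holds data originating above its level.
Added illustration only; the levels and records below are constructed."""

from dataclasses import dataclass, field

# Assumption: a total order of levels (the abstract does not fix a lattice).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(high, low):
    """True when `high` may hold data labelled `low` (same level counts)."""
    return RANK[high] >= RANK[low]


def link_allowed(src_level, dst_level):
    """A one-way connection is only ever built from a strictly lower
    enclave to a strictly higher one; anything else is refused."""
    return RANK[dst_level] > RANK[src_level]


@dataclass
class Enclave:
    level: str
    # key -> (value, level at which the record originated)
    db: dict = field(default_factory=dict)


class OneWayLink:
    """Models the trusted one-way connection between two enclaves."""

    def __init__(self, src, dst):
        if not link_allowed(src.level, dst.level):
            raise ValueError(f"refusing link {src.level} -> {dst.level}")
        self.src, self.dst = src, dst
        self.transferred = 0

    def push(self, key):
        # Copy the record verbatim, keeping its origin label intact.
        self.dst.db[key] = self.src.db[key]
        self.transferred += 1


class ReplicatedSystem:
    def __init__(self):
        self.enclaves = {lvl: Enclave(lvl) for lvl in LEVELS}
        self.links = {}
        for s in LEVELS:
            for d in LEVELS:
                if link_allowed(s, d):
                    self.links[(s, d)] = OneWayLink(self.enclaves[s],
                                                    self.enclaves[d])

    def write(self, level, key, value):
        """A local write at `level`, replicated to every dominating enclave.
        There is no code path that could send it anywhere lower."""
        self.enclaves[level].db[key] = (value, level)
        for d in LEVELS:
            if link_allowed(level, d):
                self.links[(level, d)].push(key)

    def read(self, level, key):
        return self.enclaves[level].db.get(key)

    def audit(self):
        """Invariant check: every record in every replica originated at a
        level the hosting enclave dominates. Returns the violations found."""
        return [(lvl, key, origin)
                for lvl, enc in self.enclaves.items()
                for key, (_, origin) in enc.db.items()
                if not dominates(lvl, origin)]


def demo():
    """Constructed scenario: one unclassified track and one secret plan."""
    system = ReplicatedSystem()
    system.write("UNCLASSIFIED", "track-1", "constructed track data")
    system.write("SECRET", "plan-7", "constructed plan data")
    return system


if __name__ == "__main__":
    s = demo()
    for lvl in LEVELS:
        print(lvl, sorted(s.enclaves[lvl].db))
    print("audit violations:", s.audit())
```

Running the block prints each enclave's keys: the unclassified track appears at every level, the secret plan only at SECRET and TOP_SECRET, and the audit finds no violations. The design point is that downward movement is not checked at write time but is structurally absent: no link object exists in that direction, which is what lets the one-way connections be the only trusted components.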
