Saturday, 12/03/2005 2:45:24 PM

Monterey Security Architecture (MYSEA)


http://cisr.nps.navy.mil/projects/mysea.html

The purpose of this research project is to develop high assurance security services and integrated operating system mechanisms that will protect distributed multi-domain computing environments from malicious code and other attacks. These security services and mechanisms will extend and interoperate with existing applications and open source operating systems, providing new capabilities for composing secure distributed systems using commercial off-the-shelf (COTS) components. The latter objective results from the realization that unless a secure system offers users the same sort of convenient interfaces they use when handling routine information, the secure system will fail due to lack of user acceptability.

The Monterey Security Architecture (MYSEA) project is constructing a prototype demonstration of a potential high assurance distributed operating environment for enforcing multi-domain security policies, composed of a combination of many low-assurance commercial components and relatively few specialized (e.g., high assurance) multi-domain components, based upon a security-enhanced version of the OpenBSD operating system, that supports unmodified COTS productivity applications. The demonstration architecture permits the on-going DoD and U.S. Government investment in commodity PC operating systems and applications to be integrated into a high assurance environment where enforcement of critical security policies is assigned to more trusted elements. The modularity of the architecture permits alternate configurations, for example to include an A1-evaluated high assurance multi-domain enforcement component.

Our goals are to demonstrate extended file system attributes to enforce multi-domain access controls in existing open operating systems and to demonstrate trusted interoperability for these extended capabilities with open source and COTS workstations and office productivity applications.

For this project, we have chosen OpenBSD as the open source base which we will extend. However, the modifications we have defined are modular and conceptually simple enough that they could be accomplished on a variety of open source or evaluated high assurance platforms (e.g., Linux). We intend to demonstrate techniques for vertical integration of application security requirements with underlying security services, and we will apply an existing Quality of Security Service model and framework to the integrated security structure to better understand the overall effects on security policy, security service, and security mechanism interactions. Additionally, the MYSEA system will support trusted path communications between the user and the trusted OS, and will also support single sign-on for interaction with multiple trusted servers.

We expect that this project will result in significant new and improved security functionality for existing open source operating systems and will provide the capability to significantly reduce vulnerabilities in mission critical information systems and networks. Specifically we plan for concrete results in the following fundamental areas:

Configurable security attributes for multi-domain data
Extensions to file security attributes in an open source operating system (OpenBSD) support equivalence class domain assignments for both objects and active subjects. The rule set of the security manager can be modified to support a wide range of policies with respect to these assignments.

User access via unmodified commercial OS and applications
Users on commercial workstations will be able to access multi-domain information managed by the remote trusted OS, without modification of workstation operating systems or applications.

Transparent session-level access to multiple domains
Users can access data at and below their session level, providing simultaneous access to multiple data domains, as authorized by policy. This feature is provided by policy-aware protocol servers. A significant feature of our approach is that protocol servers for popular application protocols can be added to the system with only the minimal modification required for a typical platform port or can be made policy-aware with minimal additional effort.

Trusted path for open source multi-domain operating system
User authentication and session security attribute negotiation with the enhanced multi-domain open source OS (OpenBSD) occurs by way of a trusted path between the user and the trusted OS. Users are assured that the authentication and negotiations are with the trusted OS and not with masquerading malicious software executing on the trusted OS.

Remote trusted path access to multi-domain operating system
User authentication and session security attribute negotiation with the multi-domain open source OS (OpenBSD) occurs by way of a trusted path between the user and the trusted OS extension, as well as between the trusted OS extension and the trusted OS. Users are assured that the authentication and negotiations are with the trusted OS and not with masquerading malicious software executing in other systems on the network, on the workstation, or the trusted OS.

Policy-driven dynamic network security services
Policy changes at the middleware or application level, for example as the result of changes in network situational mode or Quality of Service considerations, are automatically manifested in network connectivity maps and communication security settings (e.g., IPsec) managed within the trusted OS.

Single sign-on to access multiple trusted servers
From a single session, the user can access multiple application servers on different trusted OSs, without needing to reauthenticate to each of the OSs.

