Multiple Independent Levels of Security
Multiple Independent Levels of Security/Safety (MILS) is a high-assurance security architecture based on the concepts of separation and controlled information flow. It is implemented by separation mechanisms that support both untrusted and trustworthy components, and it ensures that the total security solution is non-bypassable, evaluatable, always invoked and tamperproof.

A MILS solution allows for independent evaluation of security components and trusted composition. MILS represents a relatively new (15 years) approach to building secure systems, in contrast to the older Bell and LaPadula theories on secure systems that form the foundation of the DoD Orange Book (the Trusted Computer System Evaluation Criteria, the United States Department of Defense standard that sets basic requirements for assessing the effectiveness of the computer security controls built into a computer system).

A MILS system employs one or more separation mechanisms to maintain assured data and process separation, for example a separation kernel (a type of security kernel that simulates a distributed environment, a concept introduced by John Rushby in a 1981 paper), a Partitioning Communication System (which extends the separation kernel's information-flow and data-isolation policies to the network), or physical separation. A MILS system supports enforcement of one or more application- or system-specific security policies by authorizing information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, or cryptographic devices).

Properties:
- Non-bypassable: a component cannot use another communication path, including lower-level mechanisms, to bypass the security monitor.
- Evaluatable: any trusted component can be evaluated to the level of assurance required of that component. This means the components are modular, well designed, well specified, well implemented, small, and of low complexity.
- Always invoked: each and every access or message is checked by the appropriate security monitors (i.e., a security monitor does not check only the first access and then pass all subsequent accesses or messages through unchecked).
- Tamperproof: the system controls "modify" rights to the security monitor's code, configuration and data, preventing unauthorized changes.

A convenient acronym for these four characteristics is NEAT.

'Trustworthy' means that the component has been certified to satisfy well-defined security policies to a level of assurance commensurate with the level of risk for that component (e.g., a single MILS system can contain single-level access control guards evaluated at Common Criteria EAL4, separation mechanisms evaluated at High Robustness, two-level separation guards evaluated at EAL5, and Type 1 cryptography).

'Untrusted' means that there is no confidence that the component meets its specification with respect to the security policy.
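The following Python model is an added illustration of the flow rule and the NEAT properties described above; it is not code from any MILS product or from the page's sources. It assumes a hypothetical structure: partitions carry a security-domain label, the flow policy is a frozen set of (source, destination) pairs fixed at configuration time with no API to change it afterwards (tamperproof), `SeparationKernel.send()` is the only communication path and checks the policy on every call (non-bypassable, always invoked), and cross-domain flows are accepted only when one endpoint is a trusted guard whose filter decides what is forwarded. The partition names, the `downgrader` guard and the sample messages are constructed for the example.

```python
"""Toy model of MILS information-flow enforcement (added illustration only).

Hypothetical structure, not taken from any vendor's separation kernel:
  - a Partition has a name, a security-domain label and a trusted flag;
  - the flow policy is a frozenset of (src, dst) pairs fixed at construction;
  - SeparationKernel.send() is the only channel and is checked every call;
  - cross-domain flows are legal only through a trusted guard partition.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

Message = Dict[str, object]
GuardFilter = Callable[[str, Message], Optional[Tuple[str, Message]]]


class FlowDenied(Exception):
    """Raised when a message is sent along a path the policy does not allow."""


@dataclass(frozen=True)
class Partition:
    name: str
    domain: str            # e.g. "SECRET" or "UNCLASS" (constructed labels)
    trusted: bool = False  # True only for evaluated security monitors (guards)


class SeparationKernel:
    def __init__(self, partitions: Iterable[Partition],
                 flows: Iterable[Tuple[str, str]],
                 guards: Dict[str, GuardFilter]) -> None:
        self._parts: Dict[str, Partition] = {p.name: p for p in partitions}
        self._flows: FrozenSet[Tuple[str, str]] = frozenset(flows)  # immutable
        self._guards: Dict[str, GuardFilter] = dict(guards)
        self._inbox: Dict[str, List[Message]] = {n: [] for n in self._parts}
        self.audit: List[Tuple[str, str, str]] = []
        # Configuration-time checks: a flow may cross domains only through a
        # trusted monitor, and only trusted partitions may act as guards.
        for src, dst in self._flows:
            s, d = self._parts[src], self._parts[dst]
            if s.domain != d.domain and not (s.trusted or d.trusted):
                raise ValueError(f"cross-domain flow {src}->{dst} has no trusted monitor")
        for g in self._guards:
            if not self._parts[g].trusted:
                raise ValueError(f"guard {g} is not a trusted partition")

    @property
    def flows(self) -> FrozenSet[Tuple[str, str]]:
        return self._flows  # read-only view; there is no setter

    def send(self, src: str, dst: str, msg: Message) -> None:
        """The single mediated channel: policy is consulted on every call."""
        if (src, dst) not in self._flows:
            self.audit.append((src, dst, "DENIED"))
            raise FlowDenied(f"{src} -> {dst} not in policy")
        self.audit.append((src, dst, "ALLOWED"))
        guard = self._guards.get(dst)
        if guard is None:
            self._inbox[dst].append(msg)
            return
        # Delivery to a guard runs its filter; any forward it requests goes
        # back through send(), so the guard's own output is policy-checked too.
        forward = guard(src, msg)
        if forward is None:
            self.audit.append((dst, "-", "DROPPED"))
        else:
            next_dst, out = forward
            self.send(dst, next_dst, out)

    def receive(self, name: str) -> List[Message]:
        msgs, self._inbox[name] = self._inbox[name], []
        return msgs


def downgrader(_src: str, msg: Message) -> Optional[Tuple[str, Message]]:
    """Guard filter (constructed): release only messages marked releasable,
    and strip everything but the text field before passing to the low side."""
    if msg.get("releasable") is True:
        return ("display", {"text": msg["text"]})
    return None


def build_demo_kernel() -> SeparationKernel:
    # Constructed sample configuration: two SECRET application partitions,
    # one UNCLASS display, and a trusted downgrader bridging the two domains.
    parts = [Partition("radar", "SECRET"), Partition("nav", "SECRET"),
             Partition("display", "UNCLASS"),
             Partition("downgrader", "SECRET", trusted=True)]
    flows = [("radar", "nav"), ("nav", "downgrader"), ("downgrader", "display")]
    return SeparationKernel(parts, flows, {"downgrader": downgrader})


def run_demo() -> Dict[str, object]:
    k = build_demo_kernel()
    k.send("radar", "nav", {"text": "contact bearing 090", "releasable": False})
    try:                       # direct high-to-low path is not in the policy
        k.send("radar", "display", {"text": "leak attempt"})
        direct_leak = "delivered"
    except FlowDenied:
        direct_leak = "denied"
    k.send("nav", "downgrader", {"text": "all clear", "releasable": True})
    k.send("nav", "downgrader", {"text": "own position 51N 001W", "releasable": False})
    try:                       # an unguarded cross-domain flow is rejected at config time
        SeparationKernel([Partition("a", "SECRET"), Partition("b", "UNCLASS")], [("a", "b")], {})
        config_check = "accepted"
    except ValueError:
        config_check = "rejected"
    return {"nav_inbox": k.receive("nav"), "display_inbox": k.receive("display"),
            "direct_leak": direct_leak, "unguarded_config": config_check,
            "audit": k.audit}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running `run_demo()` shows the three outcomes a practitioner cares about: the same-domain message is delivered, the direct SECRET-to-UNCLASS attempt is refused and audited rather than silently dropped, and the only path to the low side is the downgrader, which releases one message and drops the other. The configuration-time check is where the "evaluatable" property lives in this model: the policy is a small static table that can be reviewed independently of the application partitions.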
The following companies have MILS separation kernel products:
- Green Hills Software (privately owned; builds operating systems and development tools for embedded systems; founded in 1982 by Dan O'Dowd and Carl Rosenberg)
- LynuxWorks (San Jose, California; founded in 1988; produces embedded operating systems and tools for full virtualization and paravirtualization in embedded systems)
- SYSGO (German company founded in 1991; basic software building blocks for embedded systems in critical environments such as aircraft, medical instruments and industrial automation)
- Wind River Systems (embedded systems, development tools and middleware; founded in Berkeley, California in 1981 by Jerry Fiddler and David Wilner; announced on June 4, 2009 that it had been acquired by Intel)