Secrecy classifications and access policies have been used to promote security in information systems. Secrecy is usually defined as the prevention of unauthorized access to information. Generally, a system designed for security follows a set of access rules that prevent unauthorized access to and tampering with sensitive information.
The National Computer Security Center (NCSC) was a U.S. government organization within the National Security Agency (NSA) that evaluates information systems for high security applications to ensure that facilities processing classified or other sensitive material use trusted computer systems and components. The NCSC's evaluation program was carried out by another NSA organization called the Trusted Product Evaluation Program (TPEP), which tests commercial products against a comprehensive set of security-related criteria. The NCSC issued the first Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) in August of 1983. The document, more commonly referred to as the “orange book,” was reissued in 1985 as a DoD standard that included the stated goals of providing security-related standards for processing sensitive material.
However, information security development processes in various countries (e.g., in the US, Canada and Europe) has led to the pooling of resources, experiences and wisdom for creating a Common Criteria (CC) for a flexible approach to the standardization of security functionality and evaluation assurance. Generally, the CC defines a set of requirements of known validity, which can be used in establishing security requirements for prospective products and systems. Using the CC, consumers and other parties can specify the security functionality of a product in terms of standard Protection Profiles (PP) and independently select an Evaluation Assurance Level (EAL). More specifically, a PP defines an “implementation independent” set of security requirements and objectives for a category of products or systems which meet similar needs for security. Currently, PPs have been developed for firewalls, relational databases and other system components to enable compatibility with various ratings from a defined set of seven increasing EALs, i.e., EAL1-EAL7.
Usually, the PP contains the rules that govern interactions between processes that attempt to access information (also known as subjects) and processes that are the objects of attempted accesses (known as objects). The exchange between these processes is usually classified by security identifiers that reflect the sensitivity of the data. Such identifiers are referred to as “secrecy levels.” For example, “top secret” information may have the highest secrecy level where only those with highest level of secrecy would have access permission. Information within a given secrecy level may also be “categorized” for further restriction in terms of access. Access to each secrecy category may be restricted to those having not only the requisite clearance for the secrecy level, e.g., “top secret,” but also clearance for the particular secrecy category, e.g., “need-to-know.” The combinations of the secrecy levels and secrecy categories are known as “secrecy classes.” In mediating access to information, a secure system compares the secrecy class of the subject to the secrecy class of the object and determines if the subject is allowed to access the object.
Security in a system can also be characterized by the existence of “overt” or “covert” channels. An overt channel is a communication path that is intended to be part of the system in compliance with the security policy. A covert channel on the other hand is an illicit path that uses shared system resources in violation of the system's security policy. For example, a corrupt process designed to operate illicitly within the system, such as a “Trojan Horse”, may gain access to high-value data and use the shared resources as a covert channel to facilitate illicit transmission of information to a “spy agent,” which would otherwise not have access to it. Some examples of covert channels can be found in “Transmission Schedules To Prevent Traffic Analysis,” 9th Annual Computer Security and Applications Conference, 1993, Orlando, Fla., B. R. Venkatraman and R. E. Newman-Wolfe.
There are two types of convert channels: covert timing channels and covert storage channels. Covert timing channels arise as a result of the availability or unavailability of particular system resources during particular time intervals. “Cache-type” and “scheduler-type” covert channels are two examples of covert timing channels. A “scheduler-type” covert channel illicitly exploits the timing of scheduler functions, which serve to allocate CPU time as a resource among various processes. A “cache-type” covert channel uses high-speed cache storage to illicitly transmit information by modulating the time required to complete a cache operation. Covert storage channels usually involve direct or indirect modification of storage memory by one process (the sender of a covert message) and the direct and indirect reading of the memory location by another process (the receiver of the covert message).
One requirement for higher EAL ratings is the closure of most if not all of the covert channels. Lower EAL ratings require reducing the rate at which information can be transferred, i.e., the bandwidth of the covert channels. One means for closing a cache-type covert channel is to clear the cache storage when control of the CPU is transferred from one process to another. A scheduler-type covert channel can be closed by assigning each running process a fixed quantum of CPU time and to idle away any remainder of the assigned time if the running process does not use it. However, it is known that these methods for closing the covert channels could exact a high performance penalty that degrades system performance. It has also been recognized that avoiding resource sharing can eliminate covert channels, the implementation of which is often impractical.
U.S. Pat. No. 5,923,849 discloses a method for auditing and controlling overt and covert communication traffic in a communication system. The method identifies and uses certain parameters to characterize system communication traffic, including the volume of communication between a given pair of nodes, the frequency of communication between a given pair of nodes, the order of communication between a set of nodes, the (extrinsic) nature of communication between a given pair of nodes, and the length (or duration) of transmission. Using one or a combination of these parameters, the method determines “baseline” system conditions and audits the behavior and operations of overt and covert communication activity to detect “out-of-baseline” traffic patterns.
The concept of separation has also been used for construction, analysis and evaluation of secure systems. Separation can be physical or logical. Logical separation usually involves logical entities, such as software programs or processes. If two logical entities are truly separate, then one can not influence the operation of the other, and vice versa. If the operation of one entity is important to the security of the system, the separation of the two from each other allows the operation of one to be ignored when evaluating how the other supports the security of the system. However, if the two logical entities are not separate, then both must be considered in evaluating how each supports the security of the system. The necessity of evaluating both entities increases the difficulty and cost of the security evaluation, and usually yields a lower assurance of security.
U.S. Pat. No. 6,772,416 discloses a computer system that supports a high degree of separation between processing elements. The computer-implemented system executes an operating system having a kernel and includes a plurality of cells. Each cell has one or more processing elements, a domain of execution and a collection of “strands” or tasks, where each strand or task is a stream of programmable machine instructions executable by the kernel of the operating system. A separation specification governs communication between the processing elements and administers the communication between the processing elements in accordance with the separation specification such that one processing element can influence the operation of another processing element only as set forth by the separation specification.
The NSA has also published a PP entitled “U.S. Government Protection Profile for Separation Kernels in Environment Requiring High Robustness” (SKPP), which is hereby incorporated by reference. The SKPP specifies the security functional and assurance requirements for a class of Separation Kernels (SKs). Unlike the traditional security kernels that perform all trusted functions for a secure operating system, a SK's primary function is to partition or otherwise separate resources into policy-based equivalence classes and to control information flows between subjects and resources assigned to the partitions according to the SK's configuration data.
Physical separation in a system is implemented by a set of physically separate devices, nodes, or network components interconnected by separate wires. For example, it is known to have physically separate networks that are assigned to correspondingly separate security classifications. For example, one network can be assigned to support “top secret” classification, while a separate network is assigned to support “unclassified” classification. This arrangement, however, leads to expensive redundancy and could be cumbersome to procure, operate, and maintain.
Therefore, there exists a need for communication system that is simple and effective in conforming to high security assurance levels.