The Pump: 10 Years of Covertness
Myong H. Kang
Ira S. Moskowitz
Stanley Chincheck
Center for High Assurance Computer Systems
US Naval Research Laboratory
Code 5540
Washington, DC
[email protected]

A Brief History

- Started in 1993 addressing data replication from Low database to High database
  - M. H. Kang and I. S. Moskowitz, “A Pump for rapid, reliable, secure communication,” Proceedings of the First ACM Conference on Computer and Communications Security, 1993
- Network Pump algorithm was developed in 1995
- Hardware version of the Pump
  - Wanted to replace XTS-200
  - Completed January 2004 by NRL 5540
  - Navy Type accredited
- Installed in various DoD facilities
  - As a critical security component of a cross-domain solution
  - About 60 in use
  - $3K for DoD customers
- Many papers later
- US Patent filed, Navy Case #84,150, 25 July 2003
- Applied for international rights
- Trademarked “Network Pump™” name
- 17.5"W x 1.75"H x 10.5"D
- 19” rack mount
- Ethernet 100BaseT interface

Design Requirements

- Assurance
  - Simple and easy to understand to facilitate accreditation
  - Protocol neutral
- Reliability
  - No loss of messages
  - No duplication of messages
- Performance
  - No reduction of data transfer rate due to security reasons

Design Requirements (cont’d)

- Covert channel
  - Reduce covert channel capacity as much as possible without compromising performance
- Fairness
  - Fair rates among many senders and many receivers
- Denial of service attack
  - Resist denial of service attacks

Basic Pump

(Figure: a Low system on the Low LAN, with its Low application and Low wrapper, sends Data to the Pump and receives Stochastic ACKs from it; the Pump holds the Data in a Non-volatile buffer and forwards it to the High system on the High LAN, where the High wrapper and High application return ACKs to the Pump.)

Basic Pump (cont’d)

- The Pump’s confidentiality properties depend solely on the Pump itself, not on the wrappers - Assurance
  - Separates MLS functions from other functions
  - Wrappers make the Pump a generic device that is independent of a specific application
- Provide ACKs to a sender - Reliability
- Provide non-volatile buffer - Reliability
- Decoupled Low ACKs from High ACKs - Covert Channel
  - Low ACKs are stochastic ACKs based upon a moving average of the past m High ACK times - Performance
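The stochastic-ACK idea above, as an added example that is not NRL's code: a toy simulation in which each Low ACK delay is drawn from an exponential distribution whose mean is the moving average of the last m High ACK times (the exponential distribution and the 1.0 baseline before the first High ACK are assumptions; the slides only state the moving-average dependence). Because the delay Low observes depends on the smoothed history rather than on the current High ACK, High cannot signal Low by modulating individual ACK times without that signal being averaged and randomised, while the mean Low ACK rate still tracks High's actual rate.

```python
import random
from collections import deque


class PumpSim:
    """Toy model of the Basic Pump's Low-side ACK timing (added example, not NRL code).

    Assumption: each Low ACK delay is exponentially distributed with mean equal to
    the moving average of the last m High ACK times, so Low sees only a smoothed,
    randomised view of High's behaviour rather than each individual High ACK time.
    """

    def __init__(self, m, capacity, seed=0):
        self.capacity = capacity                # non-volatile buffer size, in messages
        self.buffer = deque()                   # accepted from Low, not yet ACKed by High
        self.high_ack_times = deque(maxlen=m)   # sliding window of the last m High ACK times
        self.rng = random.Random(seed)          # seeded so runs are reproducible

    def moving_average(self):
        """Mean of the last m High ACK times; 1.0 before any High ACK is seen (assumption)."""
        if not self.high_ack_times:
            return 1.0
        return sum(self.high_ack_times) / len(self.high_ack_times)

    def low_send(self, msg):
        """Low sends msg. Returns the Low ACK delay, or None if the buffer is full (Low retries)."""
        if len(self.buffer) >= self.capacity:
            return None
        self.buffer.append(msg)
        # The delay depends only on the smoothed history, never on the current High ACK time.
        return self.rng.expovariate(1.0 / self.moving_average())

    def high_ack(self, ack_time):
        """High ACKs the oldest buffered message after taking ack_time time units."""
        msg = self.buffer.popleft()
        self.high_ack_times.append(ack_time)
        return msg


def mean_low_ack_delay(pump, n, high_ack_time):
    """Push n messages through pump with a constant High ACK time; return the mean Low ACK delay."""
    total = 0.0
    for i in range(n):
        total += pump.low_send(i)
        pump.high_ack(high_ack_time)
    return total / n
```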

Network Pump™

(Figure: Low senders L1 … LI on link1 … linkI feed Receiver 1 … Receiver I and a Trusted Low Process; a ROUTING stage moves messages into Output buffer 1 … Output buffer J, each with its own scheduler and Trusted High Process THP1 … THPJ delivering to High receivers H1 … HJ.)

Network Pump™ (cont’d)

- Share output buffers among different sessions - efficiency
- Acting as a router between receiving buffers and output buffers
  - Round robin scheme - fairness and denial of service attack
  - Fair size - keep the queue length at a certain level - covert channel and denial of service attack
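The round-robin routing and fair-size bullets above, as an added example that is not NRL's code: a toy router that drains at most one message per session per pass into a shared output buffer and holds back any session that already occupies its fair share of that buffer, so a single flooding sender can neither fill the buffer nor drive its length, and hence the ACK timing that depends on it, to extremes (the per-session cap as the meaning of "fair size", and holding rather than dropping, are assumptions).

```python
from collections import deque


class NetworkPumpRouter:
    """Toy model of the Network Pump's routing stage (added example, not NRL code).

    Receiving buffers (one per Low session) are drained round-robin into output
    buffers shared by all sessions bound for the same High receiver. Assumption:
    'fair size' is a per-session cap on the slots one session may hold in a
    shared output buffer, so no single sender can monopolise or fill it.
    """

    def __init__(self, output_capacity, fair_size):
        self.output_capacity = output_capacity
        self.fair_size = fair_size
        self.receive = {}          # session -> deque of (receiver, msg) awaiting routing
        self.output = {}           # receiver -> deque of (session, msg) awaiting High's ACK
        self.order = deque()       # round-robin order of sessions

    def low_send(self, session, receiver, msg):
        if session not in self.receive:
            self.receive[session] = deque()
            self.order.append(session)
        self.receive[session].append((receiver, msg))

    def in_output(self, receiver, session):
        """Slots of receiver's output buffer currently held by session."""
        return sum(1 for s, _ in self.output.get(receiver, ()) if s == session)

    def route_once(self):
        """One round-robin pass: move at most one message per session to its output buffer.

        Returns the (session, receiver) pairs that were held back this pass."""
        held = []
        for _ in range(len(self.order)):
            session = self.order[0]
            self.order.rotate(-1)          # next pass starts with the following session
            q = self.receive[session]
            if not q:
                continue
            receiver, msg = q[0]
            out = self.output.setdefault(receiver, deque())
            if len(out) >= self.output_capacity or self.in_output(receiver, session) >= self.fair_size:
                held.append((session, receiver))   # buffer full or over fair share: wait, do not drop
                continue
            out.append((session, q.popleft()[1]))
        return held

    def high_ack(self, receiver):
        """High receiver ACKs and frees the oldest message in its output buffer."""
        return self.output[receiver].popleft()
```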

Hardware Pump

(Block diagram: a Low side (Low LAN Interface, Low Ethernet Interface, Low Microprocessor, Low RAM, Low EEPROM, Battery) and a High side (High LAN Interface, High Ethernet Interface, High Microprocessor, High RAM, High EEPROM) joined by a Dual Port RAM (Bypass Channel); a Security Monitor with Administrator Interface, Serial Interface, Fault Control, Reset and Power_Fail signals; and Power & Reset Control with a Power Interface supplying VCC_5, VCC_12, VCC_3.3 and VCC_RAM.)

Hardware Pump (cont’d)

- Provides an interface to an administrator workstation - configuration and receiving error and performance reports
  - Specify Low and High IP addresses and port numbers for opening connections
- Equipped with a built-in backup battery - Reliability
  - Power failure: All messages in the volatile RAM will be saved into non-volatile flash memory
  - Pump start up: All undelivered messages will be restored to the RAM and redelivery to the High IP addresses will commence

Related Ideas

- J. McDermott, “The B2/C3 problem: How Big Buffers Overcome Covert Channel Cynicism in Trusted Database Systems,” in J. Biskup, M. Morgenstern, and C. E. Landwehr, eds., Database Security, VIII: Status and Prospects, IFIP Transactions A-60, Elsevier Science B.V., Amsterdam, 1994.
- R. Mraz, “Secure Directory File Transfer System,” Proc. 12th Annual Canadian Information Technology Security Symposium, 2000.
- N. Ogurtsov, H. Orman, R. Schroeppel, S. O'Malley, O. Spatscheck, “Experimental results of covert channel limitation in one-way communication systems,” Network and Distributed System Security, 1997.
- “Owl Computing Data Diode,” Common Criteria Security Target (EAL2), http://niap.nist.gov/cc-scheme/st/ST_VID4000-ST.pdf
- US Patent 5,703,562, Method for Transferring Data from an Unsecured Computer to a Secured Computer, C. A. Nilsen, Dec 30, 1997.
- M. Bobbitt, “(Un)bridging the Gap,” Information Security, July 2000.

Pump Relevant (non NRL)

- V. Anantharam and S. Verdú, “Bits through queues,” IEEE Transactions on Information Theory, vol. 42, no. 1, Jan. 1996.
- V. Anantharam and S. Verdú, “Reflections on the 1998 Information Theory Society Paper Award: Bits through Queues,” IEEE Information Theory Society Newsletter, vol. 49, no. 4, Dec. 1999.
- J. S. Holmgren and R. P. Rich, Metric Methodology for the Creation of Environments and Processes to Certify a Component: The NRL Pump, Naval Postgraduate School, Monterey CA, March 2003.
- A. Aldini and M. Bernardo, “An Integrated View of Security Analysis and Performance Evaluation: Trading QoS with Covert Channel Bandwidth,” to appear: SAFECOMP 2004.
- A. Aldini and M. Bernardo, Measuring the Covert Channel Bandwidth in the NRL Pump, technical report, 2004, http://mefisto.web.cs.unibo.it/PubblSedeC0.html
- R. Lanotte, A. Maggiolo-Schettini, S. Tini, A. Troina, and E. Tronci, Automatic Analysis of the NRL Pump, preprint, 2004, www.di.unipi.it/~troina/mefisto/drafts/NRLdraft.pdf

Pump Relevant (NRL)

- M. H. Kang and I. S. Moskowitz, “A Pump for rapid, reliable, secure communication,” Proceedings of the First ACM Conference on Computer and Communications Security, 1993.
- I. S. Moskowitz and M. H. Kang, “Discussion of a statistical channel,” Proceedings of the IEEE-IMS Workshop on Information Theory and Statistics, Alexandria, VA, 1994.
- I. S. Moskowitz and M. H. Kang, “The Modulated-Input Modulated-Output Model,” Proc. IFIP WG11.3 Workshop on Database Security, NY, August 1995.
- J. Froscher, D. M. Goldschlag, M. H. Kang, C. Landwehr, A. P. Moore, I. S. Moskowitz, and C. Payne, “Improving Inter-Enclave Information Flow for a Secure Strike Planning Application,” Proceedings of the 11th Annual Computer Security Applications Conference, pp. 89–98, 1995.
- M. H. Kang and I. S. Moskowitz, “A data Pump for communication,” NRL Memorandum Report 5540-95-7771, 1995.
- M. H. Kang, I. S. Moskowitz, and D. C. Lee, “A Network Version of the Pump,” Proc. 1995 IEEE Computer Society Symposium on Research in Security and Privacy, May 1995.
- M. H. Kang, J. Froscher, and I. S. Moskowitz, “A Framework for MLS Interoperability,” Proc. HASE’96, Niagara-on-the-Lake, Canada, October 1996.

Pump Relevant (NRL) (cont’d)

- M. H. Kang, I. S. Moskowitz, B. E. Montrose, and J. J. Parsonese, “A Case Study of Two NRL Pump Prototypes,” 12th Annual Computer Security Applications Conference, 1996.
- M. H. Kang, I. S. Moskowitz, and D. C. Lee, “A Network Pump,” IEEE Transactions on Software Engineering, vol. 22, no. 5, 1996.
- M. H. Kang, A. P. Moore, and I. S. Moskowitz, “Design and Assurance Strategy for the NRL Pump,” 2nd IEEE High-Assurance Systems Engineering Workshop (1997); IEEE Computer Magazine, vol. 31, no. 4, 1998.
- US Patent application 10/627,102, Navy Case #84,150, July 25, 2003.

Lessons Learned

- Bridge funding: Transitioning the product from research and development to a certified real-world product
- Patient and flexible customers: Customers whose patience and understanding afford some latitude in getting the product established
- Perseverance: The quality that the researchers and developers had to exhibit to make this product a reality