MYSEA Technology Demonstration

Presented by Sai Charan Obuladinne
Contents
Introduction
MYSEA characteristics and capabilities
MYSEA Domain Separation and Trusted Path Demo
Quality of Security Service Demo
Conclusion
Introduction
Purpose
a) Trusted distributed operating environment for enforcing multi-domain security policies.
b) To develop high assurance security services and integrated operating system mechanisms that protect distributed multi-domain computing environments from malicious code and other attacks.
c) Capabilities: composing secure distributed systems using commercial off-the-shelf (COTS) components.
MYSEA characteristics and capabilities
Use of add-on components in client-server systems, which can magnify the impact of trusted open source systems.
Protection of multiple protection domains, such that malicious code may neither exfiltrate confidentially sensitive data nor corrupt information of higher integrity.
[Figure: malicious software in a PC; multiple PCs]
Open source trusted path mechanism for assured and unambiguous user communication with the trusted computing base.
Vertical integration: dynamic security policy control functions in a QoSS framework.
MYSEA Domain Separation and Trusted Path Demo
MYSEA is a distributed client-server architecture. The major physical components are:
1) Security enhanced servers: enforce the security policy and host various open source or commercial application protocol servers.
2) Security enhanced workstations: commercial-class PCs executing popular commercial software products, with Trusted Path Extensions that permit the server-enforced security policy to be distributed across the network.
The MYSEA Server enforces the security policy and controls access to information.
It is a security enhanced version of the OpenBSD operating system (MYSEOS).
MYSEOS + Untrusted Connection (Policy Constrained) = MYSEA
When MYSEOS is combined with untrusted, but policy constrained (and, in some instances, policy aware) application protocol servers, the result is the MYSEA Server.
[Figure: MYSEOS combined with untrusted third-party, policy-constrained servers]
MYSEA workstation: each PC has a Trusted Path Extension device that provides MYSEA policy support at the workstation.
The MYSEA Servers and the Trusted Path Extensions are connected directly to the physical network.
Demonstration of Concepts
Trusted Path Extension: users can log on to the MYSEA system over a trusted path. Audit and access controls: invoked to establish session attributes such as the current sensitivity level.
Similarly, the user can also log on to his own PC and use standard commercial client software (e.g., web browser or e-mail program) to access applications supported by the MYSEA
To modify any session attributes (sensitivity level, password, user name, etc.), the Trusted Path Extension is invoked again.
Multi-Domain Policy Enforcement
The MYSEOS kernel associates security attributes with active
and passive.
An important policy for the MYSEOS kernel to enforce is that malicious code may neither exfiltrate confidentially sensitive data nor corrupt information of higher integrity. To support this, the MYSEOS kernel provides multi-domain file system support.
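The policy stated above can be written as an access check over labeled subjects and objects. This is an added example, not MYSEOS code: it assumes the classic lattice rules (no read up and no write down for confidentiality, no write up for integrity), and the label layout, type names and sample levels are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label: hierarchical level plus a category bitmask. */
struct label { int level; uint32_t cats; };

/* Security attributes of an active entity (process) or a passive one (file). */
struct attrs { struct label secrecy; struct label integrity; };

enum access { ACC_READ, ACC_WRITE };

/* a dominates b: level at least as high, categories a superset of b's. */
static bool dominates(struct label a, struct label b) {
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* Decide one access request by a subject to an object. */
bool access_allowed(struct attrs subj, struct attrs obj, enum access mode) {
    if (mode == ACC_READ)   /* no read up: never observe data above the session */
        return dominates(subj.secrecy, obj.secrecy);
    /* write: no write down (exfiltration), no write up in integrity (corruption) */
    return dominates(obj.secrecy, subj.secrecy) &&
           dominates(subj.integrity, obj.integrity);
}

int main(void) {
    /* Constructed samples: untrusted code in a level-2 session, low integrity. */
    struct attrs high_proc = { {2, 0x1}, {0, 0} };
    struct attrs low_proc  = { {0, 0},   {0, 0} };
    struct attrs pub_file  = { {0, 0},   {0, 0} };  /* low-sensitivity file */
    struct attrs sys_file  = { {0, 0},   {3, 0} };  /* high-integrity file */
    printf("high reads pub=%d, high writes pub=%d, low writes sys=%d\n",
           access_allowed(high_proc, pub_file, ACC_READ),
           access_allowed(high_proc, pub_file, ACC_WRITE),
           access_allowed(low_proc, sys_file, ACC_WRITE));
    return 0;
}
```

The refused write from the level-2 session to the low file is the exfiltration case; the refused write from the low-integrity process to the high-integrity file is the corruption case.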
[Figure: Trusted Path Extension and TPS; multiple terminal PCs / multiple workstations; maintains the state of user-MYSEA interaction]
Example: a user may be logged in with default security attributes, but may not have started a session executing untrusted application code. Trusted Path Services provides an interface to the Security Support Services component to support identification and authentication.
The MYSEA Server supports the following services:
Secure Attention Key
Trusted Path Services
Controlled LAN Access
Communications and cryptographic services
Negotiated Session Services
Control of Security Critical Activities
Secure Attention Key: initiates unambiguous communication with MYSEOS; causes a state change in the Trusted Path Extension such that an unforgeable communications path (viz. a trusted path) to MYSEOS
Trusted Path Services: when invoked, accept input of security critical information (password).
Controlled LAN Access: controlled access to the LAN. Malicious software cannot bypass the Trusted Path.
Communications and cryptographic services: protected communication channels between the Server and the TPS (based upon protocols that support establishment and maintenance of the TPS).
Negotiated Session Services: ensure trusted object reuse. When the user changes domains, information associated with the previous domain must be removed from the untrusted PC.
Note: previous session information cannot be reused by subsequent sessions (violation of the distributed security policy).
Control of Security Critical Activities: controls the client and its resources at boot time and controls security critical actions during the client session.
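The interplay of the Secure Attention Key, controlled LAN access and negotiated sessions described above can be modeled as a small state machine. This is an added example, not MYSEA code: the states, events and field names are hypothetical, and it assumes the PC gets LAN access only inside a negotiated session and that a change of level forces a scrub of the PC before reuse.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a Trusted Path Extension (TPE); all names are illustrative. */
enum tpe_state { TPE_LOGGED_OUT, TPE_TRUSTED_PATH, TPE_SESSION };
enum tpe_event { EV_SAK, EV_LOGIN_OK, EV_SET_LEVEL, EV_RUN_SESSION, EV_LOGOUT };

struct tpe {
    enum tpe_state state;
    bool authenticated;
    int level;       /* current session sensitivity level */
    int pc_residue;  /* level of data left on the untrusted PC, -1 if clean */
    int purges;      /* times the PC was scrubbed before reuse */
};

void tpe_init(struct tpe *t) { *t = (struct tpe){ TPE_LOGGED_OUT, false, 0, -1, 0 }; }

/* Controlled LAN access: the PC reaches the LAN only inside a session. */
bool pc_lan_allowed(const struct tpe *t) { return t->state == TPE_SESSION; }

/* Apply one event; returns false if it is refused in the current state. */
bool tpe_step(struct tpe *t, enum tpe_event ev, int arg) {
    if (ev == EV_SAK) {                  /* SAK is honoured from any state */
        t->state = TPE_TRUSTED_PATH;
        return true;
    }
    if (t->state != TPE_TRUSTED_PATH)
        return false;                    /* critical actions need the trusted path */
    if (ev == EV_LOGIN_OK) { t->authenticated = true; return true; }
    if (!t->authenticated) return false; /* everything below needs a logged-on user */
    switch (ev) {
    case EV_SET_LEVEL: t->level = arg; return true;
    case EV_LOGOUT: t->authenticated = false; t->state = TPE_LOGGED_OUT; return true;
    case EV_RUN_SESSION:
        if (t->pc_residue != -1 && t->pc_residue != t->level)
            t->purges++;                 /* object reuse: scrub the old domain's data */
        t->pc_residue = t->level;        /* PC now holds data of this level only */
        t->state = TPE_SESSION;
        return true;
    default: return false;
    }
}

int main(void) {
    struct tpe t; tpe_init(&t);
    tpe_step(&t, EV_SAK, 0); tpe_step(&t, EV_LOGIN_OK, 0); tpe_step(&t, EV_RUN_SESSION, 0);
    printf("LAN allowed in session: %d\n", pc_lan_allowed(&t));
    return 0;
}
```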
MYSEA QoSS Manager: the external QoSS interface to MYSEA; it governs security and performance factors of the various MYSEA components.
The QoSS manager on the MYSEA server manages the QoSS security and connectivity database.
[Figure: MYSEA QoSS Manager; security and performance; MYSEA component]
Conclusion:
MYSEA is a trusted distributed operating environment
for enforcing multi-domain security policies.
Supports critical applications:
1) A distributed trusted architecture that utilizes commercial
and open source applications.
2) An open source trusted path mechanism.
3) Techniques for vertical integration of security
policy control functions.
THANKS