MYSEA Technology Demonstration Presented by, Sai Charan Obuladinne References 1) Cynthia E.Irvine, David J. Shifflett, Paul C. Clark, Timothy, George “MYSEA Security Architecture” 2) Cynthia E. Irvine, David J. Shifflett, Paul C. Clark, Timothy, George “MYSEA Technology Demonstration” 3) Cynthia E. Irvine, David J. Shifflett, Paul C. Clark, Timothy, George “MYSEA: The Monetary Security Architecture” 4) http://cisr.nps.edu/projects/mysea.html Contents Introduction MYSEA characteristics and capabilities MYSEA Domain Separation and Trusted Path Demo Quality of Security Service Demo Conclusion Introduction Purposea) Trusted distributed operating environment for enforcing multi-domain security policies. b) To develop high assurance security services and integrated operating system mechanisms -protect distributed multi-domain computing environments from malicious code and other attacks. C) Capabilities- composing secure distributed systems using commercial off-the-shelf (COTS) components. MYSEA characteristics and capabilities Use of add-on components in client-server systems which can magnify the impact of trusted open source systems. Protection of multiple protection domains, such that malicious code may neither ex-filtrate confidentially sensitive data, nor corrupt information of higher integrity(Malicious Software in PCMultiple PC’s) Open source trusted path mechanism for assured and unambiguous user communication with the trusted computing base Vertical integration-dynamic security policy control functions in a QOSS framework MYSEA Domain Separation and Trusted Path Demo MYSEA is a distributed client-server architecture, the major physical components 1) Security enhanced servers- For security policy enforcement and host various open source or commercial application protocol servers. 2) Security enhanced workstations-commercial-class PCs executing popular commercial software products(Trusted Path Extensions) thus permit server-enforced security policy to be distributed across the network. MYSEA Server enforces the security policy and controls access to information. Its is a security enhanced version of the OpenBSD operating system (MYSEOS). MYSEOS + Untrusted Connection(Policy Constrained) = MYSEA MYSEOS is combined with untrusted, but policy constrained (and, in some instances, policy aware) application protocol servers, the result is the MYSEA Server MYSEOS Untrusted-3rd Party Policy Contrained MYSEA workstation each PC -Trusted Path Extension device that provides MYSEA policy support at the workstation. The MYSEA Server’s and the Trusted Path Extension’s connected directly to the physical network. Demonstration of Concepts Trusted Path Extension- users can log on to the MYSEA system in a trusted path,Audit and Access controls- Invokes and establish Session Attributes like current sensitivity level. Similarly, the user can also log on to his own PC and use standard commercial client software (e.g., web browser or e-mail program) to access applications supported by the MYSEA Again to Modify any Session Attributes, again the Trusted Path Extension is invoked.(Sensitivity level, modify password, use name etc..) Multi-Domain Policy Enforcement The MYSEOS kernel associates security attributes with active and passive. An important policy for the MYSEOS kernel to enforce is that malicious code may neither exfiltrate confidentially sensitive data nor corrupt information of higher integrity, to support this, the MYSEOS kernel provides multi-domain file system support, Trusted path extension TPS Multiple Terminal PC’s Maintains the State of UserMYSEA Interaction Multiple Work Stations Ex: user may be logged in with default security attributes, but may not have started a session executing untrusted application code. Trusted Path Services provides an interface to the Security Support Services component to support identification and authentication MYSEA SERVER Supports following services: Secure Attention Key Trusted Path Services Controlled LAN Access Communications and cryptographic services Negotiated Session Services Control of Security Critical Activities MYSEA SERVER Supports following services: Secure Attention Key- Initiate unambiguous communication with MYSEOS , cause a state change in the Trusted Path Extension such that an unforgeable communications path (viz. a trusted path) to MYSEOS Trusted Path Services –When Invoked input security critical information(Password) Controlled LAN Access- Controlled access to the LAN. Malicious software cannot bypass the Trusted Path. Communications and cryptographic services- protected communication channels between Server and TPS(based upon protocols that supports establishment and maintenance TPS) Negotiated Session Services- Ensure trusted object reuse, Change Domains(user), information associated with previous domain must be removed from the untrusted PC, Note: Previous session info cannot be reused by subsequent sessions(Violation of Distributed Security Policy). Control of Security Critical Activities- Controls client and resources at the time of boot and control security critical actions over the client session. MYSEA QoSS Manager -external QoSS interface to MYSEA, and governs security and performance factors of the various MYSEA components. QoSS manager on the MYSEA serverSecurity manages the QoSS security and connectivity database. and Performa nce MYSEA Component MYSEA QOSS Manager Conclusion: MYSEA is a trusted distributed operating environment for enforcing multi-domain security policies. Supports critical applications: 1) A distributed trusted architecture that utilizes commercial and open source applications. 2) An open source trusted path mechanism. 3) Techniques for vertical integration of security policy control functions. THANKS- ధన్యవాదాలు