Architecture
Cynthia E. Irvine, Timothy E. Levin, Paul C. Clark, Thuy D. Nguyen
Naval Postgraduate School, 1411 Cunningham Road, Monterey, CA 93943-5201, 831-656-2395
{irvine, levin, pcclark, tdnguyen}@nps.edu
ABSTRACT
In extraordinary situations, certain individuals may require access to information for which they are not normally authorized. For example, to facilitate rescue of people trapped inside of a burning building, firefighters may need its detailed floor plan, information that may not typically be accessible to emergency responders. Thus, it is necessary to provide transient trust so that such sensitive information is available to selected individuals only during the emergency. The architecture presented here is designed to support transient trust. It encompasses pre-positioned, updateable domains for use exclusively during emergencies along with a set of “normal” domains with different sensitivity levels. Allocated to partitions, these domains are entered via a high integrity trusted path service located in a separate trusted partition. Interaction among subjects in different partitions is controlled by a high assurance separation kernel, and efficient use of devices is achieved through the application of a three-part device model. The resulting architecture enforces mandatory security policies, yet ensures secure and revocable access to a class of information during declared emergencies.
information can be just as significant. Frustration with the inability to access information in recent armed conflicts and civil catastrophes clarified for many decision-makers that the balance between information availability and protection is a risk management action that should not be constrained by a rigid security policy. Rather, it has become clear to many that the mechanisms for controlling and accessing information must incorporate multiple situational factors to ensure the risk/benefit tradeoff is correctly calculated, and that the decisions must be automated to ensure timely access [29][40].

We present a security architecture for supporting emergency access to information that incorporates and extends current separation kernel technology to provide high assurance of the confinement and revocation of sensitive information accessed during an emergency, such that the risk of allowing extraordinary access is mitigated. To achieve this assurance we confine emergency information temporally – it can only be accessed extraordinarily during a discrete emergency – and spatially – it is not allowed to leave a special “emergency partition” that is protected by a highly robust separation kernel [28].

The target platform for research and validation of our approach is a handheld computer, the E-device. Our security solutions in this form factor provide a mobile emergency-response capability that enables rapid, knowledgeable actions; promotes usability; and ensures sensitive emergency-support information is protected as it is communicated, processed and stored. The result is a trusted foundation for effective crisis management activities.

To describe our architecture, we first highlight its major contributions and provide background on access control, risk management and the tension between the need for information protection and flexibility. A brief description of emergency operations sets the stage for a presentation of the architecture, which describes its protection domains and the allocation of functionality and policies to those domains. Our analysis includes user interaction, transient trust, the use of hardware, and our prototype. A comparison with related work is followed by a summary of this paper.
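As an added illustration (not the authors' code or their kernel's policy), the following Python models the two confinement rules just described as reference-monitor decisions: the emergency partition can be entered only while an emergency is declared via the trusted partition, information may flow into it but never out, and ending the emergency revokes every session inside it. Partition names, the clearance levels and the flow set are assumptions chosen for the model.

```python
"""Toy model of transient trust: temporal and spatial confinement of an
emergency partition behind a separation kernel. Constructed example; the
partition names, levels and flow policy below are assumptions."""
from dataclasses import dataclass, field

EMERGENCY = "emergency"              # pre-positioned emergency partition
TRUSTED = "trusted"                  # trusted path / policy-management partition
NORMAL = {"unclass": 0, "secret": 1}  # "normal" partitions and their sensitivity levels


@dataclass
class SeparationKernel:
    emergency_declared: bool = False
    active_sessions: set = field(default_factory=set)   # (user, partition)
    # Static inter-partition flow policy (assumed). Flows INTO the emergency
    # partition (updates, normal data) are allowed; flows OUT of it never are.
    allowed_flows: set = field(default_factory=lambda: {
        (TRUSTED, EMERGENCY), ("unclass", "secret"),
        ("unclass", EMERGENCY), ("secret", EMERGENCY),
    })

    def declare_emergency(self, via_partition):
        # Only the trusted partition (reached over the trusted path) may change state.
        if via_partition != TRUSTED:
            return False
        self.emergency_declared = True
        return True

    def end_emergency(self, via_partition):
        if via_partition != TRUSTED:
            return False
        self.emergency_declared = False
        # Revocation: tear down every session currently in the emergency partition.
        self.active_sessions = {s for s in self.active_sessions if s[1] != EMERGENCY}
        return True

    def flow_allowed(self, src, dst):
        """Spatial confinement: the emergency partition is a sink for information."""
        if src == EMERGENCY and dst != EMERGENCY:
            return False
        return src == dst or (src, dst) in self.allowed_flows

    def can_enter(self, partition, user_level):
        """Temporal confinement: emergency partition is enterable only while declared."""
        if partition == EMERGENCY:
            return self.emergency_declared
        return partition in NORMAL and user_level >= NORMAL[partition]

    def open_session(self, user, partition, user_level):
        if not self.can_enter(partition, user_level):
            return False
        self.active_sessions.add((user, partition))
        return True
```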
Categories and Subject Descriptors
D.2.11 [Software Engineering]: Software Architectures, D.4.6 [Operating Systems]: Security and Protection
General Terms
Design, Security.
Keywords
Virtualization, Multilevel Security, Emergency Management, Separation Kernel
1. INTRODUCTION
A...