⟦3cf340c99⟧ Wang Wps File
Length: 19146 (0x4aca)
Types: Wang Wps File
Notes: SECURITY FILTER STUDY
Names: »4130A «
Derivation
└─⟦2c1d27607⟧ Bits:30006216 8" Wang WCS floppy, CR 0284A
└─ ⟦this⟧ »4130A «
WangText
SECURITY FILTER STUDY 1983-10-19
EXECUTIVE SUMMARY
TABLE OF CONTENTS
1 GENERAL
1.1 SCOPE
1.2 REFERENCES
2 INTRODUCTION
2.1 BACKGROUND
2.2 OBJECTIVES
3 SUMMARY OF THE RESULTS
3.1 DEMONSTRATION OF FEASIBILITY
3.2 IMPLEMENTATION METHODS
3.3 SECURITY FILTER SPECIFICATION
3.4 MULTICHANNEL SECURITY FILTER
3.5 CRITICAL AREAS
3.6 ESTIMATES OF THE COST
4 CONCLUSION
1 GENERAL
1.1 SCOPE
This document is a summary of the results from the
Security Filter Study, performed under Contract No.
FK8219 between the Air Materiel Command of the RDAF
and Christian Rovsing A/S in the period June 1982 to
May 1983.
1.2 REFERENCES
This report provides the executive summary of the following
documents.
1. Functional Description
2. Functional Analysis SFS/TN/001
3. Security Filter Architectures SFS/TN/002
4. Phase 1 Report SFS/TR/001
5. Configuration Study SFS/TN/004
6. Security Filter Verification Methods SFS/TN/006
7. Filter Specification SFS/FS/001
8. Interface Flexibility SFS/TN/005
9. Cost Estimates SFS/TN/007
2 INTRODUCTION
2.1 BACKGROUND
A firm requirement exists for electronic information
transfer between individual ADP systems with different
levels of security classification. Currently the problem
is alleviated by manual information transfer, by ignoring
the possible security problems, or by working with
all the interconnected systems at the same high classification
level.
The conceptual function of an electronic security filter
is to enforce the security rules by guarding the classified
information and controlling the need-to-know principle.
The enforcement and control are done through monitoring
of the information transfer.
The electronic information transfer is in this study
restricted to message traffic between two ADP systems.
In the later documents, cost effective solutions are
discussed for more than two ADP system interconnections.
The filter function has in some cases been performed
by manual verification of the message traffic. However,
increasing traffic on the communication lines between
ADP systems containing classified data has resulted
in a demand for full or partial automation of
the security monitoring in order to increase capacity
and reduce time delay and cost.
2.2 OBJECTIVES
The objective of the security filter is to automate
security administration of a dedicated communication
line between two ADP systems of unequal security classification.
The function of a security filter is described in terms
of the following main requirements.
o Operational Requirements
The security filter shall fulfil the following
requirements:
- receive and compile data into a message and
prevent transmission to the receiver prior
to validation
- compare the message with predefined patterns
and validate the classification for legality
of the message
- release messages passing the validation with
a positive result, and withhold all other messages.
- log illegal messages and alert duty officer
in case of high frequency of illegal messages.
- prevent unauthorized disclosure or any modification
of messages at the security filter.
o Performance Requirements
The functions of the security filter shall be performed
under the following conditions:
- the preferred order of technology used is hardware,
firmware, and software.
- the filter operation shall be independent of,
and transparent to the ADP systems except for
minor delays.
- the filter must not degrade transmission capacity.
- the design shall accommodate certification
by an independent NATO authority.
- introduction of new predefined validation patterns
shall be facilitated.
3 SUMMARY OF THE RESULTS
The most important results of the study are:
1) Demonstration of feasibility of the Security Filter
2) Description of implementation methods which provide
the necessary basis for certification
3) Security Filter Specification
4) Multichannel Security Filters
5) Critical areas
6) Cost estimates.
A short description of the findings is given below
with references to the detailed documents.
3.1 DEMONSTRATION OF FEASIBILITY
The feasibility of the filter has been demonstrated
by establishing and discussing a conceptual design
of the Security Filter (ref. 3) as well as discussing
the Security Filter Verification Methods (ref. 6).
The idealized architecture presented in figure 3.1-1
is the result of a search for structures which in the
best possible way could support the security, taking
into account available technology and economy.
The following aspects have been of particular importance:
o The system may use non-trusted software and hardware,
provided it is surrounded by trusted "gate-keepers".
o Hardware/Firmware/Software split should be decided
only after a careful trade-off between the required
robustness versus flexibility.
o Data paths should be as restrictive (preferably
by hardware) as possible.
FIGURE 3.1-1 IDEALIZED ARCHITECTURE
The illustration shows a one way data transfer, i.e.
a simplex line.
The filter architecture is divided into four layers,
each with a conceptually clear, well defined and non-overlapping
task and with extremely simple interfaces.
Layer 1 provides the input termination function. This
includes the electrical protection, bit synchronization,
frame synchronization, serial to parallel conversion
and error detection. The layer is physically wired
to allow input function only. The interface to layer
2 is a one-way point-to-point interface, typically
eight bit wide with two control lines.
Layer 2 is a normal microprocessor system. The hardware
and software are non-trusted, but developed in a controlled
environment. Hence only non-vital functions are performed
here.
Non-vital functions could be logging, operator-aided
validation (if required), built-in test data generator,
and checker.
It should be noted that all input and output to/from
layer 2 are physically confined within areas authorized
for the clearance level of system high.
The interface to layer 3 is identical to the layer
1-2 interface, augmented with a single line reporting
back the validation result (positive/negative).
Layer 3 is the trusted, security-determining layer
which performs the automated validation of a message.
Layer 3 performs the validation by analyzing the format
and contents of the message and comparing these to the
specifications, accessible in the form of tables and
decision logic in read-only memory.
The validation results in one of two actions: Release
for transfer or not. A signal is given to layer 2 if
the validation is negative. This will cause a logging
of the message and possibly an alert to the operator.
Optionally, layer 2 may have detected a message which
cannot be (entirely) automatically validated.
Such a message will be routed to the operator terminal.
The operator terminal is a video monitor with refresh
memory. The refresh memory is updated from the multi-purpose
processor.
The physical connection to the processor is off during
the validation.
After the operator's validation of the proper field(s)
(this must be a trusted process), the message is passed
to the Gate-Keeper(2), augmented with the flag(s) indicating
the operator approval.
The Gate-Keeper then validates the remaining sets and
fields of the message before release to the output.
Layer 4 is the output layer which provides electrical
protection, parallel to serial conversion, formatting,
check pattern generation and output drive.
3.2 IMPLEMENTATION METHODS
Methods have been identified for verifying that the
Security Filter performance complies with the requirements,
in particular for verifying the security.
Methods have also been identified for assuring continuous
security over the entire life cycle and in particular
the re-verification upon corrective maintenance and
updates.
The document on Security Filter Verification Methods
(ref. 6) provides a comprehensive description of the
methods.
3.3 SECURITY FILTER SPECIFICATION
The security filter functions of validating the messages
are analysed and described in detail in the specification
document (ref. 7). The baseline for the analysis is
the ADatP-3 message format structure. The structure
is well suited for automatic validation both on security
classification and on the need-to-know principle.
The document provides a detailed specification of the
filter functions and the auxiliary functions.
Filter Functions
The filter characteristics are implemented by means
of a definition of all legal messages and their contents.
The security filter software (computer programs) shall
be so constructed that any foreseeable change in message
structure and contents can be handled without modification
of the software.
As a consequence of the definition of all legal traffic,
any message traffic deviating from the definition shall
be considered illegal and handled in accordance with
that condition.
Illegal messages shall be logged by the security filter
and may not be transmitted from the filter. In case
of frequent traffic of illegal messages (frequency
exceeding a prespecified maximum) an audible alert
shall be sounded in order to inform the security officer
of this fact.
To expand the useful scope of the security filter to
encompass lines where the traffic will contain messages
too complex for automatic validation, operator communication
facilities can be added. This will allow for human
validation of for instance free text messages. However,
message types or message contents demanding human validation
shall be defined to the filter. The display of a message
for an operator must never be triggered by the fact
that the message is considered illegal by the automatic
validation.
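The operational requirements of section 2.2 and the filter functions above can be shown in working code. The following is an added example, not code from the 1983 study or from Christian Rovsing A/S: a table-driven, default-deny message filter that compiles received data into a message, holds it until it has been validated against a table of legal messages, releases it only on a positive result, logs everything else, and alerts when illegal traffic exceeds a threshold. The classification ordering, the wire format, the field names and patterns in the table, and all sample traffic are constructed for illustration and are not taken from the study.

```python
"""Table-driven, default-deny security filter (added example, not from the
study).  Everything described by the table is legal; everything else is not."""
import re
from collections import deque

# Classification levels from low to high (constructed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# "Definition of all legal messages" held as data, not code: for each message
# type, every permitted field with a pattern the whole field must match.  A
# change in message structure is a change to this table, not to the software.
LEGAL_MESSAGES = {
    "SITREP": {"CLASS": r"UNCLASSIFIED|RESTRICTED", "FROM": r"[A-Z]{4}",
               "TO": r"[A-Z]{4}", "TEXT": r"[A-Z0-9 /.,-]{1,200}"},
    "ACK": {"CLASS": r"UNCLASSIFIED", "FROM": r"[A-Z]{4}",
            "TO": r"[A-Z]{4}", "REF": r"[0-9]{6}"},
}


def parse_message(raw):
    """Compile a received block into a field dictionary.
    Constructed wire format: one 'NAME: value' line per field, first is TYPE.
    Returns None for anything that is not well formed."""
    fields = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        fields[name.strip()] = value.strip()
    return fields


def validate(fields, receiver_level):
    """Return (True, '') for a legal message, else (False, reason)."""
    if fields is None:
        return False, "unparseable"
    spec = LEGAL_MESSAGES.get(fields.get("TYPE"))
    if spec is None:
        return False, "unknown message type"
    # Exactly the defined fields: nothing missing, nothing extra.
    if set(fields) != set(spec) | {"TYPE"}:
        return False, "field set differs from definition"
    for name, pattern in spec.items():
        if re.fullmatch(pattern, fields[name]) is None:
            return False, f"field {name} does not match pattern"
    # The table says which classifications the type may carry at all; this
    # check compares the message with what the receiving system is cleared for.
    if LEVELS[fields["CLASS"]] > LEVELS[receiver_level]:
        return False, "classification exceeds receiver level"
    return True, ""


class SecurityFilter:
    """One simplex line: a message is withheld until validated."""

    def __init__(self, receiver_level, max_illegal, window_seconds):
        self.receiver_level = receiver_level
        self.max_illegal = max_illegal  # illegal messages tolerated per window
        self.window = window_seconds
        self.log = []                   # (time, reason, raw) of withheld messages
        self.alerts = []                # times at which the duty officer was alerted
        self._recent = deque()          # timestamps of recent illegal messages

    def process(self, raw, now):
        """Validate one block received at time `now` (explicit, so the run is
        deterministic).  Returns the message to release, or None if withheld."""
        ok, reason = validate(parse_message(raw), self.receiver_level)
        if ok:
            return raw                  # positive result: release to output layer
        self.log.append((now, reason, raw))
        self._recent.append(now)
        while self._recent and now - self._recent[0] > self.window:
            self._recent.popleft()
        if len(self._recent) > self.max_illegal:
            self.alerts.append(now)     # high frequency of illegal messages
            self._recent.clear()        # one alert per burst
        return None


# Constructed sample traffic: (time in seconds, received block).  Only the
# first block is legal for an UNCLASSIFIED receiver; the others fail on
# classification, field pattern, message type and extra field respectively.
SAMPLE_TRAFFIC = [
    (0, "TYPE: SITREP\nCLASS: UNCLASSIFIED\nFROM: ALFA\nTO: BRVO\nTEXT: ALL QUIET"),
    (1, "TYPE: SITREP\nCLASS: RESTRICTED\nFROM: ALFA\nTO: BRVO\nTEXT: ALL QUIET"),
    (2, "TYPE: ACK\nCLASS: UNCLASSIFIED\nFROM: ALFA\nTO: BRVO\nREF: 12345"),
    (3, "TYPE: ORDER\nCLASS: UNCLASSIFIED\nFROM: ALFA\nTO: BRVO"),
    (4, "TYPE: ACK\nCLASS: UNCLASSIFIED\nFROM: ALFA\nTO: BRVO\nREF: 123456\nNOTE: X"),
]


def run_sample():
    """Run the sample through a filter guarding an UNCLASSIFIED receiver;
    returns the filter (with its log and alerts) and the released messages."""
    flt = SecurityFilter("UNCLASSIFIED", max_illegal=3, window_seconds=60)
    released = [flt.process(raw, t) for t, raw in SAMPLE_TRAFFIC]
    return flt, released
```

Two design points follow the text directly: the filter never consults anything but the table, so a message type nobody defined is illegal rather than unknown, and an illegal verdict only logs and counts towards the alert; it never routes the message to an operator, which the text forbids.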
Auxiliary Functions
The security filter shall be operative without any
human intervention, and it shall not be possible to modify
either software or messages on site while the filter
operates.
Hence, any authorized modification must be performed
off-line and installed afterwards on the filter site
following a prespecified procedure.
The following auxiliary functions to be performed off-line
have been identified:
o Software Production and Maintenance
The computer programs necessary to perform the
security filter functions must be analyzed, planned,
documented, coded, compiled, tested and verified.
The security filter is not designed with the peripheral
equipment necessary for those purposes, therefore
the program development tasks must be performed
utilizing other hardware.
o Definition of Legal Messages
The filter function is based on computer programs
of stable character, which use a set of legal message
descriptions to judge the legality of any message
transmitted through the filter. The definition
of legal messages may vary from time to time and
among the various security filter sites.
In connection with the installation and start of
a security filter, and in connection with authorized
subsequent modifications, a system must be present
which can convert the man-made message descriptions
into computer-legible validation information (in
the form of tables built to fulfil the structure
requirements of the security filter software).
This conversion task must be performed on a computer
distinct from the subject security filter, preferably
on the computer system referred to as the Security
Filter Support System.
o Test and Verification
Whenever modifications have been made in the set
of legal messages for a security filter site the
modified part of the validation information shall
be thoroughly tested to ensure that it is cooperating
correctly with the security filter software.
The testing shall be sufficient to render probable
beyond any reasonable doubt that the security filter
will allow only legal messages to pass.
The validation of the modified message description
will be tested through a combination of analysis
and machine testing.
3.4 MULTICHANNEL SECURITY FILTER
The study, originally limited to a connection between two
ADP systems, was extended to cover more systems. The idealised architecture
was used as the basis and a Multichannel Security Filter
(MCSF) architecture was derived. A switching function
for the MCSF is judged to be in violation of the
security requirements, and the basic architecture is
illustrated in figure 3.4-1 and figure 3.4-2.
FIGURE 3.4-1 MULTI CHANNEL SECURITY FILTER (MCSF)
FIGURE 3.4-2 MULTI CHANNEL SECURITY FILTER COMMUNICATION PATHS
The Multichannel Security Filter (MCSF) is a multi-input/multi-output
configuration where all channels share the Multi Purpose
Processor (MPP), the Gate Keepers GK and the terminal,
see figure 3.4-3.
One Line Terminator is used for each channel, each
with storage capacity for two messages in each direction.
The received message is transferred to the MPP with
high speed over the Input Bus under supervision of
the Input control.
The message is preprocessed and validated in the same
way as if it were a single channel filter.
After validation, the message is transferred to the
buffer memory of the selected Line Terminator under
supervision of the Output Control. Finally, the Line
Terminator performs the transmission of the message.
The MCSF is a modular expansion of the single channel
filter using the same basic concept, only with a few
additional components to control the data paths.
The basic security is achieved by using a cellular
structure in several levels with both hardware and
software restrictions on the capabilities, in particular
the communication capabilities across the cell boundaries.
Messages from all input lines are received and stored
independently in the Line Terminators.
FIGURE 3.4-3 DETAILED CONFIGURATION OF MCSF
The Input Control interrogates the modules cyclically.
The interrogation is acknowledged if a full message
has been received, and the message is transferred in
byte-parallel to the MPP.
Message preprocessing and validation is performed exactly
as for the single channel security filter with the
remark that input and output channel identification
must be provided together with the message when logged
or displayed on the operators terminal for operator
assisted validation.
The validated message is transferred to the Line Terminator
addressed by the Output Control. The entire message
is transferred to the memory of the Line Terminator
at high speed.
The Operator Assisted Validation is performed in parallel
with the automated validation. The entire message is
transferred to the GK for automated validation of the
remaining fields.
A replica of the message is retained in the Mag Tape
Interface of the MPP.
The buffer is erased if the message has been accepted.
Otherwise, the message is logged onto the tape before
erasure of the buffer.
3.5 CRITICAL AREAS
The study revealed the message specification and message
validation procedures to be of key importance for the
security, practical usability and lifecycle cost.
This has resulted in a particularly detailed treatment
of all these aspects and a very detailed specification
in these areas (ref. 7).
3.6 ESTIMATES OF THE COST
The cost estimates (ref. 9) are given for three different
configurations with mid-1983 prices as baseline:
a) Fully automated (no manual validation) full duplex channel: US $ 23,000 each
b) Full duplex channel with manual validation facility: US $ 33,500 each
c) Multi Channel (four channels) full duplex with manual validation facility: US $ 51,000 each
The development effort (non-recurring cost) has been
estimated at:
Hardware development 54 manmonths
Software development 70 manmonths
Total development effort 124 manmonths
4 CONCLUSION
A Security Filter is entirely a state-of-the-art product
at a reasonable cost. It is the best possible interface
between ADP systems with different security levels
and different need-to-know. The filter must be extremely
reliable, with a high degree of availability and firmware-implemented
critical logic. Filters for multiple connections
can share hardware components subject to security constraints.
Formatted messages such as ADatP-3 messages are
ideally suited for automatic security filtering.
Analysis of possible security violations must be done
physically separate from the filter, and validation
criteria changes must be done on a separate support
system.