Cross Domain Solutions
From Wikipedia, the free encyclopedia
Cross Domain Solutions (CDS) are integrated systems of hardware and software that enable transfer of information among incompatible security domains or levels of classification; in policy terms, an information assurance solution that provides the ability to manually and/or automatically access and/or transfer information between two or more differing security domains.[1] Because modern military, intelligence, and law enforcement operations critically depend on timely sharing of information, and because of the cost and forethought required for more rigorous approaches, CDS are often considered a "necessary evil". CDS is distinct from the more rigorous approaches because it supports transfer that would otherwise be precluded by established models of computer/network/data security (e.g. Bell-LaPadula and Clark-Wilson). CDS development, assessment, and deployment are based on risk management. Sharing information with CDS exposes the sharer to greater risk that its secrets may be unintentionally revealed.
Most CDS comprise specialized software applications that run in hardened "trusted" computer platforms that function as a guard between two security domains and allow only data that meets certain criteria to pass from one domain to another. Acceptance criteria for information transfer across domains may be simple (e.g. antivirus scanning before transfer from low to high security domains) or complex (e.g. multiple human reviewers must examine and approve a document before release from a high security domain). One-way data transfer systems (OWT, data diodes, DualDiode) are often used to move information from low security domains to secret enclaves while assuring that information cannot escape.
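As an added illustration (not part of the Wikipedia article) of the two ideas above, the following Python sketch models a Bell-LaPadula security lattice with the "no read up" and "no write down" properties, and a transfer policy of the kind the paragraph describes: low-to-high transfer needs only a content scan (the direction a data diode permits), while high-to-low release is precluded by MAC and is granted by the CDS only after a required number of distinct human approvals. The level names, the `Label`, `Message` and `cds_transfer_decision` names, and the `MALWARE-MARKER` scan stand-in are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Constructed ordering of hierarchical levels for this example
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_read_allowed(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return subject.dominates(obj)


def blp_write_allowed(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property: no write down."""
    return obj.dominates(subject)


def mac_transfer_allowed(source: Label, destination: Label) -> bool:
    """Under strict MAC, data flows only to a domain that dominates its source,
    which is the one direction a data diode physically permits."""
    return destination.dominates(source)


@dataclass
class Message:
    label: Label
    payload: bytes
    approvals: FrozenSet[str] = frozenset()  # reviewers who signed off on release


def cds_transfer_decision(msg: Message, destination: Label,
                          content_scan: Callable[[bytes], bool],
                          required_approvals: int = 2) -> str:
    """Decide a cross-domain transfer.

    Low-to-high: MAC already permits it, so only the simple criterion (a scan)
    applies. High-to-low: MAC forbids it; the CDS releases only when enough
    distinct human reviewers have approved, which is where risk is accepted.
    """
    if mac_transfer_allowed(msg.label, destination):
        return "allow" if content_scan(msg.payload) else "deny: scan failed"
    if len(msg.approvals) >= required_approvals:
        return "allow: released on human review"
    return "deny: insufficient approvals"


def sample_scan(payload: bytes) -> bool:
    """Stand-in for an antivirus scan: rejects a constructed marker string."""
    return b"MALWARE-MARKER" not in payload


UNCLASS = Label("UNCLASSIFIED")
SECRET = Label("SECRET")
SECRET_A = Label("SECRET", frozenset({"A"}))

if __name__ == "__main__":
    up = Message(UNCLASS, b"weather report")
    print("low -> high:", cds_transfer_decision(up, SECRET, sample_scan))
    down = Message(SECRET, b"track list", approvals=frozenset({"reviewer1"}))
    print("high -> low:", cds_transfer_decision(down, UNCLASS, sample_scan))
```

The point of keeping `mac_transfer_allowed` separate from `cds_transfer_decision` is that the first branch is what the formal model already permits; everything in the second branch is the discretionary exception the CDS introduces, and it is only as strong as the review process behind `approvals`.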
Unintended consequences
Skepticism about CDS
In previous decades, Multi-Level Security (MLS) technologies were developed and implemented that enabled objective and deterministic security, but left little wiggle room for subjective and discretionary interpretation. These enforced Mandatory Access Control (MAC) with near certainty. This rigidity prevented simpler solutions that would seem acceptable on the surface. Automated Information Systems have enabled extensive information sharing that sometimes runs counter to keeping secrets from adversaries. The need for information sharing has led to the need to depart from the rigidity of MAC in favor of balancing the need to protect with the need to share. When the ‘balance’ is decided at the discretion of users, the access control is called Discretionary Access Control (DAC). DAC is more tolerant of actions that manage risk, where MAC requires risk avoidance. Allowing users and systems to manage the risk of sharing information is in some ways contrary to the original motivation for MAC, because the unintended consequences of sharing can be extremely complex to analyze and should not necessarily be left to the discretion of users who may have a narrow focus on their own critical need. In this sense, some argue that CDS is not deterministic enough to satisfy the MAC required to protect security levels.
Increased acceptance of CDS is not embraced by some because of the acceleration of global information warfare capabilities enabled by today’s communication technology. Yet a disturbing shift in funding and research [2] has reduced emphasis on deterministic security technology that had focused on risk avoidance. A shift of responsibility for certification and accreditation from agencies without a conflict of interest to agencies responsible for both security and cost does not help reduce receptiveness to more subjective flexibility. This shift is partly due to the high expected cost of deterministic mechanisms and partly due to reduced awareness of how to cost-effectively implement these technologies. Those familiar with high-strength technologies (which are sometimes less costly, by the way) are more apt to be skeptical about the subversion resistance of less formal CDS. The assumption that there is no cost-effective way to provide strong MAC protection often leads to the use of ‘best-effort’ alternatives. The difference in risk levels between the near certainty with which MAC can be imposed and the managed-risk view of less formal CDS is a matter of degree, but the degree is viewed by some to be extreme. For cases where access controls are clearly mandatory, formal methods are appropriate. Risk management differs from risk avoidance in mindset. CDS approaches security enforcement as not quite as mandatory as risk avoidance, accepting more discretion about security enforcement (in some cases the discretion is left up to an automated system). This amounts to acceptance of DAC approaches where only MAC protections had been considered.
The need for CDS
The need for CDS often arises out of the need to share information that was previously mixed with sensitive information upstream. This happens when a decision is made not to trust the upstream system, usually because trust costs money. A system high system is less costly because it is not built with the strength to contribute to the protection of secrets. When the upstream system is system high, the assumption is made that information it contains will be treated as classified at the highest level, and therefore cannot be downgraded except by reliable human review. Instead of revisiting the system high decision upstream, CDS seeks to reverse this decision downstream, at considerable risk. However, a downstream CDS spans the same multiple levels that the upstream MLS system would have spanned, and therefore the MLS avoided upstream recurs at the CDS. In that context, CDS does not avoid costly MLS; it actually is MLS, but without the safety, and sometimes at higher implementation cost.
Balancing security with information sharing
Uninformed decisions can be based on assumptions about the way systems are supposed to behave without understanding or acknowledging how they can misbehave. For example, let’s say Joe’s location is not ‘really’ secret; it is just stored in a secret system high computer. If Joe’s location is disclosed as unclassified, he can be rescued. There is no intent to disclose anyone’s information except Joe’s. But we don’t know who will need rescue in advance. To disclose Joe’s location, we need to put a path in place to disclose anyone’s location. There is no intent for everyone’s location to go to the enemy, but now the path exists, and the mechanism that prevents it cannot protect itself from corruption. So in a shortsighted decision to rescue Joe the easy way, we may unknowingly be forfeiting the lives of many others, maybe even unnecessarily. CDS claims a lower-cost alternative to disclose ‘specific’ information, avoiding the need to originate location information in a multilevel database. A risk assessment is often offered that ‘formally’ assesses the risk of subversion based on a subjective assessment of insider attacks and program flaws. The actual risk cannot be objectively determined.
A Fundamental Flaw in Some CDS
Some CDS amount to an ad hoc approach to provide a quick fix for security problems, to just 'git 'er done!' The kind of CDS that allows information that would be unclassified if it were not contaminated by being trapped in a SECRET system high machine to be shared with other unclassified users sounds sensible, but illustrates why real security requires formal methods. The subject CDS approaches use a so-called 'trusted guard' to make the determination by examining the content of the bypass object. The guard algorithm relies on some feature of the bypass object, such as the format of the data, and verifies that specified fields contain specific values. The fallacy is that the feature relied on was produced by a system high source, defined as not trustworthy to preserve the integrity of the feature. The term system high means the source is not trustworthy to contribute anything to preventing disclosure of classified information, yet the guard depends completely on it. The loophole is that the guard and the source are two different systems, each separately approved under conflicting assumptions. Formal methods would reveal that there can be no secure cross domain solution for this case, because no algorithm can be defined that can examine the contents of a file and reliably determine that it can be downgraded. In fact, it would take an omniscient human to make a reliable determination. Yet many of our most critical national secrets are protected by these leaking CDSs. Certifiers should not be duped into issuing Approval To Operate for these systems as 'acceptable risk' or 'the best we can do' unless the risk can be quantified and experienced COMPUSEC experts can independently verify that no system-of-systems level solution can be used. It is also noteworthy that an engineered secure solution can sometimes be much less expensive than a CDS.
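The following Python sketch is an added illustration of the dependency the section describes; it is not code from the article or from any real guard product. It models a field-checking guard that parses a fixed record layout emitted by a system-high source and releases a record only when the format is valid and the classification field says UNCLASSIFIED. It then audits the guard against ground truth the guard cannot see, showing that the set of records the guard leaks is exactly the set the source mislabeled: the format check adds nothing to the downgrade decision itself. The record layout, the track identifiers and coordinates, and the function names are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed record layout for this example: CLASS|TRACK_ID|LAT|LON
RECORD_RE = re.compile(
    r"^(?P<cls>UNCLASSIFIED|SECRET)\|(?P<track>T\d{4})\|"
    r"(?P<lat>-?\d{1,2}\.\d{2})\|(?P<lon>-?\d{1,3}\.\d{2})$"
)


def parse_record(record: str) -> Optional[Dict[str, str]]:
    """Format check: the guard's only independent evidence is that the record
    has the expected shape. Returns the fields, or None for malformed input."""
    m = RECORD_RE.match(record)
    return m.groupdict() if m else None


def guard_release(record: str) -> bool:
    """Guard decision: well-formed AND the class field written by the
    system-high source says UNCLASSIFIED. Nothing about the coordinates
    themselves enters the decision; the label is taken on trust."""
    fields = parse_record(record)
    return fields is not None and fields["cls"] == "UNCLASSIFIED"


def guard_leaks(records: List[str], truly_sensitive: Set[str]) -> Set[str]:
    """Track ids the guard released although an omniscient reviewer would
    have called them sensitive. 'truly_sensitive' is ground truth that no
    algorithm over the record contents can derive."""
    leaks: Set[str] = set()
    for rec in records:
        fields = parse_record(rec)
        if fields and guard_release(rec) and fields["track"] in truly_sensitive:
            leaks.add(fields["track"])
    return leaks


def source_mislabels(records: List[str], truly_sensitive: Set[str]) -> Set[str]:
    """Track ids the system-high source marked UNCLASSIFIED although they are
    sensitive, i.e. the source's own labeling errors."""
    bad: Set[str] = set()
    for rec in records:
        fields = parse_record(rec)
        if fields and fields["cls"] == "UNCLASSIFIED" and fields["track"] in truly_sensitive:
            bad.add(fields["track"])
    return bad


# Constructed sample: what the system-high source emits, plus the ground
# truth that the guard has no way to observe.
SAMPLE_RECORDS = [
    "UNCLASSIFIED|T0001|34.05|-118.24",  # correctly labeled, released
    "SECRET|T0002|48.85|2.35",           # correctly labeled, withheld
    "UNCLASSIFIED|T0003|51.50|-0.12",    # sensitive, but source wrote UNCLASSIFIED
    "garbage line from upstream",        # malformed: rejected on format alone
]
TRULY_SENSITIVE = {"T0002", "T0003"}

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict = "release" if guard_release(rec) else "withhold"
        print(f"{rec!r:40} -> {verdict}")
    print("leaked by guard:      ", guard_leaks(SAMPLE_RECORDS, TRULY_SENSITIVE))
    print("mislabeled by source: ", source_mislabels(SAMPLE_RECORDS, TRULY_SENSITIVE))
```

Run against the constructed sample, `guard_leaks` and `source_mislabels` return the same set. That equality is the section's argument in executable form: the guard's correctness on the downgrade question is bounded above by the labeling integrity of the system-high source, which by definition was never accredited to provide it. The only thing the guard contributes on its own is rejection of malformed input.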
References
1. CJCSI 6211.02b, Defense Information System Network (DISN): Policy, Responsibilities and Processes.