Author :
Boettcher, Carolyn ; DeLong, Rance ; Rushby, John ; Sifre, Wilmar
Abstract :
To achieve the vision of information superiority, secure and timely sharing of information is needed between geographically separated platforms and users. However, the producers and consumers of the information, as well as the information itself, are often separated in different security domains. A COTS marketplace of composable, high assurance components would not only make the vision of cross-domain information sharing achievable, but could also help to make it much more affordable than is currently possible. As part of the Multiple Independent Levels of Security/Safety (MILS) initiative, AFRL's multi-year High Assurance Middleware for Embedded Systems (HAMES) program is conducting research in integrating trusted components in such a way that the security properties of the system can be predicted. MILS is characterized by a two-level approach to secure system design. At the policy level, a decomposition to a virtual architecture is performed while identifying the trusted components, the local policies and the communications channels. This is done in a way that minimizes the complexity of trusted components and their policies. At the resource sharing level, implementation of components is considered, which includes the allocation of components to shared physical resources. MILS provides an implementation technology that enables virtual components of various types, and their intercommunication channels, to share physical resources without compromising the integrity of the policy level. Security is seldom identified with a single, simple policy; the two-level approach of MILS was introduced as a rational way to organize the multiple cooperating components and sub-policies that realize a complete secure system.
A MILS system needs to provide assurance that this design and implementation strategy and, in particular, the separate sub-policies of its components and the resource-sharing properties of its physical subsystems, compose to guarantee the security policy required of the overall system. This paper will describe the progress made so far in our research and some of the remaining challenges.