Multi-Level Secure One Way Guard with Random Acknowledgment


Status

Draft

Note

We recommend Computer System Security--An Overview as prerequisite reading for this technology description.

Purpose and Origin

Multi-level secure (MLS) systems are composed of low systems and high systems. A low system may transmit data to a high system, but a high system may not transmit data to a low system. That flow is called a write down, and multi-level security models forbid it, even for something as small as an acknowledgment (ACK) of data received from the low system. The rule exists because any high-to-low flow, including the timing of an ACK, can be modulated by the high system into a covert channel. Yet if data integrity and reliable communication are required, messages must be acknowledged. An MLS one way guard with random ACK is a form of information flow control, embedded in operational systems, that provides a means of acknowledging data without providing a covert path. The technology was first developed (theoretically) in 1993 as an interface between one source and one destination. In 1995 the concept was expanded to address a network with several low source systems and high destination systems [IEEE 95].

Technical Detail

This technology employs a one way guard that buffers a message from a low system and passes it on to the high system. When the high system ACKs the message, the one way guard holds the ACK for a bounded, random length of time before passing it to the low system. Because the hold time is chosen by the guard, the high system no longer controls when the ACK reaches the low system; the covert timing channel that ACK timing would otherwise provide is reduced to a small residual capacity, which depends on the bound and on the delay distribution and which covert channel analysis must show to be acceptable. The algorithm that determines the length of the delay considers the effect on throughput of delaying multiple sources of data for each destination and the combined throughput to the destination, so it becomes more complex as more sources and destinations are considered. There will be a small negative performance influence on individual messages that could require upgraded interfaces if they are close to capacity. A benefit of this technology is that it allows reliable transmission over an MLS network: a message that is not ACKed is recognized as not received and can be retransmitted by the sending system.

Usage Considerations

Sending processes using this technology must account for the maximum possible delay of an ACK (link latencies plus the high system's response time plus the guard's maximum hold time) before retransmitting a message; a timeout shorter than that produces spurious retransmissions. Increased buffer space must be provided in the one way guard to hold messages until they can be ACKed. The time and the buffer space required are functions of the number of sources and destinations involved and of the size and rate of messages. Used in a network of mixed security systems, the technology yields delivery with no lost messages and no duplicate messages, provided messages carry sequence numbers so that a retransmission whose original was delivered but whose ACK was lost can be recognized and discarded.

Maturity

This technology is new but is an incremental development of one way security guards, which have been in use since the 1960s. It has been modeled and prototyped but has not been used in an operational system.

Costs and Limitations

Using this technology requires knowledge of security architectures, of covert timing channels and the means to eliminate them, and of Designated Approving Authority (DAA) requirements for assurance.[1]

Dependencies

Successful use of this technology in a system requires that the nodes employ a stop-and-wait ACK protocol, in which a node sends its next message only after the previously transmitted message has been ACKed.
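The mechanism described under Technical Detail, the timeout sizing from Usage Considerations and the stop-and-wait dependency above, as an added simulation (not code from this page or from the 1993/1995 designs it summarizes). Everything in it is assumed for illustration: the single-source form, a guard hold time drawn uniformly from [0, MAX_GUARD_DELAY], the link latencies, the loss rates and the constructed traffic. It shows reliable, duplicate-free delivery over lossy links with a timeout that covers the worst-case ACK delay, and a high system that tries to leak one bit per message by varying its ACK timing: the low side decodes that signal perfectly without the random hold, but only at roughly a 30% bit error rate with it, which is why the channel is better described as throttled than destroyed.

```python
"""Simulation of a one way guard that returns ACKs after a bounded random hold.
Added illustration, not code from the SEI page or the designs it summarizes.
Class names, the uniform hold distribution, latencies, loss rates and traffic
are constructed assumptions; only the single-source form is modeled."""
import random

# Constructed timing parameters (arbitrary time units).
LINK_LATENCY = 1.0          # per hop: low->guard, guard->high, high->guard, guard->low
MAX_GUARD_DELAY = 10.0      # upper bound on the guard's random ACK hold time
HONEST_HIGH_PROCESSING = 0.5
MAX_HIGH_PROCESSING = 5.0   # slowest ACK the low side is prepared to wait for
# Sender timeout must exceed the worst-case round trip (Usage Considerations).
TIMEOUT = 4 * LINK_LATENCY + MAX_HIGH_PROCESSING + MAX_GUARD_DELAY + 0.1


class Guard:
    """One way guard: buffers low->high data until ACKed, then releases the ACK
    toward low after a hold time chosen by the guard, not by the high system."""

    def __init__(self, rng, randomize=True):
        self.rng, self.randomize = rng, randomize
        self.pending = {}  # seq -> payload held until its ACK is released

    def forward(self, seq, payload):
        self.pending[seq] = payload

    def release_ack(self, seq):
        self.pending.pop(seq, None)
        return self.rng.uniform(0.0, MAX_GUARD_DELAY) if self.randomize else 0.0


class HighSystem:
    """Receiver that discards duplicates by sequence number. With leak_bits set
    it is malicious: it modulates ACK timing to signal one bit per message."""

    def __init__(self, leak_bits=None):
        self.received, self.seen, self.duplicates = [], set(), 0
        self.leak_bits = leak_bits

    def receive(self, seq, payload):
        if seq in self.seen:
            self.duplicates += 1  # retransmission of an already delivered message
        else:
            self.seen.add(seq)
            self.received.append(payload)
        signal = 4.0 * self.leak_bits[seq] if self.leak_bits else 0.0
        return HONEST_HIGH_PROCESSING + signal  # time until this node sends its ACK


def run_stop_and_wait(messages, guard, high, rng, loss=0.0, ack_loss=0.0):
    """Low-side stop-and-wait sender: one message in flight, resend on timeout.
    Returns observed ACK round-trip times, retransmission count, elapsed time."""
    rtts, retransmissions, elapsed = [], 0, 0.0
    for seq, payload in enumerate(messages):
        while True:
            if rng.random() < loss:  # message lost on the low->guard link
                retransmissions, elapsed = retransmissions + 1, elapsed + TIMEOUT
                continue
            guard.forward(seq, payload)
            high_delay = high.receive(seq, payload)
            hold = guard.release_ack(seq)
            if rng.random() < ack_loss:  # ACK lost on the guard->low link
                retransmissions, elapsed = retransmissions + 1, elapsed + TIMEOUT
                continue  # high will see this seq again and discard the duplicate
            rtt = 4 * LINK_LATENCY + high_delay + hold
            if rtt > TIMEOUT:
                raise RuntimeError("timeout shorter than worst-case ACK delay")
            rtts.append(rtt)
            elapsed += rtt
            break
    return rtts, retransmissions, elapsed


def reliability_demo(seed=1, n=50):
    """Lossy links, honest high side: every message arrives exactly once, in order."""
    rng = random.Random(seed)
    messages = [f"msg-{i}" for i in range(n)]  # constructed traffic
    high = HighSystem()
    rtts, retx, elapsed = run_stop_and_wait(messages, Guard(rng), high, rng,
                                            loss=0.2, ack_loss=0.2)
    return {"delivered_in_order": high.received == messages, "retransmissions": retx,
            "duplicates_discarded": high.duplicates, "max_rtt": max(rtts),
            "elapsed": elapsed}


def covert_channel_demo(randomize, seed=1, n=400):
    """Malicious high side leaks a bit per message via ACK timing; low decodes by
    thresholding the round-trip time. Returns the low side's bit error rate."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n)]  # constructed secret to leak
    high = HighSystem(leak_bits=bits)
    rtts, _, _ = run_stop_and_wait([f"m{i}" for i in range(n)],
                                   Guard(rng, randomize), high, rng)
    threshold = (min(rtts) + max(rtts)) / 2
    decoded = [1 if rtt >= threshold else 0 for rtt in rtts]
    return sum(d != b for d, b in zip(decoded, bits)) / n


if __name__ == "__main__":
    print(reliability_demo())
    print("bit error rate without random hold:", covert_channel_demo(False))
    print("bit error rate with random hold:   ", covert_channel_demo(True))
```

Run it with python3. The elapsed time in the reliability result grows with the hold time, which is the performance cost noted under Technical Detail; with N stop-and-wait sources the guard's pending table holds up to N unacknowledged messages, the buffer sizing Usage Considerations refers to. Lowering MAX_GUARD_DELAY below the attacker's 4-unit signal lets the decoder succeed again, which is the trade-off between throughput and residual channel capacity that the delay algorithm has to settle.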

Alternatives

Other approaches to transferring data through a one way guard with improved reliability involve transmitting each message several times without acknowledging receipt, or manual accounting of messages with manual requests for retransmission. These alternatives lead to increased traffic over the network because of duplicate messages, or to increased operator interaction.

Complementary Technologies

A complementary technology is covert channel analysis in MLS systems.

Index Categories

This technology is classified under the following categories. Select a category for a list of related topics.

Name of technology

Multi-Level Secure One Way Guard with Random Acknowledgment

Application category

System Security (AP.2.4.3)

Quality measures category

Vulnerability (QM.2.1.4.1)
Security (QM.2.1.5)

Computing reviews category

Computer-Communications Networks Security and Protection (C.2.0)
Security and Protection (K.6.5)

References and Information Sources

[IEEE 95] Proceedings of the 1995 IEEE Symposium on Security and Privacy. Oakland, CA, May 8-10, 1995. Los Alamitos, CA: IEEE Computer Society Press, 1995.

Modifications

10 Jan 97 (original)

Footnotes

[1] The DAA is the security official with the authority to declare that a system is secure and may be used.



The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

Copyright 2007 by Carnegie Mellon University
Terms of Use
URL: http://www.sei.cmu.edu/str/descriptions/mlsone_body.html
Last Modified: 11 January 2007