From Surf Wiki (app.surf) — the open knowledge base
Multiple Independent Levels of Security
Computer security architecture
Multiple Independent Levels of Security/Safety (MILS) is a high-assurance security architecture based on the concepts of separation [Proc. 8th ACM Symposium on Operating System Principles]
Overview
A MILS solution allows for independent evaluation of security components and trusted composition. [https://web.archive.org/web/20121203172008/http://www.crosstalkonline.org/storage/issue-archives/2005/200510/200510-Harrison.pdf, archived 2012-12-03]
A MILS system employs one or more separation mechanisms (e.g., Separation kernel, Partitioning Communication System, physical separation) to maintain assured data and process separation. A MILS system supports enforcement of one or more application/system specific security policies by authorizing information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, crypto devices, etc.).
NEAT
Properties:
- Non-bypassable: a component cannot use another communication path, including lower-level mechanisms, to bypass the security monitor.
- Evaluatable: any trusted component can be evaluated to the level of assurance required of that component. This means the components are modular, well designed, well specified, well implemented, small, low complexity, etc.
- Always-invoked: each and every access/message is checked by the appropriate security monitors (i.e., a security monitor will not just check on a first access and then pass all subsequent accesses/messages through).
- Tamperproof: the system controls "modify" rights to the security monitor code, configuration and data, preventing unauthorized changes.
A convenient acronym for these characteristics is NEAT.
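As an added illustration (not part of the original article and not any MILS product's code), the following Python example audits a statically configured channel list against the information-flow rule and the non-bypassable property described above. The component, domain and channel names are constructed for the example, and security monitors are assumed to enforce policy on every flow they carry.

```python
from collections import deque

# Constructed sample configuration; all names are hypothetical.
DOMAIN = {"sensor": "secret", "logger": "secret",
          "radio": "unclass", "display": "unclass"}
MONITORS = {"downgrader"}   # trusted security monitors (e.g., a downgrader)
CHANNELS = {                # directed channels granted by the separation mechanism
    ("sensor", "logger"), ("sensor", "downgrader"),
    ("downgrader", "radio"), ("radio", "display"),
}

def flow_violations(domain, monitors, channels):
    """Channels that join two different domains with no monitor at either end."""
    return sorted((s, d) for s, d in channels
                  if s not in monitors and d not in monitors
                  and domain[s] != domain[d])

def bypass_paths(domain, monitors, channels):
    """(src, dst) pairs in different domains linked by a monitor-free path."""
    succ = {}
    for s, d in channels:
        if s not in monitors and d not in monitors:  # remove monitors from graph
            succ.setdefault(s, set()).add(d)
    found = set()
    for start in domain:
        seen, queue = {start}, deque([start])
        while queue:                                 # breadth-first search
            for nxt in succ.get(queue.popleft(), ()):
                if nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(nxt)
                if domain[nxt] != domain[start]:
                    found.add((start, nxt))
    return sorted(found)

if __name__ == "__main__":
    print("as configured:", flow_violations(DOMAIN, MONITORS, CHANNELS))
    bad = CHANNELS | {("logger", "radio")}           # one misconfigured channel
    print("direct violation:", flow_violations(DOMAIN, MONITORS, bad))
    print("exposed pairs:", bypass_paths(DOMAIN, MONITORS, bad))
```

In the constructed data, adding the single channel from logger to radio produces one direct violation but exposes four source/destination pairs, which is why the audit reports reachability as well as the offending channel.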
Trustworthiness
'Trustworthy' means that the component has been certified to satisfy well-defined security policies to a level of assurance commensurate with the level of risk for that component (e.g., we can have single-level access control guards evaluated at CC EAL4; separation mechanisms evaluated at High Robustness; two-level separation guards at EAL5; and TYPE I crypto all in the same MILS system).
'Untrusted' means that we have no confidence that the system meets its specification with respect to the security policy.
Companies
The following companies have MILS separation kernel products:
- Green Hills Software
- LynuxWorks
- SYSGO
- Wind River Systems
- Bertin Technologies
- OK Labs
Companies with other separation methods creating MILS products:
- Thales
MILS Research and Technology
The MILS Community
- The MILS Community (https://mils.community/) is a global, open-membership, not-for-profit competence network on MILS architecture and technologies.
Research Projects
- EURO-MILS: Secure European Virtualisation for Trustworthy Applications in Critical Domains https://zenodo.org/record/61251
- D-MILS: Distributed MILS for dependable information and communication infrastructures http://www.d-mils.org/.
- certMILS: Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats https://certmils.eu/
References
- Rushby, J., 2008. Separation and integration in MILS (The MILS constitution). Technical Report SRI-CSL-08-XX, SRI International.
This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page.