CISR

Center of Academic Excellence


Required Components for Secure Computing (RCSC) Project
The purpose of the Required Components for Secure Computing (RCSC) project is to investigate the minimal set of specialized components (e.g., those that must be evaluated against high-assurance requirements) necessary to construct a secure system.

Project Goals
This work will investigate techniques to define the minimal set of trustworthy elements required to construct a secure system. In support of this goal, the project seeks to equip system designers with a set of techniques, metrics, and methodologies for reasoning about and evaluating secure system designs. More than a set of design principles, these techniques should allow designers to make informed, defensible choices during design, providing guidance far earlier in system development than certification does. For example, we hope to help resolve questions such as: given two designs, which scales better, in terms of handling more users or handling data at more classification levels? If a system is suddenly required to be more trustworthy (i.e., to handle more sensitive data than was originally intended), how must the design change? Given some essential functionality, can it be divided so that the parts with no high-assurance requirements are implemented separately and spared from high-assurance evaluation?

We anticipate exploring a set of design trade-offs in which the goal of minimizing a system's high-assurance parts is related to other (fundamental and derived) system attributes, such as:

The research approach for RCSC is to focus on systems evaluated to protect and handle highly valued data, maintaining the separation of that data into several domains, where communication between domains is controlled through explicit channels in accordance with some policy. Our investigation will not seek to create new economic frameworks for system certification, nor will it seek to invent design methodologies that fail to connect with current high-assurance evaluation metrics. In particular, we are interested in frameworks for reasoning about designs for multilevel secure (MLS) systems capable of meeting their security requirements according to reasonable evaluation criteria.
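To make the design questions posed under Project Goals concrete (which parts of a divided function can escape high-assurance evaluation, and how two candidate designs compare), here is a small model of the domain-separation architecture described above: labelled domains, explicit mediated channels, and a policy that decides which flows are permitted. This is an added illustration, not code or a method from the RCSC project or NPS. The linear level lattice, the rule that the separation mechanism and every cross-domain channel mediator are high-assurance while single-domain components are not, the two sample e-mail designs, and their kLOC figures are all assumptions made for the example.

```python
"""Toy model of an MLS design: data lives in labelled domains and crosses
between them only through explicitly declared, mediated channels.  The model
then asks which components must be high-assurance.
Added illustration; not the RCSC project's code or method.  The level
lattice, the trust rule and the sample designs (with sizes) are assumed."""
from dataclasses import dataclass, field

# Assumed linear lattice: a higher number dominates a lower one.
LEVELS = {"U": 0, "S": 1, "TS": 2}


def dominates(high: str, low: str) -> bool:
    """True when level `high` is at least `low` (data may flow low -> high)."""
    return LEVELS[high] >= LEVELS[low]


@dataclass(frozen=True)
class Channel:
    src: str       # domain the data leaves
    dst: str       # domain the data enters
    mediator: str  # component that implements and polices this channel


@dataclass
class Design:
    name: str
    separator: str   # mechanism isolating the domains (kernel, VMM, secure server)
    domains: dict    # domain name -> level
    placement: dict  # single-domain component -> domain it is confined to
    size: dict       # component -> assumed size in kLOC (constructed numbers)
    channels: list = field(default_factory=list)


def well_formedness_problems(d: Design) -> list:
    """Structural checks a designer wants before computing any metric."""
    problems = []
    for comp, dom in d.placement.items():
        if dom not in d.domains:
            problems.append(f"{comp}: confined to undeclared domain {dom}")
    for ch in d.channels:
        if ch.src not in d.domains or ch.dst not in d.domains:
            problems.append(f"{ch.mediator}: channel references undeclared domain")
        if ch.mediator in d.placement:
            problems.append(f"{ch.mediator}: a mediator bridging domains cannot be confined to one")
    for comp in set(d.placement) | {d.separator} | {c.mediator for c in d.channels}:
        if comp not in d.size:
            problems.append(f"{comp}: no size recorded")
    return problems


def downgrade_channels(d: Design) -> list:
    """Channels the lattice forbids (flow from a higher to a lower level):
    their mediators enforce a policy exception, not just separation."""
    return [ch for ch in d.channels if not dominates(d.domains[ch.dst], d.domains[ch.src])]


def high_assurance_set(d: Design) -> set:
    """Components whose failure could breach separation: the separator and
    every channel mediator.  Single-domain components are excluded because
    the separator confines whatever they do to one label (assumed rule)."""
    return {d.separator} | {ch.mediator for ch in d.channels}


def evaluated_kloc(d: Design) -> float:
    """Assumed metric: amount of code that must undergo high-assurance evaluation."""
    return sum(d.size[c] for c in high_assurance_set(d))


def sample_designs():
    """Two constructed designs for the same function: e-mail between an
    unclassified network and a SECRET enclave."""
    domains = {"U_net": "U", "S_enclave": "S"}
    monolithic = Design(
        name="monolithic", separator="separation_kernel", domains=domains,
        placement={},
        size={"separation_kernel": 20, "mail_system": 60},
        channels=[Channel("S_enclave", "U_net", "mail_system"),
                  Channel("U_net", "S_enclave", "mail_system")])
    split = Design(
        name="split", separator="separation_kernel", domains=domains,
        placement={"mail_client_S": "S_enclave", "mail_client_U": "U_net"},
        size={"separation_kernel": 20, "mail_client_S": 28, "mail_client_U": 28,
              "release_guard": 3, "inbound_pump": 1},
        channels=[Channel("S_enclave", "U_net", "release_guard"),
                  Channel("U_net", "S_enclave", "inbound_pump")])
    return monolithic, split


def compare(designs) -> dict:
    """Per-design summary a designer could defend: what is trusted, how big
    it is, and how many policy exceptions (downgrades) it implements."""
    return {d.name: {"high_assurance": sorted(high_assurance_set(d)),
                     "evaluated_kloc": evaluated_kloc(d),
                     "downgrades": len(downgrade_channels(d))}
            for d in designs}


if __name__ == "__main__":
    for d in sample_designs():
        assert not well_formedness_problems(d), well_formedness_problems(d)
    for name, summary in compare(sample_designs()).items():
        print(name, summary)
```

Running the block prints one summary per design. The monolithic design evaluates 80 kLOC because the whole mail system mediates both channels, while the split design confines each mail client to a single domain and evaluates only 24 kLOC (kernel, release guard, inbound pump). Same function, same number of downgrades, much smaller evaluated set; that is the kind of defensible comparison the project aims to support. The well-formedness check also rejects a mediator that has been placed inside one domain, since such a component cannot actually be bridging two.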

We will base the investigation of required components for secure computing on the analysis of several systems, shown in Table 1, including some established secure systems and some hypothetical or emerging systems. Looking at emerging systems will provide up-to-date information about the systems and components that can be built today and tomorrow, whereas the analysis of established systems is intended to supply a “blind” check on the results of the analysis, supported by the extensive literature compiled about the security of those systems over the years.

Table 1. System Types

Name | Type | Description
Seaview | Established | A research platform for an MLS relational database, which later provided the template for several commercial systems
Multics | Established | A commercial-grade OS that was the focus of much of the early computer security research at MIT
MLS LAN | Established | An MLS LAN based on a central (and replicable) secure server, featuring commercial workstations and applications
Tactical Device | Hypothetical | A mobile computing and communications device (e.g., hand-held)
Partitioned Workstation | Hypothetical | A secure VMM-based computer
Enterprise Services | Hypothetical | An enterprise-scale cloud-based system for outsourcing computational resources from (e.g.) an enterprise to one or more remote locations


Research Plan

The major components of the research will be performed in phases, as shown in Table 2. While the first three phases will be performed for each system, we will use one of the systems as a stalking horse to work through major parts of the process ahead of the other systems. This will allow us to at least partially fine-tune the process before tackling the rest of the systems.

Table 2. Work Plan Phases

Phase | Activity | Description
1 | System Definitions | Define the systems in terms of their attributes, usage scenarios, security policy, and threats
2 | System Architectures | Define the components and the allocation of policy to them. Describe options and choices.
3 | Decision Metrics | Define methods and metrics for the analysis of architectural options
4 | Comparison Methods | Develop techniques and methods for comparing systems and architectures
5 | Comparison Analytics | Apply the techniques to the analysis of the systems, extracting conclusions and recommendations about the minimal components required for secure computing


NPS Research Team