The MILS Component Integration Approach to Secure Information Sharing
Carolyn Boettcher, Raytheon, El Segundo CA,
Rance DeLong, LynuxWorks, San Jose CA,
John Rushby, SRI International, Menlo Park CA, and
Wilmar Sifre, AFRL/RITB, Rome NY
Presented at the 27th IEEE/AIAA Digital Avionics Systems
Conference (DASC), St. Paul MN, October 2008.
Recipient of "Best in Session," "Best in Track"
and "Best in Conference"
The US military has a vision of information superiority that requires
secure and timely sharing of information between geographically
separated platforms and users. Often, however, the producers and
consumers of information, as well as the information itself, reside in
different security domains, necessitating some form of Cross Domain
Solution. A COTS marketplace of modular, high-assurance components
with composable security properties would not only make this vision of
cross-domain information sharing achievable, but could also help to
make it much more affordable than is currently feasible. As part of
the Air Force's Multiple Independent Levels of Security/Safety
initiative, AFRL's multi-year High Assurance Middleware for Embedded
Systems (HAMES) program is conducting research in integrating trusted
components in such a way that the security properties of the system
can be predicted.
MILS is characterized by a two-level approach to secure system design.
At the policy level, a decomposition to a virtual architecture is
performed while identifying the trusted components, the local policies
and the communications channels. This is done in a way that minimizes
complexity of trusted components and their policies. At the resource
sharing level, implementation of components is considered, which
includes the allocation of components to shared physical resources.
MILS provides an implementation technology that enables virtual
components of various types, and their intercommunication channels, to
share physical resources without compromising the integrity of the
Security is seldom identified with a single, simple policy; the
two-level approach of MILS was introduced as a rational way to
organize the multiple cooperating components and sub-policies that
realize a complete secure system. A MILS system needs to provide
assurance that this design and implementation strategy and, in
particular, the separate sub-policies of its components and the
resource-sharing properties of its physical subsystems, compose to
guarantee the security policy required of the overall system. This
paper will describe the progress made so far in our research and some
of the remaining challenges.
Having trouble reading our papers?
Return to John Rushby's bibliography page
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page