Posted on 18-Mar-2020
Enabling the Mission with Information Assurance
Presented to: NAIS, October 2019
Right Information
• Authentic
• Not malicious: Known Good vs Known Bad
Right Recipient
• Coalition partners
• Dynamic
Right Time
• Value expiration
• Latency vs Throughput vs Cost
Who is Tresys/Owl? We are a leader and trusted partner in cybersecurity. Our solutions are vital to helping defense, intelligence, and critical infrastructure customers meet ever-evolving cybersecurity threats.
What we do: From network and perimeter defense to product security analysis to the practical application of SELinux, we deliver solutions that protect and connect the world's most critical networks.
Information Exchange Gateway
What: Information sharing
Why: Coordination between stakeholders
Where/When/Who: Adaptability
How: Depends on data
IEG Categories
Uni-directional: Diode
• Usually UDP based, proxies for bi-directional protocols
• Minimal filtering, requirements increasing
• Hardware separation: Optical cards, FPGA
• Example: Owl Diode Cards, BAE, XD Guardian, etc.
Bi-Directional
• TCP/UDP – protocol break required
• Filtering critical
• HW separation optional
• Example: XD Guardian, Owl OCDS-1000, etc.
Filtering
Structured Data
• Normalize & validate
• Example: Link 16/STANAG 5516, VMF
• Threats: Data hidden within correct structure or outside allowed structure
• Mitigation: Normalize to XML → XML filters → Unparse
• Tools: DFDL, XML schema validation, XSLT, XPROC, etc.
Linear Pipeline (diagram)
External Data → Protocol Adaptor (PA) → filter stages (labelled DFDL, XSD, XSLT, None, TBD) → Sender → HW enforced one-way transfer → Receiver → filter stages (labelled DFDL, XSD, Schematron, None, TBD) → Protocol Adaptor (PA) → Internal Data
Each side emits Syslog and Heartbeat and Status to a Status Monitor, and each side has an ACK Filter.
Protocol Adaptors
• JREAP-C (Link 16)
• USMTF
• VMF
DFDL Lifecycle (diagram)
Data: rLimit=5;rpngx=-7.1E8
→ DFDL Implementation, Parse (driven by the DFDL Schema) →
Infoset:
  Element Name: rValues
    Element Name: rLimit, Value: 5, Type: Int
    Element Name: rpngx, Value: -7.1E8, Type: Double
→ DFDL Implementation, Unparse (driven by the same DFDL Schema) → Data
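The Structured Data slide (normalize to XML, filter on the XML, unparse) and the DFDL lifecycle above, as an added example that is not part of the deck and not Tresys/Owl or DFDL code: a small parse → XML infoset → filter → unparse round trip for the rLimit/rpngx record. The schema, the name=value wire format and the range policy are constructed stand-ins; the point is that the output is regenerated from typed values, so bytes outside or hidden inside the structure never pass through.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a DFDL schema: an ordered sequence of name=value fields separated by ';'
# with a typed element for each field, mirroring the rValues/rLimit/rpngx infoset on the slide.
SCHEMA = {"root": "rValues", "sep": ";", "fields": [("rLimit", int), ("rpngx", float)]}
FIELD_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=([-+]?\d+(?:\.\d+)?(?:[Ee][-+]?\d+)?)")
BOUNDS = {"rLimit": (0, 100)}   # constructed XML-filter policy: allowed numeric range per element

def parse(data, schema=SCHEMA):
    """Parse raw data into an XML infoset; anything not described by the schema is a parse error."""
    fields = data.split(schema["sep"])
    if len(fields) != len(schema["fields"]):
        raise ValueError("field count does not match schema")
    root = ET.Element(schema["root"])
    for raw, (name, kind) in zip(fields, schema["fields"]):
        m = FIELD_RE.fullmatch(raw)          # fullmatch: no trailing bytes, no padding, strict lexical form
        if not m or m.group(1) != name:
            raise ValueError(f"expected element {name}, got {raw!r}")
        ET.SubElement(root, name).text = str(kind(m.group(2)))   # typed value, canonical text
    return root

def xml_filter(infoset, bounds=BOUNDS):
    """Filter on the infoset, not the raw bytes: reject values outside the allowed range."""
    for name, (lo, hi) in bounds.items():
        if not lo <= float(infoset.findtext(name)) <= hi:
            raise ValueError(f"{name} out of range")
    return infoset

def unparse(infoset, schema=SCHEMA):
    """Regenerate the wire format from typed values; original input bytes are never copied through."""
    return schema["sep"].join(f"{n}={kind(infoset.findtext(n))}" for n, kind in schema["fields"])

def to_xml(infoset):
    return ET.tostring(infoset, encoding="unicode")

def filter_message(data):
    """Full lifecycle: parse -> XML filter -> unparse."""
    return unparse(xml_filter(parse(data)))
```

Note that -7.1E8 comes out as -710000000.0: the unparser emits the typed double, not the sender's spelling of it.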
DFDL Schemas
Public (github): MIL-STD-2045, PCAP, NITF, PNG, JPEG, NACHA, VCard, QuasiXML, EDIFACT, iCalendar**, IBM4690-TLOG, IMF**, ISO8583, BMP, GIF, Praat TextGrid, ARINC429*, JPEG2000**
  planned: Exif, EP, DNG, WMF, EMF, ...; planned: Asterisk, IPFIX
Restricted: VMF (MIL-STD-6017), USMTF ATO (MIL-STD-6040), LINK 16 (NATO STANAG 5516/MIL-STD-6016), A-GNOSC REMEDY, ARMY DRRS, USCG UCOP, CEF-R1965, GMTIF (STANAG 4607)
Commercial License $$$: SWIFT-MT (IBM), HIPAA-5010 (IBM), HL7-2.7 (IBM)
* = in development, ** = not yet published
Filtering
Complex Data
• Recursive Decomposition, validate components
• Example: Microsoft Office, PDF, images, archives
• Threats: Data hidden from sight; data hidden within structure (unreferenced blocks); data hidden within data (steganography)
• Mitigation: Multiple filters to verify known good
• Tools: Oracle's Clean Content, Peraton's Purifile, Glasswall, etc.
Data Hidden from Sight
[Illustration: a document whose visible body is placeholder text; the labels TOP SECRET, PATENT INFO and FINANCIAL INFO mark content concealed within it]
Filtering
Streaming/Full Motion Video
• Example: MPEG2/4
• Threats: Data stuffed between frames, within component streams
• Mitigation: Transcode, filter KLV/CC
• Tools: FFMPEG
Full Motion Video filter pipeline (diagram)
MPEG Transport Stream Input → Demux / Decode → Inspect / Sanitize → Encode / Mux → MPEG Transport Stream Output
• Video Data & Metadata: check header fields & flags; video frame data checks, frame rate → Sanitized Video Data & Metadata
• Caption Data: remove or filter caption text → Sanitized Captions
• Audio Data: pass or remove stream(s) → Sanitized Audio
• KLV Data: verify key in standard dictionary; compare length of value field; verify checksum; remove sensitive keys / values & frames → Sanitized KLV Data
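The four KLV checks in the diagram (key in dictionary, length of value field, checksum, removal of sensitive keys), as an added example that is not part of the deck and not Tresys/Owl code: a sanitizer for a MISB ST 0601 style local set. The UL key and tag numbers follow ST 0601; the allowed-tag subset, the "strip Mission ID" policy and the sample packet are constructed for the example, and tags above 127 (multi-byte BER-OID) are not handled.

```python
import struct

UAS_LS_KEY = bytes.fromhex("060E2B34020B01010E01030101000000")  # MISB ST 0601 UAS Datalink Local Set UL
# Allowed tags -> fixed value length (None = variable); anything not listed is rejected (constructed subset).
ALLOWED_TAGS = {1: 2, 2: 8, 3: None, 5: 2, 13: 4, 14: 4, 15: 2, 65: 1}
SENSITIVE_TAGS = {3}                      # constructed release policy: strip Mission ID

def ber_decode(buf, pos):
    """BER length: short form (<128) or long form (0x80|n followed by n length bytes)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n
def ber_encode(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def checksum(prefix):
    """ST 0601 checksum: 16-bit sum of every byte from the UL key through the checksum item's length byte."""
    return sum(prefix) & 0xFFFF
def finish(items):
    """Assemble key + BER length + items + checksum item (tag 1, len 2) with a freshly computed checksum."""
    body = b"".join(ber_encode(t) + ber_encode(len(v)) + v for t, v in items) + b"\x01\x02"
    out = UAS_LS_KEY + ber_encode(len(body) + 2) + body
    return out + struct.pack(">H", checksum(out))

def sanitize(packet):
    """Verify key, length field, tag dictionary and checksum; drop sensitive items; re-emit."""
    if packet[:16] != UAS_LS_KEY:
        raise ValueError("key not in dictionary")
    length, pos = ber_decode(packet, 16)
    if pos + length != len(packet):
        raise ValueError("length field does not match value field")
    if checksum(packet[:-2]) != struct.unpack(">H", packet[-2:])[0]:
        raise ValueError("checksum mismatch")
    kept = []
    while pos < len(packet):
        tag, pos = ber_decode(packet, pos)     # tags < 128 are one byte (BER-OID short form); enough here
        vlen, pos = ber_decode(packet, pos)
        if pos + vlen > len(packet) or tag not in ALLOWED_TAGS or ALLOWED_TAGS[tag] not in (None, vlen):
            raise ValueError(f"tag {tag}: unknown or bad length")
        if tag not in SENSITIVE_TAGS and tag != 1:
            kept.append((tag, packet[pos:pos + vlen]))
        pos += vlen
    return finish(kept)

def build_sample():
    """Constructed packet: time stamp, Mission ID, sensor lat/long, LS version, then checksum."""
    return finish([(2, (1500000000000000).to_bytes(8, "big")), (3, b"MISSION-42"),
                   (13, b"\x3c\x4e\x3b\x9a"), (14, b"\xb3\xf0\x12\x34"), (65, b"\x0d")])
```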
Filter Orchestration Engine supporting Recursive Decomposition
• Purifile
• Clean Content
• DFDL
• Multiple AV scanners
• Image filters (clean & verify)
• Dirty word
• Zip/archive
• Add/remove other filters dynamically
[Diagram: DCI]
Filter Orchestration Engine (FOE)
[Diagram]
Components of Filter Orchestration Engine (FOE)
[Diagram]
Walkthrough: ABC.zip through the File Filter Pipeline (diagrams)
• Unknown File Enters the File Filter Pipeline: File Identified?? → .zip
• Next Filter: ABC.zip
• Detail on the File Name Filter: a copy of ABC.zip is handed via Router IPC and Scheduler IPC through IN → WORK → OUT; result: File doesn't contain prohibited text
• Archive File is Unzipped and Individual Files (.docx, .bin) Enter the Filter Pipeline
• Unzipped Files Continue Through the Filter Pipeline: Whitelisted Office Document
• No Prohibited Text (ABC.docx, ABC.bin)
• Passes Scan (Sophos)
• Passes Scan (ClamAV); Clean File (ABC.bin) Returns to Archive Filter
• Image File (.png) is Extracted From MS Word File (ABC.docx)
• Extracted Image File Enters the Filter Pipeline. Specific Pipeline Path is Based on the File Type: 1 No Prohibited Text, 2 Passes Scan (Sophos), 3 Passes Scan (ClamAV), 4 Steganography disruption, 5 Metadata removed → ABC.png (filtered)
• MS Word File is Re-constructed (PNG Image Replaced by Filtered PNG) and Continues Through Filter Pipeline
• ABC.docx Checked and Scrubbed
• Archive File (ABC.zip) is Restored
• Content Inspection and Filtering Processes are Complete
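The Complex Data slide and the ABC.zip walkthrough above, as an added example that is not part of the deck and not the Tresys/Owl FOE: a minimal recursive-decomposition pipeline that identifies each file by content, filters file names and text for a dirty-word list, descends into archives (a .docx is itself a zip), rewrites embedded PNGs with only their critical chunks so metadata is removed, and rebuilds the containers on the way out. The dirty-word list, the nested sample archive and its PNG are constructed; AV scanning and pixel-level steganography disruption are not shown.

```python
import io, struct, zipfile, zlib

PROHIBITED = (b"TOP SECRET",)                      # constructed dirty-word list
PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP_PNG = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # critical chunks only; tEXt/zTXt/iTXt etc. are dropped
def png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
def png_chunks(data):
    """Walk PNG chunks, verifying every CRC; yields (type, raw chunk bytes)."""
    pos = 8
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if data[end - 4:end] != struct.pack(">I", zlib.crc32(ctype + data[pos + 8:end - 4])):
            raise ValueError("bad PNG chunk CRC")
        yield ctype, data[pos:end]
        pos = end
def filter_text(data):
    if any(w in data for w in PROHIBITED): raise ValueError("prohibited text")
    return data
def filter_zip(data):
    """Recursive decomposition: every member runs through the pipeline, then the archive is rebuilt."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            zout.writestr(info.filename, run_pipeline(info.filename, zin.read(info)))
    return out.getvalue()
def run_pipeline(name, data):
    """Identify by content (not extension), filter the file name, route; unidentified files are rejected."""
    filter_text(name.encode())
    if data[:4] == b"PK\x03\x04":                    # .zip, and .docx (OOXML is itself a zip)
        return filter_zip(data)
    if data[:8] == PNG_SIG:                          # keep critical chunks only: metadata removed
        return PNG_SIG + b"".join(raw for t, raw in png_chunks(data) if t in KEEP_PNG)
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return filter_text(data)
    raise ValueError("unidentified file: " + name)
def build_sample(body_text):
    """Constructed input: ABC.zip -> ABC.docx (a zip) -> document.xml + a PNG carrying a tEXt chunk."""
    png = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    png += png_chunk(b"tEXt", b"Comment\x00hidden") + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    docx, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("word/document.xml", body_text)
        z.writestr("word/media/image1.png", png + png_chunk(b"IEND", b""))
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("ABC.docx", docx.getvalue())
    return outer.getvalue()
def filtered_png_chunks(zip_bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z, zipfile.ZipFile(io.BytesIO(z.read("ABC.docx"))) as d:
        return [t for t, _ in png_chunks(d.read("word/media/image1.png"))]
```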
Design/Implementation Principles
Don't rely on a single filter
• Multiple implementations with different programming languages
Make sure filters can't be bypassed
Isolate functions and ensure least privilege
• Protocol adaptors
• Filters
• Supporting infrastructure
Management is a high-value target
Management/Adaptability
Select from pre-defined configurations
Secure update mechanism
Interoperability: Protocol Adaptors
Accreditation (Authorization)
Common Criteria
• Protection Profile
• Security Target
• Evaluation Assurance Level (EAL)
US National Certification (Assessment)
• National Institute of Standards and Technology (NIST) 800-53
• Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security Systems"
Overview
Low-Latency Uni- or Bi-Directional Data Diode
Componentized Cross Domain Solution (CDS) (Information Exchange Gateway)
Low latency, high throughput
File transfer or streaming
Isolated compute environment in each domain
"The Example"
Right information, right recipient, right time
Complex yet needed
Mission success relies on trustworthy information
Mission Assurance through Information Assurance