presented to: NAISNAIS October 2019. Enabling the Mission with Information Assurance Right...

presented to:

Enabling the Mission with Information Assurance

NAISOctober 2019


Right Information

Right Recipient

Right Time

2 Enabling the Mission with Information Assurance


Right Information

• Authentic

• Not malicious Known Good vs Known Bad



Right Information

Right Recipient

• Coalition partners

• Dynamic



Right Information

Right Recipient

Right Time

• Value expiration

• Latency vs Throughput vs Cost


Who is Tresys/Owl?We are a leader and trusted partner in cybersecurity. Our solutions are vital to helping defense, intelligence, and critical infrastructure customers meet ever-evolving cybersecurity threats.

What we doFrom network and perimeter defense to product security analysis to the practical application of SELinux, we deliver solutions that protect and connect the world’s most critical networks.


Information Exchange Gateway

What: Information sharing

Why: Coordination between stakeholders

Where/When/Who: Adaptability

How: Depends on data


IEG Categories Uni-directional: Diode

• Usually UDP based, proxies for bi-directional protocols• Minimal filtering, requirements increasing• Hardware separation: Optical cards, FPGA• Example: Owl Diode Cards, BAE, XD Guardian, etc.

Bi-Directional• TCP/UDP – protocol break required• Filtering critical• HW separation optional• Example: XD Guardian, Owl OCDS-1000, etc.


Filtering

Structured Data

• Normalize & validate

• Example: Link 16/STANAG 5516, VMF

• Threats: Data hidden within correct structure or outside allowed structure [picture]

• Mitigation: Normalize to XML XML filters Unparse

• Tools: DFDL, XML schema validation, XSLT, XPROC, etc.


Linear Pipeline

10

External Data

Internal Data

Syslog

Heartbeat and Status

HW enforced one-way transfer

PA SenderXSDDFDL NoneTBDXSLT

Syslog

StatusMonitor

Receiver PAXSDNone DFDLTBDSchematron

Syslog

StatusMonitor

ACK Filter

ACK Filter

Protocol Adaptors• JREAP-C (Link 16)• USMTF• VMF


DFDL Lifecycle

rLimit=5;rpngx=-7.1E8

DFDL

ImplementationDFDL

Schema

DFDL

Implementation

ElementName: rValues

ElementName: rpngxValue: -7.1E8Type: Double

ElementName: rLimit

Value: 5Type: Int

Parse Unparse

Infoset

Data


DFDL SchemasPublic(github)

MIL-STD-2045PCAPNITFPNGJPEGNACHAVCardQuasiXML

EDIFACT iCalendar**IBM4690-TLOG IMF**ISO8583BMPGIFPraat TextGridARINC429*JPEG2000**

planned: Exif, EP, DNG, WMF, EMF, ...planned: Asterisk, IPFIX

Restricted VMF (MIL-STD-6017)USMTF ATO (MIL-STD-6040)LINK 16 (NATO STANAG 5516/MIL-STD-6016) A-GNOSC REMEDY ARMY DRRS USCG UCOP CEF-R1965 GMTIF (STANAG 4607)

Commercial License $$$

SWIFT-MT (IBM)HIPAA-5010 (IBM)HL7-2.7 (IBM)

* = in development** = not yet published


Filtering

Complex Data

• Recursive Decomposition, validate components

• Example: Microsoft Office, PDF, images, archives

• Threats: Data hidden from sight

Data hidden within structure (unreferenced blocks)

Data hidden within data (steganography)

• Mitigation: Multiple filters to verify known good

• Tools: Oracle’s Clean Content, Peraton’s Purifile, Glasswall, etc.


Data Hidden from Sight

14

Sed ut perspiciatis unde omnis iste natuserror sit voluptatem accusantiumdoloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventoreveritatis et quasi architecto beatae vitaedicta sunt explicabo.

Nemo enim ipsam voluptatem quiavoluptas sit aspernatur aut odit aut fugit,sed quia consequuntur magni dolores eosqui ratione voluptatem sequi nesciunt.

Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur?

Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?

At vero eos et accusamus et iusto odio dignissimos ducimus qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores et quas molestias excepturi sint occaecati cupiditate non provident, similique sunt in culpa qui officia deserunt mollitia animi, id est laborum et dolorum fuga.

Et harum quidem rerum facilis est et expedita distinctio. Nam libero tempore, cum soluta nobis est eligendi optio cumque nihil impedit quo minus id quod maxime placeat facere

TOP SECRET

PATENTINFO

FINANCIALINFO

Sed ut perspiciatis unde omnis iste natuserror sit voluptatem accusantiumdoloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventoreveritatis et quasi architecto beatae vitaedicta sunt explicabo.

Nemo enim ipsam voluptatem quiavoluptas sit aspernatur aut odit aut fugit,sed quia consequuntur magni dolores eosqui ratione voluptatem sequi nesciunt.

Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem.

Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur?

Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, vel illum qui dolorem eum fugiat quo voluptas nulla pariatur?

At vero eos et accusamus et iusto odio dignissimos ducimus qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores et quas molestias excepturi sint occaecati cupiditate non provident, similique sunt in culpa qui officia deserunt mollitia animi, id est laborum et dolorum fuga.

Et harum quidem rerum facilis est et expedita distinctio. Nam libero tempore, cum soluta nobis est eligendi optio cumque nihil impedit quo minus id quod maxime placeat facere


Filtering

Streaming/Full Motion Video

• Example: MPEG2/4

• Threats: Data stuffed between frames, within component streams

• Mitigation: Transcode, filter KLV/CC

• Tools: FFMPEG


Demux / Decode Inspect / Sanitize Encode / Mux

MPEG Transport

Stream

Input

Full Motion Video

Enabling the Mission with Information Assurance16

Remove or filter caption text

Pass or remove stream(s)

Video Data &Metadata

Caption Data

Audio Data

KLV Data

MPEG Transport

Stream

Output Check header fields & flags Video frame data checks, frame rate

Verify key in standard dictionary Compare length of value field Verify checksum Remove sensitive keys / values & frames

Sanitized Video Data & Metadata

Sanitized Captions

Sanitized Audio

Sanitized KLV Data

Filter Orchestration Engine supporting Recursive Degeneration• Purifile

• Clean Content

• DFDL

• Multiple AV scanners

• Image filters (clean & verify)

• Dirty word

• Zip/archive

• Add/remove other filters dynamically

17

DCI


18

Filter Orchestration

Engine (FOE)

19

Components of Filter Orchestration Engine (FOE)

20

Unknown File Enters the File Filter Pipeline

File Identified??

.zip

21

Next Filter

.zip

ABC.zip

22

Detail on the File Name Filter

.zipABC.zip

ABC.zip copy

Router IPC

Sched

uler IP

C

ABC.zip

IN WORK OUT

- File doesn’t contain prohibited text -

ABC.zip

copy

23

Archive File is Unzipped and Individual Files Enter the Filter Pipeline

.docx

.bin

ABC.zip

24

Unzipped Files Continue Through the Filter Pipeline

Whitelisted

Office Document

ABC

.zip

.bin.docx

25

No Prohibited Text

.docx .bin

ABC

.zip

ABC.

docx ABC

.bin

26

Passes Scan (Sophos)

ABC

.bin

ABC

.docx

ABC

.zip

27

Passes Scan (ClamAV)

ABC

.docx

ABC

.zip

ABC

.bin

Clean File Returns to Archive Filter

28

ABC

.docx

.png

ABC

.zip

ABC

.bin

Image File is Extracted From MS Word File

ABC

.docx

29

No Prohibited Text

.png

ABC

.png

2

Passes Scan (Sophos)

3

Passes Scan (ClamAV)

4 Steganography

disruption

Metadata removed

.pngABC

.png(filtered)

5 Steganography

disruption

Metadata removed

1

ABC

.zip

ABC

.bin

.png

Extracted Image File Enters the Filter Pipeline. Specific Pipeline Path is Based on the File Type.

30

ABC

.docx

ABC

.png(filtered)

PNG Image

Replaced by

Filtered PNG

ABC

.zip

ABC

.bin

MS Word File is Re-constructed and Continues Through Filter Pipeline

31

ABC

.docx

Checked and Scrubbed

ABC

.zip

ABC

.bin

32

ABC

.docx

ABC

.bin

ABC

.zipArchive File is Restored

33

ABC

.zip

Content Inspection and Filtering Processes are Complete

Design/Implementation Principles

Don’t rely on single filter• Multiple implementations with different programming

languages

Make sure filters can’t be bypassed

Isolate functions and ensure least privilege• Protocol adaptors

• Filters

• Supporting infrastructure

Management is a high-value target


Management/Adaptability

Select from pre-defined configurations

Secure update mechanism

Interoperability: Protocol Adaptors


Accreditation (Authorization)

Common Criteria• Protection Profile

• Security Target

• Evaluation Assurance Level (EAL)

US National Certification (Assessment)• National Institute of Standards and Technology (NIST) 800-53

• Committee on National Security Systems Instruction (CNSSI) No. 1253, “Security Categorization and Control Selection for National Security Systems"


Low-Latency Uni- or Bi- Directional Data Diode

Componentized Cross Domain Solution (CDS) (Information Exchange Gateway)

Low latency, high throughput

File transfer or streaming

Isolated compute environment in each domain

37

Overview


"The Example"


Right information, right recipient, right time

Complex yet needed

Mission success relies on trustworthy information

Mission Assurance through Information Assurance38

presented to: NAISNAIS October 2019. Enabling the Mission with Information Assurance Right...

Documents

Transcript of presented to: NAISNAIS October 2019. Enabling the Mission with Information Assurance Right...