Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.
The XTS-400 is a multilevel secure computer operating system. It is a multiuser, multitasking system that uses multilevel scheduling in processing data and information. It works in networked environments and supports Gigabit Ethernet and both IPv4 and IPv6. The XTS-400 is a combination of Intel x86 hardware and the Secure Trusted Operating Program (STOP) operating system.
A Mission Support Cryptographic Unit (MSCU) and Fortezza cards. The MSCU performs Type 1 cryptography and has been separately scrutinized by the United States National Security Agency. The CC evaluation forces particular hardware to be used in the XTS-400. Though this places restrictions on the hardware configurations that can be used, several configurations are possible. The XTS-400 uses only standard PC, commercial off-the-shelf (COTS) components, except for an optional Mission Support Cryptographic Unit (MSCU). The hardware
A covert channel analysis. Because these certifications depend on CAPP, no Common Criteria certifications suggest this product is trustworthy for MLS. BAE Systems offers XTS-400, a commercial system that supports MLS at what the vendor claims is "high assurance". Predecessor products (including the XTS-300) were evaluated at the TCSEC B3 level, which is MLS-capable. The XTS-400 has been evaluated under
A transparent process for replacing the outdated Data Encryption Standard (DES) with the Advanced Encryption Standard (AES). Cybersecurity policy expert Susan Landau attributes the NSA's harmonious collaboration with industry and academia in the selection of the AES in 2000, and the Agency's support for the choice of a strong encryption algorithm designed by Europeans rather than by Americans, to Brian Snow, who
A trusted environment for administrative work and for privileged applications. The untrusted environment is similar to traditional Unix environments. It provides binary compatibility with Linux, running most Linux commands and tools as well as most Linux applications without the need for recompiling. This untrusted environment includes an X Window System GUI, though all windows on
A "wake-up call" for the need to invest in the agency's infrastructure. In the 1990s the defensive arm of the NSA, the Information Assurance Directorate (IAD), started working more openly; the first public technical talk by an NSA scientist at a major cryptography conference was J. Solinas' presentation on efficient elliptic curve cryptography algorithms at Crypto 1997. The IAD's cooperative approach to academia and industry culminated in its support for
A 2010 article in The Washington Post, "every day, collection systems at the National Security Agency intercept and store 1.7 billion e-mails, phone calls and other types of communications. The NSA sorts a fraction of those into 70 separate databases." Because of its listening task, NSA/CSS has been heavily involved in cryptanalytic research, continuing the work of predecessor agencies which had broken many World War II codes and ciphers (see, for instance, Purple, the Venona project, and JN-25). In 2004, NSA Central Security Service and
A Top Secret process to transmit signals of any kind to a Secret or lower process. This includes side effects such as changes in available memory or disk space, or changes in process timing. When a process exploits such a side effect to transmit data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a practical computing system, and it may be impossible in practice. The process of identifying all covert channels
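The side effect just described, simulated end to end. This is an added example, not code from the article or from any product it names: a Top Secret sender and a Secret receiver share one simulated disk, the mandatory policy never lets the sender write anything the receiver may read, and the sender still delivers bytes by allocating and freeing space because free space is a system-wide quantity. The Disk class, the block size and the "hi" message are all constructed for the example; the per-level quota variant shows the partitioning that closes the channel and what it costs.

```python
"""Covert storage channel through a shared resource, simulated.

Added example; not code from the article or from any product it names.
HIGH (Top Secret) cannot write to anything LOW (Secret) may read, yet HIGH
signals bits by allocating or freeing disk space, which LOW observes through
the ordinary free-space query. Partitioning the resource per level closes it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HIGH = "TOP SECRET"   # sender's level
LOW = "SECRET"        # receiver's level
BLOCK = 4096          # bytes the sender allocates to signal a 1 bit (constructed)


@dataclass
class Disk:
    """Simulated block device with a crude allocator.

    quota=None: one shared pool, so free() is the same number for every level.
    quota={level: bytes}: each level sees only its own remaining allowance,
    so one level's allocations are invisible to another.
    """
    capacity: int
    quota: Optional[Dict[str, int]] = None
    used: Dict[str, int] = field(default_factory=dict)

    def free(self, level: str) -> int:
        if self.quota is None:
            return self.capacity - sum(self.used.values())
        return self.quota[level] - self.used.get(level, 0)

    def allocate(self, level: str, nbytes: int) -> bool:
        if self.free(level) < nbytes:
            return False
        self.used[level] = self.used.get(level, 0) + nbytes
        return True

    def release(self, level: str) -> None:
        self.used[level] = 0


def run_channel(disk: Disk, message: bytes) -> bytes:
    """Clock the channel one bit per round and return what LOW decodes.

    Sender (HIGH): frees everything, then allocates BLOCK for a 1 bit.
    Receiver (LOW): never touches HIGH's data; it only compares the free
    space it sees now with the baseline sampled before the transfer began.
    """
    bits = "".join(f"{byte:08b}" for byte in message)
    baseline = disk.free(LOW)
    decoded = []
    for bit in bits:
        disk.release(HIGH)
        if bit == "1":
            disk.allocate(HIGH, BLOCK)
        decoded.append("0" if disk.free(LOW) == baseline else "1")
    disk.release(HIGH)
    stream = "".join(decoded)
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8))


def channel_is_open(disk: Disk) -> bool:
    """Probe with a constructed bit pattern; the channel is open if it survives."""
    probe = b"\xa5"  # 10100101
    return run_channel(disk, probe) == probe


if __name__ == "__main__":
    shared = Disk(capacity=64 * BLOCK)
    print("shared pool    :", run_channel(shared, b"hi"))   # b'hi' leaks
    split = Disk(capacity=64 * BLOCK, quota={HIGH: 32 * BLOCK, LOW: 32 * BLOCK})
    print("per-level quota:", run_channel(split, b"hi"))    # b'\x00\x00'
```

The simulation is noiseless; on a real system other processes perturb free space, so a receiver needs repetition or error-correcting codes and the channel is measured as a bandwidth, which is what a covert channel analysis (such as the one the CC evaluations cited later on this page included) estimates rather than proving absence. Closing the channel here costs half the disk to each level, which is the kind of trade-off that leads most commercial MLS systems to leave such channels open.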
A capability. The belief that MLS is non-existent is based on the belief that there are no products certified to operate in an MLS environment or mode and that therefore MLS as a capability does not exist. One does not imply the other. Many systems operate in an environment containing data that has unequal security levels and therefore is MLS by the Computer Security Intermediate Value Theorem (CS-IVT). The consequence of this confusion runs deeper. NSA-certified MLS operating systems, databases, and networks have existed in operational mode since
A category in its baseline of DoD and Intelligence Community accredited systems, and this category can be seen as essentially analogous to MILS. Security models such as the Biba model (for integrity) and the Bell–LaPadula model (for confidentiality) allow one-way flow between certain security domains that are otherwise assumed to be isolated. MILS addresses the isolation underlying MLS without addressing
A conclusion that they do not exist. This can lead to a crippling ignorance about COMPUSEC that manifests itself as whispers that "one cannot talk about MLS" and "there's no such thing as MLS." These MLS-denial schemes change so rapidly that they cannot be addressed. Instead, it is important to clarify the distinction between MLS-environment and MLS-capable. The original use of the term MLS applied to
A file xkeyscorerules100.txt, sourced by German TV stations NDR and WDR, who claim to have excerpts from its source code) reveal that the NSA tracks users of privacy-enhancing software tools, including Tor; an anonymous email service provided by the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts; and readers of the Linux Journal. Linus Torvalds,
A highly trustworthy information processing system, often built on an MLS operating system (OS), but not necessarily. Most MLS functionality can be supported by a system composed entirely of untrusted computers, although it requires multiple independent computers linked by hardware security-compliant channels (see section B.6.2 of the Trusted Network Interpretation, NCSC-TG-005). An example of hardware-enforced MLS
A major effort to secure tactical communications among U.S. forces during the war, with mixed success. The NESTOR family of compatible secure voice systems it developed was widely deployed during the Vietnam War, with about 30,000 NESTOR sets produced. However, a variety of technical and operational problems limited their use, allowing the North Vietnamese to exploit and intercept U.S. communications. In
A matter of political controversy on several occasions, including its spying on anti-Vietnam War leaders and the agency's participation in economic espionage. In 2013, the NSA had many of its secret surveillance programs revealed to the public by Edward Snowden, a former NSA contractor. According to the leaked documents, the NSA intercepts and stores the communications of over a billion people worldwide, including United States citizens. The documents also revealed that
A memorial at the National Cryptologic Museum in Fort Meade, Maryland. The memorial is a "tribute to the pioneers and heroes who have made significant and long-lasting contributions to American cryptology". NSA employees must be retired for more than fifteen years to qualify for the memorial. NSA's infrastructure deteriorated in the 1990s as defense budget cuts resulted in maintenance deferrals. On January 24, 2000, NSA headquarters suffered
A multilevel web application framework called MLWeb which integrates the Ruby on Rails framework with a multilevel database based on SQLite3. Perhaps the greatest change going on in the multilevel security arena today is the convergence of MLS with virtualization. An increasing number of trusted operating systems are moving away from labeling files and processes, and are instead moving towards UNIX containers or virtual machines. Examples include zones in Solaris 10 TX, and
A potentially complicated process of defining large sets of domains and data types (and the attendant access rules). To maintain the trustworthiness of the system, the XTS-400 must be installed, booted, and configured by trusted personnel. The site must also provide physical protection of the hardware components. The system, and software upgrades, are shipped from BAE Systems in a secure fashion. For customers who want them, XTS-400 supports
A result of the boomerang routing of Canadian Internet service providers. A document included in NSA files released with Glenn Greenwald's book No Place to Hide details how the agency's Tailored Access Operations (TAO) and other NSA units gain access to hardware. They intercept routers, servers, and other network hardware being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they are delivered. This
A screen must be at the same sensitivity level. To support the trusted environment and various security features, STOP provides a set of proprietary APIs to applications. In order to develop programs that use these proprietary APIs, a special software development environment (SDE) is needed. The SDE is also needed in order to port some complicated Linux/Unix applications to the XTS-400. A new version of
A secret filing system that was destroyed in 1974. Following the resignation of President Richard Nixon, there were several investigations into suspected misuse of FBI, CIA and NSA facilities. Senator Frank Church uncovered previously unknown activity, such as a CIA plot (ordered by the administration of President John F. Kennedy) to assassinate Fidel Castro. The investigation also uncovered NSA's wiretaps on targeted U.S. citizens. After
A separate untrusted domain. The absence of a medium of communication between the domains assures that no interaction is possible. The mechanism for this isolation is usually physical separation in separate computers. This is often used to support applications or operating systems which have no possibility of supporting MLS, such as Microsoft Windows. Infrastructure such as trusted operating systems are an important component of MLS systems, but in order to fulfill
A single platform. MLS applications not currently part of the UCDMO baseline include several applications from BlueSpace. BlueSpace has several MLS applications, including an MLS email client, an MLS search application and an MLS C2 system. BlueSpace leverages a middleware strategy to enable its applications to be platform neutral, orchestrating one user interface across multiple Windows OS instances (virtualized or remote terminal sessions). The US Naval Research Laboratory has also implemented
A total network outage for three days caused by an overloaded network. Incoming traffic was successfully stored on agency servers, but it could not be directed and processed. The agency carried out emergency repairs for $3 million to get the system running again. (Some incoming traffic was also directed instead to Britain's GCHQ for the time being.) Director Michael Hayden called the outage
A trusted, MLS operating system. PitBull is currently offered only as an enhanced version of Red Hat Enterprise Linux, but earlier versions existed for Sun Microsystems Solaris, IBM AIX, and SVR4 Unix. PitBull provides a Bell–LaPadula security mechanism, a Biba integrity mechanism, a privilege replacement for superuser, and many other features. PitBull has been the security base for General Dynamics' Trusted Network Environment (TNE) product since 2009. TNE enables multilevel information sharing and access for users in
Is asymmetric isolation. If one computer is being used in MLS mode, then that computer must use a trusted operating system (OS). Because all information in an MLS environment is physically accessible by the OS, strong logical controls must exist to ensure that access to information is strictly controlled. Typically this involves mandatory access control that uses security labels, as in the Bell–LaPadula model. Customers that deploy trusted operating systems typically require that
Is a monolithic kernel operating system (as is Linux). Though it provides a Linux-compatible API, STOP is not derived from Unix or any Unix-like system. STOP is highly layered, highly modularized, and relatively compact and simple. These characteristics have historically facilitated high-assurance evaluations. STOP is layered into four rings, and each ring is further subdivided into layers. The innermost ring has hardware privilege, and applications, including privileged commands, run in
Is a challenging one by itself. Most commercially available MLS systems do not attempt to close all covert channels, even though this makes it impractical to use them in high-security applications. Bypass is problematic when introduced as a means to treat a system-high object as if it were MLS trusted. A common example is to extract data from a secret system-high object to be sent to an unclassified destination, citing some property of
Is a project to create a labeled version of PostgreSQL, and there are also older labeled-database implementations such as Trusted Rubix. These MLS database systems provide a unified back-end system for content spanning multiple labels, but they do not resolve the challenge of having users process content at multiple security levels in one system while enforcing mandatory access controls. There are also several MLS end-user applications. The other MLS capability currently on
Is a subject system that is required to accept secret IP packets from an untrusted source, encrypt the secret userdata but not the header, and deposit the result on an untrusted network. The source lies outside the sphere of influence of the subject system. Although the source is untrusted (e.g. system high), it is being trusted as if it were MLS because it provides packets that have unclassified headers and secret plaintext userdata, an MLS data construct. Since
Is also alleged to have been behind such attack software as Stuxnet, which severely damaged Iran's nuclear program. The NSA, alongside the CIA, maintains a physical presence in many countries across the globe; the CIA/NSA joint Special Collection Service (a highly classified intelligence team) inserts eavesdropping devices in high-value targets (such as presidential palaces or embassies). SCS collection tactics allegedly encompass "close surveillance, burglary, wiretapping, [and] breaking". Unlike
Is an intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes, specializing in a discipline known as signals intelligence (SIGINT). The NSA is also tasked with
Is avoidable. Avoidable bypass often results when system architects design a system before correctly considering security, then attempt to apply security after the fact as add-on functions. In that situation, bypass appears to be the only (easy) way to make the system work. Some pseudo-secure schemes are proposed (and approved!) that examine the contents of the bypassed data in a vain attempt to establish that the bypassed data contains no secrets. This
Is based on an Intel Xeon (P4) central processing unit (CPU) at speeds up to 2.8 GHz, supporting up to 2 GB of main memory. A Peripheral Component Interconnect (PCI) bus is used for add-in cards such as Gigabit Ethernet. Up to 16 simultaneous Ethernet connections can be made, all of which can be configured at different mandatory security and integrity levels. A SCSI subsystem
Is believed by Glenn Greenwald of The Guardian to be the model for the comprehensive worldwide mass archiving of communications which the NSA is engaged in as of 2013. A dedicated unit of the NSA locates targets for the CIA for extrajudicial assassination in the Middle East. The NSA has also spied extensively on the European Union, the United Nations, and numerous governments including allies and trading partners in Europe, South America, and Asia. In June 2015, WikiLeaks published documents showing that the NSA spied on French companies. WikiLeaks also published documents showing that the NSA spied on federal German ministries since
Is comprehensively integrated with a high-assurance Protection Level Four (PL4) secure operating system, utilizing data labeling to disseminate near real-time information on force activities and potential terrorist threats on and around the world's oceans. It is installed at locations in the United States and allied partner countries where it is capable of providing data from Top Secret/SCI down to Secret-Releasable levels, all on
Is global to the system. Trusted system services (TSS) software executes in ring 1. TSS implements file systems, implements TCP/IP, and enforces the discretionary access control policy on file system objects. TSS's data is local to the process within which it is executing. Operating system services (OSS) execute in ring 2. OSS provides a Linux-like API to applications as well as providing additional proprietary interfaces for using
Is more achievable than accreditation of one, more complex MLS kernel. This question depends in part on the extent of the import/export interactions that the stakeholders require. In favour of MILS is the possibility that not all the export applications will require maximal assurance. There is another way of solving such problems, known as multiple single-level. Each security level is isolated in
Is no efficient, reliable mechanism by which a Top Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to users with Secret or lower clearances. In practice, MLS systems circumvent this problem via privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a file's security classification. However, the technique is not reliable. Covert channels pose another problem for MLS systems. For an MLS system to keep secrets perfectly, there must be no possible way for
Is no way to know with certainty how much classified information is taken from our systems by exploitation of bypass. Some laypersons are designing secure computing systems and drawing the conclusion that MLS does not exist. An explanation could be that there is a decline in COMPUSEC experts and the MLS term has been overloaded by two different meanings/uses. These two uses are: MLS as a processing environment vs. MLS as
Is not possible without trusting something about the data, such as its format, which is contrary to the assumption that the source is not trusted to preserve any characteristics of the source data. Assured "secure bypass" is a myth, just as is a so-called High Assurance Guard (HAG) that transparently implements bypass. The risk these introduce has long been acknowledged; extant solutions are ultimately procedural, rather than technical. There
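The bypass scenario from the passages above (an encryptor that protects the userdata but passes the "unclassified" header through in the clear, plus an inspector that checks the bypassed header for secrets), as an added example rather than code from the article or any guard product. The dirty-word list, the addresses and the "plan" message are constructed; the point shown is that content inspection cannot establish that a header built by an untrusted, system-high source carries no secret, because the source can put secret bytes in any field the inspector has no grounds to reject. Here it uses the IPv4 Identification field.

```python
"""Why inspecting bypassed data does not make bypass safe: a simulation.

Added example; not code from the article or from any guard product. The guard
encrypts userdata and lets headers that pass inspection bypass in the clear.
The system-high source is trusted to keep secrets out of the header and does
not: it encodes one secret byte per packet in the IPv4 Identification field.
"""
import struct
from typing import List, Tuple

Packet = Tuple[bytes, bytes]  # (cleartext IPv4 header, userdata)

# Constructed dirty-word list for the inspector; an assumption of this example.
DIRTY_WORDS = (b"SECRET", b"TOP SECRET", b"NOFORN")

# Constructed addresses for the sample traffic.
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 168, 0, 1])


def build_ipv4_header(src: bytes, dst: bytes, ident: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, checksum left zero, UDP proto."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, ident,
                       0, 64, 17, 0, src, dst)


def inspect_header(header: bytes) -> bool:
    """The 'pseudo-secure scheme': pass the header unless a dirty word appears."""
    return not any(word in header for word in DIRTY_WORDS)


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the guard's cipher; the leak does not depend on it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def untrusted_source(secret: bytes) -> List[Packet]:
    """System-high source the guard relies on to label headers honestly.
    Each packet carries one secret byte in its Identification field and an
    innocuous userdata body."""
    return [(build_ipv4_header(SRC, DST, ident=byte, payload_len=4), b"data")
            for byte in secret]


def guard(packets: List[Packet], key: bytes) -> List[Packet]:
    """Encrypt userdata; bypass headers that pass inspection; drop the rest."""
    return [(hdr, xor_keystream(data, key))
            for hdr, data in packets if inspect_header(hdr)]


def recover_from_wire(packets: List[Packet]) -> bytes:
    """What any observer on the untrusted network reads from the cleartext headers."""
    return bytes(struct.unpack("!H", hdr[4:6])[0] & 0xFF for hdr, _ in packets)


if __name__ == "__main__":
    wire = guard(untrusted_source(b"plan"), key=b"k3y")
    print(recover_from_wire(wire))  # b'plan'
```

Every header passes inspection because a binary header never contains a dirty word, the userdata is encrypted as designed, and the secret still crosses the boundary. Tightening the inspector (fixed Identification values, zeroed TOS, normalized TTL) only moves the leak to the next unconstrained field or to packet timing; the only assured fix is the procedural one the text names: do not treat the source as trusted to produce the "unclassified" part of an MLS construct.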
Is truly an MLS system or more a form of cross-domain transfer data guard. Mandatory access controls are maintained by a combination of XTS-400 and application-specific mechanisms. Joint Cross Domain eXchange (JCDX) is another example of an MLS capability currently on the UCDMO baseline. JCDX is the only Department of Defense (DoD), Defense Intelligence Agency (DIA) accredited Multilevel Security (MLS) Command, Control, Communication, Computers and Intelligence (C4I) system that provides near real-time intelligence and warning support to theater and forward-deployed tactical commanders. The JCDX architecture
Is used to allow a number of high-performance peripherals to be attached. One SCSI peripheral is a PC Card reader that can support Fortezza. Multiple SCSI host adapters can be included. The XTS-400 has been preceded by several evaluated ancestors, all developed by the same group: Secure Communications Processor (SCOMP), XTS-200, and XTS-300. All of the predecessor products were evaluated under Trusted Computer System Evaluation Criteria (TCSEC) (a.k.a. Orange Book) standards. SCOMP completed evaluation in 1984 at
The Department of State, the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI). In December 1951, President Harry S. Truman ordered a panel to investigate how AFSA had failed to achieve its goals. The results of the investigation led to improvements and its redesignation as the National Security Agency. The National Security Council issued a memorandum of October 24, 1952, that revised National Security Council Intelligence Directive (NSCID) 9. On
The Foreign Intelligence Surveillance Court when within U.S. borders. Alleged Echelon-related activities, including its use for motives other than national security, including political and industrial espionage, received criticism from countries outside the UKUSA alliance. The NSA was also involved in planning to blackmail people with "SEXINT", intelligence gained about a potential target's sexual activity and preferences. Those targeted had not committed any apparent crime nor were they charged with one. To support its facial recognition program,
The National Cyber Security Division of the Department of Homeland Security (DHS) agreed to expand the NSA Centers of Academic Excellence in Information Assurance Education Program. As part of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD 54), signed on January 8, 2008, by President Bush, the NSA became the lead agency to monitor and protect all of
The U.S. Army cryptographic section of military intelligence known as MI-8, the U.S. government created the Cipher Bureau, also known as the Black Chamber, in 1919. The Black Chamber was the United States' first peacetime cryptanalytic organization. Jointly funded by the Army and the State Department, the Cipher Bureau was disguised as a New York City commercial code company; it produced and sold such codes for business use. Its true mission, however,
The US Court of Appeals. The court also added that the US intelligence leaders, who publicly defended it, were not telling the truth. NSA's eavesdropping mission includes radio broadcasting, both from various organizations and individuals, the Internet, telephone calls, and other intercepted forms of communication. Its secure communications mission includes military, diplomatic, and all other sensitive, confidential, or secret government communications. According to
The United States Department of Defense data sensitivity classification model (i.e., "Unclassified," "Secret," "Top Secret"), but can be configured for commercial environments. Other security features include: STOP comes in only a single package, so that there is no confusion about whether a particular package has all security features present. Mandatory policies cannot be disabled. Policy configuration does not require
The protection of U.S. communications networks and information systems. The NSA relies on a variety of measures to accomplish its mission, the majority of which are clandestine. The NSA has roughly 32,000 employees. Originating as a unit to decipher coded communications in World War II, it was officially formed as the NSA by President Harry S. Truman in 1952. Between then and the end of
The 1970s and that MLS products are continuing to be built, marketed, and deployed. Laypersons often conclude that to admit that a system operates in an MLS environment (environment-centric meaning of MLS) is to be backed into the perceived corner of having a problem with no MLS solution (capability-centric meaning of MLS). MLS is deceptively complex, and just because simple solutions are not obvious does not justify
The 1990s. Even Germany's Chancellor Angela Merkel's cellphones and the phones of her predecessors had been intercepted. Edward Snowden revealed in June 2013 that between February 8 and March 8, 2013, the NSA collected about 124.8 billion telephone data items and 97.1 billion computer data items throughout the world, as was displayed in charts from an internal NSA tool codenamed Boundless Informant. Initially, it
The API and require additional, proprietary interfaces, conformance is close enough that most applications will run on the XTS without recompilation. Some security features were added or improved as compared to earlier versions of the system, and performance was also improved. As of July 2006, enhancements continue to be made to the XTS line of products. On September 5, 2006, the United States Patent Office granted BAE Systems Information Technology, LLC United States Patent 7,103,914, "Trusted computer system". STOP
The B3 level. XTS-300 also went through several ratings maintenance cycles (a.k.a. RAMP), very similar to an assurance continuity cycle under CC, ultimately ending up with version 5.2.E being evaluated in 2000. Development of the XTS-400 began in June 2000. The main customer-visible change was specific conformance to the Linux API. Though the security features of the XTS system put some restrictions on
The Black Chamber access to cable traffic of foreign embassies and consulates. Soon, these companies publicly discontinued their collaboration. Despite the Chamber's initial successes, it was shut down in 1929 by U.S. Secretary of State Henry L. Stimson, who defended his decision by stating, "Gentlemen do not read each other's mail." During World War II, the Signal Intelligence Service (SIS)
The CC evaluation of the XTS-400, but they can be accredited. The XTS-400 can be used as a desktop, server, or network gateway. The interactive environment, typical Unix command line tools, and a GUI are present in support of a desktop solution. Since the XTS-400 supports multiple, concurrent network connections at different sensitivity levels, it can be used to replace several single-level desktops connected to several different networks. In support of server functionality,
The CIA and the Defense Intelligence Agency (DIA), both of which specialize primarily in foreign human espionage, the NSA does not publicly conduct human intelligence gathering. The NSA is entrusted with assisting with and coordinating SIGINT elements for other government organizations, which are prevented by Executive Order from engaging in such activities on their own. As part of these responsibilities,
The Church Committee hearings, the Foreign Intelligence Surveillance Act of 1978 was passed. This was designed to limit the practice of mass surveillance in the United States. In 1986, the NSA intercepted the communications of the Libyan government during the immediate aftermath of the Berlin discotheque bombing. The White House asserted that the NSA interception had provided "irrefutable" evidence that Libya
The Cold War, it became the largest of the U.S. intelligence organizations in terms of personnel and budget, but information available as of 2013 indicates that the Central Intelligence Agency (CIA) pulled ahead in this regard, with a budget of $14.7 billion. The NSA currently conducts worldwide mass data collection and has been known to physically bug electronic systems as one method to this end. The NSA
The Common Criteria at EAL5+ against the CAPP and LSPP protection profiles. CAPP and LSPP are both EAL3 protection profiles that are not inherently MLS-capable, but the security target for the Common Criteria evaluation of this product contains an enriched set of security functions that provide MLS capability. Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like those defined by the Bell–LaPadula model, only allow sharing when it obviously does not violate security restrictions. Users with lower clearances can easily share their work with users holding higher clearances, but not vice versa. There
The Common Criteria decoupled TCSEC's pairing of assurance (EAL) and functionality (Protection Profile), the clear uniform mapping between security requirements and MLS security range capability documented in CSC-STD-004-85 has largely been lost since the Common Criteria superseded the Rainbow Series. Freely available operating systems with some features that support MLS include Linux with the Security-Enhanced Linux feature enabled and FreeBSD. Security evaluation
The Department of Defense and Intelligence communities operating at varying classification levels. It is also the foundation for the multilevel coalition sharing environment, the Battlefield Information Collection and Exploitation Systems Extended (BICES-X). Sun Microsystems, now Oracle Corporation, offers Solaris Trusted Extensions as an integrated feature of the commercial OSs Solaris and OpenSolaris. In addition to
The LSPP and CAPP. The EAL5+ evaluation included analysis of covert channels and additional vulnerability analysis and testing by the National Security Agency. XTS-400 version 6.4.U4 completed evaluation in July 2008 at EAL5 augmented with ALC_FLR.3 and ATE_IND.3 (validation report CCEVS-VR-VID10293-2008), also still conforming to the LSPP and CAPP. Like its predecessor, it also included analysis of covert channels and additional vulnerability analysis and testing by
The NSA is intercepting "millions of images per day". The Real Time Regional Gateway is a data collection program introduced in 2005 in Iraq by the NSA during the Iraq War that consisted of gathering all electronic communication, storing it, then searching and otherwise analyzing it. It was effective in providing information about Iraqi insurgents who had eluded less comprehensive techniques. This "collect it all" strategy introduced by NSA director Keith B. Alexander
The NSA that allowed the export of a version that supported stronger keys with 64 bits, but 24 of the bits were encrypted with a special key and included in the message to provide a "workload reduction factor" for the NSA. This strengthened the protection for users of Notes outside the US against private-sector industrial espionage, but not against spying by the US government. While it is assumed that foreign transmissions terminating in
The NSA tracks hundreds of millions of people's movements using cell phone metadata. Internationally, research has pointed to the NSA's ability to surveil the domestic Internet traffic of foreign countries through "boomerang routing". The origins of the National Security Agency can be traced back to April 28, 1917, three weeks after the U.S. Congress declared war on Germany in World War I. A code and cipher decryption unit
The NSA was a trusted partner with academia and industry in the development of cryptographic standards started to come to an end when, as part of the change in the NSA in the post-September 11 era, Snow was replaced as Technical Director, Jacobs retired, and IAD could no longer effectively oppose proposed actions by the offensive arm of the NSA. In the aftermath of the September 11 attacks, the NSA created new IT systems to deal with
The NSA was not known to the public at that time. Due to its ultra-secrecy, the U.S. intelligence community referred to the NSA as "No Such Agency". In the 1960s, the NSA played a key role in expanding U.S. commitment to the Vietnam War by providing evidence of a North Vietnamese attack on the American destroyer USS Maddox during the Gulf of Tonkin incident. A secret operation, code-named "MINARET",
The NSA's Tailored Access Operations (TAO) group implant catalog, after implanting Cottonmouth, the NSA can establish a network bridge "that allows the NSA to load exploit software onto modified computers as well as allowing the NSA to relay commands and data between hardware and software implants." NSA's mission, as outlined in Executive Order 12333 in 1981, is to collect information that constitutes "foreign intelligence or counterintelligence" while not "acquiring information concerning
The National Security Agency. The official postings for all the XTS-400 evaluations can be seen on the Validated Product List. The main security feature that sets STOP apart from most operating systems is the mandatory sensitivity policy. Support for a mandatory integrity policy also sets STOP apart from most MLS or trusted systems. While a sensitivity policy deals with preventing unauthorized disclosure, an integrity policy deals with preventing unauthorized deletion or modification (such as
8733-446: The STOP operating system, STOP 7 has since been introduced, with claims to have improved performance and new features such as RBAC . As a high-assurance, MLS system, XTS-400 can be used in cross-domain solutions , which typically need a piece of privileged software to be developed which can temporarily circumvent one or more security features in a controlled manner. Such pieces are outside
8856-651: The Secure Server needs to access the User Access Authentication database, kept at system high , while establishing a session for a user at a lower sensitivity level. The XTS-400 can provide a high level of security in many application environments, but trade-offs are made to attain it. Potential weaknesses for some customers may include: Multilevel security This distinction is important because systems that need to be trusted are not necessarily trustworthy. An MLS operating environment often requires
8979-591: The U.S. (such as a non-U.S. citizen accessing a U.S. website) subject non-U.S. citizens to NSA surveillance, recent research into boomerang routing has raised new concerns about the NSA's ability to surveil the domestic Internet traffic of foreign countries. Boomerang routing occurs when an Internet transmission that originates and terminates in a single country transits another. Research at the University of Toronto has suggested that approximately 25% of Canadian domestic traffic may be subject to NSA surveillance activities as
9102-629: The UCDMO baseline is called MLChat Archived 2013-03-17 at the Wayback Machine , and it is a chat server that runs on the XTS-400 operating system - it was created by the US Naval Research Laboratory . Given that content from users at different domains passes through the MLChat server, dirty-word scanning is employed to protect classified content, and there has been some debate about if this
9225-574: The United States National Institute of Standards and Technology (NIST), and the International Organization for Standardization (aka ISO). This memo appears to give credence to previous speculation by cryptographers at Microsoft Research . Edward Snowden claims that the NSA often bypasses encryption altogether by lifting information before it is encrypted or after it is decrypted. XKeyscore rules (as specified in
9348-465: The XTS-400 can be implemented in a rackmount configuration, accepts an uninterruptible power supply (UPS), allows multiple network connections, accommodates many hard disks on a SCSI subsystem (also saving disk blocks using a sparse file implementation in the file system ), and provides a trusted backup/save tool. Server software, such as an Internet daemon, can be ported to run on the XTS-400. A popular application for high-assurance systems like
9471-762: The XTS-400 is to guard information flow between two networks of differing security characteristics. Several customer guard solutions are available based on XTS systems. XTS-400 version 6.0.E completed a Common Criteria (CC) evaluation in March 2004 at EAL4 augmented with ALC_FLR.3 (validation report CCEVS-VR-04-0058.) Version 6.0.E also conformed with the protection profiles entitled Labeled Security Protection Profile (LSPP) and Controlled Access Protection Profile (CAPP), though both profiles are surpassed in functionality and assurance. XTS-400 version 6.1.E completed evaluation in March 2005 at EAL5 augmented with ALC_FLR.3 and ATE_IND.3 (validation report CCEVS-VR-05-0094), still conforming to
9594-504: The ability to monitor a large proportion of the world's transmitted civilian telephone, fax, and data traffic. During the early 1970s, the first of what became more than eight large satellite communications dishes were installed at Menwith Hill. Investigative journalist Duncan Campbell reported in 1988 on the " ECHELON " surveillance program, an extension of the UKUSA Agreement on global signals intelligence SIGINT , and detailed how
9717-517: The aftermath of the Watergate scandal , a congressional hearing in 1975 led by Senator Frank Church revealed that the NSA, in collaboration with Britain's SIGINT intelligence agency, Government Communications Headquarters (GCHQ), had routinely intercepted the international communications of prominent anti-Vietnam war leaders such as Jane Fonda and Dr. Benjamin Spock . The NSA tracked these individuals in
9840-761: The agency has a co-located organization called the Central Security Service (CSS), which facilitates cooperation between the NSA and other U.S. defense cryptanalysis components. To further ensure streamlined communication between the signals intelligence community divisions, the NSA Director simultaneously serves as the Commander of the United States Cyber Command and as Chief of the Central Security Service. The NSA's actions have been
9963-399: The box interaction among levels consistent with the hierarchical relations of Bell-La Padula, MILS is (almost deceptively) simple to implement initially but needs non-trivial supplementary import/export applications to achieve the richness and flexibility expected by practical MLS applications. Any MILS/MLS comparison should consider if the accreditation of a set of simpler export applications
10086-468: The breadth of the MLS security range. Historically few implementations have been certified capable of MLS processing with a security range of Unclassified through Top Secret. Among them were Honeywell 's SCOMP, USAF SACDIN, NSA 's Blacker , and Boeing 's MLS LAN, all under TCSEC, 1980s vintage and Intel 80386 -based. Currently, MLS products are evaluated under the Common Criteria . In late 2008,
10209-451: The controlled access protection profile (CAPP), and role-based access control (RBAC) protection profiles, Trusted Extensions have also been certified at EAL4 to the labeled security protection profile (LSPP). The security target includes both desktop and network functionality. LSPP mandates that users are not authorized to override the labeling policies enforced by the kernel and X Window System (X11 server). The evaluation does not include
10332-558: The controlled interaction between the domains addressed by the above models. Trusted security-compliant channels mentioned above can link MILS domains to support more MLS functionality. The MILS approach pursues a strategy characterized by an older term, MSL ( multiple single level ), that isolates each level of information within its own single-level environment ( System High ). The rigid process communication and isolation offered by MILS may be more useful to ultra high reliability software applications than MLS. MILS notably does not address
10455-538: The criteria required under the definition of MLS by CNSSI 4009 (paraphrased at the start of this article), the system must provide a user interface that is capable of allowing a user to access and process content at multiple classification levels from one system. The UCDMO ran a track specifically focused on MLS at the NSA Information Assurance Symposium in 2009, in which it highlighted several accredited (in production) and emergent MLS systems. Note
10578-549: The damage that a virus might attempt). Normal (i.e., untrusted) users do not have the discretion to change the sensitivity or integrity levels of objects. The Bell–LaPadula and Biba formal models are the basis for these policies. Both the sensitivity and integrity policies apply to all users and all objects on the system. STOP provides 16 hierarchical sensitivity levels, 64 non-hierarchical sensitivity categories, 8 hierarchical integrity levels, and 16 non-hierarchical integrity categories. The mandatory sensitivity policy enforces
10701-417: The data as trusted evidence that it is 'really' unclassified (e.g. 'strict' format). A system high system cannot be trusted to preserve any trusted evidence, and the result is that an overt data path is opened with no logical way to securely mediate it. Bypass can be risky because, unlike narrow bandwidth covert channels that are difficult to exploit, bypass can present a large, easily exploitable overt leak in
10824-526: The eavesdropping operations worked. On November 3, 1999, the BBC reported that they had confirmation from the Australian Government of the existence of a powerful "global spying network" code-named Echelon, that could "eavesdrop on every single phone call, fax or e-mail, anywhere on the planet" with Britain and the United States as the chief protagonists. They confirmed that Menwith Hill was "linked directly to
10947-516: The equivalent agencies in the United Kingdom ( Government Communications Headquarters ), Canada ( Communications Security Establishment ), Australia ( Australian Signals Directorate ), and New Zealand ( Government Communications Security Bureau ), otherwise known as the UKUSA group, was reported to be in command of the operation of the so-called ECHELON system. Its capabilities were suspected to include
11070-460: The federal government's computer networks from cyber-terrorism . A part of the NSA's mission is to serve as a combat support agency for the Department of Defense. Operations by the National Security Agency can be divided into three types: "Echelon" was created in the incubator of the Cold War . Today it is a legacy system , and several NSA stations are closing. NSA/CSS, in combination with
11193-526: The first operating system (more below) was certified to a high evaluated assurance level: Evaluation Assurance Level (EAL) - EAL 6+ / High Robustness, under the auspices of a U.S. government program requiring multilevel security in a high threat environment. While this assurance level has many similarities to that of the old Orange Book A1 (such as formal methods), the functional requirements focus on fundamental isolation and information flow policies rather than higher level policies such as Bell-La Padula. Because
11316-504: The flood of information from new technologies like the Internet and cell phones. ThinThread contained advanced data mining capabilities. It also had a "privacy mechanism"; surveillance was stored encrypted; decryption required a warrant. The research done under this program may have contributed to the technology used in later systems. ThinThread was canceled when Michael Hayden chose Trailblazer , which did not include ThinThread's privacy system. Trailblazer Project ramped up in 2002 and
11439-472: The founder of Linux kernel , joked during a LinuxCon keynote on September 18, 2013, that the NSA, who is the founder of SELinux , wanted a backdoor in the kernel. However, later, Linus' father, a Member of the European Parliament (MEP), revealed that the NSA actually did this. When my oldest son was asked the same question: "Has he been approached by the NSA about backdoors?" he said "No", but at
11562-607: The headquarters of the US National Security Agency (NSA) at Fort Meade in Maryland". NSA's United States Signals Intelligence Directive 18 (USSID 18) strictly prohibited the interception or collection of information about "... U.S. persons , entities, corporations or organizations...." without explicit written legal permission from the United States Attorney General when the subject is located abroad, or
11685-425: The hierarchical structure that is embodied by the notion of security levels. This requires the addition of specific import/export applications between domains each of which needs to be accredited appropriately. As such, MILS might be better called Multiple Independent Domains of Security (MLS emulation on MILS would require a similar set of accredited applications for the MLS applications). By declining to address out of
11808-496: The highest functional and assurance level then in place: A1. Since then the product has evolved from proprietary hardware and interfaces to commodity hardware and Linux interfaces. The XTS-200 was designed as a general-purpose operating system supporting a Unix-like application and user environment. XTS-200 completed evaluation in 1992 at the B3 level. The XTS-300 transitioned from proprietary, mini-computer hardware to COTS, Intel x86 hardware. XTS-300 completed evaluation in 1994 at
11931-438: The kernel and depend on the kernel to protect them from corruption and subversion. If the kernel is not evaluated to an MLS-capable protection profile, MLS features cannot be trusted regardless of how impressive the demonstration looks. It is particularly noteworthy that CAPP is specifically not an MLS-capable profile as it specifically excludes self-protection capabilities critical for MLS. General Dynamics offers PitBull ,
12054-452: The layperson's overemphasis of EAL level with over-certification, such as certifying an EAL 3 protection profile (like CAPP) to elevated levels, like EAL 4 or EAL 5. Another is adding and certifying MLS support features (such as role-based access control protection profile (RBACPP) and labeled security protection profile (LSPP)) to a kernel that is not evaluated to an MLS-capable protection profile. Those types of features are services run on
12177-642: The outermost. The inner three rings constitute the kernel . Software in an outer ring is prevented from tampering with software in an inner ring. The kernel is part of every process's address space and is needed by both normal and privileged processes. A security kernel occupies the innermost and most privileged ring and enforces all mandatory policies. It provides a virtual process environment, which isolates one process from another. It performs all low-level scheduling, memory management , and interrupt handling. The security kernel also provides I/O services and an IPC message mechanism. The security kernel's data
12300-484: The padded cell hypervisor in systems such as Green Hill's Integrity platform, and XenClient XT from Citrix. The High Assurance Platform from NSA as implemented in General Dynamics ' Trusted Virtualization Environment (TVE) is another example - it uses SELinux at its core, and can support MLS applications that span multiple domains. National Security Agency The National Security Agency ( NSA )
12423-427: The product complete a formal computer security evaluation. The evaluation is stricter for a broader security range, which are the lowest and highest classification levels the system can process. The Trusted Computer System Evaluation Criteria (TCSEC) was the first evaluation criteria developed to assess MLS in computer systems. Under that criteria there was a clear uniform mapping between the security requirements and
12546-504: The same day, Truman issued a second memorandum that called for the establishment of the NSA. The actual establishment of the NSA was done by a November 4 memo by Robert A. Lovett , the Secretary of Defense , changing the name of the AFSA to the NSA, and making the new agency responsible for all communications intelligence. Since President Truman's memo was a classified document, the existence of
12669-556: The same time he nodded. Then he was sort of in the legal free. He had given the right answer, everybody understood that the NSA had approached him. IBM Notes was the first widely adopted software product to use public key cryptography for client-server and server–server authentication and encryption of data. Until US laws regulating encryption were changed in 2000, IBM and Lotus were prohibited from exporting versions of Notes that supported symmetric encryption keys that were longer than 40 bits. In 1997, Lotus negotiated an agreement with
12792-468: The security environment, or mode. One solution to this confusion is to retain the original definition of MLS and be specific about MLS-capable when that context is used. Multiple Independent Levels of Security (MILS) is an architecture that addresses the domain separation component of MLS. Note that UCDMO (the US government lead for cross domain and multilevel systems) created a term Cross Domain Access as
12915-559: The security features of the system. OSS implements signals, process groups, and some memory devices. OSS's data is local to the process within which it is executing. Software is considered trusted if it performs functions upon which the system depends to enforce the security policy (e.g., the establishment of user authorization). This determination is based on integrity level and privileges. Untrusted software runs at integrity level 3, with all integrity categories, or lower. Some processes require privileges to perform their functions—for example
13038-413: The source is untrusted, it could be corrupt and place secrets in the unclassified packet header. The corrupted packet headers could be nonsense but it is impossible for the subject system to determine that with any reasonable reliability. The packet userdata is cryptographically well protected but the packet header can contain readable secrets. If the corrupted packets are passed to an untrusted network by
13161-426: The subject system they may not be routable but some cooperating corrupt process in the network could grab the packets and acknowledge them and the subject system may not detect the leak. This can be a large overt leak that is hard to detect. Viewing classified packets with unclassified headers as system high structures instead of the MLS structures they really are presents a very common but serious threat. Most bypass
13284-424: The system. Bypass often arises out of failure to use trusted operating environments to maintain continuous separation of security domains all the way back to their origin. When that origin lies outside the system boundary, it may not be possible to validate the trusted separation to the origin. In that case, the risk of bypass can be unavoidable if the flow truly is essential. A common example of unavoidable bypass
13407-518: The unit consisted of Yardley and two civilian clerks. It absorbed the Navy's cryptanalysis functions in July 1918. World War I ended on November 11, 1918 , and the army cryptographic section of Military Intelligence (MI-8) moved to New York City on May 20, 1919, where it continued intelligence activities as the Code Compilation Company under the direction of Yardley. After the disbandment of
13530-579: The use of MLS in SELinux . There are several databases classified as MLS systems. Oracle has a product named Oracle Label Security (OLS) that implements mandatory access controls - typically by adding a 'label' column to each table in an Oracle database . OLS is being deployed at the US Army INSCOM as the foundation of an "all-source" intelligence database spanning the JWICS and SIPRNet networks. There
13653-456: Was behind the bombing, which U.S. President Ronald Reagan cited as a justification for the 1986 United States bombing of Libya . In 1999, a multi-year investigation by the European Parliament highlighted the NSA's role in economic espionage in a report entitled 'Development of Surveillance Technology and Risk of Abuse of Economic Information'. That year, the NSA founded the NSA Hall of Honor ,
13776-678: Was created to intercept and decipher the communications of the Axis powers . When the war ended, the SIS was reorganized as the Army Security Agency (ASA), and it was placed under the leadership of the Director of Military Intelligence. On May 20, 1949, all cryptologic activities were centralized under a national organization called the Armed Forces Security Agency (AFSA). This organization
13899-515: Was described by an NSA manager as "some of the most productive operations in TAO because they preposition access points into hard target networks around the world." Computers seized by the NSA due to interdiction are often modified with a physical device known as Cottonmouth. Cottonmouth is a device that can be inserted in the USB port of a computer to establish remote access to the targeted machine. According to
14022-508: Was developed by BAE Systems , and originally released as version 6.0 in December 2003. STOP provides high-assurance security and was the first general-purpose operating system with a Common Criteria assurance level rating of EAL5 or above. The XTS-400 can host, and be trusted to separate, multiple, concurrent data sets, users, and networks at different sensitivity levels. The XTS-400 provides both an untrusted environment for normal work and
14145-507: Was established as the Cable and Telegraph Section, which was also known as the Cipher Bureau. It was headquartered in Washington, D.C., and was part of the war effort under the executive branch without direct congressional authorization. During the war, it was relocated in the army's organizational chart several times. On July 5, 1917, Herbert O. Yardley was assigned to head the unit. At that point,
14268-476: Was once thought to be a problem for these free MLS implementations for three reasons: Notwithstanding such suppositions, Red Hat Enterprise Linux 5 was certified against LSPP, RBACPP, and CAPP at EAL4+ in June 2007. It uses Security-Enhanced Linux to implement MLS and was the first Common Criteria certification to enforce TOE security properties with Security-Enhanced Linux. Vendor certification strategies can be misleading to laypersons. A common strategy exploits
14391-496: Was originally established within the U.S. Department of Defense under the command of the Joint Chiefs of Staff . The AFSA was tasked with directing the Department of Defense communications and electronic intelligence activities, except those of U.S. military intelligence units. However, the AFSA was unable to centralize communications intelligence and failed to coordinate with civilian agencies that shared its interests, such as
14514-520: Was reported that some of these data reflected eavesdropping on citizens in countries like Germany, Spain, and France, but later on, it became clear that those data were collected by European agencies during military missions abroad and were subsequently shared with NSA. In 2013, reporters uncovered a secret memo that claims the NSA created and pushed for the adoption of the Dual EC DRBG encryption standard that contained built-in vulnerabilities in 2006 to
14637-516: Was set up by the NSA to monitor the phone communications of Senators Frank Church and Howard Baker , as well as key leaders of the civil rights movement , including Martin Luther King Jr. , and prominent U.S. journalists and athletes who criticized the Vietnam War . However, the project turned out to be controversial, and an internal review by the NSA concluded that its Minaret program was "disreputable if not outright illegal". The NSA mounted
14760-527: Was the Technical Director of IAD and represented the NSA as cochairman of the Technical Working Group for the AES competition, and Michael Jacobs, who headed IAD at the time. After the terrorist attacks of September 11, 2001 , the NSA believed that it had public support for a dramatic expansion of its surveillance activities. According to Neal Koblitz and Alfred Menezes , the period when
14883-417: Was to be a realization of information processing at higher speeds in cyberspace. The massive extent of the NSA's spying, both foreign and domestic, was revealed to the public in a series of detailed disclosures of internal NSA documents beginning in June 2013. Most of the disclosures were leaked by former NSA contractor Edward Snowden . On 4 September 2020, the NSA's surveillance program was ruled unlawful by
15006-543: Was to break the communications (chiefly diplomatic) of other nations. At the Washington Naval Conference , it aided American negotiators by providing them with the decrypted traffic of many of the conference delegations, including the Japanese . The Black Chamber successfully persuaded Western Union , the largest U.S. telegram company at the time, as well as several other communications companies, to illegally give
15129-697: Was worked on by Science Applications International Corporation (SAIC), Boeing , Computer Sciences Corporation , IBM , and Litton Industries . Some NSA whistleblowers complained internally about major problems surrounding Trailblazer. This led to investigations by Congress and the NSA and DoD Inspectors General . The project was canceled in early 2004. Turbulence started in 2005. It was developed in small, inexpensive "test" pieces, rather than one grand plan like Trailblazer. It also included offensive cyber-warfare capabilities, like injecting malware into remote computers. Congress criticized Turbulence in 2007 for having similar bureaucratic problems as Trailblazer. It