CERT



Information Survivability Network Modeling

A Position Paper

Dr. Armond Inselberg
(armond.inselberg@lmco.com)
Dr. Lee Benzinger            Dr. Ed Meyer
(lee.a.benzinger@lmco.com) (edward.r.meyer@lmco.com)
Lockheed Martin Western Development Laboratories
San Jose, CA

Modeling of communication systems using optimization network flow models and recent developments in composition theory for modeling large, complex communication systems are critical to information survivability. Lockheed Martin Western Development Laboratories (WDL) is actively developing these technologies to address aspects of survivability for several domain specific infrastructures. Additionally, we have developed several software components which provide off-the-shelf building blocks for creating completely trusted distributed system solutions. The Trusted Web Server and Trusted Gateway components, when used in conjunction with a commercially available trusted operating system, such as Trusted Solaris, and an appropriate system architecture, are able to secure both new and existing legacy systems.

We have found that an important set of information survivability issues can be addressed by analyzing a communication system using network flow optimization models. Assuming that the network flow is continuous enables these issues to be solved as optimization problems. Network optimization is good at addressing concerns that involve the scalability and connectivity of the network. These are difficult problems for simulation because of their combinatorial nature; thus, network optimization is a good complement to network simulation. In this way, the adequacy of bandwidth resources, their deployment, and their interconnections can be analyzed. Optimization techniques can also be used to identify bottlenecks and provide sensitivity analysis for exhausted resources. A tool has been developed that allows a network to be drawn with various defining attributes, such as the capacity and distance of the links. The network topology and attributes are analyzed by the tool, using linear and integer programming models.

An example of the relevant problems that we have analyzed is evaluating the vulnerability of a critical infrastructure and assessing its ability to survive attack given known opponent resources. Consider that it is critical to maintain at least a specified amount of capacity between a major bank and its clearing house, even when the network is under attack. We would first determine the maximum flow possible between these two points for the existing network. Then, knowing the adversary's collection of resources that can be used to disrupt our network (e.g., aircraft, jammers, hackers with viruses, etc.), we can determine where these resources could be deployed to maximally disrupt our communications ability. By identifying the adversary's optimal strategy for minimizing our maximum flow, we can identify network elements that need to be protected against attack and, where appropriate, evaluate alternative network configurations. This enables us to ensure that the specified amount of capacity that we need is maintained. Other aspects of the problem that we are considering are the probabilistic destruction of a network, the network being only partially known, and the routing and interdiction being made probabilistic.
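The max-flow and interdiction analysis described above, worked through on a small constructed network as an added example (not the WDL tool, which uses linear and integer programming; the code below computes max flow with Edmonds-Karp and finds the adversary's optimal link-removal strategy by brute-force enumeration, which is adequate for a toy topology). The node names, link capacities and the adversary budget are all assumptions made for the illustration.

```python
from collections import deque
from itertools import combinations

# Constructed example network (not from the paper): directed links with capacities.
# "bank" is the source, "clearing" the sink; a, b, c are intermediate switching nodes.
LINKS = {
    ("bank", "a"): 10,
    ("bank", "b"): 5,
    ("a", "b"): 4,
    ("a", "c"): 6,
    ("b", "c"): 5,
    ("b", "clearing"): 6,
    ("c", "clearing"): 10,
}


def max_flow(links, source, sink):
    """Edmonds-Karp maximum flow over a dict {(u, v): capacity}; returns the flow value."""
    residual = {source: {}, sink: {}}
    for (u, v), cap in links.items():
        residual.setdefault(u, {})
        residual.setdefault(v, {})
        residual[u][v] = residual[u].get(v, 0) + cap   # forward residual capacity
        residual[v].setdefault(u, 0)                    # reverse edge for cancelling flow
    flow = 0
    while True:
        # BFS for the shortest augmenting path in the residual graph
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, cap in residual[u].items():
                if cap > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        # bottleneck capacity along the path found
        path_flow = float("inf")
        v = sink
        while parent[v] is not None:
            path_flow = min(path_flow, residual[parent[v]][v])
            v = parent[v]
        # push that much flow, updating forward and reverse residuals
        v = sink
        while parent[v] is not None:
            u = parent[v]
            residual[u][v] -= path_flow
            residual[v][u] += path_flow
            v = u
        flow += path_flow


def interdict(links, source, sink, budget):
    """Adversary's optimal strategy when it can disable up to `budget` links:
    returns (minimum achievable max flow, tuple of links removed).
    Brute force over link subsets; the links returned are the ones to protect."""
    best_flow, best_removed = max_flow(links, source, sink), ()
    for k in range(1, budget + 1):
        for removed in combinations(links, k):
            remaining = {e: c for e, c in links.items() if e not in removed}
            f = max_flow(remaining, source, sink)
            if f < best_flow:
                best_flow, best_removed = f, removed
    return best_flow, best_removed


def capacity_survives(links, source, sink, budget, required):
    """True if at least `required` capacity remains under the adversary's best attack."""
    worst_flow, _ = interdict(links, source, sink, budget)
    return worst_flow >= required


if __name__ == "__main__":
    print("max flow:", max_flow(LINKS, "bank", "clearing"))
    for budget in (1, 2):
        print("budget", budget, "->", interdict(LINKS, "bank", "clearing", budget))
    print("5 units survive one lost link:", capacity_survives(LINKS, "bank", "clearing", 1, 5))
```

With one link removable, the worst case drops the flow from 15 to 5 by cutting the bank's 10-unit link, which marks that link as the element to harden or to back up with an alternative path; with two links removable the adversary isolates the bank entirely, so the configuration itself would need to change to meet a requirement that survives two losses.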

The WDL composition theory, treating both a communication system and its components as black boxes, develops black box information flow models. Using the developed models of a system, the WDL composition theory can determine the system's functionality, at an architectural level, based on the functionality of its components and the system architecture. In another application of the theory, the information control policy of a system can be determined, provided that the system architecture and the information control policy of each of its components are known. Equally important, the impact on the system functionality due to changes to its architecture or components can be determined through application of the composition theory. Thus, the WDL composition theory allows the evaluation of different architectures and different component functionality in the design and modification of a system.

The Trusted Web Server is a "multilevel" device that supports access at different labels. The use of Trusted Solaris allows many different and complex labeling structures. Using the Trusted Web Server, an organization can maintain a set of Web pages on one machine and provide protected access to different classes of users. That is, users on a "Public" machine can only access the "Public" pages, while users who access the Web Server at a "Proprietary" level can access "Public" pages, as well as "Proprietary" pages. Since access control is enforced by the operating system, and not by the Web Server, CGI scripts, or Java applets, it is much more difficult to fool the Web environment into releasing information inappropriately. Thus, the level of security is potentially much higher with this system than with the usual router and firewall implementations.

The Trusted Gateway provides the ability to geographically distribute a secure labeled network and to interconnect labeled networks with uni-level networks. The Trusted Gateway correctly labels packets that come from uni-level networks and "delabels" packets delivered to those networks. The Gateway provides assurance at the operating system level that network packets are correctly routed with respect to security labels. Encryption is used to protect the confidentiality and integrity of a packet that is transported between gateways across a network with a lower label than that of the packet.
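The label rules that the Trusted Web Server and Trusted Gateway paragraphs describe, expressed as an added example (not code from the WDL components or from Trusted Solaris). The lattice is an assumption: two levels, "Public" below "Proprietary", plus optional compartments, with the usual dominance rule that a session or network may read data whose label is dominated by its own. The pages, the "FIN" compartment and the gateway decisions for a packet that a destination network's label does not dominate are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed two-level lattice; Trusted Solaris supports far richer structures.
LEVELS = {"Public": 0, "Proprietary": 1}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Constructed page set held on one Trusted Web Server host.
PAGES = {
    "/index.html": Label("Public"),
    "/roadmap.html": Label("Proprietary"),
    "/finance.html": Label("Proprietary", frozenset({"FIN"})),
}


def readable_pages(session_label: Label):
    """Read-down as the OS enforces it: a session sees only pages whose label it dominates,
    regardless of what the server, CGI scripts or applets might try to return."""
    return sorted(page for page, lbl in PAGES.items() if session_label.dominates(lbl))


@dataclass(frozen=True)
class Packet:
    payload: bytes
    label: Optional[Label] = None   # None: unlabeled, as on a uni-level network


def label_ingress(packet: Packet, network_label: Label) -> Packet:
    """A packet arriving from a uni-level network is labeled with that network's label."""
    return Packet(packet.payload, network_label)


def deliver_to_unilevel(packet: Packet, network_label: Label) -> Optional[Packet]:
    """Delabel a packet for delivery only if the destination network's label dominates it;
    otherwise delivery would move data to a lower label, so the gateway drops it (assumed policy)."""
    if packet.label is not None and network_label.dominates(packet.label):
        return Packet(packet.payload, None)
    return None


def gateway_forwarding_mode(packet_label: Label, transit_label: Label) -> str:
    """Between gateways, a packet crossing a transit network whose label does not dominate
    the packet's own label must be protected by encryption; otherwise it may go in the clear."""
    return "clear" if transit_label.dominates(packet_label) else "encrypt"


if __name__ == "__main__":
    print(readable_pages(Label("Public")))
    print(readable_pages(Label("Proprietary", frozenset({"FIN"}))))
    pkt = label_ingress(Packet(b"constructed payload"), Label("Proprietary"))
    print(deliver_to_unilevel(pkt, Label("Public")))
    print(gateway_forwarding_mode(pkt.label, Label("Public")))
```

The point of expressing both components against one `dominates` relation is that the access decision lives in a single place below the application layer, which is what the paragraph above credits for the higher assurance relative to router and firewall rules.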

References:
L. Benzinger, Applying the WDL Composition Theory to Analyze Security Architectures, Composition Software Architecture Workshop, Monterey, CA, January 1998.

G. Dinolt, L. Benzinger, and M. Yatabe, Combining Components and Policies, Proceedings of the Computer Security Foundations Workshop VII, 1994, pp. 22-33, IEEE Computer Society, Los Alamitos, CA.

