By Rance J. DeLong and Ekaterina Rudina
MILS builds on and extends a long tradition of work on architectural approaches to security to provide methods and tools to create high-assurance architectures for secure information sharing and dependable systems. These approaches aim to leverage system architecture to prohibit an unauthorized subject from accessing or modifying sensitive information while ensuring authorized subjects are able to do so. A thoughtful architecture may also limit the damage that can result from a compromised or failed subject.
The origin of the term ‘MILS’ was an acronym standing for ‘Multiple Independent Levels of Security/Safety’. Today it is used as a proper name for the approach that starts with partitioning the system under design into isolated compartments, or security domains.
At the heart of MILS is domain separation, though the focus today has shifted from hierarchical domains (as in multilevel security) to flexible domain structures that support many kinds of security policies, including ones that are not layered or constrained by strict levels.
Need for Trustworthy System Operation
The raison d’être of MILS over the past four decades has been the need for assuredly secure systems, and also for assured safety and other critical properties. Our understanding of how to achieve assurance and how to construct and present assurance artifacts for increasingly challenging use cases has advanced as a byproduct of pushing MILS forward to new capabilities.
MILS sets forth a bold vision for building and evaluating critical systems from separately constructed and evaluated components. The intuitive security architectural design proceeds by decomposing a system into a “circles and arrows” diagram and then continuing to split big circles into further circles and arrows, so that security depends on only a few trusted circles, and those circles are trusted to do relatively simple things.
The arrows represent the needed communication channels among the circles. The behavior of each trusted circle exhibits the local policy that it is trusted to enforce. This policy architecture is then implemented on mechanisms that enable trusted and untrusted circles to share physical resources securely. It is presumed that circles and arrows are cheap so that decomposition may be used liberally to simplify the trusted circles and their associated policies.
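As an added illustration, not taken from the whitepaper, the following Python models a “circles and arrows” policy architecture and checks the property the text describes: every flow from an untrusted circle into another security domain must pass through a trusted circle that enforces a local policy. The component names, domains and channels are constructed for the example.

```python
from collections import deque

class PolicyArchitecture:
    """Circles are components tagged with a security domain and a trust flag;
    arrows are the permitted one-way communication channels between them."""

    def __init__(self):
        self.circles = {}   # name -> {"domain": str, "trusted": bool}
        self.arrows = {}    # name -> set of circle names it may send to

    def add_circle(self, name, domain, trusted=False):
        self.circles[name] = {"domain": domain, "trusted": trusted}
        self.arrows.setdefault(name, set())

    def add_arrow(self, src, dst):
        self.arrows[src].add(dst)

    def unmediated_flows(self):
        """Return (src, dst) pairs where an untrusted circle can reach a circle in
        another domain through untrusted circles only, i.e. with no trusted
        circle on the path to enforce a policy on that cross-domain flow."""
        bad = []
        for start, info in self.circles.items():
            if info["trusted"]:
                continue  # trusted circles enforce their own local policy
            seen, queue = {start}, deque([start])
            while queue:
                cur = queue.popleft()
                for nxt in self.arrows[cur]:
                    if nxt in seen:
                        continue
                    seen.add(nxt)
                    if self.circles[nxt]["trusted"]:
                        continue  # flow is mediated here; do not traverse further
                    if self.circles[nxt]["domain"] != info["domain"]:
                        bad.append((start, nxt))
                    queue.append(nxt)
        return sorted(bad)

    def trusted_base(self):
        """The circles that security depends on; MILS aims to keep this small."""
        return sorted(n for n, c in self.circles.items() if c["trusted"])

def build_gateway_example(direct_link=False):
    """Constructed sample: a plant-side app reaches a cloud agent only through a
    trusted guard. direct_link=True adds a bypass arrow that violates the policy."""
    pa = PolicyArchitecture()
    pa.add_circle("sensor_app", "plant")
    pa.add_circle("logger", "plant")
    pa.add_circle("guard", "gateway", trusted=True)
    pa.add_circle("cloud_agent", "cloud")
    pa.add_arrow("sensor_app", "logger")
    pa.add_arrow("sensor_app", "guard")
    pa.add_arrow("guard", "cloud_agent")
    if direct_link:
        pa.add_arrow("sensor_app", "cloud_agent")
    return pa
```

Running `build_gateway_example(direct_link=True).unmediated_flows()` reports the bypass channel, while the mediated architecture reports none and a trusted base of only the guard.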
MILS today
The MILS architectural approach is a strategy for the cost-effective construction of systems requiring dependability with high assurance. It is a component-based approach to the construction, assurance and certification of trustworthy systems. In the design and implementation of systems, MILS emphasizes decomposition, policy architecture, separation, component integration, secure sharing of computing resources, and compositional assurance.
MILS is appropriate for systems requiring a high level of assurance for security, safety or other key characteristics in sectors such as automotive, avionics, industrial automation, defense and critical infrastructures.
MILS is popularly characterized, in simplified form, as the use of a separation kernel to run applications belonging to diverse security domains, or having different levels of safety requirements (safety criticalities), on the same computer. However, there is much more to the MILS architectural approach.
The MILS Idea[1] is to design an intuitive logical architecture that achieves a purpose and then to create an implementation structured to faithfully reflect that architecture.
An Excellent Platform for IIoT
A set of standardized MILS foundational components has been defined to compose with a separation kernel to create the MILS Platform. The contemporary MILS Platform, supporting scalable distributed and heterogeneous environments and dynamically changing configurations, can provide an excellent platform for IIoT, enhancing trustworthiness of the five critical characteristics featured in the Industrial Internet Security Framework (IISF).[2]
A key MILS objective is to encourage a competitive commercial marketplace of off-the-shelf high-assurance components. The technologies underlying the MILS Platform and the tool chain supporting MILS system development must enable reasoning about the interaction of the components, their differential criticalities and the resulting functionality and trustworthiness characteristics of the composition of the components. Many details of the elaboration of MILS and efforts to establish MILS standards have been driven by consideration of this objective.
Rance J. DeLong is a security and assurance consultant and Staff Scientist at The Open Group. Ekaterina Rudina is a Security Analysis Group Manager at Kaspersky. This blog is excerpted from the IIC whitepaper, “MILS Architectural Approach Supporting Trustworthiness of the IIoT Solutions.”
[1] [Rus07] John Rushby. Compositional Certification for MILS. HCSS, 2007.
[2] [IIS16] Industrial Internet Security Framework. Technical Report.