13 research outputs found

    A Cloud-Oriented Cross-Domain Security Architecture

    The Monterey Security Architecture addresses the need to share high-value data across multiple domains of different classification levels while enforcing information flow policies. The architecture allows users with different security authorizations to securely collaborate and exchange information using commodity computers and familiar commercial client software that generally lack the prerequisite assurance and functional security protections. MYSEA seeks to meet two compelling requirements, often assumed to be at odds: enforcing critical, mandatory security policies, and allowing access and collaboration in a familiar work environment. Recent additions to the MYSEA design expand the architecture to support a cloud of cross-domain services, hosted within a federation of multilevel secure (MLS) MYSEA servers. The MYSEA cloud supports single sign-on, service replication, and network-layer quality of security service. This new cross-domain, distributed architecture follows the consumption and delivery model for cloud services, while maintaining the federated control model necessary to support and protect cross-domain collaboration within the enterprise. The resulting architecture shows the feasibility of high-assurance, cross-domain services hosted within a community cloud suitable for interagency, or joint, collaboration. This paper summarizes the MYSEA architecture and discusses MYSEA's approach to provide an MLS-constrained cloud computing environment. Approved for public release; distribution is unlimited.

    Implementation of a parameterization framework for cybersecurity laboratories

    Computer Science courses often include laboratory exercises to make sure certain concepts are experienced hands-on by the students. These courses sometimes are taken by a large number of students and each assignment needs to be graded. Instructors or teaching assistants responsible for grading assignments are presented with the tedious task of verifying students' work. Besides making sure that each student performs the assignment correctly, the assignment grader may also be concerned that students do not cheat on the assignment by copying and submitting work from other students. The objective of this thesis is to investigate and develop a framework for Linux-based cybersecurity laboratory exercises performed on individual student computers. The purpose of the framework is to provide the designer of laboratory exercises with tools to parameterize labs for each student, and automate some aspects of the grading of laboratory exercises. A prototype of this framework was implemented by making use of the Linux Containers, which provide an additional benefit of standardizing execution environments utilized by students and instructors. http://archive.org/details/implementationof1094552998 Civilian, Department of the Navy. Approved for public release; distribution is unlimited.

    Re-mastering Knoppix for the MYSEA testbed

    When a computing environment is operating in a multilevel mode, where users have different clearances, and data exists at multiple levels of classification, supporting commercial-grade operating systems and applications is a major challenge. The Monterey Security Architecture (MYSEA) at the Naval Postgraduate School is a proposed solution. A testbed has been developed to research and prototype the architecture. One part of the architecture requires thin clients -- workstations with no ability to save data or state locally. One approach to provide a reasonable thin client in the short term is to boot an operating system from optical media, such as a CD or DVD. Knoppix is an open source effort that provides a pre-packaged bootable Linux operating system on CD. However, the current version of Knoppix does not provide the configuration and applications required for the MYSEA testbed. This document provides a generic process for re-mastering (or re-packaging) the Knoppix CD, as well as the specific steps for producing a Knoppix CD that is usable in the MYSEA architecture. Approved for public release; distribution is unlimited.

    Labtainers: a framework for parameterized cybersecurity labs using containers

    We have created a framework to simplify creation, deployment, and assessment of stand-alone cyber security lab exercises, intended for use on individual student computers. We are implementing this framework using Linux Docker containers. Each lab has one or more associated containers that ensure an execution environment consistent with the requirements of the software elements and activities within the lab. Lab-specific containers are automatically installed and configured on the student’s Linux computing platform (e.g., a VM) when the student starts the lab. Results of student lab activity are automatically collected and packaged when the student completes the lab, and these results are automatically evaluated on an instructor’s computer, using similar Docker containers. Automated assessment of student labs makes it practical (from an instructor’s perspective) to individualize every instance of each lab such that students cannot easily submit results either created by another student or mined from the Internet. National Science Foundation. NSF Grant DUE-114093

    Labtainers: a Docker-based framework for cybersecurity labs

    Successful lab designs are a valuable resource that should be re-used and shared among educators and between institutions. A collaborative, community-sourced design effort maximizes the benefit of the effort and expertise required to build and test an effective lab exercise. Unfortunately, infrastructure requirements, heterogeneous operating environments, and the desire to incentivize individual student work pose significant challenges that necessitate frequent updating, redesigning and retesting of assignments, creating a significant maintenance burden. To address these challenges, we present Labtainers: a container-based framework for the development, deployment and assessment of Linux-based cyber security lab exercises. Docker containers present a consistent environment that reduces the need for frequent updates, but with considerably less overhead than VM-based approaches. This enables a modest laptop to host labs consisting of multiple networked components. As such, the Labtainers framework is able to simulate a variety of security-relevant scenarios on a standalone student machine, without the need for elaborate infrastructure. Moreover, Labtainers’ scripting support allows exercises to be customized on a per-student basis, then collected and evaluated automatically on the instructor machine. This capability enables the instructor to assign exercises where each solution is unique to the student with little or no increase in complexity of lab setup or assessment. National Science Foundation. NSF Grant DUE-114093

    Towards A Cross-Domain MapReduce Framework

    The Apache™ Hadoop® framework provides parallel processing and distributed data storage capabilities that data analytics applications can utilize to process massive sets of raw data. These Big Data applications typically run as a set of MapReduce jobs to take advantage of Hadoop’s ease of service deployment and large-scale parallelism. Yet, Hadoop has not been adapted for multilevel secure (MLS) environments where data of different security classifications co-exist. To solve this problem, we have used the Security Enhanced Linux (SELinux) Linux kernel extension in a prototype cross-domain Hadoop on which multiple instances of Hadoop applications run at different sensitivity levels. Their accesses to Hadoop resources are constrained by the underlying MLS policy enforcement mechanism. A benefit of our prototype is its extension of the Hadoop Distributed File System to provide a cross-domain read-down capability for Hadoop applications without requiring complex Hadoop server components to be trustworthy

    A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud

    Ground System Architectures Workshop (GSAW 2013), Los Angeles, California, USA, March 201