13 research outputs found
A Cloud-Oriented Cross-Domain Security Architecture
The Monterey Security Architecture addresses the need to share high-value data across multiple domains of different classification levels while enforcing information flow
policies. The architecture allows users with different security authorizations to securely collaborate and exchange information using commodity computers and familiar commercial client software that generally lack the prerequisite assurance and functional security protections. MYSEA seeks to meet two compelling requirements, often assumed to be at odds: enforcing critical, mandatory security policies, and allowing access and collaboration in a familiar work environment. Recent additions to the MYSEA design expand the architecture to support a cloud of cross-domain services, hosted within
a federation of multilevel secure (MLS) MYSEA servers. The MYSEA cloud supports single-sign on, service replication, and
network-layer quality of security service. This new cross domain, distributed architecture follows the consumption and delivery model for cloud services, while maintaining the federated control model necessary to support and protect cross domain collaboration within the enterprise. The resulting architecture shows the feasibility of high-assurance, cross-domain services hosted within a community cloud suitable for interagency, or joint, collaboration. This paper summarizes the MYSEA architecture and discusses MYSEA's approach to provide an MLS-constrained cloud computing environment.Approved for public release; distribution is unlimited
Implementation of a parameterization framework for cybersecurity laboratories
Computer Science courses often include laboratory exercises to make sure certain concepts are experienced hands-on by the students. These courses sometimes are taken by a large number of students and each assignment needs to be graded. Instructors or teaching assistants responsible for grading assignments are presented with the tedious task of verifying students' work. Besides making sure that each student performs the assignment correctly, the assignment grader may also be concerned that students do not cheat on the assignment by copying and submitting work from other students. The objective of this thesis is to investigate and develop a framework for Linux-based cybersecurity laboratory exercises performed on individual student computers. The purpose of the framework is to provide the designer of laboratory exercises with tools to parameterize labs for each student, and automate some aspects of the grading of laboratory exercises. A prototype of this framework was implemented by making use of the Linux Containers, which provide an additional benefit of standardizing execution environments utilized by students and instructors.http://archive.org/details/implementationof1094552998Civilian, Department of the NavyApproved for public release; distribution is unlimited
Re-mastering Knoppix for the MYSEA testbed
When a computing environment is operating in a multilevel mode, where users have different clearances, and data exists at multiple levels of classification, supporting commercial-grade operating systems and applications is a major challenge. The Monterey Security Architecture (MYSEA) at the Naval Postgraduate School is a proposed solution. A testbed has been developed to research and prototype the architecture. One part of the architecture requires thin clients -- workstations with no ability to save data or state locally. One approach to provide a reasonable thin client in the short term is to boot an operating system from optical media, such as a CD or DVD. Knoppix is an open source effort that provides a pre-packaged bootable Linux operating system on CD. However, the current version of Knoppix does not provide the configuration and applications required for the MYSEA testbed. This document provides a generic process for re-mastering (or re-packaging) the Knoppix CD, as well as the specific steps for producing a Knoppix CD that is usable in the MYSEA architecture.Approved for public release; distribution is unlimited
Labtainers: a framework for parameterized cybersecurity labs using containers
We have created a framework to simplify creation, deployment, and assessment of stand-alone cyber security lab exercises, intended for use on individual student computers. We are implementing this framework using Linux Docker containers. Each lab has one or more associated containers that ensure an execution environment consistent with the requirements of the soft ware elements and activities within the lab. Lab-specifi c containers are automatically installed and confi gured on the student’s Linux computing platform, (e.g., a VM) when the student starts the lab. Results of student lab activity are automatically collected and packaged when the student completes the lab, and these results are automatically evaluated on an instructor’s computer, using similar Docker containers. Automated assessment of student labs makes it practical, (from an instructor’s perspective), to individualize every instance of each lab such that students cannot easily submit results either created by another student or mined from the Internet.National Science FoundationNSF Grant DUE-114093
Labtainers: a Docker-based framework for cybersecurity labs
Successful lab designs are a valuable resource that should be re-used and shared among educators and between institutions. A collaborative, community-sourced design effort maximizes the benefit of the effort and expertise required to build and test an effective lab exercise. Unfortunately, infrastructure requirements, heterogeneous operating environments, and the desire to incentivize individual student work pose significant challenges that necessitate frequent updating, redesigning and retesting of assignments, creating a significant maintenance burden. To address these challenges, we present
Labtainers: a container-based framework for the development, deployment and assessment of Linux-based cyber security lab exercises. Docker containers present a consistent environment that reduces the need for frequent updates, but with considerably less overhead than VM-based approaches. This enables a modest laptop to host labs consisting of multiple networked components. As such, the Labtainers framework is able to simulate a variety of security-relevant scenarios on a standalone student
machine, without the need for elaborate infrastructure. Moreover, Labtainers’ scripting support allows exercises to be customized on a per-student basis, then collected and evaluated automatically on the instructor machine. This capability enables the instructor to assign exercises where each solution is unique to the student with little or no increase in complexity of lab setup or assessment.National Science FoundationNSF Grant DUE-114093
Towards A Cross-Domain MapReduce Framework
The Apache™ Hadoop® framework provides parallel
processing and distributed data storage capabilities that data
analytics applications can utilize to process massive sets of raw
data. These Big Data applications typically run as a set of
MapReduce jobs to take advantage of Hadoop’s ease of service
deployment and large-scale parallelism. Yet, Hadoop has not
been adapted for multilevel secure (MLS) environments where
data of different security classifications co-exist. To solve this problem, we have used the Security Enhanced Linux
(SELinux) Linux kernel extension in a prototype cross-domain
Hadoop on which multiple instances of Hadoop applications run
at different sensitivity levels. Their accesses to Hadoop resources
are constrained by the underlying MLS policy enforcement
mechanism. To solve this problem, we have used the Security Enhanced Linux
(SELinux) Linux kernel extension in a prototype cross-domain
Hadoop on which multiple instances of Hadoop applications run
at different sensitivity levels. Their accesses to Hadoop resources
are constrained by the underlying MLS policy enforcement
mechanism. To solve this problem, we have used the Security Enhanced Linux
(SELinux) Linux kernel extension in a prototype cross-domain
Hadoop on which multiple instances of Hadoop applications run
at different sensitivity levels. Their accesses to Hadoop resources
are constrained by the underlying MLS policy enforcement
mechanism. To solve this problem, we have used the Security Enhanced Linux
(SELinux) Linux kernel extension in a prototype cross-domain
Hadoop on which multiple instances of Hadoop applications run
at different sensitivity levels. Their accesses to Hadoop resources
are constrained by the underlying MLS policy enforcement
mechanism. A benefit of our prototype is its extension of the Hadoop Distributed File System to provide a cross-domain read-down capability for Hadoop applications without requiring complex Hadoop server components to be trustworthy
A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud
Ground System Architectures Workshop (GSAW 2013), Los Angeles, California, USA, March 201
A Cloud-Oriented Cross-Domain Security Architecture
The Monterey Security Architecture addresses the need to share high-value data across multiple domains of different classification levels while enforcing information flow
policies. The architecture allows users with different security authorizations to securely collaborate and exchange information using commodity computers and familiar commercial client software that generally lack the prerequisite assurance and functional security protections. MYSEA seeks to meet two compelling requirements, often assumed to be at odds: enforcing critical, mandatory security policies, and allowing access and collaboration in a familiar work environment. Recent additions to the MYSEA design expand the architecture to support a cloud of cross-domain services, hosted within
a federation of multilevel secure (MLS) MYSEA servers. The MYSEA cloud supports single-sign on, service replication, and
network-layer quality of security service. This new cross domain, distributed architecture follows the consumption and delivery model for cloud services, while maintaining the federated control model necessary to support and protect cross domain collaboration within the enterprise. The resulting architecture shows the feasibility of high-assurance, cross-domain services hosted within a community cloud suitable for interagency, or joint, collaboration. This paper summarizes the MYSEA architecture and discusses MYSEA's approach to provide an MLS-constrained cloud computing environment.Approved for public release; distribution is unlimited