SPARTA ISSO

Finished Projects

Secure Execution Environments

DTE DARPA/ITO Project Summary

ARPA Order Number: C356
Principal Investigators: Martha Branstad
Lee Badger
Daniel Sterne
Contractor: Trusted Information Systems, Inc.
3060 Washington Road
Glenwood, Maryland 21738
Phone: (301) 854-6889
FAX: (301) 854-5363
Title of Effort: Internet Safety and Security Task: Internet Safety Through Type-Enforcing Firewalls

Objective:
Develop and prototype improved network protection technology by combining Internet firewall techniques and cryptography with Domain and Type Enforcement (DTE), a strong but flexible operating system access control mechanism. Demonstrate and evaluate increased protection for advanced network applications and services.

Approach:
Extend Internet firewalls and selected hosts to include fundamental protection mechanisms that contain threats posed by currently unsafe services. These mechanisms will provide a framework in which clients and servers can protect themselves and establish mutual and appropriate levels of trust. These mechanisms will be developed in three phases:

Phase 1: Add Domain and Type Enforcement (DTE) to an industry-standard Internet firewall and to selected hosts behind the firewall security perimeter. DTE provides access controls similar to those described initially by Boebert and Kain. In addition to implementing standard firewall service barriers, a DTE firewall will associate DTE access control information with communicated information and encapsulate network service proxies and applications (e.g., Mosaic, gopher, WAIS, NFS) in small DTE domains. This phase will demonstrate increased safety and reliability of network applications and services by preventing errors in or attacks on one service from damaging other services or supporting hosts.

Phase 2: Extend DTE firewalls to employ cryptographic mechanisms for remote authentication, exchange of high-integrity DTE attributes, and protection of firewall-to-firewall communications. Further extend DTE firewalls to support interoperability of multiple DTE access control configurations. Extended DTE firewalls will unload local hosts from cryptographic overheads and implement a protected environment unifying multiple LANs. In addition, they will provide a policy framework with which human administrators can express procedures for safeguarding information shared between LANs and organizations. Demonstrate geographically distributed enterprise applications protected by extended DTE firewalls.

Phase 3: Develop a Domain and Type Authority (DTA) network service, a globally available, fault-tolerant, distributed, trusted service that will distribute DTE policy information to DTE firewalls and hosts. The DTA will allow large numbers of clients and servers to dynamically and automatically configure DTE protection mechanisms to contain errors and control risks inherent in collaboration between organizations using complex network applications. The DTA will significantly increase the safety with which distributed services are produced and consumed, thereby enabling advanced applications such as Digital Libraries and Electronic Commerce.

Recent Accomplishments:
Augmented TIS Firewall ToolKit proxy applications to pass DTE attributes between hosts communicating through a DTE Firewall. Developed an NFS proxy to pass the NFS protocol through a DTE firewall. These proxies enable safe DTE-controlled sharing via the supported protocols.

Significantly optimized the DTE Firewall prototype's handling of standard protocols such as FTP, rlogin, TELNET, and HTTP. This has resulted in performance overheads of less than one percent for FTP, rlogin, and TELNET.

Developed an alpha release of the DTE prototype system, with documentation. This release is organized for consumption by outside researchers, and is now available.

Implemented dynamic DTE policy modules that can be loaded and unloaded from the DTE system's kernel. These modules allow a DTE Firewall to dynamically adjust its security posture to enable protected collaboration between DTE Firewall enclaves. The loading mechanism augments the system's security policy with new domains and types (and also augments existing domains in a controlled fashion); the unloading mechanism removes these types and also cleans up programs and files labeled with the removed security attributes.
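To make the mechanism in the two preceding items concrete (DTE domains and types confining a proxy, and a policy module that is loaded and later unloaded with cleanup), here is a small Python model added for this page. It is not code from the TIS DTE prototype or its BSD/OS kernel. All domain, type, file and process names (user_d, ftp_d, partner_d, shared_t, quarantine_t, /usr/bin/ftp-gw and so on), the rule that a module may grant an existing domain rights only on the module's own types, and the choice to terminate processes in a removed domain and relabel files of a removed type to a quarantine type are assumptions made for the example, not the prototype's actual rules.

```python
"""Toy model of Domain and Type Enforcement (DTE) with loadable policy modules.

Added illustration for this page, not code from the TIS DTE prototype.
Every domain, type, file and process name below is constructed.
"""
from dataclasses import dataclass, field

R, W, X = "r", "w", "x"          # read, write, execute rights on a type
QUARANTINE_T = "quarantine_t"    # assumption: where files of a removed type end up


@dataclass
class PolicyModule:
    """A loadable augmentation of the base policy."""
    name: str
    domains: set                                      # new domains it introduces
    types: set                                        # new types it introduces
    grants: list                                      # (domain, type, rights)
    transitions: dict = field(default_factory=dict)   # (domain, entry type) -> domain


class DteSystem:
    def __init__(self, domains, types, grants, transitions):
        self.domains, self.types = set(domains), set(types) | {QUARANTINE_T}
        self.access = {}                  # (domain, type) -> set of rights
        self.transitions = dict(transitions)
        for d, t, rights in grants:
            self._grant(d, t, rights)
        self.files = {}                   # path -> type label
        self.procs = {}                   # pid -> domain label
        self.modules = {}                 # name -> loaded PolicyModule

    def _grant(self, domain, type_, rights):
        if domain not in self.domains or type_ not in self.types:
            raise KeyError((domain, type_))
        self.access.setdefault((domain, type_), set()).update(rights)

    def allows(self, pid, path, right):
        """The DTE check: does the process's domain hold `right` on the file's type?"""
        return right in self.access.get((self.procs[pid], self.files[path]), set())

    def exec_file(self, pid, path):
        """Exec needs X on the file's type; an entry-point type may switch the domain."""
        if not self.allows(pid, path, X):
            return False
        key = (self.procs[pid], self.files[path])
        self.procs[pid] = self.transitions.get(key, self.procs[pid])
        return True

    def load(self, mod):
        """Augment the policy with new domains/types and controlled grants to old domains."""
        if mod.domains & self.domains or mod.types & self.types:
            raise ValueError(f"{mod.name} redefines existing attributes")
        for d, t, _ in mod.grants:        # assumption: a module may not widen base-to-base access
            if d not in mod.domains and t not in mod.types:
                raise ValueError(f"{mod.name} may not alter base access ({d},{t})")
        self.domains |= mod.domains
        self.types |= mod.types
        for d, t, rights in mod.grants:
            self._grant(d, t, rights)
        self.transitions.update(mod.transitions)
        self.modules[mod.name] = mod

    def unload(self, name):
        """Remove the module's attributes and clean up whatever is still labeled with them."""
        mod = self.modules.pop(name)
        killed = [p for p, d in self.procs.items() if d in mod.domains]
        for p in killed:
            del self.procs[p]             # processes in a removed domain are terminated
        relabeled = [f for f, t in self.files.items() if t in mod.types]
        for f in relabeled:
            self.files[f] = QUARANTINE_T  # files of a removed type lose all access
        gone = lambda d, t: d in mod.domains or t in mod.types
        self.access = {k: v for k, v in self.access.items() if not gone(*k)}
        self.transitions = {k: v for k, v in self.transitions.items()
                            if not gone(*k) and v not in mod.domains}
        self.domains -= mod.domains
        self.types -= mod.types
        return killed, relabeled


def demo():
    """Constructed scenario: confine a proxy, load a partner module, unload it again."""
    s = DteSystem(
        domains={"user_d", "ftp_d"},
        types={"user_t", "ftp_exec_t", "ftp_data_t"},
        grants=[("user_d", "user_t", {R, W}), ("user_d", "ftp_exec_t", {X}),
                ("ftp_d", "ftp_data_t", {R, W}), ("ftp_d", "ftp_exec_t", {X})],
        transitions={("user_d", "ftp_exec_t"): "ftp_d"},
    )
    s.files.update({"/home/alice/notes": "user_t", "/usr/bin/ftp-gw": "ftp_exec_t",
                    "/var/ftp/pub": "ftp_data_t"})
    s.procs.update({1: "user_d", 2: "user_d"})
    out = {}
    s.exec_file(2, "/usr/bin/ftp-gw")                 # pid 2 enters the confined proxy domain
    out["proxy_domain"] = s.procs[2]
    out["proxy_reads_user_files"] = s.allows(2, "/home/alice/notes", R)

    partner = PolicyModule("partner", domains={"partner_d"}, types={"shared_t"},
                           grants=[("partner_d", "shared_t", {R, W}), ("user_d", "shared_t", {R})])
    s.load(partner)
    s.files["/share/report"] = "shared_t"
    s.procs[3] = "partner_d"
    out["user_reads_shared"] = s.allows(1, "/share/report", R)
    try:
        s.load(PolicyModule("rogue", set(), set(), [("ftp_d", "user_t", {R})]))
        out["rogue_rejected"] = False
    except ValueError:
        out["rogue_rejected"] = True
    out["unload"] = s.unload("partner")
    out["user_reads_shared_after"] = s.allows(1, "/share/report", R)
    return out


if __name__ == "__main__":
    print(demo())
```

The scenario shows the three properties the summary describes: the process that execs the proxy lands in ftp_d and can no longer read user_t files, so a fault in the proxy cannot reach them; loading the partner module adds a domain and a type and grants user_d read access to the new type, but a module that tries to widen access between two base attributes is refused; unloading removes the partner process and relabels the shared file so that the access user_d held on it disappears with the module.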

Integrated IP-layer cryptography into the DTE version of the BSD/OS kernel. IP-layer cryptography provides communications secrecy and integrity for communications between DTE Firewalls. This integration relates DTE mechanisms (e.g., policy modules, domains, types) with cryptographic services such as message secrecy and integrity to ensure that cryptographic mechanisms support sharing as specified by DTE policies.

Developed a demonstration of dynamic DTE modularity showing how different organizations can dynamically establish DTE policies for controlled sharing of information across wide-area networks.

Current Plan:

  • Design and implement the Domain and Type Authority (DTA), a fault-tolerant, distributed trustworthy network service for distributing DTE policy modules. DTE firewalls will consult DTA servers to negotiate firewall-to-firewall DTE policy agreements and to set up safe DTE security environments for communicating DTE end hosts.
  • Make DTE policy modules more protective of base policy elements. "Constrained" DTE policy modules may only alter a base policy in prescribed ways, and (currently) are prohibited from direct interaction with each other.
  • Demonstrate and evaluate dynamic and automatic loading of new modules from the DTA.
  • Programs interacting with external systems may run in multiple security associations (as expressed by DTE policy modules) either sequentially or concurrently. Explore system mechanisms and policy properties for preventing unauthorized accesses resulting from such security context merging.

Technology Transition:
Technology transfer activities have focused primarily on presentations in public fora, demonstrations and briefings to relevant organizations, and discussions with other research groups that might wish to use the DTE prototype.

We have presented DTE Firewalls concepts in a number of public fora, including demonstrations at the 19th National Information Systems Security Conference, a presentation at the 1997 Network Security Framework Forum, and a 5-minute talk at the 1997 IEEE Symposium on Security and Privacy.

Additionally, we have briefed DTE Firewalls concepts and given demonstrations to a variety of organizations: NSA V, NSA V1, NSA V2, NSA V3, NSA V4, NSA R23, NSA C43, NSA ADDI, NCSC, IDA, Boeing, TRW, Harris, Sun Microsystems Federal, Northrop Grumman, Sybase Federal, UK Government, CSC, and ISI.

Finally, we have made the DTE prototype system available to outside researchers, and expect DTE to be picked up by the SPIN group at the University of Washington.