
Information Flow Control Between Partitions In MILS System

Posted on: 2013-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Cheng
GTID: 2248330395955463
Subject: Computer system architecture
Abstract/Summary:

Embedded high-assurance systems (such as integrated avionics systems) place greater demands on cross-platform operation, multi-user processing, and the sharing of information at different security levels. To meet these demands, academia has proposed the Multiple Independent Levels of Security/Safety (MILS) architecture. Based on an analysis of the architecture and partition mechanism of a MILS system, this thesis studies information flow control in MILS systems, addressing the disclosure of and tampering with sensitive information that results from the lack of an effective information flow control method. Details are as follows:

1. Based on the component-composition characteristics of MILS systems and the goal of information flow control, an information flow control model between partitions is proposed that is built on trusted components. To improve the efficiency and security of information transmission, shared memory is used to construct the information transmission mechanism between partitions.

2. To prevent classified information from being illegally obtained by unclassified partitions, information flow control policies for the trusted components are designed, including an MLS policy based on the lattice model, a trusted downgrading policy, and a downgrading-upgrading policy, which together form a multi-layer information flow control policy framework.

3. Information flow control mechanisms are constructed: the separation kernel defines authorized information flows and controls their direction; the MMR (MILS Message Router) intercepts unauthorized information flows and routes messages between partitions; the Guard performs content filtering on the basis of protocol and application and downgrades messages as required. The PCS (Partition Communication System) encrypts for downgrading and decrypts for upgrading the information flow between partitions on different nodes of a distributed MILS system, to ensure the confidentiality of data on the network.

4. The design is applied to control request messages of the guest partition in a multilevel file system, ensuring confidentiality and integrity. Analysis and verification show that the information flow control design ensures that all information flows between partitions are legitimate messages authorized by the separation kernel and filtered by trusted components.
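The layered decision described in items 2 and 3 (kernel-authorized channel, lattice check in the router, guard filtering for a downgrade) can be sketched as follows. This is an added illustration, not code from the thesis; the partition names, labels, channel table and the `STATUS:` filter rule are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed lattice element: sensitivity level plus category bitmask. */
typedef struct { int level; uint32_t cats; } label_t;
typedef enum { FLOW_DENY_NO_CHANNEL, FLOW_DENY_POLICY, FLOW_DENY_GUARD,
               FLOW_ALLOW, FLOW_ALLOW_DOWNGRADED } verdict_t;

enum { P_LOW_A, P_HIGH, P_LOW_B, N_PART };      /* hypothetical partitions */
static const label_t labels[N_PART] = {
    [P_LOW_A] = {0, 0x0}, [P_HIGH] = {2, 0x1}, [P_LOW_B] = {0, 0x0} };

/* Channels the separation kernel authorizes (src -> dst), fixed at configuration. */
static const bool channel[N_PART][N_PART] = {
    [P_LOW_A][P_HIGH] = true,    /* upward flow */
    [P_HIGH][P_LOW_B] = true,    /* downward flow, released only via the guard */
};
/* Channels on which the guard is trusted to downgrade. */
static const bool guarded[N_PART][N_PART] = { [P_HIGH][P_LOW_B] = true };

/* Lattice order: b dominates a iff b's level is >= and b's categories are a superset. */
static bool dominates(label_t b, label_t a) {
    return b.level >= a.level && (a.cats & ~b.cats) == 0;
}

/* Stand-in content filter: release only messages with one allowed prefix. */
static bool guard_filter(const char *msg) {
    return strncmp(msg, "STATUS:", 7) == 0;
}

/* Router decision: kernel channel table first, then lattice policy, then guard. */
verdict_t route(int src, int dst, const char *msg) {
    if (src < 0 || dst < 0 || src >= N_PART || dst >= N_PART || !channel[src][dst])
        return FLOW_DENY_NO_CHANNEL;
    if (dominates(labels[dst], labels[src]))
        return FLOW_ALLOW;               /* flows upward or between equal labels */
    if (!guarded[src][dst])
        return FLOW_DENY_POLICY;         /* downward flow with no trusted guard */
    return guard_filter(msg) ? FLOW_ALLOW_DOWNGRADED : FLOW_DENY_GUARD;
}

int main(void) {
    printf("%d %d\n", route(P_HIGH, P_LOW_B, "STATUS:ok"),
           route(P_HIGH, P_LOW_B, "KEY:abcd"));
    return 0;
}
```

The `FLOW_DENY_POLICY` branch is unreachable with this table; it catches a channel table that authorizes a downward flow without assigning a guard to it.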
Keywords/Search Tags: MILS, partition, information flow control, trusted component