DOD security software: good year for COTS

The new policy shift embodied in a new Defense Message System architecture is opening the door to commercially developed software for secure applications where a short time ago only proprietary solutions would meet requirements

Feb 1st, 1998

By Charlotte Adams

Despite their traditional distrust of commercial off-the-shelf (COTS) security software, leaders in the U.S. Defense Department find themselves using more and more of it. And, given current budget directions, this trend will only increase.

Of course, DOD officials continue to develop custom security software not only to meet special threats such as the very large-scale attacks envisioned in information warfare scenarios, but also to add security to military-only architectures such as command and control systems.

But given future trends in the growing use of COTS software, experts at the Pentagon's research organization, the Defense Advanced Research Projects Agency (DARPA), are dedicating resources to develop tools called wrappers that are intended to compensate for the possible shortcomings of using COTS security software. In addition to the numerous wrapper projects already funded, officials in DARPA's Information Survivability (IS) program have issued another Broad Agency Announcement involving this technology.

Researchers describe wrapper software as thin layers of code that system integrators can place at the boundaries of an operating system or program, giving them a high degree of control over software interactions and data flows. Wrappers promise advances in access control, intrusion detection, encryption, auditing, and data labeling - especially for COTS or legacy software - but they have yet to be proven.

Although much of the DOD's internally developed security arsenal holds little attraction for the commercial world, the defense electronics designers are turning to industry for products such as firewalls - the computers that filter traffic coming from an external network. Firewalls are an example of dual-use technology defined by defense researchers but then applied widely beyond the defense domain. Firewalls may also profit from wrapper research.

Multilevel-secure (MLS) and compartmented-mode workstation (CMW) technologies, operating system software based on off-the-shelf but reengineered Unix products, are another DOD security staple, although rare in the commercial world. Techniques to leapfrog or at least complement this approach with more flexible technology may also develop from wrapper work.

Despite cross-fertilization, there is still resistance to COTS security. "We`ve seen the government paying contractors to do things like develop network security scanners," technology that is widely available commercially, says Steve Smaha, vice president of technology for Trusted Information Systems in Glenwood, Md.

There is good reason for the uniqueness of much DOD security technology, says Steve Sundman, acting business manager for the Santa Cruz Operation Inc. Government Area in Reston, Va. Military requirements are more rigorous than are commercial requirements, he explains, and concern national security. The military has had the time to delineate a set of control mechanisms for data management and security standards that manufacturers and integrators can develop solutions to, he says.

Defense Message System

Nevertheless, many describe 1997 as a great year for COTS security - the year the massive Defense Message System (DMS) program loosened its originally self-contained, homogeneous, and hardware-based security architecture. In deploying the DMS, DOD leaders finally acknowledged that they cannot afford, and do not even need, expensive crypto hardware and associated software at every desktop.

The decision last spring to allow a "flexible local architecture" is a major victory for COTS advocates within the program, which is expected to embrace as many as 2 million users over the next decade and eventually be worth as much as $1.6 billion.

Framers of the DMS originally envisioned it as a "closed enclave of users with only DMS products" and only interfacing with the outside world through a series of multifunction interpreters, or gateways, explains P.J. Purnell, DMS director of marketing for Lockheed Martin Corp. in Manassas, Va. But, with the policy change, users will be able to mix "plain vanilla" and DMS versions of the same product at the same installation.

DMS was already using Fortezza-enabled versions of commercial e-mail packages from the Lotus Development Corp. cc:Mail Division in Mountain View, Calif., Microsoft Corp. of Redmond, Wash., and Enterprise Solutions Ltd. in Reston, Va. But each had to be modified to perform in the DMS environment.

The driver of the program's evolution was cost. At $69 per Fortezza card, "a lot of people thought that was overkill for the more informal kind of messaging," says Wayne De Loria, director of government systems for Enterprise Solutions.

The significance of the new flexible local architecture policy is the "recognition that DMS is not a turnkey solution in any short time frame," Purnell says. There will be a long "transitional period," during which a vendor's commercial and DMS e-mail products will have to coexist, he says.

COTS advocates, however, see the flexible local architecture policy move as only the beginning of a long-term trend. The move "breathes new life into the program," says Mitra Azizirad, DMS program manager for Microsoft Federal Systems in Washington.

Browsers as a DMS option

Other COTS proponents are even more enthusiastic about the new flexible local architecture policy than is Azizirad. Those at Netscape Communications Corp. in Mountain View, Calif., for example, see DMS's architectural flexibility as an opening for their Fortezza-enabled browser. Thanks to the flexible local architecture, "we're an option for DOD users for non-organizational messaging," or for the vast majority of traffic, says John Menkart, regional sales manager for Netscape's Federal Division in Bethesda, Md.

The company has "tens of thousands of users who have implemented Netscape 3.0 with Fortezza in the intelligence space," and its new Communicator release, which accepts a Fortezza software module, Menkart says. What is more, the Pentagon contracted with Netscape in October for client and server software in a license that could cover as many as 2 million users.

Netscape leaders view Communicator 4.0 with Fortezza as essentially the commercial product, with a Fortezza "crypto module," explains Frank Hecker, lead systems engineer with Netscape's Government Sales Group. "A lot of customers have gotten stovepipe products that only work in a special context," he says. But, these days, "the name of the game is COTS, and we're committed to addressing the government market with commercial products."

"We see ourselves as almost the target architecture for DMS in the long run," Menkart says. "Even classic DMS, over the longer term, will migrate to use Internet standards."

He says Netscape is getting "tons of calls" from people who want to set up Netscape-based messaging and "don't want all Fortezza cards" because they want to communicate with their contractors and with commercial suppliers that are using Internet standards.

Still, DMS program officials were unhappy with the massive Netscape buy, insiders say. "When you buy a Netscape Communicator, you get e-mail capability," De Loria says. "What's going to prevent people from using that?" There is a lot of disagreement about how that will work out, he says.

Microsoft has also followed suit. Company officials expect to release a "Fortezza-enabled" Internet Explorer browser and Internet Information (Web) Server code by the first half of 1998, Azizirad says. In fact, the National Security Agency and defense contractor Mitre Corp. have had alpha code since May, she says.

Fortezza e-mail clients

For those who will employ official DMS-enabled e-mail software, Lotus and Microsoft minimize the differences from their commercial products. Microsoft's commercial and DMS Exchange servers are virtually identical, Azizirad says. And Lotus does not have a specifically DMS Domino server, says Keith Attenborough, the company's product manager for DMS in Cambridge, Mass.

On the client side, Microsoft employs a DMS "bolt-on," Azizirad says, with Fortezza security and the military messaging type. Ditto for Lotus. Officials from both companies claim large segments of users. Microsoft Exchange is already the Air Force standard, and Lotus has sold 15,000 seats at the Naval Supply Command and 4,000 seats at the Defense Information Systems Agency.

The server version of Microsoft Exchange 5.5 already supports the commercial S/MIME (Secure/Multipurpose Internet Mail Extensions) standard, a protocol allowing for digital signatures and encryption. Company officials want to see DMS move in the direction of S/MIME. "They`re not moving fast enough to COTS," Azizirad says. Lotus Notes will ship with S/MIME in the second half of 1998.

The DMS program, however, still uses numerous special-purpose platforms, such as BBN's Certificate Authority Workstation, which software engineers built on top of modified commercial operating system software - in this case the operating system from Santa Cruz Operation. NSA officials, at the same time, are also sponsoring Fortezza software development, although the destination of such a product may not be DMS, developers say.

Wrappers ...

Meanwhile, work on wrapper code that insulates programs from each other may make it possible to impose security on large, patchwork applications containing COTS elements. If successful, this would represent a radically different approach from DOD`s past determination to build security into software from the ground up.

"The problem with COTS is that when you plug the components together, you don't know what you've got," says Lee Badger, a principal computer scientist with Trusted Information. People typically link pieces of software together by putting the pieces on the same network or by grouping them on a single computer system, stitched together by means of system application programmer interfaces, network protocols, or dynamic libraries.

The trouble, however, is that these component boundaries can be weak and threaten an entire system through a failure in just one element. "General-purpose systems like Unix and Windows don't provide the controls for restricting and controlling interactions" between software components, Badger says. And software modules often depend on data produced by others.

Enter wrappers, which Trusted Information experts describe as "lightweight, portable software ... that can be applied to generic software components." Wrappers potentially can perform access control, encrypt data flows, detect intrusions, and carry out data labeling and auditing schemes, Badger explains. Under DARPA's IS program, Trusted Information engineers are developing a Wrapper Definition Language for specifying security policies.

What is new about the latest crop of wrapper research is the idea of a small, "kernel-loadable" module that is put into the operating system at runtime, says Dick O'Brien, a principal research scientist with Secure Computing Corp. in Roseville, Minn. Secure Computing engineers have developed a prototype browser wrapper, a "replication hypervisor" wrapper, and a server wrapper so far under DARPA's IS initiative.

Wrappers are particularly promising for containing mobile code - pieces of executable Internet software such as Microsoft ActiveX controls and software agents - that can be designed to steal data and undermine systems.

Such activity is not entirely theoretical, says Anup Ghosh, a research scientist with Reliable Software Technology Corp. in Sterling, Va., another IS contractor. German hackers known as the Computer Chaos Club have already demonstrated a Web page on German TV that could use ActiveX controls to schedule financial transactions through a surfer's Quicken home financial software. Software developers could limit the damage such malicious code might cause if they could wrap a browser, Ghosh says.

Secure Computing experts already have crafted prototype code for the Netscape browser. The idea, company officials say, is to prevent access by rogue Java applets, JavaScripts, Netscape plug-ins, and ActiveX components to "portions of the system that the user has declared off-limits to them." Secure Computing designers have also built a Java GUI front-end to the browser, which enables users to describe what files the browser will be allowed to access. Such a wrapper, which checks the validity of incoming traffic, could function like a "micro-firewall," Trusted Information's Badger says.

Wrappers could also "harden firewalls," O'Brien says. In this case, wrappers could help limit the damage if a firewall service is overrun.

Trusted Information experts are also developing a "runtime support system" that loads into the operating system kernel before the wrapper loads.

DARPA officials are also studying how to evaluate the robustness of security wrappers through evaluating the strength of wrapped software. Under the IS program, Reliable Software designers are looking at the Windows NT operating system, utilities, dynamic link libraries, and applications for vulnerabilities, Ghosh says.

Reliable Software officials are concentrating on executable, or "black box" code, as COTS vendors typically do not reveal their source code. Company engineers are focusing on individual pieces of software, he says, to develop "a tool which implements testing techniques" aimed at evaluating security. Security developers previously have concentrated on the network as the main source of security problems, so that current software test tools are limited to generic functions such as debugging.

Pros and cons

Among the advantages of the kernel-loadable approach to wrappers is the difficulty it poses to bypassing security, compared to putting wrappers in a library, for example. Yet the operating system kernel does not have to be changed, so that the amount of "trusted" code is kept to a minimum and security is easier to develop.

Another advantage is that, once a program such as a user's log-in shell is wrapped, "all its progeny are wrapped also," Badger explains. Potentially, wrappers could provide multilevel security, he adds, although not at levels B2 and above. These layers of code can "enclose 'black box' components and mediate, control, and restrict component interactions."

Wrappers also promise the capability of fine-tuning security controls. Wrappers, for example, could be turned on and off at any time, any place, and to any intensity in an environment, Badger says.

But, despite their potential, wrappers have a way to go before the software is allowed out of the lab. Adding wrappers to running systems is doubtless easier said than done. If something goes awry, the OS kernel could be damaged.

There could also be a performance hit of 30 percent or more associated with security wrappers, O'Brien says, although only a small percentage of an application's total system calls need be affected. In developing their Netscape browser wrapper, however, designers at Secure Computing found that the security checks on the system calls made when browser files are first opened are to blame for most of the overhead. These checks are not repeated when operations read or write to the files, O'Brien explains.
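The browser-wrapper design described above (the user declares which files are off-limits; the policy is evaluated once at open time and not again on every read or write; a wrapped program's children inherit the wrapper) can be modelled in a few dozen lines. The model below is an added illustration, not code from Secure Computing, Trusted Information or any DARPA project; the policy format, the class names, the simulated browser process and the sample paths (including the Quicken file from the anecdote) are all constructed for the example.

```python
"""Model of a kernel-loadable wrapper mediating a browser's file access (constructed example)."""
import posixpath
from dataclasses import dataclass, field


class PolicyViolation(PermissionError):
    """Raised when the wrapper refuses a mediated call."""


@dataclass
class Handle:
    path: str
    mode: str  # subset of "rw" granted when the file was opened


@dataclass
class Wrapper:
    # policy: canonical directory prefix -> permitted modes (hypothetical format)
    policy: dict
    audit: list = field(default_factory=list)
    policy_checks: int = 0

    def _decide(self, path, mode):
        """Evaluate the policy once, at the open() boundary."""
        self.policy_checks += 1
        canon = posixpath.normpath(path)  # fold "..", "//" and "/./" before matching
        for prefix, allowed in self.policy.items():
            if canon == prefix or canon.startswith(prefix.rstrip("/") + "/"):
                return all(m in allowed for m in mode)
        return False  # default deny: anything outside the declared directories

    def open(self, path, mode="r"):
        ok = self._decide(path, mode)
        self.audit.append(("open", path, mode, "allow" if ok else "deny"))
        if not ok:
            raise PolicyViolation(f"{path} is off-limits for mode {mode!r}")
        return Handle(posixpath.normpath(path), mode)

    def read(self, handle):
        # No policy re-evaluation here: the grant travels with the handle.
        if "r" not in handle.mode:
            raise PolicyViolation("handle was not opened for reading")
        return f"<data from {handle.path}>"

    def write(self, handle, data):
        if "w" not in handle.mode:
            raise PolicyViolation("handle was not opened for writing")
        self.audit.append(("write", handle.path, len(data), "allow"))

    def spawn(self):
        """A plug-in or helper launched by the wrapped browser inherits the same wrapper."""
        return Wrapper(self.policy, self.audit)


# Constructed sample policy: what the user has declared the browser may touch.
BROWSER_POLICY = {"/home/user/Downloads": "rw", "/usr/lib/netscape": "r"}


def denied(wrapper, path, mode="r"):
    """True if the wrapper refuses to open path with the given mode."""
    try:
        wrapper.open(path, mode)
    except PolicyViolation:
        return True
    return False


def run_demo():
    w = Wrapper(BROWSER_POLICY)
    page = w.open("/home/user/Downloads/page.html", "rw")
    for _ in range(100):  # a hundred reads cost no further policy evaluation
        w.read(page)
    w.write(page, b"cached copy")
    child = w.spawn()  # e.g. a plug-in started by the browser
    return {
        "checks_after_100_reads": w.policy_checks,
        "traversal_denied": denied(w, "/home/user/Downloads/../Quicken/ledger.dat"),
        "write_to_readonly_denied": denied(w, "/usr/lib/netscape/plugin.so", "w"),
        "child_also_wrapped": denied(child, "/home/user/Quicken/ledger.dat"),
        "sibling_dir_denied": denied(w, "/home/user/Downloads2/x"),
        "audit_entries": len(w.audit),
    }
```

Every decision lands in the shared audit list, so the same object serves the auditing role the article attributes to wrappers.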

Another shortcoming is their inability to prevent covert channels, Ghosh says. These are hidden pathways through a computer`s software that can leave it vulnerable to attacks. "Black box wrapping can only work with the interfaces given," he says.


MLS Meets Wrappers

Traditionally, the problem of insider access control has been addressed by multilevel-secure (MLS) technology, implemented on versions of Unix for high-end workstations from vendors such as Digital Equipment Corp. of Marlborough, Mass., and Hewlett-Packard Co. of Palo Alto, Calif. Building on that approach, but adding features such as secure windowing, are compartmented-mode workstations, or CMWs.

The trouble with MLS and CMWs has been that, lacking commercial appeal, they are expensive and exact a performance penalty, compared to pure commercial software. The process of obtaining the National Security Agency's blessing, moreover, in the form of a rating from the agency's National Computer Security Center (NCSC) could take many years; a system would be obsolete by the time it received certification.

Officials of the Santa Cruz Operation Inc. in Santa Cruz, Calif., have been luckier than most with their CMW+. They attacked pricing by building their secure operating system on their commercial product running on commodity Intel hardware. And, rather than wait out the NCSC process, Santa Cruz Operation's customers have chosen to obtain "program-level accreditation," says Steve Sundman, acting business manager for the Santa Cruz Operation Government Area, in Reston, Va. Company software engineers are also on the verge of completing a faster-moving U.K. certification, he says.

Because of these strengths, Santa Cruz Operation is the basis for the Defense Message System (DMS) program's Certificate Authority Workstation, as well as for the F-22 future advanced tactical fighter maintenance system. Santa Cruz Operation CMW+ is also the foundation of a commercial firewall product by Norman Data Defense Systems Inc. of Fairfax, Va.

Alternatives?

With the advent of wrappers, the veneers of code layered between applications or on an operating system, it may be possible to achieve MLS functionality at the lower end of the security spectrum for less overhead and lower cost than is presently possible. But wrappers remain to be proven, and would be inappropriate, in any case, to high-end MLS requirements.

Unlike wrappers, MLS software typically resides "all through the operating system, down to the device drivers and up through the kernel," says Lee Badger, a principal computer scientist with Trusted Information Systems Inc. in Glenwood, Md.

Although wrapper developers admit that their technology cannot address covert channels, they could use wrappers to provide access control, intrusion detection, auditing, and data labeling functions, especially to COTS and legacy software applications.

For MLS, "you need to label objects and make access control decisions," says Dick O'Brien, a principal research scientist with Secure Computing Corp. in Roseville, Minn. Wrappers are capable of intercepting system calls and making access control decisions, but it is not clear how they should label files and processes. There is no question, however, that the software can be made to do it, he says.

Of course, you have to remember that wrappers would "only add the ability to label data," O'Brien says. When all is said and done, wrappers, dealing with the "boundary" of the OS, "can only control a limited amount of it." The wrapper cannot really know what is going on deep inside the operating system. So there are assurance issues to be addressed, as well.

Building on the potential of wrappers to provide MLS controls is the Secure Access Wrapper (SAW) project by SRI International in Menlo Park, Calif., under the Defense Advanced Research Projects Agency's Information Survivability (IS) program. Trusted Information and Secure Computing are also IS participants.

SAW aims to build an access-control wrapper to moderate external access to very large-scale COTS and legacy databases. The effort presumes that the environment is already protected, so that SAW would act in a complementary role, says Steve Dawson, an SRI computer scientist. The task's main motivation, he says, is "to enable organizations to share data with each other in a secure way, without affecting internal operations." He says he believes the best wrappers can do today in securing a "composed" system is to obtain the rating of the lowest-rated component.

Potentially, SAW would also keep the amount of "trusted code" small, Dawson says. "That way, a composed system of different wrapped components can achieve a high assurance rate without an expensive [certification] process." - C.A.


Wrappers - old and new

The idea of wrappers is not new. Shareware or freeware TCP/IP wrappers have existed for some time as very low-level point solutions, says Dorin Miller, vice president with Memco Software Inc., an Israeli security software firm that has developed boot-time, latch-on security software for numerous Unix flavors.

Memco officials say their solution, SeOS, is nothing at all like a wrapper. Indeed, Miller defines wrappers as inherently bypassable. In the case of simple TCP/IP wrappers, for example, one need only write a program that issues its own TCP/IP calls, she says. "Wrappers, by definition, don't talk at the system-call level at all." A wrapper is simply a replacement of an application program.

But the way company officials describe their product sounds similar to what wrapper researchers are working on today. If engineers visualize Unix as a series of concentric circles, Memco's SeOS product, once it has attached itself to the operating system, lives in the innermost ring - the kernel - Miller says.

By a technique known as "dynamic soft hooks," Miller says, the company's product attaches itself to the operating system at boot time and extends it. "It becomes part of the operating system without changing the code permanently." SeOS can be used to secure AIX, HP-UX, Sun Solaris, Sun OS, IRIX, DGUX, and AT&T Unix, she says.

SeOS works, moreover, by making sure that calls to "sensitive" operating system functions reroute "to pass through the SeOS interception engine," which, in turn, connects to a "decision-making engine" that enforces security policy. Miller claims a maximum 5 percent overhead added by the checking process.

New wrappers

The answer to the paradox is probably that the notion of wrappers is changing, especially with the introduction of the kernel-loadable variety, which have access to kernel data structures and can intercept and redirect system calls to run checks, says Dick O'Brien, a principal research scientist with Secure Computing Corp. in Roseville, Minn. After completing the checks, the wrappers reroute the calls back to the kernel.

The Defense Advanced Research Projects Agency's Information Survivability (IS) program, sponsor of much wrapper research, is an engine behind the expanding conception of wrappers. "DARPA's program is focused on taking the notion of intercepting interactions" and developing it, says Lee Badger, a principal computer scientist with Trusted Information Systems in Glenwood, Md.

Companies such as Trusted Information are "exploring additional capability," which may be "different from and broader than what people had thought of a few years ago," Badger adds. Inevitably, these projects will break the constraints of simple wrapper definitions. Thus, he describes wrappers as code that functions as "operating system extensions that are inserted while the system is running." Wrappers, with the help of a "runtime support system" Trusted Information is also developing, intercept "system calls in the kernel." - C.A.
