LynxSecure is an ideal security foundation for software guard technologies. Using LynxSecure's memory and process isolation and its information flow control capabilities, system architects are equipped to build secure, low-cost, scalable, software-based message guard technologies.
Message guards (Figure 1) are programmable data filters that are used to safely transfer authorized data across security domains. Because message guards bridge security domains, both the correctness of the filter policy and the control of information flow are critical to prevent unauthorized information from leaking across domains. Current message guard design strategies can be categorized as either hardware-centric or software-centric. Each strategy offers unique benefits, but both have drawbacks. LynxSecure offers a new, simpler approach to building message guards that captures the best of both hardware-based and software-based solutions.
Hardware-based message guards (Figure 2) provide strong assurance that flow-control and filter policies are enforced, using discrete physical hardware components and physically protected firmware configurations. However, hardware-based guards are considered stove-piped solutions, developed for a very particular purpose, and lack scalability and general-purpose use. They are limited to the number of available physical network interfaces and have limited flexibility in both policy configuration management options and integration options with feature-rich data mining and dissemination tools.
Software-based solutions (Figure 3) offer great flexibility in updating filter policies and provide plug-in architectures for data management tools. However, software solutions are heavily scrutinized for the lack of security assurance they provide. Many of these solutions are based on commercial operating systems such as Linux and Solaris coupled with a complex mandatory access control system such as SELinux or Solaris Trusted Extensions. The security foundation of these solutions has a large attack surface, including the correctness and protection of the mandatory access control policy and the vulnerabilities of the underlying operating system's kernel and device drivers. Typically, this attack surface is mitigated by layering more hardware components around the software guard for added protection, as a hybrid solution. This approach, however, increases system complexity and cost.
LynxSecure offers the best of both worlds by providing security assurance through its provable process isolation and information flow control, as well as the flexibility of hosting feature-rich software solutions through its OS virtualization support, all on a single hardware platform. LynxSecure gives system architects the simple yet powerful ability to create protection boundaries around security-critical software components and to explicitly control the flow of information between those boundaries. Within a protection boundary, software can be as simple as a message buffer or as complex as a fully virtualized instance of Windows. The ability to create arbitrary protection boundaries and information flows on a single computing platform supplies the building blocks for composing scalable security-critical systems while drastically reducing the complexity of the security architecture. The illustration below (Figure 4) depicts a sample multi-domain message guard architecture using LynxSecure.
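To make the two properties the text calls critical concrete, the following is an added illustrative model of a message guard, not LynxSecure code or its API: an explicit directed flow table between protection boundaries (information flow control) plus an allow-list filter policy (filter correctness), both enforced fail-closed. The domain names, policy fields and markings are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed domains and the single explicitly permitted flow.
# Flows are directed: allowing HIGH->LOW says nothing about LOW->HIGH.
ALLOWED_FLOWS = {("HIGH", "LOW")}

# Filter policy (constructed): the only fields that may cross the guard,
# each with its constraint. Anything not listed here is rejected.
FILTER_POLICY = {
    "msg_type": {"allowed_values": {"status", "position"}},
    "payload": {"max_len": 64},
}
PROHIBITED_MARKINGS = ("SECRET",)  # substrings that must never leave HIGH

@dataclass
class GuardDecision:
    accepted: bool
    reason: str
    message: dict = field(default_factory=dict)

def flow_permitted(src: str, dst: str) -> bool:
    # Default deny: only pairs in the flow table may communicate.
    return (src, dst) in ALLOWED_FLOWS

def apply_filter(msg: dict) -> GuardDecision:
    # Unknown fields are rejected outright rather than silently stripped,
    # so a policy/producer mismatch surfaces instead of hiding a leak path.
    for key in msg:
        if key not in FILTER_POLICY:
            return GuardDecision(False, f"field not in policy: {key}")
    for key, rule in FILTER_POLICY.items():
        if key not in msg:
            return GuardDecision(False, f"required field missing: {key}")
        value = msg[key]
        if not isinstance(value, str):
            return GuardDecision(False, f"non-string value in {key}")
        if "allowed_values" in rule and value not in rule["allowed_values"]:
            return GuardDecision(False, f"value not allowed for {key}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            return GuardDecision(False, f"{key} exceeds max_len")
        if any(m in value.upper() for m in PROHIBITED_MARKINGS):
            return GuardDecision(False, f"classification marking in {key}")
    return GuardDecision(True, "passed filter", dict(msg))

def guard_transfer(src: str, dst: str, msg: dict) -> GuardDecision:
    """Move msg from src to dst only if the flow is allowed and the filter passes."""
    if not flow_permitted(src, dst):
        return GuardDecision(False, f"no flow {src}->{dst}")
    return apply_filter(msg)
```

The flow check runs before the filter, so a message on an unconfigured path is dropped even if its content would have passed the filter policy.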