Secure Efficient Cross-domain Protocols


OBJECTIVE: Develop cross-domain protocols and design methodologies to enable distributed applications to operate securely when split between two security domains.

DESCRIPTION: Coordination of activities between different security domains remains a thorny and yet crucial problem. Cross domain data flows impeded by time-consuming release procedures prevent fluid and effective operations. The situation also encourages the entire activity to be carried out at the highest security level to avoid sharing the data between security domains.

This solicitation envisions a future information architecture in which distributed applications can be split between domains, with the parts communicating via a trusted automated guard. Such applications would serve to coordinate activities and maintain data consistency between domains. Such split applications would also reduce the need for ad hoc forms of communication between the domains, whose security is difficult to ensure. Critically, such applications must not enable unintended flows of information between domains. Thus, this solicitation focuses on the design of the protocol which ties the two parts of the application together as the key challenge.

As an example, consider a workflow that requires some tasks to be performed in each domain. Automation of such a workflow would require communication between domains for control flow (to coordinate the tasks) and data flow (to transfer results from one task performer to another). The cross domain guard will be a third participant in these protocols, examining each message, with the capability of blocking or altering messages and even generating fresh messages. Thus, software for the protocol (or class of protocols) must be incorporated into the guard.

This solicitation seeks two kinds of developments:

1. Protocols or classes of protocols of practical interest to the Air Force that can be securely operated between security domains, and/or
2. Practical means for determining that instances and implementations of such cross domain protocols are secure and correct.

The two main parts of the application should run without special privileges in their domains. However, the module that interprets the protocol within the guard is highly privileged, and therefore the highest degree of trust in its correctness and security is of key importance. This component of the system must either be very simple so that manual inspection is feasible, or there must be some other means or strategy for ensuring correctness.

Assume that the straightforward operation of the distributed application for its intended purpose is well within the security policy. This solicitation focuses on ensuring that the protocol cannot also serve as a conduit for covert communications, or that the bandwidth of such covert channels is limited.

Respondents should describe what kind of protocol their system will support, what sorts of cross-domain applications that protocol will enable, and what the overall usefulness of such applications would be in a cross domain setting. Respondents should also indicate why it is at least plausible that their selected class of protocols will be secure in the sense described here. Of particular interest will be theoretical advances that enable larger classes of protocols to be handled securely or that enable automated analysis of protocols to ensure that they are secure with mathematical accuracy.

PHASE I: Define class of protocols operating across domain boundary with strategy for protecting protocol as it passes through a guard. Provide security argument/analysis that shows a bandwidth limit on covert channel that could be supported by this protocol. Alternatively, determine if selected member of protocols class has limited/0 covert channel capacity. Prove class of such protocols is nonempty.
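The kind of argument Phase I asks for can be illustrated with a small guard that admits only enumerated control messages of a finite-state workflow protocol and a function that bounds the covert capacity of that message set. This is an added example, not part of the solicitation: the protocol, state names and message names are hypothetical, and the bound assumes the guard releases at most one message per fixed-length time slot, so a sender can signal only by its choice of admissible message or by staying silent.

```python
import math

# Hypothetical workflow protocol (constructed for this example):
# state -> {(sending domain, message token): next state}
PROTOCOL = {
    "IDLE":     {("low", "TASK_REQUEST"): "ASSIGNED"},
    "ASSIGNED": {("high", "TASK_ACCEPT"): "RUNNING",
                 ("high", "TASK_REJECT"): "IDLE"},
    "RUNNING":  {("high", "RESULT_OK"): "IDLE",
                 ("high", "RESULT_FAIL"): "IDLE",
                 ("low", "CANCEL"): "IDLE"},
}

class Guard:
    """Third protocol participant: forwards a message only if it is a legal
    transition in the current state. Blocked messages look like silence."""

    def __init__(self, protocol, start="IDLE"):
        self.protocol = protocol
        self.state = start

    def tick(self, sender=None, msg=None):
        """Handle one time slot; return the forwarded token or None."""
        if msg is None:
            return None
        nxt = self.protocol[self.state].get((sender, msg))
        if nxt is None:
            return None  # not admissible here: dropped, state unchanged
        self.state = nxt
        return msg  # only the canonical token crosses the boundary

def covert_bound_bits_per_slot(protocol, sender):
    """Upper bound on what `sender` can signal per slot: it picks one of its
    admissible messages or silence, so at most log2(max choices + 1) bits."""
    worst = max(sum(1 for (s, _) in moves if s == sender)
                for moves in protocol.values())
    return math.log2(worst + 1)

def covert_bound_bits_per_second(protocol, sender, slot_seconds):
    """Same bound expressed as a rate for a given slot length."""
    return covert_bound_bits_per_slot(protocol, sender) / slot_seconds

def run_trace(trace):
    """Feed a list of (sender, msg) slots through a fresh guard."""
    guard = Guard(PROTOCOL)
    return [guard.tick(s, m) for s, m in trace], guard.state
```

The bound is conservative: it counts every admissible choice as potentially covert, including choices the workflow legitimately needs, and it says nothing about channels outside the guard.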

PHASE II: Based on the work of Phase I, implement tools to support the class of protocols selected including the guard component, and any automated protocol analysis that is necessary to ensure security. Construct a sample cross domain application using a protocol from that class that meets security requirements. Illustrate the security argument in concrete form for this application.

PHASE III: Solve multi-domain coordination problem for a military customer. Work with automated guard vendor to install and test protocol checking module. Apply technique to protect communications between E-systems & cloud services. Integrate guard component using firewall appliance.

REFERENCES:

1. John McHugh, Covert Channel Analysis, in Handbook for the Computer Security Certification of Trusted Systems. Available at
2. Susan Older and Shiu-Kai Chin, Formal Methods for Assuring Security of Protocols, The Computer Journal, Vol. 45, No. 1, 2002. Available at
3. Nikhil Swamy, Michael Hicks, and Simon Tsang, Verified Enforcement of Security Policies for Cross-domain Information Flows, Proceedings of the Military Communications Conference, 2007 (MILCOM 2007), Orlando, FL, pp. 1-7. Available at