The MILS Component Integration Approach to Secure Information Sharing

Carolyn Boettcher, Raytheon, El Segundo CA,
Rance DeLong, LynuxWorks, San Jose CA,
John Rushby, SRI International, Menlo Park CA, and
Wilmar Sifre, AFRL/RITB, Rome NY

Presented at the 27th IEEE/AIAA Digital Avionics Systems Conference (DASC), St. Paul MN, October 2008.

Recipient of "Best in Session," "Best in Track" and "Best in Conference" awards.


The US military has a vision of information superiority that requires secure and timely sharing of information between geographically separated platforms and users. Often, however, the producers and consumers of information, as well as the information itself, reside in different security domains, necessitating some form of Cross Domain Solution. A COTS marketplace of modular, high-assurance components with composable security properties would not only make this vision of cross-domain information sharing achievable, but could also help to make it much more affordable than is currently feasible. As part of the Air Force's Multiple Independent Levels of Security/Safety initiative, AFRL's multi-year High Assurance Middleware for Embedded Systems (HAMES) program is conducting research in integrating trusted components in such a way that the security properties of the system can be predicted.

MILS is characterized by a two-level approach to secure system design. At the policy level, a decomposition to a virtual architecture is performed while identifying the trusted components, the local policies and the communications channels. This is done in a way that minimizes complexity of trusted components and their policies. At the resource sharing level, implementation of components is considered, which includes the allocation of components to shared physical resources. MILS provides an implementation technology that enables virtual components of various types, and their intercommunication channels, to share physical resources without compromising the integrity of the policy level.

Security is seldom identified with a single, simple policy; the two-level approach of MILS was introduced as a rational way to organize the multiple cooperating components and sub-policies that realize a complete secure system. A MILS system needs to provide assurance that this design and implementation strategy and, in particular, the separate sub-policies of its components and the resource-sharing properties of its physical subsystems, compose to guarantee the security policy required of the overall system. This paper will describe the progress made so far in our research and some of the remaining challenges.

PDF only


PDF only

BibTeX Entry


Having trouble reading our papers?
Return to John Rushby's bibliography page
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page