Difference between revisions of "Developer Summit 2009/Abstracts/Tricca Pending"

From SELinux Wiki

Revision as of 23:49, 21 July 2009

Author

Philip Tricca

Topic

Video Streaming in Policy Confined Environments

Abstract

Traditional cross-domain data dissemination systems in military environments have relied heavily on text and structured message parsing. Due to technical, budgetary and political hurdles data labeling has never been fully adopted on many networks. Thus data residing in a network domain does not carry any indication as to its integrity or sensitivity level. Data sensitivity is instead proven through inspection at the point of dissemination where a "go / no-go" decision is made. All data then is assumed to be at "system-high" until proven otherwise upon each dissemination request.

This approach is acceptable for simple textual data but for data objects with complex structures the inspection burden is significantly higher or even impractical. We argue that, given current trends toward increasing complexity in media formats, automated sensitivity detection at the network boundary won't scale. More complex formats drive increased complexity and cost (CPU cycles) into inspection engines. This causes the latency of data dissemination operations to be severely increased. It may even result in the requirement for manual human review of the data if no automated inspection mechanisms exist.

As an alternative we propose leveraging current labeling and MAC information flow enforcement technologies to provide protected paths between labeled sources and their destination. We construct these paths as processing pipelines using the GStreamer framework across multiple SELinux hosts. As these pipelines may span sensitivity domains in either direction, one-way information flow semantics are particularly important in some cases. We discuss these cases, our efforts to preserve these semantics where possible and the difficulties we have encountered.

GStreamer also presents an interesting challenge in that it is itself a complex pipelining architecture. We present our work to decompose GStreamer pipelines into separate processes for increased policy granularity and look to discuss the pros and cons of this approach. Specific metrics and architectures will be presented, and discussion around integration with policy development tools like the CDS Framework would be beneficial.

This talk will be short: approximately 20 minutes. Additional time may be necessary for questions.