Figure 3. CSfC approach within Samsung KNOX Hypervisor
An example CSfC replacement for a Type-1 encryptor is the dual-layer VPN described in the CSfC program's Virtual Private Network (VPN) Capability Package. In this approach, classified information is encrypted twice by two commercial VPNs layered one inside the other. Each VPN must be certified to commercial standards (e.g. FIPS 140-2 validation of its cryptographic module), and the two must come from different vendors, so that a flaw or compromise in one product does not expose the data still protected by the other (Figure 2).

The individual products used in CSfC-composed solutions are developed for the broader commercial enterprise market and are therefore much lower in cost; they are neither dependent upon nor subject to the government funding and certification overhead of traditional Type-1 systems. For example, a dual-layer CSfC VPN solution might be composed of a standard enterprise Cisco product for one layer and the open source strongSwan product for the other.
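As an added illustration of the layering described above (not configuration from the article, from the CSfC program or from strongSwan's own documentation), the following strongSwan swanctl.conf fragment configures the inner of the two layers on the mobile device. The outer layer, which in the Cisco-plus-strongSwan pairing would be the Cisco product, is assumed to already be up; the inner tunnel's endpoint addresses therefore sit inside the outer tunnel, so every inner ESP packet is encrypted a second time by the outer VPN. All addresses, identities, certificate file names and the enclave prefix are assumptions chosen for the example.

```conf
# /etc/swanctl/swanctl.conf on the mobile device: INNER layer of a dual-layer VPN.
# Assumption: the outer-layer VPN (a different vendor's product) is already
# established and has given this device the inner address 10.1.0.2.
connections {
    inner-layer {
        # Both endpoints are addresses reachable only through the outer tunnel,
        # so the inner layer's ESP traffic is itself carried inside the outer VPN.
        local_addrs  = 10.1.0.2        # assumed: device address inside the outer tunnel
        remote_addrs = 10.1.0.1        # assumed: inner-layer gateway inside the outer tunnel
        version = 2                    # IKEv2 only
        # IKE_SA proposal: AES-256-GCM, SHA-384 PRF, ECDH P-384 (assumed choice)
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth  = pubkey
            certs = inner-client.pem   # assumed: device certificate for the INNER layer only
            id    = device01@example.org
        }
        remote {
            auth = pubkey
            id   = inner-gw.example.org
        }
        children {
            red-net {
                local_ts  = dynamic
                remote_ts = 192.168.100.0/24   # assumed: protected enclave behind the inner gateway
                # CHILD_SA proposal with PFS on P-384 (assumed choice)
                esp_proposals = aes256gcm16-ecp384
                mode         = tunnel
                start_action = start
                dpd_action   = restart
            }
        }
    }
}
```

The point a reviewer would check is independence between the layers: the inner layer's certificate, CA and key material must be separate from those used by the outer layer, and the outer layer's configuration lives on the other vendor's product rather than in this file. After `swanctl --load-all`, `swanctl --list-sas` on the device should show the inner IKE_SA and CHILD_SA established over the outer tunnel's inner addresses rather than over the device's physical interface address.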

Separation Kernel-Based Hypervisors

Commercial, off-the-shelf bare-metal mobile hypervisors have been deployed in standard consumer smartphones and tablets for several years, and the USMC (via its Trusted Handheld, or TH2, program) recently took a leadership role in applying them to improve mission capability while reducing the total cost of mobile computing for the government. Mobile hypervisors provide strong isolation between the mobile OS (e.g. Android) and other execution environments (e.g. security components, or even a second Android instance) that must remain protected even if the Android OS itself is vulnerable and is exploited by malware or remote attacks.

Figure 4. Example dual domain TH2 Architecture
TH2 worked with mobile hypervisor technology from Green Hills Software, whose virtualization approach leverages the high-assurance INTEGRITY separation kernel technology that has been deployed for many years in critical commercial embedded systems such as medical equipment, industrial controls, and avionics. The hypervisor enables multi-domain use of a single device as well as the application of CSfC-compliant data protection. Green Hills' technology forms the basis of Samsung's commercial enterprise mobile hypervisor offering, the Samsung KNOX Hypervisor. Figure 3 shows how dual-layer data-at-rest (DAR) and data-in-transit (DIT) protection can both be implemented using the Samsung KNOX Hypervisor to provide a layer of isolated security beyond the mobile operating system itself.

The Samsung KNOX Hypervisor can host two mobile OS instances. Under the auspices of the TH2 program, in late 2013 this became the first commercial solution approved for simultaneous access to the open Internet and to sensitive government networks from a single device (Figure 4).

Applying TH2 to Tactical Radio Communications

USMC recognized that the Samsung KNOX Hypervisor provides an extensible execution environment for other critical processing. Developers from Green Hills are now applying this environment to offload some of the tactical radio processing onto the more powerful mobile device. The mobile device can then be combined with a reduced-footprint tactical radio to form a single unit that has the power and flexibility of a modern smartphone or tablet, yet communicates seamlessly on traditional military tactical networks.

Figure 5. Traditional red-black radio architecture
A standard tactical military radio, such as the Rifleman Radio, includes three main processing environments: a red-side subsystem, a cryptographic subsystem, and a black-side subsystem. Human voice (push-to-talk) enters and is processed in the red-side subsystem, which handles plaintext. That data is then encrypted by the cryptographic subsystem before being passed to the black-side subsystem, which handles only ciphertext and is responsible for all link-layer functions and for transmission. Figure 5 shows this traditional red-black tactical radio architecture.