Pantograph: Secure, Cross-domain Object Models

Period of Performance: 01/01/2014 - 12/31/2014


Phase 1 STTR

Recipient Firm

Architecture Technology Corp.
9971 Valley View Road Array
Eden Prairie, MN 55344
Firm POC
Principal Investigator

Research Institution

Cornell University
426 Phillips Hall
Ithaca, NY 14853
Institution POC


ABSTRACT: Most cross-domain information flows require some human intervention to ensure that the requirements for releasability are met. Such intervention is expensive and slow, and can form a bottleneck in operations. Unfortunately, fully automated sharing of information across security domain boundaries is also fraught with difficulties due to problems with identifying releasable information, and the need to control covert channels. The result so far has been automated information flows that are one-directional or point solutions. ATC-NY and Cornell will develop the Pantograph software suite to address this problem. Pantograph will enable the nearly routine authoring of secure cross domain applicationsdistributed applications with state that is seamlessly shared, in a sanitized form, between the two domains. Building on Fabric, Cornell"s compiler for distributed applications with provable enforcement information flow security, applications compiled with Pantograph will enforce information-flow security between domains. The internal Pantograph protocol will mitigate potential covert channels by sanitizing the protocol messages. A security analyzer will quantify residual covert channel risks inherent in the application. BENEFIT: Cross domain applications developed with Pantograph will provide a very practical way to share information between security domains with very high assurance that information flow policies in both domains are enforced. Inexpensive and straightforward authoring of highly secure cross-domain applications will have three main benefits: (1) Better, more fluid coordination of activities between domains, (2) reduced pressure to"upgrade"all related tasks to the highest sensitivity level, and (3) reduced pressure to allow unsafe sharing to"get the job done". The primary market for Pantograph applications will be the many DoD and intelligence community installations with multiple security domains connected by guards. Critical infrastructure protection will be another market for Pantograph applications, potentially much larger, and with lower barriers to entry. Almost all of our national critical infrastructure is controlled by digital systems that are connected to corporate networks and are thus vulnerable to attack from the Internet. Pantograph applications can enable sharing of specific information between enterprise networks and critical infrastructure control systems, in both directions, with strong guarantees that spurious information flows cannot occur.