Cross-domain communication using an XMPP chat guard
About the publication
Report number: 17/01491
ISBN: 978-82-464-2941-0
Format: PDF-document
Size: 897.7 KB
Language: English
In current and future military operations the capability to communicate, distribute and share
information is vital. Information superiority is achieved through the gathering, processing and
sharing of data from sensors and humans. This requires that future information systems are
interoperable and capable of sharing data and information with other systems. This includes
instant messaging, also known as chat, which has become a popular alternative for informal
message exchange between users.
Military systems have traditionally relied on physically separated security domains
to provide confidentiality protection. While this protects the confidentiality of
information, it also heavily restricts the sharing of information, including
information that could otherwise be shared.
A guard is an assured solution that may be used for connecting security domains. It protects
against information leakage, i.e. the high domain sharing information with the low domain
that it is not allowed to share. Guards inspect the confidentiality labels attached to the
data in order to decide whether it is releasable. A guard also helps protect the high domain
from threats from the low side, such as malware, thus protecting the integrity of systems.
This report presents a guard solution developed as part of the multilateral research project
Coalition Networks for Secure Information Sharing (CoNSIS) II for chat messaging using the
XMPP protocol. It enables users in one security domain to interact and exchange chat
messages with users in another domain. The Chat Guard is designed and implemented in
cooperation with Thales Norway AS. It reuses the basic architecture and design from the Mail
Guard under development by Thales and the prototype XML/SOAP Guard developed in
cooperation between FFI and Thales. Reusing the security-critical components of these guards
facilitates certification.
A prototype of the Chat Guard has been implemented by Thales Norway AS and tested.
Testing showed that the prototype may be too strict, stopping
messages that are of use. Striking the right balance between protection and usability is
important, and this report outlines how the finished guard may handle different types of
messages. Lessons learned and experience drawn from the CD&E activity SMART on
using chat in an operational scenario have also been important input. The SMART initiative
investigated whether commercial smart technology, including chat messaging, could
be used to provide situational awareness to units with little or no equipment today.
This work has shown that it is possible to design and implement a guard for chat using the
XMPP specification based on the existing guards in development. A working prototype has
been established that may be developed into an operational system. The Chat Guard is
designed with the aim of Common Criteria EAL 5 certification.
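The label-based release decision described above, sketched as an added example that is not code from the report or from the Chat Guard. The label namespace, element names, release policy and sample stanzas are assumptions made up for illustration; the sketch covers only the element whitelist and the label check, with everything else blocked by default.

```python
import xml.etree.ElementTree as ET

# Assumptions (not from the report): label namespace, element names, policy.
LABEL_NS = "urn:example:guard-label"        # hypothetical label namespace
CLIENT_NS = "jabber:client"
BODY = f"{{{CLIENT_NS}}}body"
RELEASABLE_TO_LOW = {"UNCLASSIFIED"}        # hypothetical low-domain policy
ALLOWED_CHILDREN = {BODY, f"{{{LABEL_NS}}}label"}

def release_decision(raw: bytes) -> tuple:
    """Decide whether a high-domain <message/> stanza may pass to the low domain.

    Default deny: anything unparseable, unlabelled or unexpected is blocked.
    """
    # RFC 6120 forbids DTDs and processing instructions in XMPP streams,
    # so reject them (and comments/CDATA, by policy) before parsing.
    if b"<!" in raw or b"<?" in raw:
        return False, "prohibited XML construct"
    try:
        stanza = ET.fromstring(raw)
    except ET.ParseError:
        return False, "malformed XML"
    if stanza.tag != f"{{{CLIENT_NS}}}message":
        return False, "not a message stanza"
    # Only whitelisted payloads may cross; unknown extensions could carry data.
    for child in stanza:
        if child.tag not in ALLOWED_CHILDREN:
            return False, "unexpected element"
        if child.tag == BODY and len(child):
            return False, "markup inside body"
    labels = stanza.findall(f"{{{LABEL_NS}}}label")
    if len(labels) != 1:
        return False, "missing or ambiguous label"
    classification = (labels[0].findtext(f"{{{LABEL_NS}}}classification") or "").strip()
    if classification not in RELEASABLE_TO_LOW:
        return False, "label not releasable"
    return True, "released"

# Constructed sample stanzas (not captured traffic).
def _msg(inner: str) -> bytes:
    return f'<message xmlns="{CLIENT_NS}" to="low@example.org">{inner}</message>'.encode()

LABEL = '<label xmlns="urn:example:guard-label"><classification>{}</classification></label>'
SAMPLES = {
    "ok": _msg("<body>Convoy delayed</body>" + LABEL.format("UNCLASSIFIED")),
    "secret": _msg("<body>Grid reference</body>" + LABEL.format("SECRET")),
    "unlabelled": _msg("<body>hello</body>"),
    "two_labels": _msg("<body>hi</body>" + LABEL.format("UNCLASSIFIED") + LABEL.format("SECRET")),
    "extension": _msg('<body>hi</body><x xmlns="urn:example:other">data</x>' + LABEL.format("UNCLASSIFIED")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, release_decision(raw))
```

The unlabelled and extension samples show how a default-deny guard blocks stanzas whose visible content is harmless, which is the protection-versus-usability trade-off the report discusses.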