Official levels of Computer Security


Page 1: Official levels of Computer Security

Official levels of Computer Security
• United States Government Department of Defense (DoD)
• Trusted Computer System Evaluation Criteria (TCSEC) - “Orange Book”
• Requirements:
  1. Specific security requirements
  2. Assurance requirements

Page 2: Official levels of Computer Security

TCSEC / Orange Book

• 4 divisions - A, B, C, D
  – Specifies evaluation classes (D, C1, C2, B1, B2, B3, A1)
  – Specifies functionality and assurance requirements for each class
• Each class defines 4 requirements
  – Policy
  – Accountability
  – Assurance
  – Documentation

Page 3: Official levels of Computer Security

TCSEC Classes

• D – Minimal Protection
• C1 – Discretionary Security Protection
  – Identification and authentication and DAC
  – Users processing data at common sensitivity level, separates users from data
  – Minimal assurance, may be based on features, not evaluation
• C2 – Controlled access protection
  – Adds object reuse and auditing
  – More testing requirements
  – Windows NT 3.5 evaluated C2

Page 4: Official levels of Computer Security

TCSEC Classes

• B1 – Labelled Security Protection
  – Adds MAC for some objects
    • Controlled objects “labeled”, access control based on these
  – Stronger testing requirements. Information model of security policy. Bell-LaPadula model.
  – Trusted Unix tended to be B1
• B2 – Structured protection
  – MAC for all objects, including devices.
  – Design and implementation must enable thorough testing & review
    • “well-defined largely independent modules”
  – Trusted Path. Least privilege.
  – Covert channel analysis, configuration management, more documentation, formal model of security policy

Page 5: Official levels of Computer Security

TCSEC Classes

• B3 – Security Domains
  – Requirements on code modularity, layering, simplicity.
  – Argument (short of proof) that implementation meets design specifications
  – Tamper-proof implementation
  – More stringent testing and documentation.
  – XTS-200/STOP
• A1 – Verified protection
  – Same functional requirements as B3
  – Five criteria
    • Formal model of protection and proofs of consistency/adequacy
    • Formal specification for protection system
    • Demonstration that specification corresponds to model of protection
    • “Proof” that implementation is consistent with specification
    • Formal analysis of covert channel
  – Existence proof: Honeywell’s SCOMP

Page 6: Official levels of Computer Security

Trusted Computing Base

• Trusted Computing Base
  – Hardware and software for enforcing security rules
• Reference monitor
  – Part of TCB
  – All system calls go through reference monitor for security checking
  – Most OS not designed this way
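
Added example (not from the original slides): a minimal reference monitor in Python that mediates every request, applying the DAC check named under C1, the Bell-LaPadula MAC rules named under B1, and the auditing named under C2. The level names, subjects, objects and the `ReferenceMonitor` class are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sensitivity levels for this example, ordered low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

def dominates(a, b):
    """True when level a is at least as sensitive as level b."""
    return LEVELS[a] >= LEVELS[b]

@dataclass
class ReferenceMonitor:
    subjects: dict = field(default_factory=dict)  # subject -> clearance level
    objects: dict = field(default_factory=dict)   # object -> (label, {subject: modes})
    audit: list = field(default_factory=list)     # record of every decision

    def check(self, subject, obj, mode):
        """Mediate one access request; mode is 'read' or 'write'."""
        clearance = self.subjects.get(subject)
        entry = self.objects.get(obj)
        if clearance is None or entry is None or mode not in ("read", "write"):
            return self._log(subject, obj, mode, False, "unknown subject, object or mode")
        label, acl = entry
        # DAC (class C1): the owner must have granted this mode to the subject.
        if mode not in acl.get(subject, set()):
            return self._log(subject, obj, mode, False, "DAC: not in ACL")
        # MAC (class B1), Bell-LaPadula simple security property: no read up.
        if mode == "read" and not dominates(clearance, label):
            return self._log(subject, obj, mode, False, "MAC: read up")
        # MAC, Bell-LaPadula *-property: no write down.
        if mode == "write" and not dominates(label, clearance):
            return self._log(subject, obj, mode, False, "MAC: write down")
        return self._log(subject, obj, mode, True, "granted")

    def _log(self, subject, obj, mode, allowed, reason):
        # Auditing (class C2): denials are recorded as well as grants.
        self.audit.append((subject, obj, mode, allowed, reason))
        return allowed

def demo():
    """Constructed subjects and objects; returns the monitor after four requests."""
    rm = ReferenceMonitor()
    rm.subjects.update(alice="SECRET", bob="TOP_SECRET")
    rm.objects["plan.txt"] = ("TOP_SECRET", {"alice": {"read", "write"}})
    rm.objects["memo.txt"] = ("CONFIDENTIAL", {"alice": {"read", "write"}})
    for obj, mode in [("plan.txt", "read"), ("memo.txt", "read"), ("memo.txt", "write")]:
        rm.check("alice", obj, mode)
    rm.check("bob", "plan.txt", "read")  # cleared under MAC, but no ACL entry
    return rm
```

The ACL alone would let alice read `plan.txt` and write `memo.txt`; the MAC rules deny both, and each refusal is in the audit list with its reason.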

Page 9: Official levels of Computer Security

Security Breaches

• Interception
• Interruption
• Modification
• Fabrication

Security Hole - Software & hardware vulnerability
  – Holes that allow DoS
  – Holes that allow local users unauthorized access
  – Holes that allow remote users unauthorized access

Page 10: Official levels of Computer Security

• Other types:
  – FTP
  – Gopher
  – Telnet
  – Sendmail
  – ARP
  – Portmap