Professional Documents
Culture Documents
Inside The Orange Book: SYCS 653 Fall 2010 Lecture 12 Notes Wayne Patterson
Inside The Orange Book: SYCS 653 Fall 2010 Lecture 12 Notes Wayne Patterson
Orange Book
If youre at all interested in computer security, youll need to know something about the Orange Book. As more organizations become security-conscious, as more vendors develop secure systems and products, and as more government requisitions stipulate that equipment purchases be tied to Orange Book certification, theres more of a need to understand the Orange Book.
References
References: The entire series of publications on computer security standards known as the Rainbow Series Library is on the web, through the National Computer Security Center (NCSC). The URL for the entire series is: http://www.radium.ncsc.mil/tpep/library/rainbow/ and in particular for the Orange Book (available also in text, PostScript, or PDF format): http://www.radium.ncsc.mil/tpep/library/rainbow/ 5200.28-STD.html
CSC-STD-002-85
DoD Password Management Guideline, 12 April 1985. (Green Book)
CSC-STD-003-85
Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)
CSC-STD-004-85
Technical Rational Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985. (Yellow Book)
NCSC-TG-001 Ver. 2
A Guide to Understanding Audit in Trusted Systems 1 June 1988, Version 2. (Tan Book)
NCSC-TG-002
Trusted Product Evaluations - A Guide for Vendors, 22 June 1990. (Bright Blue Book) see also TPEP Procedures which superceedes parts of this document.
NCSC-TG-003
A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987. (Neon Orange Book)
NCSC-TG-005
Trusted Network Interpretation of the TCSEC (TNI), 31 July 1987. (Red Book)
NCSC-TG-006
A Guide to Understanding Configuration Management in Trusted Systems, 28 March 1988. (Amber Book)
NCSC-TG-007
A Guide to Understanding Design Documentation in Trusted Systems, 6 October 1988. (Burgundy Book) see also Process Guidelines for Design Documentation which may supercede parts of this document.
NCSC-TG-009
Computer Security Subsystem Interpretation of the TCSEC 16 September 1988. (Venice Blue Book)
NCSC-TG-010
A Guide to Understanding Security Modeling in Trusted Systems, October 1992. (Aqua Book)
NCSC-TG-011
Trusted Network Interpretation Environments Guideline Guidance for Applying the TNI, 1 August 1990. (Red Book)
NCSC-TG-013 Ver.2
RAMP Program Document, 1 March 1995, Version 2 (Pink Book)
NCSC-TG-015
A Guide to Understanding Trusted Facility Management, 18 October 1989 (Brown Book)
NCSC-TG-016
Guidelines for Writing Trusted Facility Manuals, October 1992. (YellowGreen Book)
NCSC-TG-017
A Guide to Understanding Identification and Authentication in Trusted Systems, September 1991. (Light Blue Book)
NCSC-TG-018
A Guide to Understanding Object Reuse in Trusted Systems, July 1992. (Light Blue Book)
NCSC-TG-020-A
Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System, 7 July 1989. (Silver Book)
NCSC-TG-021
Trusted Database Management System Interpretation of the TCSEC (TDI), April 1991. (Purple Book)
NCSC-TG-022
A Guide to Understanding Trusted Recovery in Trusted Systems, 30 December 1991. (Yellow Book)
NCSC-TG-023
A Guide to Understanding Security Testing and Test Documentation in Trusted Systems (Bright Orange Book) see also Process Guidelines for Test Documentation which may supercede parts of this document.
NCSC-TG-025 Ver. 2
A Guide to Understanding Data Remanence in Automated Information Systems, September 1991, Version 2, (Supercedes CSC-STD-005-85). (Forest Green Book)
NCSC-TG-027
A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992. (Turquoise Book)
NCSC-TG-028
Assessing Controlled Access Protection, 25 May 1992. (Violet Book)
NCSC-TG-029
Introduction to Certification and Accreditation Concepts, January 1994. (Blue Book)
NCSC-TG-030
A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993. (Light Pink Book)
Four Divisions
The Orange Book defines four broad hierarchical divisions of security protection. In increasing order of trust, they are: D Minimal security C Discretionary protection B Mandatory protection A Verified protection
Numbered Classes
Each division consists of one or more numbered classes, with higher numbers indicating a higher degree of security. For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes ( B3 > B2 > B1 ); division A currently contains only one class.
Criteria
Each class is defined by a specific set of criteria that a system must be awarded a rating in that class. The criteria fall into four general categories: security policy, accountability, assurance, and documentation.
Measurement
The evaluation criteria for the Orange Book were developed with three basic objectives: Measurement: To provide users with a metric with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information. For example, a user can rely on a B2 system to be more secure than a C2 system.
Guidance
Guidance: To provide guidance to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.
Acquisition
Acquisition: To provide a basis for specifying security requirements in acquisition specifications. Rather than specifying a hodgepodge of security requirements, and having vendors respond in piecemeal fashion, the Orange Book provides a clear way of specifying a coordinated set of security functions. A customer can be confident that the system he or she acquires has already been checked out for the needed degree of security.
Measuring Trust
How does the Orange Book measure trust? The book approaches security from two perspectives:
Security Policy
A security policy states the rules enforced by a systems security features; e.g. the rules governing whether a particular user is allowed to access a particular piece of information. Obviously, there are more security features in a highly secure system (B1 or higher) than in a less secure system (say, C1 or C2), although at the highest levels there are actually few differences in security features. Instead there is more assurance.
Assurance
Assurance is the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, documented, maintained and delivered to a customer. At the higher levels of security, there are few changes in security features, but a definite increase in the degree of assurance a user can place in the systems architecture and security policies.
Assurance
As the Orange Book puts it, assurance begins [at the lowest class] with an operable access control mechanism and ends [at the highest class] with a mechanism that a clever and determined user cannot circumvent.In the lower classes (C1, C2, B1) assurance of correct and complete design and implementation is gained mostly through testing of the security-relevant portions of the system. In the higher classes (B2, B3, and A1), assurance is derived more from system design and implementation and, at the highest level (A1 only) from formal verification tools. Assurance is described in detail later in this lecture.
Reference Monitor
A reference monitor is a concept that enforces the authorized access relationships between subjects and objects of a system. James Anderson, the developer of this concept, lists three design requirements that must be met by a reference monitor mechanism: Isolation: the reference monitor must be tamperproof. Completeness: the reference monitor must be invoked for every access decision, and must be impossible to bypass. Verifiability: the reference monitor must be small enough to be able to be analyzed and tested, and it must be possible to ensure that the testing is complete.
Security Policy
A security policy is the set of rules and practices that regulate how an organization manages, protects, and distributes sensitive information. A security policy is typically stated in terms of subjects and objects. A subject is something active in the system; examples are users, processes, and programs. An object is something that a subject acts upon; examples of objects are files, directories, devices, sockets, and windows.
Security Policy
The Orange Book defines a security policy as follows: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Model
A security model expresses a systems security requirements precisely and without confusion. The Orange Book criteria are based on the state-machine model developed by David Bell and Leonard LaPadula in 1973. This is the first mathematical model of a multi-level secure computer system. The Orange Book describes the Bell-LaPadula model as follows:
Bell-LaPadula
A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving that the system is secure. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice.
Security Kernel
A security kernel, a concept developed by Roger Schell in 1972 (or was it a security shell developed by Colonel Rogers?) is the operating system mechanism that actually implements the reference monitor concept. The security kernel is the heart of the TCB --- the resource in the computing system that supervises all system activity in according with the systems security policy.
Simplicity
Simplicity is a very important characteristic of the TCB. As the Orange Book puts it, the TCB should be as simple as possible, consistent with the functions it has to perform.
Security Perimeter
The security kernel, as well as other security-related system functions, lies within the imaginary boundary of the TCB known as the security perimeter. In highly trusted systems, the TCB must be designed and implemented in such a way that system elements included in it are designed to perform security functions, while those elements excluded from the TCB need not be trusted.
C1
C1: Discretionary security protection
IBM: MVS/RACFAlthough ordinary UNIX systems have not been submitted for formal evaluation, many people feel that such systems would get a C1.
C2
C2: Controlled access protection
Computer Associates International: ACF2/MVS DEC: VAX/VMS 4.5 Gould: UTX/32SHewlett-Packard MPE V/E Wang Labs: SVS/OS CAP 1.0
B1
B1: Labeled security protection
AT&T: System V/MLS IBM: MVS/ESA SecureWare: CMW+ UNISYS: OS 1100
B2
B2: Structured protection
Honeywell Information Systems: Multics Trusted Information Systems: Trusted XENIX
B3
B3: Security domains
Honeywell Federal Systems: XTS-200
A1
A1: Verified design
Honeywell Information Systems: SCOMP Boeing Aerospace: SNS
C1 Discretionary Access Control Object Reuse Labels Label Integrity Exportation of Labeled Information Exportation of Multilevel Devices Exportation of Single-Level Devices Labeling Human-Readable Output
C2
B1
B2
B3
A1 SP
Lavender Book
Trusted Data Base Management System Interpretation
Green Book
Password Management Guideline
Tan Book
Guide to Understanding Audit in Trusted Systems
Purple Book
Guidelines for Formal Verification Systems
Burgundy Book
Guide to Understanding Design Documentation in Trusted Systems