Inside the Orange Book

SYCS 653 Fall 2010 Lecture 12 Notes Wayne Patterson

Orange Book
If youre at all interested in computer security, youll need to know something about the Orange Book. As more organizations become security-conscious, as more vendors develop secure systems and products, and as more government requisitions stipulate that equipment purchases be tied to Orange Book certification, theres more of a need to understand the Orange Book.

References
References: The entire series of publications on computer security standards known as the Rainbow Series Library is on the web, through the National Computer Security Center (NCSC). The URL for the entire series is: http://www.radium.ncsc.mil/tpep/library/rainbow/ and in particular for the Orange Book (available also in text, PostScript, or PDF format): http://www.radium.ncsc.mil/tpep/library/rainbow/ 5200.28-STD.html

Rainbow Series Library

Rainbow Series Library Document Format Information 5200.28-STD
DoD Trusted Computer System Evaluation Criteria, 26 December 1985 (Supercedes CSC-STD-001-83, dtd 15 Aug 83). (Orange Book)

CSC-STD-002-85
DoD Password Management Guideline, 12 April 1985. (Green Book)

CSC-STD-003-85
Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)

CSC-STD-004-85
Technical Rational Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985. (Yellow Book)

Rainbow Series Library

NTISSAM COMPUSEC/1-87
Advisory Memorandum on Office Automation Security Guidelines

NCSC-TG-001 Ver. 2
A Guide to Understanding Audit in Trusted Systems 1 June 1988, Version 2. (Tan Book)

NCSC-TG-002
Trusted Product Evaluations - A Guide for Vendors, 22 June 1990. (Bright Blue Book) see also TPEP Procedures which superceedes parts of this document.

NCSC-TG-003
A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987. (Neon Orange Book)

Rainbow Series Library

NCSC-TG-004
Glossary of Computer Security Terms, 21 October 1988. (Teal Green Book) (NCSC-WA-001-85 is obsolete)

NCSC-TG-005
Trusted Network Interpretation of the TCSEC (TNI), 31 July 1987. (Red Book)

NCSC-TG-006
A Guide to Understanding Configuration Management in Trusted Systems, 28 March 1988. (Amber Book)

NCSC-TG-007
A Guide to Understanding Design Documentation in Trusted Systems, 6 October 1988. (Burgundy Book) see also Process Guidelines for Design Documentation which may supercede parts of this document.

Rainbow Series Library

NCSC-TG-008
A Guide to Understanding Trusted Distribution in Trusted Systems 15 December 1988. (Dark Lavender Book)

NCSC-TG-009
Computer Security Subsystem Interpretation of the TCSEC 16 September 1988. (Venice Blue Book)

NCSC-TG-010
A Guide to Understanding Security Modeling in Trusted Systems, October 1992. (Aqua Book)

NCSC-TG-011
Trusted Network Interpretation Environments Guideline Guidance for Applying the TNI, 1 August 1990. (Red Book)

NCSC-TG-013 Ver.2
RAMP Program Document, 1 March 1995, Version 2 (Pink Book)

Rainbow Series Library

NCSC-TG-014
Guidelines for Formal Verification Systems, 1 April 1989. (Purple Book)

NCSC-TG-015
A Guide to Understanding Trusted Facility Management, 18 October 1989 (Brown Book)

NCSC-TG-016
Guidelines for Writing Trusted Facility Manuals, October 1992. (YellowGreen Book)

NCSC-TG-017
A Guide to Understanding Identification and Authentication in Trusted Systems, September 1991. (Light Blue Book)

NCSC-TG-018
A Guide to Understanding Object Reuse in Trusted Systems, July 1992. (Light Blue Book)

Rainbow Series Library

NCSC-TG-019 Ver. 2
Trusted Product Evaluation Questionaire, 2 May 1992, Version 2. (Blue Book)

NCSC-TG-020-A
Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System, 7 July 1989. (Silver Book)

NCSC-TG-021
Trusted Database Management System Interpretation of the TCSEC (TDI), April 1991. (Purple Book)

NCSC-TG-022
A Guide to Understanding Trusted Recovery in Trusted Systems, 30 December 1991. (Yellow Book)

NCSC-TG-023
A Guide to Understanding Security Testing and Test Documentation in Trusted Systems (Bright Orange Book) see also Process Guidelines for Test Documentation which may supercede parts of this document.

Rainbow Series Library

NCSC-TG-024 Vol. 1/4
A Guide to Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements, December 1992. (Purple Book)

NCSC-TG-024 Vol. 2/4

A Guide to Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators, 30 June 1993. (Purple Book)

NCSC-TG-024 Vol. 3/4

A Guide to Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description Tutorial, 28 February 1994. (Purple Book)

NCSC-TG-024 Vol. 4/4

A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document - An Aid to Procurement Initiators and Contractors (Purple Book) (publication TBA)

NCSC-TG-025 Ver. 2
A Guide to Understanding Data Remanence in Automated Information Systems, September 1991, Version 2, (Supercedes CSC-STD-005-85). (Forest Green Book)

Rainbow Series Library

NCSC-TG-026
A Guide to Writing the Security Features User's Guide for Trusted Systems, September 1991. (Hot Peach Book)

NCSC-TG-027
A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992. (Turquoise Book)

NCSC-TG-028
Assessing Controlled Access Protection, 25 May 1992. (Violet Book)

NCSC-TG-029
Introduction to Certification and Accreditation Concepts, January 1994. (Blue Book)

NCSC-TG-030
A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993. (Light Pink Book)

Rainbow Series Library

Other NCSC Publications C1 Technical Report 001
Technical Report, Computer Viruses: Prevention, Detection, and Treatment, 12 March 1990

C Technical Report 79-91

Technical Report, Integrity in Automated Information Systems, September 1991.

C Technical Report 32-92

The Design and Evaluation of INFOSEC systems: The Computer Security Contribution to the Composition Discussion, June 1992.

C Technical Report 111-91

Integrity-Oriented Control Objectives: Proposed Revisions to the TCSEC, October 1991.

Rainbow Series Library

NCSC Technical Report 002
Use of the TCSEC for Complex, Evolving, Mulitpolicy Systems

NCSC Technical Report 003

Turning Multiple Evaluated Products Into Trusted Systems

NCSC Technical Report 004

A Guide to Procurement of Single Connected Systems Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators - Includes Complex, Evolving, and Multipolicy Systems

Rainbow Series Library

NCSC Technical Report 005 Volume 1/5
Inference and Aggregation Issues In Secure Database Management Systems

NCSC Technical Report 005 Volume 2/5

Entity and Referential Integrity Issues In Multilevel Secure Database Management

NCSC Technical Report 005 Volume 3/5

Polyinstantiation Issues In Multilevel Secure Database Management Systems

NCSC Technical Report 005 Volume 4/5

Auditing Issues In Secure Database Management Systems

NCSC Technical Report 005 Volume 5/5

Discretionary Access Control Issues In High Assurance Secure Database Management Systems

Four Divisions
The Orange Book defines four broad hierarchical divisions of security protection. In increasing order of trust, they are: D Minimal security C Discretionary protection B Mandatory protection A Verified protection

Numbered Classes
Each division consists of one or more numbered classes, with higher numbers indicating a higher degree of security. For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes ( B3 > B2 > B1 ); division A currently contains only one class.

Criteria
Each class is defined by a specific set of criteria that a system must be awarded a rating in that class. The criteria fall into four general categories: security policy, accountability, assurance, and documentation.

Measurement
The evaluation criteria for the Orange Book were developed with three basic objectives: Measurement: To provide users with a metric with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information. For example, a user can rely on a B2 system to be more secure than a C2 system.

Guidance
Guidance: To provide guidance to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.

Acquisition
Acquisition: To provide a basis for specifying security requirements in acquisition specifications. Rather than specifying a hodgepodge of security requirements, and having vendors respond in piecemeal fashion, the Orange Book provides a clear way of specifying a coordinated set of security functions. A customer can be confident that the system he or she acquires has already been checked out for the needed degree of security.

Whats a Trusted System?

The Orange Book defines it as: A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

Measuring Trust
How does the Orange Book measure trust? The book approaches security from two perspectives:

Security Policy
A security policy states the rules enforced by a systems security features; e.g. the rules governing whether a particular user is allowed to access a particular piece of information. Obviously, there are more security features in a highly secure system (B1 or higher) than in a less secure system (say, C1 or C2), although at the highest levels there are actually few differences in security features. Instead there is more assurance.

Assurance
Assurance is the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, documented, maintained and delivered to a customer. At the higher levels of security, there are few changes in security features, but a definite increase in the degree of assurance a user can place in the systems architecture and security policies.

Assurance
As the Orange Book puts it, assurance begins [at the lowest class] with an operable access control mechanism and ends [at the highest class] with a mechanism that a clever and determined user cannot circumvent.In the lower classes (C1, C2, B1) assurance of correct and complete design and implementation is gained mostly through testing of the security-relevant portions of the system. In the higher classes (B2, B3, and A1), assurance is derived more from system design and implementation and, at the highest level (A1 only) from formal verification tools. Assurance is described in detail later in this lecture.

Trusted Computing Base

The concept of the trusted computing base (TCB) is central to the notion of a trusted system. The Orange Book uses the term TCB to refer to the mechanisms that enforce security in a system. The book defines the TCB as follows:

Trusted Computing Base

The totality of protection mechanisms within a computer system -- including hardware, firmware, and software -- the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy.

Defining the TCB

Not every part of an operating system needs to be trusted. An important part of an evaluation of a computer system is to identify the architecture, assurance mechanisms, and security features that comprise the TCB, and to show how the TCB is protected from interference and tampering.

Reference Monitor
A reference monitor is a concept that enforces the authorized access relationships between subjects and objects of a system. James Anderson, the developer of this concept, lists three design requirements that must be met by a reference monitor mechanism: Isolation: the reference monitor must be tamperproof. Completeness: the reference monitor must be invoked for every access decision, and must be impossible to bypass. Verifiability: the reference monitor must be small enough to be able to be analyzed and tested, and it must be possible to ensure that the testing is complete.

Security Policy
A security policy is the set of rules and practices that regulate how an organization manages, protects, and distributes sensitive information. A security policy is typically stated in terms of subjects and objects. A subject is something active in the system; examples are users, processes, and programs. An object is something that a subject acts upon; examples of objects are files, directories, devices, sockets, and windows.

Security Policy
The Orange Book defines a security policy as follows: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Policy --- Informal or Formal

At the lower levels of trust (C1, C2, B1) an informally stated policy is acceptable. At the higher levels of trust (B2, B3, A1), a formally stated, mathematically precise policy is required.

Security Model
A security model expresses a systems security requirements precisely and without confusion. The Orange Book criteria are based on the state-machine model developed by David Bell and Leonard LaPadula in 1973. This is the first mathematical model of a multi-level secure computer system. The Orange Book describes the Bell-LaPadula model as follows:

Bell-LaPadula
A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving that the system is secure. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice.

Security Kernel
A security kernel, a concept developed by Roger Schell in 1972 (or was it a security shell developed by Colonel Rogers?) is the operating system mechanism that actually implements the reference monitor concept. The security kernel is the heart of the TCB --- the resource in the computing system that supervises all system activity in according with the systems security policy.

Simplicity
Simplicity is a very important characteristic of the TCB. As the Orange Book puts it, the TCB should be as simple as possible, consistent with the functions it has to perform.

Security Perimeter
The security kernel, as well as other security-related system functions, lies within the imaginary boundary of the TCB known as the security perimeter. In highly trusted systems, the TCB must be designed and implemented in such a way that system elements included in it are designed to perform security functions, while those elements excluded from the TCB need not be trusted.

Orange Book Evaluation Classes

Class, Name, Examples D: Minimal security
None. Reserved for systems that are submitted to evaluation but fail. Basic operating systems for personal computers such as Windows, Mac, and MS-DOS would probably fall into this category if they were evaluated.

C1
C1: Discretionary security protection
IBM: MVS/RACFAlthough ordinary UNIX systems have not been submitted for formal evaluation, many people feel that such systems would get a C1.

C2
C2: Controlled access protection
Computer Associates International: ACF2/MVS DEC: VAX/VMS 4.5 Gould: UTX/32SHewlett-Packard MPE V/E Wang Labs: SVS/OS CAP 1.0

B1
B1: Labeled security protection
AT&T: System V/MLS IBM: MVS/ESA SecureWare: CMW+ UNISYS: OS 1100

B2
B2: Structured protection
Honeywell Information Systems: Multics Trusted Information Systems: Trusted XENIX

B3
B3: Security domains
Honeywell Federal Systems: XTS-200

A1
A1: Verified design
Honeywell Information Systems: SCOMP Boeing Aerospace: SNS

Complaints About the Orange Book

Here are some of the main claims about the inadequacies of Orange: The Orange Book model works only in a government classified environment, and the higher levels of security arent appropriate for the protection of commercial data, where data integrity is the chief concern. The Orange Book focuses on only one aspect of security --- secrecy --while paying little attention to the principles of accuracy, availability, and authenticity. The Orange Book emphasizes protection from unauthorized access, while most security attacks actually involve insiders. The Orange Book doesnt address networking issues. (But the Red Book does.) The Orange Book contains a relatively small number of security ratings. A system that offers a subset of Orange Book security features, plus some very strong features in other areas not addressed by the Orange Book (for example, integrity) wouldnt fit into any of the current ratings.

C1 Discretionary Access Control Object Reuse Labels Label Integrity Exportation of Labeled Information Exportation of Multilevel Devices Exportation of Single-Level Devices Labeling Human-Readable Output

C2

B1

B2

B3

A1 SP

Mandatory Access Control

Subject Sensitivity Labels Device Labels Identification and Authentication AC

The Rainbow Series and Other Sources

The government has produced a number of other volumes interpreting Orange Book requirements. These are known collectively as the Rainbow Series, since each has a different cover color.

Colors of the Rainbow

These include: Red Book
Trusted Network Interpretation

Lavender Book
Trusted Data Base Management System Interpretation

Green Book
Password Management Guideline

Tan Book
Guide to Understanding Audit in Trusted Systems

Purple Book
Guidelines for Formal Verification Systems

Burgundy Book
Guide to Understanding Design Documentation in Trusted Systems