Trusted Computer System Evaluation Criteria
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.

The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was replaced by the Common Criteria international standard originally published in 2005.

Fundamental objectives and requirements

The Orange Book or DoDD 5200.28-STD was canceled by DoDD 8500.1 on October 24, 2002.

Policy

The security policy must be explicit, well-defined and enforced by the computer system. There are two basic security policies:
  • Mandatory Security Policy - Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
  • Marking - Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
  • Discretionary Security Policy - Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.

Accountability

Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent which can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. There are three requirements under the accountability objective:
  • Identification - The process used to recognize an individual user.
  • Authentication - The verification of an individual user's authorization to specific categories of information.
  • Auditing - Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
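The two policy types and the accountability requirements above, as an added toy reference monitor written for this page (not code from the Orange Book or from any evaluated system); the four-level ordering, the compartment sets and the ACL shape are assumptions for illustration:

```python
from dataclasses import dataclass, field

# Constructed toy reference monitor for the TCSEC policy and accountability
# objectives. The level ordering, compartment sets and ACL shape are
# assumptions for illustration, not the Orange Book's own definitions.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Mandatory rule: clearance level at least the object's level, and
        # authorization for every compartment the object is marked with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

@dataclass
class Obj:
    name: str
    label: Label                         # marking stored with the object
    acl: set = field(default_factory=set)  # DAC: users with need-to-know

@dataclass
class Monitor:
    clearances: dict                     # authenticated user -> clearance
    audit: list = field(default_factory=list)

    def read(self, user, obj):
        # Identification first, then MAC, then DAC; every outcome is
        # recorded against the individual so it can be traced later.
        if user not in self.clearances:
            reason = "denied: unidentified user"
        elif not self.clearances[user].dominates(obj.label):
            reason = "denied: clearance does not dominate label (MAC)"
        elif user not in obj.acl:
            reason = "denied: no need-to-know entry (DAC)"
        else:
            reason = "granted"
        self.audit.append((user, "read", obj.name, reason))
        return reason == "granted"

def demo():
    mon = Monitor({"alice": Label("SECRET", frozenset({"CRYPTO"})),
                   "bob": Label("SECRET")})
    doc = Obj("plan", Label("CONFIDENTIAL", frozenset({"CRYPTO"})), {"alice", "bob"})
    return [mon.read(u, doc) for u in ("alice", "bob", "eve")], mon.audit
```

Bob is on the ACL but lacks the CRYPTO compartment, so the mandatory check denies him before discretionary access is even consulted, and the audit list records who was denied and why.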

Assurance

The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
  • Assurance Mechanisms
  • Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
  • Life-cycle Assurance: Security Testing, Design Specification and Verification, Configuration Management and Trusted System Distribution
  • Continuous Protection Assurance - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.

Documentation

Within each class there is an additional documentation set which addresses the development, deployment and management of the system rather than its capabilities. This documentation includes:
  • Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation

Divisions and classes

The TCSEC defines four divisions: D, C, B and A, where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place in the evaluated system. Additionally, divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.

Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.

D — Minimal protection

  • Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division

C — Discretionary protection

  • C1 — Discretionary Security Protection
    • Identification and authentication
    • Separation of users and data
    • Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
    • Required System Documentation and user manuals
  • C2 — Controlled Access Protection
    • More finely grained DAC
    • Individual accountability through login procedures
    • Audit trails
    • Object reuse
    • Resource isolation

B — Mandatory protection

  • B1 — Labeled Security Protection
    • Informal statement of the security policy model
    • Data sensitivity labels
    • Mandatory Access Control (MAC) over selected subjects and objects
    • Label exportation capabilities
    • All discovered flaws must be removed or otherwise mitigated
    • Design specifications and verification
  • B2 — Structured Protection
    • Security policy model clearly defined and formally documented
    • DAC and MAC enforcement extended to all subjects and objects
    • Covert storage channels are analyzed for occurrence and bandwidth
    • Carefully structured into protection-critical and non-protection-critical elements
    • Design and implementation enable more comprehensive testing and review
    • Authentication mechanisms are strengthened
    • Trusted facility management is provided with administrator and operator segregation
    • Strict configuration management controls are imposed
  • B3 — Security Domains
    • Satisfies reference monitor requirements
    • Structured to exclude code not essential to security policy enforcement
    • Significant system engineering directed toward minimizing complexity
    • Security administrator role defined
    • Audit security-relevant events
    • Automated imminent intrusion detection, notification, and response
    • Trusted system recovery procedures
    • Covert timing channels are analyzed for occurrence and bandwidth
    • An example of such a system is the XTS-300, a precursor to the XTS-400

A — Verified protection

  • A1 — Verified Design
    • Functionally identical to B3
    • Formal design and verification techniques including a formal top-level specification
    • Formal management and distribution procedures
    • An example of such a system is Honeywell's Secure Communications Processor SCOMP, a precursor to the XTS-400

  • Beyond A1
    • System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
    • Security Testing automatically generates test cases from the formal top-level specification or formal lower-level specifications.
    • Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
    • Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.

Matching classes to environmental requirements

Army Regulation 380-19 is an example of a guide to determining which system class should be used in a given situation.

See also

  • AR 380-19, superseded by AR 25-2
  • Common Criteria
  • ITSEC
  • Trusted Platform Module
  • Rainbow Series
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.