Trusted Computer Systems

• Information system security is increasingly important
• have varying degrees of sensitivity of information
• subjects (people or programs) have varying rights of access to objects (information)
• hence:

• need to consider among other issues:
  • system security
  • physical security
  • communications security
• are most concerned here with system security and how we can be assured of its correctness

• evaluation -> assurance so that
• owners -> have confidence -> that countermeasures -> minimise risk -> to assets

• hence evaluation on "trusted computer systems" is key

• two key aspects evaluated

  Functionality

  functions in system which enforce security

  Assurance

  effectiveness and correctness of systems construction and implementation

• systems are evaluated against an evaluation standard

• concept of a Trusted Computing Base is central
  • includes the hardware and software security-relevant portions of the system,
  • mediates all access between subjects and objects
  • is tamperproof
  • is validated

Types of Secure Computing Systems

• Dedicated (Single-Level) Systems
  • handles subjects and objects with same classification
  • relies on other security procedures (eg physical)
• System-High
  • only provides need-to-know protection between users
  • entire system operates at highest classification level
  • all users must be cleared for that level of information
• Compartmented
  • varaition of System-High which can process two or more types of compartmented information
  • not all users are cleared for all compartments, but all must be cleared to the highest level of information processed
• Multi-Level Systems
  • is validated for handling subjects and objects with different rights and levels of security simultaneously
  • major features of such systems include:
    • user identification and authentication
    • resource access control and object labelling
    • audit trails of all security relevant events
    • external validation of the systems security

Evaluation Process

• parties in evaluation are
  • sponsor of system (TOE) being developed
  • developer of system (may be sponsor)
  • evaluation facility which performs evaluation (in Australia a commercial evaluator - Admiral Computing)
  • certification body (in Australia - DSD)

• phases of evaluation

  pre-evaluation

  defines security target & deliverables

  evaluation

  fulfil required evaluation tasks

  re-evaluation

  following correction of faults of changes

  certification

  confirmation & acceptance of evaluation

Risk Analysis and Selection of Mode of Operation

• guiding priciple is that recommended rating of a system depends on differential between user & info levels
• Risk Index (defined in Yellow book) is given by:
  • Risk Index = Max Info Sensitivity - Min User Clearance
• Rating Level Table:

Rating           Info Sensitivity                          User Clearance                 
0                Unclassified                              Uncleared                      
1                Restricted                                Restricted                     
2                Restricted (categories) Confidential      Confidential                   
3                Confidential (categories) Secret          Secret                         
4                Secret (1+ categories)                    Top Secret                     
5                Secret (2+ categories) Top Secret         Top Secret                     
6                Top Secret (1+ categories)                Top Secret - 1 category        
7                Top Secret (2+ categories)                Top Secret - many categories   

• recommended type of system required:

Risk       Security Mode                   Min Class Open Env   Min Class Closed     
Index                                                           Env                  
0          dedicated                       none                 none                 
0          system high                     C2                   C2                   
1          limited access, controlled,     B1                   B1                   
           compartmented, multi-level                                                
2          limited access, controlled,     B2                   B2                   
           compartmented, multi-level                                                
3          controlled,       multi-level   B3                   B3                   
4          multi-level                     A1                   B3                   
5          multi-level                     beyond A1            A1                   
>=6        multi-level                     beyond A1            beyond A1            

Phases in Security Evaluation

Defining Security Requirements

• system specification
• standards/criteria
• experience

Threat Analysis

• standards/criteria
• experience

Theoretical Evaluation

• functionality
• assurance

Practical Testing

Examination of the Source Code

Penetration

TCSEC standard

• TCSEC is the Trusted Computer System Evaluation Criteria ("Orange Book") for single computer systems with terminal access
• first standard definition of a trusted computer system and how to evaluate and ensure them
• original spec Aug 83, revised Dec 85
• has tight coupling between functionality & assurance
• TCSEC defines a number of criteria within broad categories of:

  Security Policy

  must have an explicit, enforced security policy; objects in system need access control labels

  Accountability

  access to information must be controlled by rights of subjects vs class of information; audit trails must be kept

  Assurance

  system must contain mechanisms which can be independently evaluated to provide sufficient assurance that they enforce the stated requirements

• also in the Rainbow series is:

  Red Book

  Trusted Network Interpretation

  Yellow Book

  Methodology for Security Risk Assessment

  Lavendar Book

  Database Security Evaluation

• evaluation criteria classes

       Class                             Description                      
         D           Minimal Protection                                   
        C1           Discretionary Security Protection                    
        C2           Controlled Access Protection                         
        B1           Labelled Security Protection                         
        B2           Structured Protection                                
        B3           Security Domains                                     
        A1           Verified Design                                      

• in Australia DSD maintains an "Evaluated Products List" for systems evaluated to a particular class
• for example, evaluated O/S (as of May 94):

  1 A1

  - a brick, Honeywell SCOMP STOP 2.1

  1 B3

  - Honeywell XTS-200 STOP 3/1/E

  3 B2

  - incl Trusted Xenix, Multics

  8 B1

  - incl Secureware CMW+ v1, AT&T UNIX SysV/MLS , IBM MVS/ESA/RACF

• is a slow and costly process to have a system evaluated

• Information Technology Security Evaluation Criteria (ITSEC) is the harmonised European trusted evaluation standard
• unlike TCSEC it is designed for both single and multiple networked computer systems
• Target Of Evaluation (TOE) is the evaluated system
• structured around two key concepts - assurance and functionality
• also details the evaulation process by an independent evaulator working with developer and sponser
• evaluator checks the test and analysis results supplied by sponser and performs aditional tests to audit and supplement these [1]

Assurance

• concerned with confidence in both correctness and effectiveness of security functions and mechanisms
• have 7 evaluation levels defined:

  E0

  inadequate

  E1

  statement of security objects, informal description of security architecture

  E2

  +informal description of detailed design, testing, configuration control and controlled distribution

  E3

  +detailed design and source code evaulated

  E4

  +formal security policy model, rigourous architectural and detailed design, vulnerability analysis

  E5

  +close correspondence between detailed design and source code, vulnerability analysis on source code

  E6

  +formal description of TOE consistent with formal security model, evaluation of object code against source

• correctness is addressed both from:
  • development process & environment in building TOE
  • operation of the TOE
• TOE must also be assessed for:
  • suitability and binding of functionality
  • consequences of known and discovered vulnerabilities
  • strength of security mechanisms against direct attack

Functionality

• considered in terms of its security objectives, security functions and security mechanisms
• must define security objectives for TOE either as a natural language security policy or a formal model
• each functionality class is defined by a number of descriptive categories including:
  • identification & authentication, access control, accountability, audit, object reuse, accuracy, reliability of service and data exchange
• ten functionality classes are defined in two groups

  F1-F5

  map onto TCSEC classes C1 to A1, with appropriate assurance levels [2]

  F6

  high integrity systems (eg financial)

  F7

  high availability/mission critical systems

  F8

  high integrity data communications systems

  F9

  high confidentiality data communications systems

  F10

  high confidentiality and integrity networks

Common Criteria

• Common Criteria is being developed as an ISO standard (JTC1.SC27), based on existing TCSEC, ITSEC, CTCPEC (Canadian), Federal (US) standards
• concerned with standards for
  • evaluation criteria
  • methodology for application of criteria
  • administrative procedures for evaluation, certification and accreditation schemes
• CC Part 1 covers

  IT Security

  "reduction of risks associated with threats to the information arising directly or indirectly from human error or deliberate subversion"

  Threat Analysis

  to discover conceivable threats

  Risk Analysis

  to determine countermeasures

• defines

  Protection Profile

  set of generic security requirements for some applications sector

  Security Target

  a particular instance of a PP

  Target of Evaluation

  actual system evaluated

Functional Class Set

• identification & authentication
• trusted path
• security audit
• TOE entry
• user data protection
• resource utilisation & availability
• protection of TOE security functions
• physical protection
• privacy
• communications

Assurance Levels

AL0

unassured

AL1

tested

AL2

structurally tested

AL3

methodically tested & checked

AL4

methodically tested & reviewed

AL5

semiformal design

AL6

semiformal verified design

AL7

formally verified design

SECMAN standards

• are prepared by the Defence Security Branch
• are the Defence Security manuals
• are unclassified, hence available to anyone interested
• comprise the following:

  SECMAN 1

  Security Policy

  SECMAN 2

  Industrial Security

  SECMAN 3

  Information System Security

  SECMAN 4

  Protective Security

  SECMAN 5

  Personel Security

  SECMAN 6

  Project Security

  SECMAN 7

  Facility Security (Security Design and Contruction Guidelines)

• provide checklists and procedures to assist in implementing security in various situations
• SECMAN 3 is of most interest to us
• defines Protection for a Typical System against Typical Threats to achieve an Acceptable Risk
• is in two parts

  part A Introduction, Checklist, Guides

  part B Policy, Standards

• is concerned with all the following security aspects:
  • Personnel, Environment, Management
  • Hardware, Software, Media, Networking
  • Communications, TEMPEST, Cabling
• can negotiate concessions
  • eg may be possible to use a lower certified system than recommended in return for higher physical site security
• system has to be certified by appropriate authority, which depends on level of information being handled