Trusted Computer Systems
- Information system security is increasingly important
- information has varying degrees of sensitivity
- subjects (people or programs) have varying rights of access to objects
(information)
- hence:
Information system security is the application of managerial and
administrative procedures and technical and physical safeguards to ensure not
only the confidentiality, integrity and availability of
information which is processed by an information system, but also of the
information system itself, together with its environment. Such procedures and
safeguards not only need to deter and delay improper access to information
systems, they must also ensure that any improper access is detected; that is,
individuals have to be made accountable for their actions. [Secman 3-103]
- need to consider among other issues:
- system security
- physical security
- communications security
- are most concerned here with system security and how we can be assured of
its correctness
Evaluation Concepts and Relationships
- evaluation provides assurance, so that owners have confidence that the
countermeasures minimise the risk to their assets
- hence evaluation on "trusted computer systems" is key
- two key aspects evaluated
- Functionality
- functions in system which enforce security
- Assurance
- effectiveness and correctness of systems construction and implementation
- systems are evaluated against an evaluation standard
- concept of a Trusted Computing Base is central
- includes the hardware and software security-relevant portions of the
system,
- mediates all access between subjects and objects
- is tamperproof
- is validated
Types of Secure Computing Systems
- Dedicated (Single-Level) Systems
- handles subjects and objects with same classification
- relies on other security procedures (eg physical)
- System-High
- only provides need-to-know protection between users
- entire system operates at highest classification level
- all users must be cleared for that level of information
- Compartmented
- variation of System-High which can process two or more types of
compartmented information
- not all users are cleared for all compartments, but all must be cleared to
the highest level of information processed
- Multi-Level Systems
- is validated for handling subjects and objects with different rights and
levels of security simultaneously
- major features of such systems include:
- user identification and authentication
- resource access control and object labelling
- audit trails of all security relevant events
- external validation of the systems security
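The four features listed for a multi-level system are what a reference monitor inside the TCB has to provide. The following is an added example (not code from the original notes) that models them in a few dozen lines: a subject registry stands in for identification and authentication, objects carry labels, every access goes through one mediation point, and each decision is written to an audit trail. The dominance rule is the standard one for labelled systems (level order plus category superset); the level names, subject names, object names and compartment "NUCLEAR" are constructed for the example.

```python
"""Reference-monitor sketch for a multi-level system (added example).

Models the four features listed above: a subject registry standing in for
identification & authentication, labelled objects, every access mediated by
one check (the TCB's reference monitor), and an audit trail of each
security-relevant decision.  The dominance rule is the usual one for labels
(level order plus category superset); level names, subjects and objects are
constructed for the example and are not from the notes.
"""
from dataclasses import dataclass, field

# Classification levels in increasing order (assumed ordering for the example)
LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if self's level >= other's level and self holds all of other's categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


@dataclass
class ReferenceMonitor:
    subjects: dict                       # subject id -> clearance Label
    objects: dict                        # object name -> classification Label
    audit: list = field(default_factory=list)

    def _record(self, subject, op, obj, allowed, reason):
        self.audit.append({"subject": subject, "op": op, "object": obj,
                           "allowed": allowed, "reason": reason})

    def access(self, subject, op, obj):
        """Single mediation point: every read/write passes through here and is logged."""
        if subject not in self.subjects:
            self._record(subject, op, obj, False, "unknown subject")
            return False
        if obj not in self.objects:
            self._record(subject, op, obj, False, "unknown object")
            return False
        clearance, classification = self.subjects[subject], self.objects[obj]
        if op == "read":                 # simple security: no read up
            allowed = clearance.dominates(classification)
            reason = "clearance dominates label" if allowed else "clearance does not dominate label"
        elif op == "write":              # *-property: no write down
            allowed = classification.dominates(clearance)
            reason = "label dominates clearance" if allowed else "no write down"
        else:
            allowed, reason = False, "unknown operation"
        self._record(subject, op, obj, allowed, reason)
        return allowed


def build_demo():
    """Constructed sample population (made-up names, labels and compartment)."""
    subjects = {
        "alice": Label("SECRET", frozenset({"NUCLEAR"})),   # cleared into the compartment
        "bob":   Label("SECRET"),                           # same level, no compartment
        "carol": Label("CONFIDENTIAL"),
    }
    objects = {
        "plan.txt": Label("SECRET", frozenset({"NUCLEAR"})),
        "memo.txt": Label("CONFIDENTIAL"),
        "ts-log":   Label("TOP SECRET"),
    }
    return ReferenceMonitor(subjects, objects)


if __name__ == "__main__":
    rm = build_demo()
    for s, op, o in [("alice", "read", "plan.txt"), ("bob", "read", "plan.txt"),
                     ("carol", "write", "ts-log"), ("bob", "write", "memo.txt"),
                     ("mallory", "read", "memo.txt")]:
        print(f"{s:7} {op:5} {o:9} -> {rm.access(s, op, o)}")
    for entry in rm.audit:
        print(entry)
```

The point of routing every request through `access()` is the "mediates all access" property of the TCB: bob is cleared Secret yet cannot read the Secret NUCLEAR plan because he lacks the compartment, carol can write upward into a Top Secret log but bob cannot write Secret knowledge down into a Confidential memo, and each of these decisions, including the attempt by the unregistered subject "mallory", lands in the audit trail.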
Evaluation Process
- parties in evaluation are
- sponsor of system (TOE) being developed
- developer of system (may be sponsor)
- evaluation facility which performs evaluation (in Australia a commercial
evaluator - Admiral Computing)
- certification body (in Australia - DSD)
- phases of evaluation
- pre-evaluation
- defines security target & deliverables
- evaluation
- fulfil required evaluation tasks
- re-evaluation
- following correction of faults or changes to the system
- certification
- confirmation & acceptance of evaluation
Risk Analysis and Selection of Mode of Operation
- guiding principle is that the recommended rating of a system depends on the
differential between user clearance and information sensitivity levels
- Risk Index (defined in Yellow book) is given by:
- Risk Index = Max Info Sensitivity - Min User Clearance
- Rating Level Table (the same scale is read once for the most sensitive
information and once for the least cleared user; the "(categories)" rows are
for compartmented information):
  Rating  Information Sensitivity          Minimum User Clearance
  0       Unclassified                     Uncleared
  1       Restricted                       Restricted
  2       Restricted (categories),         Confidential
          Confidential
  3       Confidential (categories),       Secret
          Secret
  4       Secret (1 category)              Top Secret
  5       Secret (2+ categories),          Top Secret
          Top Secret
  6       Top Secret (1 category)          Top Secret - 1 category
  7       Top Secret (2+ categories)       Top Secret - many categories
- recommended type of system required (open environment: application
developers are not all cleared for the data, or configuration control does
not protect applications against malicious logic; closed environment: they
are, and it does):
  Risk   Security Mode                            Min Class     Min Class
  Index                                           (Open Env)    (Closed Env)
  0      dedicated                                none          none
  0      system high                              C2            C2
  1      limited access, controlled,              B1            B1
         compartmented, multi-level
  2      limited access, controlled,              B2            B2
         compartmented, multi-level
  3      controlled, multi-level                  B3            B3
  4      multi-level                              A1            B3
  5      multi-level                              beyond A1     A1
  >=6    multi-level                              beyond A1     beyond A1
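To show the procedure end to end rather than one row of the table, here is an added example (not from the original notes) that encodes the two rating scales and the recommendation table, then applies Risk Index = Max Info Sensitivity - Min User Clearance to a constructed population of objects and users. Two assumptions are made explicit: a plain Top Secret clearance is rated 4 (the table lists "Top Secret" at both 4 and 5 without saying what separates them), and a negative difference is clamped to 0. Combinations the table does not list raise an error rather than being guessed.

```python
"""Risk Index worked example (added; not from the original notes).

Encodes the rating table and the recommended-class table above, then applies
Risk Index = max information sensitivity rating - min user clearance rating to
a constructed population.  Assumptions: a plain Top Secret clearance is rated
4; a negative difference is clamped to 0; level/category combinations the
table does not list raise ValueError.
"""

# Information sensitivity with no categories (from the rating table)
_SENSITIVITY_BASE = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2,
                     "SECRET": 3, "TOP SECRET": 5}
# Minimum user clearance with no categories (Top Secret = 4 is an assumption)
_CLEARANCE_BASE = {"UNCLEARED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2,
                   "SECRET": 3, "TOP SECRET": 4}


def sensitivity_rating(level, n_categories=0):
    """Rating of information at `level` held in `n_categories` compartments."""
    base = _SENSITIVITY_BASE[level]
    if n_categories == 0:
        return base
    if level in ("RESTRICTED", "CONFIDENTIAL"):
        return base + 1                       # the "(categories)" rows: 2 and 3
    if level == "SECRET":
        return 4 if n_categories == 1 else 5  # Secret, 1 category / 2+ categories
    if level == "TOP SECRET":
        return 6 if n_categories == 1 else 7  # Top Secret, 1 category / 2+ categories
    raise ValueError(f"no rating in table for {level} with categories")


def clearance_rating(level, n_categories=0):
    """Rating of a user cleared to `level` for `n_categories` compartments."""
    if n_categories == 0:
        return _CLEARANCE_BASE[level]
    if level == "TOP SECRET":
        return 6 if n_categories == 1 else 7  # TS - 1 category / TS - many categories
    raise ValueError(f"no rating in table for {level} clearance with categories")


def risk_index(objects, users):
    """objects/users: iterables of (level, n_categories).  Returns max(0, Rmax - Rmin)."""
    r_max = max(sensitivity_rating(lvl, n) for lvl, n in objects)
    r_min = min(clearance_rating(lvl, n) for lvl, n in users)
    return max(0, r_max - r_min)


# Risk index -> (security modes, min class open env, min class closed env)
_RECOMMENDATION = {
    0: ("dedicated or system high",
        "none (dedicated) / C2 (system high)", "none (dedicated) / C2 (system high)"),
    1: ("limited access, controlled, compartmented, multi-level", "B1", "B1"),
    2: ("limited access, controlled, compartmented, multi-level", "B2", "B2"),
    3: ("controlled, multi-level", "B3", "B3"),
    4: ("multi-level", "A1", "B3"),
    5: ("multi-level", "beyond A1", "A1"),
}


def recommend(objects, users, closed_environment=False):
    """Return (risk index, security mode, minimum TCSEC class) for a population."""
    index = risk_index(objects, users)
    modes, open_env, closed_env = _RECOMMENDATION.get(
        index, ("multi-level", "beyond A1", "beyond A1"))   # rows >= 6
    return index, modes, (closed_env if closed_environment else open_env)


if __name__ == "__main__":
    # Constructed system: Secret data in two compartments, least-cleared user Confidential
    objs = [("SECRET", 2), ("CONFIDENTIAL", 0)]
    usrs = [("TOP SECRET", 0), ("CONFIDENTIAL", 0)]
    print(recommend(objs, usrs))            # (3, 'controlled, multi-level', 'B3')
    print(recommend([("TOP SECRET", 1)], [("SECRET", 0)], closed_environment=True))
```

Note that only the extremes matter: adding a Top Secret user to the population changes nothing, because the index is driven by the least cleared user and the most sensitive object, which is why the notes recommend trading clearance policy or physical controls against the required class rather than adding well-cleared users.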
Phases in Security Evaluation
- Defining Security Requirements
- system specification
- standards/criteria
- experience
- Threat Analysis
- standards/criteria
- experience
- Theoretical Evaluation
- Practical Testing
- Examination of the Source Code
- Penetration
TCSEC standard
- TCSEC is the Trusted Computer System Evaluation Criteria ("Orange Book")
for single computer systems with terminal access
- first standard definition of a trusted computer system and of how to
evaluate and assure one
- original spec Aug 83, revised Dec 85
- has tight coupling between functionality & assurance
- TCSEC defines a number of criteria within broad categories of:
- Security Policy
- must have an explicit, enforced security policy; objects in system need
access control labels
- Accountability
- access to information must be controlled by rights of subjects vs class of
information; audit trails must be kept
- Assurance
- system must contain mechanisms which can be independently evaluated to
provide sufficient assurance that they enforce the stated requirements
- also in the Rainbow series is:
- Red Book
- Trusted Network Interpretation
- Yellow Book
- Methodology for Security Risk Assessment
- Lavender Book
- Database Security Evaluation
- evaluation criteria classes
Class Description
D Minimal Protection
C1 Discretionary Security Protection
C2 Controlled Access Protection
B1 Labelled Security Protection
B2 Structured Protection
B3 Security Domains
A1 Verified Design
- in Australia DSD maintains an "Evaluated Products List" for systems
evaluated to a particular class
- for example, evaluated O/S (as of May 94):
- 1 at A1: a brick, Honeywell SCOMP STOP 2.1
- 1 at B3: Honeywell XTS-200 STOP 3/1/E
- 3 at B2: incl Trusted Xenix, Multics
- 8 at B1: incl Secureware CMW+ v1, AT&T UNIX SysV/MLS, IBM MVS/ESA/RACF
- is a slow and costly process to have a system evaluated
ITSEC standard
- Information Technology Security Evaluation Criteria (ITSEC) is the
harmonised European trusted evaluation standard
- unlike TCSEC it is designed for both single and multiple networked
computer systems
- Target Of Evaluation (TOE) is the evaluated system
- structured around two key concepts - assurance and functionality
- also details the evaluation process by an independent evaluator working
with developer and sponsor
- evaluator checks the test and analysis results supplied by the sponsor and
performs additional tests to audit and supplement these [1]
Assurance
- concerned with confidence in both correctness and effectiveness of
security functions and mechanisms
- have 7 evaluation levels defined:
- E0
- inadequate
- E1
- statement of security objectives, informal description of security architecture
- E2
- +informal description of detailed design, testing, configuration control
and controlled distribution
- E3
- +detailed design and source code evaluated
- E4
- +formal security policy model, rigorous architectural and detailed design,
vulnerability analysis
- E5
- +close correspondence between detailed design and source code,
vulnerability analysis on source code
- E6
- +formal description of TOE consistent with formal security model,
evaluation of object code against source
- correctness is addressed both from:
- development process & environment in building TOE
- operation of the TOE
- TOE must also be assessed for:
- suitability and binding of functionality
- consequences of known and discovered vulnerabilities
- strength of security mechanisms against direct attack
Functionality
- considered in terms of its security objectives, security functions and
security mechanisms
- must define security objectives for TOE either as a natural language
security policy or a formal model
- each functionality class is defined by a number of descriptive categories
including:
- identification & authentication, access control, accountability,
audit, object reuse, accuracy, reliability of service and data exchange
- ten functionality classes are defined in two groups
- F1-F5
- map onto TCSEC classes C1 to A1, with appropriate assurance levels [2]
- F6
- high integrity systems (eg financial)
- F7
- high availability/mission critical systems
- F8
- high integrity data communications systems
- F9
- high confidentiality data communications systems
- F10
- high confidentiality and integrity networks
Common Criteria
- Common Criteria is being developed as an ISO standard (JTC1.SC27), based
on existing TCSEC, ITSEC, CTCPEC (Canadian), Federal (US) standards
- concerned with standards for
- evaluation criteria
- methodology for application of criteria
- administrative procedures for evaluation, certification and accreditation
schemes
- CC Part 1 covers
- IT Security
- "reduction of risks associated with threats to the information arising
directly or indirectly from human error or deliberate subversion"
- Threat Analysis
- to discover conceivable threats
- Risk Analysis
- to determine countermeasures
- defines
- Protection Profile
- set of generic security requirements for some applications sector
- Security Target
- a particular instance of a PP
- Target of Evaluation
- actual system evaluated
Functional Class Set
- identification & authentication
- trusted path
- security audit
- TOE entry
- user data protection
- resource utilisation & availability
- protection of TOE security functions
- physical protection
- privacy
- communications
Assurance Levels
- AL0
- unassured
- AL1
- tested
- AL2
- structurally tested
- AL3
- methodically tested & checked
- AL4
- methodically tested & reviewed
- AL5
- semiformal design
- AL6
- semiformal verified design
- AL7
- formally verified design
SECMAN standards
- are prepared by the Defence Security Branch
- are the Defence Security manuals
- are unclassified, hence available to anyone interested
- comprise the following:
- SECMAN 1
- Security Policy
- SECMAN 2
- Industrial Security
- SECMAN 3
- Information System Security
- SECMAN 4
- Protective Security
- SECMAN 5
- Personnel Security
- SECMAN 6
- Project Security
- SECMAN 7
- Facility Security (Security Design and Construction Guidelines)
- provide checklists and procedures to assist in implementing security in
various situations
- SECMAN 3 is of most interest to us
- defines Protection for a Typical System against
Typical Threats to achieve an Acceptable Risk
- is in two parts:
- part A: Introduction, Checklist, Guides
- part B: Policy, Standards
- is concerned with all the following security aspects:
- Personnel, Environment, Management
- Hardware, Software, Media, Networking
- Communications, TEMPEST, Cabling
- can negotiate concessions
- eg may be possible to use a lower certified system than recommended in
return for higher physical site security
- system has to be certified by appropriate authority, which depends on
level of information being handled
[1] follow with Ward, MInfSci 91 thesis - Fig 7 p39
[2] follow with Ward, MInfSci 91 thesis - Table 3 p41
Lawrie.Brown@adfa.oz.au / 31-May-96