THE ORANGE BOOK
Ravi Sandhu
1
ORANGE BOOK CLASSES
HIGH SECURITY
A1 Verified Design
B3 Security Domains
B2 Structured Protection
B1 Labeled Security Protection
C2 Controlled Access Protection
C1 Discretionary Security Protection
D
Minimal Protection
NO SECURITY
2
ORANGE BOOK CRITERIA
SECURITY POLICY
ACCOUNTABILITY
ASSURANCE
DOCUMENTATION
3
SECURITY POLICY
Discretionary Access Control
Object Reuse
Labels
Label Integrity
Exportation of Labeled Information
Labeling Human-Readable Output
Mandatory Access Control
Subject Sensitivity Labels
Device Labels
C1
C2
B1
B2
B3
A1
+
0
0
0
0
0
0
0
0
+
+
0
0
0
0
0
0
0
nc
nc
+
+
+
+
+
0
0
nc
nc
+
nc
nc
nc
+
+
+
+
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
nc
0 no requirement
+ added requirement
nc no change
4
ACCOUNTABILITY
Identification and Authentication
Audit
Trusted Path
C1
C2
B1
B2
B3
A1
+
0
0
+
+
0
+
+
0
nc
+
+
nc
+
+
nc
nc
nc
0 no requirement
+ added requirement
nc no change
5
ASSURANCE
System Architecture
System Integrity
Security Testing
Design Specification and Verification
Covert Channel Analysis
Trusted Facility Management
Configuration Management
Trusted Recovery
Trusted Distribution
C1
C2
B1
B2
B3
A1
+
+
+
0
0
0
0
0
0
+
nc
+
0
0
0
0
0
0
+
nc
+
+
0
0
0
0
0
+
nc
+
+
+
+
+
0
0
+
nc
+
+
+
+
nc
+
0
nc
nc
+
+
+
nc
+
nc
+
0 no requirement
+ added requirement
nc no change
6
DOCUMENTATION
Security Features User's Guide
Trusted Facility Manual
Test Documentation
Design Documentation
C1
C2
B1
B2
B3
A1
+
+
+
+
nc
+
nc
nc
nc
+
nc
+
nc
+
+
+
nc
+
nc
+
nc
nc
+
+
0 no requirement
+ added requirement
nc no change
7
COVERT CHANNEL
ANALYSIS
B1
No requirement
B2
Covert storage channels
B3
Covert channels (i.e. storage
and timing channels)
A1
Formal methods
8
SYSTEM ARCHITECTURE
C1
C2
B1
B2
B3
A1
The TCB shall maintain a domain for its own
execution that protects it from tampering
The TCB shall isolate the resources to be
protected
The TCB shall maintain process isolation
The TCB shall be internally structured into
well-defined largely independent modules
The TCB shall incorporate significant use of
layering, abstraction and data hiding
No change
9
DESIGN SPECIFICATION
AND VERIFICATION
C2
B1
No requirement
Informal or formal model of the security policy
B2
Formal model of the security policy that is proven consistent
with its axioms
DTLS (descriptive top-level specification) of the TCB
A convincing argument shall be given that the DTLS is
consistent with the model
B3
A1
FTLS (formal top-level specification) of the TCB
A combination of formal and informal techniques shall be
used to show that the FTLS is consistent with the model
A convincing argument shall be given that the DTLS is
consistent with the model
10
ORANGE BOOK CLASSES
UNOFFICIAL VIEW
C1, C2
B1
B2
B3
A1
Simple enhancement of existing systems.
No breakage of applications
Relatively simple enhancement of existing
systems. Will break some applications.
Relatively major enhancement of existing
systems. Will break many applications.
Failed A1
Top down design and implementation of a
new system from scratch
11
NCSC RAINBOW SERIES
SELECTED TITLES
Orange
Trusted Computer System Evaluation Criteria
Yellow
Guidance for Applying the Orange Book
Red
Trusted Network Interpretation
Lavender
Trusted Database Interpretation
12
ORANGE BOOK
CRITICISMS
•
Mixes various levels of abstraction in a single
document
•
Does not address integrity of data
•
Combines functionality and assurance in a
single linear rating scale
13
•
functionality is multidimensional
•
assurance has a
linear progression
functionality
FUNCTIONALITY VS
ASSURANCE
B3 A1
B2
B1
C2
C1
assurance
14