Inside the Orange Book
SYCS 653 Fall 2010
Lecture 12 Notes
Wayne Patterson
Orange Book
If you’re at all interested in computer
security, you’ll need to know something
about the Orange Book. As more
organizations become security-conscious,
as more vendors develop secure systems
and products, and as more government
requisitions stipulate that equipment
purchases be tied to Orange Book
certification, there’s more of a need to
understand the Orange Book.
References
 References: The entire series of publications on
computer security standards known as the
“Rainbow Series Library” is on the web, through
the National Computer Security Center (NCSC).
The URL for the entire series is:
 http://www.radium.ncsc.mil/tpep/library/rainbow/
 and in particular for the Orange Book (available
also in text, PostScript, or PDF format):
 http://www.radium.ncsc.mil/tpep/library/rainbow/
5200.28-STD.html
Rainbow Series Library
 Rainbow Series Library
 Document Format Information
 5200.28-STD
 DoD Trusted Computer System Evaluation Criteria, 26 December 1985
(Supercedes CSC-STD-001-83, dtd 15 Aug 83). (Orange Book)
 CSC-STD-002-85
 DoD Password Management Guideline, 12 April 1985. (Green Book)
 CSC-STD-003-85
 Computer Security Requirements -- Guidance for Applying the DoD
TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)
 CSC-STD-004-85
 Technical Rational Behind CSC-STD-003-85: Computer Security
Requirements -- Guidance for Applying the DoD TCSEC in Specific
Environments, 25 June 1985. (Yellow Book)
Rainbow Series Library
 NTISSAM COMPUSEC/1-87
 Advisory Memorandum on Office Automation Security
Guidelines
 NCSC-TG-001 Ver. 2
 A Guide to Understanding Audit in Trusted Systems 1 June
1988, Version 2. (Tan Book)
 NCSC-TG-002
 Trusted Product Evaluations - A Guide for Vendors, 22 June
1990. (Bright Blue Book)
see also TPEP Procedures which superceedes parts of this
document.
 NCSC-TG-003
 A Guide to Understanding Discretionary Access Control in
Trusted Systems, 30 September 1987. (Neon Orange Book)
Rainbow Series Library
 NCSC-TG-004
 Glossary of Computer Security Terms, 21 October 1988. (Teal
Green Book) (NCSC-WA-001-85 is obsolete)
 NCSC-TG-005
 Trusted Network Interpretation of the TCSEC (TNI), 31 July
1987. (Red Book)
 NCSC-TG-006
 A Guide to Understanding Configuration Management in Trusted
Systems, 28 March 1988. (Amber Book)
 NCSC-TG-007
 A Guide to Understanding Design Documentation in Trusted
Systems, 6 October 1988. (Burgundy Book)
see also Process Guidelines for Design Documentation which
may supercede parts of this document.
Rainbow Series Library
 NCSC-TG-008
 A Guide to Understanding Trusted Distribution in Trusted
Systems 15 December 1988. (Dark Lavender Book)
 NCSC-TG-009
 Computer Security Subsystem Interpretation of the TCSEC 16
September 1988. (Venice Blue Book)
 NCSC-TG-010
 A Guide to Understanding Security Modeling in Trusted
Systems, October 1992. (Aqua Book)
 NCSC-TG-011
 Trusted Network Interpretation Environments Guideline Guidance for Applying the TNI, 1 August 1990. (Red Book)
 NCSC-TG-013 Ver.2
 RAMP Program Document, 1 March 1995, Version 2 (Pink Book)
Rainbow Series Library
 NCSC-TG-014
 Guidelines for Formal Verification Systems, 1 April 1989. (Purple Book)
 NCSC-TG-015
 A Guide to Understanding Trusted Facility Management, 18 October
1989 (Brown Book)
 NCSC-TG-016
 Guidelines for Writing Trusted Facility Manuals, October 1992. (YellowGreen Book)
 NCSC-TG-017
 A Guide to Understanding Identification and Authentication in Trusted
Systems, September 1991. (Light Blue Book)
 NCSC-TG-018
 A Guide to Understanding Object Reuse in Trusted Systems, July 1992.
(Light Blue Book)
Rainbow Series Library
 NCSC-TG-019 Ver. 2
 Trusted Product Evaluation Questionaire, 2 May 1992, Version 2. (Blue
Book)
 NCSC-TG-020-A
 Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access
Control List Features for the UNIX® System, 7 July 1989. (Silver Book)
 NCSC-TG-021
 Trusted Database Management System Interpretation of the TCSEC
(TDI), April 1991. (Purple Book)
 NCSC-TG-022
 A Guide to Understanding Trusted Recovery in Trusted Systems, 30
December 1991. (Yellow Book)
 NCSC-TG-023
 A Guide to Understanding Security Testing and Test Documentation in
Trusted Systems (Bright Orange Book)
see also Process Guidelines for Test Documentation which may
supercede parts of this document.
Rainbow Series Library
 NCSC-TG-024 Vol. 1/4
 A Guide to Procurement of Trusted Systems: An Introduction to Procurement
Initiators on Computer Security Requirements, December 1992. (Purple Book)
 NCSC-TG-024 Vol. 2/4
 A Guide to Procurement of Trusted Systems: Language for RFP Specifications
and Statements of Work - An Aid to Procurement Initiators, 30 June 1993.
(Purple Book)
 NCSC-TG-024 Vol. 3/4
 A Guide to Procurement of Trusted Systems: Computer Security Contract Data
Requirements List and Data Item Description Tutorial, 28 February 1994. (Purple
Book)
 NCSC-TG-024 Vol. 4/4
 A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's
Proposal Document - An Aid to Procurement Initiators and Contractors (Purple
Book) (publication TBA)
 NCSC-TG-025 Ver. 2
 A Guide to Understanding Data Remanence in Automated Information Systems,
September 1991, Version 2, (Supercedes CSC-STD-005-85). (Forest Green
Book)
Rainbow Series Library
 NCSC-TG-026
 A Guide to Writing the Security Features User's Guide for Trusted
Systems, September 1991. (Hot Peach Book)
 NCSC-TG-027
 A Guide to Understanding Information System Security Officer
Responsibilities for Automated Information Systems, May 1992.
(Turquoise Book)
 NCSC-TG-028
 Assessing Controlled Access Protection, 25 May 1992. (Violet Book)
 NCSC-TG-029
 Introduction to Certification and Accreditation Concepts, January 1994.
(Blue Book)
 NCSC-TG-030
 A Guide to Understanding Covert Channel Analysis of Trusted Systems,
November 1993. (Light Pink Book)
Rainbow Series Library
 Other NCSC Publications
 C1 Technical Report 001
 Technical Report, Computer Viruses: Prevention, Detection, and
Treatment, 12 March 1990
 C Technical Report 79-91
 Technical Report, Integrity in Automated Information Systems,
September 1991.
 C Technical Report 32-92
 The Design and Evaluation of INFOSEC systems: The Computer
Security Contribution to the Composition Discussion, June 1992.
 C Technical Report 111-91
 Integrity-Oriented Control Objectives: Proposed Revisions to the
TCSEC, October 1991.
Rainbow Series Library
 NCSC Technical Report 002
Use of the TCSEC for Complex, Evolving, Mulitpolicy
Systems
 NCSC Technical Report 003
Turning Multiple Evaluated Products Into Trusted
Systems
 NCSC Technical Report 004
A Guide to Procurement of Single Connected Systems Language for RFP Specifications and Statements of
Work - An Aid to Procurement Initiators - Includes
Complex, Evolving, and Multipolicy Systems
Rainbow Series Library
 NCSC Technical Report 005 Volume 1/5
 Inference and Aggregation Issues In Secure Database
Management Systems
 NCSC Technical Report 005 Volume 2/5
 Entity and Referential Integrity Issues In Multilevel Secure
Database Management
 NCSC Technical Report 005 Volume 3/5
 Polyinstantiation Issues In Multilevel Secure Database
Management Systems
 NCSC Technical Report 005 Volume 4/5
 Auditing Issues In Secure Database Management Systems
 NCSC Technical Report 005 Volume 5/5
 Discretionary Access Control Issues In High Assurance Secure
Database Management Systems
Four Divisions
The Orange Book defines four broad
hierarchical divisions of security
protection. In increasing order of trust,
they are:

D Minimal security
C Discretionary protection
B Mandatory protection
A Verified protection
Numbered Classes
Each division consists of one or more
numbered classes, with higher numbers
indicating a higher degree of security. For
example, division C contains two distinct
classes (C2 offers more security than C1);
division B contains three classes ( B3 > B2
> B1 ); division A currently contains only
one class.
Criteria
Each class is defined by a specific set of
criteria that a system must be awarded a
rating in that class. The criteria fall into
four general categories: security policy,
accountability, assurance, and
documentation.
Measurement
 The evaluation criteria for the Orange Book were
developed with three basic objectives:
 Measurement: To provide users with a metric
with which to assess the degree of trust that can
be placed in computer systems for the secure
processing of classified or other sensitive
information. For example, a user can rely on a
B2 system to be “more secure” than a C2
system.
Guidance
Guidance: To provide guidance to
manufacturers as to what to build into their
trusted commercial products to satisfy
trust requirements for sensitive
applications.
Acquisition
 Acquisition: To provide a basis for specifying
security requirements in acquisition
specifications. Rather than specifying a hodgepodge of security requirements, and having
vendors respond in piecemeal fashion, the
Orange Book provides a clear way of specifying
a coordinated set of security functions. A
customer can be confident that the system he or
she acquires has already been checked out for
the needed degree of security.
What’s a Trusted System?
The Orange Book defines it as:
A system that employs sufficient hardware
and software integrity measures to allow
its use for processing simultaneously a
range of sensitive or classified information.
Measuring Trust
How does the Orange Book measure
trust? The book approaches security from
two perspectives:
Security Policy
 A security policy states the rules enforced by a
system’s security features; e.g. the rules
governing whether a particular user is allowed to
access a particular piece of information.
Obviously, there are more security features in a
highly secure system (B1 or higher) than in a
less secure system (say, C1 or C2), although at
the highest levels there are actually few
differences in security features. Instead there is
more “assurance.”
Assurance
 Assurance is the trust that can be placed in a
system, and the trusted ways the system can be
proven to have been developed, tested,
documented, maintained and delivered to a
customer. At the higher levels of security, there
are few changes in security features, but a
definite increase in the degree of assurance a
user can place in the system’s architecture and
security policies.
Assurance
 As the Orange Book puts it, assurance “begins [at the
lowest class] with an operable access control
mechanism and ends [at the highest class] with a
mechanism that a clever and determined user cannot
circumvent.”In the lower classes (C1, C2, B1) assurance
of correct and complete design and implementation is
gained mostly through testing of the security-relevant
portions of the system. In the higher classes (B2, B3,
and A1), assurance is derived more from system design
and implementation and, at the highest level (A1 only)
from formal verification tools. Assurance is described in
detail later in this lecture.
Trusted Computing Base
The concept of the trusted computing base
(TCB) is central to the notion of a trusted
system. The Orange Book uses the term
TCB to refer to the mechanisms that
enforce security in a system. The book
defines the TCB as follows:
Trusted Computing Base
 The totality of protection mechanisms within a
computer system -- including hardware,
firmware, and software -- the combination of
which is responsible for enforcing a security
policy. A TCB consists of one or more
components that together enforce a unified
security policy over a product or system. The
ability of a trusted computing base to correctly
enforce a security policy depends solely on the
mechanisms within the TCB and on the correct
input by system administrative personnel of
parameters (e.g., a user's clearance) related to
the security policy.
Defining the TCB
Not every part of an operating system
needs to be trusted. An important part of
an evaluation of a computer system is to
identify the architecture, assurance
mechanisms, and security features that
comprise the TCB, and to show how the
TCB is protected from interference and
tampering.
Reference Monitor
 A “reference monitor” is a concept that “enforces the
authorized access relationships between subjects and
objects of a system.” James Anderson, the developer of
this concept, lists three design requirements that must
be met by a reference monitor mechanism:
 Isolation: the reference monitor must be tamperproof.
 Completeness: the reference monitor must be invoked
for every access decision, and must be impossible to
bypass.
 Verifiability: the reference monitor must be small enough
to be able to be analyzed and tested, and it must be
possible to ensure that the testing is complete.
Security Policy
 A security policy is the set of rules and practices
that regulate how an organization manages,
protects, and distributes sensitive information. A
security policy is typically stated in terms of
subjects and objects. A subject is something
active in the system; examples are users,
processes, and programs. An object is
something that a subject acts upon; examples of
objects are files, directories, devices, sockets,
and windows.
Security Policy
The Orange Book defines a security policy
as follows:
The set of laws, rules, and practices that
regulate how an organization manages,
protects, and distributes sensitive
information.
Policy --- Informal or Formal
At the lower levels of trust (C1, C2, B1) an
informally stated policy is acceptable. At
the higher levels of trust (B2, B3, A1), a
formally stated, mathematically precise
policy is required.
Security Model
 A security model expresses a system’s security
requirements precisely and without confusion.
 The Orange Book criteria are based on the
state-machine model developed by David Bell
and Leonard LaPadula in 1973. This is the first
mathematical model of a multi-level secure
computer system. The Orange Book describes
the Bell-LaPadula model as follows:
Bell-LaPadula
 A formal state transition model of computer security policy that
describes a set of access control rules. In this formal model, the
entities in a computer system are divided into abstract sets of
subjects and objects. The notion of a secure state is defined and it
is proven that each state transition preserves security by moving
from secure state to secure state; thus, inductively proving that the
system is secure. A system state is defined to be "secure" if the
only permitted access modes of subjects to objects are in
accordance with a specific security policy. In order to determine
whether or not a specific access mode is allowed, the clearance of a
subject is compared to the classification of the object and a
determination is made as to whether the subject is authorized for the
specific access mode. The clearance/classification scheme is
expressed in terms of a lattice.
Security Kernel
A security kernel, a concept developed by
Roger Schell in 1972 (or was it a security
shell developed by Colonel Rogers?) is
the operating system mechanism that
actually implements the reference monitor
concept. The security kernel is the heart of
the TCB --- the resource in the computing
system that supervises all system activity
in according with the system’s security
policy.
Simplicity
Simplicity is a very important characteristic
of the TCB. As the Orange Book puts it,
“the TCB should be as simple as possible,
consistent with the functions it has to
perform.”
Security Perimeter
The security kernel, as well as other
security-related system functions, lies
within the imaginary boundary of the TCB
known as the security perimeter. In highly
trusted systems, the TCB must be
designed and implemented in such a way
that system elements included in it are
designed to perform security functions,
while those elements excluded from the
TCB need not be trusted.
Orange Book Evaluation Classes
Class, Name, Examples
D: Minimal security
None. Reserved for systems that are submitted
to evaluation but fail. Basic operating systems
for personal computers such as Windows, Mac,
and MS-DOS would probably fall into this
category if they were evaluated.
C1
C1: Discretionary security protection
IBM: MVS/RACFAlthough ordinary UNIX
systems have not been submitted for formal
evaluation, many people feel that such systems
would get a C1.
C2
C2: Controlled access protection
Computer Associates International: ACF2/MVS
DEC: VAX/VMS 4.5
Gould: UTX/32SHewlett-Packard MPE V/E
Wang Labs: SVS/OS CAP 1.0
B1
B1: Labeled security protection
AT&T: System V/MLS
IBM: MVS/ESA
SecureWare: CMW+
UNISYS: OS 1100
B2
B2: Structured protection
Honeywell Information Systems: Multics
Trusted Information Systems: Trusted XENIX
B3
B3: Security domains
Honeywell Federal Systems: XTS-200
A1
A1: Verified design
Honeywell Information Systems: SCOMP
Boeing Aerospace: SNS
Complaints About the Orange Book
 Here are some of the main claims about the inadequacies of Orange:
 The Orange Book model works only in a government classified
environment, and the higher levels of security aren’t appropriate for the
protection of commercial data, where data integrity is the chief concern.

 The Orange Book focuses on only one aspect of security --- secrecy --while paying little attention to the principles of accuracy, availability, and
authenticity.
 The Orange Book emphasizes protection from unauthorized access, while
most security attacks actually involve insiders.
 The Orange Book doesn’t address networking issues. (But the Red Book
does.)
 The Orange Book contains a relatively small number of security ratings. A
system that offers a subset of Orange Book security features, plus some
very strong features in other areas not addressed by the Orange Book (for
example, integrity) wouldn’t fit into any of the current ratings.
C1
Discretionary Access Control
C2
B1
B2
B3
A1
SP
Object Reuse
Labels
Label Integrity
Exportation of Labeled Information
Exportation of Multilevel Devices
Exportation of Single-Level Devices
Labeling Human-Readable Output
Mandatory Access Control
Subject Sensitivity Labels
Device Labels
Identification and Authentication
AC
The Rainbow Series and Other
Sources
The government has produced a number
of other volumes interpreting Orange Book
requirements. These are known
collectively as the Rainbow Series, since
each has a different cover color.
Colors of the Rainbow
 These include:
 Red Book
 Trusted Network Interpretation
 Lavender Book
 Trusted Data Base Management System Interpretation
 Green Book
 Password Management Guideline
 Tan Book
 Guide to Understanding Audit in Trusted Systems
 Purple Book
 Guidelines for Formal Verification Systems
 Burgundy Book
 Guide to Understanding Design Documentation in Trusted Systems