Orange Book

Orange Book - summary
The Orange Book, formally DoD 5200.28-STD (the Trusted Computer System Evaluation Criteria, TCSEC), was canceled by DoDD 8500.1 in 2002.
Policy
The security policy must be explicit, well-defined and enforced by the computer system.
There are two basic security policies:

Mandatory Security Policy - Enforces access control rules based directly on an
individual's clearance, authorization for the information and the confidentiality level
of the information being sought. Other indirect factors are physical and environmental.
This policy must also accurately reflect the laws, general policies and other relevant
guidance from which the rules are derived. Mandatory rules are enforced by the system on
the basis of labels and cannot be relaxed by the owner of an object.
Marking - Systems designed to enforce a mandatory security policy must store and
preserve the integrity of access control labels and retain the labels if the object is
exported.
Discretionary Security Policy - Enforces a consistent set of rules for controlling and
limiting access based on identified individuals who have been determined to have a
need-to-know for the information. Discretionary rules are set by the owner of the
information, so a subject that passes a discretionary check may still be refused by the
mandatory policy; the two are applied together, never as alternatives.
Accountability
Individual accountability must be enforced regardless of which policy applies. A secure
means must exist for an authorized and competent agent to access the accountability
information and evaluate it within a reasonable amount of time and without undue difficulty.
There are three requirements under the accountability objective:

Identification - The process used to recognize an individual user.
Authentication - The verification that the identified user is who they claim to be, and
hence of that user's authorization to specific categories of information.
Auditing - Audit information must be selectively kept and protected so that actions
affecting security can be traced to the authenticated individual. Audit records therefore
have to be bound to the authenticated user, not to a shared account or a process name.
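The mandatory and discretionary policies, the marking rule and the three accountability requirements above, as one added example that is not part of the Orange Book or of any evaluated system: a toy reference monitor in Python. The level names, user names, passwords and file names are assumptions made for the demonstration, and the dominance check follows the Bell-LaPadula "no read up, no write down" rules that TCSEC labels are modelled on.

```python
# Added example (not from the TCSEC or any evaluated product): a toy reference
# monitor with mandatory labels, discretionary ACLs, labeled export and an audit
# trail bound to the authenticated user. Level and user names are assumptions.
import hashlib, hmac, os
from dataclasses import dataclass
from typing import FrozenSet, Optional

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: an ordered level plus need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass
class Obj:
    name: str
    label: Label          # mandatory label, stored with the object
    acl: dict             # discretionary ACL: user -> {"read", "write"}
    data: bytes = b""

def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in password hash; any slow, salted KDF would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class ReferenceMonitor:
    """Mediates every access: MAC first, then DAC, then an audit record."""

    def __init__(self) -> None:
        self.users = {}     # name -> (salt, password hash, clearance Label)
        self.sessions = {}  # session token -> authenticated user name
        self.audit = []     # (user, op, object, allowed, reason) tuples

    def add_user(self, name: str, password: str, clearance: Label) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt), clearance)

    def login(self, name: str, password: str) -> Optional[int]:
        """Identification (name) + authentication (password) -> session token."""
        rec = self.users.get(name)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        self.audit.append((name, "login", "-", ok, "ok" if ok else "bad credentials"))
        if not ok:
            return None
        token = len(self.sessions) + 1
        self.sessions[token] = name
        return token

    def access(self, token: int, op: str, obj: Obj) -> tuple:
        user = self.sessions.get(token)
        if user is None:
            return False, "no authenticated session"
        clearance = self.users[user][2]
        # Mandatory policy (Bell-LaPadula style): no read up, no write down.
        if op == "read" and not clearance.dominates(obj.label):
            reason = "MAC: clearance does not dominate object label"
        elif op == "write" and not obj.label.dominates(clearance):
            reason = "MAC: write down would leak to a lower label"
        # Discretionary policy: the owner-managed ACL must also grant the op.
        elif op not in obj.acl.get(user, set()):
            reason = "DAC: user not on ACL for this operation"
        else:
            reason = "granted"
        allowed = reason == "granted"
        self.audit.append((user, op, obj.name, allowed, reason))  # traceable to user
        return allowed, reason

    def export(self, token: int, obj: Obj) -> Optional[tuple]:
        """Marking: data that leaves the system carries its label with it."""
        allowed, _ = self.access(token, "read", obj)
        return (obj.label, obj.data) if allowed else None

def demo() -> dict:
    """Constructed scenario: users, passwords and file names are made up."""
    rm = ReferenceMonitor()
    secret = Label("SECRET", frozenset({"NUKE"}))
    rm.add_user("alice", "correct horse", secret)
    rm.add_user("bob", "battery staple", Label("UNCLASSIFIED"))
    plan = Obj("plan.txt", secret, {"alice": {"read", "write"}, "bob": {"read"}}, b"...")
    notice = Obj("notice.txt", Label("UNCLASSIFIED"), {"alice": {"read", "write"}}, b"hi")
    a, b = rm.login("alice", "correct horse"), rm.login("bob", "battery staple")
    return {
        "bad_password": rm.login("bob", "wrong"),
        "alice_reads_plan": rm.access(a, "read", plan)[0],
        "bob_reads_plan": rm.access(b, "read", plan)[0],          # on ACL, MAC denies
        "alice_writes_notice": rm.access(a, "write", notice)[0],  # write down denied
        "alice_reads_notice": rm.access(a, "read", notice)[0],
        "export": rm.export(a, plan),
        "audit_users": [r[0] for r in rm.audit],
    }
```

Note the order of the checks: the mandatory test runs before the discretionary one, so bob, who is on the ACL for plan.txt, is still refused because his clearance does not dominate the label, and alice cannot write to the unclassified notice even though she owns write permission on it. The export returns the label together with the data, which is the marking requirement, and every decision including the failed login is recorded under the authenticated name rather than a session or process identifier.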
Assurance
The computer system must contain hardware/software mechanisms that can be independently
evaluated to provide sufficient assurance that the system enforces the above requirements. By
extension, assurance must include a guarantee that the trusted portion of the system works
only as intended. To accomplish these objectives, two types of assurance are needed with
their respective elements:

Assurance Mechanisms
Operational Assurance: System Architecture, System Integrity, Covert Channel
Analysis, Trusted Facility Management and Trusted Recovery
Life-cycle Assurance: Security Testing, Design Specification and Verification,
Configuration Management and Trusted System Distribution

Continuous Protection Assurance - The trusted mechanisms that enforce these basic
requirements must be continuously protected against tampering and/or unauthorized
changes.
Documentation
Within each class there is an additional documentation set which addresses the development,
deployment and management of the system rather than its capabilities. This documentation
includes:

Security Features User's Guide, Trusted Facility Manual, Test Documentation and
Design Documentation
Divisions and classes
The TCSEC defines four divisions: D, C, B and A, where division A has the highest security.
Each division represents a significant difference in the trust an individual or organization can
place in the evaluated system. Additionally, divisions C, B and A are broken into a series of
hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
Each division and class expands or modifies as indicated the requirements of the immediately
prior division or class.
D — Minimal protection
o Reserved for those systems that have been evaluated but that fail to meet the
requirements for a higher division
C — Discretionary protection

C1 — Discretionary Security Protection
o Identification and authentication
o Separation of users and data
o Discretionary Access Control (DAC) capable of enforcing access limitations
on an individual basis
o Required System Documentation and user manuals
C2 — Controlled Access Protection
o More finely grained DAC
o Individual accountability through login procedures
o Audit trails
o Object reuse
o Resource isolation
B — Mandatory protection

B1 — Labeled Security Protection
o Informal statement of the security policy model
o Data sensitivity labels
o Mandatory Access Control (MAC) over selected subjects and objects
o Label exportation capabilities
o All discovered flaws must be removed or otherwise mitigated
o Design specifications and verification
B2 — Structured Protection
o Security policy model clearly defined and formally documented
o DAC and MAC enforcement extended to all subjects and objects
o Covert storage channels are analyzed for occurrence and bandwidth
o Carefully structured into protection-critical and non-protection-critical
elements
o Design and implementation enable more comprehensive testing and review
o Authentication mechanisms are strengthened
o Trusted facility management is provided with administrator and operator
segregation
o Strict configuration management controls are imposed
B3 — Security Domains
o Satisfies reference monitor requirements: the TCB mediates every access of a
subject to an object, is tamperproof, and is small enough to be analyzed and tested
o Structured to exclude code not essential to security policy enforcement
o Significant system engineering directed toward minimizing complexity
o Security administrator role defined
o Audit security-relevant events
o Automated imminent intrusion detection, notification, and response
o Trusted system recovery procedures
o Covert timing channels are analyzed for occurrence and bandwidth
o An example of such a system is the XTS-300
A — Verified protection

A1 — Verified Design
o Functionally identical to B3
o Formal design and verification techniques including a formal top-level
specification
o Formal management and distribution procedures
o An example of such a system is Honeywell's Secure Communications
Processor SCOMP, a precursor to the XTS-400
Beyond A1
o System Architecture demonstrates that the requirements of self-protection and
completeness for reference monitors have been implemented in the Trusted
Computing Base (TCB).
o Security Testing automatically generates test cases from the formal top-level
specification or formal lower-level specifications.
o Formal Specification and Verification: the TCB is verified down to the
source code level, using formal verification methods where feasible.
o Trusted Design Environment: the TCB is designed in a trusted facility
with only trusted (cleared) personnel.
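The covert storage channel analysis required at B2 (and, by the same reasoning, the timing channel analysis at B3), as an added example in Python that is not from the Orange Book or any evaluated system: a mandatory policy that denies every overt High-to-Low write still lets a High process signal a Low one through a system-wide lock whose busy/free state both can observe, and a per-level partition of that lock closes the channel. The process names, the lock and the clock tick are assumptions made for the simulation.

```python
# Added example (not from the TCSEC or any evaluated product): a simulated
# covert storage channel. MAC blocks the overt High -> Low write, but a shared
# lock's state is an object visible at both levels, so it carries one bit per
# tick. Partitioning the resource by level removes the shared state.
from typing import Tuple

LEVEL = {"LOW": 0, "HIGH": 1}

def mac_allows_write(subject_level: str, object_level: str) -> bool:
    """*-property: a subject may only write objects at or above its own level."""
    return LEVEL[object_level] >= LEVEL[subject_level]

class SharedLock:
    """One system-wide lock: its busy/free state is observable by every level."""
    def __init__(self) -> None:
        self.holder = None

    def acquire(self, level: str) -> bool:
        if self.holder is None:
            self.holder = level
            return True
        return False

    def release(self, level: str) -> None:
        if self.holder == level:
            self.holder = None

    def probe(self, level: str) -> bool:
        """Non-destructive test; True if the lock was free. This boolean is the leak."""
        if self.acquire(level):
            self.release(level)
            return True
        return False

class PartitionedLock(SharedLock):
    """Mitigation: one lock per level, so Low can never observe High's holding."""
    def __init__(self) -> None:
        self.pools = {lvl: SharedLock() for lvl in LEVEL}

    def acquire(self, level: str) -> bool:
        return self.pools[level].acquire(level)

    def release(self, level: str) -> None:
        self.pools[level].release(level)

def to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def run_channel(message: bytes, lock: SharedLock) -> Tuple[bytes, int]:
    """Lockstep simulation: each tick High modulates the lock, then Low probes it."""
    received, ticks = [], 0
    for bit in to_bits(message):
        # Sender (High): holding the lock encodes 1, leaving it free encodes 0.
        # Neither call writes a Low object, so the MAC check never fires.
        if bit:
            lock.acquire("HIGH")
        else:
            lock.release("HIGH")
        # Receiver (Low): a failed probe means High holds the lock, i.e. bit 1.
        received.append(0 if lock.probe("LOW") else 1)
        ticks += 1
    lock.release("HIGH")
    return from_bits(received), ticks

def channel_bandwidth(message: bytes, lock: SharedLock) -> float:
    """Bits per tick the channel demonstrably carries (0.0 if the message is lost)."""
    recovered, ticks = run_channel(message, lock)
    return len(to_bits(message)) / ticks if recovered == message else 0.0
```

The point of the analysis is the pair of numbers: with the shared lock the constructed message arrives intact at one bit per tick even though `mac_allows_write("HIGH", "LOW")` is false, and with the partitioned lock Low reads a constant stream and the bandwidth is zero. A timing channel differs only in the observable (how long an operation takes rather than whether it succeeds), which is why B3 extends the same analysis to timing.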