home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Textfiles
/
coloredbooks
/
LavenderBookv2.sit.hqx
/
Lavender Book v2
Wrap
Text File
|
1997-11-17
|
268KB
|
7,159 lines
Trusted Database Management System Interpretation
Trusted Database Management System Interpretation
NCSC-TG-021
Library
No. S235,625
FOREWORD
The National Computer Security Center is issuing the Trusted Database
Management System Interpretation as part of the Technical Guidelines
Program, through which we produce the "Rainbow Series."
In the Rainbow Series, we discuss in detail the features of
the Trusted Computer System Evaluation Criteria (DoD 5200.28-STD)
and provide guidance for meeting each requirement. The National
Computer Security Center, through its Trusted Product Evaluation
Program, analyzes the security features of commercially produced
and supported computer systems. Together, these programs
ensure that organizations are capable of protecting their important
data with trusted computer systems.
The Trusted Database Management System Interpretation
extends the evaluation classes of the Trusted Computer System
Evaluation Criteria to trusted applications in general, and
database management systems in particular. It serves as an
adjunct to the Trusted Computer System Evaluation Criteria
by providing a technical context for the consideration of entire
systems constructed of parts and by presenting database-specific
interpretation of topics that require direct comment. Thus,
it is relevant to applications which support sharing of
computer services and resources, and which enforce access
control policies. More specifically, it provides insight into
the the design, implementation, evaluation, and accreditation
of database management systems.
This document will be used for at least one year after the
date of signature. During this period the NCSC will gain
experience using the Trusted Database Management Systems
Interpretation in several evaluations and continue to receive
comments on issues of technical accuracy, clarity of exposition,
and utility. After this trial period, necessary changes will
be made and a revised version issued.
PATRICK R. GALLAGHER, JR.
April 1991
Director National Computer Security Center
ACKNOWLEDGMENTS
This document represents the combined effort of participants
from the research community, industry, and government working
over several years. Three major drafts and numerous intermediary
versions were produced, reviewed, and commented upon. To
name all the contributors would be impossible. To single out
a few would be to slight a host of others who gave unstintingly
of their time and talent. To all those who contributed to
the development and refinement of the fundamental concepts,
contributed to the development of the several predecessor
versions, and who contributed valuable personal time and invaluable
experience in reviewing and commenting on the previous versions,
thanks is extended.
TABLE OF CONTENTS
FOREWORD i
ACKNOWLEDGMENTS iii
INTRODUCTION 1
HISTORICAL PERSPECTIVE 1
SCOPE 2
PURPOSE 2
STRUCTURE OF THE DOCUMENT 4
PART 1 TECHNICAL CONTEXT 7
TC-1 INTRODUCTION 9
TC-2 REFERENCE MONITOR PERSPECTIVE 10
TC-3 NEED FOR EVALUATION BY PARTS 11
TC-4 TCB SUBSETS 11
TC-4.1 INTRODUCTION 12
TC-4.2 TCB SUBSETS CONTEXT 13
TC-4.2.1 DEFINITION OF TCB SUBSETS 13
TC-4.2.2 MOTIVATION 13
TC-4.3 CONDITIONS FOR EVALUATION BY PARTS
14
TC-4.3.1 CANDIDATE TCB SUBSETS 14
TC-4.3.2 POLICY ALLOCATION 15
TC-4.3.3 TRUSTED SUBJECTS INCLUDED 15
TC-4.3.4 TCB SUBSET STRUCTURE 15
TC-4.3.5 SEPARATE SUBSET-DOMAINS 16
TC-4.3.6 SUPPORT FOR RVM ARGUMENTS 16
TC-4.4 EVALUATION ALTERNATIVES 17
TC-5 GENERAL INTERPRETED REQUIREMENTS 18
TC-5.1 OVERVIEW 18
TC-5.2 DETAILED REQUIREMENTS 18
TC-5.2.1 SECURITY POLICY 18
TC-5.2.1.1 Discretionary Access Control 18
TC-5.2.1.2 Object Reuse 18
TC-5.2.1.3 Labels 19
TC-5.2.1.4 Mandatory Access Control 20
TC-5.2.2 ACCOUNTABILITY 20
TC-5.2.2.1 Identification and Authentication
20
TC-5.2.2.2 Audit 21
TC-5.2.3 ASSURANCE 22
TC-5.2.3.1 Operational Assurance 22
TC-5.2.3.2 Life-Cycle Assurance 23
TC-5.2.4 DOCUMENTATION 24
TC-5.2.4.1 Security Features User's Guide
24
TC-5.2.4.2 Trusted Facility Manual 25
TC-5.2.4.3 Test Documentation 26
TC-5.2.4.4 Design Documentation 26
TC-5.3 SUMMARY OF THE REQUIREMENTS 26
TC-5.3.1 LOCAL REQUIREMENTS 26
TC-5.3.2 GLOBAL REQUIREMENTS 27
TC-6 DESIGN CHOICES 28
TC-6.1 OVERVIEW 28
TC-6.2 A SINGLE TCB SUBSET 28
TC-6.2.1 ANALYSIS OF THE CONDITIONS 28
TC-6.2.1.1 Condition 1: Candidate TCB Subsets
28
TC-6.2.1.2 Condition 2: Policy Allocation
29
TC-6.2.1.3 Condition 3: Trusted Subjects Included 29
TC-6.2.1.4 Condition 4: TCB Subset Structure
29
TC-6.2.1.5 Condition 5: Separate Subset-Domains
29
TC-6.2.1.6 Condition 6: Support for RVM Arguments 29
TC-6.2.2 EVALUATION CONSEQUENCES 29
TC-6.3 TWO TCB SUBSETS,MEETING THE CONDITIONS
30
TC-6.3.1 ANALYSIS OF THE CONDITIONS 30
TC-6.3.1.1 Condition 1: Candidate TCB Subsets
30
TC-6.3.1.2 Condition 2: Policy Allocation
31
TC-6.3.1.3 Condition 3: Trusted Subjects Included 31
TC-6.3.1.4 Condition 4: TCB Subset Structure
31
TC-6.3.1.5 Condition 5: Separate Subset-Domains
31
TC-6.3.1.6 Condition 6: Support for RVM Arguments 31
TC-6.3.2 EVALUATION CONSEQUENCES 32
TC-6.4 TWO TCB SUBSETS, NOT MEETING THE CONDITIONS 33
TC-6.4.1 ANALYSIS OF THE CONDITIONS 34
TC-6.4.1.1 Condition 1: Candidate TCB Subsets
34
TC-6.4.1.2 Condition 2: Policy Allocation
34
TC-6.4.1.3 Condition 3: Trusted Subjects Included 34
TC-6.4.1.4 Condition 4: TCB Subset Structure
35
TC-6.4.1.5 Condition 5: Separate Subset-Domains
35
TC-6.4.1.6 Condition 6: Support for RVM Arguments 35
TC-6.4.2 EVALUATION CONSEQUENCES 35
TC-6.5 SUMMARY 36
PART 2 INTERPRETED REQUIREMENTS 37
IR-1 OVERVIEW AND CONTEXT 39
IR-2 SUMMARY OF THE INTERPRETATIONS 39
IR-2.1 SECURITY POLICY 39
IR-2.1.1 DISCRETIONARY ACCESS CONTROL 39
IR-2.1.2 OBJECT REUSE 40
IR-2.1.3 LABELS 40
IR-2.1.4 MANDATORY ACCESS CONTROL 40
IR-2.2 ACCOUNTABILITY 40
IR-2.2.1 IDENTIFICATION AND AUTHENTICATION
40
IR-2.2.2 AUDIT 40
IR-2.3 ASSURANCE 40
IR-2.3.1 OPERATIONAL ASSURANCE 40
IR-2.3.1.1 System Architecture 40
IR-2.3.1.2 System Integrity 40
IR-2.3.1.3 Covert Channel Analysis 41
IR-2.3.1.4 Trusted Facility Management 41
IR-2.3.1.5 Trusted Recovery 41
IR-2.3.2 LIFE CYCLE ASSURANCE 41
IR-2.3.2.1 Security Testing 41
IR-2.3.2.2 Design Specification and Verification 41
IR-2.3.2.3 Configuration Management 41
IR-2.3.2.4 Trusted Distribution 41
IR-2.4 DOCUMENTATION 42
IR-2.4.1 SECURITY FEATURES USER'S GUIDE 42
IR-2.4.2 TRUSTED FACILITY MANUAL 42
IR-2.4.3 TEST DOCUMENTATION 42
IR-2.4.4 DESIGN DOCUMENTATION 42
IR-3 LABELS 42
IR-3.1 GENERAL DISCUSSION 42
IR-3.2 SPECIFIC INTERPRETATIONS 43
IR-4 AUDIT 44
IR-4.1 GENERAL DISCUSSION 44
IR-4.2 SPECIFIC INTERPRETATIONS 45
IR-5 SYSTEM ARCHITECTURE 47
IR-5.1 GENERAL DISCUSSION 47
IR-5.2 SPECIFIC INTERPRETATIONS 47
IR-6 DESIGN SPECIFICATION AND VERIFICATION
48
IR-6.1 GENERAL DISCUSSION 48
IR-6.2 SPECIFIC INTERPRETATIONS 52
IR-7 DESIGN DOCUMENTATION 55
IR-7.1 GENERAL DISCUSSION 55
IR-7.2 SPECIFIC INTERPRETATIONS 56
APPENDIX A 59
CLASS (C1): 62
C1-1 SECURITY POLICY 62
C1-2 ACCOUNTABILITY 62
C1-3 ASSURANCE 62
C1-4 DOCUMENTATION 63
CLASS (C2): 66
C2-1 SECURITY POLICY 66
C2-2 ACCOUNTABILITY 66
C2-3 ASSURANCE 67
C2-4 DOCUMENTATION 68
CLASS (B1): 70
B1-1 SECURITY POLICY 70
B1-2 ACCOUNTABILITY 71
B1-3 ASSURANCE 73
B1-4 DOCUMENTATION 74
CLASS (B2): 77
B2-1 SECURITY POLICY 77
B2-2 ACCOUNTABILITY 79
B2-3 ASSURANCE 81
B2-4 DOCUMENTATION 85
CLASS (B3): 89
B3-1 SECURITY POLICY 89
B3-2 ACCOUNTABILITY 91
B3-3 ASSURANCE 93
B3-4 DOCUMENTATION 98
CLASS (A1): 102
A1-1 SECURITY POLICY 102
A1-2 ACCOUNTABILITY 104
A1-3 ASSURANCE 106
A1-4 DOCUMENTATION 112
APPENDIX B 117
1. PERSPECTIVE ON ASSURANCE 119
2. PROCUREMENT OPTIONS 120
3. ALTERATION OF PREVIOUSLY EVALUATED TCB
122
4. SATISFYING RVM REQUIREMENTS 125
5. SUBSET DEPENDENCY 127
6. TAMPER RESISTANCE ARGUMENTS 131
7. RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS
132
8 CONTENT-DEPENDENT AND CONTEXT-DEPENDENT
ACCESS CONTROL 136
9. BULK LOADING OF A DATABASE 137
10. LOCAL ANALYSIS IN SYSTEM ASSESSMENT
137
11. RATING MORE COMPLEX SYSTEMS 139
GLOSSARY 141
BIBLIOGRAPHY 145
INTRODUCTION
HISTORICAL PERSPECTIVE
The Department of Defense Trusted Computer System Evaluation
Criteria (TCSEC), published in 1983 as CSC-STD-001-83, consolidates
knowledge about the degree of trust one can place in a computer
system to protect sensitive information and organizes this knowledge
into usable criteria for system evaluation. The TCSEC was republished
as a DoD standard, DoD-5200.28-STD, in December 1985 to provide
a means of evaluating specific security features and assurances
available in "trusted, commercially available automatic data
processing system The TCSEC's rating scale extends from
a minimal to a high level of trust with advanced security features
and sophisticated assurance measures. Specific criteria
determine each rating level and guide system builders and evaluators
in determining the level of trust provided by specific systems.
When the rating levels are combined with environmental guidelines
and minimum security protection requirements, accreditation decisions
for specific installations can be made.
The philosophy of protection embodied in the TCSEC requires
that the access of subjects (i.e., processes in a domain)
to objects (i.e., containers of information) be mediated in accordance
with an explicit and well-defined security policy. At the
higher criteria classes, the "reference monitor concept"
[1] is an essential part of the system and the security policy
is modeled. There are several security policy models that
represent the desired behavior of a reference monitor.
The Bell-La Padula model [4-6] and its Multics interpretation
[3] are commonly used, but not mandated.
The computer security research and development that
underpin the TCSEC began in the late 1960s and concentrated
on secure operating systems. By the early 1970s initial worked
examples had provided a substantial amount of information about
building trust into operating systems. Research continued throughout
the 1970s to refine mechanisms, features, and assurances
needed to provide trusted operating systems.
Multilevel database management security received far less
research and development attention than did secure operating
systems. This was primarily due to the perception that
one could not credibly implement a multilevel secure database
management system (DBMS) on top of an untrusted operating system
base. However, some research in multilevel secure DBMSs
(mostly theoretical) was conducted during the 1970s [15-16],
and research has continued to the present [9-14, 17-19,
22, 25-28]. By the mid 1980s, commercially developed, trusted
operating systems were becoming available that could provide
the basis for hosting secure applications such as multilevel
secure DBMSs.
In June 1986, the National Computer Security Center (NCSC)
initiated its efforts to address the
evaluation of trusted database management systems with an Invitational
Workshop in Baltimore, Maryland. Representatives from the
research, commercial, and government communities met to address
issues of database management security. The met to discuss aspects
of trust (defined by the that were sufficiently well defined
and capable producing repeatable and objective assessments.
The NCSC invited issue papers and prepared a agenda. The
issue papers and the subcommittee summaries were published
as the Proceedings of the National Computer Security Center
Invitational Workshop on Database Security [20].
As an outgrowth of this workshop, the NCSC undertook the task
of preparing this Trusted Database Management System Interpretation
(TDI) of the TCSEC to focus on the special problems posed
by DBMSs. A working group was assembled to draft this Interpretation.
Three drafts were produced, with extensive community review and
public discussion. This Interpretation is the result of the
interaction within the general computer security and database
management communities.
SCOPE
The interpretations in this document are intended to be
used in conjunction with the TCSEC itself; they apply to
application-oriented software systems in general, and database
management systems (DBMSs) in particular. Although the interpretations,
as noted, are general enough to apply to any software system
which supports sharing and needs to enforce access control
(e.g., transaction processing systems, electronic mail systems),
in the interest of simplicity, the discussion, and thus
the terminology, will be directed toward DBMSs.
The interpretations are intended to be applied primarily
to commercially developed trusted DBMSs, but can also be
applied to the evaluation of existing non-commercial DBMSs
and to the specification of security requirements for DBMS acquisitions.
PURPOSE
This Interpretation of the TCSEC has been prepared for the
following purposes:
To provide a standard to manufacturers for security features
to build into their new and planned commercial products in order
to provide widely available systems that satisfy trust requirements
(with particular emphasis on preventing the disclosure of data)
for sensitive applications,
To provide a metric with which to evaluate the degree
of trust that can be placed in computer systems for the secure
processing of classified and other sensitive information, and
To provide a basis for specifying security requirements
in acquisition specifications.
With respect to the second purpose for development of the
criteria, i.e., providing a security evaluation metric, evaluations
can be delineated into two types: (1) evaluations performed
on a computer product from a perspective that excludes
the application environment; or, (2) evaluations to assess whether
appropriate security measures have been taken to permit the
system to be used operationally in a specific environment.
The former type of evaluation is done by the National Computer
Security Center (NCSC) through the Trusted Product Evaluation
Program and is called "formal product evaluation."
The latter type of evaluation, that is, one done for the purpose
of assessing a system's security attributes with respect to
a specific operational mission, is known as a "certification
evaluation." A formal product evaluation does not
constitute certification or accreditation for the system
to be used in any specific application environment. The
system security certification and the formal approval/accreditation
procedure, done in accordance with the applicable policies
of the issuing agencies, must still be followed before a system
can be approved for use in processing or handling sensitive
or classified information. Designated Approving Authorities
(DAAs) remain ultimately responsible for specifying the security
of systems they The TCSEC and this Interpretation will be
used directly and indirectly in the certification process.
Along with applicable policy, they will be used directly
as technical guidance for evaluation of the total system and
for specifying system security and certification requirements
for new acquisitions. Where a system being evaluated for certification
employs a product that has undergone a formal product evaluation,
reports from that process will be used as input to the certification
evaluation. Moreover, the National Security Agency plans
to publish additional guidelines to assist certifiers and help
ensure consistency in certifications of systems processing
national security informantion.
STRUCTURE OF THE DOCUMENT
The remainder of the TDI is divided into two parts, plus two
appendices and a glossary.
PART 1, TECHNICAL CONTEXT, "presents general information
about the evaluation of trusted systems that are constructed
of several parts. This discussion is critical to trusted
DBMSs built upon trusted operating systems, but is not limited
to DBMSs only. It is included in the TDI because it is not
currently available in any previously published document. This
section reviews the central reference monitor concept, explains
the need to evaluate a system built of well-defined parts,
and develops the concept of TCB subsets. TCB subsets provide
a way of splitting a total TCB along access control policy
lines such that an evaluation by parts can be undertaken.
PART 1 concludes with an interpretation of those TCSEC
requirements which are relevant to an evaluation by parts,
and a description of the process of evaluation by parts.
PART 2, INTERPRETED REQUIREMENTS, "provides interpretions
of those TCSEC requirements that are either specific to DBMSs
(or applications in general), or are particularly relevant to
DBMSs. The number of requirements that are treated explicitly
is relatively small, because many of the TCSEC requirements apply
as stated to database management systems. The requirements
treated explicitly are labels, audit, system architecture,
design specification and verification, and design documentation.
Appendix A summarizes the interpreted requirements for
each TCSEC class and is intended to provide an easy reference
for those requiring a listing of requirements for a specific
class (e.g., B2). Appendix B provides discussion of several
topics not directly tied to the requirements levied on trusted
DBMSs by the interpretation of the TCSEC requirements.
The TDI proper will be supplemented by a Companion Document
Series (CDS). The CDS will address a wide spectrum of issues
related to trusted DBMSs but which are beyond the scope of this
document. Community debate about on-going topics of interest
will probably result in gradual extensions of what is known
about trusted DBMSs. Thus, volumes in the CDS will be issued
both regularly (to document the state of the community debate)
and by exception (to record new problems and new solutions).
PART 1 TECHNICAL CONTEXT
TC-1 INTRODUCTION
Modern computing systems are rarely conceived and built by a
single organization. Rather, the rule is that systems
are constructed by assembling parts?hardware, firmware,
and software?produced independently by various organizations
or vendors.
This fact introduces a fundamental difficulty into the task
of evaluating a "system" for conformance to the trust
requirements of the Trusted Computer System Evaluation Criteria
(TCSEC). [8] This difficulty stems from the fact that assessment
(either evaluation of a product or certification of a system)
entails a global perspective of the entire system under consideration.
There are not yet widely accepted methods of factoring the
various aspects of a trust assessment and then reassembling
the results into a statement about the whole.
These conflicting perspectives of local production and global
evaluation analysis are particularly evident in the field of
database management, but they are by no means limited to that
field. Thus the publication of this Interpretation requires
consideration of how to deal with systems built in parts
in the absence of a general treatment of the topic. On the
other hand, any treatment of the issue in the context of
trusted database management will have significant influence
in other fields where the same or similar problems arise,
just because of community review and NCSC publication. The
approach taken in this document is to address the issues
of evaluating systems built of parts in a way that is independent
of the field of trusted database management. This
conscious attitude of generality is intended to make clear
the distinction between the larger system-of-parts issues
and the more specific DBMS issues.
PART 1, "TECHNICAL CONTEXT," is divided into six sections.
Section TC-2, "Reference Monitor Perspective," summarizes
the role of the reference monitor concept in both the TCSEC
and the assessing of a system for its trust characteristics.
Section TC-3, "Need for Evaluation by Parts," deals
with the need to extend the reference monitor perspective slightly
to begin to address the evaluation of systems constructed of
separate parts. Section TC-4, "TCB Subsets," is the
heart of PART 1. That section introduces a conservative
extension to the reference validation mechanism, TCB subsets.
This extension provides the basis for being able to undertake
evaluation of systems built in parts in a way that allows re-use
of the results of separate evaluations (whether those evaluations
were performed before the current evaluation was begun or whether
the separate evaluations overlap in time). Section TC-5, "General
Interpreted Requirements," outlines the application of the
TCSEC requirements to individual TCB subsets when an evaluation
by parts is being done. Section TC-6, "Design Choices"
describes the general process of applying TCB subsets and
meeting the conditions for evaluation by parts. The treatment
in this section is general and not limited to DBMSs; DBMS-specific
issues are discussed in the appendices.
TC-2 REFERENCE MONITOR PERSPECTIVE
Building or evaluating a system for compliance with
the requirements of a particular class in the TCSEC is based
on the perspective of the Trusted Computing Base (TCB). The notion
of the TCB is central to the entire concept of assessing systems
for trust. The reference monitor described in the Anderson report
[1] is the basis of the notion of a TCB, as described in the
TCSEC:
For convenience, these evaluation criteria use the term Trusted
Computing Base to refer to the reference validation mechanism,
beit a security kernel, front-end security filter, or the
entire trusted computer system. [8, p. 67] Even in those lower
classes (below B2) where the reference monitor concept and reference
validation mechanisms are not mentioned explicitly, the perspective
of the reference monitor and its implementation as a reference
validation mechanism is present. Specifically, there are requirements
for (1) identifying the policy being enforced, (2) identifying
subjects and objects, (3) providing evidence that the operation
of the reference validation mechanism matches the high-level
description of the user interface, and (4) demonstrating isolation
of the TCB.
Therefore, all TCSEC evaluations share the initial conceptual
steps of identifying the mediation policy, the subjects, and
the objects. Starting from a global system perspective, the
initial step is to identify the access mediation policy
that will be enforced. One must then identify those active
system entities that are candidates for being the "subjects"
whose access to objects the TCB will mediate. Similarly,
one must identify those passive entities, those data repositories,
that are candidates for being the "objects," access
to which the TCB will mediate.
As usual, the existence of an abstraction within a system does
not make it necessarily a reference-monitor object, i.e., one
visible at the TCB interface. This is because the TCB will
make use of system abstractions for both its internal processes
and its storage requirements. Those entities, while being stored
in system "objects," will not be available to untrusted
processes (that is, they are not exported by the TCB). Thus
the analytical, iterative step is the separation of candidate
subjects and objects into those that are mediated by the TCB and
those that are not.
The various trust classes include requirements, at varying
levels of completeness and rigor, that the basic reference monitor
perspective of mediating access of subjects to objects be implemented
in a correct, self-protecting, and non-bypassable manner.
The core requirements of the TCSEC classes focus on these
reference monitor imperatives. The increasingly strict requirements
for visibility into the system design and implementation
(structure, documentation, testing, configuration, and distribution
requirements) all support the notion of checking the system's
conformance to its identified intent with regard to the subjects,
objects, and policy.
TC-3 NEED FOR EVALUATION BY PARTS
The need to be able to evaluate and certify systems built in
parts is increasingly evident. This need is seen in a variety
of contexts:
The need to evaluate and certify systems built out of parts
sold by different vendors, a situation especially prevalent
in the field of trusted DBMSs.
The need to re-assess systems that have undergone either small-
or large-scale improvements and are already evaluated and
placed on the Evaluated Products List (EPL).
The general problem of "families of systems," systems
that exist on a spectrum of hardware bases or that can be customized
for a user's specific needs.
In all such cases, two related versions of a system are largely
similar. It should be possible to undertake evaluations and
certifications in such a way that the entire assessment does
not have to be re-done for every slight variation that appears.
The current state of technology, however, places limitations
on what can be accomplished in this regard; it is not currently
possible to determine the trust characteristics of a system
on the basis of an arbitrary collection of subparts. The
overall task of trust assessment entails so many interrelated
subtasks that the ability to separate and reassemble is not well
understood.
In this circumstance of needing to be able to accommodate evaluation
of a system built in parts and the lack of consensus about
how this can be done in a technically sound fashion, a conservative
approach must be adopted. The following are required: (1)
a clear description of what "parts" will be considered
for separate evaluation; (2) a clear description of the conditions
under which such an evaluation by parts will be undertaken;
and (3) a general interpretation of TCSEC requirements as they
would apply when a system is being evaluated by parts. The
"parts" that will be considered by separate evaluation
are called "TCB subsets," the topic of Section TC-4
below.
TC-4 TCB SUBSETS
TC-4.1 INTRODUCTION
To attempt an evaluation of a TCB by splitting it into
parts, there must be available a precise definition of what
parts are candidates for separate evaluation (that is, for
evaluation by parts) as well as any other conditions that must
be satisfied before an evaluation by parts will be undertaken.
This section defines "TCB subset" as a strict
and conservative extension of the traditional concept of
the reference validation mechanism (RVM) as a method of delineating
which parts of a TCB can be candidates for separate evaluation.
The definition of TCB subsets, as well as explanatory and
motivational material, is included below in Section TC-4.2,
"TCB Subsets Context." Section TC-4.3 addresses
the conditions that must be satisfied by a TCB divided into
a set of TCB subsets before evaluation by parts will be undertaken.
These conditions assure that the structure of and relationships
among TCB subsets will satisfy TCSEC requirements, especially
those derived from the reference monitor concept.
TC-4.2 TCB SUBSETS CONTEXT
TC-4.2.1 DEFINITION OF TCB SUBSETS
A TCB subset M is a set of software, firmware, and hardware
(where any of these three could be absent) that mediates the
access of a set S of subjects to a set O of objects on the
basis of a stated access control policy P and satisfies the properties:
• 1) M mediates every access to objects in O by subjects in
S;
• 2) M is tamper resistant; and
• 3) M is small enough to be subject to analysis and
tests, the completeness of which can be assured.
• M uses resources provided by an explicit set of more primitive
TCB subsets to create the objects of O, create and manage its
data structures, and enforce the policy P. If there are
no TCB subsets more primitive than M, then M uses only hardware
resources to instantiate its objects, to create and manage
its own data structures, and to enforce its policy.
• The above definition does not explicitly prohibit an
access control policy P that allows trusted subjects. The implications
for the evaluation process when a TCB subset's policy allows
or does not allow such trusted subjects are substantial and are
discussed in Section TC-6.4. As described in TC-4.3, one of
the conditions for an evaluation by parts of a TCB made up of
TCB subsets is that all the trusted subjects of each TCB subset
be included in that TCB subset.
•
TC-4.2.2 MOTIVATION
The definition of "TCB subset" is intended to parallel
the definitions of the reference monitor and reference validation
mechanism found in the Anderson report [1] and included in the
TCSEC itself. "The term Trusted Computing Base [refers]
to the reference validation mechanism, be it security kernel,
front-end security filter, or the entire trusted computer
system." [8, p. 67] "TCB subset" is defined
exactly like a reference validation mechanism, with only one
difference, that it does not necessarily extend to the hardware.
Rather, a TCB subset uses either hardware resources or the
resources provided by other, more primitive TCB subsets.
Thus TCB subsets build on abstract machines, either physical
hardware machines or other TCB subsets. Just like reference
validation mechanisms, a TCB subset must enforce a defined access
control policy.
TC-4.3 CONDITIONS FOR EVALUATION BY PARTS
Building or evaluating a system using the definition of TCB
subsets in the section above requires meeting six conditions
in addition to demonstrating that the candidate TCB subsets
satisfy the properties appropriate to the evaluation target
class. The conditions are as follows:
The candidate TCB subsets are identified;
The system policy is allocated to the candidate TCB subsets;
Each candidateTCB subset M[i] includes all the trusted subjects
with respect to its technical policies P[i];
The TCB subset structure or architecture is explicitly
described;
Each TCB subset occupies distinct subset-domains; and
The more primitive TCB subsets provide support for the RVM
arguments for less primitve TCB subsets.
These conditions are described below.
TC-4.3.1 CANDIDATE TCB SUBSETS
The first condition is that the relevant elements of each
candidate TCB subset M[i] be identified. The hardware,
firmware, and software which compose the TCB subset need to
be clearly identified, along with the subjects and objects.
In terms of Section TC-4.2.1, this condition is the identification
of M[i], S[i], and O[i]. There may be no objects mediated
by more than one TCB subset. That is, there cannot be an object
O that is both in O[i] and O[j].
TC-4.3.2 POLICY ALLOCATION
The next condition is policy allocation, the description of
the technical policy P[i] for each identified M[i] along
with the relation of these policies to the system policy
P. The policies P[i] will be expressed in terms of subjects
in S[i] and objects in O[i]. Thus, to satisfy the
TCSEC requirement that the (composite) TCB enforce its stated
policy P, each rule in P must be traceable through the structure
of the candidate TCB subsets to the TCB subset(s) where
that enforcement occurs. See Sections TC-5.2.1.1 and TC-5.2.1.4.
TC-4.3.3 TRUSTED SUBJECTS INCLUDED
Every trusted subject with respect to P[i] must be part of
the TCB subset M[i]. This condition makes possible separate
evaluation of TCB subsets with respect to "local"
requirements. When this condition is not met, evaluation of
candidate TCB subsets cannot be guaranteed on an evaluation
by parts basis. This situation is treated in Section 6.4.
TC-4.3.4 TCB SUBSET STRUCTURE
The TCB subsets will exhibit a structure based on the
ordering implied by dependency. TCB subset A is less primitive
than TCB subset B if (a) A directly depends on B or (b) a
chain of TCB subsets from A to B exists such that each element
of the chain directly depends on its successor in the chain.
In this case we use the phrase "TCB subset B is more
primitive than TCB subset A" synonymously.
The sense of "directly depend" in (a) is exactly
the following: it is not possible to verify the implementation
of A with respect to its specification without a statement about
the specification of B.
More precisely, for a candidate TCB subset M, let sM denote the
specification of M. The specification will include, as a minimum,
the statement of the technical policy P of M. Further, let vM
denote the (engineering) demonstrations of the correctimplementation
of M with respect to its specification.
A (candidate) TCB subset A depends (for its correctness)"
on (candidate) TCB subset B if and only if the arguments of
vA assume, wholly or in part, that sB has been implemented correctly.
(See Appendix B, item 5 for additional discussion.)
The proposed structure of TCB subsets has to be identified.
The order must be a partial order. (Without a partial order,
there could be circular chains of dependencies that would
inhibit separate evaluations of the TCB subsets.)
TC-4.3.5 SEPARATE SUBSET-DOMAINS
The candidate TCB subsets must operate in near isolation from
each other, with the only interaction between them being that
explicitly asserted as part of the interface. In the case
of reference monitors, many existing implementations have relied
on the domain concept [23] which supports the assertions of
non-bypassability and self protection. A natural extension
of the domain concept will be required for isolation of TCB
subsets from each other and from non-TCB entities.
A subset-domain is a set of system domains.
Each candidate TCB subset must occupy a distinct subset-domain
such that modify-access to a TCB subset's subset-domain is permitted
only to that TCB subset and (possibly) to more primitive TCB
subsets. This requirement ensures that the structure of subset-domains
with respect to access is consonant with the dependency relation
among TCB subsets.
TC-4.3.6 SUPPORT FOR RVM ARGUMENTS
Candidate TCB subsets must satisfy the three RVM properties
included in the definition in TC-4.2.1 in order to complete
evaluation by parts successfully. TCB subsets that build on
resources and functionality provided by more primitive TCB
subsets must rely on assured and evaluatable characteristics
of those more primitive TCB subsets. A convincing argument
must be advanced that the features, characteristics, and
assurances provided by the more primitive TCB subsets are capable
of supporting RVM arguments for the less primitive TCB subsets.
The first property (mediating every access) requires that
there is no way of bypassing the mediation provided by
TCB subset M for its objects, either directly or by unexpected
side-effects of interactions with other TCB subsets. A
variety of approaches could suffice for demonstrating
this property.
The second property (tamper resistance) requires that the
policy-critical code and data for the less primitive TCB subset
be protected from any alteration not specifically allowed
by the TCB subset. A variety of approaches could suffice for
demonstrating this property.
The third property (completeness of testing and analysis for
correctness) requires the (engineering) demonstrations vM[i] of
the correctnessof each less primitive candidate TCB subset
M[i]. Aconvincing argument must therefore be advanced that the
specifications sM[k] for all of the more primitive TCB subsets
M[k] on which M[i] depends will suffice for establishing vM[i].
TC-4.4 EVALUATION ALTERNATIVES
As noted earlier, the need to evaluate systems whose elements
are developed separately, possibly by independent developers,
results in the need to define TCB subsets. That is not to
say, however, that design by TCB subsetting and the subsequent
evaluation by parts are the only alternatives. Rather, there
are three distinct possibilities.
A system TCB, regardless of any internal structure, may be
viewed as a single entity. In such a case, the evaluation
may proceed essentially as an evaluation against the TCSEC.
This case is examined in Section TC-6.2.
A system TCB may be presented as a subsetted architecture composed
of a number of candidate TCB subsets. Given that each of
the candidate TCB subsets satisfies the conditions set forth
in Section TC-4.3, an evaluation by parts is possible.
This case is described in Section TC-6.3.
It may be possible to satisfy only some of the conditions for
evaluation by parts. This situation might arise when a previously
evaluated TCB or TCB subset is modified to accommodate the
policy-enforcing elements of a new application layer. A special
case of this situation is described in Section TC-6.4. In such
cases, depending upon the particulars, it may be possible
to realize some of the savings in evaluation effort. However,
no general statements can be made for these cases.
TC-5 GENERAL INTERPRETED REQUIREMENTS
TC-5.1 OVERVIEW
This section provides specific interpretations of those TCSEC
requirements that are particularly relevant for subsetted architectures
and evaluation by parts. Its organization is derived from the
structure of the TCSEC requirements. For each relevant TCSEC
requirement there is a discussion of how that requirement is
interpreted in an evaluation by parts.
For conciseness, only the requirements headings applicable
for A1 systems are included below. Thus, the interpretation
guidance below should be applied only as demanded by the
requirements for the target class of the candidate trusted
system. For a system targeted at an evaluation class below
A1, only those requirements that pertain to the target class
apply to the TCB subsets making up that system.
A listing of the requirements and interpretations
by TCSEC class is presented in Appendix A. The rationale for
the applicability of the TCSEC requirements to TCB subsets
alone or to the TCB as an entirety is described in Appendix B,
item 7.]
TC-5.2 DETAILED REQUIREMENTS
TC-5.2.1 SECURITY POLICY
TC-5.2.1.1 Discretionary Access Control
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
TC-5.2.1.2 Object Reuse
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB.
TC-5.2.1.3 Labels
This requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory access control of
its subjects to its objects. Any TCB subset whose policy does
not include such mandatory access control is exempt from
this requirement.
Label Integrity
This requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory access control of its
subjects to its objects. Any TCB subset whose policy does not
include such mandatory access control is exempt from this
requirement.
Exportation of Labeled Information
This requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory access control of its
subjects to its objects. Any TCB subset whose policy does not
include such mandatory access control is exempt from this
requirement.
Subject Sensitivity Labels
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
Device Labels
This requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory access control of its
subjects to its objects and has attached physical or virtual
devices. Any TCB subset whose policy does not include such
mandatory access control or has no attached physical or virtual
devices is exempt from this requirement. This requirement
can be satisifed by the cooperative action of more than one TCB
subset.
TC-5.2.1.4 Mandatory Access Control
This requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory access control of
its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
TC-5.2.2 ACCOUNTABILITY
TC-5.2.2.1 Identification and Authentication
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to ensure that the security
level of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by the clearance
and authorization of that user. Each TCB subset may maintain
its own identification and authentication data or one
central repository may be maintained. If each TCB subset has
its own data, then the information for each individual user
must be consistent among all subsets.
Trusted Path
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
When TCB subsets are used, the requirement for trusted path
at levels B2 and above remains applicable to the entire
TCB. The need for trusted path "when positive TCB-to-user
connection is required (e.g., login, change subject security
level)" can require user interaction with virtually any
TCB subset within the TCB. The implementation of trusted
path could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one TCB subset
if the separate implementations together comply with the system
security policy.
TC-5.2.2.2 Audit
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
A TCB subset may maintain its own security audit log, distinct
from that maintained by more primitive TCB subsets, or it
may use an audit interface provided by a different TCB subset
allowing the audit records it generates to be processed
by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or later.
Any TCB subset wherein events may occur that require notification
of the security administrator
shall be able to do the following: (1) detect the occurrence
of these events, (2) initiate the recording of the audit
trail entry, and (3) initiate the notification of the security
administrator. The ability to terminate events (2) and (3)
above may be provided either in the TCB subset within which
they occur, or in the TCB subset(s) where actions that lead to
the event were initiated.
The monitoring and notification requirements may require cooperation
between multiple distinct TCB subsets or multiple instantiations
of the same TCB subset. For example, to detect the accumulation
of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the same user. As another example, there may be a single
TCB subset that collects events from a number of other TCB
subset instantiations and, based on its analysis of them, notifies
the security administrator.
TC-5.2.3 ASSURANCE
TC-5.2.3.1 Operational Assurance
System Architecture
This requirement applies as stated in the TCSEC to every
TCB subset, with the following
additional interpretations.The TCB must provide domains for
execution that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts. A most
primitive TCB subset must provide domains for execution. A
less primitive TCB subset must make use of domains provided
by a more primitive TCB subset. A less primitive TCB subset
may provide further execution domains but is not required to do
so.
Similarly, the TCB must provide distinct address spaces
for untrusted processes. A most primitive TCB subset
must provide distinct address spaces for its subjects. A
less primitive TCB subset must make use of the distinct address
space provided by a more primitive TCB subset. A less primitive
TCB subset may provide more fine-grained distinct address spaces,
but is not required to do so.
In general, requirements specifically referring to hardware
or firmware apply only to TCB subsets that include hardware
or firmware. The exception is the requirement that the
TCB make effective use of available hardware. This requirement
applies to those TCB subsets that use resources provided
by more primitive TCB subsets in lieu of hardware. Those
TCB subsets are required to make effective use of the
protection-relevant features exported to it by the more primitive
TCB subsets (e.g., execution domains, support for distinct address
spaces) to separate those elements that are protection-critical
from those that are not.
System Integrity
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
Covert Channel Analysis
This requirement applies as stated in the TCSEC to the entire
TCB. When the TCB is made up entirely of TCB subsets
meeting the conditions for evaluation by parts, analysis of
the individual TCB subsets satisfies this requirement. Otherwise,
covert channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the individual
TCB subsets were available).
Trusted Facility Management
This requirement applies as stated in the TCSEC to the entire
TCB. Any "operator" or "administrator"
functions intrinsic to an individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
Trusted Recovery
This requirement applies as stated in the TCSEC to the entire
TCB and to the individual TCB subsets. The cooperative recovery
actions of the TCB subsets making up the TCB must provide trusted
recovery for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the individual
TCB subsets meet the trusted recovery requirements).
TC-5.2.3.2 Life-Cycle Assurance
Security Testing
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB. Otherwise, security testing of the entire TCB
must be performed (even if the results of testing the
individual TCB subsets were available).
Design Specification and Verification
This requirement applies as stated in the TCSEC to every TCB
subset, with the following specific additional interpretations.
It must be demonstrated that the securitypolicy enforced by
the composite TCB is represented by the collection of policy
models for the individual TCB subsets.
The argument that the descriptive top level specification (DTLS)
and formal top level specification (FTLS) are consistent with
the TCB interface applies to the entire TCB. There is required
an explicit and convincing description of how the set of
top level specifications (one for each TCB subset) describes
the TCB interface in terms of exceptions, errors, and effects.
Configuration Management
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB, with the following additional interpretation.
Because subsets of the TCB may be developed independently, a
single configuration management system may not be feasible.
However, the combination of configuration management systems
used to support all the TCB subsets must meet all the stated
requirements. The information describing the interrelations
between separate TCB subsets and separate security policy
models falls into the category of "all documentation and
code associated with the current version of the TCB"
in the TCSEC requirements.
Trusted Distribution
This requirement applies as stated in the TCSEC to the entire
TCB. It can be met by satisfying the requirements for each
TCB subset if procedures exist for assuring that all TCB subsets
upon which a particular TCB subset depends (that is, the
more primitive TCB subsets) are exactly the same version as
specified for the TCB subset in question.
TC-5.2.4 DOCUMENTATION
TC-5.2.4.1 DOCUMENTATION
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
TC-5.2.4.2 Trusted Facility Manual
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB.
This requirement can be met by providing a set of manuals,
one for each distinct (non-replicated) TCB subset. Each manual
shall address the functions and privileges to be controlled
for the associated TCB subset. Additionally, it must clearly
show the interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall identify
the functions and privileges of the TCB subsets on which
the associated TCB subset depends. Also, the TCB subset's
manual shall identify which, if any, configuration options
of the more primitive TCB subsets are to be used for the composite
TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed.
The means for correlating multiple audit logs and synonymous
user identifications from multiple TCB subsets (if such exist)
shall also be addressed. The trusted facility manual shall
describe the composite TCB so that the interactions among
the TCB subsets can be readily determined. Other manuals may
be referenced in this determination. The manuals that address
the distinct modules of the TCB and the generation of the
TCB need to be integrated with the other trusted facility manuals
only to the extent that they are affected by the use and operation
(versus the development) of the composite TCB.
The TCB modules that contain the reference validation mechanism
must be associated with the TCB subset to which they belong.
The procedure for generating a new TCB after modifying
only one (or several) TCB subsets must be described. This
may be accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the affected
TCB subsets.
TC-5.2.4.3 Test Documentation
This requirement applies as stated in the TCSEC to the composite
TCB.
TC-5.2.4.4 Design Documentation
This requirement applies as stated in the TCSEC to the composite
TCB, with the following specific additional interpretations:
Requirements concerning models, FTLS and DTLS, apply to individual
TCB subsets.
The requirement concerning the description of interfaces between
modules of the TCB includes the interfaces between TCB subsets.
The documentation of the implementation of a reference validation
mechanism must include justification for meeting the conditions
for evaluation by parts.
The A1 requirement to describe clearly non-FTLS internals of
the TCB applies to TCB subsets.
TC-5.3 SUMMARY OF THE REQUIREMENTS
The requirements interpretations in Section TC-5.2 above can
be grouped into two categories: those that apply to individual
TCB subsets and those that apply totally or in part to the
overall TCB. For purposes of exposition, the former category
will be termed "local requirements," that is, those
for which separate analysis of the individual TCB subsets
suffices to determine compliance for the composite TCB. The latter
are termed "global requirements," that is, those which
require analysis of the entire system and for which separate
analysis of the individual TCB subsets does not suffice.
TC-5.3.1 LOCAL REQUIREMENTS
• Discretionary Access Control;
• Object Reuse;
• Labels (except Subject Sensitivity Labels);
• Mandatory Access Control;
• System Architecture (except domains for
execution and distinct address spaces);
• System Integrity;
• Configuration Management;
• Security Features User's Guide;
• Design Documentation
• models,
• DTLSs,
• FTLSs, and
• non-FTLS internals.
TC-5.3.2 GLOBAL REQUIREMENTS
Subject Sensitivity Labels;
Identification and Authentication;
Trusted Path;
Audit;
System Architecture domains for execution, and distinct address
spaces;
Covert Channel Analysis;
Trusted Facility Management;
Trusted Recovery (also applies to
individual TCB subsets); Security Testing; Design Specification
and Verification correspondence between system policy and the
set of TCB subset models consistency of TCB interface with the
set of TCB subset DTLSs, and consistency ofTCB interface with
the set of TCB subset FTLSs; Trusted Distribution; Trusted
Facility Manual (also applies to individual TCB subsets);
Test Documentation; and Design Documentation (except models,
DTLSs, FTLSs, and non-FTLS internals).
TC-6 DESIGN CHOICE
TC-6.1 OVERVIEW
This section examines the several design choices available
for constructing systems in parts and the consequences of each
when attempting to perform an evaluation by parts. The first
case described is that of a TCB evaluated under the TCSEC without
benefit of TCB subset structuring. This case is of value
for several reasons: it serves as a reference point; it can
be considered the degenerate case of subsetting; and it is
always an option to evaluate any TCB, regardless of internal
structure, as a monolith. The second and third cases are
presented in terms of a
configuration of exactly two subsets; the
generalization to more than two TCB subsets
is
straightforward. The second case is that of
a
subsetted architecture that exactly satisfies
the
conditions for evaluation by parts. The third case represents
a special case of an altered TCB, one which is implemented using
trusted subjects.
Note that no evaluation using TCB subsets and evaluation by parts
results in a TCB subset receiving an evaluation rating. Rather,
the entire system, with its composite TCB, is evaluated and
receives a rating.
However, evaluation by parts is intended to allow the
results of local analysis of individual TCB subsets to be distinguishable
and separately referencable. For further discussion of this
topic, see Appendix B, item 10.
TC-6.2 A SINGLE TCB SUBSET
The evaluation of a TCB consisting of a single TCB subset
is equivalent to a straightforward evaluation against the
TCSEC. The conditions for evaluation by parts (Section
TC-4.3) reduce to requirements found in the TCSEC itself.
TC-6.2.1 ANALYSIS OF THE CONDITIONS
TC-6.2.1.1 Condition 1: Candidate TCB Subsets
The TCB (hardware, software, and firmware), as distinguished
from the rest of the computing system, must be identified. This
is a basic requirement for TCSEC evaluation. Similarly, the
subjects and objects within the system must be identified. The
requirement that no more than one TCB subset mediate access to
any particular object is satisfied, because there is only one
TCB subset.
TC-6.2.1.2 Condition 2: Policy Allocation
The policy P enforced by the TCB (subset) must be identified.
The demonstration that the TCB (subset) enforces that policy
will be a description of how the TCB performs access mediation
between the system's subjects and objects according a system-level
description of limitations on access (the technical policy
P[i] of the definition). The tracing of the policy to the
system design and behavior is part of the stated TCSEC requirements.
TC-6.2.1.3 Condition 3: Trusted Subjects Included
This condition is satisfied in the same manner as it
is in evaluations under the TCSEC. Specifically, the TCB
boundary is shown to be the interface that is presented to
untrusted subjects.
TC-6.2.1.4 Condition 4: TCB Subset Structure
Satisfaction of this condition (TC-4.3.4) is immediate, because
there is only one TCB subset.
TC-6.2.1.5 Condition 5: Separate Subset-Domains
Satisfaction of the separate subset-domain condition (TC-4.3.5)
is identical to the C1 through A1 requirement that "the
TCB maintain a domain for its own execution that protects it
from external interference or tampering." [8, p. 13 et
al.]
TC-6.2.1.6 Condition 6: Support for RVM Arguments
Satisfaction of this condition (TC-4.3.6) is immediate, inasmuch
as there are no less primitive TCB subsets that must be demonstrated
to satisfy RVM requirements.
TC-6.2.2 EVALUATION S CONSEQUENCE
In this case, the evaluation of the (single) TCB subset proceeds
exactly like an evaluation under the TCSEC. Demonstration
that the candidate system meets all the global and local
requirements (as they apply to the target evaluation class)
includes the consideration of each requirement as it applies system's
philosophy of protection, design, documentation, and implementation.
The system must be shown to exhibit the properties of
a reference validation mechanism, appropriate to the target
class.
TC-6.3 TWO TCB SUBSETS, MEETING THE CONDITIONS
This case is of a TCB that consists of two candidate TCB subsets,
A and B, where A is the most primitive TCB subset. That is,
B uses the abstractions provided by A (the objects, in particular)
as its resource for the construction and exportation of its
own abstractions. B also uses the abstractions provided
by A for its metadata (that is, internal data structures) that
make it possible for B to instantiate its exported abstractions
as well as keep records that enable it to correctly enforce
its stated policy. In terms of the discussion of Section TC-4.3.4,
TCB subset B directly depends on TCB subset A. It will be assumed
that TCB subset A enforces mandatory and discretionary policies
on its objects and that TCB subset B enforces a discretionary
policy on the objects it exports. Additionally, all trusted
subjects of A are contained within A. Thus, every subject of
A (including all the active entities that make up the logic
of B) operates at a single sensitivity level. It will further
be assumed for th is example that the mechanisms for domains
and thus for subset-domains are independent of the mandatory
and discretionary access control policy enforcement mechanisms.
TC-6.3.1 ANALYSIS OF THE CONDITIONS
TC-6.3.1.1 Condition 1: Candidate TCB subsets
The TCB (hardware, software, and firmware), as distinguished
from the rest of the computing system, must be identified. This
is a basic requirement for TCSEC evaluation. Similarly, the
subjects and objects within the system must be identified.
In this case, all the hardware, software, and firmware that make
up the TCB must be identified as being part of either TCB subset
A or TCB subset B. The subjects and objects mediated by
A (call them the "A-subjects" and "A-objects"
for this discussion) must be identified. Similarly the B-subjects
and B-objects must also be identified.
The additional requirement in Section TC-4.3.1 that "there
may not be any objects mediated by more than one TCB subset"
means that there can be no B-object that is also an A-object.
TC-6.3.1.2 Condition 2: Policy Allocation
The policy P enforced by the whole TCB must be identified.
In addition, the policy enforced by A (call it the A-policy),
stated in terms of the A-subjects and the A-objects,
must be identified. Similarly, the B-policy, stated in
terms of the B-subjects and the B-objects, must be identified.
TC-6.3.1.3 Condition 3: Trusted Subjects included
As was stated above, TCB Subset A contains all its own trusted
subjects. There may be trusted subjects with respect to the
policy of A, but all such subjects execute in the subset-domain
of A.
TC-6.3.1.4 Condition 4: TCB Subset Structure
Because B directly uses the A-objects and its logic is embodied
in A-subjects, the structure of the TCB subsets is precisely
"TCB subset A is more primitive than TCB subset B."
This is a partial order.
TC-6.3.1.5 Condition 5: Separate Subset-Domains
Satisfaction of the separate subset-domain condition requires
that a set of domains provided by the system be identified
as being the domains "occupied" by A and B.
The domain, or domains, occupied by A is exactly the
"domain for its own execution" found in the TCSEC
requirements. The domain or domains occupied by TCB subset
B must not be modifiable by any code or other system entity
except possibly by TCB subset A.
TC-6.3.1.6 Condition 6: Support for RVM Arguments
Satisfying the condition for RVM arguments requires demonstrating
the plausibility of being able to establish the three requisite
properties of an RVM. The first property requires that no
B-subject be allowed to access B-objects without those
accesses being mediated by TCB subset B. The tamper resistance
property requires that TCB subset A provide a way that TCB subset
B can be designed and implemented such that A-subjects that
are not part of B's implementation cannot tamper with B's
policy-critical code or data. The third RVM property must
be satisfied by the individual TCB subsets. The degree to
which each TCB subset must satisfy this property is commensurate
with the evaluation class of the TCB.
TC-6.3.2 EVALUATION CONSEQUENCES
In this case, the evaluation of the two TCB subsets requires
that each meet TCSEC requirements applicable to each TCB
subset viewed individually and that the two TCB subsets combine
in a way to meet all the TCSEC requirements stated for the target
class.
All local requirements are imposed on the two TCB subsets, A and
B, individually. If each TCB subset can meet the requirements
of the target class, viewed as if it were a separate TCB,
the only areas where additional evaluation or accreditation
work might be required are those areas where the sum of the
analysis of the parts is not necessarily complete and convincing.
Those areas requiring additional work are exactly the set
of global requirements described in Section TC-5.3.2.
Demonstrating that the candidate system meets the
TCSEC requirements (as they apply to the target evaluation
class) requires that both A and B be evaluated with respect
to the local requirements of the target class and that the
composite TCB be evaluated for global requirements. In this
case, full testing of TCB subset A against all the requirements
(both local and global) simplifies the task of demonstrating
satisfaction of the global requirements, both for B and for the
entire TCB.
Suppose, for example, that TCB subset A has been subjected
to security testing appropriate to the target class and has
been shown to be adequately resistant to penetration attacks.
This means that within the confidence level provided by
the testing requirement, no A-subject can subvert A's enforcement
of its policy. In this situation, every active entity in B is
an A-subject and hence B can neither penetrate A nor be induced
to do so by any B-subject. Thus, no further testing of A
will be required to determine whether the entire TCB is resistant
to penetration; any additional penetration testing can be
limited to determining the ability of B to withstand assault.
Similarly, if A has been searched for covert channels (as required
for its target class requirements), then no further search
for covert channels will be required, either in the analysis
of B or in the overall consideration of the entire TCB.
Note that if B implements a mandatory access control policy
(e.g., integrity), then it would be necessary to perform a covert
channel analysis on B, but no further covert channel analysis
of A would be required.
The ability of users to determine the current sensitivity level
of B-subjects operating on their behalf will have to be
shown by considering the TCB subsets A and B together. This
requirement is satisfied immediately if the argument relies
exclusively on A meeting the requirement.
TC-6.4 TWO TCB SUBSETS, NOT MEETING THE CONDITIONS
This case also concerns a TCB that consists of two candidate
TCB subsets, C and D. C is the most primitive TCB subset.
That is, D uses the abstractions provided by C (the objects,
in particular) as its resource for the construction and exportation
of its own abstractions. D also uses the abstractions
provided by C for its metadata (that is, internal data structures)
that make it possible for D to instantiate its exported abstractions
as well as keep records that enable it to correctly enforce
its stated policy. In terms of the discussion of Section TC-4.3.4,
TCB subset D directly depends on TCB subset C. Additionally,
D is trusted with respect to C. That is, some of the C-subjects
which make up TCB subset D execute as trusted processes
of C. Here also, as in the previous example, it is assumed
that C implements mandatory and discretionary policies over its
objects. Further, the intent of D is to implement a discretionary
policy over the objects it exports. However, because D includes
subjects which are trusted relative to C's policy demonstration
of the full and correct enforcement of the mandatory policy
requires analysis of both C and D and is no longer localized
to TCB subset C. It will be assumed that the mechanisms for
domains and thus for subset-domains are independent of the
mandatory and discretionary access control policy enforcement
mechanisms.
This case can be viewed as a special case of a previously evaluated
TCB which has been altered. However, the alteration takes
the form of a less primitive subset which is implemented,
at least in part, with trusted subjects (i.e., some of
the C-subjects are trusted subjects which execute in the subset-domain
of D). Although this case may appear, intuitively, to be
different from that of arbitrary alteration of a previously
evaluated TCB, the example demonstrates that such an approach
makes it impossible to perform an evaluation by parts.
TC-6.4.1 ANALYSIS OF THE CONDITIONS
TC-6.4.1.1 Condition 1: Candidate TCB Subsets
The identification of the TCB (hardware, software, and firmware)
as distinguished from the rest of the computing system is
a basic requirement for TCSEC evaluation. Likewise, the subjects
and objects within the system must be identified.
In this case, all the hardware, software, and firmware that make
up the TCB must be identified as being part of either TCB subset
C or TCB subset D. The C-subjects and C-objects mediated
by C have to be identified. Similarly the D-subjects and
D-objects must also be identified.
The additional requirement in Section TC-4.3.1 that "there
may not be any objects mediated by more than one TCB subset"
means there can be no D-object that is also a C-object.
TC-6.4.1.2 Condition 2: Policy Allocation
The policy P enforced by the whole TCB must be identified.
In addition, the individual policy enforced by C (call it
the C-policy) must be identified in terms of the C-subjects
and the C-objects. Similarly, the D-policy, stated in terms
of theD-subjects and the D-objects, must be stated. In this
case, the C-policy will include the strict enforcement of a
mandatory access control policy that allows trusted subjects
to execute in the subset-domains which compose TCB subset D.
TC-6.4.1.3 Condition 3: Trusted Subjects
Included This condition is not satisfied because D includes
at least one subject that is trusted with respect to C.
Hence a subject that is trusted with respect to the policy
of C is outside C, and evaluation by parts is not an option.
If TCB subset C had previously been evaluated, then this
is an example of an altered TCB, albeit a special case.
The change consists of the addition of one or more trusted
C-subjects in D whose effect on the behavior of C cannot
be predicted a priori. An assessment of the impact of D
on the behavior of C cannot be made strictly by an examination
of the trusted subjects and the definition of C's interface.
A global assessment of C and D is required.
TC-6.4.1.4 Condition 4: TCB Subset Structure
Because D directly uses the C-objects and its logic is embodied
in C-subjects, the structure of the TCB subsets is precisely
"TCB subset C is more primitive than TCB subset D."
This is a partial order.
TC-6.4.1.5 Condition 5: Separate Subset-Domains
Satisfying the separate subset-domain condition (TC-4.3.5)
requires identifying the set of system domains (likely administered
by the most primitive TCB subset C) as the domains "occupied"
by C and D. The domain, or domains, occupied by C is exactly
the "domain for its own execution" found in the TCSEC
requirements. The domain or domains occupied by TCB subset
D must not be modifiable by any code or other system entity
except possibly by a part of TCB subset C.
TC-6.4.1.6 Condition 6: Support for RVM Arguments
Satisfying the condition for RVM arguments requires demonstrating
the plausibility of being able to establish the three requisite
properties of an RVM. The first property requires that no
B-subject be allowed to access B-objects without those
accesses being mediated by TCB subset B. The tamper resistance
property requires that TCB subset A provide a way that TCB subset
B can be designed and implemented such that A-subjects that
are not part of B's implementation cannot tamper with B's
policy-critical code or data. The third RVM property must
be satisfied by the individual TCB subsets. The degree to
which each TCB subset must satisfy this property is commensurate
with the evaluation class of the TCB.
TC-6.4.2 EVALUATION CONSEQUENCES
In this example, the conditions for evaluation by parts
are not satisfied and thus, thef ull potential for savings
in evaluation effort cannot, in general, be realized. A clear
option in such cases is to view the system as a monolithic TCB
and proceed accordingly. However, because this case represents
an example of an altered TCB, it admits of a wide spectrum of
specific sub-cases. Thus, if the analysis of the system proceeds
in parallel to that required for evaluation by parts it
may be possible, in special cases, to identify elements of
the analysis of the more primitive candidate TCB subset which
can be successfully argued to be unaffected by the alterations.
Some evaluation effort, often significant, can be saved, but
unlike evaluation by parts, how much can only be estimated
by consideration of the implementation specifics. For example,
in this specific case, the local analysis of TCB subset
C represents a reasonable candidate for analysis that need
not be redone.
TC-6.5 SUMMARY
The three cases described above illustrate the effects of
various TCB subsetting situations as they relate to the evaluation
requirements. A monolithic evaluation proceeds exactly as described
in the TCSEC, with requirements being applied to the entire TCB.
When all the conditions for evaluation by parts are satisfied,
considerable savings in evaluation effort are realized. The
evaluation of a new system configuration that includes exactly
the same TCB subset that was previously evaluated (such as the
TCB subsets A and B in the Section TC-6.3) is limited to (a)
local analysis of the individual TCB subsets (by reference to
earlier analysis, if available) and (b) a simpler global
analysis, because each TCB subset is an exact analog of a TCB.
When the conditions for evaluation by parts are not satisfied,
no general statements can be made about the factorability of
analysis or the reusability of previous analysis. The extent
to which previous evaluation evidence and results remain
valid can be determined only on a case-by-case basis.
PART 2 INTERPRETED REQUIREMENTS
IR-1 OVERVIEW AND CONTEXT
Part 2, "INTERPRETED REQUIREMENTS," provides specific
interpretations of those TCSEC requirements which are deemed
to be either DBMS-specific (or, more generally, application-specific)
or particularly relevant to DBMSs. All of the requirements
in the TCSEC apply in any case.
For the topics included below, the interpretations
provide clarification of the TCSEC requirements. As is
the case for the TCSEC, the interpreted requirements at
any class include those specified for that class in addition
to interpretations for lower classes that have not been superseded
or altered.
Section IR-2 presents an overall summary of the TCSEC requirements,
as interpreted in the more detailed sections that follow.
Sections IR-3 through IR-7 address individual requirements
interpretations for labels, audit, system architecture, design
specification and verification, and design documentation, respectively.
The format is an initial discussion of the topic in general,
followed by specific requirements and interpretations that apply
to database management systems. A listing of the requirements
and interpretations organized by TCSEC class is presented
in Appendix A.
IR-2 SUMMARY OF THE INTERPRETATIONS
This section provides specific interpretations
of those TCSEC requirements that are particularly relevant
for subsetted architectures and evaluation by parts. Its organization
is derived from the structure of the TCSEC requirements.
For each relevant TCSEC requirement there is a discussion of
how that requirement is interpreted for a DBMS.
IR-2.1 SECURITY POLICY
IR-2.1.1 DISCRETIONARY ACCESS CONTROL
The requirement for discretionary access control is not changed
in the context of this document and therefore applies as stated
in the TCSEC.
IR-2.1.2 OBJECT REUSE
The requirement for object reuse is not changed in the
context of this document and therefore applies as stated in the
TCSEC.
IR-2.1.3 LABELS
The requirement for labels is treated in Section IR-3 of
this document.
IR-2.1.4 MANDATORY ACCESS CONTROL
The requirement for mandatory access control is not changed
in the context of this document and therefore applies as
stated in the TCSEC. However, there are several subtle
ramifications of this requirement of which a developer or
evaluator should be aware. A brief discussion can be found in
Appendix B, item 8, "Content-Dependent and Context-Dependent
Access Control."
IR-2.2 ACCOUNTABILITY
IR-2.2.1 IDENTIFICATION AND AUTHENTICATION
The requirement for identification and authentication
is not changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.2.2 AUDIT
The requirement for audit is treated in Section IR-4 of
this document.
IR-2.3 ASSURANCE
IR-2.3.1 OPERATIONAL ASSURANCE
IR-2.3.1.1 System Architecture
The requirement for system architecture is treated in Section
IR-5 of this document.
IR-2.3.1.2 System Integrity
The requirement for system integrity is not changed in the
context of this document and therefore applies as stated in the
TCSEC.
IR-2.3.1.3 Covert Channel Analysis
The requirement for covert channel analysis is not changed
in the context of this document and therefore applies as stated
in the TCSEC.
IR-2.3.1.4 Trusted Facility Management
The requirement for trusted facility management is
not changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.3.1.5 Trusted Recovery
The requirement for trusted recovery is not changed in the
context of this document and therefore applies as stated in the
TCSEC.
IR-2.3.2 LIFE CYCLE ASSURANCE
IR-2.3.2.1 Security Testing
The requirement for security testing is not changed in the
context of this document and therefore applies as stated in the
TCSEC. IR-2.3.2.2 Design Specification and Verification
The requirement for design specification and verification is
treated in Section IR-6 of this document.
IR-2.3.2.3 Configuration Management
The requirement for configuration management is not changed
in the context of this document and therefore applies as stated
in the TCSEC.
IR-2.3.2.4 Trusted Distribution
The requirement for trusted distribution is not changed in
the context of this document and therefore applies as stated
in the TCSEC.
IR-2.4 DOCUMENTATION
IR-2.4.1 SECURITY FEATURES USER'S GUIDE
The requirement for a security features user's guide is
not changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.4.2 TRUSTED FACILITY MANUAL
The requirement for a trusted facility manual is not changed
in the context of this document and therefore applies as stated
in the TCSEC.
IR-2.4.3 TEST DOCUMENTATION
The requirement for test documentation is not changed in the
context of this document and therefore applies as stated in the
TCSEC.
IR-2.4.4 DESIGN DOCUMENTATION
The requirement for design documentation is treated in Section
IR-7 of this document.
IR-3 LABELS
IR-3.1 GENERAL DISCUSSION
The labels requirements of the TCSEC are entirely applicable
to database management systems. The basic difference between
the TCSEC labeling requirements as they apply to operating
systems and DBMSs involves which storage objects are labeled
rather than how the labels are handled. This section
discusses special considerations in implementing and evaluating
labeling mechanisms in database management systems. Of particular
importance is the selection of the storage objects that are to
be labeled.
Beginning at the B1 evaluation class, trusted database management
systems are required to associate labels with all storage
objects under their control. The granularity of storage
objects to be protected shall be chosen by the DBMS designer.
Stored view definitions (that is, named query commands) that are
visible at the TCB boundary must be stored in labeled objects.
The TCB must mediate access both to the view definition
and to the view instantiation (that is, the set of
labeled objects accessed as the result of executing the query
command contained in the view definition).
It has been proposed in several designs that views be used as
a mechanism to implement context- or content-dependent labeling.
The intuitive attractiveness of this approach is undeniable,
but the implementation details must be carefully worked out to
achieve a sound implementation. A brief discussion of this
topic can be found in Appendix B, item 8, "Content-Dependent
and Context-Dependent Access Control." TCB designers and
evaluators may make distinctions between objects that are explicitly
labeled or implicitly labeled. Such distinctions are meaningful
only within the confines of the TCB; all storage objects are
explicitly labeled from a point of view outside the TCB. For
example, consider an object of one type (e.g., table or file)
within the TCB that "contains" many (reference monitor)
objects of another type (e.g., tuples and records). The file
could have an explicit label associated with it, and some of
the records could have explicit labels associated with them.
Those records that have no explicit label would be implicitly
labeled by the label of the file.
For database management systems, the objects that store the base
data of the database (e.g., files, records, relations, and
tuples), as well as those objects that store the metadata (e.g.,
directories, indices, schemas, data dictionaries, discretionary
authorization tables, recovery logs, and transaction logs),
must be labeled. Objects that need not be labeled include
internal resources that are not user visible (e.g., printer
daemon scratch files and resource allocation tables). The requirement
for importing data (labeled and unlabeled) is the same as in
the TCSEC. For additional information, see Appendix B, item 9,
"Bulk Loading of a Database."
IR-3.2 SPECIFIC INTERPRETATIONS
CLASS (B1): LABELED SECURITY PROTECTION
There are no interpretations for this class.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
Sensitivity labels associated with each ADP system resource
. . . that is directly or indirectly accessible by subjects
external to the TCB shall be maintained by the TCB.
Interpretation
Internal TCB variables that are not visible to untrusted subjects
need not be labeled, provided that they are not directly or
indirectly accessible by subjects external to the TCB. However,
it is important to understand that such internal variables can
function as covert signaling channels when untrusted subjects
are able to detect changes in these variables by observing
system behavior.
CLASS (B3): SECURITY DOMAINS
There are no additional requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-4 AUDIT
IR-4.1 GENERAL DISCUSSION
The audit requirements of the TCSEC apply to database management
systems. This section discusses special considerations in
designing and evaluating audit mechanisms in database management
systems. The TCB must be capable of maintaining an audit trail
of accesses and attempted accesses to the objects protected
by the mandatory and discretionary security policies. Two
examples are given to illustrate auditing techniques for
discretionary access control decisions.
Example 1. Consider a DBMS TCB providing discretionary controls
on defined views of the database. Because the named object presented
at the TCB interface is the view definition (not the records
instantiated through the view), all that needs to be auditable
is the use of the view by any untrusted subject.
Example 2.Consider a DBMS TCB that enforces discretionary access
control on individual data records. When a user enters
a query, the construction of a response may involve a search
over many records that are not returned to the user because
they did not satisfy the query. Records that do satisfy the
query but to which the user does not have access should be
auditable. Records that do not satisfy the query need not be
auditable. That is, in the context of audit, access permission
to the user and satisfaction of a query are to be kept separate.
There is no need to audit operations that are strictly internal
to the TCB. Separate security audit logs may be maintained by
the operating system and the database management system.
Likewise, separate identifications for the same user may
be maintained by the operating system and the database
management system. The correlation of separate audit logs may
be done either at the time they are generated or at some later
time.
The emphasis of the audit criterion is to provide individual
accountability for actions by users. This goal is not the
same as that for a backup and recovery log. There is no requirement
to integrate the audit log with the backup and recovery log,
although such an integrated log is not prohibited. At the designer's
discretion, there may be a selectable capability to reduce
the number of audit records generated in response to queries
that involve many access control decisions.
IR-4.2 SPECIFIC INTERPRETATIONS CLASS (C2): CONTROLLED ACCESS
PROTECTION
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, and inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to users. That is, each discretionary
access control policy decision shall be auditable. Individual
operations performed by trusted software, if totally transparent
to the user, need not be auditable. If the total audit requirement
is met by the use of more than one audit log, a method
of correlation must be available.
CLASS (B1): LABELED SECURITY PROTECTION
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, and inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
CLASS (B2): STRUCTURED PROTECTION
There is no interpretation for the additional requirements.
CLASS (B3): SECURITY DOMAINS
There is no interpretation for the additional requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-5 SYSTEM ARCHITECTURE
IR-5.1GENERAL DISCUSSION
The system architecture requirements of the TCSEC apply to database
management systems. The interpretations provided are a duplication
of the general interpreted requirements that apply to an
evaluation by parts. They are included because DBMS evaluations
often involve multiple TCB subsets.
IR-5.2 SPECIFIC INTERPRETATIONS
CLASS (C1): DISCRETIONARY SECURITY PROTECTION
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
CLASS (C2): CONTROLLED ACCESS PROTECTION
There is no interpretation for the additional requirements.
CLASS (B1): LABELED SECURITY PROTECTION
There is no interpretation for the additional requirements.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
The user interface to the TCB shall be completely defined
and all elements of the TCB identified.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
the user interface to the whole TCB.
Statement from TCSEC
It shall make effective use of available hardware to
separate those elements that are protection-critical from
those that are not.
Interpretation
If the TCB is composed of multiple subsets, each TCB subset
must make use of facilities provided to it by more primitive
TCB subsets, such as support for execution domains and for distinct
address spaces, to achieve the required separation.
CLASS (B3): SECURITY DOMAINS
There is no interpretation for the additional requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-6 DESIGN SPECIFICATION AND VERIFICATION
IR-6.1 GENERAL DISCUSSION
The design specification and verification requirements of
the TCSEC, with the related documentation requirements, apply
to database management systems. The interpretations provided
include a duplication of general interpreted requirements that
apply to an evaluation by parts. They are included because
of the likelihood that a DBMS evaluation will involve multiple
TCB subsets.
In the database context, the set of candidates for
"subject" and "object" can be larger than
normally encountered in trusted operating systems. Where a database
system builds on an underlying trusted operating system, for
example, the set of candidate subjects for the two TCB
subsets includes both the active entities created by the operating
system and those active entities created by the trusted portion
of the DBMS. The set of candidates for objects is large.
Examples are files, segments, buffers, structures, pages, relations,
tables, tuples, rows, columns, elements, entities, relationships,
procedures, metadata, system tables, query trees, query plans,
locking mechanisms, rollback mechanisms, indices, recovery and
backupmechanisms, precalculated operations (such as joins),
view definitions, view instantiations, constraints, authorization
tables, data dictionary tables, and audit logs.
The requirements in the TCSEC for showing how the various representations
of the system being evaluated fit together can be represented
as in Figure IR-1. For monolithic TCBs, the policy must be stated;
the model must be developed, maintained, and shown to be sufficient
to enforce the policy; and the DTLS (FTLS for A1) must be constructed
and shown to correspond both to the model and to the TCB implementation.
These steps allow a chain of reasoning to proceed from the
stated policy to the assertion that the system in question
actually enforces the policy.
In the case of multiple TCB subsets, the intent is the same.
Tracing all policy requirements to
the actual system implementation must be possible, and vice versa.
The current dilemma is that the theory and techniques for subdividing
a model into a set of models (or a top level specification into
a set of top level specifications) have not yet been established.
Likewise neither theory or techniques have been established for
composing a set of models or top level specifications into
a unified model or top level specification. The absence
of rigorous methods does not preclude an evaluation using a
subsetted TCB.
The process of mapping policy to implementation is possible for
each TCB subset, using the same techniques required for a monolithic
TCB. For subsetted TCBs, designers and evaluators must explicitly
show how the policy, model and specifications for each TCB
subset meet the TCSEC requirements. In addition, convincing
informal arguments must be given to show how the collection
of TCB subsets enforces the policy of the composite TCB.
Because morerigorous composition methods are unavailable, convincing
informal arguments are appropriate for evaluation of TCBs up
to and including Class A1.
The TCSEC requirements concerning the mapping from policy to
implementation for a TCB composed of multiple TCB subsets raise
these crucial topics:
The allocation of policy to the TCB subsets,
The relation of the models for the TCB subsets to the overall
system policy, and
The relation of the top level specification for each
TCB subset to the entire system.
Allocation of policy to the TCB subsets is a precise division
of the policy for the entire system, as addressed in the
policy allocation condition of Section TC-4.3.
The second topic, above, requires that the policy for each
TCB subset be stated. Additionally, it is required that there
be an informal convincing argument that the collection of
models represents the policy enforced by the entire system.
The third topic, the way in which the set of top level specifications
for the individual TCB subsets describes the composite TCB interface
with respect to exceptions, errors and effects, is treated in
a similar fashion. The top level specifications for each
TCB subset must meet the requirement. There is, in addition,
a requirement for an informal, convincing description of how
the set of top level specifications describes the TCB interface
with respect to exceptions, errors, and effects. At the A1
level, there is no requirement for additional formal specification
or formal proofs beyond the specification and proofs specific
to the individual TCB subsets.
Rather than formally composing the policies, models, and specifications
and performing a single monolithic evaluation, a series of
separate evaluations may be performed (one for each TCB
subset). The evaluations are then tied together by presentation
of sufficient informal arguments that the individual policies
collectively represent the policy enforced by the entire system,
that the individual models collectively represent the
system's policy, that the individual specifications represent
the TCB interface, and that the source code of each TCB
subset is consistent with its top level specification.
Note that satisfactory completion of these requirements is
logically equivalent to demonstrating that a "unified"
model for the entire TCB is consistent with the policy enforced
by the system, that a "unified" top level specification
corresponds to the model, and that the "unified"
top level specification(s) corresponds to the source code.
These interpreted requirements, which do not mandate a
"unified" top level specification, are technically
achievable interpretations of the policy-tracing requirements
in the case of multiple TCB subsets.
IR-6.2 SPECIFIC INTERPRETATIONS
CLASS (B1): LABELED SECURITY PROTECTION
Statement from TCSEC
An informal or formal model of the security
policy supported by the TCB shall be maintained over the life
cycle of the ADP system and demonstrated to be consistent with
its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security policy
of each TCB subset. An informal argument that the set of
policy models represents the "security policy supported
by the [composite] TCB" must be provided.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
A formal model of the security policy supported by the
TCB shall be maintained over the life cycle of the ADP system
and demonstrated to be consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security policy
of each TCB subset. An informal argument that the set of
policy models represents the "security policy supported
by the [composite] TCB" must be provided.
Statement from TCSEC
A descriptive top-level specification (DTLS) of the TCB shall
be maintained that completely and accurately describes the
TCB in terms of exceptions, error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the DTLS of each TCB subset.
An informal argument that the set of DTLSs accurately describes
the TCB must be provided. If there is a multifaceted policy (e.g.,
both mandatory access control and discretionary access control
policies) in a particular TCB subset, then all facets must be
represented in the DTLS and in the TCB subset's model.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
CLASS (B3): SECURITY DOMAINS
Statement from TCSEC
A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to individual TCB subsets. Enforcement of all policies
must be shown to occur in all situations (e.g., state transitions)
required by the formal security policy model. In the case
of a discretionary access control policy, the presence of
the access control check at all identified state transitions
is the total of what is required for demonstrating consistency
between the DTLS and the model. This may be verified by
inspection of the DTLS (that is, by visually checking that
exception checks required by the model are present in the DTLS).
For the mandatory access control policy, the DTLS must be shown
by a convincing argument to be consistent with the model.
CLASS (A1): VERIFIED DESIGN
Statement from TCSEC
A formal top-level specification (FTLS) of the TCB shall be
maintained that accurately describes the TCB in terms of exceptions,
error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to the FTLS of each TCB subset. An informal argument
that the set of FTLSs accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both mandatory access
control and discretionary access control policies) in a
particular TCB subset, then all facets must be represented in
the FTLS and in the TCB subset's model.
Statement from TCSEC
The FTLS shall be shown to be an accurate description of the
TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
. . . a combination of formal and informal techniques shall
be used to show that the FTLS is consistent with the model.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB subsets.
Enforcement of all policies must be shown to occur in all
situations (e.g., state transitions) required by the formal
security policy model at the required occasions. In the case
of a discretionary access control policy, the presence
of the access control check at all identified state transitions
is the total of what is required for demonstrating consistency
between the FTLS and the model. This may be verified by inspection
of the FTLS (that is, by visually checking that exception checks
required by the model are present in the FTLS). For the
mandatory access control policy, the FTLS must be shown by
a combination of formal and informal techniques to be consistent
with the model.
IR-7 DESIGN DOCUMENTATION
IR-7.1 GENERAL DISCUSSION
The design documentation requirement of the
TCSEC applies to database management systems.
The interpretations provided are a duplication of
the general interpreted requirements that apply to an evaluation
by parts. They are included because DBMS evaluations
often involve multiple TCB subsets.
IR-7.2 SPECIFIC INTERPRETATIONS
CLASS (C1): DISCRETIONARY SECURITY PROTECTION
Statement from TCSEC
If the TCB is composed of distinct modules, the interfaces
between these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION
There are no additional requirements.
CLASS (B1): LABELED SECURITY PROTECTIONStatement from TCSEC
The specific TCB protection mechanisms shall be identified and
an explanation given to show that they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and shall include the protection
mechanisms which support the conditions for TCB subset
structure and separate subset-domains.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
The interfaces between the TCB modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between different
TCB subsets.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB implements the
reference monitor concept and give an explanation of why it
is tamper resistant, cannot be bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to each TCB subset with respect to
its specific technical policy. In addition, there must be
documented an informal argument that the cooperative action
of the TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is structured to facilitate
testing and to enforce least privilege.
Interpretation
If the TCB is composed of multiple subsets, this requirement
is interpreted to apply to individual TCB subsets as well as
to the overall TCB.
CLASS (B3): SECURITY DOMAINS
Statement from TCSEC
The TCB implementation shall be informally shown to be consistent
with the DTLS.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to individual TCB subsets.
CLASS (A1): VERIFIED DESIGN
Statement from TCSEC
The TCB implementation shall be informally shown to be consistent
with the FTLS.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to individual TCB subsets.
SUMMARY OF THE INTERPRETATIONS BY CLASS Appendix A
This section is a presentation of all the interpreted requirements
organized by TCSEC class. It includes all the requirements which
are either relevant to subsetted architectures or are DBMS-specific.
Any TCSEC requirements not explicitly identified herein apply
as stated in the TCSEC.
CLASS (C1): DISCRETIONARY SECURITY PROTECTION
C1-1 SECURITY POLICY
C1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
C1-2 ACCOUNTABILITY
C1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Each TCB subset may maintain its own identification
and authentication data or one central repository may be maintained.
If each TCB subset has its own data, then the information
for each individual user must be consistent among all subsets.
C1-3 ASSURANCE
C1-3.1 OPERATIONAL ASSURANCE
C1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the TCSEC to every
TCB subset, with the following additional interpretations.
The TCB must provide domains for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains forexecution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
C1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
C1-3.2 LIFE CYCLE ASSURANCE
C1-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB. Otherwise, security testing of the entire TCB
must be performed (even if the results of testing the
individual TCB subsets were available).
C1-4 DOCUMENTATION
C1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
C1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed.
The means for correlating multiple audit logs and synonymous
user identifications from multiple TCB subsets (if such exist)
shall also be addressed. The trusted facility manual shall
describe the composite TCB so that the interactions among
the TCB subsets can be readily determined. Other manuals may
be referenced in this determination. The manuals that address
the distinct modules of the TCB and the generation of the
TCB need to be integrated with the other trusted facility manuals
only to the extent that they are affected by the use and operation
(versus the development) of the composite TCB.
C1-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
C1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
Statement from TCSEC
If the TCB is composed of distinct modules, the interfaces
between these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION
C2-1 SECURITY POLICY
C2-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
C2-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB.
C2-2 ACCOUNTABILITY
C2-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Each TCB subset may maintain its own identification
and authentication data or one central repository may be maintained.
If each TCB subset has its own data, then the information
for each individual user must be consistent among all subsets.
C2-2.2 AUDIT
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
A TCB subset may maintain its own security audit log, distinct
from that maintained by more primitive TCB subsets, or it
may use an audit interface provided by a different TCB subset
allowing the audit records it generates to be processed
by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or later.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of access to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by users (e.g., updates,
retrievals, and inserts), not just the invocation of the database
management system. The auditing mechanism shall have the capability
of auditing all mediated accesses which are visible to users.
That is, each discretionary access control policy decision
shall be auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not be auditable.
If the total audit requirement is met by the use of more
than one audit log, a method of correlation must be available.
C2-3 ASSURANCE
C2-3.1 OPERATIONAL ASSURANCE
C2-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the TCSEC to every
TCB subset, with the following additional interpretations.
The TCB must provide domains for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains for execution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
C2-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
C2-3.2 LIFE CYCLE ASSURANCE
C2-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB. Otherwise, security testing of the entire TCB
must be performed (even if the results of testing the
individual TCB subsets were available).
C2-4 DOCUMENTATION
C2-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
C2-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed.
The means for correlating multiple audit logs and synonymous
user identifications from multiple TCB subsets (if such exist)
shall also be addressed.
The trusted facility manual shall describe the composite TCB
so that the interactions among the TCB subsets can be readily
determined. Other manuals may be referenced in this determination.
The manuals that address the distinct modules of the TCB
and the generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that they are
affected by the use and operation (versus the development) of
the composite TCB.
C2-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
C2-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
Statement from TCSEC
If the TCB is composed of distinct modules, the interface between
these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
CLASS (B1): LABELED SECURITY PROTECTION SECURITY POLICY
B1-1 SECURITY POLICY
B1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
B1-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB.
B1-1.3 LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B1-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B1-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B1-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B1-2 ACCOUNTABILITY
B1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement. If the TCB is composed
of TCB subsets, one TCB subset may either rely on a mechanism
in another TCB subset to provide identification and authentication
services or provide the services directly. Similarly, that TCB
subset may rely on a mechanism in another more primitive TCB subset
to ensure that the security level of subjects external to the
TCB that may be created to act on behalf of the individual user
are dominated by the clearance and authorization of that user.
Each TCB subset may maintain its own identification
and authentication data or one central repository may be maintained.
If each TCB subset has its own data, then the information
for each individual user must be consistent among all subsets.
B1-2.2 AUDIT
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
A TCB subset may maintain its own security audit log, distinct
from that maintained by more primitive TCB subsets, or it
may use an audit interface provided by a different TCB subset
allowing the audit records it generates to be processed
by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or later.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of access to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted users
(e.g., updates, retrievals, and inserts), not just the invocation
of the database management system. The auditing mechanism shall
have the capability of auditing all mediated accesses which
are visible to users. That is, each discretionary access
control policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted users (e.g.,
updates, retrievals, and inserts), not just the invocation
of the database management system. The auditing mechanism shall
have the capability of auditing all mediated accesses which
are visible to the user. That is, each discretionary access
control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
B1-3 ASSURANCE
B1-3.1 OPERATIONAL ASSURANCE
B1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the TCSEC to every
TCB subset, with the following additional interpretations.
The TCB must provide domains for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains for execution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Similarly, the TCB must provide distinct address spaces
for untrusted processes. A most primitive TCB subset
must provide distinct address spaces for its subjects. A
less primitive TCB subset must make use of the distinct address
space provided by a more primitive TCB subset. A less primitive
TCB subset may provide more fine-grained distinct address spaces,
but is not required to do so.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
B1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
B1-3.2 LIFE CYCLE ASSURANCE
B1-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB. Otherwise, security testing of the entire TCB
must be performed (even if the results of testing the
individual TCB subsets were available).
B1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the TCSEC to every TCB
subset, with the following specific additional interpretations.
It must be demonstrated that the security policy enforced
by the composite TCB is represented by the collection of policy
models for the individual TCB subsets.
Statement from TCSEC
An informal or formal model of the security policy supported
by the TCB shall be maintained over the life cycle of the ADP
system and demonstrated to be consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB subsets, this
requirement applies to the security policy of each TCB subset.
An informal argument that the set of policy models represents
the "security policy supported by the [composite] TCB"
must be provided.
B1-4 DOCUMENTATION
B1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed.
The means for correlating multiple audit logs and synonymous
user identifications from multiple TCB subsets (if such exist)
shall also be addressed.
The trusted facility manual shall describe the composite TCB
so that the interactions among the TCB subsets can be readily
determined. Other manuals may be referenced in this determination.
The manuals that address the distinct modules of the TCB
and the generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that they are
affected by the use and operation (versus the development) of
the composite TCB.
B1-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
B1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB, with the following specific additional interpretation:
Requirements concerning models and DTLSs apply to individual
TCB subsets.
Statement from TCSEC
If the TCB is composed of distinct modules, the interface between
these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall be identified and
an explanation given to show that they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and shall include the protection
mechanisms which support the conditions for TCB subset structure
and separatesubset-domains.
CLASS (B2): STRUCTURED PROTECTION
B2-1 SECURITY POLICY
B2-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
B2-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB.
B2-1.3 LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP system resource
. . . that is directly or indirectly accessible by subjects
external to the TCB shall be maintained by the TCB
Interpretation
Internal TCB variables that are not visible to untrusted subjects
need not be labeled, provided that they are not directly or
indirectly accessible by subjects external to the TCB. However,
it is important to understand that such internal variables can
function as covert signaling channels when untrusted subjects
are able to detect changes in these variables by observing
system behavior.
B2-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B2-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B2-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
B2-1.3.4 DEVICE LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects and has attached physical or virtual
devices. Any TCB subset whose policy does not include such
mandatory access control or has no attached physical or virtual
devices is exempt from this requirement. This requirement
can be satisifed by the cooperative action of more than one TCB
subset.
B2-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B2-2 ACCOUNTABILITY
B2-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to ensure that the security
level of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by the clearance
and authorization of that user. Each TCB subset may maintain
its own identification and authentication data or one
central repository may be maintained. If each TCB subset has
its own data, then the information for each individual user
must be consistent among all subsets.
B2-2.1.1 TRUSTED PATH
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement. When TCB subsets
are used, the requirement for trusted path at levels B2
and above remains applicable to the entire TCB. The implementation
of trusted path could be localized in a single TCB subset. Alternatively,
it could be implemented in more than one TCB subset if the
separate implementations together comply with the system security
policy.
B2-2.2 AUDIT
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
A TCB subset may maintain its own security audit log, distinct
from that maintained by more primitive TCB subsets, or it
may use an audit interface provided by a different TCB subset
allowing the audit records it generates to be processed
by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or later.
Any TCB subset wherein events may occur that require notification
of the security administrator shall be able to:
(1) detect the occurrence of these events,
(2) initiate the recording of the audit trail entry, and
(3) initiate the notification of the security administrator.
The ability to terminate events (2) and (3) above may be
provided either in the TCB subset within which they occur,
or in the TCB subset(s) where actions that lead to the event
were initiated.
The monitoring and notification requirements may require cooperation
between multiple distinct TCB subsets or multiple instantiations
of the same TCB subset. For example, to detect the accumulation
of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the same user. As another example, there may be a single
TCB subset that collects events from a number of other TCB
subset instantiations and, based on its analysis of them, notifies
the security administrator.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted users (e.g.,
updates, retrievals, and inserts), not just the invocation
of the database management system. The auditing mechanism shall
have the capability of auditing all mediated accesses which
are visible to the user. That is, each discretionary access
control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
B2-3 ASSURANCE
B2-3.1 OPERATIONAL ASSURANCE
B2-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the TCSEC to every TCB
subset, with the following additional interpretations.
The TCB must provide domains for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains for execution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Similarly, the TCB must provide distinct address spaces
for untrusted processes. A most primitive TCB subset
must provide distinct address spaces for its subjects. A
less primitive TCB subset must make use of the distinct address
space provided by a more primitive TCB subset. A less primitive
TCB subset may provide more fine-grained distinct address spaces,
but is not required to do so.
In general, requirements specifically referring to hardware
or firmware apply only to TCB subsets that include hardware
or firmware. The exception is the requirement that
the TCB make effective use of available hardware. This requirement
applies to those TCB subsets that use resources provided
by more primitive TCB subsets in lieu of hardware. Those
TCB subsets are required to make effective use of the
protection-relevant features exported to it by the more primitive
TCB subsets (e.g., execution domains, support for distinct address
spaces) to separate those elements that are protection-critical
from those that are not.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be completely defined
and all elements of the TCB identified.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
the user interface to the whole TCB.
Statement from TCSEC
It shall make effective use of available hardware to
separate those elements that are protection-critical from
those that are not.
Interpretation
If the TCB is composed of multiple subsets, each TCB subset
must make use of facilities provided to it by more primitive
TCB subsets, such as support for execution domains and for distinct
address spaces, to achieve the required separation.
B2-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
B2-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the TCSEC to the entire
TCB. When the TCB is made up entirely of TCB subsets
meeting the conditions for evaluation by parts, analysis of
the individual TCB subsets satisfies this requirement. Otherwise,
covert channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the individual
TCB subsets were available).
B2-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the TCSEC to the
entire TCB. Any "operator" or "administrator"
functions intrinsic to an individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
B2-3.2 LIFE CYCLE ASSURANCE
B2-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB. Otherwise, security testing of the entire TCB
must be performed (even if the results of testing the
individual TCB subsets were available).
B2-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the TCSEC to every TCB
subset, with the following specific additional interpretations.
It must be demonstrated that the security policy enforced
by the composite TCB is represented by the collection of
policy models for the individual TCB subsets.
The argument that the descriptive top level specification (DTLS)
is consistent with the TCB interface applies to the entire
TCB. There is required an explicit and convincing description
of how the set of top level specifications (one for each TCB
subset) describes the TCB interface in terms of exceptions,
errors, and effects.
Statement from TCSEC
A formal model of the security policy supported by the
TCB shall be maintained over the life cycle of the ADP system
and demonstrated to be consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB subsets, this
requirement applies to the security policy of each TCB subset.
An informal argument that the set of policy models represents
the "security policy supported by the [composite] TCB"
must be provided.
Statement from TCSEC
A descriptive top-level specification (DTLS) of the TCB shall
be maintained that completely and accurately describes the
TCB in terms of exceptions, error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to the DTLS of each TCB subset. An informal argument
that the set of DTLSs accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both mandatory access
control and discretionary access control policies) in a
particular TCB subset, then all facets must be represented in
the DTLS and in the TCB subset's model.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
B2-3.2.3 Configuration Management
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB, with the following additional interpretation.
Because subsets of the TCB may be developed independently,
a single configuration management system may not be feasible.
However, the combination of configuration management systems
used to support all the TCB subsets must meet all the stated
requirements. The information describing the interrelations
between separate TCB subsets and separate security policy
models falls into the category of "all documentation and
code associated with the current version of the TCB"
in the TCSEC requirements.
B2-4 DOCUMENTATION
B2-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B2-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed. The means for correlating
multiple audit logs and synonymous user identifications from
multiple TCB subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe the composite TCB
so that the interactions among the TCB subsets can be readily
determined. Other manuals may be referenced in this determination.
The manuals that address the distinct modules of the TCB
and the generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that they are
affected by the use and operation (versus the development) of
the composite TCB.
The TCB modules that contain the reference validation mechanism
must be associated with the TCB subset to which they belong.
The procedure for generating a new TCB after modifying
only one (or several) TCB subsets must be described. This
may be accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the affected
TCB subsets.
B2-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
B2-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB, with the following specific addditional interpretations.
Requirements concerning models and DTLSs apply to individual
TCB subsets. The requirement concerning the description of interfaces
between modules of the TCB includes the interfaces between
TCB subsets. The documentation of the implementation of a reference
validation mechanism must include justification for
meeting the conditions for evaluation by parts.
Statement from TCSEC
The interfaces between the TCB modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall be identified and
an explanation given to show that they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and shall include the protection
mechanisms which support the conditions for TCB subset structure
and separate subset-domains.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB implements the
reference monitor concept and give an explanation of why it
is tamper resistant, cannot be bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to each TCB subset with respect to
its specific technical policy. In addition, there must be
documented an informal argument that the cooperative action
of the TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is structured to facilitate
testing and to enforce least privilege.
Interpretation
If the TCB is composed of multiple subsets, this requirement
is interpreted to apply to individual TCB subsets as well as
to the overall TCB.
CLASS (B3): SECURITY DOMAINS
B3-1 SECURITY POLICY
B3-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
B3-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB.
B3-1.3 LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP system resource
. . . that is directly or indirectly accessible by subjects
external to the TCB shall be maintained by the TCB
Interpretation
Internal TCB variables that are not visible to untrusted subjects
need not be labeled, provided that they are not directly or
indirectly accessible by subjects external to the TCB. However,
it is important to understand that such internal variables can
function as covert signaling channels when untrusted subjects
are able to detect changes in these variables by observing
system behavior.
B3-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B3-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B3-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
B3-1.3.4 DEVICE LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects and has attached physical or virtual
devices. Any TCB subset whose policy does not include such
mandatory access control or has no attached physical or virtual
devices is exempt from this requirement. This requirement
can be satisifed by the cooperative action of more than one TCB
subset.
B3-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
B3-2 ACCOUNTABILITY
B3-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to ensure that the security
level of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by the clearance
and authorization of that user. Each TCB subset may maintain
its own identification and authentication data or one
central repository may be maintained. If each TCB subset has
its own data, then the information for each individual user
must be consistent among all subsets.
B3-2.1.1 TRUSTED PATH
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
When TCB subsets are used, the requirement for trusted path
at levels B2 and above remains applicable to the entire
TCB. The need for trusted path "when positive TCB-to-user
connection is required (e.g., login, change subject security
level)" can require user interaction with virtually any
TCB subset within the TCB. The implementation of trusted
path could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one TCB subset
if the separate implementations together comply with the system
security policy.
B3-2.2 AUDIT
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement. A TCB subset may
maintain its own security audit log, distinct from that
maintained by more primitive TCB subsets, or it may use an audit
interface provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or at some later time.
Any TCB subset wherein events may occur that require notification
of the security administrator shall be able to: (1) detect
the occurrence of these events, (2) initiate the recording of
the audit trail entry, and (3) initiate the notification
of the security administrator The ability to terminate events
(2) and (3) above may be provided either in the TCB subset within
which they occur, or in the TCB subset(s) where actions
that lead to the event were initiated. The monitoring and
notification requirements may require cooperation between multiple
distinct TCB subsets or multiple instantiations of the same
TCB subset. For example, to detect the accumulation of events
for a single user it may be necessary to collect events from several
subjects in distinct processes that are surrogates for the same
user. As another example, there may be a single TCB subset
that collects events from a number of other TCB subset instantiations
and, based on its analysis of them, notifies the security administrator.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be audited. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, and inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
B3-3 ASSURANCE
B3-3.1 OPERATIONAL ASSURANCE 1
B3-3.1.1 System Architecture
This requirement applies as stated in the TCSEC to every
TCB subset, with the following additional interpretations.
The TCB must provide domains for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains for execution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Similarly, the TCB must provide distinct address spaces
for untrusted processes. A most primitive TCB subset
must provide distinct address spaces for its subjects. A
less primitive TCB subset must make use of the distinct address
space provided by a more primitive TCB subset. A less primitive
TCB subset may provide more fine-grained distinct address spaces,
but is not required to do so.
In general, requirements specifically referring to hardware
or firmware apply only to TCB subsets that include hardware
or firmware. However, the requirement that the TCB make
effective use of hardware requires that a less primitive TCB
subset make effective use of the protection-relevant features
exported to it by the more primitive TCB subsets (e.g., execution
domains, support for distinct address spaces) to separate those
elements that are protection-critical from those that are not.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be completely defined
and all elements of the TCB identified.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
the user interface to the whole TCB.
Statement from TCSEC
It shall make effective use of available hardware to
separate those elements that are protection-critical from
those that are not.
Interpretation
If the TCB is composed of multiple subsets, each TCB subset
must make use of facilities provided to it by more primitive
TCB subsets, such as support for execution domains and for distinct
address spaces, to achieve the required separation.
B3-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
B3-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the TCSEC to the entire
TCB. When the TCB is made up entirely of TCB subsets
meeting the conditions for evaluation by parts, analysis of
the individual TCB subsets satisfies this requirement. Otherwise,
covert channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the individual
TCB subsets were available).
B3-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the TCSEC to the
entire TCB. Any "operator" or "administrator"
functions intrinsic to an individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
B3-3.1.5 TRUSTED RECOVERY
This requirement applies as stated in the TCSEC to the entire
TCB and to the individual TCB subsets. The cooperative recovery
actions of the TCB subsets making up the TCB must provide trusted
recovery for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the individual
TCB subsets meet the trusted recovery requirements).
B3-3.2 LIFE CYCLE ASSURANCE
B3-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB.
Otherwise, security testing of the entire TCB must be performed
(even if the results of testing the individual TCB subsets
were available).
B3-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the TCSEC to every TCB
subset, with the following specific additional interpretations.
It must be demonstrated that the security policy enforced
by the composite TCB is represented by the collection of policy
models for the individual TCB subsets.
The argument that the descriptive top level specification (DTLS)
is consistent with the TCB interface applies to the entire
TCB. There is required an explicit and convincing description
of how the set of top level specifications (one for each TCB
subset) describes the TCB interface in terms of exceptions,
errors, and effects.
Statement from TCSEC
A formal model of the security policy supported by the
TCB shall be maintained over the life cycle of the ADP system
and demonstrated to be consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB subsets, this
requirement applies to the security policy of each TCB subset.
An informal argument that the set of policy models represents
the "security policy supported by the [composite] TCB"
must be provided.
Statement from TCSEC
A descriptive top-level specification (DTLS) of the TCB shall
be maintained that completely and accurately describes the
TCB in terms of exceptions, error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to the DTLS of each TCB subset. An informal argument
that the set of DTLSs accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both mandatory access
control and discretionary access control policies) in a
particular TCB subset, then all facets must be represented in
the DTLS and in the TCB subset's model.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to individual TCB subsets. Enforcement of all policies
must be shown to occur in all situations (e.g., state transitions)
required by the formal security policy model. In the case
of a discretionary access control policy, the presence of
the access control check at all identified state transitions
is the total of what is required for demonstrating consistency
between the DTLS and the model. This may be verified by
inspection of the DTLS (that is, by visually checking that
exception checks required by the model are present in the DTLS).
For the mandatory access control policy, the DTLS must be shown
by a convincing argument to be consistent with the model.
B3-3.2.3 CONFIGURATION MANAGEMENT
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB, with the following additional interpretation.
Because subsets of the TCB may be developed independently, a
single configuration management system may not be feasible.
However, the combination of configuration management systems
used to support all the TCB subsets must meet all the stated
requirements. The information describing the interrelations
between separate TCB subsets and separate security policy
models falls into the category of "all documentation and
code associated with the current version of the TCB"
in the TCSEC requirements.
B3-4 DOCUMENTATION
B3-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B3-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed.
The means for correlating multiple audit logs and synonymous
user identifications from multiple TCB subsets (if such exist)
shall also be addressed.
The trusted facility manual shall describe the composite TCB
so that the interactions among the TCB subsets can be readily
determined. Other manuals may be referenced in this determination.
The manuals that address the distinct modules of the TCB
and the generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that they are
affected by the use and operation (versus the development) of
the composite TCB.
The TCB modules that contain the reference validation mechanism
must be associated with the TCB subset to which they belong.
The procedure for generating a new TCB after modifying
only one (or several) TCB subsets must be described. This
may be accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the affected
TCB subsets.
B3-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
B3-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the
composite TCB, with the following addtional specific interpretations
Requirements concerning models and DTLSs apply to individual
TCB subsets. The requirement concerning the description of interfaces
between modules of the TCB includes the interfaces between
TCB subsets. The documentation of the implementation of a reference
validation mechanism must include justification for
meeting the conditions for evaluation by parts.
Statement from TCSEC
The interfaces between the TCB modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall be identified and
an explanation given to show that they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and shall include the protection
mechanisms which support the conditions for TCB subset
structure and separate subset-domains.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB implements the
reference monitor concept and give an explanation of why it
is tamper resistant, cannot be bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB subsets, this
requirement is interpreted to apply to each TCB subset with
respect to its specific technical policy. In addition, there
must be documented an informal argument that the cooperative
action of the TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is structured to facilitate
testing and to enforce least privilege.
Interpretation
If the TCB is composed of multiple subsets, this requirement
is interpreted to apply to individual TCB subsets as well as
to the overall TCB.
Statement from TCSEC
The TCB implementation shall be informally shown to be consistent
with the DTLS.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to individual TCB subsets.
CLASS (A1): VERIFIED DESIGN
A1-1 SECURITY POLICY
A1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements apply as stated
in the TCSEC to every TCB subset whose policy includes discretionary
access control of its subjects to its objects. Any TCB subset
whose policy does not include such discretionary access control
is exempt from this requirement.
A1-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB.
A1-1.3 LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP system resource
. . . that is directly or indirectly accessible by subjects
external to the TCB shall be maintained by the TCB
Interpretation
Internal TCB variables that are not visible to untrusted subjects
need not be labeled, provided that they are not directly or
indirectly accessible by subjects external to the TCB. However,
it is important to understand that such internal variables can
function as covert signaling channels when untrusted subjects
are able to detect changes in these variables by observing
system behavior.
A1-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
A1-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
A1-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
A1-1.3.4 DEVICE LABELS
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects and has attached physical or virtual
devices. Any TCB subset whose policy does not include such
mandatory access control or has no attached physical or virtual
devices is exempt from this requirement. This requirement
can be satisifed by the cooperative action of more than one TCB
subset.
A1-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the TCSEC to every
TCB subset whose policy includes mandatory access control
of its subjects to its objects. Any TCB subset whose policy
does not include such mandatory access control is exempt
from this requirement.
A1-2 ACCOUNTABILITY
A1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
If the TCB is composed of TCB subsets, one TCB subset may
either rely on a mechanism in another TCB subset to provide
identification and authentication services or provide the services
directly. Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to ensure that the security
level of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by the clearance
and authorization of that user. Each TCB subset may maintain
its own identification and authentication data or one
central repository may be maintained. If each TCB subset has
its own data, then the information for each individual user
must be consistent among all subsets.
A1-2.1.1 TRUSTED PATH
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement.
When TCB subsets are used, the requirement for trusted path
at levels B2 and above remains applicable to the entire
TCB. The need for trusted path "when positive TCB-to-user
connection is required (e.g., login, change subject security
level)" can require user interaction with virtually any
TCB subset within the TCB. The implementation of trusted
path could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one TCB subset
if the separate implementations together comply with the system
security policy.
A1-2.2 AUDIT
This requirement applies as stated in the TCSEC to the entire
TCB. The cooperative action of the TCB subsets making up
the TCB must satisfy the requirement. A TCB subset may
maintain its own security audit log, distinct from that
maintained by more primitive TCB subsets, or it may use an audit
interface provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB subset.
If the TCB subset uses different user identifications
than a more primitive TCB subset, there shall be a means to associate
audit records generated by different TCB subsets for the same
individual with each other, either at the time they are generated
or at some later time.
Any TCB subset wherein events may occur that require notification
of the security administrator shall be able to: (1) detect
the occurrence of these events, (2) initiate the recording of
the audit trail entry, and (3) initiate the notification
of the security administrator. The ability to terminate
events (2) and (3) above may be provided either in the TCB subset
within which they occur, or in the TCB subset(s) where actions
that lead to the event were initiated.
The monitoring and notification requirements may require cooperation
between multiple distinct TCB subsets or multiple instantiations
of the same TCB subset. For example, to detect the accumulation
of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the same user. As another example, there may be a single
TCB subset that collects events from a number of other TCB
subset instantiations and, based on its analysis of them, notifies
the security administrator.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be audited. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain, and protect from
modification . . . an audit trail of accesses to the objects
it protects.
Interpretation
Auditable events, in the case of a database management system,
are the individual operations initiated by untrusted
users (e.g., updates, retrievals, and inserts), not just
the invocation of the database management system. The auditing
mechanism shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each discretionary
access control policy decision and each mandatory access control
policy decision shall be auditable. Individual operations
performed by trusted software, if totally transparent to the
user, need not be auditable. If the total audit requirement is
met by the use of more than one audit log, a method of
correlation must be available.
A1-3 ASSURANCE
A1-3.1 OPERATIONAL ASSURANCE
A1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the TCSEC to every
TCB subset, with the following additional interpretations.The
TCB must provide domains for execution that are allocated to
and used by TCB subsets according to the subset-domain condition
for evaluation by parts. A most primitive TCB subset must provide
domains for execution. A less primitive TCB subset must make
use of domains provided by a more primitive TCB subset. A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Similarly, the TCB must provide distinct address spaces
for untrusted processes. A most primitive TCB subset
must provide distinct address spaces for its subjects. A
less primitive TCB subset must make use of the distinct address
space provided by a more primitive TCB subset. A less primitive
TCB subset may provide more fine-grained distinct address spaces,
but is not required to do so. In general, requirements
specifically referring to hardware or firmware apply only
to TCB subsets that include hardware or firmware. However,
the requirement that the TCB make effective use of hardware
requires that a less primitive TCB subset make effective use
of the protection-relevant features exported to it by the
more primitive TCB subsets (e.g., execution domains, support for
distinct address spaces) to separate those elements that are protection-critical
from those that are not.
Statement from TCSEC
The TCB shall maintain a domain for its own execution that
protects it from external interference or tampering.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be completely defined
and all elements of the TCB identified.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
the user interface to the whole TCB.
Statement from TCSEC
It shall make effective use of available hardware to
separate those elements that are protection-critical from
those that are not.
Interpretation
If the TCB is composed of multiple subsets, each TCB subset
must make use of facilities provided to it by more primitive
TCB subsets, such as support for execution domains and for distinct
address spaces, to achieve the required separation.
A1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the TCSEC to every
TCB subset that includes hardware or firmware. Any TCB
subset that does not include hardware or firmware is exempt
from this requirement.
A1-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the TCSEC to the entire
TCB. When the TCB is made up entirely of TCB subsets meeting
the conditions for evaluation by parts, analysis of the individual
TCB subsets satisfies this requirement. Otherwise, covert channel
analysis of the entire TCB must be performed (even if the results
of covert channel analysis of the individual TCB subsets were
available).
A1-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the TCSEC to the
entire TCB. Any "operator" or "administrator"
functions intrinsic to an individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
A1-3.1.5 TRUSTED RECOVERY
This requirement applies as stated in the TCSEC to the entire
TCB and to the individual TCB subsets. The cooperative recovery
actions of the TCB subsets making up the TCB must provide trusted
recovery for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the individual
TCB subsets meet the trusted recovery requirements).
A1-3.2 LIFE CYCLE ASSURANCE
A1-3.2.1 SECURITY TESTING
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies the requirement for the
entire TCB.
Otherwise, security testing of the entire TCB must be performed
(even if the results of testing the individual TCB subsets
were available).
A1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the TCSEC to every TCB
subset, with the following specific additional interpretations.
It must be demonstrated that the security policy enforced
by the composite TCB is represented by the collection of policy
models for the individual TCB subsets.
The argument that the descriptive top level specification (DTLS)
and formal top level specification (FTLS) are consistent with
the TCB interface applies to the entire TCB. There is required
an explicit and convincing description of how the set of
top level specifications (one for each TCB subset) describes
the TCB interface in terms of exceptions, errors, and effects.
Statement from TCSEC
A formal model of the security policy supported by the
TCB shall be maintained over the life cycle of the ADP system
and demonstrated to be consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB subsets, this
requirement applies to the security policy of each TCB subset.
An informal argument that the set of policy models represents
the "security policy supported by the [composite] TCB"
must be provided.
Statement from TCSEC
A descriptive top-level specification (DTLS) of the TCB shall
be maintained that completely and accurately describes the
TCB in terms of exceptions, error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to the DTLS of each TCB subset. An informal argument
that the set of DTLSs accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both mandatory access
control and discretionary access control policies) in a
particular TCB subset, then all facets must be represented in
the DTLS and in the TCB subset's model.
Statement from TCSEC
A formal top-level specification (FTLS) of the TCB shall be
maintained that accurately describes the TCB in terms of exceptions,
error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to the FTLS of each TCB subset. An informal argument
that the set of FTLSs accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both mandatory access
control and discretionary access control policies) in a
particular TCB subset, then all facets must be represented in
the FTLS and in the TCB subset's model.
Statement from TCSEC
The FTLS shall be shown to be an accurate description of the
TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to individual TCB subsets. Enforcement of all policies
must be shown to occur in all situations (e.g., state transitions)
required by the formal security policy model. In the case
of a discretionary access control policy, the presence of
the access control check at all identified state transitions
is the total of what is required for demonstrating consistency
between the DTLS and the model. This may be verified by
inspection of the DTLS (that is, by visually checking that
exception checks required by the model are present in the DTLS).
For the mandatory access control policy, the DTLS must be shown
by a convincing argument to be consistent with the model.
Statement from TCSEC
. . . a combination of formal and informal techniques shall
be used to show that the FTLS is consistent with the model.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
applies to individual TCB subsets. Enforcement of all policies
must be shown to occur in all situations (e.g., state transitions)
required by the formal security policy model at the required
occasions. In the case of a discretionary access control
policy, the presence of the access control check at all
identified state transitions is the total of what is required
for demonstrating consistency between the FTLS and the model.
This may be verified by inspection of the FTLS (that is,
by visually checking that exception checks required by the model
are present in the FTLS). For the mandatory access control
policy, the FTLS must be shown by a combination of formal
and informal techniques to be consistent with the model.
A1-3.2.3 CONFIGURATION MANAGEMENT
This requirement applies as stated in the TCSEC to every
TCB subset in the TCB, with the following additional interpretation.
Because subsets of the TCB may be developed independently, a
single configuration management system may not be feasible.
However, the combination of configuration management systems
used to support all the TCB subsets must meet all the stated
requirements. The information describing the interrelations
between separate TCB subsets and separate security policy
models falls into the category of "all documentation and
code associated with the current version of the TCB"
in the TCSEC requirements.
A1-3.2.4 TRUSTED DISTRIBUTION
This requirement applies as stated in the TCSEC to the entire
TCB. It can be met by satisfying the requirements for each
TCB subset if procedures exist for assuring that all TCB subsets
upon which a particular TCB subset depends (that is, the
more primitive TCB subsets) are exactly the same version as
specified for the TCB subset in question.
A1-4 DOCUMENTATION
A1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the TCSEC to every TCB
subset in the TCB. This collection of guides must include descriptions
of every TCB subset in the TCB and explicit cross-references
to other related user's guides to other TCB subsets,
as required. In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
A1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the TCSEC to the TCB
and to every TCB subset in the TCB. This requirement can be
met by providing a set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions and privileges
to be controlled for the associated TCB subset. Additionally,
it must clearly show the interfaces to, and the interaction
with, more primitive TCB subsets. The manual for each TCB
subset shall identify the functions and privileges of the
TCB subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if any,
configuration options of the more primitive TCB subsets are
to be used for the composite TCB to operate securely.
Any pre-defined roles supported (e.g., database administrator)
by the TCB subset shall be addressed. The means for correlating
multiple audit logs and synonymous user identifications from
multiple TCB subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe the composite TCB
so that the interactions among the TCB subsets can be readily
determined. Other manuals may be referenced in this determination.
The manuals that address the distinct modules of the TCB
and the generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that they are
affected by the use and operation (versus the development) of
the composite TCB.
The TCB modules that contain the reference validation mechanism
must be associated with the TCB subset to which they belong.
The procedure for generating a new TCB after modifying
only one (or several) TCB subsets must be described. This
may be accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the affected
TCB subsets.
A1-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB.
A1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the composite
TCB, with the following specific additional interpretations:
Requirements concerning models, FTLS and DTLS, apply to individual
TCB subsets.
The requirement concerning the description of interfaces between
modules of the TCB includes the interfaces between TCB subsets.
The documentation of the implementation of a reference validation
mechanism must include justification for meeting the
conditions for evaluation by parts.
The A1 requirement to describe clearly non-FTLS internals
of the TCB applies to TCB subsets.
Statement from TCSEC
The interfaces between the TCB modules shall be described.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and the interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall be identified and
an explanation given to show that they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to each TCB subset and shall include the protection
mechanisms which support the conditions for TCB subset
structure and separate subset-domains.
Statement from TCSEC
The descriptive top-level specification (DTLS) shall be
shown to be an accurate description of the TCB interface.
Interpretation
If the TCB is composed of multiple subsets, this requirement
applies to the interface between the TCB subsets as well as
to the user interface of the composite TCB. The TCB interface
description shall include an explanation of how to describe the
total TCB accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB implements the
reference monitor concept and give an explanation of why it
is tamper resistant, cannot be bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to each TCB subset with respect to
its specific technical policy. In addition, there must be
documented an informal argument that the cooperative action
of the TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
The TCB implementation shall be informally shown to be consistent
with the DTLS.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to individual TCB subsets.
Statement from TCSEC
The TCB implementation shall be informally shown to be consistent
with the FTLS.
Interpretation
If the TCB is composed of multiple TCB subsets, this requirement
is interpreted to apply to individual TCB subsets.
Statement from TCSEC
Documentation shall describe how the TCB is structured to facilitate
testing and to enforce least privilege.
Interpretation
If the TCB is composed of multiple subsets, this requirement
is interpreted to apply to individual TCB subsets as well as
to the overall TCB.
APPENDIX B
GENERAL ITEMS
1. PERSPECTIVE ON ASSURANCE
This Trusted Database Management System Interpretation
(TDI) of the Trusted Computer System Evaluation Criteria (TCSEC)
derives its perspective on assurance directly from the reference
monitor concept as recorded in the Anderson Report [1] and as
embodied in the TCSEC. In both the reference monitor concept
and in the TCSEC, the assessment of a system for trust characteristics
involves a single, global review of the system at issue. That
same perspective of an even, global review of a candidate
trusted database management system (DBMS) is present in the
TDI, in that only complete systems will be considered
for assessment. That is, neither software packages in isolation
nor systems that satisfy only a subset of the TCSEC. requirements
will be considered for evaluation or accreditation. The interpretation
of requirements, both in Part 1, "Technical Context,"
and Part 2, "Interpreted Requirements," is consistent
with both community experience in designing and assessing trusted
systems, and the precedents of the reference monitor concept
and the TCSEC. The interpretations, therefore, provide special
guidance for the task of evaluating (or accrediting) candidate
systems composed of distinguishable parts. However,
the interpretations neither attenuate nor delete TCSEC requirements.
It is worth noting that the introduction of the TCSEC with
its metric for the evaluation of whole systems had as one goal
the simplification of the task of accrediting computer systems
for use in the processing of sensitive information. The
evaluation process was not intended to replace the accreditation
process but to provide input to that process. It must be recognized
that there will be occasions when a fielded suite of computer
systems, each evaluated against the TCSEC requirements at
a particular class, will not be able to be assigned a TCSEC
class, nor is it necessary to be able to make such an assignment.
The accreditation decision includes the assessment of risk
of a particular system configuration in a particular
environment; a decision to connect a suite of TCSEC evaluated
systems may have to be made without a uniformly applied TCSEC-like
assessment over the entire system.
2. PROCUREMENT OPTIONS
The Trusted Computing System Evaluation Criteria (TCSEC)
and its published interpretations, including this Trusted
Database Management System Interpretation, have as a
primary purpose the "provision [of] a basis for
specifying security requirements in acquisition specifications."
[8, p. 2] In the area of trusted DBMS and trusted systems that
include database management functionality, there is a range
of options open to an acquisition organization. These options
need to be understood by the acquisition managers and their
staffs to allow them the greatest possible flexibility
in matching operational requirements with a combination
of available products and the state of the art in system
integration and development.
The fundamental point is the distinction between the target
trust class (that is, C1, C2, B1, B2, B3, or A1) needed for
a particular installation and the degree of trusted DBMS
functionality that is required. Succinctly, a system that
requires a particular level of trust (B2, for example) and
DBMS functionality does not necessarily require an evaluated
trusted DBMS at the level of B2. In fact, if the statement
of required capability allows it, meeting the requirement without
a trusted DBMS could well be the preferred risk-reducing approach.
This is generally true because the more sophisticated the
trusted DBMS requirement, the more likely it is that the current
vendor base will not be able to supply the needed functionality
(with the requisite assurance) from the normal product line.
Further, even if one can specify carefully just what additional
assured capability is needed so that a program-specific development
can be undertaken, the lack of community experience and
consensus on advanced trusted DBMS issues and implementations
introduces the potential for
significant programmatic, schedule, and cost risks.
Although a full description of options for the acquisition
manager is beyond the scope of this document, a representative
description of some of the options that could be considered
is included below. The options include (1) multiple copies
of a DBMS running at different levels, each maintaining
single-level databases; (2) a single copy of a DBMS, but
with each database maintained at a single sensitivity
level (i.e., no sharing of data between databases); (3) a
single copy supporting single level databases, but with limited
sharing, perhaps of a "snapshot" nature; and (4)
DBMSs that allow databases that include data of several sensitivity
levels. This option admits of subcases from the very simple
to the very complex.
To illustrate the options listed above, consider a command
post where a commander's staff uses a single computer system.
Included on the staff are logistics, weather, and intelligence
organizations, each dealing with information of differing
(maximum) sensitivity. If all three organizations require
similar DBMS functions, there might be a variety of ways to
provide that functionality.
• (1) If the product DBMS-1 suited the needs of each of the
organizations and there were no requirement to share data between
them, then three copies of DBMS-1 could be used, running at,
for example, TOP SECRET, SECRET, and CONFIDENTIAL, respectively,
and maintaining separate single-level databases. If the organizational
missions do not require multilevel operations or sharing,
this option could be perfectly suited to the operational need.
In this case, every copy of DBMS-1 would be running as an
application outside the TCB and would not have to be evaluated
at all, neither as a product nor as a developed system. The
advantages of this option are that commercial, off-the-shelf
systems can be used (both the DBMS and the underlying trusted
operating system) and no evaluation risk is entailed.
The disadvantages are the limited flexibility and the
hidden fact that the installation procedures for many
DBMSs require the insertion of code into the heart of the underlying
computer system, insertions that would undermine the evaluation
rating and thus theconfidence in the trusted operating system.
• (2) A cost advantage could be realized in the preceding case
if there were a product, DBMS-2, such that a single copy could
provide DBMS functionality at all three levels. This capability
requires that the base trusted operating system and the DBMS
itself are designed so that the DBMS code uses scratch space
to allow the code to be shared without the potential for mixing
control or metadata in workspaces, indices, and stacks. Not
all commercial DBMSs have this property, so this option will
be less available than case (1). Note that in this case also,
the databases themselves are single-level and the workspace
used by the DBMS itself will have to be single-level.
(3) If the operational requirements are that the intelligence
and logistics organizations must have access to the weather
data maintained by the weather organization, the simplest technical
solution would be to periodically provide a snapshot of
the needed weather data for use by the other organizations.
The database management system DBMS-2 above could provide a solution
in this case if a portion of the weather database could
be copied onto diskette (or even into another file) for
the other organizations to incorporate into their own
DBMS operations. The disadvantage of this approach is that
the information will not be as current as that available to the
weather organization itself. Frequently, however, that lack of
currency may be a reasonable price to pay for the enormous
reductions in cost and risk in procurement and maintenance.
(4) If the operational requirements will not allow anything
less than real-time sharing of information, then DBMS-2
will not be sufficient. At this point, the operational requirements
have forced the inclusion of the most sophisticated solution
to a trusted system with DBMS requirements, a true multilevel
DBMS. In this case, it remains a valuable goal to minimize
the complexity of the needed sharing. If the DBMS is providing
a functionality that looks like tables to the user, then it
is less complex if each table is at a single level than if
each row (or each column) could be at a different sensitivity
level. The most complex situation is when each entry in the
table could be at a different sensitivity level. During
the procurement and development process, it would be worthwhile
to structure the procurement to favor solutions that are as
simple as possible from a multilevel trusted DBMS standpoint.
3. ALTERATION OF PREVIOUSLY EVALUATED TCB
The discussion in Part 1, "Technical Context" arose
from consideration of the conditions under which it is possible
to add an application layer, such as a DBMS, to another TCB
in such a way as to allow the system rating to be determined
by evaluating the system elements (i.e., the subsets) separately.
The benefit to both the applications vendor and the evaluators
derives from the fact that the DBMS operates as an untrusted
subject relative to the underlying TCB (even though the DBMS
enforces its own policy). Therefore, there is no need to
re-examine previous evaluation evidence; any and ll actions
performed by the application layer are completely constrained
in accordance with the security policy defined for the underlying
TCB.
The savings in evaluation effort is predicated on the
assumption that the vendor of the application layer makes
no changes of any kind to the other TCB. In effect, the argument
made by the vendor is as follows:
(a) The underlying TCB enforces policy P[i].
The validity of the claims about the underlying TCB has already
been established, and these claims remain valid because the underlying
TCB has not been altered in any way and because the DBMS is
completely constrained by that policy (i.e., P[i] cannot
be violated by any action of the DBMS).
(b) The application is a TCB subset which enforces policy
P[k]
Thus, the policy enforced by the composite system (i.e.,
the policy enforced at the user interface of the composite TCB)
is merely a combination of the policies of the individual TCB
subsets.
Because there is neither theory nor experience which
allows one to make general, a priori statements about the effects
of arbitrary changes, any alterations to a previously evaluated
product must, in general, be considered to result in a product
whose security attributes, and thus whose rating, is unknown.
Thus, if the previously evaluated product is altered, argument
(a) cannot be made merely by referencing the published evaluation
report. It becomes the responsibility of the DBMS vendor
to state P[i] (i.e., identify the policy enforced by the altered
product) and to demonstrate that the implementation satisfies
the appropriate TCSEC requirements. Hence, at least some evaluation
evidence focused on the underlying TCB must be provided by
the vendor of the application layer. The amount of evidence
required will be determined by the type, extent, and amount
of change, as well as the characteristics of the original TCB.
This is not to say, however, that changes always invalidate
all previous evaluation evidence. Rather, that there is no
way to predict what effect arbitrary change will have on that
evidence. Clearly, some changes will invalidate a substantial
part, if not all, of the previous evaluation results, requiring
a completely new evaluation. In some cases it will be virtually
impossible to determine the full effect of even relatively
simple changes, whereas in other instances it may be possible
to determine the effects of at least some changes quite
precisely. In a well-modularized system, changes to the internals
of a module might be shown to have no functional or security effect
outside of the module. Even changes to the module that alter
its interface might be shown to have effects which do not propagate
beyond those modules which have a direct interface to the altered
module.
In either case however, at least some evidence must be
produced about the underlying, altered TCB. Thus, the vendor
who alters the product which is hosting his application becomes
responsible for any and all evidence required to substantiate
the claims being made for both the application and the underlying
TCB.
In fact, it is always the case that the DBMS vendor is responsible
for all the evidence required to demonstrate that the system
(i.e., the trusted components of the application plus the
underlying TCB) has the level of trust claimed for it. In the
case of strict subsetting for evaluation by parts, in which the
application is layered onto an unaltered, previously-evaluated
TCB, part of the evidence is satisfied by referencing
the previous evaluation results and the commercially-available
specifications for that portion of the system. However,
if the previously evaluated TCB has been altered, the
applications vendor is now responsible for demonstrating
that the underlying TCB has the level of trust being claimed
for it. How much, if any, of the previous evaluation evidence
is still valid is a matter to be resolved.
The development of the subsetting notion has been motivated by
the need for evaluating systems whose elements may have been
developed by different vendors. Consequently, the discussion
of TCB subsets has been largely focused on the topic of extending
the policy enforcement attributes of previously evaluated
TCBs. However, the notion of TCB subsetting provides a
perfectly general design method. A TCB can be structured
and policy enforcement allocated to simplify both analysis and
evaluation. To the extent that each TCB subset in a subsetted
system satisfies the conditions of TC-4.3, the evaluation
can be factored along policy lines, and a rating for the
composite system determined.
4. SATISFYING RVM REQUIREMENTS
The evaluation of a system whose TCB is made up of a set of TCB
subsets follows a logical flow that makes it an orderly process.
The initial step is satisfying the conditions for evaluation
by parts. Those conditions are as follows:
Identification of the candidate TCB subsets;
Allocation of the policy (the clear statement of the technical
policies enforced by the individual TCB subsets, stated in terms
of the subjects and objects for that TCB subset);
Demonstration that each candidate TCB subset contains its
own trusted subjects;
Specification of the structure of the TCB subsets (as a collection
of abstract machines);
Identification of sets of domains (called "subset-domains")
assigned for the execution of the individual TCB subsets;
and
Identification of what externally stated properties of TCB
subsets will be used to argue convincingly and independently
for the RVM nature of each of the constituent TCB subsets.
The successful completion of this step, especially the "support
for RVM arguments" will result in a conditional approval
of two items: a set of goals in the evaluation of the more primitive
TCB subsets and the feasibility of being able to argue
the RVM properties of less primitive TCB subsets using no more
information about the more primitive TCB subsets than the identified
goals. The goals for the more primitive TCB subsets will
be a set of mechanisms, characteristics, or properties
whose proper, assured functioning will have to be demonstrated.
Examples are domain mechanisms, mandatory integrity
policy enforcement mechanisms, and a special category of
object with associated content-preservation guarantees. These
mechanisms or characteristics or properties are strictly a
function of the more primitive TCB subset and will have to
be evaluated and approved in a (possibly) later part of
the evaluation process. The conditional approval of the feasibility
of constructing an independent RVM argument for less primitive
TCB subsets relies on an interplay between the proposed mechanisms
of the more primitive TCB subset and the anticipated needs
of the RVM argument for the less primitive TCB subset.
The next steps of the evaluation process, with regards to
the reference validation mechanism requirements, involve the
independent evaluation of the TCB subsets. TCB subsets that
have been identified as providing features or mechanisms on
which other TCB subsets will rely for RVM arguments will
have to be demonstrated to provide the stated mechanisms with
the same level of assurance as the target evaluation class of
the entire system. If all the identified mechanisms can be
validated, the conditional approval of the "support
for RVM arguments" condition remains unchanged. If some
mechanism cannot be properly established from either a
functional or an assurance perspective, then the conditional
approval of that portion of the "support" condition
is withdrawn and the evaluation effort must regroup.
TCB subsets that were projected to be able to complete RVM arguments
successfully using no more than the identified "support"
mechanisms and features will have to have full RVM arguments
advanced and accepted by the evaluation team. There are
three possible outcomes: (1) it could be shown that the TCB
subset in question does not meet the RVM requirements; (2)
it could be shown, using the external descriptions and assurances
of the mechanisms of the more primitive TCB subsets, that the
less primitive TCB subset does meet the RVM requirements; or
(3) it might be impossible to determine whether or not the
TCB subset meets the requirements. In case (1), the TCB subset
failed to meet its reference validation mechanism requirements
and the design team must regroup. In case (2), the TCB subset
satisfies its reference validation mechanism requirements.
In case (3), the conditional approval of the "support
for RVM arguments" condition will be withdrawn and the
design and evaluation teams will have to agree on an alternate
course of action.
In the case that an attempt to establish RVM properties for a
less primitive TCB subset could not be completed (case (3)
above), it might well be that additional mechanisms or features
of the more primitive TCB subset would allow the RVM arguments
to be completed successfully. In that case, the evaluation
team and the design team would have to establish a new, augmented
set of mechanisms for the "support" condition.
The evaluation could then continue with the new mechanism requiring
validation by the evaluation team and the argument for the
RVM properties of the less primitive TCB subset having to be
re-attempted.
It is important to note that the dependency of the less primitive
TCB subsets on the assured policies and RVM supporting
mechanisms makes it imperative that the evaluation of the
whole TCB be done by a single evaluation team through
the final determination that the system complies with the
full
set of requirements for the target class. Thus, in particular,
an evaluation team addressing an evaluation by parts (including
the case of a TCB subset that has been previously evaluated
and placed on the EPL) must be kept together for the entire
evaluation. Local evaluation of one TCB subset does
not justify dissolving the responsible subteam. Later results,
global or local to another TCB subset, could require a full
evaluation team current on all aspects of the evaluated configuration.
This does not mean, of course, that the original evaluation
team for a previously evaluated EPL product has to be reassembled.
A new team, part of which may be delegated prime responsibility
for that TCB subset, suffices, as long as the full team
is kept together for the whole evaluation.
5. SUBSET DEPENDENCY
For candidate TCB subset M, sM denotes the specification of
M, including as a minimum, the statement of the technical
policy P of M. The term vM denotes the (engineering) demonstrations
of the correctness of the implementation of M with respect
to its specification. A (candidate) TCB subset A "depends
(for its correctness)" on (candidate) TCB subset B if and
only if the arguments within vA assume the correctness
of the implementation of B with respect to sB.
In less precise terms, the specification sM defines what M is
supposed to do. M does whatever its implementation allows,
features and all. How well M does compared to what sM
says it should do is encompassed in the engineering arguments
vM. If, in the argument vA, one has to assume that all or part
of sB accurately describes what B does, A "depends"
on B for its correctness.
Example 1: Use of Provided Objects
Suppose TCB subset B provides "file" as a mediated
object under its technical policy P[B] and that candidate
TCB subset A uses B-files to store data and executables. If
vA uses the fact that different B-files are distinct and access
to them is constrained by the technical policy P[B] (assumptions
that are nearly certain to apply), then vA is relying on the
fact that sB and B match and in this case, A depends on B.
Example 2: Mutually Suspicious Systems
Suppose A and B are mutually suspicious airline reservation
systems hosted in two interconnected systems belonging
to two distinct organizations. It is assumed that sA
and sB both provide for a capability to accept reservations
over the network from "foreign" systems using a
mutually defined protocol. The protocol is carefully and
completely specified (within both sA and sB) and both vA and
vB demonstrate, to the desired level of satisfaction,
that A and B are correct with respect to sA and sB, respectively.
A does not depend for its correctness on B because sA is complete:
for whatever sequence of bits it receives from B, sA specifies
exactly what behavior A must exhibit, and vA demonstrates
that it does exhibit that behavior. Similarly, B does
not depend upon A for its correctness. Neither A nor
B depends on the other.
There may well exist a "system specification" that
specifies the desired behavior of the entire system, but
that is irrelevant to the arguments that A and B are individually
correct with respect to their own specifications. It may even
be the case that both A and B are individually correct, while
the combined system is incorrect with respect to the
"system specification." That is, two correct subsystems
can be combined improperly with respect to the desired "system
specification."
Example 3: Use of Remotely Provided Functionality
Suppose A is a mail server and B a generic SQL DBMS. The specification
sA (as might be expected) makes no mention of a DBMS; it
simply specifies the interface behavior (to its human clients)
of the mail system. In vA, however, we find that the software
for A uses tables provided by B to store messages. A and B are
on separate, interconnected machines. Neither sB nor vB make
mention of the mail system at all. As in the preceding example,
sB completely specifies the behavior of B for all received
bit patterns and sequences. Here, A depends upon B, but
B does not depend on A. Note that data flow in both directions
is completely legitimate and does not compromise in any way
the "integrity" (correctness) of B. Dependency is
distinct from "data flow."
This example shows that a superficial examination of the
"architecture" of a domain structure is insufficient
to determine which candidate TCB subsets depend upon other
TCB subsets. Superficially, this architecture is the same
as the example of mutually suspicious systems above, but
here A depends on B. It also shows that an examination
of the interface specifications is insufficient. Finally, it
shows that dependency is not the same as the notion of "privilege"
(as normally understood in the context of operating systems
to mean loosened restrictions on allowed functions and accesses),
because there is in this example no sense in which B has access
to all of A's internal structures. It only has access to some
of them.
Example 4: Use of Locally Provided Functionality
Suppose A and B are the mail server and SQL DBMS of the preceding
example, except that A is implemented in a less privileged
ring than B. That is, the interconnect is replaced by a ring-crossing
service call. Obviously, A still depends on B and B does not
depend on A. The change is that now B has potential access
to any of A's structures. The general rule for the use of domain
protection mechanisms (such as rings) is that if B is privileged
with respect to A, then A necessarily depends on B (simply
by virtue of B's privilege to access any of A's structures).
Thus, a detailed examination of sA and vA is unnecessary
to establish dependency.
Cautionary Example
Suppose that A and B are "mutually dependent";
that is, A depends on B and B depends on A. This means that
vA assumes that B is implemented correctly with respect to
sB, and vB assumes that A is implemented correctly with respect
to sA. Further suppose that both vA and vB are valid (reasonable
and compelling). One would hope that it follows from this that
both A and B are correct. Unfortunately, this is not always
the case.
If A and B are both correct with respect to sA and sB, then
vA is a valid argument with a true premise and is therefore
true. The same is true for B and vB.
Suppose, however, that A is implemented incorrectly with
respect to sA and B is implemented incorrectly with respect
to sB. vA is a valid argument with a false premise; it is thus
valid but (possibly) untrue. Similarly, vB is valid but (possibly)
untrue. This case shows that it is quite possible for vA and
vB to both be valid while A and B are both (individually) incorrectly
implemented.
What has been exposed here is a hidden case of circular reasoning:
the argument that A is correct is based on the assumption that
B is correct, and the argument that B is correct is based on
the assumption that A is correct. Thus, vA depends (circularly)
on the assumption that A is correct, and vA reduces to the following
tautology: if vA is correct with respect to sA then vA is correct
with respect to sA. It is thus possible in principle for mutually
dependent subsystems A and B to have vA and vB to be logically
valid while either A or B, or both, are incorrect with respect
to their specifications (sA or sB).
To make this result concrete, consider two airline reservation
systems, A and B, based on the mutually suspicious systems
of example 2 above. Suppose that A maintains information
about all flights originating or terminating in the United States
while B maintains information about flights originating or
terminating in Europe. Assume sA includes a statement that A
will generate flight itineraries from an origin to a destination,
with appropriate provision for connections. "Appropriate
provision for connections" means allowing enough time
to change planes without requiring passengers to wait an
excessive period of time. Further assume that sB includes
a similar statement. From the assumption that A meets sA
and B meets sB, one can construct a valid argument that A
meets its specification sA for itineraries orginating or terminating
in either the U.S. or Europe. A similarly valid argument
can be made about B. If, however, A stores flight segment
times in the local time of the airport and B stores them
i n Greenwich Mean Time, an itinerary generated by either A or
B that relies on information from the other will be incorrect
because of the time differences. Thus, A will not generate
accurate, timely flight itineraries, even though a valid
argument that it does can be constructed. This difficulty
arises from the presumption that A and B are mutually dependent.
6. TAMPER RESISTANCE ARGUMENTS
The requirement to demonstrate that individual TCB subsets
exhibit the reference validation mechanism tamper resistance
property deserves special attention. In a subsetted architecture
there are two (related) aspects to this requirement. The
first is the ability of a less primitive TCB subset to maintain
control over access to the objects that implement its logic
and data structures. The second is establishing the assurance
that policy-critical or correctness-critical data
used by a TCB subset is persistent (that is, that it does
not change or become contaminated with other data between the
execution of instructions).
A less primitive TCB subset will be using objects and subjects
provided by a more primitive TCB subset. Thus, policy-critical
data will be stored in objects that are provided by the more
primitive TCB subset rather than in some system entity created
and maintained by the less primitive TCB subset itself.
One part of the tamper resistance argument focuses on being
able to demonstrate that no alteration of either the policy-critical
data or of the TCB subset's code is possible. That is, no system
entity external to a TCB subset (with the possible exception
of more primitive TCB subsets upon which it depends) should be
capable of causing arbitrary changes to that TCB subset's code
or data structures. If a third, not more primitive TCB subset
(or a subject totally outside the TCB) were able to gain access
to an object where policy-critical data was stored, the tamper
resistance property could not be established for the TCB subset
in question. For a most-primitive TCB subset, a wide variety
of techniques could be used to limit access to an object in
which such policy-critical data is stored (e.g., prohibition
on the sharing of objects, strict ownership control of the ability
to extend access permission, and mandatory access controls).
Similarly, the conditions for evaluation by parts require
that the system designer identify a set of mechanisms and
their assured properties as the basis for demonstrating
tamper resistance for each TCB subset.
The second topic is the assurance that the contents of the
objects that store a TCB subset's policy-critical data not
change except through the execution of that TCB subset's
logic. If a data structure that identified an exported object
(such as tables or tuples or entities) were to have extraneous
data inserted by a more primitive TCB subset (for example,
as a result of garbage collection or the random action
of memory management), then no basis would exist for arguments
concerning the correct implementation of the less primitive
TCB subset. For a most primitive TCB subset (which includes
supporting hardware), the argument that the policy-critical
data is kept current and correct can be made strictly on the basis
of that TCB subset. However, when a TCB subset obtains resources
from a more primitive TCB subset, the argument cannot be made
strictly on the basis of the design of the TCB subset. Rather,
the argument must proceed from assured mechanisms provided
by more primitive TCB subsets. This is exactl y analogous
to the case of a reference validation mechanism for which one
relies on mechanisms not strictly included in the design of
the policy-enforcing elements to establish the requisite properties
of non-bypassability and tamper resistance. A variety
of mechanisms might provide a basis for demonstrating
that the implementation of a TCB subset is correct, even
though resources are obtained from a more primitive TCB subset
(e.g., type-enforcement).
7. RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS
Section TC-5, "General Interpreted Requirements,"
lists the requirements of the TCSEC according to how the
requirements apply to a TCB made up of more than one TCB subset.
The general rationale for distinguishing which requirements
can be satisfied by independent analysis and consideration
of the TCB subsets was to consider the requirements one at a
time to determine whether satisfaction of the requirement by the
individual TCB subsets would necessarily mean that the entire
system satisfies the stated requirement.
For some requirements, such as those for certain documentation,
it is clear that the requirement is factorable; that is,
it is satisfied for the composite TCB if it is satisfied for
each of the TCB subsets individually. For other requirements,
individual system characteristics could make factorability
of a requirement patently obvious, but not all systems would
enjoy such simple factorability. An example would be trusted
path requirements for security-related events: if all security-related
ev ents occur in the most primitive TCB subset, satisfaction
of the requirement by that TCB subset suffices to demonstrate
that the system meets the requirement, but for systems that have
security-relevant events in less primitive TCB subsets, some explanation
of the cooperative action of the TCB subsets would be
required. For still other requirements, one can expect
that the satisfaction of the requirement for the entire
system will always require some explanation of the cooperative
action of the constituent TCB subsets. Provision of a coherent
audit record across events in several TCB subsets is in this category.
In the paragraphs below, a brief rationale for identifying
requirements as wholly or partially global is provided.
Those requirements that are not listed are considered to be completely
local.
Subject Sensitivity Labels
At level B2 and above, the TCSEC requires the following:
The TCB shall immediately notify a terminal user of each change
in the security level associated with that user during an
interactive session. A terminal user shall be able to query
the TCB as desired for a display of the subject's complete
sensitivity level.
For subsetted architectures, the user interface could
be to a TCB subset that does not support a mandatory access
control policy. Thus, a change noted by a more primitive TCB
subset that does support such a policy would have to be relayed
to the user, possibly through cooperative action of the full
set of TCB subsets. Similarly, a request by a terminal user
for the complete sensitivity level could be initially received
by a TCB subset that does not support a mandatory access
control policy and will require cooperation between TCB subsets
to determine the complete subject sensitivity level and to
provide that information to the requesting user.
Identification and Authentication
The identification and authentication requirements in
the TCSEC address the need to correctly associate authorizations
with subjects. In a TCB made of several TCB subsets, it is possible
that only one of the TCB subsets will provide identification
and authentication, which will be used by all the less primitive
TCB subsets. Alternatively, identification and authentication
may be provided directly in more than one TCB subset. In
either case, the TCB subsets have to work cooperatively to
use identification and authentication data for uniquely identifying
users and for associating users with auditable actions.
Trusted Path
At B2, the only required uses of trusted path are login and
authentication. At B3 and above, occasions "when
a positive TCB-to-user connection is required (e.g., login,
change subject security level)" are included. In both
cases, a system vendor may choose to use trusted path for
situations where the security-relevant event could be recognized
or handled in more than one TCB subset. On those occasions,
the careful coordination of all the involved TCB subsets in the
correct handling of trusted path situations must be shown. If
a single TCB subset implements trusted path and all the invocations
of trusted path are limited to that TCB subset (that is,
the flow of control in responding to a trusted path initiation
never leaves the TCB subset until the response is completed),
then nothing further would be required. The description of the
limitation of trusted path to a single TCB subset will suffice
for the global part of the requirement, leaving only the demonstration
of local satisfaction of the requireme nt by the identified TCB
subset.
Audit
If each of several TCB subsets meets the audit requirements
locally, then there is the issue of whether the set of audit
records meets the requirements of being able to note and
record individual user actions, and at B3 and above, to be
able to initiate required action. If not all the TCB subsets
meet the audit requirements locally, then the requirements must
be satisfied by the cooperative action of the set of TCB subsets.
In both cases, consideration of the audit characteristics of
all the TCB subsets has to be part of determining that the
entire TCB meets the audit requirements.
System Architecture
For many of the system architecture requirements, demonstrating
that a requirement is satisfied by all of the consitituent
TCB subsets is sufficient to demonstrate that it is satisfied
for the composite TCB. The requirements for the "TCB
[to] maintain a domain for its execution" and for the TCB
to "maintain process isolation through the provision of
distinct address spaces" could be satisfied by the entire
TCB without each constituent TCB meeting the requirement.
The requirement for the TCB to maintain a domain for its execution
implies the need for each TCB subset to have a domain for its
own execution, isolated from both untrusted portions of the
system and from less primitive TCB subsets. The exact wording
of the TCSEC requirement could be read as disallowing a less
primitive TCB subset from occupying a domain provided by a
more primitive TCB subset and to allocate its subjects to
domains that do not have access to its own domain: the verb
"maintain" could be (erroneously) read as requiring
each TCB subset to create and maintain its own domain
for execution. The proper interpretation is that the TCB as
a whole must provide and maintain such domains for execution,
rather than each individual TCB subset. Similarly, the exact
wording of the TCSEC requirement on the "maintain[ing]
of process isolation through the provision of distinct address
spaces" could be read as requiring each TCB subset
to provide distinct address spaces. The proper interpretation
is that the TCB as a whole must provide and maintain process
isolation, either through provision and subsequent use
of distinct address spaces, or through provision of distinct
address spaces by every TCB subset.
Covert Channel Analysis
This requirement applies as stated in the TCSEC to the entire
TCB. When the TCB is made up entirely of TCB subsets
meeting the conditions for evaluation by parts, analysis of
the individual TCB subsets suffices to satisfy this analysis
requirement. Otherwise, covert channel analysis must address
the entire TCB (even if the result of covert channel analyses
of the individual TCB subsets were available).
Trusted Facility Management
The ability to run a trusted system facility properly applies
to the combination of TCB subsets making up the TCB. This
requirement should not be difficult to meet, provided that
the individual TCB subsets meet the requirement and the
interactions between the TCB subsets at the facility management
level are clear.
Trusted Recovery
In the case of "an ADP system failure or other discontinuity,"
each TCB subset in a B3 or above system needs to be able
to recover "without a protection compromise."
Further, the recovery actions of distinct TCB subsets needs
to be coordinated and combined so that the resulting system
is not only recovered as far as each TCB subset is concerned,
but is also recovered as a composite TCB.
Security Testing
This requirement applies as stated in the TCSEC to the entire
TCB. If a TCB consists of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset suffices to satisfy the requirement for the
entire TCB. Otherwise, security testing must include testing
of the entire TCB (even if the results of testing the
individual TCB subsets are available).
Design Specification and Verification
For many of the design specification and verification requirements,
demonstrating that a requirement is satisfied by all of
the consitituent TCB subsets is sufficient to demonstrate
that it is satisfied for the composite TCB. The requirements
for a "formal model of the security policy supported by the
TCB" and that the DTLS at B3 and the FTLS at A1 "be
an accurate description of the TCB interface" apply in
a limited way to the entire TCB.
After complying security models are provided for the individual
TCB subsets, a convincing argument is required to explain how
the set of models represents abstractly the policy of the entire
system.
After complying top-level specifications (DTLS at B3 and
FTLS at A1) are provided for the individual TCB subsets,
an explicit and convincing description of how the set of top-level
specifications describe the TCB interface with respect to exceptions,
errors and effects must also be provided.
8. CONTENT-DEPENDENT AND CONTEXT-DEPENDENT ACCESS CONTROL
An attractive proposition in a database managment system
is to implement access controls that depend in some way on
the values of the data in a storage object or the context
in which the information is accessed. For example, one might
desire to limit access to all personnel records in a database
according to the salary value (content-dependent access rules).
On the other hand, a company's earnings report might be held
in confidence until announced at the stockholders' meeting, at
which time it is public information (context-dependent
access rules).
This document does not encourage or endorse mandatory access
control on storage objects that are based on the content of
data values or on the context in which the information is viewed.
Given that these are research topics, it is prudent to
take this conservative stance. Research and current practice
are insufficient to allow definitive guidance on such implementations.
9. BULK LOADING OF A DATABASE
The bulk loading of a database into (perhaps thousands of) database
objects must be done with care. If the data to be loaded are
unlabeled, it may not be practical to require an authorized
user to examine the data to be loaded into each object and
assign it a sensitivity label. Instead it may be more practical
to assign labels to the data according to the sensitivity label
of the single-level device that is used to import it. In this
way, bulk loading may be done in single-level stages.
Even importing labeled multilevel data may prove difficult.
The imported data records may be organized on the input
device in accordance with their logical structure, not their
sensitivity levels. For some trusted DBMS architectures, this
requires that the TCB first separate the data by sensitivity
levels and subsequently load the data into the database
as single-level structures.
Another problem with bulk loading of labeled data is granularity.
It may be that the labeling granularity of data on the
input device is different from the labeling granularity
supported by the receiving trusted DBMS. As an example,
the data being imported may be labeled at the file or field level,
and the importing DBMS may support labeling at the tuple level.
In such instances, the data would have to be mapped into objects
of the proper labeling granularity as the data are being imported.
10. LOCAL ANALYSIS IN SYSTEM ASSESSMENT
The ability to distinguish and separately reference the results
of local analysis of TCB subsets is a primary aspect of evaluation
by parts, and the benefits which accrue are apparent in
two, closely related, cases that arise in evalutions by
parts. These may be thought of as dealing with the problems of
"hosting" and "porting" although they are
actually two aspects of the same problemthat of assessing a trusted
system constructed of previously evaluated parts.
For the first case (i.e., that of "hosting"), consider
an operating system which has been evaluated against the TCSEC
requirements and has received a rating. Thus, the operating
system is a TCB for which both the local and global analysis
has been done. The results of the local analysis can now
be used to support the evaluation of a TCB made up of
the operating system (or, the more primitive TCB subset) and
any proposed TCB extension (or, less primitive TCB subset).
Suppose, for example, that vendor A chooses the rated operating
system as the host for a DBMS product, which implements an
access control policy. As described in TC-6, it is now
possible, under the
correct conditions, to re-use the results of the local analysis
of the host operating system in developing a rating for the
composite system. Even for those cases not meeting all the conditions
for evaluation by parts, it may be possible that some, if
not most, of the previous results are still valid. If vendor
B also chooses the rated operating system as the host for his
DBMS product, it will be possible (again, under the proper
conditions) to develop a rating for the (new) composite system
without having to repeat the local analysis of the host operating
system. As an alternate case, suppose a site has need of
an electronic mail service as well as the DBMS utility. The
mail utility will operate in a peer-entity relation with the trusted
DBMS utility (i.e., both the mail service and the DBMS depend
on the host operating system, but neither depends on the
other). Again, having the results of the local analysis of
the host operating system eases the burden of assessing the security
characteristics of the user interface to the composite system
made up of the mail system and the host operating system.
In short, the ability to distinguish and separately reference
the results of the local analysis of the host operating system
makes it feasible to evaluate the effect of adding arbitrary
trusted applications, only by performing the local analyis for
the application and any global analysis required.
For the second case, (i.e., that of "porting")
the question becomes that of determining the effect of moving
a known trusted application, such as a DBMS, across arbitrary
host systems. Assume that a trusted DBMS product meeting
the conditions for evaluation by parts has been evaluated
on some trusted host, and a rating determined for the composite
system. Clearly, the results of the local analysis of the
trusted application available are also applicable to the analysis
of a composite system made up of the trusted application
and a different host operating system. Thus, having the local
analysis of the trusted application will ease the evaluation
burden associated with porting of trusted applications to
different hosts. To the extent that the conditions
for evaluations by parts have been satisfied, the local analysis
of the application is valid by reference.
Hence only the local analysis of the host operating system
and the requisite global analysis is needed to assess the security
attributes of the new composite system.
11. RATING MORE COMPLEX SYSTEMS
The view taken by the TCSEC is that of an "atomic"
TCB; the TCB is seen to be a single entity which is, in some
sense, homogeneous. This allows a relatively simple measure
(i.e., the digraphs) to be assigned to the TCB. However, real
systems may be more complex, resulting in the inability of a single,
simple rating to convey the full complexity of the system.
This is implicitly recognized in TCSEC evaluation reports
and EPL entries, in which credit may be given to a vendor for
meeting TCSEC (functional) requirements beyond those necessary
to satisfy the rating (e.g., the B3 discretionary access control
feature in a C2 TCB). In short, systems which reflect
straightforward implementations or extensions of the
TCSEC can accurately be described with a single digraph. On
the other hand, adding complexity to systems may violate assumptions
which underlie the TCSEC rating system, requiring a more complex
description if accuracy is to be achieved.
If a TCB made up of TCB subsets is consistent with the TCSEC
assumptions on homogeneity, then a simple digraph suffices
for a full and accurate description of the security properties
of the product. However, to the extent that a subsetted architecture
introduces complexity not captured by the digraphs, the simple
TCSEC ratings cannot be applied to the composite system. More
specifically, for a subsetted TCB to achieve a single rating,
all the requirements of that class must be satisfied.
For example, if a discretionary access control-enforcing
DBMS TCB subset is added onto a previously evaluated B3 product,
the entire system can achieve a B3 rating if it could also have
achieved the B3 rating evaluated as a monolith. That is, the
new TCB subset must also satisfy all the assurance and architectural
requirements of B3.
Consider a candidate TCB subset which enforces a discretionary
access control policy over a new type of object, targeted at
a host system which has already been evaluated at the B3 level.
Examples are a database management system providing discretionary
access control over tuples, a transaction processor providing
discretionary access control over transactions,
and a message system providing discretionary access
control over messages. If the candidate TCB subset meets all
the C2 requirements, the problem is what rating will be
assigned to the composite system. To designate it a "C2"
is clearly inaccurate, as well as being unfair to the original
B3 product vendor. To designate it "B3" may be equally
inaccurate, and it creates ambiguity in the meaning of the metric
used for comparing systems. In fact, depending on the details
of the specific candidate, the composite system could legitimately
be rated at any level from C2 to B3 under a TCSEC evaluation.
The TCSEC rating system assumes a measure of homogeneity which
the above example violates thus invalidating the very basis
upon which a single digraph may be assigned. Hence, a subsetted
system such as described above, will have to be characterized
with a more complex description than a single digraph.
Although this may seem undesirable, it will be a more accurate
description of the system, and it provides sufficient information
to allow system designers and accreditors to make decisions
about sufficiency of security for their specific applications.
In essence, such an approach is necessary for recognizing
the additional complexity which can be introduced by architectures
which allow system elements to be developed separately.
GLOSSARY
candidate TCB subset The identification of the hardware,
firmware, and software that make up the proposed TCB subset,
along with the identification of its subjects and objects;
one of the conditions for evaluation by parts
content-dependent access control Access control in which
access is determined by the value of the data to be accessed.
context-dependent access control Access control in which
access is determined by the specific circumstances
under which the data is being accessed.
database management system A computer system whose main function
is to facilitate the sharing of a common set of data among many
different users. It may or may not maintain semantic relationships
among the data items.
DBMS Abbreviation for "database management system."
depends A TCB subset A depends (for its correctness) on TCB
subset B if and only if the (engineering) arguments of
the correct implementation of A with respect to its specification
assume, wholly or in part, that the specification of B has
been implemented correctly.
domain The set of objects that a subject has the ability
to access.
dominated by Security level A is dominated by security
level B if (1) the clearance/classification in A is less than
or equal to the clearance/classification in B, and (2) the
set of access approvals (e.g., compartment designators) in
A is contained in the set of access approvals in B (i.e., each
access approval appearing in A also appears in B). This
dominance relation is a special case of a partial order.
dominates "Security level B dominates security level A"
is synonymous with "security level A is dominated by security
level B." See "dominated by."
global requirements Those which require analysis of the entire
system and for which separate analysis of the individual TCB
subsets does not suffice. See Section TC-5.3.2 for a summary
list.
lattice A partially ordered set for which every pair of elements
has a greatest lower bound and a least upper bound.
local requirements Those for which separate analysis of the
individual TCB subsets suffices to determine compliance for
the composite TCB. See Section TC-5.3.1 for summary list.
metadata (1) Data referring to other data; data (such as
data structures, indices, and pointers) that are used to
instantiate an abstraction (such as "process,"
"task," "segment," "file," or "pipe").
(2) A special database, also referred to as a data dictionary,
containing descriptions of the elements (e.g., relations,
domains, entities, or relationships) of a database.
monolithic TCB A TCB that consists of a single TCB subset.
object A passive entity that contains or receives information.
Access to an object potentially implies access to the information
it contains. Examples of objects are: records, blocks, pages,
segments, files, directories, directory trees, and programs,
as well as bits, bytes, words, fields, processors, video displays,
keyboards, clocks, printers, network nodes, etc.
partial order A relation that is symmetric (a is related
to a), transitive (if a is related to b and b is related to
c, then a is related to c), and antisymmetric (if a is
related to b and b is related to a, then a and b are identical.)
primitive An ordering relation between TCB subsets based
on dependency (see "depends" above). A TCBsubset
B is more primitive than a second TCB subset A (and A is less
primitive than B) if (a) A directly depends on B or (b) a chain
of TCB subsets from A to B exists such that each element of
the chain directly depends on its successor in the chain.
reference monitor concept An access control concept that refers
to an abstract machine that mediates all accesses to objects
by subjects.
reference validation mechanism "An implementation of the
reference monitor concept . . . that validates each reference
to data or programs by any user (program) against a list
of authorized types of reference for that user." It
must be tamper proof, must always be invoked, and must be small
enough to be subject to analysis and tests, the completeness
of which can be assured. [1]
security policy The set of laws, rules, and practices
that regulate how an organization manages, protects, and distributes
sensitive information.
storage object An object that supports both read and write accesses.
subject An active entity, generally in the form of a person,
process, or device that causes information to flow among objects
or changes the system state. Technically, a process/domain
pair.
subset-domain A set of system domains. For evaluation
by parts, each candidate TCB subset must occupy a distinct
subset domain such that modify-access to a domain within a
TCB subset's subset-domain is permitted only to that TCB
subset and (possibly) to more primitive TCB subsets.
TCB subset A set of software, firmware, and hardware (where
any of these three could be absent) that mediates the
access of a set S of subjects to a set O of objects on the
basis of a stated access control policy P and satisfies the
properties:
• (1) M mediates every access to objects O by subjects in
S;
• (2) M is tamper resistant; and
• (3) M is small enough to be subject to analysis and
tests, the completeness of which can be assured.
• technical policy The set of rules regulating access of
subjects to objects enforced by a computer system.
Trusted Computing Base (TCB) The totality of protection
mechanisms within a computer system including hardware,
firmware, and software the combination of which is responsible
for enforcing a security policy. A TCB consists of one
or more components that together enforce a unified security
policy over a product or system. The ability of a TCB to correctly
enforce a security policy depends solely on the mechanisms
within the TCB and on the correct input by system administrative
personnel of parameters (e.g., a user's clearance) related
to the security policy.
trusted subject A subject that is permitted to have simultaneous
view- and alter-access to objects of more than one sensitivity
level.
user Any person who interacts directly with a computer
system.
view That portion of the database that satisfies the conditions
specified in a query.
view definition A stored query; sometimes loosely referred
to as a "view."
BIBLIOGRAPHY
1. J. P. Anderson, "Computer Security Technology
Planning Study," ESD-TR-73-51 (AD-758206),
J. P.
Anderson Co., October 1972.
• 2. J. P. Anderson, "On the Feasibility of Connecting
• RECON to an External Network," Technical Report, J.
P.
• Anderson Co., March 1981.
• 3. D. E. Bell and L. J. La Padula, "Secure
• Computer Systems: Unified Exposition and Multics Interpretation,"
MTR-2997, (AY/W 020 445), The MITRE Corporation, Bedford, Massachusetts,
July 1975.
• 4. D. E. Bell and L. J. La Padula, "Secure
Computer Systems: Mathematical Foundations,"
MTR-2547-I, (AD 770 768), The MITRE Corporation,
Bedford, Massachusetts, March 1973.
• 5. L. J. La Padula and D. E. Bell, "Secure
• Computer Systems: A Mathematical Model," MTR 2547-II,
(AD 771 543), The MITRE Corporation, Bedford, Massachusetts,
May 1973.
• 6. D. E. Bell, "Secure Computer Systems:
A
• Refinement of the Mathematical Model," MTR 2547-III,
• (AD 780 528), The MITRE Corporation, Bedford,
Massachusetts, December 1973.
• 7. D. E. Bell, "Secure Computer Systems: A Network
• Interpretation," Proceedings of the Second Aerospace
Computer Security Conference, McLean Virginia, December 2-4, 1986,
pp. 32-39.
8. Department of Defense, Department of Defense
Trusted Computer System Evaluation Criteria,
DOD
5200.28-STD, December 1985.
• 9. D. E. Denning, "Cryptographic Checksums for
• Multilevel Database Security," Proceedings of the IEEE
Symposium on Security & Privacy, Oakland, California, April
29-May 2, 1984, pp. 52-61.
• 10. D. E. Denning, "Commutative Filters for Reducing
• Inference Threats in Multilevel Database Systems,"
Proceedings of the IEEE Symposium on Security & Privacy,
Oakland, California, April 22-24, 1985, pp. 134-146.
• 11. E. B. Fernandez, R. C. Summers, and C. Wood,
• Database Security and Integrity, Boston, Massachusetts:
• Addison Wesley, 1981.
• 12. C. Garvey and A. Wu, "ASD Views," Proceedings
of the Fourth Aerospace Computer Security Applications Conference,
Orlando, Florida, December 1988, pp. 85-95.
• 13. R. D. Graubart and J. P. L. Woodward, "A
• Preliminary Naval Surveillance DBMS Security Model,"
Proceedings of the IEEE Symposium on Security & Privacy,
Oakland, California, April 26-28, 1982, pp. 21-37.
• 14. R. D. Graubart, "The Integrity-Lock Approach to
• Secure Database Management," Proceedings of the IEEE
• Symposium on Security & Privacy, Oakland, California,
April 29-May 2, 1984, pp. 62-74.
• 15. M. J. Grohn, "A Model of a Protected Data
• Management System," ESD-TR-76-289, I. P. Sharp
Associates, Ltd., June 1976.
• 16. T. H. Hinke, M. Schaefer et al., "Secure Data
• Management System," RADC-TR-75-266 (AD-A019201), System
Development Corporation, Santa Monica, California, November
1975.
• 17. C. E. Landwehr, C. L. Heitmeyer, and J.
• McLean, "A Security Model for Military Message
Systems," ACM Transactions on Computer Systems, Vol.
2, No. 3, August 1984, pp. 198-222.
• 18. T. F. Lunt, D. E. Denning, P. G. Neumann, R.
• R. Schell, M. Heckman, and W. R. Shockley, "Final
Report Vol. 1: Security Policy and Policy
Interpretation for a Class A1 Multilevel Secure
Relational Database System," Computer
Science
Laboratory, SRI International, Menlo Park, California, 1988.
• 19. J. McHugh and B. M. Thuraisingham, "Multilevel
• Security Issues in Distributed Database Management Systems,"
Computers & Security, Vol. 7, No. 4, Elsevier Advanced
Technology Publications, August 1988, pp. 387-396.
• 20. National Computer Security Center, Proceedings of the
National Computer Security Center Invitational Workshop
on Database Security, Baltimore, Maryland, June 17-20, 1986.
• 21. P. A. Rougeau and E. D. Sturms, "The Sybase
• Secure Dataserver: A Solution to the Multilevel Secure
DBMS Problem," Proceedings of the 10th
National
Computer Security Conference, Baltimore, Maryland,
September 21-24, 1987, pp. 211-215.
• 22. M. Schaefer, ed., Multilevel Data Management
Security, Air Force Studies Board, Committee on
Multilevel Data Management Security, National Academy Press:
Washington, D.C., 1983.
• 23. M. D. Schroeder and J. H. Saltzer, "A Hardware
• Architecture for Implementing Protection Rings,"
Communications of the ACM, Vol. 15, No. 3, March 1972,
pp.157-170.
• 24. W. R. Shockley and R. R. Schell, "TCB Subsets
for Incremental Evaluation," Proceedings of the Third Aerospace
Computer Security Conference, Orlando, Florida, December
7-11, 1987, pp. 131-139.
• 25. P. Stachour and B. Thuraisingham, "Design of LDV
• A Multilevel Secure Database Management System,"
IEEE Transactions on Knowledge and Data Engineering, Vol.
2, No. 2, June 1990, pp. 190-209.
• 26. M. Stonebraker, "Operating System Support
for Database Management," Communications of the ACM, Vol.
24, No. 7, July 1981, pp. 412-418.
• 27. Unisys Corporation, "Secure Distributed Database
• Management System," Final Technical Report, Rome
Air Development Center Technical Report, RADC-TR-89-314, Vol.
1-5, December 1989.
• 28. J. Wilson, "Views as the Security Objects in
a
• Multi-level Secure Relational Database Management System,"
Proceedings of the 1988 IEEE Symposium on Security &
Privacy, Oakland, California, April 18-21, 1988, pp. 70-84.
t