Orange Book Summary
Updated March 2003
Introduction
This document is a summary of the US Department of Defense Trusted Computer System Evaluation Criteria, known as the Orange Book. Although originally written for military systems, its security classifications are now broadly used within the computer industry. You can get further information on the Orange Book and the Rainbow Series by looking at the Orange Book Links page. Example Operating System descriptions link to the NCSC Evaluated Products List.
The DoD security categories range from D (Minimal Protection) to A (Verified Protection).
D - Minimal Protection
Any system that does not meet the requirements of any other category, or that has failed to receive a higher classification. D-level certification is very rare.
C - Discretionary Protection
Discretionary protection applies to Trusted Computing Bases (TCBs) with optional object (i.e. file, directory, device etc.) protection.
C1 - Discretionary Security Protection
- Discretionary Access Control, for example Access Control Lists (ACLs) or User/Group/World protection.
- Usually for users who are all on the same security level.
- Username and password protection and a secure authorisations database (ADB).
- Protected operating system and system operations mode.
- Periodic integrity checking of the TCB.
- Tested security mechanisms with no obvious bypasses.
- Documentation for user security.
- Documentation for systems administration security.
- Documentation for security testing.
- TCB design documentation.
- Typically for users on the same security level.
- C1 certification is rare. Example systems are earlier versions of Unix and IBM RACF.
C2 - Controlled Access Protection
As C1, plus:
- Object protection can be on a single-user basis, e.g. through an ACL or Trustee database.
- Authorisation for access may only be assigned by authorised users.
- Object reuse protection (i.e. storage freed from securely deleted objects is cleared before it is reallocated).
- Mandatory identification and authentication procedures for users, e.g. Username/Password.
- Full auditing of security events (i.e. date/time, event, user, success/failure, terminal ID).
- Protected system mode of operation.
- Added protection for authorisation and audit data.
- Documentation as C1, plus information on examining audit information.
- This is one of the most common certifications. Example Operating Systems are: VMS, IBM OS/400, Windows NT, Novell NetWare 4.11, Oracle 7, DG AOS/VS II.
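The C2 requirements above (per-user ACLs, grants only by authorised users, object reuse protection and audit records with the listed fields) can be seen together in a small object store. This is an added example written for this summary, not code from the Orange Book or from any evaluated system; the store, its API and the user and terminal names are assumptions.

```python
"""Toy C2-style object store, written as an added example for this summary
(not code from the Orange Book or from any evaluated system; every name here
is an assumption). It shows per-user discretionary access control, grants
that only the object's owner may make, object-reuse clearing, and an audit
record with the fields listed above."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

AUDIT_LOG: List[dict] = []


def audit(event: str, user: str, success: bool, terminal: str, obj: str) -> None:
    """Record one security event: date/time, event, user, success/failure, terminal ID."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "object": obj,
        "user": user,
        "result": "SUCCESS" if success else "FAILURE",
        "terminal": terminal,
    })


@dataclass
class StoredObject:
    owner: str
    acl: Dict[str, Set[str]]   # per-user rights, e.g. {"bob": {"read"}}
    data: bytearray


class Store:
    """Objects are fixed-size buffers; buffers released by delete() are recycled."""

    def __init__(self) -> None:
        self.objects: Dict[str, StoredObject] = {}
        self.free_pool: List[bytearray] = []

    def _allowed(self, user: str, name: str, right: str) -> bool:
        obj = self.objects.get(name)
        if obj is None:
            return False
        # Discretionary: the owner always has access, anyone else needs an ACL entry.
        return user == obj.owner or right in obj.acl.get(user, set())

    def create(self, user: str, name: str, size: int, terminal: str) -> bool:
        if name in self.objects:
            audit("create", user, False, terminal, name)
            return False
        buf = self.free_pool.pop() if self.free_pool else bytearray(size)
        # Object reuse protection: a recycled buffer is overwritten with zeros before a
        # new owner gets it, so data from a deleted object can never be read back.
        buf[:] = bytes(size)
        self.objects[name] = StoredObject(owner=user, acl={}, data=buf)
        audit("create", user, True, terminal, name)
        return True

    def grant(self, grantor: str, name: str, user: str, rights: Set[str], terminal: str) -> bool:
        # Authorisation may only be assigned by an authorised user: here, the owner.
        obj = self.objects.get(name)
        ok = obj is not None and grantor == obj.owner
        if ok:
            obj.acl.setdefault(user, set()).update(rights)
        audit("grant", grantor, ok, terminal, name)
        return ok

    def read(self, user: str, name: str, terminal: str) -> Optional[bytes]:
        ok = self._allowed(user, name, "read")
        audit("read", user, ok, terminal, name)
        return bytes(self.objects[name].data) if ok else None

    def write(self, user: str, name: str, payload: bytes, terminal: str) -> bool:
        ok = self._allowed(user, name, "write") and len(payload) <= len(self.objects[name].data)
        if ok:
            self.objects[name].data[:len(payload)] = payload
        audit("write", user, ok, terminal, name)
        return ok

    def delete(self, user: str, name: str, terminal: str) -> bool:
        ok = self._allowed(user, name, "delete")
        if ok:
            self.free_pool.append(self.objects.pop(name).data)  # buffer returns to the pool
        audit("delete", user, ok, terminal, name)
        return ok


if __name__ == "__main__":
    s = Store()
    s.create("alice", "payroll", 8, "tty1")
    s.write("alice", "payroll", b"secret!!", "tty1")
    s.read("bob", "payroll", "tty2")                      # denied: no ACL entry for bob
    s.grant("alice", "payroll", "bob", {"read"}, "tty1")  # owner grants read to bob
    s.delete("alice", "payroll", "tty1")
    s.create("bob", "scratch", 8, "tty2")                 # reuses the cleared buffer
    for record in AUDIT_LOG:
        print(record)
```

Two things to notice when running it: a failed grant by a non-owner and a denied read both appear in the audit log as FAILURE records with the terminal that issued them, and the buffer recycled from the deleted "payroll" object comes back to its new owner as zeros rather than the old contents.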
B - Mandatory Protection
Division B specifies that the TCB protection systems should be mandatory, not discretionary.
B1 - Labelled Security Protection
As C2, plus:
- Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
- Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
- Auditing of labelled objects.
- Mandatory access control for all operations.
- Ability to specify the security level printed on human-readable output (e.g. printers).
- Ability to specify the security level on any machine-readable output.
- Enhanced auditing.
- Enhanced protection of the operating system.
- Improved documentation.
- Example OSes are: HP-UX BLS, Cray Research Trusted Unicos 8.0, Digital SEVMS, Harris CS/SX, SGI Trusted IRIX.
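The B1 items above (sensitivity labels on subjects and objects, mandatory access checks on every operation, auditing of labelled objects, and labels that survive export) are easiest to see in a small label-enforcement model. This is an added example written for this summary, not code from the Orange Book or from any of the listed systems; the level names, the NATO category and the users are constructed, and the read/write rules follow the TCSEC mandatory access control requirement (a subject may read an object only if its clearance dominates the object's label, and write only if the object's label dominates its clearance).

```python
"""Toy B1-style label enforcement, written as an added example for this summary
(not code from the Orange Book or from any listed system; every name is an
assumption). Each subject and object carries a sensitivity label made of a
hierarchical level and a set of non-hierarchical categories; every read and
write is checked by label dominance, as the TCSEC mandatory access control
requirement states it, and exported output keeps the object's label."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hierarchical levels, lowest to highest (constructed sample ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as sensitive as `other` in both parts:
        equal-or-higher level AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __str__(self) -> str:
        cats = ",".join(sorted(self.categories))
        return self.level + (f" [{cats}]" if cats else "")


@dataclass
class LabelledObject:
    name: str
    label: Label
    content: str


@dataclass
class Subject:
    user: str
    clearance: Label


class MacPolicy:
    """Mandatory checks that no discretionary setting can override."""

    def __init__(self) -> None:
        # (user, event, object, object label, allowed): auditing of labelled objects.
        self.audit: List[Tuple[str, str, str, str, bool]] = []

    def _log(self, s: Subject, event: str, o: LabelledObject, ok: bool) -> None:
        self.audit.append((s.user, event, o.name, str(o.label), ok))

    def can_read(self, s: Subject, o: LabelledObject) -> bool:
        # No read up: the subject's clearance must dominate the object's label.
        return s.clearance.dominates(o.label)

    def can_write(self, s: Subject, o: LabelledObject) -> bool:
        # No write down: the object's label must dominate the subject's clearance,
        # so nothing a subject has read can flow into a less sensitive object.
        return o.label.dominates(s.clearance)

    def read(self, s: Subject, o: LabelledObject) -> Optional[str]:
        ok = self.can_read(s, o)
        self._log(s, "read", o, ok)
        return o.content if ok else None

    def write(self, s: Subject, o: LabelledObject, text: str) -> bool:
        ok = self.can_write(s, o)
        self._log(s, "write", o, ok)
        if ok:
            o.content = text
        return ok

    def export(self, s: Subject, o: LabelledObject) -> Optional[str]:
        """Label integrity on output: the sensitivity label is carried with the data as a
        banner, as it would be printed on paper or written to removable media."""
        ok = self.can_read(s, o)
        self._log(s, "export", o, ok)
        if not ok:
            return None
        banner = f"=== {o.label} ==="
        return f"{banner}\n{o.content}\n{banner}"


if __name__ == "__main__":
    plan = LabelledObject("plan", Label("SECRET", frozenset({"NATO"})), "troop movements")
    alice = Subject("alice", Label("SECRET", frozenset({"NATO"})))
    carol = Subject("carol", Label("TOP SECRET"))   # higher level, but no NATO category
    policy = MacPolicy()
    print(policy.export(alice, plan))
    print("carol reads plan:", policy.read(carol, plan))
    for entry in policy.audit:
        print(entry)
```

The category check is the part most worth studying: a TOP SECRET user without the NATO category is refused a SECRET [NATO] object, because dominance needs both the level and the category set, and a CONFIDENTIAL user is allowed to write upward into that object but never to read it.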
B2 - Structured Protection
As B1, plus:
- Notification of security level changes affecting interactive users.
- Hierarchical device labels.
- Mandatory access control over all objects and devices.
- Trusted path communications between user and system.
- Identification of covert storage channels.
- System operation structured more tightly into multilevel, independent units.
- Covert channel analysis.
- Improved security testing.
- Formal models of the TCB.
- Version, update and patch analysis and auditing.
- Example systems are: Honeywell Multics, Cryptek VSLAN, Trusted XENIX.
B3 - Security Domains
As B2, plus:
- ACLs additionally based on groups and identifiers.
- Trusted path access and authentication.
- Automatic security analysis.
- More formal TCB models.
- Auditing of security auditing events.
- Trusted recovery after system failure, with relevant documentation.
- Zero design flaws in the TCB, and minimal implementation flaws.
- The only B3-certified OS is Getronics/Wang Federal XTS-300.
A - Verified Protection
Division A is the highest security division.
A1 - Verified Protection
As B3, plus:
A2 and above
Provision is made for security levels higher than A2, although these have not yet been formally defined. No OSes are rated above A1.