National Computer Security Center, Fort Meade, Maryland. Department of Defense Trusted Computer System Evaluation Criteria (The Orange Book), December 1985.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....components. In general, rapid production of software in a time to market driven economy discourages the application of these techniques. Two detrimental effects enabled by low We define COTS components to be either unevaluated by independent third parties, or evaluated below Class B2 EAL5. [13, 3] The evaluation classes below Class B2 and EAL5 do not require either substantial configuration management or code inspection for malicious artifacts during evaluation, and components in these classes are considered to be low assurance. 11] integrity production techniques are incorrect ....

....entry into the system. subversion. Various approaches exist for ensuring these characteristics. The primary approaches are (1) post development testing; 2) abstract process certification such as the Capability Maturity Model [2, 15] and ISO 9001 [1] and (3) rigorous engineering processes [3, 13]. There is ample evidence that testing alone is insufficient to ensure against malicious artifices [8] The abstract certification approaches are not specifictohigh assurance or high integrity (although they can be used to manage a rigorous engineering approach) so they are not discussed ....

[Article contains additional citation context not shown here]

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, December 1985.

....expected to react appropriately to its environment, despite emergency or overload situations. 2. 3 Multilevel Security Secure Alpha is intended to support applications that require high assurance for MLS, such as that defined by Class B3 of the Trusted Computer System Evaluation Criteria (TCSEC) [12]. The security functionality required for this type of system includes the labeling of subjects and storage objects, mandatory and discretionary access control, When a thread invokes an operation of an object, it gets a new address space, completely disjoint from its previous ....

National Computer SecurityCenter. Department of Defense Trusted Computer System Evaluation Criteria. DOD 5200.28-STD, Department of Defense, December 1985.

....access control is implemented by making use of these labels. But they assume that Identification and Authentication will be implemented at a higher layer in the protocol stack. In other words cryptographic protection is not implemented. The Trusted Computer System Evaluation Criteria (TCSEC) [20] specify the general principles to be applied in any computer system handling sensitive information and specifically detail the features and assurance mechanisms for general purpose host computers. The Trusted network Interpretation (TNI) 21] of the TCSEC extends these principles to network ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria. 1985. DoD 5200.28-STD.

....with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security. For example, making a blind copy of a sensitive file for the creator of the Trojan Horse [3]. At a professional meeting last week, we had a presentation by a university data center manager on a Trojan Horse attack which had shut down his operation [4] However, even these problems were limited due to the fact that connectivity during these early days was still basically limited to ....

National Computer Security Center. 1985. Department of Defense Trusted Computer System Evaluation Criteria. Orange Book.

....and are therefore reasonably portable to kernelized UNIX systems. We have also recently ported the DTE prototype to run on TMach Version 0. 2 [7] a high assurance trusted computing base designed to satisfy DoD security requirements as specified in the Trusted Computer System Evaluation Criteria [20]. Even though TMach employs a TMach specific file system format, the integration required almost no change to the DTE implementation because the integration points between the UNIX server and TMach are generally at low layers in the UNIX architecture, whereas DTE is mostly implemented in the upper ....

....finer grained control over propagation of access rights, but both mechanisms are discretionary in nature and provide little protection against error prone root programs. A variety of trusted UNIX systems have been implemented and evaluated against the Trusted Computer System Evaluation Criteria [20]. These systems typically provide MLS security but lack the flexibility of DTE. Additionally, tools such as COPS [12] check 5 Sidewinder is a trademark of Secure Computing Corporation, Inc. for system miscofigurations but do not improve on the base UNIX security mechanisms themselves. The ....

National Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria," DoD 5200.28-STD, Dec. 1985.

....sensitive information, then an accomplice executing at a lower sensitivity level can locate and reveal the information. An effective approach to object reuse must be developed for systems enforcing either identitybased or label based policies. Both the Trusted Computer System Evaluation Criteria [19] and the Common Criteria [2] stipulate mechanisms to ensure that storage objects are voided prior to reuse. As part of the Naval Postgraduate School (NPS) Multilevel Secure Local Area Network (MLS LAN) project [16] we have investigated object reuse in client PCs which may be used by a sequence ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, December 1985.

....to the favorable outcome of this effort. It is defined by the broad properties needed for a viable commercial product. Our definition of a high assurance base is a TCB that is already on the Evaluated Products List (EPL) with a Class B3 or higher digraph based upon an evaluation against the TCSEC [12] or the TNI. We considered ONLY products on the EPL. We have selected the most recent model of the Wang XTS 300. Both business and technical considerations affected our deliberations. The principal non technical consideration was the availability of software and hardware maintenance support to ....

....functions: establish a trusted path between the user and the TCB, enforce the object reuse provision of the extended TCB, and enforce data movement and access controls based on a system of labels indicating the user s authorization and data sensitivity. To insure that object reuse requirements [12] are met, workstations will be diskless, with sufficient RAM disk capability to support a wide variety of user applications. The workstation TCB extension will satisfy object reuse requirements by ensuring that RAM and other volatile primary and secondary storage at the workstation are purged ....

National Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28STD, December 1985.

....function as advertised, it has the ability to guard them from possibly damaging input (e.g. attacks on weak or overly privileged portions of a system s API) thus increasing their overall strength. The wrapper approach, therefore, contrasts but is complementary with, that of Trusted Systems[26] such as Trusted XENIX[27] and Trusted Mach[7] which are built from the ground up with support for enhanced security. In the following sections, we present our central wrappers concepts, several applications for wrappers, design and implementation issues, capabilities and limitations, and ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, December 1985.

....upgrading either A to L 3 or B to L 4 . Note that either solution is minimal according to Definition 2.2, and thus, minimal solutions for sets that include complex constraints are generally not unique. The particular minimal solution O N D E L1 L 3 P L 5 B M C F I G L 4 L 2 (a) Priority Sets [4] [3] 2] 1] P B C E F G M I O N D ffl initial levels L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 P L1 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 L 6 B try(B; L 5 ) L5 L 6 L 6 L 6 L 5 L 5 L 6 L 6 L 6 L 6 C try(C; L 4 ) L4 L 4 L 4 L 3 L 3 L 6 L 6 L 6 L 6 E try(E; L 2 ) L 2 L 4 L 3 L 3 L 6 L 6 ....

....The 3 Note that this correspondence can be assumed only for computing reachability and traversing the graph, not for actual constraint enforcement. execution of Main produces the following priority sets: priority [1] fDg priority [2] fI; O; Ng priority [3] fB; C; E; F; G; Mg priority [4] = fPg: In the following we refer to each priority [i] as priority set. In addition to computing priority assignments, Main initializes several variables that are used either during the DFS visits or in the actual classification process, as follows. For each complex constraint c, unlabeled [c] ....

[Article contains additional citation context not shown here]

Dep. Defense, National Computer Security Center, Standard DOD 5200.28-STD, 1985. Department of Defense Trusted Computer System Evaluation Criteria.

....small collections of large machines [9] Even large distributed collections of very modest machines with high latency have many uses. The security requirements of MPI users also span a wide spectrum, from high assurance systems enforcing strict well defined security policies, such as DoD MLS [16] and related policies (such as DoE policies) to corporate policies and security policies of universities. The work that needs to be done to address such diverse range of systems has not been part of the MPI 1 standard work [13] or the on going MPI 2 process [14] Previous This work was ....

National Computer Security Center, DoD. Department of Defense Trusted Computer System Evaluation Criteria, December 1985.

..... 1.0 INTRODUCTION 1.1 BACKGROUND The principal goal of the National Computer Security Center (NCSC) is to encourage the widespread availability of trusted computer systems. In support of this goal the NCSC created a metric, the DoD Trusted Computer System Evaluation Criteria (TCSEC) [17], against which computer systems could be evaluated. The TCSEC was originally published on 15 August 1983 as CSC STD 001 83. In December 1985 the Department of Defense adopted it, with a few changes, as a Department of Defense Standard, DoD 5200.28 STD. DoD Directive 5200.28, Security Requirements ....

National Computer Security Center, Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985.

....a wide variety of both internal and external threats. Which view should be adopted is a function of a number of factors including the nature of the material to be protected: its sensitivity, size, and timeliness, and the threat environment to which the system will be exposed. Under the TCSEC [28], covert channel analysis is required starting at the B2 level of assurance with increasingly rigorous analysis required for B3 and A1 systems. This is consistent with the view that high assurance security systems are primarily required to protect highly sensitive information, to counter serious ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, December 1985. DoD 5200.28-STD.

No context found.

National Computer Security Center, Fort Meade, Maryland. Department of Defense Trusted Computer System Evaluation Criteria (The Orange Book), December 1985.

No context found.

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, December 1985.

....Protocol does not define or does not even encourage the deployment of any auditing system. The fourth fundamental requirement in the Orange Book is accountability: Audit information must be selectively kept and protected so that actions a#ecting security can be traced to the responsible party [7]. In the case of a DDoS Attack against a commercial host on the internet, there will be no evidence of who launched the particular attack. An even more scaring scenario is that somebody performs several attacks on many di#erent Internet hosts and there will be no way to prevent or eliminate his ....

National computer Security Center. "Department of Defense Trusted Computer System Evaluation Criteria", 1985.

....as described in the Trusted Facilities Manual [38, 45, 46, 54, 47, 57] has been evaluated by the National Security Agency (NSA) The security features of UTS MLS 2.1. 5 were examined against the requirements specified by the Department of Defense Trusted Computer System Evaluation Criteria [81] (TCSEC) dated December 1985 in order to establish a candidate rating. The NSA evaluation team has determined that the highest class at which UTS MLS 2.1.5 satisfies all the specified requirements of the TCSEC is B1. A system that is rated as being a B1 class system provides a Trusted Computing ....

....and assurances provided by the UTS MLS 2.1.5 operating system. It documents the evaluation team s understanding of the product s security design and appraises its functionality and integrity against the B Division security requirements in the Trusted Computer System Evaluation Criteria (TCSEC) [81]. Material for the report was gathered by the NSA Amdahl evaluation team, through documentation, training, hands on testing, and interaction with system developers. 1.1 Evaluation Process Overview The Department of Defense Computer Security Center was established in January 1981 to encourage the ....

[Article contains additional citation context not shown here]

NATIONAL COMPUTER SECURITY CENTER. Department of Defense Trusted Computer System Evaluation Criteria. Linthicum, MD, December 1985. DoD 5200.28-STD.

No context found.

National Computer Security Center staff. Department of defense trusted computer system evaluation criteria. Department of Defense Computer Security Center, December 1985. DoD 5200.28-STD.

....Web services. We end with a discussion of how other Internet based services might benefit from the application of this technology. II. The Compartmented Mode Workstation The Compartmented Mode Workstation was originally developed for military and government use according to the CMWEC criteria[2] for evaluating trusted systems. The CMW class is an entirely separate but related set of criteria to the more familiar Orange Book criteria[3] In Orange Book terms, CMW has all of the B1 level security features, and includes a number of B2 and B3 features. A number of the CMW features are ....

National Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", DOD Standard 5200.28-STD, 1985.

....discretionary access control policy. Access would be granted only if both servers returned TRUE. Another reason for this alternative hierarchy is to facilitate the evaluation of a system under a trusted computer system evaluation criteria, such as that of the United States Department of Defense [9], which call for a strict separation between security critical and nonsecurity critical system components. In DTMach, for example [12] the designers separated the non securitycritical network protocol software from the trusted software of the secure operating system. In the DTMach design, the ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, December 1985. DOD-5200.28-STD.

....system were designed to call a centralized SecurityManager class which checks if the action requested is allowed (using the mechanism described above) and throws an exception if remote code is found on the call stack. The SecurityManager is meant to implement a reference monitor [Lampson 1971; National Computer Security Center 1985] always invoked, tamperproof, and easily verifiable for correctness. In practice, this design proved insufficient. First, when an application written in Java (e.g. the HotJava Web browser) wishes to run applets within itself, the low level file system and networking code has a problem ....

....combined a bug in Java s interface mechanism with a shared public variable to ultimately break the type system, and thus circumvent system security. This principle is also meant to discuss the notion of covert storage channels [Lampson 1973] an issue in the design of multi level secure systems [National Computer Security Center 1985]. Java presently makes no effort to limit or control covert channels, but this could be an interesting area for future work. 4.6 Accountability In the event that the user has granted trust to a program which then abuses that trust, logging mechanisms will be necessary to prove that damages ....

NATIONAL COMPUTER SECURITY CENTER. 1985. Department of Defense Trusted Computer System Evaluation Criteria (The Orange Book).

....is placed to the element of points of view and frames of reference, multiple design levels and applications will be addressed. 4 Assessing the Results Assessment of systems is an accepted practice by the security community. For example, the Trusted Computer System Evaluation Criteria (TCSEC) [25] describe seven system rating classes and their respective functional and assurance requirements. See Table 4 from Gasser [16] For consumers, the ratings provide an independent technical assessment of the likelihood that a system contains a flaw that would result in a catastrophic failure to ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, December 1985. DoD 5200.28-STD.

....be enforced by the TP system, first in general terms and then as a technical policy, i.e. in the context of a computer system where the policy is applied to subjects and objects. The mandatory policy can be related to corporate or government directives an example of which is DoD Directive 5200.28 [12]. Simply stated, the policy declares that only authorized users may have access to sensitive information. User authorization is conveyed through clearances, while information sensitivity is denoted by its classification. Each user will be accorded an access class which will be a combined secrecy ....

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, December 1985.

No context found.

US National Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, US Department of Defense, Ft. Meade, MD., December 1985.

No context found.

US National Computer Security Center, "Department of Defense Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, US Department of Defense, Ft. Meade, MD., December 1985.

No context found.

National Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, December 1985.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC