Because it’s driving me nuts…

No, it’s not a steering wheel – it’s the Orange Book!

Division D: Minimal Protection

Systems that were submitted but failed evaluation.

Division C: Discretionary Protection

Discretionary protection means the owner of an object decides who may access it, so users hold much of the control over security.

C has two rating categories:

C1: Discretionary Security Protection

Based on individuals and groups.

Identification and authentication of individual entities.

Some form of access control.

Protected execution domain: low-privilege processes can’t adversely affect higher-privilege processes.

System’s operational integrity can be validated.

Design documentation, test documentation and a facility manual (which helps install and configure the system properly).

User manuals.

C2: Controlled Access Protection

Users are identified individually.

Security events are audited (C2 is the lowest class that requires auditing) and the audit records are protected from unauthorized modification.

Resource or object isolation for protection and auditing (below process level).

Object reuse concept – objects are cleaned after use to prevent residual data leakage.

Strict logon and decision-making on object access requests.
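To make the C1/C2 points concrete, here is a toy discretionary access control monitor written for these notes (it is an added example, not code from the original post or from the TCSEC). It shows users identified individually and grouped, owner-controlled ACLs, an append-only audit trail of every access decision, and object reuse: freed storage is scrubbed before it is handed to the next object. All users, groups, object names and the 16-byte block size are constructed for the example; running it with `scrub=False` shows the residual-data leak that the object reuse requirement exists to prevent.

```python
# Added example for these notes (not from the original post or from the
# TCSEC itself): a toy Division C monitor. All users, groups and object
# names are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BLOCK = 16  # every object gets one fixed-size storage block


@dataclass
class Principal:
    """A user identified individually (C2) and placed in groups (C1)."""
    name: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    owner: str
    data: bytearray
    # Discretionary ACL: user name or "@group" -> rights the owner granted.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class DACMonitor:
    """Mediates every access, audits every decision, scrubs freed storage."""

    def __init__(self, scrub: bool = True) -> None:
        self.scrub = scrub  # False shows the residual-data problem C2 forbids
        self.users: Dict[str, Principal] = {}
        self.resources: Dict[str, Resource] = {}
        # Audit trail of (event, subject, object, outcome). C2 requires this
        # record to be protected from modification; here it is append-only.
        self.audit: List[Tuple[str, str, str, str]] = []
        self._free_pool: List[bytearray] = []

    def _log(self, event: str, subject: str, obj: str, outcome: str) -> None:
        self.audit.append((event, subject, obj, outcome))

    def add_user(self, name: str, groups=()) -> None:
        self.users[name] = Principal(name, set(groups))

    def create(self, user: str, rid: str) -> None:
        # Reuse a freed block when one exists, otherwise get fresh storage.
        buf = self._free_pool.pop() if self._free_pool else bytearray(BLOCK)
        self.resources[rid] = Resource(user, buf, {user: {"read", "write"}})
        self._log("create", user, rid, "ok")

    def delete(self, user: str, rid: str) -> bool:
        res = self.resources.get(rid)
        if res is None or res.owner != user:
            self._log("delete", user, rid, "denied")
            return False
        if self.scrub:
            res.data[:] = bytes(BLOCK)  # object reuse: clear before release
        self._free_pool.append(res.data)
        del self.resources[rid]
        self._log("delete", user, rid, "ok")
        return True

    def grant(self, user: str, rid: str, subject: str, right: str) -> bool:
        # Discretionary: only the owner decides who else may use the object.
        res = self.resources.get(rid)
        if res is None or res.owner != user:
            self._log("grant", user, rid, "denied")
            return False
        res.acl.setdefault(subject, set()).add(right)
        self._log("grant", user, rid, f"ok:{subject}:{right}")
        return True

    def check(self, user: str, rid: str, right: str) -> bool:
        """Access decision: explicit user entry first, then group entries."""
        res = self.resources.get(rid)
        groups = self.users[user].groups
        allowed = res is not None and (
            right in res.acl.get(user, set())
            or any(right in res.acl.get("@" + g, set()) for g in groups))
        self._log(right, user, rid, "ok" if allowed else "denied")
        return allowed

    def read(self, user: str, rid: str) -> Optional[bytes]:
        if not self.check(user, rid, "read"):
            return None
        return bytes(self.resources[rid].data).rstrip(b"\x00")

    def write(self, user: str, rid: str, payload: bytes) -> bool:
        if not self.check(user, rid, "write"):
            return False
        payload = payload[:BLOCK]
        self.resources[rid].data[:len(payload)] = payload
        return True


def demo(scrub: bool = True) -> dict:
    """Walk through the C1/C2 behaviours and return the observations."""
    m = DACMonitor(scrub=scrub)
    m.add_user("alice", {"analysts"})
    m.add_user("bob", {"analysts"})
    m.add_user("mallory")
    m.create("alice", "report")
    m.write("alice", "report", b"SALARY-DATA")
    m.grant("alice", "report", "@analysts", "read")
    bob_read = m.read("bob", "report")              # allowed via group right
    mallory_read = m.read("mallory", "report")      # no right: denied
    mallory_grant = m.grant("mallory", "report", "mallory", "read")  # not owner
    m.delete("alice", "report")
    m.create("mallory", "scratch")                  # receives the freed block
    residue = m.read("mallory", "scratch")          # b"" only if scrubbed
    return {"bob_read": bob_read, "mallory_read": mallory_read,
            "mallory_grant": mallory_grant, "residue": residue,
            "audit": list(m.audit)}


if __name__ == "__main__":
    for scrub in (True, False):
        print("scrub" if scrub else "no scrub", demo(scrub))
```

The interesting line is the scrub in `delete`: with it, the block mallory receives reads back empty; without it, mallory reads alice’s old data through a perfectly correct ACL check, which is exactly why object reuse is a separate requirement from access control.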

Division B: Mandatory Protection

MAC is enforced by means of labels.

Based on the Bell-LaPadula model; a reference monitor must mediate every access.

B1: Labeled Security

Each data object bears a classification label.

Each subject must bear a clearance label.

Data leaving the system also bears a security label.

Policy is based on an informal statement.

Design is reviewed and verified.
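The Division B bullets above (labels, Bell-LaPadula, a reference monitor) and the B1 points about subject clearances, object classifications and labeled exports can be shown in a few dozen lines. The following toy reference monitor is an added example for these notes, not code from the original post or from the TCSEC; level names, compartments, subjects and objects are all constructed. It enforces the two Bell-LaPadula rules, the simple security property (no read up) and the *-property (no write down, write up allowed as in the classic model), over labels made of a level and a compartment set, and records every decision.

```python
# Added example for these notes (not from the original post or from the
# TCSEC itself): a toy reference monitor enforcing Bell-LaPadula mandatory
# access control with labels, as Divisions B and A require. Level names,
# compartments, subjects and objects are all constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Labels form a lattice: L1 >= L2 iff the level is higher or equal
        # AND the compartments are a superset. Two labels may be incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = ",".join(sorted(self.compartments))
        return self.level + ("/" + comps if comps else "")


class ReferenceMonitor:
    """Every subject has a clearance, every object a classification, and no
    access happens except through can_read/can_write (complete mediation)."""

    def __init__(self) -> None:
        self.clearance: Dict[str, Label] = {}
        self.classification: Dict[str, Label] = {}
        self.content: Dict[str, bytes] = {}
        self.audit: List[Tuple[str, str, str, bool]] = []

    def add_subject(self, name: str, label: Label) -> None:
        self.clearance[name] = label

    def add_object(self, name: str, label: Label, data: bytes = b"") -> None:
        self.classification[name] = label
        self.content[name] = data

    def _decide(self, op: str, subj: str, obj: str, allowed: bool) -> bool:
        self.audit.append((op, subj, obj, allowed))
        return allowed

    def can_read(self, subj: str, obj: str) -> bool:
        # Simple security property ("no read up"): the subject's clearance
        # must dominate the object's classification.
        ok = self.clearance[subj].dominates(self.classification[obj])
        return self._decide("read", subj, obj, ok)

    def can_write(self, subj: str, obj: str) -> bool:
        # *-property ("no write down"): the object's classification must
        # dominate the subject's clearance, so information never flows to a
        # lower label. Writing up is allowed in the classic model.
        ok = self.classification[obj].dominates(self.clearance[subj])
        return self._decide("write", subj, obj, ok)

    def read(self, subj: str, obj: str) -> Optional[bytes]:
        return self.content[obj] if self.can_read(subj, obj) else None

    def write(self, subj: str, obj: str, data: bytes) -> bool:
        if not self.can_write(subj, obj):
            return False
        self.content[obj] = data
        return True

    def export(self, subj: str, obj: str) -> Optional[bytes]:
        """Data leaving the system carries its label (B1)."""
        data = self.read(subj, obj)
        if data is None:
            return None
        return f"[{self.classification[obj]}] ".encode() + data


def build_demo() -> ReferenceMonitor:
    """Constructed subjects and objects used by the checks below."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", Label("SECRET", frozenset({"nuclear"})))
    rm.add_subject("bob", Label("CONFIDENTIAL"))
    rm.add_object("plan", Label("SECRET", frozenset({"nuclear"})), b"plan")
    rm.add_object("memo", Label("UNCLASSIFIED"), b"memo")
    rm.add_object("ts-log", Label("TOP SECRET", frozenset({"nuclear"})))
    return rm


if __name__ == "__main__":
    rm = build_demo()
    for subj in ("alice", "bob"):
        for obj in ("plan", "memo", "ts-log"):
            print(subj, obj, "read" if rm.can_read(subj, obj) else "-",
                  "write" if rm.can_write(subj, obj) else "-")
```

Note that alice, cleared SECRET/nuclear, can read the unclassified memo but cannot write to it, while bob, cleared only CONFIDENTIAL, can write into the SECRET plan but never read it; that asymmetry is the whole point of the *-property. The compartment check also makes SECRET/crypto and SECRET/nuclear incomparable, so a level alone never decides access.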

B2: Structured Protection

Policy is clearly defined and documented.

Subjects and devices require labels.

No covert channels.

Trusted path for logon and authentication.

The subject communicates directly with the application or OS.

There are no trapdoors.

Operator and admin functions are segregated.

Distinct address spaces for each process.

Covert channel analysis.

B3: Security Domains

More granularity in the protection mechanisms.

Protection mechanisms exclude code that does not implement the policy.

Reference monitor components must be small and testable.

Reference monitor must be tamperproof.

Security admin role is clearly defined.

The system recovers from failures without a reduction in security.

Starts and loads from an initial secure state.

Division A: Verified Protection

Formal methods used to ensure control of subjects and objects.

A1: Verified Design

B3 + formal methods.

Stringent change verification.
