[CONTACT]

[ABOUT]

[POLICY]

Library Version FOREWORD This public

Found at: 0x1bi.net:70/textfiles/file?hacking/COLORBOOKS/red.txt

Library Version FOREWORD This public
                                                 NCSC-TG-005
                                        Library No. S228,526
                                                   Version 1
                          FOREWORD
     This publication is issued  by  the  National  Computer
Security  Center (NCSC) as part of its program to promulgate
technical computer security guidelines. The  interpretations
extend the evaluation classes of the Trusted Systems Evalua-
tion Criteria (DOD 5200.28-STD) to trusted  network  systems
and components.
     This document will be used for a period of at least one
year  after  date of signature.  During this period the NCSC
tion  in several network evaluations.  In addition, the NCSC
the   community  on  the  details  of  the  Trusted  Network
     Workshops and tutorials will be open to any  member  of
the network security community interested in providing feed-
back.  Anyone wishing more information, or wishing  to  pro-
vide  comments  on  the  usefulness  or  correctness  of the
Trusted Network Interpretation may contact:  Chief,  Techni-
cal  Guidelines Division, National Computer Security Center,
Ft.  George G. Meade, MD  20755-6000, ATTN: C11.  The  tele-
______________________________________________
Director
National Computer Security Center
                       ACKNOWLEDGMENT
                       ______________
     Acknowledgment is extended to the members of the  Work-
ng  Group  who produced this Interpretation.  Members were:
Alfred Arsenault, National Computer Security Center (Chair);
Dr.  Roger Schell, Gemini Computers; Stephen Walker, Trusted
Jonathan  Millen,  MITRE;  Leonard  LaPadula,  MITRE; Robert
Morris, NCSC; and  Jack  Moskowitz,  NCSC.   Also  due  ack-
nowledgement  for  their  many inputs to this interpretation
are Steve Padilla and William Shockley, Gemini Computers.
                       Introduction
                       ____________
_ _   _____
     Part I of this document provides interpretations of the
Department  of  Defense  Trusted  Computer System Evaluation
Criteria    (TCSEC)    (DOD-5200.28-STD),    for     trusted
computer/communications network systems.  The specific secu-
nternetwork systems.
     Part II of this document describes a  number  of  addi-
tional  security  services  (e.g., communications integrity,
assurance requirements, may receive qualitative ratings.
     The TCSEC related feature and  assurance  requirements,
and  the  additional  security services described herein are
ntended for  the  evaluation  of  trusted  network  systems
cedural,  and  related  protection  measures adequate to the
operate a network in a secure manner at a single system high
or assurance requirements described herein. The  full  range
of physical and administrative security measures appropriate
to the highest sensitivity level of information on the  net-
as described in this Interpretation.
     It is important to note that this  Interpretation  does
not  describe  all  the  security  requirements  that may be
mposed  on  a  network.   Depending  upon  the   particular
environment,  there may be communications security (COMSEC),
emanations security, physical security, and  other  measures
     An  environmental  evaluation  process,  such  as  that
for Applying the DoD TCSEC in Specific Environments''  (CSC-
STD-003-85),  can  be  used  to determine the level of trust
are applicable to networks evaluated under these Interpreta-
tions.
_ _   _______
     As with the TCSEC itself, this Interpretation has  been
        security features and assurance levels to build into
        their new and planned, commercial  network  products
        in  order  to  provide widely available systems that
        satisfy trust requirements  for  sensitive  applica-
        tions
        of  trust that can be placed in a given network sys-
        tem for processing sensitive information
        ments in acquisition specifications.
     With respect to the second purpose for  development  of
the  criteria, i.e., providing a security evaluation metric,
evaluations can be delineated into two types:  an evaluation
can  be  performed  on  a network product from a perspective
that excludes the application environment, or an  evaluation
can  be done to assess whether appropriate security measures
ally  in a specific environment.  The former type of evalua-
tion is  done  by  the  National  Computer  Security  Center
through the Commercial Product Evaluation Process.
     The latter type of evaluation, those done for the  pur-
certification  evaluation.   It  must be understood that the
completion of a formal product evaluation does  not  consti-
tute  certification  or  accreditation  for the system to be
used in any specific application environment.  On  the  con-
trary, the evaluation report only provides a trusted network
from a computer security point of view.  The system security
certification  and  the  formal  approval/accreditation pro-
cedure, done in accordance with the applicable  policies  of
the  issuing  agencies, must still be followed before a net-
     This Interpretation can be used directly and indirectly
n the certification process.  Along with applicable policy,
t can be used directly as technical guidance for evaluation
of  the  total system and for specifying system security and
certification requirements for new  acquisitions.   Where  a
that has undergone a Commercial Product Evaluation,  reports
from that process will be used as input to the certification
evaluation. Technical data will be furnished  to  designers,
evaluators,  and  the DAAs to support their needs for making
     The  fundamental  computer  security  requirements   as
_ _   __________
     The term ``sponsor'' is used throughout  this  document
to  represent  the  individual  or  entity  responsible  for
     A network system is the entire collection of  hardware,
firmware,  and software necessary to provide a desired func-
tionality.
     A component is any part of  a  system  that,  taken  by
tself, provides all or a portion of the total functionality
be an individual unit, not useful to further subdivide, or a
collection of components up to and including the entire sys-
tem.
     Because the term integrity has  been  used  in  various
contexts  to denote specific aspects of an overall issue, it
s important for the reader to  understand  the  context  in
n the TCSEC itself, the use of this term is limited to  (1)
the correct operation of NTCB hardware/firmware and (2) pro-
tection against  unauthorized  modification  of  labels  and
labels (viz., Divisions A and B) must, as  detailed  in  the
Label  Integrity  section  of  the TCSEC, protect the labels
that represent the sensitivity of information (contained  in
objects) and the corresponding authorizations of users (with
the accesses of users that modify information-. As  part  of
the  NTCB  itself, such integrity policies will be supported
by access control mechanisms based on the identity of  indi-
viduals  (for  discretionary  integrity)  and/or sensitivity
levels (for mandatory integrity).  In contrast, within  Part
tion transfer between distinct components.  This  communica-
tions  integrity includes the issues for correctness of mes-
_________________________
  - See, for example, K. J. Biba, Integrity  Considera-
                                  _________  _________
tions  for Secure Computer Systems, MTR-3153, The MITRE
_____  ___ ______ ________ _______
Corporation, Bedford, MA, June 1975.
     In many network environments, encryption  can  play  an
essential role in protecting sensitive information.  In Part
encryption is described as a tool for protecting  data  from
compromise  or  modification attacks.  Encryption algorithms
and their implementation are outside the scope of this docu-
ment.  This document was prepared from a DoD perspective and
other contexts, alternate approval authority may exist.
     As with the TCSEC itself, this is a reference  document
and is not intended to be used as a tutorial.  The reader is
assumed to be familiar with  the  background  literature  on
computer security  and  communications  networks=.  Part  II
assumes  a  familiarity with the terminology used within ISO
Security Services documentation.
_________________________
  = See, for example, M. D. Abrams and  H.  J.  Podell,
Tutorial:  Computer and Network Security, IEEE Computer
________   ________ ___ _______ ________
Society Press, 1987.
  * ISO 7498/Part 2 - Security Architecture, ISO  /  TC
    ___ ____ ____ _   ________ ____________
_ _ _   _______ ________ ______ __________ ________
     The DoD TCSEC was published in December 1985 to provide
a   means  of  evaluating  specific  security  features  and
assurance requirements available in  ``trusted  commercially
available   automatic   data   processing  (ADP)  systems,''
(AIS).   The rating scale of the TCSEC extends from a rating
for  ``state  of  the art'' features and assurance measures.
These technical criteria guide system builders  and  evalua-
tors in determining the level of trust required for specific
minimum  security  protection  requirements, and appropriate
accreditation decisions for specific  installations  can  be
TCSEC requires that the  access  of  subjects  (i.e.,  human
users or processes acting on their behalf) to objects (i.e.,
containers of sensitive information) be mediated  in  accor-
     In order to ensure strict compatibility  between  TCSEC
evaluated  AIS  and  networks  and  their components, and to
avoid the possible evolution of incompatible evaluation cri-
teria,  Part  I  of  this  document  has  been  specifically
s  based  entirely on the principles of the TCSEC, uses all
TCSEC basic definitions, and introduces  new  concepts  only
text.  Unless otherwise stated, the TCSEC requirements apply
as written.  The approach of interpreting the TCSEC for net-
number of specific complex network and AIS applications.
     There are several security policy models  that  may  be
used  with the reference monitor concept.  The Bell-LaPadula
model is commonly used but is not mandated.   Similarly  for
ntegrity policy, models such as Biba have been proposed but
are not  mandated.   For  this  network  interpretation,  no
necessary that either a secrecy policy, an integrity policy,
or  both be specified for enforcement by the reference moni-
tor.
     In the context of network systems, there are  a  number
of  additional  security services that do not normally arise
n individual AIS, and are not appropriate to  the  detailed
feature  and  assurance  evaluation prescribed by the TCSEC.
These security services, which may or may not  be  available
n  specific  network offerings, include provisions for com-
munications security, denial of service, transmission  secu-
sms and protocols.  Part  II  of  this  document  describes
these  services and provides a qualitative means of evaluat-
ng their effectiveness when provided.
     Evaluation of Part II  offered  services  is  dependent
upon  the  results  of  the  system's  Part  I evaluation or
component's Appendix A evaluation.   A  Part  II  evaluation
tify which security services are offered by a system or com-
normally give a none, minimum, fair or good rating for those
that  can be given or a quantitative measure of strength may
be used as the basis for rating.  A  not  applicable  rating
_ _ _   ___ _______ _____
     DoD Directive 5200.28 (and similar  policies  elsewhere
n  government) establishes the concept of a DAA, an indivi-
this approval process and the technical advisory role to the
DAA  provided  by  the  TCSEC are well understood.  The same
approval process applies to networks of AIS and plays a  key
using this Interpretation.
     Depending upon the operational  and  technical  charac-
teristics  of  the  environment  in  which a network exists,
either of two views for accreditation  and  evaluation  pur-
nected separately accredited AIS or as a single unified sys-
tem  the security accreditation of which is the responsibil-
ty of a single authority.
     The security feature and assurance  requirements  of  a
under this Interpretation, is greatly impacted by which view
of the network is appropriate.
_ _ _ _   ______________ __________ ___ ____
     The interconnected accredited AIS  view  is  an  opera-
tional perspective that recognizes that parts of the network
may  be  independently  created,  managed,  and  accredited.
Where  different accrediting jurisdictions are involved, the
between the components involved.
     Interconnected accredited AIS consist of multiple  sys-
tems  (some of which may be trusted) that have been indepen-
and  lowest  sensitivity  levels  of information that may be
ndividual  AIS  may be thought of as ``devices'' with which
neighboring systems can send and receive information.   Each
AIS  is accredited to handle sensitive information at a sin-
level.
     The  range  of  sensitive  information  that   may   be
exchanged  between  two  such AIS is a range, agreed upon by
each system's approving authorities, which cannot exceed the
maximum  sensitivity  levels  in common between the two sys-
tems.
     Because of the complex structure of a network  consist-
ng  of interconnected accredited AIS, it may not be practi-
cal to evaluate such a network using this Interpretation  or
to  assign  it  a  trusted system rating.  In this case, the
accreditor is forced to accept the  risk  of  assessing  the
against the principles of the TCSEC as interpreted in Part I
of  the  document.   Appendix C describes the rules for con-
necting separately accredited AIS and the  circumstances  in
_ _ _ _   ______ _______ ______ ____
     The policy  enforcement  by  trusted  components  in  a
``single  trusted  system'' exhibits a common level of trust
throughout.  A single trusted system is accredited as a sin-
circumstances where a system will process  information  from
multiple   sensitive  sources,  more  then  one  accrediting
authority may be involved, but their responsibility will  be
for  accrediting the whole system as a single entity for use
Networks  such  as  these  can  be  evaluated  against  this
AIS evaluated by the TCSEC itself.
     A ``single trusted system'' network implements a refer-
ence monitor to enforce the access of subjects to objects in
accordance with an explicit and well defined  network  secu-
base, referred to as  the  Network  Trusted  Computing  Base
(NTCB),  which  is partitioned (see section I.4.2) among the
network components in a manner that ensures the overall net-
     Every  component  that  is  trusted  must   enforce   a
component-level security policy that may contain elements of
the  overall  network  security  policy.  The  sum  of   all
component-level  security  policies must be shown to enforce
the overall network security policy.
     There is no requirement that  every  component  in  the
network  have  an NTCB partition nor that any such partition
comprise a complete TCB (e.g., a network component could  be
only that portion of the NTCB). Interaction among NTCB  par-
titions  shall  be via communications channels, operating at
either single or multiple levels as appropriate.   The  net-
tioned and how  all  the  trusted  system  requirements  are
     A given component that does not enforce the full imple-
mentation  of  all  polices (i.e., mandatory access control,
and  audit) must be evaluated as a component as specified in
Appendix A.  For example, a network architecture  that  does
not operate above Level 3 of the ISO protocol model and typ-
cally does not enforce discretionary access control must be
evaluated  as a component under Appendix A and not as a full
_ _ _ _ _   __________ ________ ___________
     In many networking environments,  the  overall  network
authorized connections across the network.  The access  con-
trol mediation performed by the components of these networks
enforces the establishment of connections between host  com-
authorized connection  list.   While  a  connection-oriented
abstractions  may  be  difficult but is required in order to
evaluate the network.
     Individual trusted  network  components  may  employ  a
local mechanism to enforce mediation only between local sub-
components  may have no direct involvement with the enforce-
ment of network connections.  Others, however, will have  an
additional higher level network connection enforcement role.
This higher level  connection-oriented  abstraction  may  be
enforced  solely  within  an  individual component or may be
encryption case, cryptographic front end devices enforce the
network connection authorization decisions made by an access
control/key management center.)
     With the connection-oriented abstraction, the  role  of
the  network  as a whole in controlling information flow may
be more easily understood, but there may be no simple way to
extend  this  abstraction  to the reference monitor require-
ments of individual components in the network.  The  overall
network  security policy must be decomposed into policy ele-
ments that are allocated to appropriate components and  used
as  the  basis  for  security  policy  models for these com-
     The reference  monitor  subject/object  definitions  as
enforcement at the individual component level  but  may  not
oriented  abstraction  may be essential to understanding the
overall network security policy.  The  network  architecture
must demonstrate the linkage between the connection-oriented
abstraction and its realization in the individual components
of the network.
_ _ _ _ _   ________ ___ _______
     For purposes of this  trusted  network  interpretation,
the  terms  ``subject'' and ``object'' are defined as in the
TCSEC.
     The subjects of a trusted network  commonly  fall  into
two  classes:   those  that serve as direct surrogates for a
user (where ``user'' is synonymous  with  ``human  being''),
and  ``internal''  subjects  that provide services for other
than being made part of each user surrogate subject.
     There is a set of TCSEC requirements that are  directed
at  users,  rather  than  subjects.  In the network context,
AIS (e.g., protocol handlers) are usually provided by inter-
nal subjects.  Some components that provide only  communica-
tions facilitating services have only internal subjects.
     Examples of ``single trusted system'' networks or  com-
networks (as found in the Defense Data Network  (DDN),  end-
to-end (or host-to-host) encryption systems (such as used in
Blacker or ANSI X9.17  implementations),  application  level
networks or closed user community systems (such as the Inter
Service/Agency Automated Message Processing Exchange [I  S/A
AMPE]  and  SACDIN  Programs),  local area networks, digital
vices Digital Network (ISDN) implementations, and a  Virtual
Machine  Monitor (VMM) on a single computer when analyzed as
a network.
_ _   __________ __ ________
     The  TCSEC  provides  a  means   for   evaluating   the
trustworthiness  of  a  system  and  assigning an evaluation
class based on its technical properties - independent of the
as  a  whole  with  its various interconnected components is
on design and implementation choices  as  long  as  for  the
_________________________
  - Examples are employed throughout this  document  to
clarify the concepts presented.  The naming of an exam-
nor on its suitability for any particular purpose.
a  definitive  protection domain boundary.  The features and
assurance measures provided within the  TCB  perimeter  will
as PARTITIONED into  a  set  of  interconnected  components,
tion.''  All interaction  between  such  trusted  components
must  be  via  ``communication  channels or I/O devices'' as
_ _ _   _______ ________ ____________ ___ ______
     Any network evaluated under  this  Interpretation  must
(Interconnection of components that do not adhere to such  a
Network  Security Architecture is addressed in the Intercon-
nection Rules, Appendix C.)  The Network Security  Architec-
ture  must  address  the  security-relevant policies, objec-
tives, and protocols.  The Network Security Design specifies
the  interfaces  and services that must be incorporated into
the network so that it can be evaluated as a trusted entity.
There  may  be  multiple  designs  that  conform to the same
architecture but which are more  or  less  incompatible  and
non-interoperable   (except   through   the  Interconnection
Rules).  Security related mechanisms that  require  coopera-
tion  among  components are specified in the design in terms
of their visible interfaces; mechanisms which have no  visi-
ble  interfaces  are  not specified in this document but are
left as implementation decisions.
     The Network Security Architecture and  Design  must  be
available  from the network sponsor before evaluation of the
network, or any component, can be undertaken.   The  Network
Security  Architecture  and Design must be sufficiently com-
the  construction  or assembly of a trusted network based on
the structure it specifies.
     When a component is being  designed  or  presented  for
evaluation,  or  when a network assembled from components is
assembled or presented  for  evaluation,  there  must  be  a
Design are satisfied.  That is, the components are  assembl-
able into a network that conforms in every way with the Net-
tion indicates.
     In order for a trusted network to be  constructed  from
components  that  can  be  built  independently, the Network
Security Architecture and Design must completely and unambi-
Network  Security  Architecture and Design must be evaluated
to determine that a network constructed  to  its  specifica-
tions  will  in  fact  be  trusted,  that  is,  it  will be
evaluatable under these Interpretations.
_ _ _   ___ ___________ ____
     Like a stand-alone  system,  the  network  as  a  whole
of the totality of security-relevant portions  of  the  net-
evaluation of the network rests on an understanding  of  how
the  security  mechanisms  are  distributed and allocated to
various components, in such a way that the  security  policy
s  supported  reliably in spite of (1) the vulnerability of
the communication paths and (2) the concurrent, asynchronous
operation of the network components.
     Some distributed systems have reliable, protected  com-
munication  paths  and  thus  satisfy only the first charac-
teristic of  a  network:   the  division  into  concurrently
operating,  communicating  processing  components.  Although
certain interpretations  in  this  Interpretation  will  not
apply to them, it may be beneficial to employ this Interpre-
tation to evaluate  them,  and  to  take  advantage  of  the
nterpretations  relating to component properties and inter-
faces.
     An NTCB that is distributed over a  number  of  network
components  is  referred to as partitioned, and that part of
the NTCB residing in a given component is referred to as  an
NTCB  partition.   A network host may possess a TCB that has
TCB does not necessarily coincide with the NTCB partition in
the host, in the sense of having the same  security  perime-
ter.  Whether it does or not depends on whether the security
the  network security policy, to the extent that it is allo-
cated to that host.
     Even when a network host has a TCB that has been previ-
ously  evaluated  at a given class, and the host's TCB coin-
cides with the host's NTCB partition, there is  still  no  a
and the evaluation class of the network.  Some examples will
be given below to illustrate this point.
     To evaluate a network at a given class,  each  require-
ment  in Part I for that class must be satisfied by the net-
each  requirement  is  allocated  among  the  network's com-
the  entire  security  policy  in isolation; others, such as
network  security  policy may be allocated to different net-
     Forcing every component to satisfy a  specific  Part  I
that the network as a whole meets that requirement.
     To show that it is not sufficient, consider two trusted
multilevel AIS that export and import labeled information to
and from each other over a direct connection.  Both  satisfy
the  Label Integrity requirement that a sensitivity label be
accurately and unambiguously associated with exported  data.
for the same sensitive information, the network as  a  whole
above  that  there be uniform labeling of sensitive informa-
tion throughout the network.
     To show that it is not necessary, consider  the  Manda-
tory  Access  Control  requirement  that at least two sensi-
tivity levels be supported.  Suppose that the  network  con-
maintaining labels and are operating at different levels  in
a  single-level  mode.   If  they are interconnected through
can support the ``two or more levels'' requirement.
     The allocation of a requirement to a component does not
solation, but includes the possibility that it  depends  on
other  components  to  satisfy  the  requirement locally, or
cooperates with other components to ensure that the require-
ment is satisfied elsewhere in the network.
     Taken together, these examples illustrate the essential
ng and evaluating a trusted network.
_ _ _   _________ __________
     Because network components are often supplied  by  dif-
ferent  vendors  and are designed to support standardized or
common functions  in  a  variety  of  networks,  significant
advantages  can accrue from a procedure for evaluating indi-
vidual components.  The purpose of component  evaluation  is
to  aid  both the network designer and the evaluator by per-
forming the evaluation process once and reusing the  results
     There are four types of security policies that  may  be
     1.   Mandatory Access Control
     2.   Discretionary Access Control
     3.   Supportive policies (e.g., Authentication, Audit)
     4.   Application policies (e.g., the  policy  supported
          by  a DBMS that is distinct from that supported by
          the underlying system)
Application level policies are user dependent and  will  not
be considered further in these Interpretations.
     For a component to support a policy such  as  Mandatory
Access  Controls,  it must support all the required features
for that policy with all of the required assurances  of  the
_ _   _________ __ ___ ________
     The remainder of this  document  is  divided  into  two
a list of references.  Part I presents TCSEC statements  and
TCSEC statement applies as modified by  the  Interpretation.
covered in the TCSEC interpretation which may be  applicable
to  networks. Appendix A describes the evaluation of network
components. Appendix B describes the rationale  for  network
accredited AIS.
 
              Part I:  Interpretations of the 
              ____ _   _______________ __ ___ 
 
        Trusted Computer System Evaluation Criteria 
        _______ ________ ______ __________ ________ 
 
 
Highlighting (ALL CAPS) is used in Part I to indicate criteria
not contained  in a lower class or changes and additions to
already defined criteria.  Where there is no highlighting, 
addition or modification. 
 
 
            1.0 DIVISION D:  MINIMAL PROTECTION 
            _ _ ________ _   _______ __________ 
 
 
This division contains only one class.  It is  reserved  for 
those systems that have been evaluated but that fail to meet 
the requirements for a higher evaluation class. 
 
 
 
 
         2.0 DIVISION C:  DISCRETIONARY PROTECTION 
         _ _ ________ _   _____________ __________ 
 
 
Classes in this division provide  for  discretionary  (need- 
to-know)  protection  and,  through  the  inclusion of audit 
capabilities, for accountability of subjects and the actions 
they initiate. 
 
 
 
     2.1 CLASS (C1): DISCRETIONARY SECURITY PROTECTION 
     _ _ _____  __   _____________ ________ __________ 
 
 
     THE NETWORK TRUSTED COMPUTING BASE  (NTCB)  OF  A 
     CLASS  (C1) NETWORK SYSTEM NOMINALLY SATISFIES THE 
     DISCRETIONARY SECURITY REQUIREMENTS  BY  PROVIDING 
     SEPARATION  OF  USERS  AND  DATA.  IT INCORPORATES 
     SOME FORM OF CREDIBLE CONTROLS CAPABLE OF  ENFORC- 
     ING  ACCESS  LIMITATIONS  ON  AN INDIVIDUAL BASIS, 
     I.E., OSTENSIBLY SUITABLE FOR ALLOWING USERS TO BE 
     ABLE TO PROTECT PRIVATE OR PROJECT INFORMATION AND 
     TO KEEP OTHER USERS FROM ACCIDENTALLY  READING  OR 
     DESTROYING THEIR DATA.  THE CLASS (C1) ENVIRONMENT 
     IS EXPECTED TO BE ONE OF  COOPERATING  USERS  PRO- 
     CESSING  DATA AT THE SAME LEVEL(S) OF SENSITIVITY. 
     THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR SYSTEMS 
     ASSIGNED A CLASS (C1) RATING. 
            
 
     
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     THE NETWORK SPONSOR SHALL DESCRIBE THE OVERALL  NETWORK 
SECURITY  POLICY  ENFORCED  BY  THE NTCB. AT A MINIMUM, THIS 
BLE  TO THIS CLASS.  THE POLICY MAY REQUIRE DATA SECRECY, OR 
DATA INTEGRITY, OR BOTH.  THE POLICY SHALL INCLUDE A DISCRE- 
TIONARY  POLICY  FOR  PROTECTING  THE INFORMATION BEING PRO- 
CESSED BASED ON THE AUTHORIZATIONS OF  USERS  OR  GROUPS  OF 
USERS.   THIS ACCESS CONTROL POLICY STATEMENT SHALL DESCRIBE 
THE REQUIREMENTS ON THE NETWORK TO PREVENT OR DETECT  "READ- 
USERS OR ERRORS. UNAUTHORIZED USERS INCLUDE BOTH THOSE  THAT 
ARE  NOT  AUTHORIZED TO USE THE NETWORK AT ALL (E.G., A USER 
ATTEMPTING TO USE A PASSIVE OR ACTIVE WIRE TAP) OR A LEGITI- 
MATE  USER  OF THE NETWORK WHO IS NOT AUTHORIZED TO ACCESS A 
SPECIFIC PIECE OF INFORMATION BEING PROTECTED. 
      
     NOTE THAT "USERS" DOES NOT INCLUDE "OPERATORS," "SYSTEM 
OFFICERS," AND OTHER SYSTEM  SUPPORT  PERSONNEL.   THEY  ARE 
DISTINCT  FROM USERS AND ARE SUBJECT TO THE TRUSTED FACILITY 
MANUAL AND THE SYSTEM ARCHITECTURE REQUIREMENTS.  SUCH INDI- 
VIDUALS MAY CHANGE THE SYSTEM PARAMETERS OF THE NETWORK SYS- 
TEM, FOR EXAMPLE, BY DEFINING MEMBERSHIP OF A GROUP.   THESE 
 
        SECRECY POLICY: THE NETWORK SPONSOR SHALL DEFINE THE 
        FORM  OF  THE  DISCRETIONARY  SECRECY POLICY THAT IS 
        ENFORCED IN  THE  NETWORK  TO  PREVENT  UNAUTHORIZED 
        USERS   FROM   READING   THE  SENSITIVE  INFORMATION 
        ENTRUSTED TO THE NETWORK. 
  
 
        DATA INTEGRITY POLICY:  THE  NETWORK  SPONSOR  SHALL 
        DEFINE THE DISCRETIONARY INTEGRITY POLICY TO PREVENT 
        UNAUTHORIZED USERS FROM  MODIFYING,  VIZ.,  WRITING, 
        SENSITIVE   INFORMATION.   THE  DEFINITION  OF  DATA 
        INTEGRITY PRESENTED BY THE NETWORK SPONSOR REFERS TO 
        THE  REQUIREMENT  THAT  THE INFORMATION HAS NOT BEEN 
        SUBJECTED TO UNAUTHORIZED MODIFICATION IN  THE  NET- 
        WORK. 
         
 
+ Rationale 
 
     THE WORD "SPONSOR" IS USED  IN  PLACE  OF  ALTERNATIVES 
(SUCH   AS   "VENDOR,"   "ARCHITECT,"   "MANUFACTURER,"  AND 
"DEVELOPER") BECAUSE THE ALTERNATIVES  INDICATE  PEOPLE  WHO 
MAY NOT BE AVAILABLE, INVOLVED, OR RELEVANT AT THE TIME THAT 
A NETWORK SYSTEM IS PROPOSED FOR EVALUATION. 
       
     A TRUSTED NETWORK IS ABLE TO CONTROL BOTH  THE  READING 
AND  WRITING  OF  SHARED  SENSITIVE INFORMATION.  CONTROL OF 
WRITING IS USED TO PROTECT AGAINST DESTRUCTION  OF  INFORMA- 
TION. A NETWORK NORMALLY IS EXPECTED TO HAVE POLICY REQUIRE- 
MENTS TO PROTECT BOTH  THE  SECRECY  AND  INTEGRITY  OF  THE 
FREQUENTLY AS IMPORTANT OR MORE IMPORTANT THAN  THE  SECRECY 
REQUIREMENTS.  THEREFORE THE SECRECY AND/OR INTEGRITY POLICY 
TO BE ENFORCED BY THE NETWORK MUST BE STATED FOR  EACH  NET- 
WORK  REGARDLESS OF ITS EVALUATION CLASS. THE ASSURANCE THAT 
THE POLICY  IS  FAITHFULLY  ENFORCED  IS  REFLECTED  IN  THE 
EVALUATION CLASS OF THE NETWORK. 
     
 
     THIS CONTROL OVER MODIFICATION  IS  TYPICALLY  USED  TO 
CONTROL THE POTENTIAL HARM THAT WOULD RESULT IF THE INFORMA- 
TION  WERE  CORRUPTED.   THE OVERALL NETWORK POLICY REQUIRE- 
MENTS FOR INTEGRITY INCLUDES THE PROTECTION  FOR  DATA  BOTH 
WHILE  BEING  PROCESSED  IN  A  COMPONENT  AND  WHILE  BEING 
TRANSMITTED IN  THE  NETWORK.   THE  ACCESS  CONTROL  POLICY 
ENFORCED  BY  THE  NTCB RELATES TO THE ACCESS OF SUBJECTS TO 
OBJECTS WITHIN  EACH  COMPONENT.   COMMUNICATIONS  INTEGRITY 
ADDRESSED  WITHIN PART II RELATES TO INFORMATION WHILE BEING 
TRANSMITTED. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL DEFINE AND CONTROL ACCESS BETWEEN NAMED  USERS 
AND NAMED OBJECTS (E.G., FILES AND PROGRAMS) IN THE ADP SYS- 
TEM.  THE  ENFORCEMENT  MECHANISM  (E.G.,  SELF/GROUP/PUBLIC 
CONTROLS, ACCESS CONTROL LISTS) SHALL ALLOW USERS TO SPECIFY 
AND CONTROL SHARING OF THOSE OBJECTS BY NAMED INDIVIDUALS OR 
DEFINED GROUPS OF INDIVIDUALS, OR BOTH. 
       
 
+  Interpretation 
 
     THE DISCRETIONARY ACCESS CONTROL (DAC) MECHANISM(S) MAY 
BE  DISTRIBUTED  OVER  THE PARTITIONED NTCB IN VARIOUS WAYS. 
SOME PART, ALL, OR NONE OF THE DAC MAY BE IMPLEMENTED  IN  A 
GIVEN  COMPONENT OF THE NETWORK SYSTEM.  IN PARTICULAR, COM- 
NO  SUBJECTS ACTING AS DIRECT SURROGATES FOR USERS), SUCH AS 
A PUBLIC NETWORK PACKET SWITCH, MIGHT NOT IMPLEMENT THE  DAC 
MECHANISM(S)  DIRECTLY  (E.G.,  THEY ARE UNLIKELY TO CONTAIN 
ACCESS CONTROL LISTS). 
   
     IDENTIFICATION OF USERS BY GROUPS MAY  BE  ACHIEVED  IN 
VARIOUS  WAYS  IN  THE NETWORKING ENVIRONMENT.  FOR EXAMPLE, 
THE NETWORK IDENTIFIERS (E.G., INTERNET ADDRESSES) FOR VARI- 
OUS  COMPONENTS (E.G., HOSTS, GATEWAYS) CAN BE USED AS IDEN- 
TIFIERS OF GROUPS OF INDIVIDUAL USERS (E.G., "ALL  USERS  AT 
HOST A," "ALL USERS OF NETWORK Q") WITHOUT EXPLICIT IDENTIF-
USERS IMPLIED), IF THIS IS CONSISTENT WITH THE NETWORK SECU- 
RITY POLICY. 
 
     FOR NETWORKS, INDIVIDUAL HOSTS WILL IMPOSE NEED-TO-KNOW 
CONTROLS OVER THEIR USERS - MUCH LIKE (IN FACT, PROBABLY THE 
SAME) CONTROLS USED WHEN THERE IS NO NETWORK CONNECTION. 
     WHEN GROUP IDENTIFIERS ARE ACCEPTABLE FOR  ACCESS  CON- 
TROL,  THE IDENTIFIER OF SOME OTHER HOST MAY BE EMPLOYED, TO 
ELIMINATE THE MAINTENANCE THAT WOULD BE REQUIRED IF  INDIVI- 
DUAL IDENTIFICATION OF REMOTE USERS WAS EMPLOYED. 
 
     THE DAC MECHANISM OF A NTCB  PARTITION  MAY  BE  IMPLE- 
MENTED  AT  THE INTERFACE OF THE REFERENCE MONITOR OR MAY BE 
DISTRIBUTED IN SUBJECTS THAT ARE PART OF  THE  NTCB  IN  THE 
SAME  OR  DIFFERENT COMPONENT. THE REFERENCE MONITOR MANAGES 
ALL THE PHYSICAL RESOURCES  OF  THE  SYSTEM  AND  FROM  THEM 
CREATES THE ABSTRACTION OF SUBJECTS AND OBJECTS THAT IT CON- 
TROLS. SOME OF THESE SUBJECTS AND OBJECTS  MAY  BE  USED  TO 
     WHEN INTEGRITY IS INCLUDED AS PART OF THE NETWORK  DIS- 
CRETIONARY  SECURITY POLICY, THE ABOVE INTERPRETATIONS SHALL 
BE SPECIFICALLY APPLIED TO THE CONTROLS  OVER  MODIFICATION, 
VIZ,  THE  WRITE MODE OF ACCESS, WITHIN EACH COMPONENT BASED 
ON IDENTIFIED USERS OR GROUPS OF USERS. 
 
 
+  Rationale 
 
     IN THIS CLASS, THE SUPPORTING ELEMENTS OF  THE  OVERALL 
DAC  MECHANISM ARE TREATED EXACTLY AS UNTRUSTED SUBJECTS ARE 
TREATED WITH RESPECT TO DAC IN AN ADP SYSTEM, WITH THE  SAME 
RESULT AS NOTED IN THE INTERPRETATION.  STRENGTHENING OF THE 
DAC MECHANISM IN THE  NETWORK  ENVIRONMENT  IS  PROVIDED  IN 
CLASS (C2) (SEE THE DISCRETIONARY ACCESS CONTROL SECTION). 
 
     A TYPICAL SITUATION FOR DAC IS THAT A SURROGATE PROCESS 
FOR A REMOTE USER WILL BE CREATED IN SOME HOST FOR ACCESS TO 
OBJECTS UNDER THE CONTROL OF THE NTCB PARTITION WITHIN  THAT 
HOST.  THE INTERPRETATION REQUIRES THAT A USER IDENTIFIER BE 
ASSIGNED AND MAINTAINED FOR EACH SUCH PROCESS BY  THE  NTCB, 
SO  THAT  ACCESS BY A SURROGATE PROCESS IS SUBJECT TO ESSEN- 
TIALLY THE SAME DISCRETIONARY CONTROLS AS ACCESS BY  A  PRO- 
CESS  ACTING  ON  BEHALF OF A LOCAL USER WOULD BE.  HOWEVER, 
WITHIN THIS INTERPRETATION A RANGE OF  POSSIBLE  INTERPRETA- 
TIONS OF THE ASSIGNED USER IDENTIFICATION IS PERMITTED. 
  
     THE MOST OBVIOUS SITUATION  WOULD  EXIST  IF  A  GLOBAL 
DATABASE OF NETWORK USERS WERE TO BE MADE PERMANENTLY AVAIL- 
ABLE ON DEMAND TO EVERY HOST, (I.E., A NAME SERVER  EXISTED) 
SO THAT ALL USER IDENTIFICATIONS WERE GLOBALLY MEANINGFUL. 
  
     IT IS ALSO ACCEPTABLE, HOWEVER, FOR  SOME  NTCB  PARTI- 
TIONS TO MAINTAIN A DATABASE OF LOCALLY-REGISTERED USERS FOR 
THE CREATION OF SURROGATE PROCESSES FOR LOCALLY UNREGISTERED 
USERS, OR (IF PERMITTED BY THE LOCAL POLICY)  ALTERNATIVELY, 
TO   PERMIT   THE   CREATION  OF  SURROGATE  PROCESSES  WITH
GROUP OF USERS ON A PARTICULAR REMOTE HOST.  THE  INTENT  OF 
THE  WORDS CONCERNING AUDIT IN THE INTERPRETATION IS TO PRO- 
VIDE A MINIMALLY ACCEPTABLE DEGREE OF AUDITABILITY FOR CASES 
SUCH  AS THE LAST DESCRIBED.  WHAT IS REQUIRED IS THAT THERE 
BE A CAPABILITY, USING THE AUDIT FACILITIES PROVIDED BY  THE 
NETWORK  NTCB  PARTITIONS  INVOLVED,  TO  DETERMINE  WHO WAS 
LOGGED IN AT THE ACTUAL HOST OF THE GROUP OF REMOTE USERS AT 
THE TIME THE SURROGATE PROCESSING OCCURED. 
     ASSOCIATING THE PROPER USER ID WITH A SURROGATE PROCESS 
THAT DAC IS APPLIED LOCALLY, WITH RESPECT TO THE USER ID  OF 
THE  SURROGATE  PROCESS.   THE TRANSMISSION OF THE DATA BACK 
ACROSS THE NETWORK TO THE USER'S HOST, AND THE CREATION OF A 
COPY OF THE DATA THERE, IS NOT THE BUSINESS OF DAC. 
  
     COMPONENTS THAT SUPPORT ONLY INTERNAL  SUBJECTS  IMPACT 
THE IMPLEMENTATION OF THE DAC BY PROVIDING SERVICES BY WHICH 
WOULD BE THE CASE THAT A USER AT HOST A ATTEMPTS TO ACCESS A 
FILE  AT  HOST  B.   THE  DAC DECISION MIGHT BE (AND USUALLY 
WOULD BE) MADE AT HOST B ON THE BASIS OF A USER-ID TRANSMIT- 
TED FROM HOST A TO HOST B. 
 
     UNIQUE USER IDENTIFICATION MAY BE ACHIEVED BY A VARIETY 
OF  MECHANISMS, INCLUDING (A) A REQUIREMENT FOR UNIQUE IDEN- 
TIFICATION AND AUTHENTICATION ON THE HOST WHERE ACCESS TAKES 
ADDRESSES AUTHENTICATED BY ANOTHER HOST AND FORWARDED TO THE 
HOST WHERE ACCESS TAKES PLACE; OR (C) ADMINISTRATIVE SUPPORT 
OF A NETWORK-WIDE UNIQUE PERSONNEL IDENTIFIER THAT COULD  BE 
AUTHENTICATED AND FORWARDED BY ANOTHER HOST AS IN (B) ABOVE, 
OR COULD BE AUTHENTICATED AND FORWARDED BY A DEDICATED  NET- 
WORK  IDENTIFICATION  AND AUTHENTICATION SERVER.  THE PROTO- 
COLS WHICH IMPLEMENT (B) OR (C) ARE SUBJECT  TO  THE  SYSTEM 
ARCHITECTURE REQUIREMENTS. 
  
     NETWORK SUPPORT FOR DAC MIGHT BE HANDLED IN OTHER  WAYS 
THAN  THAT DESCRIBED AS "TYPICAL" ABOVE. IN PARTICULAR, SOME 
FORM OF CENTRALIZED ACCESS CONTROL IS  OFTEN  PROPOSED.   AN 
ACCESS  CONTROL CENTER MAY MAKE ALL DECISIONS FOR DAC, OR IT 
MAY SHARE THE BURDEN WITH THE HOSTS BY CONTROLLING  HOST-TO- 
HOST  CONNECTIONS, AND LEAVING THE HOSTS TO DECIDE ON ACCESS 
TO THEIR OBJECTS BY USERS AT A LIMITED SET OF REMOTE  HOSTS. 
BETWEEN THE CONNECTION ORIENTED ABSTRACTION (AS DISCUSSED IN 
THE  INTRODUCTION)  AND  THE OVERALL NETWORK SECURITY POLICY 
FOR DAC.  IN ALL CASES THE ENFORCEMENT OF THE DECISION  MUST 
BE PROVIDED BY THE HOST WHERE THE OBJECT RESIDES. 
   
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL REQUIRE USERS TO  IDENTIFY  THEMSELVES  TO  IT 
BEFORE  BEGINNING  TO PERFORM ANY OTHER ACTIONS THAT THE TCB 
USER'S IDENTITY. THE TCB SHALL PROTECT  AUTHENTICATION  DATA 
SO THAT IT CANNOT BE ACCESSED BY ANY UNAUTHORIZED USER. 
 
+  Interpretation 
 
     THE REQUIREMENT FOR IDENTIFICATION  AND  AUTHENTICATION 
OF USERS IS THE SAME FOR A NETWORK SYSTEM AS FOR AN ADP SYS- 
TEM. THE IDENTIFICATION AND AUTHENTICATION MAY  BE  DONE  BY 
THE  COMPONENT  TO  WHICH  THE USER IS DIRECTLY CONNECTED OR 
SOME OTHER COMPONENT, SUCH AS AN IDENTIFICATION AND  AUTHEN- 
TICATION  SERVER.   AVAILABLE  TECHNIQUES,  SUCH  AS   THOSE 
DESCRIBED IN THE PASSWORD  GUIDELINE=,  ARE  GENERALLY  ALSO 
APPLICABLE  IN  THE NETWORK CONTEXT. HOWEVER, IN CASES WHERE 
THE NTCB IS EXPECTED TO MEDIATE ACTIONS OF A HOST (OR  OTHER 
NETWORK  COMPONENT)  THAT  IS  ACTING ON BEHALF OF A USER OR 
GROUP OF USERS,  THE  NTCB  MAY  EMPLOY  IDENTIFICATION  AND 
AUTHENTICATION  OF  THE HOST (OR OTHER COMPONENT) IN LIEU OF 
 
     AUTHENTICATION INFORMATION, INCLUDING THE IDENTITY OF A 
USER  (ONCE  AUTHENTICATED) MAY BE PASSED FROM ONE COMPONENT 
TO ANOTHER WITHOUT REAUTHENTICATION, SO  LONG  AS  THE  NTCB 
THORIZED DISCLOSURE AND MODIFICATION. THIS PROTECTION  SHALL 
OF MECHANISM) AS PERTAINS TO THE PROTECTION OF THE AUTHENTI- 
CATION MECHANISM AND AUTHENTICATION DATA. 
     
 
+  Rationale 
 
     THE NEED FOR ACCOUNTABILITY IS NOT CHANGED IN THE  CON- 
TEXT  OF A NETWORK SYSTEM.  THE FACT THAT THE NTCB IS PARTI- 
TIONED OVER A SET OF COMPONENTS NEITHER REDUCES THE NEED NOR 
NETWORK  SYSTEM  AT THE (C1) LEVEL (WHEREIN EXPLICIT INDIVI- 
DUAL USER ACCOUNTABILITY  IS  NOT  REQUIRED),    "INDIVIDUAL 
ACCOUNTABILITY" CAN BE SATISFIED BY IDENTIFICATION OF A HOST 
(OR OTHER COMPONENT).  IN ADDITION, THERE IS NO  NEED  IN  A 
DISTRIBUTED  PROCESSING SYSTEM LIKE A NETWORK TO REAUTHENTI- 
CATE A USER AT EACH POINT IN THE NETWORK WHERE A  PROJECTION 
OF  A USER (VIA THE SUBJECT OPERATING ON BEHALF OF THE USER) 
     THE PASSING OF IDENTIFIERS AND/OR AUTHENTICATION INFOR- 
MATION FROM ONE COMPONENT TO ANOTHER IS USUALLY DONE IN SUP- 
TROL  (DAC).   THIS  SUPPORT  RELATES  DIRECTLY  TO  THE DAC 
REGARDING ACCESS BY A USER TO A STORAGE  OBJECT  IN  A  DIF- 
FERENT  NTCB  PARTITION  THAN  THE  ONE  WHERE  THE USER WAS 
AUTHENTICATED. EMPLOYING A FORWARDED IDENTIFICATION  IMPLIES 
ADDITIONAL  RELIANCE  ON THE SOURCE AND COMPONENTS ALONG THE  
 
 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL MAINTAIN A DOMAIN FOR ITS OWN  EXECUTION  THAT 
BY MODIFICATION OF ITS CODE OR DATA STRUCTURES).   RESOURCES 
CONTROLLED  BY  THE  TCB MAY BE A DEFINED SUBSET OF THE SUB- 
JECTS AND OBJECTS IN THE ADP SYSTEM. 
 
+  Interpretation 
 
    THE SYSTEM ARCHITECTURE CRITERION MUST BE MET INDIVIDU- 
ALLY BY ALL NTCB PARTITIONS.  IMPLEMENTATION OF THE REQUIRE- 
MENT THAT THE NTCB MAINTAIN A DOMAIN FOR ITS  OWN  EXECUTION 
FOR ITS OWN EXECUTION. 
 
     THE SUBSET OF NETWORK RESOURCES OVER WHICH THE NTCB HAS 
CONTROL  ARE  THE  UNION OF THE SETS OF RESOURCES OVER WHICH 
THE NTCB PARTITIONS HAVE CONTROL.  CODE AND DATA  STRUCTURES 
BELONGING  TO  THE  NTCB,  TRANSFERRED  AMONG  NTCB SUBJECTS 
(I.E., SUBJECTS OUTSIDE THE REFERENCE MONITOR BUT INSIDE THE 
NTCB)  BELONGING  TO DIFFERENT NTCB PARTITIONS, MUST BE PRO- 
TECTED AGAINST  EXTERNAL  INTERFERENCE  OR  TAMPERING.   FOR 
EXAMPLE,  A  CRYPTOGRAPHIC CHECKSUM OR PHYSICAL MEANS MAY BE 
EMPLOYED  TO  PROTECT  USER  AUTHENTICATION  DATA  EXCHANGED 
BETWEEN NTCB PARTITIONS. 
 
+  Rationale 
 
     THE REQUIREMENT FOR THE  PROTECTION  OF  COMMUNICATIONS 
BETWEEN NTCB PARTITIONS IS SPECIFICALLY DIRECTED TO SUBJECTS 
THAT ARE PART OF THE NTCB PARTITIONS.  ANY REQUIREMENTS  FOR 
SUCH  PROTECTION  FOR THE SUBJECTS THAT ARE OUTSIDE THE NTCB 
REQUIREMENTS OF THE SECURITY POLICY. 
     
 
 
+ Statement from DoD 5200.28-STD 
 
HARDWARE AND/OR SOFTWARE FEATURES SHALL BE PROVIDED THAT CAN 
BE  USED  TO  PERIODICALLY VALIDATE THE CORRECT OPERATION OF 
THE ON-SITE HARDWARE AND FIRMWARE ELEMENTS OF THE TCB. 
 
+  Interpretation 
 
     IMPLEMENTATION OF THE REQUIREMENT IS PARTLY ACHIEVED BY 
HAVING HARDWARE AND/OR SOFTWARE FEATURES THAT CAN BE USED TO 
AND  FIRMWARE  ELEMENTS  OF EACH COMPONENT'S NTCB PARTITION. 
FEATURES SHALL ALSO BE PROVIDED TO VALIDATE THE IDENTITY AND 
CORRECT  OPERATION OF A COMPONENT PRIOR TO ITS INCORPORATION 
EXAMPLE,  A PROTOCOL COULD BE DESIGNED THAT ENABLES THE COM- 
TOCOL SHALL BE ABLE TO DETERMINE THE REMOTE ENTITY'S ABILITY 
TO  RESPOND. NTCB PARTITIONS SHALL PROVIDE THE CAPABILITY TO 
REPORT TO  NETWORK  ADMINISTRATIVE  PERSONNEL  THE  FAILURES 
DETECTED IN OTHER NTCB PARTITIONS. 
     
     INTERCOMPONENT  PROTOCOLS  IMPLEMENTED  WITHIN  A  NTCB 
SHALL BE DESIGNED IN SUCH A WAY AS TO PROVIDE CORRECT OPERA- 
TION IN THE CASE OF FAILURES OF  NETWORK  COMMUNICATIONS  OR 
ACCESS CONTROL POLICY IN A NETWORK MAY REQUIRE COMMUNICATION 
BETWEEN  TRUSTED  SUBJECTS  THAT ARE PART OF THE NTCB PARTI- 
TIONS IN DIFFERENT COMPONENTS.  THIS COMMUNICATION  IS  NOR- 
MALLY  IMPLEMENTED  WITH  A PROTOCOL BETWEEN THE SUBJECTS AS 
NOT  RESULT FROM FAILURE OF AN NTCB PARTITION TO COMMUNICATE 
WITH OTHER COMPONENTS. 
   
+ Rationale 
 
     THE  FIRST  PARAGRAPH  OF  THE  INTERPRETATION   IS   A 
STRAIGHTFORWARD  EXTENSION  OF THE REQUIREMENT INTO THE CON- 
TEXT OF A NETWORK SYSTEM AND PARTITIONED NTCB AS DEFINED FOR 
THESE NETWORK CRITERIA. 
 
     NTCB PROTOCOLS SHOULD BE ROBUST  ENOUGH  SO  THAT  THEY 
THE INTEGRITY OF THE NTCB ITSELF.  IT IS NOT UNUSUAL FOR ONE 
OR MORE COMPONENTS IN A NETWORK TO  BE  INOPERATIVE  AT  ANY 
TIME,  SO  IT  IS  IMPORTANT TO MINIMIZE THE EFFECTS OF SUCH 
FAILURES ON THE REST OF THE  NETWORK.  ADDITIONAL  INTEGRITY 
AND DENIAL OF SERVICE ISSUES ARE ADDRESSED IN PART II. 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE SECURITY MECHANISMS OF THE ADP SYSTEM  SHALL  BE  TESTED 
AND  FOUND  TO  WORK AS CLAIMED IN THE SYSTEM DOCUMENTATION. 
TESTING SHALL BE DONE TO ASSURE THAT THERE  ARE  NO  OBVIOUS 
WAYS  FOR AN UNAUTHORIZED USER TO BYPASS OR OTHERWISE DEFEAT 
THE SECURITY PROTECTION MECHANISMS  OF  THE  TCB.  (SEE  THE 
SECURITY TESTING GUIDELINES.) 
 
+  Interpretation 
 
     TESTING OF A COMPONENT  WILL  REQUIRE  A  TESTBED  THAT 
EXERCISES  THE  INTERFACES  AND PROTOCOLS OF THE COMPONENT. 
THE TESTING OF A SECURITY MECHANISM OF  THE  NETWORK  SYSTEM 
FOR  MEETING  THIS  CRITERION SHALL BE AN INTEGRATED TESTING 
TION  THAT  IMPLEMENT  THE  GIVEN MECHANISM. THIS INTEGRATED 
TESTING IS ADDITIONAL  TO  ANY  INDIVIDUAL  COMPONENT  TESTS 
SOR SHOULD IDENTIFY  THE  ALLOWABLE  SET  OF  CONFIGURATIONS 
OF  THESE  CONFIGURATIONS.  A CHANGE IN CONFIGURATION WITHIN 
THE ALLOWABLE SET OF CONFIGURATIONS DOES NOT REQUIRE RETEST- 
 
+  Rationale 
 
  TESTING IS THE PRIMARY METHOD AVAILABLE IN THIS EVALUA- 
TION  DIVISION  TO  GAIN  ANY  ASSURANCE  THAT  THE SECURITY 
MECHANISMS PERFORM THEIR INTENDED FUNCTION. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A SINGLE SUMMARY, CHAPTER, OR MANUAL IN  USER  DOCUMENTATION 
SHALL  DESCRIBE  THE  PROTECTION  MECHANISMS PROVIDED BY THE 
TCB, INTERPRETATIONS ON THEIR USE,  AND  HOW  THEY  INTERACT 
WITH ONE ANOTHER. 
 
+  Interpretation 
 
     THIS USER DOCUMENTATION DESCRIBES USER VISIBLE  PROTEC- 
TION  MECHANISMS AT THE GLOBAL (NETWORK SYSTEM) LEVEL AND AT 
THE USER INTERFACE OF EACH COMPONENT,  AND  THE  INTERACTION 
AMONG THESE. 
  
+  Rationale 
 
     THE INTERPRETATION IS AN EXTENSION OF  THE  REQUIREMENT 
NETWORK CRITERIA.  DOCUMENTATION  OF  PROTECTION  MECHANISMS 
TERIA FOR TRUSTED  COMPUTER  SYSTEMS  THAT  ARE  APPLIED  AS 
APPROPRIATE FOR THE INDIVIDUAL COMPONENTS. 
  
 
 
+ Statement from DoD 5200.28-STD 
 
A MANUAL ADDRESSED TO THE  ADP  SYSTEM  ADMINISTRATOR  SHALL 
BE CONTROLLED WHEN RUNNING A SECURE FACILITY. 
  
+ Interpretation 
 
     THIS MANUAL SHALL CONTAIN SPECIFICATIONS AND PROCEDURES 
TO ASSIST THE SYSTEM ADMINISTRATOR(S) MAINTAIN COGNIZANCE OF 
THE NETWORK CONFIGURATION.  THESE  SPECIFICATIONS  AND  PRO- 
CEDURES SHALL ADDRESS THE FOLLOWING: 
 
  NETWORK; 
 
  LEAVE  THE  NETWORK  (E.G., BY CRASHING, OR BY BEING 
  DISCONNECTED) AND THEN REJOIN; 
  
  SECURITY  OF  THE  NETWORK SYSTEM; (FOR EXAMPLE, THE 
  MANUAL  SHOULD  DESCRIBE  FOR  THE  NETWORK   SYSTEM 
  ADMINISTRATOR  THE INTERCONNECTIONS AMONG COMPONENTS 
  THAT ARE CONSISTENT WITH THE OVERALL NETWORK  SYSTEM 
  ARCHITECTURE.) 
 
  (E.G., DOWN-LINE LOADING). 
    THE PHYSICAL AND ADMINISTRATIVE ENVIRONMENTAL  CONTROLS 
SHALL  BE  SPECIFIED.   ANY  ASSUMPTIONS ABOUT SECURITY OF A 
GIVEN NETWORK SHOULD BE CLEARLY STATED (E.G., THE FACT  THAT 
ALL  COMMUNICATIONS  LINKS MUST BE PHYSICALLY PROTECTED TO A 
CERTAIN LEVEL). 
  
 
+ Rationale 
 
     THERE  MAY  BE  MULTIPLE  SYSTEM  ADMINISTRATORS   WITH 
DIVERSE  RESPONSIBILITIES.   THE TECHNICAL SECURITY MEASURES 
DESCRIBED BY THESE CRITERIA MUST BE USED IN CONJUNCTION WITH 
OTHER  FORMS OF SECURITY IN ORDER TO ACHIEVE SECURITY OF THE 
NETWORK.  ADDITIONAL FORMS INCLUDE ADMINISTRATIVE  SECURITY, 
 
 
     EXTENSION OF  THIS  CRITERION  TO  COVER  CONFIGURATION 
ASPECTS  OF  THE  NETWORK  IS  NEEDED  BECAUSE, FOR EXAMPLE, 
TO  ACHIEVE  A  CORRECT REALIZATION OF THE NETWORK ARCHITEC- 
TURE. 
 
 
     CRYPTOGRAPHY  IS ONE COMMON MECHANISM EMPLOYED TO  PRO- 
TECT  COMMUNICATION  CIRCUITS.   ENCRYPTION  TRANSFORMS  THE 
REPRESENTATION OF INFORMATION SO THAT IT  IS  UNINTELLIGIBLE 
TO  UNAUTHORIZED  SUBJECTS.  REFLECTING THIS TRANSFORMATION, 
THE SENSITIVITY OF THE CIPHERTEXT IS  GENERALLY  LOWER  THAN   
THE  CLEARTEXT.   IF  ENCRYPTION METHODOLOGIES ARE EMPLOYED, 
THEY SHALL BE  APPROVED  BY  THE  NATIONAL  SECURITY  AGENCY 
(NSA). 
 
     THE ENCRYPTION ALGORITHM  AND  ITS  IMPLEMENTATION  ARE 
OUTSIDE  THE SCOPE OF THESE INTERPRETATIONS.  THIS ALGORITHM 
AND IMPLEMENTATION MAY BE IMPLEMENTED IN A  SEPARATE  DEVICE 
OR  MAY  BE A FUNCTION OF A SUBJECT IN A COMPONENT NOT DEDI- 
CATED TO ENCRYPTION.  WITHOUT PREJUDICE, EITHER  IMPLEMENTA- 
TION  PACKAGING  IS  REFERRED  TO AS AN ENCRYPTION MECHANISM 
HEREIN. 
 
 
+ Statement from DoD 5200.28-STD 
 
THE SYSTEM DEVELOPER SHALL PROVIDE TO THE EVALUATORS A DOCU- 
MENT THAT DESCRIBES THE TEST PLAN, TEST PROCEDURES THAT SHOW 
HOW THE SECURITY MECHANISMS WERE TESTED, AND RESULTS OF  THE 
SECURITY MECHANISMS' FUNCTIONAL TESTING. 
  
 
+  Interpretation 
 
    THE "SYSTEM DEVELOPER" IS INTERPRETED AS  "THE  NETWORK 
SYSTEM  SPONSOR".   THE  DESCRIPTION OF THE TEST PLAN SHOULD 
ESTABLISH THE CONTEXT IN WHICH THE TESTING WAS OR SHOULD  BE 
CONDUCTED.   THE  DESCRIPTION SHOULD IDENTIFY ANY ADDITIONAL 
TEST COMPONENTS THAT  ARE  NOT  PART  OF  THE  SYSTEM  BEING 
EVALUATED.  THIS INCLUDES A DESCRIPTION OF THE TEST-RELEVANT 
FUNCTIONS OF SUCH TEST COMPONENTS AND A DESCRIPTION  OF  THE 
EVALUATED.  THE DESCRIPTION OF THE  TEST  PLAN  SHOULD  ALSO 
DEMONSTRATE  THAT  THE  TESTS  ADEQUATELY  COVER THE NETWORK 
SECURITY POLICY.  THE  TESTS  SHOULD  INCLUDE  THE  FEATURES 
DESCRIBED   IN   THE  SYSTEM  ARCHITECTURE  AND  THE  SYSTEM 
CONFIGURATION AND SIZING. 
 
+  Rationale 
 
     THE ENTITY BEING EVALUATED MAY BE A NETWORKING  SUBSYS- 
TEM (SEE APPENDIX A) TO WHICH OTHER COMPONENTS MUST BE ADDED 
TO MAKE A  COMPLETE  NETWORK  SYSTEM.  IN  THAT  CASE,  THIS 
BECAUSE, AT EVALUATION TIME, IT IS NOT POSSIBLE TO  VALIDATE 
THE  TEST  PLANS  WITHOUT THE DESCRIPTION OF THE CONTEXT FOR 
TESTING THE NETWORKING SUBSYSTEM. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
DOCUMENTATION SHALL BE AVAILABLE THAT PROVIDES A DESCRIPTION 
OF THE MANUFACTURER'S PHILOSOPHY OF PROTECTION AND AN EXPLA- 
NATION OF HOW THIS PHILOSOPHY IS TRANSLATED INTO THE TCB. IF 
THE  TCB  IS  COMPOSED  OF  DISTINCT MODULES, THE INTERFACES 
BETWEEN THESE MODULES SHALL BE DESCRIBED. 
+  Interpretation 
 
     EXPLANATION OF HOW THE SPONSOR'S PHILOSOPHY OF  PROTEC- 
TION IS TRANSLATED INTO THE NTCB SHALL INCLUDE A DESCRIPTION 
OF HOW THE NTCB IS PARTITIONED.  THE  SECURITY  POLICY  ALSO
SHALL  BE STATED.  THE DESCRIPTION OF THE INTERFACES BETWEEN 
THE NTCB MODULES SHALL INCLUDE THE INTERFACE(S) BETWEEN NTCB 
EXIST.  THE SPONSOR SHALL DESCRIBE THE SECURITY ARCHITECTURE 
AND  DESIGN,  INCLUDING  THE ALLOCATION OF SECURITY REQUIRE- 
MENTS AMONG  COMPONENTS.   APPENDIX  A  ADDRESSES  COMPONENT 
EVALUATION ISSUES. 
  
+  Rationale 
 
     THE INTERPRETATION IS A  STRAIGHTFORWARD  EXTENSION  OF 
THE  REQUIREMENT  INTO  THE  CONTEXT  OF A NETWORK SYSTEM AS 
DEFINED FOR THIS NETWORK INTERPRETATION.   OTHER  DOCUMENTA- 
TION,  SUCH  AS DESCRIPTION OF COMPONENTS AND DESCRIPTION OF 
OPERATING ENVIRONMENT(S) IN WHICH THE  NETWORKING  SUBSYSTEM 
OR NETWORK SYSTEM IS DESIGNED TO FUNCTION, IS REQUIRED ELSE- 
WHERE, E.G., IN THE TRUSTED FACILITY MANUAL. 
 
     IN ORDER TO BE EVALUATED,  A  NETWORK  MUST  POSSESS  A 
COHERENT  NETWORK SECURITY ARCHITECTURE AND DESIGN.  (INTER- 
CONNECTION OF COMPONENTS THAT DO NOT ADHERE TO SUCH A SINGLE 
COHERENT  NETWORK  SECURITY ARCHITECTURE IS ADDRESSED IN THE 
SECURITY  ARCHITECTURE  MUST  ADDRESS  THE SECURITY-RELEVANT 
DESIGN  SPECIFIES  THE  INTERFACES AND SERVICES THAT MUST BE 
A  TRUSTED  ENTITY.  THERE MAY BE MULTIPLE DESIGNS THAT CON- 
FORM TO THE SAME ARCHITECTURE BUT ARE MORE OR LESS  INCOMPA-   
TIBLE AND NON-INTEROPERABLE (EXCEPT THROUGH THE INTERCONNEC- 
TION RULES).  SECURITY RELATED MECHANISMS REQUIRING COOPERA- 
TION  AMONG  COMPONENTS ARE SPECIFIED IN THE DESIGN IN TERMS   
OF THEIR VISIBLE INTERFACES; MECHANISMS  HAVING  NO  VISIBLE 
AS IMPLEMENTATION DECISIONS. 
 
     THE NETWORK SECURITY ARCHITECTURE AND  DESIGN  MUST  BE 
AVAILABLE  FROM THE NETWORK SPONSOR BEFORE EVALUATION OF THE 
NETWORK, OR ANY COMPONENT, CAN BE UNDERTAKEN.   THE  NETWORK 
SECURITY  ARCHITECTURE  AND DESIGN MUST BE SUFFICIENTLY COM- 
THE  CONSTRUCTION  OR ASSEMBLY OF A TRUSTED NETWORK BASED ON 
THE STRUCTURE IT SPECIFIES. 
 
     WHEN A COMPONENT IS BEING  DESIGNED  OR  PRESENTED  FOR 
EVALUATION,  OR  WHEN A NETWORK ASSEMBLED FROM COMPONENTS IS 
ASSEMBLED OR PRESENTED  FOR  EVALUATION,  THERE  MUST  BE  A 
DESIGN ARE SATISFIED.  THAT IS, THE COMPONENTS CAN BE ASSEM- 
BLED INTO A NETWORK THAT CONFORMS IN EVERY WAY WITH THE NET- 
WORK SECURITY ARCHITECTURE AND DESIGN TO PRODUCE A  PHYSICAL 
REALIZATION  THAT  IS TRUSTED TO THE EXTENT THAT ITS EVALUA- 
TION INDICATES. 
 
     IN ORDER FOR A TRUSTED NETWORK TO BE  CONSTRUCTED  FROM 
COMPONENTS  THAT  CAN  BE  BUILT  INDEPENDENTLY, THE NETWORK 
SECURITY ARCHITECTURE AND DESIGN MUST COMPLETELY AND UNAMBI- 
GUOUSLY  DEFINE  THE SECURITY FUNCTIONALITY OF COMPONENTS AS 
WELL AS THE INTERFACES BETWEEN  OR  AMONG  COMPONENTS.   THE 
NETWORK  SECURITY  ARCHITECTURE AND DESIGN MUST BE EVALUATED 
TO   DETERMINE   THAT   A   NETWORK   CONSTRUCTED   TO   ITS 
SPECIFICATIONS  WILL IN FACT BE TRUSTED, THAT IS, IT WILL BE 
EVALUATABLE UNDER THESE INTERPRETATIONS. 
 
 
 
 
        2.2 CLASS (C2): CONTROLLED ACCESS PROTECTION 
        _ _ _____  __   __________ ______ __________ 
 
 
     NETWORK SYSTEMS  IN  THIS  CLASS  ENFORCE  A  MORE 
     FINELY  GRAINED  DISCRETIONARY ACCESS CONTROL THAN 
     (C1) NETWORK SYSTEMS,  MAKING  USERS  INDIVIDUALLY 
     ACCOUNTABLE  FOR  THEIR ACTIONS THROUGH LOGIN PRO- 
     CEDURES, AUDITING OF SECURITY-RELEVANT EVENTS, AND 
     RESOURCE  ISOLATION.   THE  FOLLOWING  ARE MINIMAL 
     REQUIREMENTS FOR SYSTEMS  ASSIGNED  A  CLASS  (C2) 
     RATING. 
 
 
_ _ _ ________ ______ 
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     The network sponsor shall describe the overall  network 
ble  to this class.  The policy may require data secrecy, or 
tionary  policy  for  protecting  the information being pro- 
cessed based on the authorizations of INDIVIDUALS, users, or 
unauthorized users or  errors.  Unauthorized  users  include 
both those that are not authorized to use the network at all 
(e.g., a user attempting to use a  passive  or  active  wire 
tap)  or a legitimate user of the network who is not author- 
zed to access a specific piece of  information  being  pro-
tected. 
 
     Note that "users" does not include "operators," "system 
officers," and other system  support  personnel.   They  are 
Manual and the System Architecture requirements.  Such indi- 
viduals  may  change  the  system  parameters of the network 
These individuals may also have the separate role of users. 
 
 
        SECRECY POLICY: The network sponsor shall define the 
        form  of  the  discretionary  secrecy policy that is 
        enforced in  the  network  to  prevent  unauthorized 
        users   from   reading   the  sensitive  information 
        entrusted to the network. 
 
 
        DATA INTEGRITY POLICY:  The  network  sponsor  shall 
        define the discretionary integrity policy to prevent 
        unauthorized users from  modifying,  viz.,  writing, 
        sensitive   information.   The  definition  of  data 
        integrity presented by the network sponsor refers to 
        the  requirement  that  the information has not been 
        subjected to unauthorized modification in  the  net- 
        work. 
 
+ Rationale 
 
     The word "sponsor" is used  in  place  of  alternatives 
(such   as   "vendor,"   "architect,"   "manufacturer,"  and 
"developer") because the alternatives  indicate  people  who 
may not be available, involved, or relevant at the time that 
a network system is proposed for evaluation. 
 
     A trusted network is able to control both  the  reading 
and  writing  of  shared  sensitive information.  Control of 
tion. A network normally is expected to have policy require- 
ments to protect both  the  secrecy  and  integrity  of  the 
nformation  entrusted to it.  In a network the integrity is
frequently as important or more important than  the  secrecy 
to be enforced by the network must be stated for  each  net- 
the policy  is  faithfully  enforced  is  reflected  in  the 
evaluation class of the network. 
 
     This control over modification  is  typically  used  to 
control the potential harm that would result if the informa- 
tion  were  corrupted.   The overall network policy require- 
ments for integrity includes the protection  for  data  both 
transmitted in  the  network.   The  access  control  policy 
enforced  by  the  NTCB relates to the access of subjects to 
objects within  each  component.   Communications  integrity 
addressed  within Part II relates to information while being 
transmitted. 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall define and control access between named  users 
and named objects (e.g., files and programs) in the ADP sys- 
tem.  The  enforcement  mechanism  (e.g.,  self/group/public 
controls, access control lists) shall allow users to specify 
and control sharing of those objects by named individuals or 
CONTROLS TO LIMIT PROPAGATION OF ACCESS RIGHTS.  THE DISCRE- 
TIONARY  ACCESS  CONTROL MECHANISM SHALL, EITHER BY EXPLICIT 
USER ACTION OR BY DEFAULT, PROVIDE  THAT  OBJECTS  ARE  PRO- 
TECTED  FROM  UNAUTHORIZED  ACCESS.   THESE  ACCESS CONTROLS 
SHALL BE CAPABLE OF INCLUDING OR  EXCLUDING  ACCESS  TO  THE 
GRANULARITY  OF  A  SINGLE  USER.   ACCESS  PERMISSION TO AN 
OBJECT BY USERS NOT  ALREADY  POSSESSING  ACCESS  PERMISSION 
SHALL ONLY BE ASSIGNED BY AUTHORIZED USERS. 
 
+  Interpretation 
 
     The discretionary access control (DAC) mechanism(s) may 
be  distributed  over  the partitioned NTCB in various ways. 
Some part, all, or none of the DAC may be implemented  in  a 
no  subjects acting as direct surrogates for users), such as 
a public network packet switch, might not implement the  DAC 
mechanism(s)  directly  (e.g.,  they are unlikely to contain 
access control lists). 
 
     Identification of users by groups may  be  achieved  in 
various  ways  in  the networking environment.  For example, 
the network identifiers (e.g., internet addresses) for vari- 
ous  components (e.g., hosts, gateways) can be used as iden- 
tifiers of groups of individual users (e.g., "all  users  at 
Host  A," "all users of network Q") SO LONG AS THE INDIVIDU- 
ALS INVOLVED IN THE GROUP ARE IMPLIED BY THE GROUP  IDENTIF- 
FOR WHICH IT MAINTAINS A LIST  OF  EXPLICIT  USERS  IN  THAT 
GROUP,  IN  ITS  NETWORK EXCHANGE WITH HOST B, WHICH ACCEPTS 
THE GROUP-ID UNDER THE CONDITIONS OF THIS INTERPRETATION. 
 
     For networks, individual hosts will impose need-to-know 
controls over their users ON THE BASIS OF NAMED INDIVIDUALS 
- much like (in fact, probably the same) controls used  when 
there is no network connection. 
 
     When group identifiers are acceptable for  access  con- 
trol,  the identifier of some other host may be employed, to 
eliminate the maintenance that would be required if  indivi- 
C2 AND HIGHER, HOWEVER, IT MUST BE POSSIBLE FROM THAT  AUDIT 
RECORD  TO  IDENTIFY  (IMMEDIATELY  OR  AT  SOME LATER TIME) 
EXACTLY THE INDIVIDUALS REPRESENTED BY A GROUP IDENTIFIER AT 
THE TIME OF THE USE OF THAT IDENTIFIER.  THERE IS ALLOWED TO 
BE AN UNCERTAINTY BECAUSE OF ELAPSED TIME BETWEEN CHANGES IN 
THE  GROUP MEMBERSHIP AND THE ENFORCEMENT IN THE ACCESS CON- 
TROL MECHANISMS. 
 
     The DAC mechanism of a NTCB  partition  may  be  imple- 
mented  at  the interface of the reference monitor or may be 
all the physical resources  of  the  system  and  from  them 
creates the abstraction of subjects and objects that it con- 
trols. Some of these subjects and objects  may  be  used  to 
mplement  a  part  of  the NTCB.  WHEN THE DAC MECHANISM IS
DISTRIBUTED IN SUCH NTCB SUBJECTS (I.E.,  WHEN  OUTSIDE  THE 
REFERENCE  MONITOR),  THE  ASSURANCE  REQUIREMENTS  (SEE THE 
ASSURANCE SECTION) FOR THE DESIGN AND IMPLEMENTATION OF  THE 
DAC  SHALL BE THOSE OF CLASS C2 FOR ALL NETWORKS OF CLASS C2 
OR ABOVE. 
 
     When integrity is included as part of the network  dis- 
cretionary  security policy, the above interpretations shall 
be specifically applied to the controls  over  modification, 
viz,  the  write mode of access, within each component based 
on identified users or groups of users. 
 
+  Rationale 
 
     In this class, THE SUPPORTING ELEMENTS OF  THE  OVERALL 
DAC  MECHANISM ARE REQUIRED TO ISOLATE INFORMATION (OBJECTS) 
THAT SUPPORTS DAC SO THAT IT IS SUBJECT TO AUDITING REQUIRE- 
MENTS  (SEE  THE  SYSTEM  ARCHITECTURE SECTION).  THE USE OF 
NETWORK IDENTIFIERS TO IDENTIFY GROUPS OF  INDIVIDUAL  USERS 
COULD  BE  IMPLEMENTED, FOR EXAMPLE, AS AN X.25 COMMUNITY OF 
OTHER  RESPECTS,  the supporting elements of the overall DAC 
mechanism are treated  exactly  as  untrusted  subjects  are 
treated  with respect to DAC in an ADP system, with the same 
 
     A typical situation for DAC is that a surrogate process 
for a remote user will be created in some host for access to 
objects under the control of the NTCB partition within  that 
assigned and maintained for each such process by  the  NTCB, 
tially the same discretionary controls as access by  a  pro- 
cess  acting  on  behalf of a local user would be.  However, 
tions of the assigned user identification is permitted. 
 
     The most obvious situation  would  exist  if  a  global 
able on demand to every host, (i.e., a name server  existed) 
 
     It is also acceptable, however, for  some  NTCB  parti- 
tions to maintain a database of locally-registered users for 
ts own use.  In such a case, one could  choose  to  inhibit
the creation of surrogate processes for locally unregistered 
users, or (if permitted by the local policy)  alternatively, 
to   permit   the   creation  of  surrogate  processes  with 
dentify the process as executing on behalf of a member of a
the  words concerning audit in the interpretation is to pro- 
vide a minimally acceptable degree of auditability for cases 
be a capability, using the audit facilities provided by  the 
network  NTCB  partitions  involved,  to  determine  who was 
logged in at the actual host of the group of remote users at 
the time the surrogate processing occured. 
 
     Associating the proper user id with a surrogate process 
s  the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id  of 
the  surrogate  process.   The transmission of the data back 
across the network to the user's host, and the creation of a 
copy of the data there, is not the business of DAC. 
 
     Components that support only internal  subjects  impact 
the implementation of the DAC by providing services by which 
nformation (e.g., a user-id) is made available  to  a  com-
file  at  Host  B.   The  DAC decision might be (and usually 
ted from Host A to Host B. 
 
     Unique user identification may be achieved by a variety 
of  mechanisms, including (a) a requirement for unique iden- 
tification and authentication on the host where access takes 
addresses authenticated by another host and forwarded to the 
of a network-wide unique personnel identifier that could  be 
authenticated and forwarded by another host as in (b) above, 
or could be authenticated and forwarded by a dedicated  net- 
cols which implement (b) or (c) are subject  to  the  System 
Architecture requirements. 
 
     Network support for DAC might be handled in other  ways 
than  that described as "typical" above. In particular, some 
form of centralized access control is  often  proposed.   An 
access  control center may make all decisions for DAC, or it 
may share the burden with the hosts by controlling  host-to- 
to their objects by users at a limited set of remote  hosts. 
between the connection oriented abstraction (as discussed in 
the  Introduction)  and  the overall network security policy 
for DAC.  In all cases the enforcement of the decision  must 
be provided by the host where the object resides. 
 
 
+ Statement from DoD 5200.28-STD 
 
ALL AUTHORIZATIONS TO THE  INFORMATION  CONTAINED  WITHIN  A 
STORAGE OBJECT SHALL BE REVOKED PRIOR TO INITIAL ASSIGNMENT, 
ALLOCATION OR REALLOCATION TO A SUBJECT FROM THE TCB'S  POOL 
OF   UNUSED  STORAGE  OBJECTS.   NO  INFORMATION,  INCLUDING 
ENCRYPTED REPRESENTATIONS  OF  INFORMATION,  PRODUCED  BY  A 
THAT OBTAINS ACCESS TO AN OBJECT THAT HAS BEEN RELEASED BACK 
TO THE SYSTEM. 
 
+  Interpretation 
 
     THE NTCB SHALL ENSURE THAT ANY STORAGE OBJECTS THAT  IT 
CONTROLS  (E.G., MESSAGE BUFFERS UNDER THE CONTROL OF A NTCB 
SUBJECT  IN THAT COMPONENT IS NOT AUTHORIZED BEFORE GRANTING 
ACCESS.  THIS REQUIREMENT MUST BE ENFORCED BY  EACH  OF  THE 
NTCB PARTITIONS. 
 
+  Rationale 
 
     IN A NETWORK SYSTEM, STORAGE OBJECTS  OF  INTEREST  ARE 
THINGS  THAT  THE  NTCB  DIRECTLY  CONTROLS, SUCH AS MESSAGE 
BUFFERS IN COMPONENTS.  EACH COMPONENT OF THE NETWORK SYSTEM 
MUST  ENFORCE  THE  OBJECT REUSE REQUIREMENT WITH RESPECT TO 
THE STORAGE OBJECTS OF INTEREST AS DETERMINED BY THE NETWORK 
SECURITY  POLICY.   FOR EXAMPLE, THE DAC REQUIREMENT IN THIS 
DIVISION LEADS TO THE REQUIREMENT HERE THAT MESSAGE  BUFFERS 
BE  UNDER  THE  CONTROL  OF  THE  NTCB  PARTITION.  A BUFFER 
ASSIGNED TO AN INTERNAL SUBJECT MAY BE REUSED AT THE DISCRE- 
TION OF THAT SUBJECT WHICH IS RESPONSIBLE FOR PRESERVING THE 
BE  IMPLEMENTED IN PHYSICAL RESOURCES, SUCH AS BUFFERS, DISK 
SECTORS, TAPE SPACE, AND MAIN MEMORY, IN COMPONENTS SUCH  AS 
NETWORK SWITCHES. 
 
 
_ _ _ ______________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall require users to  identify  themselves  to  it 
before  beginning  to perform any other actions that the TCB 
s expected to mediate.  Furthermore, the TCB  shall  use  a
user's identity. The TCB shall protect  authentication  data 
TCB SHALL BE ABLE TO ENFORCE  INDIVIDUAL  ACCOUNTABILITY  BY 
DUAL ADP SYSTEM USER.  THE TCB SHALL ALSO PROVIDE THE  CAPA- 
BILITY  OF  ASSOCIATING  THIS  IDENTITY  WITH  ALL AUDITABLE 
ACTIONS TAKEN BY THAT INDIVIDUAL. 
 
+  Interpretation 
 
     The requirement for identification  and  authentication 
of users is the same for a network system as for an ADP sys- 
tem. The identification and authentication may  be  done  by 
the  component  to  which  the user is directly connected or 
tication  server.   Available  techniques,  such  as   those 
applicable in the network context. However, in  cases  where 
the  NTCB is expected to mediate actions of a host (or other 
network component) that is acting on behalf  of  a  user  or 
authentication of the host (or other component) in  lieu  of 
dentification  and authentication of an individual user, SO
LONG AS THE COMPONENT IDENTIFIER IMPLIES A LIST OF  SPECIFIC 
USERS UNIQUELY ASSOCIATED WITH THE IDENTIFIER AT THE TIME OF 
TO INTERNAL SUBJECTS. 
 
     Authentication information, including the identity of a 
user  (once  authenticated) may be passed from one component 
to another without reauthentication, so  long  as  the  NTCB 
thorized disclosure and modification. This protection  shall 
of mechanism) as pertains to the protection of the authenti- 
cation mechanism and authentication data. 
 
+  Rationale 
 
     The need for accountability is not changed in the  con- 
text  of a network system.  The fact that the NTCB is parti- 
tioned over a set of components neither reduces the need nor 
mposes  new requirements.  That is, individual accountabil-
ty is still the objective. ALSO, in the context of  a  net-
TABILITY" CAN BE SATISFIED BY IDENTIFICATION OF A  HOST  (OR 
OTHER COMPONENT) SO LONG AS THE REQUIREMENT FOR TRACEABILITY 
TO INDIVIDUAL USERS OR A SET OF  SPECIFIC  INDIVIDUAL  USERS 
WITH ACTIVE SUBJECTS IS SATISFIED. THERE IS ALLOWED TO BE AN 
UNCERTAINTY IN TRACEABILITY BECAUSE OF ELAPSED TIME  BETWEEN 
CHANGES  IN  THE GROUP MEMBERSHIP AND THE ENFORCEMENT IN THE 
ACCESS CONTROL MECHANISMS.  In addition, there is no need in 
a  distributed processing system like a network to reauthen- 
ticate a user at each point in the network where  a  projec- 
tion  of  a user (via the subject operating on behalf of the 
user) into another remote subject takes place. 
_________________________ 
  = Department of Defense  Password  Management  Guide- 
    __________ __ _______  ________  __________  _____ 
line, CSC-STD-002-85 
____ 
 
     The passing of identifiers and/or authentication infor- 
mation from one component to another is usually done in sup- 
trol  (DAC).   This  support  relates  directly  to  the DAC 
ferent  NTCB  partition  than  the  one  where  the user was 
authenticated. Employing a forwarded identification  implies 
additional  reliance  on the source and components along the 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL BE ABLE TO CREATE, MAINTAIN, AND PROTECT  FROM 
MODIFICATION  OR UNAUTHORIZED ACCESS OR DESTRUCTION AN AUDIT 
TRAIL OF ACCESSES TO THE OBJECTS  IT  PROTECTS.   THE  AUDIT 
DATA SHALL BE PROTECTED BY THE TCB SO THAT READ ACCESS TO IT 
TCB  SHALL  BE ABLE TO RECORD THE FOLLOWING TYPES OF EVENTS: 
USE OF IDENTIFICATION AND AUTHENTICATION MECHANISMS,  INTRO- 
DUCTION  OF  OBJECTS INTO A USER'S ADDRESS SPACE (E.G., FILE 
OPEN, PROGRAM  INITIATION),  DELETION  OF  OBJECTS,  ACTIONS 
TAKEN BY COMPUTER OPERATORS AND SYSTEM ADMINISTRATORS AND/OR 
SYSTEM  SECURITY  OFFICERS,  AND  OTHER  SECURITY   RELEVANT 
EVENTS.  FOR  EACH  RECORDED  EVENT,  THE AUDIT RECORD SHALL 
AND    SUCCESS    OR    FAILURE    OF    THE   EVENT.    FOR 
(E.G.,  TERMINAL  ID) SHALL BE INCLUDED IN THE AUDIT RECORD. 
FOR EVENTS THAT INTRODUCE AN OBJECT INTO  A  USER'S  ADDRESS 
SPACE  AND FOR OBJECT DELETION EVENTS THE AUDIT RECORD SHALL 
TOR  SHALL  BE  ABLE TO SELECTIVELY AUDIT THE ACTIONS OF ANY 
ONE OR MORE USERS BASED ON INDIVIDUAL IDENTITY. 
 
+  Interpretation 
 
     THIS CRITERION APPLIES  AS  STATED.  THE  SPONSOR  MUST 
SELECT  WHICH  EVENTS ARE AUDITABLE.  IF ANY SUCH EVENTS ARE 
NOT DISTINGUISHABLE BY THE NTCB  ALONE  (FOR  EXAMPLE  THOSE 
AUDIT RECORDS SHALL BE DISTINGUISHABLE FROM  THOSE  PROVIDED 
BY  THE  NTCB.   IN  THE CONTEXT OF A NETWORK SYSTEM, "OTHER 
SECURITY  RELEVANT  EVENTS"  (DEPENDING  ON  NETWORK  SYSTEM 
ARCHITECTURE  AND  NETWORK SECURITY POLICY) MIGHT BE AS FOL- 
LOWS: 
 
        LISHING A CONNECTION OR A CONNECTIONLESS ASSOCIATION 
        BETWEEN PROCESSES IN TWO HOSTS OF THE  NETWORK)  AND 
        ITS  PRINCIPAL PARAMETERS (E.G., HOST IDENTIFIERS OF 
        THE TWO HOSTS INVOLVED IN THE ACCESS EVENT AND  USER 
        IDENTIFIER  OR  HOST  IDENTIFIER OF THE USER OR HOST 
        THAT IS REQUESTING THE ACCESS EVENT) 
 
        EACH  ACCESS  EVENT  USING LOCAL TIME OR GLOBAL SYN- 
        CHRONIZED TIME 
 
        DITIONS   (E.G.,   POTENTIAL   VIOLATION   OF   DATA 
        INTEGRITY, SUCH  AS  MISROUTED  DATAGRAMS)  DETECTED 
        DURING THE TRANSACTIONS BETWEEN TWO HOSTS 
 
 
        COMPONENT LEAVING THE NETWORK AND REJOINING) 
 
     IN  ADDITION,  IDENTIFICATION  INFORMATION  SHOULD   BE 
TO ALLOW ASSOCIATION OF ALL  RELATED  (E.G.,  INVOLVING  THE 
SAME  NETWORK EVENT) AUDIT TRAIL RECORDS (E.G., AT DIFFERENT 
HOSTS) WITH EACH OTHER.  FURTHERMORE,  A  COMPONENT  OF  THE 
NETWORK  SYSTEM  MAY  PROVIDE  THE REQUIRED AUDIT CAPABILITY 
(E.G., STORAGE, RETRIEVAL, REDUCTION,  ANALYSIS)  FOR  OTHER 
COMPONENTS  THAT  DO  NOT  INTERNALLY  STORE  AUDIT DATA BUT 
TRANSMIT THE AUDIT DATA TO SOME DESIGNATED  COLLECTION  COM- 
AUDIT DATA DUE TO UNAVAILABILITY OF RESOURCES. 
 
     IN THE CONTEXT OF A NETWORK SYSTEM, THE "USER'S ADDRESS 
SPACE"  IS  EXTENDED,  FOR  OBJECT INTRODUCTION AND DELETION 
EVENTS, TO INCLUDE ADDRESS SPACES BEING EMPLOYED  ON  BEHALF 
OF  A  REMOTE USER (OR HOST).  HOWEVER, THE FOCUS REMAINS ON 
USERS IN CONTRAST TO INTERNAL SUBJECTS AS DISCUSSED  IN  THE 
DAC  CRITERION.   IN  ADDITION,  AUDIT  INFORMATION  MUST BE 
STORED IN MACHINE-READABLE FORM. 
 
+  Rationale 
 
     FOR REMOTE USERS, THE NETWORK IDENTIFIERS (E.G., INTER- 
NET ADDRESS) CAN BE USED AS IDENTIFIERS OF GROUPS OF INDIVI- 
DUAL USERS (E.G., "ALL USERS AT HOST A")  TO  ELIMINATE  THE 
MAINTENANCE THAT WOULD BE REQUIRED IF INDIVIDUAL IDENTIFICA- 
TION OF REMOTE USERS WAS EMPLOYED.  IN THIS CLASS (C2), HOW- 
EVER,  IT  MUST  BE  POSSIBLE TO IDENTIFY (IMMEDIATELY OR AT 
SOME LATER TIME) THE  INDIVIDUALS  REPRESENTED  BY  A  GROUP 
STRAIGHTFORWARD EXTENSION OF THE CRITERION INTO THE  CONTEXT 
OF A NETWORK SYSTEM. 
 
 
_ _ _ _________ 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall maintain a domain for its own  execution  that 
by modification of its code or data structures).   Resources 
controlled  by  the  TCB may be a defined subset of the sub- 
THE  RESOURCES  TO  BE PROTECTED SO THAT THEY ARE SUBJECT TO 
THE ACCESS CONTROL AND AUDITING REQUIREMENTS. 
 
+  Interpretation 
 
     The system architecture criterion must be met individu- 
ally by all NTCB partitions.  Implementation of the require- 
ment that the NTCB maintain a domain for its  own  execution 
s  achieved by having each NTCB partition maintain a domain
for its own execution. 
 
     The subset of network resources over which the NTCB has 
control  are  the  union of the sets of resources over which 
the NTCB partitions have control.  Code and data  structures 
belonging  to  the  NTCB,  transferred  among  NTCB subjects 
(i.e., subjects outside the reference monitor but inside the 
NTCB)  belonging  to different NTCB partitions, must be pro- 
tected against  external  interference  or  tampering.   For 
example,  a  cryptographic checksum or physical means may be 
employed  to  protect  user  authentication  data  exchanged 
between NTCB partitions. 
 
     EACH NTCB PARTITION  PROVIDES  ISOLATION  OF  RESOURCES 
(WITHIN  ITS  COMPONENT)  TO BE PROTECTED IN ACCORD WITH THE 
NETWORK SYSTEM ARCHITECTURE AND SECURITY POLICY. 
 
+  Rationale 
 
 
     The requirement for the  protection  of  communications 
between NTCB partitions is specifically directed to subjects 
that are part of the NTCB partitions.  Any requirements  for 
 
     ISOLATION OF THE RESOURCES  TO  BE  PROTECTED  PROVIDES 
ADDITIONAL  PROTECTION, COMPARED TO CLASS (C1), THAT MECHAN- 
TIFICATION) WILL OPERATE CORRECTLY. 
 
 
+ Statement from DoD 5200.28-STD 
 
Hardware and/or software features shall be provided that can 
be  used  to  periodically validate the correct operation of 
the on-site hardware and firmware elements of the TCB. 
 
+  Interpretation 
 
     Implementation of the requirement is partly achieved by 
and  firmware  elements  of each component's NTCB partition. 
Features shall also be provided to validate the identity and 
correct  operation of a component prior to its incorporation 
n the network system and throughout system operation.   For
example,  a protocol could be designed that enables the com- 
cally  and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability 
to  respond. NTCB partitions shall provide the capability to 
 
     Intercomponent  protocols  implemented  within  a  NTCB 
tion in the case of failures of  network  communications  or 
ndividual  components.   The  allocation  of  discretionary
access control policy in a network may require communication 
between  trusted  subjects  that are part of the NTCB parti- 
tions in different components.  This communication  is  nor- 
mally  implemented  with  a protocol between the subjects as 
not  result from failure of an NTCB partition to communicate 
 
+ Rationale 
 
     The  first  paragraph  of  the  interpretation   is   a 
text of a network system and partitioned NTCB as defined for 
these network criteria. 
 
     NTCB protocols should be robust  enough  so  that  they 
zed failure. The purpose of this protection is to  preserve
the integrity of the NTCB itself.  It is not unusual for one 
or more components in a network to  be  inoperative  at  any 
time,  so  it  is  important to minimize the effects of such 
failures on the rest of the  network.  Additional  integrity 
and denial of service issues are addressed in Part II. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The security mechanisms of the ADP system  shall  be  tested 
and  found  to  work as claimed in the system documentation. 
Testing shall be done to assure that there  are  no  obvious 
the security protection mechanisms of the TCB. TESTING SHALL 
ALSO  INCLUDE  A  SEARCH  FOR OBVIOUS FLAWS THAT WOULD ALLOW 
VIOLATION OF RESOURCE ISOLATION, OR THAT WOULD PERMIT  UNAU- 
THORIZED  ACCESS  TO  THE AUDIT OR AUTHENTICATION DATA. (See 
the Security Testing Guidelines.) 
 
+  Interpretation 
 
     Testing of a component  will  require  a  testbed  that 
exercises  the  interfaces  and  protocols  of the COMPONENT 
of  a  security  mechanism of the network system for meeting 
this criterion shall  be  an  integrated  testing  procedure 
nvolving  all  components containing an NTCB partition that
mplement the given mechanism. This  integrated  testing  is
additional to any individual component tests involved in the 
evaluation of the network system.  The sponsor should  iden- 
tify the allowable set of configurations including the sizes 
of the networks.  Analysis or testing procedures  and  tools 
tions.  A change in configuration within the  allowable  set 
of configurations does not require retesting. 
 
+  Rationale 
 
     Testing is the primary method available in this evalua- 
tion  division  to  gain  any  assurance  that  the security 
mechanisms perform their intended function. 
 
 
_ _ _ _____________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A single summary, chapter, or manual in  user  documentation 
TCB, interpretations on their use,  and  how  they  interact 
 
+  Interpretation 
 
     This user documentation describes user visible  protec- 
tion  mechanisms at the global (network system) level and at 
the user interface of each component,  and  the  interaction 
among these. 
 
+  Rationale 
 
     The interpretation is an extension of  the  requirement 
nto  the  context  of a network system as defined for these
network criteria.  Documentation  of  protection  mechanisms 
teria for trusted  computer  systems  that  are  applied  as 
appropriate for the individual components. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A manual addressed to the  ADP  system  administrator  shall 
be controlled when running a secure facility. THE PROCEDURES 
FOR EXAMINING AND MAINTAINING THE AUDIT FILES AS WELL AS THE 
DETAILED AUDIT RECORD STRUCTURE FOR EACH TYPE OF AUDIT EVENT 
SHALL BE GIVEN. 
 
+ Interpretation 
 
     This manual shall contain specifications and procedures 
to assist the system administrator(s) maintain cognizance of 
the network configuration.  These  specifications  and  pro- 
cedures shall address the following: 
 
 
        network; 
 
        leave  the  network  (e.g., by crashing, or by being 
        disconnected) and then rejoin; 
 
        security  of  the  network system; (For example, the 
        manual  should  describe  for  the  network   system 
        administrator  the interconnections among components 
        that are consistent with the overall network  system 
        architecture.) 
 
        (e.g., down-line loading). 
 
     The physical and administrative environmental  controls 
all  communications  links must be physically protected to a 
certain level). 
 
+ Rationale 
 
     There  may  be  multiple  system  administrators   with 
other  forms of security in order to achieve security of the 
network.  Additional forms include administrative  security, 
 
     Extension of  this  criterion  to  cover  configuration 
aspects  of  the  network  is  needed  because, for example, 
to  achieve  a  correct realization of the network architec- 
ture. 
 
     Cryptography  is one common mechanism employed to  pro- 
tect  communication  circuits.   Encryption  transforms  the 
to  unauthorized  subjects.  Reflecting this transformation, 
the sensitivity of the ciphertext is  generally  lower  than 
the  cleartext.   If  encryption methodologies are employed, 
they shall be  approved  by  the  National  Security  Agency 
(NSA). 
 
     The encryption algorithm  and  its  implementation  are 
outside  the scope of these interpretations.  This algorithm 
and implementation may be implemented in a  separate  device 
or  may  be a function of a subject in a component not dedi- 
cated to encryption.  Without prejudice, either  implementa- 
tion  packaging  is  referred  to as an encryption mechanism 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall provide to the evaluators a docu- 
ment that describes the test plan, test procedures that show 
 
+  Interpretation 
 
     The "system developer" is interpreted as  "the  network 
establish the context in which the testing was or should  be 
conducted.   The  description should identify any additional 
test components that  are  not  part  of  the  system  being 
evaluated.  This includes a description of the test-relevant 
functions of such test components and a description  of  the 
nterfacing  of  those  test  components to the system being
evaluated.  The description of the  test  plan  should  also 
configuration and sizing. 
 
+  Rationale 
 
     The entity being evaluated may be a networking  subsys- 
tem (see Appendix A) to which other components must be added 
to make a  complete  network  system.  In  that  case,  this 
nterpretation  is extended to include contextual definition
because, at evaluation time, it is not possible to  validate 
the  test  plans  without the description of the context for 
testing the networking subsystem. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Documentation shall be available that provides a description 
of the manufacturer's philosophy of protection and an expla- 
nation of how this philosophy is translated into the TCB. If 
the  TCB  is  composed  of  distinct modules, the interfaces 
between these modules shall be described. 
 
+  Interpretation 
 
     Explanation of how the sponsor's philosophy of  protec- 
tion is translated into the NTCB shall include a description 
of how the NTCB is partitioned.  The  security  policy  also 
the NTCB modules shall include the interface(s) between NTCB 
exist.  The sponsor shall describe the security architecture 
and  design,  including  the allocation of security require- 
ments among  components.   Appendix  A  addresses  component 
evaluation issues. 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context  of a network system as 
tion,  such  as description of components and description of 
operating environment(s) in which the  networking  subsystem 
or network system is designed to function, is required else- 
 
     In order to be evaluated,  a  network  must  possess  a 
coherent  Network Security Architecture and Design.  (Inter- 
connection of components that do not adhere to such a single 
coherent  Network  Security Architecture is addressed in the 
Security  Architecture  must  address  the security-relevant 
Design  specifies  the  interfaces and services that must be 
ncorporated into the network so that it can be evaluated as
a  trusted  entity.  There may be multiple designs that con- 
form to the same architecture but are more or less  incompa- 
tible and non-interoperable (except through the Interconnec- 
tion Rules).  Security related mechanisms requiring coopera- 
tion  among  components are specified in the design in terms 
of their visible interfaces; mechanisms  having  no  visible 
nterfaces  are  not specified in this document but are left
as implementation decisions. 
 
     The Network Security Architecture and  Design  must  be 
available  from the network sponsor before evaluation of the 
network, or any component, can be undertaken.   The  Network 
Security  Architecture  and Design must be sufficiently com- 
the  construction  or assembly of a trusted network based on 
the structure it specifies. 
 
     When a component is being  designed  or  presented  for 
evaluation,  or  when a network assembled from components is 
assembled or presented  for  evaluation,  there  must  be  a 
Design are satisfied.  That is, the components can be assem- 
bled into a network that conforms in every way with the Net- 
tion indicates. 
 
     In order for a trusted network to be  constructed  from 
components  that  can  be  built  independently, the Network 
Security Architecture and Design must completely and unambi- 
Network  Security  Architecture and Design must be evaluated 
to determine that a network constructed  to  its  specifica- 
tions  will in fact be trusted, that is, it will be evaluat- 
able under these interpretations. 
 
           3.0 DIVISION B:  MANDATORY PROTECTION 
 
 
The notion of an NTCB that preserves the integrity of sensi- 
tivity  labels  and  uses them to enforce a set of mandatory 
access control rules is a major requirement  in  this  divi- 
The network system sponsor also provides the security policy 
model on which the NTCB is based and furnishes a  specifica- 
tion  of the NTCB.  Evidence must be provided to demonstrate 
that the reference monitor concept has been implemented. 
 
 
        3.1 CLASS (B1):  LABELED SECURITY PROTECTION 
        _ _ _____  __    _______ ________ __________ 
 
 
     CLASS  (B1)  NETWORK  SYSTEMS  REQUIRE   ALL   THE 
     FEATURES  REQUIRED FOR CLASS (C2). IN ADDITION, AN 
     INFORMAL STATEMENT OF THE SECURITY  POLICY  MODEL, 
     DATA  LABELING,  AND MANDATORY ACCESS CONTROL OVER 
     SUBJECTS AND STORAGE OBJECTS MUST BE PRESENT.  THE 
     CAPABILITY  MUST  EXIST  FOR  ACCURATELY  LABELING 
     EXPORTED INFORMATION.   ANY  FLAWS  IDENTIFIED  BY 
     TESTING   MUST  BE  REMOVED.   THE  FOLLOWING  ARE 
     MINIMAL REQUIREMENTS FOR NETWORK SYSTEMS  ASSIGNED 
     A CLASS (B1) RATING: 
 
 
_ _ _ ________ ______ 
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     The network sponsor shall describe the overall  network 
nclude  a  discretionary policy for protecting the informa-
tion being processed based on the authorizations of  indivi- 
cy statement shall describe the requirements on the network
to  prevent  or  detect  "reading  or  destroying" sensitive 
nformation by unauthorized users or errors.  THE  MANDATORY
THAT IT SUPPORTS.  FOR THE CLASS B1 OR ABOVE  THE  MANDATORY 
SECRECY AND/OR INTEGRITY, WHERE APPLICABLE, AND LABELS ASSO- 
CIATED WITH USERS TO REFLECT THEIR AUTHORIZATION  TO  ACCESS 
SUCH  INFORMATION.   UNAUTHORIZED  USERS  INCLUDE BOTH THOSE 
that are not authorized to use the network at all  (e.g.,  a 
user  attempting  to  use a passive or active wire tap) or a 
legitimate user of the network  who  is  not  authorized  to 
access a specific piece of information being protected. 
 
     Note that "users" does not include "operators," "system 
officers," and other system  support  personnel.   They  are 
Manual and the System Architecture requirements.  Such indi- 
viduals may change the system parameters of the network sys- 
tem, for example, by defining membership of a group.   These 
ndividuals may also have the separate role of users.
 
 
        SECRECY POLICY: The network sponsor shall define the 
        form  of  the  discretionary  AND MANDATORY  secrecy 
        policy that is enforced in the  network  to  prevent 
        unauthorized users from reading the sensitive infor- 
        mation entrusted to the network. 
 
 
        DATA INTEGRITY POLICY:  The  network  sponsor  shall 
        define  the  discretionary  AND MANDATORY  integrity 
        policy to prevent unauthorized users from modifying, 
        viz.,  writing,  sensitive information.  The defini- 
        tion of data  integrity  presented  by  the  network 
        sponsor  refers to the requirement that the informa- 
        tion has not been subjected to unauthorized  modifi- 
        cation  in the network. THE MANDATORY INTEGRITY POL- 
        ICY ENFORCED BY THE NTCB CANNOT, IN GENERAL, PREVENT 
        MODIFICATION  WHILE INFORMATION IS BEING TRANSMITTED 
        BETWEEN COMPONENTS.  HOWEVER,  AN  INTEGRITY  SENSI- 
        TIVITY  LABEL  MAY  REFLECT  THE CONFIDENCE THAT THE 
        INFORMATION HAS NOT BEEN SUBJECTED  TO  TRANSMISSION 
        ERRORS  BECAUSE  OF  THE  PROTECTION AFFORDED DURING 
        TRANSMISSION.  THIS REQUIREMENT IS DISTINCT FROM THE 
        REQUIREMENT FOR LABEL INTEGRITY. 
 
+ Rationale 
 
     The word "sponsor" is used  in  place  of  alternatives 
(such   as   "vendor,"   "architect,"   "manufacturer,"  and 
"developer") because the alternatives  indicate  people  who 
may not be available, involved, or relevant at the time that 
a network system is proposed for evaluation. 
 
     A trusted network is able to control both  the  reading 
and  writing  of  shared  sensitive information.  Control of 
tion. A network normally is expected to have policy require- 
ments to protect both  the  secrecy  and  integrity  of  the 
nformation  entrusted to it.  In a network the integrity is
frequently as important or more important than  the  secrecy 
to be enforced by the network must be stated for  each  net- 
the policy  is  faithfully  enforced  is  reflected  in  the 
evaluation class of the network. 
 
     This control over modification  is  typically  used  to 
control the potential harm that would result if the informa- 
tion  were  corrupted.   The overall network policy require- 
ments for integrity includes the protection  for  data  both 
transmitted in  the  network.   The  access  control  policy 
enforced  by  the  NTCB relates to the access of subjects to 
objects within  each  component.   Communications  integrity 
addressed  within Part II relates to information while being 
transmitted. 
 
     THE MANDATORY INTEGRITY POLICY (AT CLASS B1 AND  ABOVE) 
AGE BETWEEN THE CONNECTION ORIENTED  ABSTRACTION  INTRODUCED 
NETWORK.  FOR EXAMPLE, IN  A  KEY  DISTRIBUTION  CENTER  FOR 
END-TO-END  ENCRYPTION, A DISTINCT INTEGRITY CATEGORY MAY BE 
ASSIGNED TO ISOLATE THE KEY GENERATION CODE  AND  DATA  FROM 
SAME COMPONENT, SUCH AS OPERATOR INTERFACES AND AUDIT. 
 
     THE MANDATORY INTEGRITY POLICY  FOR  SOME  ARCHITECTURE 
MAY  DEFINE AN INTEGRITY SENSITIVITY LABEL THAT REFLECTS THE 
SPECIFIC REQUIREMENTS FOR ENSURING THAT INFORMATION HAS  NOT 
BEEN  SUBJECT  TO  RANDOM ERRORS IN EXCESS OF A STATED LIMIT 
NOR TO UNAUTHORIZED MESSAGE  STREAM  MODIFICATION  (MSM)  -. 
THE SPECIFIC METRIC ASSOCIATED WITH AN INTEGRITY SENSITIVITY 
LABEL WILL GENERALLY REFLECT THE  INTENDED  APPLICATIONS  OF 
THE NETWORK. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall define and control access between named  users 
and named objects (e.g., files and programs) in the ADP sys- 
tem.  The  enforcement  mechanism  (e.g.,  self/group/public 
controls, access control lists) shall allow users to specify 
and control sharing of those objects by named individuals or 
controls to limit propagation of access rights.  The discre- 
tionary  access  control mechanism shall, either by explicit 
user action or by default, provide  that  objects  are  pro- 
tected  from  unauthorized  access.   These  access controls 
object by users not  already  possessing  access  permission 
_________________________ 
  - See Voydock, Victor L. and Stephen T. Kent,  "Secu- 
                                                   ___ 
______ _______ 
 
+  Interpretation 
 
     The discretionary access control (DAC) mechanism(s) may 
be  distributed  over  the partitioned NTCB in various ways. 
Some part, all, or none of the DAC may be implemented  in  a 
no  subjects acting as direct surrogates for users), such as 
a public network packet switch, might not implement the  DAC 
mechanism(s)  directly  (e.g.,  they are unlikely to contain 
access control lists). 
 
     Identification of users by groups may  be  achieved  in 
various  ways  in  the networking environment.  For example, 
the network identifiers (e.g., internet addresses) for vari- 
ous  components (e.g., hosts, gateways) can be used as iden- 
tifiers of groups of individual users (e.g., "all  users  at 
Host  A," "all users of network Q") so long as the individu- 
als involved in the group are implied by the group  identif- 
er. For example, Host A might employ a particular group-id,
for which it maintains a list  of  explicit  users  in  that 
the group-id under the conditions of this interpretation. 
 
     For networks, individual hosts will impose need-to-know 
controls over their users on the basis of named individuals 
- much like (in fact, probably the same) controls used  when 
there is no network connection. 
 
     When group identifiers are acceptable for  access  con- 
trol,  the identifier of some other host may be employed, to 
eliminate the maintenance that would be required if  indivi- 
C2 and higher, however, it must be possible from that  audit 
exactly the individuals represented by a group identifier at 
the time of the use of that identifier.  There is allowed to 
be an uncertainty because of elapsed time between changes in 
the  group membership and the enforcement in the access con- 
trol mechanisms. 
 
     The DAC mechanism of a NTCB  partition  may  be  imple- 
mented  at  the interface of the reference monitor or may be 
all the physical resources  of  the  system  and  from  them 
creates the abstraction of subjects and objects that it con- 
trols. Some of these subjects and objects  may  be  used  to 
mplement  a  part  of  the NTCB.  When the DAC mechanism is
Assurance section) for the design and implementation of  the 
DAC  shall be those of class C2 for all networks of class C2 
or above. 
 
     When integrity is included as part of the network  dis- 
cretionary  security policy, the above interpretations shall 
be specifically applied to the controls  over  modification, 
viz,  the  write mode of access, within each component based 
on identified users or groups of users. 
 
+  Rationale 
 
     In this class, the supporting elements of  the  overall 
DAC  mechanism are required to isolate information (objects) 
that supports DAC so that it is subject to auditing require- 
ments  (see  the  System  Architecture section).  The use of 
network identifiers to identify groups of  individual  users 
could  be  implemented, for example, as an X.25 community of 
nterest in the network protocol layer (layer  3).   In  all
other  respects,  the supporting elements of the overall DAC 
mechanism are treated  exactly  as  untrusted  subjects  are 
treated  with respect to DAC in an ADP system, with the same 
 
     A typical situation for DAC is that a surrogate process 
for a remote user will be created in some host for access to 
objects under the control of the NTCB partition within  that 
assigned and maintained for each such process by  the  NTCB, 
tially the same discretionary controls as access by  a  pro- 
cess  acting  on  behalf of a local user would be.  However, 
tions of the assigned user identification is permitted. 
 
     The most obvious situation  would  exist  if  a  global 
able on demand to every host, (i.e., a name server  existed) 
 
     It is also acceptable, however, for  some  NTCB  parti- 
tions to maintain a database of locally-registered users for 
ts own use.  In such a case, one could  choose  to  inhibit
the creation of surrogate processes for locally unregistered 
users, or (if permitted by the local policy)  alternatively, 
to   permit   the   creation  of  surrogate  processes  with 
dentify the process as executing on behalf of a member of a
the  words concerning audit in the interpretation is to pro- 
vide a minimally acceptable degree of auditability for cases 
be a capability, using the audit facilities provided by  the 
network  NTCB  partitions  involved,  to  determine  who was 
logged in at the actual host of the group of remote users at 
the time the surrogate processing occured. 
 
     Associating the proper user id with a surrogate process 
s  the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id  of 
the  surrogate  process.   The transmission of the data back 
across the network to the user's host, and the creation of a 
copy of the data there, is not the business of DAC. 
 
     Components that support only internal  subjects  impact 
the implementation of the DAC by providing services by which 
nformation (e.g., a user-id) is made available  to  a  com-
file  at  Host  B.   The  DAC decision might be (and usually 
ted from Host A to Host B. 
 
     Unique user identification may be achieved by a variety 
of  mechanisms, including (a) a requirement for unique iden- 
tification and authentication on the host where access takes 
addresses authenticated by another host and forwarded to the 
of a network-wide unique personnel identifier that could  be 
authenticated and forwarded by another host as in (b) above, 
or could be authenticated and forwarded by a dedicated  net- 
cols which implement (b) or (c) are subject  to  the  System 
Architecture requirements. 
 
     Network support for DAC might be handled in other  ways 
than  that described as "typical" above. In particular, some 
form of centralized access control is  often  proposed.   An 
access  control center may make all decisions for DAC, or it 
may share the burden with the hosts by controlling  host-to- 
to their objects by users at a limited set of remote  hosts. 
between the connection oriented abstraction (as discussed in 
the  Introduction)  and  the overall network security policy 
for DAC.  In all cases the enforcement of the decision  must 
be provided by the host where the object resides. 
 
     THERE ARE TWO FORMS OF DISTRIBUTION FOR THE DAC MECHAN- 
THE  NTCB  PARTITION IN A COMPONENT.  SINCE "THE ADP SYSTEM" 
NETWORK  COMPONENT  IS RESPONSIBLE FOR ENFORCING SECURITY IN 
THE MECHANISMS ALLOCATED TO IT TO ENSURE SECURE  IMPLEMENTA- 
TION  OF  THE NETWORK SECURITY POLICY.  FOR TRADITIONAL HOST 
SYSTEMS IT IS FREQUENTLY EASY TO ALSO ENFORCE THE DAC  ALONG 
WITH  THE MAC WITHIN THE REFERENCE MONITOR, PER SE, ALTHOUGH 
A FEW APPROACHES, SUCH AS VIRTUAL MACHINE MONITORS,  SUPPORT 
DAC OUTSIDE THIS INTERFACE. 
 
     IN CONTRAST TO THE UNIVERSALLY RIGID STRUCTURE OF  MAN- 
DATORY  POLICIES (SEE THE MANDATORY ACCESS CONTROL SECTION), 
DAC POLICIES TEND TO BE VERY NETWORK  AND  SYSTEM  SPECIFIC, 
WITH  FEATURES  THAT  REFLECT THE NATURAL USE OF THE SYSTEM. 
FOR NETWORKS IT IS COMMON THAT INDIVIDUAL HOSTS WILL  IMPOSE 
CONTROLS  OVER  THEIR  LOCAL  USERS  ON  THE  BASIS OF NAMED 
NETWORK CONNECTION.  HOWEVER, IT IS DIFFICULT TO MANAGE IN A 
CENTRALIZED MANNER ALL THE INDIVIDUALS USING  A  LARGE  NET- 
WORK.   THEREFORE, USERS ON OTHER HOSTS ARE COMMONLY GROUPED 
TOGETHER SO THAT THE CONTROLS REQUIRED BY  THE  NETWORK  DAC 
OTHER COMPONENTS.  A GATEWAY IS AN EXAMPLE OF  SUCH  A  COM- 
 
     THE ASSURANCE REQUIREMENTS ARE AT THE VERY HEART OF THE 
CONCEPT  OF  A  TRUSTED  SYSTEM.   IT  IS THE ASSURANCE THAT 
DETERMINES IF A SYSTEM OR NETWORK IS APPROPRIATE FOR A GIVEN 
ENVIRONMENT,  AS REFLECTED, FOR EXAMPLE, IN THE ENVIRONMENTS 
GUIDELINE-.  IN THE CASE OF MONOLITHIC SYSTEMS THAT HAVE DAC 
MENTS FOR DAC ARE INSEPARABLE FROM THOSE OF THE REST OF  THE 
REFERENCE  MONITOR.   FOR NETWORKS THERE IS TYPICALLY A MUCH 
CLEARER DISTINCTION DUE TO DISTRIBUTED DAC.   THE  RATIONALE 
FOR MAKING THE DISTINCTION IN THIS NETWORK INTERPRETATION IS 
THAT IF MAJOR TRUSTED NETWORK COMPONENTS CAN BE MADE  SIGNI- 
FICANTLY EASIER TO DESIGN AND IMPLEMENT WITHOUT REDUCING THE 
ABILITY TO MEET SECURITY POLICY, THEN TRUSTED NETWORKS  WILL 
BE MORE EASILY AVAILABLE. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
All authorizations to the  information  contained  within  a 
allocation or reallocation to a subject from the TCB's  pool 
of   unused  storage  objects.   No  information,  including 
encrypted representations  of  information,  produced  by  a 
that obtains access to an object that has been released back 
to the system. 
 
+  Interpretation 
 
     The NTCB shall ensure that any storage objects that  it 
controls  (e.g., message buffers under the control of a NTCB 
access.  This requirement must be enforced by  each  of  the 
NTCB partitions. 
 
 
 
_________________________ 
  - Guidance for Applying  the  Department  of  Defense 
    ________ ___ ________  ___  __________  __  _______ 
Trusted Computer System Evaluation Criteria in Specific 
_______ ________ ______ __________ ________ __ ________ 
Environments, CSC-STD-003-85. 
____________ 
 
 
+  Rationale 
 
     In a network system, storage objects  of  interest  are 
things  that  the  NTCB  directly  controls, such as message 
buffers in components.  Each component of the network system 
must  enforce  the  object reuse requirement with respect to 
the storage objects of interest as determined by the network 
be  under  the  control  of  the  NTCB  partition.  A buffer 
assigned to an internal subject may be reused at the discre- 
tion of that subject which is responsible for preserving the 
ntegrity of message streams.  Such controlled  objects  may
be  implemented in physical resources, such as buffers, disk 
network switches. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
SENSITIVITY LABELS ASSOCIATED WITH EACH SUBJECT AND  STORAGE 
OBJECT UNDER ITS CONTROL (E.G., PROCESS, FILE, SEGMENT, DEV- 
USED  AS  THE  BASIS FOR MANDATORY ACCESS CONTROL DECISIONS. 
AND RECEIVE FROM AN AUTHORIZED USER THE SENSITIVITY LEVEL OF 
THE DATA, AND ALL SUCH ACTIONS SHALL  BE  AUDITABLE  BY  THE 
TCB. 
 
+  Interpretation 
 
     NON-LABELED DATA IMPORTED UNDER THE CONTROL OF THE NTCB 
SINGLE-LEVEL  DEVICE  USED  TO IMPORT IT. LABELS MAY INCLUDE 
SECRECY AND INTEGRITY- COMPONENTS  IN  ACCORDANCE  WITH  THE 
OVERALL  NETWORK  SECURITY  POLICY  DESCRIBED BY THE NETWORK 
SPONSOR.  WHENEVER THE TERM "LABEL" IS USED THROUGHOUT  THIS 
AS APPLICABLE.   SIMILARLY,  THE  TERMS  "SINGLE-LEVEL"  AND 
"MULTILEVEL"  ARE UNDERSTOOD TO BE BASED ON BOTH THE SECRECY 
AND INTEGRITY  COMPONENTS  OF  THE  POLICY.   THE  MANDATORY 
THE PROBABILITY OF UNDETECTED MESSAGE  STREAM  MODIFICATION, 
THAT  WILL  BE  REFLECTED  IN THE LABEL FOR THE DATA SO PRO- 
TECTED.  FOR EXAMPLE, WHEN DATA IS  IMPORTED  ITS  INTEGRITY 
LABEL  MAY BE ASSIGNED BASED ON MECHANISMS, SUCH AS CRYPTOG- 
RAPHY, USED TO PROVIDE THE ASSURANCE REQUIRED BY THE POLICY. 
THE NTCB SHALL ASSURE THAT SUCH MECHANISM ARE PROTECTED FROM 
TAMPERING AND ARE ALWAYS INVOKED WHEN THEY ARE THE BASIS FOR 
_________________________ 
  - See, for example, Biba, K.J., "Integrity Considera- 
tion  for Secure Computer Systems," ESD-TR-76-372, MTR- 
 
 
A LABEL.  
 
+ Rationale 
 
     THE INTERPRETATION IS AN EXTENSION OF  THE  REQUIREMENT 
DEFINED FOR THESE NETWORK INTERPRETATIONS.   A  SINGLE-LEVEL 
DEVICE  MAY  BE REGARDED EITHER AS A SUBJECT OR AN OBJECT. A 
MULTILEVEL DEVICE IS REGARDED AS A TRUSTED SUBJECT IN  WHICH 
THE  SECURITY  RANGE  OF  THE SUBJECT IS THE MINIMUM-MAXIMUM 
RANGE OF THE DATA EXPECTED TO BE TRANSMITTED OVER  THE  DEV- 
 
     THE SENSITIVITY LABELS FOR EITHER SECRECY OR  INTEGRITY 
OR BOTH MAY REFLECT NON-HIERARCHICAL CATEGORIES OR HIERARCH- 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
SENSITIVITY LABELS SHALL  ACCURATELY  REPRESENT  SENSITIVITY 
LEVELS  OF  THE SPECIFIC SUBJECTS OR OBJECTS WITH WHICH THEY 
ARE ASSOCIATED.   WHEN  EXPORTED  BY  THE  TCB,  SENSITIVITY 
LABELS  SHALL  ACCURATELY  AND  UNAMBIGUOUSLY  REPRESENT THE 
BEING EXPORTED. 
 
+  Interpretation 
 
     THE PHRASE "EXPORTED  BY  THE  TCB"  IS  UNDERSTOOD  TO 
COMPONENT TO AN OBJECT IN  ANOTHER  COMPONENT.   INFORMATION 
TRANSFERRED BETWEEN NTCB PARTITIONS IS ADDRESSED IN THE SYS- 
TEM INTEGRITY SECTION. THE FORM  OF  INTERNAL  AND  EXTERNAL 
(EXPORTED)  SENSITIVITY  LABELS  MAY DIFFER, BUT THE MEANING 
SHALL BE THE SAME.  THE NTCB SHALL, IN ADDITION, ENSURE THAT 
CORRECT  ASSOCIATION OF SENSITIVITY LABELS WITH THE INFORMA- 
TION BEING TRANSPORTED ACROSS THE NETWORK IS PRESERVED. 
 
     AS MENTIONED IN THE TRUSTED  FACILITY  MANUAL  SECTION, 
ENCRYPTION  TRANSFORMS  THE REPRESENTATION OF INFORMATION SO 
THAT  IT  IS  UNINTELLIGIBLE   TO   UNAUTHORIZED   SUBJECTS. 
REFLECTING THIS TRANSFORMATION, THE SENSITIVITY LEVEL OF THE 
CIPHERTEXT IS GENERALLY LOWER THAN THE CLEARTEXT.   IT  FOL- 
LOWS  THAT  CLEARTEXT  AND  CIPHERTEXT ARE CONTAINED IN DIF- 
FERENT OBJECTS, EACH POSSESSING ITS OWN LABEL.  THE LABEL OF 
THE  CLEARTEXT  MUST  BE  PRESERVED  AND ASSOCIATED WITH THE 
CIPHERTEXT SO THAT IT CAN BE RESTORED WHEN THE CLEARTEXT  IS 
SUBSEQUENTLY  OBTAINED BY DECRYPTING THE CIPHERTEXT.  IF THE 
CLEARTEXT IS ASSOCIATED  WITH  A  SINGLE-LEVEL  DEVICE,  THE 
LABEL OF THAT CLEARTEXT MAY BE IMPLICIT.  THE LABEL MAY ALSO 
BE IMPLICIT IN THE KEY. 
 
     WHEN INFORMATION IS EXPORTED TO AN ENVIRONMENT WHERE IT 
SHALL SUPPORT THE MEANS, SUCH AS CRYPTOGRAPHIC CHECKSUMS, TO 
ASSURE  THE  ACCURACY OF THE LABELS.  WHEN THERE IS A MANDA- 
TORY INTEGRITY POLICY, THE POLICY WILL DEFINE THE MEANING OF 
 
+  Rationale 
 
     ENCRYPTION ALGORITHMS AND THEIR IMPLEMENTATION ARE OUT- 
SIDE  THE  SCOPE  OF THESE INTERPRETATIONS.  SUCH ALGORITHMS 
MAY BE IMPLEMENTED IN A SEPARATE DEVICE  OR  MAY  BE  INCOR- 
DICE, EITHER IMPLEMENTATION PACKAGING IS REFERRED TO  AS  AN 
ENCRYPTION MECHANISM HEREIN. IF ENCRYPTION METHODOLOGIES ARE 
EMPLOYED IN THIS REGARD,  THEY  SHALL  BE  APPROVED  BY  THE 
NATIONAL  SECURITY  AGENCY (NSA).  THE ENCRYPTION PROCESS IS 
COMPONENTS IN WHICH IT IS IMPLEMENTED. 
 
     THE ENCRYPTION MECHANISM  IS  NOT  NECESSARILY  A  MUL- 
TILEVEL  DEVICE  OR  MULTILEVEL  SUBJECT, AS THESE TERMS ARE 
USED IN THESE CRITERIA.  THE PROCESS OF ENCRYPTION  IS  MUL- 
TILEVEL  BY DEFINITION.  THE CLEARTEXT AND CIPHERTEXT INTER- 
FACES  CARRY  INFORMATION  OF  DIFFERENT  SENSITIVITY.    AN 
ENCRYPTION  MECHANISM  DOES NOT PROCESS DATA IN THE SENSE OF 
WITH  THE  INTENT  OF PRODUCING NEW DATA.  THE CLEARTEXT AND 
CIPHERTEXT INTERFACES ON THE ENCRYPTION  MECHANISM  MUST  BE 
SEPARATELY  IDENTIFIED  AS BEING SINGLE-LEVEL OR MULTILEVEL. 
THE  DATA  IS ESTABLISHED BY A TRUSTED INDIVIDUAL AND IMPLI- 
CITLY ASSOCIATED WITH  THE  INTERFACE;  THE  EXPORTATION  TO 
SINGLE-LEVEL DEVICES CRITERION APPLIES. 
 
     IF THE INTERFACE IS MULTILEVEL, THEN THE DATA  MUST  BE 
LABELED;  THE  EXPORTATION  TO  MULTILEVEL DEVICES CRITERION 
APPLIES. THE NETWORK ARCHITECT IS FREE TO SELECT AN  ACCEPT- 
TABLE MECHANISM FOR ASSOCIATING A LABEL WITH AN OBJECT.  WITH 
REFERENCE TO ENCRYPTED OBJECTS, THE FOLLOWING  EXAMPLES  ARE 
 
        THE OBJECT. 
 
        THROUGH THE ENCRYPTION KEY.  THAT IS, THE ENCRYPTION 
        KEY UNIQUELY IDENTIFIES A SENSITIVITY LEVEL.  A SIN- 
        GLE OR PRIVATE KEY MUST BE PROTECTED AT THE LEVEL OF 
        THE DATA THAT IT ENCRYPTS. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL DESIGNATE EACH COMMUNICATION CHANNEL  AND  I/O 
DEVICE  AS EITHER SINGLE-LEVEL OR MULTILEVEL.  ANY CHANGE IN 
THIS DESIGNATION SHALL BE DONE MANUALLY AND SHALL BE  AUDIT- 
ABLE  BY  THE  TCB.   THE  TCB SHALL MAINTAIN AND BE ABLE TO 
AUDIT ANY CHANGE IN THE SENSITIVITY LEVEL OR LEVELS  ASSOCI- 
ATED WITH A COMMUNICATIONS CHANNEL OR I/O DEVICE. 
 
+  Interpretation 
 
     EACH COMMUNICATION CHANNEL AND NETWORK COMPONENT  SHALL 
BE  DESIGNATED  AS  EITHER  SINGLE-LEVEL OR MULTILEVEL.  ANY 
CHANGE IN THIS DESIGNATION SHALL BE DONE WITH THE COGNIZANCE 
AND  APPROVAL  OF  THE  ADMINISTRATOR OR SECURITY OFFICER IN 
CHARGE OF THE AFFECTED COMPONENTS AND THE  ADMINISTRATOR  OR 
SECURITY  OFFICER  IN CHARGE OF THE NTCB.  THIS CHANGE SHALL 
BE AUDITABLE BY THE NETWORK. THE NTCB SHALL MAINTAIN AND  BE 
ABLE  TO  AUDIT  ANY CHANGE IN THE CURRENT SENSITIVITY LEVEL 
ASSOCIATED WITH THE DEVICE CONNECTED TO A SINGLE-LEVEL  COM- 
MUNICATION CHANNEL OR THE RANGE ASSOCIATED WITH A MULTILEVEL 
COMMUNICATION CHANNEL OR COMPONENT. THE NTCB SHALL  ALSO  BE 
ABLE  TO  AUDIT  ANY CHANGE IN THE SET OF SENSITIVITY LEVELS 
ASSOCIATED WITH THE INFORMATION  WHICH  CAN  BE  TRANSMITTED 
OVER A MULTILEVEL COMMUNICATION CHANNEL OR COMPONENT. 
 
+  Rationale 
 
     COMMUNICATION CHANNELS AND COMPONENTS IN A NETWORK  ARE 
ANALOGOUS  TO  COMMUNICATION  CHANNELS  AND  I/O  DEVICES IN 
STAND-ALONE SYSTEMS.  THEY MUST BE DESIGNATED AS EITHER MUL- 
TILEVEL  (I.E.,  ABLE TO DISTINGUISH AND MAINTAIN SEPARATION 
AMONG INFORMATION OF VARIOUS SENSITIVITY LEVELS) OR  SINGLE- 
LEVEL.   AS  IN  THE TCSEC, SINGLE-LEVEL DEVICES MAY ONLY BE 
ATTACHED TO SINGLE-LEVEL CHANNELS. 
 
     THE LEVEL OR SET OF LEVELS OF INFORMATION THAT  CAN  BE 
SENT  TO  A  COMPONENT OR OVER A COMMUNICATION CHANNEL SHALL 
ONLY CHANGE WITH THE KNOWLEDGE AND APPROVAL OF THE  SECURITY 
OFFICERS  (OR  SYSTEM ADMINISTRATOR, IF THERE IS NO SECURITY 
OFFICER) OF THE NETWORK, AND  OF  THE  AFFECTED  COMPONENTS. 
THIS  REQUIREMENT  ENSURES  THAT  NO  SIGNIFICANT  SECURITY- 
RELEVANT CHANGES  ARE  MADE  WITHOUT  THE  APPROVAL  OF  ALL 
AFFECTED PARTIES. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
WHEN THE TCB EXPORTS AN OBJECT TO A MULTILEVEL  I/O  DEVICE, 
THE SENSITIVITY LABEL ASSOCIATED WITH THAT OBJECT SHALL ALSO 
BE EXPORTED AND SHALL RESIDE ON THE SAME PHYSICAL MEDIUM  AS 
THE  EXPORTED  INFORMATION  AND  SHALL  BE  IN THE SAME FORM 
(I.E., MACHINE-READABLE OR HUMAN-READABLE FORM).   WHEN  THE 
TCB  EXPORTS OR IMPORTS AN OBJECT OVER A MULTILEVEL COMMUNI- 
CATIONS CHANNEL, THE PROTOCOL USED  ON  THAT  CHANNEL  SHALL 
LABELS AND  THE  ASSOCIATED  INFORMATION  THAT  IS  SENT  OR 
RECEIVED. 
 
+  Interpretation 
 
     THE COMPONENTS, INCLUDING HOSTS, OF A NETWORK SHALL  BE 
MULTIPLE SINGLE-LEVEL COMMUNICATION CHANNELS, OR BOTH, WHEN- 
EVER  THE INFORMATION IS TO BE PROTECTED AT MORE THAN A SIN- 
GLE SENSITIVITY LEVEL.  THE  PROTOCOL  FOR  ASSOCIATING  THE 
SENSITIVITY LABEL AND THE EXPORTED INFORMATION SHALL PROVIDE 
THE ONLY INFORMATION NEEDED TO CORRECTLY ASSOCIATE A  SENSI- 
TIVITY  LEVEL WITH THE EXPORTED INFORMATION TRANSFERRED OVER 
THE MULTILEVEL CHANNEL BETWEEN THE NTCB PARTITIONS IN  INDI- 
VIDUAL COMPONENTS. THIS PROTOCOL DEFINITION MUST SPECIFY THE 
REPRESENTATION  AND  SEMANTICS  OF  THE  SENSITIVITY  LABELS 
(I.E.,  THE  MACHINE-READABLE  LABEL MUST UNIQUELY REPRESENT 
THE SENSITIVITY LEVEL). 
 
     THE "UNAMBIGUOUS" ASSOCIATION OF THE SENSITIVITY  LEVEL 
WITH  THE COMMUNICATED INFORMATION SHALL MEET THE SAME LEVEL 
OF ACCURACY AS THAT REQUIRED FOR ANY OTHER LABEL WITHIN  THE 
NTCB,  AS  SPECIFIED  IN  THE CRITERION FOR LABEL INTEGRITY. 
THIS MAY BE PROVIDED BY PROTECTED AND HIGHLY RELIABLE DIRECT 
LINK PROTECTION IN WHICH ANY ERRORS DURING TRANSMISSION  CAN 
BE READILY DETECTED, OR BY USE OF A SEPARATE CHANNEL. 
 
+  Rationale 
 
     THIS  PROTOCOL  MUST  SPECIFY  THE  REPRESENTATION  AND 
SEMANTICS  OF  THE  SENSITIVITY  LABELS.   SEE THE MANDATORY 
ACCESS CONTROL POLICIES SECTION IN  APPENDIX  B.   THE  MUL- 
TILEVEL  DEVICE  INTERFACE  TO  (UNTRUSTED)  SUBJECTS MAY BE 
TOR,  PER  SE,  OR BY A MULTILEVEL SUBJECT (E.G., A "TRUSTED 
SUBJECT" AS DEFINED IN THE BELL-LAPADULA  MODEL)  THAT  PRO- 
VIDES  THE  LABELS  BASED ON THE INTERNAL LABELS OF THE NTCB 
 
     THE CURRENT STATE OF THE ART  LIMITS  THE  SUPPORT  FOR 
MANDATORY  POLICY  THAT  IS  PRACTICAL  FOR SECURE NETWORKS. 
REFERENCE MONITOR SUPPORT TO ENSURE THE CONTROL OVER ALL THE 
OPERATIONS OF EACH SUBJECT IN THE NETWORK MUST BE COMPLETELY 
JECT  INTERFACES  TO  THE  NTCB.  THIS MEANS THAT THE ENTIRE 
THIS SUBJECT MUST BE CONTAINED IN THE SAME COMPONENT. 
 
     THE SECURE STATE OF AN NTCB PARTITION MAY  BE  AFFECTED 
BY EVENTS EXTERNAL TO THE COMPONENT IN WHICH THE NTCB PARTI- 
TION RESIDES (E.G.,  ARRIVAL  OF  A  MESSAGE).   THE  EFFECT 
OCCURS  ASYNCHRONUSLY  AFTER  BEING INITIATED BY AN EVENT IN 
ANOTHER COMPONENT OR PARTITION.  FOR EXAMPLE,  INDETERMINATE 
DELAYS  MAY OCCUR BETWEEN THE INITIATION OF A MESSAGE IN ONE 
COMPONENT, THE ARRIVAL OF THE MESSAGE IN THE NTCB  PARTITION 
SECURE STATE OF THE SECOND COMPONENT.  SINCE EACH  COMPONENT 
SOME SORT OF NETWORK-WIDE CONTROL TO SYNCHRONIZE STATE TRAN- 
SITIONS, SUCH AS A GLOBAL NETWORK-WIDE CLOCK FOR ALL PROCES- 
SORS; IN GENERAL, SUCH DESIGNS ARE NOT PRACTICAL  AND  PROB- 
ABLY NOT EVEN DESIRABLE.  THEREFORE, THE INTERACTION BETWEEN 
NTCB PARTITIONS IS RESTRICTED TO JUST COMMUNICATIONS BETWEEN 
THE DEVICE(S) CAN SEND/RECEIVE DATA OF MORE  THAN  A  SINGLE 
LEVEL.  FOR  BROADCAST CHANNELS THE PAIRS ARE THE SENDER AND 
CARRIES MULTIPLE LEVELS OF INFORMATION, ADDITIONAL MECHANISM 
(E.G., CRYPTOCHECKSUM MAINTAINED BY THE TCB) MAY BE REQUIRED 
TO ENFORCE SEPARATION AND PROPER DELIVERY. 
 
     A  COMMON  REPRESENTATION  FOR  SENSITIVITY  LABELS  IS 
NEEDED  IN  THE PROTOCOL USED ON THAT CHANNEL AND UNDERSTOOD 
BY BOTH THE SENDER AND RECEIVER WHEN TWO MULTILEVEL  DEVICES 
(IN  THIS  CASE,  IN TWO DIFFERENT COMPONENTS) ARE INTERCON- 
NECTED. EACH DISTINCT SENSITIVITY LEVEL OF THE OVERALL  NET- 
WORK POLICY MUST BE REPRESENTED UNIQUELY IN THESE LABELS. 
 
     WITHIN A MONOLITHIC TCB, THE  ACCURACY  OF  THE  SENSI- 
TIVITY  LABELS  IS  GENERALLY  ASSURED BY SIMPLE TECHNIQUES, 
E.G., VERY RELIABLE CONNECTIONS  OVER  VERY  SHORT  PHYSICAL 
CONNECTIONS,  SUCH  AS  ON A SINGLE PRINTED CIRCUIT BOARD OR 
OVER AN INTERNAL BUS.  IN MANY NETWORK ENVIRONMENTS THERE IS 
A  MUCH  HIGHER  PROBABILITY  OF ACCIDENTALLY OR MALICIOUSLY 
 
 
 
+ Statement from DoD 5200.28-STD 
 
SINGLE-LEVEL  I/O  DEVICES  AND  SINGLE-LEVEL  COMMUNICATION 
CHANNELS ARE NOT REQUIRED TO MAINTAIN THE SENSITIVITY LABELS 
OF THE INFORMATION THEY PROCESS.   HOWEVER,  THE  TCB  SHALL 
RELIABLY COMMUNICATE TO  DESIGNATE  THE  SINGLE  SENSITIVITY 
LEVEL  OF  INFORMATION IMPORTED OR EXPORTED VIA SINGLE-LEVEL 
COMMUNICATION CHANNELS OR I/O DEVICES. 
 
+  Interpretation 
 
     WHENEVER ONE OR BOTH OF  TWO  DIRECTLY  CONNECTED  COM- 
MATION OF DIFFERENT SENSITIVITY LEVELS, OR WHENEVER THE  TWO 
DIRECTLY CONNECTED COMPONENTS HAVE ONLY A SINGLE SENSITIVITY 
LEVEL IN COMMON, THE TWO COMPONENTS  OF  THE  NETWORK  SHALL 
COMMUNICATE  OVER A SINGLE-LEVEL CHANNEL.  SINGLE-LEVEL COM- 
REQUIRED   TO   MAINTAIN   THE  SENSITIVITY  LABELS  OF  THE 
RELIABLE  COMMUNICATION  MECHANISM  BY WHICH THE NTCB AND AN 
AUTHORIZED USER OR A SUBJECT WITHIN AN  NTCB  PARTITION  CAN 
DESIGNATE   THE  SINGLE  SENSITIVITY  LEVEL  OF  INFORMATION 
OR NETWORK COMPONENTS. 
 
+ Rationale 
 
     SINGLE-LEVEL COMMUNICATIONS CHANNELS  AND  SINGLE-LEVEL 
COMPONENTS  IN  NETWORKS ARE ANALOGOUS TO SINGLE LEVEL CHAN- 
NELS AND I/O DEVICES IN STAND-ALONE SYSTEMS IN THAT THEY ARE 
NOT  TRUSTED  TO  MAINTAIN  THE SEPARATION OF INFORMATION OF 
DIFFERENT SENSITIVITY LEVELS.  THE  LABELS  ASSOCIATED  WITH 
DATA TRANSMITTED OVER THOSE CHANNELS AND BY THOSE COMPONENTS 
ARE THEREFORE IMPLICIT; THE NTCB ASSOCIATES LABELS WITH  THE 
DATA  BECAUSE OF THE CHANNEL OR COMPONENT, NOT BECAUSE OF AN 
EXPLICIT PART OF THE BIT STREAM.  NOTE THAT THE  SENSITIVITY 
LEVEL  OF  ENCRYPTED INFORMATION IS THE LEVEL OF THE CIPHER- 
TEXT RATHER THAN THE ORIGINAL LEVEL(S) OF THE PLAINTEXT. 
 
 
+ Statement from DoD 5200.28-STD 
 
THE ADP SYSTEM ADMINISTRATOR SHALL BE ABLE  TO  SPECIFY  THE 
LABELS.  THE TCB SHALL MARK THE BEGINNING  AND  END  OF  ALL 
HUMAN-READABLE,  PAGED,  HARDCOPY OUTPUT (E.G., LINE PRINTER 
OUTPUT) WITH HUMAN-READABLE SENSITIVITY  LABELS  THAT  PROP- 
ERLY1  REPRESENT  THE  SENSITIVITY  OF  THE OUTPUT.  THE TCB 
SHALL, BY DEFAULT, MARK THE TOP AND BOTTOM OF EACH  PAGE  OF 
HUMAN-READABLE,  PAGED,  HARDCOPY OUTPUT (E.G., LINE PRINTER 
OUTPUT) WITH HUMAN-READABLE SENSITIVITY  LABELS  THAT  PROP- 
ERLY1 REPRESENT THE SENSITIVITY OF THE PAGE.  THE TCB SHALL, 
BY DEFAULT AND IN AN APPROPRIATE MANNER, MARK OTHER FORMS OF 
HUMAN  READABLE  OUTPUT  (E.G.,  MAPS, GRAPHICS) WITH HUMAN- 
READABLE SENSITIVITY LABELS  THAT  PROPERLY1  REPRESENT  THE 
SENSITIVITY  OF  THE OUTPUT.  ANY OVERRIDE OF THESE MARKINGS 
DEFAULTS SHALL BE AUDITABLE BY THE TCB. 
 
+  Interpretation 
 
     THIS CRITERION IMPOSES NO REQUIREMENT  TO  A  COMPONENT 
THAT  PRODUCES  NO HUMAN-READABLE OUTPUT.  FOR THOSE THAT DO 
_________________________ 
READABLE  SENSITIVITY  LABELS  SHALL  BE  EQUAL  TO THE 
GREATEST HIERARCHICAL CLASSIFICATION OF ANY OF THE  IN- 
FORMATION  IN  THE OUTPUT THAT THE LABELS REFER TO; THE 
NON-HIERARCHICAL CATEGORY COMPONENT SHALL  INCLUDE  ALL 
OF  THE  NON-HIERARCHICAL CATEGORIES OF THE INFORMATION 
HIERARCHICAL CATEGORIES. 
 
 
 
 
ACROSS  ALL  COMPONENTS.  THE NETWORK ADMINISTRATOR, IN CON- 
JUNCTION WITH ANY AFFECTED COMPONENT ADMINISTRATOR, SHALL BE 
ABLE  TO SPECIFY THE HUMAN-READABLE LABEL THAT IS ASSOCIATED 
WITH EACH DEFINED SENSITIVITY LEVEL. 
 
+  Rationale 
 
     THE INTERPRETATION IS A  STRAIGHTFORWARD  EXTENSION  OF 
THE  REQUIREMENT  INTO  THE  CONTEXT OF A NETWORK SYSTEM AND 
TIONS. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL ENFORCE A MANDATORY ACCESS CONTROL POLICY OVER 
ALL  SUBJECTS  AND  STORAGE OBJECTS UNDER ITS CONTROL (E.G., 
OBJECTS SHALL BE ASSIGNED SENSITIVITY LABELS THAT ARE A COM- 
BINATION OF  HIERARCHICAL  CLASSIFICATION  LEVELS  AND  NON- 
HIERARCHICAL CATEGORIES, AND THE LABELS SHALL BE USED AS THE 
BASIS FOR MANDATORY ACCESS CONTROL DECISIONS.  THE TCB SHALL 
BE  ABLE  TO  SUPPORT  TWO  OR MORE SUCH SENSITIVITY LEVELS. 
(SEE THE MANDATORY  ACCESS  CONTROL  INTERPRETATIONS.)   THE 
FOLLOWING  REQUIREMENTS  SHALL HOLD FOR ALL ACCESSES BETWEEN 
SUBJECTS AND OBJECTS CONTROLLED BY THE TCB:  A  SUBJECT  CAN 
READ  AN  OBJECT  ONLY IF THE HIERARCHICAL CLASSIFICATION IN 
THE SUBJECT'S SENSITIVITY LEVEL IS GREATER THAN OR EQUAL  TO 
THE  HIERARCHICAL CLASSIFICATION OF THE OBJECT'S SENSITIVITY 
LEVEL AND THE NON-HIERARCHICAL CATEGORIES IN  THE  SUBJECT'S 
SENSITIVITY   LEVEL   INCLUDE   ALL   THE   NON-HIERARCHICAL 
CATEGORIES IN THE OBJECT'S SENSITIVITY LEVEL. A SUBJECT  CAN 
WRITE  AN  OBJECT ONLY IF THE HIERARCHICAL CLASSIFICATION IN 
THE SUBJECT'S SENSITIVITY LEVEL IS LESS THAN OR EQUAL TO THE 
HIERARCHICAL  CLASSIFICATION  OF  THE  OBJECT'S  SENSITIVITY 
LEVEL AND THE NON-HIERARCHICAL CATEGORIES IN  THE  SUBJECT'S 
SENSITIVITY  LEVEL  ARE  INCLUDED  IN  THE  NON-HIERARCHICAL 
CATEGORIES IN THE OBJECT'S SENSITIVITY LEVEL. IDENTIFICATION 
AND  AUTHENTICATION DATA SHALL BE USED BY THE TCB TO AUTHEN- 
TICATE THE USER'S IDENTITY AND TO  ENSURE  THAT  THE  SENSI- 
TIVITY  LEVEL  AND AUTHORIZATION OF SUBJECTS EXTERNAL TO THE 
TCB THAT MAY BE CREATED TO ACT ON BEHALF OF  THE  INDIVIDUAL 
USER  ARE  DOMINATED  BY  THE CLEARANCE AND AUTHORIZATION OF 
THAT USER. 
 
+  Interpretation 
 
     EACH PARTITION OF THE NTCB EXERCISES  MANDATORY  ACCESS 
CONTROL  POLICY  OVER  ALL  SUBJECTS AND OBJECTS IN ITS COM- 
RESPONSIBILITY  OF  AN NTCB PARTITION ENCOMPASSES ALL MANDA- 
TORY ACCESS CONTROL FUNCTIONS IN ITS COMPONENT THAT WOULD BE 
REQUIRED  OF  A  TCB IN A STAND-ALONE SYSTEM. IN PARTICULAR, 
SUBJECTS AND OBJECTS USED FOR COMMUNICATION WITH OTHER  COM- 
TORY ACCESS CONTROL INCLUDES SECRECY AND  INTEGRITY  CONTROL 
TO  THE EXTENT THAT THE NETWORK SPONSOR HAS DESCRIBED IN THE 
OVERALL NETWORK SECURITY POLICY. 
 
     CONCEPTUAL  ENTITIES  ASSOCIATED   WITH   COMMUNICATION 
BETWEEN  TWO  COMPONENTS,  SUCH AS SESSIONS, CONNECTIONS AND 
VIRTUAL CIRCUITS, MAY BE THOUGHT OF AS HAVING TWO ENDS,  ONE 
OBJECT.  COMMUNICATION IS VIEWED AS AN OPERATION THAT COPIES 
ENTITIES,  SUCH  AS  DATAGRAMS  AND PACKETS, EXIST EITHER AS 
ONE AT EACH END OF THE COMMUNICATION PATH. 
 
     THE REQUIREMENT FOR "TWO OR  MORE"  SENSITIVITY  LEVELS 
CAN  BE  MET  BY  EITHER  SECRECY OR INTEGRITY LEVELS.  WHEN 
THERE IS A MANDATORY INTEGRITY POLICY, THE  STATED  REQUIRE- 
MENTS FOR READING AND WRITING ARE GENERALIZED TO:  A SUBJECT 
CAN READ AN OBJECT ONLY IF THE SUBJECT'S  SENSITIVITY  LEVEL 
DOMINATES  THE OBJECT'S SENSITIVITY LEVEL, AND A SUBJECT CAN 
WRITE AN OBJECT ONLY IF THE OBJECT'S SENSITIVITY LEVEL  DOM- 
NANCE  RELATION FOR THE TOTAL LABEL, FOR EXAMPLE, BY COMBIN- 
 
+ Rationale 
 
     AN NTCB PARTITION CAN MAINTAIN ACCESS CONTROL ONLY OVER 
SUBJECTS  AND  OBJECTS IN ITS COMPONENT. ACCESS BY A SUBJECT 
ANOTHER  COMPONENT REQUIRES THE CREATION OF A SUBJECT IN THE 
REMOTE COMPONENT WHICH ACTS AS A  SURROGATE  FOR  THE  FIRST 
SUBJECT. 
 
     THE MANDATORY ACCESS CONTROLS MUST BE ENFORCED  AT  THE 
CONTROLS PHYSICAL PROCESSING RESOURCES) FOR EACH NTCB PARTI- 
TION.   THIS  MECHANISM  CREATES THE ABSTRACTION OF SUBJECTS 
AND OBJECTS WHICH IT CONTROLS.  SOME OF THESE SUBJECTS  OUT- 
SIDE  THE  REFERENCE  MONITOR,  PER SE, MAY BE DESIGNATED TO 
E.G.,  BY USING THE ``TRUSTED SUBJECTS" DEFINED IN THE BELL- 
_________________________ 
  - See, for example, Grohn, M.  J., A Model of a  Pro- 
                                     _ _____ __ _  ___ 
tected  Data  Management  System, ESD-TR-76-289, I.  P. 
______  ____  __________  ______ 
Sharp Assoc.  Ltd., June, 1976;  and  Denning,  D  .E., 
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. 
and Shockley, W., Secure Distributed Data Views,  Secu- 
                  ______ ___________ ____ _____   ____ 
____ ______ ___ ______________ ___ _ _____ __ ________ 
el Secure Relational Database System,SRI International, 
__ ______ __________ ________ ______ 
November 1986. 
 
 
LAPADULA MODEL. 
     THE PRIOR REQUIREMENTS ON EXPORTATION OF LABELED INFOR- 
MATION  TO  AND  FROM  I/O  DEVICES  ENSURE  THE CONSISTENCY 
BETWEEN THE SENSITIVITY LABELS OF  OBJECTS  CONNECTED  BY  A 
COMMUNICATION  PATH.  AS NOTED IN THE INTRODUCTION, THE NET- 
WORK ARCHITECTURE MUST RECOGNIZE  THE  LINKAGE  BETWEEN  THE 
OVERALL MANDATORY NETWORK SECURITY POLICY AND THE CONNECTION 
ORIENTED ABSTRACTION. FOR EXAMPLE, INDIVIDUAL  DATA-CARRYING 
ENTITIES  SUCH  AS DATAGRAMS CAN HAVE INDIVIDUAL SENSITIVITY 
LABELS THAT SUBJECT THEM TO MANDATORY ACCESS CONTROL IN EACH 
COMPONENT.   THE ABSTRACTION OF A SINGLE-LEVEL CONNECTION IS 
REALIZED AND ENFORCED IMPLICITLY BY AN ARCHITECTURE WHILE  A 
CONNECTION  IS REALIZED BY SINGLE-LEVEL SUBJECTS THAT NECES- 
SARILY EMPLOY ONLY DATAGRAMS OF THE SAME LEVEL. 
 
     THE FUNDAMENTAL TRUSTED SYSTEMS TECHNOLOGY PERMITS  THE 
DAC MECHANISM TO BE DISTRIBUTED, IN CONTRAST TO THE REQUIRE- 
MENTS FOR  MANDATORY  ACCESS  CONTROL.   FOR  NETWORKS  THIS 
SEPARATION OF MAC AND DAC MECHANISMS IS THE RULE RATHER THAN 
THE EXCEPTION. 
 
     THE SET OF TOTAL SENSITIVITY LABELS USED  TO  REPRESENT 
ALL  THE SENSITIVITY LEVELS FOR THE MANDATORY ACCESS CONTROL 
(COMBINED DATA SECRECY AND  DATA  INTEGRITY)  POLICY  ALWAYS 
FORMS  A PARTIALLY ORDERED SET.  WITHOUT LOSS OF GENERALITY, 
THIS SET OF LABELS CAN ALWAYS BE EXTENDED TO FORM A LATTICE, 
BY   INCLUDING  ALL  THE  COMBINATIONS  OF  NON-HIERARCHICAL 
CATEGORIES.  AS FOR ANY LATTICE,  A  DOMINANCE  RELATION  IS 
ALWAYS DEFINED FOR THE TOTAL SENSITIVITY LABELS.  FOR ADMIN- 
WHICH DOMINATES ALL OTHERS. 
 
 
_ _ _ ______________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall require users to  identify  themselves  to  it 
before  beginning  to perform any other actions that the TCB 
s expected to mediate.  Furthermore, the TCB shall MAINTAIN
AUTHENTICATION  DATA THAT INCLUDES INFORMATION FOR VERIFYING 
THE IDENTIFY OF INDIVIDUAL USERS (E.G., PASSWORDS)  AS  WELL 
AS  INFORMATION FOR DETERMINING THE CLEARANCE AND AUTHORIZA- 
TIONS OF INDIVIDUAL USERS.  THIS DATA SHALL BE USED  BY  THE 
TCB  TO  AUTHENTICATE THE USER'S IDENTITY AND TO ENSURE THAT 
THE SENSITIVITY LEVEL AND AUTHORIZATION OF SUBJECTS EXTERNAL 
TO THE TCB THAT MAY BE CREATED TO ACT ON BEHALF OF THE INDI- 
VIDUAL USER ARE DOMINATED BY THE CLEARANCE AND AUTHORIZATION 
OF  THAT  USER. The TCB shall protect authentication data so 
that it cannot be accessed by any  unauthorized  user.   The 
TCB  shall  be  able to enforce individual accountability by 
capability of associating this identity with  all  auditable 
actions taken by that individual. 
 
+  Interpretation 
 
     The requirement for identification  and  authentication 
of users is the same for a network system as for an ADP sys- 
tem. The identification and authentication may  be  done  by 
the  component  to  which  the user is directly connected or 
tication  server.   Available  techniques,  such  as   those 
applicable in the network context. However, in  cases  where 
the  NTCB is expected to mediate actions of a host (or other 
network component) that is acting on behalf  of  a  user  or 
authentication of the host (or other component) in  lieu  of 
dentification  and authentication of an individual user, so
long as the component identifier implies a list of  specific 
users uniquely associated with the identifier at the time of 
ts use for authentication.  This requirement does not apply
to internal subjects. 
 
     Authentication information, including the identity of a 
user  (once  authenticated) may be passed from one component 
to another without reauthentication, so  long  as  the  NTCB 
thorized disclosure and modification. This protection  shall 
of mechanism) as pertains to the protection of the authenti- 
cation mechanism and authentication data. 
 
+  Rationale 
 
     The need for accountability is not changed in the  con- 
text  of a network system.  The fact that the NTCB is parti- 
tioned over a set of components neither reduces the need nor 
mposes  new requirements.  That is, individual accountabil-
ty is still the objective. Also, in the context of  a  net-
tability" can be satisfied by identification of a  host  (or 
other component) so long as the requirement for traceability 
to individual users or a set of  specific  individual  users 
uncertainty in traceability because of elapsed time  between 
changes  in  the group membership and the enforcement in the 
access control mechanisms.  In addition, there is no need in 
a  distributed processing system like a network to reauthen- 
ticate a user at each point in the network where  a  projec- 
tion  of  a user (via the subject operating on behalf of the 
user) into another remote subject takes place. 
 
 
_________________________ 
  = Department of Defense  Password  Management  Guide- 
    __________ __ _______  ________  __________  _____ 
line, CSC-STD-002-85 
____ 
 
 
     The passing of identifiers and/or authentication infor- 
mation from one component to another is usually done in sup- 
trol  (DAC).   This  support  relates  directly  to  the DAC 
ferent  NTCB  partition  than  the  one  where  the user was 
authenticated. Employing a forwarded identification  implies 
additional  reliance  on the source and components along the 
BASIS  OF  DETERMINING A SENSITIVITY LABEL FOR A SUBJECT, IT 
MUST SATISFY THE LABEL INTEGRITY CRITERION. 
 
     AN  AUTHENTICATED  IDENTIFICATION  MAY   BE   FORWARDED 
BETWEEN  COMPONENTS  AND EMPLOYED IN SOME COMPONENT TO IDEN- 
TIFY THE SENSITIVITY LEVEL ASSOCIATED WITH A SUBJECT CREATED 
TO ACT ON BEHALF OF THE USER SO IDENTIFIED. 
 
 
_ _ _ _ _____ 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall be able to create, maintain, and protect  from 
modification  or unauthorized access or destruction an audit 
trail of accesses to the objects  it  protects.   The  audit 
s limited to those who are authorized for audit data.   The
TCB  shall  be able to record the following types of events: 
use of identification and authentication mechanisms,  intro- 
open, program  initiation),  deletion  of  objects,  actions 
taken by computer operators and system administrators and/or 
events.  THE TCB SHALL ALSO BE ABLE TO AUDIT ANY OVERRIDE OF 
HUMAN-READABLE OUTPUT MARKINGS.  For  each  recorded  event, 
the audit record shall identify: date and time of the event, 
user, type of event, and success or failure  of  the  event. 
For   identification/authentication  events  the  origin  of 
address space and  for  object  deletion  events  the  audit 
SENSITIVITY LEVEL. The ADP  system  administrator  shall  be 
able  to  selectively  audit  the actions of any one or more 
users based on individual identify AND/OR OBJECT SENSITIVITY 
LEVEL. 
 
+  Interpretation 
 
     This criterion applies  as  stated.  The  sponsor  must 
not distinguishable by the NTCB  alone  (for  example  those 
dentified in Part II), the audit mechanism shall provide an
nterface, which  an  authorized  subject  can  invoke  with
audit records shall be distinguishable from  those  provided 
by  the  NTCB.   In  the context of a network system, "other 
architecture  and  network security policy) might be as fol- 
lows: 
 
 
        lishing a connection or a connectionless association 
        between processes in two hosts of the  network)  and 
        its  principal parameters (e.g., host identifiers of 
        the two hosts involved in the access event and  user 
        identifier  or  host  identifier of the user or host 
        that is requesting the access event) 
 
        each  access  event  using local time or global syn- 
        chronized time 
 
        ditions   (e.g.,   potential   violation   of   data 
        integrity, such  as  misrouted  datagrams)  detected 
        during the transactions between two hosts 
 
 
        component leaving the network and rejoining) 
 
     In  addition,  identification  information  should   be 
ncluded  in  appropriate audit trail records, as necessary,
to allow association of all  related  (e.g.,  involving  the 
network  system  may  provide  the required audit capability 
(e.g., storage, retrieval, reduction,  analysis)  for  other 
components  that  do  not  internally  store  audit data but 
transmit the audit data to some designated  collection  com- 
audit data due to unavailability of resources. 
 
     In the context of a network system, the "user's address 
events, to include address spaces being employed  on  behalf 
of  a  remote user (or host).  However, the focus remains on 
users in contrast to internal subjects as discussed  in  the 
DAC  criterion.   In  addition,  audit  information  must be 
 
+  Rationale 
 
     For remote users, the network identifiers (e.g., inter- 
net address) can be used as identifiers of groups of indivi- 
maintenance that would be required if individual identifica- 
tion of remote users was employed.  In this class (C2), how- 
ever,  it  must  be  possible to identify (immediately or at 
dentifier.   In all other respects, the interpretation is a
of a network system. 
 
 
_ _ _ _________ 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall maintain a domain for its own  execution  that 
by modification of its code or data structures).   Resources 
controlled  by  the  TCB may be a defined subset of the sub- 
SPACES  UNDER  ITS  CONTROL.  The  TCB  shall  isolate   the 
access control and auditing requirements. 
 
+  Interpretation 
 
     The system architecture criterion must be met individu- 
ally by all NTCB partitions.  Implementation of the require- 
ment that the NTCB maintain a domain for its  own  execution 
s  achieved by having each NTCB partition maintain a domain
for its own execution. SINCE EACH COMPONENT IS ITSELF A DIS- 
TINCT DOMAIN IN THE OVERALL NETWORK SYSTEM, THIS ALSO SATIS- 
FIES THE REQUIREMENT FOR PROCESS ISOLATION THROUGH  DISTINCT 
ADDRESS  SPACES  IN  THE  SPECIAL CASE WHERE A COMPONENT HAS 
ONLY A SINGLE SUBJECT. 
 
     The subset of network resources over which the NTCB has 
control  are  the  union of the sets of resources over which 
the NTCB partitions have control.  Code and data  structures 
belonging  to  the  NTCB,  transferred  among  NTCB subjects 
(i.e., subjects outside the reference monitor but inside the 
NTCB)  belonging  to different NTCB partitions, must be pro- 
tected against  external  interference  or  tampering.   For 
example,  a  cryptographic checksum or physical means may be 
employed  to  protect  user  authentication  data  exchanged 
between NTCB partitions. 
 
     Each NTCB partition  provides  isolation  of  RESOURCES 
(WITHIN  ITS  COMPONENT)  TO BE PROTECTED IN accord with the 
network system architecture  and  security  policy  SO  THAT 
"SUPPORTING  ELEMENTS"  (E.G.,  DAC AND USER IDENTIFICATION) 
FOR THE  SECURITY  MECHANISMS  OF  THE  NETWORK  SYSTEM  ARE 
STRENGTHENED  COMPARED  TO  C2,  FROM  AN ASSURANCE POINT OF 
VIEW, THROUGH THE PROVISION OF DISTINCT ADDRESS SPACES UNDER 
CONTROL OF THE NTCB. 
 
     AS DISCUSSED IN THE DISCRETIONARY ACCESS  CONTROL  SEC- 
TION,  THE  DAC  MECHANISM OF A NTCB PARTITION MAY BE IMPLE- 
MENTED AT THE INTERFACE OF THE REFERENCE MONITOR OR  MAY  BE 
DISTRIBUTED  IN  SUBJECTS  THAT  ARE PART OF THE NTCB IN THE 
SAME OR DIFFERENT COMPONENT.  WHEN DISTRIBUTED IN NTCB  SUB- 
JECTS  (I.E.,  WHEN  OUTSIDE  THE  REFERENCE  MONITOR),  THE 
ASSURANCE REQUIREMENTS FOR THE DESIGN AND IMPLEMENTATION  OF 
THE DAC SHALL BE THOSE OF CLASS C2 FOR ALL NETWORKS OF CLASS 
C2 OR ABOVE. 
 
+  Rationale 
 
 
     The requirement for the  protection  of  communications 
between NTCB partitions is specifically directed to subjects 
that are part of the NTCB partitions.  Any requirements  for 
 
     THE PROVISION OF DISTINCT ADDRESS SPACES UNDER THE CON- 
TROL  OF  THE NTCB PROVIDES THE ABILITY TO SEPARATE SUBJECTS 
ACCORDING TO SENSITIVITY LEVEL.  THIS REQUIREMENT IS  INTRO- 
DUCED  AT  B1  SINCE IT IS AN ABSOLUTE NECESSITY IN ORDER TO 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Hardware and/or software features shall be provided that can 
be  used  to  periodically validate the correct operation of 
the on-site hardware and firmware elements of the TCB. 
 
+  Interpretation 
 
     Implementation of the requirement is partly achieved by 
and  firmware  elements  of each component's NTCB partition. 
Features shall also be provided to validate the identity and 
correct  operation of a component prior to its incorporation 
n the network system and throughout system operation.   For
example,  a protocol could be designed that enables the com- 
cally  and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability 
to  respond. NTCB partitions shall provide the capability to 
 
     Intercomponent  protocols  implemented  within  a  NTCB 
tion in the case of failures of  network  communications  or 
ndividual components.  The allocation of MANDATORY AND dis-
cretionary access control policy in a  network  may  require 
communication  between trusted subjects that are part of the 
NTCB partitions in different components.  This communication 
s normally implemented with a protocol between the subjects
as peer entities.  Incorrect access within a component shall 
not  result from failure of an NTCB partition to communicate 
 
+ Rationale 
 
     The  first  paragraph  of  the  interpretation   is   a 
text of a network system and partitioned NTCB as defined for 
these network criteria. 
 
     NTCB protocols should be robust  enough  so  that  they 
zed failure. The purpose of this protection is to  preserve
the integrity of the NTCB itself.  It is not unusual for one 
or more components in a network to  be  inoperative  at  any 
time,  so  it  is  important to minimize the effects of such 
failures on the rest of the  network.  Additional  integrity 
and denial of service issues are addressed in Part II. 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The security mechanisms of the ADP system  shall  be  tested 
and  found to work as claimed in the system documentation. A 
TEAM OF INDIVIDUALS WHO THOROUGHLY UNDERSTAND  THE  SPECIFIC 
TATION, SOURCE CODE, AND OBJECT CODE TO THROUGH ANALYSIS AND 
TESTING.   THEIR  OBJECTIVES SHALL BE: TO UNCOVER ALL DESIGN 
AND IMPLEMENTATION FLAWS THAT WOULD PERMIT A SUBJECT  EXTER- 
NAL  TO  THE  TCB  TO  READ, CHANGE, OR DELETE DATA NORMALLY 
DENIED UNDER THE MANDATORY OR DISCRETIONARY SECURITY  POLICY 
ENFORCED  BY  THE  TCB; AS WELL AS TO ASSURE THAT NO SUBJECT 
(WITHOUT AUTHORIZATION TO DO SO) IS ABLE TO CAUSE THE TCB TO 
ENTER  A STATE SUCH THAT IT IS UNABLE TO RESPOND TO COMMUNI- 
CATIONS INITIATED BY OTHER USERS. ALL DISCOVERED FLAWS SHALL 
BE  REMOVED  OR  NEUTRALIZED  AND THE TCB RETESTED TO DEMON- 
STRATE THAT THEY HAVE BEEN ELIMINATED  AND  THAT  NEW  FLAWS 
HAVE  NOT  BEEN INTRODUCED. (See the Security Testing Guide- 
lines.) 
 
+  Interpretation 
 
     Testing of a component  will  require  a  testbed  that 
exercises  the  interfaces  and  protocols  of the component 
ncluding tests under exceptional conditions.   The  testing
of  a  security  mechanism of the network system for meeting 
this criterion shall  be  an  integrated  testing  procedure 
nvolving  all  components containing an NTCB partition that
mplement the given mechanism. This  integrated  testing  is
additional to any individual component tests involved in the 
evaluation of the network system.  The sponsor should  iden- 
tify the allowable set of configurations including the sizes 
of the networks.  Analysis or testing procedures  and  tools 
tions.  A change in configuration within the  allowable  set 
of configurations does not require retesting. 
 
     THE TESTING OF EACH COMPONENT WILL INCLUDE  THE  INTRO- 
DUCTION  OF  SUBJECTS EXTERNAL TO THE NTCB PARTITION FOR THE 
COMPONENT THAT WILL ATTEMPT TO READ, CHANGE, OR DELETE  DATA 
NORMALLY  DENIED.   IF THE NORMAL INTERFACE TO THE COMPONENT 
DOES NOT PROVIDE A MEANS TO CREATE THE  SUBJECTS  NEEDED  TO 
CONDUCT  SUCH A TEST, THEN THIS PORTION OF THE TESTING SHALL 
USE A SPECIAL VERSION OF THE UNTRUSTED SOFTWARE FOR THE COM- 
THE RESULTS SHALL BE SAVED FOR TEST ANALYSIS.  SUCH  SPECIAL 
VERSIONS  SHALL  HAVE AN NTCB PARTITION THAT IS IDENTICAL TO 
THAT FOR THE NORMAL CONFIGURATION  OF  THE  COMPONENT  UNDER 
EVALUATION. 
 
     THE TESTING OF THE  MANDATORY  CONTROLS  SHALL  INCLUDE 
TESTS   TO  DEMONSTRATE  THAT  THE  LABELS  FOR  INFORMATION 
REPRESENT  THE  LABELS  MAINTAINED BY THE NTCB PARTITION FOR 
THE COMPONENT FOR USE AS THE BASIS FOR ITS MANDATORY  ACCESS 
CONTROL  DECISIONS.   THE  TESTS  SHALL INCLUDE EACH TYPE OF 
DEVICE, WHETHER SINGLE-LEVEL OR MULTILEVEL, SUPPORTED BY THE 
COMPONENT. 
 
+  Rationale 
 
     THE PHRASE "NO SUBJECT (WITHOUT AUTHORIZATION TO DO SO) 
UNABLE TO  RESPOND  TO  COMMUNICATIONS  INITIATED  BY  OTHER 
USERS"  RELATES  TO  THE  SECURITY SERVICES (PART II OF THIS 
TNI) FOR THE DENIAL OF SERVICE PROBLEM, AND  TO  CORRECTNESS 
OF THE PROTOCOL IMPLEMENTATIONS. 
 
     Testing  is  AN  IMPORTANT  method  available  in  this  
evaluation  division to gain any assurance that the security 
mechanisms perform their intended function.  A MAJOR PURPOSE 
OF TESTING IS TO DEMONSTRATE THE SYSTEM'S RESPONSE TO INPUTS 
TO THE NTCB PARTITION FROM  UNTRUSTED  (AND  POSSIBLY  MALI- 
CIOUS) SUBJECTS. 
 
     IN CONTRAST TO GENERAL PURPOSE SYSTEMS THAT  ALLOW  FOR 
THE  DYNAMIC  CREATION OF NEW PROGRAMS AND THE INTRODUCTIONS 
OF NEW PROCESSES (AND HENCE NEW SUBJECTS) WITH  USER  SPECI- 
FIED  SECURITY  PROPERITIES, MANY NETWORK COMPONENTS HAVE NO 
METHOD FOR INTRODUCING NEW PROGRAMS AND/OR PROCESSES  DURING 
THEIR  NORMAL  OPERATION.  THEREFORE, THE PROGRAMS NECESSARY 
FOR THE TESTING MUST BE INTRODUCED AS  SPECIAL  VERSIONS  OF 
THE  SOFTWARE  RATHER THAN AS THE RESULT OF NORMAL INPUTS BY 
THE TEST TEAM.  HOWEVER, IT MUST BE INSURED  THAT  THE  NTCB 
EVALUATION. 
 
     SENSITIVITY LABELS SERVE A CRITICAL ROLE IN MAINTAINING 
THE  SECURITY  OF  THE MANDATORY ACCESS CONTROLS IN THE NET- 
WORK.  ESPECIALLY IMPORTANT TO NETWORK SECURITY IS THE  ROLE 
OF  THE  LABELS  FOR  INFORMATION  COMMUNICATED BETWEEN COM- 
CIT  LABELS FOR SINGLE-LEVEL DEVICES.  THEREFORE THE TESTING 
FOR CORRECT LABELS IS HIGHLIGHTED. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
AN INFORMAL OR FORMAL MODEL OF THE SECURITY POLICY SUPPORTED 
BY  THE  TCB  SHALL BE MAINTAINED OVER THE LIFE CYCLE OF THE 
ADP SYSTEM  AND  DEMONSTRATED  TO  BE  CONSISTENT  WITH  ITS 
AXIOMS. 
 
+  Interpretation 
 
     THE OVERALL NETWORK SECURITY POLICY EXPRESSED  IN  THIS 
MODEL  WILL  PROVIDE THE BASIS FOR THE MANDATORY ACCESS CON- 
TROL POLICY EXERCISED BY THE NTCB OVER SUBJECTS AND  STORAGE 
OBJECTS  IN THE ENTIRE NETWORK.  THE POLICY WILL ALSO BE THE 
BASIS FOR THE DISCRETIONARY ACCESS CONTROL POLICY  EXERCISED 
BY  THE  NTCB  TO  CONTROL  ACCESS  OF  NAMED USERS TO NAMED 
OBJECTS.  DATA INTEGRITY REQUIREMENTS ADDRESSING THE EFFECTS 
OF UNAUTHORIZED MSM NEED NOT BE INCLUDED IN THIS MODEL.  THE 
OVERALL NETWORK POLICY MUST BE DECOMPOSED INTO  POLICY  ELE- 
MENTS  THAT ARE ALLOCATED TO APPROPRIATE COMPONENTS AND USED 
AS THE BASIS FOR THE SECURITY POLICY MODEL  FOR  THOSE  COM- 
 
     THE LEVEL OF ABSTRACTION OF THE MODEL, AND THE  SET  OF 
SUBJECTS  AND OBJECTS THAT ARE EXPLICITLY REPRESENTED IN THE 
MODEL, WILL BE AFFECTED BY THE NTCB PARTITIONING.   SUBJECTS 
AND  OBJECTS MUST BE REPRESENTED EXPLICITLY IN THE MODEL FOR 
THE PARTITION IF THERE IS SOME NETWORK COMPONENT WHOSE  NTCB 
SHALL BE STRUCTURED SO THAT THE AXIOMS AND ENTITIES APPLICA- 
BLE  TO  INDIVIDUAL NETWORK COMPONENTS ARE MANIFEST.  GLOBAL 
NETWORK POLICY ELEMENTS THAT  ARE  ALLOCATED  TO  COMPONENTS 
SHALL BE REPRESENTED BY THE MODEL FOR THAT COMPONENT. 
 
+ Rationale 
 
     THE TREATMENT OF THE MODEL DEPENDS TO A GREAT EXTENT ON 
THE DEGREE OF INTEGRATION OF THE COMMUNICATIONS SERVICE INTO 
A DISTRIBUTED SYSTEM. IN A CLOSELY COUPLED DISTRIBUTED  SYS- 
TEM,  ONE  MIGHT  USE  A  MODEL  THAT  CLOSELY RESEMBLES ONE 
APPROPRIATE FOR A STAND-ALONE COMPUTER SYSTEM. 
 
     IN OTHER CASES, THE MODEL OF  EACH  PARTITION  WILL  BE 
EXPECTED TO SHOW THE ROLE OF THE NTCB PARTITION IN EACH KIND 
OF COMPONENT.   IT  WILL  MOST  LIKELY  CLARIFY  THE  MODEL, 
ALTHOUGH  NOT PART OF THE MODEL, TO SHOW ACCESS RESTRICTIONS 
REPRESENTING  PROTOCOL  ENTITIES  MIGHT HAVE ACCESS ONLY  TO 
OBJECTS CONTAINING DATA UNITS AT THE SAME LAYER OF PROTOCOL. 
THE  ALLOCATION OF SUBJECTS AND  OBJECTS TO DIFFERENT PROTO- 
COL LAYERS IS A PROTOCOL DESIGN CHOICE WHICH  NEED  NOT   BE 
REFLECTED IN THE SECURITY POLICY MODEL. 
 
 
_ _ _ _____________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A single summary, chapter, or manual in  user  documentation 
TCB, interpretations on their use,  and  how  they  interact 
 
+  Interpretation 
 
     This user documentation describes user visible  protec- 
tion  mechanisms at the global (network system) level and at 
the user interface of each component,  and  the  interaction 
among these. 
 
+  Rationale 
 
     The interpretation is an extension of  the  requirement 
nto  the  context  of a network system as defined for these
network criteria.  Documentation  of  protection  mechanisms 
teria for trusted  computer  systems  that  are  applied  as 
appropriate for the individual components. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A manual addressed to the  ADP  system  administrator  shall 
be controlled when running a secure facility. The procedures 
for examining and maintaining the audit files as well as the 
ADMINISTRATOR FUNCTIONS  RELATED  TO  SECURITY,  TO  INCLUDE 
CHANGING  THE  SECURITY CHARACTERISTICS OF A USER.  IT SHALL 
OF THE PROTECTION FEATURES OF THE SYSTEM, HOW THEY INTERACT, 
HOW TO SECURELY GENERATE A NEW TCB, AND FACILITY PROCEDURES, 
WARNINGS, AND PRIVILEGES THAT NEED TO BE CONTROLLED IN ORDER 
TO OPERATE THE FACILITY IN A SECURE MANNER. 
 
 
+ Interpretation 
 
     This manual shall contain specifications and procedures 
to assist the system administrator(s) maintain cognizance of 
the network configuration.  These  specifications  and  pro- 
cedures shall address the following: 
 
 
        network; 
 
        leave  the  network  (e.g., by crashing, or by being 
        disconnected) and then rejoin; 
 
        security  of  the  network system; (For example, the 
        manual  should  describe  for  the  network   system 
        administrator  the interconnections among components 
        that are consistent with the overall network  system 
        architecture.) 
 
        (e.g., down-line loading). 
 
     The physical and administrative environmental  controls 
all  communications  links must be physically protected to a 
certain level). 
 
+ Rationale 
 
     There  may  be  multiple  system  administrators   with 
other  forms of security in order to achieve security of the 
network.  Additional forms include administrative  security, 
 
     Extension of  this  criterion  to  cover  configuration 
aspects  of  the  network  is  needed  because, for example, 
to  achieve  a  correct realization of the network architec- 
ture. 
 
     AS MENTIONED IN THE SECTION ON LABEL  INTEGRITY,  cryp- 
tography is one common mechanism employed to protect commun- 
cation circuits.  Encryption transforms the  representation
of  information so that it is unintelligible to unauthorized 
of the ciphertext is generally lower than the cleartext.  If 
encryption  methodologies  are  employed,  they   shall   be 
approved by the National Security Agency (NSA). 
 
     The encryption algorithm  and  its  implementation  are 
outside  the scope of these interpretations.  This algorithm 
and implementation may be implemented in a  separate  device 
or  may  be a function of a subject in a component not dedi- 
cated to encryption.  Without prejudice, either  implementa- 
tion  packaging  is  referred  to as an encryption mechanism 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall provide to the evaluators a docu- 
ment that describes the test plan, test procedures that show 
 
+  Interpretation 
 
     The "system developer" is interpreted as  "the  network 
establish the context in which the testing was or should  be 
conducted.   The  description should identify any additional 
test components that  are  not  part  of  the  system  being 
evaluated.  This includes a description of the test-relevant 
functions of such test components and a description  of  the 
nterfacing  of  those  test  components to the system being
evaluated.  The description of the  test  plan  should  also 
configuration and sizing. 
 
+  Rationale 
 
     The entity being evaluated may be a networking  subsys- 
tem (see Appendix A) to which other components must be added 
to make a  complete  network  system.  In  that  case,  this 
nterpretation  is extended to include contextual definition
because, at evaluation time, it is not possible to  validate 
the  test  plans  without the description of the context for 
testing the networking subsystem. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Documentation shall be available that provides a description 
of the manufacturer's philosophy of protection and an expla- 
nation of how this philosophy is translated into the TCB. If 
the  TCB  is  composed  of  distinct modules, the interfaces 
between these modules shall be described.   AN  INFORMAL  OR 
FORMAL  DESCRIPTION OF THE SECURITY POLICY MODEL ENFORCED BY 
THE TCB SHALL BE AVAILABLE AND AN  EXPLANATION  PROVIDED  TO 
SHOW  THAT  IT IS SUFFICIENT TO ENFORCE THE SECURITY POLICY. 
THE SPECIFIC TCB PROTECTION MECHANISMS SHALL  BE  IDENTIFIED 
AND  AN  EXPLANATION  GIVEN  TO  SHOW  THAT THEY SATISFY THE 
MODEL. 
 
+  Interpretation 
 
     Explanation of how the sponsor's philosophy of  protec- 
tion is translated into the NTCB shall include a description 
of how the NTCB is partitioned.  The  security  policy  also 
the NTCB modules shall include the interface(s) between NTCB 
exist.  The sponsor shall describe the security architecture 
and  design,  including  the allocation of security require- 
ments among  components.   Appendix  A  addresses  component 
evaluation issues. 
 
     AS STATED IN THE INTRODUCTION TO DIVISION B, THE  SPON- 
SOR  MUST  DEMONSTRATE  THAT  THE NTCB EMPLOYS THE REFERENCE 
MONITOR CONCEPT.  THE SECURITY POLICY MODEL MUST BE A  MODEL 
FOR A REFERENCE MONITOR. 
 
     THE SECURITY POLICY MODEL FOR EACH PARTITION IMPLEMENT- 
CONTROL POLICY SUPPORTED BY  THE  PARTITION,  INCLUDING  THE 
DISCRETIONARY  AND  MANDATORY  SECURITY  POLICY  FOR SECRECY 
AND/OR INTEGRITY.  FOR THE MANDATORY POLICY THE SINGLE DOMI- 
NANCE  RELATION  FOR  SENSITIVITY  LABELS, INCLUDING SECRECY 
AND/OR INTEGRITY COMPONENTS, SHALL BE PRECISELY DEFINED. 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context  of a network system as 
tion,  such  as description of components and description of 
operating environment(s) in which the  networking  subsystem 
or network system is designed to function, is required else- 
 
     In order to be evaluated,  a  network  must  possess  a 
coherent  Network Security Architecture and Design.  (Inter- 
connection of components that do not adhere to such a single 
coherent  Network  Security Architecture is addressed in the 
Security  Architecture  must  address  the security-relevant 
Design  specifies  the  interfaces and services that must be 
ncorporated into the network so that it can be evaluated as
a  trusted  entity.  There may be multiple designs that con- 
form to the same architecture but are more or less  incompa- 
tible and non-interoperable (except through the Interconnec- 
tion Rules).  Security related mechanisms requiring coopera- 
tion  among  components are specified in the design in terms 
of their visible interfaces; mechanisms  having  no  visible 
nterfaces  are  not specified in this document but are left
as implementation decisions. 
 
     The Network Security Architecture and  Design  must  be 
available  from the network sponsor before evaluation of the 
network, or any component, can be undertaken.   The  Network 
Security  Architecture  and Design must be sufficiently com- 
the  construction  or assembly of a trusted network based on 
the structure it specifies. 
 
     When a component is being  designed  or  presented  for 
evaluation,  or  when a network assembled from components is 
assembled or presented  for  evaluation,  there  must  be  a 
Design are satisfied.  That is, the components can be assem- 
bled into a network that conforms in every way with the Net- 
tion indicates. 
 
     In order for a trusted network to be  constructed  from 
components  that  can  be  built  independently, the Network 
Security Architecture and Design must completely and unambi- 
Network  Security  Architecture and Design must be evaluated 
to determine that a network constructed  to  its  specifica- 
tions  will in fact be trusted, that is, it will be evaluat- 
able under these interpretations. 
 
 
     THE TERM "MODEL" IS USED IN SEVERAL DIFFERENT WAYS IN A 
NETWORK CONTEXT, E.G., A "PROTOCOL REFERENCE MODEL," A "FOR- 
MAL NETWORK MODEL," ETC. ONLY THE "SECURITY POLICY MODEL" IS 
ADDRESSED  BY  THIS REQUIREMENT AND IS SPECIFICALLY INTENDED 
TO MODEL THE INTERFACE, VIZ., "SECURITY PERIMETER,"  OF  THE 
REFERENCE MONITOR AND MUST MEET ALL THE REQUIREMENTS DEFINED 
ARE  A  VALID  INTERPRETATION  OF THE SECURITY POLICY MODEL, 
REPRESENTED BY THE MODEL. 
 
           3.2 CLASS (B2):  STRUCTURED PROTECTION 
           _ _ _____  __    __________ __________ 
 
 
     IN CLASS (B2) NETWORK SYSTEMS, THE NTCB  IS  BASED 
     ON  A  CLEARLY DEFINED AND DOCUMENTED FORMAL SECU- 
     RITY POLICY MODEL THAT REQUIRES THE  DISCRETIONARY 
     AND  MANDATORY ACCESS CONTROL ENFORCEMENT FOUND IN 
     CLASS (B1) NETWORK SYSTEMS TO BE EXTENDED  TO  ALL 
     SUBJECTS  AND  OBJECTS  IN THE NETWORK SYSTEM.  IN 
     ADDITION, COVERT CHANNELS ARE ADDRESSED.  THE NTCB 
     MUST  BE  CAREFULLY  STRUCTURED  INTO  PROTECTION- 
     CRITICAL  AND  NON-PROTECTION-CRITICAL   ELEMENTS. 
     THE  NTCB  INTERFACE IS WELL-DEFINED, AND THE NTCB 
     DESIGN AND IMPLEMENTATION ENABLE  IT  TO  BE  SUB- 
     JECTED  TO MORE THOROUGH TESTING AND MORE COMPLETE 
     REVIEW.     AUTHENTICATION     MECHANISMS      ARE 
     STRENGTHENED,  TRUSTED FACILITY MANAGEMENT IS PRO- 
     VIDED IN THE FORM OF SUPPORT FOR  SYSTEM  ADMINIS- 
     TRATOR  AND OPERATOR FUNCTIONS, AND STRINGENT CON- 
     FIGURATION MANAGEMENT CONTROLS ARE  IMPOSED.   THE 
     SYSTEM  IS  RELATIVELY  RESISTANT  TO PENETRATION. 
     THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR  SYSTEM 
     ASSIGNED A CLASS (B2) RATING. 
 
 
_ _ _ ________ ______ 
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     The network sponsor shall describe the overall  network 
cy  is  an  access  control  policy having two primary com-
nclude  a  discretionary policy for protecting the informa-
tion being processed based on the authorizations of  indivi- 
cy statement shall describe the requirements on the network
to  prevent  or  detect  "reading  or  destroying" sensitive 
nformation by unauthorized users or errors.  The  mandatory
that it supports.  For the Class B1 or above  the  mandatory 
nformation that reflects its sensitivity  with  respect  to
ciated with users to reflect their authorization  to  access 
that are not authorized to use the network at all  (e.g.,  a 
user  attempting  to  use a passive or active wire tap) or a 
legitimate user of the network  who  is  not  authorized  to 
access a specific piece of information being protected. 
 
     Note that "users" does not include "operators," "system 
officers," and other system  support  personnel.   They  are 
Manual and the System Architecture requirements.  Such indi- 
viduals may change the system parameters of the network sys- 
tem, for example, by defining membership of a group.   These 
ndividuals may also have the separate role of users.
 
 
        SECRECY POLICY: The network sponsor shall define the 
        form  of  the  discretionary  and mandatory  secrecy 
        policy that is enforced in the  network  to  prevent 
        unauthorized users from reading the sensitive infor- 
        mation entrusted to the network. 
 
 
        DATA INTEGRITY POLICY:  The  network  sponsor  shall 
        define  the  discretionary  and mandatory  integrity 
        policy to prevent unauthorized users from modifying, 
        viz.,  writing,  sensitive information.  The defini- 
        tion of data  integrity  presented  by  the  network 
        sponsor  refers to the requirement that the informa- 
        tion has not been subjected to unauthorized  modifi- 
        cation  in the network. The mandatory integrity pol- 
        icy enforced by the NTCB cannot, in general, prevent 
        modification  while information is being transmitted 
        between components.  However,  an  integrity  sensi- 
        tivity  label  may  reflect  the confidence that the 
        information has not been subjected  to  transmission 
        errors  because  of  the  protection afforded during 
        transmission.  This requirement is distinct from the 
        requirement for label integrity. 
 
+ Rationale 
 
     The word "sponsor" is used  in  place  of  alternatives 
(such   as   "vendor,"   "architect,"   "manufacturer,"  and 
"developer") because the alternatives  indicate  people  who 
may not be available, involved, or relevant at the time that 
a network system is proposed for evaluation. 
 
     A trusted network is able to control both  the  reading 
and  writing  of  shared  sensitive information.  Control of 
tion. A network normally is expected to have policy require- 
ments to protect both  the  secrecy  and  integrity  of  the 
nformation  entrusted to it.  In a network the integrity is
frequently as important or more important than  the  secrecy 
to be enforced by the network must be stated for  each  net- 
the policy  is  faithfully  enforced  is  reflected  in  the 
evaluation class of the network. 
 
     This control over modification  is  typically  used  to 
control the potential harm that would result if the informa- 
tion  were  corrupted.   The overall network policy require- 
ments for integrity includes the protection  for  data  both 
transmitted in  the  network.   The  access  control  policy 
enforced  by  the  NTCB relates to the access of subjects to 
objects within  each  component.   Communications  integrity 
addressed  within Part II relates to information while being 
transmitted. 
 
     The mandatory integrity policy (at class B1 and  above) 
n  some architectures may be useful in supporting the link-
age between the connection oriented  abstraction  introduced 
n  the  Introduction  and  the individual components of the
network.  For example, in  a  key  distribution  center  for 
end-to-end  encryption, a distinct integrity category may be 
assigned to isolate the key generation code  and  data  from 
 
     The mandatory integrity policy  for  some  architecture 
may  define an integrity sensitivity label that reflects the 
been  subject  to  random errors in excess of a stated limit 
nor to unauthorized message  stream  modification  (MSM)  -. 
The specific metric associated with an integrity sensitivity 
label will generally reflect the  intended  applications  of 
the network. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall define and control access between named  users 
and named objects (e.g., files and programs) in the ADP sys- 
tem.  The  enforcement  mechanism  (e.g.,  self/group/public 
_________________________ 
  - See Voydock, Victor L. and Stephen T. Kent,  "Secu- 
                                                   ___ 
______ _______ 
 
 
controls, access control lists) shall allow users to specify 
and control sharing of those objects by named individuals or 
controls to limit propagation of access rights.  The discre- 
tionary access control mechanism shall, either  by  explicit 
user  action  or  by  default, provide that objects are pro- 
tected from  unauthorized  access.   These  access  controls 
object  by  users  not  already possessing access permission 
 
+  Interpretation 
 
     The discretionary access control (DAC) mechanism(s) may 
be  distributed  over  the partitioned NTCB in various ways. 
Some part, all, or none of the DAC may be implemented  in  a 
no  subjects acting as direct surrogates for users), such as 
a public network packet switch, might not implement the  DAC 
mechanism(s)  directly  (e.g.,  they are unlikely to contain 
access control lists). 
 
     Identification of users by groups may  be  achieved  in 
various  ways  in  the networking environment.  For example, 
the network identifiers (e.g., internet addresses) for vari- 
ous  components (e.g., hosts, gateways) can be used as iden- 
tifiers of groups of individual users (e.g., "all  users  at 
Host  A," "all users of network Q") so long as the individu- 
als involved in the group are implied by the group  identif- 
er. For example, Host A might employ a particular group-id,
for which it maintains a list  of  explicit  users  in  that 
the group-id under the conditions of this interpretation. 
 
     For networks, individual hosts will impose need-to-know 
controls over their users on the basis of named individuals 
- much like (in fact, probably the same) controls used  when 
there is no network connection. 
 
     When group identifiers are acceptable for  access  con- 
trol,  the identifier of some other host may be employed, to 
eliminate the maintenance that would be required if  indivi- 
C2 and higher, however, it must be possible from that  audit 
exactly the individuals represented by a group identifier at 
the time of the use of that identifier.  There is allowed to 
be an uncertainty because of elapsed time between changes in 
the  group membership and the enforcement in the access con- 
trol mechanisms. 
 
     The DAC mechanism of a NTCB  partition  may  be  imple- 
mented  at  the interface of the reference monitor or may be 
all the physical resources  of  the  system  and  from  them 
creates the abstraction of subjects and objects that it con- 
trols. Some of these subjects and objects  may  be  used  to 
mplement  a  part  of  the NTCB.  When the DAC mechanism is
Assurance section) for the design and implementation of  the 
DAC  shall be those of class C2 for all networks of class C2 
or above. 
 
     When integrity is included as part of the network  dis- 
cretionary  security policy, the above interpretations shall 
be specifically applied to the controls  over  modification, 
viz,  the  write mode of access, within each component based 
on identified users or groups of users. 
 
+  Rationale 
 
     In this class, the supporting elements of  the  overall 
DAC  mechanism are required to isolate information (objects) 
that supports DAC so that it is subject to auditing require- 
ments  (see  the  System  Architecture section).  The use of 
network identifiers to identify groups of  individual  users 
could  be  implemented, for example, as an X.25 community of 
nterest in the network protocol layer (layer  3).   In  all
other  respects,  the supporting elements of the overall DAC 
mechanism are treated  exactly  as  untrusted  subjects  are 
treated  with respect to DAC in an ADP system, with the same 
 
     A typical situation for DAC is that a surrogate process 
for a remote user will be created in some host for access to 
objects under the control of the NTCB partition within  that 
assigned and maintained for each such process by  the  NTCB, 
tially the same discretionary controls as access by  a  pro- 
cess  acting  on  behalf of a local user would be.  However, 
tions of the assigned user identification is permitted. 
 
     The most obvious situation  would  exist  if  a  global 
able on demand to every host, (i.e., a name server  existed) 
 
     It is also acceptable, however, for  some  NTCB  parti- 
tions to maintain a database of locally-registered users for 
ts own use.  In such a case, one could  choose  to  inhibit
the creation of surrogate processes for locally unregistered 
users, or (if permitted by the local policy)  alternatively, 
to   permit   the   creation  of  surrogate  processes  with 
dentify the process as executing on behalf of a member of a
the  words concerning audit in the interpretation is to pro- 
vide a minimally acceptable degree of auditability for cases 
be a capability, using the audit facilities provided by  the 
network  NTCB  partitions  involved,  to  determine  who was 
logged in at the actual host of the group of remote users at 
the time the surrogate processing occured. 
 
     Associating the proper user id with a surrogate process 
s  the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id  of 
the  surrogate  process.   The transmission of the data back 
across the network to the user's host, and the creation of a 
copy of the data there, is not the business of DAC. 
 
     Components that support only internal  subjects  impact 
the implementation of the DAC by providing services by which 
nformation (e.g., a user-id) is made available  to  a  com-
file  at  Host  B.   The  DAC decision might be (and usually 
ted from Host A to Host B. 
 
     Unique user identification may be achieved by a variety 
of  mechanisms, including (a) a requirement for unique iden- 
tification and authentication on the host where access takes 
addresses authenticated by another host and forwarded to the 
of a network-wide unique personnel identifier that could  be 
authenticated and forwarded by another host as in (b) above, 
or could be authenticated and forwarded by a dedicated  net- 
cols which implement (b) or (c) are subject  to  the  System 
Architecture requirements. 
 
     Network support for DAC might be handled in other  ways 
than  that described as "typical" above. In particular, some 
form of centralized access control is  often  proposed.   An 
access  control center may make all decisions for DAC, or it 
may share the burden with the hosts by controlling  host-to- 
to their objects by users at a limited set of remote  hosts. 
between the connection oriented abstraction (as discussed in 
the  Introduction)  and  the overall network security policy 
for DAC.  In all cases the enforcement of the decision  must 
be provided by the host where the object resides. 
 
     There are two forms of distribution for the DAC mechan- 
sm:  implementing  portions  of  the  DAC  in separate com-
the  NTCB  partition in a component.  Since "the ADP system" 
s understood to be "the computer network" as a whole,  each
network  component  is responsible for enforcing security in 
the mechanisms allocated to it to ensure secure  implementa- 
tion  of  the network security policy.  For traditional host 
a few approaches, such as virtual machine monitors,  support 
DAC outside this interface. 
 
     In contrast to the universally rigid structure of  man- 
DAC policies tend to be very network  and  system  specific, 
For networks it is common that individual hosts will  impose 
controls  over  their  local  users  on  the  basis of named 
ndividuals-much like the controls used  when  there  is  no
network connection.  However, it is difficult to manage in a 
centralized manner all the individuals using  a  large  net- 
together so that the controls required by  the  network  DAC 
other components.  A gateway is an example of  such  a  com- 
 
     The assurance requirements are at the very heart of the 
concept  of  a  trusted  system.   It  is the assurance that 
environment,  as reflected, for example, in the Environments 
Guideline-.  In the case of monolithic systems that have DAC 
ntegral  to  the  reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of  the 
clearer distinction due to distributed DAC.   The  rationale 
for making the distinction in this network interpretation is 
that if major trusted network components can be made  signi- 
ficantly easier to design and implement without reducing the 
ability to meet security policy, then trusted networks  will 
be more easily available. 
 
 
+ Statement from DoD 5200.28-STD 
 
All authorizations to the  information  contained  within  a 
allocation or reallocation to a subject from the TCB's  pool 
of   unused  storage  objects.   No  information,  including 
encrypted representations  of  information,  produced  by  a 
that obtains access to an object that has been released back 
to the system. 
 
 
_________________________ 
  - Guidance for Applying  the  Department  of  Defense 
    ________ ___ ________  ___  __________  __  _______ 
Trusted Computer System Evaluation Criteria in Specific 
_______ ________ ______ __________ ________ __ ________ 
Environments, CSC-STD-003-85. 
____________ 
 
 
+  Interpretation 
 
     The NTCB shall ensure that any storage objects that  it 
controls  (e.g., message buffers under the control of a NTCB 
access.  This requirement must be enforced by  each  of  the 
NTCB partitions. 
 
+  Rationale 
 
     In a network system, storage objects  of  interest  are 
things  that  the  NTCB  directly  controls, such as message 
buffers in components.  Each component of the network system 
must  enforce  the  object reuse requirement with respect to 
the storage objects of interest as determined by the network 
be  under  the  control  of  the  NTCB  partition.  A buffer 
assigned to an internal subject may be reused at the discre- 
tion of that subject which is responsible for preserving the 
ntegrity of message streams.  Such controlled  objects  may
be  implemented in physical resources, such as buffers, disk 
network switches. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels associated with each ADP SYSTEM  RESOURCE 
(E.G.,  SUBJECT,  STORAGE  OBJECT,  ROM) THAT IS DIRECTLY OR 
be maintained by the TCB.  These labels shall be used as the 
basis for mandatory access control decisions.  In  order  to 
mport  non-labeled  data, the TCB shall request and receive
from an authorized user the sensitivity level of  the  data, 
and all such actions shall be auditable by the TCB. 
 
+  Interpretation 
 
     Non-labeled data imported under the control of the NTCB 
LABELS OF the single-level device used to import it.  Labels 
may  include secrecy and integrity- components in accordance 
network   sponsor.    Whenever  the  term  "label"  is  used 
throughout this interpretation, it is understood to  include 
both   components   as  applicable.   Similarly,  the  terms 
"single-level" and "multilevel" are understood to  be  based 
_________________________ 
  - See, for example, Biba, K.J., "Integrity Considera- 
tion  for Secure Computer Systems," ESD-TR-76-372, MTR- 
 
 
on both the secrecy and integrity components of the  policy. 
The  mandatory integrity policy will typically have require- 
ments, such as the probability of undetected message  stream 
modification,  that  will  be reflected in the label for the 
ntegrity label may be assigned based on mechanisms, such as
cryptography, used to provide the assurance required by  the 
tected from tampering and are always invoked when  they  are 
the basis for a label. 
 
 
     IF THE SECURITY POLICY INCLUDES  AN  INTEGRITY  POLICY, 
ALL  ACTIVITIES  THAT  RESULT IN MESSAGE-STREAM MODIFICATION 
DURING TRANSMISSION ARE REGARDED AS UNAUTHORIZED ACCESSES IN 
VIOLATION  OF  THE INTEGRITY POLICY.  THE NTCB SHALL HAVE AN 
AUTOMATED CAPABILITY FOR TESTING, DETECTING,  AND  REPORTING 
THOSE   ERRORS/CORRUPTIONS  THAT  EXCEED  SPECIFIED  NETWORK 
(MSM)  COUNTERMEASURES SHALL BE IDENTIFIED.  A TECHNOLOGY OF 
ADEQUATE STRENGTH SHALL  BE  SELECTED  TO  RESIST  MSM.   IF 
ENCRYPTION   METHODOLOGIES   ARE  EMPLOYED,  THEY  SHALL  BE 
APPROVED BY THE NATIONAL SECURITY AGENCY. 
 
     ALL OBJECTS MUST BE LABELED WITHIN  EACH  COMPONENT  OF 
THE NETWORK THAT IS TRUSTED TO MAINTAIN SEPARATION OF MULTI- 
OBJECTS  ASSOCIATED  WITH  SINGLE-LEVEL  COMPONENTS  WILL BE 
STORE  NETWORK CONTROL INFORMATION, AND OTHER NETWORK STRUC- 
TURES, SUCH AS ROUTING TABLES, MUST BE  LABELED  TO  PREVENT 
UNAUTHORIZED ACCESS AND/OR MODIFICATION. 
 
+ Rationale 
 
     The interpretation is an extension of  the  requirement 
nto the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in  which 
the  security  range  of  the subject is the minimum-maximum 
ce.
 
     The sensitivity labels for either secrecy or  integrity 
or both may reflect non-hierarchical categories or hierarch- 
cal classification or both.
 
     FOR A NETWORK IT IS NECESSARY THAT THIS REQUIREMENT  BE 
APPLIED  TO  ALL  NETWORK SYSTEM RESOURCES AT THE (B2) LEVEL 
AND ABOVE. 
 
     THE NTCB IS RESPONSIBLE FOR  IMPLEMENTING  THE  NETWORK 
THAT POLICY  BY  ENSURING  THAT  INFORMATION  IS  ACCURATELY 
TRANSMITTED  FROM  SOURCE  TO DESTINATION (REGARDLESS OF THE 
NUMBER OF INTERVENING CONNECTING POINTS).  THE NTCB MUST  BE 
ABLE  TO  COUNTER  EQUIPMENT  FAILURE, ENVIRONMENTAL DISRUP- 
TIONS, AND ACTIONS BY PERSONS AND PROCESSES  NOT  AUTHORIZED 
TO  ALTER  THE  DATA.  PROTOCOLS THAT PERFORM CODE OR FORMAT 
CONVERSION SHALL PRESERVE THE INTEGRITY OF DATA AND  CONTROL 
 
     THE PROBABILITY OF AN UNDETECTED TRANSMISSION ERROR MAY 
BE  SPECIFIED AS PART OF THE NETWORK SECURITY POLICY SO THAT 
THE ACCEPTABILITY OF THE NETWORK FOR ITS  INTENDED  APPLICA- 
TION  MAY  BE DETERMINED. THE SPECIFIC METRICS (E.G., PROBA- 
BILITY OF UNDETECTED MODIFICATION) SATISFIED BY THE DATA CAN 
BE  REFLECTED  IN THE INTEGRITY SENSITIVITY LABEL ASSOCIATED 
WITH THE DATA WHILE IT IS PROCESSED WITHIN A COMPONENT.   IT 
ENVIRONMENTS (E.G., CRISIS AS  COMPARED  TO  LOGISTIC)  WILL 
HAVE DIFFERENT INTEGRITY REQUIREMENTS. 
 
     THE NETWORK SHALL ALSO HAVE AN AUTOMATED CAPABILITY  OF 
TESTING  FOR,  DETECTING, AND REPORTING ERRORS THAT EXCEED A 
THRESHOLD CONSISTENT WITH THE OPERATIONAL MODE REQUIREMENTS. 
THE EFFECTIVENESS OF INTEGRITY COUNTERMEASURES MUST BE ESTA- 
BLISHED WITH THE SAME RIGOR AS THE  OTHER  SECURITY-RELEVANT 
 
     CRYPTOGRAPHY IS OFTEN UTILIZED AS A  BASIS  TO  PROVIDE 
DATA  INTEGRITY  ASSURANCE. MECHANISMS, SUCH AS MANIPULATION 
DETECTION CODES (MDC)-, MAY BE USED.  THE  ADEQUACY  OF  THE 
ENCRYPTION OR MDC ALGORITHM, THE CORRECTNESS OF THE PROTOCOL 
LOGIC, AND THE ADEQUACY  OF  IMPLEMENTATION  MUST  BE  ESTA- 
BLISHED IN MSM COUNTERMEASURES DESIGN. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels shall  accurately  represent  sensitivity 
levels  of  the specific subjects or objects with which they 
are associated.   When  exported  by  the  TCB,  sensitivity 
labels  shall  accurately  and  unambiguously  represent the 
nternal labels and shall be associated with the information
being exported. 
 
+  Interpretation 
 
     The phrase "exported  by  the  TCB"  is  understood  to 
nclude  transmission  of  information from an object in one
component to an object in  another  component.   Information 
transferred between NTCB partitions is addressed in the Sys- 
tem Integrity Section. The form  of  internal  and  external 
(exported)  sensitivity  labels  may differ, but the meaning 
_________________________ 
  - See Jueneman, R. R., "Electronic Document Authenti- 
cation," IEEE Network Magazine, April 1987, pp 17-23. 
         ____ _______ ________ 
 
correct association of sensitivity labels with the  informa- 
tion being transported across the network is preserved. 
 
     As mentioned in the Trusted  Facility  Manual  Section, 
encryption  transforms  the representation of information so 
that  it  is  unintelligible   to   unauthorized   subjects. 
Reflecting this transformation, the sensitivity level of the 
ciphertext is generally lower than the cleartext.   It  fol- 
lows  that  cleartext  and  ciphertext are contained in dif- 
ferent objects, each possessing its own label.  The label of 
the  cleartext  must  be  preserved  and associated with the 
ciphertext so that it can be restored when the cleartext  is 
cleartext is associated  with  a  single-level  device,  the 
label of that cleartext may be implicit.  The label may also 
be implicit in the key. 
 
     When information is exported to an environment where it 
s subject to deliberate or accidental modification, the TCB
assure  the  accuracy of the labels.  When there is a manda- 
tory integrity policy, the policy will define the meaning of 
ntegrity labels.
 
+  Rationale 
 
     Encryption algorithms and their implementation are out- 
may be implemented in a separate device  or  may  be  incor- 
encryption mechanism herein. If encryption methodologies are 
employed in this regard,  they  shall  be  approved  by  the 
National  Security  Agency (NSA).  The encryption process is 
components in which it is implemented. 
 
     The encryption mechanism  is  not  necessarily  a  mul- 
tilevel  device  or  multilevel  subject, as these terms are 
used in these criteria.  The process of encryption  is  mul- 
tilevel  by definition.  The cleartext and ciphertext inter- 
faces  carry  information  of  different  sensitivity.    An 
encryption  mechanism  does not process data in the sense of 
ciphertext interfaces on the encryption  mechanism  must  be 
the  data  is established by a trusted individual and impli- 
citly associated with  the  interface;  the  Exportation  to 
Single-Level Devices criterion applies. 
 
     If the interface is multilevel, then the data  must  be 
labeled;  the  Exportation  to  Multilevel Devices criterion 
applies. The network architect is free to select an  accept- 
able mechanism for associating a label with an object.  With 
 
        the object. 
 
        through the encryption key.  That is, the encryption 
        key uniquely identifies a sensitivity level.  A sin- 
        gle or private key must be protected at the level of 
        the data that it encrypts. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall designate each communication channel  and  I/O 
this designation shall be done manually and shall be  audit- 
able  by  the  TCB.   The  TCB shall maintain and be able to 
audit any change in the sensitivity level or levels  associ- 
ated with a communications channel or I/O device. 
 
+  Interpretation 
 
     Each communication channel and network component  shall 
be  designated  as  either  single-level or multilevel.  Any 
change in this designation shall be done with the cognizance 
and  approval  of  the  administrator or security officer in 
charge of the affected components and the  administrator  or 
be auditable by the network. The NTCB shall maintain and  be 
able  to  audit  any  change in the DEVICE LABELS associated 
ciated with a multilevel communication channel or component. 
The NTCB shall also be able to audit any change in  the  set 
of  sensitivity levels associated with the information which 
can be transmitted over a multilevel  communication  channel 
or component. 
 
+  Rationale 
 
     Communication channels and components in a network  are 
analogous  to  communication  channels  and  I/O  devices in 
tilevel  (i.e.,  able to distinguish and maintain separation 
among information of various sensitivity levels) or  single- 
level.   As  in  the TCSEC, single-level devices may only be 
attached to single-level channels. 
 
     The level or set of levels of information that  can  be 
only change with the knowledge and approval of the  security 
officers  (or  system administrator, if there is no security 
officer) of the network, and  of  the  affected  components. 
This  requirement  ensures  that  no  significant  security- 
affected parties. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
When the TCB exports an object to a multilevel  I/O  device, 
the sensitivity label associated with that object shall also 
be exported and shall reside on the same physical medium  as 
the  exported  information  and  shall  be  in the same form 
(i.e., machine-readable or human-readable form).   When  the 
TCB  exports or imports an object over a multilevel communi- 
cations channel, the protocol used  on  that  channel  shall 
labels and  the  associated  information  that  is  sent  or 
 
+  Interpretation 
 
     The components, including hosts, of a network shall  be 
nterconnected  over  "multilevel  communication  channels,"
multiple single-level communication channels, or both, when- 
ever  the information is to be protected at more than a sin- 
the only information needed to correctly associate a  sensi- 
tivity  level with the exported information transferred over 
the multilevel channel between the NTCB partitions in  indi- 
vidual components. This protocol definition must specify the 
(i.e.,  the  machine-readable  label must uniquely represent 
the sensitivity level). 
 
     The "unambiguous" association of the sensitivity  level 
of accuracy as that required for any other label within  the 
NTCB,  as  specified  in  the criterion for Label Integrity. 
This may be provided by protected and highly reliable direct 
link protection in which any errors during transmission  can 
be  readily  detected,  or by use of a separate channel. THE 
RANGE OF INFORMATION  IMPORTED  OR  EXPORTED  MUST  BE  CON- 
STRAINED BY THE ASSOCIATED DEVICE LABELS. 
 
+  Rationale 
 
     This  protocol  must  specify  the  representation  and 
Access Control Policies section in  Appendix  B.   The  mul- 
tilevel  device  interface  to  (untrusted)  subjects may be 
mplemented either by the interface of the  reference  moni-
tor,  per  se,  or by a multilevel subject (e.g., a "trusted 
vides  the  labels  based on the internal labels of the NTCB 
 
     The current state of the art  limits  the  support  for 
mandatory  policy  that  is  practical  for secure networks. 
Reference monitor support to ensure the control over all the 
operations of each subject in the network must be completely 
nvoked by this subject must be contained in the  same  com-
 
     The secure state of an NTCB partition may  be  affected 
by events external to the component in which the NTCB parti- 
tion resides (e.g.,  arrival  of  a  message).   The  effect 
occurs  asynchronusly  after  being initiated by an event in 
another component or partition.  For example,  indeterminate 
component, the arrival of the message in the NTCB  partition 
n  another  component,  and the corresponding change to the
s  executing  concurrently,  to  do otherwise would require
ably not even desirable.  Therefore, the interaction between 
NTCB partitions is restricted to just communications between 
the device(s) can send/receive data of more  than  a  single 
level.  For  broadcast channels the pairs are the sender and 
ntended receiver(s).  However,  if  the  broadcast  channel
carries multiple levels of information, additional mechanism 
(e.g., cryptochecksum maintained by the TCB) may be required 
to enforce separation and proper delivery. 
 
     A  common  representation  for  sensitivity  labels  is 
needed  in  the protocol used on that channel and understood 
by both the sender and receiver when two multilevel  devices 
(in  this  case,  in two different components) are intercon- 
nected. Each distinct sensitivity level of the overall  net- 
 
     Within a monolithic TCB, the  accuracy  of  the  sensi- 
tivity  labels  is  generally  assured by simple techniques, 
e.g., very reliable connections  over  very  short  physical 
connections,  such  as  on a single printed circuit board or 
over an internal bus.  In many network environments there is 
a  much  higher  probability  of accidentally or maliciously 
ntroduced errors, and these must be protected against.
 
 
 
+ Statement from DoD 5200.28-STD 
 
Single-level  I/O  devices  and  single-level  communication 
channels are not required to maintain the sensitivity labels 
of the information they process.   However,  the  TCB  shall 
nclude  a mechanism by which the TCB and an authorized user
level  of  information imported or exported via single-level 
communication channels or I/O devices. 
 
+  Interpretation 
 
     Whenever one or both of  two  directly  connected  com- 
mation of different sensitivity levels, or whenever the  two 
level in common, the two components  of  the  network  shall 
communicate  over a single-level channel.  Single-level com- 
tion they process. However, the NTCB shall include  a  reli- 
able  communication  mechanism  by  which  the  NTCB  and an 
authorized user (VIA A TRUSTED PATH) or a subject within  an 
NTCB partition can designate the single sensitivity level of 
nformation imported or exported via single-level communica-
tion  channels  or network components. THE LEVEL OF INFORMA- 
TION COMMUNICATED MUST EQUAL THE DEVICE LEVEL. 
 
+ Rationale 
 
     Single-level communications channels  and  single-level 
components  in  networks are analogous to single level chan- 
nels and I/O devices in stand-alone systems in that they are 
not  trusted  to  maintain  the separation of information of 
are therefore implicit; the NTCB associates labels with  the 
explicit part of the bit stream.  Note that the  sensitivity 
level  of  encrypted information is the level of the cipher- 
text rather than the original level(s) of the plaintext. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The ADP system administrator shall be able  to  specify  the 
labels.  The TCB shall mark the beginning  and  end  of  all 
output) with human-readable sensitivity  labels  that  prop- 
erly1  represent  the  sensitivity  of  the output.  The TCB 
output) with human-readable sensitivity  labels  that  prop- 
erly1 represent the sensitivity of the page.  The TCB shall, 
by default and in an appropriate manner, mark other forms of 
_________________________ 
classification of any of the information in the output that the
labels refer to; the non-hierarchical category component shall
nclude all of the non-hierarchical categories of the information
n the output the labels refer to, but to no other non-
 
 
+  Interpretation 
 
     This criterion imposes no requirement  to  a  component 
that  produces  no human-readable output.  For those that do 
s  defined  to  the  network  shall  have a uniform meaning
across all components.  The network administrator,  in  con- 
able to specify the human-readable label that is  associated 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context of a network system and 
tions. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL IMMEDIATELY NOTIFY A  TERMINAL  USER  OF  EACH 
CHANGE  IN  THE  SENSITIVITY LEVEL ASSOCIATED WITH THAT USER 
DURING AN INTERACTIVE SESSION.  A  TERMINAL  USER  SHALL  BE 
ABLE  TO  QUERY  THE  TCB  AS  DESIRED  FOR A DISPLAY OF THE 
SUBJECT'S COMPLETE SENSITIVITY LABEL. 
 
+ Interpretation 
 
     AN NTCB PARTITION SHALL IMMEDIATELY NOTIFY  A  TERMINAL 
USER  ATTACHED TO ITS COMPONENT OF EACH CHANGE IN THE SENSI- 
TIVITY LEVEL ASSOCIATED WITH THAT USER. 
 
+ Rationale 
 
     THE LOCAL NTCB PARTITION  MUST  ENSURE  THAT  THE  USER 
UNDERSTANDS THE SENSITIVITY LEVEL OF INFORMATION SENT TO AND 
FROM A TERMINAL.  WHEN A USER HAS  A  SURROGATE  PROCESS  IN 
ANOTHER  COMPONENT,  ADJUSTMENTS  TO  ITS LEVEL MAY OCCUR TO 
MAINTAIN COMMUNICATION WITH THE  USER.   THESE  CHANGES  MAY 
OCCUR  ASYNCHRONOUSLY.  SUCH ADJUSTMENTS ARE NECESSITATED BY 
MANDATORY ACCESS CONTROL AS APPLIED TO THE OBJECTS  INVOLVED 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL SUPPORT THE ASSIGNMENT OF MINIMUM AND  MAXIMUM 
SENSITIVITY  LEVELS TO ALL ATTACHED PHYSICAL DEVICES.  THESE 
SENSITIVITY LEVELS SHALL BE USED BY THE TCB TO ENFORCE  CON- 
STRAINTS  IMPOSED  BY THE PHYSICAL ENVIRONMENTS IN WHICH THE 
DEVICES ARE LOCATED. 
 
 
+ Interpretation 
 
     THIS REQUIREMENT APPLIES AS WRITTEN TO EACH NTCB PARTI- 
TION THAT IS TRUSTED TO SEPARATE INFORMATION BASED ON SENSI- 
TIVITY LEVEL.  EACH I/O DEVICE IN A COMPONENT, USED FOR COM- 
MUNICATION WITH OTHER NETWORK COMPONENTS, IS ASSIGNED A DEV- 
MINIMUM.   (A  DEVICE  RANGE  USUALLY CONTAINS, BUT DOES NOT 
NECESSARILY CONTAIN, ALL POSSIBLE LABELS "BETWEEN" THE  MAX- 
BEING DOMINATED BY THE MAXIMUM.) 
 
     THE NTCB ALWAYS PROVIDES AN ACCURATE LABEL FOR INFORMA- 
TION  EXPORTED  THROUGH  DEVICES.   INFORMATION  EXPORTED OR 
BY   THE  SENSITIVITY  LEVEL  OF  THE  DEVICE.   INFORMATION 
EXPORTED FROM ONE MULTILEVEL DEVICE AND IMPORTED AT  ANOTHER 
MUST  BE LABELLED THROUGH AN AGREED-UPON PROTOCOL, UNLESS IT 
ALWAYS CARRIES A SINGLE LEVEL. 
 
     INFORMATION EXPORTED AT A GIVEN SENSITIVITY  LEVEL  CAN 
BE  SENT ONLY TO AN IMPORTING DEVICE WHOSE DEVICE RANGE CON- 
TAINS THAT LEVEL OR A HIGHER LEVEL.  IF THE IMPORTING DEVICE 
RANGE  DOES  NOT CONTAIN THE GIVEN LEVEL, THE INFORMATION IS 
RELABELLED UPON RECEPTION  AT  A  HIGHER  LEVEL  WITHIN  THE 
WISE. 
 
+ Rationale 
 
     THE PURPOSE OF DEVICE LABELS IS  TO  REFLECT  AND  CON- 
STRAIN  THE SENSITIVITY LEVELS OF INFORMATION AUTHORIZED FOR 
THE PHYSICAL ENVIRONMENT IN WHICH THE DEVICES ARE LOCATED. 
 
     THE INFORMATION TRANSFER  RESTRICTIONS  PERMIT  ONE-WAY 
COMMUNICATION (I.E., NO ACKNOWLEDGEMENTS) FROM ONE DEVICE TO 
ANOTHER WHOSE RANGES HAVE NO LEVEL IN  COMMON,  AS  LONG  AS 
EACH  LEVEL IN THE SENDING DEVICE RANGE IS DOMINATED BY SOME 
LEVEL IN THE RECEIVING DEVICE RANGE.  IT IS NEVER  PERMITTED 
TO SEND INFORMATION AT A GIVEN LEVEL TO A DEVICE WHOSE RANGE 
DOES NOT CONTAIN A DOMINATING LEVEL.  (SEE  APPENDIX  C  FOR 
SIMILAR  INTERCONNECTION  RULES  FOR  THE INTERCONNECTED AIS 
VIEW.) 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall enforce a mandatory access control policy over 
all RESOURCES (I.E., SUBJECTS, STORAGE OBJECTS, AND I/O DEV- 
EXTERNAL  TO  THE  TCB.  These subjects and objects shall be 
assigned  sensitivity  labels  that  are  a  combination  of 
categories, and the labels shall be used as  the  basis  for 
mandatory  access  control decisions.  The TCB shall be able 
to support two or more such sensitivity  levels.   (See  the 
Mandatory  Access  Control  interpretations.)  The following 
JECTS  EXTERNAL  TO  THE  TCB  AND  ALL  OBJECTS DIRECTLY OR 
the subject's sensitivity level is greater than or equal  to 
the  hierarchical classification of the object's sensitivity 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. A subject  can 
the subject's sensitivity level is less than or equal to the 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. Identification 
and  authentication data shall be used by the TCB to authen- 
ticate the user's identity and to  ensure  that  the  sensi- 
tivity  level  and authorization of subjects external to the 
TCB that may be created to act on behalf of  the  individual 
user  are  dominated  by  the clearance and authorization of 
that user. 
 
+  Interpretation 
 
     Each partition of the NTCB exercises  mandatory  access 
control  policy  over  all  subjects and objects in its COM-
tion  encompasses  all mandatory access control functions in 
ts component that would be required of a TCB  in  a  stand-
alone  system.  In particular, subjects and objects used for 
communication with other components are under the control of 
the  NTCB  partition.   Mandatory  access  control  includes 
cy.
 
     Conceptual  entities  associated   with   communication 
between  two  components,  such as sessions, connections and 
virtual circuits, may be thought of as having two ends,  one 
n  each component, where each end is represented by a local
object.  Communication is viewed as an operation that copies 
nformation  from  an  object  at one end of a communication
entities,  such  as  datagrams  and packets, exist either as 
nformation within other objects, or as a pair  of  objects,
one at each end of the communication path. 
 
     The requirement for "two or  more"  sensitivity  levels 
can  be  met  by  either  secrecy or integrity levels.  When 
there is a mandatory integrity policy, the  stated  require- 
ments for reading and writing are generalized to:  A subject 
can read an object only if the subject's  sensitivity  level 
nates  the  subject's  sensitivity  level.   Based  on  the
ntegrity policy, the network sponsor shall define the domi-
nance  relation for the total label, for example, by combin- 
ng secrecy and integrity lattices. -
 
+ Rationale 
 
     An NTCB partition can maintain access control only over 
ABOVE, THE NTCB PARTITION MUST MAINTAIN ACCESS CONTROL  OVER 
ALL SUBJECTS AND OBJECTS IN ITS COMPONENT.  Access by a sub- 
n  another  component requires the creation of a subject in
the remote component which acts as a surrogate for the first 
 
     The mandatory access controls must be enforced  at  the 
nterface  of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti- 
tion.   This  mechanism  creates the abstraction of subjects 
and objects which it controls.  Some of these subjects  out- 
mplement part of  an  NTCB  partition's  mandatory  policy,
e.g.,  by using the ``trusted subjects" defined in the Bell- 
LaPadula model. 
 
     The prior requirements on exportation of labeled infor- 
mation  to  and  from  I/O  devices  ensure  the consistency 
between the sensitivity labels of  objects  connected  by  a 
communication  path.  As noted in the introduction, the net- 
overall mandatory network security policy and the connection 
oriented abstraction. For example, individual  data-carrying 
entities  such  as datagrams can have individual sensitivity 
labels that subject them to mandatory access control in each 
component.   The abstraction of a single-level connection is 
connection  is realized by single-level subjects that neces- 
 
     The fundamental trusted systems technology permits  the 
DAC mechanism to be distributed, in contrast to the require- 
ments for  mandatory  access  control.   For  networks  this 
_________________________ 
  - See, for example, Grohn, M.  J., A Model of a  Pro- 
                                     _ _____ __ _  ___ 
tected  Data  Management  System, ESD-TR-76-289, I.  P. 
______  ____  __________  ______ 
Sharp Assoc.  Ltd., June, 1976;  and  Denning,  D  .E., 
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. 
and Shockley, W., Secure Distributed Data Views,  Secu- 
                  ______ ___________ ____ _____   ____ 
____ ______ ___ ______________ ___ _ _____ __ ________ 
el Secure Relational Database System,SRI International, 
__ ______ __________ ________ ______ 
November 1986. 
 
the exception. 
 
     The set of total sensitivity labels used  to  represent 
all  the sensitivity levels for the mandatory access control 
(combined data secrecy and  data  integrity)  policy  always 
forms  a partially ordered set.  Without loss of generality, 
this set of labels can always be extended to form a lattice, 
by   including  all  the  combinations  of  non-hierarchical 
categories.  As for any lattice,  a  dominance  relation  is 
always defined for the total sensitivity labels.  For admin- 
strative reasons it may be helpful to have a maximum  level
 
 
_ _ _ ______________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall require users to  identify  themselves  to  it 
before  beginning  to perform any other actions that the TCB 
s expected to mediate.  Furthermore, the TCB shall maintain
authentication  data that includes information for verifying 
the identify of individual users (e.g., passwords)  as  well 
as  information for determining the clearance and authoriza- 
tions of individual users.  This data shall be used  by  the 
TCB  to  authenticate the user's identity and to ensure that 
the sensitivity level and authorization of subjects external 
to the TCB that may be created to act on behalf of the indi- 
vidual user are dominated by the clearance and authorization 
of  that  user. The TCB shall protect authentication data so 
that it cannot be accessed by any  unauthorized  user.   The 
TCB  shall  be  able to enforce individual accountability by 
bility of  associating  this  identity  with  all  auditable 
actions taken by that individual. 
 
+  Interpretation 
 
     The requirement for identification  and  authentication 
of users is the same for a network system as for an ADP sys- 
tem. The identification and authentication may  be  done  by 
the  component  to  which  the user is directly connected or 
tication  server.   Available  techniques,  such  as   those 
applicable in the network context. However, in  cases  where 
the  NTCB is expected to mediate actions of a host (or other 
network component) that is acting on behalf  of  a  user  or 
_________________________ 
  = Department of Defense  Password  Management  Guide- 
    __________ __ _______  ________  __________  _____ 
line, CSC-STD-002-85 
____ 
 
 
authentication of the host (or other component) in  lieu  of 
dentification  and authentication of an individual user, so
long as the component identifier implies a list of  specific 
users uniquely associated with the identifier at the time of 
ts use for authentication.  This requirement does not apply
to internal subjects. 
 
     Authentication information, including the identity of a 
user  (once  authenticated) may be passed from one component 
to another without reauthentication, so  long  as  the  NTCB 
thorized disclosure and modification. This protection  shall 
of mechanism) as pertains to the protection of the authenti- 
cation mechanism and authentication data. 
 
+  Rationale 
 
     The need for accountability is not changed in the  con- 
text  of a network system.  The fact that the NTCB is parti- 
tioned over a set of components neither reduces the need nor 
mposes  new requirements.  That is, individual accountabil-
ty is still the objective. Also, in the context of  a  net-
tability" can be satisfied by identification of a  host  (or 
other component) so long as the requirement for traceability 
to individual users or a set of  specific  individual  users 
uncertainty in traceability because of elapsed time  between 
changes  in  the group membership and the enforcement in the 
access control mechanisms.  In addition, there is no need in 
a  distributed processing system like a network to reauthen- 
ticate a user at each point in the network where  a  projec- 
tion  of  a user (via the subject operating on behalf of the 
user) into another remote subject takes place. 
 
     The passing of identifiers and/or authentication infor- 
mation from one component to another is usually done in sup- 
trol  (DAC).   This  support  relates  directly  to  the DAC 
ferent  NTCB  partition  than  the  one  where  the user was 
authenticated. Employing a forwarded identification  implies 
additional  reliance  on the source and components along the 
basis  of  determining a sensitivity label for a subject, it 
must satisfy the Label Integrity criterion. 
 
     An  authenticated  identification  may   be   forwarded 
between  components  and employed in some component to iden- 
tify the sensitivity level associated with a subject created 
to act on behalf of the user so identified. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL SUPPORT A TRUSTED COMMUNICATION  PATH  BETWEEN 
MUNICATIONS VIA THIS PATH SHALL BE INITIATED  EXCLUSIVELY BY 
A USER. 
 
+ Interpretation 
 
     A TRUSTED PATH  IS  SUPPORTED  BETWEEN  A  USER  (I.E., 
HUMAN)  AND THE NTCB PARTITION IN THE COMPONENT TO WHICH THE 
USER IS DIRECTLY CONNECTED. 
 
+ Rationale 
 
     WHEN A USER LOGS INTO A REMOTE COMPONENT, THE  USER  ID 
CATION AND AUTHENTICATION. 
 
     TRUSTED PATH IS NECESSARY IN ORDER TO ASSURE  THAT  THE 
USER  IS  COMMUNICATING WITH THE NTCB AND ONLY THE NTCB WHEN 
SECURITY RELEVANT ACTIVITIES ARE TAKING PLACE (E.G., AUTHEN- 
TICATE  USER,  SET CURRENT SESSION SENSITIVITY LEVEL).  HOW- 
EVER, TRUSTED PATH DOES NOT  ADDRESS  COMMUNICATIONS  WITHIN 
THE NTCB, ONLY COMMUNICATIONS BETWEEN THE USER AND THE NTCB. 
COMMUNICATION THEN THE COMPONENT NEED NOT CONTAIN MECHANISMS 
FOR ASSURING DIRECT NTCB TO USER COMMUNICATIONS. 
 
     THE REQUIREMENT FOR TRUSTED COMMUNICATION  BETWEEN  ONE 
NTCB  PARTITION  AND  ANOTHER NCTB PARTITION IS ADDRESSED IN 
THE SYSTEM  ARCHITECTURE  SECTION.  THESE  REQUIREMENTS  ARE 
SEPARATE  AND  DISTINCT  FROM THE USER TO NTCB COMMUNICATION 
REQUIREMENT OF A TRUSTED PATH.  HOWEVER, IT IS EXPECTED THAT 
THIS  TRUSTED  COMMUNICATION  BETWEEN ONE NTCB PARTITION AND 
ANOTHER NTCB PARTITION WILL BE USED IN CONJUNCTION WITH  THE 
TRUSTED  PATH TO IMPLEMENT TRUSTED COMMUNICATION BETWEEN THE 
USER AND THE REMOTE NTCB PARTITION. 
 
 
_ _ _ _ _____ 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall be able to create, maintain, and protect  from 
modification  or unauthorized access or destruction an audit 
trail of accesses to the objects  it  protects.   The  audit 
s limited to those who are authorized for audit data.   The
TCB  shall  be able to record the following types of events: 
use of identification and authentication mechanisms,  intro- 
open, program  initiation),  deletion  of  objects,  actions 
taken by computer operators and system administrators and/or 
events.  The TCB shall also be able to audit any override of 
the audit record shall identify: date and time of the event, 
user, type of event, and success or failure  of  the  event. 
For   identification/authentication  events  the  origin  of 
address space and  for  object  deletion  events  the  audit 
able  to  selectively  audit  the actions of any one or more 
users based on individual identify and/or object sensitivity 
level.     THE  TCB  SHALL  BE  ABLE TO AUDIT THE IDENTIFIED 
EVENTS THAT MAY  BE  USED  IN  THE  EXPLOITATION  OF  COVERT 
STORAGE CHANNELS. 
 
+  Interpretation 
 
     This criterion applies  as  stated.  The  sponsor  must 
not distinguishable by the NTCB  alone  (for  example  those 
dentified in Part II), the audit mechanism shall provide an
nterface, which  an  authorized  subject  can  invoke  with
audit records shall be distinguishable from  those  provided 
by  the  NTCB.   In  the context of a network system, "other 
architecture  and  network security policy) might be as fol- 
lows: 
 
 
        lishing a connection or a connectionless association 
        between processes in two hosts of the  network)  and 
        its  principal parameters (e.g., host identifiers of 
        the two hosts involved in the access event and  user 
        identifier  or  host  identifier of the user or host 
        that is requesting the access event) 
 
        each  access  event  using local time or global syn- 
        chronized time 
 
        ditions   (e.g.,   potential   violation   of   data 
        integrity, such  as  misrouted  datagrams)  detected 
        during the transactions between two hosts 
 
 
        component leaving the network and rejoining) 
 
     In  addition,  identification  information  should   be 
ncluded  in  appropriate audit trail records, as necessary,
to allow association of all  related  (e.g.,  involving  the 
network  system  may  provide  the required audit capability 
(e.g., storage, retrieval, reduction,  analysis)  for  other 
components  that  do  not  internally  store  audit data but 
transmit the audit data to some designated  collection  com- 
audit data due to unavailability of resources. 
 
     In the context of a network system, the "user's address 
events, to include address spaces being employed  on  behalf 
of  a  remote user (or host).  However, the focus remains on 
users in contrast to internal subjects as discussed  in  the 
DAC  criterion.   In  addition,  audit  information  must be 
 
     THE CAPABILITY  MUST  EXIST  TO  AUDIT  THE  IDENTIFIED 
EVENTS  THAT  MAY  BE  USED  IN  THE  EXPLOITATION OF COVERT 
STORAGE CHANNELS.  TO ACCOMPLISH THIS, EACH  NTCB  PARTITION 
MUST  BE ABLE TO AUDIT THOSE EVENTS LOCALLY THAT MAY LEAD TO 
THE EXPLOITATION OF A COVERT  STORAGE  CHANNEL  WHICH  EXIST 
BECAUSE OF THE NETWORK. 
 
+  Rationale 
 
     For remote users, the network identifiers (e.g., inter- 
net address) can be used as identifiers of groups of indivi- 
maintenance that would be required if individual identifica- 
tion of remote users was employed.  In this class (C2), how- 
ever,  it  must  be  possible to identify (immediately or at 
dentifier.   In all other respects, the interpretation is a
of  a  network  system.   IDENTIFICATION  OF  COVERT CHANNEL 
EVENTS IS ADDRESSED IN THE COVERT CHANNEL ANALYSIS SECTION. 
 
 
 
_ _ _ _________ 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL MAINTAIN A DOMAIN FOR ITS OWN  EXECUTION  THAT 
BY MODIFICATION OF ITS CODE OR DATA  STRUCTURES).   THE  TCB 
SHALL  MAINTAIN  PROCESS  ISOLATION THROUGH THE PROVISION OF 
DISTINCT ADDRESS SPACES UNDER ITS CONTROL. THE TCB SHALL  BE 
MODULES.  IT SHALL MAKE EFFECTIVE USE OF AVAILABLE  HARDWARE 
TO SEPARATE THOSE ELEMENTS THAT ARE PROTECTION-CRITICAL FROM 
THOSE THAT ARE NOT. THE TCB MODULES SHALL BE  DESIGNED  SUCH 
THAT THE PRINCIPLE OF LEAST PRIVILEGE IS ENFORCED.  FEATURES 
LOGICALLY  DISTINCT STORAGE OBJECTS WITH SEPARATE ATTRIBUTES 
(NAMELY: READABLE, WRITABLE).  THE USER INTERFACE TO THE TCB 
SHALL  BE  COMPLETELY  DEFINED  AND  ALL ELEMENTS OF THE TCB 
 
+  Interpretation 
 
     The system architecture criterion must be met individu- 
ally by all NTCB partitions.  Implementation of the require- 
ment that the NTCB maintain a domain for its  own  execution 
s  achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis- 
tinct domain in the overall network system, this also satis- 
fies the requirement for process isolation through  distinct 
address  spaces  in  the  special case where a component has 
only a single subject. 
 
     THE NTCB  MUST  BE  INTERNALLY  STRUCTURED  INTO  WELL- 
DEFINED  LARGELY  INDEPENDENT  MODULES AND MEET THE HARDWARE 
REQUIREMENTS. THIS IS SATISFIED BY HAVING EACH  NTCB  PARTI- 
TION SO STRUCTURED. THE NTCB CONTROLS ALL NETWORK RESOURCES. 
THESE RESOURCES are the union of the sets of resources  over 
nside the NTCB) belonging  to  different  NTCB  partitions,
must  be  protected against external interference or tamper- 
ng.  For example,  a  cryptographic  checksum  or  physical
means  may  be  employed to protect user authentication data 
exchanged between NTCB partitions. 
 
     EACH NTCB PARTITION MUST ENFORCE THE PRINCIPLE OF LEAST 
BE STRUCTURED SO THAT THE PRINCIPLE OF  LEAST  PRIVILEGE  IS 
ENFORCED IN THE SYSTEM AS A WHOLE. 
 
     Each NTCB partition  provides  isolation  of  resources 
(within  its  component)  in  accord with the network system 
architecture and security policy so  that  "supporting  ele- 
ments"  (e.g., DAC and user identification) for the security 
mechanisms of the network system are  strengthened  compared 
to  C2,  from an assurance point of view, through the provi- 
 
     As discussed in the Discretionary Access  Control  sec- 
tion,  the  DAC  mechanism of a NTCB partition may be imple- 
mented at the interface of the reference monitor or  may  be 
assurance requirements for the design and implementation  of 
the DAC shall be those of class C2 for all networks of class 
C2 or above. 
 
+  Rationale 
 
 
     THE  REQUIREMENT  THAT  THE  NTCB  BE  STRUCTURED  INTO 
MODULES  AND  MEET  THE HARDWARE REQUIREMENTS APPLIES WITHIN 
THE NTCB PARTITIONS IN THE VARIOUS COMPONENTS. 
 
     THE PRINCIPLE OF LEAST  PRIVILEGE  REQUIRES  THAT  EACH 
USER  OR OTHER INDIVIDUAL WITH ACCESS TO THE SYSTEM BE GIVEN 
ONLY THOSE RESOURCES AND  AUTHORIZATIONS  REQUIRED  FOR  THE 
THAT  SUPPORTS  USERS  OR  OTHER  INDIVIDUALS.  FOR EXAMPLE, 
NTCB PARTITION (E.G., GAMES) LESSENS THE OPPORTUNITY OF DAM- 
AGE BY A TROJAN HORSE. 
 
     The requirement for the  protection  of  communications 
between NTCB partitions is specifically directed to subjects 
that are part of the NTCB partitions.  Any requirements  for 
 
     The provision of distinct address spaces under the con- 
trol  of  the NTCB provides the ability to separate subjects 
according to sensitivity level.  This requirement is  intro- 
mplement mandatory access controls.
 
 
 
+ Statement from DoD 5200.28-STD 
 
Hardware and/or software features shall be provided that can 
be  used  to  periodically validate the correct operation of 
the on-site hardware and firmware elements of the TCB. 
 
+  Interpretation 
 
     Implementation of the requirement is partly achieved by 
and  firmware  elements  of each component's NTCB partition. 
Features shall also be provided to validate the identity and 
correct  operation of a component prior to its incorporation 
n the network system and throughout system operation.   For
example,  a protocol could be designed that enables the com- 
cally  and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability 
to  respond. NTCB partitions shall provide the capability to 
 
     Intercomponent  protocols  implemented  within  a  NTCB 
tion in the case of failures of  network  communications  or 
ndividual components.  The allocation of mandatory and dis-
cretionary access control policy in a  network  may  require 
communication  between trusted subjects that are part of the 
NTCB partitions in different components.  This communication 
s normally implemented with a protocol between the subjects
as peer entities.  Incorrect access within a component shall 
not  result from failure of an NTCB partition to communicate 
 
+ Rationale 
 
     The  first  paragraph  of  the  interpretation   is   a 
text of a network system and partitioned NTCB as defined for 
these network criteria. 
 
     NTCB protocols should be robust  enough  so  that  they 
zed failure. The purpose of this protection is to  preserve
the integrity of the NTCB itself.  It is not unusual for one 
or more components in a network to  be  inoperative  at  any 
time,  so  it  is  important to minimize the effects of such 
failures on the rest of the  network.  Additional  integrity 
and denial of service issues are addressed in Part II. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE SYSTEM DEVELOPER SHALL CONDUCT  A  THOROUGH  SEARCH  FOR 
COVERT  STORAGE CHANNELS AND MAKE A DETERMINATION (EITHER BY 
ACTUAL MEASUREMENT OR BY ENGINEERING ESTIMATION) OF THE MAX- 
CHANNELS GUIDELINE SECTION.) 
 
+ Interpretation 
 
     THE REQUIREMENT, INCLUDING  THE  TCSEC  COVERT  CHANNEL 
GUIDELINE,  APPLIES  AS  WRITTEN.   IN  A NETWORK, THERE ARE 
ADDITIONAL INSTANCES OF COVERT CHANNELS ASSOCIATED WITH COM- 
MUNICATION BETWEEN COMPONENTS. 
 
+ Rationale 
 
     THE EXPLOITATION OF NETWORK PROTOCOL INFORMATION (E.G., 
HEADERS)  CAN  RESULT  IN COVERT STORAGE CHANNELS. THE TOPIC 
HAS BEEN ADDRESSED IN THE LITERATURE.- 
_________________________ 
  - See, for example, Girling, C. G., "Covert  Channels 
n  LAN's,"  IEEE Transactions on Software Engineering,
             ____ ____________ __ ________ ___________ 
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A., 
Snow,  D. P., and Karger, P. A., Limitations of End-to- 
                                 ___________ __ ___ __ 
End  Encryption  in  Secure  Computer  Networks,  MITRE 
___  __________  __  ______  ________  ________ 
Technical  Report,  MTR-3592,  Vol. I, May 1978 (ESD TR 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THE TCB SHALL SUPPORT SEPARATE  OPERATOR  AND  ADMINISTRATOR 
FUNCTIONS. 
+ Interpretation 
 
     THIS REQUIREMENT APPLIES AS WRITTEN TO BOTH THE NETWORK 
AS  A  WHOLE AND TO INDIVIDUAL COMPONENTS WHICH SUPPORT SUCH 
 
+ Rationale 
 
     IT IS RECOGNIZED THAT BASED  ON  THE  ALLOCATED  POLICY 
ELEMENTS  SOME  COMPONENTS  MAY OPERATE WITH NO HUMAN INTER- 
FACE. 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The security mechanisms of the ADP system  shall  be  tested 
and  found to work as claimed in the system documentation. A 
team of individuals who thoroughly understand  the  specific 
mplementation  of the TCB shall subject its design documen-
tation, source code, and object code to through analysis and 
testing.   Their  objectives shall be: to uncover all design 
and implementation flaws that would permit a subject  exter- 
nal  to  the  TCB  to  read, change, or delete data normally 
enforced  by  the  TCB; as well as to assure that no subject 
(without authorization to do so) is able to cause the TCB to 
enter  a state such that it is unable to respond to communi- 
cations initiated by other users. THE  TCB  SHALL  BE  FOUND 
RELATIVELY  RESISTANT  TO PENETRATION.  All discovered flaws 
flaws have not been introduced.  TESTING  SHALL  DEMONSTRATE 
THAT  THE TCB IMPLEMENTATION IS CONSISTENT WITH THE DESCRIP- 
TIVE TOP-LEVEL SPECIFICATION.   (See  the  Security  Testing 
Guidelines.) 
 
+  Interpretation 
 
     Testing of a component  will  require  a  testbed  that 
exercises  the  interfaces  and  protocols  of the component 
ncluding tests under exceptional conditions.   The  testing
of  a  security  mechanism of the network system for meeting 
this criterion shall  be  an  integrated  testing  procedure 
nvolving  all  components containing an NTCB partition that
mplement the given mechanism. This  integrated  testing  is
additional to any individual component tests involved in the 
evaluation of the network system.  The sponsor should  iden- 
tify the allowable set of configurations including the sizes 
of the networks.  Analysis or testing procedures  and  tools 
tions.  A change in configuration within the  allowable  set 
of configurations does not require retesting. 
 
     The testing of each component will include  the  intro- 
component that will attempt to read, change, or delete  data 
normally  denied.   If the normal interface to the component 
conduct  such a test, then this portion of the testing shall 
use a special version of the untrusted software for the com- 
The results shall be saved for test analysis.  Such  special 
versions  shall  have an NTCB partition that is identical to 
that for the normal configuration  of  the  component  under 
evaluation. 
 
     The testing of the  mandatory  controls  shall  include 
tests   to  demonstrate  that  the  labels  for  information 
mported and/or exported to/from  the  component  accurately
the component for use as the basis for its mandatory  access 
control  decisions.   The  tests  shall include each type of 
component. 
 
     THE NTCB MUST BE FOUND RELATIVELY RESISTANT TO PENETRA- 
TION.  THIS APPLIES TO THE NTCB AS A WHOLE, AND TO EACH NTCB 
 
+  Rationale 
 
     The phrase "no subject (without authorization to do so) 
s  able  to  cause the TCB to enter a state such that it is
unable to  respond  to  communications  initiated  by  other 
users"  relates  to  the  security services (Part II of this 
TNI) for the Denial of Service problem, and  to  correctness 
of the protocol implementations. 
 
     Testing  is  an  important  method  available  in  this 
evaluation  division to gain any assurance that the security 
mechanisms perform their intended function.  A major purpose 
of testing is to demonstrate the system's response to inputs 
to the NTCB partition from  untrusted  (and  possibly  mali- 
cious) subjects. 
 
     In contrast to general purpose systems that  allow  for 
the  dynamic  creation of new programs and the introductions 
of new processes (and hence new subjects) with  user  speci- 
fied  security  properities, many network components have no 
method for introducing new programs and/or processes  during 
their  normal  operation.  Therefore, the programs necessary 
for the testing must be introduced as  special  versions  of 
the  software  rather than as the result of normal inputs by 
the test team.  However, it must be insured  that  the  NTCB 
evaluation. 
 
     Sensitivity labels serve a critical role in maintaining 
the  security  of  the mandatory access controls in the net- 
of  the  labels  for  information  communicated between com- 
cit  labels for single-level devices.  Therefore the testing 
for correct labels is highlighted. 
 
     THE REQUIREMENT FOR TESTING TO DEMONSTRATE  CONSISTENCY 
BETWEEN  THE NTCB IMPLEMENTATION AND THE DTLS IS A STRAIGHT- 
FORWARD EXTENSION OF THE TCSEC REQUIREMENT INTO THE  CONTEXT 
OF A NETWORK SYSTEM. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A FORMAL model of the security policy supported by  the  TCB 
THAT IS PROVEN and demonstrated to be  consistent  with  its 
axioms.  A DESCRIPTIVE TOP-LEVEL SPECIFICATION (DTLS) OF THE 
TCB SHALL  BE  MAINTAINED  THAT  COMPLETELY  AND  ACCURATELY 
DESCRIBES  THE  TCB  IN TERMS OF EXCEPTIONS, ERROR MESSAGES, 
AND EFFECTS.  IT SHALL BE SHOWN TO BE AN  ACCURATE  DESCRIP- 
TION OF THE TCB INTERFACE. 
 
+  Interpretation 
 
     The overall network security policy expressed  in  this 
model  will  provide the basis for the mandatory access con- 
trol policy exercised by the NTCB over subjects and  storage 
objects  in the entire network.  The policy will also be the 
basis for the discretionary access control policy  exercised 
by  the  NTCB  to  control  access  of  named users to named 
objects.  Data integrity requirements addressing the effects 
of unauthorized MSM need not be included in this model.  The 
overall network policy must be decomposed into  policy  ele- 
ments  that are allocated to appropriate components and used 
as the basis for the security policy model  for  those  com- 
 
     The level of abstraction of the model, and the  set  of 
model, will be affected by the NTCB partitioning.   Subjects 
and  objects must be represented explicitly in the model for 
the partition if there is some network component whose  NTCB 
applicable  to  individual  network components are manifest. 
Global network policy elements that are  allocated  to  com- 
 
     THE REQUIREMENTS FOR A NETWORK DTLS ARE  GIVEN  IN  THE 
DESIGN DOCUMENTATION SECTION. 
 
+ Rationale 
 
     The treatment of the model depends to a great extent on 
the degree of integration of the communications service into 
a distributed system. In a closely coupled distributed  sys- 
tem,  one  might  use  a  model  that  closely resembles one 
appropriate for a stand-alone computer system. 
 
     In other cases, the model of  each  partition  will  be 
expected to show the role of the NTCB partition in each kind 
of component.   It  will  most  likely  clarify  the  model, 
although  not part of the model, to show access restrictions 
mplied  by  the  system  design;  for   example,   subjects
objects containing data units at the same layer of protocol. 
The  allocation of subjects and  objects to different proto- 
col layers is a protocol design choice which  need  not   be 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
DURING DEVELOPMENT AND MAINTENANCE OF THE TCB, A  CONFIGURA- 
TION MANAGEMENT SYSTEM SHALL BE IN PLACE THAT MAINTAINS CON- 
TROL OF CHANGES TO THE DESCRIPTIVE TOP-LEVEL  SPECIFICATION, 
OTHER  DESIGN  DATA,  IMPLEMENTATION  DOCUMENTATION,  SOURCE 
CODE, THE RUNNING VERSION OF THE OBJECT CODE, AND TEST  FIX- 
TURES  AND DOCUMENTATION.  THE CONFIGURATION MANAGEMENT SYS- 
TEM SHALL ASSURE A CONSISTENT MAPPING AMONG  ALL  DOCUMENTA- 
TION  AND  CODE  ASSOCIATED  WITH THE CURRENT VERSION OF THE 
TCB.  TOOLS SHALL BE PROVIDED FOR GENERATION OF A  NEW  VER- 
SION  OF  THE TCB FROM SOURCE CODE.  ALSO AVAILABLE SHALL BE 
TOOLS FOR COMPARING A NEWLY GENERATED VERSION WITH THE  PRE- 
VIOUS  TCB  VERSION  IN  ORDER  TO  ASCERTAIN  THAT ONLY THE 
ALLY BE USED AS THE NEW VERSION OF THE TCB. 
 
+  Interpretation 
 
     THE REQUIREMENT APPLIES AS WRITTEN, WITH THE  FOLLOWING 
EXTENSIONS: 
 
        FOR EACH NTCB PARTITION. 
 
 
        ENTIRE SYSTEM.  IF THE CONFIGURATION MANAGEMENT SYS- 
        TEM IS MADE UP OF THE CONGLOMERATION OF  THE  CONFI- 
        GURATION MANAGEMENT SYSTEMS OF THE VARIOUS NTCB PAR- 
        TITIONS, THEN THE CONFIGURATION MANAGEMENT PLAN MUST 
        ADDRESS  THE  ISSUE  OF HOW CONFIGURATION CONTROL IS 
        APPLIED TO THE SYSTEM AS A WHOLE. 
 
+ Rationale 
 
     EACH NTCB PARTITION MUST HAVE A  CONFIGURATION  MANAGE- 
MENT  SYSTEM  IN PLACE, OR ELSE THERE WILL BE NO WAY FOR THE 
NTCB AS A WHOLE TO HAVE AN EFFECTIVE  CONFIGURATION  MANAGE- 
MENT SYSTEM.  THE OTHER EXTENSIONS ARE MERELY REFLECTIONS OF 
THE WAY THAT NETWORKS OPERATE IN PRACTICE. 
 
 
 
_ _ _ _____________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A single summary, chapter, or manual in  user  documentation 
TCB, interpretations on their use,  and  how  they  interact 
 
+  Interpretation 
 
     This user documentation describes user visible  protec- 
tion  mechanisms at the global (network system) level and at 
the user interface of each component,  and  the  interaction 
among these. 
 
+  Rationale 
 
     The interpretation is an extension of  the  requirement 
nto  the  context  of a network system as defined for these
network criteria.  Documentation  of  protection  mechanisms 
teria for trusted  computer  systems  that  are  applied  as 
appropriate for the individual components. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A manual addressed to the  ADP  system  administrator  shall 
be controlled when running a secure facility. The procedures 
for examining and maintaining the audit files as well as the 
administrator functions  related  to  security,  to  include 
changing  the  security characteristics of a user.  It shall 
of the protection features of the system, how they interact, 
to operate the facility in a secure manner. THE TCB  MODULES 
THAT  CONTAIN  THE  REFERENCE  VALIDATION MECHANISM SHALL BE 
TCB FROM SOURCE AFTER MODIFICATION OF ANY MODULES IN THE TCB 
SHALL BE DESCRIBED. 
 
+ Interpretation 
 
     This manual shall contain specifications and procedures 
to assist the system administrator(s) maintain cognizance of 
the network configuration.  These  specifications  and  pro- 
cedures shall address the following: 
 
 
        network; 
 
        leave  the  network  (e.g., by crashing, or by being 
        disconnected) and then rejoin; 
 
        security  of  the  network system; (For example, the 
        manual  should  describe  for  the  network   system 
        administrator  the interconnections among components 
        that are consistent with the overall network  system 
        architecture.) 
 
        (e.g., down-line loading). 
 
        INDICATE  WHICH COMPONENTS OF THE NETWORK MAY CHANGE 
        WITHOUT OTHERS ALSO CHANGING. 
  
     The physical and administrative environmental  controls 
all  communications  links must be physically protected to a 
certain level). 
 
     THE COMPONENTS OF THE NETWORK THAT FORM THE  NTCB  MUST 
BE IDENTIFIED.  FURTHERMORE, THE MODULES WITHIN AN NTCB PAR- 
TITION THAT CONTAIN THE REFERENCE VALIDATION  MECHANISM  (IF 
ANY) WITHIN THAT PARTITION MUST BE IDENTIFIED. 
 
     THE PROCEDURES FOR THE SECURE GENERATION OF A NEW  VER- 
SION  (OR  COPY)  OF EACH NTCB PARTITION FROM SOURCE MUST BE 
DESCRIBED.  THE PROCEDURES AND REQUIREMENTS FOR  THE  SECURE 
GENERATION  OF  THE NTCB NECESSITATED BY CHANGES IN THE NET- 
WORK CONFIGURATION SHALL BE DESCRIBED. 
 
+ Rationale 
 
     There  may  be  multiple  system  administrators   with 
other  forms of security in order to achieve security of the 
network.  Additional forms include administrative  security, 
 
     Extension of  this  criterion  to  cover  configuration 
aspects  of  the  network  is  needed  because, for example, 
to  achieve  a  correct realization of the network architec- 
ture. 
 
     As mentioned in the section on Label  Integrity,  cryp- 
tography is one common mechanism employed to protect commun- 
cation circuits.  Encryption transforms the  representation
of  information so that it is unintelligible to unauthorized 
of the ciphertext is generally lower than the cleartext.  If 
encryption  methodologies  are  employed,  they   shall   be 
approved by the National Security Agency (NSA). 
 
     The encryption algorithm  and  its  implementation  are 
outside  the scope of these interpretations.  This algorithm 
and implementation may be implemented in a  separate  device 
or  may  be a function of a subject in a component not dedi- 
cated to encryption.  Without prejudice, either  implementa- 
tion  packaging  is  referred  to as an encryption mechanism 
 
     THE REQUIREMENTS FOR DESCRIPTIONS  OF  NTCB  GENERATION 
AND  IDENTIFICATION  OF MODULES AND COMPONENTS THAT FORM THE 
NTCB ARE STRAIGHTFORWARD EXTENSIONS OF  THE  TCSEC  REQUIRE- 
MENTS  INTO  THE  NETWORK CONTEXT.  IN THOSE CASES WHERE THE 
VENDOR DOES NOT PROVIDE SOURCE CODE, AN ACCEPTABLE PROCEDURE 
SHALL BE TO REQUEST THE VENDOR TO PERFORM THE SECURE GENERA- 
TION. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall provide to the evaluators a docu- 
ment that describes the test plan, test procedures that show 
RESULTS OF TESTING THE EFFECTIVENESS OF THE METHODS USED  TO 
REDUCE COVERT CHANNEL BANDWIDTHS. 
 
 
+  Interpretation 
 
     The "system developer" is interpreted as  "the  network 
establish the context in which the testing was or should  be 
conducted.   The  description should identify any additional 
test components that  are  not  part  of  the  system  being 
evaluated.  This includes a description of the test-relevant 
functions of such test components and a description  of  the 
nterfacing  of  those  test  components to the system being
evaluated.  The description of the  test  plan  should  also 
configuration and sizing. 
 
+  Rationale 
 
     The entity being evaluated may be a networking  subsys- 
tem (see Appendix A) to which other components must be added 
to make a  complete  network  system.  In  that  case,  this 
nterpretation  is extended to include contextual definition
because, at evaluation time, it is not possible to  validate 
the  test  plans  without the description of the context for 
testing the networking subsystem. 
 
     THE BANDWIDTHS OF COVERT CHANNELS ARE USED TO DETERMINE 
THE SUITABILITY OF A NETWORK SYSTEM FOR A GIVEN ENVIRONMENT. 
THE EFFECTIVENESS  OF  THE  METHODS  USED  TO  REDUCE  THESE 
BANDWIDTHS MUST THEREFORE BE ACCURATELY DETERMINED. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Documentation shall be available that provides a description 
of the manufacturer's philosophy of protection and an expla- 
nation of how this philosophy is translated  into  the  TCB. 
THE  interfaces between THE TCB modules shall be described. 
A FORMAL description of the security policy  model  enforced 
by the TCB shall be available and an explanation provided to 
The  specific  TCB protection mechanisms shall be identified 
and an explanation given  to  show  that  they  satisfy  the 
model.  THE DESCRIPTIVE TOP-LEVEL SPECIFICATION (DTLS) SHALL 
BE SHOWN TO BE AN ACCURATE DESCRIPTION OF THE TCB INTERFACE. 
DOCUMENTATION  SHALL  DESCRIBE  HOW  THE  TCB IMPLEMENTS THE 
REFERENCE MONITOR CONCEPT AND GIVE AN EXPLANATION WHY IT  IS 
TAMPER  RESISTANT,  CANNOT  BE  BYPASSED,  AND  IS CORRECTLY 
STRUCTURED  TO  FACILITATE  TESTING  AND  TO  ENFORCE  LEAST 
RESULTS  OF  THE  COVERT  CHANNEL ANALYSIS AND THE TRADEOFFS 
THAT MAY BE USED IN THE EXPLOITATION OF KNOWN COVERT STORAGE 
CHANNELS SHALL  BE  IDENTIFIED.   THE  BANDWIDTHS  OF  KNOWN 
COVERT  STORAGE CHANNELS, THE USE OF WHICH IS NOT DETECTABLE 
BY THE AUDITING MECHANISMS,  SHALL  BE  PROVIDED.  (SEE  THE 
COVERT CHANNEL GUIDELINE SECTION.) 
 
+  Interpretation 
 
     Explanation of how the sponsor's philosophy of  protec- 
tion is translated into the NTCB shall include a description 
of how the NTCB is partitioned.  The  security  policy  also 
the NTCB modules shall include the interface(s) between NTCB 
exist.  The sponsor shall describe the security architecture 
and  design,  including  the allocation of security require- 
ments among components. 
 
     THE DOCUMENTATION INCLUDES BOTH  A  SYSTEM  DESCRIPTION 
AND  A  SET  OF  COMPONENT  DTLS'S.   THE SYSTEM DESCRIPTION 
ADDRESSES THE NETWORK SECURITY ARCHITECTURE  AND  DESIGN  BY 
SPECIFYING  THE  TYPES  OF  COMPONENTS IN THE NETWORK, WHICH 
ONES ARE TRUSTED, AND IN WHAT WAY  THEY  MUST  COOPERATE  TO 
SUPPORT NETWORK SECURITY OBJECTIVES.  A COMPONENT DTLS SHALL 
BE PROVIDED FOR EACH TRUSTED NETWORK COMPONENT,  I.E.,  EACH 
COMPONENT CONTAINING AN NTCB PARTITION.  EACH COMPONENT DTLS 
SHALL DESCRIBE THE INTERFACE TO THE NTCB  PARTITION  OF  ITS 
COMPONENT. APPENDIX A ADDRESSES COMPONENT EVALUATION ISSUES. 
 
     As stated in the introduction to Division B, the  spon- 
monitor concept.  The security policy model must be a  model 
for a reference monitor. 
 
     The security policy model for each partition implement- 
ng  a  reference  monitor  shall fully represent the access
control policy supported by  the  partition,  including  the 
and/or integrity.  For the mandatory policy the single domi- 
nance  relation  for  sensitivity  labels, including secrecy 
and/or integrity components, shall be precisely defined. 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context  of a network system as 
tion,  such  as description of components and description of 
operating environment(s) in which the  networking  subsystem 
or network system is designed to function, is required else- 
 
     In order to be evaluated,  a  network  must  possess  a 
coherent  Network Security Architecture and Design.  (Inter- 
connection of components that do not adhere to such a single 
coherent  Network  Security Architecture is addressed in the 
Security  Architecture  must  address  the security-relevant 
Design  specifies  the  interfaces and services that must be 
ncorporated into the network so that it can be evaluated as
a  trusted  entity.  There may be multiple designs that con- 
form to the same architecture but are more or less  incompa- 
tible and non-interoperable (except through the Interconnec- 
tion Rules).  Security related mechanisms requiring coopera- 
tion  among  components are specified in the design in terms 
of their visible interfaces; mechanisms  having  no  visible 
nterfaces  are  not specified in this document but are left
as implementation decisions. 
 
     The Network Security Architecture and  Design  must  be 
available  from the network sponsor before evaluation of the 
network, or any component, can be undertaken.   The  Network 
Security  Architecture  and Design must be sufficiently com- 
the  construction  or assembly of a trusted network based on 
the structure it specifies. 
 
     When a component is being  designed  or  presented  for 
evaluation,  or  when a network assembled from components is 
assembled or presented  for  evaluation,  there  must  be  a 
Design are satisfied.  That is, the components can be assem- 
bled into a network that conforms in every way with the Net- 
tion indicates. 
 
     In order for a trusted network to be  constructed  from 
components  that  can  be  built  independently, the Network 
Security Architecture and Design must completely and unambi- 
Network  Security  Architecture and Design must be evaluated 
to determine that a network constructed  to  its  specifica- 
tions  will in fact be trusted, that is, it will be evaluat- 
able under these interpretations. 
 
 
     The term "model" is used in several different ways in a 
network context, e.g., a "protocol reference model," a "for- 
mal network model," etc. Only the "security policy model" is 
addressed  by  this requirement and is specifically intended 
to model the interface, viz., "security perimeter,"  of  the 
n the TCSEC.  It must be shown that all parts  of  the  TCB
are  a  valid  interpretation  of the security policy model, 
.e., that there is no change to the secure state except  as
 
             3.3  CLASS (B3):  SECURITY DOMAINS 
             _ _  _____  __    ________ _______ 
 
 
     THE CLASS (B3) NTCB  MUST  SATISFY  THE  REFERENCE 
     MONITOR  REQUIREMENTS THAT IT MEDIATE ALL ACCESSES 
     OF SUBJECTS TO OBJECTS,  BE  TAMPERPROOF,  AND  BE 
     SMALL  ENOUGH  TO  BE  SUBJECTED  TO  ANALYSIS AND 
     TESTS.  TO THIS END, THE  NTCB  IS  STRUCTURED  TO 
     EXCLUDE  CODE  NOT  ESSENTIAL  TO  SECURITY POLICY 
     ENFORCEMENT, WITH SIGNIFICANT  SYSTEM  ENGINEERING 
     DURING  NTCB  DESIGN  AND  IMPLEMENTATION DIRECTED 
     TOWARD  MINIMIZING  ITS  COMPLEXITY.   A  SECURITY 
     ADMINISTRATOR  IS  SUPPORTED, AUDIT MECHANISMS ARE 
     EXPANDED TO SIGNAL SECURITY-RELEVANT  EVENTS,  AND 
     SYSTEM RECOVERY PROCEDURES ARE REQUIRED.  THE SYS- 
     TEM IS HIGHLY RESISTANT TO PENETRATION.  THE  FOL- 
     LOWING   ARE   MINIMAL  REQUIREMENTS  FOR  SYSTEMS 
     ASSIGNED A CLASS (B3) RATING: 
 
 
_ _ _ ________ ______ 
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     The network sponsor shall describe the overall  network 
cy  is  an  access  control  policy having two primary com-
nclude  a  discretionary policy for protecting the informa-
tion being processed based on the authorizations of  indivi- 
cy statement shall describe the requirements on the network
to  prevent  or  detect  "reading  or  destroying" sensitive 
nformation by unauthorized users or errors.  The  mandatory
that it supports.  For the Class B1 or above  the  mandatory 
nformation that reflects its sensitivity  with  respect  to
ciated with users to reflect their authorization  to  access 
that are not authorized to use the network at all  (e.g.,  a 
user  attempting  to  use a passive or active wire tap) or a 
legitimate user of the network  who  is  not  authorized  to 
access a specific piece of information being protected. 
 
     Note that "users" does not include "operators," "system 
officers," and other system  support  personnel.   They  are 
Manual and the System Architecture requirements.  Such indi- 
viduals may change the system parameters of the network sys- 
tem, for example, by defining membership of a group.   These 
ndividuals may also have the separate role of users.
 
 
        SECRECY POLICY: The network sponsor shall define the 
        form  of  the  discretionary  and mandatory  secrecy 
        policy that is enforced in the  network  to  prevent 
        unauthorized users from reading the sensitive infor- 
        mation entrusted to the network. 
 
 
        DATA INTEGRITY POLICY:  The  network  sponsor  shall 
        define  the  discretionary  and mandatory  integrity 
        policy to prevent unauthorized users from modifying, 
        viz.,  writing,  sensitive information.  The defini- 
        tion of data  integrity  presented  by  the  network 
        sponsor  refers to the requirement that the informa- 
        tion has not been subjected to unauthorized  modifi- 
        cation  in the network. The mandatory integrity pol- 
        icy enforced by the NTCB cannot, in general, prevent 
        modification  while information is being transmitted 
        between components.  However,  an  integrity  sensi- 
        tivity  label  may  reflect  the confidence that the 
        information has not been subjected  to  transmission 
        errors  because  of  the  protection afforded during 
        transmission.  This requirement is distinct from the 
        requirement for label integrity. 
 
+ Rationale 
 
     The word "sponsor" is used  in  place  of  alternatives 
(such   as   "vendor,"   "architect,"   "manufacturer,"  and 
"developer") because the alternatives  indicate  people  who 
may not be available, involved, or relevant at the time that 
a network system is proposed for evaluation. 
 
     A trusted network is able to control both  the  reading 
and  writing  of  shared  sensitive information.  Control of 
tion. A network normally is expected to have policy require- 
ments to protect both  the  secrecy  and  integrity  of  the 
nformation  entrusted to it.  In a network the integrity is
frequently as important or more important than  the  secrecy 
to be enforced by the network must be stated for  each  net- 
the policy  is  faithfully  enforced  is  reflected  in  the 
evaluation class of the network. 
 
     This control over modification  is  typically  used  to 
control the potential harm that would result if the informa- 
tion  were  corrupted.   The overall network policy require- 
ments for integrity includes the protection  for  data  both 
transmitted in  the  network.   The  access  control  policy 
enforced  by  the  NTCB relates to the access of subjects to 
objects within  each  component.   Communications  integrity 
addressed  within Part II relates to information while being 
transmitted. 
 
     The mandatory integrity policy (at class B1 and  above) 
n  some architectures may be useful in supporting the link-
age between the connection oriented  abstraction  introduced 
n  the  Introduction  and  the individual components of the
network.  For example, in  a  key  distribution  center  for 
end-to-end  encryption, a distinct integrity category may be 
assigned to isolate the key generation code  and  data  from 
 
     The mandatory integrity policy  for  some  architecture 
may  define an integrity sensitivity label that reflects the 
been  subject  to  random errors in excess of a stated limit 
nor to unauthorized message  stream  modification  (MSM)  -. 
The specific metric associated with an integrity sensitivity 
label will generally reflect the  intended  applications  of 
the network. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall define and control access between named  users 
and named objects (e.g., files and programs) in the ADP sys- 
tem.  The enforcement mechanism (e.g., ACCESS CONTROL LISTS)  
OBJECTS and shall provide controls to limit  propagation  of  
access  rights.   The discretionary access control mechanism 
that  objects are protected from unauthorized access.  These 
access controls shall be capable  of  SPECIFYING,  FOR  EACH 
_________________________ 
  - See Voydock, Victor L. and Stephen T. Kent,  "Secu- 
                                                   ___ 
______ _______ 
 
 
 
NAMED OBJECT, A LIST OF NAMED  INDIVIDUALS  AND  A  LIST  OF 
GROUPS  OF  NAMED INDIVIDUALS WITH THEIR RESPECTIVE MODES OF 
ACCESS TO THAT OBJECT.  FURTHERMORE,  FOR  EACH  SUCH  NAMED 
OBJECT,  IT  SHALL  BE  POSSIBLE  TO SPECIFY A LIST OF NAMED 
WHICH  NO  ACCESS TO THE OBJECT IS GIVEN.  Access permission 
to an object by users not already possessing access  permis- 
 
+  Interpretation 
 
     The discretionary access control (DAC) mechanism(s) may 
be  distributed  over  the partitioned NTCB in various ways. 
Some part, all, or none of the DAC may be implemented  in  a 
no  subjects acting as direct surrogates for users), such as 
a public network packet switch, might not implement the  DAC 
mechanism(s)  directly  (e.g.,  they are unlikely to contain 
access control lists). 
 
     Identification of users by groups may  be  achieved  in 
various  ways  in  the networking environment.  For example, 
the network identifiers (e.g., internet addresses) for vari- 
ous  components (e.g., hosts, gateways) can be used as iden- 
tifiers of groups of individual users (e.g., "all  users  at 
Host  A," "all users of network Q") so long as the individu- 
als involved in the group are implied by the group  identif- 
er. For example, Host A might employ a particular group-id,
for which it maintains a list  of  explicit  users  in  that 
the group-id under the conditions of this interpretation. 
 
     For networks, individual hosts will impose need-to-know 
controls over their users on the basis of named individuals 
- much like (in fact, probably the same) controls used  when 
there is no network connection. 
 
     When group identifiers are acceptable for  access  con- 
trol,  the identifier of some other host may be employed, to 
eliminate the maintenance that would be required if  indivi- 
C2 and higher, however, it must be possible from that  audit 
exactly the individuals represented by a group identifier at 
the time of the use of that identifier.  There is allowed to 
be an uncertainty because of elapsed time between changes in 
the  group membership and the enforcement in the access con- 
trol mechanisms. 
 
     The DAC mechanism of a NTCB  partition  may  be  imple- 
mented  at  the interface of the reference monitor or may be 
all the physical resources  of  the  system  and  from  them 
creates the abstraction of subjects and objects that it con- 
trols. Some of these subjects and objects  may  be  used  to 
mplement  a  part  of  the NTCB.  When the DAC mechanism is
Assurance section) for the design and implementation of  the 
DAC  shall be those of class C2 for all networks of class C2 
or above. 
 
     When integrity is included as part of the network  dis- 
cretionary  security policy, the above interpretations shall 
be specifically applied to the controls  over  modification, 
viz,  the  write mode of access, within each component based 
on identified users or groups of users. 
 
+  Rationale 
 
     In this class, the supporting elements of  the  overall 
DAC  mechanism are required to isolate information (objects) 
that supports DAC so that it is subject to auditing require- 
ments  (see  the  System  Architecture section).  The use of 
network identifiers to identify groups of  individual  users 
could  be  implemented, for example, as an X.25 community of 
nterest in the network protocol layer (layer  3).   In  all
other  respects,  the supporting elements of the overall DAC 
mechanism are treated  exactly  as  untrusted  subjects  are 
treated  with respect to DAC in an ADP system, with the same 
 
     A typical situation for DAC is that a surrogate process 
for a remote user will be created in some host for access to 
objects under the control of the NTCB partition within  that 
assigned and maintained for each such process by  the  NTCB, 
tially the same discretionary controls as access by  a  pro- 
cess  acting  on  behalf of a local user would be.  However, 
tions of the assigned user identification is permitted. 
 
     The most obvious situation  would  exist  if  a  global 
able on demand to every host, (i.e., a name server  existed) 
 
     It is also acceptable, however, for  some  NTCB  parti- 
tions to maintain a database of locally-registered users for 
ts own use.  In such a case, one could  choose  to  inhibit
the creation of surrogate processes for locally unregistered 
users, or (if permitted by the local policy)  alternatively, 
to   permit   the   creation  of  surrogate  processes  with 
dentify the process as executing on behalf of a member of a
the  words concerning audit in the interpretation is to pro- 
vide a minimally acceptable degree of auditability for cases 
be a capability, using the audit facilities provided by  the 
network  NTCB  partitions  involved,  to  determine  who was 
logged in at the actual host of the group of remote users at 
the time the surrogate processing occured. 
 
     Associating the proper user id with a surrogate process 
s  the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id  of 
the  surrogate  process.   The transmission of the data back 
across the network to the user's host, and the creation of a 
copy of the data there, is not the business of DAC. 
 
     Components that support only internal  subjects  impact 
the implementation of the DAC by providing services by which 
nformation (e.g., a user-id) is made available  to  a  com-
file  at  Host  B.   The  DAC decision might be (and usually 
ted from Host A to Host B. 
 
     Unique user identification may be achieved by a variety 
of  mechanisms, including (a) a requirement for unique iden- 
tification and authentication on the host where access takes 
addresses authenticated by another host and forwarded to the 
of a network-wide unique personnel identifier that could  be 
authenticated and forwarded by another host as in (b) above, 
or could be authenticated and forwarded by a dedicated  net- 
cols which implement (b) or (c) are subject  to  the  System 
Architecture requirements. 
 
     Network support for DAC might be handled in other  ways 
than  that described as "typical" above. In particular, some 
form of centralized access control is  often  proposed.   An 
access  control center may make all decisions for DAC, or it 
may share the burden with the hosts by controlling  host-to- 
to their objects by users at a limited set of remote  hosts. 
between the connection oriented abstraction (as discussed in 
the  Introduction)  and  the overall network security policy 
for DAC.  In all cases the enforcement of the decision  must 
be provided by the host where the object resides. 
 
     There are two forms of distribution for the DAC mechan- 
sm:  implementing  portions  of  the  DAC  in separate com-
the  NTCB  partition in a component.  Since "the ADP system" 
s understood to be "the computer network" as a whole,  each
network  component  is responsible for enforcing security in 
the mechanisms allocated to it to ensure secure  implementa- 
tion  of  the network security policy.  For traditional host 
a few approaches, such as virtual machine monitors,  support 
DAC outside this interface. 
 
     In contrast to the universally rigid structure of  man- 
DAC policies tend to be very network  and  system  specific, 
For networks it is common that individual hosts will  impose 
controls  over  their  local  users  on  the  basis of named 
ndividuals-much like the controls used  when  there  is  no
network connection.  However, it is difficult to manage in a 
centralized manner all the individuals using  a  large  net- 
together so that the controls required by  the  network  DAC 
other components.  A gateway is an example of  such  a  com- 
 
     The assurance requirements are at the very heart of the 
concept  of  a  trusted  system.   It  is the assurance that 
environment,  as reflected, for example, in the Environments 
Guideline-.  In the case of monolithic systems that have DAC 
ntegral  to  the  reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of  the 
clearer distinction due to distributed DAC.   The  rationale 
for making the distinction in this network interpretation is 
that if major trusted network components can be made  signi- 
ficantly easier to design and implement without reducing the 
ability to meet security policy, then trusted networks  will 
be more easily available. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
All authorizations to the  information  contained  within  a 
allocation or reallocation to a subject from the TCB's  pool 
of   unused  storage  objects.   No  information,  including 
encrypted representations  of  information,  produced  by  a 
that obtains access to an object that has been released back 
to the system. 
 
+  Interpretation 
 
     The NTCB shall ensure that any storage objects that  it 
controls  (e.g., message buffers under the control of a NTCB 
_________________________ 
  - Guidance for Applying  the  Department  of  Defense 
    ________ ___ ________  ___  __________  __  _______ 
Trusted Computer System Evaluation Criteria in Specific 
_______ ________ ______ __________ ________ __ ________ 
Environments, CSC-STD-003-85. 
____________ 
 
 
access.  This requirement must be enforced by  each  of  the 
NTCB partitions. 
 
+  Rationale 
 
     In a network system, storage objects  of  interest  are 
things  that  the  NTCB  directly  controls, such as message 
buffers in components.  Each component of the network system 
must  enforce  the  object reuse requirement with respect to 
the storage objects of interest as determined by the network 
be  under  the  control  of  the  NTCB  partition.  A buffer 
assigned to an internal subject may be reused at the discre- 
tion of that subject which is responsible for preserving the 
ntegrity of message streams.  Such controlled  objects  may
be  implemented in physical resources, such as buffers, disk 
network switches. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels associated with each ADP system  resource 
(e.g.,  subject,  storage  object,  ROM) that is directly or 
ndirectly accessible by subjects external to the TCB  shall
be maintained by the TCB.  These labels shall be used as the 
basis for mandatory access control decisions.  In  order  to 
mport  non-labeled  data, the TCB shall request and receive
from an authorized user the sensitivity level of  the  data, 
and all such actions shall be auditable by the TCB. 
 
+  Interpretation 
 
     Non-labeled data imported under the control of the NTCB 
labels of the single-level device used to import it.  Labels 
may  include secrecy and integrity- components in accordance 
network   sponsor.    Whenever  the  term  "label"  is  used 
throughout this interpretation, it is understood to  include 
both   components   as  applicable.   Similarly,  the  terms 
"single-level" and "multilevel" are understood to  be  based 
on  both the secrecy and integrity components of the policy. 
The mandatory integrity policy will typically have  require- 
ments,  such as the probability of undetected message stream 
modification, that will be reflected in the  label  for  the 
_________________________ 
  - See, for example, Biba, K.J., "Integrity Considera- 
tion  for Secure Computer Systems," ESD-TR-76-372, MTR- 
 
ntegrity label may be assigned based on mechanisms, such as
cryptography, used to provide the assurance required by  the 
tected from tampering and are always invoked when  they  are 
the basis for a label. 
 
 
     If the security policy includes  an  integrity  policy, 
all  activities  that  result in message-stream modification 
violation  of  the integrity policy.  The NTCB shall have an 
automated capability for testing, detecting,  and  reporting 
those   errors/corruptions  that  exceed  specified  network 
ntegrity policy requirements.  Message-stream  modification
(MSM)  countermeasures shall be identified.  A technology of 
adequate strength shall  be  selected  to  resist  MSM.   If 
encryption   methodologies   are  employed,  they  shall  be 
approved by the National Security Agency. 
 
     All objects must be labeled within  each  component  of 
the network that is trusted to maintain separation of multi- 
objects  associated  with  single-level  components  will be 
dentical to the level of that component.  Objects  used  to
tures, such as routing tables, must be  labeled  to  prevent 
unauthorized access and/or modification. 
 
+ Rationale 
 
     The interpretation is an extension of  the  requirement 
nto the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in  which 
the  security  range  of  the subject is the minimum-maximum 
ce.
 
     The sensitivity labels for either secrecy or  integrity 
or both may reflect non-hierarchical categories or hierarch- 
cal classification or both.
 
     For a network it is necessary that this requirement  be 
applied  to  all  network system resources at the (B2) level 
and above. 
 
     The NTCB is responsible for  implementing  the  network 
ntegrity  policy,  when  one exists.  The NTCB must enforce
that policy  by  ensuring  that  information  is  accurately 
transmitted  from  source  to destination (regardless of the 
number of intervening connecting points).  The NTCB must  be 
able  to  counter  equipment  failure, environmental disrup- 
tions, and actions by persons and processes  not  authorized 
to  alter  the  data.  Protocols that perform code or format 
conversion shall preserve the integrity of data and  control 
nformation.
 
     The probability of an undetected transmission error may 
be  specified as part of the network security policy so that 
the acceptability of the network for its  intended  applica- 
tion  may  be determined. The specific metrics (e.g., proba- 
bility of undetected modification) satisfied by the data can 
be  reflected  in the integrity sensitivity label associated 
s  recognized  that  different applications and operational
environments (e.g., crisis as  compared  to  logistic)  will 
 
     The network shall also have an automated capability  of 
testing  for,  detecting, and reporting errors that exceed a 
threshold consistent with the operational mode requirements. 
The effectiveness of integrity countermeasures must be esta- 
blished with the same rigor as the  other  security-relevant 
 
     Cryptography is often utilized as a  basis  to  provide 
Detection Codes (MDC)-, may be used.  The  adequacy  of  the 
encryption or MDC algorithm, the correctness of the protocol 
logic, and the adequacy  of  implementation  must  be  esta- 
blished in MSM countermeasures design. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels shall  accurately  represent  sensitivity 
levels  of  the specific subjects or objects with which they 
are associated.   When  exported  by  the  TCB,  sensitivity 
labels  shall  accurately  and  unambiguously  represent the 
nternal labels and shall be associated with the information
being exported. 
 
+  Interpretation 
 
     The phrase "exported  by  the  TCB"  is  understood  to 
nclude  transmission  of  information from an object in one
component to an object in  another  component.   Information 
transferred between NTCB partitions is addressed in the Sys- 
tem Integrity Section. The form  of  internal  and  external 
(exported)  sensitivity  labels  may differ, but the meaning 
correct  association of sensitivity labels with the informa- 
tion being transported across the network is preserved. 
 
 
_________________________ 
  - See Jueneman, R. R., "Electronic Document Authenti- 
cation," IEEE Network Magazine, April 1987, pp 17-23. 
         ____ _______ ________ 
 
 
     As mentioned in the Trusted  Facility  Manual  Section, 
encryption  transforms  the representation of information so 
that  it  is  unintelligible   to   unauthorized   subjects. 
Reflecting this transformation, the sensitivity level of the 
ciphertext is generally lower than the cleartext.   It  fol- 
lows  that  cleartext  and  ciphertext are contained in dif- 
ferent objects, each possessing its own label.  The label of 
the  cleartext  must  be  preserved  and associated with the 
ciphertext so that it can be restored when the cleartext  is 
cleartext is associated  with  a  single-level  device,  the 
label of that cleartext may be implicit.  The label may also 
be implicit in the key. 
 
     When information is exported to an environment where it 
s subject to deliberate or accidental modification, the TCB
assure  the  accuracy of the labels.  When there is a manda- 
tory integrity policy, the policy will define the meaning of 
ntegrity labels.
 
+  Rationale 
 
     Encryption algorithms and their implementation are out- 
may be implemented in a separate device  or  may  be  incor- 
encryption mechanism herein. If encryption methodologies are 
employed in this regard,  they  shall  be  approved  by  the 
National  Security  Agency (NSA).  The encryption process is 
components in which it is implemented. 
 
     The encryption mechanism  is  not  necessarily  a  mul- 
tilevel  device  or  multilevel  subject, as these terms are 
used in these criteria.  The process of encryption  is  mul- 
tilevel  by definition.  The cleartext and ciphertext inter- 
faces  carry  information  of  different  sensitivity.    An 
encryption  mechanism  does not process data in the sense of 
ciphertext interfaces on the encryption  mechanism  must  be 
the  data  is established by a trusted individual and impli- 
citly associated with  the  interface;  the  Exportation  to 
Single-Level Devices criterion applies. 
 
     If the interface is multilevel, then the data  must  be 
labeled;  the  Exportation  to  Multilevel Devices criterion 
applies. The network architect is free to select an  accept- 
able mechanism for associating a label with an object.  With 
 
 
        the object. 
 
        through the encryption key.  That is, the encryption 
        key uniquely identifies a sensitivity level.  A sin- 
        gle or private key must be protected at the level of 
        the data that it encrypts. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall designate each communication channel  and  I/O 
this designation shall be done manually and shall be  audit- 
able  by  the  TCB.   The  TCB shall maintain and be able to 
audit any change in the sensitivity level or levels  associ- 
ated with a communications channel or I/O device. 
 
+  Interpretation 
 
     Each communication channel and network component  shall 
be  designated  as  either  single-level or multilevel.  Any 
change in this designation shall be done with the cognizance 
and  approval  of  the  administrator or security officer in 
charge of the affected components and the  administrator  or 
be auditable by the network. The NTCB shall maintain and  be 
able  to  audit  any  change in the device labels associated 
ciated with a multilevel communication channel or component. 
The NTCB shall also be able to audit any change in  the  set 
of  sensitivity levels associated with the information which 
can be transmitted over a multilevel  communication  channel 
or component. 
 
+  Rationale 
 
     Communication channels and components in a network  are 
analogous  to  communication  channels  and  I/O  devices in 
tilevel  (i.e.,  able to distinguish and maintain separation 
among information of various sensitivity levels) or  single- 
level.   As  in  the TCSEC, single-level devices may only be 
attached to single-level channels. 
 
     The level or set of levels of information that  can  be 
only change with the knowledge and approval of the  security 
officers  (or  system administrator, if there is no security 
officer) of the network, and  of  the  affected  components. 
This  requirement  ensures  that  no  significant  security- 
affected parties. 
 
 
+ Statement from DoD 5200.28-STD 
 
When the TCB exports an object to a multilevel  I/O  device, 
the sensitivity label associated with that object shall also 
be exported and shall reside on the same physical medium  as 
the  exported  information  and  shall  be  in the same form 
(i.e., machine-readable or human-readable form).   When  the 
TCB  exports or imports an object over a multilevel communi- 
cations channel, the protocol used  on  that  channel  shall 
labels and  the  associated  information  that  is  sent  or 
 
+  Interpretation 
 
     The components, including hosts, of a network shall  be 
nterconnected  over  "multilevel  communication  channels,"
multiple single-level communication channels, or both, when- 
ever  the information is to be protected at more than a sin- 
the only information needed to correctly associate a  sensi- 
tivity  level with the exported information transferred over 
the multilevel channel between the NTCB partitions in  indi- 
vidual components. This protocol definition must specify the 
(i.e.,  the  machine-readable  label must uniquely represent 
the sensitivity level). 
 
     The "unambiguous" association of the sensitivity  level 
of accuracy as that required for any other label within  the 
NTCB,  as  specified  in  the criterion for Label Integrity. 
This may be provided by protected and highly reliable direct 
link protection in which any errors during transmission  can 
be  readily  detected,  or by use of a separate channel. The 
 
+  Rationale 
 
     This  protocol  must  specify  the  representation  and 
Access Control Policies section in  Appendix  B.   The  mul- 
tilevel  device  interface  to  (untrusted)  subjects may be 
mplemented either by the interface of the  reference  moni-
tor,  per  se,  or by a multilevel subject (e.g., a "trusted 
vides  the  labels  based on the internal labels of the NTCB 
 
     The current state of the art  limits  the  support  for 
mandatory  policy  that  is  practical  for secure networks. 
Reference monitor support to ensure the control over all the 
operations of each subject in the network must be completely 
nvoked by this subject must be contained in the  same  com-
 
     The secure state of an NTCB partition may  be  affected 
by events external to the component in which the NTCB parti- 
tion resides (e.g.,  arrival  of  a  message).   The  effect 
occurs  asynchronusly  after  being initiated by an event in 
another component or partition.  For example,  indeterminate 
component, the arrival of the message in the NTCB  partition 
n  another  component,  and the corresponding change to the
s  executing  concurrently,  to  do otherwise would require
ably not even desirable.  Therefore, the interaction between 
NTCB partitions is restricted to just communications between 
the device(s) can send/receive data of more  than  a  single 
level.  For  broadcast channels the pairs are the sender and 
ntended receiver(s).  However,  if  the  broadcast  channel
carries multiple levels of information, additional mechanism 
(e.g., cryptochecksum maintained by the TCB) may be required 
to enforce separation and proper delivery. 
 
     A  common  representation  for  sensitivity  labels  is 
needed  in  the protocol used on that channel and understood 
by both the sender and receiver when two multilevel  devices 
(in  this  case,  in two different components) are intercon- 
nected. Each distinct sensitivity level of the overall  net- 
 
     Within a monolithic TCB, the  accuracy  of  the  sensi- 
tivity  labels  is  generally  assured by simple techniques, 
e.g., very reliable connections  over  very  short  physical 
connections,  such  as  on a single printed circuit board or 
over an internal bus.  In many network environments there is 
a  much  higher  probability  of accidentally or maliciously 
ntroduced errors, and these must be protected against.
 
 
 
+ Statement from DoD 5200.28-STD 
 
Single-level  I/O  devices  and  single-level  communication 
channels are not required to maintain the sensitivity labels 
of the information they process.   However,  the  TCB  shall 
nclude  a mechanism by which the TCB and an authorized user
level  of  information imported or exported via single-level 
communication channels or I/O devices. 
 
+  Interpretation 
 
     Whenever one or both of  two  directly  connected  com- 
mation of different sensitivity levels, or whenever the  two 
level in common, the two components  of  the  network  shall 
communicate  over a single-level channel.  Single-level com- 
tion they process. However, the NTCB shall include  a  reli- 
able  communication  mechanism  by  which  the  NTCB  and an 
authorized user (via a trusted path) or a subject within  an 
NTCB partition can designate the single sensitivity level of 
nformation imported or exported via single-level communica-
tion  channels  or network components. The level of informa- 
tion communicated must equal the device level. 
 
+ Rationale 
 
     Single-level communications channels  and  single-level 
components  in  networks are analogous to single level chan- 
nels and I/O devices in stand-alone systems in that they are 
not  trusted  to  maintain  the separation of information of 
are therefore implicit; the NTCB associates labels with  the 
explicit part of the bit stream.  Note that the  sensitivity 
level  of  encrypted information is the level of the cipher- 
text rather than the original level(s) of the plaintext. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The ADP system administrator shall be able  to  specify  the 
labels.  The TCB shall mark the beginning  and  end  of  all 
output) with human-readable sensitivity  labels  that  prop- 
erly1  represent  the  sensitivity  of  the output.  The TCB 
output) with human-readable sensitivity  labels  that  prop- 
erly1 represent the sensitivity of the page.  The TCB shall, 
by default and in an appropriate manner, mark other forms of 
_________________________ 
output that the labels refer to; the non-hierarchical category
component shall include all of the non-hierarchical categories of
the information in the output the labels refer to, but no other
non-hierarchical categories. 
 
+  Interpretation 
 
     This criterion imposes no requirement  to  a  component 
that  produces  no human-readable output.  For those that do 
s  defined  to  the  network  shall  have a uniform meaning
across all components.  The network administrator,  in  con- 
able to specify the human-readable label that is  associated 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context of a network system and 
tions. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall immediately notify a  terminal  user  of  each 
change  in  the  sensitivity level associated with that user 
able  to  query  the  TCB  as  desired  for a display of the 
 
+ Interpretation 
 
     An NTCB partition shall immediately notify  a  terminal 
user  attached to its component of each change in the sensi- 
tivity level associated with that user. 
 
+ Rationale 
 
     The local NTCB partition  must  ensure  that  the  user 
understands the sensitivity level of information sent to and 
from a terminal.  When a user has  a  surrogate  process  in 
another  component,  adjustments  to  its level may occur to 
maintain communication with the  user.   These  changes  may 
occur  asynchronously.  Such adjustments are necessitated by 
mandatory access control as applied to the objects  involved 
n the communication path.
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support the assignment of minimum and  maximum 
 
+ Interpretation 
 
     This requirement applies as written to each NTCB parti- 
tion that is trusted to separate information based on sensi- 
tivity level.  Each I/O device in a component, used for com- 
munication with other network components, is assigned a dev- 
ce range, consisting of a set of labels with a maximum  and
minimum.   (A  device  range  usually contains, but does not 
necessarily contain, all possible labels "between" the  max- 
mum and minimum, in the sense of dominating the minimum and
being dominated by the maximum.) 
 
     The NTCB always provides an accurate label for informa- 
tion  exported  through  devices.   Information  exported or 
mported using a single-level device is labelled  implicitly
by   the  sensitivity  level  of  the  device.   Information 
exported from one multilevel device and imported at  another 
must  be labelled through an agreed-upon protocol, unless it 
s labelled implicitly by using a  communication  link  that
always carries a single level. 
 
     Information exported at a given sensitivity  level  can 
be  sent only to an importing device whose device range con- 
tains that level or a higher level.  If the importing device 
mporting device range.  Relabelling should not occur other-
 
+ Rationale 
 
     The purpose of device labels is  to  reflect  and  con- 
the physical environment in which the devices are located. 
 
     The information transfer  restrictions  permit  one-way 
communication (i.e., no acknowledgements) from one device to 
another whose ranges have no level in  common,  as  long  as 
each  level in the sending device range is dominated by some 
level in the receiving device range.  It is never  permitted 
to send information at a given level to a device whose range 
view.) 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall enforce a mandatory access control policy over 
all resources (i.e., subjects, storage objects, and I/O dev- 
ces) that are directly or indirectly accessible by subjects
external  to  the  TCB.  These subjects and objects shall be 
assigned  sensitivity  labels  that  are  a  combination  of 
categories, and the labels shall be used as  the  basis  for 
mandatory  access  control decisions.  The TCB shall be able 
to support two or more such sensitivity  levels.   (See  the 
Mandatory  Access  Control  interpretations.)  The following 
ndirectly accessible by these subjects.     A  subject  can
the subject's sensitivity level is greater than or equal  to 
the  hierarchical classification of the object's sensitivity 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. A subject  can 
the subject's sensitivity level is less than or equal to the 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. Identification 
and  authentication data shall be used by the TCB to authen- 
ticate the user's identity and to  ensure  that  the  sensi- 
tivity  level  and authorization of subjects external to the 
TCB that may be created to act on behalf of  the  individual 
user  are  dominated  by  the clearance and authorization of 
that user. 
 
+  Interpretation 
 
     Each partition of the NTCB exercises  mandatory  access 
control  policy  over  all  subjects and objects in its com- 
tion  encompasses  all mandatory access control functions in 
ts component that would be required of a TCB  in  a  stand-
alone  system.  In particular, subjects and objects used for 
communication with other components are under the control of 
the  NTCB  partition.   Mandatory  access  control  includes 
cy.
 
     Conceptual  entities  associated   with   communication 
between  two  components,  such as sessions, connections and 
virtual circuits, may be thought of as having two ends,  one 
n  each component, where each end is represented by a local
object.  Communication is viewed as an operation that copies 
nformation  from  an  object  at one end of a communication
entities,  such  as  datagrams  and packets, exist either as 
nformation within other objects, or as a pair  of  objects,
one at each end of the communication path. 
 
     The requirement for "two or  more"  sensitivity  levels 
can  be  met  by  either  secrecy or integrity levels.  When 
there is a mandatory integrity policy, the  stated  require- 
ments for reading and writing are generalized to:  A subject 
can read an object only if the subject's  sensitivity  level 
nates  the  subject's  sensitivity  level.   Based  on  the
ntegrity policy, the network sponsor shall define the domi-
nance  relation for the total label, for example, by combin- 
ng secrecy and integrity lattices. -
 
+ Rationale 
 
     An NTCB partition can maintain access control only over 
above, the NTCB partition must maintain access control  over 
all subjects and objects in its component.  Access by a sub- 
n  another  component requires the creation of a subject in
the remote component which acts as a surrogate for the first 
 
     The mandatory access controls must be enforced  at  the 
nterface  of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti- 
tion.   This  mechanism  creates the abstraction of subjects 
and objects which it controls.  Some of these subjects  out- 
mplement part of  an  NTCB  partition's  mandatory  policy,
e.g.,  by using the ``trusted subjects" defined in the Bell- 
LaPadula model. 
 
     The prior requirements on exportation of labeled infor- 
mation  to  and  from  I/O  devices  ensure  the consistency 
between the sensitivity labels of  objects  connected  by  a 
communication  path.  As noted in the introduction, the net- 
overall mandatory network security policy and the connection 
oriented abstraction. For example, individual  data-carrying 
entities  such  as datagrams can have individual sensitivity 
labels that subject them to mandatory access control in each 
component.   The abstraction of a single-level connection is 
connection  is realized by single-level subjects that neces- 
 
     The fundamental trusted systems technology permits  the 
DAC mechanism to be distributed, in contrast to the require- 
ments for  mandatory  access  control.   For  networks  this 
_________________________ 
  - See, for example, Grohn, M.  J., A Model of a  Pro- 
                                     _ _____ __ _  ___ 
tected  Data  Management  System, ESD-TR-76-289, I.  P. 
______  ____  __________  ______ 
Sharp Assoc.  Ltd., June, 1976;  and  Denning,  D  .E., 
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. 
and Shockley, W., Secure Distributed Data Views,  Secu- 
                  ______ ___________ ____ _____   ____ 
____ ______ ___ ______________ ___ _ _____ __ ________ 
el Secure Relational Database System,SRI International, 
__ ______ __________ ________ ______ 
November 1986. 
 
the exception. 
 
     The set of total sensitivity labels used  to  represent 
all  the sensitivity levels for the mandatory access control 
(combined data secrecy and  data  integrity)  policy  always 
forms  a partially ordered set.  Without loss of generality, 
this set of labels can always be extended to form a lattice, 
by   including  all  the  combinations  of  non-hierarchical 
categories.  As for any lattice,  a  dominance  relation  is 
always defined for the total sensitivity labels.  For admin- 
strative reasons it may be helpful to have a maximum  level
 
 
_ _ _ ______________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall require users to  identify  themselves  to  it 
before  beginning  to perform any other actions that the TCB 
s expected to mediate.  Furthermore, the TCB shall maintain
authentication  data that includes information for verifying 
the identify of individual users (e.g., passwords)  as  well 
as  information for determining the clearance and authoriza- 
tions of individual users.  This data shall be used  by  the 
TCB  to  authenticate the user's identity and to ensure that 
the sensitivity level and authorization of subjects external 
to the TCB that may be created to act on behalf of the indi- 
vidual user are dominated by the clearance and authorization 
of  that  user. The TCB shall protect authentication data so 
that it cannot be accessed by any  unauthorized  user.   The 
TCB  shall  be  able to enforce individual accountability by 
bility of  associating  this  identity  with  all  auditable 
actions taken by that individual. 
 
+  Interpretation 
 
     The requirement for identification  and  authentication 
of users is the same for a network system as for an ADP sys- 
tem. The identification and authentication may  be  done  by 
the  component  to  which  the user is directly connected or 
tication  server.   Available  techniques,  such  as   those 
applicable in the network context. However, in  cases  where 
the  NTCB is expected to mediate actions of a host (or other 
network component) that is acting on behalf  of  a  user  or 
_________________________ 
  = Department of Defense  Password  Management  Guide- 
    __________ __ _______  ________  __________  _____ 
line, CSC-STD-002-85 
____ 
 
authentication of the host (or other component) in  lieu  of 
dentification  and authentication of an individual user, so
long as the component identifier implies a list of  specific 
users uniquely associated with the identifier at the time of 
ts use for authentication.  This requirement does not apply
to internal subjects. 
 
     Authentication information, including the identity of a 
user  (once  authenticated) may be passed from one component 
to another without reauthentication, so  long  as  the  NTCB 
thorized disclosure and modification. This protection  shall 
of mechanism) as pertains to the protection of the authenti- 
cation mechanism and authentication data. 
 
+  Rationale 
 
     The need for accountability is not changed in the  con- 
text  of a network system.  The fact that the NTCB is parti- 
tioned over a set of components neither reduces the need nor 
mposes  new requirements.  That is, individual accountabil-
ty is still the objective. Also, in the context of  a  net-
tability" can be satisfied by identification of a  host  (or 
other component) so long as the requirement for traceability 
to individual users or a set of  specific  individual  users 
uncertainty in traceability because of elapsed time  between 
changes  in  the group membership and the enforcement in the 
access control mechanisms.  In addition, there is no need in 
a  distributed processing system like a network to reauthen- 
ticate a user at each point in the network where  a  projec- 
tion  of  a user (via the subject operating on behalf of the 
user) into another remote subject takes place. 
 
     The passing of identifiers and/or authentication infor- 
mation from one component to another is usually done in sup- 
trol  (DAC).   This  support  relates  directly  to  the DAC 
ferent  NTCB  partition  than  the  one  where  the user was 
authenticated. Employing a forwarded identification  implies 
additional  reliance  on the source and components along the 
basis  of  determining a sensitivity label for a subject, it 
must satisfy the Label Integrity criterion. 
 
     An  authenticated  identification  may   be   forwarded 
between  components  and employed in some component to iden- 
tify the sensitivity level associated with a subject created 
to act on behalf of the user so identified. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support a trusted communication  path  between 
tself and USERS FOR USE WHEN A POSITIVE TCB-TO-USER CONNEC-
TION IS REQUIRED (E.G., LOGIN,  CHANGE  SUBJECT  SENSITIVITY 
LEVEL).    Communications  via  this  TRUSTED  path shall be     
ACTIVATED  exclusively by a USER OR THE  TCB  AND  SHALL  BE 
LOGICALLY AND UNMISTAKABLY DISTINGUISHABLE FROM OTHER PATHS. 
 
 
+ Interpretation 
 
     A trusted path  is  supported  between  a  user  (i.e., 
user is directly connected. 
 
+ Rationale 
 
     When a user logs into a remote component, the  user  id 
s  transmitted  securely  between the local and remote NTCB
cation and Authentication. 
 
     Trusted Path is necessary in order to assure  that  the 
user  is  communicating with the NTCB and only the NTCB when 
ticate  user,  set current session sensitivity level).  How- 
ever, Trusted Path does not  address  communications  within 
the NTCB, only communications between the user and the NTCB. 
communication then the component need not contain mechanisms 
for assuring direct NTCB to user communications. 
 
     The requirement for trusted communication  between  one 
NTCB  partition  and  another NCTB partition is addressed in 
the System  Architecture  section.  These  requirements  are 
this  trusted  communication  between one NTCB partition and 
another NTCB partition will be used in conjunction with  the 
trusted  path to implement trusted communication between the 
user and the remote NTCB partition. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall be able to create, maintain, and protect  from 
modification  or unauthorized access or destruction an audit 
trail of accesses to the objects  it  protects.   The  audit 
s limited to those who are authorized for audit data.   The
TCB  shall  be able to record the following types of events: 
use  of  identification   and   authentication   mechanisms, 
ntroduction  of  objects into a user's address space (e.g.,
file open, program initiation), deletion of objects, actions 
taken by computer operators and system administrators and/or 
events.  The TCB shall also be able to audit any override of 
the audit record shall identify: date and time of the event, 
user, type of event, and success or failure  of  the  event. 
For   identification/authentication  events  the  origin  of 
address space and  for  object  deletion  events  the  audit 
able  to  selectively  audit  the actions of any one or more 
users based on individual identify and/or object sensitivity 
level.     The  TCB  shall  be  able to audit the identified 
events that may  be  used  in  the  exploitation  of  covert 
RITY  AUDITABLE  EVENTS THAT MAY INDICATE AN IMMINENT VIOLA- 
TION OF SECURITY POLICY.  THIS MECHANISM SHALL  BE  ABLE  TO 
HOLDS ARE EXCEEDED AND, IF THE OCCURRENCE OR ACCUMULATION OF 
THESE  SECURITY  RELEVANT EVENTS CONTINUES, THE SYSTEM SHALL 
TAKE THE LEAST DISRUPTIVE ACTION TO TERMINATE THE EVENT. 
 
+  Interpretation 
 
     This criterion applies  as  stated.  The  sponsor  must 
not distinguishable by the NTCB  alone  (for  example  those 
dentified in Part II), the audit mechanism shall provide an
nterface, which  an  authorized  subject  can  invoke  with
audit records shall be distinguishable from  those  provided 
by  the  NTCB.   In  the context of a network system, "other 
architecture  and  network security policy) might be as fol- 
lows: 
 
 
        lishing a connection or a connectionless association 
        between processes in two hosts of the  network)  and 
        its  principal parameters (e.g., host identifiers of 
        the two hosts involved in the access event and  user 
        identifier  or  host  identifier of the user or host 
        that is requesting the access event) 
 
        each  access  event  using local time or global syn- 
        chronized time 
 
        ditions   (e.g.,   potential   violation   of   data 
        integrity, such  as  misrouted  datagrams)  detected 
        during the transactions between two hosts 
 
 
        component leaving the network and rejoining) 
 
     In  addition,  identification  information  should   be 
ncluded  in  appropriate audit trail records, as necessary,
to allow association of all  related  (e.g.,  involving  the 
network  system  may  provide  the required audit capability 
(e.g., storage, retrieval, reduction,  analysis)  for  other 
components  that  do  not  internally  store  audit data but 
transmit the audit data to some designated  collection  com- 
audit data due to unavailability of resources. 
 
     In the context of a network system, the "user's address 
events, to include address spaces being employed  on  behalf 
of  a  remote user (or host).  However, the focus remains on 
users in contrast to internal subjects as discussed  in  the 
DAC  criterion.   In  addition,  audit  information  must be 
 
     The capability  must  exist  to  audit  the  identified 
events  that  may  be  used  in  the  exploitation of covert 
must  be able to audit those events locally that may lead to 
the exploitation of a covert  storage  channel  which  exist 
because of the network. 
 
     THE  SPONSOR  SHALL  IDENTIFY  THE  SPECIFIC  AUDITABLE 
EVENTS  THAT  MAY INDICATE AN IMMINENT VIOLATION OF SECURITY 
MULATION  OF SUCH EVENTS MUST BE ABLE TO NOTIFY AN APPROPRI- 
ATE ADMINISTRATOR WHEN THRESHOLDS ARE EXCEEDED, AND TO  INI- 
TIATE  ACTIONS WHICH WILL RESULT IN TERMINATION OF THE EVENT 
HOLD  OF UNSUCCESSFUL LOGIN ATTEMPTS WITHIN A PERIOD OF TIME 
 
+  Rationale 
 
     For remote users, the network identifiers (e.g., inter- 
net address) can be used as identifiers of groups of indivi- 
maintenance that would be required if individual identifica- 
tion of remote users was employed.  In this class (C2), how- 
ever,  it  must  be  possible to identify (immediately or at 
dentifier.   In all other respects, the interpretation is a
of  a  network  system.   Identification  of  covert channel 
events is addressed in the Covert Channel Analysis section. 
 
     BECAUSE OF CONCURRENCY AND SYNCHRONIZATION PROBLEMS, IT 
MAY  NOT BE POSSIBLE TO DETECT IN REAL TIME THE ACCUMULATION 
OF SECURITY AUDITABLE EVENTS THAT ARE OCCURRING IN DIFFERENT 
NTCB PARTITIONS.  HOWEVER, EACH NTCB PARTITION THAT HAS BEEN 
ALLOCATED AUDIT RESPONSIBILITY MUST HAVE THE  CAPABILITY  TO 
DETECT  THE LOCAL ACCUMULATION OF EVENTS, TO NOTIFY THE PAR- 
TITION SECURITY ADMINISTRATOR AND/OR  THE  NETWORK  SECURITY 
ADMINISTRATOR,  AND TO INITIATE ACTIONS WHICH WILL RESULT IN 
TERMINATION OF THE EVENT LOCALLY. 
 
 
_ _ _ _________ 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall maintain a domain for its own  execution  that 
by modification of its code or data  structures).   The  TCB 
nternally  structured into well-defined largely independent
modules.  It shall make effective use of available  hardware 
to separate those elements that are protection-critical from 
those that are not. The TCB modules shall be  designed  such 
that the principle of least privilege is enforced.  Features 
n hardware, such as segmentation, shall be used to  support
logically  distinct storage objects with separate attributes 
(namely: readable, writable).  The user interface to the TCB 
dentified.   THE TCB SHALL BE DESIGNED  AND  STRUCTURED  TO
USE  A  COMPLETE,  CONCEPTUALLY  SIMPLE PROTECTION MECHANISM 
WITH PRECISELY DEFINED SEMANTICS.  THIS MECHANISM SHALL PLAY 
A  CENTRAL ROLE IN ENFORCING THE INTERNAL STRUCTURING OF THE 
TCB AND THE SYSTEM.  THE TCB SHALL  INCORPORATE  SIGNIFICANT 
USE  OF  LAYERING, ABSTRACTION AND DATA HIDING.  SIGNIFICANT 
SYSTEM ENGINEERING SHALL BE DIRECTED TOWARD  MINIMIZING  THE 
COMPLEXITY  OF  THE  TCB  AND EXCLUDING FROM THE TCB MODULES 
THAT ARE NOT PROTECTION-CRITICAL. 
 
+  Interpretation 
 
     The system architecture criterion must be met individu- 
ally by all NTCB partitions.  Implementation of the require- 
ment that the NTCB maintain a domain for its  own  execution 
s  achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis- 
tinct domain in the overall network system, this also satis- 
fies the requirement for process isolation through  distinct 
address  spaces  in  the  special case where a component has 
only a single subject. 
 
     The NTCB  must  be  internally  structured  into  well- 
tion so structured. The NTCB controls all network resources. 
These resources are the union of the sets of resources  over 
nside the NTCB) belonging  to  different  NTCB  partitions,
must  be  protected against external interference or tamper- 
ng.  For example,  a  cryptographic  checksum  or  physical
means  may  be  employed to protect user authentication data 
exchanged between NTCB partitions. 
 
     Each NTCB partition must enforce the principle of least 
be structured so that the principle of  least  privilege  is 
enforced in the system as a whole. 
 
     THE NTCB MUST BE DESIGNED AND STRUCTURED  ACCORDING  TO 
THE NETWORK SECURITY ARCHITECTURE TO USE A COMPLETE, CONCEP- 
TUALLY SIMPLE PROTECTION MECHANISM.  FURTHERMORE, EACH  NTCB 
 
     SIGNIFICANT  SYSTEM  ENGINEERING  SHOULD  BE   DIRECTED 
TOWARD MINIMIZING THE COMPLEXITY OF EACH NTCB PARTITION, AND 
OF THE NTCB.  CARE SHALL BE TAKEN TO  EXCLUDE  MODULES  (AND 
COMPONENTS) THAT ARE NOT PROTECTION-CRITICAL FROM THE NTCB. 
 
     IT IS RECOGNIZED THAT SOME  MODULES  AND/OR  COMPONENTS 
MAY  NEED  TO BE INCLUDED IN THE NTCB AND MUST MEET THE NTCB 
REQUIREMENTS EVEN THOUGH THEY MAY NOT APPEAR TO BE  DIRECTLY 
MODULES/COMPONENTS IS NECESSARY FOR THE CORRECT OPERATION OF 
THE  PROTECTION-CRITICAL  MODULES  AND COMPONENTS.  HOWEVER, 
THE NUMBER AND SIZE OF THESE  MODULES/COMPONENTS  SHOULD  BE 
KEPT TO A MINIMUM. 
 
     Each NTCB partition  provides  isolation  of  resources 
(within  its  component)  in  accord with the network system 
architecture and security policy so  that  "supporting  ele- 
ments"  (e.g., DAC and user identification) for the security 
mechanisms of the network system are  strengthened  compared 
to  C2,  from an assurance point of view, through the provi- 
 
     As discussed in the Discretionary Access  Control  sec- 
tion,  the  DAC  mechanism of a NTCB partition may be imple- 
mented at the interface of the reference monitor or  may  be 
assurance requirements for the design and implementation  of 
the DAC shall be those of class C2 for all networks of class 
C2 or above. 
 
+  Rationale 
 
 
     The  requirement  that  the  NTCB  be  structured  into 
modules  and  meet  the hardware requirements applies within 
the NTCB partitions in the various components. 
 
     The principle of least  privilege  requires  that  each 
user  or other individual with access to the system be given 
only those resources and  authorizations  required  for  the 
n the system it must be enforced in  every  NTCB  partition
that  supports  users  or  other  individuals.  For example, 
NTCB partition (e.g., games) lessens the opportunity of dam- 
age by a Trojan Horse. 
 
     The requirement for the  protection  of  communications 
between NTCB partitions is specifically directed to subjects 
that are part of the NTCB partitions.  Any requirements  for 
 
     THERE ARE CERTAIN PARTS OF A  NETWORK  (MODULES  AND/OR 
COMPONENTS)  THAT  MAY NOT APPEAR TO BE DIRECTLY PROTECTION- 
CRITICAL IN THAT THEY ARE NOT  INVOLVED  IN  ACCESS  CONTROL 
DECISIONS,  DO  NOT  DIRECTLY AUDIT, AND ARE NOT INVOLVED IN 
THE  IDENTIFICATION/AUTHENTICATION  PROCESS.   HOWEVER,  THE 
SECURITY OF THE NETWORK MUST DEPEND ON THE CORRECT OPERATION 
OF THESE MODULES AND/OR COMPONENTS.  AN EXAMPLE OF THIS IS A 
SINGLE LEVEL PACKET SWITCH.  ALTHOUGH IT MAY NOT NORMALLY BE 
FERENT MESSAGE STREAMS.  IF  THE  SWITCH  DOES  NOT  OPERATE 
CORRECTLY,  DATA  COULD  GET  MIXED, AND UNAUTHORIZED ACCESS 
COULD RESULT.  THEREFORE, THESE MODULES/COMPONENTS  MUST  BE 
APPLICABLE TO THE  POLICY  ELEMENT(S)  FOR  WHICH  THEY  ARE 
RESPONSIBLE. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Hardware and/or software features shall be provided that can 
be  used  to  periodically validate the correct operation of 
the on-site hardware and firmware elements of the TCB. 
 
+  Interpretation 
 
     Implementation of the requirement is partly achieved by 
and  firmware  elements  of each component's NTCB partition. 
Features shall also be provided to validate the identity and 
correct  operation of a component prior to its incorporation 
n the network system and throughout system operation.   For
example,  a protocol could be designed that enables the com- 
cally  and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability 
to  respond. NTCB partitions shall provide the capability to 
 
     Intercomponent  protocols  implemented  within  a  NTCB 
tion in the case of failures of  network  communications  or 
ndividual components.  The allocation of mandatory and dis-
cretionary access control policy in a  network  may  require 
communication  between trusted subjects that are part of the 
NTCB partitions in different components.  This communication 
s normally implemented with a protocol between the subjects
as peer entities.  Incorrect access within a component shall 
not  result from failure of an NTCB partition to communicate 
 
+ Rationale 
 
     The  first  paragraph  of  the  interpretation   is   a 
text of a network system and partitioned NTCB as defined for 
these network criteria. 
 
     NTCB protocols should be robust  enough  so  that  they 
zed failure. The purpose of this protection is to  preserve
the integrity of the NTCB itself.  It is not unusual for one 
or more components in a network to  be  inoperative  at  any 
time,  so  it  is  important to minimize the effects of such 
failures on the rest of the  network.  Additional  integrity 
and denial of service issues are addressed in Part II. 
 
     IT SHOULD BE CLEAR THAT SOME INTEGRITY  AND  DENIAL  OF 
SERVICE FEATURES CAN RESIDE OUTSIDE THE NTCB.  OTHERWISE ALL 
SOFTWARE IN A NETWORK WOULD BE IN THE NTCB.  EVERY PIECE  OF 
SOFTWARE  THAT  HAS  AN OPPORTUNITY TO WRITE TO SOME DATA OR 
CAUSE  DENIAL OF SERVICE TO SOME EXTENT.  FOR EXAMPLE, IT IS 
NECESSARY TO "TRUST"  TELNET  TO  CORRECTLY  TRANSLATE  USER 
DATA,  AND  TO EVENTUALLY TRANSMIT PACKETS.  FTP ALSO HAS TO 
BE "TRUSTED" TO NOT INAPPROPRIATELY  MODIFY  FILES,  AND  TO 
ATTEMPT  TO COMPLETE THE FILE TRANSFER.  THESE PROTOCOLS CAN 
BE DESIGNED, HOWEVER TO EXIST OUTSIDE THE NTCB (FROM A  PRO- 
TECTION  PERSPECTIVE).   IT IS BENEFICIAL TO DO THIS TYPE OF 
SECURITY ENGINEERING SO THAT THE AMOUNT OF CODE THAT MUST BE 
TRUSTED  TO  NOT DISCLOSE DATA IS MINIMIZED.  PUTTING EVERY- 
THING INSIDE THE NTCB CONTRADICTS THE REQUIREMENT TO PERFORM 
"SIGNIFICANT  SYSTEM  ENGINEERING  ...   DIRECTED TOWARD ... 
EXCLUDING FROM THE TCB MODULES THAT ARE NOT PROTECTION CRIT- 
B3.  IF EVERYTHING HAS TO BE  IN  THE  TCB  TO  ENSURE  DATA 
WILL BE CONSIDERABLY LESS ASSURANCE THAT DISCLOSURE  PROTEC- 
TION IS MAXIMIZED. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall conduct  a  thorough  search  for 
COVERT  CHANNELS  and make a determination (either by actual 
measurement or by engineering  estimation)  of  the  maximum 
bandwidth of each identified channel.  (See the Covert Chan- 
nels Guideline section.) 
 
+ Interpretation 
 
     The requirement, including  the  TCSEC  Covert  Channel 
Guideline,  applies  as  written.   In  a network, there are 
additional instances of covert channels associated with com- 
munication between components. 
 
+ Rationale 
 
     The exploitation of network protocol information (e.g., 
OF FREQUENCY OF TRANSMISSION CAN  RESULT  IN  COVERT  TIMING 
CHANNELS.  The topic has been addressed in the literature.- 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support separate  operator  and  administrator 
functions.   THE  FUNCTIONS PERFORMED IN THE ROLE OF A SECU- 
RITY ADMINISTRATOR SHALL  BE  IDENTIFIED.   THE  ADP  SYSTEM 
ADMINISTRATIVE PERSONNEL SHALL ONLY BE ABLE TO PERFORM SECU- 
RITY ADMINISTRATOR FUNCTIONS AFTER TAKING A DISTINCT  AUDIT- 
ABLE ACTION TO ASSUME THE SECURITY ADMINISTRATOR ROLE ON THE 
ADP SYSTEM.  NON-SECURITY FUNCTIONS THAT CAN BE PERFORMED IN 
THE  SECURITY  ADMINISTRATION ROLE SHALL BE LIMITED STRICTLY 
TO THOSE ESSENTIAL TO PERFORMING THE  SECURITY  ROLE  EFFEC- 
TIVELY. 
 
_________________________ 
  - See, for example, Girling, C. G., "Covert  Channels 
n  LAN's,"  IEEE Transactions on Software Engineering,
             ____ ____________ __ ________ ___________ 
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A., 
Snow,  D. P., and Karger, P. A., Limitations of End-to- 
                                 ___________ __ ___ __ 
End  Encryption  in  Secure  Computer  Networks,  MITRE 
___  __________  __  ______  ________  ________ 
Technical  Report,  MTR-3592,  Vol. I, May 1978 (ESD TR 
 
 
 
+ Interpretation 
 
     This requirement applies as written to both the network 
as  a  whole and to individual components which support such 
 
+ Rationale 
 
     It is recognized that based  on  the  allocated  policy 
elements  some  components  may operate with no human inter- 
face. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
THAT,  AFTER  AN  ADP SYSTEM FAILURE OR OTHER DISCONTINUITY, 
RECOVERY WITHOUT A PROTECTION COMPROMISE IS OBTAINED. 
 
+ Interpretation 
 
     THE RECOVERY PROCESS MUST  BE  ACCOMPLISHED  WITHOUT  A 
TINUITY OF ANY NTCB PARTITION.  IT MUST ALSO BE ACCOMPLISHED 
AFTER A FAILURE OF THE ENTIRE NTCB. 
 
+ Rationale 
 
     THIS IS A STRAIGHT-FORWARD EXTENSION OF THE REQUIREMENT 
CONTINUE  TO  OPERATE  NORMALLY.   THIS  MAY  BE A SECURITY- 
RELEVANT EVENT; IF SO IT MUST BE AUDITED. 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The security mechanisms of the ADP system  shall  be  tested 
and  found to work as claimed in the system documentation. A 
team of individuals who thoroughly understand  the  specific 
mplementation  of the TCB shall subject its design documen-
tation, source code, and object code to through analysis and 
testing.   Their  objectives shall be: to uncover all design 
and implementation flaws that would permit a subject  exter- 
nal  to  the  TCB  to  read, change, or delete data normally 
enforced  by  the  TCB; as well as to assure that no subject 
(without authorization to do so) is able to cause the TCB to 
enter  a  state  such  that  it  is  unable  to  respond  to 
communications initiated by other users. The  TCB  shall  be 
FOUND  RESISTANT to penetration.  All discovered flaws shall  
be removed or neutralized and the  TCB  retested  to  demon- 
TCB  implementation  is consistent with the descriptive top- 
level specification.  NO DESIGN FLAWS AND NO MORE THAN A FEW 
CORRECTABLE IMPLEMENTATION FLAWS MAY BE FOUND DURING TESTING 
AND THERE SHALL BE REASONABLE CONFIDENCE THAT FEW REMAIN. 
(See the Security Testing Guidelines.) 
 
+  Interpretation 
 
     Testing of a component  will  require  a  testbed  that 
exercises  the  interfaces  and  protocols  of the component 
ncluding tests under exceptional conditions.   The  testing
of  a  security  mechanism of the network system for meeting 
this criterion shall  be  an  integrated  testing  procedure 
nvolving  all  components containing an NTCB partition that
mplement the given mechanism. This  integrated  testing  is
additional to any individual component tests involved in the 
evaluation of the network system.  The sponsor should  iden- 
tify the allowable set of configurations including the sizes 
of the networks.  Analysis or testing procedures  and  tools 
tions.  A change in configuration within the  allowable  set 
of configurations does not require retesting. 
 
     The testing of each component will include  the  intro- 
component that will attempt to read, change, or delete  data 
normally  denied.   If the normal interface to the component 
conduct  such a test, then this portion of the testing shall 
use a special version of the untrusted software for the com- 
The results shall be saved for test analysis.  Such  special 
versions  shall  have an NTCB partition that is identical to 
that for the normal configuration  of  the  component  under 
evaluation. 
 
     The testing of the  mandatory  controls  shall  include 
tests   to  demonstrate  that  the  labels  for  information 
mported and/or exported to/from  the  component  accurately
the component for use as the basis for its mandatory  access 
control  decisions.   The  tests  shall include each type of 
component. 
 
     The NTCB must be FOUND RESISTANT to penetration.   This 
applies  to  the NTCB as a whole, and to each NTCB partition 
n a component of this class.
 
 
+  Rationale 
 
     The phrase "no subject (without authorization to do so) 
s  able  to  cause the TCB to enter a state such that it is
unable to  respond  to  communications  initiated  by  other 
users"  relates  to  the  security services (Part II of this 
TNI) for the Denial of Service problem, and  to  correctness 
of the protocol implementations. 
 
     Testing  is  an  important  method  available  in  this 
evaluation  division to gain any assurance that the security 
mechanisms perform their intended function.  A major purpose 
of testing is to demonstrate the system's response to inputs 
to the NTCB partition from  untrusted  (and  possibly  mali- 
cious) subjects. 
 
     In contrast to general purpose systems that  allow  for 
the  dynamic  creation of new programs and the introductions 
of new processes (and hence new subjects) with  user  speci- 
fied  security  properities, many network components have no 
method for introducing new programs and/or processes  during 
their  normal  operation.  Therefore, the programs necessary 
for the testing must be introduced as  special  versions  of 
the  software  rather than as the result of normal inputs by 
the test team.  However, it must be insured  that  the  NTCB 
evaluation. 
 
     Sensitivity labels serve a critical role in maintaining 
the  security  of  the mandatory access controls in the net- 
of  the  labels  for  information  communicated between com- 
cit  labels for single-level devices.  Therefore the testing 
for correct labels is highlighted. 
 
     The requirement for testing to demonstrate  consistency 
between  the NTCB implementation and the DTLS is a straight- 
forward extension of the TCSEC requirement into the  context 
of a network system. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A formal model of the security policy supported by  the  TCB 
that is proven and demonstrated to be  consistent  with  its 
axioms.  A descriptive top-level specification (DTLS) of the 
TCB shall  be  maintained  that  completely  and  accurately 
and effects.  It shall be shown to be an  accurate  descrip- 
tion  of  the TCB interface.  A CONVINCING ARGUMENT SHALL BE 
GIVEN THAT THE DTLS IS CONSISTENT WITH THE MODEL. 
 
 
+  Interpretation 
 
     The overall network security policy expressed  in  this 
model  will  provide the basis for the mandatory access con- 
trol policy exercised by the NTCB over subjects and  storage 
objects  in the entire network.  The policy will also be the 
basis for the discretionary access control policy  exercised 
by  the  NTCB  to  control  access  of  named users to named 
objects.  Data integrity requirements addressing the effects 
of unauthorized MSM need not be included in this model.  The 
overall network policy must be decomposed into  policy  ele- 
ments  that are allocated to appropriate components and used 
as the basis for the security policy model  for  those  com- 
 
     The level of abstraction of the model, and the  set  of 
model, will be affected by the NTCB partitioning.   Subjects 
and  objects must be represented explicitly in the model for 
the partition if there is some network component whose  NTCB 
ble  to  individual network components are manifest.  Global 
network policy elements that  are  allocated  to  components 
 
     The requirements for a network DTLS are  given  in  the 
Design Documentation section. 
 
+ Rationale 
 
     The treatment of the model depends to a great extent on 
the degree of integration of the communications service into 
a distributed system. In a closely coupled distributed  sys- 
tem,  one  might  use  a  model  that  closely resembles one 
appropriate for a stand-alone computer system. 
 
     In ALL cases, the  model  of  each  partition  will  be 
expected to show the role of the NTCB partition in each kind 
of component.   It  will  most  likely  clarify  the  model, 
although  not part of the model, to show access restrictions 
mplied  by  the  system  design;  for   example,   subjects
objects containing data units at the same layer of protocol. 
The  allocation of subjects and  objects to different proto- 
col layers is a protocol design choice which  need  not   be 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
During development and maintenance of the TCB, a  configura- 
tion management system shall be in place that maintains con- 
trol of changes to the descriptive top-level  specification, 
other  design  data,  implementation  documentation,  source 
code, the running version of the object code, and test  fix- 
tures  and documentation.  The configuration management sys- 
tem shall assure a consistent mapping among  all  documenta- 
tion  and  code  associated  with the current version of the 
TCB.  Tools shall be provided for generation of a  new  ver- 
tools for comparing a newly generated version with the  pre- 
vious  TCB  version  in  order  to  ascertain  that only the 
ntended changes have been made in the code that will  actu-
ally be used as the new version of the TCB. 
 
+  Interpretation 
 
     The requirement applies as written, with the  following 
extensions: 
 
        for each NTCB partition. 
 
        entire system.  If the configuration management sys- 
        tem is made up of the conglomeration of  the  confi- 
        guration management systems of the various NTCB par- 
        titions, then the configuration management plan must 
        address  the  issue  of how configuration control is 
        applied to the system as a whole. 
 
+ Rationale 
 
     Each NTCB partition must have a  configuration  manage- 
ment  system  in place, or else there will be no way for the 
NTCB as a whole to have an effective  configuration  manage- 
ment system.  The other extensions are merely reflections of 
the way that networks operate in practice. 
 
 
 
 
_ _ _ _____________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A single summary, chapter, or manual in  user  documentation 
TCB, interpretations on their use,  and  how  they  interact 
 
+  Interpretation 
 
     This user documentation describes user visible  protec- 
tion  mechanisms at the global (network system) level and at 
the user interface of each component,  and  the  interaction 
among these. 
 
 
+  Rationale 
 
     The interpretation is an extension of  the  requirement 
nto  the  context  of a network system as defined for these
network criteria.  Documentation  of  protection  mechanisms 
teria for trusted  computer  systems  that  are  applied  as 
appropriate for the individual components. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A manual addressed to the  ADP  system  administrator  shall 
be controlled when running a secure facility. The procedures 
for examining and maintaining the audit files as well as the 
administrator functions  related  to  security,  to  include 
changing  the  security characteristics of a user.  It shall 
of the protection features of the system, how they interact, 
to operate the facility in a secure manner. The TCB  modules 
that  contain  the  reference  validation mechanism shall be 
dentified.  The procedures for secure generation of  a  new
TCB from source after modification of any modules in the TCB 
ENSURE  THAT  THE  SYSTEM  IS  INITIALLY STARTED IN A SECURE 
MANNER.  PROCEDURES SHALL ALSO BE INCLUDED TO RESUME  SECURE 
SYSTEM OPERATION AFTER ANY LAPSE IN SYSTEM OPERATION. 
 
+ Interpretation 
 
     This manual shall contain specifications and procedures 
to assist the system administrator(s) maintain cognizance of 
the network configuration.  These  specifications  and  pro- 
cedures shall address the following: 
 
 
        network; 
 
        leave  the  network  (e.g., by crashing, or by being 
        disconnected) and then rejoin; 
 
        security  of  the  network system; (For example, the 
        manual  should  describe  for  the  network   system 
        administrator  the interconnections among components 
        that are consistent with the overall network  system 
        architecture.) 
 
        (e.g., down-line loading). 
 
        indicate  which components of the network may change 
        without others also changing. 
 
     The physical and administrative environmental  controls 
all  communications  links must be physically protected to a 
certain level). 
 
     The components of the network that form the  NTCB  must 
be identified.  Furthermore, the modules within an NTCB par- 
tition that contain the reference validation  mechanism  (if 
any) within that partition must be identified. 
 
     The procedures for the secure generation of a new  ver- 
 
     PROCEDURES FOR STARTING EACH NTCB PARTITION IN A SECURE 
STATE  SHALL BE SPECIFIED.  PROCEDURES MUST ALSO BE INCLUDED 
TO RESUME SECURE OPERATION OF EACH NTCB PARTITION AND/OR THE 
NTCB AFTER ANY LAPSE IN SYSTEM OR SUBSYSTEM OPERATION. 
 
+ Rationale 
 
     There  may  be  multiple  system  administrators   with 
other  forms of security in order to achieve security of the 
network.  Additional forms include administrative  security, 
 
     Extension of  this  criterion  to  cover  configuration 
aspects  of  the  network  is  needed  because, for example, 
to  achieve  a  correct realization of the network architec- 
ture. 
 
     As mentioned in the section on Label  Integrity,  cryp- 
tography is one common mechanism employed to protect commun- 
cation circuits.  Encryption transforms the  representation
of  information so that it is unintelligible to unauthorized 
of the ciphertext is generally lower than the cleartext.  If 
encryption  methodologies  are  employed,  they   shall   be 
approved by the National Security Agency (NSA). 
 
     The encryption algorithm  and  its  implementation  are 
outside  the scope of these interpretations.  This algorithm 
and implementation may be implemented in a  separate  device 
or  may  be a function of a subject in a component not dedi- 
cated to encryption.  Without prejudice, either  implementa- 
tion  packaging  is  referred  to as an encryption mechanism 
 
     The requirements for descriptions  of  NTCB  generation 
and  identification  of modules and components that form the 
NTCB are straightforward extensions of  the  TCSEC  require- 
ments  into  the  network context.  In those cases where the 
vendor does not provide source code, an acceptable procedure 
tion. 
 
     GIVEN THE NATURE OF NETWORK SYSTEMS (E.G., VARIOUS COM- 
SYSTEM MUST CONTINUE OPERATION WITHOUT THAT  COMPONENT),  IT 
NECESSARY TO KNOW HOW TO RESUME SECURE OPERATION OF THE NTCB 
AFTER ANY PARTITION HAS BEEN DOWN. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall provide to the evaluators a docu- 
ment that describes the test plan, test procedures that show 
 
+  Interpretation 
 
     The "system developer" is interpreted as  "the  network 
establish the context in which the testing was or should  be 
conducted.   The  description should identify any additional 
test components that  are  not  part  of  the  system  being 
evaluated.  This includes a description of the test-relevant 
functions of such test components and a description  of  the 
nterfacing  of  those  test  components to the system being
evaluated.  The description of the  test  plan  should  also 
configuration and sizing. 
 
+  Rationale 
 
     The entity being evaluated may be a networking  subsys- 
tem (see Appendix A) to which other components must be added 
to make a  complete  network  system.  In  that  case,  this 
nterpretation  is extended to include contextual definition
because, at evaluation time, it is not possible to  validate 
the  test  plans  without the description of the context for 
testing the networking subsystem. 
 
     The bandwidths of covert channels are used to determine 
the suitability of a network system for a given environment. 
The effectiveness  of  the  methods  used  to  reduce  these 
bandwidths must therefore be accurately determined. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Documentation shall be available that provides a description 
of the manufacturer's philosophy of protection and an expla- 
nation of how this philosophy is translated  into  the  TCB. 
The  interfaces between the TCB modules shall be described. 
A formal description of the security policy  model  enforced 
by the TCB shall be available and an explanation provided to 
The  specific  TCB protection mechanisms shall be identified 
and an explanation given  to  show  that  they  satisfy  the 
model.  The descriptive top-level specification (DTLS) shall 
be shown to be an accurate description of the TCB interface. 
Documentation  shall  describe  how  the  TCB implements the 
tamper  resistant,  cannot  be  bypassed,  and  is correctly 
mplemented. THE  TCB  IMPLEMENTATION  (I.E.,  IN  HARDWARE,
FIRMWARE, AND SOFTWARE) SHALL BE INFORMALLY SHOWN TO BE CON- 
SISTENT WITH THE DTLS.  THE ELEMENTS OF THE  DTLS  SHALL  BE 
SHOWN,  USING INFORMAL TECHNIQUES, TO CORRESPOND TO THE ELE- 
MENTS OF THE TCB.   Documentation shall describe how the TCB 
s  structured  to  facilitate  testing and to enforce least
nvolved in restricting the channels.  All auditable  events
that may be used in the exploitation of known covert storage 
channels shall  be  identified.   The  bandwidths  of  known 
covert  storage channels, the use of which is not detectable 
by the auditing mechanisms,  shall  be  provided.  (See  the 
Covert Channel Guideline section.) 
 
+  Interpretation 
 
     Explanation of how the sponsor's philosophy of  protec- 
tion is translated into the NTCB shall include a description 
of how the NTCB is partitioned.  The  security  policy  also 
the NTCB modules shall include the interface(s) between NTCB 
exist.  The sponsor shall describe the security architecture 
and  design,  including  the allocation of security require- 
ments among components. 
 
     The documentation includes both  a  system  description 
and  a  set  of  component  DTLS's.   The system description 
addresses the network security architecture  and  design  by 
ones are trusted, and in what way  they  must  cooperate  to 
be provided for each trusted network component,  i.e.,  each 
component containing an NTCB partition.  Each component DTLS 
component.  BOTH  THE  SYSTEM DESCRIPTION AND EACH COMPONENT 
DTLS SHALL BE SHOWN CONSISTENT WITH THOSE ASSERTIONS IN  THE 
MODEL  THAT  APPLY  TO  IT.   Appendix A addresses component 
evaluation issues. 
 
     TO SHOW THE CORRESPONDENCE BETWEEN  THE  DTLS  AND  THE 
NTCB  IMPLEMENTATION,  IT  SUFFICES  TO  SHOW CORRESPONDENCE 
BETWEEN EACH COMPONENT DTLS AND THE NTCB PARTITION  IN  THAT 
COMPONENT. 
 
     As stated in the introduction to Division B, the  spon- 
monitor concept.  The security policy model must be a  model 
for a reference monitor. 
 
     The security policy model for each partition implement- 
ng  a  reference  monitor  shall fully represent the access
control policy supported by  the  partition,  including  the 
and/or integrity.  For the mandatory policy the single domi- 
nance  relation  for  sensitivity  labels, including secrecy 
and/or integrity components, shall be precisely defined. 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context  of a network system as 
tion,  such  as description of components and description of 
operating environment(s) in which the  networking  subsystem 
or network system is designed to function, is required else- 
 
     In order to be evaluated,  a  network  must  possess  a 
coherent  Network Security Architecture and Design.  (Inter- 
connection of components that do not adhere to such a single 
coherent  Network  Security Architecture is addressed in the 
Security  Architecture  must  address  the security-relevant 
Design  specifies  the  interfaces and services that must be 
ncorporated into the network so that it can be evaluated as
a  trusted  entity.  There may be multiple designs that con- 
form to the same architecture but are more or less  incompa- 
tible and non-interoperable (except through the Interconnec- 
tion Rules).  Security related mechanisms requiring coopera- 
tion  among  components are specified in the design in terms 
of their visible interfaces; mechanisms  having  no  visible 
nterfaces  are  not specified in this document but are left
as implementation decisions. 
 
     The Network Security Architecture and  Design  must  be 
available  from the network sponsor before evaluation of the 
network, or any component, can be undertaken.   The  Network 
Security  Architecture  and Design must be sufficiently com- 
the  construction  or assembly of a trusted network based on 
the structure it specifies. 
 
     When a component is being  designed  or  presented  for 
evaluation,  or  when a network assembled from components is 
assembled or presented  for  evaluation,  there  must  be  a 
Design are satisfied.  That is, the components can be assem- 
bled into a network that conforms in every way with the Net- 
tion indicates. 
 
     In order for a trusted network to be  constructed  from 
components  that  can  be  built  independently, the Network 
Security Architecture and Design must completely and unambi- 
Network  Security  Architecture and Design must be evaluated 
to determine that a network constructed  to  its  specifica- 
tions  will in fact be trusted, that is, it will be evaluat- 
able under these interpretations. 
 
 
     The term "model" is used in several different ways in a 
network context, e.g., a "protocol reference model," a "for- 
mal network model," etc. Only the "security policy model" is 
addressed  by  this requirement and is specifically intended 
to model the interface, viz., "security perimeter,"  of  the 
n the TCSEC.  It must be shown that all parts  of  the  TCB
are  a  valid  interpretation  of the security policy model, 
.e., that there is no change to the secure state except  as
 
 
            4.0 DIVISION A: VERIFIED PROTECTION 
            _ _ ________ _  ________ __________ 
 
 
This division is characterized by the use of formal security 
methods to assure that the mandatory and discretionary secu- 
quired  to  demonstrate that the NTCB meets the security re- 
quirements in all aspects of design, development and  imple- 
mentation. 
 
             4.1  CLASS (A1):  VERIFIED DESIGN 
             _ _  _____  __    ________ ______ 
 
 
     SYSTEMS IN CLASS (A1) ARE FUNCTIONALLY  EQUIVALENT 
     TO  THOSE  IN  CLASS  (B3)  IN  THAT NO ADDITIONAL 
     ARCHITECTURAL FEATURES OR POLICY REQUIREMENTS  ARE 
     ADDED.   THE  DISTINGUISHING FEATURE OF SYSTEMS IN 
     THIS CLASS IS THE  ANALYSIS  DERIVED  FROM  FORMAL 
     DESIGN  SPECIFICATION  AND VERIFICATION TECHNIQUES 
     AND THE RESULTING HIGH DEGREE  OF  ASSURANCE  THAT 
     THE NTCB IS CORRECTLY IMPLEMENTED.  THIS ASSURANCE 
     IS DEVELOPMENTAL IN NATURE, STARTING WITH A FORMAL 
     MODEL  OF  THE  SECURITY  POLICY AND A FORMAL TOP- 
     LEVEL  SPECIFICATION   (FTLS)   OF   THE   DESIGN. 
     INDEPENDENT   OF   THE   PARTICULAR  SPECIFICATION 
     LANGUAGE OR VERIFICATION SYSTEM  USED,  THERE  ARE 
     FIVE  IMPORTANT  CRITERIA  FOR  CLASS  (A1) DESIGN 
     VERIFICATION: 
 
    +  A FORMAL MODEL OF THE SECURITY  POLICY  MUST  BE 
      CLEARLY  IDENTIFIED  AND  DOCUMENTED, INCLUDING A 
      MATHEMATICAL PROOF THAT THE MODEL  IS  CONSISTENT 
      WITH  ITS AXIOMS AND IS SUFFICIENT TO SUPPORT THE 
      SECURITY POLICY. 
 
    +  AN FTLS MUST BE PRODUCED THAT INCLUDES  ABSTRACT 
      DEFINITIONS  OF  THE  FUNCTIONS THE NTCB PERFORMS 
      AND OF THE HARDWARE  AND/OR  FIRMWARE  MECHANISMS 
      THAT  ARE  USED  TO  SUPPORT  SEPARATE  EXECUTION 
      DOMAINS. 
 
    +  THE FTLS OF THE NTCB MUST BE SHOWN  TO  BE  CON- 
      SISTENT WITH THE MODEL BY FORMAL TECHNIQUES WHERE 
      POSSIBLE (I.E., WHERE VERIFICATION  TOOLS  EXIST) 
      AND INFORMAL ONES OTHERWISE. 
 
    +  THE  NTCB  IMPLEMENTATION  (I.E.,  IN  HARDWARE, 
      FIRMWARE,  AND SOFTWARE) MUST BE INFORMALLY SHOWN 
      TO BE CONSISTENT WITH THE FTLS.  THE ELEMENTS  OF 
      THE  FTLS  MUST  BE  SHOWN,  USING INFORMAL TECH- 
      NIQUES, TO CORRESPOND  TO  THE  ELEMENTS  OF  THE 
      NTCB.   THE FTLS MUST EXPRESS THE UNIFIED PROTEC- 
      TION MECHANISM REQUIRED TO SATISFY  THE  SECURITY 
      POLICY, AND IT IS THE ELEMENTS OF THIS PROTECTION 
      MECHANISM THAT ARE MAPPED TO THE ELEMENTS OF  THE 
      NTCB. 
 
    +  FORMAL ANALYSIS TECHNIQUES MUST BE USED TO IDEN- 
      TIFY AND ANALYZE COVERT CHANNELS.  INFORMAL TECH- 
      NIQUES MAY BE  USED  TO  IDENTIFY  COVERT  TIMING 
      CHANNELS.   THE CONTINUED EXISTENCE OF IDENTIFIED 
      COVERT CHANNELS IN THE SYSTEM MUST BE JUSTIFIED. 
 
     IN KEEPING WITH THE EXTENSIVE DESIGN AND  DEVELOP- 
     MENT  ANALYSIS  OF THE NTCB REQUIRED OF SYSTEMS IN 
     CLASS (A1), MORE STRINGENT  CONFIGURATION  MANAGE- 
     MENT  IS  REQUIRED  AND PROCEDURES ARE ESTABLISHED 
     FOR SECURELY DISTRIBUTING THE SYSTEM TO SITES.   A 
     SYSTEM SECURITY ADMINISTRATOR IS SUPPORTED. 
 
     THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR  SYSTEM 
     ASSIGNED A CLASS (A1) RATING: 
 
 
_ _ _ ________ ______ 
 
+ Statement from DoD 5200.28-STD 
 
 
 
+ Interpretation 
 
     The network sponsor shall describe the overall  network 
cy  is  an  access  control  policy having two primary com-
nclude  a  discretionary policy for protecting the informa-
tion being processed based on the authorizations of  indivi- 
cy statement shall describe the requirements on the network
to  prevent  or  detect  "reading  or  destroying" sensitive 
nformation by unauthorized users or errors.  The  mandatory
that it supports.  For the Class B1 or above  the  mandatory 
nformation that reflects its sensitivity  with  respect  to
ciated with users to reflect their authorization  to  access 
that are not authorized to use the network at all  (e.g.,  a 
user  attempting  to  use a passive or active wire tap) or a 
legitimate user of the network  who  is  not  authorized  to 
access a specific piece of information being protected. 
 
     Note that "users" does not include "operators," "system 
officers," and other system  support  personnel.   They  are 
Manual and the System Architecture requirements.  Such indi- 
viduals may change the system parameters of the network sys- 
tem, for example, by defining membership of a group.   These 
ndividuals may also have the separate role of users.
 
 
        SECRECY POLICY: The network sponsor shall define the 
        form  of  the  discretionary  and mandatory  secrecy 
        policy that is enforced in the  network  to  prevent 
        unauthorized users from reading the sensitive infor- 
        mation entrusted to the network. 
 
 
        DATA INTEGRITY POLICY:  The  network  sponsor  shall 
        define  the  discretionary  and mandatory  integrity 
        policy to prevent unauthorized users from modifying, 
        viz.,  writing,  sensitive information.  The defini- 
        tion of data  integrity  presented  by  the  network 
        sponsor  refers to the requirement that the informa- 
        tion has not been subjected to unauthorized  modifi- 
        cation  in the network. The mandatory integrity pol- 
        icy enforced by the NTCB cannot, in general, prevent 
        modification  while information is being transmitted 
        between components.  However,  an  integrity  sensi- 
        tivity  label  may  reflect  the confidence that the 
        information has not been subjected  to  transmission 
        errors  because  of  the  protection afforded during 
        transmission.  This requirement is distinct from the 
        requirement for label integrity. 
 
+ Rationale 
 
     The word "sponsor" is used  in  place  of  alternatives 
(such   as   "vendor,"   "architect,"   "manufacturer,"  and 
"developer") because the alternatives  indicate  people  who 
may not be available, involved, or relevant at the time that 
a network system is proposed for evaluation. 
 
     A trusted network is able to control both  the  reading 
and  writing  of  shared  sensitive information.  Control of 
tion. A network normally is expected to have policy require- 
ments to protect both  the  secrecy  and  integrity  of  the 
nformation  entrusted to it.  In a network the integrity is
frequently as important or more important than  the  secrecy 
to be enforced by the network must be stated for  each  net- 
the policy  is  faithfully  enforced  is  reflected  in  the 
evaluation class of the network. 
 
     This control over modification  is  typically  used  to 
control the potential harm that would result if the informa- 
tion  were  corrupted.   The overall network policy require- 
ments for integrity includes the protection  for  data  both 
transmitted in  the  network.   The  access  control  policy 
enforced  by  the  NTCB relates to the access of subjects to 
objects within  each  component.   Communications  integrity 
addressed  within Part II relates to information while being 
transmitted. 
 
     The mandatory integrity policy (at class B1 and  above) 
n  some architectures may be useful in supporting the link-
age between the connection oriented  abstraction  introduced 
n  the  Introduction  and  the individual components of the
network.  For example, in  a  key  distribution  center  for 
end-to-end  encryption, a distinct integrity category may be 
assigned to isolate the key generation code  and  data  from 
 
     The mandatory integrity policy  for  some  architecture 
may  define an integrity sensitivity label that reflects the 
been  subject  to  random errors in excess of a stated limit 
nor to unauthorized message  stream  modification  (MSM)  -. 
The specific metric associated with an integrity sensitivity 
label will generally reflect the  intended  applications  of 
the network. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall define and control access between named  users 
and named objects (e.g., files and programs) in the ADP sys- 
tem.  The enforcement mechanism (e.g., access control lists) 
objects and shall provide controls to limit  propagation  of 
access  rights.   The discretionary access control mechanism 
that  objects are protected from unauthorized access.  These 
access controls shall be capable  of  specifying,  for  each 
named  object,  a  list  of  named individuals and a list of 
access  to  that  object.   Furthermore, for each such named 
object, it shall be possible to  specify  a  list  of  named 
ndividuals  and  a  list of groups of named individuals for
to   an  object  by  users  not  already  possessing  access 
_________________________ 
  - See Voydock, Victor L. and Stephen T. Kent,  "Secu- 
                                                   ___ 
______ _______ 
 
 
 
+  Interpretation 
 
     The discretionary access control (DAC) mechanism(s) may 
be  distributed  over  the partitioned NTCB in various ways. 
Some part, all, or none of the DAC may be implemented  in  a 
no  subjects acting as direct surrogates for users), such as 
a public network packet switch, might not implement the  DAC 
mechanism(s)  directly  (e.g.,  they are unlikely to contain 
access control lists). 
 
     Identification of users by groups may  be  achieved  in 
various  ways  in  the networking environment.  For example, 
the network identifiers (e.g., internet addresses) for vari- 
ous  components (e.g., hosts, gateways) can be used as iden- 
tifiers of groups of individual users (e.g., "all  users  at 
Host  A," "all users of network Q") so long as the individu- 
als involved in the group are implied by the group  identif- 
er. For example, Host A might employ a particular group-id,
for which it maintains a list  of  explicit  users  in  that 
the group-id under the conditions of this interpretation. 
 
     For networks, individual hosts will impose need-to-know 
controls over their users on the basis of named individuals 
- much like (in fact, probably the same) controls used  when 
there is no network connection. 
 
     When group identifiers are acceptable for  access  con- 
trol,  the identifier of some other host may be employed, to 
eliminate the maintenance that would be required if  indivi- 
C2 and higher, however, it must be possible from that  audit 
exactly the individuals represented by a group identifier at 
the time of the use of that identifier.  There is allowed to 
be an uncertainty because of elapsed time between changes in 
the  group membership and the enforcement in the access con- 
trol mechanisms. 
 
     The DAC mechanism of a NTCB  partition  may  be  imple- 
mented  at  the interface of the reference monitor or may be 
all the physical resources  of  the  system  and  from  them 
creates the abstraction of subjects and objects that it con- 
trols. Some of these subjects and objects  may  be  used  to 
mplement  a  part  of  the NTCB.  When the DAC mechanism is
Assurance section) for the design and implementation of  the 
DAC  shall be those of class C2 for all networks of class C2 
or above. 
 
     When integrity is included as part of the network  dis- 
cretionary  security policy, the above interpretations shall 
be specifically applied to the controls  over  modification, 
viz,  the  write mode of access, within each component based 
on identified users or groups of users. 
 
+  Rationale 
 
     In this class, the supporting elements of  the  overall 
DAC  mechanism are required to isolate information (objects) 
that supports DAC so that it is subject to auditing require- 
ments  (see  the  System  Architecture section).  The use of 
network identifiers to identify groups of  individual  users 
could  be  implemented, for example, as an X.25 community of 
nterest in the network protocol layer (layer  3).   In  all
other  respects,  the supporting elements of the overall DAC 
mechanism are treated  exactly  as  untrusted  subjects  are 
treated  with respect to DAC in an ADP system, with the same 
 
     A typical situation for DAC is that a surrogate process 
for a remote user will be created in some host for access to 
objects under the control of the NTCB partition within  that 
assigned and maintained for each such process by  the  NTCB, 
tially the same discretionary controls as access by  a  pro- 
cess  acting  on  behalf of a local user would be.  However, 
tions of the assigned user identification is permitted. 
 
     The most obvious situation  would  exist  if  a  global 
able on demand to every host, (i.e., a name server  existed) 
 
     It is also acceptable, however, for  some  NTCB  parti- 
tions to maintain a database of locally-registered users for 
ts own use.  In such a case, one could  choose  to  inhibit
the creation of surrogate processes for locally unregistered 
users, or (if permitted by the local policy)  alternatively, 
to   permit   the   creation  of  surrogate  processes  with 
dentify the process as executing on behalf of a member of a
the  words concerning audit in the interpretation is to pro- 
vide a minimally acceptable degree of auditability for cases 
be a capability, using the audit facilities provided by  the 
network  NTCB  partitions  involved,  to  determine  who was 
logged in at the actual host of the group of remote users at 
the time the surrogate processing occured. 
 
     Associating the proper user id with a surrogate process 
s  the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id  of 
the  surrogate  process.   The transmission of the data back 
across the network to the user's host, and the creation of a 
copy of the data there, is not the business of DAC. 
 
     Components that support only internal  subjects  impact 
the implementation of the DAC by providing services by which 
nformation (e.g., a user-id) is made available  to  a  com-
file  at  Host  B.   The  DAC decision might be (and usually 
ted from Host A to Host B. 
 
     Unique user identification may be achieved by a variety 
of  mechanisms, including (a) a requirement for unique iden- 
tification and authentication on the host where access takes 
addresses authenticated by another host and forwarded to the 
of a network-wide unique personnel identifier that could  be 
authenticated and forwarded by another host as in (b) above, 
or could be authenticated and forwarded by a dedicated  net- 
cols which implement (b) or (c) are subject  to  the  System 
Architecture requirements. 
 
     Network support for DAC might be handled in other  ways 
than  that described as "typical" above. In particular, some 
form of centralized access control is  often  proposed.   An 
access  control center may make all decisions for DAC, or it 
may share the burden with the hosts by controlling  host-to- 
to their objects by users at a limited set of remote  hosts. 
between the connection oriented abstraction (as discussed in 
the  Introduction)  and  the overall network security policy 
for DAC.  In all cases the enforcement of the decision  must 
be provided by the host where the object resides. 
 
     There are two forms of distribution for the DAC mechan- 
sm:  implementing  portions  of  the  DAC  in separate com-
the  NTCB  partition in a component.  Since "the ADP system" 
s understood to be "the computer network" as a whole,  each
network  component  is responsible for enforcing security in 
the mechanisms allocated to it to ensure secure  implementa- 
tion  of  the network security policy.  For traditional host 
a few approaches, such as virtual machine monitors,  support 
DAC outside this interface. 
 
     In contrast to the universally rigid structure of  man- 
DAC policies tend to be very network  and  system  specific, 
For networks it is common that individual hosts will  impose 
controls  over  their  local  users  on  the  basis of named 
ndividuals-much like the controls used  when  there  is  no
network connection.  However, it is difficult to manage in a 
centralized manner all the individuals using  a  large  net- 
together so that the controls required by  the  network  DAC 
other components.  A gateway is an example of  such  a  com- 
 
     The assurance requirements are at the very heart of the 
concept  of  a  trusted  system.   It  is the assurance that 
environment,  as reflected, for example, in the Environments 
Guideline-.  In the case of monolithic systems that have DAC 
ntegral  to  the  reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of  the 
clearer distinction due to distributed DAC.   The  rationale 
for making the distinction in this network interpretation is 
that if major trusted network components can be made  signi- 
ficantly easier to design and implement without reducing the 
ability to meet security policy, then trusted networks  will 
be more easily available. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
All authorizations to the  information  contained  within  a 
allocation or reallocation to a subject from the TCB's  pool 
of   unused  storage  objects.   No  information,  including 
encrypted representations  of  information,  produced  by  a 
that obtains access to an object that has been released back 
to the system. 
 
+  Interpretation 
 
     The NTCB shall ensure that any storage objects that  it 
controls  (e.g., message buffers under the control of a NTCB 
access.  This requirement must be enforced by  each  of  the 
NTCB partitions. 
 
 
 
_________________________ 
  - Guidance for Applying  the  Department  of  Defense 
    ________ ___ ________  ___  __________  __  _______ 
Trusted Computer System Evaluation Criteria in Specific 
_______ ________ ______ __________ ________ __ ________ 
Environments, CSC-STD-003-85. 
____________ 
 
 
+  Rationale 
 
     In a network system, storage objects  of  interest  are 
things  that  the  NTCB  directly  controls, such as message 
buffers in components.  Each component of the network system 
must  enforce  the  object reuse requirement with respect to 
the storage objects of interest as determined by the network 
be  under  the  control  of  the  NTCB  partition.  A buffer 
assigned to an internal subject may be reused at the discre- 
tion of that subject which is responsible for preserving the 
ntegrity of message streams.  Such controlled  objects  may
be  implemented in physical resources, such as buffers, disk 
network switches. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels associated with each ADP system  resource 
(e.g.,  subject,  storage  object,  ROM) that is directly or 
ndirectly accessible by subjects external to the TCB  shall
be maintained by the TCB.  These labels shall be used as the 
basis for mandatory access control decisions.  In  order  to 
mport  non-labeled  data, the TCB shall request and receive
from an authorized user the sensitivity level of  the  data, 
and all such actions shall be auditable by the TCB. 
 
+  Interpretation 
 
     Non-labeled data imported under the control of the NTCB 
labels of the single-level device used to import it.  Labels 
may  include secrecy and integrity- components in accordance 
network   sponsor.    Whenever  the  term  "label"  is  used 
throughout this interpretation, it is understood to  include 
both   components   as  applicable.   Similarly,  the  terms 
"single-level" and "multilevel" are understood to  be  based 
on  both the secrecy and integrity components of the policy. 
The mandatory integrity policy will typically have  require- 
ments,  such as the probability of undetected message stream 
modification, that will be reflected in the  label  for  the 
ntegrity label may be assigned based on mechanisms, such as
cryptography,  used to provide the assurance required by the 
tected  from  tampering and are always invoked when they are 
_________________________ 
  - See, for example, Biba, K.J., "Integrity Considera- 
tion  for Secure Computer Systems," ESD-TR-76-372, MTR- 
 
 
the basis for a label. 
 
 
     If the security policy includes  an  integrity  policy, 
all  activities  that  result in message-stream modification 
violation  of  the integrity policy.  The NTCB shall have an 
automated capability for testing, detecting,  and  reporting 
those   errors/corruptions  that  exceed  specified  network 
ntegrity policy requirements.  Message-stream  modification
(MSM)  countermeasures shall be identified.  A technology of 
adequate strength shall  be  selected  to  resist  MSM.   If 
encryption   methodologies   are  employed,  they  shall  be 
approved by the National Security Agency. 
 
     All objects must be labeled within  each  component  of 
the network that is trusted to maintain separation of multi- 
objects  associated  with  single-level  components  will be 
dentical to the level of that component.  Objects  used  to
tures, such as routing tables, must be  labeled  to  prevent 
unauthorized access and/or modification. 
 
+ Rationale 
 
     The interpretation is an extension of  the  requirement 
nto the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in  which 
the  security  range  of  the subject is the minimum-maximum 
ce.
 
     The sensitivity labels for either secrecy or  integrity 
or both may reflect non-hierarchical categories or hierarch- 
cal classification or both.
 
     For a network it is necessary that this requirement  be 
applied  to  all  network system resources at the (B2) level 
and above. 
 
     The NTCB is responsible for  implementing  the  network 
ntegrity  policy,  when  one exists.  The NTCB must enforce
that policy  by  ensuring  that  information  is  accurately 
transmitted  from  source  to destination (regardless of the 
number of intervening connecting points).  The NTCB must  be 
able  to  counter  equipment  failure, environmental disrup- 
tions, and actions by persons and processes  not  authorized 
to  alter  the  data.  Protocols that perform code or format 
conversion shall preserve the integrity of data and  control 
nformation.
 
     The probability of an undetected transmission error may 
be  specified as part of the network security policy so that 
the  acceptability  of  the   network   for   its   intended 
application  may  be determined. The specific metrics (e.g., 
associated with the data while it is processed within a com- 
operational environments (e.g., crisis as compared to logis- 
tic) will have different integrity requirements. 
 
     The network shall also have an automated capability  of 
testing  for,  detecting, and reporting errors that exceed a 
threshold consistent with the operational mode requirements. 
The effectiveness of integrity countermeasures must be esta- 
blished with the same rigor as the  other  security-relevant 
 
     Cryptography is often utilized as a  basis  to  provide 
Detection Codes (MDC)-, may be used.  The  adequacy  of  the 
encryption or MDC algorithm, the correctness of the protocol 
logic, and the adequacy  of  implementation  must  be  esta- 
blished in MSM countermeasures design. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Sensitivity labels shall  accurately  represent  sensitivity 
levels  of  the specific subjects or objects with which they 
are associated.   When  exported  by  the  TCB,  sensitivity 
labels  shall  accurately  and  unambiguously  represent the 
nternal labels and shall be associated with the information
being exported. 
 
+  Interpretation 
 
     The phrase "exported  by  the  TCB"  is  understood  to 
nclude  transmission  of  information from an object in one
component to an object in  another  component.   Information 
transferred between NTCB partitions is addressed in the Sys- 
tem Integrity Section. The form  of  internal  and  external 
(exported)  sensitivity  labels  may differ, but the meaning 
correct  association of sensitivity labels with the informa- 
tion being transported across the network is preserved. 
 
     As mentioned in the Trusted  Facility  Manual  Section, 
encryption  transforms  the representation of information so 
that  it  is  unintelligible   to   unauthorized   subjects. 
Reflecting this transformation, the sensitivity level of the 
ciphertext is generally lower than the cleartext.   It  fol- 
lows   that   cleartext  and  ciphertext  are  contained  in 
_________________________ 
  - See Jueneman, R. R., "Electronic Document Authenti- 
cation," IEEE Network Magazine, April 1987, pp 17-23. 
         ____ _______ ________ 
 
 
of  the  cleartext must be preserved and associated with the 
ciphertext so that it can be restored when the cleartext  is 
cleartext is associated  with  a  single-level  device,  the 
label of that cleartext may be implicit.  The label may also 
be implicit in the key. 
 
     When information is exported to an environment where it 
s subject to deliberate or accidental modification, the TCB
assure  the  accuracy of the labels.  When there is a manda- 
tory integrity policy, the policy will define the meaning of 
ntegrity labels.
 
+  Rationale 
 
     Encryption algorithms and their implementation are out- 
may be implemented in a separate device  or  may  be  incor- 
encryption mechanism herein. If encryption methodologies are 
employed in this regard,  they  shall  be  approved  by  the 
National  Security  Agency (NSA).  The encryption process is 
components in which it is implemented. 
 
     The encryption mechanism  is  not  necessarily  a  mul- 
tilevel  device  or  multilevel  subject, as these terms are 
used in these criteria.  The process of encryption  is  mul- 
tilevel  by definition.  The cleartext and ciphertext inter- 
faces  carry  information  of  different  sensitivity.    An 
encryption  mechanism  does not process data in the sense of 
ciphertext interfaces on the encryption  mechanism  must  be 
the  data  is established by a trusted individual and impli- 
citly associated with  the  interface;  the  Exportation  to 
Single-Level Devices criterion applies. 
 
     If the interface is multilevel, then the data  must  be 
labeled;  the  Exportation  to  Multilevel Devices criterion 
applies. The network architect is free to select an  accept- 
able mechanism for associating a label with an object.  With 
 
        the object. 
 
        through the encryption key.  That is, the encryption 
        key uniquely identifies a sensitivity level.  A sin- 
        gle or private key must be protected at the level of 
        the data that it encrypts. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall designate each communication channel  and  I/O 
this designation shall be done manually and shall be  audit- 
able  by  the  TCB.   The  TCB shall maintain and be able to 
audit any change in the sensitivity level or levels  associ- 
ated with a communications channel or I/O device. 
 
+  Interpretation 
 
     Each communication channel and network component  shall 
be  designated  as  either  single-level or multilevel.  Any 
change in this designation shall be done with the cognizance 
and  approval  of  the  administrator or security officer in 
charge of the affected components and the  administrator  or 
be auditable by the network. The NTCB shall maintain and  be 
able  to  audit  any  change in the device labels associated 
ciated with a multilevel communication channel or component. 
The NTCB shall also be able to audit any change in  the  set 
of  sensitivity levels associated with the information which 
can be transmitted over a multilevel  communication  channel 
or component. 
 
+  Rationale 
 
     Communication channels and components in a network  are 
analogous  to  communication  channels  and  I/O  devices in 
tilevel  (i.e.,  able to distinguish and maintain separation 
among information of various sensitivity levels) or  single- 
level.   As  in  the TCSEC, single-level devices may only be 
attached to single-level channels. 
 
     The level or set of levels of information that  can  be 
only change with the knowledge and approval of the  security 
officers  (or  system administrator, if there is no security 
officer) of the network, and  of  the  affected  components. 
This  requirement  ensures  that  no  significant  security- 
affected parties. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
When the TCB exports an object to a multilevel  I/O  device, 
the sensitivity label associated with that object shall also 
be exported and shall reside on the same physical medium  as 
the  exported  information  and  shall  be  in the same form 
(i.e., machine-readable or human-readable form).   When  the 
TCB  exports or imports an object over a multilevel communi- 
cations channel, the protocol used  on  that  channel  shall 
labels and  the  associated  information  that  is  sent  or 
 
+  Interpretation 
 
     The components, including hosts, of a network shall  be 
nterconnected  over  "multilevel  communication  channels,"
multiple single-level communication channels, or both, when- 
ever  the information is to be protected at more than a sin- 
the only information needed to correctly associate a  sensi- 
tivity  level with the exported information transferred over 
the multilevel channel between the NTCB partitions in  indi- 
vidual components. This protocol definition must specify the 
(i.e.,  the  machine-readable  label must uniquely represent 
the sensitivity level). 
 
     The "unambiguous" association of the sensitivity  level 
of accuracy as that required for any other label within  the 
NTCB,  as  specified  in  the criterion for Label Integrity. 
This may be provided by protected and highly reliable direct 
link protection in which any errors during transmission  can 
be  readily  detected,  or by use of a separate channel. The 
 
+  Rationale 
 
     This  protocol  must  specify  the  representation  and 
Access Control Policies section in  Appendix  B.   The  mul- 
tilevel  device  interface  to  (untrusted)  subjects may be 
mplemented either by the interface of the  reference  moni-
tor,  per  se,  or by a multilevel subject (e.g., a "trusted 
vides  the  labels  based on the internal labels of the NTCB 
 
     The current state of the art  limits  the  support  for 
mandatory  policy  that  is  practical  for secure networks. 
Reference monitor support to ensure the control over all the 
operations of each subject in the network must be completely 
nvoked by this  subject  must  be  contained  in  the  same
component. 
 
     The secure state of an NTCB partition may  be  affected 
by events external to the component in which the NTCB parti- 
tion resides (e.g.,  arrival  of  a  message).   The  effect 
occurs  asynchronusly  after  being initiated by an event in 
another component or partition.  For example,  indeterminate 
component, the arrival of the message in the NTCB  partition 
n  another  component,  and the corresponding change to the
s  executing  concurrently,  to  do otherwise would require
ably not even desirable.  Therefore, the interaction between 
NTCB partitions is restricted to just communications between 
the device(s) can send/receive data of more  than  a  single 
level.  For  broadcast channels the pairs are the sender and 
ntended receiver(s).  However,  if  the  broadcast  channel
carries multiple levels of information, additional mechanism 
(e.g., cryptochecksum maintained by the TCB) may be required 
to enforce separation and proper delivery. 
 
     A  common  representation  for  sensitivity  labels  is 
needed  in  the protocol used on that channel and understood 
by both the sender and receiver when two multilevel  devices 
(in  this  case,  in two different components) are intercon- 
nected. Each distinct sensitivity level of the overall  net- 
 
     Within a monolithic TCB, the  accuracy  of  the  sensi- 
tivity  labels  is  generally  assured by simple techniques, 
e.g., very reliable connections  over  very  short  physical 
connections,  such  as  on a single printed circuit board or 
over an internal bus.  In many network environments there is 
a  much  higher  probability  of accidentally or maliciously 
ntroduced errors, and these must be protected against.
 
 
 
+ Statement from DoD 5200.28-STD 
 
Single-level  I/O  devices  and  single-level  communication 
channels are not required to maintain the sensitivity labels 
of the information they process.   However,  the  TCB  shall 
nclude  a mechanism by which the TCB and an authorized user
level  of  information imported or exported via single-level 
communication channels or I/O devices. 
 
+  Interpretation 
 
     Whenever one or both of  two  directly  connected  com- 
nformation of different sensitivity levels, or whenever the
two  directly connected components have only a single sensi- 
tivity level in common, the two components  of  the  network 
components and single-level communication channels  are  not 
tion they process. However, the NTCB shall include  a  reli- 
able  communication  mechanism  by  which  the  NTCB  and an 
authorized user (via a trusted path) or a subject within  an 
NTCB partition can designate the single sensitivity level of 
nformation imported or exported via single-level communica-
tion  channels  or network components. The level of informa- 
tion communicated must equal the device level. 
 
+ Rationale 
 
     Single-level communications channels  and  single-level 
components  in  networks are analogous to single level chan- 
nels and I/O devices in stand-alone systems in that they are 
not  trusted  to  maintain  the separation of information of 
are therefore implicit; the NTCB associates labels with  the 
explicit part of the bit stream.  Note that the  sensitivity 
level  of  encrypted information is the level of the cipher- 
text rather than the original level(s) of the plaintext. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The ADP system administrator shall be able  to  specify  the 
labels.  The TCB shall mark the beginning  and  end  of  all 
output) with human-readable sensitivity  labels  that  prop- 
erly1  represent  the  sensitivity  of  the output.  The TCB 
output) with human-readable sensitivity  labels  that  prop- 
erly1 represent the sensitivity of the page.  The TCB shall, 
by default and in an appropriate manner, mark other forms of 
_________________________ 
formation  in  the output that the labels refer to; the 
non-hierarchical category component shall  include  all 
of  the  non-hierarchical categories of the information 
n the output the labels refer to, but  no  other  non-
 
+  Interpretation 
 
     This criterion imposes no requirement  to  a  component 
that  produces  no human-readable output.  For those that do 
s  defined  to  the  network  shall  have a uniform meaning
across all components.  The network administrator,  in  con- 
able to specify the human-readable label that is  associated 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context of a network system and 
tions. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall immediately notify a  terminal  user  of  each 
change  in  the  sensitivity level associated with that user 
able  to  query  the  TCB  as  desired  for a display of the 
 
+ Interpretation 
 
     An NTCB partition shall immediately notify  a  terminal 
user  attached to its component of each change in the sensi- 
tivity level associated with that user. 
 
+ Rationale 
 
     The local NTCB partition  must  ensure  that  the  user 
understands the sensitivity level of information sent to and 
from a terminal.  When a user has  a  surrogate  process  in 
another  component,  adjustments  to  its level may occur to 
maintain communication with the  user.   These  changes  may 
occur  asynchronously.  Such adjustments are necessitated by 
mandatory access control as applied to the objects  involved 
n the communication path.
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support the assignment of minimum and  maximum 
 
+ Interpretation 
 
     This requirement applies as written to each NTCB parti- 
tion that is trusted to separate information based on sensi- 
tivity level.  Each I/O device in a component, used for com- 
munication with other network components, is assigned a dev- 
ce range, consisting of a set of labels with a maximum  and
minimum.   (A  device  range  usually contains, but does not 
necessarily contain, all possible labels "between" the  max- 
mum and minimum, in the sense of dominating the minimum and
being dominated by the maximum.) 
 
     The NTCB always provides an accurate label for informa- 
tion  exported  through  devices.   Information  exported or 
mported using a single-level device is labelled  implicitly
by   the  sensitivity  level  of  the  device.   Information 
exported from one multilevel device and imported at  another 
must  be labelled through an agreed-upon protocol, unless it 
s labelled implicitly by using a  communication  link  that
always carries a single level. 
 
     Information exported at a given sensitivity  level  can 
be  sent only to an importing device whose device range con- 
tains that level or a higher level.  If the importing device 
mporting device range.  Relabelling should not occur other-
 
+ Rationale 
 
     The purpose of device labels is  to  reflect  and  con- 
the physical environment in which the devices are located. 
 
     The information transfer  restrictions  permit  one-way 
communication (i.e., no acknowledgements) from one device to 
another whose ranges have no level in  common,  as  long  as 
each  level in the sending device range is dominated by some 
level in the receiving device range.  It is never  permitted 
to send information at a given level to a device whose range 
view.) 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall enforce a mandatory access control policy over 
all resources (i.e., subjects, storage objects, and I/O dev- 
ces) that are directly or indirectly accessible by subjects
external  to  the  TCB.  These subjects and objects shall be 
assigned  sensitivity  labels  that  are  a  combination  of 
categories, and the labels shall be used as  the  basis  for 
mandatory  access  control decisions.  The TCB shall be able 
to support two or more such sensitivity  levels.   (See  the 
Mandatory  Access  Control  interpretations.)  The following 
ndirectly accessible by these subjects.     A  subject  can
the subject's sensitivity level is greater than or equal  to 
the  hierarchical classification of the object's sensitivity 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. A subject  can 
the subject's sensitivity level is less than or equal to the 
level and the non-hierarchical categories in  the  subject's 
categories in the object's sensitivity level. Identification 
and  authentication data shall be used by the TCB to authen- 
ticate the user's identity and to  ensure  that  the  sensi- 
tivity  level  and authorization of subjects external to the 
TCB that may be created to act on behalf of  the  individual 
user  are  dominated  by  the clearance and authorization of 
that user. 
 
+  Interpretation 
 
     Each partition of the NTCB exercises  mandatory  access 
control  policy  over  all  subjects and objects in its com- 
tion  encompasses  all mandatory access control functions in 
ts component that would be required of a TCB  in  a  stand-
alone  system.  In particular, subjects and objects used for 
communication with other components are under the control of 
the  NTCB  partition.   Mandatory  access  control  includes 
cy.
 
     Conceptual  entities  associated   with   communication 
between  two  components,  such as sessions, connections and 
virtual circuits, may be thought of as having two ends,  one 
n  each component, where each end is represented by a local
object.  Communication is viewed as an operation that copies 
nformation  from  an  object  at one end of a communication
entities,  such  as  datagrams  and packets, exist either as 
nformation within other objects, or as a pair  of  objects,
one at each end of the communication path. 
 
     The requirement for "two or  more"  sensitivity  levels 
can  be  met  by  either  secrecy or integrity levels.  When 
there is a mandatory integrity policy, the  stated  require- 
ments for reading and writing are generalized to:  A subject 
can read an object only if the subject's  sensitivity  level 
nates  the  subject's  sensitivity  level.   Based  on  the
ntegrity policy, the network sponsor shall define the domi-
nance  relation for the total label, for example, by combin- 
ng secrecy and integrity lattices. -
 
+ Rationale 
 
     An NTCB partition can maintain access control only over 
above, the NTCB partition must maintain access control  over 
all subjects and objects in its component.  Access by a sub- 
n  another  component requires the creation of a subject in
the remote component which acts as a surrogate for the first 
 
     The mandatory access controls must be enforced  at  the 
nterface  of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti- 
tion.   This  mechanism  creates the abstraction of subjects 
and objects which it controls.  Some of these subjects  out- 
mplement part of  an  NTCB  partition's  mandatory  policy,
e.g.,  by using the ``trusted subjects" defined in the Bell- 
LaPadula model. 
 
     The prior requirements on exportation of labeled infor- 
mation  to  and  from  I/O  devices  ensure  the consistency 
between the sensitivity labels of  objects  connected  by  a 
communication  path.  As noted in the introduction, the net- 
overall mandatory network security policy and the connection 
oriented abstraction. For example, individual  data-carrying 
entities  such  as datagrams can have individual sensitivity 
labels that subject them to mandatory access control in each 
component.   The abstraction of a single-level connection is 
connection  is realized by single-level subjects that neces- 
 
     The fundamental trusted systems technology permits  the 
DAC mechanism to be distributed, in contrast to the require- 
ments for  mandatory  access  control.   For  networks  this 
_________________________ 
  - See, for example, Grohn, M.  J., A Model of a  Pro- 
                                     _ _____ __ _  ___ 
tected  Data  Management  System, ESD-TR-76-289, I.  P. 
______  ____  __________  ______ 
Sharp Assoc.  Ltd., June, 1976;  and  Denning,  D  .E., 
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. 
and Shockley, W., Secure Distributed Data Views,  Secu- 
                  ______ ___________ ____ _____   ____ 
____ ______ ___ ______________ ___ _ _____ __ ________ 
el Secure Relational Database System,SRI International, 
__ ______ __________ ________ ______ 
November 1986. 
 
 
the exception. 
 
     The set of total sensitivity labels used  to  represent 
all  the sensitivity levels for the mandatory access control 
(combined data secrecy and  data  integrity)  policy  always 
forms  a partially ordered set.  Without loss of generality, 
this set of labels can always be extended to form a lattice, 
by   including  all  the  combinations  of  non-hierarchical 
categories.  As for any lattice,  a  dominance  relation  is 
always defined for the total sensitivity labels.  For admin- 
strative reasons it may be helpful to have a maximum  level
 
 
_ _ _ ______________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall require users to  identify  themselves  to  it 
before  beginning  to perform any other actions that the TCB 
s expected to mediate.  Furthermore, the TCB shall maintain
authentication  data that includes information for verifying 
the identify of individual users (e.g., passwords)  as  well 
as  information for determining the clearance and authoriza- 
tions of individual users.  This data shall be used  by  the 
TCB  to  authenticate the user's identity and to ensure that 
the sensitivity level and authorization of subjects external 
to the TCB that may be created to act on behalf of the indi- 
vidual user are dominated by the clearance and authorization 
of  that  user. The TCB shall protect authentication data so 
that it cannot be accessed by any  unauthorized  user.   The 
TCB  shall  be  able to enforce individual accountability by 
bility of  associating  this  identity  with  all  auditable 
actions taken by that individual. 
 
+  Interpretation 
 
     The requirement for identification  and  authentication 
of users is the same for a network system as for an ADP sys- 
tem. The identification and authentication may  be  done  by 
the  component  to  which  the user is directly connected or 
tication  server.   Available  techniques,  such  as   those 
applicable in the network context. However, in  cases  where 
the  NTCB is expected to mediate actions of a host (or other 
network component) that is acting on behalf  of  a  user  or 
_________________________ 
  = Department of Defense  Password  Management  Guide- 
    __________ __ _______  ________  __________  _____ 
line, CSC-STD-002-85 
____ 
 
 
authentication of the host (or other component) in  lieu  of 
dentification  and authentication of an individual user, so
long as the component identifier implies a list of  specific 
users uniquely associated with the identifier at the time of 
ts use for authentication.  This requirement does not apply
to internal subjects. 
 
     Authentication information, including the identity of a 
user  (once  authenticated) may be passed from one component 
to another without reauthentication, so  long  as  the  NTCB 
thorized disclosure and modification. This protection  shall 
of mechanism) as pertains to the protection of the authenti- 
cation mechanism and authentication data. 
 
+  Rationale 
 
     The need for accountability is not changed in the  con- 
text  of a network system.  The fact that the NTCB is parti- 
tioned over a set of components neither reduces the need nor 
mposes  new requirements.  That is, individual accountabil-
ty is still the objective. Also, in the context of  a  net-
tability" can be satisfied by identification of a  host  (or 
other component) so long as the requirement for traceability 
to individual users or a set of  specific  individual  users 
uncertainty in traceability because of elapsed time  between 
changes  in  the group membership and the enforcement in the 
access control mechanisms.  In addition, there is no need in 
a  distributed processing system like a network to reauthen- 
ticate a user at each point in the network where  a  projec- 
tion  of  a user (via the subject operating on behalf of the 
user) into another remote subject takes place. 
 
     The passing of identifiers and/or authentication infor- 
mation from one component to another is usually done in sup- 
trol  (DAC).   This  support  relates  directly  to  the DAC 
ferent  NTCB  partition  than  the  one  where  the user was 
authenticated. Employing a forwarded identification  implies 
additional  reliance  on the source and components along the 
basis  of  determining a sensitivity label for a subject, it 
must satisfy the Label Integrity criterion. 
 
     An  authenticated  identification  may   be   forwarded 
between  components  and employed in some component to iden- 
tify the sensitivity level associated with a subject created 
to act on behalf of the user so identified. 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support a trusted communication  path  between 
tself and users for use when a positive TCB-to-user connec-
tion is required (e.g., login,  change  subject  sensitivity 
level).    Communications  via  this  trusted  path shall be 
activated  exclusively by a user or the  TCB  and  shall  be 
logically and unmistakably distinguishable from other paths. 
 
 
+ Interpretation 
 
     A trusted path  is  supported  between  a  user  (i.e., 
user is directly connected. 
 
+ Rationale 
 
     When a user logs into a remote component, the  user  id 
s  transmitted  securely  between the local and remote NTCB
cation and Authentication. 
 
     Trusted Path is necessary in order to assure  that  the 
user  is  communicating with the NTCB and only the NTCB when 
ticate  user,  set current session sensitivity level).  How- 
ever, Trusted Path does not  address  communications  within 
the NTCB, only communications between the user and the NTCB. 
communication then the component need not contain mechanisms 
for assuring direct NTCB to user communications. 
 
     The requirement for trusted communication  between  one 
NTCB  partition  and  another NCTB partition is addressed in 
the System  Architecture  section.  These  requirements  are 
this  trusted  communication  between one NTCB partition and 
another NTCB partition will be used in conjunction with  the 
trusted  path to implement trusted communication between the 
user and the remote NTCB partition. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall be able to create, maintain, and protect  from 
modification  or unauthorized access or destruction an audit 
trail of accesses to the objects  it  protects.   The  audit 
s limited to those who are authorized for audit data.   The
TCB  shall  be able to record the following types of events: 
use  of  identification   and   authentication   mechanisms, 
ntroduction  of  objects into a user's address space (e.g.,
file open, program initiation), deletion of objects, actions 
taken by computer operators and system administrators and/or 
events.  The TCB shall also be able to audit any override of 
the audit record shall identify: date and time of the event, 
user, type of event, and success or failure  of  the  event. 
For   identification/authentication  events  the  origin  of 
address space and  for  object  deletion  events  the  audit 
able  to  selectively  audit  the actions of any one or more 
users based on individual identify and/or object sensitivity 
level.     The  TCB  shall  be  able to audit the identified 
events that may  be  used  in  the  exploitation  of  covert 
s able to monitor the occurrence or accumulation  of  secu-
tion of security policy.  This mechanism shall  be  able  to 
mmediately  notify  the  security administrator when thres-
these  security  relevant events continues, the system shall 
take the least disruptive action to terminate the event. 
 
+  Interpretation 
 
     This criterion applies  as  stated.  The  sponsor  must 
not distinguishable by the NTCB  alone  (for  example  those 
dentified in Part II), the audit mechanism shall provide an
nterface, which  an  authorized  subject  can  invoke  with
audit records shall be distinguishable from  those  provided 
by  the  NTCB.   In  the context of a network system, "other 
architecture  and  network security policy) might be as fol- 
lows: 
 
 
        lishing a connection or a connectionless association 
        between processes in two hosts of the  network)  and 
        its  principal parameters (e.g., host identifiers of 
        the two hosts involved in the access event and  user 
        identifier  or  host  identifier of the user or host 
        that is requesting the access event) 
 
        each  access  event  using local time or global syn- 
        chronized time 
 
        ditions   (e.g.,   potential   violation   of   data 
        integrity, such  as  misrouted  datagrams)  detected 
        during the transactions between two hosts 
 
 
        component leaving the network and rejoining) 
 
     In  addition,  identification  information  should   be 
ncluded  in  appropriate audit trail records, as necessary,
to allow association of all  related  (e.g.,  involving  the 
network  system  may  provide  the required audit capability 
(e.g., storage, retrieval, reduction,  analysis)  for  other 
components  that  do  not  internally  store  audit data but 
transmit the audit data to some designated  collection  com- 
audit data due to unavailability of resources. 
 
     In the context of a network system, the "user's address 
events, to include address spaces being employed  on  behalf 
of  a  remote user (or host).  However, the focus remains on 
users in contrast to internal subjects as discussed  in  the 
DAC  criterion.   In  addition,  audit  information  must be 
 
     The capability  must  exist  to  audit  the  identified 
events  that  may  be  used  in  the  exploitation of covert 
must  be able to audit those events locally that may lead to 
the exploitation of a covert  storage  channel  which  exist 
because of the network. 
 
     The  sponsor  shall  identify  the  specific  auditable 
events  that  may indicate an imminent violation of security 
mulation  of such events must be able to notify an appropri- 
ate administrator when thresholds are exceeded, and to  ini- 
tiate  actions which will result in termination of the event 
f the accumulation continues.  For example, when the thres-
s exceeded, login shall be inhibited for  a  specific  time
 
+  Rationale 
 
     For remote users, the network identifiers (e.g., inter- 
net address) can be used as identifiers of groups of indivi- 
maintenance that would be required if individual identifica- 
tion of remote users was employed.  In this class (C2), how- 
ever,  it  must  be  possible to identify (immediately or at 
dentifier.   In all other respects, the interpretation is a
of  a  network  system.   Identification  of  covert channel 
events is addressed in the Covert Channel Analysis section. 
 
     Because of concurrency and synchronization problems, it 
may  not be possible to detect in real time the accumulation 
of security auditable events that are occurring in different 
NTCB partitions.  However, each NTCB partition that has been 
allocated audit responsibility must have the  capability  to 
tition security administrator and/or  the  network  security 
administrator,  and to initiate actions which will result in 
termination of the event locally. 
 
 
_ _ _ _________ 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall maintain a domain for its own  execution  that 
by modification of its code or data  structures).   The  TCB 
nternally  structured into well-defined largely independent
modules.  It shall make effective use of available  hardware 
to separate those elements that are protection-critical from 
those that are not. The TCB modules shall be  designed  such 
that the principle of least privilege is enforced.  Features 
n hardware, such as segmentation, shall be used to  support
logically  distinct storage objects with separate attributes 
(namely: readable, writable).  The user interface to the TCB 
dentified.   The TCB shall be designed  and  structured  to
use  a  complete,  conceptually  simple protection mechanism 
a  central role in enforcing the internal structuring of the 
TCB and the system.  The TCB shall  incorporate  significant 
use  of  layering, abstraction and data hiding.  Significant 
complexity  of  the  TCB  and excluding from the TCB modules 
that are not protection-critical. 
 
+  Interpretation 
 
     The system architecture criterion must be met individu- 
ally by all NTCB partitions.  Implementation of the require- 
ment that the NTCB maintain a domain for its  own  execution 
s  achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis- 
tinct domain in the overall network system, this also satis- 
fies the requirement for process isolation through  distinct 
address  spaces  in  the  special case where a component has 
only a single subject. 
 
     The NTCB  must  be  internally  structured  into  well- 
tion so structured. The NTCB controls all network resources. 
These resources are the union of the sets of resources  over 
nside the NTCB) belonging  to  different  NTCB  partitions,
must  be  protected against external interference or tamper- 
ng.  For example,  a  cryptographic  checksum  or  physical
means  may  be  employed to protect user authentication data 
exchanged between NTCB partitions. 
 
     Each NTCB partition must enforce the principle of least 
be structured so that the principle of  least  privilege  is 
enforced in the system as a whole. 
 
     The NTCB must be designed and structured  according  to 
the network security architecture to use a complete, concep- 
tually simple protection mechanism.  Furthermore, each  NTCB 
 
     Significant  system  engineering  should  be   directed 
toward minimizing the complexity of each NTCB partition, and 
of the NTCB.  Care shall be taken to  exclude  modules  (and 
components) that are not protection-critical from the NTCB. 
 
     It is recognized that some  modules  and/or  components 
may  need  to be included in the NTCB and must meet the NTCB 
modules/components is necessary for the correct operation of 
the  protection-critical  modules  and components.  However, 
the number and size of these  modules/components  should  be 
kept to a minimum. 
 
     Each NTCB partition  provides  isolation  of  resources 
(within  its  component)  in  accord with the network system 
architecture and security policy so  that  "supporting  ele- 
ments"  (e.g., DAC and user identification) for the security 
mechanisms of the network system are  strengthened  compared 
to  C2,  from an assurance point of view, through the provi- 
 
     As discussed in the Discretionary Access  Control  sec- 
tion,  the  DAC  mechanism of a NTCB partition may be imple- 
mented at the interface of the reference monitor or  may  be 
assurance requirements for the design and implementation  of 
the DAC shall be those of class C2 for all networks of class 
C2 or above. 
 
+  Rationale 
 
 
     The  requirement  that  the  NTCB  be  structured  into 
modules  and  meet  the hardware requirements applies within 
the NTCB partitions in the various components. 
 
     The principle of least  privilege  requires  that  each 
user  or other individual with access to the system be given 
only those resources and  authorizations  required  for  the 
n the system it must be enforced in  every  NTCB  partition
that  supports  users  or  other  individuals.  For example, 
NTCB partition (e.g., games) lessens the opportunity of dam- 
age by a Trojan Horse. 
 
     The requirement for the  protection  of  communications 
between NTCB partitions is specifically directed to subjects 
that are part of the NTCB partitions.  Any requirements  for 
 
     There are certain parts of a  network  (modules  and/or 
components)  that  may not appear to be directly protection- 
critical in that they are not  involved  in  access  control 
the  identification/authentication  process.   However,  the 
of these modules and/or components.  An example of this is a 
nvolved directly in enforcing  the  discretionary  security
ferent message streams.  If  the  switch  does  not  operate 
correctly,  data  could  get  mixed, and unauthorized access 
could result.  Therefore, these modules/components  must  be 
ncluded  in  the  NTCB  and must meet the NTCB requirements
applicable to the  policy  element(s)  for  which  they  are 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Hardware and/or software features shall be provided that can 
be  used  to  periodically validate the correct operation of 
the on-site hardware and firmware elements of the TCB. 
 
+  Interpretation 
 
     Implementation of the requirement is partly achieved by 
and  firmware  elements  of each component's NTCB partition. 
Features shall also be provided to validate the identity and 
correct  operation of a component prior to its incorporation 
n the network system and throughout system operation.   For
example,  a protocol could be designed that enables the com- 
cally  and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability 
to  respond. NTCB partitions shall provide the capability to 
 
     Intercomponent  protocols  implemented  within  a  NTCB 
tion in the case of failures of  network  communications  or 
ndividual components.  The allocation of mandatory and dis-
cretionary access control policy in a  network  may  require 
communication  between trusted subjects that are part of the 
NTCB partitions in different components.  This communication 
s normally implemented with a protocol between the subjects
as peer entities.  Incorrect access within a component shall 
not  result from failure of an NTCB partition to communicate 
 
+ Rationale 
 
     The  first  paragraph  of  the  interpretation   is   a 
text of a network system and partitioned NTCB as defined for 
these network criteria. 
 
     NTCB protocols should be robust  enough  so  that  they 
zed failure. The purpose of this protection is to  preserve
the integrity of the NTCB itself.  It is not unusual for one 
or more components in a network to  be  inoperative  at  any 
time,  so  it  is  important to minimize the effects of such 
failures on the rest of the  network.  Additional  integrity 
and denial of service issues are addressed in Part II. 
 
     It should be clear that some integrity  and  denial  of 
cause  denial of service to some extent.  For example, it is 
necessary to "trust"  TELNET  to  correctly  translate  user 
be "trusted" to not inappropriately  modify  files,  and  to 
attempt  to complete the file transfer.  These protocols can 
be designed, however to exist outside the NTCB (from a  pro- 
tection  perspective).   It is beneficial to do this type of 
trusted  to  not disclose data is minimized.  Putting every- 
thing inside the NTCB contradicts the requirement to perform 
"significant  system  engineering  ...   directed toward ... 
excluding from the TCB modules that are not protection crit- 
cal,"  which  removes the primary difference between B2 and
B3.  If everything has to be  in  the  TCB  to  ensure  data 
ntegrity  and  protection  against denial of service, there
tion is maximized. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall conduct  a  thorough  search  for 
covert  channels  and make a determination (either by actual 
measurement or by engineering  estimation)  of  the  maximum 
bandwidth of each identified channel.  (See the Covert Chan- 
nels Guideline section.) FORMAL METHODS SHALL BE USED IN THE 
ANALYSIS. 
 
+ Interpretation 
 
     The requirement, including  the  TCSEC  Covert  Channel 
Guideline,  applies  as  written.   In  a network, there are 
additional instances of covert channels associated with com- 
munication  between components.  THE FORMAL METHODS SHALL BE 
USED IN THE ANALYSIS OF EACH INDIVIDUAL COMPONENT DESIGN AND 
 
+ Rationale 
 
     The exploitation of network protocol information (e.g., 
of frequency of transmission can  result  in  covert  timing 
channels.  The topic has been addressed in the literature.- 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The TCB shall support separate  operator  and  administrator 
functions.   The  functions performed in the role of a secu- 
administrative personnel shall only be able to perform secu- 
able action to assume the security administrator role on the 
ADP system.  Non-security functions that can be performed in 
the  security  administration role shall be limited strictly 
_________________________ 
  - See, for example, Girling, C. G., "Covert  Channels 
n  LAN's,"  IEEE Transactions on Software Engineering,
             ____ ____________ __ ________ ___________ 
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A., 
Snow,  D. P., and Karger, P. A., Limitations of End-to- 
                                 ___________ __ ___ __ 
End  Encryption  in  Secure  Computer  Networks,  MITRE 
___  __________  __  ______  ________  ________ 
Technical  Report,  MTR-3592,  Vol. I, May 1978 (ESD TR 
 
to those essential to performing the  security  role  effec- 
tively. 
 
+ Interpretation 
 
     This requirement applies as written to both the network 
as  a  whole and to individual components which support such 
 
+ Rationale 
 
     It is recognized that based  on  the  allocated  policy 
elements  some  components  may operate with no human inter- 
face. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
that,  after  an  ADP system failure or other discontinuity, 
 
+ Interpretation 
 
     The recovery process must  be  accomplished  without  a 
tinuity of any NTCB partition.  It must also be accomplished 
after a failure of the entire NTCB. 
 
+ Rationale 
 
     This is a straight-forward extension of the requirement 
nto  the network context, and takes into account that it is
continue  to  operate  normally.   This  may  be a security- 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The security mechanisms of the ADP system  shall  be  tested 
and  found to work as claimed in the system documentation. A 
team of individuals who thoroughly understand  the  specific 
mplementation  of the TCB shall subject its design documen-
tation, source code, and object code to through analysis and 
testing.   Their  objectives shall be: to uncover all design 
and implementation flaws that would permit a subject  exter- 
nal  to  the  TCB  to  read, change, or delete data normally 
enforced  by  the  TCB; as well as to assure that no subject 
(without authorization to do so) is able to cause the TCB to 
enter  a state such that it is unable to respond to communi- 
cations initiated by other users. The  TCB  shall  be  found 
that  they  have been eliminated and that new flaws have not 
been introduced. Testing  shall  demonstrate  that  the  TCB 
mplementation  is consistent with the descriptive top-level
correctable implementation flaws may be found during testing 
and there shall be reasonable confidence that few remain. 
MANUAL  OR  OTHER MAPPING OF THE FTLS TO THE SOURCE CODE MAY 
FORM A BASIS FOR PENETRATION TESTING.    (See  the  Security 
Testing Guidelines.) 
 
+  Interpretation 
 
     Testing of a component  will  require  a  testbed  that 
exercises  the  interfaces  and  protocols  of the component 
ncluding tests under exceptional conditions.   The  testing
of  a  security  mechanism of the network system for meeting 
this criterion shall  be  an  integrated  testing  procedure 
nvolving  all  components containing an NTCB partition that
mplement the given mechanism. This  integrated  testing  is
additional to any individual component tests involved in the 
evaluation of the network system.  The sponsor should  iden- 
tify the allowable set of configurations including the sizes 
of the networks.  Analysis or testing procedures  and  tools 
tions.  A change in configuration within the  allowable  set 
of configurations does not require retesting. 
 
     The testing of each component will include  the  intro- 
component that will attempt to read, change, or delete  data 
normally  denied.   If the normal interface to the component 
conduct  such a test, then this portion of the testing shall 
use a special version of the untrusted software for the com- 
The results shall be saved for test analysis.  Such  special 
versions  shall  have an NTCB partition that is identical to 
that for the normal configuration  of  the  component  under 
evaluation. 
 
     The testing of the  mandatory  controls  shall  include 
tests   to  demonstrate  that  the  labels  for  information 
mported and/or exported to/from  the  component  accurately
the component for use as the basis for its mandatory  access 
control  decisions.   The  tests  shall include each type of 
component. 
 
     The NTCB must be found resistant to penetration.   This 
applies  to  the NTCB as a whole, and to each NTCB partition 
n a component of this class.
 
+  Rationale 
 
     The phrase "no subject (without authorization to do so) 
s  able  to  cause the TCB to enter a state such that it is
unable to  respond  to  communications  initiated  by  other 
users"  relates  to  the  security services (Part II of this 
TNI) for the Denial of Service problem, and  to  correctness 
of the protocol implementations. 
 
     Testing  is  an  important  method  available  in  this 
evaluation  division to gain any assurance that the security 
mechanisms perform their intended function.  A major purpose 
of testing is to demonstrate the system's response to inputs 
to the NTCB partition from  untrusted  (and  possibly  mali- 
cious) subjects. 
 
     In contrast to general purpose systems that  allow  for 
the  dynamic  creation of new programs and the introductions 
of new processes (and hence new subjects) with  user  speci- 
fied  security  properities, many network components have no 
method for introducing new programs and/or processes  during 
their  normal  operation.  Therefore, the programs necessary 
for the testing must be introduced as  special  versions  of 
the  software  rather than as the result of normal inputs by 
the test team.  However, it must be insured  that  the  NTCB 
evaluation. 
 
     Sensitivity labels serve a critical role in maintaining 
the  security  of  the mandatory access controls in the net- 
of  the  labels  for  information  communicated between com- 
cit  labels for single-level devices.  Therefore the testing 
for correct labels is highlighted. 
 
     The requirement for testing to demonstrate  consistency 
between  the NTCB implementation and the FTLS is a straight- 
forward extension of the TCSEC requirement into the  context 
of a network system. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A formal model of the security policy supported by  the  TCB 
that is proven and demonstrated to be  consistent  with  its 
axioms.  A descriptive top-level specification (DTLS) of the 
TCB shall  be  maintained  that  completely  and  accurately 
and effects.  A FORMAL TOP-LEVEL SPECIFICATION (FTLS) OF THE 
TCB SHALL BE MAINTAINED THAT ACCURATELY DESCRIBES THE TCB IN 
TERMS OF EXCEPTIONS, ERROR MESSAGES, AND EFFECTS.  THE  DTLS 
AND  FTLS SHALL INCLUDE THOSE COMPONENTS OF THE TCB THAT ARE 
ARE  VISIBLE  AT THE TCB INTERFACE.  THE FTLS SHALL BE SHOWN 
to be an accurate description of the TCB interface.  A  con- 
vincing  argument shall be given that the DTLS is consistent 
TECHNIQUES SHALL BE USED TO SHOW THAT THE FTLS IS CONSISTENT 
WITH THE MODEL.  THIS VERIFICATION EVIDENCE  SHALL  BE  CON- 
SISTENT  WITH  THAT  PROVIDED WITHIN THE STATE-OF-THE-ART OF 
THE PARTICULAR NATIONAL  COMPUTER  SECURITY  CENTER-ENDORSED 
FORMAL  SPECIFICATION  AND VERIFICATION SYSTEM USED.  MANUAL 
OR OTHER MAPPING OF THE FTLS TO THE TCB SOURCE CODE SHALL BE 
 
+  Interpretation 
 
     The overall network security policy expressed  in  this 
model  will  provide the basis for the mandatory access con- 
trol policy exercised by the NTCB over subjects and  storage 
objects  in the entire network.  The policy will also be the 
basis for the discretionary access control policy  exercised 
by  the  NTCB  to  control  access  of  named users to named 
objects.  Data integrity requirements addressing the effects 
of unauthorized MSM need not be included in this model.  The 
overall network policy must be decomposed into  policy  ele- 
ments  that are allocated to appropriate components and used 
as the basis for the security policy model  for  those  com- 
 
     The level of abstraction of the model, and the  set  of 
model, will be affected by the NTCB partitioning.   Subjects 
and  objects must be represented explicitly in the model for 
the partition if there is some network component whose  NTCB 
ble  to  individual network components are manifest.  Global 
network policy elements that  are  allocated  to  components 
 
     AN FTLS FOR A NETWORK CONSISTS OF A COMPONENT FTLS  FOR 
EACH  UNIQUE  TRUSTED  NETWORK  COMPONENT,  PLUS  ANY GLOBAL 
DECLARATIONS AND ASSERTIONS THAT APPLY TO MORE THAN ONE COM- 
GLOBAL MANDATORY POLICY  ELEMENTS  ALLOCATED  TO  THAT  COM- 
SHARED  DECLARATIONS,  IS  THE NETWORK FTLS.  EACH COMPONENT 
FTLS SHALL DESCRIBE THE INTERFACE TO THE NTCB  PARTITION  OF 
 
+ Rationale 
 
     The treatment of the model depends to a great extent on 
the degree of integration of the communications service into 
a distributed system. In a closely coupled distributed  sys- 
tem,  one  might  use  a  model  that  closely resembles one 
appropriate for a stand-alone computer system. 
 
     In all cases, the  model  of  each  partition  will  be 
expected to show the role of the NTCB partition in each kind 
of component.   It  will  most  likely  clarify  the  model, 
although  not part of the model, to show access restrictions 
mplied  by  the  system  design;  for   example,   subjects
objects containing data units at the same layer of protocol. 
The  allocation of subjects and  objects to different proto- 
col layers is a protocol design choice which  need  not   be 
 
     THE FTLS MUST REPRESENT THE UNDERLYING REFERENCE  MONI- 
TOR  AND  ANY  SUBJECTS  IMPLEMENTING  THE MANDATORY POLICY. 
OTHER POLICY ELEMENTS DISTRIBUTED IN NTCB SUBJECTS (SEE  THE 
REPRESENTED BY THE FTLS. 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
During  THE  ENTIRE  LIFE-CYCLE,  I.E.  DURING  THE  DESIGN, 
DEVELOPMENT,  and  maintenance  of  the TCB, a configuration 
management system  shall  be  in  place  FOR  ALL  SECURITY- 
RELEVANT  HARDWARE,  FIRMWARE,  AND  SOFTWARE that maintains 
control of changes to THE FORMAL MODEL, the descriptive  AND 
FORMAL  top-level  SPECIFICATIONS, other design data, imple- 
mentation documentation, source code, the running version of 
the  object  code, and test fixtures and documentation.  The 
configuration management system shall  assure  a  consistent 
mapping among all documentation and code associated with the 
current version of the TCB.  Tools  shall  be  provided  for 
Also available shall be tools, MAINTAINED UNDER STRICT  CON- 
FIGURATION  CONTROL, for comparing a newly generated version 
only  the  intended  changes have been made in the code that 
BINATION  OF TECHNICAL, PHYSICAL, AND PROCEDURAL SAFEGUARDS 
SHALL BE USED TO PROTECT FROM UNAUTHORIZED  MODIFICATION  OR 
DESTRUCTION  THE  MASTER COPY OR COPIES OF ALL MATERIAL USED 
TO GENERATE THE TCB. 
 
+  Interpretation 
 
     The requirement applies as written, with the  following 
extensions: 
 
        for each NTCB partition. 
 
        entire system.  If the configuration management sys- 
        tem is made up of the conglomeration of  the  confi- 
        guration management systems of the various NTCB par- 
        titions, then the configuration management plan must 
        address  the  issue  of how configuration control is 
        applied to the system as a whole. 
 
     ALL MATERIAL USED IN GENERATING A NEW  VERSION  OF  THE 
NTCB  AND  EACH NTCB PARTITION MUST BE PROTECTED, REGARDLESS 
OF WHERE IT PHYSICALLY RESIDES. 
 
+ Rationale 
 
     Each NTCB partition must have a  configuration  manage- 
ment  system  in place, or else there will be no way for the 
NTCB as a whole to have an effective  configuration  manage- 
ment system.  The other extensions are merely reflections of 
the way that networks operate in practice. 
 
     THIS NEW REQUIREMENT EXPLICITLY MANDATES THE PROTECTION 
OF  MATERIAL  USED  TO GENERATE AN NTCB PARTITION, EVEN WHEN 
THE GENERATION OCCURS BY DOWN-LINE LOADING OF A REMOTE  COM- 
 
 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A TRUSTED ADP SYSTEM CONTROL AND DISTRIBUTION FACILITY SHALL 
BE  PROVIDED  FOR  MAINTAINING  THE INTEGRITY OF THE MAPPING 
BETWEEN THE MASTER DATA DESCRIBING THE  CURRENT  VERSION  OF 
THE  TCB  AND  THE  ON-SITE  MASTER COPY OF THE CODE FOR THE 
CURRENT VERSION.  PROCEDURES (E.G., SITE SECURITY ACCEPTANCE 
TESTING)  SHALL  EXIST  FOR  ASSURING THAT THE TCB SOFTWARE, 
FIRMWARE, AND HARDWARE UPDATES DISTRIBUTED TO A CUSTOMER ARE 
EXACTLY AS SPECIFIED BY THE MASTER COPIES. 
 
+ Interpretation 
 
     THIS REQUIREMENT APPLIES AS STATED, WITH THE ADDITIONAL 
REQUIREMENT  THAT,  IF DOWN-LINE LOADING IS USED, THERE MUST 
BE A TRUSTED METHOD OF GENERATING, SENDING, AND LOADING  ANY 
SOFTWARE INVOLVED. 
 
+ Rationale 
 
     THIS IS A STRAIGHTFORWARD EXTENSION OF THE  REQUIREMENT 
 
 
_ _ _ _____________ 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A single summary, chapter, or manual in  user  documentation 
TCB, interpretations on their use,  and  how  they  interact 
 
+  Interpretation 
 
     This user documentation describes user visible  protec- 
tion  mechanisms at the global (network system) level and at 
the user interface of each component,  and  the  interaction 
among these. 
 
+  Rationale 
 
     The interpretation is an extension of  the  requirement 
nto  the  context  of a network system as defined for these
network criteria.  Documentation  of  protection  mechanisms 
teria for trusted  computer  systems  that  are  applied  as 
appropriate for the individual components. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
A manual addressed to the  ADP  system  administrator  shall 
be controlled when running a secure facility. The procedures 
for examining and maintaining the audit files as well as the 
administrator functions  related  to  security,  to  include 
changing  the  security characteristics of a user.  It shall 
of the protection features of the system, how they interact, 
to operate the facility in a secure manner. The TCB  modules 
that  contain  the  reference  validation mechanism shall be 
dentified.  The procedures for secure generation of  a  new
TCB from source after modification of any modules in the TCB 
ensure  that  the  system  is  initially started in a secure 
manner.  Procedures shall also be included to resume  secure 
 
+ Interpretation 
 
     This manual shall contain specifications and procedures 
to assist the system administrator(s) maintain cognizance of 
the network configuration.  These  specifications  and  pro- 
cedures shall address the following: 
 
 
        network; 
 
        leave  the  network  (e.g., by crashing, or by being 
        disconnected) and then rejoin; 
 
        security  of  the  network system; (For example, the 
        manual  should  describe  for  the  network   system 
        administrator  the interconnections among components 
        that are consistent with the overall network  system 
        architecture.) 
 
        (e.g., down-line loading). 
 
        indicate  which components of the network may change 
        without others also changing. 
 
     The physical and administrative environmental  controls 
all  communications  links must be physically protected to a 
certain level). 
 
     The components of the network that form the  NTCB  must 
be identified.  Furthermore, the modules within an NTCB par- 
tition that contain the reference validation  mechanism  (if 
any) within that partition must be identified. 
 
     The procedures for the secure generation of a new  ver- 
 
     Procedures for starting each NTCB partition in a secure 
to resume secure operation of each NTCB partition and/or the 
NTCB after any lapse in system or subsystem operation. 
 
+ Rationale 
 
     There  may  be  multiple  system  administrators   with 
other  forms of security in order to achieve security of the 
network.  Additional forms include administrative  security, 
 
     Extension of  this  criterion  to  cover  configuration 
aspects  of  the  network  is  needed  because, for example, 
to  achieve  a  correct realization of the network architec- 
ture. 
 
     As mentioned in the section on Label  Integrity,  cryp- 
tography is one common mechanism employed to protect commun- 
cation circuits.  Encryption transforms the  representation
of  information so that it is unintelligible to unauthorized 
of the ciphertext is generally lower than the cleartext.  If 
encryption  methodologies  are  employed,  they   shall   be 
approved by the National Security Agency (NSA). 
 
     The encryption algorithm  and  its  implementation  are 
outside  the scope of these interpretations.  This algorithm 
and implementation may be implemented in a  separate  device 
or  may  be a function of a subject in a component not dedi- 
cated to encryption.  Without prejudice, either  implementa- 
tion  packaging  is  referred  to as an encryption mechanism 
 
     The requirements for descriptions  of  NTCB  generation 
and  identification  of modules and components that form the 
NTCB are straightforward extensions of  the  TCSEC  require- 
ments  into  the  network context.  In those cases where the 
vendor does not provide source code, an acceptable procedure 
tion. 
 
     Given the nature of network systems (e.g., various com- 
s  imperative to know both how to securely start up an NTCB
necessary to know how to resume secure operation of the NTCB 
after any partition has been down. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
The system developer shall provide to the evaluators a docu- 
ment that describes the test plan, test procedures that show 
SOURCE CODE SHALL BE GIVEN. 
 
 
+  Interpretation 
 
     The "system developer" is interpreted as  "the  network 
establish the context in which the testing was or should  be 
conducted.   The  description should identify any additional 
test components that  are  not  part  of  the  system  being 
evaluated.  This includes a description of the test-relevant 
functions of such test components and a description  of  the 
nterfacing  of  those  test  components to the system being
evaluated.  The description of the  test  plan  should  also 
configuration and sizing. 
 
     THE MAPPING BETWEEN THE FTLS AND THE NTCB  SOURCE  CODE 
MUST  BE  CHECKED  TO ENSURE TO THE EXTENT POSSIBLE THAT THE 
FTLS IS A CORRECT REPRESENTATION OF  THE  SOURCE  CODE,  AND 
THAT THE FTLS HAS BEEN STRICTLY ADHERED TO DURING THE DESIGN 
AND DEVELOPMENT OF THE NETWORK SYSTEM.  THIS CHECK  MUST  BE 
DONE  FOR  EACH COMPONENT OF THE NETWORK SYSTEM FOR WHICH AN 
FTLS EXISTS. 
 
+  Rationale 
 
     The entity being evaluated may be a networking  subsys- 
tem (see Appendix A) to which other components must be added 
to make a  complete  network  system.  In  that  case,  this 
nterpretation  is extended to include contextual definition
because, at evaluation time, it is not possible to  validate 
the  test  plans  without the description of the context for 
testing the networking subsystem. 
 
     The bandwidths of covert channels are used to determine 
the suitability of a network system for a given environment. 
The effectiveness  of  the  methods  used  to  reduce  these 
bandwidths must therefore be accurately determined. 
 
 
 
+ Statement from DoD 5200.28-STD 
 
Documentation shall be available that provides a description 
of the manufacturer's philosophy of protection and an expla- 
nation of how this philosophy is translated  into  the  TCB. 
The  interfaces between the TCB modules shall be described. 
A formal description of the security policy  model  enforced 
by the TCB shall be available and an explanation provided to 
The  specific  TCB protection mechanisms shall be identified 
and an explanation given  to  show  that  they  satisfy  the 
model.  The descriptive top-level specification (DTLS) shall 
be shown to be an accurate description of the TCB interface. 
Documentation  shall  describe  how  the  TCB implements the 
tamper  resistant,  cannot  be  bypassed,  and  is correctly 
mplemented. The  TCB  implementation  (i.e.,  in  hardware,
firmware, and software) shall be informally shown to be con- 
elements  of  the  FTLS shall be shown, using informal tech- 
niques, to correspond to the elements of the TCB.   Documen- 
tation  shall  describe how the TCB is structured to facili- 
tate testing and to enforce least privilege.  This  documen- 
tation  shall also present the results of the covert channel 
analysis and the tradeoffs involved in restricting the chan- 
nels.   All auditable events that may be used in the exploi- 
tation of known covert storage channels shall be identified. 
The  bandwidths of known covert storage channels, the use of 
HARDWARE, FIRMWARE, AND SOFTWARE MECHANISMS NOT  DEALT  WITH 
REGISTERS,  DIRECT  MEMORY  ACCESS  I/O)  SHALL  BE  CLEARLY 
DESCRIBED. 
 
+  Interpretation 
 
     Explanation of how the sponsor's philosophy of  protec- 
tion is translated into the NTCB shall include a description 
of how the NTCB is partitioned.  The  security  policy  also 
the NTCB modules shall include the interface(s) between NTCB 
exist.  The sponsor shall describe the security architecture 
and  design,  including  the allocation of security require- 
ments among components. 
 
     The documentation includes both  a  system  description 
and  a  set  of  component  DTLS's.   The system description 
addresses the network security architecture  and  design  by 
ones are trusted, and in what way  they  must  cooperate  to 
be provided for each trusted network component,  i.e.,  each 
component containing an NTCB partition.  Each component DTLS 
component.  Both  the  system description and each component 
DTLS shall be shown consistent with those assertions in  the 
model  that  apply  to  it.   Appendix A addresses component 
evaluation issues. 
 
     To show the correspondence between  the  FTLS  and  the 
NTCB  implementation,  it  suffices  to  show correspondence 
between each component FTLS and the NTCB partition  in  that 
component. 
 
     As stated in the introduction to Division B, the  spon- 
monitor concept.  The security policy model must be a  model 
for a reference monitor. 
 
     The security policy model for each partition implement- 
ng  a  reference  monitor  shall fully represent the access
control policy supported by  the  partition,  including  the 
and/or integrity.  For the mandatory policy the single domi- 
nance  relation  for  sensitivity  labels, including secrecy 
and/or integrity components, shall be precisely defined. 
 
+  Rationale 
 
     The interpretation is a  straightforward  extension  of 
the  requirement  into  the  context  of a network system as 
tion,  such  as description of components and description of 
operating environment(s) in which the  networking  subsystem 
or network system is designed to function, is required else- 
 
     In order to be evaluated,  a  network  must  possess  a 
coherent  Network Security Architecture and Design.  (Inter- 
connection of components that do not adhere to such a single 
coherent  Network  Security Architecture is addressed in the 
Security  Architecture  must  address  the security-relevant 
Design  specifies  the  interfaces and services that must be 
ncorporated into the network so that it can be evaluated as
a  trusted  entity.  There may be multiple designs that con- 
form to the same architecture but are more or less  incompa- 
tible and non-interoperable (except through the Interconnec- 
tion Rules).  Security related mechanisms requiring coopera- 
tion  among  components are specified in the design in terms 
of their visible interfaces; mechanisms  having  no  visible 
nterfaces  are  not specified in this document but are left
as implementation decisions. 
 
     The Network Security Architecture and  Design  must  be 
available  from the network sponsor before evaluation of the 
network, or any component, can be undertaken.   The  Network 
Security  Architecture  and Design must be sufficiently com- 
the  construction  or assembly of a trusted network based on 
the structure it specifies. 
 
     When a component is being  designed  or  presented  for 
evaluation,  or  when a network assembled from components is 
assembled or presented  for  evaluation,  there  must  be  a 
Design are satisfied.  That is, the components can be assem- 
bled into a network that conforms in every way with the Net- 
tion indicates. 
 
     In order for a trusted network to be  constructed  from 
components  that  can  be  built  independently, the Network 
Security  Architecture  and  Design  must   completely   and 
unambiguously  define  the  security  functionality  of com- 
be evaluated to determine that a network constructed to  its 
evaluatable under these interpretations. 
 
 
     The term "model" is used in several different ways in a 
network context, e.g., a "protocol reference model," a "for- 
mal network model," etc. Only the "security policy model" is 
addressed  by  this requirement and is specifically intended 
to model the interface, viz., "security perimeter,"  of  the 
n the TCSEC.  It must be shown that all parts  of  the  TCB
are  a  valid  interpretation  of the security policy model, 
.e., that there is no change to the secure state except  as
             Part II:   Other Security Services
             ____ __    _____ ________ ________
_   ____________
     Part I of this Interpretation contains  interpretations
of the Department of Defense Trusted Computer System Evalua-
tion Criteria (TCSEC), DOD 5200.28-STD.  Part I  deals  with
controlling  access  to information.  Part II contains addi-
tional network security concerns.  These concerns  differen-
tiate the network environment from the stand-alone computer.
Some concerns take on increased significance in the  network
environment; other concerns do not exist on stand-alone com-
analysis underlying Part I.  The criteria in  this  Part  II
address  these  concerns  in the form of additional security
between Part I and Part II is minimized as much as possible.
However, when an overlap occurs the association between  the
concerns  addressed  in both parts is defined.  Part II ser-
vices may be provided by mechanisms outside the NTCB.
_ _   _______ ___ _____
     This Part II addresses network security  disjoint  from
as  a  basis  for  the Part II evaluation.  Part II includes
teria.   As described below, Part II evaluations differ from
ever:  to  provide guidance to network managers and accredi-
tors as to the reliance they can place in security services.
These  evaluations  are  input to the accreditor's decisions
concerning the  operational  mode  and  range  of  sensitive
nformation entrusted to the network.
     The network sponsor shall identify  the  security  ser-
vices offered by his system or component(s).  Those services
_ _   ________ ____
     The general form of Part II criteria  is  a  relatively
brief  statement, followed by a discussion of functionality,
     Functionality refers to the objective and approach of a
     _____________
formance.  Alternative approaches to achieving  the  desired
functionality may be more suitable in different applications
environments.
     Strength of mechanism refers to  how  well  a  specific
     ________ __ _________
approach may be expected to achieve its objectives.  In some
cases selection of parameters, such as number of  bits  used
n  a  checksum  or  the  number  of permutations used in an
encryption algorithm, can significantly affect  strength  of
mechanism.
     Assurance refers to a  basis  for  believing  that  the
     _________
functionality  will  be  achieved; it includes tamper resis-
tance, verifiability, and resistance  against  circumvention
or bypass.  Assurance is generally based on analysis involv-
ng theory, testing, software  engineering,  validation  and
verification,  and  related approaches.  The analysis may be
formal or informal, theoretical or applied.
     For example, consider communications integrity  protec-
tion  against  message stream modification.  A functionality
correction;  also one may select whether it is sufficient to
fied  duration,  or a specified probability of an undetected
error.  Available mechanisms  include  parity,  longitudinal
cryptographic checkfunction.  The strength  of  the  CRC  is
measured  in the probability of an undetected error; this is
There is no assurance of security associated with any of the
mentioned  mechanisms  except  cryptographic  checkfunction.
The  algorithms  are  well  known; an adversary could change
message  contents  and  recalculate  the   non-cryptographic
checkfunction.  The recipient would calculate the checkfunc-
tion and not discover that the message had been manipulated.
A  cryptographic  checkfunction  would  be resistant to such
manipulation.
_ _   __________ _______
     Part II evaluations are qualitative, as  compared  with
the  hierarchically-ordered  ratings  (e.g.,  C1,  C2,  ...)
                                              ____  _______
fair, and good.  Services not offered by the sponsor will be
____      ____
assigned a rating of not offered.  For some services it will
                     ___ _______
be most meaningful to assign a rating of  none  or  present.
                                                    _______
The  term  none  is  used  when  the security service is not
offered.  In some cases the functionality evaluations may be
limited to present or none.
     The assurance rating for each service is bounded by the
ntegrity of the service depends on the  protection  of  the
NTCB.   Table  II-1  relates the Part II assurance rating to
the minimum corresponding Part I evaluation ratings.
     These Part II evaluations tend to be  more  qualitative
and  subjective,  and will exhibit greater variance than the
valuable  information  concerning  the  capabilities  of the
evaluated systems and their suitability for specific  appli-
cations environments.  If functionality, strength of mechan-
sm, and assurance are separately evaluated then a term  may
be  applied to each. In some cases the strength of mechanism
may be expressed quantitatively as a natural consequence  of
the  technology (e.g., the number of bits in a CRC, the par-
ticular function employed);  this  quantitative  measure  of
     The Part II evaluations may also be expected to exhibit
a  greater  sensitivity  to  technological advances than the
vices as compared to the theoretical foundation of  Part  I.
Research  advances  may  help change this situation.  As the
tions may also be expected to increase.  Therefore, a rating
may become dated and may change upon reevaluation.
     In  general,  mechanisms  that  only  protect   against
accidents  and  malfunctions cannot achieve an evaluation of
vide  protection  against  deliberate  attacks  in  order to
obtain at least a good evaluation.
     The summary report of a network  product  will  contain
the  rating  reflecting  the Part I evaluation plus a paired
list of Part II services and the evaluation for  each.   For
example, network product XYZ might be rated as follows: [B2,
offered,  security service-3: none, ... ,security service-n:
(functionality:   good,   strength   of   mechanism:   fair,
assurance: good)].  In some cases where the security service
s addressed  outside  this  document  (e.g.,  COMSEC),  the
evaluation  from the external source may be reflected in the
evaluation report.  In  such  cases,  the  terms  used  will
_ _   ____________ __ ___ ___ ____________
     An effort is underway to extend  the  ISO  Open  System
appropriately  in  the circumstances for which protection of
communications between open systems is  required."  -  Fami-
liarity  with OSI terminology is assumed in this discussion.
The scope of this  security  addendum  "provides  a  general
_________________________
  - ISO 7498/Part 2 - Security Architecture, ISO  /  TC
    ___ ____ ____ _   ________ ____________
the  positions within the Reference Model where the services
and mechanisms may be provided."
     There is considerable overlap between the OSI  Security
Addendum and Part II.  At the time of writing, the OSI docu-
ment is evolving, making it difficult to exactly define  the
to be modified in the future.
     Some of the security services  identified  in  the  OSI
Security  Addendum are covered by Part I of this Interpreta-
tion; others are addressed in Part II.  The emphasis  is  on
making  sure that all services are covered.  The distinction
between the security service and the mechanism  that  imple-
ments the service is less strong in this Interpretation than
n the OSI Security Addendum.  The  OSI  Addendum  generally
addresses  Functionality, occasionally addresses Strength of
Mechanism, and rarely addresses  Assurance,  while  in  this
factor.
     The scope of the OSI Security Addendum is limited: "OSI
Security  is  not concerned with security measures needed in
end systems, installations and  organizations  except  where
these  have implications on the choice and position of secu-
tation include OSI concerns as a proper subset.
_ _   _________ ________ ________ ___ _ ________ ___________
     The enumeration of security  services  in  Part  II  is
choose to employ  in  a  specific  network  for  a  specific
environment.   But not all security services will be equally
mportant in a specific environment, nor will their relative
mportance  be  the  same among different environments.  The
network management has to decide whether the rating achieved
by  a  network product for a specific criterion is satisfac-
tory for the application environment.
     As an abstract example, consider  the  network  product
minimum,  security  service-2:  not  offered,  ...  ].   The
management  of network K may decide that they do not require
effect  the  acceptability  of the XYZ product; however, the
management of network Q may decide that  security  service-2
s  essential,  so  the absence of this service disqualifies
than good is  unacceptable,  thereby  disqualifying  product
     As a more concrete  example,  consider  an  application
environment  where  wire-tapping  is  not  a threat, such as
aboard an airplane or in an  underground  bunker.   A  Local
Area  Network (LAN) in such an environment can be physically
tion because the system exists within a protected perimeter.
and  access  control based on labels provide sufficient pro-
tection  if  sufficient  mechanisms  exist  to  protect  the
ntegrity  of  the  labels.   Cryptographic  mechanisms  are
environment  involves  passage  through  unprotected  space,
management may decide that a LAN must provide integrity pro-
tection employing a cryptographic mechanism.
_   _______ _________ __________
     This section addresses assurance approaches  applicable
to many security services.
     The logic of the protocols and  the  implementation  of
countermeasures may be shown correct and effective by formal
methods where possible (i.e., where tools exist) and  infor-
mal ones otherwise.
     To provide assurance  that  the  security  service  can
methods of  real  and  simulated  testing  can  be  applied,
ncluding:
     1.   Functional testing
     2.   Periodic testing
     3.   Penetration testing
     4.   Stress testing
     5.   Protocol testing for deadlock, liveness, and other
          security properties of the protocol suites
     In addition, the trusted computer base provides an exe-
cution  environment  that is extremely valuable in enhancing
the assurance of a variety of security services.   The  dis-
cretionary  and mandatory access controls can be employed in
the design and implementation of these services to segregate
unrelated  services.   Thus,  service implementation that is
complex and error-prone or obtained from an unevaluated sup-
TCB  ensures  that  the basic protection of the security and
ntegrity- of the information entrusted to  the  network  is
not  diluted by various supporting security services identi-
fied in this Part II.  See also the discussion of  Integrity
n the Supportive Primitives section.
     In general, assurance may be provided  by  implementing
these features in a limited set of subjects in each applica-
ble NTCB partition whose code and data have a unique  manda-
tory  integrity  level  to protect against circumvention and
tampering.
_________________________
  - See, for example, Biba, K.J., "Integrity Considera-
tion  for Secure Computer Systems," ESD-TR-76-372, MTR-
     Assurance of trustworthiness of the design  and  imple-
mentation  of  Part  II  mechanisms  may  be  related to the
assurance requirements in Part I.  The following factors are
dentified  as contributing to an assurance evaluation: ser-
vice design  and  implementation,  service  testing,  design
and distribution.
_ _   _______ ______ ___ ______________ _______
     An evaluation rating of fair indicates that the  imple-
mentation  of  the service employs the provisions of the TCB
for a distinct address space.  In addition, the  implementa-
tion  of  the  service  is  internally structured into well-
available  hardware  to  separate  those  elements  that are
s  designed  such  that the principle of least privilege is
enforced; and the user interface is completely  defined  and
all elements relevant to the service are identified.
     An evaluation rating of good indicates  that  the  ser-
vice, in addition, incorporates significant use of layering,
abstraction and data hiding; and employs significant  system
engineering   directed   toward  minimizing  complexity  and
_ _   _______ _______ _______
     With respect to  security  testing,  an  evaluation  of
minimum  indicates  that the service was tested and found to
unauthorized user to bypass or otherwise defeat the security
constraints  and  objectives;  and  that  testing included a
mproper modification of data used by the service, either by
external software or by errors in the implementation of  the
     An evaluation rating of fair indicates that,  in  addi-
tion  to  the  minimum  factors,  a  team of individuals who
thoroughly understand the specific implementation  subjected
ts  design  documentation,  source code, and object code to
through analysis and testing with the objectives of uncover-
ng  all design and implementation flaws that would permit a
the purpose of the service.   A  fair  evaluation  indicates
that  all  discovered  flaws were removed or neutralized and
the system retested to demonstrate that they have been elim-
nated  and that new flaws have not been introduced. Testing
     An evaluation  rating of good indicates that, in  addi-
tion  to  the  fair factors, the system is more resistant to
a  few  correctable  implementation  flaws were found during
testing and there is reasonable confidence that few  remain.
Manual  or other mapping of the specifications to the source
code may form a basis for testing.
_ _   ______ _____________ ___ ____________ _______
     With respect to design specification and  verification,
an  evaluation  rating of minimum indicates that an informal
model of the properties of the service  is  maintained  over
the  life  cycle of the system.  Additional requirements for
an evaluation rating of fair have not been defined.
     An evaluation rating of good indicates that,  in  addi-
tion,  a  formal  model  of the properties of the service is
maintained over the life cycle  of  the  system  and  demon-
maintained  that  completely  and accurately describes it in
terms of exceptions, error messages, and effects.
_ _   _____________ __________ _______
     With respect to configuration management, an evaluation
maintenance of the service, a configuration management  sys-
tem  was  in  place  that  maintained  control of changes to
tion,  source  code, the running version of the object code,
test fixtures, test code, and documentation.
     An evaluation rating of fair indicates that,  in  addi-
tion,  the  configuration  management  system assures a con-
newly generated version with the previous version  in  order
to  ascertain  that only the intended changes have been made
n the code.
     An evaluation rating of good indicates that,  in  addi-
tion,   configuration  management  covers  the  entire life-
cycle; that it applies to all firmware,  and  hardware  that
unauthorized  modification or destruction the master copy or
copies of all material used to generate  the  implementation
of the service.
_ _   ____________ _______
     There are currently no  requirements  for  minimum  and
fair evaluation ratings.
     With respect to distribution, an evaluation  rating  of
between  the  master  data describing the current version of
the service and the master copy of the code for the  current
version.   Procedures  (e.g., site security acceptance test-
ng) shall exist for assuring that the  software,  firmware,
and hardware updates distributed are exactly as specified by
the master copies.
_   __________ __________
     This  subsection  describes  mechanisms  and  assurance
techniques  that  apply  across  multiple security services.
They are grouped  together  here  for  convenience  and  are
     Encryption is a pervasive mechanism for  many  security
The information in this Section 7 is provided as  background
and support for the services addressed in Section 8.
_ _   ___ __________ _________
_ _ _   _____________ _______
     Encryption is a tool for protecting data from  comprom-
se  or  modification  attacks.  Through its use, release of
message content and traffic analysis can be prevented;  mes-
and masquerading can be detected. For example, an ISO  docu-
ment-, describing the use of encipherment techniques in com-
munications  architectures,  has  been  published  as a U.S.
member body contribution for consideration as  cryptographic
environment.  Encryption is probably the most important  and
threat; sometimes it is even confused with being a service.
     Use of the encryption mechanism leads to a  requirement
for  key  management  (e.g.,  manually or in the form of key
_ _ _   ________ __ _________ _______
     The strength of a cryptographic cipher is determined by
mathematical and statistical analysis; the results are typi-
cally expressed in the workfunction required  for  unauthor-
zed decryption.  In many cases this analysis is classified;
the results are available only as a statement of the highest
level  of  classified  data which may be protected by use of
the mechanism.
     When encryption is used in networks, it may be combined
logic,  and the adequacy of implementation, are primary fac-
tors in assessing the strength of Data Confidentiality using
_________________________
  - Addendum to the Transport Layer Protocol Definition
    ________ __ ___ _________ _____ ________ __________
for  Providing  Connection  Oriented End-to-End Crypto-
___  _________  __________  ________ ___ __ ___ ______
_______ ____ __________ _____ _  __ ___  _____  ______
cryptography techniques.  Algorithms  are  characterized  by
the  National  Security Agency on a pass/fail basis in terms
of the sensitivity of the information which  the  encryption
algorithm is approved to protect.
_ _ _   _________ _______
     The analysis of encryption  techniques  is  quite  dif-
ferent  from the formal specification and verification tech-
nology employed as the basis of trust in the TCSEC.  Much of
this  analysis  is  classified.  Consequently,  assurance of
encryption techniques will be provided by the National Secu-
be given.
_ _   _________
_ _ _   _____________ _______
     Protocols are a set of rules and formats (semantic  and
entities in a network.  Their design and  implementation  is
crucial to the correct, efficient, and effective transfer of
nformation among network systems and sub-systems.
     Many network security services are implemented with the
tocol result in failures and deficiencies  in  the  security
     One class of design, or logical, deficiencies in proto-
cols  are  those  having some form of denial of service as a
consequence.   This  class  includes  deadlocks,  livelocks,
unspecified receptions, lack-of-liveness, and non-executable
nteractions. A protocol with one of these design flaws  can
cease  to function under circumstances that can occur during
normal operation but  which  were  not  anticipated  by  the
     Another class of design concerns are typical of  proto-
cols   that  must  work  despite  various  kinds  of  random
nterference or communication difficulties, such  as  noise,
message  loss,  and  message reordering.  It should be noted
that most networks are designed in  a  layered  fashion,  in
that  if one layer provides protection from certain types of
communication difficulties, higher layers need  not  address
those problems in their design.
     A third class of design deficiency might occur in  pro-
tocols  that  are  expected to work in the presence of mali-
cious interference, such as active wiretapping.  Such proto-
cols  should  have  countermeasures  against  Message Stream
Modification (MSM) attacks.
_ _ _   ________ __ _________ _______
     Protocol deficiencies may lie either in their design or
their  implementation.   By  an implementation deficiency is
meant a lack of correspondence between a protocol specifica-
tion and its implementation in software.
_ _ _   _________ _______
     Assurances  of  implementation   correctness   may   be
addressed  by  techniques  such  as design specification and
verification, and testing.
     Ideally, all of the network protocol functions would be
verified  to  operate  correctly.  However,  verification of
large amounts of code is  prohibitively  expensive  (if  not
mpossible)  at the current state-of-the-art, so the code to
be verified must be kept to an absolute  minimum.  It  seems
feasible to split up a complex protocol (e.g., the TCP) into
trusted  portions  (i.e.,   the   software   that   performs
other software) so that only the  security-related  portions
must  be shown to meet the requirements of Part I.  However,
there is a general concern about the extent to which trusted
untrusted portions.
     Methods for assuring the design correctness  of  proto-
cols  involve  the  use  of  tools  and techniques specially
oriented toward the kinds of problems peculiar to protocols.
Either formal methods, or testing, or both, may be used.
     Some assurance in design correctness  may  be  obtained
model or technique found in the literature if it is known to
address  the  kinds  of  problems  likely  to  arise.   This
assurance is lessened to the extent that the actual protocol
_ _ _ _   ______ _______
     Formal techniques of protocol definition and validation
actual  protocols  to  verify  the  absence  of   deadlocks,
livelocks, and incompleteness for design verification.  When
the state-of-the-art of formal tools is inadequate, or  when
the  sponsor  decides  not  to employ formal tools, informal
methods may be used.  The evaluation of protocol  specifica-
tion  and verification should indicate which assurance tools
     Formal methods for protocol specification and verifica-
tion  are typically based on a finite-state machine concept,
extended in one of various ways to represent the concurrency
and  communication  properties  characteristic  of networks.
Communicating sequential machines and Petri nets  have  been
used  as  a  functional  modeling context for protocols, and
experimental automated verification  tools  based  on  these
models  have been developed.  Different models and tools may
need to be used depending on the design objective for  which
assurance is desired.
     To the extent that the protocol model  and  implementa-
tion  permit  separation  by  layers,  the functional model,
applied  to  individual  layers  or sets of adjacent layers.
Generally, the assurances obtained about  protocols  in  one
layer  are  conditional  on,  or relative to, assurances for
_ _ _ _   _______
     Protocol  testing  is  another  method  to  assure  the
correctness of the protocols other than formal verification.
conformance  to  standards such as X.25, TCP, and TP4 with a
moderate level of success.
     The type of testing called for can be  referred  to  as
conformance testing and penetration testing.  The purpose of
fidence on the correct operation of the protocols.
     Objectives should be to uncover design and  implementa-
tion  flaws  that would cause the protocols to perform their
functions incorrectly,  and  to  determine  if  the  Message
Stream  Modification (MSM) countermeasures are effective, if
applicable.  They may attempt to uncover all kinds of  logi-
cal  deficiencies, such as deadlocks, livelocks, unspecified
tions.   All  discovered  flaws  should be corrected and the
mplementations retested to demonstrate that they have  been
eliminated and that new flaws have not been introduced.  For
a successful conclusion to a test suite, no design flaws and
no  more  than a few correctable implementation flaws may be
found during testing, and there should be reasonable  confi-
tocol specification to the source code may form a basis  for
testing.
     Protocols should be thoroughly analyzed and tested  for
their  responses  to both normal and abnormal data type mes-
mode  of operation both in controlled environment and in the
environment of deployment.
_   _____________
     The section headings in  these  Part  II  Documentation
criteria  are the same as those employed for Part I Documen-
tation criteria.  The documentation produced in response  to
both  sets  of  criteria  may optionally be combined or pub-
lished separately, as the sponsor sees fit.
_ _   ________ ________ ____ _ _____
     A single summary, chapter, or manual in user documenta-
tion  shall  describe  the Part II security services, guide-
lines on their use, and how they interact with one another.
     This user documentation describes security services  at
the  global (network system) level, at the user interface of
each component, and the interaction among these.
_ _   _______ ________ ______
     A manual addressed to the network  and  component  sub-
and privileges that should be controlled to maintain network
administrator functions related to  security  services.   It
of the network security services,  how  they  interact,  and
facility  procedures,  warnings, and privileges that need to
be controlled in order to maintain network security.
     The software modules  that  provide  security  services
of new security service object  modules  from  source  after
modification  of  source  code  shall be described. It shall
nclude the procedures, if any, required to ensure that  the
network is initially started in a secure manner.  Procedures
after any lapse in operation.
     This manual shall contain specifications and procedures
to assist the system administrator to maintain cognizance of
the network configuration.  These  specifications  and  pro-
cedures shall address:
        network.
        leave  the  network  (e.g.,  by crashing or by being
        disconnected) and then rejoin.
        indicate  which security services may change without
        others also changing.
     The physical and administrative environmental  controls
all  communications  links must be physically protected to a
certain level).
_ _   ____ _____________
     A document shall be provided that  describes  the  test
tional testing.
     The description of the test plan should  establish  the
context  in  which  the  testing was or should be conducted.
The description should identify  any  additional  test  com-
This includes a description of the  test-relevant  functions
of  such test components, and a description of the interfac-
ng of those test components to the system being  evaluated.
The  description  of  the  test plan should also demonstrate
that the tests adequately cover the network security policy.
The tests should also include network configuration and siz-
ng.
     As identified in Appendix A, the entity being evaluated
may be a networking subsystem to which other components must
be added to make a complete network system.  In  that  case,
test   documentation   must  include  contextual  definition
because, at evaluation time, it is not possible to  validate
the  test  plans  without the description of the context for
testing the networking subsystem.
_ _   ______ _____________
     Documentation  shall  be  available  that  provides   a
explanation of how this philosophy is  translated  into  the
be stated.
     The system description addresses the  network  security
architecture  and design by specifying the security services
n the network, and in what way they must cooperate to  sup-
ferent  policies  to  communicate, the relationships between
the policies shall be defined.
_   ________ ________ ________
     This section contains specific security  services  that
may  be provided in networks.  The structure of the specific
n  Table  II-2.  This table shows the network security con-
cerns addressed, the criteria  for  each  concern,  and  the
evaluation range for each criterion.
_ _   ______________ _________
     Communications integrity is a  collective  term  for  a
number  of  security  services.   These  services, described
below, are all concerned with  the  accuracy,  faithfulness,
non-corruptibility,   and   believability   of   information
transfer between peer entities through the computer communi-
cations network.
     Integrity is an important  issue.   However,  there  is
considerable  confusion  and inconsistency in the use of the
term.  The term is used to  address  matters  such  as  con-
cation access control (write, append,  delete,  update)  and
the credibility of information that is read by a process.-
     The mechanisms that can be used to  enforce  communica-
tion  integrity have some strong similarities to the mechan-
sms that are used to enforce  discretionary  and  mandatory
access  controls.   Integrity  in  Part  I is concerned with
access control, specifically  the  ability  of  subjects  to
modify  objects.  This should be contrasted with the Part II
concerns for communications integrity described below.
_ _ _   ______________
+ Functionality
  _____________
     The network should ensure that a data exchange is esta-
blished  with  the  addressed  peer  entity (and not with an
entity attempting a masquerade or a  replay  of  a  previous
establishment).   The  network  should  assure that the data
less association, it is known as Data Origin Authentication.
     Attempts to create a session under a false identity  or
_________________________
  - See, for example, Biba, K.J., "Integrity Considera-
tion  for Secure Systems," ESD-TR-76-372, MTR-3153, The
Mitre Corporation, Bedford, MA, April 1977; and  Juene-
man,  R. R., "Electronic Document Authentication," IEEE
                                                   ____
Network Magazine, April 1987, pp 17-23.
_______ ________
authentication is an appropriate countermeasure.
     Authentication generally follows identification, estab-
lishing  the validity of the claimed identity providing pro-
tection against  fraudulent  transactions.   Identification,
authentication,  and  authorization information (e.g., pass-
     Available techniques  which  may  be  applied  to  peer
authentication mechanisms are:
     1.   Something known by the entity (e.g., passwords)
     2.   Cryptographic means
     3.   Use of the characteristics and/or  possessions  of
          the entity
     The above mechanisms may be incorporated into the  (N)-
layer peer-to-peer protocol to provide peer entity authenti-
cation.
     To tie data to a specific origin, implicit or  explicit
dentification  information  must  be derived and associated
may include verification through an alternate communications
channel, or a user-unique cryptographic authentication.
     When encryption is used for authentication service,  it
can be provided by encipherment or signature mechanisms.  In
conventional private-key cryptosystems, the encryption of  a
message  with a secret key automatically implies data origin
authenticity, because only the holder of that key  can  pro-
authentication  provided  by  the  conventional  private-key
cryptosystem  can  protect  both sender and receiver against
third party enemies, but it  cannot  protect  against  fraud
committed  by  the  other.   The reason is that the receiver
knowing the encryption key,  could  generate  the  encrypted
form  of a message and forge messages appearing to come from
the sender.  In the case where possible  disputes  that  may
arise  from  the  dishonesty of either sender or receiver, a
     In  public-key  cryptosystems,  message   secrecy   and
message/sender  authenticity  are  functionally independent.
To achieve authenticity, the message is "decrypted" with the
that does not conceal the  message.   If  both  secrecy  and
authenticity  are  required,  a  public-key signature scheme
must be used. This subject is extensively addressed  in  the
_________________________
  = The  Directory  -  Authentication  Framework  (Mel-
    ___  _________     ______________  _________   ___
bourne,  April  1986),  ISO/CCITT Directory Convergence
______   _____  ____
Document #3.
     Basis for Rating: Presence or absence.
     Evaluation Range: None or present.
+ Strength of Mechanism
  ________ __ _________
     The security provided by  the  passwords  mechanism  is
very  sensitive to how passwords are selected and protected.
The security provided by a password depends on  composition,
lifetime, length, and protection from disclosure and substi-
tution. Password  Management  Guidance  is  contained  in  a
     When cryptographic techniques are  used,  they  may  be
combined   with   "hand-shaking"  protocols  and  "liveness"
assurance procedures to  protect  against  masquerading  and
by:
     1.   Synchronized clocks
     2.   Two and three ways handshakes
     3.   Non-repudiation services provided by digital  sig-
          nature and/or notarization mechanisms
     The strength of the ciphers,  the  correctness  of  the
using  cryptography  techniques.   See  also  the Encryption
Mechanism section.
     Basis for Rating: In order to obtain a rating  of  good
using passwords, such usage must conform to Password Manage-
ment Guidance-.  The strength of a  cryptographic  mechanism
     Evaluation Range: None to good.
+ Assurance
  _________
     Basis for rating assurance is concerned with guarantee-
ng or providing confidence that features to address authen-
tication threats have been implemented  correctly  and  that
the  control  objectives  of each feature have been actually
and accurately achieved.
     This assurance may be  addressed  by  analysis  of  the
ncludes  password  scheme  and/or  cryptographic  algorithm
analysis  and  the  automated protocol testing for deadlock,
_________________________
  - Department of Defense  Password  Management  Guide-
    __________ __ _______  ________  __________  _____
line,  National  Computer Security Center, CSC-STD-002-
____
liveness,  and  other  security  properties  of  the  "hand-
     Many of the assurance approaches are  common  to  other
may  be  employed  for  peer  entity  authentication.  These
mechanisms, and their assurance, are discussed in a separate
     Basis for Rating: See the General Assurance  Approaches
     Evaluation Range: None to good.
_ _ _   ______________ _____ _________
     Communications Field Integrity refers to protection  of
any  of the fields involved in communications from unauthor-
zed modification.  Two well-known fields are the  protocol-
nformation  (a.k.a.  header) field and the user-data field.
A protocol-data-unit (PDU) (a.k.a. packet, datagram)  always
contains protocol-information; user-data is optional.
     Other division and identification of fields are  possi-
ble.  Some  communications  systems  identify such fields as
control and priority.  For generality, this  section  refers
to  any  field  as containing data; this data may in fact be
fied  field.   For convenience, the term data integrity will
be used synonymously with  communications  field  integrity.
Data  integrity  may be provided on a selective field basis;
     It should be mentioned that in a layered  protocol  the
combination  of  layer  N  protocol-information plus layer N
user-data is considered to be all user-data  in  layer  N-1.
the relationship between PDUs and  messages.  Each  PDU  may
constitute an independent message, or a sequence of PDUs may
constitute a single message.
+ Functionality
  _____________
     Data integrity service counters active threats and pro-
tects  data  against  unauthorized  alteration.  The network
from  source  to  destination  (regardless  of the number of
ntermittent connecting points). The network should be  able
to counter both equipment failure as well as actions by per-
cols  that  perform  code or format conversion will preserve
the integrity of data and control information.
     The network should also have an automated capability of
testing  for,  detecting, and reporting errors that exceed a
threshold.
     Since communication may be subject to  jamming/spoofing
attack,   line  and  node  outages,  hardware  and  software
failures, and active wiretapping attacks, there should exist
effective countermeasures to counter possible communications
threats. The countermeasures may include policy, procedures,
automated  or  physical  controls, mechanisms, and protocols
means.
     Basis  for  Rating:  Data  Integrity  service  may   be
evaluated  according to its ability to detect integrity vio-
lations.  The following  progression  relates  features  and
evaluation.
     Functionality would be evaluated as minimum  if  either
of the following two levels of features were provided:
     1.   Integrity of a single  connectionless  PDU.   This
          takes  the  form of determining whether a received
          PDU has been modified.
     2.   Integrity of selected fields within a  connection-
          less  PDU.   This  takes  the  form of determining
          whether the selected fields have been modified.
     Functionality would be evaluated as fair if,  in  addi-
tion,  either  of  the following two levels of features were
     1.   Integrity of selected fields  transferred  over  a
          connection.   This  takes  the form of determining
          whether the selected fields  have  been  modified,
          inserted, deleted, or replayed.
     2.   Integrity of all user-data  on  a  protocol  layer
          connection.   This  service  detects any modifica-
          tion, insertion, deletion, or replay of any PDU of
          an entire PDU sequence with no recovery attempted.
     Functionality would be evaluated as good if,  in  addi-
tion, the following feature is provided:
        Integrity of all user-data on a protocol layer  con-
        nection.   This  service  detects  any modification,
        insertion, deletion, or replay  of  any  PDU  of  an
        entire PDU sequence with recovery attempted.
     Evaluation Range: None to good.
+ Strength of Mechanism
  ________ __ _________
     Policy, procedures,  automated  or  physical  controls,
mechanisms,  and  protocols  should  exist for ensuring that
unauthorized  message  stream  modification, such as altera-
tion, substitution, reordering, replay, or  insertion.  Mes-
dentified and shown to be effective.  A technology of  ade-
quate strength should be selected to resist MSM.
     The probability of an undetected error should be speci-
fied as an indication of the strength of mechanism. The net-
cation  errors/corruptions  that  exceed  specified  network
     Basis for Rating: When encryption is used in  networks,
t  is  combined  with  network protocols to protect against
unauthorized  data  modification.   The  strength   of   the
ciphers, the correctness of the protocol logic, and the ade-
quacy of implementation are three primary factors in assess-
ng  the strength of Data Integrity using cryptography tech-
niques.  See the Encryption Mechanism  section  for  further
nformation.
     Evaluation Range: None to good.
+ Assurance
  _________
     Basis for rating: Assurance is concerned  with  guaran-
     _____ ___ ______
teeing or providing confidence that features to address Data
the  control  objectives  of each feature have been actually
and accurately achieved.
     Many of the assurance approaches for data integrity are
common   to   other  security  services.   See  the  General
Assurance section for further information.
     Evaluation Range: None to good.
_ _ _   ___ ___________
+ Functionality
  _____________
     Non-repudiation service provides unforgeable  proof  of
     This service prevents the sender from disavowing a leg-
timate  message or the recipient from denying receipt.  The
network may provide either or  both  of  the  following  two
forms:
     1.   The recipient of data is provided  with  proof  of
          origin  of  data  that  will  protect  against any
          attempt by the sender to falsely deny sending  the
          data or its contents.
     2.   The sender is provided with proof of  delivery  of
          data  such  that  the  recipient cannot later deny
          receiving the data or its contents.
     Basis for Rating: Presence or absence of  each  of  the
two forms.
     Evaluation Range: None or present.
     Discussion: Digital signatures are available techniques
that  may be applied to non-repudiation mechanisms.  Digital
     1.   Signing a data unit
     2.   Verifying a signed data unit
     The signing process typically employs either  an  enci-
     The verification process involves using the public pro-
cedure  and  information  to determine whether the signature
     It  is  essential  that  the  signature  mechanism   be
unforgeable  and  adjudicable. This means that the signature
can only be produced using the signer's private information,
and  in  case the signer should disavow signing the message,
t must be possible for a judge or arbitrator to  resolve  a
message.
     Digital signature schemes are usually  classified  into
one  of two categories: true signatures or arbitrated signa-
tures.  In a true signature scheme, signed messages produced
by  the  sender are transmitted directly to the receiver who
verifies their validity and authenticity.  In an  arbitrated
the sender to the receiver via an arbitrator who serves as a
notary public.  In the latter case, a notarization mechanism
s needed.
     Both public-key and conventional private-key cryptosys-
tems can be utilized to generate digital signatures.  When a
message M is to be signed by a private-key cryptosystem, the
along with it.  In a public-key implementation, when a  mes-
key is applied to M before transmitting it. Thus, the signa-
ture is presented by the resulting transformed message.
+ Strength of Mechanism
  ________ __ _________
     Basis for  Rating:  The  strength  and  trustworthiness
the underlying cryptography implementing  digital  signature
mechanism,  the  correctness  of the protocol logic, and the
adequacy of protocol implementation. Additional  information
may  be found in the separate sections addressing these sub-
     Evaluation Range: None to good.
+ Assurance
  _________
     Basis for Rating: Assurance is concerned  with  guaran-
teeing  or  providing  confidence  that  features to provide
non-repudiation service have been implemented correctly  and
that  the control objectives of each feature have been actu-
ally and accurately achieved.
     This assurance is addressed by analysis of the logic of
the  protocols  and the implementation of the digital signa-
ture mechanisms to show  correctness  and  effectiveness  by
formal  methods where possible (i.e., where tools exist) and
nformal ones otherwise.
     The information in the  General  Assurance,  Encryption
Mechanisms, and Protocols sections also applies.
     Evaluation Range: None to good.
_ _   ______ __ _______
     Assurance of communications availability would probably
be  more properly identified as a service,  while denial-of-
s traditional to employ denial of service as the identifier
of this topic.
     DOS detection is highly  dependent  on  data  integrity
checking/detection mechanisms.  Other mechanisms relating to
numbers, frame counts) are also measures of DOS protection.
     A  denial-of-service  condition  exists  whenever   the
throughput  falls  below  a  pre-established  threshold,  or
access to a remote entity is unavailable.  DOS  also  exists
basis.  Priority and similar mechanisms should be taken into
account in determining equity.  If a connection is active, a
DOS condition can be detected by the  maximum  waiting  time
(MWT)  or  the  predetermined  minimum throughput.  However,
of  a  connection  has  no  way of determining when the next
s  thus  unable to detect a DOS attack that completely cuts
off the flow of packets from that entity.
     Denial of service conditions should be  considered  for
all  services  being  provided  by the network. As discussed
below for specific services, depending on  the  strength  of
mechanism  the  network  should  be able to detect, recover,
and/or resist denial of service  conditions.   The  specific
conditions,  which  the network will address, are determined
through the use  of  informal  models,  such  as  Mission(s)
Model,  Threat Model, Life Cycle Model, and Service Oriented
Model. The network manager or sponsor  shall  determine  the
network's denial of service requirements and shall establish
the desired service criteria accordingly.
_ _ _   __________ __ __________
+ Functionality
  _____________
     The security features providing resistance against  DOS
external  attacks  and the objectives that each feature will
achieve may include the following:
        of  redundancy  throughout  the  network  components
        (i.e.,  network  nodes,  connectivity,  and  control
        capability)  may enhance reliability, reduce single-
        point-of-failure, enhance survivability, and provide
        excess capacity.
        nance  and program down-loading to network nodes for
        software distribution, and to provide initialization
        and  reconfiguration after removing failed or faulty
        components and replacing  with  replaced  components
        can  isolate and/or confine network failures, accom-
        modate the addition and  deletion  of  network  com-
        ponents, and circumvent a detected fault.
        functions utilizing a distributed control capability
        to reduce or eliminate the possibility of  disabling
        the  network by destroying or disabling one or a few
        network control facilities, and a  flexible  control
        capability  which  is  able  to  respond promptly to
        emergency needs, such  as  increase  in  traffic  or
        quick  restoration,  can  improve  the capability to
        respond promptly to the changes in network  topology
        and network throughput thereby enhancing survivabil-
        ity and continuity of operation, perhaps by  enforc-
        ing precedence and preemption on traffic handling.
        deal  with  network  failures  and  to maintain con-
        tinuity of operations of  a  network  including  the
        following  features:  error/fault  detection,  fault
        treatment, damage assessment (analysis on effects of
        failures), error/failure recovery, component/segment
        crash recovery, and whole network crash recovery.
        interest separation through creation of logical sub-
        nets with disjoint non-hierarchical mandatory access
        control categories, and protection of control infor-
        mation from active wiretapping.
     Basis  for  Rating:  The  network  should  ensure  some
minimum  specified continuing level of service.  The follow-
ng service would be considered minimum:
     a)   Detect conditions that would degrade service below
          a  pre-specified  minimum  and  would  report such
          degradation to its operators.
The following service would be considered fair:
     b)   Service that would continue in the event of equip-
          ment  failure and actions by persons and processes
          not authorized to alter the data.  The  resiliency
          may  be  provided by redundancy, alternate facili-
          ties, or other means.  The service provided may be
          degraded and/or may invoke priorities of service.
The following service would be considered good:
     c)   The same as (a), but with automatic adaptation.
     Evaluation Range: None to good.
+ Strength of Mechanism
  ________ __ _________
     Network operational maintenance is based on  mechanisms
ng. It may be nearly impossible to  guarantee  sufficiently
     In addition to rigorous analysis to assure  algorithmic
correctness  in  dealing with the "internal failures" (e.g.,
component, segment, or system failures caused by  errors  in
countermeasures shall also  be  employed  against  "external
attacks" such as physical attacks.
     Basis for Rating: For each DOS feature  defined  above,
t  is  possible  to  assign a rating such as none, minimum,
fair, and good  for  the  assessment  of  a  network's  "DOS
     For example, major  ways  of  providing  fault-tolerant
mechanisms include:
     1.   Error/fault detection
     2.   Fault treatment
     3.   Damage  assessment   (analysis   on   effects   of
          failures)
     4.   Error/failure recovery
     5.   Component/segment crash recovery
     6.   Whole network crash recovery
     Evaluation Range: None to good.
+ Assurance
  _________
     Assurance is concerned with guaranteeing  or  providing
confidence  that  features  to address DOS threats have been
mplemented  correctly  and  that  the  objectives  of  each
feature have been actually and accurately achieved.
     This assurance may be addressed by analysis  for  weak-
ness  or  anomalous  behavior  of  the  resource  allocation
models, protocol models, or resource allocation models which
can  be  analyzed for deadlock, liveness, and other security
     Basis for Rating: To provide assurance that the network
can  respond  to  various  forms of denial of service condi-
tions, the following methods may be employed:
     1.   Simulation
     2.   Testing
             a. Functional
             b. Periodic
             c. Penetration
     3.   Measurement under extreme conditions
     Distribution,  as  discussed  as  one  of  the  General
Assurance  Factors,  can  increase  the  assurance  that the
text  of  deployment  of new software and in crash recovery.
ncrease assurance.
     Evaluation Range: None to good.
_ _ _   ________ _____ ___ __________ __________
+ Functionality
  _____________
     Mechanisms for addressing DOS are often protocol  based
and  may  involve  testing  or  probing.  Any communications
availability service should consider using existing communi-
cations  protocol  mechanisms  where  feasible  so as not to
ncrease network overhead.  DOS mechanisms add overhead that
may  have  some  adverse impact on network performance.  The
benefits of value-added functions should offset  the  resul-
tant performance cost.
     For example, in order to detect  throughput  denial  of
ng.   The measured transmission rate shall be compared with
a predetermined  minimum  to  detect  a  DOS  condition  and
activate an alarm.
     Another example is a  protocol  to  detect  failure  to
This protocol would determine the remote entity's ability to
     A request-response mechanism  such  as  "are-you-there"
message  exchange  may  be employed to detect DOS conditions
mechanism  involves  the  periodic  exchange of "hello", and
"are-you-there" messages between  peer  entities  to  verify
that  an  open  path  exists  between them; such a mechanism
Based on the ability to respond and the response time to the
entity  can  be  determined  and  the  DOS  condition can be
     Request-response mechanisms have been  known  to  crash
networks when coupled with hardware failures and/or abnormal
loading.  Incompatibilities also sometimes show up when dis-
tion.
     Basis for Rating: The number of protocol based  mechan-
sms  could  be  used for evaluation.  If only one mechanism
might be rated as fair.  If more than three mechanisms  were
     Evaluation Range: None to good.
+ Strength of Mechanism
  ________ __ _________
     Basis  for  Rating:  Network  protocol  robustness  may
analysis  to assure protocol correctness in dealing with the
"internal  failures"  and  against  "external  attacks"  are
appropriate ways of establishing strength of mechanism.
     Evaluation Range: None to good.
+ Assurance
  _________
     Assurance is concerned with guaranteeing  or  providing
confidence  that  features  to address DOS threats have been
mplemented  correctly  and  that  the  objectives  of  each
feature have been actually and accurately achieved.
     Basis for Rating: This assurance may  be  addressed  by
analysis  for  weakness or anomalous behavior of the network
theoretic  models,  hierarchical service models, petri nets,
or resource allocation models  which  can  be  analyzed  for
     To provide assurance that the network can  response  to
various forms of external attacks, the following methods may
be employed:
     1.   simulation
     2.   testing
          -    functional
          -    periodic
          -    penetration
     3.   measurement under extreme conditions
     Distribution,  as  discussed  as  one  of  the  General
Assurance  Factors,  can  increase  the  assurance  that the
text  of  deployment  of new software and in crash recovery.
ncrease assurance.
     Evaluation Range: None to good.
_ _ _   _______ __________
+ Functionality
  _____________
     DOS resistance  based  on  a  system/message  integrity
measure  is two- tiered.  Tier one deals with communications
maintenance).    These  tiers  for  the  most  part  operate
ndependently.
     Network management and maintenance in  tier  two  deals
not  necessarily  be  a  good measure of proper performance.
Loading above  capacity,  flooding,  replays,  and  protocol
an acceptable level and/or cause selective outages.  Manage-
ment protocols, such as those which configure the network or
monitor its performance,  are  not  described  well  by  the
existing protocol reference models.
     A DOS attack may cause disruption of more than one peer
entity  association.   For this reason detection and correc-
tion may be implemented in tier two.   The  detection  of  a
by the layer management functions of  those  entities.   The
function, and the corrective action is a  system  management
function.
     Basis for Rating: Presence or absence.
     Evaluation Range: None or present.
+ Strength of Mechanism
  ________ __ _________
     Network operational maintenance is based on  mechanisms
(e.g., update of routing tables).
     Basis for Rating: Integrity and adequacy of control  in
a network are the keys in coping with denial of service con-
(e.g., component, segment,  or  system  failures  caused  by
errors  in resource allocation policy or mechanism implemen-
tation), countermeasures  shall  also  be  employed  against
"external  attacks,"  such  as  physical attacks and attacks
against network control.
     Based on these characterizations, a set of ratings  can
be  assigned  to  each  category  under  the fault tolerance
feature and an overall rating can then be determined  for  a
network's  strength  in  providing  "fault tolerance mechan-
sms".
     Evaluation Range: None to good.
+ Assurance
  _________
     Basis  for  Rating:  Assurance  may  be  addressed   by
analysis  for  weakness or anomalous behavior of the network
management policy/mechanisms of the  network  using  various
formal models such as queuing theoretic models, hierarchical
models  which  can  be  analyzed for deadlock, liveness, and
other security properties.
     Distribution,  as  discussed  as  one  of  the  General
Assurance  Factors,  can  increase  the  assurance  that the
text  of  deployment  of new software and in crash recovery.
ncrease assurance.
     Evaluation Range: None to good.
_ _   __________ __________
     Compromise protection is a collective term for a number
of  security services.  These services, described below, are
all concerned with the secrecy, or non-disclosure of  infor-
mation  transfer  between peer entities through the computer
communications network.  Physical  security,  such  as  pro-
tected wireways, can also provide transmission security. The
network manager  or  sponsor  must  decide  on  the  balance
between  physical,  administrative,  and technical security.
This document only addresses technical security.
_ _ _   ____ _______________
+ Functionality
  _____________
     Data  confidentiality  service  protects  data  against
unauthorized  disclosure.   Data  confidentiality  is mainly
compromised by passive wiretapping attacks.  Passive attacks
consist  of  observation  of  information passing on a link.
Release of message content to unauthorized users is the fun-
     Prevention of release of message contents can be accom-
Encryption Mechanism section.) The granularity of  key  dis-
tribution is a trade-off between convenience and protection.
Fine granularity would employ a unique key for  each  sensi-
tivity  level  for  each  session;  coarse granularity would
employ the same key for all sessions during a time period.
     The network must provide protection of data from  unau-
thorized disclosure.  Confidentiality can have the following
features:
     1.   Confidentiality of all  user-data  on  a  specific
          protocol layer connection.  Note: depending on use
          and layer, it may not be  appropriate  to  protect
          all  data,  e.g., expedited data or data in a con-
          nection request.
     2.   Confidentiality of all user-data in a single  con-
          nectionless datagram
     3.   Confidentiality  of  selected  fields  within  the
          user-data of an PDU
     Basis for Rating: Presence or absence of each feature.
     Evaluation Range: None or present.
+ Strength of Mechanism
  ________ __ _________
     Physical protection and encryption are the  fundamental
techniques  for  protecting  data  from compromise.  Through
their use, release of message content and  traffic  analysis
can be prevented.
     Basis for Rating: The evaluation of data  confidential-
ty  mechanisms  is outside the scope of this document.  The
cognizant authorities will evaluate the mechanisms  relative
to  a  specific environment according to their own rules and
     Evaluation Range: Sensitivity level of data approved to
+ Assurance
  _________
     Basis of rating: Assurance is concerned with guarantee-
     _____ __ ______
ng  or  providing  confidence that features to address Data
Confidentiality threats have been implemented correctly  and
that  the control objectives of each feature have been actu-
ally and accurately achieved.  Blacker is an example of such
an application of a TCB for high assurance of data confiden-
tiality.
     Many of the assurance approaches for data confidential-
ty  are common to other security services.  See the General
Assurance section for further information.
     Evaluation Range: None to good.
_ _ _   _______ ____ _______________
+ Functionality
  _____________
     Traffic  flow  confidentiality  service  protects  data
against  unauthorized  disclosure.  Traffic  analysis  is  a
compromise in which analysis of message  length,  frequency,
and  protocol  components  (such  as  addresses)  results in
nformation disclosure through inference.
     Traffic flow confidentiality is concerned with  masking
the  frequency,  length,  and origin-destination patterns of
communications between protocol  entities.   Encryption  can
effectively  and  efficiently  restrict disclosure above the
transport layer; that is, it can  conceal  the  process  and
application but not the host computer node.
     The OSI Addendum- notes:  "Traffic  padding  mechanisms
can  be used to provide various levels of protection against
traffic analysis.  This mechanism can be effective  only  if
the  traffic  padding  is  protected  by  a  confidentiality
_________________________
  - ISO 7498/Part 2 - Security Architecture, ISO  /  TC
    ___ ____ ____ _   ________ ____________
     Basis for Rating: Presence or absence.
     Evaluation Range: None or present.
+ Strength of Mechanism
  ________ __ _________
     Physical protection, encryption,  and  traffic  padding
are the fundamental countermeasures for traffic analysis.
     Basis for Rating: The evaluation of  traffic  confiden-
     _____ ___ ______
tiality  mechanisms  are outside the scope of this document.
The cognizant authorities will evaluate the mechanisms rela-
tive  to a specific environment according to their own rules
and procedures.
     Evaluation Range: Sensitivity level of data approved to
+ Assurance
  _________
     Basis for rating: Assurance is concerned  with  guaran-
     _____ ___ ______
teeing  or  providing  confidence  that  features to address
Traffic  Confidentiality  threats  have   been   implemented
correctly  and  that  the control objectives of each feature
     Many of the assurance approaches for traffic  confiden-
tiality are common to other security services.  See the Gen-
eral Assurance section for further information.
     Evaluation Range: None to good.
_ _ _   _________ _______
+ Functionality
  _____________
     "Routing control is the application of rules during the
cally secure sub-networks, relays,  or  links.   End-systems
may,  on  detection of persistent manipulation attacks, wish
to instruct the network service provider to establish a con-
nection  via a different route.  Data carrying labels may be
forbidden by the security policy  to  pass  through  certain
nection (or the sender of a connectionless  data  unit)  may
networks, links or relays be avoided."
_________________________
  - ISO 7498/Part 2 - Security Architecture, ISO  /  TC
    ___ ____ ____ _   ________ ____________
     For  example,  there  are  national  laws  and  network
administration policies governing individual privacy rights,
encryption, and trans-border data flow.  A  user  in  a  end
nformation should not flow.
     Basis for Rating: Presence or absence.
     Evaluation Range: None or present.
+ Strength of Mechanism
  ________ __ _________
     Basis for Rating: The factors discussed  under  Suppor-
tive Primitives (Section 7) apply.
     Evaluation Range: None to good.
+ Assurance
  _________
     Basis for  Rating:  The  General  Assurance  Approaches
apply.
     Evaluation Range: None to good.
 Table II-1. Part II Assurance Rating Relationship to Part I Evaluation
 _____ __ _  ____ __ _________ ______ ____________ __ ____ _ __________
(note:  Table not included)
 Table II-2.  Evaluation Structure for the Network Security Services
 _____ __ _   __________ _________ ___ ___ _______ ________ ________
   (note:  Table not included)
                         Appendix A
                         ________ _
              Evaluation of Network Components
              __________ __ _______ __________
A.1.  Purpose
_ _   _______
     Part I of this  Trusted  Network  Interpretation  (TNI)
Evaluation Criteria (TCSEC)  appropriate  for  evaluating  a
network  of  computer  and communication devices as a single
the  Network  Trusted Computing Base (NTCB), which is physi-
cally and logically partitioned among the components of  the
network.   These  interpretations  stem from the recognition
that networks form an important and recognizable subclass of
ADP  systems with distinctive technical characteristics that
allow tailored interpretations of the TCSEC to be formulated
for them.
     An extension of this view of  networks  can  be  taken:
that  a  trusted network represents a composition of trusted
components.  This view is sound, consistent with the  first,
and  useful.   The  approach to evaluation of a network sug-
of  the  components to arrive at an overall rating class for
the network.  This approach aids  in  the  assigning  of  an
overall  network  evaluation class in two ways: 1) it allows
for the evaluation of components which in and of  themselves
for the reuse of the evaluated component in  different  net-
     This approach to evaluation does not negate or override
any of the interpretations presented in Part I of this docu-
ment, which describe the global characteristics of a trusted
network.   In order to present a unified and self-consistent
exposition within Part  I  of  the  document,  a  deliberate
choice was made to express the basic network interpretations
n terms of the view that networks are instances of ADP sys-
tems  to which the TCSEC are applied on a system-wide basis.
This choice allows  Part  I  to  follow  the  TCSEC  closely
because  the  basic  structural  model underlying the TCSEC,
that of a system with a single Trusted Computer Base  (TCB),
     This appendix provides guidance for the  evaluation  of
the  individual  components  of a trusted network.  The com-
application  of  the total network interpretations expressed
to  support  the eventual evaluation of a network or network
the  Part  I  interpretations.  Note that Part II applies to
components without further interpretation.   No  implication
s  intended in this appendix that all networks must be com-
complete  network  could  be  evaluated as a whole using the
cal  cases,  however, the techniques presented here for con-
composition  into an evaluatable whole, constitutes a viable
and attractive means for actually conducting the  evaluation
of the system under Part I interpretations.
     Three major issues must be confronted by the  architect
or  evaluator  of  a  trusted  system  when  the partitioned
viewpoint is applied:
     1.   How is the network to be partitioned in such a way
          that evaluation of individual components will sup-
          port eventual evaluation of the entire network?
     2.   What evaluation criteria should be applied to each
          component when rating that component?
     3.   How can the composition  of  rated  components  be
          evaluated?
     The first of these issues is addressed in the  separate
Appendix B, Rationale Behind NTCB Partitions.  The remaining
two issues are addressed in this Appendix:   the  first,  in
     Section  A.1.1  presents  a  taxonomy   (classification
ture for individual components.
     Section A.2 presents techniques and guidelines for  the
composition  of  rated processing components to achieve par-
ticular system ratings for the assembled network.  This gui-
the policy elements supported where these are organized into
the  four  broad  policy areas of Mandatory Access Controls,
Discretionary Access Controls, Identification and  Authenti-
cation, and Audit support.
     Section A.3 presents specific  evaluation  guidance  in
terms  of  the network interpretations articulated in Part I
of this document, to allow individual processing  components
to  be  rated  preparatory to their utilization in a trusted
network.  The sections are organized according to  component
type, as defined in section A.1.1.  For each component type,
the applicable interpretations, from Part I,  are  provided,
organized according to rating class.
A.1.1.  Component Taxonomy and Rating Structure
_ _ _   _________ ________ ___ ______ _________
     The primary difference between a processing  component,
a stand-alone ADP system is that as a stand-alone system all
of  the  TCSEC  requirements  for a particular class must be
met:  for policy requirements (i.e., what features the  sys-
tem  must  support)  the intent of the TCSEC is to enforce a
collection of features which are felt  to  be  operationally
complete  and consistent for a total system.  In the context
of a larger system, however, it may well be (and usually is)
the  case that the set of policy-related features to be sup-
one component for the system are supplied by another.
     In rating a product for potential use as a network com-
ts security properties exactly:  in practice, we  shall  be
content  to  identify the component as being of a particular
type (which identifies the general policy elements the  com-
dentifies the assurance levels provided for each  supported
feature),  and  the target architecture.  The description of
the target architecture shall include a description  of  the
     In order to limit the  number  of  component  types  we
break   the  ``maximal''  set  of  policy-related  features,
ndependent  categories  which  can be characterized as sup-
Access Controls (DAC), Audit, and Identification and Authen-
tication.  (In various tables and text in the  remainder  of
this appendix, these categories will be given the one-letter
     A given component can be  intended  (by  the  component
combination of M, D, A or I functionality.  Logically, then,
there  are  sixteen  different  component types which can be
the sixteen possible combinations of M, D, A, and I theoret-
cally possible.  Of these combinations one (no M, no D,  no
A,  no  I)  typifies  a  component intended (or required) to
enforce no security policy whatsoever, and therefore has  no
TCSEC  requirements to meet and need not be evaluated.  How-
ever, it is still possible to  utilize  such  components  as
The  remaining  component  types are denoted M, D, A, I, MD,
MA, MI, DA, DI, IA, MDA, MDI, MIA, IAD, and  MIAD  with  the
obvious  meanings  (for example, an "MIA component" supports
aspects of Mandatory, Audit, and Authentication and ID poli-
cies,  with  the  exact features provided being specified in
    Table A1.  Component Type Maximum and Minimum Class
COMPONENT  TYPE  MIN CLASS       MAX CLASS       
       M           B1                A1
       D           C1                C2+  
       I           C1                C2 
       A           C2                C2+
       DI          C1                C2+ 
       DA          C2                C2+
       IA          C2                C2+
       IAD         C2                C2+ 
       MD          B1                A1  
       MA          B1                A1
       MI          B1                A1 
       MDA         B1                A1 
       MDI         B1                A1
       MIA         B1                A1 
       MIAD        B1                A1
     In addition to a type based upon  the  policy  elements
class,  the  component  must  meet all of the guidelines for
that rating level for the applicable component type provided
n  section A.3.  In general, these guidelines are straight-
forward interpretations of the TCSEC for the subset of  pol-
cy features to be provided.  Each component type has a max-
mum and minimum class listed in Table A1 below.  To achieve
a  particular  class,  a  component  must  meet  appropriate
     The maximum class for each component  type  is  derived
from  the  TCSEC, and is that evaluation class which imposes
the highest requirement  relevant  to  the  component  type.
Similarly,  the  lowest  class  available for each component
type is the TCSEC evaluation class  which  first  imposes  a
     Exceptions to this general approach have been made  for
the  requirements  for DAC and Audit support at the B3 level
as the additional support for  these  policy  categories  at
these levels (namely, the provision of ACL's for DAC and for
assurance provided for the B3 MAC support.  It is considered
more appropriate to use the notation of  C2+  for  component
types  including D or A, but not M which meet the functional
     Components including support for I may be  required  to
(at possibly relatively low levels of assurance) or both DAC
and  MAC  (at  relatively high levels of assurance).  There-
fore, rating levels ranging from C1 to A1 for  type  I  com-
the need for added assurance for the label integrity for the
MAC  label  information, rather than any additional require-
ments for features.
     Components including support for I are required to pro-
vide  Identification  and  Authentication which supports the
DAC   Policy.    The   TCSEC   Identification-Authentication
n M Components, since this requirement is in essence estab-
lishing a security label for a user.
     Components of multiple types have  been  given  minimum
and maximum levels based upon meaningful combinations of the
ncluded types.
     It might be noted in passing that a C1 stand-alone sys-
tem  has exactly the same certification requirements as a C1
DI component, a C2 system as a C2 IAD component,  and  B1-A1
A.2.  Composition Rules
_ _   ___________ _____
A.2.1.  Purpose
_ _ _   _______
     In order for a (sub)system composed of components to be
assigned  a  rating, the components that make up the network
must be interconnected in such a way that the connections do
not  violate the assumptions made at the time the components
evaluatable (sub)system and the method for assigning a  rat-
ng to a (sub)system conforming to the rules.
     This section does not consider  the  relative  risk  of
utilizing  the  evaluated  (sub)system  to  separate data at
various levels of sensitivity:  that  is  the  role  of  the
environmental  security  requirements, such as those of Com-
                                                        ____
_____  ________  ____________   ________  ___  ________  ___
Department  of  Defense  Trusted  Computer System Evaluation
__________  __  _______  _______  ________ ______ __________
Criteria in  Specific  Environments,  CSC-STD-003-85.   This
________ __  ________  ____________
a (sub)system which is composed of more than one  component.
The rating assigned indicates a minimum level of security as
     Components must provide interfaces to support the other
     The composition rules are divided up according  to  the
evaluated components (i.e., Mandatory Access  Control,  Dis-
cretionary   Access   Control,  Audit,  and  Identification-
Authentication).
A.2.2.  Discretionary Access  Control  (D-Only)  Composition
_ _ _   _____________ ______  _______   _ ____   ___________
Rules
_____
     The rules presented below are based on the  concept  of
components.  Specifically, the rules presented in this  sec-
tion  deal  with the composition of a component with respect
to the DAC Policy of the Network.  It is expected  that  the
composition   of  a  D-Component  will  require  significant
engineering and system architectural consideration.
     When a D-Component is evaluated, it will  be  evaluated
against  some  stated Network DAC Policy and a stated target
Network Security Architecture.  Included  in  the  component
ng DAC decisions.  The stated protocol will be evaluated to
assure that it is sufficient to support the  target  Network
DAC  Policy  (e.g., if the Network DAC Policy is that access
be designated down to the granularity of a single user, then
an  Identification Protocol which maps all users into a sin-
     The type of Components discussed  below,  D-Components,
are  components  that have received a rating relative to DAC
(e.g., C1-C2+ D-Only Component, C1-C2+ DI  Component,  B1-A1
MD  Component,  etc.).   The  rules of this section are con-
cerned only with the composition of  these  components  with
A.2.2.1.  Composition of Two D-Components
_ _ _ _   ___________ __ ___ _ __________
     Whenever two D-Components are  directly  connected  the
from one component to the other (for the purposes of  making
DAC decisions) must be the same in both components.  It must
be the case that the Identification  Passing  Protocol  pro-
vided by the composed component must support the Identifica-
tion Passing Protocol of the  target  Network  Architecture.
nation of the DAC Policy provided by one component over  the
named  objects  under its control and by the DAC Policy pro-
vided by the other component over the  named  objects  under
ts  control) must be shown to be able to support the target
Network DAC Policy.
A.2.2.2.  Discretionary Access  Control  Policy  Composition
_ _ _ _   _____________ ______  _______  ______  ___________
Rating
______
     Given that a component is composed as described  above,
the  evaluation  class  assigned  to the composed component,
assigned to any D-Component within the composed component.
A.2.3.  Identification-Authentication  (I-Only)  Composition
_ _ _   ______________ ______________   _ ____   ___________
Rules
_____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the composition of a component with respect to the Identifi-
cation and Authentication Policy  of  the  Network.   It  is
expected that the composition of an I-Component will require
consideration.
     When an I-Component is evaluated it will  be  evaluated
against  some  stated  Network Identification-Authentication
n  the component definition will be a statement of the sup-
Authentication  Information,  and the interfaces provided by
the I-Component.  The composition of two  I-Components  must
maintain  the  protocol  which  supports the Identification-
Authentication Policy  of  the  Network.   In  addition  the
nterfaces  provided by the composed I-Component, which sup-
A.2.3.1.  Identification-Authentication Composition Rating
_ _ _ _   ______________ ______________ ___________ ______
     Given that a component is composed as described  above,
the  evaluation  class  assigned  to the composed component,
A.2.4.  Audit (A-Only) Composition Rules
_ _ _   _____  _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition  of  a  component with respect to the Audit
of  an  A-Component will require significant engineering and
     When an A-Component is evaluated it will  be  evaluated
against some stated Network Audit Policy and a stated target
Network architecture.  Included in the component  definition
tion  of  two  A-Components must maintain the protocol which
A.2.4.1.  Audit Composition Rating
_ _ _ _   _____ ___________ ______
     Given that a component is composed as described  above,
the  evaluation  class  assigned  to the composed component,
class  assigned  to any A-Component within the composed com-
A.2.5.  Mandatory Access Control (M-Only) Composition Rules
_ _ _   _________ ______ _______  _ ____  ___________ _____
     The rules presented below are based on the  concept  of
(at the physical layer) components.  Specifically, the rules
component with respect to the MAC Policy of the Network.
     The MAC Composition Rules provide  a  strong  guarantee
that  if  the  network  is  composed  of directly connected,
evaluated components,  and each  connection  meets  the  MAC
Composition Rules, the Network MAC Policy will be supported.
These rules permit the recursive definition of  a  component
based on the MAC Policy.
     The MAC Composition Rules are  divided  into  two  sec-
tions.   The  first  section addresses the  composition of a
component from two directly connected components  with  mul-
tilevel  devices  at each end of the connection.  The second
each end of the connection.
     The type of Components discussed  below,  M-Components,
are  components which have received a rating relative to the
MAC  Policy  (e.g.,  B1-A1  M-Only  Components,  B1-A1   MD-
Components, B1-A1 MI-Components, etc.).
A.2.5.1.  Multilevel Devices
_ _ _ _   __________ _______
     Whenever two M-Components are directly connected, via a
communication  channel, with a multilevel device at each end
of the connection, the labeling protocol (as required by the
Exportation  to  Multilevel  Devices  requirements, sections
be the same at the network interface to both devices.
     Whenever two Class B1  M-Component  are  directly  con-
nected,  the range of sensitivity labels denoted by the max-
mum and minimum levels (System High and System Low) associ-
ated  with  each  of  the  Class B1 M-Components must be the
for Class B1.)
     Whenever a Class B1 M-Component is  directly  connected
to  a  Class  B2-A1  M-Component,  the  range of sensitivity
labels denoted by the maximum  and  minimum  levels  (System
High  and  System  Low)  associated  with  the  Class  B1 M-
Component must be the  same  as  the  range  of  sensitivity
labels  denoted by the maximum and minimum levels associated
     Whenever two Class B2-A1 M-Components are directly con-
nected  with  a multilevel device at each end of the connec-
tion, the range of sensitivity labels denoted by the maximum
and minimum levels associated with the each of the connected
A.2.5.2.  Single-Level Devices
_ _ _ _   ______ _____ _______
     Whenever two M-Components are directly connected with a
     Whenever two Non-M-Components  are  directly  connected
the  maximum  sensitivity level of data processed by the two
Non-M-Components must be the same.
A.2.5.3.  Mandatory Access Control Policy Composition Rating
_ _ _ _   _________ ______ _______ ______ ___________ ______
     Given that a component is composed as described in sec-
tions  2.5.1  and 2.5.2 above, the evaluation class assigned
to the composed component, with regard to MAC, will  be  the
A.2.6.  DI-Component (D-Only and I-Only) Composition Rules
_ _ _   __ _________  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the DAC Pol-
cy and the Identification-Authentication Policy of the Net-
tural consideration.
     Whenever an I-Component and a D-Component are  composed
to  form  a  DI-Component the DI-Component must preserve the
Network DAC Policy of the D-Component.   This implies  that,
nformation and returning data might be  required  for  each
DAC  interface.   This  protocol must be able to support the
Network DAC policy.  (Note that if the Network DAC policy is
being a "member of the network group", i.e., is a legitimate
user  of  another  component, then the DAC interface may not
     In addition, for class C2 and above, the  composed  DI-
Component  must  preserve  the  Audit  Interface(s) used for
exporting audit information from the D-Component and the  I-
Component.   This implies that the DI-Component must provide
a means for exporting audit information generated by actions
taken within each of its parts.
     The   DI-Component    may    provide    Identification-
Authentication  support  services  to  other components.  In
this case the Identification Interface of  the  DI-Component
must  be  defined and a protocol established for this inter-
face which is able to support the Network  I/A  Policy.   In
this  case  the  DI-Component  may  be further composed with
other D-Only Components to form new DI-Components, using the
     However, it is not necessary that the DI-Component pro-
vide  Identification-Authentication  services  to other com-
MI-Components, etc.) which are  also  self  sufficient  with
     If the composed  DI-Component  supports  directly  con-
nected users then the DI-Component must, minimally, meet all
the requirements for a Class C1 Network System.
A.2.6.1.  DI-Component Composition Rating
_ _ _ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and  that the I-Component has an evaluation class of C1, the
evaluation class assigned to the composed DI-Component, will
be C1.
     Given that a component is composed as described  above,
and  that the I-Component has an evaluation class of C2, the
evaluation class assigned to the composed DI-Component, will
be equal to the evaluation class of the D-Component.
A.2.7.  DA (D-Only and A-Only) Composition Rules
_ _ _   __  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the DAC Pol-
cy and the Audit Policy of the  Network.   It  is  expected
that the composition of a DA-Component will require signifi-
cant engineering and system architectural consideration.
     Whenever an A-Component and a D-Component are  composed
to  form  a DA-Component, the DA-Component must preserve the
Network DAC Policy of the D-Component.   This implies  that,
nformation and returning data, might be required  for  each
DAC  interface.   This  protocol must be able to support the
Network DAC policy.  (Note that if the Network DAC policy is
being a "member of the network group", i.e., is a legitimate
user  of  another  component, then the DAC interface may not
     The DA-Component may provide Audit support services  to
other  components.   In this case the Audit Interface of the
DA-Component must be defined and a protocol established  for
this  interface,  which is able to support the Network Audit
Components, using the rules defined above.
     However, it is not necessary that the DA-Component pro-
vide  Audit  services to other components.  In this case the
DA-Component may only  be  composed  with  other  components
(i.e.,  DA-Components, MIAD-Components, MA-Components, etc.)
that are also self sufficient with  respect  to  Audit  ser-
vices.
A.2.7.1.  DA-Component Composition Rating
_ _ _ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and that the D-Component has an evaluation class of at least
C2, the  evaluation  class  assigned  to  the  composed  DA-
Component,  will  be the rating of the lowest class assigned
to either of the two components which make up  the  composed
component.
A.2.8.  IA (I-Only and A-Only) Composition Rules
_ _ _   __  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the   composition   of  a  component  with  respect  to  the
the  Network.   It is expected that the composition of a IA-
Component will require significant  engineering  and  system
architectural consideration.
     Whenever an IA-Component is composed of an  I-Component
connected  to an A-Component, the IA-Component must preserve
both the Network Audit Interface  and  Protocol  of  the  A-
Component   and  the  Network  Identification-Authentication
that  the composed IA-Component must provide an Audit Inter-
face as well as a Identification-Authentication Interface. A
Audit Interface.  This protocol must be able to support  the
Network  Audit Policy.  In addition, a protocol, for receiv-
ng Identification-Authentication data and returning authen-
ticated  user-ids,  must  be defined for each Identification
A.2.8.1.  IA-Component Composition Rating
_ _ _ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and that the I-Component has an evaluation class of at least
C2, the  evaluation  class  assigned  to  the  composed  IA-
Component, will be the rating of the A-Component.
A.2.9.  MD (M-Only and D-Only) Composition Rules
_ _ _   __  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy and the DAC Policy of the Network. It is  expected  that
the  composition of an MD-Component will require significant
engineering and system architectural consideration.
     Whenever  an  MD-Component  is  composed  from  an   M-
Component  directly connected to a D-Component, the composi-
tion rules, with respect to the MAC Policy, are that the  M-
Component  must  only  connect  to  the  D-Component  via  a
must  be  the  same as the maximum sensitivity level of data
vided  by  the MD-Component via direct connections to the D-
Component must be at the level of the D-Component.
     The composition rules, with respect to the DAC  Policy,
are that any network interfaces provided by the MD-Component
(including those which only involve  direct  connections  to
the  M-Component)  must  support  the Identification Passing
DAC  policy  is defined such that access decisions are based
on the user being a ``member of the network  group'',  i.e.,
s  a  legitimate  user  of  another component, then the DAC
nterface may not require any identifiers to  be  passed  to
the DI-Component.)
     In addition, the composed MD-Component must ensure that
any  external  requests for access to data under the control
of the composed component are subject to both  the  MAC  and
DAC Policies of the original M and D Components.
A.2.9.1.  MD-Component Composition Rating
_ _ _ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and  that the D-Component has an evaluation class of C2, the
evaluation class assigned to the composed MD-Component, will
be  either B1 (if the evaluation class of the M-Component is
B1) or B2 (if the evaluation class  of  the  M-Component  is
     Given that a component is composed as described  above,
and that the D-Component has an evaluation class of C2+, the
evaluation class assigned to the composed MD-Component, will
be equal to the evaluation class of the M-Component.
A.2.10.  MI (M-Only and I-Only) Composition Rules
_ _ __   __  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy and the Identification-Authentication Policy of the Net-
tural consideration.
     Whenever  an  MI-Component  is  composed  from  an   M-
Component directly connected to an I-Component, the composi-
tion rules, with respect to the MAC Policy, are that the  M-
Component  must  only  connect  to  the  I-Component  via  a
must  be  the  same as the maximum sensitivity level of data
vided  by  the MI-Component via direct connections to the I-
Component must be at the level of the I-Component.
     In addition, the composed  MI-Component  must  preserve
the  Audit Interface(s) used for exporting audit information
from the M-Component and the I-Component.  This implies that
the  MI-Component  must  provide a means for exporting audit
nformation generated by actions taken within  each  of  its
     The   MI-Component    may    provide    Identification-
Authentication  support  services  to  other components.  In
this case the Identification Interface of  the  MI-Component
must  be  defined and a protocol established for this inter-
face, which is able to support the Network I/A  Policy.   In
this  case  the  MI-Component  may  be further composed with
other M-Only Components to form new MI-Components, using the
     However, it is not necessary that the MI-Component pro-
vide  Identification-Authentication  services  to other com-
DI-Components, etc.) that  are  also  self  sufficient  with
     The composed MI-Component must assure that  MAC  Policy
and  the Identification-Authentication Policy of the Network
s supported on any  direct  User  connections  to  the  MI-
Component.  This  implies  that  if the M-Component supports
tocol   on   these  connections  such  that  Identification-
Authentication information may be  exchanged  (with  the  I-
Component)  which  will  fully  support the IA Policy of the
Network.
A.2.10.1.  MI-Component Composition Rating
_ _ __ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and  that the I-Component has an evaluation class of C2, the
evaluation class assigned to the composed MI-Component  will
be equal to the evaluation class of the M-Component.
A.2.11.  MA (M-Only and A-Only) Composition Rules
_ _ __   __  _ ____ ___ _ ____  ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy and the Audit Policy of the  Network.   It  is  expected
that  the composition of an MA-Component will require signi-
ficant engineering and system architectural consideration.
     Whenever  an  MA-Component  is  composed  from  an   M-
Component directly connected to an A-Component, the composi-
tion rules, with respect to the MAC Policy, are that the  M-
Component  must  only  connect  to  the  A-Component  via  a
must  be  the  same as the maximum sensitivity level of data
network  interfaces  provided by the MA-Component via direct
connections to the A-Component must be at the level  of  the
A-Component.
     The MA-Component may provide Audit support services  to
other  components.   In this case the Audit Interface of the
MA-Component must be defined and a protocol established  for
this  interface  which  is able to support the Network Audit
Components, using the rules defined above.
     However, it  is not  necessary  that  the  MA-Component
the MA-Component may only be composed with other  components
(i.e.,  MA-Components, MIAD-Components, DA-Components, etc.)
vices.
A.2.11.1.  MA-Component Composition Rating
_ _ __ _   __ _________ ___________ ______
     Given that a component is composed as described  above,
and  that the A-Component has an evaluation class of C2, the
evaluation class assigned to the composed MA-Component, will
be  either B1 (if the evaluation class of the M-Component is
B1) or B2 (if the evaluation class  of  the  M-Component  is
     Given that a component is composed as described  above,
and that the A-Component has an evaluation class of C2+, the
evaluation class assigned to the composed MA-Component  will
be equal to the evaluation class of the M-Component.
A.2.12.  IAD Composition Rules
_ _ __   ___ ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the DAC Pol-
cy, the Identification-Authentication Policy, and the Audit
of a IAD-Component will require significant engineering  and
     Whenever a IAD-Component is composed from directly con-
nected  components,  the  IAD-Component  must conform to the
composition rules for a DI-Component, a DA-Component, and an
nected users then the IAD-Component  must,  minimally,  meet
all the requirements for a Class C2 Network System.
A.2.12.1.  IAD-Component Composition Rating
_ _ __ _   ___ _________ ___________ ______
     Given that a component is composed as described  above,
and  that  the  I-Component  and  D-Component  each  have an
evaluation class of C2, the evaluation class assigned to the
composed IAD-Component will be C2.
     Given that a component is composed as described  above,
and  that  the I-Component has an evaluation class of C2 and
the D-Component has an evaluation class of C2+, the  evalua-
tion  class  assigned  to the composed IAD-Component will be
the evaluation class of the A-Component.
A.2.13.  MDA Composition Rules
_ _ __   ___ ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy, the DAC Policy, and the Audit Policy  of  the  Network.
consideration.
     Whenever a MDA-Component is composed from directly con-
nected  components,  the  MDA-Component  must conform to the
composition rules for an MD-Component, an MA-Component,  and
a DA-Component.
A.2.13.1.  MDA-Component Composition Rating
_ _ __ _   ___ _________ ___________ ______
     Given that a component is composed as described  above,
and  that the A-Component has an evaluation class of C2, and
the D-Component has an evaluation class of C2 or higher, the
evaluation class assigned to the composed MDA-Component will
be either B1 (if the evaluation class of the M-Component  is
B1)  or  B2  (if  the evaluation class of the M-Component is
     Given that a component is composed as described  above,
and  that  the  D-Component  and  A-Component  each  have an
evaluation class of C2+, the evaluation  class  assigned  to
the  composed  MDA-Component will be equal to the evaluation
class of the M-Component.
A.2.14.  MDI Composition Rules
_ _ __   ___ ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy, the DAC Policy, and  the  Identification-Authentication
of a MDI-Component will require significant engineering  and
     Whenever a MDI-Component is composed from directly con-
nected  components,  the  MDI-Component  must conform to the
composition rules for an MD-Component, an MI-Component,  and
a DI-Component.
A.2.14.1.  MDI-Component Composition Rating
_ _ __ _   ___ _________ ___________ ______
     Given that a component is composed as described  above,
and  that  the  I-Component and the D-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed  MDA-Component will be either B1 (if the evaluation
class of the M-Component is B1) or  B2  (if  the  evaluation
class of the M-Component is greater than B1).
     Given that a component is composed as described  above,
and  that the I-Component has an evaluation class of C2, and
the D-Component has an evaluation class of C2+, the  evalua-
tion  class  assigned  to the composed MDI-Component will be
equal to the evaluation class of the M-Component.
A.2.15.  MIA Composition Rules
_ _ __   ___ ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy, the Identification-Authentication Policy, and the Audit
of a MIA-Component will require significant engineering  and
     Whenever a MIA-Component is composed from directly con-
nected  components,  the  MIA-Component  must conform to the
composition rules for an MI-Component, an MA-Component,  and
a IA-Component.
A.2.15.1.  MIA-Component Composition Rating
_ _ __ _   ___ _________ ___________ ______
     Given that a component is composed as described  above,
and  that  the  I-Component and the A-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed MIA-Component, will be either B1 (if the evaluation
class of the M-Component is B1) or  B2  (if  the  evaluation
class of the M-Component is greater than B1).
     Given that a component is composed as described  above,
and  that  the I-Component has an evaluation class of C2 and
the A-Component has an evaluation class of C2+, the  evalua-
tion  class  assigned to the composed MIA-Component, will be
equal to the evaluation class of the M-Component.
A.2.16.  MIAD Composition Rules
_ _ __   ____ ___________ _____
     The rules presented below are based on the  concept  of
Specifically, the rules presented in this section deal  with
the  composition of a component with respect to the MAC Pol-
cy, the DAC Policy, the Identification-Authentication  Pol-
cy,  and  the  Audit Policy of the Network.  It is expected
that the composition of a MIA-Component will require  signi-
ficant engineering and system architectural consideration.
     Whenever an MIAD-Component is  composed  from  directly
connected components, the MIAD-Component must conform to the
composition rules for an MIA-Component, an MDA-Component, an
MDI-Component,  and  a  IAD-Component. If the MIAD-Component
must,  minimally,  meet  all the requirements for a Class B1
Network System.
A.2.16.1.  MIAD-Component Composition Rating
_ _ __ _   ____ _________ ___________ ______
     Given that a component is composed as described  above,
and  that  the  I-Component and the D-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed MIAD-Component will be either B1 (if the evaluation
class of the M-Component is B1) or  B2  (if  the  evaluation
class of the M-Component is greater than B1).
     Given that a component is composed as described  above,
and  that the I-Component has an evaluation class of C2, and
the D-Component and the A-Component each have an  evaluation
class  of C2+, the evaluation class assigned to the composed
MIAD-Component will be equal to the evaluation class of  the
M-Component.
A.3.  Guidelines for Specific Component Evaluation
_ _   __________ ___ ________ _________ __________
A.3.1.  Mandatory Only Components (M-Components)
_ _ _   _________ ____ __________  _ __________
     Mandatory Only Components are components  that  provide
network  support  of the MAC Policy as specified in the Net-
Evaluation  TCSEC.   M-Components do not include the mechan-
sms necessary to completely support any of the 3 other net-
Audit) as defined in the Interpretation.
     M-Components belong to one of four classes B1, B2,  B3,
and A1 (as defined by the requirements below).
     M-Components are rated according to the  highest  level
for which all the requirements of a given class are met.
A.3.1.1.  Overall Interpretation
_ _ _ _   _______ ______________
     In the requirements referenced, TCB will be  understood
to refer to the NTCB Partition of the M-Component.  Also any
mean  "the  M-Component  shall  produce audit data about any
auditable actions performed by the M-Component".   In  addi-
tion  the  M-Component  shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.1.2.  Generally Interpreted Requirements
_ _ _ _   _________ ___________ ____________
     The requirements listed in the Table A2 apply  directly
to   M-Components   as   interpreted   in  Part  I  of  this
nterpretation.
  Table A2.  M-Component Requirements That Can Be Applied
  _____ __   _ _________ ____________ ____ ___ __ _______
               Without Further Interpretation
               _______ _______ ______________
(NOTE:  Table not included)
A.3.1.3.  Specifically Interpreted Requirements
_ _ _ _   ____________ ___________ ____________
     The following requirements require additional interpre-
tation as indicated. -
A.3.1.3.1.  Subject Sensitivity Labels
_ _ _ _ _   _______ ___________ ______
+ Criteria
     (Class   B2   - Section  3.2.1.3.3;    Class    B3    -
     Section 3.3.1.3.3; Class A1 - Section 4.1.1.3.3)
+ Interpretation
     An M-Component need not support direct  terminal  input
n  which  case  this requirement is not applicable.  Any M-
Component which does support direct terminal input must meet
_________________________
  - For brevity, the following TCSEC  sections  contain
terpretation being interpreted, instead of  the  actual
the requirement as stated.
+ Rationale
     The only way that a user can change the  current  level
of  the  session  is to be directly connected to a component
that supports the MAC Policy.  If the user is directly  con-
nected  to  a component that does not support the MAC Policy
then the user will always operate at the level of  the  com-
must  meet  the  requirements as stated.  M-Components which
may be part of the network which do not directly communicate
user is directly communicating.
A.3.1.3.2.  Trusted Path
_ _ _ _ _   _______ ____
+ Criteria
     (Class   B2   - Section  3.2.2.1.1;    Class    B3    -
     Section 3.3.2.1.1; Class A1 - Section 4.1.2.1.1)
+ Interpretation
     An M-Component  need  not  support  direct  user  input
(e.g.,  the  M-Component may not be attached to any user I/O
not  applicable.   Any M-Component which does support direct
communication  with  users  must  meet  the  requirement  as
users must provide mechanisms which establish the  clearance
of users and associate that clearance with the users current
+ Rationale
     Trusted Path is necessary in order to assure  that  the
user  is  communicating  with  the TCB and only the TCB when
ticate  user, set current session security level).  However,
Trusted Path does not address communications within the TCB,
only  communications  between  the  user  and  the TCB.  If,
therefore, an M-Component does not support any  direct  user
communication  then the M-Component need not contain mechan-
sms for assuring direct TCB to user communications.
     In the case where an M-Component  does  support  direct
user  communication  the Clearance of the user must be esta-
blished by the M-Component.  There are three possible  means
of  providing  this support:  a) all direct user connections
are via single-level channels, where the  maximum  level  of
the  channel  equals  the  minimum level of the channel, and
level  of the channel; in this case there may exist no secu-
alone, b) some direct user connections are via  single-level
channels,  where  the  maximum level of the channel does not
equal the minimum level of the channel, and physical  access
to the channel implies clearance to the maximum level of the
channel, c) some direct user  connections  are  via  single-
level  channels, where the maximum level of the channel does
not equal the minimum level  of  the  channel,  and  the  M-
Component  contains  some internal mechanism for mapping the
user clearance to the range on the channel.  The  first  two
options map the user clearance to the activities of the user
through external means.   The  third  option  requires  some
nternal  mechanism.   Such  a  mechanism  might  be  a user
d/password/clearance  database   maintained   by   the   M-
Component.  Another acceptable mechanism might be a protocol
and interface definition within the M-Component for  obtain-
ng such information (via a multilevel channel - the channel
s multilevel because it is passing labels, i.e.,  the  user
clearance) from some other M-Component.
A.3.1.3.3.  System Architecture
_ _ _ _ _   ______ ____________
+ Criteria
     (Class B1 -  Section  3.1.3.1.1;  Class  B2  -  Section
     3.2.3.1.1;  Class  B3  - Section  3.3.3.1.1; Class A1 -
     Section 4.1.3.1.1)
+ Interpretation
     An M-Component must meet the requirement as stated.  In
this interpretation the words "The user interface to the TCB
the  interface  between  the  reference  monitor  of  the M-
Component and the subjects external to the reference monitor
+ Rationale
     The M-Component may not have a  direct  user  interface
but  is  expected  to support subjects which are not part of
the TCB.  It is important that the interface between the TCB
and  subjects  external  to  the  TCB be completely defined.
(Note that in such a case the subjects are  always  internal
to the component, viz., are "internal subjects").
A.3.1.3.4.  Covert Channel Analysis
_ _ _ _ _   ______ _______ ________
+ Criteria
     (Class   B2   - Section  3.2.3.1.3;    Class    B3    -
     Section 3.3.3.1.3; Class A1 - Section 4.1.3.1.3)
+ Interpretation
     An M-Component must meet the requirement as stated.  In
addition, if the analysis indicates that channels exist that
need to be audited (according to the Covert Channel Analysis
Guideline),  the  M-Component  shall contain a mechanism for
making audit data (related to possible use of  covert  chan-
nels) available outside of the M-Component (e.g., by passing
the data to an audit collection component).
+ Rationale
     If an M-Component contains covert channels   that  need
to  be  audited  the M-Component must produce the audit data
nels in the network occur in an M-Component, the M-Component
must be the source of the audit  record  which  records  the
A.3.1.3.5.  Security Testing
_ _ _ _ _   ________ _______
+ Criteria
     (Class   B1   - Section  3.1.3.2.1;    Class    B2    -
     Section  3.2.3.2.1; Class B3 - Section 3.3.3.2.1; Class
     A1 - Section 4.1.3.2.1)
+ Interpretation
     An M-Component must  meet  the  requirement  as  stated
except for the words ``normally denied under the ... discre-
tionary security policy,'' which are not  applicable  to  an
M-Component.
+ Rationale
     An M-Component does not support a  discretionary  secu-
A.3.1.3.6.  Design Specification and Verification
_ _ _ _ _   ______ _____________ ___ ____________
+ Criteria
     (Class B1 -  Section  3.1.3.2.2;  Class  B2  -  Section
     3.2.3.2.2;  Class  B3  - Section  3.3.3.2.2; Class A1 -
     Section 4.1.3.2.2)
+ Interpretation
     An M-Component must meet the requirement as stated.
     Security Policy is interpreted to mean the  MAC  Policy
those  portions  of  a  reference  monitor  model  that  are
the representation of the current access set and the  sensi-
tivity  labels of subjects and objects, and the Simple Secu-
Model).
A.3.1.3.7.  Trusted Facility Manual
_ _ _ _ _   _______ ________ ______
+ Criteria
(Class  B1 - Section 3.1.4.2;  Class B2 - Section   3.2.4.2;
Class B3 - Section  3.3.4.2; Class A1 - Section 4.1.4.2)
+ Interpretation
     An M-Component must  meet  the  requirement  as  stated
except  for  the  words  ``The  procedures for examining and
maintaining the audit files as well as...''. These words are
nterpreted to mean "the mechanisms and protocols associated
of a user", shall not be applicable to an M-Component.
+ Rationale
     An M-Component does not maintain the  audit  files  nor
these  mechanisms need to be defined in the Trusted Facility
Manual.  The M-Component also does not maintain user  infor-
mation.
A.3.1.4.  Representative Application of M-Components
_ _ _ _   ______________ ___________ __ _ __________
     As an example of an M-Component, consider a MLS  packet
as shown in Figure A1.  This component  supports  16  levels
and 64 categories for non-discretionary access classes.  The
MLS packet switch is rated as an A1 M-Component against  the
     Such an A1 M-Component may, as an example, be used in a
network  as  a  Multilevel  Packet  Switch.  The M-Component
could be configured with several single-level  channels  and
assume that the multilevel channels each have a  maximum  of
Top  Secret  and  a minimum of Secret. Also imagine that the
Multilevel  channels are directly connected to B2 hosts each
The single-level channels are directly connected to C2 hosts
ning  at  dedicated  Top  Secret.   One of the Dedicated Top
Secret Hosts and one of the Dedicated Secret Hosts would  be
M-Component.  In this fashion one  could  create  a  network
cate with each other as well as with the single-level hosts.
The  separation  necessary  for such communications would be
Secure  Packet  Switch.   It  is  noted that the composition
evaluation class of B2 for the overall NTCB.
A.3.2.  Discretionary Only Components (D-Components)
_ _ _   _____________ ____ __________  _ __________
     Discretionary Only Components are components that  pro-
vide  network  support of the DAC Policy as specified in the
Network Interpretation of the DoD  Trusted  Computer  System
Evaluation  TCSEC.   D-Components do not include the mechan-
sms necessary to completely support any of the three  other
network  policies (i.e., MAC, Identification-Authentication,
and Audit) as defined in the Interpretation.
     D-Components belong to one of three  classes,  C1,  C2,
and C2+ (as defined by the requirements below).
     D-Components are rated according to the  highest  level
for which all the requirements of a given class are met.
A.3.3.  Overall Interpretation
_ _ _   _______ ______________
     In the requirements referenced, TCB will be  understood
to refer to the NTCB Partition of the D-Component.  Also any
mean  "the  D-Component  shall  produce audit data about any
auditable actions performed by the D-Component."   In  addi-
tion  the  D-Component  shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.3.1.  Generally Interpreted Requirements
_ _ _ _   _________ ___________ ____________
     The requirements listed in Table A3 apply  directly  to
D-Components  as  interpreted  in Part I of this interpreta-
tion.
A.3.3.2.  Specifically Interpreted Requirements
_ _ _ _   ____________ ___________ ____________
     The following requirements require additional interpre-
tation as indicated. -
_________________________
  - For brevity, the following TCSEC  sections  contain
terpretation being interpreted, instead of  the  actual
A.3.3.2.1.  Trusted Facility Manual
_ _ _ _ _   _______ ________ ______
+ Criteria
(Class  C1  - Section 2.1.4.2;  Class C2 - Section  2.2.4.2;
Class C2+ - Section  2.2.4.2)
+ Interpretation
     A D-Component  must  meet  the  requirement  as  stated
except  for  the  words  ``The  procedures for examining and
maintaining the audit files as well as...''. These words are
nterpreted to mean "the mechanisms and protocols associated
+ Rationale
     A D-Component does not maintain the  audit  files,  nor
audit  component, and these mechanisms need to be defined in
the Trusted Facility Manual.
A.3.3.2.2.  Design Documentation
_ _ _ _ _   ______ _____________
+ Criteria
(Class  C1  - Section 2.1.4.4;  Class C2 - Section  2.2.4.4;
Class C2+ - Section  2.2.4.4)
+ Interpretation
     A D-Component must meet the requirement as stated.   In
addition the Design Documentation must include a description
of the protocol used by the D-Component to communicate  Sub-
other components.  This protocol must be shown to be  suffi-
cient to support the DAC policy enforced by the D-Component.
+ Rationale
     A   D-Component   does   not    maintain    the    user
use some form of  authenticated  user  identification  as  a
basis  for  making  DAC decisions.  Such information must be
tocol.   The  protocol used by the D-Component may vary, but
t must be shown to be adequate to support  the  DAC  policy
n  from  a  given  port would be associated with the access
be  adequate  to  support a DAC policy of access granted, or
A.3.3.3.  Representative Application of D-Components
_ _ _ _   ______________ ___________ __ _ __________
     As an example of a D-Component, consider a system  that
n Figure A2.  The system is  rated  as  a  C2+  D-Component
against the requirements described above.
   Figure A2.  Representative Application of D-Components
   ______ __   ______________ ___________ __ _ __________
B1: box wid 1.15i ht .95i "Class  B3"  "Host"  B2:  box  wid
tion" "Facility)" at B1.e +(3i,0) B3: box wid 1.15i ht  .96i
"Class  C2+"  "D-Component" "(Single Level" "File Server" at
B2.s -(1.75i,.30i) B4: box wid  1.85i  ht  .96i  "Class  C2"
"Host" "(Network Identification &" "Authentication" "Facili-
ty)" at B1.s -(0,1.05i) B5: box wid 1.15i ht .96i "Class A1"
"Host"  at  B2.s  -(0,1.05i)  B6:  box  invis  "(S)" at B1.e
+(.50i,.30i) B7: box invis "(S)" at B2.w -(.50i, -.30i)  B8:
box  invis  "(S)"  at B4.e +(.50i,.2) B9: box invis "(S)" at
B5.w  -(.50i,.2)  A1:  arrow  <->  from  B4.e  to   (B3.s.x-
(B3.s.x+.2,B5.w.y) to (B3.s.x+.2,B3.s.y) A3: arrow  left  1i
from   B6.c  +(.48,-.15i)  A4:  arrow  right  1i  from  B7.c
-(.48i,.15i) A5: arrow down .39i from A4.w  A6:  arrow  down
     Such a C2+ D-Component may, as an example, be used in a
network  as  a  Single  Level  File Server.  The D-Component
could be  configured  with  several  communication  channels
(each  of  which  would be connected to single-level devices
leaving the system to be  connected  to  other  single-level
to be connected to single-level secret devices.   The  docu-
mentation  associated  with the D-Component must specify the
must  be  followed  on each connection to the component.  In
addition the documentation must specify the protocol used to
output  audit  information.   The  audit  protocol  must  be
exactly the same as the protocol of the audit node to  which
t  is  attached.  It is noted that the composition rules of
Section A.2 result in an evaluation  class  of  B3  for  the
overall NTCB.
A.3.4.  Identification-Authentication  Only  Components  (I-
_ _ _   ______________ ______________  ____  __________   _
Components)
__________
     Identification-Authentication Only Components are  com-
Authentication Policy as specified in the Network  Interpre-
tation  of the DoD Trusted Computer System Evaluation TCSEC.
completely  support  any of the three other network policies
(i.e., MAC, DAC, and Audit) as defined  in  the  Interpreta-
tion.
     I-Components belong to one of two classes,  C1  and  C2
(as defined by the requirements below).
     I-Components are rated according to the  highest  level
for which all the requirements of a given class are met.
A.3.4.1.  Overall Interpretation
_ _ _ _   _______ ______________
     In the requirements referenced, TCB will be  understood
to refer to the NTCB Partition of the I-Component.  Also any
mean  "the  I-Component  shall  produce audit data about any
auditable actions performed by the I-Component.''  In  addi-
tion  the  I-Component  shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.4.2.  Generally Interpreted Requirements
_ _ _ _   _________ ___________ ____________
     The requirements listed in Table A4 apply  directly  to
tion.
  Table A4.  I-Component Requirements That Can Be Applied
  _____ __   _ _________ ____________ ____ ___ __ _______
               Without Further Interpretation
               _______ _______ ______________
(Note:  Table not included)
A.3.4.3.  Specifically Interpreted Requirements
_ _ _ _   ____________ ___________ ____________
     The following requirements require additional interpre-
tation as indicated. -
A.3.4.3.1.  Trusted Facility Manual
_ _ _ _ _   _______ ________ ______
_________________________
  - For brevity, the following TCSEC  sections  contain
terpretation being interpreted, instead of  the  actual
+ Criteria
(Class  C1  - Section 2.1.4.2;  Class C2 - Section  2.2.4.2;
Class C2+ - Section  2.2.4.2)
+ Interpretation
     An I-Component must  meet  the  requirement  as  stated
except  for  the  words  ``The  procedures for examining and
maintaining the audit files as well as...''. These words are
nterpreted to mean "the mechanisms and protocols associated
+ Rationale
     An I-Component does not maintain the audit  files,  nor
audit  component, and these mechanisms need to be defined in
the Trusted Facility Manual.
A.3.4.3.2.  Design Documentation
_ _ _ _ _   ______ _____________
+ Criteria
(Class  C1  - Section 2.1.4.4;  Class C2 - Section  2.2.4.4;
Class C2+ - Section  2.2.4.4)
+ Interpretation
     An I-Component must meet the requirement as stated.  In
addition the Design Documentation must include a description
of the protocol used by the I-Component to export  Authenti-
cated Subject Identifiers to other components.
+ Rationale
     The  Authenticated  Identifiers  provided  by   an   I-
Component  will  not  be  primarily  used on the I-Component
tself but instead will be used by other Components  enforc-
ng  the  network DAC policy.  It is therefore necessary for
the I-Component to define the protocol which it will use  to
A.3.4.4.  Representative Application of I-Components
_ _ _ _   ______________ ___________ __ _ __________
     As an example of  an  I-Component,  consider  a  system
nected to single-level devices with the same access  class).
As   part  of  the  example,  consider  the  TAC  to  be  an
unclassified TAC (i.e., accessible through the phone  system
the system to be connected to other  single-level  unclassi-
fied  components  or, in the case of multi-level components,
to be connected to single-level unclassified  devices.   All
authentication is done in the TAC, and Authenticated Ids are
basis  for  DAC decisions and audit entries.  The documenta-
tion associated with the I-Component must specify the proto-
col  used to pass user-ids to the attached components.  This
tocol used to output audit information.  The audit  protocol
must  be  exactly the same as the protocol of the audit com-
B3 for the overall NTCB.
A.3.5.  Audit Only Components (A-Components)
_ _ _   _____ ____ __________  _ __________
     Audit Only Components are components which provide net-
TCSEC.  A-Components do not include the mechanisms necessary
to completely support any of the three other  network  poli-
cies  (i.e., MAC, DAC, and Identification-Authentication) as
     A-Components belong to one of two classes  C2  and  C2+
(as  defined  by  the  requirements below).  (The difference
between a C2 A-Component and a C2+ A-Component is  the  sup-
     A-Components are rated according to the  highest  level
for which all the requirements of a given class are met.
A.3.5.1.  Overall Interpretation
_ _ _ _   _______ ______________
     In the requirements referenced, TCB will be  understood
to refer to the NTCB Partition of the A-Component.
A.3.5.2.  Generally Interpreted Requirements
_ _ _ _   _________ ___________ ____________
     The requirements listed in Table A5 apply  directly  to
A-Components  as  interpreted  in Part I of this interpreta-
tion.
A.3.5.3.  Specifically Interpreted Requirements
_ _ _ _   ____________ ___________ ____________
     The following requirements require additional interpre-
tation as indicated.  -
_________________________
  - For brevity, the following TCSEC  sections  contain
terpreted, instead of the actual requirements.
A.3.5.3.1.  Design Documentation
_ _ _ _ _   ______ _____________
+ Criteria
(Class C2 - Section  2.2.4.4; Class C2+ - Section  2.2.4.4)
+ Interpretation
     An A-Component must meet the requirement as stated.  In
addition the Design Documentation must include a description
of the protocol used by the A-Component to import Audit Data
from other nodes.
+ Rationale
     The Audit component will potentially be used  for  col-
lection  of  audit  data  generated  on  many different com-
the information to the A-component in a form that will allow
the A-Component to create an audit  record.   The  mechanism
for  defining the acceptable form of information is the pro-
tocol used by the audit component.
A.3.5.4.  Representative Application of A-Components
_ _ _ _   ______________ ___________ __ _ __________
     As an example of an A-Component, consider a system that
s rate C2+ against the requirements described above.
     As part of the example, consider the A-Component to  be
operating at System High (Top Secret) collecting information
from several components through  single-level  (Top  Secret)
channels.   The  A-Component provides auditing functions for
the network as a whole.  The A-Component  defines  an  audit
cate information to the A-Component  which  results  in  the
creation  of  audit  records.  Note that in this example the
Auditor (i.e., the person responsible  for  reviewing  audit
files)  is  accessing  the  A-Component through an operators
console  attached  to  the  A-Component.   In  a   different
A-Component via another component,  in  which  case  the  A-
Component  would be responsible for enforcing an access con-
trol policy that defined which  users  (i.e.,  the  auditor)
could  view  audit data. This  would require the A-Component
to establish a user-id  passing  protocol  much  like  a  D-
Component.   It  is noted that the composition rules of Sec-
tion 3 result in an evaluation class of B3 for  the  overall
NTCB.
    Figure A1.  Representative Application of M-Components
    ______ __   ______________ ___________ __ _ __________
(Note: Figure not included)
   Table A3.  D-Component Requirements That Can Be Applied
   _____ __   _ _________ ____________ ____ ___ __ _______
                Without Further Interpretation
                _______ _______ ______________
(Note:  Table not included)
    Figure A3.  Representative Application of I-Component
    ______ __   ______________ ___________ __ _ _________
(Note:  Figure not included)
 Table A5.  Audit Component Requirements That Can Be Applied
 _____ __   _____ _________ ____________ ____ ___ __ _______
                Without Further Interpretation
                _______ _______ ______________
(Note:  Table not included)
                         Appendix B
                         ________ _
              Rationale Behind NTCB Partitions
              _________ ______ ____ __________
B.1.  Purpose
_ _   _______
     Part I of this  Trusted  Network  Interpretation  (TNI)
Evaluation Criteria (TCSEC)  appropriate  for  evaluating  a
network  of  computer  and communication devices as a single
the  Network  Trusted Computing Base (NTCB), which is physi-
cally and logically partitioned among the components of  the
network.   Implicit  to  this  approach is the view that the
network to be evaluated (including the interconnected hosts)
s  analogous  to  a single stand-alone computer system, and
can therefore be evaluated using the TCSEC under appropriate
nterpretation.   It is the purpose of this appendix to pro-
vide the main technical rationale and illustrative  examples
of help to the sponsors and evaluators of networks and  net-
cleanly partitioned into components  in  a  way   that  will
facilitate its eventual evaluation and certification.  It is
and  philosophical.   Therefore,  readers  whose interest is
tion may choose not to study this appendix in detail.
     The separate Appendix A, providing Interpretations  for
the  Evaluation  of Network Components, rests upon this view
as well: the evaluation of particular network components  is
viewed as a useful preliminary step for the eventual evalua-
tion of the network as a whole, which must proceed, however,
n  the context of an overall network architecture providing
a clean decomposition of an overall network security  policy
nto  policies  for  the individual components.  The overall
architecture and  design  will,  once  individual  component
evaluations have been finished, support the final evaluation
of the network as a sound composition of  trusted  elements,
each  enforcing its allocated policy, and together enforcing
the policy defined for the entire network.  Specific  guide-
lines  for  actually partitioning the various network policy
elements to components  are  presented  under  the  relevant
that such a partitioning is possible is presented here.
     It is emphasized that the view of  what  a  network  is
(and  how  its  NTCB may be partitioned into NTCB partitions
completely  contained  in  individual  network   components)
the evaluation and assignment to the  network  of  a  single
certification  as  meeting  the  TCSEC  criteria for a given
evaluation class.  It is recognized that this goal  may  not
be  appropriate for every circumstance, or meet the needs of
The  risk assessment and accreditation of such systems is an
mportant and interesting problem.  It is not, however,  the
entire network which is to support a network security policy
      _ ______
B.2.  Background and Overview
_ _   __________ ___ ________
B.2.1.  Organization of this Appendix
_ _ _   ____________ __ ____ ________
     The material within this appendix is organized as  fol-
lows. Section B.3 discusses some considerations for properly
formulating the policy to be enforced by the  network  NTCB,
and its allocation to the various components of the network.
Section B.4 presents an argument supporting the adequacy  of
the partitioned NTCB view and the conclusion that the refer-
ence monitor for an entire network may be implemented  as  a
collection  of  locally autonomous reference monitors.  Sec-
tion B.5 discusses the idealization of  intercomponent  com-
munications channels, assumed as an axiom in Section B.4, in
the context of real communications  channels,  and  provides
nsight into when the techniques of communications security,
and when the techniques of trusted  systems  technology  are
applicable.   Section B.6 provides additional rationale sup-
B.3.  Security Policy
_ _   ________ ______
     The TCSEC Glossary defines ``Security Policy'' as ``the
organization manages, protects,  and  distributes  sensitive
nformation''.   It should be noted that ``Security Policy''
s a distinct notion from that of ``Formal  Security  Policy
Model''  and  a  ``Security  Policy Model''.  The ``Security
trolling the access of people to information.
                       ______
     Because a Security Policy concerns, by definition,  the
access  of people to sensitive information and includes both
manner  that  is free of computer, network, or communication
network  ultimately  is  possible  only if a single, uniform
network security policy can be adopted by the  organizations
by the network and its components.  The existence of such  a
network  is  to  be used to allow the sharing of information
among many  organizations,  the  definition  of  a  mutually
acceptable  Security  Policy applicable to that sharing must
be an early goal during the design of  the  network  if  the
bility is desired.
B.3.1.  Mandatory Access Control Policies
_ _ _   _________ ______ _______ ________
     One may observe that, for those  access  controls  nor-
mally  denoted as ``Mandatory Access Controls'', the defini-
tion of a mutually acceptable joint policy may  be  expected
to  be  relatively  straightforward,  as  such  controls are
based, by definition, upon the comparison of a label  denot-
ng  the  sensitivity of the information contained within an
nformation repository with a user  clearance  denoting  the
formal  authorization  of a user to access that information.
The definition of a jointly acceptable  policy  may  involve
the merging of several systems of classifications and clear-
ances into a unified system; in practice, if the systems  in
use  by the various organizations are not already identical,
those responsible for the protection of  information  within
each  organization must determine which external user clear-
ances will be honored as an  adequate  basis  for  providing
access to which classes of information.
     It may also be true that a particular organization  may
      __
or  private  institutions  may be so characterized)-.  It is
class and clearance level (i.e., every user belonging to the
nstitution  has clearance to access all information belong-
ng to the institution, except as refined by  less  rigorous
access  controls).   Thus,  it could well be that an overall
for an arbitrary collection of institutions wishing to share
nformation using a network, can be resolved in a relatively
ssues and effects  of  particular  decisions  are  easy  to
understand.
B.3.2.  Discretionary Access Control Policies
_ _ _   _____________ ______ _______ ________
     Turning to those policies characterizable as  involving
Discretionary   Access  Controls,  one  finds  substantially
might  adopt.   The  notion  of  ``Discretionary Access Con-
trols'', as defined in the TCSEC Glossary, involves the res-
triction  of  access  by users to information based upon the
dentity of the users or their membership  in  a  particular
access to an object  containing  information  to  pass  that
authorization  to  other users or groups either directly, or
_________________________
  - See,  for  example,  Steven   B.   Lipner,   ``Non-
Discretionary  Controls  for Commercial Applications'',
____ ___________ __ ___ ____ _________ __ ________  ___
_______
ndirectly (viz., by copying it and providing  authorization
to  access  the  copy).   Within  these  limits, there is an
extremely broad range of permissible policies, differing  in
the  modes  of  access that may form the basis for controls,
and the mechanisms that may be defined for users to limit or
expect, therefore, that when designing a network, the formu-
lation  of  an  overall  Discretionary  Policy by a group of
organizations may require a period of intensive  generaliza-
tion of policy.  Moreover, the overall policy resulting from
this activity may be expected to  depend,  to  a  relatively
large  extent,  upon  the  underlying capabilities and func-
tionality ascribed to the network.
B.3.3.  Supporting Policies
_ _ _   __________ ________
     In addition to the basic access control policies  (man-
tional capabilities relating to the accountability of  indi-
viduals for their security-relevant actions.  These capabil-
ties are usually thought of  as  comprising  ``supporting''
effective enforcement and monitoring  of  the  basic  access
     Accountability requirements are comprised of two  major
cy, and audit policy.  The former supports  both  mandatory
and  discretionary  access  control policy by specifying the
of  an  individual  prior to permitting access, is the basis
for determining the clearance of an individual in  the  case
of mandatory access policy, is the basis for determining the
ary  access policy, and is the basis for recording the iden-
tity of  the  individual  taking  or  causing  an  auditable
action.
     Audit policy proper provides for the recording of those
for the security-relevant actions they take.
     The supporting policies adopted by different  organiza-
tions  may differ even more widely than discretionary access
control  policies.   The  task  of  formulating  a  mutually
acceptable   set  of  overall  supporting  policies  may  be
expected to be even more challenging for the sponsors  of  a
network than for discretionary policy.
B.3.4.  Formal Security Policy Model
_ _ _   ______ ________ ______ _____
     As defined in the TCSEC, a Formal Security Policy Model
Whereas the objective  of  stating  Security  Policy  is  to
authority, the purpose of a Formal Security Policy Model  is
to  serve  as a precise starting point in the chain of argu-
ments leading to the higher levels of assurance required for
Class B2; it is not introduced earlier because the chain  of
arguments  needed  for  lower  evaluation  classes  does not
this observation is that the definition of a Formal Security
Model is not a gratuitous requirement, but serves  the  pur-
     Current practice  requires  a  formal  security  policy
model  only  for the access control policies to be enforced.
The model is a representation of the reference monitor for a
tion is strongly influenced by the technical characteristics
of the system to be built, as the feasibility and economy of
constructing the chain of assurance arguments needed to sup-
tially increased by utilizing a model  that  has  an  intui-
tively  attractive  resemblance  to the abstractions of sub-
     As previously described, the reference  monitor  for  a
kernels for individual components.  In order to  obtain  the
mulated  for  each such component.  We would argue, however,
that it is too restrictive to require that the formal  model
for  each  security  kernel  be the same, or that an overall
model be formulated for  the  network,  provided  that  each
model   is   shown  by  convincing  arguments  to  correctly
component.   As  the  only  function of a formal model is to
and designers of network components should be free to choose
that model which will most efficiently serve  this  purpose,
model  be  an accurate representation of the Security Policy
to be enforced by the component.
B.3.5.  Summary of Policy Considerations for a Network
_ _ _   _______ __ ______ ______________ ___ _ _______
     In summary, a precondition  for  the  evaluation  of  a
networked  system of computers is the formulation of overall
mandatory (when applicable), discretionary,  and  supporting
organizations  involved,  and  stated  in  terms  of  people
accessing  information  (i.e., free, to the extent feasible,
of computer and network jargon).  In the case  of  mandatory
to involve the  relatively  straightforward  issues  of  how
clearances  in  use by one organization are to relate to the
nformation access classes in use by  another  organization:
the  formulation of appropriate discretionary and supporting
cantly  influenced  by  the  particular network architecture
chosen.
B.4.  Derivation of the Partitioned NTCB View
_ _   __________ __ ___ ___________ ____ ____
B.4.1.  Introduction to the Partitioned NTCB Concept
_ _ _   ____________ __ ___ ___________ ____ _______
     Using the definitions  provided  above,  the  following
conclusion  may be stated: if it is supposed (1) that a sub-
time,  (2)  that  it may directly access only objects within
ts component, (3) that every component contains a component
(and enforce the same access control policy), and  (4)  that
all   communications  channels  linking  components  do  not
compromise the security  of  the  information  entrusted  to
them,  one  may  conclude  that the total collection of com-
network.   The  conclusion  follows  because (1) all network
accesses  are  mediated  (because  there  are  no  non-local
accesses);  and  (2) the network reference monitor cannot be
tampered with (because none of its component reference moni-
tors can be tampered with), and it is simple enough to vali-
s assured if the correct operation of each of its component
against  access  across components prevents the introduction
of additional complexity).
     It is useful,  before  expanding  this  basic  argument
examine briefly the individual preconditions  (axioms)  that
must  be  met  in  order for the conclusion to be valid, and
be  achieved within the current state of network technology.
Generally, the crucial step the sponsors and architects of a
ts partitioning into components and communication  channels
n such a way that all of the axioms can be easily validated
by the evaluators.
     The first axiom is that regarding confinement  of  sub-
notion of a subject as a  pair is  adequate
to fulfill this axiom, provided it is recognized that limit-
ng the access of subjects to objects within the  same  com-
than one component.  It follows that no subject may ``move''
from  one  component  to  another.  Even if we permit (as is
execution  begins  in  a  remote component a new subject has
been introduced (because there has been a change in  protec-
tion domains).
     The second axiom requires that a  subject  be  able  to
the subject is associated.  The major theoretical  issue  to
be  confronted  is  to  understand  how  information  may be
transmitted  between  components  without  the  sharing   of
objects  between them.  This issue is explored in some depth
n Section B.5.  Logically, the connection of components  by
an  ideal  communication  channel is viewed as involving the
transfer of information from one device to  another  without
the  existence of an intermediate object. (i.e., information
``in motion'' is not regarded as an object -  a  view  which
``comes to rest'' within the destination component - and  is
then  within an object again).  This view is consistent with
the TCSEC Glossary definition of ``object''  which  includes
the  sentence,  ``Access  to  an  object potentially implies
access to the information it contains''.   For  a  Security-
Compliant   communication   channel  (discussed  in  Section
B.6.2), there are no subjects with potential access  to  the
nformation  being transmitted while it is in transit: it is
                               _____ __ __ __ _______
therefore unnecessary (and misleading) to treat such  infor-
mation  as an object.  (This argument is invalid for complex
channels, which contain internal subjects, which is the rea-
     The third axiom requires that every component contain a
component  reference monitor which enforces that part of the
network access  control  policy  relevant  to  subjects  and
objects  within the component.  In validating this axiom, it
s important to understand that for  certain  components,  a
for a dedicated component for which all subjects and objects
zation and sensitivity,  respectively,  so  that  no  local
access  attempts  need  be  denied  on  the  basis of policy
enforcement).  It is logically equivalent, in such cases, to
claim  that  there  is a reference monitor (which never does
anything) or that there is  no  reference  monitor  (because
nothing  ever  needs  to  be done).  It is also important to
understand that each reference monitor need only to  enforce
that  subset  of access control policy relevant (in terms of
the network system architecture) to the local accesses  pos-
     The fourth axiom requires that communications  channels
between  components not compromise the security of sensitive
nformation entrusted to them.  Establishing that this axiom
s  actually met is a complex problem with some issues dealt
tion  for  use. A detailed discussion of the issues involved
s provided in Section B.6 of  this  Appendix.   Until  that
components of the network, and their composition into a com-
B.4.2.  Overview of the Argument for a Partitioned NTCB
_ _ _   ________ __ ___ ________ ___ _ ___________ ____
     To present the concept of a partitioned NTCB, and  show
analogous to a network of  ``loosely-coupled''  NTCB  parti-
tions  is  described  as  running upon a single, stand-alone
computer system with a TCB  assumed  to  be  evaluatable  in
terms of the existing Criteria.  A series of transformations
s then performed upon the simulation, that convert it  into
the  hypothesized  network  with a single, partitioned NTCB.
This argument is meant to demonstrate  that  the  notion  of
NTCB partitions is conceptually sound and does not require a
effect,  the  argument  serves  as  a   constructive   proof
(although  informally stated) that a trusted network is sim-
B.4.3.  Characterization of the Target Monolithic System
_ _ _   ________________ __ ___ ______ __________ ______
     Consider first a multiprocessor, multiprogrammed monol-
thic computer system, presumed to conform to the TCSEC Cri-
teria at, for example, a Class B2 level or higher.  It has a
Formal  Security  Policy  Model, e.g., the Bell and LaPadula
model, and it has been shown that  the  system  is  a  valid
nterpretation  of that model.  In the presumed system, sup-
concurrently executing processors, which are tightly-coupled
on a single bus.  (Worked examples of such systems  targeted
for  Class  B2 or higher exist).  Since this is a monolithic
tiprogramming  operating system, it can support a given pro-
cess on any processor, which can  (potentially)  access  any
memory  segments it may need to share with any other process
on any other processor.  Additionally, each process can  use
calls to the TCB.  In  particular,  assume  that  there  are
available multilevel I/O channels which can be controlled by
multilevel trusted processes executing under the control  of
the TCB.  Each multilevel channel conforms to the concept of
a connected multilevel device as  identified  in  the  TCSEC
Criteria.
B.4.4.  Characterization of the Loosely-Coupled Trusted Net-
_ _ _   ________________ __ ___ _______ _______ _______ ____
____
     Next, consider an arbitrary network architecture,  con-
network interface units, hosts, etc.) processing information
at  various  levels,  connected with communication channels,
viz., (1) each subject is confined to  a  single  component,
(2)  no subject may access an object within a different com-
are interconnected via a  multilevel  communications  subnet
(which  may itself be composed of components and simple com-
munications channels.  Subjects within one component can (by
nteracting  with  the  appropriate  device  drivers)  cause
nformation to be exchanged between components in  a  secure
     Note that a point-to-point connection may be abstracted
as  a pair of devices (one at each end) linked by a communi-
cation medium.  A broadcast channel may be abstracted  as  a
munication medium.  The  hypothesized  network  may  contain
both single-level and multi-level connections.
B.4.5.  Simulation of the Network on the Monolithic System
_ _ _   __________ __ ___ _______ __ ___ __________ ______
     The proposed system may be simulated in a very  natural
     Each component subject (in the network) is simulated as
a single subject (on the monolithic target system.) For rea-
there is a processor available for each network component.
     All of the communication devices are  provided  as  I/O
as appropriate.  For each device, it is supposed that  there
s a server subject, which correctly implements the protocol
ascribed to the communication channel  and,  for  multilevel
trusted subject.  As each device is local  to  a  processing
node  in the network system, it is made local to the associ-
ated processor in the monolithic computer system  (i.e.,  it
s accessible only by that processor).
     Finally, the I/O devices are linked using the appropri-
ate  physical  media, (which is considered to be external to
the system): in pairs, for point-to-point channels,  and  in
     The simulation is now an accurate representation of the
thic system, it  is  secure  to  the  degree  of  assurance
ascribed  to  the  monolithic system, subject, of course, to
the provision of appropriate levels of  communication  secu-
a network must have to be simulated in the way described.
B.4.6.  Transformation of the  Monolithic  Simulation  to  a
_ _ _   ______________ __ ___  __________  __________  __  _
Distributed System
___________ ______
     It is instructive to examine certain of the  properties
of the network simulation.
     It may be observed that there are no application memory
a  single  network  component  to  a single processor of the
monolithic system, and from the rule (for the network)  that
no subjects access objects in a different component.
     Furthermore subjects executing on different  processors
mechanisms provided by the TCB; all inter-processor communi-
cation  is  provided  by  means  of the I/O device protocols
embedded in the I/O device drivers, which are  part  of  the
TCB.   Moreover,  the (correct) operation of these protocols
usable  in  the network being simulated, and thus presumably
     Thus, outside of the security kernel,  no  memory  seg-
ments  are  shared by any two processes running on different
all  application  segments  may be moved (without effect) to
the appropriate processor-local memory address space.   Sup-
copies of the TCB code may also  be  removed  to  the  local
memory  address  space  of  each  processor  without effect.
Similarly, internal TCB data structures that  have  elements
that  are accessed only by a single processor can be removed
to the local memory of that processor without effect.
     It may be noted (based upon available worked  examples)
that  the  only data structures within the TCB, that must be
                                                     ____
ever, in the simulation just described, there  are  no  such
all  via  external  communication  channels),  and  the only
none.
     Thus, in the particular network  simulation  described,
underlying TCB, that potential is never exercised.  The par-
titioning  of  code  and  data described allows the internal
titioned  and  removed to processor local memory throughout,
nal  restructuring  in  no  way affects the operation of the
Criteria (for the specific application).
     Another result of the described partitioning and local-
zation of the TCB is that no communication ever takes place
over the system bus: all of the TCB  tables  may  be  locked
locally  so that no inter-processor communication within the
TCB is required, and there are no  global  memory  segments.
affecting either the operation of the system or its  compli-
ance  (in  this  particular  case)  with  the  Criteria.  An
nteresting observation is that no single step in  the  res-
tructuring  described  can  be regarded as changing the fact
that the collection of processors is utilizing a single TCB,
tion that impels one to conclude that a single  TCB  can  be
     The resulting partitioned TCB is now examined.   Within
the  TCB are a set of (trusted or untrusted, as appropriate)
attempting to utilize that device).  The driver subject, its
code, and its data may therefore be  removed  from  the  TCB
the device is local.  Again,  the  system  remains  a  valid
nterpretation  of the model, and remains compliant with the
Criteria.
     The resulting system still has  only  one  TCB,  parti-
tioned  among  a number of asynchronous processors, with the
code and data for supporting various devices  provided  only
local devices.  The only links between the physical  proces-
                    ____
channels provided.  These channels are afforded, it has been
assumed, the appropriate levels of physical security by com-
munications security techniques, just as they  would  be  if
they  were media connecting a computer to a remote terminal:
the provision of this physical security is an axiom  in  the
                                              _____
context  of  evaluating  the  validity  of the system from a
``computer security'' point of  view.   (This  is  discussed
fully  in  section  B.6, as the importance of communications
must not be trivialized).
     Each processor, and  its  associated  devices,  is  now
a single TCB, which has, however, been  transformed  into  a
  ______
collection  of  TCB partitions, each of which is responsible
for enforcing access control policy within its ``local  par-
tition'', or component.
     The TCB in a particular box may now be replaced  by  an
equivalent  TCB  (that  is,  a  TCB  with the same top-level
adherence to the TCSEC Criteria.  In fact, both the hardware
and software TCB bases within a partition could be replaced,
as long as the replacement has the same (or greater) evalua-
tion  class  and  completely  honors the interface protocols
(and thus, for example,  correctly  receives  and  transmits
labeled  datagrams) defined for the devices connecting it it
     Finally, the particular Formal Security  Policy  Models
upon  which  the  TCBs  within  each  box are based might be
allowed to differ without adverse impact, so  long  as  each
model  used was a valid representation of the single Network
Security Policy to be enforced, as allocated to the  activi-
ties of the application subjects within the box.
B.4.7.  Conclusions Regarding the Simulation Argument
_ _ _   ___________ _________ ___ __________ ________
     This informal argument shows how a network of  process-
ng nodes, which are ``locally autonomous'' (with respect to
their enforcement of a global  Security  Policy  for  access
controls),  can  be  simulated  upon  a  clearly evaluatable
monolithic system with a security kernel, and, in turn,  how
that  system can be physically partitioned into a confedera-
tion of components, each with its own  TCB  partition.   The
ts essential features, and is clearly in harmony  with  the
ntent  of  the  TCSEC  Criteria.  This argument provides an
ntuitive basis for the interpretation of the Criteria  pro-
vided in the TNI.  It also shows the sense in which the col-
lection of NTCB partitions may be viewed as forming a single
                                                      ______
NTCB: there is a single NTCB because there is a single Secu-
each  NTCB  partition  upon  its  local subjects and objects
(i.e., upon the resources it controls).
     Of significance for the design and evaluation  of  net-
that under the assumptions that an overall Network  Security
between components function correctly, (i.e.,  maintain  the
clearances, and names of objects), there  is  no  compelling
cessing node be obtained using the same Formal Security Pol-
cy Model.
B.5.  Cooperation Among Partitions
_ _   ___________ _____ __________
     In this section we focus on that part of the NTCB  out-
mplementation of supporting policies and typically  carried
out by trusted subjects.  Some non-kernel NTCB functions are
essentially the same as those normally provided  in  a  non-
networked trusted computer system, such as login authentica-
tion of local users.  Such functions in  an  NTCB  partition
can  be  understood  in  terms  of the services they perform
     Other non-kernel NTCB functions  provide  distinctively
network-related  services that can best be understood in the
context of the  network  security  architecture.   We  shall
essential task of these functions is to implement a protocol
for  conveying security-critical information between trusted
not an end in itself, but a means to accomplish services for
of a single-level communications channel.  While  each  com-
ts own end of a channel, a trusted protocol is required  to
coordinate the changes.
     In this section there will be two brief examples illus-
trating  the  relationship between a network security archi-
tecture and an  associated  trusted  network  service.   One
example  network  uses  trusted  network interface units and
encryption.   After  the  examples, design specification and
verification of trusted network services will be discussed.
B.5.1.  Trusted Interface Unit Example
_ _ _   _______ _________ ____ _______
     Consider a network in which untrusted  hosts  operating
at   various  single  security  levels  communicate  through
trusted  network  interface  units  (TIU's)  that  send  and
munication subnet.  The function of a TIU is to  place  mes-
labels on incoming messages, so  that  hosts  may  send  and
accreditation.
     Because the communication subnet  carries  messages  at
all levels, the I/O device connecting any TIU and the subnet
s single-level system-high.  But the connection between any
TIU  and  its host is at the level of the host.  Thus, a TIU
for a low-level host must contain  a  trusted  subject  that
     There is a trusted protocol in this example, though  it
s  relatively  trivial, since it merely identifies a header
field in each message  that  should  contain  a  sensitivity
label,   and  perhaps  also  a  checksum  to  guard  against
transmission errors.  A protocol of this  kind  is  required
tilevel communications channel.  See section 3.1.1.3.2.1  of
B.5.2.  End-to-End Encryption Example
_ _ _   ___ __ ___ __________ _______
     Consider a network in which hosts operating at  various
cessors (TFE's) that send  and  receive  encrypted  messages
over  a public communication subnet.  Suppose that the TFE's
obtain encryption keys at the level of the information to be
to  the  network  in  the same way as a host.  A key is sent
from the KDC to a TFE upon request, using  an  appropriately
certified protocol that authenticates both the requester and
the new key.
     The purpose of key distribution is really to support  a
trusted local service within the TFE, namely, the ability to
transform classified messages from the host  into  unclassi-
fied  encrypted  messages suitable for transmission over the
     Part of the  trusted  network  service  is  implemented
of information being communicated, and must also decide,  on
the basis of an access control policy, which TFE's may share
keys.  A single level subject in the KDC at the level of the
nformation  which  the  key  is  for  does  not necessarily
ous levels must correctly implement a certain policy  and  a
certain protocol.
B.5.3.  Design Specification and Documentation
_ _ _   ______ _____________ ___ _____________
     To obtain the level of assurance needed for systems  of
Evaluation Class A1, a formal top-level specification (FTLS)
of the NTCB is required, including a component FTLS for each
NTCB partition.  As in the case of stand-alone computer sys-
tems, non-kernel portions of the NTCB must be specified even
though they support policies that are not part of the access
control policy represented in  the  formal  security  policy
model.   In  particular, software supporting trusted network
     Where a trusted network service supporting  the  manda-
tory  policy depends on a protocol, the protocol will neces-
As  a  minimum, the role of the trusted subject in each NTCB
to  understand  a  protocol by looking at each participating
n  which the lines have been sorted by character.  For pur-
exhibits the  interactions  between  participants,  and  the
correspondence  between this representation and the relevant
     Just  as  the  FTLS  of  a  stand-alone  TCB   contains
tables, the FTLS of an NTCB contains representations of pro-
tocol entities and concepts, such as connections, where they
occur, such as in trusted network service specifications.
     In the end-to-end encryption example, correspondence of
the  FTLS  to the trusted network services supporting policy
that  all  data transmitted over the communication subnet is
encrypted with the proper key (e.g., for the  correct  secu-
n accordance with its access  control  restrictions.   Both
tions between hosts.  In the trusted interface unit example,
the  correspondence  should  show  that  each  TIU marks and
checks message labels in accordance with a given host label.
B.5.4.  Summary
_ _ _   _______
     Some non-kernel NTCB functions  in  a  network  may  be
characterized  as  trusted  network  services.  They provide
trusted protocols to implement security-critical cooperation
between  trusted  subjects  in  different  NTCB  partitions.
Showing correspondence between the FTLS for  these  services
and  their  supporting policies implies proving certain pro-
architecture.
B.6.  Communication Channels Between Components
_ _   _____________ ________ _______ __________
     In this section the communication channels used to con-
nect  components are examined more closely, with the goal of
understanding when the characteristics of a particular chan-
nel are relevant to the security characteristics of the sys-
tem, how the characteristics of such a  channel  are  to  be
evaluated  and related to the overall evaluation of the net-
ment  of the adequacy of the network to support a particular
application of it preceding its accreditation.
     The discussion is organized into  the  following  major
channel'' is related to the technical  terminology  provided
by  the  TCSEC  Glossary.  In section B.6.2, the notion of a
``Security-Compliant  communication  channel''  is  defined.
The  remaining  parts  of  the section discuss the important
cases of channels that are single-level and  multilevel  (in
the mandatory policy sense).
B.6.1.  Basic Notion of A Communication Channel
_ _ _   _____ ______ __ _ _____________ _______
     For the purposes of the TNI the network is viewed as  a
communication channels.  The term ``communication  channel''
s  used as a refinement of the term ``channel'', defined in
the TCSEC Glossary as ``an information transfer path  within
a  system.''  The  term  may  also refer to the mechanism by
architecture be formulated in  sufficient  detail  that  all
communication  channels  are  Security-Compliant  as defined
below.
     ``Point-to-point'' communication channels are discussed
first.  The  notions  of ``communication channel'' and ``I/O
nel  is  viewed as consisting of two I/O devices (each local
to the component it is attached to) coupled by a  communica-
tions  medium  (which  may  in  reality consist of a complex
arrangement of internal devices,  switches,  and  communica-
tions  links).   From  the  point of view of the components,
nformation is transmitted via the transmitting and  receiv-
ng  devices in a sufficiently error-free, physically secure
fashion to merit the particular labels associated  with  the
and evaluator of a particular network to confirm  that  this
condition  is  met  to  an  appropriate  level of assurance,
This  requirement,  which is a boundary condition upon which
the evaluation of the NTCB partition itself, will  typically
be  met  by  a  combination  of error-detection and recovery
techniques, cryptographic techniques, and  other  communica-
tions  security techniques as addressed in Section 9 of Part
(Note:  Figure not included)
        Figure B1.  Point-to-point communication channel.
     For example, two processing nodes connected by a single
channel  would  be  modeled as shown in Figure B1.  Here, we
to communicate, via I/O Device D2, with processing component
more complicated.) Subject S1 in component P1  may  transmit
nformation  to  a subject S2 in P2 as follows: each subject
obtains an object of the appropriate  class  for  use  as  a
buffer.  Each subject attaches its locally available device.
Subject S1 in P1  then  transmits  the  information  in  its
buffer  to D1; subject S2 receives the information via D2 in
ts buffer.  Note that in this  description,  it  was  quite
unnecessary  to  introduce  the  notion  of  either a shared
object or a shared device.  Of course, the  details  of  the
nter-communication will depend upon a shared communications
     Broadcast communication channels are only slightly dif-
ferent,  from the point of view adopted within the TNI, from
a  receiver,  a transmitter, or a transceiver in nature.  It
s assumed that anything transmitted by a transmitter can be
the communication protocols being executed  by  the  various
action by a particular receiver.)
B.6.2.  Security-Compliant Channels as the Basis for Evalua-
_ _ _   ________ _________ ________ __ ___ _____ ___ _______
tion
____
     Communication channels in trusted network  architecture
must  be Security-Compliant. A channel is Security-Compliant
         ________ _________
f the enforcement of the network policy depends  only  upon
characteristics  of  the  channel either (1) included in the
evaluation, or (2) assumed as a installation constraint  and
clearly documented in the Trusted Facility Manual. The first
approach tends to produce evaluated  network  systems  whose
tion or configuration choices. The  second  approach  yields
evaluated  network  systems  whose security is more strongly
conditioned upon the appropriateness of installation or con-
figuration  choices; however, the conditions and limitations
of the evaluation are clearly documented.
     The overall security of the network can be assessed  by
verifying the correctness of the NTCB partitions (an evalua-
tion issue) and by verifying that the required environmental
constraints  documented for all communications channels are,
n fact, met by the installation (an  accreditation  issue).
The thrust of this section is to show that channels that are
not Security-Compliant may be reduced to  Security-Compliant
channels  so  that the resulting architecture will support a
viable network  evaluation.  Three  general  techniques  are
available for rendering a channel Security-Compliant: 1) the
utilization of the channel for  security-critical  transmis-
NTCB partitions of the components linked by the channel;  2)
end-to-end  communications technologies (such as encryption)
may be installed and evaluated as part of  the  linked  NTCB
and  3) constraints on the intrinsic characteristics assumed
for the channel may be documented in the Trusted  Facilities
Manual. The last approach, in effect, reserves determination
of the adequacy of a particular channel to  the  accreditor:
the  evaluation  proper  will be based upon a communications
channel, which will be assumed to have the  desired  charac-
teristics.
     The evaluation effort is focused upon establishing  the
correctness  of  the technique, or combination of techniques
employed. The adequacy of the mechanisms is an accreditation
ssue.   For  example, the issues related to the adequacy of
     A channel can be made  Security-Compliant  by  using  a
combination  of the above techniques: cryptographic sealing,
for example, addresses the  issues  of  both  prevention  of
unauthorized modification and error-detection. In evaluating
each channel,  three  vulnerabilities  related  to  external
environmental  factors and one related to internal exploita-
tion must be addressed. They are as follows:
        modification of sensitive information in transit
        information,  (e.g.,  non-delivery, misdelivery, and
        delivery of erroneous data) the delivery of which is
        required for the correct operation of the NTCB (such
        as audit records or inter-partition security coordi-
        nation)
        critical  data, such as transmitted security labels,
        due to noise.  (Note that changes due  to  unauthor-
        ized  modification  are  categorized as a communica-
        tions security problem)
        mechanisms to signal information covertly
     The use of a channel as a  covert  signaling  mechanism
analysis  of  the  channel  drivers,  which  are part of the
linked NTCB partitions, is performed.  See the Covert  Chan-
nel  Analysis  section in Part I.  Techniques for addressing
the remaining three vulnerabilities are listed below.
     The first vulnerability, to the security  of  sensitive
nformation  in transit, must be addressed by one or more of
the following techniques:
        Manual that the installed channel be completely con-
        tained  within  an   adequate   security   perimeter
        (thereby  deferring  an  assessment of compliance to
        accreditation)
        munications security techniques which are documented
        and evaluated as part of the NTCB partitions  linked
        by the channel
        transmission  of  non-sensitive information by means
        of controls internal to the NTCB  partitions  linked
        by the channel
     Vulnerability of a channel to the  unreliable  delivery
of security-critical information must be addressed by one or
more of the following techniques:
        Manual  that  the  channel be comprised of intrinsi-
        cally reliable media and devices (thereby  deferring
        an assessment of compliance to accreditation)
        cols  for  the  reliable transmission of information
        within the NTCB partitions coupled by  the  channel,
        which will thereby be evaluated for correctness
        delivery of which is not critical to the functioning
        of the NTCB, by means of controls  internal  to  the
        NTCB  partitions  linked  by the channel, which will
        thereby be evaluated for correctness
     Vulnerability of a channel to noise, which may comprom-
se the correctness of security-relevant data (such as secu-
ng techniques:
        Manual  that  the  channel be comprised of intrinsi-
        cally noise- free media and devices (thereby  defer-
        ring an assessment of compliance to accreditation)
        reduction  techniques  within  the  NTCB  partitions
        linked  by  the  channel,  which  will  thereby   be
        evaluated for correctness
        noise-free  delivery of which is not critical to the
        functioning of the NTCB, by means of controls inter-
        nal  to  the  NTCB partitions linked by the channel,
        which will thereby be evaluated for correctness
     Three example scenarios are provided below, showing how
these techniques might be employed.
     Example A.  Two loosely-coupled  trusted  coprocessors,
     _______ _
one  in  active use and the other in ``hot standby'', are to
be   linked   by   a   dedicated   communications   channel.
Significant  amounts of dynamic, security-relevant data will
be exchanged over this channel.  The channel must be trusted
to  preserve label integrity and provide reliable and noise-
free delivery of security-critical  data.  Noise  is  not  a
environment.
     The simplest evaluation strategy would be  to  document
the required environmental constraints in the Trusted Facil-
ties  Manual:  that  the  channel  be  placed  within   the
``system-high'' security perimeter, and that it be comprised
of intrinsically reliable and noise-free media and  devices.
During  evaluation  the  proper  documentation of these con-
nel in the physical installation to them would be an accred-
tation issue which, in this  case,  would  (apparently)  be
easy  to  verify.  This  evaluation  approach would have the
advantage of allowing replacement of  the  original  channel
evaluation (although the system would have to be  accredited
again).
     Example B.  Numerous  single-level  hosts  (at  several
     _______ _
levels)  are  interconnected via a multilevel packet switch,
munities  of hosts of the same level. Communications between
level of each host is determined at the switch by internally
labeling the hard-wired communication ports. The  communica-
tion channel must be secure (separation of data of different
levels must be maintained), but it need be neither  reliable
nor noise-free (from the point of view of security).
     Two quite different approaches  might  be  regarded  as
first, (and most natural), the architecture would be  refor-
mulated  to  show  the packet switch as a network component,
connected to each host with a single-level channel.  Network
nels be constrained to  be  located  within  an  appropriate
tained), and that no security-critical information requiring
either reliability or fidelity is transmitted over them. The
the first during accreditation.
     A second (radical) approach would be to insist that the
case, it is difficult to  see  how  the  required  Security-
Compliance  is  to be attained while encompassing the packet
not  in use, and it is obvious that sensitive information is
being transmitted. The sponsor could document  a  constraint
upon  the  interconnection  of  hosts  that  the  (nominally
tion, but it is also then dropped from  the  description  of
the  network  being  evaluated,  and  is replaced by ``nomi-
nally'' Security-Compliant  point-to-point  channels,  docu-
mented in the Trusted Facilities Manual. The decision to use
a particular multilevel packet switch to meet the documented
bility  of the accreditor of such a system alone. In effect,
originally envisioned system)
     Example C.  Two trusted multilevel systems are to  con-
     _______ _
noisy, unreliable, and insecure. The data is to be encrypted
and   cryptographically  sealed.  Reliable  transmission  is
enforced  by  non-NTCB  software.  (This  is  not  security-
an insecurity).
     The communications security and  cryptographic  sealing
techniques must be included within the evaluated NTCB parti-
tions. Assessment of their correctness will be part  of  the
evaluation, and assessment of their adequacy, based upon the
true sensitivity of the  information  transferred,  will  be
ability, the NTCB internal control mechanisms preventing the
utilization  of  the channel for security data needing to be
transmitted reliably must be documented  and  evaluated  (in
this  case,  the  argument  is probably the degenerate case:
that no such information  exists.)  See,  for  example,  the
Encryption Mechanism section in Part II.
B.6.3.  TCSEC Criteria for Multilevel Communication Channels
_ _ _   _____ ________ ___ __________ _____________ ________
     In this section, those TCSEC Criteria relevant  to  the
utilization  of  communication  channels within networks are
examined, from the point  of  view  of  countering  internal
threats.   As  the  Criteria  for  Class  A1  are  the  most
classes, they are the basis for the discussion.
     The Class A1 Criteria (Section 4.1.1.3.4) requires that
``the  TCB  shall support the assignment of minimum and max-
mum security levels to all attached physical devices.'' The
basis  for making this designation is also stated in Section
the  physical  environments  in  which   the   devices   are
located''.
     In the case of a communication channel connecting  com-
nterpreted to include the environment of  the  devices  and
the  medium linking them.  The range of access classes (from
the Network Mandatory Access Control Policy) to be  assigned
to  the channel must take into account the physical security
afforded to the medium, the  communications  security  tech-
niques  that  have  been  applied  to the secure information
being transmitted through the medium, the physical  accessi-
bility  of  the  devices  involved  in  the channel, and the
ntended use of the channel from an architectural  point  of
view  for  the  network.  Within these constraints, the Cri-
teria cited requires that the devices comprising the channel
be  appropriately labeled (with, it may be inferred, locally
``appropriate'' internal labels).  For example, a particular
channel  may  be  designed  to  support  the transmission of
UNCLASSIFIED through SECRET information.  The receivers  and
transmitters  coupling  the transmission medium to the hosts
(assuming all hosts receive and transmit at all levels) must
be labeled within each host with whatever the local internal
labels  are  designating  the  UNCLASSIFIED  through  SECRET
ment to interpret properly a  network  Security  Policy  for
each NTCB partition.
     In addition to the labeling of devices coupling network
may exist, the TCSEC  requires,  for  multi-level  channels,
that  all  information  exported  to, and imported from, the
channel be properly labeled: ``when  exported  by  the  TCB,
the information being exported'' (Section 4.1.1.3.2); furth-
ermore, ``when the TCB exports or imports  an  object  [sic]
over a multilevel channel, the protocol used on that channel
tivity labels and the associated information that is sent or
these Criteria appears to be straightforward: in the context
of a network communication channel, they imply that informa-
tion  be properly labeled when it is exported, that there be
a shared protocol between the exporting and  importing  dev-
ces  which unambiguously and correctly maintains the label-
            _____________ ___ _________
nformation association, and  that  the  resulting  imported
label be honored by the receiving NTCB partition.  Note that
the requirement for integrity relative to label-data associ-
ations  is  clearly stated and need not be hypothesized as a
B.6.4.  Single-Level Communication Channels
_ _ _   ______ _____ _____________ ________
     The Criteria states that ``the TCB  shall  support  the
assignment  of  minimum  and  maximum security levels to all
attached  physical  devices''  which  ``enforce  constraints
mposed  by  the  physical environments in which devices are
located'' (Section 4.1.1.3.4).  Note that this capability is
                       ___
or ``multilevel''.   The  distinguishing  characteristic  of
``single-level  devices  and channels'' is stated in Section
tion they process''.  Thus, a device  and/or  channel  which
by definition, ``single-level''.
     There are two cases: the minimum and  maximum  security
levels of the devices coupling the channel to the processing
nodes may be all the same, or not.
     The case in which all of the minimum and maximum  secu-
communication channels) of a channel which  is  to  transmit
nformation of a single, invariant, sensitivity level.
     It is also possible that the minimum and maximum ranges
of  the various devices associated with a single-level chan-
nel are not all the same.  In this  case,  the  channel  may
carry  unlabeled  information,  but  of only one sensitivity
level at a time.  It is the responsibility of each NTCB par-
tition coupled to the channel to prevent the transmission of
nformation  of  a  sensitivity  level  different  from  the
current  level  of  the  channel  in accordance with Section
the  TCB  and  an  authorized  user  reliably communicate to
or  exported  via single-level communication channels or I/O
that  single-level  channels  may  be defined as part of the
network architecture which can be manually shifted from  the
transmission  of  one  level  of  unlabeled  information  to
another by an authorized user.  The  natural  interpretation
of  the  criterion  cited  above is that a reliable protocol
must exist for informing each  NTCB  partition  involved  in
controlling access to the channel that a change in level has
been ordered, prior to the transmission of  any  information
over  the  channel  (so  that  the  ``implied'' label can be
correctly assigned by each  NTCB  partition  to  information
B.7.  Miscellaneous Considerations
_ _   _____________ ______________
B.7.1.  Reference Monitor, Security Kernel, and Trusted Com-
_ _ _   _________ _______  ________ ______  ___ _______ ____
______ ____
     The notion of a ``reference monitor''  is  the  primary
abstraction  allowing an orderly evaluation of a stand-alone
computer system with respect to  its  abilities  to  enforce
both  mandatory  and  discretionary  access controls for the
     The TCSEC Glossary defines the ``Reference Monitor Con-
cept''  as  ``an  access  control  concept that refers to an
abstract machine that mediates all accesses  to  objects  by
ncludes the notion of protection, the abstraction itself is
ndependent  of  any  particular access control policy.  The
abstraction assumes that a system is comprised of a  set  of
active  entities  called  ``subjects''  and a set of passive
entities called ``objects''.  The control over the relation-
objects by subjects, is mediated by the reference monitor in
trol policy being enforced, are permitted by  the  reference
monitor.   The  reference monitor is thus the manager of the
the  monitor  is  that there is a well-defined interface, or
``perimeter'', between the reference monitor itself and  the
viding protection, the implementation of a reference monitor
must be (1) tamper-proof, (2) always invoked, and (3) simple
enough to support the analysis leading to a high  degree  of
assurance that it is correct.
     The hardware and software components of a computer sys-
tem  implementing  a reference monitor meeting these princi-
Glossary  as ``the hardware, firmware, and software elements
of a Trusted Computing Base  that  implement  the  reference
monitor concept.  It must mediate all accesses, be protected
                                  ___
from modification, and be verifiable as correct''.
     From this definition, it is apparent that a  ``security
kernel''  (if  there  is one) is always part of the TCB of a
computer system, defined as  ``the  totality  of  protection
mechanisms  within  a  computer system - including hardware,
firmware, and software - the combination of which is respon-
Trusted Computing Base to correctly enforce a security  pol-
cy  depends  solely on the mechanisms within the TCB and on
the correct input  by  system  administrative  personnel  of
sms  involved in the implementation of supporting policies,
nvolved  only  with the enforcement of access control poli-
cies.
B.7.2.  Network Trusted Computer Base and Reference Monitor
_ _ _   _______ _______ ________ ____ ___ _________ _______
     The notions of a TCB, and, for  the  higher  evaluation
classes,  security  kernel  and  reference monitor can, with
tion  of  trusted  networks  without significant change.  In
network (including mechanisms  provided  by  connected  host
that an evaluated network has a single NTCB, as the NTCB is,
                                ______
by definition, the totality of  enforcement  mechanisms  for
                   ________
the stated policy.
     For the higher evaluation classes the  TCSEC  requires,
n  effect,  that a reference monitor be implemented as part
of the TCB.  This, at least in theory, is not the only  con-
ceivable technology for implementing a highly-assured system
(one  could  envision  a  completely  verified  system,  for
nstance);  however, it appears to be the only current tech-
nology with a proven track record, and  within  the  current
     For these reasons, the Part I of the TNI takes a  prag-
matic  stance  with regard to specifying interpretations for
Trusted Networks: that the TCSEC notions of ``reference mon-
tor''  and  ``security  kernel''  be applied in the network
NTCB of a Trusted Network of class B2 or above must  contain
the  physical realization of a reference monitor which medi-
ates all references within the networked system of  subjects
to  objects,  is tamperproof, and is small enough, in aggre-
B.7.3.  NTCB Partitions
_ _ _   ____ __________
     The view taken of a ``network system''  throughout  the
TNI  is  that  the  network  can  be partitioned into ``com-
cation  capabilities.  Given such a decomposition, the func-
tions of the NTCB must be allocated in some coherent way  to
the various components of the network.
     The following terminology is introduced:  the  totality
of hardware, firmware, and software mechanisms within a sin-
(i.e., every part of the network system, including hosts, is
accounted  for)  and  disjoint  (i.e.,  no  parts are shared
between components), the NTCB partitions collectively are  a
true  partition  of  the  NTCB; they are non-overlapping and
complete.
     For Mandatory Access Control Policy, a large and useful
class  of  networks  can be envisioned, which allows a clean
ng  partitions  can be evaluated relative to enforcement of
mandatory access controls using conservative interpretations
of  the  TCSEC,  and  the  correctness of the composition of
these components into a network enforcing the overall policy
for mandatory access controls is easily confirmable as well.
For sponsors wishing to obtain an overall  evaluation  class
for  a  network  system,  such  a  ``partitionable'' network
architecture should be chosen.
     Concisely, the network architecture must have the  fol-
lowing  salient  features:  (1)  subjects and objects within
multilevel processing components are given the  usual  TCSEC
nterpretation;   (2)  subjects  and  objects  are  confined
________
(In practice, this means there are no  directly  accessible,
the access-relevant  security  state  of  the  subjects  and
objects  within  a  component,  is maintained locally by the
NTCB partition of that component.  (It may be the case  that
nformation representing the components state may be distri-
buted to other components for the purpose of overall network
control,  recovery,  etc.   but  the  decision  to permit or
available state information.
     A network of host processors and peripherals, intercon-
nected  according  to these rules, may be roughly described,
control of the two security kernels, to a subject in another
component.  However, the basic principle to be seen at  this
(i.e., constrained to be by a subject within a component  to
an  object within that component), all accesses are mediated
by the security kernel within a component.  Thus, the total-
ty of all of the security kernels within the system is ade-
quate to mediate all accesses made within the system.
B.8.  Summary and Conclusions
_ _   _______ ___ ___________
     In this Appendix, the rationale for the partitioning of
the  NTCB  into  a  set of cooperating, loosely-coupled NTCB
viewed  as a locally autonomous reference monitor, enforcing
the access of local subjects to local objects  and  devices.
Because the partitioning is carefully constrained to reflect
the lack of sharing  of  objects  among  components,  (while
allowing  the transmission of information between components
through shared physical media),  the  aggregate  of  locally
autonomous  NTCB  partitions  is  adequate  to  mediate  all
accesses of subjects to objects and thus is adequate to form
the  basis  for  a  reference monitor for the entire network
nterpreted as an individual Formal  Security  Policy  Model
for  each  component  enforcing access controls, suffices to
meets  the  requirements of the Security Policy.  The postu-
lated network architecture and design (that are presented by
the  network  sponsor)  suffices  to allow evaluation of the
                        APPENDIX C
                        ________ _
             Interconnection of Accredited AIS
             _______________ __ __________ ___
C.1.  Purpose
_ _   _______
     As was discussed in the Introduction to this  document,
there  are  many  "networks"  that  can  not be meaningfully
evaluated as a ``single trusted system''  because  they  are
evaluation rating can adequately reflect the trust that  can
be  placed in the "network". The purpose of this Appendix is
to provide guidance concerning how to  interconnect  systems
n  such  a  way  that  mandatory  security policies are not
violated.
C.1.1.  Problem Statement
_ _ _   _______ _________
     The  interconnected  accredited  Automated  Information
System (AIS) view is an operational perspective which recog-
nizes  that  parts  of  the  network  may  be  independently
created, managed, and accredited.  Interconnected accredited
AIS consist of  multiple  systems  (some  of  which  may  be
trusted) that have been independently assigned accreditation
mation  that may be simultaneously processed on that system.
ces"  with  which  neighboring systems can send and receive
nformation.  Each AIS is  accredited  to  handle  sensitive
nformation at a single level or over a range of levels.
     An example of when the  interconnected  accredited  AIS
view  is necessary is a network consisting of two A1 systems
and two B2 systems, all of which are interconnected and  all
of  which may be accessed locally by some users.  It is easy
to see that, if we regard this as a single  trusted  system,
t  would  be  impossible for it to achieve a rating against
accurate reflection of the trust that could be placed in the
two A1 systems and interconnections between them.  The  sin-
ng.
     While it provides much less information about a  system
than  does a meaningful evaluation rating, taking the inter-
connected accredited AIS view of the network  provides  gui-
C.1.2.  Component Connection View and Global Network View
_ _ _   _________ __________ ____ ___ ______ _______ ____
     There are two aspects of the Interconnected  Accredited
AIS view of a network that must be addressed:  the component
connection view and the  global  network  view.   These  two
views  are  discussed  below and will be examined in greater
     Any AIS that is connected to other AIS must enforce  an
"Interconnection Rule" that limits the sensitivity levels of
nformation that it may send or  receive.   Using  the  com-
taining the separation of  multiple  levels  of  information
must  decide  locally whether or not information can be sent
or received.  This view, then, does not require a  component
to  know the accreditation ranges of all other components on
the network; only of its immediate  neighbors  (i.e.,  those
     In addition to the Interconnection Rule, there  may  be
other  constraints  placed  on a network to combat potential
addressing  some  of  the other constraints placed on a net-
accreditation ranges of all components of the system.  These
accreditation ranges are taken into account when determining
the system.  In this way,  the  potential  damage  that  can
occur  when  information  is  compromised or modified can be
limited to an acceptable level.
     An example of a problem for which  constraints  may  be
lem."  This occurs when AIS are interconnected in such a way
that  the  potential  damage from unauthorized disclosure or
modification is above  an  acceptable  level.   The  network
ting the accreditation ranges of AISs that can be intercon-
nected.
C.2.  Accreditation Ranges and the Interconnection Rule
_ _   _____________ ______ ___ ___ _______________ ____
C.2.1.  Accreditation Ranges
_ _ _   _____________ ______
     The AIS accreditation range reflects the  judgement  of
the  accreditor on the ability of the component to appropri-
ately segregate and manage information with respect  to  its
network  connections  in  accord  with the designated sensi-
tivity levels.  An ADP system that has been  accredited  for
(stand-alone)  system  high  operation  would be assigned an
accreditation range having a single sensitivity level  equal
to  the  system high sensitivity level of the system. Such a
levels   of  information  processed.   All  the  information
exported from  such  a  system  must  be  labeled  with  the
manual  review  to  assign  a  lower  level.   A  multilevel
(stand-alone)  AIS  might be assigned an accreditation range
equal to the entire set of levels processed.  In this  case,
the  label of the exported data is equal to the actual level
of the data processed within the accredited range.
     In a network context, the  accreditation  range  bounds
the  sensitivity  levels  of  information  that  may be sent
(exported) to or received (imported) from other  components.
each component will be assigned single-valued  accreditation
     Consider an example, illustrated in  Figure  C1,  which
uses  accreditation  ranges  along with an approach based on
the Environmental Guidelines.- Component A  is  a  class  B2
    _____________ __________
through SECRET.  Component B is a class A1 system and has an
accreditation  range  of  CONFIDENTIAL  through  TOP SECRET.
Thus, if Component A has a direct connection to Component B,
the accreditation ranges provide a basis for both components
to be assured that  any  data  sent  or  received  will  not
"exceed" (that is, will be dominated by) SECRET in its clas-
       Figure C1.  Accreditation Ranges Illustrated
       ______ __   _____________ ______ ___________
(Note:  Figure not included)
C.2.2.  Interconnection Rule
_ _ _   _______________ ____
     A multilevel network is one in which some users do  not
A multilevel network therefore is one that processes a range
of sensitive information, which must be protected from unau-
thorized disclosure or modification.
     Each  component  of  the  network  must  be  separately
accredited to operate in an approved security mode of opera-
tion and for a specific accreditation range.  The  component
s  accredited to participate in the network at those levels
and only those levels.
     According to this definition, a multilevel network  may
comprise a mixture of dedicated, system high, compartmented,
controlled, and multilevel components,  where  two  or  more
ments, and/or some users  do  not  have  all  formal  access
approvals.
     The following requirement must  be  met  in  multilevel
networks.
_________________________
  - Security Requirements:  Guidance for  Applying  the
    ________ ____________   ________ ___  ________  ___
Department  of  Defense Trusted Computer System Evalua-
__________  __  _______ _______ ________ ______ ______
tion Criteria in Specific Environments,CSC-STD-003-85
____ ________ __ ________ ____________
C.2.2.1.  Information Transfer Restrictions
_ _ _ _   ___________ ________ ____________
     Each I/O device used by  an  AIS  to  communicate  with
other  AIS must have a device range associated with it.  The
levels  (in  which  case  the  device is referred to as mul-
tilevel), and it must be included within the AIS  accredita-
tion range.
     Information exported or imported using  a  single-level
mported  at  another must be labeled through an agreed-upon
cation link that always carries a single level.
     Information exported at a given security level  can  be
that level or a higher level.  If the importing device range
beled upon reception at a higher level within the  importing
C.2.2.2.  Discussion
_ _ _ _   __________
     The purpose of device labels is  to  reflect  and  con-
     The information transfer  restrictions  permit  one-way
communication (i.e., no acknowledgements) from one device to
another whose ranges have no level in  common,  as  long  as
each  level in the sending device range is dominated by some
level in the receiving device range.  It is never  permitted
to send information at a given level to a device whose range
     It is not necessary for an AIS sending  information  to
another  AIS through several other AISs to know the accredi-
tation range of the destination system, but it may be  bene-
ficial  to network performance; if the originator knows that
the information cannot be delivered, then it will not try to
     In the case  of  interconnected  accredited  AISs,  the
accreditation of a component system and the device ranges of
ts  network  interface  devices  are  set  by  a  component
administrator  in  agreement with the network administrator.
These ranges are generally static, and any change in them is
considered to be a reconfiguration of the network.
     In summary, then, if the Interconnection Rule  is  fol-
lowed,  information  will never be improperly sent to a com-
C.3.  The Global Network View
_ _   ___ ______ _______ ____
     The above rule applies for  communication  between  any
two  (or  more)  accredited  systems.   However, it does not
enforce any of the additional constraints that may be placed
on  a network.  Even when all components have been evaluated
(either against the TCSEC, or against  Appendix  A  of  this
may be  other  potential  security  problems.  In  order  to
address  these  problems,  it is necessary to adopt a global
view of the network.  That is, it is no longer  determinable
locally whether or not a constraint is being satisfied.
     Two global concerns will be discussed below.  One  con-
cern is the propagation of local risk; the other is the cas-
cading problem.
C.3.1.  Propagation of Local Risk
_ _ _   ___________ __ _____ ____
     The Environmental Guidelines recommend minimum  classes
of trusted systems for specific environments.  The recommen-
minimum architectural requirements and assurance appropriate
to counter a specific level of risk.
     In many  cases,  operational  needs  have  led  to  the
accreditation of systems for multilevel operation that would
not meet the requirements of the recommended  class.   While
the increased risk may be accepted by the users of a partic-
ular AIS, connection of such an AIS  to  a  network  exposes
users  of  all  other  AISs in the network to the additional
     Consequently, when an unevaluated AIS, or one that does
not  meet  the  class  recommended for its accreditation, is
considered,  such  as  one-way connections, manual review of
transmissions, cryptographic isolation, or other measures to
limit the risk it introduces.
C.3.2.  The Cascading Problem
_ _ _   ___ _________ _______
     One of the problems that the interconnection rule  does
not address is the cascading problem.  The cascading problem
                   _________ _______
exists when a penetrator can take advantage of network  con-
nections  to  compromise information across a range of secu-
any  of the component systems he must defeat to do so.  Cas-
cading is possible in any connected network that processes a
n others as well.
     As an example of the cascading  problem,  consider  two
classifications of  information,  as  shown  in  Figure  C2.
System  A  processes  SECRET and TOP SECRET information, and
all users are cleared to at least the SECRET level.   System
B  processes  CONFIDENTIAL  and  SECRET information, and all
users are cleared to at least the CONFIDENTIAL level.
     While the risk of compromise in each of  these  systems
s  small  enough  to  justify  their use with two levels of
nformation, the system as  a  whole  has  three  levels  of
nformation,  increasing  the  potential  harm that could be
caused by a compromise.  When they  are  connected  so  that
SECRET  information  can pass from one to the other, a pene-
trator able to defeat the  protection  mechanisms  in  these
CONFIDENTIAL level.
        Figure C2.  Cascade Problem, Illustration 1
        ______ __   _______ _______  ____________ _
(Note:  Figure not included)
     Consider this chain of events:  a penetrator (1)  over-
comes the protection mechanism in System A to downgrade some
TOP SECRET information to SECRET; (2) causes  this  informa-
tion  to be sent over the network to System B; and (3) over-
comes the protection mechanism in System B to downgrade that
C.3.2.1.  Problem Identification
_ _ _ _   _______ ______________
     There are various approaches, with different degrees of
complexity  and  precision, for recognizing a potential cas-
cading problem.  Two of these approaches will  be  addressed
n  this  Appendix.   The first is a fairly simple test that
can ensure that a network does not have a cascading problem:
                               ___
the  nesting  condition.   The  second, discussed in Section
     _______  _________
C.4, is a less conservative but much more complex  heuristic
that  takes into account the connectivity of the network and
the evaluation classes of the component AIS.
     The nesting condition is satisfied if the accreditation
n common) or nested,  i.e.,  one  is  included  within  the
other.   In  most  cases, the nesting condition is enough to
this  is a somewhat conservative test; there are cases where
the nesting condition fails, but there is actually  no  cas-
cading problem.
     Example 1:  Consider the situation illustrated in  Fig-
ure  C1.   The  accreditation range of Component A is nested
tained  within  C-TS).   Therefore, the nesting condition is
     Example 2:  Consider the situation illustrated in  Fig-
ure  C2.   The accreditation ranges of System A and System B
are not disjoint; neither is one completely contained within
the  other.   Therefore,  the nesting condition fails, and a
cascading condition is indicated.
     Example 3:  Consider the situation illustrated in  Fig-
ure  C3. Again, the nesting condition does not hold, because
the accreditation range of System B is neither disjoint from
nor  contained in that of Systems A and C.  A cascading con-
n  this Appendix that Figure C3 actually does not contain a
cascading condition, due to the presence of  the  end-to-end
encryption devices.
C.3.2.2.  Solutions
_ _ _ _   _________
     When a cascading problem is to be addressed, there  are
trusted system at appropriate nodes in the network, so  that
a penetrator will be forced to overcome a protection mechan-
sm commensurate  with  the  seriousness  of  the  potential
compromise.  In the example depicted in Figure C2, If either
ficient  according  to  the  Environmental  Guidelines for a
     Another possible solution is to eliminate certain  net-
end encryption. End-to-end encryption allows hosts that need
to  communicate  to  do  so,  while  eliminating  additional
unnecessary cascading risk on  the  path  from  one  to  the
other.
Figure C3.  Cascade Problem, Illustration 2 (End-to-End Encryption)
______ __   _______ _______  ____________ _  ___ __ ___ __________
(Note:  Figure not included)
     In Figure C3, suppose that System A needs only to  com-
municate  with System C, and B is just an intermediate node.
The possible cascade from TOP SECRET in A to CONFIDENTIAL in
B can be avoided by applying end-to-end encryption from A to
C, since encrypted data from A can be released at the CONFI-
DENTIAL level in B without compromise.
     Note that end-to-end encryption is of no  help  in  the
Figure  C2  example,  since the systems participating in the
cascade were required to communicate.
     In some situations where the potential for a  cascading
tions,  as  described above, generally requires coordination
between attacks on two connected systems.  It may be  possi-
ble  to  determine,  in individual cases, that opportunities
for this  kind  of  coordination,  in  the  form  of  common
     On a more global scale, one might  divide  the  network
nto communities, with respect to the possibility of cascad-
ng.  If connections between one community and another  were
believed  not  to support a cascade threat, then a cascading
analysis would be performed only within each community.
C.3.2.3.  Networks of Evaluated Systems
_ _ _ _   ________ __ _________ _______
     If the systems to be  interconnected  can  be  assigned
evaluation classes, the ratings of these systems can be used
as input to analysis procedures for  detecting  the  cascade
conditions  necessary  for the absence or presence of a cas-
cade problem.
     An assertion  called  the  Cascade  Condition  will  be
                                _______  _________
n  terms  of  the  evaluation ratings of the interconnected
tions between them.
     Some definitions are needed in order to state the  cas-
cade  condition  formally.   The  terminology given below is
meant to be used only in the context of this section.
     A protection region is a pair (h,s) such that  h  is  a
       __________ ______            _ _             _
network  component and s is a sensitivity level processed by
                       _
component h.
          _
     A  step  is  an  ordered  pair  of  protection  regions
        ____
(h1,s1), (h2,s2) such that either
 __ __    __ __
        __   __     __          __           __
        link), or
        __   __
     A path is a sequence of protection  regions  such  that
       ____
each consecutive pair of regions is a step.
     A path is a sequence of protection regions that may  be
traversed,  step  by  step, by data.  A step along a network
link is possible either when there is  a  direct  communica-
tions   link  from  one  component  to  the  other  carrying
nformation at a given level, or when there is an  indirect,
end-to-end  encrypted  connection in which intermediate com-
be) a covert channel.
     Given a host h, let L(h) be the  minimum  clearance  of
                  _      _ _
users  of  h.   Given a sensitivity level s, one can use the
           _                              _
Environmental Guidelines to determine the minimum evaluation
class  C(s,h) required for a system with the associated risk
       _ _ _
ndex. The requirement for open environments should be  used
unless  all systems on the path are closed. Note that C(s,h)
                                                      _ _ _
                                                      _
L(h) is greater than zero.
_ _
     With these definitions, we can now  state  the  Cascade
                                                     _______
Condition:
_________
     For any path (h1,s1),...,(hn,sn) such that sn  =  L(hn)
                   __ __       __ __            __     _ __
and  C(s1,hn)  is at least B1, there must exist at least one
     _ __ __
      __ __   __ _ __ _            __   __ _
class of hi is at least C(s1,hn), and si is not dominated by
         __             _ __ __       __
__ _
     This condition can be paraphrased by saying that  every
                                             __
available to an insufficiently cleared user of hn must over-
                                               __
come  the  protection  mechanism  in a component of class at
least C(s1,hn).
      _ __ __
C.4.  EXAMPLE: An Heuristic Procedure for Determining if an
_ _   _______  __ _________ _________ ___ ___________ __ __
_______________ ______ __ _______
     There should be some way of determining whether a  sys-
tem  has  a  risk index that is too great for its evaluation
Given the goal of not allowing a greater risk than is recom-
mended by the Environmental Guidelines, the following is  an
tems and determine if they fall within the bounds prescribed
by  the  Environmental  Guidelines.   (In formal terms, this
algorithm is an approximate test for the Cascade  Condition,
not intended to be prescriptive:  it is merely  one  way  of
examining  the problem.  There are doubtless many other ways
that are just as valid.
     Furthermore, as any heuristic algorithm, this cannot be
through trial and  error;  it  produces  reasonable  results
(e.g., it disallows systems when it seems prudent; it recom-
mends levels  of  security  that  are  consistent  with  the
Environmental Guidelines).
     This algorithm should not be taken to be anything  more
than intended; it does not magically solve all network secu-
ous systems.
     The following describes an  algorithm  for  determining
Guidelines.   The algorithm is based on the idea of dividing
up a network into groups (where a group is defined to  be  a
tion i.e., send and receive data  at  a  common  sensitivity
level,  and  have  an  evaluation  Class at or below a given
level).
     The risk presented by any given group can  be  compared
to  the  maximum allowed risk, as defined by the Yellow Book
for a system at the given evaluation class, to determine  if
any community presents an unacceptable risk.
        the  network.  This  table, illustrated in Table C1,
        should include  for  each  component  the  following
        information:   Component ID, Evaluation Class, Range
        of Security Classifications at which  the  component
        sends data to the network, List of Security Classif-
        ications at which the component receives  data  from
        the  network,  Maximum  of  (highest  level  of data
        received from network and highest level of data pro-
        cessed  by  component), Minimum of (clearance of the
        user with the lowest clearance  of  the  users  with
        direct  access  to the component and lowest level of
        data sent to the network from the component).
                    Table C1.  Example Entry:
                    _____ __   _______ _____
              (Note:  Table not included)
        Table Maximum and a Network Table Minimum.  The Net-
        work Table Evaluation  Class  will  be  the  highest
        evaluation  class  of  any  component  listed in the
        table.  (In Table C1,  this  is  A1.)   The  Network
        Table  Maximum  will  be the maximum of the Maximums
        associated with all the  components  listed  in  the
        table  which  send  data  to  the network.  (This is
        determined by taking the highest entry in the  "Max-
        imum"  column;  in Table C1, it is TS.)  The Network
        Table Minimum will be the minimum  of  the  Minimums
        associated  with  all  the  components listed in the
        table which receive data from the network. (This  is
        determined   by  taking  the  lowest  entry  in  the
        "Minimum" column; in Table C1, this is FOUO.)
        than  B1, (i.e,  A1, B3, or B2) then tables for each
        evaluation class lower than the Class of the Network
        Table, must be produced, down to table(s) for the C1
        class.  These  tables  will  be  produced  for  each
        evaluation  class by first listing any one component
        whose evaluation class is less than or equal to  the
        evaluation  class  for  the table.  Then, add to the
        table all components that meet all of the  following
        conditions:
        a)   They have an  evaluation  class  less  than  or
             equal to the class of the table.
        b)   They receive data from the network at  a  level
             that  is  being  sent  by  a  component  who is
             already in the table.
        c)   They send data to the network at a  level  that
             is  equal  to  or less than any node already in
             the table.
        Network Table Evaluation Class of each table is com-
        pared to the Maximum and Minimum for the Table  with
        regard  to  the rules specified by the Environmental
        Guidelines.
        the Environmental Guidelines then the Network passes
        the assurance requirements.  If any  of  the  Tables
        provide  a  greater  risk index than is permitted by
        the Environmental Guidelines then the  Network  pro-
        vides  a  high level of risk, and should not be con-
        nected as currently designed.
                      Table C2.  B2 TABLE 1
                      _____ __   __ _____ _
                   (Note:  Table not included)
                 Table C3. B2 TABLE 1, EXTENDED
                 _____ __  __ _____ _  ________
                   (Note:  Table not included)
                             Table C4:
                             _____ __
                     Table C4(a).  B2 TABLE 1
                     _____ __ _    __ _____ _
                   (Note:  Table not included)
                     Table C4(b).  B2 TABLE 2
                     _____ __ _    __ _____ _
                   (Note:  Table not included)
C.4.1.  Example B2 Table
_ _ _   _______ __ _____
     As an example consider Table C2.  This represents a  B2
table under construction with a single entry. If in the net-
and  could receive and send at C-S, this node would be added
to the table, producing  Table  C3.  In  contrast  if  there
existed  in the network a B2 node that could receive at S-TS
but could only send at TS, this node would not be  added  to
Table  C3  but  could  be  used  to start a second B2 table.
There would then be a set  of  two  tables,  represented  in
Table C4.
C.4.2.  Sample Network and Tables
_ _ _   ______ _______ ___ ______
     A sample network is  illustrated  in  Figure  C4.   The
tables  that  are  produced for it are given in Tables C5(a)
through C5(h).
     Notice at the B2 level the network  is  represented  by
two  tables,  C5(b) and C5(c).  This is due to the fact that
one of the components (Component C) is a  receive-only  com-
themselves due to the fact that they never  can  affect  the
consideration to make with such components is  whether  they
are receiving data at a level dominated by the approved max-
mum processing level for the component.)
     Notice at the B1 level the components  are  each  in  a
table  by themselves (Tables C5(d), C5(e), and C5(f)).  This
s due to the fact that although  Component  B  may  receive
a level lower than that sent by E (i.e., B can only send TS,
never  Confidential  or  Unclassified).  Thus  there  is  no
"added" risk in having B receive data from E. If it were the
case  the  B could send data at a level lower than (or equal
to) E then they would be included in the  same  table  since
they present an added (or equal) risk.
C.5.  Environmental Considerations
_ _   _____________ ______________
     Because of the very nature of networks, it is necessary
to  say something about the assumptions made with respect to
addressed by this Appendix, the issues are also important in
the interconnected accredited AIS view. Therefore, this sec-
tion  presents  a brief description of some of the important
considerations.  The interested reader is referred  to  Part
     It is not, repeat, NOT the intent of this  Appendix  to
circumstances. Rather, it is to identify  the  requirements,
and  where  known,  common  methods of achieving the desired
     This Appendix establishes the requirement for integrity
and the requirement to preserve the integrity of  both  con-
trol data and information in any other network.
C.5.1.  Communications Integrity
_ _ _   ______________ _________
     The accreditor(s)  will  define  transmission  accuracy
ments involved in the interconnection of the components will
argument that they meet  the  requirements.  Since  absolute
transmission accuracy is not possible, a capability of test-
ng for, detecting  and  reporting  errors  will  be  demon-
of cryptographic checksums, protected wireways, and reliable
     Hardware and/or software will be provided that  can  be
used  to  periodically validate the correct operation of all
elements involved in  interconnecting  two  accredited  com-
     Trusted communications paths will be  provided  between
network elements whenever secure element-to-element communi-
cations are  required.  (Initialization,  cryptographic  key
management,  change  of subject or object security levels or
access authorizations, etc.)
C.5.2.  Denial of Service
_ _ _   ______ __ _______
     The accreditor(s) will define denial of service  condi-
tions  relative to the services being provided by the inter-
connected components. Hardware and or software will be  pro-
vided to periodically assure the accessibility of the inter-
connected components.
C.5.3.  Data Content Protection
_ _ _   ____ _______ __________
     Where classified information or sensitive but unclassi-
fied  information  is to be exchanged between logically con-
nected components, it is the responsibility of each  of  the
DAAs  to  assure  that the content of their communication is
                           _______
of  providing this protection include cryptography, and Pro-
tected Wireline Distribution Systems (PWDS).
     Where the connection infrastructure is  operated  by  a
of the individual DAA to determine whether  this  protection
s adequate for the information to be exchanged.
                Figure C4.  A Sample Network
                ______ __   _ ______ _______
                 (Note:  Figure not included)
         Component ID   Permitted Operations
            A           Send and Receive data from C through TS
            B           Send and Receive TS-only
            C           Can Receive only audit records,
                          all of which are treated as TS
            D           Can Send and Receive C through TS
            E           Can Send and Receive S-only
            F           Send and Receive S and TS data
                 Table C5(a).  NETWORK TABLE
                 _____ __ _    _______ _____
                     NETWORK TABLE EVAL CLASS = A1
                     NETWORK TABLE MAXIMUM = TS
                     NETWORK TABLE MINIMUM = C
                     ENVIRONMENTAL GUIDELINES RULING = OK
                 (Note:  Table not included)
 (Note:  since there are no B3 components, the B3 tables  are
 identical  to the B2 tables and are therefore not reproduced
 here.)
 Table C5(b).  B2 TABLE 1           Table C5(c). B2 TABLE 2
 _____ __ _    __ _____ _           _____ __ _   __ _____ _
 TABLE EVAL CLASS = B2              TABLE EVAL CLASS = B2
 TABLE MAXIMUM = TS                 TABLE MAXIMUM = TS
 TABLE MINIMUM = S                  TABLE MINIMUM = TS
 ENV. GUIDELINES RULING= OK         ENV. GUIDELINES RULING= OK
                        (Note:  Tables not included)
 Table C5(d). B1 TABLE 1              Table C5(e).  B1 TABLE 2
 _____ __ _   __ _____ _              _____ __ _    __ _____ _
 TABLE EVAL CLASS = B1              TABLE EVAL CLASS = B1
 TABLE MAXIMUM = S                  TABLE MAXIMUM = TS
 TABLE MINIMUM = S                  TABLE MINIMUM = TS
 ENV. GUIDELINES RULING = OK        ENV. GUIDELINES RULING = OK
                        (Note:  Table not included)
                          Acronyms
                          ________
ACL             -       Access Control List
ADP             -       Automatic Data Processing
AIS             -       Automated Information System
ARPANET         -       Advanced Research Projects Agency Network
COMSEC          -       Communications Security
CPU             -       Central Processing Unit
CRC             -       Cyclic Redundancy Code or Cyclic Redundancy Check
DAA             -       Designated Approving Authority
DBMS            -       Data Base Management System
DAC             -       Discretionary Access Control
DDN             -       Defense Data Network
DoD             -       Department of Defense
DoDIIS          -       Department of Defense Intelligence Information System
DOS             -       Denial-of-service
DTLS            -       Descriptive Top-Level Specification
E3              -       End-to-end Encryption
FTLS            -       Formal Top-Level Specification
FTP             -       File Transfer Protocol
KDC             -       Key Distribution Center
LAN             -       Local Area Network
LRC             -       Longitudinal Redundancy Check
MAC             -       Mandatory Access Control
MDC             -       Manipulation Detection Code
MSM             -       Message Stream Modification
MWT             -       Maximum Waiting Time
NSA             -       National Security Agency
NTCB            -       Network Trusted Computing Base
OSI             -       Open System Interconnection
ROM             -       Read Only Memory
SACDIN          -       Strategic Air Command Digital Network
TAC             -       Terminal Access Controller
TCB             -       Trusted Computer Base
TCP             -       Transmission Control Protocol
TELNET          -       Network Virtual Terminal Protocol
TLS             -       Top Level Specification
TCSEC           -       Trusted Computer System Evaluation Criteria
TFE             -       Trusted Front-end Processor
TIU             -       Trusted Network Interface Unit
TNI             -       Trusted Network Interpretations
VMM             -       Virtual Machine Monitor
                          Glossary
                          ________
                           - A -
                             _
     Access - (1) A specific type of interaction  between  a
tion from one to the other. (2) The ability  and  the  means
necessary to approach, to store or retrieve data, to commun-
cate with, or to make use of any resource of an ADP system.
     Access control - (1) The limiting of rights or capabil-
ties of a subject to communicate with other subjects, or to
use functions or services in a computer system  or  network.
(2)  Restrictions  controlling  a  subject's  access  to  an
object.
     Access control list - (1) A list of subjects authorized
for  specific  access  to an object. (2) A list of entities,
together with their access rights, which are  authorized  to
     Accountability - the quality  or  state  which  enables
actions on an ADP system to be traced to individuals who may
then be held responsible.   These actions include violations
and  attempted violations of the security policy, as well as
allowed actions.
     Accreditation - the managerial authorization and appro-
val,  granted  to an ADP system or network to process sensi-
tive data in an operational environment, made on  the  basis
of  a certification by designated technical personnel of the
extent to which design and implementation of the system meet
achieving adequate data security. Management can accredit  a
level recommended (e.g., by the Requirements Guideline-) for
the  certification  level  of  the  system.   If  management
accredits the system to operate at a higher  level  than  is
appropriate  for  the  certification  level,  management  is
accepting the additional risk incurred.
     Accreditation range - of a host with respect to a  par-
ticular network, is a set of mandatory access control levels
_________________________
  - Security Requirements:  Guidance for  Applying  the
    ________ ____________   ________ ___  ________  ___
Department  of  Defense Trusted Computer System Evalua-
__________  __  _______ _______ ________ ______ ______
tion Criteria in Specific Environments,CSC-STD-003-85
____ ________ __ ________ ____________
for data storage, processing, and transmission. The accredi-
tation  range  will generally reflect the sensitivity levels
of data that the accreditation authority believes  the  host
can  reliably  keep  segregated  with an acceptable level of
accreditation  range  is given. Thus, although a host system
might be accredited to employ the mandatory  access  control
levels  CONFIDENTIAL,  SECRET, and TOP SECRET in stand-alone
operation, it might have an accreditation  range  consisting
of  the  single value TOP SECRET for attachment to some net-
     Audit trail - (1)  A set of records  that  collectively
tracing  from  original  transactions  forward  to   related
mation collected or used to facilitate a Security Audit.
     Authentication - (1) To establish  the  validity  of  a
claimed  identity. (2) To provide protection against fraudu-
lent transactions by establishing the validity  of  message,
                          -  B  -
     Bell-LaPadula Model - a formal state  transition  model
of  computer  security policy that describes a set of access
control rules.  In this formal model, the entities in a com-
objects.  The notion of a secure state is defined and it  is
ng from secure state to  secure  state;  thus,  inductively
s compared to the classification of the object and a deter-
mination is made as to whether the subject is authorized for
the specific  access  mode.   The  clearance/classifications
tice, Simple  Security  Property,  *-Property.  For  further
nformation  see  Bell, D. Elliott and LaPadula, Leonard J.,
Secure Computer  Systems:  Unified  Exposition  and  MULTICS
______ ________  _______   _______  __________  ___  _______
______________
(AD/A 020 445)
                          -  C  -
     Category - a grouping  of  objects  to  which  an  non-
     Certification - the technical evaluation of a  system's
approval/accreditation process, that establishes the  extent
to  which  a  particular  system's design and implementation
meet a set of specified security requirements.
     Closed user group - a closed user group  permits  users
belonging  to  a  group  to communicate with each other, but
members of the group.
     Communication channel - the physical media and  devices
one component of a network  to  (one  or  more)  other  com-
     Communication link - the physical means  of  connecting
one  location  to  another  for  the purpose of transmitting
and/or receiving data.
     Compartment - a designation applied to a type of sensi-
tive information, indicating the special handling procedures
to be used for the information and the general class of peo-
the designation of information  belonging  to  one  or  more
categories.
     Component - a device or set of devices,  consisting  of
network.   A  component  is a part of the larger system, and
may itself consist of other  components.   Examples  include
modems,  telecommunications  controllers,  message switches,
technical control devices, host computers, gateways, commun-
cations subnets, etc.
     Component Reference Monitor - an access control concept
that  refers to an abstract machine that mediates all access
to objects within a component by subjects  within  the  com-
     Compromise - a violation of the  security  system  such
that an unauthorized disclosure of sensitive information may
     Confidentiality - the property that information is  not
made  available  or  disclosed  to unauthorized individuals,
entities, or processes.
     Configuration control - management of changes made to a
throughout the development and operational life of the  sys-
tem.
     Connection - a liaison,  in  the  sense  of  a  network
nterrelationship,  between  two hosts for a period of time.
The liaison is established (by an initiating host)  for  the
the period of time is the time required  to  carry  out  the
ntent  of  the liaison (e.g., transfer of a file, a chatter
the  sense  of this glossary) will coincide with a host-host
connection (in a special technical  sense)  established  via
TCP  or equivalent protocol.  However a connection (liaison)
can also exist when only a protocol such as IP is in use (IP
time).  Hence, the notion of  connection  as  used  here  is
ndependent  of  the  particular  protocols  in use during a
liaison of two hosts.
     Correctness - the extent to which a  program  satisfies
ts specifications.
     Covert channel - a communications channel that allows a
the system's security policy.  A  covert  channel  typically
communicates  by  exploiting  a mechanism not intended to be
used for communication.   See  Covert  storage  channel  and
Covert timing channel.  Compare Overt channel.
     Covert storage channel - a covert channel that involves
the  direct or indirect writing of a storage location by one
location  by another process.  Covert storage channels typi-
cally involve a finite resource (e.g., sectors  on  a  disk)
that is shared by two subjects at different security levels.
     Covert timing channel - a covert channel in  which  one
use of system resources (e.g., CPU time) in such a way  that
this manipulation affects the real response time observed by
the second process.
                          -  D  -
     Data confidentiality - the state that exists when  data
s  held  in  confidence  and is protected from unauthorized
     Data integrity - (1) The state that exists when  compu-
terized data is the same as that in the source documents and
or  destruction.   (2)  The  property that data has not been
exposed to accidental or malicious  alteration  or  destruc-
tion.
     Dedicated Security Mode -  the  mode  of  operation  in
to and controlled for the processing of one particular  type
or  classification  of  information,  either  for  full-time
operation or for a specific period of  time.   Compare  Mul-
tilevel Security Mode, System High Security Mode.
     Denial of service - the prevention of authorized access
to system assets or services, or the delaying of time criti-
cal operations.
     Descriptive top-level specification  (DTLS)  -  a  top-
level  specification  that  is written in a natural language
(e.g., English), an informal program design notation,  or  a
combination of the two.
     Discretionary access control (DAC) - a  means  of  res-
tricting access to objects based on the identity of subjects
and/or groups to which they belong.  The controls  are  dis-
cretionary  in  the sense that: (a) A subject with a certain
access permission is  capable  of  passing  that  permission
(perhaps  indirectly)  on  to any other subject; (b)  DAC is
often employed to enforce need-to-know; (c)  Access  control
may  be changed by an authorized individual. Compare to Man-
     Domain - the set of objects  that  a  subject  has  the
ability to access.
     Dominated by (the relation) - a  security  level  A  is
clearance/classification in A is less than or equal  to  the
clearance/classification  in  B and the set of access appro-
vals (e.g., compartment designators) in A  is  contained  in
(the  set  relation) the set of access approvals in B (i.e.,
each access approval appearing in  A  also  appears  in  B).
Depending  upon  the  policy enforced (e.g., non-disclosure,
ntegrity) the definition of "less than  or  equal  to"  and
"contained  in"  may  vary.   For  example,  the level of an
object of high integrity (i.e., an object  which  should  be
modifiable  by  very trustworthy individuals) may be defined
to be "less than" the level of an object  of  low  integrity
(i.e., an object which is modifiable by everyone).
     Dominates (the relation) - security level  B  dominates
                           - E -
     Exploitable channel - any channel  that  is  usable  or
Base.
                           - F -
     Flaw - an error of commission, omission,  or  oversight
n   a  system  that  allows  protection  mechanisms  to  be
bypassed.
     Flaw hypothesis methodology -  a  system  analysis  and
for the system are analyzed and then flaws in the system are
tized on the basis of the estimated probability that a flaw
actually exists and, assuming a flaw does exist, on the ease
of exploiting it and on the extent of control or  compromise
t  would  provide.   The prioritized list is used to direct
the actual testing of the system.
     Formal proof - a complete and  convincing  mathematical
argument, presenting the full logical justification for each
The  formal  verification process uses formal proofs to show
the truth of certain properties of formal specification  and
for  showing that computer programs satisfy their specifica-
tions. Automated tools may (but need not) be used to  formu-
late and/or check the proof.
     Formal security policy model - a mathematically precise
the  way  in  which  the system progresses from one state to
another, and a definition of a "secure" state of the system.
To  be  acceptable  as  a basis for a TCB, the model must be
all assumptions required by the model hold, then all  future
techniques include: state transition models, temporal  logic
models,  denotational semantics models, algebraic specifica-
tion models.  See also:  Bell-LaPadula Model, Security  Pol-
cy Model.
     Formal top-level specification  (FTLS)  -  a  Top-Level
Specification  that  is  written  in  a  formal mathematical
language to allow theorems showing the correspondence of the
     Formal verification  -  the  process  of  using  formal
between a formal specification of  a  system  and  a  formal
between the formal specification and its program implementa-
tion.
     Functional testing - the portion of security testing in
correct operation.
                           - H -
     Hierarchical decomposition -  the  ordered,  structured
     Host - any computer-based system connected to the  net-
nformation  exchange  across  the  communications  network.
This definition encompasses typical "mainframe" hosts,  gen-
eric  terminal  support  machines (e.g., ARPANET TAC, DoDIIS
NTC), and workstations connected directly to the  communica-
tions  subnetwork and executing the intercomputer networking
contain  the protocol software needed to perform information
exchange; a workstation (by definition) is a host because it
                           - I -
     Integrity - See data integrity and integrity policy.
     Integrity Policy - a security policy to  prevent  unau-
thorized  users  from  modifying,  viz.,  writing, sensitive
nformation. See also Security Policy.
     Internal subject - a subject which  is  not  acting  as
ated with any user but performs system-wide  functions  such
as packet switching, line printer spooling, and so on.  Also
known as a daemon or a service machine.
                           - L -
     Label - see Security Label and Sensitivity Label.
     Lattice - a partially ordered set for which every  pair
of  elements  has  a  greatest lower bound and a least upper
bound.
     Least privilege - this  principle  requires  that  each
of authorized tasks.  The application of this principle lim-
ts the damage that can  result  from  accident,  error,  or
unauthorized use.
                           - M -
     Mandatory access  control  -  a  means  of  restricting
access  to  objects based on the sensitivity (as represented
by a label) of the information contained in the objects  and
the  formal  authorization  (i.e., clearance) of subjects to
access information of such sensitivity.
     Multilevel device - a device that is used in  a  manner
that  permits  it  to  simultaneously process data of two or
more security levels without risk of compromise.  To  accom-
     Multilevel secure - a class of system containing infor-
mation with different sensitivities that simultaneously per-
mits access by users with different security clearances  and
needs-to-know,  but  prevents users from obtaining access to
nformation for which they lack authorization.
     Multilevel Security Mode - the mode of  operation  that
allows  two  or more classification levels of information to
be processed simultaneously within the same system when some
users are not cleared for all levels of information present.
Compare Dedicated Security Mode, System High Security Mode.
                           - N -
     Network architecture -  the set of layers and protocols
(including    formats    and    standards   that   different
tives) which define a Network.
     Network  component  -  a  network  subsystem  which  is
evaluatable   for   compliance   with  the  trusted  network
nterpretations, relative to that policy induced on the com-
     Network connection - A network connection is any  logi-
cal  or  physical  path  from one host to another that makes
the  other.  An example is a TCP connection.  But also, when
a host transmits an IP datagram employing only the  services
of its "connectionless" Internet Protocol interpreter, there
s considered to be a connection between the source and  the
     Network Reference Monitor - an access  control  concept
that  refers to an abstract machine that mediates all access
to objects within the network by subjects  within  the  net-
     Network security - the protection of networks and their
ts  critical  functions  correctly and there are no harmful
     Network security architecture -  a  subset  of  network
architecture   specifically   addressing   security-relevant
ssues.
     Network sponsor - the individual or  organization  that
s  responsible  for stating the security policy enforced by
the network, for designing the network security architecture
to  properly  enforce that policy, and for ensuring that the
network is implemented in such a  way  that  the  policy  is
enforced.   For commercial, off-the- shelf systems, the net-
network  system,  the  sponsor  will normally be the project
manager or system administrator.
     Network System - a system which is implemented  with  a
collection  of interconnected network components.  A network
     Network trusted computing base (NTCB) - the totality of
s  responsible  for enforcing a security policy.  (See also
Trusted Computing Base.)
     NTCB Partition - the totality of  mechanisms  within  a
as allocated to that component; the part of the NTCB  within
a single network component.
                           - O -
     Object - a passive entity  that  contains  or  receives
nformation.  Access to an object potentially implies access
to the information it contains.  Examples  of  objects  are:
tory trees, and programs, as well  as  bits,  bytes,  words,
fields,   processors,  video  displays,  keyboards,  clocks,
     Object reuse - the reassignment of a medium (e.g., page
frame,  disk  sector,  magnetic  tape) that contained one or
more objects to some subject.  To  be  securely  reassigned,
contained object(s).
     OSI Architecture - the International  Organization  for
Standardization  (ISO) provides a framework for defining the
communications  process  between  systems.   This  framework
ncludes a network architecture, consisting of seven layers.
The architecture is referred to as the Open  Systems  Inter-
connection (OSI) model or Reference Model.  Services and the
model  are  defined by international standards.  From a sys-
tems viewpoint, the bottom three  layers  support  the  com-
next three layers generally pertain to  the  characteristics
of the communicating end systems, and the top layer supports
the end users.  The seven layers  are:  1.  Physical  Layer:
the physical connection.  It defines the functional and pro-
cedural  characteristics  of  the  interface to the physical
circuit: the electrical and  mechanical  specifications  are
considered  to  be  part  of the medium itself. 2. Data Link
Layer: Formats the  messages.   Covers  synchronization  and
error  control for the information transmitted over the phy-
error  checking"  is  one  way  to  describe  this layer. 3.
Network Layer: Selects the appropriate facilities.  Includes
tem where the communicating application is: segmentation and
tion. 4. Transport Layer: Includes such functions as  multi-
connection, and segmenting  data  into  appropriately  sized
to-end control  of  data  reliability.   5.  Session  Layer:
Selects  the  type  of  service.   Manages  and synchronizes
conversations between two application processes.   Two  main
types  of dialogue are provided: two-way simultaneous (full-
control  functions  similar  to the control language in com-
tion  is  delivered  in a form that the receiving system can
understand and use. Communicating parties determine the for-
mat   and  language  (syntax)  of  messages:  translates  if
Layer:  Supports  distributed  applications  by manipulating
nformation.   Provides   resource   management   for   file
transfer,  virtual file and virtual terminal emulation, dis-
tributed processes and other applications.
     Overt channel - an overt channel is  a  path  within  a
network  which  is  designed  for the authorized transfer of
                           - P -
     Passive - (1) A property of an object or network object
that  it  lacks  logical  or computational capability and is
unable to change the information  it  contains.   (2)  Those
threats  to  the confidentiality of data which, if realized,
the  intercommunicating  systems  (e.g.,  monitoring  and/or
     Penetration - the successful violation of  a  protected
     Penetration testing - the portion of  security  testing
n  which the penetrators attempt to circumvent the security
features of a system.  The penetrators may be assumed to use
all  system  design  and implementation documentation, which
may include listings of system  source  code,  manuals,  and
circuit diagrams.  The penetrators work under no constraints
other than those that would be applied to ordinary users  or
mplementors of untrusted portions of the component.
     Privacy - (1) the ability of an individual or organiza-
tion  to  control the collection, storage, sharing, and dis-
The  right  to insist on adequate security of, and to define
authorized users of, information or systems.  Note: The con-
cept of privacy cannot be very precise and its use should be
avoided in specifications except as a means to require secu-
legislation.
     Process - a program in  execution.   It  is  completely
characterized   by   a   single   current   execution  point
(represented by the machine state) and address space.
     Protection-critical portions of the TCB  -  those  por-
tions  of  the TCB whose normal function is to deal with the
control of access between subjects  and  objects.  See  also
Subject, Object, Trusted Computer Base.
     Protection philosophy - an informal description of  the
overall  design of a system that delineates each of the pro-
tection mechanisms employed. A combination  (appropriate  to
the  evaluation  class) of formal and informal techniques is
used to show that the mechanisms are adequate to enforce the
                           - R -
     Read - a fundamental operation that results only in the
flow of information from an object to a subject.
     Read access - permission to read information.
     Reference monitor concept - an access  control  concept
that  refers  to  an  abstract  machine  that  mediates  all
accesses to objects by subjects. See also Security Kernel.
     Reliability - the extent  to  which  a  system  can  be
expected to perform its intended function with required pre-
cision.
     Resource - anything used or consumed while performing a
function.   The categories of resources are:  time, informa-
tion, objects (information containers), or  processors  (the
ability  to  use  information).  specific examples are:  CPU
time; terminal connect time; amount of  directly-addressable
memory; disk space; number of I/O requests per minute, etc.
                           - S -
     Secrecy Policy - a security policy to prevent unauthor-
zed  users  from  reading  sensitive information.  See also
Security Policy
     Security architecture - the subset of  computer  archi-
tecture dealing with the security of the computer or network
     Security-Compliant Channel -  A  channel  is  Security-
Compliant  if  the enforcement of the network policy depends
only upon characteristics of the channel either (1) included
n  the  evaluation,  or  (2) assumed as a installation con-
Manual.
     Security Kernel - the hardware, firmware, and  software
elements  of  a  Trusted  Computing Base (or Network Trusted
Computing Base partition) that implement the reference moni-
tor  concept.   It  must  mediate all accesses, be protected
                                  ___
from modification, and be verifiable as correct.
     Security label - see Sensitivity label.
     Security level - the combination of hierarchical  clas-
     Security policy - the set of laws, rules, and practices
that  regulate  how  an  organization manages, protects, and
     Security policy model - an informal presentation  of  a
formal security policy model.
     Security testing - a process used to determine that the
and that  they  are  adequate  for  a  proposed  application
environment.   This  process  includes  hands-on  functional
testing, penetration testing, and  verification.  See  also:
Functional Testing, Penetration Testing, Verification.
     Sensitivity  label  -  A  piece  of  information   that
n  the  object.  Sensitivity labels are used by the NTCB as
the basis for mandatory access control decisions.
     Sensitivity level - See Security level.
     Simple security property  -  a  Bell-LaPadula  security
model  rule allowing a subject read access to an object only
f the security level of the subject dominates the  security
level of the object.
     Single-level device - a device that is used to  process
     *-property (star property) - a  Bell-LaPadula  security
model rule allowing a subject write access to an object only
f the security level of the subject  is  dominated  by  the
     Storage object - an object that supports both read  and
     Subject - an active entity, generally in the form of  a
among objects or changes the system state.   Technically,  a
     Subject security level - a subject's security level  is
equal  to  the security level of the objects to which it has
both read and write access.  A subject's security level must
always be dominated by the clearance of the user the subject
s associated with.
     System - an assembly of computer and/or  communications
of classifying, sorting, calculating,  computing,  summariz-
ng, transmitting and receiving, storing and retrieving data
     System High - the highest security level supported by a
     System High Security Mode - the mode  of  operation  in
vide discretionary protection between users.  In this  mode,
the  entire  system,  to include all components electrically
and/or physically  connected,  must  operate  with  security
measures  commensurate  with  the highest classification and
clearances and authorization for all  information  contained
n  the  system.   All  system output must be clearly marked
the  information has been reviewed manually by an authorized
ndividual to ensure appropriate  classifications  and  that
caveats have been affixed.  Compare Dedicated Security Mode,
Multilevel Security Mode.
     System Low - the lowest security level supported  by  a
     System Security Officer (SSO) - the person  responsible
for  the security of a system.  The SSO is authorized to act
n the "security administrator" role.   Functions  that  the
SSO  is  expected  to perform include: auditing and changing
                           - T -
     Top-level  specification  (TLS)  -   a   non-procedural
Typically a functional specification that omits  all  imple-
mentation details.
     Trap-door - a hidden  software  or  hardware  mechanism
that  permits  system  protection  mechanisms  to be circum-
vented.  It is activated in some non-apparent manner  (e.g.,
     Trojan horse - a computer program with an apparently or
actually  useful  function that contains additional (hidden)
functions  that  surreptitiously  exploit   the   legitimate
authorizations  of  the invoking process to the detriment of
file for the creator of the Trojan Horse.
     Trusted channel - a mechanism by which two NTCB  parti-
tions  can  communicate  directly.   This  mechanism  can be
activated by either of the NTCB partitions, cannot  be  imi-
tated  by untrusted software, and maintains the integrity of
nformation that is sent over it.  A trusted channel may  be
needed  for  the correct operation of other security mechan-
sms.
     Trusted computer system - a system that employs  suffi-
cient  hardware and software integrity measures to allow its
use for processing simultaneously a range  of  sensitive  or
classified information.
     Trusted computing base (TCB) - the totality of  protec-
tion  mechanisms  within  a  computer  system  --  including
s  responsible for enforcing a security policy.  It creates
a basic protection environment and provides additional  user
ty of a trusted computing base to correctly enforce a secu-
and on the correct input by system administrative  personnel
of  parameters  (e.g.,  a  user's  clearance) related to the
     Trusted functionality - that which is determined to  be
correct  with  respect to some criteria, e.g. as established
by a security policy.  The functionality shall neither  fall
     Trusted path - a mechanism by which a person at a  ter-
minal  can  communicate  directly with the Trusted Computing
Base.  This mechanism can only be activated by the person or
the  Trusted  Computing  Base  and  cannot  be  imitated  by
untrusted software.
     Trusted software - the software portion  of  a  Trusted
Computing Base.
     Trusted subject - a subject that is part  of  the  TCB.
trusted not to actually do so.  For  example  in  the  Bell-
LaPadulla  model a trusted subject is not constrained by the
*-property and thus  has  the  ability  to  write  sensitive
nformation  into  an object whose level is not dominated by
the (maximum) level of the subject, but  it  is  trusted  to
only write information into objects with a label appropriate
for the actual level of the information.
                           - U -
     User - any person who interacts directly with a network
to interact with the system and those  people  who  interact
Note that "users" does not include "operators," "system pro-
officers," and other system  support  personnel.   They  are
Manual and the System Architecture requirements.  Such indi-
viduals may change the system parameters of the network sys-
tem, for example by defining membership of a  group.   These
ndividuals may also have the separate role of users.
                           - V -
     Verification - the process of comparing two  levels  of
     Virus - malicious software, a  form  of  Trojan  horse,
                           - W -
     Write - a fundamental operation that  results  only  in
the flow of information from a subject to an object.
     Write access - permission to write an object.
                         References
                         __________
Abrams, M. D. and H. J. Podell, Tutorial: Computer and  Net-
                                ________  ________ ___  ____
____ ________
Addendum to the Transport Layer Protocol Definition for Pro-
________ __ ___ _________ _____ ________ __________ ___ ____
viding  Connection  Oriented  End-to-End  Cryptographic Data
______  __________  ________  ___ __ ___  _____________ ____
__________ _____ _ __ ___ _____ ______
WG 3, N 37, January 10, 1986.
Biba K. J., Integrity  Considerations  for  Secure  Computer
            _________  ______________  ___  ______  ________
Systems,  MTR-3153,  The  MITRE Corporation, June 1975; ESD-
_______
TR-76-372, April 1977.
Bell, D. Elliot and LaPadula, Leonard  J.,  Secure  Computer
                                            ______  ________
Systems:  Unified Exposition and Multics Interpretation, MTR
_______   _______ __________ ___ _______ ______________
Denning, D .E., Lunt, T. F., Neumann, P. G., Schell, R.  R.,
Heckman,  M.   and  Shockley,  W.,  Secure  Distributed Data
                                    ______  ___________ ____
Views, Security Policy and Interpretation  for  a  Class  A1
_____  ________ ______ ___ ______________  ___  _  _____  __
Multilevel  Secure  Relational Database System, SRI Interna-
__________  ______  __________ ________ ______
tional, November 1986.
Girling, C. G., "Covert Channels in  LAN's,"  IEEE  Transac-
                                              ____  ________
tions  on  Software Engineering, Vol. SE-13, No. 2, February
_____  __  ________ ___________
Grohn, M.  J., A Model of a Protected Data  Management  Sys-
               _ _____ __ _ _________ ____  __________  ____
tem, ESD-TR-76-289, I.  P.  Sharp Assoc.  Ltd., June, 1976.
___
``Integrity and Inference Group Report,'' Proceedings of the
                                          ___________ __ ___
National  Computer  Security Center Invitational Workshop on
________  ________  ________ ______ ____________ ________ __
Database Security, Baltimore, MD, 17-20 June 1986.
________ ________
___ ____ ____ _   ________ ____________
/  N1528  / WG 1 Ad hoc group on Security, Project 97.21.18,
September 1986.
Jueneman, R. R, "Electronic Document  Authentication,"  IEEE
                                                        ____
Network Magazine, April 1987, pp 17-23.
_______ ________
 Lipner, Steven B., ``Non-Discretionary Controls for Commer-
cial  Applications'', IEEE Proceedings of the 1982 Symposium
                      ____ ___________ __ ___ ____ _________
on Security and Privacy, April 26-28, 1982, Oakland, CA.
__ ________ ___ _______
National Computer Security  Center,  Department  of  Defense
                                     __________  __  _______
________  __________  _________
National Computer Security  Center,  Department  of  Defense
                                     __________  __  _______
Trusted  Computer Security Evaluation Criteria, DOD 5200.28-
_______  ________ ________ __________ ________
STD, December 1985.
National Computer Security  Center,  Security  Requirements:
                                     ________  ____________
Guidance for Applying the Department of Defense Trusted Com-
________ ___ ________ ___ __________ __ _______ _______ ____
_____ ______ __________ ________ __  ________  ____________
CSC-STD-003-85, 25 June 1985.
                                                     _______
tions  of End-to-End Encryption in Secure Computer Networks,
_____  __ ___ __ ___ __________ __ ______ ________ ________
The MITRE Corporation, MTR-3592, Vol. I, May  1978  (ESD  TR
The Directory - Authentication Framework  (Melbourne,  April
___ _________   ______________ _________   _________   _____
____
Voydock, Victor L. and Stephen T. Kent, "Security Mechanisms
n  High-Level  Network  Protocols," Computing Surveys, Vol.
                                     _________ _______
_________________________
bility.




			
			
AD: