NCSC-TG-005
Library No. S228,526
Version 1
FOREWORD
This publication is issued by the National Computer
Security Center (NCSC) as part of its program to promulgate
technical computer security guidelines. The interpretations
extend the evaluation classes of the Trusted Systems Evalua-
tion Criteria (DOD 5200.28-STD) to trusted network systems
and components.
This document will be used for a period of at least one
year after date of signature. During this period the NCSC
tion in several network evaluations. In addition, the NCSC
the community on the details of the Trusted Network
Workshops and tutorials will be open to any member of
the network security community interested in providing feed-
back. Anyone wishing more information, or wishing to pro-
vide comments on the usefulness or correctness of the
Trusted Network Interpretation may contact: Chief, Techni-
cal Guidelines Division, National Computer Security Center,
Ft. George G. Meade, MD 20755-6000, ATTN: C11. The tele-
______________________________________________
Director
National Computer Security Center
ACKNOWLEDGMENT
Acknowledgment is extended to the members of the Working
Group who produced this Interpretation. Members were:
Alfred Arsenault, National Computer Security Center (Chair);
Dr. Roger Schell, Gemini Computers; Stephen Walker, Trusted
Jonathan Millen, MITRE; Leonard LaPadula, MITRE; Robert
Morris, NCSC; and Jack Moskowitz, NCSC. Also due ack-
nowledgement for their many inputs to this interpretation
are Steve Padilla and William Shockley, Gemini Computers.
Introduction
Part I of this document provides interpretations of the
Department of Defense Trusted Computer System Evaluation
Criteria (TCSEC) (DOD-5200.28-STD), for trusted
computer/communications network systems. The specific secu-
internetwork systems.
Part II of this document describes a number of addi-
tional security services (e.g., communications integrity,
assurance requirements, may receive qualitative ratings.
The TCSEC related feature and assurance requirements,
and the additional security services described herein are
intended for the evaluation of trusted network systems
cedural, and related protection measures adequate to the
operate a network in a secure manner at a single system high
or assurance requirements described herein. The full range
of physical and administrative security measures appropriate
to the highest sensitivity level of information on the net-
as described in this Interpretation.
It is important to note that this Interpretation does
not describe all the security requirements that may be
imposed on a network. Depending upon the particular
environment, there may be communications security (COMSEC),
emanations security, physical security, and other measures
An environmental evaluation process, such as that
for Applying the DoD TCSEC in Specific Environments'' (CSC-
STD-003-85), can be used to determine the level of trust
are applicable to networks evaluated under these Interpreta-
tions.
As with the TCSEC itself, this Interpretation has been
security features and assurance levels to build into
their new and planned, commercial network products
in order to provide widely available systems that
satisfy trust requirements for sensitive applica-
tions
of trust that can be placed in a given network sys-
tem for processing sensitive information
ments in acquisition specifications.
With respect to the second purpose for development of
the criteria, i.e., providing a security evaluation metric,
evaluations can be delineated into two types: an evaluation
can be performed on a network product from a perspective
that excludes the application environment, or an evaluation
can be done to assess whether appropriate security measures
ally in a specific environment. The former type of evalua-
tion is done by the National Computer Security Center
through the Commercial Product Evaluation Process.
The latter type of evaluation, those done for the pur-
certification evaluation. It must be understood that the
completion of a formal product evaluation does not consti-
tute certification or accreditation for the system to be
used in any specific application environment. On the con-
trary, the evaluation report only provides a trusted network
from a computer security point of view. The system security
certification and the formal approval/accreditation pro-
cedure, done in accordance with the applicable policies of
the issuing agencies, must still be followed before a net-
This Interpretation can be used directly and indirectly
in the certification process. Along with applicable policy,
it can be used directly as technical guidance for evaluation
of the total system and for specifying system security and
certification requirements for new acquisitions. Where a
that has undergone a Commercial Product Evaluation, reports
from that process will be used as input to the certification
evaluation. Technical data will be furnished to designers,
evaluators, and the DAAs to support their needs for making
The fundamental computer security requirements as
The term ``sponsor'' is used throughout this document
to represent the individual or entity responsible for
A network system is the entire collection of hardware,
firmware, and software necessary to provide a desired func-
tionality.
A component is any part of a system that, taken by
itself, provides all or a portion of the total functionality
be an individual unit, not useful to further subdivide, or a
collection of components up to and including the entire sys-
tem.
Because the term integrity has been used in various
contexts to denote specific aspects of an overall issue, it
is important for the reader to understand the context in
in the TCSEC itself, the use of this term is limited to (1)
the correct operation of NTCB hardware/firmware and (2) pro-
tection against unauthorized modification of labels and
labels (viz., Divisions A and B) must, as detailed in the
Label Integrity section of the TCSEC, protect the labels
that represent the sensitivity of information (contained in
objects) and the corresponding authorizations of users (with
the accesses of users that modify information-. As part of
the NTCB itself, such integrity policies will be supported
by access control mechanisms based on the identity of indi-
viduals (for discretionary integrity) and/or sensitivity
levels (for mandatory integrity). In contrast, within Part
tion transfer between distinct components. This communica-
tions integrity includes the issues for correctness of mes-
_________________________
- See, for example, K. J. Biba, Integrity Considera-
tions for Secure Computer Systems, MTR-3153, The MITRE
Corporation, Bedford, MA, June 1975.
In many network environments, encryption can play an
essential role in protecting sensitive information. In Part
encryption is described as a tool for protecting data from
compromise or modification attacks. Encryption algorithms
and their implementation are outside the scope of this docu-
ment. This document was prepared from a DoD perspective and
other contexts, alternate approval authority may exist.
As with the TCSEC itself, this is a reference document
and is not intended to be used as a tutorial. The reader is
assumed to be familiar with the background literature on
computer security and communications networks=. Part II
assumes a familiarity with the terminology used within ISO
Security Services documentation.
_________________________
= See, for example, M. D. Abrams and H. J. Podell,
Tutorial: Computer and Network Security, IEEE Computer
Society Press, 1987.
* ISO 7498/Part 2 - Security Architecture, ISO / TC
The DoD TCSEC was published in December 1985 to provide
a means of evaluating specific security features and
assurance requirements available in ``trusted commercially
available automatic data processing (ADP) systems,''
(AIS). The rating scale of the TCSEC extends from a rating
for ``state of the art'' features and assurance measures.
These technical criteria guide system builders and evalua-
tors in determining the level of trust required for specific
minimum security protection requirements, and appropriate
accreditation decisions for specific installations can be
TCSEC requires that the access of subjects (i.e., human
users or processes acting on their behalf) to objects (i.e.,
containers of sensitive information) be mediated in accor-
In order to ensure strict compatibility between TCSEC
evaluated AIS and networks and their components, and to
avoid the possible evolution of incompatible evaluation cri-
teria, Part I of this document has been specifically
is based entirely on the principles of the TCSEC, uses all
TCSEC basic definitions, and introduces new concepts only
text. Unless otherwise stated, the TCSEC requirements apply
as written. The approach of interpreting the TCSEC for net-
number of specific complex network and AIS applications.
There are several security policy models that may be
used with the reference monitor concept. The Bell-LaPadula
model is commonly used but is not mandated. Similarly for
integrity policy, models such as Biba have been proposed but
are not mandated. For this network interpretation, no
necessary that either a secrecy policy, an integrity policy,
or both be specified for enforcement by the reference moni-
tor.
In the context of network systems, there are a number
of additional security services that do not normally arise
in individual AIS, and are not appropriate to the detailed
feature and assurance evaluation prescribed by the TCSEC.
These security services, which may or may not be available
in specific network offerings, include provisions for com-
munications security, denial of service, transmission secu-
sms and protocols. Part II of this document describes
these services and provides a qualitative means of evaluat-
ing their effectiveness when provided.
Evaluation of Part II offered services is dependent
upon the results of the system's Part I evaluation or
component's Appendix A evaluation. A Part II evaluation
tify which security services are offered by a system or com-
normally give a none, minimum, fair or good rating for those
that can be given or a quantitative measure of strength may
be used as the basis for rating. A not applicable rating
DoD Directive 5200.28 (and similar policies elsewhere
in government) establishes the concept of a DAA, an indivi-
this approval process and the technical advisory role to the
DAA provided by the TCSEC are well understood. The same
approval process applies to networks of AIS and plays a key
using this Interpretation.
Depending upon the operational and technical charac-
teristics of the environment in which a network exists,
either of two views for accreditation and evaluation pur-
nected separately accredited AIS or as a single unified sys-
tem the security accreditation of which is the responsibil-
ity of a single authority.
The security feature and assurance requirements of a
under this Interpretation, is greatly impacted by which view
of the network is appropriate.
The interconnected accredited AIS view is an opera-
tional perspective that recognizes that parts of the network
may be independently created, managed, and accredited.
Where different accrediting jurisdictions are involved, the
between the components involved.
Interconnected accredited AIS consist of multiple sys-
tems (some of which may be trusted) that have been indepen-
and lowest sensitivity levels of information that may be
Individual AIS may be thought of as ``devices'' with which
neighboring systems can send and receive information. Each
AIS is accredited to handle sensitive information at a sin-
level.
The range of sensitive information that may be
exchanged between two such AIS is a range, agreed upon by
each system's approving authorities, which cannot exceed the
maximum sensitivity levels in common between the two sys-
tems.
Because of the complex structure of a network consist-
ing of interconnected accredited AIS, it may not be practi-
cal to evaluate such a network using this Interpretation or
to assign it a trusted system rating. In this case, the
accreditor is forced to accept the risk of assessing the
against the principles of the TCSEC as interpreted in Part I
of the document. Appendix C describes the rules for con-
necting separately accredited AIS and the circumstances in
The policy enforcement by trusted components in a
``single trusted system'' exhibits a common level of trust
throughout. A single trusted system is accredited as a sin-
circumstances where a system will process information from
multiple sensitive sources, more than one accrediting
authority may be involved, but their responsibility will be
for accrediting the whole system as a single entity for use
Networks such as these can be evaluated against this
AIS evaluated by the TCSEC itself.
A ``single trusted system'' network implements a refer-
ence monitor to enforce the access of subjects to objects in
accordance with an explicit and well defined network secu-
base, referred to as the Network Trusted Computing Base
(NTCB), which is partitioned (see section I.4.2) among the
network components in a manner that ensures the overall net-
Every component that is trusted must enforce a
component-level security policy that may contain elements of
the overall network security policy. The sum of all
component-level security policies must be shown to enforce
the overall network security policy.
There is no requirement that every component in the
network have an NTCB partition nor that any such partition
comprise a complete TCB (e.g., a network component could be
only that portion of the NTCB). Interaction among NTCB par-
titions shall be via communications channels, operating at
either single or multiple levels as appropriate. The net-
tioned and how all the trusted system requirements are
A given component that does not enforce the full imple-
mentation of all policies (i.e., mandatory access control,
and audit) must be evaluated as a component as specified in
Appendix A. For example, a network architecture that does
not operate above Level 3 of the ISO protocol model and typ-
ically does not enforce discretionary access control must be
evaluated as a component under Appendix A and not as a full
In many networking environments, the overall network
authorized connections across the network. The access con-
trol mediation performed by the components of these networks
enforces the establishment of connections between host com-
authorized connection list. While a connection-oriented
abstractions may be difficult but is required in order to
evaluate the network.
Individual trusted network components may employ a
local mechanism to enforce mediation only between local sub-
components may have no direct involvement with the enforce-
ment of network connections. Others, however, will have an
additional higher level network connection enforcement role.
This higher level connection-oriented abstraction may be
enforced solely within an individual component or may be
encryption case, cryptographic front end devices enforce the
network connection authorization decisions made by an access
control/key management center.)
With the connection-oriented abstraction, the role of
the network as a whole in controlling information flow may
be more easily understood, but there may be no simple way to
extend this abstraction to the reference monitor require-
ments of individual components in the network. The overall
network security policy must be decomposed into policy ele-
ments that are allocated to appropriate components and used
as the basis for security policy models for these com-
The reference monitor subject/object definitions as
enforcement at the individual component level but may not
oriented abstraction may be essential to understanding the
overall network security policy. The network architecture
must demonstrate the linkage between the connection-oriented
abstraction and its realization in the individual components
of the network.
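As an added illustration (not part of this Interpretation or of any NCSC text), the following Python sketch shows the linkage the preceding paragraphs call for in the encryption case: a network-wide authorized connection list is decomposed into the policy element each cryptographic front end enforces, the connections the components actually permit are recomputed from those elements, and the two are compared. The hosts, front-end names, connection list and the mis-allocated elements are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# A connection is identified by (source host, destination host).
Connection = Tuple[str, str]


def allocate_policy_elements(network_policy: Set[Connection],
                             front_end_of: Dict[str, str]) -> Dict[str, Set[Connection]]:
    """Decompose the network-wide authorized connection list into the policy
    element each cryptographic front end enforces: the authorized connections
    that involve its own host.  This stands in for the access control/key
    management center's decision; the data structures are assumptions."""
    elements: Dict[str, Set[Connection]] = {fe: set() for fe in front_end_of.values()}
    for src, dst in network_policy:
        elements[front_end_of[src]].add((src, dst))
        elements[front_end_of[dst]].add((src, dst))
    return elements


def realized_connections(hosts: List[str], front_end_of: Dict[str, str],
                         elements: Dict[str, Set[Connection]]) -> Set[Connection]:
    """A connection is established only if both front ends on its path permit
    it.  This is the component-level mediation that realizes the
    connection-oriented abstraction."""
    realized: Set[Connection] = set()
    for src in hosts:
        for dst in hosts:
            if src == dst:
                continue
            conn = (src, dst)
            if conn in elements[front_end_of[src]] and conn in elements[front_end_of[dst]]:
                realized.add(conn)
    return realized


def check_decomposition(network_policy, hosts, front_end_of, elements):
    """Linkage check: the sum of the component-level elements must enforce the
    overall policy.  Returns (connections permitted but not authorized,
    connections authorized but not permitted); both empty means the
    decomposition is sound and complete."""
    realized = realized_connections(hosts, front_end_of, elements)
    return realized - network_policy, network_policy - realized


def demo():
    # Constructed network: three hosts, each behind its own front end device.
    hosts = ["A", "B", "C"]
    front_end_of = {"A": "FE_A", "B": "FE_B", "C": "FE_C"}
    network_policy = {("A", "B"), ("B", "A"), ("A", "C")}

    good = allocate_policy_elements(network_policy, front_end_of)
    ok = check_decomposition(network_policy, hosts, front_end_of, good)

    # Mis-allocated elements: C->A permitted at both ends although the network
    # policy never authorized it, and B->A dropped from FE_B.
    bad = {fe: set(conns) for fe, conns in good.items()}
    bad["FE_A"].add(("C", "A"))
    bad["FE_C"].add(("C", "A"))
    bad["FE_B"].discard(("B", "A"))
    broken = check_decomposition(network_policy, hosts, front_end_of, bad)
    return ok, broken


if __name__ == "__main__":
    print(demo())
```

The first result pair is empty in both parts, showing the allocation enforces exactly the network policy; the second pair names the unauthorized connection that slipped through and the authorized one that was blocked, which is the kind of evidence an evaluator needs to see the architecture's linkage demonstrated.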
For purposes of this trusted network interpretation,
the terms ``subject'' and ``object'' are defined as in the
TCSEC.
The subjects of a trusted network commonly fall into
two classes: those that serve as direct surrogates for a
user (where ``user'' is synonymous with ``human being''),
and ``internal'' subjects that provide services for other
than being made part of each user surrogate subject.
There is a set of TCSEC requirements that are directed
at users, rather than subjects. In the network context,
AIS (e.g., protocol handlers) are usually provided by inter-
nal subjects. Some components that provide only communica-
tions facilitating services have only internal subjects.
Examples of ``single trusted system'' networks or com-
networks (as found in the Defense Data Network (DDN), end-
to-end (or host-to-host) encryption systems (such as used in
Blacker or ANSI X9.17 implementations), application level
networks or closed user community systems (such as the Inter
Service/Agency Automated Message Processing Exchange [I S/A
AMPE] and SACDIN Programs), local area networks, digital
vices Digital Network (ISDN) implementations, and a Virtual
Machine Monitor (VMM) on a single computer when analyzed as
a network.
The TCSEC provides a means for evaluating the
trustworthiness of a system and assigning an evaluation
class based on its technical properties - independent of the
as a whole with its various interconnected components is
on design and implementation choices as long as for the
_________________________
- Examples are employed throughout this document to
clarify the concepts presented. The naming of an exam-
nor on its suitability for any particular purpose.
a definitive protection domain boundary. The features and
assurance measures provided within the TCB perimeter will
as PARTITIONED into a set of interconnected components,
tion.'' All interaction between such trusted components
must be via ``communication channels or I/O devices'' as
Any network evaluated under this Interpretation must
(Interconnection of components that do not adhere to such a
Network Security Architecture is addressed in the Intercon-
nection Rules, Appendix C.) The Network Security Architec-
ture must address the security-relevant policies, objec-
tives, and protocols. The Network Security Design specifies
the interfaces and services that must be incorporated into
the network so that it can be evaluated as a trusted entity.
There may be multiple designs that conform to the same
architecture but which are more or less incompatible and
non-interoperable (except through the Interconnection
Rules). Security related mechanisms that require coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms which have no visi-
ble interfaces are not specified in this document but are
left as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components are assembl-
able into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and unambi-
Network Security Architecture and Design must be evaluated
to determine that a network constructed to its specifica-
tions will in fact be trusted, that is, it will be
evaluatable under these Interpretations.
Like a stand-alone system, the network as a whole
of the totality of security-relevant portions of the net-
evaluation of the network rests on an understanding of how
the security mechanisms are distributed and allocated to
various components, in such a way that the security policy
is supported reliably in spite of (1) the vulnerability of
the communication paths and (2) the concurrent, asynchronous
operation of the network components.
Some distributed systems have reliable, protected com-
munication paths and thus satisfy only the first charac-
teristic of a network: the division into concurrently
operating, communicating processing components. Although
certain interpretations in this Interpretation will not
apply to them, it may be beneficial to employ this Interpre-
tation to evaluate them, and to take advantage of the
interpretations relating to component properties and inter-
faces.
An NTCB that is distributed over a number of network
components is referred to as partitioned, and that part of
the NTCB residing in a given component is referred to as an
NTCB partition. A network host may possess a TCB that has
TCB does not necessarily coincide with the NTCB partition in
the host, in the sense of having the same security perime-
ter. Whether it does or not depends on whether the security
the network security policy, to the extent that it is allo-
cated to that host.
Even when a network host has a TCB that has been previ-
ously evaluated at a given class, and the host's TCB coin-
cides with the host's NTCB partition, there is still no a
and the evaluation class of the network. Some examples will
be given below to illustrate this point.
To evaluate a network at a given class, each require-
ment in Part I for that class must be satisfied by the net-
each requirement is allocated among the network's com-
the entire security policy in isolation; others, such as
network security policy may be allocated to different net-
Forcing every component to satisfy a specific Part I
that the network as a whole meets that requirement.
To show that it is not sufficient, consider two trusted
multilevel AIS that export and import labeled information to
and from each other over a direct connection. Both satisfy
the Label Integrity requirement that a sensitivity label be
accurately and unambiguously associated with exported data.
for the same sensitive information, the network as a whole
above that there be uniform labeling of sensitive informa-
tion throughout the network.
To show that it is not necessary, consider the Manda-
tory Access Control requirement that at least two sensi-
tivity levels be supported. Suppose that the network con-
maintaining labels and are operating at different levels in
a single-level mode. If they are interconnected through
can support the ``two or more levels'' requirement.
The allocation of a requirement to a component does not
isolation, but includes the possibility that it depends on
other components to satisfy the requirement locally, or
cooperates with other components to ensure that the require-
ment is satisfied elsewhere in the network.
Taken together, these examples illustrate the essential
ing and evaluating a trusted network.
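As an added illustration (not part of this Interpretation or of any NCSC text), the following Python sketch puts the two examples above into checkable form: a network-scope Label Integrity check that detects two correctly labeling hosts whose label names denote different network levels, and a network-scope check of the ``two or more levels'' requirement that passes for single-level, non-labeling hosts joined through a labeling gateway. The level vocabulary, component names, label maps and links are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Network-wide sensitivity levels, in increasing order (constructed vocabulary).
NETWORK_LEVELS = {"U": 0, "C": 1, "S": 2}


@dataclass
class Component:
    name: str
    # Sensitivity levels at which this component operates; a single-level
    # component has exactly one.
    levels: FrozenSet[str]
    # Whether this component's NTCB partition maintains labels on the data it
    # imports and exports.
    maintains_labels: bool
    # Local label name -> network level it denotes, for labels it exports.
    label_map: Dict[str, str] = field(default_factory=dict)


def check_uniform_labeling(components: List[Component]) -> List[str]:
    """Label Integrity at network scope.  Each component may attach labels
    correctly on its own; the network additionally needs every exported label
    name to denote the same network level wherever it appears."""
    problems: List[str] = []
    seen: Dict[str, Tuple[str, str]] = {}       # label name -> (level, component)
    for c in components:
        if not c.maintains_labels:
            continue
        for local, level in c.label_map.items():
            if level not in NETWORK_LEVELS:
                problems.append(f"{c.name}: label {local!r} denotes unknown level {level!r}")
            elif local in seen and seen[local][0] != level:
                other_level, other = seen[local]
                problems.append(f"label {local!r} means {level!r} in {c.name} "
                                f"but {other_level!r} in {other}")
            else:
                seen.setdefault(local, (level, c.name))
    return problems


def check_two_levels(components: List[Component],
                     links: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """MAC 'two or more levels' at network scope.  No component needs to be
    multilevel itself: the network qualifies if its components together
    operate at two or more levels and every link joining components at
    different levels passes through a label-maintaining component."""
    by_name = {c.name: c for c in components}
    problems: List[str] = []
    all_levels = set().union(*(c.levels for c in components))
    if len(all_levels) < 2:
        problems.append("network as a whole operates at fewer than two levels")
    for a, b in links:
        ca, cb = by_name[a], by_name[b]
        if ca.levels != cb.levels and not (ca.maintains_labels or cb.maintains_labels):
            problems.append(f"link {a}-{b} joins different levels with no labeling component")
    return not problems, problems


def demo():
    # Not sufficient: two multilevel hosts, each labeling correctly, but the
    # label RESTRICTED denotes different network levels on the two hosts.
    host1 = Component("host1", frozenset({"C", "S"}), True, {"RESTRICTED": "C", "SECRET": "S"})
    host2 = Component("host2", frozenset({"C", "S"}), True, {"RESTRICTED": "S", "SECRET": "S"})
    labeling_problems = check_uniform_labeling([host1, host2])

    # Not necessary: two single-level hosts that keep no labels, joined through
    # a labeling gateway, together support two levels; joined directly they
    # do not.
    low = Component("low", frozenset({"U"}), False)
    high = Component("high", frozenset({"S"}), False)
    gw = Component("gw", frozenset({"U", "S"}), True, {"U": "U", "S": "S"})
    via_gateway, _ = check_two_levels([low, high, gw], [("low", "gw"), ("gw", "high")])
    direct, _ = check_two_levels([low, high], [("low", "high")])
    return len(labeling_problems), via_gateway, direct


if __name__ == "__main__":
    print(demo())
```

The returned triple reads (one labeling conflict, True, False): the first value is the per-component check being insufficient, the last two are it being unnecessary, exactly the two points the text makes.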
Because network components are often supplied by dif-
ferent vendors and are designed to support standardized or
common functions in a variety of networks, significant
advantages can accrue from a procedure for evaluating indi-
vidual components. The purpose of component evaluation is
to aid both the network designer and the evaluator by per-
forming the evaluation process once and reusing the results
There are four types of security policies that may be
1. Mandatory Access Control
2. Discretionary Access Control
3. Supportive policies (e.g., Authentication, Audit)
4. Application policies (e.g., the policy supported
by a DBMS that is distinct from that supported by
the underlying system)
Application level policies are user dependent and will not
be considered further in these Interpretations.
For a component to support a policy such as Mandatory
Access Controls, it must support all the required features
for that policy with all of the required assurances of the
The remainder of this document is divided into two
a list of references. Part I presents TCSEC statements and
TCSEC statement applies as modified by the Interpretation.
covered in the TCSEC interpretation which may be applicable
to networks. Appendix A describes the evaluation of network
components. Appendix B describes the rationale for network
accredited AIS.
Part I: Interpretations of the
Trusted Computer System Evaluation Criteria
Highlighting (ALL CAPS) is used in Part I to indicate criteria
not contained in a lower class or changes and additions to
already defined criteria. Where there is no highlighting,
addition or modification.
1.0 DIVISION D: MINIMAL PROTECTION
This division contains only one class. It is reserved for
those systems that have been evaluated but that fail to meet
the requirements for a higher evaluation class.
2.0 DIVISION C: DISCRETIONARY PROTECTION
Classes in this division provide for discretionary (need-
to-know) protection and, through the inclusion of audit
capabilities, for accountability of subjects and the actions
they initiate.
2.1 CLASS (C1): DISCRETIONARY SECURITY PROTECTION
THE NETWORK TRUSTED COMPUTING BASE (NTCB) OF A
CLASS (C1) NETWORK SYSTEM NOMINALLY SATISFIES THE
DISCRETIONARY SECURITY REQUIREMENTS BY PROVIDING
SEPARATION OF USERS AND DATA. IT INCORPORATES
SOME FORM OF CREDIBLE CONTROLS CAPABLE OF ENFORC-
ING ACCESS LIMITATIONS ON AN INDIVIDUAL BASIS,
I.E., OSTENSIBLY SUITABLE FOR ALLOWING USERS TO BE
ABLE TO PROTECT PRIVATE OR PROJECT INFORMATION AND
TO KEEP OTHER USERS FROM ACCIDENTALLY READING OR
DESTROYING THEIR DATA. THE CLASS (C1) ENVIRONMENT
IS EXPECTED TO BE ONE OF COOPERATING USERS PRO-
CESSING DATA AT THE SAME LEVEL(S) OF SENSITIVITY.
THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR SYSTEMS
ASSIGNED A CLASS (C1) RATING.
+ Statement from DoD 5200.28-STD
+ Interpretation
THE NETWORK SPONSOR SHALL DESCRIBE THE OVERALL NETWORK
SECURITY POLICY ENFORCED BY THE NTCB. AT A MINIMUM, THIS
BLE TO THIS CLASS. THE POLICY MAY REQUIRE DATA SECRECY, OR
DATA INTEGRITY, OR BOTH. THE POLICY SHALL INCLUDE A DISCRE-
TIONARY POLICY FOR PROTECTING THE INFORMATION BEING PRO-
CESSED BASED ON THE AUTHORIZATIONS OF USERS OR GROUPS OF
USERS. THIS ACCESS CONTROL POLICY STATEMENT SHALL DESCRIBE
THE REQUIREMENTS ON THE NETWORK TO PREVENT OR DETECT "READ-
USERS OR ERRORS. UNAUTHORIZED USERS INCLUDE BOTH THOSE THAT
ARE NOT AUTHORIZED TO USE THE NETWORK AT ALL (E.G., A USER
ATTEMPTING TO USE A PASSIVE OR ACTIVE WIRE TAP) OR A LEGITI-
MATE USER OF THE NETWORK WHO IS NOT AUTHORIZED TO ACCESS A
SPECIFIC PIECE OF INFORMATION BEING PROTECTED.
NOTE THAT "USERS" DOES NOT INCLUDE "OPERATORS," "SYSTEM
OFFICERS," AND OTHER SYSTEM SUPPORT PERSONNEL. THEY ARE
DISTINCT FROM USERS AND ARE SUBJECT TO THE TRUSTED FACILITY
MANUAL AND THE SYSTEM ARCHITECTURE REQUIREMENTS. SUCH INDI-
VIDUALS MAY CHANGE THE SYSTEM PARAMETERS OF THE NETWORK SYS-
TEM, FOR EXAMPLE, BY DEFINING MEMBERSHIP OF A GROUP. THESE
SECRECY POLICY: THE NETWORK SPONSOR SHALL DEFINE THE
FORM OF THE DISCRETIONARY SECRECY POLICY THAT IS
ENFORCED IN THE NETWORK TO PREVENT UNAUTHORIZED
USERS FROM READING THE SENSITIVE INFORMATION
ENTRUSTED TO THE NETWORK.
DATA INTEGRITY POLICY: THE NETWORK SPONSOR SHALL
DEFINE THE DISCRETIONARY INTEGRITY POLICY TO PREVENT
UNAUTHORIZED USERS FROM MODIFYING, VIZ., WRITING,
SENSITIVE INFORMATION. THE DEFINITION OF DATA
INTEGRITY PRESENTED BY THE NETWORK SPONSOR REFERS TO
THE REQUIREMENT THAT THE INFORMATION HAS NOT BEEN
SUBJECTED TO UNAUTHORIZED MODIFICATION IN THE NET-
WORK.
+ Rationale
THE WORD "SPONSOR" IS USED IN PLACE OF ALTERNATIVES
(SUCH AS "VENDOR," "ARCHITECT," "MANUFACTURER," AND
"DEVELOPER") BECAUSE THE ALTERNATIVES INDICATE PEOPLE WHO
MAY NOT BE AVAILABLE, INVOLVED, OR RELEVANT AT THE TIME THAT
A NETWORK SYSTEM IS PROPOSED FOR EVALUATION.
A TRUSTED NETWORK IS ABLE TO CONTROL BOTH THE READING
AND WRITING OF SHARED SENSITIVE INFORMATION. CONTROL OF
WRITING IS USED TO PROTECT AGAINST DESTRUCTION OF INFORMA-
TION. A NETWORK NORMALLY IS EXPECTED TO HAVE POLICY REQUIRE-
MENTS TO PROTECT BOTH THE SECRECY AND INTEGRITY OF THE
FREQUENTLY AS IMPORTANT OR MORE IMPORTANT THAN THE SECRECY
REQUIREMENTS. THEREFORE THE SECRECY AND/OR INTEGRITY POLICY
TO BE ENFORCED BY THE NETWORK MUST BE STATED FOR EACH NET-
WORK REGARDLESS OF ITS EVALUATION CLASS. THE ASSURANCE THAT
THE POLICY IS FAITHFULLY ENFORCED IS REFLECTED IN THE
EVALUATION CLASS OF THE NETWORK.
THIS CONTROL OVER MODIFICATION IS TYPICALLY USED TO
CONTROL THE POTENTIAL HARM THAT WOULD RESULT IF THE INFORMA-
TION WERE CORRUPTED. THE OVERALL NETWORK POLICY REQUIRE-
MENTS FOR INTEGRITY INCLUDES THE PROTECTION FOR DATA BOTH
WHILE BEING PROCESSED IN A COMPONENT AND WHILE BEING
TRANSMITTED IN THE NETWORK. THE ACCESS CONTROL POLICY
ENFORCED BY THE NTCB RELATES TO THE ACCESS OF SUBJECTS TO
OBJECTS WITHIN EACH COMPONENT. COMMUNICATIONS INTEGRITY
ADDRESSED WITHIN PART II RELATES TO INFORMATION WHILE BEING
TRANSMITTED.
+ Statement from DoD 5200.28-STD
THE TCB SHALL DEFINE AND CONTROL ACCESS BETWEEN NAMED USERS
AND NAMED OBJECTS (E.G., FILES AND PROGRAMS) IN THE ADP SYS-
TEM. THE ENFORCEMENT MECHANISM (E.G., SELF/GROUP/PUBLIC
CONTROLS, ACCESS CONTROL LISTS) SHALL ALLOW USERS TO SPECIFY
AND CONTROL SHARING OF THOSE OBJECTS BY NAMED INDIVIDUALS OR
DEFINED GROUPS OF INDIVIDUALS, OR BOTH.
+ Interpretation
THE DISCRETIONARY ACCESS CONTROL (DAC) MECHANISM(S) MAY
BE DISTRIBUTED OVER THE PARTITIONED NTCB IN VARIOUS WAYS.
SOME PART, ALL, OR NONE OF THE DAC MAY BE IMPLEMENTED IN A
GIVEN COMPONENT OF THE NETWORK SYSTEM. IN PARTICULAR, COM-
NO SUBJECTS ACTING AS DIRECT SURROGATES FOR USERS), SUCH AS
A PUBLIC NETWORK PACKET SWITCH, MIGHT NOT IMPLEMENT THE DAC
MECHANISM(S) DIRECTLY (E.G., THEY ARE UNLIKELY TO CONTAIN
ACCESS CONTROL LISTS).
IDENTIFICATION OF USERS BY GROUPS MAY BE ACHIEVED IN
VARIOUS WAYS IN THE NETWORKING ENVIRONMENT. FOR EXAMPLE,
THE NETWORK IDENTIFIERS (E.G., INTERNET ADDRESSES) FOR VARI-
OUS COMPONENTS (E.G., HOSTS, GATEWAYS) CAN BE USED AS IDEN-
TIFIERS OF GROUPS OF INDIVIDUAL USERS (E.G., "ALL USERS AT
HOST A," "ALL USERS OF NETWORK Q") WITHOUT EXPLICIT IDENTIF-
USERS IMPLIED), IF THIS IS CONSISTENT WITH THE NETWORK SECU-
RITY POLICY.
FOR NETWORKS, INDIVIDUAL HOSTS WILL IMPOSE NEED-TO-KNOW
CONTROLS OVER THEIR USERS - MUCH LIKE (IN FACT, PROBABLY THE
SAME) CONTROLS USED WHEN THERE IS NO NETWORK CONNECTION.
WHEN GROUP IDENTIFIERS ARE ACCEPTABLE FOR ACCESS CON-
TROL, THE IDENTIFIER OF SOME OTHER HOST MAY BE EMPLOYED, TO
ELIMINATE THE MAINTENANCE THAT WOULD BE REQUIRED IF INDIVI-
DUAL IDENTIFICATION OF REMOTE USERS WAS EMPLOYED.
THE DAC MECHANISM OF A NTCB PARTITION MAY BE IMPLE-
MENTED AT THE INTERFACE OF THE REFERENCE MONITOR OR MAY BE
DISTRIBUTED IN SUBJECTS THAT ARE PART OF THE NTCB IN THE
SAME OR DIFFERENT COMPONENT. THE REFERENCE MONITOR MANAGES
ALL THE PHYSICAL RESOURCES OF THE SYSTEM AND FROM THEM
CREATES THE ABSTRACTION OF SUBJECTS AND OBJECTS THAT IT CON-
TROLS. SOME OF THESE SUBJECTS AND OBJECTS MAY BE USED TO
WHEN INTEGRITY IS INCLUDED AS PART OF THE NETWORK DIS-
CRETIONARY SECURITY POLICY, THE ABOVE INTERPRETATIONS SHALL
BE SPECIFICALLY APPLIED TO THE CONTROLS OVER MODIFICATION,
VIZ., THE WRITE MODE OF ACCESS, WITHIN EACH COMPONENT BASED
ON IDENTIFIED USERS OR GROUPS OF USERS.
+ Rationale
IN THIS CLASS, THE SUPPORTING ELEMENTS OF THE OVERALL
DAC MECHANISM ARE TREATED EXACTLY AS UNTRUSTED SUBJECTS ARE
TREATED WITH RESPECT TO DAC IN AN ADP SYSTEM, WITH THE SAME
RESULT AS NOTED IN THE INTERPRETATION. STRENGTHENING OF THE
DAC MECHANISM IN THE NETWORK ENVIRONMENT IS PROVIDED IN
CLASS (C2) (SEE THE DISCRETIONARY ACCESS CONTROL SECTION).
A TYPICAL SITUATION FOR DAC IS THAT A SURROGATE PROCESS
FOR A REMOTE USER WILL BE CREATED IN SOME HOST FOR ACCESS TO
OBJECTS UNDER THE CONTROL OF THE NTCB PARTITION WITHIN THAT
HOST. THE INTERPRETATION REQUIRES THAT A USER IDENTIFIER BE
ASSIGNED AND MAINTAINED FOR EACH SUCH PROCESS BY THE NTCB,
SO THAT ACCESS BY A SURROGATE PROCESS IS SUBJECT TO ESSEN-
TIALLY THE SAME DISCRETIONARY CONTROLS AS ACCESS BY A PRO-
CESS ACTING ON BEHALF OF A LOCAL USER WOULD BE. HOWEVER,
WITHIN THIS INTERPRETATION A RANGE OF POSSIBLE INTERPRETA-
TIONS OF THE ASSIGNED USER IDENTIFICATION IS PERMITTED.
THE MOST OBVIOUS SITUATION WOULD EXIST IF A GLOBAL
DATABASE OF NETWORK USERS WERE TO BE MADE PERMANENTLY AVAIL-
ABLE ON DEMAND TO EVERY HOST (I.E., A NAME SERVER EXISTED)
SO THAT ALL USER IDENTIFICATIONS WERE GLOBALLY MEANINGFUL.
IT IS ALSO ACCEPTABLE, HOWEVER, FOR SOME NTCB PARTI-
TIONS TO MAINTAIN A DATABASE OF LOCALLY-REGISTERED USERS FOR
THE CREATION OF SURROGATE PROCESSES FOR LOCALLY UNREGISTERED
USERS, OR (IF PERMITTED BY THE LOCAL POLICY) ALTERNATIVELY,
TO PERMIT THE CREATION OF SURROGATE PROCESSES WITH
GROUP OF USERS ON A PARTICULAR REMOTE HOST. THE INTENT OF
THE WORDS CONCERNING AUDIT IN THE INTERPRETATION IS TO PRO-
VIDE A MINIMALLY ACCEPTABLE DEGREE OF AUDITABILITY FOR CASES
SUCH AS THE LAST DESCRIBED. WHAT IS REQUIRED IS THAT THERE
BE A CAPABILITY, USING THE AUDIT FACILITIES PROVIDED BY THE
NETWORK NTCB PARTITIONS INVOLVED, TO DETERMINE WHO WAS
LOGGED IN AT THE ACTUAL HOST OF THE GROUP OF REMOTE USERS AT
THE TIME THE SURROGATE PROCESSING OCCURRED.
ASSOCIATING THE PROPER USER ID WITH A SURROGATE PROCESS
THAT DAC IS APPLIED LOCALLY, WITH RESPECT TO THE USER ID OF
THE SURROGATE PROCESS. THE TRANSMISSION OF THE DATA BACK
ACROSS THE NETWORK TO THE USER'S HOST, AND THE CREATION OF A
COPY OF THE DATA THERE, IS NOT THE BUSINESS OF DAC.
COMPONENTS THAT SUPPORT ONLY INTERNAL SUBJECTS IMPACT
THE IMPLEMENTATION OF THE DAC BY PROVIDING SERVICES BY WHICH
WOULD BE THE CASE THAT A USER AT HOST A ATTEMPTS TO ACCESS A
FILE AT HOST B. THE DAC DECISION MIGHT BE (AND USUALLY
WOULD BE) MADE AT HOST B ON THE BASIS OF A USER-ID TRANSMIT-
TED FROM HOST A TO HOST B.
UNIQUE USER IDENTIFICATION MAY BE ACHIEVED BY A VARIETY
OF MECHANISMS, INCLUDING (A) A REQUIREMENT FOR UNIQUE IDEN-
TIFICATION AND AUTHENTICATION ON THE HOST WHERE ACCESS TAKES
ADDRESSES AUTHENTICATED BY ANOTHER HOST AND FORWARDED TO THE
HOST WHERE ACCESS TAKES PLACE; OR (C) ADMINISTRATIVE SUPPORT
OF A NETWORK-WIDE UNIQUE PERSONNEL IDENTIFIER THAT COULD BE
AUTHENTICATED AND FORWARDED BY ANOTHER HOST AS IN (B) ABOVE,
OR COULD BE AUTHENTICATED AND FORWARDED BY A DEDICATED NET-
WORK IDENTIFICATION AND AUTHENTICATION SERVER. THE PROTO-
COLS WHICH IMPLEMENT (B) OR (C) ARE SUBJECT TO THE SYSTEM
ARCHITECTURE REQUIREMENTS.
NETWORK SUPPORT FOR DAC MIGHT BE HANDLED IN OTHER WAYS
THAN THAT DESCRIBED AS "TYPICAL" ABOVE. IN PARTICULAR, SOME
FORM OF CENTRALIZED ACCESS CONTROL IS OFTEN PROPOSED. AN
ACCESS CONTROL CENTER MAY MAKE ALL DECISIONS FOR DAC, OR IT
MAY SHARE THE BURDEN WITH THE HOSTS BY CONTROLLING HOST-TO-
HOST CONNECTIONS, AND LEAVING THE HOSTS TO DECIDE ON ACCESS
TO THEIR OBJECTS BY USERS AT A LIMITED SET OF REMOTE HOSTS.
BETWEEN THE CONNECTION ORIENTED ABSTRACTION (AS DISCUSSED IN
THE INTRODUCTION) AND THE OVERALL NETWORK SECURITY POLICY
FOR DAC. IN ALL CASES THE ENFORCEMENT OF THE DECISION MUST
BE PROVIDED BY THE HOST WHERE THE OBJECT RESIDES.
+ Statement from DoD 5200.28-STD
THE TCB SHALL REQUIRE USERS TO IDENTIFY THEMSELVES TO IT
BEFORE BEGINNING TO PERFORM ANY OTHER ACTIONS THAT THE TCB
USER'S IDENTITY. THE TCB SHALL PROTECT AUTHENTICATION DATA
SO THAT IT CANNOT BE ACCESSED BY ANY UNAUTHORIZED USER.
+ Interpretation
THE REQUIREMENT FOR IDENTIFICATION AND AUTHENTICATION
OF USERS IS THE SAME FOR A NETWORK SYSTEM AS FOR AN ADP SYS-
TEM. THE IDENTIFICATION AND AUTHENTICATION MAY BE DONE BY
THE COMPONENT TO WHICH THE USER IS DIRECTLY CONNECTED OR
SOME OTHER COMPONENT, SUCH AS AN IDENTIFICATION AND AUTHEN-
TICATION SERVER. AVAILABLE TECHNIQUES, SUCH AS THOSE
DESCRIBED IN THE PASSWORD GUIDELINE=, ARE GENERALLY ALSO
APPLICABLE IN THE NETWORK CONTEXT. HOWEVER, IN CASES WHERE
THE NTCB IS EXPECTED TO MEDIATE ACTIONS OF A HOST (OR OTHER
NETWORK COMPONENT) THAT IS ACTING ON BEHALF OF A USER OR
GROUP OF USERS, THE NTCB MAY EMPLOY IDENTIFICATION AND
AUTHENTICATION OF THE HOST (OR OTHER COMPONENT) IN LIEU OF
AUTHENTICATION INFORMATION, INCLUDING THE IDENTITY OF A
USER (ONCE AUTHENTICATED) MAY BE PASSED FROM ONE COMPONENT
TO ANOTHER WITHOUT REAUTHENTICATION, SO LONG AS THE NTCB
THORIZED DISCLOSURE AND MODIFICATION. THIS PROTECTION SHALL
OF MECHANISM) AS PERTAINS TO THE PROTECTION OF THE AUTHENTI-
CATION MECHANISM AND AUTHENTICATION DATA.
+ Rationale
THE NEED FOR ACCOUNTABILITY IS NOT CHANGED IN THE CON-
TEXT OF A NETWORK SYSTEM. THE FACT THAT THE NTCB IS PARTI-
TIONED OVER A SET OF COMPONENTS NEITHER REDUCES THE NEED NOR
NETWORK SYSTEM AT THE (C1) LEVEL (WHEREIN EXPLICIT INDIVI-
DUAL USER ACCOUNTABILITY IS NOT REQUIRED), "INDIVIDUAL
ACCOUNTABILITY" CAN BE SATISFIED BY IDENTIFICATION OF A HOST
(OR OTHER COMPONENT). IN ADDITION, THERE IS NO NEED IN A
DISTRIBUTED PROCESSING SYSTEM LIKE A NETWORK TO REAUTHENTI-
CATE A USER AT EACH POINT IN THE NETWORK WHERE A PROJECTION
OF A USER (VIA THE SUBJECT OPERATING ON BEHALF OF THE USER)
THE PASSING OF IDENTIFIERS AND/OR AUTHENTICATION INFOR-
MATION FROM ONE COMPONENT TO ANOTHER IS USUALLY DONE IN SUP-
TROL (DAC). THIS SUPPORT RELATES DIRECTLY TO THE DAC
REGARDING ACCESS BY A USER TO A STORAGE OBJECT IN A DIF-
FERENT NTCB PARTITION THAN THE ONE WHERE THE USER WAS
AUTHENTICATED. EMPLOYING A FORWARDED IDENTIFICATION IMPLIES
ADDITIONAL RELIANCE ON THE SOURCE AND COMPONENTS ALONG THE
+ Statement from DoD 5200.28-STD
THE TCB SHALL MAINTAIN A DOMAIN FOR ITS OWN EXECUTION THAT
BY MODIFICATION OF ITS CODE OR DATA STRUCTURES). RESOURCES
CONTROLLED BY THE TCB MAY BE A DEFINED SUBSET OF THE SUB-
JECTS AND OBJECTS IN THE ADP SYSTEM.
+ Interpretation
THE SYSTEM ARCHITECTURE CRITERION MUST BE MET INDIVIDU-
ALLY BY ALL NTCB PARTITIONS. IMPLEMENTATION OF THE REQUIRE-
MENT THAT THE NTCB MAINTAIN A DOMAIN FOR ITS OWN EXECUTION
FOR ITS OWN EXECUTION.
THE SUBSET OF NETWORK RESOURCES OVER WHICH THE NTCB HAS
CONTROL ARE THE UNION OF THE SETS OF RESOURCES OVER WHICH
THE NTCB PARTITIONS HAVE CONTROL. CODE AND DATA STRUCTURES
BELONGING TO THE NTCB, TRANSFERRED AMONG NTCB SUBJECTS
(I.E., SUBJECTS OUTSIDE THE REFERENCE MONITOR BUT INSIDE THE
NTCB) BELONGING TO DIFFERENT NTCB PARTITIONS, MUST BE PRO-
TECTED AGAINST EXTERNAL INTERFERENCE OR TAMPERING. FOR
EXAMPLE, A CRYPTOGRAPHIC CHECKSUM OR PHYSICAL MEANS MAY BE
EMPLOYED TO PROTECT USER AUTHENTICATION DATA EXCHANGED
BETWEEN NTCB PARTITIONS.
+ Rationale
THE REQUIREMENT FOR THE PROTECTION OF COMMUNICATIONS
BETWEEN NTCB PARTITIONS IS SPECIFICALLY DIRECTED TO SUBJECTS
THAT ARE PART OF THE NTCB PARTITIONS. ANY REQUIREMENTS FOR
SUCH PROTECTION FOR THE SUBJECTS THAT ARE OUTSIDE THE NTCB
REQUIREMENTS OF THE SECURITY POLICY.
+ Statement from DoD 5200.28-STD
HARDWARE AND/OR SOFTWARE FEATURES SHALL BE PROVIDED THAT CAN
BE USED TO PERIODICALLY VALIDATE THE CORRECT OPERATION OF
THE ON-SITE HARDWARE AND FIRMWARE ELEMENTS OF THE TCB.
+ Interpretation
IMPLEMENTATION OF THE REQUIREMENT IS PARTLY ACHIEVED BY
HAVING HARDWARE AND/OR SOFTWARE FEATURES THAT CAN BE USED TO
AND FIRMWARE ELEMENTS OF EACH COMPONENT'S NTCB PARTITION.
FEATURES SHALL ALSO BE PROVIDED TO VALIDATE THE IDENTITY AND
CORRECT OPERATION OF A COMPONENT PRIOR TO ITS INCORPORATION
EXAMPLE, A PROTOCOL COULD BE DESIGNED THAT ENABLES THE COM-
TOCOL SHALL BE ABLE TO DETERMINE THE REMOTE ENTITY'S ABILITY
TO RESPOND. NTCB PARTITIONS SHALL PROVIDE THE CAPABILITY TO
REPORT TO NETWORK ADMINISTRATIVE PERSONNEL THE FAILURES
DETECTED IN OTHER NTCB PARTITIONS.
INTERCOMPONENT PROTOCOLS IMPLEMENTED WITHIN A NTCB
SHALL BE DESIGNED IN SUCH A WAY AS TO PROVIDE CORRECT OPERA-
TION IN THE CASE OF FAILURES OF NETWORK COMMUNICATIONS OR
ACCESS CONTROL POLICY IN A NETWORK MAY REQUIRE COMMUNICATION
BETWEEN TRUSTED SUBJECTS THAT ARE PART OF THE NTCB PARTI-
TIONS IN DIFFERENT COMPONENTS. THIS COMMUNICATION IS NOR-
MALLY IMPLEMENTED WITH A PROTOCOL BETWEEN THE SUBJECTS AS
NOT RESULT FROM FAILURE OF AN NTCB PARTITION TO COMMUNICATE
WITH OTHER COMPONENTS.
+ Rationale
THE FIRST PARAGRAPH OF THE INTERPRETATION IS A
STRAIGHTFORWARD EXTENSION OF THE REQUIREMENT INTO THE CON-
TEXT OF A NETWORK SYSTEM AND PARTITIONED NTCB AS DEFINED FOR
THESE NETWORK CRITERIA.
NTCB PROTOCOLS SHOULD BE ROBUST ENOUGH SO THAT THEY
THE INTEGRITY OF THE NTCB ITSELF. IT IS NOT UNUSUAL FOR ONE
OR MORE COMPONENTS IN A NETWORK TO BE INOPERATIVE AT ANY
TIME, SO IT IS IMPORTANT TO MINIMIZE THE EFFECTS OF SUCH
FAILURES ON THE REST OF THE NETWORK. ADDITIONAL INTEGRITY
AND DENIAL OF SERVICE ISSUES ARE ADDRESSED IN PART II.
+ Statement from DoD 5200.28-STD
THE SECURITY MECHANISMS OF THE ADP SYSTEM SHALL BE TESTED
AND FOUND TO WORK AS CLAIMED IN THE SYSTEM DOCUMENTATION.
TESTING SHALL BE DONE TO ASSURE THAT THERE ARE NO OBVIOUS
WAYS FOR AN UNAUTHORIZED USER TO BYPASS OR OTHERWISE DEFEAT
THE SECURITY PROTECTION MECHANISMS OF THE TCB. (SEE THE
SECURITY TESTING GUIDELINES.)
+ Interpretation
TESTING OF A COMPONENT WILL REQUIRE A TESTBED THAT
EXERCISES THE INTERFACES AND PROTOCOLS OF THE COMPONENT.
THE TESTING OF A SECURITY MECHANISM OF THE NETWORK SYSTEM
FOR MEETING THIS CRITERION SHALL BE AN INTEGRATED TESTING
TION THAT IMPLEMENT THE GIVEN MECHANISM. THIS INTEGRATED
TESTING IS ADDITIONAL TO ANY INDIVIDUAL COMPONENT TESTS
SOR SHOULD IDENTIFY THE ALLOWABLE SET OF CONFIGURATIONS
OF THESE CONFIGURATIONS. A CHANGE IN CONFIGURATION WITHIN
THE ALLOWABLE SET OF CONFIGURATIONS DOES NOT REQUIRE RETEST-
+ Rationale
TESTING IS THE PRIMARY METHOD AVAILABLE IN THIS EVALUA-
TION DIVISION TO GAIN ANY ASSURANCE THAT THE SECURITY
MECHANISMS PERFORM THEIR INTENDED FUNCTION.
+ Statement from DoD 5200.28-STD
A SINGLE SUMMARY, CHAPTER, OR MANUAL IN USER DOCUMENTATION
SHALL DESCRIBE THE PROTECTION MECHANISMS PROVIDED BY THE
TCB, INTERPRETATIONS ON THEIR USE, AND HOW THEY INTERACT
WITH ONE ANOTHER.
+ Interpretation
THIS USER DOCUMENTATION DESCRIBES USER VISIBLE PROTEC-
TION MECHANISMS AT THE GLOBAL (NETWORK SYSTEM) LEVEL AND AT
THE USER INTERFACE OF EACH COMPONENT, AND THE INTERACTION
AMONG THESE.
+ Rationale
THE INTERPRETATION IS AN EXTENSION OF THE REQUIREMENT
NETWORK CRITERIA. DOCUMENTATION OF PROTECTION MECHANISMS
TERIA FOR TRUSTED COMPUTER SYSTEMS THAT ARE APPLIED AS
APPROPRIATE FOR THE INDIVIDUAL COMPONENTS.
+ Statement from DoD 5200.28-STD
A MANUAL ADDRESSED TO THE ADP SYSTEM ADMINISTRATOR SHALL
BE CONTROLLED WHEN RUNNING A SECURE FACILITY.
+ Interpretation
THIS MANUAL SHALL CONTAIN SPECIFICATIONS AND PROCEDURES
TO ASSIST THE SYSTEM ADMINISTRATOR(S) MAINTAIN COGNIZANCE OF
THE NETWORK CONFIGURATION. THESE SPECIFICATIONS AND PRO-
CEDURES SHALL ADDRESS THE FOLLOWING:
NETWORK;
LEAVE THE NETWORK (E.G., BY CRASHING, OR BY BEING
DISCONNECTED) AND THEN REJOIN;
SECURITY OF THE NETWORK SYSTEM; (FOR EXAMPLE, THE
MANUAL SHOULD DESCRIBE FOR THE NETWORK SYSTEM
ADMINISTRATOR THE INTERCONNECTIONS AMONG COMPONENTS
THAT ARE CONSISTENT WITH THE OVERALL NETWORK SYSTEM
ARCHITECTURE.)
(E.G., DOWN-LINE LOADING).
THE PHYSICAL AND ADMINISTRATIVE ENVIRONMENTAL CONTROLS
SHALL BE SPECIFIED. ANY ASSUMPTIONS ABOUT SECURITY OF A
GIVEN NETWORK SHOULD BE CLEARLY STATED (E.G., THE FACT THAT
ALL COMMUNICATIONS LINKS MUST BE PHYSICALLY PROTECTED TO A
CERTAIN LEVEL).
+ Rationale
THERE MAY BE MULTIPLE SYSTEM ADMINISTRATORS WITH
DIVERSE RESPONSIBILITIES. THE TECHNICAL SECURITY MEASURES
DESCRIBED BY THESE CRITERIA MUST BE USED IN CONJUNCTION WITH
OTHER FORMS OF SECURITY IN ORDER TO ACHIEVE SECURITY OF THE
NETWORK. ADDITIONAL FORMS INCLUDE ADMINISTRATIVE SECURITY,
EXTENSION OF THIS CRITERION TO COVER CONFIGURATION
ASPECTS OF THE NETWORK IS NEEDED BECAUSE, FOR EXAMPLE,
TO ACHIEVE A CORRECT REALIZATION OF THE NETWORK ARCHITEC-
TURE.
CRYPTOGRAPHY IS ONE COMMON MECHANISM EMPLOYED TO PRO-
TECT COMMUNICATION CIRCUITS. ENCRYPTION TRANSFORMS THE
REPRESENTATION OF INFORMATION SO THAT IT IS UNINTELLIGIBLE
TO UNAUTHORIZED SUBJECTS. REFLECTING THIS TRANSFORMATION,
THE SENSITIVITY OF THE CIPHERTEXT IS GENERALLY LOWER THAN
THE CLEARTEXT. IF ENCRYPTION METHODOLOGIES ARE EMPLOYED,
THEY SHALL BE APPROVED BY THE NATIONAL SECURITY AGENCY
(NSA).
THE ENCRYPTION ALGORITHM AND ITS IMPLEMENTATION ARE
OUTSIDE THE SCOPE OF THESE INTERPRETATIONS. THIS ALGORITHM
AND IMPLEMENTATION MAY BE IMPLEMENTED IN A SEPARATE DEVICE
OR MAY BE A FUNCTION OF A SUBJECT IN A COMPONENT NOT DEDI-
CATED TO ENCRYPTION. WITHOUT PREJUDICE, EITHER IMPLEMENTA-
TION PACKAGING IS REFERRED TO AS AN ENCRYPTION MECHANISM
HEREIN.
+ Statement from DoD 5200.28-STD
THE SYSTEM DEVELOPER SHALL PROVIDE TO THE EVALUATORS A DOCU-
MENT THAT DESCRIBES THE TEST PLAN, TEST PROCEDURES THAT SHOW
HOW THE SECURITY MECHANISMS WERE TESTED, AND RESULTS OF THE
SECURITY MECHANISMS' FUNCTIONAL TESTING.
+ Interpretation
THE "SYSTEM DEVELOPER" IS INTERPRETED AS "THE NETWORK
SYSTEM SPONSOR". THE DESCRIPTION OF THE TEST PLAN SHOULD
ESTABLISH THE CONTEXT IN WHICH THE TESTING WAS OR SHOULD BE
CONDUCTED. THE DESCRIPTION SHOULD IDENTIFY ANY ADDITIONAL
TEST COMPONENTS THAT ARE NOT PART OF THE SYSTEM BEING
EVALUATED. THIS INCLUDES A DESCRIPTION OF THE TEST-RELEVANT
FUNCTIONS OF SUCH TEST COMPONENTS AND A DESCRIPTION OF THE
EVALUATED. THE DESCRIPTION OF THE TEST PLAN SHOULD ALSO
DEMONSTRATE THAT THE TESTS ADEQUATELY COVER THE NETWORK
SECURITY POLICY. THE TESTS SHOULD INCLUDE THE FEATURES
DESCRIBED IN THE SYSTEM ARCHITECTURE AND THE SYSTEM
CONFIGURATION AND SIZING.
+ Rationale
THE ENTITY BEING EVALUATED MAY BE A NETWORKING SUBSYS-
TEM (SEE APPENDIX A) TO WHICH OTHER COMPONENTS MUST BE ADDED
TO MAKE A COMPLETE NETWORK SYSTEM. IN THAT CASE, THIS
BECAUSE, AT EVALUATION TIME, IT IS NOT POSSIBLE TO VALIDATE
THE TEST PLANS WITHOUT THE DESCRIPTION OF THE CONTEXT FOR
TESTING THE NETWORKING SUBSYSTEM.
+ Statement from DoD 5200.28-STD
DOCUMENTATION SHALL BE AVAILABLE THAT PROVIDES A DESCRIPTION
OF THE MANUFACTURER'S PHILOSOPHY OF PROTECTION AND AN EXPLA-
NATION OF HOW THIS PHILOSOPHY IS TRANSLATED INTO THE TCB. IF
THE TCB IS COMPOSED OF DISTINCT MODULES, THE INTERFACES
BETWEEN THESE MODULES SHALL BE DESCRIBED.
+ Interpretation
EXPLANATION OF HOW THE SPONSOR'S PHILOSOPHY OF PROTEC-
TION IS TRANSLATED INTO THE NTCB SHALL INCLUDE A DESCRIPTION
OF HOW THE NTCB IS PARTITIONED. THE SECURITY POLICY ALSO
SHALL BE STATED. THE DESCRIPTION OF THE INTERFACES BETWEEN
THE NTCB MODULES SHALL INCLUDE THE INTERFACE(S) BETWEEN NTCB
EXIST. THE SPONSOR SHALL DESCRIBE THE SECURITY ARCHITECTURE
AND DESIGN, INCLUDING THE ALLOCATION OF SECURITY REQUIRE-
MENTS AMONG COMPONENTS. APPENDIX A ADDRESSES COMPONENT
EVALUATION ISSUES.
+ Rationale
THE INTERPRETATION IS A STRAIGHTFORWARD EXTENSION OF
THE REQUIREMENT INTO THE CONTEXT OF A NETWORK SYSTEM AS
DEFINED FOR THIS NETWORK INTERPRETATION. OTHER DOCUMENTA-
TION, SUCH AS DESCRIPTION OF COMPONENTS AND DESCRIPTION OF
OPERATING ENVIRONMENT(S) IN WHICH THE NETWORKING SUBSYSTEM
OR NETWORK SYSTEM IS DESIGNED TO FUNCTION, IS REQUIRED ELSE-
WHERE, E.G., IN THE TRUSTED FACILITY MANUAL.
IN ORDER TO BE EVALUATED, A NETWORK MUST POSSESS A
COHERENT NETWORK SECURITY ARCHITECTURE AND DESIGN. (INTER-
CONNECTION OF COMPONENTS THAT DO NOT ADHERE TO SUCH A SINGLE
COHERENT NETWORK SECURITY ARCHITECTURE IS ADDRESSED IN THE
SECURITY ARCHITECTURE MUST ADDRESS THE SECURITY-RELEVANT
DESIGN SPECIFIES THE INTERFACES AND SERVICES THAT MUST BE
A TRUSTED ENTITY. THERE MAY BE MULTIPLE DESIGNS THAT CON-
FORM TO THE SAME ARCHITECTURE BUT ARE MORE OR LESS INCOMPA-
TIBLE AND NON-INTEROPERABLE (EXCEPT THROUGH THE INTERCONNEC-
TION RULES). SECURITY RELATED MECHANISMS REQUIRING COOPERA-
TION AMONG COMPONENTS ARE SPECIFIED IN THE DESIGN IN TERMS
OF THEIR VISIBLE INTERFACES; MECHANISMS HAVING NO VISIBLE
AS IMPLEMENTATION DECISIONS.
THE NETWORK SECURITY ARCHITECTURE AND DESIGN MUST BE
AVAILABLE FROM THE NETWORK SPONSOR BEFORE EVALUATION OF THE
NETWORK, OR ANY COMPONENT, CAN BE UNDERTAKEN. THE NETWORK
SECURITY ARCHITECTURE AND DESIGN MUST BE SUFFICIENTLY COM-
THE CONSTRUCTION OR ASSEMBLY OF A TRUSTED NETWORK BASED ON
THE STRUCTURE IT SPECIFIES.
WHEN A COMPONENT IS BEING DESIGNED OR PRESENTED FOR
EVALUATION, OR WHEN A NETWORK ASSEMBLED FROM COMPONENTS IS
ASSEMBLED OR PRESENTED FOR EVALUATION, THERE MUST BE A
DESIGN ARE SATISFIED. THAT IS, THE COMPONENTS CAN BE ASSEM-
BLED INTO A NETWORK THAT CONFORMS IN EVERY WAY WITH THE NET-
WORK SECURITY ARCHITECTURE AND DESIGN TO PRODUCE A PHYSICAL
REALIZATION THAT IS TRUSTED TO THE EXTENT THAT ITS EVALUA-
TION INDICATES.
IN ORDER FOR A TRUSTED NETWORK TO BE CONSTRUCTED FROM
COMPONENTS THAT CAN BE BUILT INDEPENDENTLY, THE NETWORK
SECURITY ARCHITECTURE AND DESIGN MUST COMPLETELY AND UNAMBI-
GUOUSLY DEFINE THE SECURITY FUNCTIONALITY OF COMPONENTS AS
WELL AS THE INTERFACES BETWEEN OR AMONG COMPONENTS. THE
NETWORK SECURITY ARCHITECTURE AND DESIGN MUST BE EVALUATED
TO DETERMINE THAT A NETWORK CONSTRUCTED TO ITS
SPECIFICATIONS WILL IN FACT BE TRUSTED, THAT IS, IT WILL BE
EVALUATABLE UNDER THESE INTERPRETATIONS.
2.2 CLASS (C2): CONTROLLED ACCESS PROTECTION
NETWORK SYSTEMS IN THIS CLASS ENFORCE A MORE
FINELY GRAINED DISCRETIONARY ACCESS CONTROL THAN
(C1) NETWORK SYSTEMS, MAKING USERS INDIVIDUALLY
ACCOUNTABLE FOR THEIR ACTIONS THROUGH LOGIN PRO-
CEDURES, AUDITING OF SECURITY-RELEVANT EVENTS, AND
RESOURCE ISOLATION. THE FOLLOWING ARE MINIMAL
REQUIREMENTS FOR SYSTEMS ASSIGNED A CLASS (C2)
RATING.
+ Statement from DoD 5200.28-STD
+ Interpretation
The network sponsor shall describe the overall network
ble to this class. The policy may require data secrecy, or
tionary policy for protecting the information being pro-
cessed based on the authorizations of INDIVIDUALS, users, or
unauthorized users or errors. Unauthorized users include
both those that are not authorized to use the network at all
(e.g., a user attempting to use a passive or active wire
tap) or a legitimate user of the network who is not
authorized to access a specific piece of information being
protected.
Note that "users" does not include "operators," "system
officers," and other system support personnel. They are
Manual and the System Architecture requirements. Such indi-
viduals may change the system parameters of the network
These individuals may also have the separate role of users.
SECRECY POLICY: The network sponsor shall define the
form of the discretionary secrecy policy that is
enforced in the network to prevent unauthorized
users from reading the sensitive information
entrusted to the network.
DATA INTEGRITY POLICY: The network sponsor shall
define the discretionary integrity policy to prevent
unauthorized users from modifying, viz., writing,
sensitive information. The definition of data
integrity presented by the network sponsor refers to
the requirement that the information has not been
subjected to unauthorized modification in the net-
work.
+ Rationale
The word "sponsor" is used in place of alternatives
(such as "vendor," "architect," "manufacturer," and
"developer") because the alternatives indicate people who
may not be available, involved, or relevant at the time that
a network system is proposed for evaluation.
A trusted network is able to control both the reading
and writing of shared sensitive information. Control of
tion. A network normally is expected to have policy require-
ments to protect both the secrecy and integrity of the
information entrusted to it. In a network the integrity is
frequently as important or more important than the secrecy
to be enforced by the network must be stated for each net-
the policy is faithfully enforced is reflected in the
evaluation class of the network.
This control over modification is typically used to
control the potential harm that would result if the informa-
tion were corrupted. The overall network policy require-
ments for integrity includes the protection for data both
transmitted in the network. The access control policy
enforced by the NTCB relates to the access of subjects to
objects within each component. Communications integrity
addressed within Part II relates to information while being
transmitted.
+ Statement from DoD 5200.28-STD
The TCB shall define and control access between named users
and named objects (e.g., files and programs) in the ADP sys-
tem. The enforcement mechanism (e.g., self/group/public
controls, access control lists) shall allow users to specify
and control sharing of those objects by named individuals or
CONTROLS TO LIMIT PROPAGATION OF ACCESS RIGHTS. THE DISCRE-
TIONARY ACCESS CONTROL MECHANISM SHALL, EITHER BY EXPLICIT
USER ACTION OR BY DEFAULT, PROVIDE THAT OBJECTS ARE PRO-
TECTED FROM UNAUTHORIZED ACCESS. THESE ACCESS CONTROLS
SHALL BE CAPABLE OF INCLUDING OR EXCLUDING ACCESS TO THE
GRANULARITY OF A SINGLE USER. ACCESS PERMISSION TO AN
OBJECT BY USERS NOT ALREADY POSSESSING ACCESS PERMISSION
SHALL ONLY BE ASSIGNED BY AUTHORIZED USERS.
+ Interpretation
The discretionary access control (DAC) mechanism(s) may
be distributed over the partitioned NTCB in various ways.
Some part, all, or none of the DAC may be implemented in a
no subjects acting as direct surrogates for users), such as
a public network packet switch, might not implement the DAC
mechanism(s) directly (e.g., they are unlikely to contain
access control lists).
Identification of users by groups may be achieved in
various ways in the networking environment. For example,
the network identifiers (e.g., internet addresses) for vari-
ous components (e.g., hosts, gateways) can be used as iden-
tifiers of groups of individual users (e.g., "all users at
Host A," "all users of network Q") SO LONG AS THE INDIVIDU-
ALS INVOLVED IN THE GROUP ARE IMPLIED BY THE GROUP IDENTIF-
FOR WHICH IT MAINTAINS A LIST OF EXPLICIT USERS IN THAT
GROUP, IN ITS NETWORK EXCHANGE WITH HOST B, WHICH ACCEPTS
THE GROUP-ID UNDER THE CONDITIONS OF THIS INTERPRETATION.
For networks, individual hosts will impose need-to-know
controls over their users ON THE BASIS OF NAMED INDIVIDUALS
- much like (in fact, probably the same) controls used when
there is no network connection.
When group identifiers are acceptable for access con-
trol, the identifier of some other host may be employed, to
eliminate the maintenance that would be required if indivi-
C2 AND HIGHER, HOWEVER, IT MUST BE POSSIBLE FROM THAT AUDIT
RECORD TO IDENTIFY (IMMEDIATELY OR AT SOME LATER TIME)
EXACTLY THE INDIVIDUALS REPRESENTED BY A GROUP IDENTIFIER AT
THE TIME OF THE USE OF THAT IDENTIFIER. THERE IS ALLOWED TO
BE AN UNCERTAINTY BECAUSE OF ELAPSED TIME BETWEEN CHANGES IN
THE GROUP MEMBERSHIP AND THE ENFORCEMENT IN THE ACCESS CON-
TROL MECHANISMS.
The DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
all the physical resources of the system and from them
creates the abstraction of subjects and objects that it con-
trols. Some of these subjects and objects may be used to
implement a part of the NTCB. WHEN THE DAC MECHANISM IS
DISTRIBUTED IN SUCH NTCB SUBJECTS (I.E., WHEN OUTSIDE THE
REFERENCE MONITOR), THE ASSURANCE REQUIREMENTS (SEE THE
ASSURANCE SECTION) FOR THE DESIGN AND IMPLEMENTATION OF THE
DAC SHALL BE THOSE OF CLASS C2 FOR ALL NETWORKS OF CLASS C2
OR ABOVE.
When integrity is included as part of the network dis-
cretionary security policy, the above interpretations shall
be specifically applied to the controls over modification,
viz., the write mode of access, within each component based
on identified users or groups of users.
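The host-derived group identifier and the C2 audit requirement above (a group identifier is acceptable only when the source host implies an explicit member list, and the audit record must let the individuals behind it be identified later) can be demonstrated with a toy NTCB partition. This is an added example, not text or code from NCSC-TG-005; the class and field names (HostPartition, AuditRecord, the ACL layout) are hypothetical and the scenario data is constructed.

```python
"""Added example (not from NCSC-TG-005): a toy NTCB partition that applies
DAC to a surrogate process whose user-id was forwarded from another host,
accepts a host-derived group identifier only when the source host
maintains an explicit member list for it, and records a membership
snapshot in the audit record so the individuals can be recovered later."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """One audit entry for a DAC decision (field names are hypothetical)."""
    seq: int
    requesting_host: str
    user_id: str
    group_id: str | None
    group_members: frozenset   # membership snapshot at the time of use
    obj: str
    mode: str
    success: bool


class HostPartition:
    """NTCB partition of one host; its objects and ACLs are local to it."""

    def __init__(self, name: str, local_users=()):
        self.name = name
        # Explicit list of individuals implied by "all users at <host>".
        self.local_users = set(local_users)
        self.acls: dict[str, dict[str, set[str]]] = {}  # obj -> principal -> modes
        self.audit: list[AuditRecord] = []

    def group_id(self) -> str:
        return f"all users at {self.name}"

    def grant(self, obj: str, principal: str, *modes: str) -> None:
        self.acls.setdefault(obj, {}).setdefault(principal, set()).update(modes)

    def check_access(self, user_id: str, source: HostPartition,
                     obj: str, mode: str) -> bool:
        """DAC decision for a surrogate process acting for user_id, who was
        authenticated at `source` and whose id was forwarded to this host."""
        principals = {user_id}
        group_id = None
        members: frozenset = frozenset()
        # The group identifier is usable only because `source` keeps an
        # explicit member list for it; the snapshot is retained for audit.
        if user_id in source.local_users:
            group_id = source.group_id()
            members = frozenset(source.local_users)
            principals.add(group_id)
        acl = self.acls.get(obj, {})
        allowed = any(mode in acl.get(p, set()) for p in principals)
        self.audit.append(AuditRecord(len(self.audit), source.name, user_id,
                                      group_id, members, obj, mode, allowed))
        return allowed

    def individuals_behind(self, seq: int) -> frozenset:
        """C2 audit requirement: exactly the individuals the group identifier
        stood for when it was used, even if membership changed afterwards."""
        return self.audit[seq].group_members


def demo() -> dict:
    """Constructed scenario: Host A forwards its users' ids to Host B."""
    host_a = HostPartition("Host A", ["alice", "bob"])
    host_b = HostPartition("Host B")
    host_b.grant("/payroll", "alice", "read", "write")
    host_b.grant("/payroll", host_a.group_id(), "read")

    results = {
        "bob_read": host_b.check_access("bob", host_a, "/payroll", "read"),
        "bob_write": host_b.check_access("bob", host_a, "/payroll", "write"),
        "alice_write": host_b.check_access("alice", host_a, "/payroll", "write"),
        # carol is not registered at Host A, so the group id does not apply.
        "carol_read": host_b.check_access("carol", host_a, "/payroll", "read"),
    }
    host_a.local_users.add("carol")  # membership changes after the fact
    results["behind_bob_read"] = host_b.individuals_behind(0)
    return results


if __name__ == "__main__":
    print(demo())
```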
+ Rationale
In this class, THE SUPPORTING ELEMENTS OF THE OVERALL
DAC MECHANISM ARE REQUIRED TO ISOLATE INFORMATION (OBJECTS)
THAT SUPPORTS DAC SO THAT IT IS SUBJECT TO AUDITING REQUIRE-
MENTS (SEE THE SYSTEM ARCHITECTURE SECTION). THE USE OF
NETWORK IDENTIFIERS TO IDENTIFY GROUPS OF INDIVIDUAL USERS
COULD BE IMPLEMENTED, FOR EXAMPLE, AS AN X.25 COMMUNITY OF
OTHER RESPECTS, the supporting elements of the overall DAC
mechanism are treated exactly as untrusted subjects are
treated with respect to DAC in an ADP system, with the same
A typical situation for DAC is that a surrogate process
for a remote user will be created in some host for access to
objects under the control of the NTCB partition within that
assigned and maintained for each such process by the NTCB,
tially the same discretionary controls as access by a pro-
cess acting on behalf of a local user would be. However,
tions of the assigned user identification is permitted.
The most obvious situation would exist if a global
able on demand to every host (i.e., a name server existed)
It is also acceptable, however, for some NTCB parti-
tions to maintain a database of locally-registered users for
its own use. In such a case, one could choose to inhibit
the creation of surrogate processes for locally unregistered
users, or (if permitted by the local policy) alternatively,
to permit the creation of surrogate processes with
identify the process as executing on behalf of a member of a
the words concerning audit in the interpretation is to pro-
vide a minimally acceptable degree of auditability for cases
be a capability, using the audit facilities provided by the
network NTCB partitions involved, to determine who was
logged in at the actual host of the group of remote users at
the time the surrogate processing occurred.
Associating the proper user id with a surrogate process
is the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id of
the surrogate process. The transmission of the data back
across the network to the user's host, and the creation of a
copy of the data there, is not the business of DAC.
Components that support only internal subjects impact
the implementation of the DAC by providing services by which
information (e.g., a user-id) is made available to a com-
file at Host B. The DAC decision might be (and usually
ted from Host A to Host B.
Unique user identification may be achieved by a variety
of mechanisms, including (a) a requirement for unique iden-
tification and authentication on the host where access takes
addresses authenticated by another host and forwarded to the
of a network-wide unique personnel identifier that could be
authenticated and forwarded by another host as in (b) above,
or could be authenticated and forwarded by a dedicated net-
cols which implement (b) or (c) are subject to the System
Architecture requirements.
Network support for DAC might be handled in other ways
than that described as "typical" above. In particular, some
form of centralized access control is often proposed. An
access control center may make all decisions for DAC, or it
may share the burden with the hosts by controlling host-to-
to their objects by users at a limited set of remote hosts.
between the connection oriented abstraction (as discussed in
the Introduction) and the overall network security policy
for DAC. In all cases the enforcement of the decision must
be provided by the host where the object resides.
+ Statement from DoD 5200.28-STD
ALL AUTHORIZATIONS TO THE INFORMATION CONTAINED WITHIN A
STORAGE OBJECT SHALL BE REVOKED PRIOR TO INITIAL ASSIGNMENT,
ALLOCATION OR REALLOCATION TO A SUBJECT FROM THE TCB'S POOL
OF UNUSED STORAGE OBJECTS. NO INFORMATION, INCLUDING
ENCRYPTED REPRESENTATIONS OF INFORMATION, PRODUCED BY A
THAT OBTAINS ACCESS TO AN OBJECT THAT HAS BEEN RELEASED BACK
TO THE SYSTEM.
+ Interpretation
THE NTCB SHALL ENSURE THAT ANY STORAGE OBJECTS THAT IT
CONTROLS (E.G., MESSAGE BUFFERS UNDER THE CONTROL OF A NTCB
SUBJECT IN THAT COMPONENT IS NOT AUTHORIZED BEFORE GRANTING
ACCESS. THIS REQUIREMENT MUST BE ENFORCED BY EACH OF THE
NTCB PARTITIONS.
+ Rationale
IN A NETWORK SYSTEM, STORAGE OBJECTS OF INTEREST ARE
THINGS THAT THE NTCB DIRECTLY CONTROLS, SUCH AS MESSAGE
BUFFERS IN COMPONENTS. EACH COMPONENT OF THE NETWORK SYSTEM
MUST ENFORCE THE OBJECT REUSE REQUIREMENT WITH RESPECT TO
THE STORAGE OBJECTS OF INTEREST AS DETERMINED BY THE NETWORK
SECURITY POLICY. FOR EXAMPLE, THE DAC REQUIREMENT IN THIS
DIVISION LEADS TO THE REQUIREMENT HERE THAT MESSAGE BUFFERS
BE UNDER THE CONTROL OF THE NTCB PARTITION. A BUFFER
ASSIGNED TO AN INTERNAL SUBJECT MAY BE REUSED AT THE DISCRE-
TION OF THAT SUBJECT WHICH IS RESPONSIBLE FOR PRESERVING THE
BE IMPLEMENTED IN PHYSICAL RESOURCES, SUCH AS BUFFERS, DISK
SECTORS, TAPE SPACE, AND MAIN MEMORY, IN COMPONENTS SUCH AS
NETWORK SWITCHES.
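The object reuse requirement for NTCB-controlled message buffers can be shown with a small buffer pool that revokes a buffer's previous contents before reassigning it, together with a residue check a test harness can run. This is an added example, not code from NCSC-TG-005; the pool class, subject names and the "unsafe" switch exist only to show what the check detects.

```python
"""Added example (not from NCSC-TG-005): a message-buffer pool for an NTCB
partition (e.g., in a switch) that clears a buffer before it is reassigned
to another subject, plus a residue check for the object reuse requirement."""


class MessageBufferPool:
    """Pool of fixed-size buffers handed out to (hypothetical) subjects."""

    def __init__(self, count: int, size: int, clear_on_reuse: bool = True):
        self.size = size
        # False is used below only to demonstrate the failure mode.
        self.clear_on_reuse = clear_on_reuse
        self._free = [bytearray(size) for _ in range(count)]
        self._owner: dict = {}  # id(buffer) -> subject that currently holds it

    def allocate(self, subject: str) -> bytearray:
        if not self._free:
            raise MemoryError("pool exhausted")
        buf = self._free.pop()
        if self.clear_on_reuse:
            buf[:] = bytes(self.size)  # revoke all prior information
        self._owner[id(buf)] = subject
        return buf

    def release(self, buf: bytearray, subject: str) -> None:
        # Only the holder may return a buffer to the NTCB's pool.
        if self._owner.get(id(buf)) != subject:
            raise PermissionError("release by a subject that does not hold it")
        del self._owner[id(buf)]
        self._free.append(buf)


def has_residue(buf: bytearray) -> bool:
    """True if any information from a previous holder is still readable."""
    return any(buf)


def demo(clear_on_reuse: bool) -> bool:
    """Constructed scenario: returns True if the second subject can read
    what the first subject left in the buffer (a reuse violation)."""
    pool = MessageBufferPool(count=1, size=64, clear_on_reuse=clear_on_reuse)
    first = pool.allocate("switch-process-1")
    first[:12] = b"SECRET DGRAM"           # constructed sample datagram
    pool.release(first, "switch-process-1")
    second = pool.allocate("switch-process-2")
    return has_residue(second)


if __name__ == "__main__":
    print("residue with clearing:", demo(True))
    print("residue without clearing:", demo(False))
```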
+ Statement from DoD 5200.28-STD
The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB
is expected to mediate. Furthermore, the TCB shall use a
user's identity. The TCB shall protect authentication data
TCB SHALL BE ABLE TO ENFORCE INDIVIDUAL ACCOUNTABILITY BY
DUAL ADP SYSTEM USER. THE TCB SHALL ALSO PROVIDE THE CAPA-
BILITY OF ASSOCIATING THIS IDENTITY WITH ALL AUDITABLE
ACTIONS TAKEN BY THAT INDIVIDUAL.
+ Interpretation
The requirement for identification and authentication
of users is the same for a network system as for an ADP sys-
tem. The identification and authentication may be done by
the component to which the user is directly connected or
tication server. Available techniques, such as those
applicable in the network context. However, in cases where
the NTCB is expected to mediate actions of a host (or other
network component) that is acting on behalf of a user or
authentication of the host (or other component) in lieu of
identification and authentication of an individual user, SO
LONG AS THE COMPONENT IDENTIFIER IMPLIES A LIST OF SPECIFIC
USERS UNIQUELY ASSOCIATED WITH THE IDENTIFIER AT THE TIME OF
TO INTERNAL SUBJECTS.
Authentication information, including the identity of a
user (once authenticated) may be passed from one component
to another without reauthentication, so long as the NTCB
thorized disclosure and modification. This protection shall
of mechanism) as pertains to the protection of the authenti-
cation mechanism and authentication data.
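Passing an authenticated identity from one NTCB partition to another without reauthentication, protected against modification by a cryptographic checksum as the System Architecture interpretation suggests, can be illustrated as follows. This is an added example, not code from NCSC-TG-005: it uses an HMAC as the checksum, assumes a shared key already distributed between the two partitions by physical or administrative means, and leaves disclosure protection of the link to whatever NSA-approved mechanism the network employs; the function names and freshness window are hypothetical.

```python
"""Added example (not from NCSC-TG-005): forwarding an authenticated user
identity between NTCB partitions with a keyed checksum (HMAC) so the
receiving partition can detect modification and staleness before binding
the identity to a surrogate process."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

MAX_AGE_SECONDS = 300  # hypothetical freshness window for a forwarded identity


def issue_assertion(key: bytes, user_id: str, source: str,
                    issued_at: int) -> Tuple[bytes, str]:
    """Source partition: canonical body plus keyed checksum over it."""
    body = json.dumps({"user_id": user_id, "source": source,
                       "issued_at": issued_at}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def accept_assertion(key: bytes, body: bytes, tag: str,
                     now: int) -> Optional[dict]:
    """Receiving partition: verify the checksum first, then freshness.
    Returns the identity to bind to the surrogate process, or None."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # modified in transit, or not from a keyed partition
    data = json.loads(body)
    if not 0 <= now - data["issued_at"] <= MAX_AGE_SECONDS:
        return None  # stale or future-dated assertion
    return {"user_id": data["user_id"], "source": data["source"]}


def demo() -> dict:
    """Constructed exchange between Host A and Host B."""
    key = b"constructed-shared-key-between-partitions"
    body, tag = issue_assertion(key, "alice", "Host A", issued_at=1000)
    # Constructed tampering: the forwarded user-id is altered in transit.
    tampered = body.replace(b'"alice"', b'"admin"')
    return {
        "valid": accept_assertion(key, body, tag, now=1010),
        "tampered": accept_assertion(key, tampered, tag, now=1010),
        "stale": accept_assertion(key, body, tag, now=5000),
        "wrong_key": accept_assertion(b"other-key", body, tag, now=1010),
    }


if __name__ == "__main__":
    print(demo())
```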
+ Rationale
The need for accountability is not changed in the con-
text of a network system. The fact that the NTCB is parti-
tioned over a set of components neither reduces the need nor
imposes new requirements. That is, individual
accountability is still the objective. ALSO, in the context of a net-
TABILITY" CAN BE SATISFIED BY IDENTIFICATION OF A HOST (OR
OTHER COMPONENT) SO LONG AS THE REQUIREMENT FOR TRACEABILITY
TO INDIVIDUAL USERS OR A SET OF SPECIFIC INDIVIDUAL USERS
WITH ACTIVE SUBJECTS IS SATISFIED. THERE IS ALLOWED TO BE AN
UNCERTAINTY IN TRACEABILITY BECAUSE OF ELAPSED TIME BETWEEN
CHANGES IN THE GROUP MEMBERSHIP AND THE ENFORCEMENT IN THE
ACCESS CONTROL MECHANISMS. In addition, there is no need in
a distributed processing system like a network to reauthen-
ticate a user at each point in the network where a projec-
tion of a user (via the subject operating on behalf of the
user) into another remote subject takes place.
_________________________
= Department of Defense Password Management Guideline,
CSC-STD-002-85
The passing of identifiers and/or authentication infor-
mation from one component to another is usually done in sup-
trol (DAC). This support relates directly to the DAC
ferent NTCB partition than the one where the user was
authenticated. Employing a forwarded identification implies
additional reliance on the source and components along the
+ Statement from DoD 5200.28-STD
THE TCB SHALL BE ABLE TO CREATE, MAINTAIN, AND PROTECT FROM
MODIFICATION OR UNAUTHORIZED ACCESS OR DESTRUCTION AN AUDIT
TRAIL OF ACCESSES TO THE OBJECTS IT PROTECTS. THE AUDIT
DATA SHALL BE PROTECTED BY THE TCB SO THAT READ ACCESS TO IT
TCB SHALL BE ABLE TO RECORD THE FOLLOWING TYPES OF EVENTS:
USE OF IDENTIFICATION AND AUTHENTICATION MECHANISMS, INTRO-
DUCTION OF OBJECTS INTO A USER'S ADDRESS SPACE (E.G., FILE
OPEN, PROGRAM INITIATION), DELETION OF OBJECTS, ACTIONS
TAKEN BY COMPUTER OPERATORS AND SYSTEM ADMINISTRATORS AND/OR
SYSTEM SECURITY OFFICERS, AND OTHER SECURITY RELEVANT
EVENTS. FOR EACH RECORDED EVENT, THE AUDIT RECORD SHALL
AND SUCCESS OR FAILURE OF THE EVENT. FOR
(E.G., TERMINAL ID) SHALL BE INCLUDED IN THE AUDIT RECORD.
FOR EVENTS THAT INTRODUCE AN OBJECT INTO A USER'S ADDRESS
SPACE AND FOR OBJECT DELETION EVENTS THE AUDIT RECORD SHALL
TOR SHALL BE ABLE TO SELECTIVELY AUDIT THE ACTIONS OF ANY
ONE OR MORE USERS BASED ON INDIVIDUAL IDENTITY.
+ Interpretation
THIS CRITERION APPLIES AS STATED. THE SPONSOR MUST
SELECT WHICH EVENTS ARE AUDITABLE. IF ANY SUCH EVENTS ARE
NOT DISTINGUISHABLE BY THE NTCB ALONE (FOR EXAMPLE THOSE
AUDIT RECORDS SHALL BE DISTINGUISHABLE FROM THOSE PROVIDED
BY THE NTCB. IN THE CONTEXT OF A NETWORK SYSTEM, "OTHER
SECURITY RELEVANT EVENTS" (DEPENDING ON NETWORK SYSTEM
ARCHITECTURE AND NETWORK SECURITY POLICY) MIGHT BE AS FOL-
LOWS:
LISHING A CONNECTION OR A CONNECTIONLESS ASSOCIATION
BETWEEN PROCESSES IN TWO HOSTS OF THE NETWORK) AND
ITS PRINCIPAL PARAMETERS (E.G., HOST IDENTIFIERS OF
THE TWO HOSTS INVOLVED IN THE ACCESS EVENT AND USER
IDENTIFIER OR HOST IDENTIFIER OF THE USER OR HOST
THAT IS REQUESTING THE ACCESS EVENT)
EACH ACCESS EVENT USING LOCAL TIME OR GLOBAL SYN-
CHRONIZED TIME
DITIONS (E.G., POTENTIAL VIOLATION OF DATA
INTEGRITY, SUCH AS MISROUTED DATAGRAMS) DETECTED
DURING THE TRANSACTIONS BETWEEN TWO HOSTS
COMPONENT LEAVING THE NETWORK AND REJOINING)
IN ADDITION, IDENTIFICATION INFORMATION SHOULD BE
TO ALLOW ASSOCIATION OF ALL RELATED (E.G., INVOLVING THE
SAME NETWORK EVENT) AUDIT TRAIL RECORDS (E.G., AT DIFFERENT
HOSTS) WITH EACH OTHER. FURTHERMORE, A COMPONENT OF THE
NETWORK SYSTEM MAY PROVIDE THE REQUIRED AUDIT CAPABILITY
(E.G., STORAGE, RETRIEVAL, REDUCTION, ANALYSIS) FOR OTHER
COMPONENTS THAT DO NOT INTERNALLY STORE AUDIT DATA BUT
TRANSMIT THE AUDIT DATA TO SOME DESIGNATED COLLECTION COM-
AUDIT DATA DUE TO UNAVAILABILITY OF RESOURCES.
IN THE CONTEXT OF A NETWORK SYSTEM, THE "USER'S ADDRESS
SPACE" IS EXTENDED, FOR OBJECT INTRODUCTION AND DELETION
EVENTS, TO INCLUDE ADDRESS SPACES BEING EMPLOYED ON BEHALF
OF A REMOTE USER (OR HOST). HOWEVER, THE FOCUS REMAINS ON
USERS IN CONTRAST TO INTERNAL SUBJECTS AS DISCUSSED IN THE
DAC CRITERION. IN ADDITION, AUDIT INFORMATION MUST BE
STORED IN MACHINE-READABLE FORM.
+ Rationale
FOR REMOTE USERS, THE NETWORK IDENTIFIERS (E.G., INTER-
NET ADDRESS) CAN BE USED AS IDENTIFIERS OF GROUPS OF INDIVI-
DUAL USERS (E.G., "ALL USERS AT HOST A") TO ELIMINATE THE
MAINTENANCE THAT WOULD BE REQUIRED IF INDIVIDUAL IDENTIFICA-
TION OF REMOTE USERS WAS EMPLOYED. IN THIS CLASS (C2), HOW-
EVER, IT MUST BE POSSIBLE TO IDENTIFY (IMMEDIATELY OR AT
SOME LATER TIME) THE INDIVIDUALS REPRESENTED BY A GROUP
STRAIGHTFORWARD EXTENSION OF THE CRITERION INTO THE CONTEXT
OF A NETWORK SYSTEM.
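The audit interpretation above asks for records that can be associated across hosts, for a designated collection component that holds audit data for components which do not store it, and for selective audit by individual identity. The following is an added illustration of those three points (it is not code from NCSC-TG-005); host names, user ids, timestamps and sequence numbers are constructed sample values, and the per-component sequence number used to detect lost audit data is an assumed design choice.

```python
"""Collection and reduction of a network audit trail (added example).
Record fields follow the C2 criterion: date/time, user, event type,
success/failure, origin, and object name where applicable, plus a
network event identifier that links records produced at different
hosts for the same network event."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AuditRecord:
    component: str                 # NTCB partition that produced the record
    seq: int                       # per-component sequence number (assumed)
    time: datetime                 # local or globally synchronized time
    user: str                      # user id, or host/group id for remote users
    event: str                     # e.g. "ident_auth", "connection_open"
    success: bool
    origin: str                    # e.g. terminal id or originating host
    object_name: Optional[str] = None
    network_event_id: Optional[str] = None   # associates related records


class CollectionComponent:
    """Designated collection component for partitions that transmit
    rather than store their audit data. Gaps in a source's sequence
    numbers reveal loss of audit data (e.g. records dropped for lack
    of resources)."""

    def __init__(self):
        self.records: list = []
        self._last_seq: dict = {}
        self.gaps: list = []       # (component, expected_seq, received_seq)

    def ingest(self, rec: AuditRecord) -> None:
        last = self._last_seq.get(rec.component)
        if last is not None and rec.seq != last + 1:
            self.gaps.append((rec.component, last + 1, rec.seq))
        self._last_seq[rec.component] = rec.seq
        self.records.append(rec)

    def related(self, network_event_id: str) -> list:
        """All records, from any host, belonging to one network event."""
        hits = [r for r in self.records if r.network_event_id == network_event_id]
        return sorted(hits, key=lambda r: r.time)

    def select_by_user(self, *users: str) -> list:
        """Selective audit of one or more users based on individual identity."""
        return [r for r in self.records if r.user in users]

    def failures(self) -> list:
        return [r for r in self.records if not r.success]


def _t(s: str) -> datetime:   # constructed UTC timestamps
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample trail: "jdoe" on HOSTA opens a connection to HOSTB and
# a file there; HOSTB later rejects a connection request from HOSTC.
SAMPLE = [
    AuditRecord("HOSTA", 1, _t("1987-07-31T09:00:00"), "jdoe", "ident_auth", True, "tty7"),
    AuditRecord("HOSTA", 2, _t("1987-07-31T09:00:05"), "jdoe", "connection_open", True,
                "tty7", "HOSTB", "net-0001"),
    AuditRecord("HOSTB", 1, _t("1987-07-31T09:00:06"), "jdoe", "connection_open", True,
                "HOSTA", None, "net-0001"),
    AuditRecord("HOSTB", 2, _t("1987-07-31T09:00:07"), "jdoe", "file_open", True,
                "HOSTA", "/payroll/q2", "net-0001"),
    # HOSTB record seq 3 never reaches the collector: the gap must be flagged.
    AuditRecord("HOSTB", 4, _t("1987-07-31T09:01:00"), "unknown@HOSTC", "connection_open",
                False, "HOSTC", None, "net-0002"),
]


def build_collector(records=SAMPLE) -> CollectionComponent:
    collector = CollectionComponent()
    for rec in records:
        collector.ingest(rec)
    return collector


if __name__ == "__main__":
    c = build_collector()
    for r in c.related("net-0001"):
        print(r.component, r.seq, r.event, r.object_name)
    print("lost audit data:", c.gaps)
    print("failures:", [(r.user, r.origin) for r in c.failures()])
```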
+ Statement from DoD 5200.28-STD
The TCB shall maintain a domain for its own execution that
by modification of its code or data structures). Resources
controlled by the TCB may be a defined subset of the sub-
THE RESOURCES TO BE PROTECTED SO THAT THEY ARE SUBJECT TO
THE ACCESS CONTROL AND AUDITING REQUIREMENTS.
+ Interpretation
The system architecture criterion must be met individu-
ally by all NTCB partitions. Implementation of the require-
ment that the NTCB maintain a domain for its own execution
is achieved by having each NTCB partition maintain a domain
for its own execution.
The subset of network resources over which the NTCB has
control are the union of the sets of resources over which
the NTCB partitions have control. Code and data structures
belonging to the NTCB, transferred among NTCB subjects
(i.e., subjects outside the reference monitor but inside the
NTCB) belonging to different NTCB partitions, must be pro-
tected against external interference or tampering. For
example, a cryptographic checksum or physical means may be
employed to protect user authentication data exchanged
between NTCB partitions.
EACH NTCB PARTITION PROVIDES ISOLATION OF RESOURCES
(WITHIN ITS COMPONENT) TO BE PROTECTED IN ACCORD WITH THE
NETWORK SYSTEM ARCHITECTURE AND SECURITY POLICY.
+ Rationale
The requirement for the protection of communications
between NTCB partitions is specifically directed to subjects
that are part of the NTCB partitions. Any requirements for
ISOLATION OF THE RESOURCES TO BE PROTECTED PROVIDES
ADDITIONAL PROTECTION, COMPARED TO CLASS (C1), THAT MECHAN-
TIFICATION) WILL OPERATE CORRECTLY.
+ Statement from DoD 5200.28-STD
Hardware and/or software features shall be provided that can
be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB.
+ Interpretation
Implementation of the requirement is partly achieved by
and firmware elements of each component's NTCB partition.
Features shall also be provided to validate the identity and
correct operation of a component prior to its incorporation
in the network system and throughout system operation. For
example, a protocol could be designed that enables the com-
cally and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability
to respond. NTCB partitions shall provide the capability to
Intercomponent protocols implemented within a NTCB
tion in the case of failures of network communications or
individual components. The allocation of discretionary
access control policy in a network may require communication
between trusted subjects that are part of the NTCB parti-
tions in different components. This communication is nor-
mally implemented with a protocol between the subjects as
not result from failure of an NTCB partition to communicate
+ Rationale
The first paragraph of the interpretation is a
text of a network system and partitioned NTCB as defined for
these network criteria.
NTCB protocols should be robust enough so that they
zed failure. The purpose of this protection is to preserve
the integrity of the NTCB itself. It is not unusual for one
or more components in a network to be inoperative at any
time, so it is important to minimize the effects of such
failures on the rest of the network. Additional integrity
and denial of service issues are addressed in Part II.
+ Statement from DoD 5200.28-STD
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation.
Testing shall be done to assure that there are no obvious
the security protection mechanisms of the TCB. TESTING SHALL
ALSO INCLUDE A SEARCH FOR OBVIOUS FLAWS THAT WOULD ALLOW
VIOLATION OF RESOURCE ISOLATION, OR THAT WOULD PERMIT UNAU-
THORIZED ACCESS TO THE AUDIT OR AUTHENTICATION DATA. (See
the Security Testing Guidelines.)
+ Interpretation
Testing of a component will require a testbed that
exercises the interfaces and protocols of the COMPONENT
of a security mechanism of the network system for meeting
this criterion shall be an integrated testing procedure
involving all components containing an NTCB partition that
implement the given mechanism. This integrated testing is
additional to any individual component tests involved in the
evaluation of the network system. The sponsor should iden-
tify the allowable set of configurations including the sizes
of the networks. Analysis or testing procedures and tools
tions. A change in configuration within the allowable set
of configurations does not require retesting.
+ Rationale
Testing is the primary method available in this evalua-
tion division to gain any assurance that the security
mechanisms perform their intended function.
+ Statement from DoD 5200.28-STD
A single summary, chapter, or manual in user documentation
TCB, interpretations on their use, and how they interact
+ Interpretation
This user documentation describes user visible protec-
tion mechanisms at the global (network system) level and at
the user interface of each component, and the interaction
among these.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system as defined for these
network criteria. Documentation of protection mechanisms
teria for trusted computer systems that are applied as
appropriate for the individual components.
+ Statement from DoD 5200.28-STD
A manual addressed to the ADP system administrator shall
be controlled when running a secure facility. THE PROCEDURES
FOR EXAMINING AND MAINTAINING THE AUDIT FILES AS WELL AS THE
DETAILED AUDIT RECORD STRUCTURE FOR EACH TYPE OF AUDIT EVENT
SHALL BE GIVEN.
+ Interpretation
This manual shall contain specifications and procedures
to assist the system administrator(s) maintain cognizance of
the network configuration. These specifications and pro-
cedures shall address the following:
network;
leave the network (e.g., by crashing, or by being
disconnected) and then rejoin;
security of the network system; (For example, the
manual should describe for the network system
administrator the interconnections among components
that are consistent with the overall network system
architecture.)
(e.g., down-line loading).
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
+ Rationale
There may be multiple system administrators with
other forms of security in order to achieve security of the
network. Additional forms include administrative security,
Extension of this criterion to cover configuration
aspects of the network is needed because, for example,
to achieve a correct realization of the network architec-
ture.
Cryptography is one common mechanism employed to pro-
tect communication circuits. Encryption transforms the
to unauthorized subjects. Reflecting this transformation,
the sensitivity of the ciphertext is generally lower than
the cleartext. If encryption methodologies are employed,
they shall be approved by the National Security Agency
(NSA).
The encryption algorithm and its implementation are
outside the scope of these interpretations. This algorithm
and implementation may be implemented in a separate device
or may be a function of a subject in a component not dedi-
cated to encryption. Without prejudice, either implementa-
tion packaging is referred to as an encryption mechanism
+ Statement from DoD 5200.28-STD
The system developer shall provide to the evaluators a docu-
ment that describes the test plan, test procedures that show
+ Interpretation
The "system developer" is interpreted as "the network
establish the context in which the testing was or should be
conducted. The description should identify any additional
test components that are not part of the system being
evaluated. This includes a description of the test-relevant
functions of such test components and a description of the
interfacing of those test components to the system being
evaluated. The description of the test plan should also
configuration and sizing.
+ Rationale
The entity being evaluated may be a networking subsys-
tem (see Appendix A) to which other components must be added
to make a complete network system. In that case, this
interpretation is extended to include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
+ Statement from DoD 5200.28-STD
Documentation shall be available that provides a description
of the manufacturer's philosophy of protection and an expla-
nation of how this philosophy is translated into the TCB. If
the TCB is composed of distinct modules, the interfaces
between these modules shall be described.
+ Interpretation
Explanation of how the sponsor's philosophy of protec-
tion is translated into the NTCB shall include a description
of how the NTCB is partitioned. The security policy also
the NTCB modules shall include the interface(s) between NTCB
exist. The sponsor shall describe the security architecture
and design, including the allocation of security require-
ments among components. Appendix A addresses component
evaluation issues.
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system as
tion, such as description of components and description of
operating environment(s) in which the networking subsystem
or network system is designed to function, is required else-
In order to be evaluated, a network must possess a
coherent Network Security Architecture and Design. (Inter-
connection of components that do not adhere to such a single
coherent Network Security Architecture is addressed in the
Security Architecture must address the security-relevant
Design specifies the interfaces and services that must be
incorporated into the network so that it can be evaluated as
a trusted entity. There may be multiple designs that con-
form to the same architecture but are more or less incompa-
tible and non-interoperable (except through the Interconnec-
tion Rules). Security related mechanisms requiring coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms having no visible
interfaces are not specified in this document but are left
as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components can be assem-
bled into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and unambi-
Network Security Architecture and Design must be evaluated
to determine that a network constructed to its specifica-
tions will in fact be trusted, that is, it will be evaluat-
able under these interpretations.
3.0 DIVISION B: MANDATORY PROTECTION
The notion of an NTCB that preserves the integrity of sensi-
tivity labels and uses them to enforce a set of mandatory
access control rules is a major requirement in this divi-
The network system sponsor also provides the security policy
model on which the NTCB is based and furnishes a specifica-
tion of the NTCB. Evidence must be provided to demonstrate
that the reference monitor concept has been implemented.
3.1 CLASS (B1): LABELED SECURITY PROTECTION
CLASS (B1) NETWORK SYSTEMS REQUIRE ALL THE
FEATURES REQUIRED FOR CLASS (C2). IN ADDITION, AN
INFORMAL STATEMENT OF THE SECURITY POLICY MODEL,
DATA LABELING, AND MANDATORY ACCESS CONTROL OVER
SUBJECTS AND STORAGE OBJECTS MUST BE PRESENT. THE
CAPABILITY MUST EXIST FOR ACCURATELY LABELING
EXPORTED INFORMATION. ANY FLAWS IDENTIFIED BY
TESTING MUST BE REMOVED. THE FOLLOWING ARE
MINIMAL REQUIREMENTS FOR NETWORK SYSTEMS ASSIGNED
A CLASS (B1) RATING:
+ Statement from DoD 5200.28-STD
+ Interpretation
The network sponsor shall describe the overall network
include a discretionary policy for protecting the informa-
tion being processed based on the authorizations of indivi-
cy statement shall describe the requirements on the network
to prevent or detect "reading or destroying" sensitive
information by unauthorized users or errors. THE MANDATORY
THAT IT SUPPORTS. FOR THE CLASS B1 OR ABOVE THE MANDATORY
SECRECY AND/OR INTEGRITY, WHERE APPLICABLE, AND LABELS ASSO-
CIATED WITH USERS TO REFLECT THEIR AUTHORIZATION TO ACCESS
SUCH INFORMATION. UNAUTHORIZED USERS INCLUDE BOTH THOSE
that are not authorized to use the network at all (e.g., a
user attempting to use a passive or active wire tap) or a
legitimate user of the network who is not authorized to
access a specific piece of information being protected.
Note that "users" does not include "operators," "system
officers," and other system support personnel. They are
Manual and the System Architecture requirements. Such indi-
viduals may change the system parameters of the network sys-
tem, for example, by defining membership of a group. These
individuals may also have the separate role of users.
SECRECY POLICY: The network sponsor shall define the
form of the discretionary AND MANDATORY secrecy
policy that is enforced in the network to prevent
unauthorized users from reading the sensitive infor-
mation entrusted to the network.
DATA INTEGRITY POLICY: The network sponsor shall
define the discretionary AND MANDATORY integrity
policy to prevent unauthorized users from modifying,
viz., writing, sensitive information. The defini-
tion of data integrity presented by the network
sponsor refers to the requirement that the informa-
tion has not been subjected to unauthorized modifi-
cation in the network. THE MANDATORY INTEGRITY POL-
ICY ENFORCED BY THE NTCB CANNOT, IN GENERAL, PREVENT
MODIFICATION WHILE INFORMATION IS BEING TRANSMITTED
BETWEEN COMPONENTS. HOWEVER, AN INTEGRITY SENSI-
TIVITY LABEL MAY REFLECT THE CONFIDENCE THAT THE
INFORMATION HAS NOT BEEN SUBJECTED TO TRANSMISSION
ERRORS BECAUSE OF THE PROTECTION AFFORDED DURING
TRANSMISSION. THIS REQUIREMENT IS DISTINCT FROM THE
REQUIREMENT FOR LABEL INTEGRITY.
+ Rationale
The word "sponsor" is used in place of alternatives
(such as "vendor," "architect," "manufacturer," and
"developer") because the alternatives indicate people who
may not be available, involved, or relevant at the time that
a network system is proposed for evaluation.
A trusted network is able to control both the reading
and writing of shared sensitive information. Control of
tion. A network normally is expected to have policy require-
ments to protect both the secrecy and integrity of the
information entrusted to it. In a network the integrity is
frequently as important or more important than the secrecy
to be enforced by the network must be stated for each net-
the policy is faithfully enforced is reflected in the
evaluation class of the network.
This control over modification is typically used to
control the potential harm that would result if the informa-
tion were corrupted. The overall network policy require-
ments for integrity includes the protection for data both
transmitted in the network. The access control policy
enforced by the NTCB relates to the access of subjects to
objects within each component. Communications integrity
addressed within Part II relates to information while being
transmitted.
THE MANDATORY INTEGRITY POLICY (AT CLASS B1 AND ABOVE)
AGE BETWEEN THE CONNECTION ORIENTED ABSTRACTION INTRODUCED
NETWORK. FOR EXAMPLE, IN A KEY DISTRIBUTION CENTER FOR
END-TO-END ENCRYPTION, A DISTINCT INTEGRITY CATEGORY MAY BE
ASSIGNED TO ISOLATE THE KEY GENERATION CODE AND DATA FROM
SAME COMPONENT, SUCH AS OPERATOR INTERFACES AND AUDIT.
THE MANDATORY INTEGRITY POLICY FOR SOME ARCHITECTURE
MAY DEFINE AN INTEGRITY SENSITIVITY LABEL THAT REFLECTS THE
SPECIFIC REQUIREMENTS FOR ENSURING THAT INFORMATION HAS NOT
BEEN SUBJECT TO RANDOM ERRORS IN EXCESS OF A STATED LIMIT
NOR TO UNAUTHORIZED MESSAGE STREAM MODIFICATION (MSM) -.
THE SPECIFIC METRIC ASSOCIATED WITH AN INTEGRITY SENSITIVITY
LABEL WILL GENERALLY REFLECT THE INTENDED APPLICATIONS OF
THE NETWORK.
+ Statement from DoD 5200.28-STD
The TCB shall define and control access between named users
and named objects (e.g., files and programs) in the ADP sys-
tem. The enforcement mechanism (e.g., self/group/public
controls, access control lists) shall allow users to specify
and control sharing of those objects by named individuals or
controls to limit propagation of access rights. The discre-
tionary access control mechanism shall, either by explicit
user action or by default, provide that objects are pro-
tected from unauthorized access. These access controls
object by users not already possessing access permission
_________________________
- See Voydock, Victor L. and Stephen T. Kent, "Secu-
+ Interpretation
The discretionary access control (DAC) mechanism(s) may
be distributed over the partitioned NTCB in various ways.
Some part, all, or none of the DAC may be implemented in a
no subjects acting as direct surrogates for users), such as
a public network packet switch, might not implement the DAC
mechanism(s) directly (e.g., they are unlikely to contain
access control lists).
Identification of users by groups may be achieved in
various ways in the networking environment. For example,
the network identifiers (e.g., internet addresses) for vari-
ous components (e.g., hosts, gateways) can be used as iden-
tifiers of groups of individual users (e.g., "all users at
Host A," "all users of network Q") so long as the individu-
als involved in the group are implied by the group identif-
er. For example, Host A might employ a particular group-id,
for which it maintains a list of explicit users in that
the group-id under the conditions of this interpretation.
For networks, individual hosts will impose need-to-know
controls over their users on the basis of named individuals
- much like (in fact, probably the same) controls used when
there is no network connection.
When group identifiers are acceptable for access con-
trol, the identifier of some other host may be employed, to
eliminate the maintenance that would be required if indivi-
C2 and higher, however, it must be possible from that audit
exactly the individuals represented by a group identifier at
the time of the use of that identifier. There is allowed to
be an uncertainty because of elapsed time between changes in
the group membership and the enforcement in the access con-
trol mechanisms.
The DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
all the physical resources of the system and from them
creates the abstraction of subjects and objects that it con-
trols. Some of these subjects and objects may be used to
implement a part of the NTCB. When the DAC mechanism is
Assurance section) for the design and implementation of the
DAC shall be those of class C2 for all networks of class C2
or above.
When integrity is included as part of the network dis-
cretionary security policy, the above interpretations shall
be specifically applied to the controls over modification,
viz., the write mode of access, within each component based
on identified users or groups of users.
+ Rationale
In this class, the supporting elements of the overall
DAC mechanism are required to isolate information (objects)
that supports DAC so that it is subject to auditing require-
ments (see the System Architecture section). The use of
network identifiers to identify groups of individual users
could be implemented, for example, as an X.25 community of
interest in the network protocol layer (layer 3). In all
other respects, the supporting elements of the overall DAC
mechanism are treated exactly as untrusted subjects are
treated with respect to DAC in an ADP system, with the same
A typical situation for DAC is that a surrogate process
for a remote user will be created in some host for access to
objects under the control of the NTCB partition within that
assigned and maintained for each such process by the NTCB,
tially the same discretionary controls as access by a pro-
cess acting on behalf of a local user would be. However,
tions of the assigned user identification is permitted.
The most obvious situation would exist if a global
able on demand to every host, (i.e., a name server existed)
It is also acceptable, however, for some NTCB parti-
tions to maintain a database of locally-registered users for
its own use. In such a case, one could choose to inhibit
the creation of surrogate processes for locally unregistered
users, or (if permitted by the local policy) alternatively,
to permit the creation of surrogate processes with
identify the process as executing on behalf of a member of a
the words concerning audit in the interpretation is to pro-
vide a minimally acceptable degree of auditability for cases
be a capability, using the audit facilities provided by the
network NTCB partitions involved, to determine who was
logged in at the actual host of the group of remote users at
the time the surrogate processing occurred.
Associating the proper user id with a surrogate process
is the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id of
the surrogate process. The transmission of the data back
across the network to the user's host, and the creation of a
copy of the data there, is not the business of DAC.
Components that support only internal subjects impact
the implementation of the DAC by providing services by which
information (e.g., a user-id) is made available to a com-
file at Host B. The DAC decision might be (and usually
ted from Host A to Host B.
Unique user identification may be achieved by a variety
of mechanisms, including (a) a requirement for unique iden-
tification and authentication on the host where access takes
addresses authenticated by another host and forwarded to the
of a network-wide unique personnel identifier that could be
authenticated and forwarded by another host as in (b) above,
or could be authenticated and forwarded by a dedicated net-
cols which implement (b) or (c) are subject to the System
Architecture requirements.
Network support for DAC might be handled in other ways
than that described as "typical" above. In particular, some
form of centralized access control is often proposed. An
access control center may make all decisions for DAC, or it
may share the burden with the hosts by controlling host-to-
to their objects by users at a limited set of remote hosts.
between the connection oriented abstraction (as discussed in
the Introduction) and the overall network security policy
for DAC. In all cases the enforcement of the decision must
be provided by the host where the object resides.
THERE ARE TWO FORMS OF DISTRIBUTION FOR THE DAC MECHAN-
THE NTCB PARTITION IN A COMPONENT. SINCE "THE ADP SYSTEM"
NETWORK COMPONENT IS RESPONSIBLE FOR ENFORCING SECURITY IN
THE MECHANISMS ALLOCATED TO IT TO ENSURE SECURE IMPLEMENTA-
TION OF THE NETWORK SECURITY POLICY. FOR TRADITIONAL HOST
SYSTEMS IT IS FREQUENTLY EASY TO ALSO ENFORCE THE DAC ALONG
WITH THE MAC WITHIN THE REFERENCE MONITOR, PER SE, ALTHOUGH
A FEW APPROACHES, SUCH AS VIRTUAL MACHINE MONITORS, SUPPORT
DAC OUTSIDE THIS INTERFACE.
IN CONTRAST TO THE UNIVERSALLY RIGID STRUCTURE OF MAN-
DATORY POLICIES (SEE THE MANDATORY ACCESS CONTROL SECTION),
DAC POLICIES TEND TO BE VERY NETWORK AND SYSTEM SPECIFIC,
WITH FEATURES THAT REFLECT THE NATURAL USE OF THE SYSTEM.
FOR NETWORKS IT IS COMMON THAT INDIVIDUAL HOSTS WILL IMPOSE
CONTROLS OVER THEIR LOCAL USERS ON THE BASIS OF NAMED
NETWORK CONNECTION. HOWEVER, IT IS DIFFICULT TO MANAGE IN A
CENTRALIZED MANNER ALL THE INDIVIDUALS USING A LARGE NET-
WORK. THEREFORE, USERS ON OTHER HOSTS ARE COMMONLY GROUPED
TOGETHER SO THAT THE CONTROLS REQUIRED BY THE NETWORK DAC
OTHER COMPONENTS. A GATEWAY IS AN EXAMPLE OF SUCH A COM-
THE ASSURANCE REQUIREMENTS ARE AT THE VERY HEART OF THE
CONCEPT OF A TRUSTED SYSTEM. IT IS THE ASSURANCE THAT
DETERMINES IF A SYSTEM OR NETWORK IS APPROPRIATE FOR A GIVEN
ENVIRONMENT, AS REFLECTED, FOR EXAMPLE, IN THE ENVIRONMENTS
GUIDELINE-. IN THE CASE OF MONOLITHIC SYSTEMS THAT HAVE DAC
MENTS FOR DAC ARE INSEPARABLE FROM THOSE OF THE REST OF THE
REFERENCE MONITOR. FOR NETWORKS THERE IS TYPICALLY A MUCH
CLEARER DISTINCTION DUE TO DISTRIBUTED DAC. THE RATIONALE
FOR MAKING THE DISTINCTION IN THIS NETWORK INTERPRETATION IS
THAT IF MAJOR TRUSTED NETWORK COMPONENTS CAN BE MADE SIGNI-
FICANTLY EASIER TO DESIGN AND IMPLEMENT WITHOUT REDUCING THE
ABILITY TO MEET SECURITY POLICY, THEN TRUSTED NETWORKS WILL
BE MORE EASILY AVAILABLE.
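The DAC interpretation and rationale above allow a host identifier to stand for a group of individual users ("all users at Host A"), require that the enforcing host apply its own controls to the surrogate process, and require that the audit facilities be able to determine who was logged in at that host when the surrogate processing occurred, within an allowed uncertainty window. The following is an added illustration of that arrangement (not code from NCSC-TG-005); the ACL, login records, host names and the two-minute uncertainty window are constructed sample values.

```python
"""Host identifiers as DAC group identifiers, with traceability to the
individuals they imply (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


def _t(s: str) -> datetime:   # constructed UTC timestamps
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class LoginRecord:
    """Kept by Host A's NTCB partition (its own audit trail)."""
    user: str
    login: datetime
    logout: Optional[datetime]    # None = still logged in


class HostGroupDirectory:
    """Resolves a host (group) identifier to the individuals it implied at
    a given time, from the login records of that host's NTCB partition."""

    def __init__(self, logins: Dict[str, List[LoginRecord]], uncertainty: timedelta):
        self.logins = logins
        # Allowed lag between a membership change and its enforcement.
        self.uncertainty = uncertainty

    def members_at(self, host: str, when: datetime) -> Set[str]:
        """Users logged in at `host` anywhere in [when - uncertainty, when]."""
        lo = when - self.uncertainty
        still_on = datetime.max.replace(tzinfo=timezone.utc)
        out = set()
        for rec in self.logins.get(host, []):
            ended = rec.logout if rec.logout is not None else still_on
            if rec.login <= when and ended >= lo:
                out.add(rec.user)
        return out


@dataclass(frozen=True)
class Surrogate:
    """Process on the enforcing host acting for a remote user. `user` is a
    verified individual id forwarded from the originating host, or None
    when only the originating host (group) identifier is known."""
    user: Optional[str]
    origin_host: str


def dac_permits(acl: Dict[str, Dict[str, Set[str]]], obj: str,
                proc: Surrogate, mode: str) -> bool:
    """Enforcement by the host where the object resides. An ACL entry may
    name an individual or a host group identifier such as "HOSTA"."""
    entry = acl.get(obj, {})
    if proc.user is not None and mode in entry.get(proc.user, set()):
        return True
    return mode in entry.get(proc.origin_host, set())


# Constructed sample data
ACL = {
    "/payroll/q2": {"jdoe": {"r", "w"}, "HOSTA": {"r"}},   # any user at Host A may read
    "/payroll/raw": {"jdoe": {"r", "w"}},                  # named individual only
}
LOGINS = {
    "HOSTA": [
        LoginRecord("jdoe", _t("1987-07-31T08:00:00"), None),
        LoginRecord("asmith", _t("1987-07-31T08:30:00"), _t("1987-07-31T08:59:00")),
        LoginRecord("rlee", _t("1987-07-31T09:30:00"), None),
    ]
}
DIRECTORY = HostGroupDirectory(LOGINS, uncertainty=timedelta(minutes=2))


def who_could_it_be(host: str, when: datetime) -> List[str]:
    """Audit-time question: which individuals did group id `host` represent
    at `when`? asmith logged out one minute before 09:00 but is still
    listed at 09:00 because of the two-minute uncertainty window."""
    return sorted(DIRECTORY.members_at(host, when))


if __name__ == "__main__":
    anon = Surrogate(None, "HOSTA")
    print(dac_permits(ACL, "/payroll/q2", anon, "r"))    # group entry suffices
    print(dac_permits(ACL, "/payroll/q2", anon, "w"))    # write needs a named user
    print(who_could_it_be("HOSTA", _t("1987-07-31T09:00:00")))
```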
+ Statement from DoD 5200.28-STD
All authorizations to the information contained within a
allocation or reallocation to a subject from the TCB's pool
of unused storage objects. No information, including
encrypted representations of information, produced by a
that obtains access to an object that has been released back
to the system.
+ Interpretation
The NTCB shall ensure that any storage objects that it
controls (e.g., message buffers under the control of a NTCB
access. This requirement must be enforced by each of the
NTCB partitions.
_________________________
- Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments, CSC-STD-003-85.
+ Rationale
In a network system, storage objects of interest are
things that the NTCB directly controls, such as message
buffers in components. Each component of the network system
must enforce the object reuse requirement with respect to
the storage objects of interest as determined by the network
be under the control of the NTCB partition. A buffer
assigned to an internal subject may be reused at the discre-
tion of that subject which is responsible for preserving the
integrity of message streams. Such controlled objects may
be implemented in physical resources, such as buffers, disk
network switches.
+ Statement from DoD 5200.28-STD
SENSITIVITY LABELS ASSOCIATED WITH EACH SUBJECT AND STORAGE
OBJECT UNDER ITS CONTROL (E.G., PROCESS, FILE, SEGMENT, DEV-
USED AS THE BASIS FOR MANDATORY ACCESS CONTROL DECISIONS.
AND RECEIVE FROM AN AUTHORIZED USER THE SENSITIVITY LEVEL OF
THE DATA, AND ALL SUCH ACTIONS SHALL BE AUDITABLE BY THE
TCB.
+ Interpretation
NON-LABELED DATA IMPORTED UNDER THE CONTROL OF THE NTCB
SINGLE-LEVEL DEVICE USED TO IMPORT IT. LABELS MAY INCLUDE
SECRECY AND INTEGRITY- COMPONENTS IN ACCORDANCE WITH THE
OVERALL NETWORK SECURITY POLICY DESCRIBED BY THE NETWORK
SPONSOR. WHENEVER THE TERM "LABEL" IS USED THROUGHOUT THIS
AS APPLICABLE. SIMILARLY, THE TERMS "SINGLE-LEVEL" AND
"MULTILEVEL" ARE UNDERSTOOD TO BE BASED ON BOTH THE SECRECY
AND INTEGRITY COMPONENTS OF THE POLICY. THE MANDATORY
THE PROBABILITY OF UNDETECTED MESSAGE STREAM MODIFICATION,
THAT WILL BE REFLECTED IN THE LABEL FOR THE DATA SO PRO-
TECTED. FOR EXAMPLE, WHEN DATA IS IMPORTED ITS INTEGRITY
LABEL MAY BE ASSIGNED BASED ON MECHANISMS, SUCH AS CRYPTOG-
RAPHY, USED TO PROVIDE THE ASSURANCE REQUIRED BY THE POLICY.
THE NTCB SHALL ASSURE THAT SUCH MECHANISM ARE PROTECTED FROM
TAMPERING AND ARE ALWAYS INVOKED WHEN THEY ARE THE BASIS FOR
A LABEL.
_________________________
- See, for example, Biba, K.J., "Integrity Consideration for Secure Computer Systems," ESD-TR-76-372, MTR-
+ Rationale
THE INTERPRETATION IS AN EXTENSION OF THE REQUIREMENT
DEFINED FOR THESE NETWORK INTERPRETATIONS. A SINGLE-LEVEL
DEVICE MAY BE REGARDED EITHER AS A SUBJECT OR AN OBJECT. A
MULTILEVEL DEVICE IS REGARDED AS A TRUSTED SUBJECT IN WHICH
THE SECURITY RANGE OF THE SUBJECT IS THE MINIMUM-MAXIMUM
RANGE OF THE DATA EXPECTED TO BE TRANSMITTED OVER THE DEV-
THE SENSITIVITY LABELS FOR EITHER SECRECY OR INTEGRITY
OR BOTH MAY REFLECT NON-HIERARCHICAL CATEGORIES OR HIERARCH-
+ Statement from DoD 5200.28-STD
SENSITIVITY LABELS SHALL ACCURATELY REPRESENT SENSITIVITY
LEVELS OF THE SPECIFIC SUBJECTS OR OBJECTS WITH WHICH THEY
ARE ASSOCIATED. WHEN EXPORTED BY THE TCB, SENSITIVITY
LABELS SHALL ACCURATELY AND UNAMBIGUOUSLY REPRESENT THE
BEING EXPORTED.
+ Interpretation
THE PHRASE "EXPORTED BY THE TCB" IS UNDERSTOOD TO
COMPONENT TO AN OBJECT IN ANOTHER COMPONENT. INFORMATION TRANSFERRED BETWEEN NTCB PARTITIONS IS ADDRESSED IN THE SYSTEM INTEGRITY SECTION. THE FORM OF INTERNAL AND EXTERNAL (EXPORTED) SENSITIVITY LABELS MAY DIFFER, BUT THE MEANING SHALL BE THE SAME. THE NTCB SHALL, IN ADDITION, ENSURE THAT CORRECT ASSOCIATION OF SENSITIVITY LABELS WITH THE INFORMATION BEING TRANSPORTED ACROSS THE NETWORK IS PRESERVED.
AS MENTIONED IN THE TRUSTED FACILITY MANUAL SECTION, ENCRYPTION TRANSFORMS THE REPRESENTATION OF INFORMATION SO THAT IT IS UNINTELLIGIBLE TO UNAUTHORIZED SUBJECTS. REFLECTING THIS TRANSFORMATION, THE SENSITIVITY LEVEL OF THE CIPHERTEXT IS GENERALLY LOWER THAN THE CLEARTEXT. IT FOLLOWS THAT CLEARTEXT AND CIPHERTEXT ARE CONTAINED IN DIFFERENT OBJECTS, EACH POSSESSING ITS OWN LABEL. THE LABEL OF THE CLEARTEXT MUST BE PRESERVED AND ASSOCIATED WITH THE CIPHERTEXT SO THAT IT CAN BE RESTORED WHEN THE CLEARTEXT IS SUBSEQUENTLY OBTAINED BY DECRYPTING THE CIPHERTEXT. IF THE CLEARTEXT IS ASSOCIATED WITH A SINGLE-LEVEL DEVICE, THE LABEL OF THAT CLEARTEXT MAY BE IMPLICIT. THE LABEL MAY ALSO BE IMPLICIT IN THE KEY.
WHEN INFORMATION IS EXPORTED TO AN ENVIRONMENT WHERE IT
SHALL SUPPORT THE MEANS, SUCH AS CRYPTOGRAPHIC CHECKSUMS, TO ASSURE THE ACCURACY OF THE LABELS. WHEN THERE IS A MANDATORY INTEGRITY POLICY, THE POLICY WILL DEFINE THE MEANING OF
+ Rationale
ENCRYPTION ALGORITHMS AND THEIR IMPLEMENTATION ARE OUTSIDE THE SCOPE OF THESE INTERPRETATIONS. SUCH ALGORITHMS MAY BE IMPLEMENTED IN A SEPARATE DEVICE OR MAY BE INCOR-
DICE, EITHER IMPLEMENTATION PACKAGING IS REFERRED TO AS AN ENCRYPTION MECHANISM HEREIN. IF ENCRYPTION METHODOLOGIES ARE EMPLOYED IN THIS REGARD, THEY SHALL BE APPROVED BY THE NATIONAL SECURITY AGENCY (NSA). THE ENCRYPTION PROCESS IS
COMPONENTS IN WHICH IT IS IMPLEMENTED.
THE ENCRYPTION MECHANISM IS NOT NECESSARILY A MULTILEVEL DEVICE OR MULTILEVEL SUBJECT, AS THESE TERMS ARE USED IN THESE CRITERIA. THE PROCESS OF ENCRYPTION IS MULTILEVEL BY DEFINITION. THE CLEARTEXT AND CIPHERTEXT INTERFACES CARRY INFORMATION OF DIFFERENT SENSITIVITY. AN ENCRYPTION MECHANISM DOES NOT PROCESS DATA IN THE SENSE OF
WITH THE INTENT OF PRODUCING NEW DATA. THE CLEARTEXT AND CIPHERTEXT INTERFACES ON THE ENCRYPTION MECHANISM MUST BE SEPARATELY IDENTIFIED AS BEING SINGLE-LEVEL OR MULTILEVEL.
THE DATA IS ESTABLISHED BY A TRUSTED INDIVIDUAL AND IMPLICITLY ASSOCIATED WITH THE INTERFACE; THE EXPORTATION TO SINGLE-LEVEL DEVICES CRITERION APPLIES.
IF THE INTERFACE IS MULTILEVEL, THEN THE DATA MUST BE LABELED; THE EXPORTATION TO MULTILEVEL DEVICES CRITERION APPLIES. THE NETWORK ARCHITECT IS FREE TO SELECT AN ACCEPTABLE MECHANISM FOR ASSOCIATING A LABEL WITH AN OBJECT. WITH REFERENCE TO ENCRYPTED OBJECTS, THE FOLLOWING EXAMPLES ARE
THE OBJECT.
THROUGH THE ENCRYPTION KEY. THAT IS, THE ENCRYPTION KEY UNIQUELY IDENTIFIES A SENSITIVITY LEVEL. A SINGLE OR PRIVATE KEY MUST BE PROTECTED AT THE LEVEL OF THE DATA THAT IT ENCRYPTS.
+ Statement from DoD 5200.28-STD
THE TCB SHALL DESIGNATE EACH COMMUNICATION CHANNEL AND I/O DEVICE AS EITHER SINGLE-LEVEL OR MULTILEVEL. ANY CHANGE IN THIS DESIGNATION SHALL BE DONE MANUALLY AND SHALL BE AUDITABLE BY THE TCB. THE TCB SHALL MAINTAIN AND BE ABLE TO AUDIT ANY CHANGE IN THE SENSITIVITY LEVEL OR LEVELS ASSOCIATED WITH A COMMUNICATIONS CHANNEL OR I/O DEVICE.
+ Interpretation
EACH COMMUNICATION CHANNEL AND NETWORK COMPONENT SHALL BE DESIGNATED AS EITHER SINGLE-LEVEL OR MULTILEVEL. ANY CHANGE IN THIS DESIGNATION SHALL BE DONE WITH THE COGNIZANCE AND APPROVAL OF THE ADMINISTRATOR OR SECURITY OFFICER IN CHARGE OF THE AFFECTED COMPONENTS AND THE ADMINISTRATOR OR SECURITY OFFICER IN CHARGE OF THE NTCB. THIS CHANGE SHALL BE AUDITABLE BY THE NETWORK. THE NTCB SHALL MAINTAIN AND BE ABLE TO AUDIT ANY CHANGE IN THE CURRENT SENSITIVITY LEVEL ASSOCIATED WITH THE DEVICE CONNECTED TO A SINGLE-LEVEL COMMUNICATION CHANNEL OR THE RANGE ASSOCIATED WITH A MULTILEVEL COMMUNICATION CHANNEL OR COMPONENT. THE NTCB SHALL ALSO BE ABLE TO AUDIT ANY CHANGE IN THE SET OF SENSITIVITY LEVELS ASSOCIATED WITH THE INFORMATION WHICH CAN BE TRANSMITTED OVER A MULTILEVEL COMMUNICATION CHANNEL OR COMPONENT.
+ Rationale
COMMUNICATION CHANNELS AND COMPONENTS IN A NETWORK ARE ANALOGOUS TO COMMUNICATION CHANNELS AND I/O DEVICES IN STAND-ALONE SYSTEMS. THEY MUST BE DESIGNATED AS EITHER MULTILEVEL (I.E., ABLE TO DISTINGUISH AND MAINTAIN SEPARATION AMONG INFORMATION OF VARIOUS SENSITIVITY LEVELS) OR SINGLE-LEVEL. AS IN THE TCSEC, SINGLE-LEVEL DEVICES MAY ONLY BE ATTACHED TO SINGLE-LEVEL CHANNELS.
THE LEVEL OR SET OF LEVELS OF INFORMATION THAT CAN BE SENT TO A COMPONENT OR OVER A COMMUNICATION CHANNEL SHALL ONLY CHANGE WITH THE KNOWLEDGE AND APPROVAL OF THE SECURITY OFFICERS (OR SYSTEM ADMINISTRATOR, IF THERE IS NO SECURITY OFFICER) OF THE NETWORK, AND OF THE AFFECTED COMPONENTS. THIS REQUIREMENT ENSURES THAT NO SIGNIFICANT SECURITY-RELEVANT CHANGES ARE MADE WITHOUT THE APPROVAL OF ALL AFFECTED PARTIES.
+ Statement from DoD 5200.28-STD
WHEN THE TCB EXPORTS AN OBJECT TO A MULTILEVEL I/O DEVICE, THE SENSITIVITY LABEL ASSOCIATED WITH THAT OBJECT SHALL ALSO BE EXPORTED AND SHALL RESIDE ON THE SAME PHYSICAL MEDIUM AS THE EXPORTED INFORMATION AND SHALL BE IN THE SAME FORM (I.E., MACHINE-READABLE OR HUMAN-READABLE FORM). WHEN THE TCB EXPORTS OR IMPORTS AN OBJECT OVER A MULTILEVEL COMMUNICATIONS CHANNEL, THE PROTOCOL USED ON THAT CHANNEL SHALL
LABELS AND THE ASSOCIATED INFORMATION THAT IS SENT OR RECEIVED.
+ Interpretation
THE COMPONENTS, INCLUDING HOSTS, OF A NETWORK SHALL BE
MULTIPLE SINGLE-LEVEL COMMUNICATION CHANNELS, OR BOTH, WHENEVER THE INFORMATION IS TO BE PROTECTED AT MORE THAN A SINGLE SENSITIVITY LEVEL. THE PROTOCOL FOR ASSOCIATING THE SENSITIVITY LABEL AND THE EXPORTED INFORMATION SHALL PROVIDE THE ONLY INFORMATION NEEDED TO CORRECTLY ASSOCIATE A SENSITIVITY LEVEL WITH THE EXPORTED INFORMATION TRANSFERRED OVER THE MULTILEVEL CHANNEL BETWEEN THE NTCB PARTITIONS IN INDIVIDUAL COMPONENTS. THIS PROTOCOL DEFINITION MUST SPECIFY THE REPRESENTATION AND SEMANTICS OF THE SENSITIVITY LABELS (I.E., THE MACHINE-READABLE LABEL MUST UNIQUELY REPRESENT THE SENSITIVITY LEVEL).
THE "UNAMBIGUOUS" ASSOCIATION OF THE SENSITIVITY LEVEL WITH THE COMMUNICATED INFORMATION SHALL MEET THE SAME LEVEL OF ACCURACY AS THAT REQUIRED FOR ANY OTHER LABEL WITHIN THE NTCB, AS SPECIFIED IN THE CRITERION FOR LABEL INTEGRITY. THIS MAY BE PROVIDED BY PROTECTED AND HIGHLY RELIABLE DIRECT LINK PROTECTION IN WHICH ANY ERRORS DURING TRANSMISSION CAN BE READILY DETECTED, OR BY USE OF A SEPARATE CHANNEL.
+ Rationale
THIS PROTOCOL MUST SPECIFY THE REPRESENTATION AND SEMANTICS OF THE SENSITIVITY LABELS. SEE THE MANDATORY ACCESS CONTROL POLICIES SECTION IN APPENDIX B. THE MULTILEVEL DEVICE INTERFACE TO (UNTRUSTED) SUBJECTS MAY BE
TOR, PER SE, OR BY A MULTILEVEL SUBJECT (E.G., A "TRUSTED SUBJECT" AS DEFINED IN THE BELL-LAPADULA MODEL) THAT PROVIDES THE LABELS BASED ON THE INTERNAL LABELS OF THE NTCB
THE CURRENT STATE OF THE ART LIMITS THE SUPPORT FOR MANDATORY POLICY THAT IS PRACTICAL FOR SECURE NETWORKS. REFERENCE MONITOR SUPPORT TO ENSURE THE CONTROL OVER ALL THE OPERATIONS OF EACH SUBJECT IN THE NETWORK MUST BE COMPLETELY
JECT INTERFACES TO THE NTCB. THIS MEANS THAT THE ENTIRE
THIS SUBJECT MUST BE CONTAINED IN THE SAME COMPONENT.
THE SECURE STATE OF AN NTCB PARTITION MAY BE AFFECTED BY EVENTS EXTERNAL TO THE COMPONENT IN WHICH THE NTCB PARTITION RESIDES (E.G., ARRIVAL OF A MESSAGE). THE EFFECT OCCURS ASYNCHRONOUSLY AFTER BEING INITIATED BY AN EVENT IN ANOTHER COMPONENT OR PARTITION. FOR EXAMPLE, INDETERMINATE DELAYS MAY OCCUR BETWEEN THE INITIATION OF A MESSAGE IN ONE COMPONENT, THE ARRIVAL OF THE MESSAGE IN THE NTCB PARTITION
SECURE STATE OF THE SECOND COMPONENT. SINCE EACH COMPONENT
SOME SORT OF NETWORK-WIDE CONTROL TO SYNCHRONIZE STATE TRANSITIONS, SUCH AS A GLOBAL NETWORK-WIDE CLOCK FOR ALL PROCESSORS; IN GENERAL, SUCH DESIGNS ARE NOT PRACTICAL AND PROBABLY NOT EVEN DESIRABLE. THEREFORE, THE INTERACTION BETWEEN NTCB PARTITIONS IS RESTRICTED TO JUST COMMUNICATIONS BETWEEN
THE DEVICE(S) CAN SEND/RECEIVE DATA OF MORE THAN A SINGLE LEVEL. FOR BROADCAST CHANNELS THE PAIRS ARE THE SENDER AND
CARRIES MULTIPLE LEVELS OF INFORMATION, ADDITIONAL MECHANISM (E.G., CRYPTOCHECKSUM MAINTAINED BY THE TCB) MAY BE REQUIRED TO ENFORCE SEPARATION AND PROPER DELIVERY.
A COMMON REPRESENTATION FOR SENSITIVITY LABELS IS NEEDED IN THE PROTOCOL USED ON THAT CHANNEL AND UNDERSTOOD BY BOTH THE SENDER AND RECEIVER WHEN TWO MULTILEVEL DEVICES (IN THIS CASE, IN TWO DIFFERENT COMPONENTS) ARE INTERCONNECTED. EACH DISTINCT SENSITIVITY LEVEL OF THE OVERALL NETWORK POLICY MUST BE REPRESENTED UNIQUELY IN THESE LABELS.
WITHIN A MONOLITHIC TCB, THE ACCURACY OF THE SENSITIVITY LABELS IS GENERALLY ASSURED BY SIMPLE TECHNIQUES, E.G., VERY RELIABLE CONNECTIONS OVER VERY SHORT PHYSICAL CONNECTIONS, SUCH AS ON A SINGLE PRINTED CIRCUIT BOARD OR OVER AN INTERNAL BUS. IN MANY NETWORK ENVIRONMENTS THERE IS A MUCH HIGHER PROBABILITY OF ACCIDENTALLY OR MALICIOUSLY
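The label-integrity interpretation above calls for means such as cryptographic checksums to assure the accuracy of exported labels, the multilevel-device interpretation requires a machine-readable label that uniquely represents a sensitivity level, and this rationale names a cryptochecksum maintained by the TCB as the mechanism for a channel that carries multiple levels. The following is an added illustration of those three points together, not code from the TNI or from any evaluated product: a constructed fixed-width label encoding, a datagram that carries label, data and an HMAC-SHA256 over both, and a receiving partition that refuses to use the label until the checksum verifies. The level names, category bits, key and sample datagram are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import FrozenSet, Iterable, Optional, Tuple

# Constructed canonical encoding: one code per hierarchical level and one bit
# per non-hierarchical category, so a machine-readable label uniquely
# represents a sensitivity level of the (constructed) network policy.
LEVEL_CODES = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
CODE_LEVELS = {v: k for k, v in LEVEL_CODES.items()}
CATEGORY_BITS = {"NATO": 0x01, "CRYPTO": 0x02, "NOFORN": 0x04}
LABEL_LEN = struct.calcsize("!BH")        # 1-byte level code + 2-byte category mask
MAC_LEN = hashlib.sha256().digest_size    # length of the cryptographic checksum


def encode_label(level: str, categories: Iterable[str]) -> bytes:
    """Fixed-width label.  Categories form a bitmask, so any ordering of the
    same category names yields the same encoding."""
    mask = 0
    for cat in categories:
        mask |= CATEGORY_BITS[cat]
    return struct.pack("!BH", LEVEL_CODES[level], mask)


def decode_label(raw: bytes) -> Tuple[str, FrozenSet[str]]:
    """Inverse of encode_label; rejects codes the policy does not define."""
    code, mask = struct.unpack("!BH", raw)
    if code not in CODE_LEVELS or mask & ~sum(CATEGORY_BITS.values()):
        raise ValueError("label does not name a level of the network policy")
    cats = frozenset(name for name, bit in CATEGORY_BITS.items() if mask & bit)
    return CODE_LEVELS[code], cats


def export_datagram(key: bytes, level: str, categories: Iterable[str], payload: bytes) -> bytes:
    """Sending NTCB partition: label || payload || HMAC-SHA256(key, label || payload).
    The checksum binds the label to the payload, so neither can be altered in
    transit without the receiving partition detecting it."""
    label = encode_label(level, categories)
    tag = hmac.new(key, label + payload, hashlib.sha256).digest()
    return label + payload + tag


def import_datagram(key: bytes, datagram: bytes) -> Optional[Tuple[str, FrozenSet[str], bytes]]:
    """Receiving NTCB partition: verify the checksum before the label is used
    for any access control decision.  Returns (level, categories, payload),
    or None when the label/data association cannot be trusted."""
    if len(datagram) < LABEL_LEN + MAC_LEN:
        return None
    label = datagram[:LABEL_LEN]
    payload = datagram[LABEL_LEN:-MAC_LEN]
    tag = datagram[-MAC_LEN:]
    expected = hmac.new(key, label + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        level, cats = decode_label(label)
    except ValueError:
        return None
    return level, cats, payload
```

The key is assumed to be held by the NTCB partitions at both ends and protected as the System Architecture criterion requires for NTCB data; a datagram whose label or payload has been changed, or that was produced under a different key, is discarded rather than delivered with a guessed label.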
+ Statement from DoD 5200.28-STD
SINGLE-LEVEL I/O DEVICES AND SINGLE-LEVEL COMMUNICATION CHANNELS ARE NOT REQUIRED TO MAINTAIN THE SENSITIVITY LABELS OF THE INFORMATION THEY PROCESS. HOWEVER, THE TCB SHALL
RELIABLY COMMUNICATE TO DESIGNATE THE SINGLE SENSITIVITY LEVEL OF INFORMATION IMPORTED OR EXPORTED VIA SINGLE-LEVEL COMMUNICATION CHANNELS OR I/O DEVICES.
+ Interpretation
WHENEVER ONE OR BOTH OF TWO DIRECTLY CONNECTED COM-
MATION OF DIFFERENT SENSITIVITY LEVELS, OR WHENEVER THE TWO DIRECTLY CONNECTED COMPONENTS HAVE ONLY A SINGLE SENSITIVITY LEVEL IN COMMON, THE TWO COMPONENTS OF THE NETWORK SHALL COMMUNICATE OVER A SINGLE-LEVEL CHANNEL. SINGLE-LEVEL COM-
REQUIRED TO MAINTAIN THE SENSITIVITY LABELS OF THE
RELIABLE COMMUNICATION MECHANISM BY WHICH THE NTCB AND AN AUTHORIZED USER OR A SUBJECT WITHIN AN NTCB PARTITION CAN DESIGNATE THE SINGLE SENSITIVITY LEVEL OF INFORMATION
OR NETWORK COMPONENTS.
+ Rationale
SINGLE-LEVEL COMMUNICATIONS CHANNELS AND SINGLE-LEVEL COMPONENTS IN NETWORKS ARE ANALOGOUS TO SINGLE-LEVEL CHANNELS AND I/O DEVICES IN STAND-ALONE SYSTEMS IN THAT THEY ARE NOT TRUSTED TO MAINTAIN THE SEPARATION OF INFORMATION OF DIFFERENT SENSITIVITY LEVELS. THE LABELS ASSOCIATED WITH DATA TRANSMITTED OVER THOSE CHANNELS AND BY THOSE COMPONENTS ARE THEREFORE IMPLICIT; THE NTCB ASSOCIATES LABELS WITH THE DATA BECAUSE OF THE CHANNEL OR COMPONENT, NOT BECAUSE OF AN EXPLICIT PART OF THE BIT STREAM. NOTE THAT THE SENSITIVITY LEVEL OF ENCRYPTED INFORMATION IS THE LEVEL OF THE CIPHERTEXT RATHER THAN THE ORIGINAL LEVEL(S) OF THE PLAINTEXT.
+ Statement from DoD 5200.28-STD
THE ADP SYSTEM ADMINISTRATOR SHALL BE ABLE TO SPECIFY THE
LABELS. THE TCB SHALL MARK THE BEGINNING AND END OF ALL HUMAN-READABLE, PAGED, HARDCOPY OUTPUT (E.G., LINE PRINTER OUTPUT) WITH HUMAN-READABLE SENSITIVITY LABELS THAT PROPERLY[1] REPRESENT THE SENSITIVITY OF THE OUTPUT. THE TCB SHALL, BY DEFAULT, MARK THE TOP AND BOTTOM OF EACH PAGE OF HUMAN-READABLE, PAGED, HARDCOPY OUTPUT (E.G., LINE PRINTER OUTPUT) WITH HUMAN-READABLE SENSITIVITY LABELS THAT PROPERLY[1] REPRESENT THE SENSITIVITY OF THE PAGE. THE TCB SHALL, BY DEFAULT AND IN AN APPROPRIATE MANNER, MARK OTHER FORMS OF HUMAN-READABLE OUTPUT (E.G., MAPS, GRAPHICS) WITH HUMAN-READABLE SENSITIVITY LABELS THAT PROPERLY[1] REPRESENT THE SENSITIVITY OF THE OUTPUT. ANY OVERRIDE OF THESE MARKING DEFAULTS SHALL BE AUDITABLE BY THE TCB.
+ Interpretation
THIS CRITERION IMPOSES NO REQUIREMENT ON A COMPONENT THAT PRODUCES NO HUMAN-READABLE OUTPUT. FOR THOSE THAT DO
ACROSS ALL COMPONENTS. THE NETWORK ADMINISTRATOR, IN CONJUNCTION WITH ANY AFFECTED COMPONENT ADMINISTRATOR, SHALL BE ABLE TO SPECIFY THE HUMAN-READABLE LABEL THAT IS ASSOCIATED WITH EACH DEFINED SENSITIVITY LEVEL.
_________________________
[1]
READABLE SENSITIVITY LABELS SHALL BE EQUAL TO THE GREATEST HIERARCHICAL CLASSIFICATION OF ANY OF THE INFORMATION IN THE OUTPUT THAT THE LABELS REFER TO; THE NON-HIERARCHICAL CATEGORY COMPONENT SHALL INCLUDE ALL OF THE NON-HIERARCHICAL CATEGORIES OF THE INFORMATION
HIERARCHICAL CATEGORIES.
+ Rationale
THE INTERPRETATION IS A STRAIGHTFORWARD EXTENSION OF THE REQUIREMENT INTO THE CONTEXT OF A NETWORK SYSTEM AND
TIONS.
+ Statement from DoD 5200.28-STD
THE TCB SHALL ENFORCE A MANDATORY ACCESS CONTROL POLICY OVER ALL SUBJECTS AND STORAGE OBJECTS UNDER ITS CONTROL (E.G.,
OBJECTS SHALL BE ASSIGNED SENSITIVITY LABELS THAT ARE A COMBINATION OF HIERARCHICAL CLASSIFICATION LEVELS AND NON-HIERARCHICAL CATEGORIES, AND THE LABELS SHALL BE USED AS THE BASIS FOR MANDATORY ACCESS CONTROL DECISIONS. THE TCB SHALL BE ABLE TO SUPPORT TWO OR MORE SUCH SENSITIVITY LEVELS. (SEE THE MANDATORY ACCESS CONTROL INTERPRETATIONS.) THE FOLLOWING REQUIREMENTS SHALL HOLD FOR ALL ACCESSES BETWEEN SUBJECTS AND OBJECTS CONTROLLED BY THE TCB: A SUBJECT CAN READ AN OBJECT ONLY IF THE HIERARCHICAL CLASSIFICATION IN THE SUBJECT'S SENSITIVITY LEVEL IS GREATER THAN OR EQUAL TO THE HIERARCHICAL CLASSIFICATION OF THE OBJECT'S SENSITIVITY LEVEL AND THE NON-HIERARCHICAL CATEGORIES IN THE SUBJECT'S SENSITIVITY LEVEL INCLUDE ALL THE NON-HIERARCHICAL CATEGORIES IN THE OBJECT'S SENSITIVITY LEVEL. A SUBJECT CAN WRITE AN OBJECT ONLY IF THE HIERARCHICAL CLASSIFICATION IN THE SUBJECT'S SENSITIVITY LEVEL IS LESS THAN OR EQUAL TO THE HIERARCHICAL CLASSIFICATION OF THE OBJECT'S SENSITIVITY LEVEL AND THE NON-HIERARCHICAL CATEGORIES IN THE SUBJECT'S SENSITIVITY LEVEL ARE INCLUDED IN THE NON-HIERARCHICAL CATEGORIES IN THE OBJECT'S SENSITIVITY LEVEL. IDENTIFICATION AND AUTHENTICATION DATA SHALL BE USED BY THE TCB TO AUTHENTICATE THE USER'S IDENTITY AND TO ENSURE THAT THE SENSITIVITY LEVEL AND AUTHORIZATION OF SUBJECTS EXTERNAL TO THE TCB THAT MAY BE CREATED TO ACT ON BEHALF OF THE INDIVIDUAL USER ARE DOMINATED BY THE CLEARANCE AND AUTHORIZATION OF THAT USER.
+ Interpretation
EACH PARTITION OF THE NTCB EXERCISES MANDATORY ACCESS CONTROL POLICY OVER ALL SUBJECTS AND OBJECTS IN ITS COM-
RESPONSIBILITY OF AN NTCB PARTITION ENCOMPASSES ALL MANDATORY ACCESS CONTROL FUNCTIONS IN ITS COMPONENT THAT WOULD BE REQUIRED OF A TCB IN A STAND-ALONE SYSTEM. IN PARTICULAR, SUBJECTS AND OBJECTS USED FOR COMMUNICATION WITH OTHER COM-
TORY ACCESS CONTROL INCLUDES SECRECY AND INTEGRITY CONTROL TO THE EXTENT THAT THE NETWORK SPONSOR HAS DESCRIBED IN THE OVERALL NETWORK SECURITY POLICY.
CONCEPTUAL ENTITIES ASSOCIATED WITH COMMUNICATION BETWEEN TWO COMPONENTS, SUCH AS SESSIONS, CONNECTIONS AND VIRTUAL CIRCUITS, MAY BE THOUGHT OF AS HAVING TWO ENDS, ONE
OBJECT. COMMUNICATION IS VIEWED AS AN OPERATION THAT COPIES
ENTITIES, SUCH AS DATAGRAMS AND PACKETS, EXIST EITHER AS
ONE AT EACH END OF THE COMMUNICATION PATH.
THE REQUIREMENT FOR "TWO OR MORE" SENSITIVITY LEVELS CAN BE MET BY EITHER SECRECY OR INTEGRITY LEVELS. WHEN THERE IS A MANDATORY INTEGRITY POLICY, THE STATED REQUIREMENTS FOR READING AND WRITING ARE GENERALIZED TO: A SUBJECT CAN READ AN OBJECT ONLY IF THE SUBJECT'S SENSITIVITY LEVEL DOMINATES THE OBJECT'S SENSITIVITY LEVEL, AND A SUBJECT CAN WRITE AN OBJECT ONLY IF THE OBJECT'S SENSITIVITY LEVEL DOM-
NANCE RELATION FOR THE TOTAL LABEL, FOR EXAMPLE, BY COMBIN-
+ Rationale
AN NTCB PARTITION CAN MAINTAIN ACCESS CONTROL ONLY OVER SUBJECTS AND OBJECTS IN ITS COMPONENT. ACCESS BY A SUBJECT
ANOTHER COMPONENT REQUIRES THE CREATION OF A SUBJECT IN THE REMOTE COMPONENT WHICH ACTS AS A SURROGATE FOR THE FIRST SUBJECT.
THE MANDATORY ACCESS CONTROLS MUST BE ENFORCED AT THE
CONTROLS PHYSICAL PROCESSING RESOURCES) FOR EACH NTCB PARTITION. THIS MECHANISM CREATES THE ABSTRACTION OF SUBJECTS AND OBJECTS WHICH IT CONTROLS. SOME OF THESE SUBJECTS OUTSIDE THE REFERENCE MONITOR, PER SE, MAY BE DESIGNATED TO
E.G., BY USING THE "TRUSTED SUBJECTS" DEFINED IN THE BELL-LAPADULA MODEL.
_________________________
- See, for example, Grohn, M. J., A Model of a Protected Data Management System, ESD-TR-76-289, I. P. Sharp Assoc. Ltd., June, 1976; and Denning, D. E., Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. and Shockley, W., Secure Distributed Data Views, Secu-
el Secure Relational Database System, SRI International, November 1986.
THE PRIOR REQUIREMENTS ON EXPORTATION OF LABELED INFORMATION TO AND FROM I/O DEVICES ENSURE THE CONSISTENCY BETWEEN THE SENSITIVITY LABELS OF OBJECTS CONNECTED BY A COMMUNICATION PATH. AS NOTED IN THE INTRODUCTION, THE NETWORK ARCHITECTURE MUST RECOGNIZE THE LINKAGE BETWEEN THE OVERALL MANDATORY NETWORK SECURITY POLICY AND THE CONNECTION ORIENTED ABSTRACTION. FOR EXAMPLE, INDIVIDUAL DATA-CARRYING ENTITIES SUCH AS DATAGRAMS CAN HAVE INDIVIDUAL SENSITIVITY LABELS THAT SUBJECT THEM TO MANDATORY ACCESS CONTROL IN EACH COMPONENT. THE ABSTRACTION OF A SINGLE-LEVEL CONNECTION IS REALIZED AND ENFORCED IMPLICITLY BY AN ARCHITECTURE WHILE A CONNECTION IS REALIZED BY SINGLE-LEVEL SUBJECTS THAT NECESSARILY EMPLOY ONLY DATAGRAMS OF THE SAME LEVEL.
THE FUNDAMENTAL TRUSTED SYSTEMS TECHNOLOGY PERMITS THE DAC MECHANISM TO BE DISTRIBUTED, IN CONTRAST TO THE REQUIREMENTS FOR MANDATORY ACCESS CONTROL. FOR NETWORKS THIS SEPARATION OF MAC AND DAC MECHANISMS IS THE RULE RATHER THAN THE EXCEPTION.
THE SET OF TOTAL SENSITIVITY LABELS USED TO REPRESENT ALL THE SENSITIVITY LEVELS FOR THE MANDATORY ACCESS CONTROL (COMBINED DATA SECRECY AND DATA INTEGRITY) POLICY ALWAYS FORMS A PARTIALLY ORDERED SET. WITHOUT LOSS OF GENERALITY, THIS SET OF LABELS CAN ALWAYS BE EXTENDED TO FORM A LATTICE, BY INCLUDING ALL THE COMBINATIONS OF NON-HIERARCHICAL CATEGORIES. AS FOR ANY LATTICE, A DOMINANCE RELATION IS ALWAYS DEFINED FOR THE TOTAL SENSITIVITY LABELS. FOR ADMIN-
WHICH DOMINATES ALL OTHERS.
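The MAC statement above gives the read and write rules for labels made of a hierarchical classification plus non-hierarchical categories; the interpretation generalizes them to "the subject's level dominates the object's" over a total label with secrecy and integrity components, and this rationale notes that the label set extends to a lattice by including all category combinations and carries a dominance relation with a single label dominating all others. The following is an added illustration of those points, not code from the TNI. The level names and categories are constructed, and the way the two components are combined into one dominance relation is an assumption for the example (the usual Bell-LaPadula ordering for the secrecy component, the Biba ordering, inverted, for the integrity component, so that one relation yields both rule sets).

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List

# Constructed hierarchical orderings; the real ones are set by the network sponsor.
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    """Total sensitivity label: secrecy and integrity, each with a hierarchical
    level and a set of non-hierarchical categories."""
    secrecy: str
    integrity: str
    secrecy_cats: FrozenSet[str] = frozenset()
    integrity_cats: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b.  Secrecy: a is at least as classified and holds all of
    b's categories.  Integrity (assumption: Biba ordering, inverted): a is at
    most as trustworthy and holds no integrity category b lacks.  With this
    single relation, "subject dominates object" permits a read under both
    no-read-up (secrecy) and no-read-down (integrity)."""
    return (SECRECY[a.secrecy] >= SECRECY[b.secrecy]
            and a.secrecy_cats >= b.secrecy_cats
            and INTEGRITY[a.integrity] <= INTEGRITY[b.integrity]
            and a.integrity_cats <= b.integrity_cats)


def can_read(subject: Label, obj: Label) -> bool:
    """Read only if the subject's sensitivity level dominates the object's."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write only if the object's sensitivity level dominates the subject's."""
    return dominates(obj, subject)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both a and b."""
    return Label(max(a.secrecy, b.secrecy, key=SECRECY.__getitem__),
                 min(a.integrity, b.integrity, key=INTEGRITY.__getitem__),
                 a.secrecy_cats | b.secrecy_cats,
                 a.integrity_cats & b.integrity_cats)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.secrecy, b.secrecy, key=SECRECY.__getitem__),
                 max(a.integrity, b.integrity, key=INTEGRITY.__getitem__),
                 a.secrecy_cats & b.secrecy_cats,
                 a.integrity_cats | b.integrity_cats)


def _subsets(items: Iterable[str]) -> List[FrozenSet[str]]:
    items = list(items)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]


def full_lattice(secrecy_cats: Iterable[str], integrity_cats: Iterable[str]) -> List[Label]:
    """Extend the label set to a lattice: every hierarchical level paired with
    every combination of non-hierarchical categories."""
    return [Label(s, i, sc, ic)
            for s in SECRECY for i in INTEGRITY
            for sc in _subsets(secrecy_cats) for ic in _subsets(integrity_cats)]


def system_high(secrecy_cats: Iterable[str]) -> Label:
    """The administrative label that dominates every label in the lattice:
    highest secrecy with all categories, lowest integrity with none."""
    return Label(max(SECRECY, key=SECRECY.__getitem__),
                 min(INTEGRITY, key=INTEGRITY.__getitem__),
                 frozenset(secrecy_cats), frozenset())
```

With a SECRET/USER subject holding category NATO, reading a CONFIDENTIAL/SYSTEM object is allowed but writing it is not (that would be a secrecy write-down), while writing a TOP SECRET/UNTRUSTED object carrying NATO is allowed and reading it is not; the join of the two labels is the label a process that has observed both must carry.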
+ Statement from DoD 5200.28-STD
The TCB shall require users to identify themselves to it before beginning to perform any other actions that the TCB is expected to mediate. Furthermore, the TCB shall MAINTAIN AUTHENTICATION DATA THAT INCLUDES INFORMATION FOR VERIFYING THE IDENTITY OF INDIVIDUAL USERS (E.G., PASSWORDS) AS WELL AS INFORMATION FOR DETERMINING THE CLEARANCE AND AUTHORIZATIONS OF INDIVIDUAL USERS. THIS DATA SHALL BE USED BY THE TCB TO AUTHENTICATE THE USER'S IDENTITY AND TO ENSURE THAT THE SENSITIVITY LEVEL AND AUTHORIZATION OF SUBJECTS EXTERNAL TO THE TCB THAT MAY BE CREATED TO ACT ON BEHALF OF THE INDIVIDUAL USER ARE DOMINATED BY THE CLEARANCE AND AUTHORIZATION OF THAT USER. The TCB shall protect authentication data so that it cannot be accessed by any unauthorized user. The TCB shall be able to enforce individual accountability by
capability of associating this identity with all auditable actions taken by that individual.
+ Interpretation
The requirement for identification and authentication of users is the same for a network system as for an ADP system. The identification and authentication may be done by the component to which the user is directly connected or
tication server. Available techniques, such as those
applicable in the network context. However, in cases where the NTCB is expected to mediate actions of a host (or other network component) that is acting on behalf of a user or
authentication of the host (or other component) in lieu of identification and authentication of an individual user, so long as the component identifier implies a list of specific users uniquely associated with the identifier at the time of its use for authentication. This requirement does not apply to internal subjects.
Authentication information, including the identity of a user (once authenticated) may be passed from one component to another without reauthentication, so long as the NTCB
thorized disclosure and modification. This protection shall
of mechanism) as pertains to the protection of the authentication mechan and authentication data.
+ Rationale
The need for accountability is not changed in the context of a network system. The fact that the NTCB is partitioned over a set of components neither reduces the need nor imposes new requirements. That is, individual accountability is still the objective. Also, in the context of a net-
tability" can be satisfied by identification of a host (or other component) so long as the requirement for traceability to individual users or a set of specific individual users
uncertainty in traceability because of elapsed time between changes in the group membership and the enforcement in the access control mechanisms. In addition, there is no need in a distributed processing system like a network to reauthenticate a user at each point in the network where a projection of a user (via the subject operating on behalf of the user) into another remote subject takes place.
_________________________
= Department of Defense Password Management Guideline, CSC-STD-002-85
The passing of identifiers and/or authentication information from one component to another is usually done in sup-
trol (DAC). This support relates directly to the DAC
ferent NTCB partition than the one where the user was authenticated. Employing a forwarded identification implies additional reliance on the source and components along the
BASIS OF DETERMINING A SENSITIVITY LABEL FOR A SUBJECT, IT MUST SATISFY THE LABEL INTEGRITY CRITERION.
AN AUTHENTICATED IDENTIFICATION MAY BE FORWARDED BETWEEN COMPONENTS AND EMPLOYED IN SOME COMPONENT TO IDENTIFY THE SENSITIVITY LEVEL ASSOCIATED WITH A SUBJECT CREATED TO ACT ON BEHALF OF THE USER SO IDENTIFIED.
+ Statement from DoD 5200.28-STD
The TCB shall be able to create, maintain, and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects. The audit
is limited to those who are authorized for audit data. The TCB shall be able to record the following types of events: use of identification and authentication mechanisms, intro-
open, program initiation), deletion of objects, actions taken by computer operators and system administrators and/or
events. THE TCB SHALL ALSO BE ABLE TO AUDIT ANY OVERRIDE OF HUMAN-READABLE OUTPUT MARKINGS. For each recorded event, the audit record shall identify: date and time of the event, user, type of event, and success or failure of the event. For identification/authentication events the origin of
address space and for object deletion events the audit
SENSITIVITY LEVEL. The ADP system administrator shall be able to selectively audit the actions of any one or more users based on individual identity AND/OR OBJECT SENSITIVITY LEVEL.
+ Interpretation
This criterion applies as stated. The sponsor must
not distinguishable by the NTCB alone (for example those identified in Part II), the audit mechanism shall provide an interface, which an authorized subject can invoke with
audit records shall be distinguishable from those provided by the NTCB. In the context of a network system, "other
architecture and network security policy) might be as follows:
lishing a connection or a connectionless association between processes in two hosts of the network) and its principal parameters (e.g., host identifiers of the two hosts involved in the access event and user identifier or host identifier of the user or host that is requesting the access event)
each access event using local time or global synchronized time
ditions (e.g., potential violation of data integrity, such as misrouted datagrams) detected during the transactions between two hosts
component leaving the network and rejoining)
In addition, identification information should be included in appropriate audit trail records, as necessary, to allow association of all related (e.g., involving the
network system may provide the required audit capability (e.g., storage, retrieval, reduction, analysis) for other components that do not internally store audit data but transmit the audit data to some designated collection com-
audit data due to unavailability of resources.
In the context of a network system, the "user's address
events, to include address spaces being employed on behalf of a remote user (or host). However, the focus remains on users in contrast to internal subjects as discussed in the DAC criterion. In addition, audit information must be
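The audit statement lists what each record must carry (date and time, user, event type, outcome, the origin of I&A requests, the sensitivity level for object introduction and deletion) and requires selective audit by user identity and/or object sensitivity level; the interpretation adds records supplied by other subjects, which must remain distinguishable from the NTCB's own, and names cross-host access events with their host identifiers. The following is an added illustration of how a collection component might check and select such records; it is not code from the TNI. The line format, field names, event names and every sample line are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of a collection component's audit trail.  Field order:
# time|source|event|outcome|key=value...  "source" is NTCB for records the
# NTCB produced, otherwise the name of the subject that supplied the record
# through the audit interface.
SAMPLE_AUDIT_TRAIL = """\
1987-07-31T10:00:01Z|NTCB|auth|success|user=jones|origin=host-b
1987-07-31T10:00:05Z|NTCB|connect|success|user=jones|origin=host-b|peer=host-a
1987-07-31T10:00:09Z|NTCB|open|failure|user=jones|object=/payroll|level=SECRET
1987-07-31T10:01:00Z|NTCB|delete|success|user=smith|object=/draft|level=CONFIDENTIAL
1987-07-31T10:02:00Z|NTCB|marking-override|success|user=admin|object=printer-1|level=SECRET
1987-07-31T10:03:00Z|integrity-svc|misrouted-datagram|failure|user=host-c|peer=host-a
1987-07-31T10:04:00Z|NTCB|delete|success|user=smith|object=/tmp/x
"""

# Fields the criterion requires beyond date/time, user, event type and outcome
# (constructed event names; the mapping is what the statement asks for).
REQUIRED_BY_EVENT = {
    "auth": ("origin",),                  # origin of an I&A request
    "connect": ("peer",),                 # the other host in a cross-host access event
    "open": ("object", "level"),          # introduction into a user's address space
    "delete": ("object", "level"),        # object deletion carries the object's level
    "marking-override": ("object",),      # override of human-readable output markings
}


@dataclass
class AuditRecord:
    time: datetime
    source: str
    event: str
    success: bool
    attrs: Dict[str, str]


def parse_record(line: str) -> AuditRecord:
    fields = line.rstrip("\n").split("|")
    if len(fields) < 4:
        raise ValueError(f"malformed audit line: {line!r}")
    time_s, source, event, outcome, *kv = fields
    attrs = dict(item.split("=", 1) for item in kv)
    return AuditRecord(datetime.strptime(time_s, "%Y-%m-%dT%H:%M:%SZ"),
                       source, event, outcome == "success", attrs)


def parse_trail(text: str) -> List[AuditRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def missing_fields(rec: AuditRecord) -> List[str]:
    """Required fields for this event type that the record does not carry."""
    needed = ("user",) + REQUIRED_BY_EVENT.get(rec.event, ())
    return [f for f in needed if f not in rec.attrs]


def select(records: Iterable[AuditRecord], users: Optional[Set[str]] = None,
           levels: Optional[Set[str]] = None) -> List[AuditRecord]:
    """Selective audit by user identity and/or object sensitivity level.
    None on an axis means no restriction on that axis."""
    chosen = []
    for rec in records:
        if users is not None and rec.attrs.get("user") not in users:
            continue
        if levels is not None and rec.attrs.get("level") not in levels:
            continue
        chosen.append(rec)
    return chosen


def from_other_subjects(records: Iterable[AuditRecord]) -> List[AuditRecord]:
    """Records supplied by subjects other than the NTCB, kept distinguishable
    from the NTCB's own records by their source field."""
    return [rec for rec in records if rec.source != "NTCB"]
```

A record that fails `missing_fields` (the last constructed line, a deletion without the object's sensitivity level) is the kind of defect an evaluator's audit tests would look for, since a level-based selection would silently omit it.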
+ Rationale
For remote users, the network identifiers (e.g., internet address) can be used as identifiers of groups of indivi-
maintenance that would be required if individual identification of remote users was employed. In this class (C2), however, it must be possible to identify (immediately or at
identifier. In all other respects, the interpretation is a
of a network system.
+ Statement from DoD 5200.28-STD
The TCB shall maintain a domain for its own execution that
by modification of its code or data structures). Resources controlled by the TCB may be a defined subset of the sub-
SPACES UNDER ITS CONTROL. The TCB shall isolate the
access control and auditing requirements.
+ Interpretation
The system architecture criterion must be met individually by all NTCB partitions. Implementation of the requirement that the NTCB maintain a domain for its own execution is achieved by having each NTCB partition maintain a domain for its own execution. SINCE EACH COMPONENT IS ITSELF A DISTINCT DOMAIN IN THE OVERALL NETWORK SYSTEM, THIS ALSO SATISFIES THE REQUIREMENT FOR PROCESS ISOLATION THROUGH DISTINCT ADDRESS SPACES IN THE SPECIAL CASE WHERE A COMPONENT HAS ONLY A SINGLE SUBJECT.
The subset of network resources over which the NTCB has control is the union of the sets of resources over which the NTCB partitions have control. Code and data structures belonging to the NTCB, transferred among NTCB subjects (i.e., subjects outside the reference monitor but inside the NTCB) belonging to different NTCB partitions, must be protected against external interference or tampering. For example, a cryptographic checksum or physical means may be employed to protect user authentication data exchanged between NTCB partitions.
Each NTCB partition provides isolation of RESOURCES (WITHIN ITS COMPONENT) TO BE PROTECTED IN accord with the network system architecture and security policy SO THAT "SUPPORTING ELEMENTS" (E.G., DAC AND USER IDENTIFICATION) FOR THE SECURITY MECHANISMS OF THE NETWORK SYSTEM ARE STRENGTHENED COMPARED TO C2, FROM AN ASSURANCE POINT OF VIEW, THROUGH THE PROVISION OF DISTINCT ADDRESS SPACES UNDER CONTROL OF THE NTCB.
AS DISCUSSED IN THE DISCRETIONARY ACCESS CONTROL SECTION, THE DAC MECHANISM OF AN NTCB PARTITION MAY BE IMPLEMENTED AT THE INTERFACE OF THE REFERENCE MONITOR OR MAY BE DISTRIBUTED IN SUBJECTS THAT ARE PART OF THE NTCB IN THE SAME OR DIFFERENT COMPONENT. WHEN DISTRIBUTED IN NTCB SUBJECTS (I.E., WHEN OUTSIDE THE REFERENCE MONITOR), THE ASSURANCE REQUIREMENTS FOR THE DESIGN AND IMPLEMENTATION OF THE DAC SHALL BE THOSE OF CLASS C2 FOR ALL NETWORKS OF CLASS C2 OR ABOVE.
+ Rationale
The requirement for the protection of communications between NTCB partitions is specifically directed to subjects that are part of the NTCB partitions. Any requirements for
THE PROVISION OF DISTINCT ADDRESS SPACES UNDER THE CONTROL OF THE NTCB PROVIDES THE ABILITY TO SEPARATE SUBJECTS ACCORDING TO SENSITIVITY LEVEL. THIS REQUIREMENT IS INTRODUCED AT B1 SINCE IT IS AN ABSOLUTE NECESSITY IN ORDER TO
+ Statement from DoD 5200.28-STD
Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.
+ Interpretation
Implementation of the requirement is partly achieved by
and firmware elements of each component's NTCB partition. Features shall also be provided to validate the identity and correct operation of a component prior to its incorporation in the network system and throughout system operation. For example, a protocol could be designed that enables the com-
cally and validate each other's correct response. The protocol shall be able to determine the remote entity's ability to respond. NTCB partitions shall provide the capability to
Intercomponent protocols implemented within an NTCB
tion in the case of failures of network communications or individual components. The allocation of MANDATORY AND discretionary access control policy in a network may require communication between trusted subjects that are part of the NTCB partitions in different components. This communication is normally implemented with a protocol between the subjects as peer entities. Incorrect access within a component shall not result from failure of an NTCB partition to communicate
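The interpretation above sketches a protocol by which NTCB partitions periodically exchange messages and validate each other's correct response, requires that the protocol be able to tell whether the remote entity can respond at all, and ends with the rule that a partition's failure to communicate must never produce an incorrect access within a component. The following is an added illustration of such a protocol and of that fail-safe rule; it is not code from the TNI or from any product. The message layout, the shared key, the nonce-based challenge, the injected clock, the timeout and the integer levels in `mediate` are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple


class NTCBPartition:
    """One NTCB partition.  `clock` is injected so the timeout logic can be
    exercised without waiting; `key` is a constructed secret shared by the
    partitions that validate each other (assumed, not from the TNI)."""

    def __init__(self, name: str, key: bytes, clock: Callable[[], float]) -> None:
        self.name = name
        self.key = key
        self.clock = clock
        self.peer_state: Dict[str, str] = {}                 # peer -> "validated" | "unavailable"
        self.pending: Dict[bytes, Tuple[str, float]] = {}    # nonce -> (peer, time sent)

    def challenge(self, peer: str) -> dict:
        """Periodic challenge to a remote partition; a fresh nonce per message
        so that an old response cannot be replayed as a current one."""
        nonce = os.urandom(16)
        self.pending[nonce] = (peer, self.clock())
        return {"type": "challenge", "from": self.name, "to": peer, "nonce": nonce}

    def respond(self, msg: dict) -> Optional[dict]:
        """Remote partition proves its identity and correct operation by MACing
        the nonce together with its own name under the shared key."""
        if msg.get("type") != "challenge" or msg.get("to") != self.name:
            return None
        tag = hmac.new(self.key, msg["nonce"] + self.name.encode(), hashlib.sha256).digest()
        return {"type": "response", "from": self.name, "to": msg["from"],
                "nonce": msg["nonce"], "tag": tag}

    def validate(self, resp: dict, timeout: float) -> bool:
        """Check a response against the outstanding challenge it answers."""
        peer, sent = self.pending.pop(resp.get("nonce"), (None, None))
        if peer is None or resp.get("from") != peer:
            return False                          # replayed or unsolicited response
        if self.clock() - sent > timeout:
            self.peer_state[peer] = "unavailable"  # answered, but too late to trust
            return False
        expected = hmac.new(self.key, resp["nonce"] + peer.encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, resp["tag"])
        self.peer_state[peer] = "validated" if ok else "unavailable"
        return ok

    def expire(self, timeout: float) -> Dict[str, str]:
        """Challenges unanswered within `timeout` mark the peer unavailable:
        this is how the protocol determines a remote entity's ability to respond."""
        now = self.clock()
        for nonce, (peer, sent) in list(self.pending.items()):
            if now - sent > timeout:
                del self.pending[nonce]
                self.peer_state[peer] = "unavailable"
        return self.peer_state

    def mediate(self, subject_clearance: int, object_level: int,
                via_peer: Optional[str] = None) -> bool:
        """Local access decision from local labels (integer levels for brevity).
        A request that arrives through a peer not currently validated is refused,
        so a communications failure can deny access but never grant it wrongly."""
        if via_peer is not None and self.peer_state.get(via_peer) != "validated":
            return False
        return subject_clearance >= object_level
```

Two partitions sharing the key validate each other; a component that answers with the wrong key, answers late, or does not answer is marked unavailable, and requests arriving through it fail closed while purely local decisions are unaffected.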
+ Rationale
The first paragraph of the interpretation is a
text of a network system and partitioned NTCB as defined for these network criteria.
NTCB protocols should be robust enough so that they
zed failure. The purpose of this protection is to preserve the integrity of the NTCB itself. It is not unusual for one or more components in a network to be inoperative at any time, so it is important to minimize the effects of such failures on the rest of the network. Additional integrity and denial of service issues are addressed in Part II.
+ Statement from DoD 5200.28-STD
The security mechanisms of the ADP system shall be tested and found to work as claimed in the system documentation. A TEAM OF INDIVIDUALS WHO THOROUGHLY UNDERSTAND THE SPECIFIC
TATION, SOURCE CODE, AND OBJECT CODE TO THOROUGH ANALYSIS AND TESTING. THEIR OBJECTIVES SHALL BE: TO UNCOVER ALL DESIGN AND IMPLEMENTATION FLAWS THAT WOULD PERMIT A SUBJECT EXTERNAL TO THE TCB TO READ, CHANGE, OR DELETE DATA NORMALLY DENIED UNDER THE MANDATORY OR DISCRETIONARY SECURITY POLICY ENFORCED BY THE TCB; AS WELL AS TO ASSURE THAT NO SUBJECT (WITHOUT AUTHORIZATION TO DO SO) IS ABLE TO CAUSE THE TCB TO ENTER A STATE SUCH THAT IT IS UNABLE TO RESPOND TO COMMUNICATIONS INITIATED BY OTHER USERS. ALL DISCOVERED FLAWS SHALL BE REMOVED OR NEUTRALIZED AND THE TCB RETESTED TO DEMONSTRATE THAT THEY HAVE BEEN ELIMINATED AND THAT NEW FLAWS HAVE NOT BEEN INTRODUCED. (See the Security Testing Guidelines.)
+ Interpretation
Testing of a component will require a testbed that exercises the interfaces and protocols of the component including tests under exceptional conditions. The testing of a security mechanism of the network system for meeting this criterion shall be an integrated testing procedure involving all components containing an NTCB partition that implement the given mechanism. This integrated testing is additional to any individual component tests involved in the evaluation of the network system. The sponsor should identify the allowable set of configurations including the sizes of the networks. Analysis or testing procedures and tools
tions. A change in configuration within the allowable set of configurations does not require retesting.
THE TESTING OF EACH COMPONENT WILL INCLUDE THE INTRODUCTION OF SUBJECTS EXTERNAL TO THE NTCB PARTITION FOR THE COMPONENT THAT WILL ATTEMPT TO READ, CHANGE, OR DELETE DATA NORMALLY DENIED. IF THE NORMAL INTERFACE TO THE COMPONENT DOES NOT PROVIDE A MEANS TO CREATE THE SUBJECTS NEEDED TO CONDUCT SUCH A TEST, THEN THIS PORTION OF THE TESTING SHALL USE A SPECIAL VERSION OF THE UNTRUSTED SOFTWARE FOR THE COM-
THE RESULTS SHALL BE SAVED FOR TEST ANALYSIS. SUCH SPECIAL VERSIONS SHALL HAVE AN NTCB PARTITION THAT IS IDENTICAL TO THAT FOR THE NORMAL CONFIGURATION OF THE COMPONENT UNDER EVALUATION.
THE TESTING OF THE MANDATORY CONTROLS SHALL INCLUDE TESTS TO DEMONSTRATE THAT THE LABELS FOR INFORMATION
REPRESENT THE LABELS MAINTAINED BY THE NTCB PARTITION FOR THE COMPONENT FOR USE AS THE BASIS FOR ITS MANDATORY ACCESS CONTROL DECISIONS. THE TESTS SHALL INCLUDE EACH TYPE OF DEVICE, WHETHER SINGLE-LEVEL OR MULTILEVEL, SUPPORTED BY THE COMPONENT.
+ Rationale
THE PHRASE "NO SUBJECT (WITHOUT AUTHORIZATION TO DO SO)
UNABLE TO RESPOND TO COMMUNICATIONS INITIATED BY OTHER
USERS" RELATES TO THE SECURITY SERVICES (PART II OF THIS
TNI) FOR THE DENIAL OF SERVICE PROBLEM, AND TO CORRECTNESS
OF THE PROTOCOL IMPLEMENTATIONS.
Testing is AN IMPORTANT method available in this
evaluation division to gain any assurance that the security
mechanisms perform their intended function. A MAJOR PURPOSE
OF TESTING IS TO DEMONSTRATE THE SYSTEM'S RESPONSE TO INPUTS
TO THE NTCB PARTITION FROM UNTRUSTED (AND POSSIBLY MALI-
CIOUS) SUBJECTS.
IN CONTRAST TO GENERAL PURPOSE SYSTEMS THAT ALLOW FOR
THE DYNAMIC CREATION OF NEW PROGRAMS AND THE INTRODUCTION
OF NEW PROCESSES (AND HENCE NEW SUBJECTS) WITH USER SPECI-
FIED SECURITY PROPERTIES, MANY NETWORK COMPONENTS HAVE NO
METHOD FOR INTRODUCING NEW PROGRAMS AND/OR PROCESSES DURING
THEIR NORMAL OPERATION. THEREFORE, THE PROGRAMS NECESSARY
FOR THE TESTING MUST BE INTRODUCED AS SPECIAL VERSIONS OF
THE SOFTWARE RATHER THAN AS THE RESULT OF NORMAL INPUTS BY
THE TEST TEAM. HOWEVER, IT MUST BE ENSURED THAT THE NTCB
EVALUATION.
SENSITIVITY LABELS SERVE A CRITICAL ROLE IN MAINTAINING
THE SECURITY OF THE MANDATORY ACCESS CONTROLS IN THE NET-
WORK. ESPECIALLY IMPORTANT TO NETWORK SECURITY IS THE ROLE
OF THE LABELS FOR INFORMATION COMMUNICATED BETWEEN COM-
CIT LABELS FOR SINGLE-LEVEL DEVICES. THEREFORE THE TESTING
FOR CORRECT LABELS IS HIGHLIGHTED.
+ Statement from DoD 5200.28-STD
AN INFORMAL OR FORMAL MODEL OF THE SECURITY POLICY SUPPORTED
BY THE TCB SHALL BE MAINTAINED OVER THE LIFE CYCLE OF THE
ADP SYSTEM AND DEMONSTRATED TO BE CONSISTENT WITH ITS
AXIOMS.
+ Interpretation
THE OVERALL NETWORK SECURITY POLICY EXPRESSED IN THIS
MODEL WILL PROVIDE THE BASIS FOR THE MANDATORY ACCESS CON-
TROL POLICY EXERCISED BY THE NTCB OVER SUBJECTS AND STORAGE
OBJECTS IN THE ENTIRE NETWORK. THE POLICY WILL ALSO BE THE
BASIS FOR THE DISCRETIONARY ACCESS CONTROL POLICY EXERCISED
BY THE NTCB TO CONTROL ACCESS OF NAMED USERS TO NAMED
OBJECTS. DATA INTEGRITY REQUIREMENTS ADDRESSING THE EFFECTS
OF UNAUTHORIZED MSM NEED NOT BE INCLUDED IN THIS MODEL. THE
OVERALL NETWORK POLICY MUST BE DECOMPOSED INTO POLICY ELE-
MENTS THAT ARE ALLOCATED TO APPROPRIATE COMPONENTS AND USED
AS THE BASIS FOR THE SECURITY POLICY MODEL FOR THOSE COM-
THE LEVEL OF ABSTRACTION OF THE MODEL, AND THE SET OF
SUBJECTS AND OBJECTS THAT ARE EXPLICITLY REPRESENTED IN THE
MODEL, WILL BE AFFECTED BY THE NTCB PARTITIONING. SUBJECTS
AND OBJECTS MUST BE REPRESENTED EXPLICITLY IN THE MODEL FOR
THE PARTITION IF THERE IS SOME NETWORK COMPONENT WHOSE NTCB
SHALL BE STRUCTURED SO THAT THE AXIOMS AND ENTITIES APPLICA-
BLE TO INDIVIDUAL NETWORK COMPONENTS ARE MANIFEST. GLOBAL
NETWORK POLICY ELEMENTS THAT ARE ALLOCATED TO COMPONENTS
SHALL BE REPRESENTED BY THE MODEL FOR THAT COMPONENT.
+ Rationale
THE TREATMENT OF THE MODEL DEPENDS TO A GREAT EXTENT ON
THE DEGREE OF INTEGRATION OF THE COMMUNICATIONS SERVICE INTO
A DISTRIBUTED SYSTEM. IN A CLOSELY COUPLED DISTRIBUTED SYS-
TEM, ONE MIGHT USE A MODEL THAT CLOSELY RESEMBLES ONE
APPROPRIATE FOR A STAND-ALONE COMPUTER SYSTEM.
IN OTHER CASES, THE MODEL OF EACH PARTITION WILL BE
EXPECTED TO SHOW THE ROLE OF THE NTCB PARTITION IN EACH KIND
OF COMPONENT. IT WILL MOST LIKELY CLARIFY THE MODEL,
ALTHOUGH NOT PART OF THE MODEL, TO SHOW ACCESS RESTRICTIONS
REPRESENTING PROTOCOL ENTITIES MIGHT HAVE ACCESS ONLY TO
OBJECTS CONTAINING DATA UNITS AT THE SAME LAYER OF PROTOCOL.
THE ALLOCATION OF SUBJECTS AND OBJECTS TO DIFFERENT PROTO-
COL LAYERS IS A PROTOCOL DESIGN CHOICE WHICH NEED NOT BE
REFLECTED IN THE SECURITY POLICY MODEL.
+ Statement from DoD 5200.28-STD
A single summary, chapter, or manual in user documentation
TCB, interpretations on their use, and how they interact
+ Interpretation
This user documentation describes user visible protec-
tion mechanisms at the global (network system) level and at
the user interface of each component, and the interaction
among these.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system as defined for these
network criteria. Documentation of protection mechanisms
teria for trusted computer systems that are applied as
appropriate for the individual components.
+ Statement from DoD 5200.28-STD
A manual addressed to the ADP system administrator shall
be controlled when running a secure facility. The procedures
for examining and maintaining the audit files as well as the
ADMINISTRATOR FUNCTIONS RELATED TO SECURITY, TO INCLUDE
CHANGING THE SECURITY CHARACTERISTICS OF A USER. IT SHALL
OF THE PROTECTION FEATURES OF THE SYSTEM, HOW THEY INTERACT,
HOW TO SECURELY GENERATE A NEW TCB, AND FACILITY PROCEDURES,
WARNINGS, AND PRIVILEGES THAT NEED TO BE CONTROLLED IN ORDER
TO OPERATE THE FACILITY IN A SECURE MANNER.
+ Interpretation
This manual shall contain specifications and procedures
to assist the system administrator(s) in maintaining cognizance of
the network configuration. These specifications and pro-
cedures shall address the following:
network;
leave the network (e.g., by crashing, or by being
disconnected) and then rejoin;
security of the network system; (For example, the
manual should describe for the network system
administrator the interconnections among components
that are consistent with the overall network system
architecture.)
(e.g., down-line loading).
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
+ Rationale
There may be multiple system administrators with
other forms of security in order to achieve security of the
network. Additional forms include administrative security,
Extension of this criterion to cover configuration
aspects of the network is needed because, for example,
to achieve a correct realization of the network architec-
ture.
AS MENTIONED IN THE SECTION ON LABEL INTEGRITY, cryp-
tography is one common mechanism employed to protect
communication circuits. Encryption transforms the representation
of information so that it is unintelligible to unauthorized
of the ciphertext is generally lower than the cleartext. If
encryption methodologies are employed, they shall be
approved by the National Security Agency (NSA).
The encryption algorithm and its implementation are
outside the scope of these interpretations. This algorithm
and implementation may be implemented in a separate device
or may be a function of a subject in a component not dedi-
cated to encryption. Without prejudice, either implementa-
tion packaging is referred to as an encryption mechanism
+ Statement from DoD 5200.28-STD
The system developer shall provide to the evaluators a docu-
ment that describes the test plan, test procedures that show
+ Interpretation
The "system developer" is interpreted as "the network
establish the context in which the testing was or should be
conducted. The description should identify any additional
test components that are not part of the system being
evaluated. This includes a description of the test-relevant
functions of such test components and a description of the
interfacing of those test components to the system being
evaluated. The description of the test plan should also
configuration and sizing.
+ Rationale
The entity being evaluated may be a networking subsys-
tem (see Appendix A) to which other components must be added
to make a complete network system. In that case, this
interpretation is extended to include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
+ Statement from DoD 5200.28-STD
Documentation shall be available that provides a description
of the manufacturer's philosophy of protection and an expla-
nation of how this philosophy is translated into the TCB. If
the TCB is composed of distinct modules, the interfaces
between these modules shall be described. AN INFORMAL OR
FORMAL DESCRIPTION OF THE SECURITY POLICY MODEL ENFORCED BY
THE TCB SHALL BE AVAILABLE AND AN EXPLANATION PROVIDED TO
SHOW THAT IT IS SUFFICIENT TO ENFORCE THE SECURITY POLICY.
THE SPECIFIC TCB PROTECTION MECHANISMS SHALL BE IDENTIFIED
AND AN EXPLANATION GIVEN TO SHOW THAT THEY SATISFY THE
MODEL.
+ Interpretation
Explanation of how the sponsor's philosophy of protec-
tion is translated into the NTCB shall include a description
of how the NTCB is partitioned. The security policy also
the NTCB modules shall include the interface(s) between NTCB
exist. The sponsor shall describe the security architecture
and design, including the allocation of security require-
ments among components. Appendix A addresses component
evaluation issues.
AS STATED IN THE INTRODUCTION TO DIVISION B, THE SPON-
SOR MUST DEMONSTRATE THAT THE NTCB EMPLOYS THE REFERENCE
MONITOR CONCEPT. THE SECURITY POLICY MODEL MUST BE A MODEL
FOR A REFERENCE MONITOR.
THE SECURITY POLICY MODEL FOR EACH PARTITION IMPLEMENT-
CONTROL POLICY SUPPORTED BY THE PARTITION, INCLUDING THE
DISCRETIONARY AND MANDATORY SECURITY POLICY FOR SECRECY
AND/OR INTEGRITY. FOR THE MANDATORY POLICY THE SINGLE DOMI-
NANCE RELATION FOR SENSITIVITY LABELS, INCLUDING SECRECY
AND/OR INTEGRITY COMPONENTS, SHALL BE PRECISELY DEFINED.
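The requirement above that the single dominance relation over the secrecy and integrity components be precisely defined, and the Security Testing requirement earlier in this class that the test of each component introduce subjects external to the NTCB partition attempting accesses normally denied, are illustrated below by an added example. It is not text of the TNI or code from any evaluated network; the level names, category names, sample objects, devices and the "wiretap" and "cleared_user" subjects are assumptions. The integrity component is compared in reverse, one standard construction under which the same two access checks yield both the secrecy (Bell-LaPadula) and the integrity (Biba) rules; the device range check corresponds to the single-level/multilevel distinction of the labels criteria.

```python
"""Sensitivity labels with secrecy and integrity components, one dominance
relation over both, and the mandatory access decision of a reference
monitor, with a driver for the penetration portion of security testing.
Added illustration: names, levels, categories and sample labels are
assumptions, not text of the TNI or code of any evaluated network."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hierarchical components.  A larger number is a higher classification,
# or (Biba sense) a more trustworthy integrity level.
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    secrecy: int
    secrecy_cats: FrozenSet[str]        # non-hierarchical compartments
    integrity: int
    integrity_cats: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """The single dominance relation.  Secrecy compares the usual way;
        the integrity component is compared in reverse, so that the Biba
        rules fall out of the same two checks in permit() below."""
        return (self.secrecy >= other.secrecy
                and self.secrecy_cats >= other.secrecy_cats
                and self.integrity <= other.integrity
                and self.integrity_cats <= other.integrity_cats)


def label(sec: str, scats=(), integ: str = "UNTRUSTED", icats=()) -> Label:
    return Label(SECRECY[sec], frozenset(scats), INTEGRITY[integ], frozenset(icats))


def permit(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision.  read: simple security property (no read
    up in secrecy, no read down in integrity).  write: *-property (no write
    down in secrecy, no write up in integrity).  A delete is a write to the
    object's container and follows the write rule."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


@dataclass(frozen=True)
class Device:
    """Import/export device.  A single-level device has low == high (its
    label is implicit); a multilevel device carries a label range."""
    name: str
    low: Label
    high: Label

    @property
    def multilevel(self) -> bool:
        return self.low != self.high

    def accepts(self, lbl: Label) -> bool:
        """Only information labelled within [low, high] may cross the device."""
        return lbl.dominates(self.low) and self.high.dominates(lbl)


def probe(subjects: Dict[str, Label], objects: Dict[str, Label]) -> List[Tuple[str, str, str]]:
    """Test driver: subjects introduced from outside the NTCB partition try
    every access to every object.  The accesses actually granted are
    returned for comparison with what the security policy model allows."""
    return [(s, o, m) for s, sl in subjects.items()
            for o, ol in objects.items()
            for m in ("read", "write") if permit(sl, ol, m)]


# Constructed sample: objects controlled by one NTCB partition ...
OBJECTS = {
    "secret_msg": label("SECRET", {"CRYPTO"}, "USER"),
    "routing_table": label("CONFIDENTIAL", (), "SYSTEM", {"NET"}),
    "public_msg": label("UNCLASSIFIED"),
}
# ... and the subjects introduced for the penetration portion of testing.
INTRUDERS = {
    "wiretap": label("UNCLASSIFIED"),             # not authorized to use the network at all
    "cleared_user": label("SECRET", (), "USER"),  # legitimate user lacking CRYPTO
}
UNCLASS_PRINTER = Device("unclass_printer", label("UNCLASSIFIED"), label("UNCLASSIFIED"))
TRUNK = Device("trunk", label("UNCLASSIFIED", (), "SYSTEM", {"NET"}),
               label("TOP SECRET", {"CRYPTO"}, "UNTRUSTED"))

if __name__ == "__main__":
    for granted in probe(INTRUDERS, OBJECTS):
        print("granted:", granted)
    for dev in (UNCLASS_PRINTER, TRUNK):
        kind = "multilevel" if dev.multilevel else "single-level"
        for name, lbl in OBJECTS.items():
            print(f"{dev.name} ({kind}) accepts {name}: {dev.accepts(lbl)}")
```

probe() lists what was granted rather than what was denied, because the test team compares that list with the model: that is how the one non-obvious entry, cleared_user writing into the CRYPTO compartment it cannot read, is recognized as the blind write-up the *-property permits rather than as a flaw. The wiretap subject is denied every access to labelled data and the routing table cannot be modified even by the cleared user, since its SYSTEM integrity level dominates both. The trunk's range runs from the lowest secrecy/highest integrity label to the highest secrecy/lowest integrity label, so all three objects may cross it; the single-level printer accepts only the unclassified, untrusted-integrity object.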
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system as
tion, such as description of components and description of
operating environment(s) in which the networking subsystem
or network system is designed to function, is required else-
In order to be evaluated, a network must possess a
coherent Network Security Architecture and Design. (Inter-
connection of components that do not adhere to such a single
coherent Network Security Architecture is addressed in the
Security Architecture must address the security-relevant
Design specifies the interfaces and services that must be
incorporated into the network so that it can be evaluated as
a trusted entity. There may be multiple designs that con-
form to the same architecture but are more or less incompa-
tible and non-interoperable (except through the Interconnec-
tion Rules). Security related mechanisms requiring coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms having no visible
interfaces are not specified in this document but are left
as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components can be assem-
bled into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and unambi-
Network Security Architecture and Design must be evaluated
to determine that a network constructed to its specifica-
tions will in fact be trusted, that is, it will be evaluat-
able under these interpretations.
THE TERM "MODEL" IS USED IN SEVERAL DIFFERENT WAYS IN A
NETWORK CONTEXT, E.G., A "PROTOCOL REFERENCE MODEL," A "FOR-
MAL NETWORK MODEL," ETC. ONLY THE "SECURITY POLICY MODEL" IS
ADDRESSED BY THIS REQUIREMENT AND IS SPECIFICALLY INTENDED
TO MODEL THE INTERFACE, VIZ., "SECURITY PERIMETER," OF THE
REFERENCE MONITOR AND MUST MEET ALL THE REQUIREMENTS DEFINED
ARE A VALID INTERPRETATION OF THE SECURITY POLICY MODEL,
REPRESENTED BY THE MODEL.
3.2 CLASS (B2): STRUCTURED PROTECTION
IN CLASS (B2) NETWORK SYSTEMS, THE NTCB IS BASED
ON A CLEARLY DEFINED AND DOCUMENTED FORMAL SECU-
RITY POLICY MODEL THAT REQUIRES THE DISCRETIONARY
AND MANDATORY ACCESS CONTROL ENFORCEMENT FOUND IN
CLASS (B1) NETWORK SYSTEMS TO BE EXTENDED TO ALL
SUBJECTS AND OBJECTS IN THE NETWORK SYSTEM. IN
ADDITION, COVERT CHANNELS ARE ADDRESSED. THE NTCB
MUST BE CAREFULLY STRUCTURED INTO PROTECTION-
CRITICAL AND NON-PROTECTION-CRITICAL ELEMENTS.
THE NTCB INTERFACE IS WELL-DEFINED, AND THE NTCB
DESIGN AND IMPLEMENTATION ENABLE IT TO BE SUB-
JECTED TO MORE THOROUGH TESTING AND MORE COMPLETE
REVIEW. AUTHENTICATION MECHANISMS ARE
STRENGTHENED, TRUSTED FACILITY MANAGEMENT IS PRO-
VIDED IN THE FORM OF SUPPORT FOR SYSTEM ADMINIS-
TRATOR AND OPERATOR FUNCTIONS, AND STRINGENT CON-
FIGURATION MANAGEMENT CONTROLS ARE IMPOSED. THE
SYSTEM IS RELATIVELY RESISTANT TO PENETRATION.
THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR SYSTEMS
ASSIGNED A CLASS (B2) RATING.
+ Statement from DoD 5200.28-STD
+ Interpretation
The network sponsor shall describe the overall network
cy is an access control policy having two primary com-
include a discretionary policy for protecting the information
being processed based on the authorizations of indivi-
cy statement shall describe the requirements on the network
to prevent or detect "reading or destroying" sensitive
information by unauthorized users or errors. The mandatory
that it supports. For the Class B1 or above the mandatory
information that reflects its sensitivity with respect to
ciated with users to reflect their authorization to access
that are not authorized to use the network at all (e.g., a
user attempting to use a passive or active wire tap) or a
legitimate user of the network who is not authorized to
access a specific piece of information being protected.
Note that "users" does not include "operators," "system
officers," and other system support personnel. They are
Manual and the System Architecture requirements. Such indi-
viduals may change the system parameters of the network sys-
tem, for example, by defining membership of a group. These
individuals may also have the separate role of users.
SECRECY POLICY: The network sponsor shall define the
form of the discretionary and mandatory secrecy
policy that is enforced in the network to prevent
unauthorized users from reading the sensitive infor-
mation entrusted to the network.
DATA INTEGRITY POLICY: The network sponsor shall
define the discretionary and mandatory integrity
policy to prevent unauthorized users from modifying,
viz., writing, sensitive information. The defini-
tion of data integrity presented by the network
sponsor refers to the requirement that the informa-
tion has not been subjected to unauthorized modifi-
cation in the network. The mandatory integrity pol-
icy enforced by the NTCB cannot, in general, prevent
modification while information is being transmitted
between components. However, an integrity sensi-
tivity label may reflect the confidence that the
information has not been subjected to transmission
errors because of the protection afforded during
transmission. This requirement is distinct from the
requirement for label integrity.
+ Rationale
The word "sponsor" is used in place of alternatives
(such as "vendor," "architect," "manufacturer," and
"developer") because the alternatives indicate people who
may not be available, involved, or relevant at the time that
a network system is proposed for evaluation.
A trusted network is able to control both the reading
and writing of shared sensitive information. Control of
tion. A network normally is expected to have policy require-
ments to protect both the secrecy and integrity of the
information entrusted to it. In a network the integrity is
frequently as important or more important than the secrecy
to be enforced by the network must be stated for each net-
the policy is faithfully enforced is reflected in the
evaluation class of the network.
This control over modification is typically used to
control the potential harm that would result if the informa-
tion were corrupted. The overall network policy require-
ments for integrity includes the protection for data both
transmitted in the network. The access control policy
enforced by the NTCB relates to the access of subjects to
objects within each component. Communications integrity
addressed within Part II relates to information while being
transmitted.
The mandatory integrity policy (at class B1 and above)
in some architectures may be useful in supporting the
linkage between the connection oriented abstraction introduced
in the Introduction and the individual components of the
network. For example, in a key distribution center for
end-to-end encryption, a distinct integrity category may be
assigned to isolate the key generation code and data from
The mandatory integrity policy for some architecture
may define an integrity sensitivity label that reflects the
been subject to random errors in excess of a stated limit
nor to unauthorized message stream modification (MSM) -.
The specific metric associated with an integrity sensitivity
label will generally reflect the intended applications of
the network.
+ Statement from DoD 5200.28-STD
The TCB shall define and control access between named users
and named objects (e.g., files and programs) in the ADP sys-
tem. The enforcement mechanism (e.g., self/group/public
_________________________
- See Voydock, Victor L. and Stephen T. Kent, "Secu-
controls, access control lists) shall allow users to specify
and control sharing of those objects by named individuals or
controls to limit propagation of access rights. The discre-
tionary access control mechanism shall, either by explicit
user action or by default, provide that objects are pro-
tected from unauthorized access. These access controls
object by users not already possessing access permission
+ Interpretation
The discretionary access control (DAC) mechanism(s) may
be distributed over the partitioned NTCB in various ways.
Some part, all, or none of the DAC may be implemented in a
no subjects acting as direct surrogates for users), such as
a public network packet switch, might not implement the DAC
mechanism(s) directly (e.g., they are unlikely to contain
access control lists).
Identification of users by groups may be achieved in
various ways in the networking environment. For example,
the network identifiers (e.g., internet addresses) for vari-
ous components (e.g., hosts, gateways) can be used as iden-
tifiers of groups of individual users (e.g., "all users at
Host A," "all users of network Q") so long as the individu-
als involved in the group are implied by the group
identifier. For example, Host A might employ a particular group-id,
for which it maintains a list of explicit users in that
the group-id under the conditions of this interpretation.
For networks, individual hosts will impose need-to-know
controls over their users on the basis of named individuals
- much like (in fact, probably the same) controls used when
there is no network connection.
When group identifiers are acceptable for access con-
trol, the identifier of some other host may be employed, to
eliminate the maintenance that would be required if indivi-
C2 and higher, however, it must be possible from that audit
exactly the individuals represented by a group identifier at
the time of the use of that identifier. There is allowed to
be an uncertainty because of elapsed time between changes in
the group membership and the enforcement in the access con-
trol mechanisms.
The DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
all the physical resources of the system and from them
creates the abstraction of subjects and objects that it con-
trols. Some of these subjects and objects may be used to
implement a part of the NTCB. When the DAC mechanism is
Assurance section) for the design and implementation of the
DAC shall be those of class C2 for all networks of class C2
or above.
When integrity is included as part of the network dis-
cretionary security policy, the above interpretations shall
be specifically applied to the controls over modification,
viz., the write mode of access, within each component based
on identified users or groups of users.
+ Rationale
In this class, the supporting elements of the overall
DAC mechanism are required to isolate information (objects)
that supports DAC so that it is subject to auditing require-
ments (see the System Architecture section). The use of
network identifiers to identify groups of individual users
could be implemented, for example, as an X.25 community of
interest in the network protocol layer (layer 3). In all
other respects, the supporting elements of the overall DAC
mechanism are treated exactly as untrusted subjects are
treated with respect to DAC in an ADP system, with the same
A typical situation for DAC is that a surrogate process
for a remote user will be created in some host for access to
objects under the control of the NTCB partition within that
assigned and maintained for each such process by the NTCB,
tially the same discretionary controls as access by a pro-
cess acting on behalf of a local user would be. However,
tions of the assigned user identification is permitted.
The most obvious situation would exist if a global
able on demand to every host, (i.e., a name server existed)
It is also acceptable, however, for some NTCB parti-
tions to maintain a database of locally-registered users for
its own use. In such a case, one could choose to inhibit
the creation of surrogate processes for locally unregistered
users, or (if permitted by the local policy) alternatively,
to permit the creation of surrogate processes with
identify the process as executing on behalf of a member of a
the words concerning audit in the interpretation is to pro-
vide a minimally acceptable degree of auditability for cases
be a capability, using the audit facilities provided by the
network NTCB partitions involved, to determine who was
logged in at the actual host of the group of remote users at
the time the surrogate processing occurred.
Associating the proper user id with a surrogate process
is the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id of
the surrogate process. The transmission of the data back
across the network to the user's host, and the creation of a
copy of the data there, is not the business of DAC.
Components that support only internal subjects impact
the implementation of the DAC by providing services by which
information (e.g., a user-id) is made available to a com-
file at Host B. The DAC decision might be (and usually
ted from Host A to Host B.
Unique user identification may be achieved by a variety
of mechanisms, including (a) a requirement for unique iden-
tification and authentication on the host where access takes
addresses authenticated by another host and forwarded to the
of a network-wide unique personnel identifier that could be
authenticated and forwarded by another host as in (b) above,
or could be authenticated and forwarded by a dedicated net-
cols which implement (b) or (c) are subject to the System
Architecture requirements.
Network support for DAC might be handled in other ways
than that described as "typical" above. In particular, some
form of centralized access control is often proposed. An
access control center may make all decisions for DAC, or it
may share the burden with the hosts by controlling host-to-
to their objects by users at a limited set of remote hosts.
between the connection oriented abstraction (as discussed in
the Introduction) and the overall network security policy
for DAC. In all cases the enforcement of the decision must
be provided by the host where the object resides.
There are two forms of distribution for the DAC
mechanism: implementing portions of the DAC in separate com-
the NTCB partition in a component. Since "the ADP system"
is understood to be "the computer network" as a whole, each
network component is responsible for enforcing security in
the mechanisms allocated to it to ensure secure implementa-
tion of the network security policy. For traditional host
a few approaches, such as virtual machine monitors, support
DAC outside this interface.
In contrast to the universally rigid structure of man-
DAC policies tend to be very network and system specific,
For networks it is common that individual hosts will impose
controls over their local users on the basis of named
individuals, much like the controls used when there is no
network connection. However, it is difficult to manage in a
centralized manner all the individuals using a large net-
together so that the controls required by the network DAC
other components. A gateway is an example of such a com-
The assurance requirements are at the very heart of the
concept of a trusted system. It is the assurance that
environment, as reflected, for example, in the Environments
Guideline-. In the case of monolithic systems that have DAC
integral to the reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of the
clearer distinction due to distributed DAC. The rationale
for making the distinction in this network interpretation is
that if major trusted network components can be made signi-
ficantly easier to design and implement without reducing the
ability to meet security policy, then trusted networks will
be more easily available.
+ Statement from DoD 5200.28-STD
All authorizations to the information contained within a
allocation or reallocation to a subject from the TCB's pool
of unused storage objects. No information, including
encrypted representations of information, produced by a
that obtains access to an object that has been released back
to the system.
_________________________
- Guidance for Applying the Department of Defense
Trusted Computer System Evaluation Criteria in Specific
Environments, CSC-STD-003-85.
+ Interpretation
The NTCB shall ensure that any storage objects that it
controls (e.g., message buffers under the control of a NTCB
access. This requirement must be enforced by each of the
NTCB partitions.
+ Rationale
In a network system, storage objects of interest are
things that the NTCB directly controls, such as message
buffers in components. Each component of the network system
must enforce the object reuse requirement with respect to
the storage objects of interest as determined by the network
be under the control of the NTCB partition. A buffer
assigned to an internal subject may be reused at the discre-
tion of that subject which is responsible for preserving the
integrity of message streams. Such controlled objects may
be implemented in physical resources, such as buffers, disk
network switches.
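The object reuse requirement above, applied to message buffers under the control of an NTCB partition, is illustrated by the added example below. It is not code from the TNI or from any evaluated network component; the pool, the subject names and the sample payload are assumptions. The pool is shown with its sanitizing step switchable so that the residue a second subject would otherwise obtain is visible next to the corrected behaviour.

```python
"""Object reuse for NTCB-controlled message buffers: a pool that revokes
all information held in a buffer before the buffer is reallocated to a
different subject.  Added illustration with assumed names; not code from
the TNI or from any evaluated network component."""
from collections import deque
from typing import Deque, Dict

BUF_SIZE = 64


class BufferPool:
    """Fixed pool of message buffers under the control of one NTCB
    partition.  With sanitize_on_reuse=False the pool has the classic
    object-reuse flaw: the next holder sees the previous holder's data.
    (In a real component release() would also revoke the old holder's
    mapping; Python references cannot model that part.)"""

    def __init__(self, count: int, sanitize_on_reuse: bool = True) -> None:
        self._free: Deque[bytearray] = deque(bytearray(BUF_SIZE) for _ in range(count))
        self._owner: Dict[int, str] = {}     # id(buffer) -> subject holding it
        self.sanitize_on_reuse = sanitize_on_reuse

    def allocate(self, subject: str) -> bytearray:
        if not self._free:
            raise MemoryError("buffer pool exhausted")
        buf = self._free.popleft()
        if self.sanitize_on_reuse:
            # Clear on allocation rather than on release: this also covers a
            # buffer whose previous holder crashed without releasing it, and
            # it does not matter whether the residue is cleartext or an
            # encrypted representation; both are information the new
            # subject is not authorized to obtain.
            buf[:] = bytes(BUF_SIZE)
        self._owner[id(buf)] = subject
        return buf

    def release(self, subject: str, buf: bytearray) -> None:
        # Only the current holder may return a buffer; a release by another
        # subject would pull the buffer out from under its owner.
        if self._owner.get(id(buf)) != subject:
            raise PermissionError(f"{subject} does not hold this buffer")
        del self._owner[id(buf)]
        self._free.append(buf)


def residue_after_reuse(sanitize: bool) -> bytes:
    """Subject A fills the only buffer and returns it; subject B then
    allocates and reads without writing.  Returns what B observes."""
    pool = BufferPool(count=1, sanitize_on_reuse=sanitize)
    a = pool.allocate("subject_A")
    payload = b"TOP SECRET/CRYPTO session key 1f2e3d4c"   # constructed sample
    a[:len(payload)] = payload
    pool.release("subject_A", a)
    b = pool.allocate("subject_B")
    return bytes(b)


def release_by_non_owner_rejected() -> bool:
    pool = BufferPool(count=2)
    buf = pool.allocate("subject_A")
    try:
        pool.release("subject_B", buf)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("without sanitizing:", residue_after_reuse(sanitize=False)[:40])
    print("with sanitizing:   ", residue_after_reuse(sanitize=True)[:40])
```

A buffer that stays with the same internal subject is not reallocated in this sense and need not be cleared by the pool; the rationale above leaves its reuse to that subject. The clearing step applies at every reallocation to a different subject, which is also where the same mechanism would clear disk blocks or other physical resources that back the controlled objects.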
+ Statement from DoD 5200.28-STD
Sensitivity labels associated with each ADP SYSTEM RESOURCE
(E.G., SUBJECT, STORAGE OBJECT, ROM) THAT IS DIRECTLY OR
be maintained by the TCB. These labels shall be used as the
basis for mandatory access control decisions. In order to
import non-labeled data, the TCB shall request and receive
from an authorized user the sensitivity level of the data,
and all such actions shall be auditable by the TCB.
+ Interpretation
Non-labeled data imported under the control of the NTCB
LABELS OF the single-level device used to import it. Labels
may include secrecy and integrity- components in accordance
network sponsor. Whenever the term "label" is used
throughout this interpretation, it is understood to include
both components as applicable. Similarly, the terms
"single-level" and "multilevel" are understood to be based
on both the secrecy and integrity components of the policy.
The mandatory integrity policy will typically have require-
ments, such as the probability of undetected message stream
modification, that will be reflected in the label for the
integrity label may be assigned based on mechanisms, such as
cryptography, used to provide the assurance required by the
tected from tampering and are always invoked when they are
the basis for a label.
_________________________
- See, for example, Biba, K.J., "Integrity Considerations
for Secure Computer Systems," ESD-TR-76-372, MTR-
IF THE SECURITY POLICY INCLUDES AN INTEGRITY POLICY,
ALL ACTIVITIES THAT RESULT IN MESSAGE-STREAM MODIFICATION
DURING TRANSMISSION ARE REGARDED AS UNAUTHORIZED ACCESSES IN
VIOLATION OF THE INTEGRITY POLICY. THE NTCB SHALL HAVE AN
AUTOMATED CAPABILITY FOR TESTING, DETECTING, AND REPORTING
THOSE ERRORS/CORRUPTIONS THAT EXCEED SPECIFIED NETWORK
(MSM) COUNTERMEASURES SHALL BE IDENTIFIED. A TECHNOLOGY OF
ADEQUATE STRENGTH SHALL BE SELECTED TO RESIST MSM. IF
ENCRYPTION METHODOLOGIES ARE EMPLOYED, THEY SHALL BE
APPROVED BY THE NATIONAL SECURITY AGENCY.
ALL OBJECTS MUST BE LABELED WITHIN EACH COMPONENT OF
THE NETWORK THAT IS TRUSTED TO MAINTAIN SEPARATION OF MULTI-
OBJECTS ASSOCIATED WITH SINGLE-LEVEL COMPONENTS WILL BE
STORE NETWORK CONTROL INFORMATION, AND OTHER NETWORK STRUC-
TURES, SUCH AS ROUTING TABLES, MUST BE LABELED TO PREVENT
UNAUTHORIZED ACCESS AND/OR MODIFICATION.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in which
the security range of the subject is the minimum-maximum
ce.
The sensitivity labels for either secrecy or integrity
or both may reflect non-hierarchical categories or
hierarchical classification or both.
FOR A NETWORK IT IS NECESSARY THAT THIS REQUIREMENT BE
APPLIED TO ALL NETWORK SYSTEM RESOURCES AT THE (B2) LEVEL
AND ABOVE.
THE NTCB IS RESPONSIBLE FOR IMPLEMENTING THE NETWORK
THAT POLICY BY ENSURING THAT INFORMATION IS ACCURATELY
TRANSMITTED FROM SOURCE TO DESTINATION (REGARDLESS OF THE
NUMBER OF INTERVENING CONNECTING POINTS). THE NTCB MUST BE
ABLE TO COUNTER EQUIPMENT FAILURE, ENVIRONMENTAL DISRUP-
TIONS, AND ACTIONS BY PERSONS AND PROCESSES NOT AUTHORIZED
TO ALTER THE DATA. PROTOCOLS THAT PERFORM CODE OR FORMAT
CONVERSION SHALL PRESERVE THE INTEGRITY OF DATA AND CONTROL
THE PROBABILITY OF AN UNDETECTED TRANSMISSION ERROR MAY
BE SPECIFIED AS PART OF THE NETWORK SECURITY POLICY SO THAT
THE ACCEPTABILITY OF THE NETWORK FOR ITS INTENDED APPLICA-
TION MAY BE DETERMINED. THE SPECIFIC METRICS (E.G., PROBA-
BILITY OF UNDETECTED MODIFICATION) SATISFIED BY THE DATA CAN
BE REFLECTED IN THE INTEGRITY SENSITIVITY LABEL ASSOCIATED
WITH THE DATA WHILE IT IS PROCESSED WITHIN A COMPONENT. IT
ENVIRONMENTS (E.G., CRISIS AS COMPARED TO LOGISTIC) WILL
HAVE DIFFERENT INTEGRITY REQUIREMENTS.
THE NETWORK SHALL ALSO HAVE AN AUTOMATED CAPABILITY OF
TESTING FOR, DETECTING, AND REPORTING ERRORS THAT EXCEED A
THRESHOLD CONSISTENT WITH THE OPERATIONAL MODE REQUIREMENTS.
THE EFFECTIVENESS OF INTEGRITY COUNTERMEASURES MUST BE ESTA-
BLISHED WITH THE SAME RIGOR AS THE OTHER SECURITY-RELEVANT
CRYPTOGRAPHY IS OFTEN UTILIZED AS A BASIS TO PROVIDE
DATA INTEGRITY ASSURANCE. MECHANISMS, SUCH AS MANIPULATION
DETECTION CODES (MDC)-, MAY BE USED. THE ADEQUACY OF THE
ENCRYPTION OR MDC ALGORITHM, THE CORRECTNESS OF THE PROTOCOL
LOGIC, AND THE ADEQUACY OF IMPLEMENTATION MUST BE ESTA-
BLISHED IN MSM COUNTERMEASURES DESIGN.
+ Statement from DoD 5200.28-STD
Sensitivity labels shall accurately represent sensitivity
levels of the specific subjects or objects with which they
are associated. When exported by the TCB, sensitivity
labels shall accurately and unambiguously represent the
internal labels and shall be associated with the information
being exported.
+ Interpretation
The phrase "exported by the TCB" is understood to
include transmission of information from an object in one
component to an object in another component. Information
transferred between NTCB partitions is addressed in the Sys-
tem Integrity Section. The form of internal and external
(exported) sensitivity labels may differ, but the meaning
_________________________
- See Jueneman, R. R., "Electronic Document Authenti-
cation," IEEE Network Magazine, April 1987, pp 17-23.
correct association of sensitivity labels with the informa-
tion being transported across the network is preserved.
As mentioned in the Trusted Facility Manual Section,
encryption transforms the representation of information so
that it is unintelligible to unauthorized subjects.
Reflecting this transformation, the sensitivity level of the
ciphertext is generally lower than the cleartext. It fol-
lows that cleartext and ciphertext are contained in dif-
ferent objects, each possessing its own label. The label of
the cleartext must be preserved and associated with the
ciphertext so that it can be restored when the cleartext is
cleartext is associated with a single-level device, the
label of that cleartext may be implicit. The label may also
be implicit in the key.
When information is exported to an environment where it
is subject to deliberate or accidental modification, the TCB
assure the accuracy of the labels. When there is a manda-
tory integrity policy, the policy will define the meaning of
integrity labels.
+ Rationale
Encryption algorithms and their implementation are out-
may be implemented in a separate device or may be incor-
encryption mechanism herein. If encryption methodologies are
employed in this regard, they shall be approved by the
National Security Agency (NSA). The encryption process is
components in which it is implemented.
The encryption mechanism is not necessarily a mul-
tilevel device or multilevel subject, as these terms are
used in these criteria. The process of encryption is mul-
tilevel by definition. The cleartext and ciphertext inter-
faces carry information of different sensitivity. An
encryption mechanism does not process data in the sense of
ciphertext interfaces on the encryption mechanism must be
the data is established by a trusted individual and impli-
citly associated with the interface; the Exportation to
Single-Level Devices criterion applies.
If the interface is multilevel, then the data must be
labeled; the Exportation to Multilevel Devices criterion
applies. The network architect is free to select an accept-
able mechanism for associating a label with an object. With
the object.
through the encryption key. That is, the encryption
key uniquely identifies a sensitivity level. A sin-
gle or private key must be protected at the level of
the data that it encrypts.
+ Statement from DoD 5200.28-STD
The TCB shall designate each communication channel and I/O
this designation shall be done manually and shall be audit-
able by the TCB. The TCB shall maintain and be able to
audit any change in the sensitivity level or levels associ-
ated with a communications channel or I/O device.
+ Interpretation
Each communication channel and network component shall
be designated as either single-level or multilevel. Any
change in this designation shall be done with the cognizance
and approval of the administrator or security officer in
charge of the affected components and the administrator or
be auditable by the network. The NTCB shall maintain and be
able to audit any change in the DEVICE LABELS associated
ciated with a multilevel communication channel or component.
The NTCB shall also be able to audit any change in the set
of sensitivity levels associated with the information which
can be transmitted over a multilevel communication channel
or component.
+ Rationale
Communication channels and components in a network are
analogous to communication channels and I/O devices in
tilevel (i.e., able to distinguish and maintain separation
among information of various sensitivity levels) or single-
level. As in the TCSEC, single-level devices may only be
attached to single-level channels.
The level or set of levels of information that can be
only change with the knowledge and approval of the security
officers (or system administrator, if there is no security
officer) of the network, and of the affected components.
This requirement ensures that no significant security-
affected parties.
+ Statement from DoD 5200.28-STD
When the TCB exports an object to a multilevel I/O device,
the sensitivity label associated with that object shall also
be exported and shall reside on the same physical medium as
the exported information and shall be in the same form
(i.e., machine-readable or human-readable form). When the
TCB exports or imports an object over a multilevel communi-
cations channel, the protocol used on that channel shall
labels and the associated information that is sent or
+ Interpretation
The components, including hosts, of a network shall be
nterconnected over "multilevel communication channels,"
multiple single-level communication channels, or both, when-
ever the information is to be protected at more than a sin-
the only information needed to correctly associate a sensi-
tivity level with the exported information transferred over
the multilevel channel between the NTCB partitions in indi-
vidual components. This protocol definition must specify the
(i.e., the machine-readable label must uniquely represent
the sensitivity level).
The "unambiguous" association of the sensitivity level
of accuracy as that required for any other label within the
NTCB, as specified in the criterion for Label Integrity.
This may be provided by protected and highly reliable direct
link protection in which any errors during transmission can
be readily detected, or by use of a separate channel. THE
RANGE OF INFORMATION IMPORTED OR EXPORTED MUST BE CON-
STRAINED BY THE ASSOCIATED DEVICE LABELS.
+ Rationale
This protocol must specify the representation and
Access Control Policies section in Appendix B. The mul-
tilevel device interface to (untrusted) subjects may be
implemented either by the interface of the reference moni-
tor, per se, or by a multilevel subject (e.g., a "trusted
vides the labels based on the internal labels of the NTCB
The current state of the art limits the support for
mandatory policy that is practical for secure networks.
Reference monitor support to ensure the control over all the
operations of each subject in the network must be completely
invoked by this subject must be contained in the same com-
The secure state of an NTCB partition may be affected
by events external to the component in which the NTCB parti-
tion resides (e.g., arrival of a message). The effect
occurs asynchronously after being initiated by an event in
another component or partition. For example, indeterminate
component, the arrival of the message in the NTCB partition
in another component, and the corresponding change to the
is executing concurrently, to do otherwise would require
ably not even desirable. Therefore, the interaction between
NTCB partitions is restricted to just communications between
the device(s) can send/receive data of more than a single
level. For broadcast channels the pairs are the sender and
intended receiver(s). However, if the broadcast channel
carries multiple levels of information, additional mechanism
(e.g., cryptochecksum maintained by the TCB) may be required
to enforce separation and proper delivery.
A common representation for sensitivity labels is
needed in the protocol used on that channel and understood
by both the sender and receiver when two multilevel devices
(in this case, in two different components) are intercon-
nected. Each distinct sensitivity level of the overall net-
Within a monolithic TCB, the accuracy of the sensi-
tivity labels is generally assured by simple techniques,
e.g., very reliable connections over very short physical
connections, such as on a single printed circuit board or
over an internal bus. In many network environments there is
a much higher probability of accidentally or maliciously
introduced errors, and these must be protected against.
+ Statement from DoD 5200.28-STD
Single-level I/O devices and single-level communication
channels are not required to maintain the sensitivity labels
of the information they process. However, the TCB shall
include a mechanism by which the TCB and an authorized user
level of information imported or exported via single-level
communication channels or I/O devices.
+ Interpretation
Whenever one or both of two directly connected com-
mation of different sensitivity levels, or whenever the two
level in common, the two components of the network shall
communicate over a single-level channel. Single-level com-
tion they process. However, the NTCB shall include a reli-
able communication mechanism by which the NTCB and an
authorized user (VIA A TRUSTED PATH) or a subject within an
NTCB partition can designate the single sensitivity level of
information imported or exported via single-level communica-
tion channels or network components. THE LEVEL OF INFORMA-
TION COMMUNICATED MUST EQUAL THE DEVICE LEVEL.
+ Rationale
Single-level communications channels and single-level
components in networks are analogous to single level chan-
nels and I/O devices in stand-alone systems in that they are
not trusted to maintain the separation of information of
are therefore implicit; the NTCB associates labels with the
explicit part of the bit stream. Note that the sensitivity
level of encrypted information is the level of the cipher-
text rather than the original level(s) of the plaintext.
+ Statement from DoD 5200.28-STD
The ADP system administrator shall be able to specify the
labels. The TCB shall mark the beginning and end of all
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the output. The TCB
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the page. The TCB shall,
by default and in an appropriate manner, mark other forms of
_________________________
classification of any of the information in the output that the
labels refer to; the non-hierarchical category component shall
include all of the non-hierarchical categories of the information
in the output the labels refer to, but to no other non-
+ Interpretation
This criterion imposes no requirement to a component
that produces no human-readable output. For those that do
is defined to the network shall have a uniform meaning
across all components. The network administrator, in con-
able to specify the human-readable label that is associated
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system and
tions.
+ Statement from DoD 5200.28-STD
THE TCB SHALL IMMEDIATELY NOTIFY A TERMINAL USER OF EACH
CHANGE IN THE SENSITIVITY LEVEL ASSOCIATED WITH THAT USER
DURING AN INTERACTIVE SESSION. A TERMINAL USER SHALL BE
ABLE TO QUERY THE TCB AS DESIRED FOR A DISPLAY OF THE
SUBJECT'S COMPLETE SENSITIVITY LABEL.
+ Interpretation
AN NTCB PARTITION SHALL IMMEDIATELY NOTIFY A TERMINAL
USER ATTACHED TO ITS COMPONENT OF EACH CHANGE IN THE SENSI-
TIVITY LEVEL ASSOCIATED WITH THAT USER.
+ Rationale
THE LOCAL NTCB PARTITION MUST ENSURE THAT THE USER
UNDERSTANDS THE SENSITIVITY LEVEL OF INFORMATION SENT TO AND
FROM A TERMINAL. WHEN A USER HAS A SURROGATE PROCESS IN
ANOTHER COMPONENT, ADJUSTMENTS TO ITS LEVEL MAY OCCUR TO
MAINTAIN COMMUNICATION WITH THE USER. THESE CHANGES MAY
OCCUR ASYNCHRONOUSLY. SUCH ADJUSTMENTS ARE NECESSITATED BY
MANDATORY ACCESS CONTROL AS APPLIED TO THE OBJECTS INVOLVED
+ Statement from DoD 5200.28-STD
THE TCB SHALL SUPPORT THE ASSIGNMENT OF MINIMUM AND MAXIMUM
SENSITIVITY LEVELS TO ALL ATTACHED PHYSICAL DEVICES. THESE
SENSITIVITY LEVELS SHALL BE USED BY THE TCB TO ENFORCE CON-
STRAINTS IMPOSED BY THE PHYSICAL ENVIRONMENTS IN WHICH THE
DEVICES ARE LOCATED.
+ Interpretation
THIS REQUIREMENT APPLIES AS WRITTEN TO EACH NTCB PARTI-
TION THAT IS TRUSTED TO SEPARATE INFORMATION BASED ON SENSI-
TIVITY LEVEL. EACH I/O DEVICE IN A COMPONENT, USED FOR COM-
MUNICATION WITH OTHER NETWORK COMPONENTS, IS ASSIGNED A DEV-
MINIMUM. (A DEVICE RANGE USUALLY CONTAINS, BUT DOES NOT
NECESSARILY CONTAIN, ALL POSSIBLE LABELS "BETWEEN" THE MAX-
BEING DOMINATED BY THE MAXIMUM.)
THE NTCB ALWAYS PROVIDES AN ACCURATE LABEL FOR INFORMA-
TION EXPORTED THROUGH DEVICES. INFORMATION EXPORTED OR
BY THE SENSITIVITY LEVEL OF THE DEVICE. INFORMATION
EXPORTED FROM ONE MULTILEVEL DEVICE AND IMPORTED AT ANOTHER
MUST BE LABELLED THROUGH AN AGREED-UPON PROTOCOL, UNLESS IT
ALWAYS CARRIES A SINGLE LEVEL.
INFORMATION EXPORTED AT A GIVEN SENSITIVITY LEVEL CAN
BE SENT ONLY TO AN IMPORTING DEVICE WHOSE DEVICE RANGE CON-
TAINS THAT LEVEL OR A HIGHER LEVEL. IF THE IMPORTING DEVICE
RANGE DOES NOT CONTAIN THE GIVEN LEVEL, THE INFORMATION IS
RELABELLED UPON RECEPTION AT A HIGHER LEVEL WITHIN THE
WISE.
+ Rationale
THE PURPOSE OF DEVICE LABELS IS TO REFLECT AND CON-
STRAIN THE SENSITIVITY LEVELS OF INFORMATION AUTHORIZED FOR
THE PHYSICAL ENVIRONMENT IN WHICH THE DEVICES ARE LOCATED.
THE INFORMATION TRANSFER RESTRICTIONS PERMIT ONE-WAY
COMMUNICATION (I.E., NO ACKNOWLEDGEMENTS) FROM ONE DEVICE TO
ANOTHER WHOSE RANGES HAVE NO LEVEL IN COMMON, AS LONG AS
EACH LEVEL IN THE SENDING DEVICE RANGE IS DOMINATED BY SOME
LEVEL IN THE RECEIVING DEVICE RANGE. IT IS NEVER PERMITTED
TO SEND INFORMATION AT A GIVEN LEVEL TO A DEVICE WHOSE RANGE
DOES NOT CONTAIN A DOMINATING LEVEL. (SEE APPENDIX C FOR
SIMILAR INTERCONNECTION RULES FOR THE INTERCONNECTED AIS
VIEW.)
+ Statement from DoD 5200.28-STD
The TCB shall enforce a mandatory access control policy over
all RESOURCES (I.E., SUBJECTS, STORAGE OBJECTS, AND I/O DEV-
EXTERNAL TO THE TCB. These subjects and objects shall be
assigned sensitivity labels that are a combination of
categories, and the labels shall be used as the basis for
mandatory access control decisions. The TCB shall be able
to support two or more such sensitivity levels. (See the
Mandatory Access Control interpretations.) The following
JECTS EXTERNAL TO THE TCB AND ALL OBJECTS DIRECTLY OR
the subject's sensitivity level is greater than or equal to
the hierarchical classification of the object's sensitivity
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. A subject can
the subject's sensitivity level is less than or equal to the
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. Identification
and authentication data shall be used by the TCB to authen-
ticate the user's identity and to ensure that the sensi-
tivity level and authorization of subjects external to the
TCB that may be created to act on behalf of the individual
user are dominated by the clearance and authorization of
that user.
+ Interpretation
Each partition of the NTCB exercises mandatory access
control policy over all subjects and objects in its COM-
tion encompasses all mandatory access control functions in
its component that would be required of a TCB in a stand-
alone system. In particular, subjects and objects used for
communication with other components are under the control of
the NTCB partition. Mandatory access control includes
cy.
Conceptual entities associated with communication
between two components, such as sessions, connections and
virtual circuits, may be thought of as having two ends, one
in each component, where each end is represented by a local
object. Communication is viewed as an operation that copies
information from an object at one end of a communication
entities, such as datagrams and packets, exist either as
information within other objects, or as a pair of objects,
one at each end of the communication path.
The requirement for "two or more" sensitivity levels
can be met by either secrecy or integrity levels. When
there is a mandatory integrity policy, the stated require-
ments for reading and writing are generalized to: A subject
can read an object only if the subject's sensitivity level
nates the subject's sensitivity level. Based on the
integrity policy, the network sponsor shall define the domi-
nance relation for the total label, for example, by combin-
ing secrecy and integrity lattices. -
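The read and write rules stated above, the combined secrecy/integrity dominance relation, and the device-range export and one-way transfer rules from the Device Labels interpretation earlier, worked through as an added Python illustration that is not part of NCSC-TG-005. The level names, category names and the Biba-style (inverted) ordering assumed for the integrity half of the total label are constructed for this example.

```python
"""Label dominance, combined secrecy/integrity labels, device-range export.

Added illustration, not part of NCSC-TG-005. Level names, category names
and the inverted integrity ordering are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Constructed hierarchical orderings, lowest to highest.
SECRECY_LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
INTEGRITY_LEVELS = ("UNTRUSTED", "USER", "SYSTEM")


@dataclass(frozen=True)
class Label:
    """One lattice element: hierarchical rank plus non-hierarchical categories."""
    rank: int
    name: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance as the criterion states it: classification greater than
        # or equal, and categories a superset of the other label's categories.
        return self.rank >= other.rank and self.categories >= other.categories


def secrecy(name: str, categories: Iterable[str] = ()) -> Label:
    return Label(SECRECY_LEVELS.index(name), name, frozenset(categories))


def integrity(name: str, categories: Iterable[str] = ()) -> Label:
    return Label(INTEGRITY_LEVELS.index(name), name, frozenset(categories))


@dataclass(frozen=True)
class TotalLabel:
    """Secrecy and integrity lattices combined into one total label.

    The network sponsor defines the dominance relation; assumed here: a
    total label dominates another when its secrecy label dominates AND its
    integrity label is dominated (less trustworthy data sits higher)."""
    secrecy: Label
    integrity: Label

    def dominates(self, other: "TotalLabel") -> bool:
        return (self.secrecy.dominates(other.secrecy)
                and other.integrity.dominates(self.integrity))


def can_read(subject: TotalLabel, obj: TotalLabel) -> bool:
    """Read only if the subject's total label dominates the object's."""
    return subject.dominates(obj)


def can_write(subject: TotalLabel, obj: TotalLabel) -> bool:
    """Write only if the object's total label dominates the subject's."""
    return obj.dominates(subject)


@dataclass(frozen=True)
class DeviceRange:
    """Labels a device is authorized to carry. As the interpretation notes,
    the range need not contain every label between its minimum and maximum."""
    labels: FrozenSet[Label]

    def dominating(self, level: Label) -> set:
        return {lab for lab in self.labels if lab.dominates(level)}


def export_permitted(level: Label, importing: DeviceRange) -> bool:
    """Information at `level` may go only to a device whose range contains
    that level or a level dominating it."""
    return bool(importing.dominating(level))


def import_label(level: Label, importing: DeviceRange) -> Optional[Label]:
    """Label assigned on reception: the level itself if the range contains
    it, otherwise a minimal dominating level of the range; None when the
    export is not permitted at all."""
    candidates = importing.dominating(level)
    if not candidates:
        return None
    if level in candidates:
        return level
    minimal = [c for c in candidates
               if not any(o != c and c.dominates(o) for o in candidates)]
    # Several incomparable minimal levels are possible; the protocol has to
    # fix a choice, here the lowest rank with the fewest categories.
    return sorted(minimal, key=lambda lab: (lab.rank, len(lab.categories),
                                            sorted(lab.categories)))[0]


def one_way_permitted(sending: DeviceRange, receiving: DeviceRange) -> bool:
    """One-way (unacknowledged) transfer between devices whose ranges may
    share no level: every sending level must be dominated by some level
    in the receiving range."""
    return all(export_permitted(lab, receiving) for lab in sending.labels)


if __name__ == "__main__":
    # Constructed sample: a SECRET host feeding a TOP SECRET gateway.
    host = DeviceRange(frozenset({secrecy("SECRET", {"NATO"})}))
    gateway = DeviceRange(frozenset({secrecy("TOP SECRET", {"NATO"}),
                                     secrecy("TOP SECRET", {"NATO", "CRYPTO"})}))
    print(one_way_permitted(host, gateway))   # True: no common level, yet permitted
    print(import_label(secrecy("SECRET", {"NATO"}), gateway).name)   # TOP SECRET
```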
+ Rationale
An NTCB partition can maintain access control only over
ABOVE, THE NTCB PARTITION MUST MAINTAIN ACCESS CONTROL OVER
ALL SUBJECTS AND OBJECTS IN ITS COMPONENT. Access by a sub-
in another component requires the creation of a subject in
the remote component which acts as a surrogate for the first
The mandatory access controls must be enforced at the
interface of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti-
tion. This mechanism creates the abstraction of subjects
and objects which it controls. Some of these subjects out-
implement part of an NTCB partition's mandatory policy,
e.g., by using the "trusted subjects" defined in the Bell-
LaPadula model.
The prior requirements on exportation of labeled infor-
mation to and from I/O devices ensure the consistency
between the sensitivity labels of objects connected by a
communication path. As noted in the introduction, the net-
overall mandatory network security policy and the connection
oriented abstraction. For example, individual data-carrying
entities such as datagrams can have individual sensitivity
labels that subject them to mandatory access control in each
component. The abstraction of a single-level connection is
connection is realized by single-level subjects that neces-
The fundamental trusted systems technology permits the
DAC mechanism to be distributed, in contrast to the require-
ments for mandatory access control. For networks this
_________________________
- See, for example, Grohn, M. J., A Model of a Pro-
tected Data Management System, ESD-TR-76-289, I. P.
Sharp Assoc. Ltd., June, 1976; and Denning, D. E.,
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M.
and Shockley, W., Secure Distributed Data Views, Secu-
el Secure Relational Database System, SRI International,
November 1986.
the exception.
The set of total sensitivity labels used to represent
all the sensitivity levels for the mandatory access control
(combined data secrecy and data integrity) policy always
forms a partially ordered set. Without loss of generality,
this set of labels can always be extended to form a lattice,
by including all the combinations of non-hierarchical
categories. As for any lattice, a dominance relation is
always defined for the total sensitivity labels. For admin-
istrative reasons it may be helpful to have a maximum level
+ Statement from DoD 5200.28-STD
The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB
is expected to mediate. Furthermore, the TCB shall maintain
authentication data that includes information for verifying
the identity of individual users (e.g., passwords) as well
as information for determining the clearance and authoriza-
tions of individual users. This data shall be used by the
TCB to authenticate the user's identity and to ensure that
the sensitivity level and authorization of subjects external
to the TCB that may be created to act on behalf of the indi-
vidual user are dominated by the clearance and authorization
of that user. The TCB shall protect authentication data so
that it cannot be accessed by any unauthorized user. The
TCB shall be able to enforce individual accountability by
bility of associating this identity with all auditable
actions taken by that individual.
+ Interpretation
The requirement for identification and authentication
of users is the same for a network system as for an ADP sys-
tem. The identification and authentication may be done by
the component to which the user is directly connected or
tication server. Available techniques, such as those
applicable in the network context. However, in cases where
the NTCB is expected to mediate actions of a host (or other
network component) that is acting on behalf of a user or
_________________________
= Department of Defense Password Management Guide-
line, CSC-STD-002-85
authentication of the host (or other component) in lieu of
identification and authentication of an individual user, so
long as the component identifier implies a list of specific
users uniquely associated with the identifier at the time of
its use for authentication. This requirement does not apply
to internal subjects.
Authentication information, including the identity of a
user (once authenticated) may be passed from one component
to another without reauthentication, so long as the NTCB
thorized disclosure and modification. This protection shall
of mechanism) as pertains to the protection of the authenti-
cation mechanism and authentication data.
+ Rationale
The need for accountability is not changed in the con-
text of a network system. The fact that the NTCB is parti-
tioned over a set of components neither reduces the need nor
imposes new requirements. That is, individual accountabil-
ity is still the objective. Also, in the context of a net-
tability" can be satisfied by identification of a host (or
other component) so long as the requirement for traceability
to individual users or a set of specific individual users
uncertainty in traceability because of elapsed time between
changes in the group membership and the enforcement in the
access control mechanisms. In addition, there is no need in
a distributed processing system like a network to reauthen-
ticate a user at each point in the network where a projec-
tion of a user (via the subject operating on behalf of the
user) into another remote subject takes place.
The passing of identifiers and/or authentication infor-
mation from one component to another is usually done in sup-
trol (DAC). This support relates directly to the DAC
ferent NTCB partition than the one where the user was
authenticated. Employing a forwarded identification implies
additional reliance on the source and components along the
basis of determining a sensitivity label for a subject, it
must satisfy the Label Integrity criterion.
An authenticated identification may be forwarded
between components and employed in some component to iden-
tify the sensitivity level associated with a subject created
to act on behalf of the user so identified.
+ Statement from DoD 5200.28-STD
THE TCB SHALL SUPPORT A TRUSTED COMMUNICATION PATH BETWEEN
MUNICATIONS VIA THIS PATH SHALL BE INITIATED EXCLUSIVELY BY
A USER.
+ Interpretation
A TRUSTED PATH IS SUPPORTED BETWEEN A USER (I.E.,
HUMAN) AND THE NTCB PARTITION IN THE COMPONENT TO WHICH THE
USER IS DIRECTLY CONNECTED.
+ Rationale
WHEN A USER LOGS INTO A REMOTE COMPONENT, THE USER ID
CATION AND AUTHENTICATION.
TRUSTED PATH IS NECESSARY IN ORDER TO ASSURE THAT THE
USER IS COMMUNICATING WITH THE NTCB AND ONLY THE NTCB WHEN
SECURITY RELEVANT ACTIVITIES ARE TAKING PLACE (E.G., AUTHEN-
TICATE USER, SET CURRENT SESSION SENSITIVITY LEVEL). HOW-
EVER, TRUSTED PATH DOES NOT ADDRESS COMMUNICATIONS WITHIN
THE NTCB, ONLY COMMUNICATIONS BETWEEN THE USER AND THE NTCB.
COMMUNICATION THEN THE COMPONENT NEED NOT CONTAIN MECHANISMS
FOR ASSURING DIRECT NTCB TO USER COMMUNICATIONS.
THE REQUIREMENT FOR TRUSTED COMMUNICATION BETWEEN ONE
NTCB PARTITION AND ANOTHER NTCB PARTITION IS ADDRESSED IN
THE SYSTEM ARCHITECTURE SECTION. THESE REQUIREMENTS ARE
SEPARATE AND DISTINCT FROM THE USER TO NTCB COMMUNICATION
REQUIREMENT OF A TRUSTED PATH. HOWEVER, IT IS EXPECTED THAT
THIS TRUSTED COMMUNICATION BETWEEN ONE NTCB PARTITION AND
ANOTHER NTCB PARTITION WILL BE USED IN CONJUNCTION WITH THE
TRUSTED PATH TO IMPLEMENT TRUSTED COMMUNICATION BETWEEN THE
USER AND THE REMOTE NTCB PARTITION.
+ Statement from DoD 5200.28-STD
The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit
trail of accesses to the objects it protects. The audit
is limited to those who are authorized for audit data. The
TCB shall be able to record the following types of events:
use of identification and authentication mechanisms, intro-
open, program initiation), deletion of objects, actions
taken by computer operators and system administrators and/or
events. The TCB shall also be able to audit any override of
the audit record shall identify: date and time of the event,
user, type of event, and success or failure of the event.
For identification/authentication events the origin of
address space and for object deletion events the audit
able to selectively audit the actions of any one or more
users based on individual identity and/or object sensitivity
level. THE TCB SHALL BE ABLE TO AUDIT THE IDENTIFIED
EVENTS THAT MAY BE USED IN THE EXPLOITATION OF COVERT
STORAGE CHANNELS.
+ Interpretation
This criterion applies as stated. The sponsor must
not distinguishable by the NTCB alone (for example those
identified in Part II), the audit mechanism shall provide an
interface, which an authorized subject can invoke with
audit records shall be distinguishable from those provided
by the NTCB. In the context of a network system, "other
architecture and network security policy) might be as fol-
lows:
lishing a connection or a connectionless association
between processes in two hosts of the network) and
its principal parameters (e.g., host identifiers of
the two hosts involved in the access event and user
identifier or host identifier of the user or host
that is requesting the access event)
each access event using local time or global syn-
chronized time
ditions (e.g., potential violation of data
integrity, such as misrouted datagrams) detected
during the transactions between two hosts
component leaving the network and rejoining)
In addition, identification information should be
included in appropriate audit trail records, as necessary,
to allow association of all related (e.g., involving the
network system may provide the required audit capability
(e.g., storage, retrieval, reduction, analysis) for other
components that do not internally store audit data but
transmit the audit data to some designated collection com-
audit data due to unavailability of resources.
In the context of a network system, the "user's address
events, to include address spaces being employed on behalf
of a remote user (or host). However, the focus remains on
users in contrast to internal subjects as discussed in the
DAC criterion. In addition, audit information must be
THE CAPABILITY MUST EXIST TO AUDIT THE IDENTIFIED
EVENTS THAT MAY BE USED IN THE EXPLOITATION OF COVERT
STORAGE CHANNELS. TO ACCOMPLISH THIS, EACH NTCB PARTITION
MUST BE ABLE TO AUDIT THOSE EVENTS LOCALLY THAT MAY LEAD TO
THE EXPLOITATION OF A COVERT STORAGE CHANNEL WHICH EXISTS
BECAUSE OF THE NETWORK.
+ Rationale
For remote users, the network identifiers (e.g., inter-
net address) can be used as identifiers of groups of indivi-
maintenance that would be required if individual identifica-
tion of remote users was employed. In this class (C2), how-
ever, it must be possible to identify (immediately or at
identifier. In all other respects, the interpretation is a
of a network system. IDENTIFICATION OF COVERT CHANNEL
EVENTS IS ADDRESSED IN THE COVERT CHANNEL ANALYSIS SECTION.
+ Statement from DoD 5200.28-STD
THE TCB SHALL MAINTAIN A DOMAIN FOR ITS OWN EXECUTION THAT
BY MODIFICATION OF ITS CODE OR DATA STRUCTURES). THE TCB
SHALL MAINTAIN PROCESS ISOLATION THROUGH THE PROVISION OF
DISTINCT ADDRESS SPACES UNDER ITS CONTROL. THE TCB SHALL BE
MODULES. IT SHALL MAKE EFFECTIVE USE OF AVAILABLE HARDWARE
TO SEPARATE THOSE ELEMENTS THAT ARE PROTECTION-CRITICAL FROM
THOSE THAT ARE NOT. THE TCB MODULES SHALL BE DESIGNED SUCH
THAT THE PRINCIPLE OF LEAST PRIVILEGE IS ENFORCED. FEATURES
LOGICALLY DISTINCT STORAGE OBJECTS WITH SEPARATE ATTRIBUTES
(NAMELY: READABLE, WRITABLE). THE USER INTERFACE TO THE TCB
SHALL BE COMPLETELY DEFINED AND ALL ELEMENTS OF THE TCB
+ Interpretation
The system architecture criterion must be met individu-
ally by all NTCB partitions. Implementation of the require-
ment that the NTCB maintain a domain for its own execution
is achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis-
tinct domain in the overall network system, this also satis-
fies the requirement for process isolation through distinct
address spaces in the special case where a component has
only a single subject.
THE NTCB MUST BE INTERNALLY STRUCTURED INTO WELL-
DEFINED LARGELY INDEPENDENT MODULES AND MEET THE HARDWARE
REQUIREMENTS. THIS IS SATISFIED BY HAVING EACH NTCB PARTI-
TION SO STRUCTURED. THE NTCB CONTROLS ALL NETWORK RESOURCES.
THESE RESOURCES are the union of the sets of resources over
inside the NTCB) belonging to different NTCB partitions,
must be protected against external interference or tamper-
ing. For example, a cryptographic checksum or physical
means may be employed to protect user authentication data
exchanged between NTCB partitions.
EACH NTCB PARTITION MUST ENFORCE THE PRINCIPLE OF LEAST
BE STRUCTURED SO THAT THE PRINCIPLE OF LEAST PRIVILEGE IS
ENFORCED IN THE SYSTEM AS A WHOLE.
Each NTCB partition provides isolation of resources
(within its component) in accord with the network system
architecture and security policy so that "supporting ele-
ments" (e.g., DAC and user identification) for the security
mechanisms of the network system are strengthened compared
to C2, from an assurance point of view, through the provi-
As discussed in the Discretionary Access Control sec-
tion, the DAC mechanism of an NTCB partition may be imple-
mented at the interface of the reference monitor or may be
assurance requirements for the design and implementation of
the DAC shall be those of class C2 for all networks of class
C2 or above.
+ Rationale
THE REQUIREMENT THAT THE NTCB BE STRUCTURED INTO
MODULES AND MEET THE HARDWARE REQUIREMENTS APPLIES WITHIN
THE NTCB PARTITIONS IN THE VARIOUS COMPONENTS.
THE PRINCIPLE OF LEAST PRIVILEGE REQUIRES THAT EACH
USER OR OTHER INDIVIDUAL WITH ACCESS TO THE SYSTEM BE GIVEN
ONLY THOSE RESOURCES AND AUTHORIZATIONS REQUIRED FOR THE
THAT SUPPORTS USERS OR OTHER INDIVIDUALS. FOR EXAMPLE,
NTCB PARTITION (E.G., GAMES) LESSENS THE OPPORTUNITY OF DAM-
AGE BY A TROJAN HORSE.
The requirement for the protection of communications
between NTCB partitions is specifically directed to subjects
that are part of the NTCB partitions. Any requirements for
The provision of distinct address spaces under the con-
trol of the NTCB provides the ability to separate subjects
according to sensitivity level. This requirement is intro-
implement mandatory access controls.
+ Statement from DoD 5200.28-STD
Hardware and/or software features shall be provided that can
be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB.
+ Interpretation
Implementation of the requirement is partly achieved by
and firmware elements of each component's NTCB partition.
Features shall also be provided to validate the identity and
correct operation of a component prior to its incorporation
in the network system and throughout system operation. For
example, a protocol could be designed that enables the com-
cally and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability
to respond. NTCB partitions shall provide the capability to
Intercomponent protocols implemented within an NTCB
tion in the case of failures of network communications or
individual components. The allocation of mandatory and dis-
cretionary access control policy in a network may require
communication between trusted subjects that are part of the
NTCB partitions in different components. This communication
is normally implemented with a protocol between the subjects
as peer entities. Incorrect access within a component shall
not result from failure of an NTCB partition to communicate
+ Rationale
The first paragraph of the interpretation is a
text of a network system and partitioned NTCB as defined for
these network criteria.
NTCB protocols should be robust enough so that they
zed failure. The purpose of this protection is to preserve
the integrity of the NTCB itself. It is not unusual for one
or more components in a network to be inoperative at any
time, so it is important to minimize the effects of such
failures on the rest of the network. Additional integrity
and denial of service issues are addressed in Part II.
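As an added illustration, not part of the TNI text or of any evaluated product, of the kind of intercomponent validation protocol the interpretation above describes: each NTCB partition periodically challenges its peers with a fresh nonce, a peer answers with the result of its own hardware/firmware self-test bound to that nonce under a pre-shared key, and a peer that fails to answer, answers incorrectly, or replays an earlier answer is marked failed so that no access decision in this partition relies on it. The partition names, message layout, and the pre-shared-key scheme are assumptions made for this example only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Hypothetical NTCB partition.  Only "validated" peers may be relied upon
# for labels or access decisions.  Keys are pre-shared per peer pair; this
# is an assumption of the example, the TNI prescribes no mechanism.
@dataclass
class Partition:
    name: str
    keys: dict                                   # peer name -> shared key bytes
    self_test_ok: bool = True                    # result of the local hw/fw check
    pending: dict = field(default_factory=dict)  # peer -> outstanding nonce
    status: dict = field(default_factory=dict)   # peer -> "validated" | "failed"

    def challenge(self, peer):
        """Start a validation round by sending a fresh nonce to a peer."""
        nonce = secrets.token_bytes(16)
        self.pending[peer] = nonce
        return {"type": "challenge", "from": self.name, "nonce": nonce}

    def respond(self, msg):
        """Answer a peer's challenge with the self-test result bound to its nonce."""
        peer = msg["from"]
        if peer not in self.keys:                # unknown component: do not answer
            return None
        result = b"PASS" if self.self_test_ok else b"FAIL"
        tag = hmac.new(self.keys[peer], msg["nonce"] + result, hashlib.sha256).digest()
        return {"type": "response", "from": self.name, "nonce": msg["nonce"],
                "result": result, "tag": tag}

    def verify(self, msg):
        """Check a response against the outstanding nonce and record the peer's state."""
        peer = msg["from"]
        nonce = self.pending.pop(peer, None)
        if nonce is None or peer not in self.keys or msg["nonce"] != nonce:
            self.status[peer] = "failed"         # stale, replayed or unsolicited reply
            return False
        expect = hmac.new(self.keys[peer], nonce + msg["result"], hashlib.sha256).digest()
        ok = hmac.compare_digest(expect, msg["tag"]) and msg["result"] == b"PASS"
        self.status[peer] = "validated" if ok else "failed"
        return ok

    def timeout(self, peer):
        """No reply within the allowed interval: treat the peer as inoperative."""
        self.pending.pop(peer, None)
        self.status[peer] = "failed"

    def may_rely_on(self, peer):
        """Access decisions may use the peer's data only while it is validated."""
        return self.status.get(peer) == "validated"


def validation_round(challenger, responder, deliver=True):
    """One protocol round; deliver=False simulates a lost reply."""
    chal = challenger.challenge(responder.name)
    resp = responder.respond(chal)
    if not deliver or resp is None:
        challenger.timeout(responder.name)
        return False
    return challenger.verify(resp)


def demo():
    """Constructed scenario: healthy peer, lost reply, failed self-test, replayed reply."""
    k = secrets.token_bytes(32)
    a = Partition("A", {"B": k})
    b = Partition("B", {"A": k})
    out = {}
    out["healthy"] = validation_round(a, b)                    # True
    out["rely_after_healthy"] = a.may_rely_on("B")             # True
    out["lost_reply"] = validation_round(a, b, deliver=False)  # False
    out["rely_after_loss"] = a.may_rely_on("B")                # False
    b.self_test_ok = False
    out["failed_selftest"] = validation_round(a, b)            # False
    b.self_test_ok = True
    chal = a.challenge("B")
    old = b.respond(chal)
    a.verify(old)                                              # consumes the nonce
    out["replay"] = a.verify(old)                              # False: nonce already used
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `may_rely_on` check is the last sentence of the interpretation: a partition that cannot communicate with a peer must fall back to denying accesses that would depend on that peer, rather than continuing with the peer's last known state.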
+ Statement from DoD 5200.28-STD
THE SYSTEM DEVELOPER SHALL CONDUCT A THOROUGH SEARCH FOR
COVERT STORAGE CHANNELS AND MAKE A DETERMINATION (EITHER BY
ACTUAL MEASUREMENT OR BY ENGINEERING ESTIMATION) OF THE MAX-
CHANNELS GUIDELINE SECTION.)
+ Interpretation
THE REQUIREMENT, INCLUDING THE TCSEC COVERT CHANNEL
GUIDELINE, APPLIES AS WRITTEN. IN A NETWORK, THERE ARE
ADDITIONAL INSTANCES OF COVERT CHANNELS ASSOCIATED WITH COM-
MUNICATION BETWEEN COMPONENTS.
+ Rationale
THE EXPLOITATION OF NETWORK PROTOCOL INFORMATION (E.G.,
HEADERS) CAN RESULT IN COVERT STORAGE CHANNELS. THE TOPIC
HAS BEEN ADDRESSED IN THE LITERATURE.-
_________________________
- See, for example, Girling, C. G., "Covert Channels
in LAN's," IEEE Transactions on Software Engineering,
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A.,
Snow, D. P., and Karger, P. A., Limitations of End-to-
End Encryption in Secure Computer Networks, MITRE
Technical Report, MTR-3592, Vol. I, May 1978 (ESD TR
+ Statement from DoD 5200.28-STD
THE TCB SHALL SUPPORT SEPARATE OPERATOR AND ADMINISTRATOR
FUNCTIONS.
+ Interpretation
THIS REQUIREMENT APPLIES AS WRITTEN TO BOTH THE NETWORK
AS A WHOLE AND TO INDIVIDUAL COMPONENTS WHICH SUPPORT SUCH
+ Rationale
IT IS RECOGNIZED THAT BASED ON THE ALLOCATED POLICY
ELEMENTS SOME COMPONENTS MAY OPERATE WITH NO HUMAN INTER-
FACE.
+ Statement from DoD 5200.28-STD
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation. A
team of individuals who thoroughly understand the specific
implementation of the TCB shall subject its design documen-
tation, source code, and object code to thorough analysis and
testing. Their objectives shall be: to uncover all design
and implementation flaws that would permit a subject exter-
nal to the TCB to read, change, or delete data normally
enforced by the TCB; as well as to assure that no subject
(without authorization to do so) is able to cause the TCB to
enter a state such that it is unable to respond to communi-
cations initiated by other users. THE TCB SHALL BE FOUND
RELATIVELY RESISTANT TO PENETRATION. All discovered flaws
flaws have not been introduced. TESTING SHALL DEMONSTRATE
THAT THE TCB IMPLEMENTATION IS CONSISTENT WITH THE DESCRIP-
TIVE TOP-LEVEL SPECIFICATION. (See the Security Testing
Guidelines.)
+ Interpretation
Testing of a component will require a testbed that
exercises the interfaces and protocols of the component
including tests under exceptional conditions. The testing
of a security mechanism of the network system for meeting
this criterion shall be an integrated testing procedure
involving all components containing an NTCB partition that
implement the given mechanism. This integrated testing is
additional to any individual component tests involved in the
evaluation of the network system. The sponsor should iden-
tify the allowable set of configurations including the sizes
of the networks. Analysis or testing procedures and tools
tions. A change in configuration within the allowable set
of configurations does not require retesting.
The testing of each component will include the intro-
component that will attempt to read, change, or delete data
normally denied. If the normal interface to the component
conduct such a test, then this portion of the testing shall
use a special version of the untrusted software for the com-
The results shall be saved for test analysis. Such special
versions shall have an NTCB partition that is identical to
that for the normal configuration of the component under
evaluation.
The testing of the mandatory controls shall include
tests to demonstrate that the labels for information
imported and/or exported to/from the component accurately
the component for use as the basis for its mandatory access
control decisions. The tests shall include each type of
component.
THE NTCB MUST BE FOUND RELATIVELY RESISTANT TO PENETRA-
TION. THIS APPLIES TO THE NTCB AS A WHOLE, AND TO EACH NTCB
+ Rationale
The phrase "no subject (without authorization to do so)
is able to cause the TCB to enter a state such that it is
unable to respond to communications initiated by other
users" relates to the security services (Part II of this
TNI) for the Denial of Service problem, and to correctness
of the protocol implementations.
Testing is an important method available in this
evaluation division to gain any assurance that the security
mechanisms perform their intended function. A major purpose
of testing is to demonstrate the system's response to inputs
to the NTCB partition from untrusted (and possibly mali-
cious) subjects.
In contrast to general purpose systems that allow for
the dynamic creation of new programs and the introductions
of new processes (and hence new subjects) with user speci-
fied security properties, many network components have no
method for introducing new programs and/or processes during
their normal operation. Therefore, the programs necessary
for the testing must be introduced as special versions of
the software rather than as the result of normal inputs by
the test team. However, it must be ensured that the NTCB
evaluation.
Sensitivity labels serve a critical role in maintaining
the security of the mandatory access controls in the net-
of the labels for information communicated between com-
cit labels for single-level devices. Therefore the testing
for correct labels is highlighted.
THE REQUIREMENT FOR TESTING TO DEMONSTRATE CONSISTENCY
BETWEEN THE NTCB IMPLEMENTATION AND THE DTLS IS A STRAIGHT-
FORWARD EXTENSION OF THE TCSEC REQUIREMENT INTO THE CONTEXT
OF A NETWORK SYSTEM.
+ Statement from DoD 5200.28-STD
A FORMAL model of the security policy supported by the TCB
THAT IS PROVEN and demonstrated to be consistent with its
axioms. A DESCRIPTIVE TOP-LEVEL SPECIFICATION (DTLS) OF THE
TCB SHALL BE MAINTAINED THAT COMPLETELY AND ACCURATELY
DESCRIBES THE TCB IN TERMS OF EXCEPTIONS, ERROR MESSAGES,
AND EFFECTS. IT SHALL BE SHOWN TO BE AN ACCURATE DESCRIP-
TION OF THE TCB INTERFACE.
+ Interpretation
The overall network security policy expressed in this
model will provide the basis for the mandatory access con-
trol policy exercised by the NTCB over subjects and storage
objects in the entire network. The policy will also be the
basis for the discretionary access control policy exercised
by the NTCB to control access of named users to named
objects. Data integrity requirements addressing the effects
of unauthorized MSM need not be included in this model. The
overall network policy must be decomposed into policy ele-
ments that are allocated to appropriate components and used
as the basis for the security policy model for those com-
The level of abstraction of the model, and the set of
model, will be affected by the NTCB partitioning. Subjects
and objects must be represented explicitly in the model for
the partition if there is some network component whose NTCB
applicable to individual network components are manifest.
Global network policy elements that are allocated to com-
THE REQUIREMENTS FOR A NETWORK DTLS ARE GIVEN IN THE
DESIGN DOCUMENTATION SECTION.
+ Rationale
The treatment of the model depends to a great extent on
the degree of integration of the communications service into
a distributed system. In a closely coupled distributed sys-
tem, one might use a model that closely resembles one
appropriate for a stand-alone computer system.
In other cases, the model of each partition will be
expected to show the role of the NTCB partition in each kind
of component. It will most likely clarify the model,
although not part of the model, to show access restrictions
implied by the system design; for example, subjects
objects containing data units at the same layer of protocol.
The allocation of subjects and objects to different proto-
col layers is a protocol design choice which need not be
+ Statement from DoD 5200.28-STD
DURING DEVELOPMENT AND MAINTENANCE OF THE TCB, A CONFIGURA-
TION MANAGEMENT SYSTEM SHALL BE IN PLACE THAT MAINTAINS CON-
TROL OF CHANGES TO THE DESCRIPTIVE TOP-LEVEL SPECIFICATION,
OTHER DESIGN DATA, IMPLEMENTATION DOCUMENTATION, SOURCE
CODE, THE RUNNING VERSION OF THE OBJECT CODE, AND TEST FIX-
TURES AND DOCUMENTATION. THE CONFIGURATION MANAGEMENT SYS-
TEM SHALL ASSURE A CONSISTENT MAPPING AMONG ALL DOCUMENTA-
TION AND CODE ASSOCIATED WITH THE CURRENT VERSION OF THE
TCB. TOOLS SHALL BE PROVIDED FOR GENERATION OF A NEW VER-
SION OF THE TCB FROM SOURCE CODE. ALSO AVAILABLE SHALL BE
TOOLS FOR COMPARING A NEWLY GENERATED VERSION WITH THE PRE-
VIOUS TCB VERSION IN ORDER TO ASCERTAIN THAT ONLY THE
ALLY BE USED AS THE NEW VERSION OF THE TCB.
+ Interpretation
THE REQUIREMENT APPLIES AS WRITTEN, WITH THE FOLLOWING
EXTENSIONS:
FOR EACH NTCB PARTITION.
ENTIRE SYSTEM. IF THE CONFIGURATION MANAGEMENT SYS-
TEM IS MADE UP OF THE CONGLOMERATION OF THE CONFI-
GURATION MANAGEMENT SYSTEMS OF THE VARIOUS NTCB PAR-
TITIONS, THEN THE CONFIGURATION MANAGEMENT PLAN MUST
ADDRESS THE ISSUE OF HOW CONFIGURATION CONTROL IS
APPLIED TO THE SYSTEM AS A WHOLE.
+ Rationale
EACH NTCB PARTITION MUST HAVE A CONFIGURATION MANAGE-
MENT SYSTEM IN PLACE, OR ELSE THERE WILL BE NO WAY FOR THE
NTCB AS A WHOLE TO HAVE AN EFFECTIVE CONFIGURATION MANAGE-
MENT SYSTEM. THE OTHER EXTENSIONS ARE MERELY REFLECTIONS OF
THE WAY THAT NETWORKS OPERATE IN PRACTICE.
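The requirement above calls for tools that compare a newly generated NTCB version with the previous one so that only the intended changes are present. The following is an added example, not part of the TNI or of any vendor's configuration management system, of the check such a tool performs: each file of a generated version is identified by a digest, and the new version is accepted only if the set of changed files matches exactly the set the configuration management record authorizes. The in-memory "build trees" and file paths are constructed for the example.

```python
import hashlib


def manifest(tree):
    """Map each file of a generated TCB version to a SHA-256 digest of its contents.
    `tree` is a dict path -> bytes, an in-memory stand-in for a build tree."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def compare_versions(previous, current, intended):
    """Compare a newly generated version against the previous one.

    previous, current: manifests as returned by manifest().
    intended: paths the configuration management record authorizes to change.
    The new version is accepted only if every changed (added, removed or
    modified) file was authorized and every authorized change actually took
    effect; anything else indicates an unrecorded change in the TCB."""
    changed = {p for p in previous.keys() | current.keys()
               if previous.get(p) != current.get(p)}
    unexpected = sorted(changed - set(intended))        # changed without authorization
    not_applied = sorted(set(intended) - changed)       # authorized but unchanged
    return {"changed": sorted(changed), "unexpected": unexpected,
            "not_applied": not_applied,
            "accept": not unexpected and not not_applied}


def demo():
    """Constructed scenario: one authorized change plus one unrecorded change."""
    old_tree = {"kernel/mac.c": b"mac v1", "kernel/dac.c": b"dac v1",
                "doc/dtls.txt": b"dtls v1"}
    new_tree = {"kernel/mac.c": b"mac v2",      # authorized change
                "kernel/dac.c": b"dac v1 patched",   # NOT in the CM record
                "doc/dtls.txt": b"dtls v2"}     # authorized change
    authorized = {"kernel/mac.c", "doc/dtls.txt"}
    first = compare_versions(manifest(old_tree), manifest(new_tree), authorized)
    # After the unrecorded change is backed out, the comparison accepts the version.
    new_tree["kernel/dac.c"] = b"dac v1"
    second = compare_versions(manifest(old_tree), manifest(new_tree), authorized)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the comparison is over digests rather than file names or timestamps, an object-code difference introduced by a changed build tool or compiler also shows up as an unexpected change, which is the "consistent mapping among all documentation and code" the requirement asks the configuration management system to assure.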
+ Statement from DoD 5200.28-STD
A single summary, chapter, or manual in user documentation
TCB, interpretations on their use, and how they interact
+ Interpretation
This user documentation describes user visible protec-
tion mechanisms at the global (network system) level and at
the user interface of each component, and the interaction
among these.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system as defined for these
network criteria. Documentation of protection mechanisms
teria for trusted computer systems that are applied as
appropriate for the individual components.
+ Statement from DoD 5200.28-STD
A manual addressed to the ADP system administrator shall
be controlled when running a secure facility. The procedures
for examining and maintaining the audit files as well as the
administrator functions related to security, to include
changing the security characteristics of a user. It shall
of the protection features of the system, how they interact,
to operate the facility in a secure manner. THE TCB MODULES
THAT CONTAIN THE REFERENCE VALIDATION MECHANISM SHALL BE
TCB FROM SOURCE AFTER MODIFICATION OF ANY MODULES IN THE TCB
SHALL BE DESCRIBED.
+ Interpretation
This manual shall contain specifications and procedures
to assist the system administrator(s) maintain cognizance of
the network configuration. These specifications and pro-
cedures shall address the following:
network;
leave the network (e.g., by crashing, or by being
disconnected) and then rejoin;
security of the network system; (For example, the
manual should describe for the network system
administrator the interconnections among components
that are consistent with the overall network system
architecture.)
(e.g., down-line loading).
INDICATE WHICH COMPONENTS OF THE NETWORK MAY CHANGE
WITHOUT OTHERS ALSO CHANGING.
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
THE COMPONENTS OF THE NETWORK THAT FORM THE NTCB MUST
BE IDENTIFIED. FURTHERMORE, THE MODULES WITHIN AN NTCB PAR-
TITION THAT CONTAIN THE REFERENCE VALIDATION MECHANISM (IF
ANY) WITHIN THAT PARTITION MUST BE IDENTIFIED.
THE PROCEDURES FOR THE SECURE GENERATION OF A NEW VER-
SION (OR COPY) OF EACH NTCB PARTITION FROM SOURCE MUST BE
DESCRIBED. THE PROCEDURES AND REQUIREMENTS FOR THE SECURE
GENERATION OF THE NTCB NECESSITATED BY CHANGES IN THE NET-
WORK CONFIGURATION SHALL BE DESCRIBED.
+ Rationale
There may be multiple system administrators with
other forms of security in order to achieve security of the
network. Additional forms include administrative security,
Extension of this criterion to cover configuration
aspects of the network is needed because, for example,
to achieve a correct realization of the network architec-
ture.
As mentioned in the section on Label Integrity, cryp-
tography is one common mechanism employed to protect communi-
cation circuits. Encryption transforms the representation
of information so that it is unintelligible to unauthorized
of the ciphertext is generally lower than the cleartext. If
encryption methodologies are employed, they shall be
approved by the National Security Agency (NSA).
The encryption algorithm and its implementation are
outside the scope of these interpretations. This algorithm
and implementation may be implemented in a separate device
or may be a function of a subject in a component not dedi-
cated to encryption. Without prejudice, either implementa-
tion packaging is referred to as an encryption mechanism
THE REQUIREMENTS FOR DESCRIPTIONS OF NTCB GENERATION
AND IDENTIFICATION OF MODULES AND COMPONENTS THAT FORM THE
NTCB ARE STRAIGHTFORWARD EXTENSIONS OF THE TCSEC REQUIRE-
MENTS INTO THE NETWORK CONTEXT. IN THOSE CASES WHERE THE
VENDOR DOES NOT PROVIDE SOURCE CODE, AN ACCEPTABLE PROCEDURE
SHALL BE TO REQUEST THE VENDOR TO PERFORM THE SECURE GENERA-
TION.
+ Statement from DoD 5200.28-STD
The system developer shall provide to the evaluators a docu-
ment that describes the test plan, test procedures that show
RESULTS OF TESTING THE EFFECTIVENESS OF THE METHODS USED TO
REDUCE COVERT CHANNEL BANDWIDTHS.
+ Interpretation
The "system developer" is interpreted as "the network
establish the context in which the testing was or should be
conducted. The description should identify any additional
test components that are not part of the system being
evaluated. This includes a description of the test-relevant
functions of such test components and a description of the
interfacing of those test components to the system being
evaluated. The description of the test plan should also
configuration and sizing.
+ Rationale
The entity being evaluated may be a networking subsys-
tem (see Appendix A) to which other components must be added
to make a complete network system. In that case, this
interpretation is extended to include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
THE BANDWIDTHS OF COVERT CHANNELS ARE USED TO DETERMINE
THE SUITABILITY OF A NETWORK SYSTEM FOR A GIVEN ENVIRONMENT.
THE EFFECTIVENESS OF THE METHODS USED TO REDUCE THESE
BANDWIDTHS MUST THEREFORE BE ACCURATELY DETERMINED.
+ Statement from DoD 5200.28-STD
Documentation shall be available that provides a description
of the manufacturer's philosophy of protection and an expla-
nation of how this philosophy is translated into the TCB.
THE interfaces between THE TCB modules shall be described.
A FORMAL description of the security policy model enforced
by the TCB shall be available and an explanation provided to
The specific TCB protection mechanisms shall be identified
and an explanation given to show that they satisfy the
model. THE DESCRIPTIVE TOP-LEVEL SPECIFICATION (DTLS) SHALL
BE SHOWN TO BE AN ACCURATE DESCRIPTION OF THE TCB INTERFACE.
DOCUMENTATION SHALL DESCRIBE HOW THE TCB IMPLEMENTS THE
REFERENCE MONITOR CONCEPT AND GIVE AN EXPLANATION WHY IT IS
TAMPER RESISTANT, CANNOT BE BYPASSED, AND IS CORRECTLY
STRUCTURED TO FACILITATE TESTING AND TO ENFORCE LEAST
RESULTS OF THE COVERT CHANNEL ANALYSIS AND THE TRADEOFFS
THAT MAY BE USED IN THE EXPLOITATION OF KNOWN COVERT STORAGE
CHANNELS SHALL BE IDENTIFIED. THE BANDWIDTHS OF KNOWN
COVERT STORAGE CHANNELS, THE USE OF WHICH IS NOT DETECTABLE
BY THE AUDITING MECHANISMS, SHALL BE PROVIDED. (SEE THE
COVERT CHANNEL GUIDELINE SECTION.)
+ Interpretation
Explanation of how the sponsor's philosophy of protec-
tion is translated into the NTCB shall include a description
of how the NTCB is partitioned. The security policy also
the NTCB modules shall include the interface(s) between NTCB
exist. The sponsor shall describe the security architecture
and design, including the allocation of security require-
ments among components.
THE DOCUMENTATION INCLUDES BOTH A SYSTEM DESCRIPTION
AND A SET OF COMPONENT DTLS'S. THE SYSTEM DESCRIPTION
ADDRESSES THE NETWORK SECURITY ARCHITECTURE AND DESIGN BY
SPECIFYING THE TYPES OF COMPONENTS IN THE NETWORK, WHICH
ONES ARE TRUSTED, AND IN WHAT WAY THEY MUST COOPERATE TO
SUPPORT NETWORK SECURITY OBJECTIVES. A COMPONENT DTLS SHALL
BE PROVIDED FOR EACH TRUSTED NETWORK COMPONENT, I.E., EACH
COMPONENT CONTAINING AN NTCB PARTITION. EACH COMPONENT DTLS
SHALL DESCRIBE THE INTERFACE TO THE NTCB PARTITION OF ITS
COMPONENT. APPENDIX A ADDRESSES COMPONENT EVALUATION ISSUES.
As stated in the introduction to Division B, the spon-
monitor concept. The security policy model must be a model
for a reference monitor.
The security policy model for each partition implement-
ing a reference monitor shall fully represent the access
control policy supported by the partition, including the
and/or integrity. For the mandatory policy the single domi-
nance relation for sensitivity labels, including secrecy
and/or integrity components, shall be precisely defined.
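The last sentence above requires a single, precisely defined dominance relation over labels that carry both secrecy and integrity components. The following added example (not part of the TNI, nor a model from any evaluated system) writes that relation down as a partial order combining the secrecy ordering and the integrity ordering, derives the read and write rules from it, and checks its partial-order properties over a small label set. The level names, the category names and the key distribution center scenario (drawn from the Security Policy rationale for class B3 later in this document) are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product

# Hypothetical level orderings; a real network takes these from its labeling
# policy.  Higher secrecy = more sensitive; higher integrity = more trustworthy.
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}
INTEGRITY = {"UNTRUSTED": 0, "USER": 1, "SYSTEM": 2}


@dataclass(frozen=True)
class Label:
    """Sensitivity label with a secrecy component and an integrity component."""
    secrecy: int
    secrecy_cats: frozenset
    integrity: int
    integrity_cats: frozenset


def label(sec, sec_cats=(), integ="USER", int_cats=()):
    return Label(SECRECY[sec], frozenset(sec_cats), INTEGRITY[integ], frozenset(int_cats))


def dominates(a, b):
    """The single dominance relation: a dominates b iff information may flow from b to a.
    Secrecy (no flow to a less secret label) and integrity (no flow to a more
    trusted label) are combined into one partial order."""
    return (a.secrecy >= b.secrecy and a.secrecy_cats >= b.secrecy_cats
            and a.integrity <= b.integrity and a.integrity_cats <= b.integrity_cats)


def may_read(subject, obj):
    """A read moves information from object to subject: subject must dominate object."""
    return dominates(subject, obj)


def may_write(subject, obj):
    """A write moves information from subject to object: object must dominate subject."""
    return dominates(obj, subject)


def join(a, b):
    """Least upper bound: the label for data derived from both a and b."""
    return Label(max(a.secrecy, b.secrecy), a.secrecy_cats | b.secrecy_cats,
                 min(a.integrity, b.integrity), a.integrity_cats & b.integrity_cats)


def is_partial_order(labels):
    """Check reflexivity, antisymmetry and transitivity of dominates() over a set."""
    if not all(dominates(a, a) for a in labels):
        return False
    for a, b in product(labels, repeat=2):
        if a != b and dominates(a, b) and dominates(b, a):
            return False
    for a, b, c in product(labels, repeat=3):
        if dominates(a, b) and dominates(b, c) and not dominates(a, c):
            return False
    return True


# Constructed scenario: a key distribution center isolates its key generation
# code and data with a distinct integrity category.
KEYGEN_SUBJECT = label("SECRET", integ="SYSTEM", int_cats={"KEYGEN"})
KEY_TABLE = label("SECRET", integ="SYSTEM", int_cats={"KEYGEN"})
ORDINARY_SUBJECT = label("SECRET", integ="USER")
MESSAGE_QUEUE = label("SECRET", integ="USER")


def demo():
    sample = [KEYGEN_SUBJECT, ORDINARY_SUBJECT, MESSAGE_QUEUE,
              label("UNCLASSIFIED", integ="UNTRUSTED"), label("SECRET", {"NATO"}, "USER")]
    return {
        "ordinary_writes_key_table": may_write(ORDINARY_SUBJECT, KEY_TABLE),  # False
        "ordinary_reads_key_table": may_read(ORDINARY_SUBJECT, KEY_TABLE),    # True
        "keygen_reads_queue": may_read(KEYGEN_SUBJECT, MESSAGE_QUEUE),       # False
        "keygen_writes_queue": may_write(KEYGEN_SUBJECT, MESSAGE_QUEUE),     # True
        "lattice_ok": is_partial_order(sample),                              # True
    }


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the combined relation produces: the key generation subject may write into the ordinary message queue but may not read from it, since a read would bring lower-integrity data into the isolated category. That is exactly the isolation the integrity category is meant to buy.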
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system as
tion, such as description of components and description of
operating environment(s) in which the networking subsystem
or network system is designed to function, is required else-
In order to be evaluated, a network must possess a
coherent Network Security Architecture and Design. (Inter-
connection of components that do not adhere to such a single
coherent Network Security Architecture is addressed in the
Security Architecture must address the security-relevant
Design specifies the interfaces and services that must be
incorporated into the network so that it can be evaluated as
a trusted entity. There may be multiple designs that con-
form to the same architecture but are more or less incompa-
tible and non-interoperable (except through the Interconnec-
tion Rules). Security related mechanisms requiring coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms having no visible
interfaces are not specified in this document but are left
as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components can be assem-
bled into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and unambi-
Network Security Architecture and Design must be evaluated
to determine that a network constructed to its specifica-
tions will in fact be trusted, that is, it will be evaluat-
able under these interpretations.
The term "model" is used in several different ways in a
network context, e.g., a "protocol reference model," a "for-
mal network model," etc. Only the "security policy model" is
addressed by this requirement and is specifically intended
to model the interface, viz., "security perimeter," of the
in the TCSEC. It must be shown that all parts of the TCB
are a valid interpretation of the security policy model,
i.e., that there is no change to the secure state except as
3.3 CLASS (B3): SECURITY DOMAINS
THE CLASS (B3) NTCB MUST SATISFY THE REFERENCE
MONITOR REQUIREMENTS THAT IT MEDIATE ALL ACCESSES
OF SUBJECTS TO OBJECTS, BE TAMPERPROOF, AND BE
SMALL ENOUGH TO BE SUBJECTED TO ANALYSIS AND
TESTS. TO THIS END, THE NTCB IS STRUCTURED TO
EXCLUDE CODE NOT ESSENTIAL TO SECURITY POLICY
ENFORCEMENT, WITH SIGNIFICANT SYSTEM ENGINEERING
DURING NTCB DESIGN AND IMPLEMENTATION DIRECTED
TOWARD MINIMIZING ITS COMPLEXITY. A SECURITY
ADMINISTRATOR IS SUPPORTED, AUDIT MECHANISMS ARE
EXPANDED TO SIGNAL SECURITY-RELEVANT EVENTS, AND
SYSTEM RECOVERY PROCEDURES ARE REQUIRED. THE SYS-
TEM IS HIGHLY RESISTANT TO PENETRATION. THE FOL-
LOWING ARE MINIMAL REQUIREMENTS FOR SYSTEMS
ASSIGNED A CLASS (B3) RATING:
+ Statement from DoD 5200.28-STD
+ Interpretation
The network sponsor shall describe the overall network
cy is an access control policy having two primary com-
include a discretionary policy for protecting the informa-
tion being processed based on the authorizations of indivi-
cy statement shall describe the requirements on the network
to prevent or detect "reading or destroying" sensitive
information by unauthorized users or errors. The mandatory
that it supports. For the Class B1 or above the mandatory
information that reflects its sensitivity with respect to
ciated with users to reflect their authorization to access
that are not authorized to use the network at all (e.g., a
user attempting to use a passive or active wire tap) or a
legitimate user of the network who is not authorized to
access a specific piece of information being protected.
Note that "users" does not include "operators," "system
officers," and other system support personnel. They are
Manual and the System Architecture requirements. Such indi-
viduals may change the system parameters of the network sys-
tem, for example, by defining membership of a group. These
individuals may also have the separate role of users.
SECRECY POLICY: The network sponsor shall define the
form of the discretionary and mandatory secrecy
policy that is enforced in the network to prevent
unauthorized users from reading the sensitive infor-
mation entrusted to the network.
DATA INTEGRITY POLICY: The network sponsor shall
define the discretionary and mandatory integrity
policy to prevent unauthorized users from modifying,
viz., writing, sensitive information. The defini-
tion of data integrity presented by the network
sponsor refers to the requirement that the informa-
tion has not been subjected to unauthorized modifi-
cation in the network. The mandatory integrity pol-
icy enforced by the NTCB cannot, in general, prevent
modification while information is being transmitted
between components. However, an integrity sensi-
tivity label may reflect the confidence that the
information has not been subjected to transmission
errors because of the protection afforded during
transmission. This requirement is distinct from the
requirement for label integrity.
+ Rationale
The word "sponsor" is used in place of alternatives
(such as "vendor," "architect," "manufacturer," and
"developer") because the alternatives indicate people who
may not be available, involved, or relevant at the time that
a network system is proposed for evaluation.
A trusted network is able to control both the reading
and writing of shared sensitive information. Control of
tion. A network normally is expected to have policy require-
ments to protect both the secrecy and integrity of the
information entrusted to it. In a network the integrity is
frequently as important or more important than the secrecy
to be enforced by the network must be stated for each net-
the policy is faithfully enforced is reflected in the
evaluation class of the network.
This control over modification is typically used to
control the potential harm that would result if the informa-
tion were corrupted. The overall network policy require-
ments for integrity includes the protection for data both
transmitted in the network. The access control policy
enforced by the NTCB relates to the access of subjects to
objects within each component. Communications integrity
addressed within Part II relates to information while being
transmitted.
The mandatory integrity policy (at class B1 and above)
in some architectures may be useful in supporting the link-
age between the connection oriented abstraction introduced
in the Introduction and the individual components of the
network. For example, in a key distribution center for
end-to-end encryption, a distinct integrity category may be
assigned to isolate the key generation code and data from
The mandatory integrity policy for some architecture
may define an integrity sensitivity label that reflects the
been subject to random errors in excess of a stated limit
nor to unauthorized message stream modification (MSM) -.
The specific metric associated with an integrity sensitivity
label will generally reflect the intended applications of
the network.
+ Statement from DoD 5200.28-STD
The TCB shall define and control access between named users
and named objects (e.g., files and programs) in the ADP sys-
tem. The enforcement mechanism (e.g., ACCESS CONTROL LISTS)
OBJECTS and shall provide controls to limit propagation of
access rights. The discretionary access control mechanism
that objects are protected from unauthorized access. These
access controls shall be capable of SPECIFYING, FOR EACH
_________________________
- See Voydock, Victor L. and Stephen T. Kent, "Secu-
NAMED OBJECT, A LIST OF NAMED INDIVIDUALS AND A LIST OF
GROUPS OF NAMED INDIVIDUALS WITH THEIR RESPECTIVE MODES OF
ACCESS TO THAT OBJECT. FURTHERMORE, FOR EACH SUCH NAMED
OBJECT, IT SHALL BE POSSIBLE TO SPECIFY A LIST OF NAMED
WHICH NO ACCESS TO THE OBJECT IS GIVEN. Access permission
to an object by users not already possessing access permis-
+ Interpretation
The discretionary access control (DAC) mechanism(s) may
be distributed over the partitioned NTCB in various ways.
Some part, all, or none of the DAC may be implemented in a
no subjects acting as direct surrogates for users), such as
a public network packet switch, might not implement the DAC
mechanism(s) directly (e.g., they are unlikely to contain
access control lists).
Identification of users by groups may be achieved in
various ways in the networking environment. For example,
the network identifiers (e.g., internet addresses) for vari-
ous components (e.g., hosts, gateways) can be used as iden-
tifiers of groups of individual users (e.g., "all users at
Host A," "all users of network Q") so long as the individu-
als involved in the group are implied by the group identif-
er. For example, Host A might employ a particular group-id,
for which it maintains a list of explicit users in that
the group-id under the conditions of this interpretation.
For networks, individual hosts will impose need-to-know
controls over their users on the basis of named individuals
- much like (in fact, probably the same) controls used when
there is no network connection.
When group identifiers are acceptable for access con-
trol, the identifier of some other host may be employed, to
eliminate the maintenance that would be required if indivi-
C2 and higher, however, it must be possible from that audit
exactly the individuals represented by a group identifier at
the time of the use of that identifier. There is allowed to
be an uncertainty because of elapsed time between changes in
the group membership and the enforcement in the access con-
trol mechanisms.
The DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
all the physical resources of the system and from them
creates the abstraction of subjects and objects that it con-
trols. Some of these subjects and objects may be used to
implement a part of the NTCB. When the DAC mechanism is
Assurance section) for the design and implementation of the
DAC shall be those of class C2 for all networks of class C2
or above.
When integrity is included as part of the network dis-
cretionary security policy, the above interpretations shall
be specifically applied to the controls over modification,
viz, the write mode of access, within each component based
on identified users or groups of users.
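As an added example of the DAC interpretation above, not part of the TNI and not the mechanism of any evaluated host: the NTCB partition of one host keeps, per named object, an access control list of named individuals and groups with their modes, an exclusion list of principals given no access, and an owner who alone may change the list (limiting propagation of rights). Group identifiers include a host-derived group ("all users at Host A"), and every access decision writes an audit record that captures the membership of each group used at the time of use, so that the individuals behind a group identifier can be determined later as the interpretation requires. Host names, user names, object names and the principal naming scheme are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessControlList:
    """Per-object DAC state: owner controls changes; allow entries name
    individuals or groups with modes; deny entries exclude principals."""
    owner: str
    allow: dict = field(default_factory=dict)   # principal -> set of modes
    deny: set = field(default_factory=set)      # principals given no access


class NtcbPartition:
    """Hypothetical DAC mechanism of one host's NTCB partition."""

    def __init__(self, host):
        self.host = host
        self.groups = {}      # group-id -> explicit member set (e.g. "finance")
        self.acls = {}        # object name -> AccessControlList
        self.audit = []       # one record per access decision

    def define_group(self, group_id, members):
        self.groups[group_id] = set(members)

    def create_object(self, name, owner):
        self.acls[name] = AccessControlList(owner)

    def grant(self, actor, obj, principal, modes):
        """Only the owner may change an ACL; this limits propagation of rights."""
        acl = self.acls[obj]
        if actor != acl.owner:
            raise PermissionError(f"{actor} may not change the ACL of {obj}")
        acl.allow.setdefault(principal, set()).update(modes)

    def exclude(self, actor, obj, principal):
        """Place a principal on the object's exclusion list (owner only)."""
        acl = self.acls[obj]
        if actor != acl.owner:
            raise PermissionError(f"{actor} may not change the ACL of {obj}")
        acl.deny.add(principal)

    def principals_for(self, user, user_host):
        """Principals a user acts under: own id, the host-derived group, named groups."""
        names = {f"user:{user}", f"host:{user_host}"}
        names |= {f"group:{g}" for g, members in self.groups.items() if user in members}
        return names

    def check(self, obj, user, user_host, mode):
        """DAC decision: denied if any principal is excluded, otherwise allowed if
        any principal holds the mode.  Group membership at the time of use goes
        into the audit record."""
        acl = self.acls[obj]
        names = self.principals_for(user, user_host)
        denied = bool(names & acl.deny)
        allowed = any(mode in modes for p, modes in acl.allow.items() if p in names)
        decision = allowed and not denied
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "object": obj, "user": user, "host": user_host, "mode": mode,
            "decision": decision,
            "groups_at_time": {g: sorted(self.groups[g]) for g in self.groups
                               if f"group:{g}" in names},
        })
        return decision


def demo():
    """Constructed scenario on Host B: a file readable by a named group and by
    all users at Host A, with one individual explicitly excluded."""
    hostb = NtcbPartition("B")
    hostb.create_object("payroll", owner="carol")
    hostb.define_group("finance", ["alice", "bob"])
    hostb.grant("carol", "payroll", "group:finance", {"read"})
    hostb.grant("carol", "payroll", "host:A", {"read"})     # "all users at Host A"
    hostb.exclude("carol", "payroll", "user:bob")
    out = {
        "alice_read": hostb.check("payroll", "alice", "A", "read"),   # True
        "bob_read": hostb.check("payroll", "bob", "A", "read"),       # False: excluded
        "dave_read": hostb.check("payroll", "dave", "A", "read"),     # True via host:A
        "dave_write": hostb.check("payroll", "dave", "A", "write"),   # False
        "eve_read": hostb.check("payroll", "eve", "C", "read"),       # False
    }
    hostb.define_group("finance", ["alice"])   # membership changes later...
    out["alice_audit_groups"] = hostb.audit[0]["groups_at_time"]["finance"]  # still ['alice', 'bob']
    try:
        hostb.grant("alice", "payroll", "user:eve", {"read"})
        out["non_owner_grant"] = True
    except PermissionError:
        out["non_owner_grant"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points follow the interpretation directly: exclusion takes precedence over any group grant, so a named individual can be denied even though a group or host identifier would admit them, and the audit record copies the group membership rather than referencing the live group table, so a later membership change does not obscure who could have acted under the group identifier when the access occurred.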
+ Rationale
In this class, the supporting elements of the overall
DAC mechanism are required to isolate information (objects)
that supports DAC so that it is subject to auditing require-
ments (see the System Architecture section). The use of
network identifiers to identify groups of individual users
could be implemented, for example, as an X.25 community of
interest in the network protocol layer (layer 3). In all
other respects, the supporting elements of the overall DAC
mechanism are treated exactly as untrusted subjects are
treated with respect to DAC in an ADP system, with the same
A typical situation for DAC is that a surrogate process
for a remote user will be created in some host for access to
objects under the control of the NTCB partition within that
assigned and maintained for each such process by the NTCB,
tially the same discretionary controls as access by a pro-
cess acting on behalf of a local user would be. However,
tions of the assigned user identification is permitted.
The most obvious situation would exist if a global
able on demand to every host, (i.e., a name server existed)
It is also acceptable, however, for some NTCB parti-
tions to maintain a database of locally-registered users for
its own use. In such a case, one could choose to inhibit
the creation of surrogate processes for locally unregistered
users, or (if permitted by the local policy) alternatively,
to permit the creation of surrogate processes with
identify the process as executing on behalf of a member of a
the words concerning audit in the interpretation is to pro-
vide a minimally acceptable degree of auditability for cases
be a capability, using the audit facilities provided by the
network NTCB partitions involved, to determine who was
logged in at the actual host of the group of remote users at
the time the surrogate processing occurred.
Associating the proper user id with a surrogate process
is the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id of
the surrogate process. The transmission of the data back
across the network to the user's host, and the creation of a
copy of the data there, is not the business of DAC.
Components that support only internal subjects impact
the implementation of the DAC by providing services by which
information (e.g., a user-id) is made available to a com-
file at Host B. The DAC decision might be (and usually
ted from Host A to Host B.
Unique user identification may be achieved by a variety
of mechanisms, including (a) a requirement for unique iden-
tification and authentication on the host where access takes
addresses authenticated by another host and forwarded to the
of a network-wide unique personnel identifier that could be
authenticated and forwarded by another host as in (b) above,
or could be authenticated and forwarded by a dedicated net-
cols which implement (b) or (c) are subject to the System
Architecture requirements.
Network support for DAC might be handled in other ways
than that described as "typical" above. In particular, some
form of centralized access control is often proposed. An
access control center may make all decisions for DAC, or it
may share the burden with the hosts by controlling host-to-
to their objects by users at a limited set of remote hosts.
between the connection oriented abstraction (as discussed in
the Introduction) and the overall network security policy
for DAC. In all cases the enforcement of the decision must
be provided by the host where the object resides.
There are two forms of distribution for the DAC mechan-
ism: implementing portions of the DAC in separate com-
the NTCB partition in a component. Since "the ADP system"
is understood to be "the computer network" as a whole, each
network component is responsible for enforcing security in
the mechanisms allocated to it to ensure secure implementa-
tion of the network security policy. For traditional host
a few approaches, such as virtual machine monitors, support
DAC outside this interface.
In contrast to the universally rigid structure of man-
DAC policies tend to be very network and system specific,
For networks it is common that individual hosts will impose
controls over their local users on the basis of named
individuals, much like the controls used when there is no
network connection. However, it is difficult to manage in a
centralized manner all the individuals using a large net-
together so that the controls required by the network DAC
other components. A gateway is an example of such a com-
The assurance requirements are at the very heart of the
concept of a trusted system. It is the assurance that
environment, as reflected, for example, in the Environments
Guideline-. In the case of monolithic systems that have DAC
integral to the reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of the
clearer distinction due to distributed DAC. The rationale
for making the distinction in this network interpretation is
that if major trusted network components can be made signi-
ficantly easier to design and implement without reducing the
ability to meet security policy, then trusted networks will
be more easily available.
+ Statement from DoD 5200.28-STD
All authorizations to the information contained within a
allocation or reallocation to a subject from the TCB's pool
of unused storage objects. No information, including
encrypted representations of information, produced by a
that obtains access to an object that has been released back
to the system.
+ Interpretation
The NTCB shall ensure that any storage objects that it
controls (e.g., message buffers under the control of a NTCB
_________________________
- Guidance for Applying the Department of Defense
Trusted Computer System Evaluation Criteria in Specific
Environments, CSC-STD-003-85.
access. This requirement must be enforced by each of the
NTCB partitions.
+ Rationale
In a network system, storage objects of interest are
things that the NTCB directly controls, such as message
buffers in components. Each component of the network system
must enforce the object reuse requirement with respect to
the storage objects of interest as determined by the network
be under the control of the NTCB partition. A buffer
assigned to an internal subject may be reused at the discre-
tion of that subject which is responsible for preserving the
integrity of message streams. Such controlled objects may
be implemented in physical resources, such as buffers, disk
network switches.
+ Statement from DoD 5200.28-STD
Sensitivity labels associated with each ADP system resource
(e.g., subject, storage object, ROM) that is directly or
indirectly accessible by subjects external to the TCB shall
be maintained by the TCB. These labels shall be used as the
basis for mandatory access control decisions. In order to
import non-labeled data, the TCB shall request and receive
from an authorized user the sensitivity level of the data,
and all such actions shall be auditable by the TCB.
+ Interpretation
Non-labeled data imported under the control of the NTCB
labels of the single-level device used to import it. Labels
may include secrecy and integrity- components in accordance
network sponsor. Whenever the term "label" is used
throughout this interpretation, it is understood to include
both components as applicable. Similarly, the terms
"single-level" and "multilevel" are understood to be based
on both the secrecy and integrity components of the policy.
The mandatory integrity policy will typically have require-
ments, such as the probability of undetected message stream
modification, that will be reflected in the label for the
_________________________
- See, for example, Biba, K.J., "Integrity Considera-
tion for Secure Computer Systems," ESD-TR-76-372, MTR-
integrity label may be assigned based on mechanisms, such as
cryptography, used to provide the assurance required by the
tected from tampering and are always invoked when they are
the basis for a label.
If the security policy includes an integrity policy,
all activities that result in message-stream modification
violation of the integrity policy. The NTCB shall have an
automated capability for testing, detecting, and reporting
those errors/corruptions that exceed specified network
integrity policy requirements. Message-stream modification
(MSM) countermeasures shall be identified. A technology of
adequate strength shall be selected to resist MSM. If
encryption methodologies are employed, they shall be
approved by the National Security Agency.
All objects must be labeled within each component of
the network that is trusted to maintain separation of multi-
objects associated with single-level components will be
identical to the level of that component. Objects used to
tures, such as routing tables, must be labeled to prevent
unauthorized access and/or modification.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in which
the security range of the subject is the minimum-maximum
ce.
The sensitivity labels for either secrecy or integrity
or both may reflect non-hierarchical categories or hierarch-
ical classification or both.
For a network it is necessary that this requirement be
applied to all network system resources at the (B2) level
and above.
The NTCB is responsible for implementing the network
integrity policy, when one exists. The NTCB must enforce
that policy by ensuring that information is accurately
transmitted from source to destination (regardless of the
number of intervening connecting points). The NTCB must be
able to counter equipment failure, environmental disrup-
tions, and actions by persons and processes not authorized
to alter the data. Protocols that perform code or format
conversion shall preserve the integrity of data and control
information.
The probability of an undetected transmission error may
be specified as part of the network security policy so that
the acceptability of the network for its intended applica-
tion may be determined. The specific metrics (e.g., proba-
bility of undetected modification) satisfied by the data can
be reflected in the integrity sensitivity label associated
is recognized that different applications and operational
environments (e.g., crisis as compared to logistic) will
The network shall also have an automated capability of
testing for, detecting, and reporting errors that exceed a
threshold consistent with the operational mode requirements.
The effectiveness of integrity countermeasures must be esta-
blished with the same rigor as the other security-relevant
Cryptography is often utilized as a basis to provide
Detection Codes (MDC)-, may be used. The adequacy of the
encryption or MDC algorithm, the correctness of the protocol
logic, and the adequacy of implementation must be esta-
blished in MSM countermeasures design.
+ Statement from DoD 5200.28-STD
Sensitivity labels shall accurately represent sensitivity
levels of the specific subjects or objects with which they
are associated. When exported by the TCB, sensitivity
labels shall accurately and unambiguously represent the
internal labels and shall be associated with the information
being exported.
+ Interpretation
The phrase "exported by the TCB" is understood to
include transmission of information from an object in one
component to an object in another component. Information
transferred between NTCB partitions is addressed in the Sys-
tem Integrity Section. The form of internal and external
(exported) sensitivity labels may differ, but the meaning
correct association of sensitivity labels with the informa-
tion being transported across the network is preserved.
_________________________
- See Jueneman, R. R., "Electronic Document Authenti-
cation," IEEE Network Magazine, April 1987, pp 17-23.
As mentioned in the Trusted Facility Manual Section,
encryption transforms the representation of information so
that it is unintelligible to unauthorized subjects.
Reflecting this transformation, the sensitivity level of the
ciphertext is generally lower than the cleartext. It fol-
lows that cleartext and ciphertext are contained in dif-
ferent objects, each possessing its own label. The label of
the cleartext must be preserved and associated with the
ciphertext so that it can be restored when the cleartext is
cleartext is associated with a single-level device, the
label of that cleartext may be implicit. The label may also
be implicit in the key.
When information is exported to an environment where it
is subject to deliberate or accidental modification, the TCB
assure the accuracy of the labels. When there is a manda-
tory integrity policy, the policy will define the meaning of
integrity labels.
+ Rationale
Encryption algorithms and their implementation are out-
may be implemented in a separate device or may be incor-
encryption mechanism herein. If encryption methodologies are
employed in this regard, they shall be approved by the
National Security Agency (NSA). The encryption process is
components in which it is implemented.
The encryption mechanism is not necessarily a mul-
tilevel device or multilevel subject, as these terms are
used in these criteria. The process of encryption is mul-
tilevel by definition. The cleartext and ciphertext inter-
faces carry information of different sensitivity. An
encryption mechanism does not process data in the sense of
ciphertext interfaces on the encryption mechanism must be
the data is established by a trusted individual and impli-
citly associated with the interface; the Exportation to
Single-Level Devices criterion applies.
If the interface is multilevel, then the data must be
labeled; the Exportation to Multilevel Devices criterion
applies. The network architect is free to select an accept-
able mechanism for associating a label with an object. With
the object.
through the encryption key. That is, the encryption
key uniquely identifies a sensitivity level. A sin-
gle or private key must be protected at the level of
the data that it encrypts.
+ Statement from DoD 5200.28-STD
The TCB shall designate each communication channel and I/O
this designation shall be done manually and shall be audit-
able by the TCB. The TCB shall maintain and be able to
audit any change in the sensitivity level or levels associ-
ated with a communications channel or I/O device.
+ Interpretation
Each communication channel and network component shall
be designated as either single-level or multilevel. Any
change in this designation shall be done with the cognizance
and approval of the administrator or security officer in
charge of the affected components and the administrator or
be auditable by the network. The NTCB shall maintain and be
able to audit any change in the device labels associated
ciated with a multilevel communication channel or component.
The NTCB shall also be able to audit any change in the set
of sensitivity levels associated with the information which
can be transmitted over a multilevel communication channel
or component.
+ Rationale
Communication channels and components in a network are
analogous to communication channels and I/O devices in
tilevel (i.e., able to distinguish and maintain separation
among information of various sensitivity levels) or single-
level. As in the TCSEC, single-level devices may only be
attached to single-level channels.
The level or set of levels of information that can be
only change with the knowledge and approval of the security
officers (or system administrator, if there is no security
officer) of the network, and of the affected components.
This requirement ensures that no significant security-
affected parties.
+ Statement from DoD 5200.28-STD
When the TCB exports an object to a multilevel I/O device,
the sensitivity label associated with that object shall also
be exported and shall reside on the same physical medium as
the exported information and shall be in the same form
(i.e., machine-readable or human-readable form). When the
TCB exports or imports an object over a multilevel communi-
cations channel, the protocol used on that channel shall
labels and the associated information that is sent or
+ Interpretation
The components, including hosts, of a network shall be
interconnected over "multilevel communication channels,"
multiple single-level communication channels, or both, when-
ever the information is to be protected at more than a sin-
the only information needed to correctly associate a sensi-
tivity level with the exported information transferred over
the multilevel channel between the NTCB partitions in indi-
vidual components. This protocol definition must specify the
(i.e., the machine-readable label must uniquely represent
the sensitivity level).
The "unambiguous" association of the sensitivity level
of accuracy as that required for any other label within the
NTCB, as specified in the criterion for Label Integrity.
This may be provided by protected and highly reliable direct
link protection in which any errors during transmission can
be readily detected, or by use of a separate channel. The
+ Rationale
This protocol must specify the representation and
Access Control Policies section in Appendix B. The mul-
tilevel device interface to (untrusted) subjects may be
implemented either by the interface of the reference moni-
tor, per se, or by a multilevel subject (e.g., a "trusted
vides the labels based on the internal labels of the NTCB
The current state of the art limits the support for
mandatory policy that is practical for secure networks.
Reference monitor support to ensure the control over all the
operations of each subject in the network must be completely
invoked by this subject must be contained in the same com-
The secure state of an NTCB partition may be affected
by events external to the component in which the NTCB parti-
tion resides (e.g., arrival of a message). The effect
occurs asynchronously after being initiated by an event in
another component or partition. For example, indeterminate
component, the arrival of the message in the NTCB partition
in another component, and the corresponding change to the
is executing concurrently, to do otherwise would require
ably not even desirable. Therefore, the interaction between
NTCB partitions is restricted to just communications between
the device(s) can send/receive data of more than a single
level. For broadcast channels the pairs are the sender and
intended receiver(s). However, if the broadcast channel
carries multiple levels of information, additional mechanism
(e.g., cryptochecksum maintained by the TCB) may be required
to enforce separation and proper delivery.
A common representation for sensitivity labels is
needed in the protocol used on that channel and understood
by both the sender and receiver when two multilevel devices
(in this case, in two different components) are intercon-
nected. Each distinct sensitivity level of the overall net-
Within a monolithic TCB, the accuracy of the sensi-
tivity labels is generally assured by simple techniques,
e.g., very reliable connections over very short physical
connections, such as on a single printed circuit board or
over an internal bus. In many network environments there is
a much higher probability of accidentally or maliciously
introduced errors, and these must be protected against.
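The label-carrying channel protocol and the message-stream modification checks of the preceding sections, as an added example that is not part of the interpretation: the frame layout, the `ChannelEndpoint` class and the constructed key are assumptions, and a truncated HMAC-SHA-256 tag stands in for whatever approved cryptochecksum or MDC a sponsor would actually select.

```python
import hashlib
import hmac
import struct
from typing import FrozenSet, Optional, Tuple

TAG_BYTES = 16  # truncated HMAC-SHA-256 tag; an assumption for this example


class ChannelEndpoint:
    """One end of a multilevel channel between two NTCB partitions.

    Frame layout assumed for the example: 4-byte big-endian sequence number,
    1-byte label length, label bytes, payload bytes, then a TAG_BYTES tag
    computed over everything before it, so the label cannot be separated
    from, or altered independently of, the information it describes.
    """

    def __init__(self, key: bytes, permitted_labels: FrozenSet[bytes]):
        self._key = key                      # protected at the level of the data
        self._permitted = permitted_labels   # levels designated for this channel
        self._send_seq = 0
        self._expect_seq = 0
        self.errors = 0                      # MSM events detected so far

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_BYTES]

    def export(self, label: bytes, payload: bytes) -> bytes:
        """Build the frame that carries `payload` at sensitivity `label`."""
        if len(label) > 255:
            raise ValueError("label does not fit the 1-byte length field")
        if label not in self._permitted:
            raise ValueError("level not permitted on this channel")
        body = struct.pack(">IB", self._send_seq, len(label)) + label + payload
        self._send_seq += 1
        return body + self._tag(body)

    def import_frame(self, frame: bytes) -> Tuple[Optional[bytes], Optional[bytes], str]:
        """Return (label, payload, "ok"), or (None, None, reason) when the frame
        must be rejected and the event reported rather than delivered."""
        if len(frame) < 5 + TAG_BYTES:
            return self._reject("truncated")
        body, tag = frame[:-TAG_BYTES], frame[-TAG_BYTES:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return self._reject("modified")        # label and/or data altered
        seq, label_len = struct.unpack(">IB", body[:5])
        if 5 + label_len > len(body):
            return self._reject("malformed")
        if seq < self._expect_seq:
            return self._reject("replayed")
        if seq > self._expect_seq:
            return self._reject("out_of_sequence")  # deletion or reordering
        self._expect_seq += 1                       # authentic and in order
        label = body[5:5 + label_len]
        if label not in self._permitted:
            return self._reject("label_not_permitted")
        return label, body[5 + label_len:], "ok"

    def _reject(self, reason: str) -> Tuple[None, None, str]:
        self.errors += 1
        return None, None, reason

    def exceeds_threshold(self, threshold: int) -> bool:
        """Reporting hook: have more MSM events been detected than the
        threshold the network security policy sets for this operational mode?"""
        return self.errors > threshold

    @staticmethod
    def undetected_modification_bound() -> float:
        """Probability that a random forgery passes the tag check, 2^-(tag bits):
        the kind of metric an integrity label can reflect."""
        return 2.0 ** (-8 * TAG_BYTES)


if __name__ == "__main__":
    # Constructed key and levels for a stand-alone run.
    key = b"constructed-example-key"
    a = ChannelEndpoint(key, frozenset({b"SECRET"}))
    b = ChannelEndpoint(key, frozenset({b"SECRET"}))
    frame = a.export(b"SECRET", b"routing update")
    print(b.import_frame(frame))
```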
+ Statement from DoD 5200.28-STD
Single-level I/O devices and single-level communication
channels are not required to maintain the sensitivity labels
of the information they process. However, the TCB shall
include a mechanism by which the TCB and an authorized user
level of information imported or exported via single-level
communication channels or I/O devices.
+ Interpretation
Whenever one or both of two directly connected com-
mation of different sensitivity levels, or whenever the two
level in common, the two components of the network shall
communicate over a single-level channel. Single-level com-
tion they process. However, the NTCB shall include a reli-
able communication mechanism by which the NTCB and an
authorized user (via a trusted path) or a subject within an
NTCB partition can designate the single sensitivity level of
information imported or exported via single-level communica-
tion channels or network components. The level of informa-
tion communicated must equal the device level.
+ Rationale
Single-level communications channels and single-level
components in networks are analogous to single level chan-
nels and I/O devices in stand-alone systems in that they are
not trusted to maintain the separation of information of
are therefore implicit; the NTCB associates labels with the
explicit part of the bit stream. Note that the sensitivity
level of encrypted information is the level of the cipher-
text rather than the original level(s) of the plaintext.
+ Statement from DoD 5200.28-STD
The ADP system administrator shall be able to specify the
labels. The TCB shall mark the beginning and end of all
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the output. The TCB
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the page. The TCB shall,
by default and in an appropriate manner, mark other forms of
_________________________
output that the labels refer to; the non-hierarchical category
component shall include all of the non-hierarchical categories of
the information in the output the labels refer to, but no other
non-hierarchical categories.
+ Interpretation
This criterion imposes no requirement to a component
that produces no human-readable output. For those that do
is defined to the network shall have a uniform meaning
across all components. The network administrator, in con-
able to specify the human-readable label that is associated
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system and
tions.
+ Statement from DoD 5200.28-STD
The TCB shall immediately notify a terminal user of each
change in the sensitivity level associated with that user
able to query the TCB as desired for a display of the
+ Interpretation
An NTCB partition shall immediately notify a terminal
user attached to its component of each change in the sensi-
tivity level associated with that user.
+ Rationale
The local NTCB partition must ensure that the user
understands the sensitivity level of information sent to and
from a terminal. When a user has a surrogate process in
another component, adjustments to its level may occur to
maintain communication with the user. These changes may
occur asynchronously. Such adjustments are necessitated by
mandatory access control as applied to the objects involved
in the communication path.
+ Statement from DoD 5200.28-STD
The TCB shall support the assignment of minimum and maximum
+ Interpretation
This requirement applies as written to each NTCB parti-
tion that is trusted to separate information based on sensi-
tivity level. Each I/O device in a component, used for com-
munication with other network components, is assigned a dev-
ice range, consisting of a set of labels with a maximum and
minimum. (A device range usually contains, but does not
necessarily contain, all possible labels "between" the max-
imum and minimum, in the sense of dominating the minimum and
being dominated by the maximum.)
The NTCB always provides an accurate label for informa-
tion exported through devices. Information exported or
imported using a single-level device is labelled implicitly
by the sensitivity level of the device. Information
exported from one multilevel device and imported at another
must be labelled through an agreed-upon protocol, unless it
is labelled implicitly by using a communication link that
always carries a single level.
Information exported at a given sensitivity level can
be sent only to an importing device whose device range con-
tains that level or a higher level. If the importing device
importing device range. Relabelling should not occur other-
+ Rationale
The purpose of device labels is to reflect and con-
the physical environment in which the devices are located.
The information transfer restrictions permit one-way
communication (i.e., no acknowledgements) from one device to
another whose ranges have no level in common, as long as
each level in the sending device range is dominated by some
level in the receiving device range. It is never permitted
to send information at a given level to a device whose range
view.)
+ Statement from DoD 5200.28-STD
The TCB shall enforce a mandatory access control policy over
all resources (i.e., subjects, storage objects, and I/O dev-
ices) that are directly or indirectly accessible by subjects
external to the TCB. These subjects and objects shall be
assigned sensitivity labels that are a combination of
categories, and the labels shall be used as the basis for
mandatory access control decisions. The TCB shall be able
to support two or more such sensitivity levels. (See the
Mandatory Access Control interpretations.) The following
indirectly accessible by these subjects. A subject can
the subject's sensitivity level is greater than or equal to
the hierarchical classification of the object's sensitivity
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. A subject can
the subject's sensitivity level is less than or equal to the
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. Identification
and authentication data shall be used by the TCB to authen-
ticate the user's identity and to ensure that the sensi-
tivity level and authorization of subjects external to the
TCB that may be created to act on behalf of the individual
user are dominated by the clearance and authorization of
that user.
+ Interpretation
Each partition of the NTCB exercises mandatory access
control policy over all subjects and objects in its com-
tion encompasses all mandatory access control functions in
its component that would be required of a TCB in a stand-
alone system. In particular, subjects and objects used for
communication with other components are under the control of
the NTCB partition. Mandatory access control includes
cy.
Conceptual entities associated with communication
between two components, such as sessions, connections and
virtual circuits, may be thought of as having two ends, one
in each component, where each end is represented by a local
object. Communication is viewed as an operation that copies
information from an object at one end of a communication
entities, such as datagrams and packets, exist either as
information within other objects, or as a pair of objects,
one at each end of the communication path.
The requirement for "two or more" sensitivity levels
can be met by either secrecy or integrity levels. When
there is a mandatory integrity policy, the stated require-
ments for reading and writing are generalized to: A subject
can read an object only if the subject's sensitivity level
nates the subject's sensitivity level. Based on the
integrity policy, the network sponsor shall define the domi-
nance relation for the total label, for example, by combin-
ing secrecy and integrity lattices. -
+ Rationale
An NTCB partition can maintain access control only over
above, the NTCB partition must maintain access control over
all subjects and objects in its component. Access by a sub-
in another component requires the creation of a subject in
the remote component which acts as a surrogate for the first
The mandatory access controls must be enforced at the
interface of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti-
tion. This mechanism creates the abstraction of subjects
and objects which it controls. Some of these subjects out-
implement part of an NTCB partition's mandatory policy,
e.g., by using the "trusted subjects" defined in the Bell-
LaPadula model.
The prior requirements on exportation of labeled infor-
mation to and from I/O devices ensure the consistency
between the sensitivity labels of objects connected by a
communication path. As noted in the introduction, the net-
overall mandatory network security policy and the connection
oriented abstraction. For example, individual data-carrying
entities such as datagrams can have individual sensitivity
labels that subject them to mandatory access control in each
component. The abstraction of a single-level connection is
connection is realized by single-level subjects that neces-
The fundamental trusted systems technology permits the
DAC mechanism to be distributed, in contrast to the require-
ments for mandatory access control. For networks this
_________________________
- See, for example, Grohn, M. J., A Model of a Pro-
tected Data Management System, ESD-TR-76-289, I. P.
Sharp Assoc. Ltd., June, 1976; and Denning, D. E.,
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M.
and Shockley, W., Secure Distributed Data Views, Secu-
el Secure Relational Database System, SRI International,
November 1986.
the exception.
The set of total sensitivity labels used to represent
all the sensitivity levels for the mandatory access control
(combined data secrecy and data integrity) policy always
forms a partially ordered set. Without loss of generality,
this set of labels can always be extended to form a lattice,
by including all the combinations of non-hierarchical
categories. As for any lattice, a dominance relation is
always defined for the total sensitivity labels. For admin-
istrative reasons it may be helpful to have a maximum level
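The combined secrecy/integrity dominance relation and the lattice extension just described, together with the device-range export rules from the Exportation of Labeled Information section, as an added example that is not part of the interpretation: the classifications, the product ordering of the two lattices (secrecy as usual, integrity reversed, so that read and write reduce to the Bell-LaPadula and Biba rules) and the `Level`/`Label` names are assumptions; a network sponsor is free to define total-label dominance differently.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

# Constructed classifications and integrity grades; the interpretation names none.
SECRECY = {"U": 0, "C": 1, "S": 2, "TS": 3}
INTEGRITY = {"LOW": 0, "MED": 1, "HIGH": 2}


@dataclass(frozen=True)
class Level:
    """One label component: a hierarchical class plus non-hierarchical categories."""
    cls: int
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # TCSEC dominance: class is >= and the category set is a superset.
        return self.cls >= other.cls and self.cats >= other.cats

    def lub(self, other: "Level") -> "Level":
        return Level(max(self.cls, other.cls), self.cats | other.cats)

    def glb(self, other: "Level") -> "Level":
        return Level(min(self.cls, other.cls), self.cats & other.cats)


@dataclass(frozen=True)
class Label:
    """Total sensitivity label with a secrecy and an integrity component."""
    secrecy: Level
    integrity: Level

    def dominates(self, other: "Label") -> bool:
        # Assumed combination of the two lattices (the network sponsor defines it):
        # secrecy ordered as usual, integrity ordered the other way round, so that
        # "read only if the subject dominates the object" gives both the
        # Bell-LaPadula simple-security rule and the Biba simple-integrity rule.
        return (self.secrecy.dominates(other.secrecy)
                and other.integrity.dominates(self.integrity))

    def lub(self, other: "Label") -> "Label":
        return Label(self.secrecy.lub(other.secrecy), self.integrity.glb(other.integrity))

    def glb(self, other: "Label") -> "Label":
        return Label(self.secrecy.glb(other.secrecy), self.integrity.lub(other.integrity))


def can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


def lattice_closure(labels: Iterable[Label]) -> Set[Label]:
    """Extend a partially ordered set of total labels to a lattice by closing it
    under least upper bound and greatest lower bound; for category sets this is
    the same as adding the missing category combinations."""
    closed = set(labels)
    while True:
        new = {c for a in closed for b in closed for c in (a.lub(b), a.glb(b))} - closed
        if not new:
            return closed
        closed |= new


def export_level(level: Label, importing_range: FrozenSet[Label]) -> Optional[Label]:
    """Level at which information at `level` is delivered to a device with the
    given range: the level itself if the range contains it, else the least level
    of the range that dominates it (relabelling). None means the export is refused."""
    if level in importing_range:
        return level
    candidates = [r for r in importing_range if r.dominates(level)]
    least = [c for c in candidates if all(d.dominates(c) for d in candidates)]
    # With a lattice-shaped range exactly one least dominating level exists; if
    # the range offers only incomparable choices, refuse rather than guess.
    return least[0] if len(least) == 1 else None


def one_way_permitted(sender_range: FrozenSet[Label],
                      receiver_range: FrozenSet[Label]) -> bool:
    """Acknowledgement-free transfer between devices whose ranges may share no
    level is allowed when every level the sender can emit is dominated by some
    level the receiver can accept."""
    return all(any(r.dominates(s) for r in receiver_range) for s in sender_range)


if __name__ == "__main__":
    subj = Label(Level(SECRECY["S"], frozenset({"NATO"})), Level(INTEGRITY["MED"]))
    obj = Label(Level(SECRECY["U"]), Level(INTEGRITY["HIGH"]))
    print("read U/HIGH:", can_read(subj, obj), " write U/HIGH:", can_write(subj, obj))
```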
+ Statement from DoD 5200.28-STD
The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB
is expected to mediate. Furthermore, the TCB shall maintain
authentication data that includes information for verifying
the identity of individual users (e.g., passwords) as well
as information for determining the clearance and authoriza-
tions of individual users. This data shall be used by the
TCB to authenticate the user's identity and to ensure that
the sensitivity level and authorization of subjects external
to the TCB that may be created to act on behalf of the indi-
vidual user are dominated by the clearance and authorization
of that user. The TCB shall protect authentication data so
that it cannot be accessed by any unauthorized user. The
TCB shall be able to enforce individual accountability by
bility of associating this identity with all auditable
actions taken by that individual.
+ Interpretation
The requirement for identification and authentication
of users is the same for a network system as for an ADP sys-
tem. The identification and authentication may be done by
the component to which the user is directly connected or
tication server. Available techniques, such as those
applicable in the network context. However, in cases where
the NTCB is expected to mediate actions of a host (or other
network component) that is acting on behalf of a user or
_________________________
= Department of Defense Password Management Guide-
line, CSC-STD-002-85
authentication of the host (or other component) in lieu of
identification and authentication of an individual user, so
long as the component identifier implies a list of specific
users uniquely associated with the identifier at the time of
its use for authentication. This requirement does not apply
to internal subjects.
Authentication information, including the identity of a
user (once authenticated) may be passed from one component
to another without reauthentication, so long as the NTCB
thorized disclosure and modification. This protection shall
of mechanism) as pertains to the protection of the authenti-
cation mechanism and authentication data.
+ Rationale
The need for accountability is not changed in the con-
text of a network system. The fact that the NTCB is parti-
tioned over a set of components neither reduces the need nor
imposes new requirements. That is, individual accountabil-
ity is still the objective. Also, in the context of a net-
tability" can be satisfied by identification of a host (or
other component) so long as the requirement for traceability
to individual users or a set of specific individual users
uncertainty in traceability because of elapsed time between
changes in the group membership and the enforcement in the
access control mechanisms. In addition, there is no need in
a distributed processing system like a network to reauthen-
ticate a user at each point in the network where a projec-
tion of a user (via the subject operating on behalf of the
user) into another remote subject takes place.
The passing of identifiers and/or authentication infor-
mation from one component to another is usually done in sup-
trol (DAC). This support relates directly to the DAC
ferent NTCB partition than the one where the user was
authenticated. Employing a forwarded identification implies
additional reliance on the source and components along the
basis of determining a sensitivity label for a subject, it
must satisfy the Label Integrity criterion.
An authenticated identification may be forwarded
between components and employed in some component to iden-
tify the sensitivity level associated with a subject created
to act on behalf of the user so identified.
+ Statement from DoD 5200.28-STD
The TCB shall support a trusted communication path between
itself and USERS FOR USE WHEN A POSITIVE TCB-TO-USER CONNEC-
TION IS REQUIRED (E.G., LOGIN, CHANGE SUBJECT SENSITIVITY
LEVEL). Communications via this TRUSTED path shall be
ACTIVATED exclusively by a USER OR THE TCB AND SHALL BE
LOGICALLY AND UNMISTAKABLY DISTINGUISHABLE FROM OTHER PATHS.
+ Interpretation
A trusted path is supported between a user (i.e.,
user is directly connected.
+ Rationale
When a user logs into a remote component, the user id
is transmitted securely between the local and remote NTCB
cation and Authentication.
Trusted Path is necessary in order to assure that the
user is communicating with the NTCB and only the NTCB when
ticate user, set current session sensitivity level). How-
ever, Trusted Path does not address communications within
the NTCB, only communications between the user and the NTCB.
communication then the component need not contain mechanisms
for assuring direct NTCB to user communications.
The requirement for trusted communication between one
NTCB partition and another NTCB partition is addressed in
the System Architecture section. These requirements are
this trusted communication between one NTCB partition and
another NTCB partition will be used in conjunction with the
trusted path to implement trusted communication between the
user and the remote NTCB partition.
+ Statement from DoD 5200.28-STD
The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit
trail of accesses to the objects it protects. The audit
is limited to those who are authorized for audit data. The
TCB shall be able to record the following types of events:
use of identification and authentication mechanisms,
introduction of objects into a user's address space (e.g.,
file open, program initiation), deletion of objects, actions
taken by computer operators and system administrators and/or
events. The TCB shall also be able to audit any override of
the audit record shall identify: date and time of the event,
user, type of event, and success or failure of the event.
For identification/authentication events the origin of
address space and for object deletion events the audit
able to selectively audit the actions of any one or more
users based on individual identity and/or object sensitivity
level. The TCB shall be able to audit the identified
events that may be used in the exploitation of covert
RITY AUDITABLE EVENTS THAT MAY INDICATE AN IMMINENT VIOLA-
TION OF SECURITY POLICY. THIS MECHANISM SHALL BE ABLE TO
HOLDS ARE EXCEEDED AND, IF THE OCCURRENCE OR ACCUMULATION OF
THESE SECURITY RELEVANT EVENTS CONTINUES, THE SYSTEM SHALL
TAKE THE LEAST DISRUPTIVE ACTION TO TERMINATE THE EVENT.
+ Interpretation
This criterion applies as stated. The sponsor must
not distinguishable by the NTCB alone (for example those
identified in Part II), the audit mechanism shall provide an
interface, which an authorized subject can invoke with
audit records shall be distinguishable from those provided
by the NTCB. In the context of a network system, "other
architecture and network security policy) might be as fol-
lows:
lishing a connection or a connectionless association
between processes in two hosts of the network) and
its principal parameters (e.g., host identifiers of
the two hosts involved in the access event and user
identifier or host identifier of the user or host
that is requesting the access event)
each access event using local time or global syn-
chronized time
ditions (e.g., potential violation of data
integrity, such as misrouted datagrams) detected
during the transactions between two hosts
component leaving the network and rejoining)
In addition, identification information should be
included in appropriate audit trail records, as necessary,
to allow association of all related (e.g., involving the
network system may provide the required audit capability
(e.g., storage, retrieval, reduction, analysis) for other
components that do not internally store audit data but
transmit the audit data to some designated collection com-
audit data due to unavailability of resources.
In the context of a network system, the "user's address
events, to include address spaces being employed on behalf
of a remote user (or host). However, the focus remains on
users in contrast to internal subjects as discussed in the
DAC criterion. In addition, audit information must be
The capability must exist to audit the identified
events that may be used in the exploitation of covert
must be able to audit those events locally that may lead to
the exploitation of a covert storage channel which exist
because of the network.
THE SPONSOR SHALL IDENTIFY THE SPECIFIC AUDITABLE
EVENTS THAT MAY INDICATE AN IMMINENT VIOLATION OF SECURITY
MULATION OF SUCH EVENTS MUST BE ABLE TO NOTIFY AN APPROPRI-
ATE ADMINISTRATOR WHEN THRESHOLDS ARE EXCEEDED, AND TO INI-
TIATE ACTIONS WHICH WILL RESULT IN TERMINATION OF THE EVENT
HOLD OF UNSUCCESSFUL LOGIN ATTEMPTS WITHIN A PERIOD OF TIME
+ Rationale
For remote users, the network identifiers (e.g., inter-
net address) can be used as identifiers of groups of indivi-
maintenance that would be required if individual identifica-
tion of remote users was employed. In this class (C2), how-
ever, it must be possible to identify (immediately or at
identifier. In all other respects, the interpretation is a
of a network system. Identification of covert channel
events is addressed in the Covert Channel Analysis section.
BECAUSE OF CONCURRENCY AND SYNCHRONIZATION PROBLEMS, IT
MAY NOT BE POSSIBLE TO DETECT IN REAL TIME THE ACCUMULATION
OF SECURITY AUDITABLE EVENTS THAT ARE OCCURRING IN DIFFERENT
NTCB PARTITIONS. HOWEVER, EACH NTCB PARTITION THAT HAS BEEN
ALLOCATED AUDIT RESPONSIBILITY MUST HAVE THE CAPABILITY TO
DETECT THE LOCAL ACCUMULATION OF EVENTS, TO NOTIFY THE PAR-
TITION SECURITY ADMINISTRATOR AND/OR THE NETWORK SECURITY
ADMINISTRATOR, AND TO INITIATE ACTIONS WHICH WILL RESULT IN
TERMINATION OF THE EVENT LOCALLY.
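The accumulation-threshold requirement above (notify an administrator when a threshold of security-relevant events such as unsuccessful logins is exceeded, then take the least disruptive action to terminate the event) is illustrated by the following added example. It is not part of NCSC-TG-005 or of any system the document describes. The record layout (date/time, origin host, user, event type, outcome), the sample records, the threshold and window values, and the choice of "refuse further login attempts from that origin for that user" as the least disruptive action are all this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not from the document). One record per
# line, '|'-separated: date/time, origin host, user, event type, outcome.
SAMPLE_AUDIT = """\
1987-02-10T09:00:01|host-a|alice|login|fail
1987-02-10T09:00:05|host-a|alice|login|fail
1987-02-10T09:00:09|host-a|alice|login|fail
1987-02-10T09:00:12|host-a|alice|login|fail
1987-02-10T09:00:15|host-a|alice|login|fail
1987-02-10T09:00:20|host-b|bob|login|success
1987-02-10T09:01:00|host-b|bob|object_open|success
1987-02-10T09:30:00|host-c|carol|login|fail
1987-02-10T09:31:00|host-c|carol|login|success
"""


def parse_record(line):
    """Split one audit line into the fields the criterion requires."""
    ts, origin, user, event, outcome = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "origin": origin,
            "user": user, "event": event, "outcome": outcome}


class LoginFailureMonitor:
    """Sliding-window accumulation detector for one auditable event type.

    When `threshold` failed logins for the same (origin, user) fall within
    `window`, record a notification for the security administrator; if the
    failures continue beyond the threshold, record a terminating action.
    The action chosen here (refuse further login attempts from that origin
    for that user) is an assumption about what "least disruptive" means.
    """

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # (origin, user) -> fail times
        self.notifications = []               # (time, key, count)
        self.actions = []                     # (time, key, action)

    def observe(self, rec):
        if rec["event"] != "login":
            return
        key = (rec["origin"], rec["user"])
        hist = self._failures[key]
        if rec["outcome"] == "success":
            hist.clear()                      # a successful login ends the run
            return
        hist.append(rec["time"])
        while hist and rec["time"] - hist[0] > self.window:
            hist.popleft()                    # drop failures outside the window
        count = len(hist)
        if count == self.threshold:
            self.notifications.append((rec["time"], key, count))
        elif count > self.threshold:
            self.actions.append((rec["time"], key, "refuse_login_from_origin"))


def run_monitor(text, threshold=3, window=timedelta(minutes=5)):
    """Feed every record in `text` to a monitor and return it for inspection."""
    mon = LoginFailureMonitor(threshold, window)
    for line in text.splitlines():
        if line.strip():
            mon.observe(parse_record(line))
    return mon


if __name__ == "__main__":
    m = run_monitor(SAMPLE_AUDIT)
    for n in m.notifications:
        print("NOTIFY", n)
    for a in m.actions:
        print("ACTION", a)
```

Because the detector keys on (origin, user) and clears its window on a successful login, it corresponds to the rationale's point that each NTCB partition can only detect the local accumulation of events: a network-wide view would need the partitions' audit data to be collected and time-correlated elsewhere.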
+ Statement from DoD 5200.28-STD
The TCB shall maintain a domain for its own execution that
by modification of its code or data structures). The TCB
internally structured into well-defined largely independent
modules. It shall make effective use of available hardware
to separate those elements that are protection-critical from
those that are not. The TCB modules shall be designed such
that the principle of least privilege is enforced. Features
in hardware, such as segmentation, shall be used to support
logically distinct storage objects with separate attributes
(namely: readable, writable). The user interface to the TCB
identified. THE TCB SHALL BE DESIGNED AND STRUCTURED TO
USE A COMPLETE, CONCEPTUALLY SIMPLE PROTECTION MECHANISM
WITH PRECISELY DEFINED SEMANTICS. THIS MECHANISM SHALL PLAY
A CENTRAL ROLE IN ENFORCING THE INTERNAL STRUCTURING OF THE
TCB AND THE SYSTEM. THE TCB SHALL INCORPORATE SIGNIFICANT
USE OF LAYERING, ABSTRACTION AND DATA HIDING. SIGNIFICANT
SYSTEM ENGINEERING SHALL BE DIRECTED TOWARD MINIMIZING THE
COMPLEXITY OF THE TCB AND EXCLUDING FROM THE TCB MODULES
THAT ARE NOT PROTECTION-CRITICAL.
+ Interpretation
The system architecture criterion must be met individu-
ally by all NTCB partitions. Implementation of the require-
ment that the NTCB maintain a domain for its own execution
is achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis-
tinct domain in the overall network system, this also satis-
fies the requirement for process isolation through distinct
address spaces in the special case where a component has
only a single subject.
The NTCB must be internally structured into well-
tion so structured. The NTCB controls all network resources.
These resources are the union of the sets of resources over
inside the NTCB) belonging to different NTCB partitions,
must be protected against external interference or tampering.
For example, a cryptographic checksum or physical
means may be employed to protect user authentication data
exchanged between NTCB partitions.
Each NTCB partition must enforce the principle of least
be structured so that the principle of least privilege is
enforced in the system as a whole.
THE NTCB MUST BE DESIGNED AND STRUCTURED ACCORDING TO
THE NETWORK SECURITY ARCHITECTURE TO USE A COMPLETE, CONCEP-
TUALLY SIMPLE PROTECTION MECHANISM. FURTHERMORE, EACH NTCB
SIGNIFICANT SYSTEM ENGINEERING SHOULD BE DIRECTED
TOWARD MINIMIZING THE COMPLEXITY OF EACH NTCB PARTITION, AND
OF THE NTCB. CARE SHALL BE TAKEN TO EXCLUDE MODULES (AND
COMPONENTS) THAT ARE NOT PROTECTION-CRITICAL FROM THE NTCB.
IT IS RECOGNIZED THAT SOME MODULES AND/OR COMPONENTS
MAY NEED TO BE INCLUDED IN THE NTCB AND MUST MEET THE NTCB
REQUIREMENTS EVEN THOUGH THEY MAY NOT APPEAR TO BE DIRECTLY
MODULES/COMPONENTS IS NECESSARY FOR THE CORRECT OPERATION OF
THE PROTECTION-CRITICAL MODULES AND COMPONENTS. HOWEVER,
THE NUMBER AND SIZE OF THESE MODULES/COMPONENTS SHOULD BE
KEPT TO A MINIMUM.
Each NTCB partition provides isolation of resources
(within its component) in accord with the network system
architecture and security policy so that "supporting ele-
ments" (e.g., DAC and user identification) for the security
mechanisms of the network system are strengthened compared
to C2, from an assurance point of view, through the provi-
As discussed in the Discretionary Access Control sec-
tion, the DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
assurance requirements for the design and implementation of
the DAC shall be those of class C2 for all networks of class
C2 or above.
+ Rationale
The requirement that the NTCB be structured into
modules and meet the hardware requirements applies within
the NTCB partitions in the various components.
The principle of least privilege requires that each
user or other individual with access to the system be given
only those resources and authorizations required for the
in the system it must be enforced in every NTCB partition
that supports users or other individuals. For example,
NTCB partition (e.g., games) lessens the opportunity of dam-
age by a Trojan Horse.
The requirement for the protection of communications
between NTCB partitions is specifically directed to subjects
that are part of the NTCB partitions. Any requirements for
THERE ARE CERTAIN PARTS OF A NETWORK (MODULES AND/OR
COMPONENTS) THAT MAY NOT APPEAR TO BE DIRECTLY PROTECTION-
CRITICAL IN THAT THEY ARE NOT INVOLVED IN ACCESS CONTROL
DECISIONS, DO NOT DIRECTLY AUDIT, AND ARE NOT INVOLVED IN
THE IDENTIFICATION/AUTHENTICATION PROCESS. HOWEVER, THE
SECURITY OF THE NETWORK MUST DEPEND ON THE CORRECT OPERATION
OF THESE MODULES AND/OR COMPONENTS. AN EXAMPLE OF THIS IS A
SINGLE LEVEL PACKET SWITCH. ALTHOUGH IT MAY NOT NORMALLY BE
FERENT MESSAGE STREAMS. IF THE SWITCH DOES NOT OPERATE
CORRECTLY, DATA COULD GET MIXED, AND UNAUTHORIZED ACCESS
COULD RESULT. THEREFORE, THESE MODULES/COMPONENTS MUST BE
APPLICABLE TO THE POLICY ELEMENT(S) FOR WHICH THEY ARE
RESPONSIBLE.
+ Statement from DoD 5200.28-STD
Hardware and/or software features shall be provided that can
be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB.
+ Interpretation
Implementation of the requirement is partly achieved by
and firmware elements of each component's NTCB partition.
Features shall also be provided to validate the identity and
correct operation of a component prior to its incorporation
in the network system and throughout system operation. For
example, a protocol could be designed that enables the com-
cally and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability
to respond. NTCB partitions shall provide the capability to
Intercomponent protocols implemented within a NTCB
tion in the case of failures of network communications or
individual components. The allocation of mandatory and dis-
cretionary access control policy in a network may require
communication between trusted subjects that are part of the
NTCB partitions in different components. This communication
is normally implemented with a protocol between the subjects
as peer entities. Incorrect access within a component shall
not result from failure of an NTCB partition to communicate
+ Rationale
The first paragraph of the interpretation is a
text of a network system and partitioned NTCB as defined for
these network criteria.
NTCB protocols should be robust enough so that they
zed failure. The purpose of this protection is to preserve
the integrity of the NTCB itself. It is not unusual for one
or more components in a network to be inoperative at any
time, so it is important to minimize the effects of such
failures on the rest of the network. Additional integrity
and denial of service issues are addressed in Part II.
IT SHOULD BE CLEAR THAT SOME INTEGRITY AND DENIAL OF
SERVICE FEATURES CAN RESIDE OUTSIDE THE NTCB. OTHERWISE ALL
SOFTWARE IN A NETWORK WOULD BE IN THE NTCB. EVERY PIECE OF
SOFTWARE THAT HAS AN OPPORTUNITY TO WRITE TO SOME DATA OR
CAUSE DENIAL OF SERVICE TO SOME EXTENT. FOR EXAMPLE, IT IS
NECESSARY TO "TRUST" TELNET TO CORRECTLY TRANSLATE USER
DATA, AND TO EVENTUALLY TRANSMIT PACKETS. FTP ALSO HAS TO
BE "TRUSTED" TO NOT INAPPROPRIATELY MODIFY FILES, AND TO
ATTEMPT TO COMPLETE THE FILE TRANSFER. THESE PROTOCOLS CAN
BE DESIGNED, HOWEVER TO EXIST OUTSIDE THE NTCB (FROM A PRO-
TECTION PERSPECTIVE). IT IS BENEFICIAL TO DO THIS TYPE OF
SECURITY ENGINEERING SO THAT THE AMOUNT OF CODE THAT MUST BE
TRUSTED TO NOT DISCLOSE DATA IS MINIMIZED. PUTTING EVERY-
THING INSIDE THE NTCB CONTRADICTS THE REQUIREMENT TO PERFORM
"SIGNIFICANT SYSTEM ENGINEERING ... DIRECTED TOWARD ...
EXCLUDING FROM THE TCB MODULES THAT ARE NOT PROTECTION CRIT-
B3. IF EVERYTHING HAS TO BE IN THE TCB TO ENSURE DATA
WILL BE CONSIDERABLY LESS ASSURANCE THAT DISCLOSURE PROTEC-
TION IS MAXIMIZED.
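The Interpretation above sketches a protocol in which NTCB partitions periodically exchange messages and validate each other's correct response, and requires that incorrect access must not result from a failure to communicate. The following added example (not from NCSC-TG-005 or any product it evaluates) shows one shape such a protocol can take: a fresh nonce challenge answered with an HMAC under a shared key, and an access decision that denies whenever a needed peer has not been validated. The shared key, the HMAC-SHA256 construction, the in-process transports and the "needs remote policy" flag are all assumptions of the example.

```python
import hashlib
import hmac
import os


class Partition:
    """One NTCB partition. `key` is a shared validation key (assumed to have
    been distributed by some means outside this example)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.peer_ok = {}       # peer name -> result of the last validation
        self.faulty = False     # test hook: simulate a partition that is down

    def respond(self, challenger, nonce):
        """Answer a challenge. A correct response binds the challenger's
        name, our own name and the nonce under the shared key, so a reply
        cannot be replayed to or from another partition."""
        if self.faulty:
            return None         # no response at all (component inoperative)
        msg = b"|".join([challenger.encode(), self.name.encode(), nonce])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def validate(self, peer, transport):
        """Issue a fresh challenge to `peer` through `transport` and record
        whether the peer proved its ability to respond correctly."""
        nonce = os.urandom(16)
        resp = transport(peer, self.name, nonce)
        expected = hmac.new(
            self.key,
            b"|".join([self.name.encode(), peer.name.encode(), nonce]),
            hashlib.sha256).digest()
        ok = resp is not None and hmac.compare_digest(resp, expected)
        self.peer_ok[peer.name] = ok
        return ok

    def decide_access(self, peer, needs_remote_policy):
        """Access decision inside this partition. When the decision depends
        on a policy element held by `peer` and the peer has not been
        validated, deny: a communication failure must never turn into an
        incorrect grant. Purely local decisions are unaffected."""
        if not needs_remote_policy:
            return "ALLOW"
        if self.peer_ok.get(peer.name) is not True:
            return "DENY"       # fail closed
        return "ALLOW"


def direct_transport(peer, challenger, nonce):
    """Assumed transport: hand the challenge to the peer in-process."""
    return peer.respond(challenger, nonce)


def tampering_transport(peer, challenger, nonce):
    """Transport that corrupts one bit of the reply, modelling a damaged
    or forged response."""
    r = peer.respond(challenger, nonce)
    if r is None:
        return None
    return bytes([r[0] ^ 0x01]) + r[1:]


def scenario():
    """Run the exchange under healthy, tampered and down conditions."""
    key = b"example-shared-key-not-real"   # constructed; never a literal in practice
    a, b = Partition("A", key), Partition("B", key)
    results = {}
    results["healthy"] = a.validate(b, direct_transport)
    results["access_when_healthy"] = a.decide_access(b, True)
    results["tampered"] = a.validate(b, tampering_transport)
    results["access_when_tampered"] = a.decide_access(b, True)
    b.faulty = True
    results["down"] = a.validate(b, direct_transport)
    results["access_when_down"] = a.decide_access(b, True)
    results["local_only_when_down"] = a.decide_access(b, False)
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The order of arguments inside the MAC input is deliberate: a reply computed for challenger A and responder B would not verify if it were reflected back as B challenging A, which is the kind of confusion the Rationale has in mind when it asks that protocols be robust against failures of individual components.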
+ Statement from DoD 5200.28-STD
The system developer shall conduct a thorough search for
COVERT CHANNELS and make a determination (either by actual
measurement or by engineering estimation) of the maximum
bandwidth of each identified channel. (See the Covert Chan-
nels Guideline section.)
+ Interpretation
The requirement, including the TCSEC Covert Channel
Guideline, applies as written. In a network, there are
additional instances of covert channels associated with com-
munication between components.
+ Rationale
The exploitation of network protocol information (e.g.,
OF FREQUENCY OF TRANSMISSION CAN RESULT IN COVERT TIMING
CHANNELS. The topic has been addressed in the literature.-
+ Statement from DoD 5200.28-STD
The TCB shall support separate operator and administrator
functions. THE FUNCTIONS PERFORMED IN THE ROLE OF A SECU-
RITY ADMINISTRATOR SHALL BE IDENTIFIED. THE ADP SYSTEM
ADMINISTRATIVE PERSONNEL SHALL ONLY BE ABLE TO PERFORM SECU-
RITY ADMINISTRATOR FUNCTIONS AFTER TAKING A DISTINCT AUDIT-
ABLE ACTION TO ASSUME THE SECURITY ADMINISTRATOR ROLE ON THE
ADP SYSTEM. NON-SECURITY FUNCTIONS THAT CAN BE PERFORMED IN
THE SECURITY ADMINISTRATION ROLE SHALL BE LIMITED STRICTLY
TO THOSE ESSENTIAL TO PERFORMING THE SECURITY ROLE EFFEC-
TIVELY.
_________________________
- See, for example, Girling, C. G., "Covert Channels
in LAN's," IEEE Transactions on Software Engineering,
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A.,
Snow, D. P., and Karger, P. A., Limitations of End-to-
End Encryption in Secure Computer Networks, MITRE
Technical Report, MTR-3592, Vol. I, May 1978 (ESD TR
+ Interpretation
This requirement applies as written to both the network
as a whole and to individual components which support such
+ Rationale
It is recognized that based on the allocated policy
elements some components may operate with no human inter-
face.
+ Statement from DoD 5200.28-STD
THAT, AFTER AN ADP SYSTEM FAILURE OR OTHER DISCONTINUITY,
RECOVERY WITHOUT A PROTECTION COMPROMISE IS OBTAINED.
+ Interpretation
THE RECOVERY PROCESS MUST BE ACCOMPLISHED WITHOUT A
TINUITY OF ANY NTCB PARTITION. IT MUST ALSO BE ACCOMPLISHED
AFTER A FAILURE OF THE ENTIRE NTCB.
+ Rationale
THIS IS A STRAIGHT-FORWARD EXTENSION OF THE REQUIREMENT
CONTINUE TO OPERATE NORMALLY. THIS MAY BE A SECURITY-
RELEVANT EVENT; IF SO IT MUST BE AUDITED.
+ Statement from DoD 5200.28-STD
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation. A
team of individuals who thoroughly understand the specific
implementation of the TCB shall subject its design documen-
tation, source code, and object code to thorough analysis and
testing. Their objectives shall be: to uncover all design
and implementation flaws that would permit a subject exter-
nal to the TCB to read, change, or delete data normally
enforced by the TCB; as well as to assure that no subject
(without authorization to do so) is able to cause the TCB to
enter a state such that it is unable to respond to
communications initiated by other users. The TCB shall be
FOUND RESISTANT to penetration. All discovered flaws shall
be removed or neutralized and the TCB retested to demon-
TCB implementation is consistent with the descriptive top-
level specification. NO DESIGN FLAWS AND NO MORE THAN A FEW
CORRECTABLE IMPLEMENTATION FLAWS MAY BE FOUND DURING TESTING
AND THERE SHALL BE REASONABLE CONFIDENCE THAT FEW REMAIN.
(See the Security Testing Guidelines.)
+ Interpretation
Testing of a component will require a testbed that
exercises the interfaces and protocols of the component
including tests under exceptional conditions. The testing
of a security mechanism of the network system for meeting
this criterion shall be an integrated testing procedure
involving all components containing an NTCB partition that
implement the given mechanism. This integrated testing is
additional to any individual component tests involved in the
evaluation of the network system. The sponsor should iden-
tify the allowable set of configurations including the sizes
of the networks. Analysis or testing procedures and tools
tions. A change in configuration within the allowable set
of configurations does not require retesting.
The testing of each component will include the intro-
component that will attempt to read, change, or delete data
normally denied. If the normal interface to the component
conduct such a test, then this portion of the testing shall
use a special version of the untrusted software for the com-
The results shall be saved for test analysis. Such special
versions shall have an NTCB partition that is identical to
that for the normal configuration of the component under
evaluation.
The testing of the mandatory controls shall include
tests to demonstrate that the labels for information
imported and/or exported to/from the component accurately
the component for use as the basis for its mandatory access
control decisions. The tests shall include each type of
component.
The NTCB must be FOUND RESISTANT to penetration. This
applies to the NTCB as a whole, and to each NTCB partition
in a component of this class.
+ Rationale
The phrase "no subject (without authorization to do so)
is able to cause the TCB to enter a state such that it is
unable to respond to communications initiated by other
users" relates to the security services (Part II of this
TNI) for the Denial of Service problem, and to correctness
of the protocol implementations.
Testing is an important method available in this
evaluation division to gain any assurance that the security
mechanisms perform their intended function. A major purpose
of testing is to demonstrate the system's response to inputs
to the NTCB partition from untrusted (and possibly mali-
cious) subjects.
In contrast to general purpose systems that allow for
the dynamic creation of new programs and the introductions
of new processes (and hence new subjects) with user speci-
fied security properties, many network components have no
method for introducing new programs and/or processes during
their normal operation. Therefore, the programs necessary
for the testing must be introduced as special versions of
the software rather than as the result of normal inputs by
the test team. However, it must be ensured that the NTCB
evaluation.
Sensitivity labels serve a critical role in maintaining
the security of the mandatory access controls in the net-
of the labels for information communicated between com-
cit labels for single-level devices. Therefore the testing
for correct labels is highlighted.
The requirement for testing to demonstrate consistency
between the NTCB implementation and the DTLS is a straight-
forward extension of the TCSEC requirement into the context
of a network system.
+ Statement from DoD 5200.28-STD
A formal model of the security policy supported by the TCB
that is proven and demonstrated to be consistent with its
axioms. A descriptive top-level specification (DTLS) of the
TCB shall be maintained that completely and accurately
and effects. It shall be shown to be an accurate descrip-
tion of the TCB interface. A CONVINCING ARGUMENT SHALL BE
GIVEN THAT THE DTLS IS CONSISTENT WITH THE MODEL.
+ Interpretation
The overall network security policy expressed in this
model will provide the basis for the mandatory access con-
trol policy exercised by the NTCB over subjects and storage
objects in the entire network. The policy will also be the
basis for the discretionary access control policy exercised
by the NTCB to control access of named users to named
objects. Data integrity requirements addressing the effects
of unauthorized MSM need not be included in this model. The
overall network policy must be decomposed into policy ele-
ments that are allocated to appropriate components and used
as the basis for the security policy model for those com-
The level of abstraction of the model, and the set of
model, will be affected by the NTCB partitioning. Subjects
and objects must be represented explicitly in the model for
the partition if there is some network component whose NTCB
ble to individual network components are manifest. Global
network policy elements that are allocated to components
The requirements for a network DTLS are given in the
Design Documentation section.
+ Rationale
The treatment of the model depends to a great extent on
the degree of integration of the communications service into
a distributed system. In a closely coupled distributed sys-
tem, one might use a model that closely resembles one
appropriate for a stand-alone computer system.
In ALL cases, the model of each partition will be
expected to show the role of the NTCB partition in each kind
of component. It will most likely clarify the model,
although not part of the model, to show access restrictions
implied by the system design; for example, subjects
objects containing data units at the same layer of protocol.
The allocation of subjects and objects to different proto-
col layers is a protocol design choice which need not be
+ Statement from DoD 5200.28-STD
During development and maintenance of the TCB, a configura-
tion management system shall be in place that maintains con-
trol of changes to the descriptive top-level specification,
other design data, implementation documentation, source
code, the running version of the object code, and test fix-
tures and documentation. The configuration management sys-
tem shall assure a consistent mapping among all documenta-
tion and code associated with the current version of the
TCB. Tools shall be provided for generation of a new ver-
tools for comparing a newly generated version with the pre-
vious TCB version in order to ascertain that only the
intended changes have been made in the code that will actu-
ally be used as the new version of the TCB.
+ Interpretation
The requirement applies as written, with the following
extensions:
for each NTCB partition.
entire system. If the configuration management sys-
tem is made up of the conglomeration of the confi-
guration management systems of the various NTCB par-
titions, then the configuration management plan must
address the issue of how configuration control is
applied to the system as a whole.
+ Rationale
Each NTCB partition must have a configuration manage-
ment system in place, or else there will be no way for the
NTCB as a whole to have an effective configuration manage-
ment system. The other extensions are merely reflections of
the way that networks operate in practice.
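The configuration management requirement quoted above calls for tools that compare a newly generated version with the previous one so that only the intended changes have been made. The following added example (not from NCSC-TG-005, and not any vendor's tooling) shows the core of such a tool: a per-file SHA-256 manifest for each version, a classification of every path as added, removed, modified or unchanged, and a check of that change set against the change request. The two in-memory "versions", the file names and the intended-change list are constructed for the example; `manifest_from_dir` applies the same manifest to a real directory tree.

```python
import hashlib
from pathlib import Path


def build_manifest(files):
    """files: mapping path -> bytes. Returns path -> hex SHA-256 digest."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def manifest_from_dir(root):
    """Same manifest built from a tree on disk (paths relative to `root`)."""
    root = Path(root)
    return build_manifest({str(p.relative_to(root)): p.read_bytes()
                           for p in sorted(root.rglob("*")) if p.is_file()})


def compare_manifests(previous, current):
    """Classify every path as added, removed, modified or unchanged."""
    prev, cur = set(previous), set(current)
    both = prev & cur
    return {
        "added": sorted(cur - prev),
        "removed": sorted(prev - cur),
        "modified": sorted(p for p in both if previous[p] != current[p]),
        "unchanged": sorted(p for p in both if previous[p] == current[p]),
    }


def audit_changes(diff, intended):
    """Check the actual change set against the approved change request:
    anything touched that was not requested, or requested but untouched,
    blocks acceptance of the new version."""
    actual = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    unexpected = sorted(actual - set(intended))    # touched, not requested
    not_applied = sorted(set(intended) - actual)   # requested, not touched
    return {"unexpected": unexpected, "not_applied": not_applied,
            "accepted": not unexpected and not not_applied}


# Constructed "previous" and "new" versions of a tiny NTCB source tree.
# The contents are placeholders, not real code from any system.
PREVIOUS = {
    "ntcb/mac.c": b"int dominates(label a, label b) { return 0; }\n",
    "ntcb/audit.c": b"void audit(int ev) {}\n",
    "ntcb/io.c": b"int send(pkt p) { return 1; }\n",
}
CURRENT = {
    "ntcb/mac.c": b"int dominates(label a, label b) { return a.lvl >= b.lvl; }\n",
    "ntcb/audit.c": b"void audit(int ev) {}\n",
    "ntcb/io.c": b"int send(pkt p) { return 2; }\n",   # not in the change request
    "ntcb/tp.c": b"void trusted_path(void) {}\n",
}
INTENDED = ["ntcb/mac.c", "ntcb/tp.c"]   # the approved change request


def check_release(previous=PREVIOUS, current=CURRENT, intended=INTENDED):
    """Return the classified diff and the acceptance verdict."""
    diff = compare_manifests(build_manifest(previous), build_manifest(current))
    return diff, audit_changes(diff, intended)


if __name__ == "__main__":
    diff, verdict = check_release()
    print(diff)
    print(verdict)
```

In the constructed run the new version is rejected because `ntcb/io.c` changed without appearing in the change request, which is exactly the condition the requirement's comparison tools exist to catch. For a partitioned NTCB the same check is run per partition, and the plan must say who reconciles the per-partition verdicts into a decision about the system as a whole.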
+ Statement from DoD 5200.28-STD
A single summary, chapter, or manual in user documentation
TCB, interpretations on their use, and how they interact
+ Interpretation
This user documentation describes user visible protec-
tion mechanisms at the global (network system) level and at
the user interface of each component, and the interaction
among these.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system as defined for these
network criteria. Documentation of protection mechanisms
teria for trusted computer systems that are applied as
appropriate for the individual components.
+ Statement from DoD 5200.28-STD
A manual addressed to the ADP system administrator shall
be controlled when running a secure facility. The procedures
for examining and maintaining the audit files as well as the
administrator functions related to security, to include
changing the security characteristics of a user. It shall
of the protection features of the system, how they interact,
to operate the facility in a secure manner. The TCB modules
that contain the reference validation mechanism shall be
identified. The procedures for secure generation of a new
TCB from source after modification of any modules in the TCB
ENSURE THAT THE SYSTEM IS INITIALLY STARTED IN A SECURE
MANNER. PROCEDURES SHALL ALSO BE INCLUDED TO RESUME SECURE
SYSTEM OPERATION AFTER ANY LAPSE IN SYSTEM OPERATION.
+ Interpretation
This manual shall contain specifications and procedures
to assist the system administrator(s) maintain cognizance of
the network configuration. These specifications and pro-
cedures shall address the following:
network;
leave the network (e.g., by crashing, or by being
disconnected) and then rejoin;
security of the network system; (For example, the
manual should describe for the network system
administrator the interconnections among components
that are consistent with the overall network system
architecture.)
(e.g., down-line loading).
indicate which components of the network may change
without others also changing.
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
The components of the network that form the NTCB must
be identified. Furthermore, the modules within an NTCB par-
tition that contain the reference validation mechanism (if
any) within that partition must be identified.
The procedures for the secure generation of a new ver-
PROCEDURES FOR STARTING EACH NTCB PARTITION IN A SECURE
STATE SHALL BE SPECIFIED. PROCEDURES MUST ALSO BE INCLUDED
TO RESUME SECURE OPERATION OF EACH NTCB PARTITION AND/OR THE
NTCB AFTER ANY LAPSE IN SYSTEM OR SUBSYSTEM OPERATION.
+ Rationale
There may be multiple system administrators with
other forms of security in order to achieve security of the
network. Additional forms include administrative security,
Extension of this criterion to cover configuration
aspects of the network is needed because, for example,
to achieve a correct realization of the network architec-
ture.
As mentioned in the section on Label Integrity, cryp-
tography is one common mechanism employed to protect communication
circuits. Encryption transforms the representation
of information so that it is unintelligible to unauthorized
of the ciphertext is generally lower than the cleartext. If
encryption methodologies are employed, they shall be
approved by the National Security Agency (NSA).
The encryption algorithm and its implementation are
outside the scope of these interpretations. This algorithm
and implementation may be implemented in a separate device
or may be a function of a subject in a component not dedi-
cated to encryption. Without prejudice, either implementa-
tion packaging is referred to as an encryption mechanism
The requirements for descriptions of NTCB generation
and identification of modules and components that form the
NTCB are straightforward extensions of the TCSEC require-
ments into the network context. In those cases where the
vendor does not provide source code, an acceptable procedure
tion.
GIVEN THE NATURE OF NETWORK SYSTEMS (E.G., VARIOUS COM-
SYSTEM MUST CONTINUE OPERATION WITHOUT THAT COMPONENT), IT
NECESSARY TO KNOW HOW TO RESUME SECURE OPERATION OF THE NTCB
AFTER ANY PARTITION HAS BEEN DOWN.
+ Statement from DoD 5200.28-STD
The system developer shall provide to the evaluators a docu-
ment that describes the test plan, test procedures that show
+ Interpretation
The "system developer" is interpreted as "the network
establish the context in which the testing was or should be
conducted. The description should identify any additional
test components that are not part of the system being
evaluated. This includes a description of the test-relevant
functions of such test components and a description of the
interfacing of those test components to the system being
evaluated. The description of the test plan should also
configuration and sizing.
+ Rationale
The entity being evaluated may be a networking subsys-
tem (see Appendix A) to which other components must be added
to make a complete network system. In that case, this
interpretation is extended to include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
The bandwidths of covert channels are used to determine
the suitability of a network system for a given environment.
The effectiveness of the methods used to reduce these
bandwidths must therefore be accurately determined.
+ Statement from DoD 5200.28-STD
Documentation shall be available that provides a description
of the manufacturer's philosophy of protection and an expla-
nation of how this philosophy is translated into the TCB.
The interfaces between the TCB modules shall be described.
A formal description of the security policy model enforced
by the TCB shall be available and an explanation provided to
The specific TCB protection mechanisms shall be identified
and an explanation given to show that they satisfy the
model. The descriptive top-level specification (DTLS) shall
be shown to be an accurate description of the TCB interface.
Documentation shall describe how the TCB implements the
tamper resistant, cannot be bypassed, and is correctly
implemented. THE TCB IMPLEMENTATION (I.E., IN HARDWARE,
FIRMWARE, AND SOFTWARE) SHALL BE INFORMALLY SHOWN TO BE CON-
SISTENT WITH THE DTLS. THE ELEMENTS OF THE DTLS SHALL BE
SHOWN, USING INFORMAL TECHNIQUES, TO CORRESPOND TO THE ELE-
MENTS OF THE TCB. Documentation shall describe how the TCB
is structured to facilitate testing and to enforce least
involved in restricting the channels. All auditable events
that may be used in the exploitation of known covert storage
channels shall be identified. The bandwidths of known
covert storage channels, the use of which is not detectable
by the auditing mechanisms, shall be provided. (See the
Covert Channel Guideline section.)
+ Interpretation
Explanation of how the sponsor's philosophy of protec-
tion is translated into the NTCB shall include a description
of how the NTCB is partitioned. The security policy also
the NTCB modules shall include the interface(s) between NTCB
exist. The sponsor shall describe the security architecture
and design, including the allocation of security require-
ments among components.
The documentation includes both a system description
and a set of component DTLS's. The system description
addresses the network security architecture and design by
ones are trusted, and in what way they must cooperate to
be provided for each trusted network component, i.e., each
component containing an NTCB partition. Each component DTLS
component. BOTH THE SYSTEM DESCRIPTION AND EACH COMPONENT
DTLS SHALL BE SHOWN CONSISTENT WITH THOSE ASSERTIONS IN THE
MODEL THAT APPLY TO IT. Appendix A addresses component
evaluation issues.
TO SHOW THE CORRESPONDENCE BETWEEN THE DTLS AND THE
NTCB IMPLEMENTATION, IT SUFFICES TO SHOW CORRESPONDENCE
BETWEEN EACH COMPONENT DTLS AND THE NTCB PARTITION IN THAT
COMPONENT.
As stated in the introduction to Division B, the spon-
monitor concept. The security policy model must be a model
for a reference monitor.
The security policy model for each partition implementing
a reference monitor shall fully represent the access
control policy supported by the partition, including the
and/or integrity. For the mandatory policy the single domi-
nance relation for sensitivity labels, including secrecy
and/or integrity components, shall be precisely defined.
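The requirement just stated, that the single dominance relation for sensitivity labels with secrecy and/or integrity components be precisely defined, and the Security Testing interpretation's requirement that labels imported to or exported from a component be tested as a correct basis for mandatory access control decisions, are both illustrated by the following added example. It is not from NCSC-TG-005 or from any model the document cites. The example assumes a total order of secrecy levels with a category set, a separate total order of integrity levels with its own category set, and combines them into one relation by ordering integrity inversely, which is the usual way a Bell-LaPadula-style secrecy component and a Biba-style integrity component are fitted into a single lattice; the particular level names, the read/write rules and the sample labels are the example's own choices.

```python
from dataclasses import dataclass

# Assumed orderings (the document fixes neither): secrecy levels and
# integrity levels are separate total orders; categories are sets.
SECRECY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    secrecy: str
    categories: frozenset = frozenset()
    integrity: str = "LOW"
    icategories: frozenset = frozenset()


def secrecy_dominates(a, b):
    """a's secrecy component dominates b's: level at least as high and
    a superset of the categories."""
    return (SECRECY[a.secrecy] >= SECRECY[b.secrecy]
            and a.categories >= b.categories)


def integrity_dominates(a, b):
    """a's integrity component dominates b's, defined the same way on the
    integrity level and integrity categories."""
    return (INTEGRITY[a.integrity] >= INTEGRITY[b.integrity]
            and a.icategories >= b.icategories)


def dominates(a, b):
    """The single dominance relation on whole labels: a dominates b exactly
    when information may flow from b to a, i.e. a is at least as secret
    as b and b is at least as trustworthy (integrity) as a. Ordering the
    integrity component inversely is what lets one relation serve both."""
    return secrecy_dominates(a, b) and integrity_dominates(b, a)


def may_read(subject, obj):
    """Read requires the subject to dominate the object (no read up in
    secrecy, no read down in integrity)."""
    return dominates(subject, obj)


def may_write(subject, obj):
    """Write requires the object to dominate the subject (no write down
    in secrecy, no write up in integrity)."""
    return dominates(obj, subject)


def import_label_ok(received, device_min, device_max):
    """A label arriving over a channel is accepted as the basis for MAC
    decisions only if it lies within the importing device's range."""
    return dominates(received, device_min) and dominates(device_max, received)


def is_partial_order(labels):
    """Spot-check reflexivity, antisymmetry and transitivity of `dominates`
    over a sample of labels; the model proof establishes this generally."""
    for a in labels:
        if not dominates(a, a):
            return False
        for b in labels:
            if a != b and dominates(a, b) and dominates(b, a):
                return False
            for c in labels:
                if dominates(a, b) and dominates(b, c) and not dominates(a, c):
                    return False
    return True


# Constructed labels for the demonstration. Under the inverse integrity
# ordering, the lowest label in the lattice is the least secret and the
# most trustworthy one, so a device range runs from U_HIGH upward.
U_HIGH = Label("UNCLASSIFIED", integrity="HIGH")
U_LOW = Label("UNCLASSIFIED", integrity="LOW")
S = Label("SECRET")
S_NATO = Label("SECRET", frozenset({"NATO"}))
TS_NATO = Label("TOP SECRET", frozenset({"NATO"}))
SAMPLE = [U_HIGH, U_LOW, S, S_NATO, TS_NATO]


def scenario():
    """Decisions a reference monitor built on `dominates` makes for a few
    subject/object pairs, plus two import-range checks."""
    return {
        "order_ok": is_partial_order(SAMPLE),
        "secret_nato_reads_secret": may_read(S_NATO, S),
        "secret_reads_secret_nato": may_read(S, S_NATO),     # category missing
        "secret_writes_secret_nato": may_write(S, S_NATO),   # writing up is allowed
        "secret_reads_unclass_high": may_read(S, U_HIGH),    # high-integrity data is readable
        "low_int_writes_high_int": may_write(U_LOW, U_HIGH), # integrity rule blocks this
        "import_secret": import_label_ok(S, U_HIGH, S_NATO),
        "import_topsecret": import_label_ok(TS_NATO, U_HIGH, S_NATO),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The `import_label_ok` check is the one a component-level label test exercises: a multilevel device is given its range, each label that can arrive over the channel (including a single-level device's implicit label) is presented, and the test records whether the label that reaches the MAC decision is the one that was sent and lies inside the range.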
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system as
tion, such as description of components and description of
operating environment(s) in which the networking subsystem
or network system is designed to function, is required else-
In order to be evaluated, a network must possess a
coherent Network Security Architecture and Design. (Inter-
connection of components that do not adhere to such a single
coherent Network Security Architecture is addressed in the
Security Architecture must address the security-relevant
Design specifies the interfaces and services that must be
incorporated into the network so that it can be evaluated as
a trusted entity. There may be multiple designs that con-
form to the same architecture but are more or less incompa-
tible and non-interoperable (except through the Interconnec-
tion Rules). Security related mechanisms requiring coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms having no visible
interfaces are not specified in this document but are left
as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components can be assem-
bled into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and unambi-
Network Security Architecture and Design must be evaluated
to determine that a network constructed to its specifica-
tions will in fact be trusted, that is, it will be evaluat-
able under these interpretations.
The term "model" is used in several different ways in a
network context, e.g., a "protocol reference model," a "for-
mal network model," etc. Only the "security policy model" is
addressed by this requirement and is specifically intended
to model the interface, viz., "security perimeter," of the
in the TCSEC. It must be shown that all parts of the TCB
are a valid interpretation of the security policy model,
i.e., that there is no change to the secure state except as
4.0 DIVISION A: VERIFIED PROTECTION
This division is characterized by the use of formal security
methods to assure that the mandatory and discretionary secu-
quired to demonstrate that the NTCB meets the security re-
quirements in all aspects of design, development and imple-
mentation.
4.1 CLASS (A1): VERIFIED DESIGN
SYSTEMS IN CLASS (A1) ARE FUNCTIONALLY EQUIVALENT
TO THOSE IN CLASS (B3) IN THAT NO ADDITIONAL
ARCHITECTURAL FEATURES OR POLICY REQUIREMENTS ARE
ADDED. THE DISTINGUISHING FEATURE OF SYSTEMS IN
THIS CLASS IS THE ANALYSIS DERIVED FROM FORMAL
DESIGN SPECIFICATION AND VERIFICATION TECHNIQUES
AND THE RESULTING HIGH DEGREE OF ASSURANCE THAT
THE NTCB IS CORRECTLY IMPLEMENTED. THIS ASSURANCE
IS DEVELOPMENTAL IN NATURE, STARTING WITH A FORMAL
MODEL OF THE SECURITY POLICY AND A FORMAL TOP-
LEVEL SPECIFICATION (FTLS) OF THE DESIGN.
INDEPENDENT OF THE PARTICULAR SPECIFICATION
LANGUAGE OR VERIFICATION SYSTEM USED, THERE ARE
FIVE IMPORTANT CRITERIA FOR CLASS (A1) DESIGN
VERIFICATION:
+ A FORMAL MODEL OF THE SECURITY POLICY MUST BE
CLEARLY IDENTIFIED AND DOCUMENTED, INCLUDING A
MATHEMATICAL PROOF THAT THE MODEL IS CONSISTENT
WITH ITS AXIOMS AND IS SUFFICIENT TO SUPPORT THE
SECURITY POLICY.
+ AN FTLS MUST BE PRODUCED THAT INCLUDES ABSTRACT
DEFINITIONS OF THE FUNCTIONS THE NTCB PERFORMS
AND OF THE HARDWARE AND/OR FIRMWARE MECHANISMS
THAT ARE USED TO SUPPORT SEPARATE EXECUTION
DOMAINS.
+ THE FTLS OF THE NTCB MUST BE SHOWN TO BE CON-
SISTENT WITH THE MODEL BY FORMAL TECHNIQUES WHERE
POSSIBLE (I.E., WHERE VERIFICATION TOOLS EXIST)
AND INFORMAL ONES OTHERWISE.
+ THE NTCB IMPLEMENTATION (I.E., IN HARDWARE,
FIRMWARE, AND SOFTWARE) MUST BE INFORMALLY SHOWN
TO BE CONSISTENT WITH THE FTLS. THE ELEMENTS OF
THE FTLS MUST BE SHOWN, USING INFORMAL TECH-
NIQUES, TO CORRESPOND TO THE ELEMENTS OF THE
NTCB. THE FTLS MUST EXPRESS THE UNIFIED PROTEC-
TION MECHANISM REQUIRED TO SATISFY THE SECURITY
POLICY, AND IT IS THE ELEMENTS OF THIS PROTECTION
MECHANISM THAT ARE MAPPED TO THE ELEMENTS OF THE
NTCB.
+ FORMAL ANALYSIS TECHNIQUES MUST BE USED TO IDEN-
TIFY AND ANALYZE COVERT CHANNELS. INFORMAL TECH-
NIQUES MAY BE USED TO IDENTIFY COVERT TIMING
CHANNELS. THE CONTINUED EXISTENCE OF IDENTIFIED
COVERT CHANNELS IN THE SYSTEM MUST BE JUSTIFIED.
IN KEEPING WITH THE EXTENSIVE DESIGN AND DEVELOP-
MENT ANALYSIS OF THE NTCB REQUIRED OF SYSTEMS IN
CLASS (A1), MORE STRINGENT CONFIGURATION MANAGE-
MENT IS REQUIRED AND PROCEDURES ARE ESTABLISHED
FOR SECURELY DISTRIBUTING THE SYSTEM TO SITES. A
SYSTEM SECURITY ADMINISTRATOR IS SUPPORTED.
THE FOLLOWING ARE MINIMAL REQUIREMENTS FOR SYSTEM
ASSIGNED A CLASS (A1) RATING:
+ Statement from DoD 5200.28-STD
+ Interpretation
The network sponsor shall describe the overall network
cy is an access control policy having two primary com-
include a discretionary policy for protecting the informa-
tion being processed based on the authorizations of indivi-
cy statement shall describe the requirements on the network
to prevent or detect "reading or destroying" sensitive
information by unauthorized users or errors. The mandatory
that it supports. For the Class B1 or above the mandatory
information that reflects its sensitivity with respect to
ciated with users to reflect their authorization to access
that are not authorized to use the network at all (e.g., a
user attempting to use a passive or active wire tap) or a
legitimate user of the network who is not authorized to
access a specific piece of information being protected.
Note that "users" does not include "operators," "system
officers," and other system support personnel. They are
Manual and the System Architecture requirements. Such indi-
viduals may change the system parameters of the network sys-
tem, for example, by defining membership of a group. These
individuals may also have the separate role of users.
SECRECY POLICY: The network sponsor shall define the
form of the discretionary and mandatory secrecy
policy that is enforced in the network to prevent
unauthorized users from reading the sensitive infor-
mation entrusted to the network.
DATA INTEGRITY POLICY: The network sponsor shall
define the discretionary and mandatory integrity
policy to prevent unauthorized users from modifying,
viz., writing, sensitive information. The defini-
tion of data integrity presented by the network
sponsor refers to the requirement that the informa-
tion has not been subjected to unauthorized modifi-
cation in the network. The mandatory integrity pol-
icy enforced by the NTCB cannot, in general, prevent
modification while information is being transmitted
between components. However, an integrity sensi-
tivity label may reflect the confidence that the
information has not been subjected to transmission
errors because of the protection afforded during
transmission. This requirement is distinct from the
requirement for label integrity.
+ Rationale
The word "sponsor" is used in place of alternatives
(such as "vendor," "architect," "manufacturer," and
"developer") because the alternatives indicate people who
may not be available, involved, or relevant at the time that
a network system is proposed for evaluation.
A trusted network is able to control both the reading
and writing of shared sensitive information. Control of
tion. A network normally is expected to have policy require-
ments to protect both the secrecy and integrity of the
information entrusted to it. In a network the integrity is
frequently as important or more important than the secrecy
to be enforced by the network must be stated for each net-
the policy is faithfully enforced is reflected in the
evaluation class of the network.
This control over modification is typically used to
control the potential harm that would result if the informa-
tion were corrupted. The overall network policy require-
ments for integrity includes the protection for data both
transmitted in the network. The access control policy
enforced by the NTCB relates to the access of subjects to
objects within each component. Communications integrity
addressed within Part II relates to information while being
transmitted.
The mandatory integrity policy (at class B1 and above)
in some architectures may be useful in supporting the link-
age between the connection oriented abstraction introduced
in the Introduction and the individual components of the
network. For example, in a key distribution center for
end-to-end encryption, a distinct integrity category may be
assigned to isolate the key generation code and data from
The mandatory integrity policy for some architecture
may define an integrity sensitivity label that reflects the
been subject to random errors in excess of a stated limit
nor to unauthorized message stream modification (MSM)-.
The specific metric associated with an integrity sensitivity
label will generally reflect the intended applications of
the network.
+ Statement from DoD 5200.28-STD
The TCB shall define and control access between named users
and named objects (e.g., files and programs) in the ADP sys-
tem. The enforcement mechanism (e.g., access control lists)
objects and shall provide controls to limit propagation of
access rights. The discretionary access control mechanism
that objects are protected from unauthorized access. These
access controls shall be capable of specifying, for each
named object, a list of named individuals and a list of
access to that object. Furthermore, for each such named
object, it shall be possible to specify a list of named
individuals and a list of groups of named individuals for
to an object by users not already possessing access
_________________________
- See Voydock, Victor L. and Stephen T. Kent, "Secu-
+ Interpretation
The discretionary access control (DAC) mechanism(s) may
be distributed over the partitioned NTCB in various ways.
Some part, all, or none of the DAC may be implemented in a
no subjects acting as direct surrogates for users), such as
a public network packet switch, might not implement the DAC
mechanism(s) directly (e.g., they are unlikely to contain
access control lists).
Identification of users by groups may be achieved in
various ways in the networking environment. For example,
the network identifiers (e.g., internet addresses) for vari-
ous components (e.g., hosts, gateways) can be used as iden-
tifiers of groups of individual users (e.g., "all users at
Host A," "all users of network Q") so long as the individu-
als involved in the group are implied by the group identif-
er. For example, Host A might employ a particular group-id,
for which it maintains a list of explicit users in that
the group-id under the conditions of this interpretation.
For networks, individual hosts will impose need-to-know
controls over their users on the basis of named individuals
- much like (in fact, probably the same) controls used when
there is no network connection.
When group identifiers are acceptable for access con-
trol, the identifier of some other host may be employed, to
eliminate the maintenance that would be required if indivi-
C2 and higher, however, it must be possible from that audit
exactly the individuals represented by a group identifier at
the time of the use of that identifier. There is allowed to
be an uncertainty because of elapsed time between changes in
the group membership and the enforcement in the access con-
trol mechanisms.
The DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
all the physical resources of the system and from them
creates the abstraction of subjects and objects that it con-
trols. Some of these subjects and objects may be used to
implement a part of the NTCB. When the DAC mechanism is
Assurance section) for the design and implementation of the
DAC shall be those of class C2 for all networks of class C2
or above.
When integrity is included as part of the network dis-
cretionary security policy, the above interpretations shall
be specifically applied to the controls over modification,
viz, the write mode of access, within each component based
on identified users or groups of users.
+ Rationale
In this class, the supporting elements of the overall
DAC mechanism are required to isolate information (objects)
that supports DAC so that it is subject to auditing require-
ments (see the System Architecture section). The use of
network identifiers to identify groups of individual users
could be implemented, for example, as an X.25 community of
interest in the network protocol layer (layer 3). In all
other respects, the supporting elements of the overall DAC
mechanism are treated exactly as untrusted subjects are
treated with respect to DAC in an ADP system, with the same
A typical situation for DAC is that a surrogate process
for a remote user will be created in some host for access to
objects under the control of the NTCB partition within that
assigned and maintained for each such process by the NTCB,
tially the same discretionary controls as access by a pro-
cess acting on behalf of a local user would be. However,
tions of the assigned user identification is permitted.
The most obvious situation would exist if a global
able on demand to every host, (i.e., a name server existed)
It is also acceptable, however, for some NTCB parti-
tions to maintain a database of locally-registered users for
its own use. In such a case, one could choose to inhibit
the creation of surrogate processes for locally unregistered
users, or (if permitted by the local policy) alternatively,
to permit the creation of surrogate processes with
identify the process as executing on behalf of a member of a
the words concerning audit in the interpretation is to pro-
vide a minimally acceptable degree of auditability for cases
be a capability, using the audit facilities provided by the
network NTCB partitions involved, to determine who was
logged in at the actual host of the group of remote users at
the time the surrogate processing occurred.
Associating the proper user id with a surrogate process
is the job of identification and authentication. This means
that DAC is applied locally, with respect to the user id of
the surrogate process. The transmission of the data back
across the network to the user's host, and the creation of a
copy of the data there, is not the business of DAC.
Components that support only internal subjects impact
the implementation of the DAC by providing services by which
information (e.g., a user-id) is made available to a com-
file at Host B. The DAC decision might be (and usually
ted from Host A to Host B.
Unique user identification may be achieved by a variety
of mechanisms, including (a) a requirement for unique iden-
tification and authentication on the host where access takes
addresses authenticated by another host and forwarded to the
of a network-wide unique personnel identifier that could be
authenticated and forwarded by another host as in (b) above,
or could be authenticated and forwarded by a dedicated net-
cols which implement (b) or (c) are subject to the System
Architecture requirements.
Network support for DAC might be handled in other ways
than that described as "typical" above. In particular, some
form of centralized access control is often proposed. An
access control center may make all decisions for DAC, or it
may share the burden with the hosts by controlling host-to-
to their objects by users at a limited set of remote hosts.
between the connection oriented abstraction (as discussed in
the Introduction) and the overall network security policy
for DAC. In all cases the enforcement of the decision must
be provided by the host where the object resides.
There are two forms of distribution for the DAC mechan-
ism: implementing portions of the DAC in separate com-
the NTCB partition in a component. Since "the ADP system"
is understood to be "the computer network" as a whole, each
network component is responsible for enforcing security in
the mechanisms allocated to it to ensure secure implementa-
tion of the network security policy. For traditional host
a few approaches, such as virtual machine monitors, support
DAC outside this interface.
In contrast to the universally rigid structure of man-
DAC policies tend to be very network and system specific,
For networks it is common that individual hosts will impose
controls over their local users on the basis of named
individuals, much like the controls used when there is no
network connection. However, it is difficult to manage in a
centralized manner all the individuals using a large net-
together so that the controls required by the network DAC
other components. A gateway is an example of such a com-
The assurance requirements are at the very heart of the
concept of a trusted system. It is the assurance that
environment, as reflected, for example, in the Environments
Guideline-. In the case of monolithic systems that have DAC
integral to the reference monitor, the assurance require-
ments for DAC are inseparable from those of the rest of the
clearer distinction due to distributed DAC. The rationale
for making the distinction in this network interpretation is
that if major trusted network components can be made signi-
ficantly easier to design and implement without reducing the
ability to meet security policy, then trusted networks will
be more easily available.
+ Statement from DoD 5200.28-STD
All authorizations to the information contained within a
allocation or reallocation to a subject from the TCB's pool
of unused storage objects. No information, including
encrypted representations of information, produced by a
that obtains access to an object that has been released back
to the system.
+ Interpretation
The NTCB shall ensure that any storage objects that it
controls (e.g., message buffers under the control of a NTCB
access. This requirement must be enforced by each of the
NTCB partitions.
_________________________
- Guidance for Applying the Department of Defense
Trusted Computer System Evaluation Criteria in Specific
Environments, CSC-STD-003-85.
+ Rationale
In a network system, storage objects of interest are
things that the NTCB directly controls, such as message
buffers in components. Each component of the network system
must enforce the object reuse requirement with respect to
the storage objects of interest as determined by the network
be under the control of the NTCB partition. A buffer
assigned to an internal subject may be reused at the discre-
tion of that subject which is responsible for preserving the
integrity of message streams. Such controlled objects may
be implemented in physical resources, such as buffers, disk
network switches.
+ Statement from DoD 5200.28-STD
Sensitivity labels associated with each ADP system resource
(e.g., subject, storage object, ROM) that is directly or
indirectly accessible by subjects external to the TCB shall
be maintained by the TCB. These labels shall be used as the
basis for mandatory access control decisions. In order to
import non-labeled data, the TCB shall request and receive
from an authorized user the sensitivity level of the data,
and all such actions shall be auditable by the TCB.
+ Interpretation
Non-labeled data imported under the control of the NTCB
labels of the single-level device used to import it. Labels
may include secrecy and integrity- components in accordance
network sponsor. Whenever the term "label" is used
throughout this interpretation, it is understood to include
both components as applicable. Similarly, the terms
"single-level" and "multilevel" are understood to be based
on both the secrecy and integrity components of the policy.
The mandatory integrity policy will typically have require-
ments, such as the probability of undetected message stream
modification, that will be reflected in the label for the
integrity label may be assigned based on mechanisms, such as
cryptography, used to provide the assurance required by the
tected from tampering and are always invoked when they are
_________________________
- See, for example, Biba, K.J., "Integrity Considera-
tion for Secure Computer Systems," ESD-TR-76-372, MTR-
the basis for a label.
If the security policy includes an integrity policy,
all activities that result in message-stream modification
violation of the integrity policy. The NTCB shall have an
automated capability for testing, detecting, and reporting
those errors/corruptions that exceed specified network
integrity policy requirements. Message-stream modification
(MSM) countermeasures shall be identified. A technology of
adequate strength shall be selected to resist MSM. If
encryption methodologies are employed, they shall be
approved by the National Security Agency.
All objects must be labeled within each component of
the network that is trusted to maintain separation of multi-
objects associated with single-level components will be
identical to the level of that component. Objects used to
tures, such as routing tables, must be labeled to prevent
unauthorized access and/or modification.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system and partitioned NTCB as
multilevel device is regarded as a trusted subject in which
the security range of the subject is the minimum-maximum
ce.
The sensitivity labels for either secrecy or integrity
or both may reflect non-hierarchical categories or hierarch-
ical classification or both.
For a network it is necessary that this requirement be
applied to all network system resources at the (B2) level
and above.
The NTCB is responsible for implementing the network
integrity policy, when one exists. The NTCB must enforce
that policy by ensuring that information is accurately
transmitted from source to destination (regardless of the
number of intervening connecting points). The NTCB must be
able to counter equipment failure, environmental disrup-
tions, and actions by persons and processes not authorized
to alter the data. Protocols that perform code or format
conversion shall preserve the integrity of data and control
information.
The probability of an undetected transmission error may
be specified as part of the network security policy so that
the acceptability of the network for its intended
application may be determined. The specific metrics (e.g.,
associated with the data while it is processed within a com-
operational environments (e.g., crisis as compared to logis-
tic) will have different integrity requirements.
The network shall also have an automated capability of
testing for, detecting, and reporting errors that exceed a
threshold consistent with the operational mode requirements.
The effectiveness of integrity countermeasures must be esta-
blished with the same rigor as the other security-relevant
Cryptography is often utilized as a basis to provide
Detection Codes (MDC)-, may be used. The adequacy of the
encryption or MDC algorithm, the correctness of the protocol
logic, and the adequacy of implementation must be esta-
blished in MSM countermeasures design.
+ Statement from DoD 5200.28-STD
Sensitivity labels shall accurately represent sensitivity
levels of the specific subjects or objects with which they
are associated. When exported by the TCB, sensitivity
labels shall accurately and unambiguously represent the
internal labels and shall be associated with the information
being exported.
+ Interpretation
The phrase "exported by the TCB" is understood to
include transmission of information from an object in one
component to an object in another component. Information
transferred between NTCB partitions is addressed in the Sys-
tem Integrity Section. The form of internal and external
(exported) sensitivity labels may differ, but the meaning
correct association of sensitivity labels with the informa-
tion being transported across the network is preserved.
As mentioned in the Trusted Facility Manual Section,
encryption transforms the representation of information so
that it is unintelligible to unauthorized subjects.
Reflecting this transformation, the sensitivity level of the
ciphertext is generally lower than the cleartext. It fol-
lows that cleartext and ciphertext are contained in
_________________________
- See Jueneman, R. R., "Electronic Document Authenti-
cation," IEEE Network Magazine, April 1987, pp 17-23.
of the cleartext must be preserved and associated with the
ciphertext so that it can be restored when the cleartext is
cleartext is associated with a single-level device, the
label of that cleartext may be implicit. The label may also
be implicit in the key.
When information is exported to an environment where it
is subject to deliberate or accidental modification, the TCB
assure the accuracy of the labels. When there is a manda-
tory integrity policy, the policy will define the meaning of
integrity labels.
+ Rationale
Encryption algorithms and their implementation are out-
may be implemented in a separate device or may be incor-
encryption mechanism herein. If encryption methodologies are
employed in this regard, they shall be approved by the
National Security Agency (NSA). The encryption process is
components in which it is implemented.
The encryption mechanism is not necessarily a mul-
tilevel device or multilevel subject, as these terms are
used in these criteria. The process of encryption is mul-
tilevel by definition. The cleartext and ciphertext inter-
faces carry information of different sensitivity. An
encryption mechanism does not process data in the sense of
ciphertext interfaces on the encryption mechanism must be
the data is established by a trusted individual and impli-
citly associated with the interface; the Exportation to
Single-Level Devices criterion applies.
If the interface is multilevel, then the data must be
labeled; the Exportation to Multilevel Devices criterion
applies. The network architect is free to select an accept-
able mechanism for associating a label with an object. With
the object.
through the encryption key. That is, the encryption
key uniquely identifies a sensitivity level. A sin-
gle or private key must be protected at the level of
the data that it encrypts.
+ Statement from DoD 5200.28-STD
The TCB shall designate each communication channel and I/O
this designation shall be done manually and shall be audit-
able by the TCB. The TCB shall maintain and be able to
audit any change in the sensitivity level or levels associ-
ated with a communications channel or I/O device.
+ Interpretation
Each communication channel and network component shall
be designated as either single-level or multilevel. Any
change in this designation shall be done with the cognizance
and approval of the administrator or security officer in
charge of the affected components and the administrator or
be auditable by the network. The NTCB shall maintain and be
able to audit any change in the device labels associated
ciated with a multilevel communication channel or component.
The NTCB shall also be able to audit any change in the set
of sensitivity levels associated with the information which
can be transmitted over a multilevel communication channel
or component.
+ Rationale
Communication channels and components in a network are
analogous to communication channels and I/O devices in
tilevel (i.e., able to distinguish and maintain separation
among information of various sensitivity levels) or single-
level. As in the TCSEC, single-level devices may only be
attached to single-level channels.
The level or set of levels of information that can be
only change with the knowledge and approval of the security
officers (or system administrator, if there is no security
officer) of the network, and of the affected components.
This requirement ensures that no significant security-
affected parties.
+ Statement from DoD 5200.28-STD
When the TCB exports an object to a multilevel I/O device,
the sensitivity label associated with that object shall also
be exported and shall reside on the same physical medium as
the exported information and shall be in the same form
(i.e., machine-readable or human-readable form). When the
TCB exports or imports an object over a multilevel communi-
cations channel, the protocol used on that channel shall
labels and the associated information that is sent or
+ Interpretation
The components, including hosts, of a network shall be
interconnected over "multilevel communication channels,"
multiple single-level communication channels, or both, when-
ever the information is to be protected at more than a sin-
the only information needed to correctly associate a sensi-
tivity level with the exported information transferred over
the multilevel channel between the NTCB partitions in indi-
vidual components. This protocol definition must specify the
(i.e., the machine-readable label must uniquely represent
the sensitivity level).
The "unambiguous" association of the sensitivity level
of accuracy as that required for any other label within the
NTCB, as specified in the criterion for Label Integrity.
This may be provided by protected and highly reliable direct
link protection in which any errors during transmission can
be readily detected, or by use of a separate channel. The
+ Rationale
This protocol must specify the representation and
Access Control Policies section in Appendix B. The mul-
tilevel device interface to (untrusted) subjects may be
implemented either by the interface of the reference moni-
tor, per se, or by a multilevel subject (e.g., a "trusted
vides the labels based on the internal labels of the NTCB
The current state of the art limits the support for
mandatory policy that is practical for secure networks.
Reference monitor support to ensure the control over all the
operations of each subject in the network must be completely
invoked by this subject must be contained in the same
component.
The secure state of an NTCB partition may be affected
by events external to the component in which the NTCB parti-
tion resides (e.g., arrival of a message). The effect
occurs asynchronously after being initiated by an event in
another component or partition. For example, indeterminate
component, the arrival of the message in the NTCB partition
in another component, and the corresponding change to the
is executing concurrently; to do otherwise would require
ably not even desirable. Therefore, the interaction between
NTCB partitions is restricted to just communications between
the device(s) can send/receive data of more than a single
level. For broadcast channels the pairs are the sender and
intended receiver(s). However, if the broadcast channel
carries multiple levels of information, additional mechanism
(e.g., cryptochecksum maintained by the TCB) may be required
to enforce separation and proper delivery.
A common representation for sensitivity labels is
needed in the protocol used on that channel and understood
by both the sender and receiver when two multilevel devices
(in this case, in two different components) are intercon-
nected. Each distinct sensitivity level of the overall net-
Within a monolithic TCB, the accuracy of the sensi-
tivity labels is generally assured by simple techniques,
e.g., very reliable connections over very short physical
connections, such as on a single printed circuit board or
over an internal bus. In many network environments there is
a much higher probability of accidentally or maliciously
introduced errors, and these must be protected against.
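As an added example (not the document's or any vendor's code), a constructed wire format in which a sensitivity label is exported alongside the object over a multilevel channel and a keyed cryptochecksum (HMAC-SHA256) binds the two, so that the receiving NTCB partition detects a modified label or payload rather than accepting a mislabeled object; the header layout, level and category codes and the key are assumptions.

```python
"""Added example (not NCSC-TG-005 code): exporting an object with its
sensitivity label over a multilevel channel, with a keyed cryptochecksum
covering label and data together.  Header layout and codes are constructed."""
import hashlib
import hmac
import struct
from typing import FrozenSet, Tuple

# Constructed machine-readable label encoding.  Each level name maps to
# exactly one code so the exported label is unambiguous.
LEVEL_CODES = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
CODE_LEVELS = {v: k for k, v in LEVEL_CODES.items()}
CATEGORY_BITS = {"NATO": 0x1, "CRYPTO": 0x2, "NOFORN": 0x4}
ALL_CATEGORY_BITS = 0x7

# Header: version(1) | secrecy level code(1) | category bitmask(2) | data length(4)
HEADER = struct.Struct("!BBHI")
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_label(level: str, categories) -> Tuple[int, int]:
    mask = 0
    for c in categories:
        mask |= CATEGORY_BITS[c]          # KeyError for an unknown category
    return LEVEL_CODES[level], mask


def decode_label(code: int, mask: int) -> Tuple[str, FrozenSet[str]]:
    # Reject anything that does not map to exactly one defined level/category.
    if code not in CODE_LEVELS:
        raise ValueError("exported level code is not representable")
    if mask & ~ALL_CATEGORY_BITS:
        raise ValueError("undefined category bit in exported label")
    cats = frozenset(n for n, b in CATEGORY_BITS.items() if mask & b)
    return CODE_LEVELS[code], cats


def export_object(key: bytes, level: str, categories, data: bytes) -> bytes:
    """Sending partition: the label travels with the data and the MAC
    covers header and data, so neither can be altered independently."""
    code, mask = encode_label(level, categories)
    header = HEADER.pack(1, code, mask, len(data))
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag


def import_object(key: bytes, frame: bytes) -> Tuple[str, FrozenSet[str], bytes]:
    """Receiving partition: return (level, categories, data), or raise
    ValueError when the label/data association cannot be trusted."""
    if len(frame) < HEADER.size + MAC_LEN:
        raise ValueError("truncated frame")
    header = frame[:HEADER.size]
    version, code, mask, length = HEADER.unpack(header)
    if version != 1:
        raise ValueError("unsupported protocol version")
    body_end = HEADER.size + length
    if len(frame) != body_end + MAC_LEN:
        raise ValueError("length field does not match frame")
    data, tag = frame[HEADER.size:body_end], frame[body_end:]
    expected = hmac.new(key, header + data, hashlib.sha256).digest()
    # Verify the cryptochecksum before interpreting anything else.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cryptochecksum mismatch: label or data modified")
    level, cats = decode_label(code, mask)
    return level, cats, data


if __name__ == "__main__":
    key = b"constructed-demo-key"            # assumption: shared by both partitions
    frame = export_object(key, "SECRET", ["NATO"], b"constructed payload")
    print(import_object(key, frame))
    downgraded = frame[:1] + b"\x00" + frame[2:]   # label byte altered in transit
    try:
        import_object(key, downgraded)
    except ValueError as e:
        print("rejected:", e)
```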
+ Statement from DoD 5200.28-STD
Single-level I/O devices and single-level communication
channels are not required to maintain the sensitivity labels
of the information they process. However, the TCB shall
include a mechanism by which the TCB and an authorized user
level of information imported or exported via single-level
communication channels or I/O devices.
+ Interpretation
Whenever one or both of two directly connected com-
information of different sensitivity levels, or whenever the
two directly connected components have only a single sensi-
tivity level in common, the two components of the network
components and single-level communication channels are not
tion they process. However, the NTCB shall include a reli-
able communication mechanism by which the NTCB and an
authorized user (via a trusted path) or a subject within an
NTCB partition can designate the single sensitivity level of
information imported or exported via single-level communica-
tion channels or network components. The level of informa-
tion communicated must equal the device level.
+ Rationale
Single-level communications channels and single-level
components in networks are analogous to single level chan-
nels and I/O devices in stand-alone systems in that they are
not trusted to maintain the separation of information of
are therefore implicit; the NTCB associates labels with the
explicit part of the bit stream. Note that the sensitivity
level of encrypted information is the level of the cipher-
text rather than the original level(s) of the plaintext.
+ Statement from DoD 5200.28-STD
The ADP system administrator shall be able to specify the
labels. The TCB shall mark the beginning and end of all
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the output. The TCB
output) with human-readable sensitivity labels that prop-
erly1 represent the sensitivity of the page. The TCB shall,
by default and in an appropriate manner, mark other forms of
_________________________
formation in the output that the labels refer to; the
non-hierarchical category component shall include all
of the non-hierarchical categories of the information
in the output the labels refer to, but no other non-
+ Interpretation
This criterion imposes no requirement to a component
that produces no human-readable output. For those that do
is defined to the network shall have a uniform meaning
across all components. The network administrator, in con-
able to specify the human-readable label that is associated
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system and
tions.
+ Statement from DoD 5200.28-STD
The TCB shall immediately notify a terminal user of each
change in the sensitivity level associated with that user
able to query the TCB as desired for a display of the
+ Interpretation
An NTCB partition shall immediately notify a terminal
user attached to its component of each change in the sensi-
tivity level associated with that user.
+ Rationale
The local NTCB partition must ensure that the user
understands the sensitivity level of information sent to and
from a terminal. When a user has a surrogate process in
another component, adjustments to its level may occur to
maintain communication with the user. These changes may
occur asynchronously. Such adjustments are necessitated by
mandatory access control as applied to the objects involved
in the communication path.
+ Statement from DoD 5200.28-STD
The TCB shall support the assignment of minimum and maximum
+ Interpretation
This requirement applies as written to each NTCB parti-
tion that is trusted to separate information based on sensi-
tivity level. Each I/O device in a component, used for com-
munication with other network components, is assigned a dev-
ice range, consisting of a set of labels with a maximum and
minimum. (A device range usually contains, but does not
necessarily contain, all possible labels "between" the max-
imum and minimum, in the sense of dominating the minimum and
being dominated by the maximum.)
The NTCB always provides an accurate label for informa-
tion exported through devices. Information exported or
imported using a single-level device is labelled implicitly
by the sensitivity level of the device. Information
exported from one multilevel device and imported at another
must be labelled through an agreed-upon protocol, unless it
is labelled implicitly by using a communication link that
always carries a single level.
Information exported at a given sensitivity level can
be sent only to an importing device whose device range con-
tains that level or a higher level. If the importing device
importing device range. Relabelling should not occur other-
+ Rationale
The purpose of device labels is to reflect and con-
the physical environment in which the devices are located.
The information transfer restrictions permit one-way
communication (i.e., no acknowledgements) from one device to
another whose ranges have no level in common, as long as
each level in the sending device range is dominated by some
level in the receiving device range. It is never permitted
to send information at a given level to a device whose range
view.)
+ Statement from DoD 5200.28-STD
The TCB shall enforce a mandatory access control policy over
all resources (i.e., subjects, storage objects, and I/O dev-
ices) that are directly or indirectly accessible by subjects
external to the TCB. These subjects and objects shall be
assigned sensitivity labels that are a combination of
categories, and the labels shall be used as the basis for
mandatory access control decisions. The TCB shall be able
to support two or more such sensitivity levels. (See the
Mandatory Access Control interpretations.) The following
indirectly accessible by these subjects. A subject can
the subject's sensitivity level is greater than or equal to
the hierarchical classification of the object's sensitivity
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. A subject can
the subject's sensitivity level is less than or equal to the
level and the non-hierarchical categories in the subject's
categories in the object's sensitivity level. Identification
and authentication data shall be used by the TCB to authen-
ticate the user's identity and to ensure that the sensi-
tivity level and authorization of subjects external to the
TCB that may be created to act on behalf of the individual
user are dominated by the clearance and authorization of
that user.
+ Interpretation
Each partition of the NTCB exercises mandatory access
control policy over all subjects and objects in its com-
tion encompasses all mandatory access control functions in
its component that would be required of a TCB in a stand-
alone system. In particular, subjects and objects used for
communication with other components are under the control of
the NTCB partition. Mandatory access control includes
cy.
Conceptual entities associated with communication
between two components, such as sessions, connections and
virtual circuits, may be thought of as having two ends, one
in each component, where each end is represented by a local
object. Communication is viewed as an operation that copies
information from an object at one end of a communication
entities, such as datagrams and packets, exist either as
information within other objects, or as a pair of objects,
one at each end of the communication path.
The requirement for "two or more" sensitivity levels
can be met by either secrecy or integrity levels. When
there is a mandatory integrity policy, the stated require-
ments for reading and writing are generalized to: A subject
can read an object only if the subject's sensitivity level
inates the subject's sensitivity level. Based on the
integrity policy, the network sponsor shall define the domi-
nance relation for the total label, for example, by combin-
ing secrecy and integrity lattices. -
+ Rationale
An NTCB partition can maintain access control only over
above, the NTCB partition must maintain access control over
all subjects and objects in its component. Access by a sub-
in another component requires the creation of a subject in
the remote component which acts as a surrogate for the first
The mandatory access controls must be enforced at the
interface of the reference monitor (viz. the mechanism that
controls physical processing resources) for each NTCB parti-
tion. This mechanism creates the abstraction of subjects
and objects which it controls. Some of these subjects out-
implement part of an NTCB partition's mandatory policy,
e.g., by using the "trusted subjects" defined in the Bell-
LaPadula model.
The prior requirements on exportation of labeled infor-
mation to and from I/O devices ensure the consistency
between the sensitivity labels of objects connected by a
communication path. As noted in the introduction, the net-
overall mandatory network security policy and the connection
oriented abstraction. For example, individual data-carrying
entities such as datagrams can have individual sensitivity
labels that subject them to mandatory access control in each
component. The abstraction of a single-level connection is
connection is realized by single-level subjects that neces-
The fundamental trusted systems technology permits the
DAC mechanism to be distributed, in contrast to the require-
ments for mandatory access control. For networks this
_________________________
- See, for example, Grohn, M. J., A Model of a Pro-
tected Data Management System, ESD-TR-76-289, I. P.
Sharp Assoc. Ltd., June, 1976; and Denning, D. E.,
Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M.
and Shockley, W., Secure Distributed Data Views, Secu-
el Secure Relational Database System, SRI International,
November 1986.
the exception.
The set of total sensitivity labels used to represent
all the sensitivity levels for the mandatory access control
(combined data secrecy and data integrity) policy always
forms a partially ordered set. Without loss of generality,
this set of labels can always be extended to form a lattice,
by including all the combinations of non-hierarchical
categories. As for any lattice, a dominance relation is
always defined for the total sensitivity labels. For admin-
istrative reasons it may be helpful to have a maximum level
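The device-range rules of the Device Labels interpretation above, together with the read/write rules and the combined secrecy/integrity lattice discussed under Mandatory Access Control, as one added Python example (not from the TNI and not any product's code): a label is a hierarchical level plus non-hierarchical categories, dominance is the lattice order, a total label pairs a secrecy label with an integrity label under one sponsor-style dominance relation, and a device range is a set of labels with a unique maximum and minimum that need not contain every label in between. The class and function names, and the choice of ordering integrity in the opposite direction from secrecy, are this example's assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus non-hierarchical categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level and a superset of categories.
        return self.level >= other.level and self.categories >= other.categories

    def join(self, other: "Label") -> "Label":
        # Least upper bound: the higher level and the union of categories.
        return Label(max(self.level, other.level), self.categories | other.categories)


def lattice_closure(levels: Iterable[int], categories: Iterable[str]) -> Set[Label]:
    """Every level paired with every combination of categories: the extension
    that turns a partially ordered set of labels into a lattice."""
    cats = sorted(categories)
    return {Label(lv, frozenset(c)) for lv in levels
            for r in range(len(cats) + 1) for c in combinations(cats, r)}


def is_join_closed(labels: Set[Label]) -> bool:
    """True when every pair's join lies in the set. For a finite set that
    contains a least label this is enough for the set to be a lattice."""
    return all(a.join(b) in labels for a in labels for b in labels)


@dataclass(frozen=True)
class TotalLabel:
    """Secrecy and integrity labels combined. The dominance relation below is
    one sponsor-definable choice: secrecy ordered upward, integrity downward
    (assumption of this example)."""
    secrecy: Label
    integrity: Label

    def dominates(self, other: "TotalLabel") -> bool:
        return (self.secrecy.dominates(other.secrecy)
                and other.integrity.dominates(self.integrity))


def can_read(subject: TotalLabel, obj: TotalLabel) -> bool:
    # Read only if the subject's total label dominates the object's.
    return subject.dominates(obj)


def can_write(subject: TotalLabel, obj: TotalLabel) -> bool:
    # Write only if the object's total label dominates the subject's.
    return obj.dominates(subject)


@dataclass(frozen=True)
class DeviceRange:
    """Labels a device may carry: a set with a unique maximum and minimum
    that need not contain every label 'between' them."""
    labels: FrozenSet[Label]

    def __post_init__(self):
        if not self.labels or self.maximum() is None or self.minimum() is None:
            raise ValueError("device range needs a unique maximum and minimum")

    def maximum(self) -> Optional[Label]:
        tops = [x for x in self.labels if all(x.dominates(y) for y in self.labels)]
        return tops[0] if len(tops) == 1 else None

    def minimum(self) -> Optional[Label]:
        bottoms = [x for x in self.labels if all(y.dominates(x) for y in self.labels)]
        return bottoms[0] if len(bottoms) == 1 else None


def may_export(level: Label, importer: DeviceRange) -> bool:
    """Information at `level` may be sent only to a device whose range holds
    that level or one dominating it."""
    return any(x.dominates(level) for x in importer.labels)


def one_way_allowed(sender: DeviceRange, receiver: DeviceRange) -> bool:
    """One-way traffic (no acknowledgements) is permitted even when the two
    ranges share no level, provided each level in the sender's range is
    dominated by some level in the receiver's range."""
    return all(may_export(x, receiver) for x in sender.labels)
```

lattice_closure shows the extension the text mentions: a label set such as {U, C-A, C-B} has no join for C-A and C-B, while adding every category combination makes every pair's join present. one_way_allowed captures the case of two ranges with no level in common, where traffic may still go from the lower range to the higher one but not back.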
+ Statement from DoD 5200.28-STD
The TCB shall require users to identify themselves to it
before beginning to perform any other actions that the TCB
is expected to mediate. Furthermore, the TCB shall maintain
authentication data that includes information for verifying
the identity of individual users (e.g., passwords) as well
as information for determining the clearance and authoriza-
tions of individual users. This data shall be used by the
TCB to authenticate the user's identity and to ensure that
the sensitivity level and authorization of subjects external
to the TCB that may be created to act on behalf of the indi-
vidual user are dominated by the clearance and authorization
of that user. The TCB shall protect authentication data so
that it cannot be accessed by any unauthorized user. The
TCB shall be able to enforce individual accountability by
bility of associating this identity with all auditable
actions taken by that individual.
+ Interpretation
The requirement for identification and authentication
of users is the same for a network system as for an ADP sys-
tem. The identification and authentication may be done by
the component to which the user is directly connected or
tication server. Available techniques, such as those
applicable in the network context. However, in cases where
the NTCB is expected to mediate actions of a host (or other
network component) that is acting on behalf of a user or
_________________________
= Department of Defense Password Management Guide-
line, CSC-STD-002-85
authentication of the host (or other component) in lieu of
identification and authentication of an individual user, so
long as the component identifier implies a list of specific
users uniquely associated with the identifier at the time of
its use for authentication. This requirement does not apply
to internal subjects.
Authentication information, including the identity of a
user (once authenticated) may be passed from one component
to another without reauthentication, so long as the NTCB
thorized disclosure and modification. This protection shall
of mechanism) as pertains to the protection of the authenti-
cation mechanism and authentication data.
+ Rationale
The need for accountability is not changed in the con-
text of a network system. The fact that the NTCB is parti-
tioned over a set of components neither reduces the need nor
imposes new requirements. That is, individual accountabil-
ity is still the objective. Also, in the context of a net-
tability" can be satisfied by identification of a host (or
other component) so long as the requirement for traceability
to individual users or a set of specific individual users
uncertainty in traceability because of elapsed time between
changes in the group membership and the enforcement in the
access control mechanisms. In addition, there is no need in
a distributed processing system like a network to reauthen-
ticate a user at each point in the network where a projec-
tion of a user (via the subject operating on behalf of the
user) into another remote subject takes place.
The passing of identifiers and/or authentication infor-
mation from one component to another is usually done in sup-
trol (DAC). This support relates directly to the DAC
ferent NTCB partition than the one where the user was
authenticated. Employing a forwarded identification implies
additional reliance on the source and components along the
basis of determining a sensitivity label for a subject, it
must satisfy the Label Integrity criterion.
An authenticated identification may be forwarded
between components and employed in some component to iden-
tify the sensitivity level associated with a subject created
to act on behalf of the user so identified.
+ Statement from DoD 5200.28-STD
The TCB shall support a trusted communication path between
itself and users for use when a positive TCB-to-user connec-
tion is required (e.g., login, change subject sensitivity
level). Communications via this trusted path shall be
activated exclusively by a user or the TCB and shall be
logically and unmistakably distinguishable from other paths.
+ Interpretation
A trusted path is supported between a user (i.e.,
user is directly connected.
+ Rationale
When a user logs into a remote component, the user id
is transmitted securely between the local and remote NTCB
cation and Authentication.
Trusted Path is necessary in order to assure that the
user is communicating with the NTCB and only the NTCB when
ticate user, set current session sensitivity level). How-
ever, Trusted Path does not address communications within
the NTCB, only communications between the user and the NTCB.
communication then the component need not contain mechanisms
for assuring direct NTCB to user communications.
The requirement for trusted communication between one
NTCB partition and another NTCB partition is addressed in
the System Architecture section. These requirements are
this trusted communication between one NTCB partition and
another NTCB partition will be used in conjunction with the
trusted path to implement trusted communication between the
user and the remote NTCB partition.
+ Statement from DoD 5200.28-STD
The TCB shall be able to create, maintain, and protect from
modification or unauthorized access or destruction an audit
trail of accesses to the objects it protects. The audit
is limited to those who are authorized for audit data. The
TCB shall be able to record the following types of events:
use of identification and authentication mechanisms,
introduction of objects into a user's address space (e.g.,
file open, program initiation), deletion of objects, actions
taken by computer operators and system administrators and/or
events. The TCB shall also be able to audit any override of
the audit record shall identify: date and time of the event,
user, type of event, and success or failure of the event.
For identification/authentication events the origin of
address space and for object deletion events the audit
able to selectively audit the actions of any one or more
users based on individual identity and/or object sensitivity
level. The TCB shall be able to audit the identified
events that may be used in the exploitation of covert
is able to monitor the occurrence or accumulation of secu-
tion of security policy. This mechanism shall be able to
immediately notify the security administrator when thres-
these security relevant events continues, the system shall
take the least disruptive action to terminate the event.
+ Interpretation
This criterion applies as stated. The sponsor must
not distinguishable by the NTCB alone (for example those
identified in Part II), the audit mechanism shall provide an
interface, which an authorized subject can invoke with
audit records shall be distinguishable from those provided
by the NTCB. In the context of a network system, "other
architecture and network security policy) might be as fol-
lows:
lishing a connection or a connectionless association
between processes in two hosts of the network) and
its principal parameters (e.g., host identifiers of
the two hosts involved in the access event and user
identifier or host identifier of the user or host
that is requesting the access event)
each access event using local time or global syn-
chronized time
ditions (e.g., potential violation of data
integrity, such as misrouted datagrams) detected
during the transactions between two hosts
component leaving the network and rejoining)
In addition, identification information should be
included in appropriate audit trail records, as necessary,
to allow association of all related (e.g., involving the
network system may provide the required audit capability
(e.g., storage, retrieval, reduction, analysis) for other
components that do not internally store audit data but
transmit the audit data to some designated collection com-
audit data due to unavailability of resources.
In the context of a network system, the "user's address
events, to include address spaces being employed on behalf
of a remote user (or host). However, the focus remains on
users in contrast to internal subjects as discussed in the
DAC criterion. In addition, audit information must be
The capability must exist to audit the identified
events that may be used in the exploitation of covert
must be able to audit those events locally that may lead to
the exploitation of a covert storage channel which exists
because of the network.
The sponsor shall identify the specific auditable
events that may indicate an imminent violation of security
mulation of such events must be able to notify an appropri-
ate administrator when thresholds are exceeded, and to ini-
tiate actions which will result in termination of the event
if the accumulation continues. For example, when the thres-
is exceeded, login shall be inhibited for a specific time
+ Rationale
For remote users, the network identifiers (e.g., inter-
net address) can be used as identifiers of groups of indivi-
maintenance that would be required if individual identifica-
tion of remote users was employed. In this class (C2), how-
ever, it must be possible to identify (immediately or at
identifier. In all other respects, the interpretation is a
of a network system. Identification of covert channel
events is addressed in the Covert Channel Analysis section.
Because of concurrency and synchronization problems, it
may not be possible to detect in real time the accumulation
of security auditable events that are occurring in different
NTCB partitions. However, each NTCB partition that has been
allocated audit responsibility must have the capability to
tition security administrator and/or the network security
administrator, and to initiate actions which will result in
termination of the event locally.
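The accumulation of security-relevant auditable events, administrator notification when a threshold is exceeded, and the least disruptive local action (inhibiting login for a set time) described in the Audit interpretation above, together with the rationale's point that each NTCB partition detects and acts locally rather than network-wide in real time, as an added Python example (not from the TNI). The audit records, the threshold, the window and the inhibit period are constructed values for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class AuditRecord:
    # Fields the criterion requires of every record: date/time, user,
    # type of event and success or failure; origin for I&A events.
    time: float      # seconds on the local partition's clock
    user: str
    event: str       # e.g. "login"
    success: bool
    origin: str      # host or terminal the request came from


@dataclass
class PartitionAuditMonitor:
    """Per-NTCB-partition accumulation of failed authentications with a
    threshold, a notification to the partition's administrator, and a
    local corrective action when the accumulation continues."""
    partition: str
    threshold: int = 3           # failures inside `window` before notifying
    window: float = 60.0         # seconds over which failures accumulate
    inhibit_for: float = 300.0   # seconds logins from an origin stay inhibited
    notifications: List[str] = field(default_factory=list)
    _failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _inhibited_until: Dict[str, float] = field(default_factory=dict)

    def login_inhibited(self, origin: str, now: float) -> bool:
        return self._inhibited_until.get(origin, 0.0) > now

    def record(self, rec: AuditRecord) -> Optional[str]:
        """Ingest one record and return the action taken, if any."""
        if rec.event != "login" or rec.success:
            return None
        q = self._failures[rec.origin]
        q.append(rec.time)
        # Age out failures older than the window so old noise does not count.
        while q and rec.time - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:
            msg = (f"{self.partition}: {len(q)} failed logins from "
                   f"{rec.origin} within {self.window:.0f}s")
            self.notifications.append(msg)
            return "notify"
        if len(q) > self.threshold:
            # Accumulation continues after notification: take the least
            # disruptive local action, inhibiting logins from that origin.
            self._inhibited_until[rec.origin] = rec.time + self.inhibit_for
            return "inhibit"
        return None


# Constructed audit trail for one partition (not real data).
SAMPLE_RECORDS = [
    AuditRecord(100.0, "alice", "login", False, "host-17"),
    AuditRecord(105.0, "alice", "login", False, "host-17"),
    AuditRecord(110.0, "bob",   "login", True,  "host-22"),
    AuditRecord(112.0, "alice", "login", False, "host-17"),  # third failure: notify
    AuditRecord(120.0, "alice", "login", False, "host-17"),  # continues: inhibit
    AuditRecord(500.0, "carol", "login", False, "host-17"),  # earlier ones aged out
]


def run_sample(records=SAMPLE_RECORDS):
    """Feed the constructed trail through one partition's monitor."""
    mon = PartitionAuditMonitor("partition-A")
    actions = [mon.record(r) for r in records]
    return mon, actions


if __name__ == "__main__":
    mon, actions = run_sample()
    print(actions)
    print(mon.notifications)
    print(mon.login_inhibited("host-17", 130.0), mon.login_inhibited("host-17", 500.0))
```

The monitor is deliberately local to one partition: it never waits for other partitions' records before acting, which is the concurrency point made in the rationale, and a network security administrator can still aggregate the notifications afterwards.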
+ Statement from DoD 5200.28-STD
The TCB shall maintain a domain for its own execution that
by modification of its code or data structures). The TCB
internally structured into well-defined largely independent
modules. It shall make effective use of available hardware
to separate those elements that are protection-critical from
those that are not. The TCB modules shall be designed such
that the principle of least privilege is enforced. Features
in hardware, such as segmentation, shall be used to support
logically distinct storage objects with separate attributes
(namely: readable, writable). The user interface to the TCB
identified. The TCB shall be designed and structured to
use a complete, conceptually simple protection mechanism
a central role in enforcing the internal structuring of the
TCB and the system. The TCB shall incorporate significant
use of layering, abstraction and data hiding. Significant
complexity of the TCB and excluding from the TCB modules
that are not protection-critical.
+ Interpretation
The system architecture criterion must be met individu-
ally by all NTCB partitions. Implementation of the require-
ment that the NTCB maintain a domain for its own execution
is achieved by having each NTCB partition maintain a domain
for its own execution. Since each component is itself a dis-
tinct domain in the overall network system, this also satis-
fies the requirement for process isolation through distinct
address spaces in the special case where a component has
only a single subject.
The NTCB must be internally structured into well-
tion so structured. The NTCB controls all network resources.
These resources are the union of the sets of resources over
inside the NTCB) belonging to different NTCB partitions,
must be protected against external interference or tamper-
ing. For example, a cryptographic checksum or physical
means may be employed to protect user authentication data
exchanged between NTCB partitions.
Each NTCB partition must enforce the principle of least
be structured so that the principle of least privilege is
enforced in the system as a whole.
The NTCB must be designed and structured according to
the network security architecture to use a complete, concep-
tually simple protection mechanism. Furthermore, each NTCB
Significant system engineering should be directed
toward minimizing the complexity of each NTCB partition, and
of the NTCB. Care shall be taken to exclude modules (and
components) that are not protection-critical from the NTCB.
It is recognized that some modules and/or components
may need to be included in the NTCB and must meet the NTCB
modules/components is necessary for the correct operation of
the protection-critical modules and components. However,
the number and size of these modules/components should be
kept to a minimum.
Each NTCB partition provides isolation of resources
(within its component) in accord with the network system
architecture and security policy so that "supporting ele-
ments" (e.g., DAC and user identification) for the security
mechanisms of the network system are strengthened compared
to C2, from an assurance point of view, through the provi-
As discussed in the Discretionary Access Control sec-
tion, the DAC mechanism of a NTCB partition may be imple-
mented at the interface of the reference monitor or may be
assurance requirements for the design and implementation of
the DAC shall be those of class C2 for all networks of class
C2 or above.
+ Rationale
The requirement that the NTCB be structured into
modules and meet the hardware requirements applies within
the NTCB partitions in the various components.
The principle of least privilege requires that each
user or other individual with access to the system be given
only those resources and authorizations required for the
in the system it must be enforced in every NTCB partition
that supports users or other individuals. For example,
NTCB partition (e.g., games) lessens the opportunity of dam-
age by a Trojan Horse.
The requirement for the protection of communications
between NTCB partitions is specifically directed to subjects
that are part of the NTCB partitions. Any requirements for
There are certain parts of a network (modules and/or
components) that may not appear to be directly protection-
critical in that they are not involved in access control
the identification/authentication process. However, the
of these modules and/or components. An example of this is a
involved directly in enforcing the discretionary security
ferent message streams. If the switch does not operate
correctly, data could get mixed, and unauthorized access
could result. Therefore, these modules/components must be
included in the NTCB and must meet the NTCB requirements
applicable to the policy element(s) for which they are
+ Statement from DoD 5200.28-STD
Hardware and/or software features shall be provided that can
be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB.
+ Interpretation
Implementation of the requirement is partly achieved by
and firmware elements of each component's NTCB partition.
Features shall also be provided to validate the identity and
correct operation of a component prior to its incorporation
in the network system and throughout system operation. For
example, a protocol could be designed that enables the com-
cally and validate each other's correct response. The pro-
tocol shall be able to determine the remote entity's ability
to respond. NTCB partitions shall provide the capability to
Intercomponent protocols implemented within a NTCB
tion in the case of failures of network communications or
individual components. The allocation of mandatory and dis-
cretionary access control policy in a network may require
communication between trusted subjects that are part of the
NTCB partitions in different components. This communication
is normally implemented with a protocol between the subjects
as peer entities. Incorrect access within a component shall
not result from failure of an NTCB partition to communicate
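The component validation protocol sketched in the interpretation above, as an added Python simulation (not part of the TNI and not any product's protocol): a component challenges a peer with a fresh nonce, the peer answers with a keyed MAC over the nonce, both identities and its own hardware/firmware self-test result, and a missing answer (modelled as a timeout) or a bad answer leaves the peer unvalidated, so the local NTCB partition refuses rather than permits traffic to it. The component names, the per-pair key and the message layout are this example's assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Keys shared pairwise by the NTCB partitions of two components.
# Constructed for this example.
PAIR_KEYS = {frozenset({"comp-A", "comp-B"}): b"key-shared-by-A-and-B"}


def pair_key(a: str, b: str) -> bytes:
    return PAIR_KEYS[frozenset({a, b})]


@dataclass
class Component:
    name: str
    # Outcome of the component's own periodic hardware/firmware check.
    self_test_ok: bool = True
    # Peers this partition currently treats as validated (none by default).
    validated_peers: Dict[str, bool] = field(default_factory=dict)

    def challenge(self) -> bytes:
        # Fresh random nonce per round so an old answer cannot be replayed.
        return os.urandom(16)

    def respond(self, challenger: str, nonce: bytes) -> bytes:
        """Answer a peer's challenge: status || '|' || MAC(nonce, names, status)."""
        status = b"OK" if self.self_test_ok else b"FAIL"
        msg = nonce + challenger.encode() + b"|" + self.name.encode() + b"|" + status
        tag = hmac.new(pair_key(challenger, self.name), msg, hashlib.sha256).digest()
        return status + b"|" + tag

    def validate(self, peer: str, nonce: bytes, response: Optional[bytes]) -> bool:
        """Check a response to our own challenge. None models a timeout: the
        peer could not respond in time and is therefore not validated."""
        ok = False
        if response is not None and b"|" in response:
            status, _, tag = response.partition(b"|")
            msg = nonce + self.name.encode() + b"|" + peer.encode() + b"|" + status
            expected = hmac.new(pair_key(self.name, peer), msg, hashlib.sha256).digest()
            # Both the identity proof and the reported self-test must be good.
            ok = hmac.compare_digest(tag, expected) and status == b"OK"
        self.validated_peers[peer] = ok
        return ok

    def may_forward_to(self, peer: str) -> bool:
        """A communication failure must not produce incorrect access: traffic
        to a peer that is not currently validated is refused, never allowed
        by default."""
        return self.validated_peers.get(peer, False)


def exchange(a: Component, b: Component, drop: bool = False) -> bool:
    """One round of the periodic check, with `a` validating `b`.
    drop=True simulates the peer's answer never arriving."""
    nonce = a.challenge()
    response = None if drop else b.respond(a.name, nonce)
    return a.validate(b.name, nonce, response)


if __name__ == "__main__":
    a, b = Component("comp-A"), Component("comp-B")
    print(exchange(a, b), a.may_forward_to("comp-B"))             # True True
    print(exchange(a, b, drop=True), a.may_forward_to("comp-B"))  # False False
```

In a real deployment each component would run the exchange in both directions on a schedule; what matters for the criterion is that the validated state is the only thing that opens the path, so a silent or failing peer closes it.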
+ Rationale
The first paragraph of the interpretation is a
text of a network system and partitioned NTCB as defined for
these network criteria.
NTCB protocols should be robust enough so that they
zed failure. The purpose of this protection is to preserve
the integrity of the NTCB itself. It is not unusual for one
or more components in a network to be inoperative at any
time, so it is important to minimize the effects of such
failures on the rest of the network. Additional integrity
and denial of service issues are addressed in Part II.
It should be clear that some integrity and denial of
cause denial of service to some extent. For example, it is
necessary to "trust" TELNET to correctly translate user
be "trusted" to not inappropriately modify files, and to
attempt to complete the file transfer. These protocols can
be designed, however, to exist outside the NTCB (from a pro-
tection perspective). It is beneficial to do this type of
trusted to not disclose data is minimized. Putting every-
thing inside the NTCB contradicts the requirement to perform
"significant system engineering ... directed toward ...
excluding from the TCB modules that are not protection crit-
ical," which removes the primary difference between B2 and
B3. If everything has to be in the TCB to ensure data
integrity and protection against denial of service, there
tion is maximized.
+ Statement from DoD 5200.28-STD
The system developer shall conduct a thorough search for
covert channels and make a determination (either by actual
measurement or by engineering estimation) of the maximum
bandwidth of each identified channel. (See the Covert Chan-
nels Guideline section.) FORMAL METHODS SHALL BE USED IN THE
ANALYSIS.
+ Interpretation
The requirement, including the TCSEC Covert Channel
Guideline, applies as written. In a network, there are
additional instances of covert channels associated with com-
munication between components. THE FORMAL METHODS SHALL BE
USED IN THE ANALYSIS OF EACH INDIVIDUAL COMPONENT DESIGN AND
+ Rationale
The exploitation of network protocol information (e.g.,
of frequency of transmission can result in covert timing
channels. The topic has been addressed in the literature.-
+ Statement from DoD 5200.28-STD
The TCB shall support separate operator and administrator
functions. The functions performed in the role of a secu-
administrative personnel shall only be able to perform secu-
able action to assume the security administrator role on the
ADP system. Non-security functions that can be performed in
the security administration role shall be limited strictly
_________________________
- See, for example, Girling, C. G., "Covert Channels
in LAN's," IEEE Transactions on Software Engineering,
Vol. SE-13, No. 2, February 1987; and Padlipsky, M. A.,
Snow, D. P., and Karger, P. A., Limitations of End-to-
End Encryption in Secure Computer Networks, MITRE
Technical Report, MTR-3592, Vol. I, May 1978 (ESD TR
to those essential to performing the security role effec-
tively.
+ Interpretation
This requirement applies as written to both the network
as a whole and to individual components which support such
+ Rationale
It is recognized that based on the allocated policy
elements some components may operate with no human inter-
face.
+ Statement from DoD 5200.28-STD
that, after an ADP system failure or other discontinuity,
+ Interpretation
The recovery process must be accomplished without a
tinuity of any NTCB partition. It must also be accomplished
after a failure of the entire NTCB.
+ Rationale
This is a straightforward extension of the requirement
into the network context, and takes into account that it is
continue to operate normally. This may be a security-
+ Statement from DoD 5200.28-STD
The security mechanisms of the ADP system shall be tested
and found to work as claimed in the system documentation. A
team of individuals who thoroughly understand the specific
implementation of the TCB shall subject its design documen-
tation, source code, and object code to thorough analysis and
testing. Their objectives shall be: to uncover all design
and implementation flaws that would permit a subject exter-
nal to the TCB to read, change, or delete data normally
enforced by the TCB; as well as to assure that no subject
(without authorization to do so) is able to cause the TCB to
enter a state such that it is unable to respond to communi-
cations initiated by other users. The TCB shall be found
that they have been eliminated and that new flaws have not
been introduced. Testing shall demonstrate that the TCB
implementation is consistent with the descriptive top-level
correctable implementation flaws may be found during testing
and there shall be reasonable confidence that few remain.
MANUAL OR OTHER MAPPING OF THE FTLS TO THE SOURCE CODE MAY
FORM A BASIS FOR PENETRATION TESTING. (See the Security
Testing Guidelines.)
+ Interpretation
Testing of a component will require a testbed that
exercises the interfaces and protocols of the component
including tests under exceptional conditions. The testing
of a security mechanism of the network system for meeting
this criterion shall be an integrated testing procedure
involving all components containing an NTCB partition that
implement the given mechanism. This integrated testing is
additional to any individual component tests involved in the
evaluation of the network system. The sponsor should iden-
tify the allowable set of configurations including the sizes
of the networks. Analysis or testing procedures and tools
tions. A change in configuration within the allowable set
of configurations does not require retesting.
The testing of each component will include the intro-
component that will attempt to read, change, or delete data
normally denied. If the normal interface to the component
conduct such a test, then this portion of the testing shall
use a special version of the untrusted software for the com-
The results shall be saved for test analysis. Such special
versions shall have an NTCB partition that is identical to
that for the normal configuration of the component under
evaluation.
The testing of the mandatory controls shall include
tests to demonstrate that the labels for information
imported and/or exported to/from the component accurately
the component for use as the basis for its mandatory access
control decisions. The tests shall include each type of
component.
The NTCB must be found resistant to penetration. This
applies to the NTCB as a whole, and to each NTCB partition
in a component of this class.
+ Rationale
The phrase "no subject (without authorization to do so)
is able to cause the TCB to enter a state such that it is
unable to respond to communications initiated by other
users" relates to the security services (Part II of this
TNI) for the Denial of Service problem, and to correctness
of the protocol implementations.
Testing is an important method available in this
evaluation division to gain any assurance that the security
mechanisms perform their intended function. A major purpose
of testing is to demonstrate the system's response to inputs
to the NTCB partition from untrusted (and possibly mali-
cious) subjects.
In contrast to general purpose systems that allow for
the dynamic creation of new programs and the introductions
of new processes (and hence new subjects) with user speci-
fied security properties, many network components have no
method for introducing new programs and/or processes during
their normal operation. Therefore, the programs necessary
for the testing must be introduced as special versions of
the software rather than as the result of normal inputs by
the test team. However, it must be ensured that the NTCB
evaluation.
Sensitivity labels serve a critical role in maintaining
the security of the mandatory access controls in the net-
of the labels for information communicated between com-
cit labels for single-level devices. Therefore the testing
for correct labels is highlighted.
The requirement for testing to demonstrate consistency
between the NTCB implementation and the FTLS is a straight-
forward extension of the TCSEC requirement into the context
of a network system.
+ Statement from DoD 5200.28-STD
A formal model of the security policy supported by the TCB
that is proven and demonstrated to be consistent with its
axioms. A descriptive top-level specification (DTLS) of the
TCB shall be maintained that completely and accurately
and effects. A FORMAL TOP-LEVEL SPECIFICATION (FTLS) OF THE
TCB SHALL BE MAINTAINED THAT ACCURATELY DESCRIBES THE TCB IN
TERMS OF EXCEPTIONS, ERROR MESSAGES, AND EFFECTS. THE DTLS
AND FTLS SHALL INCLUDE THOSE COMPONENTS OF THE TCB THAT ARE
ARE VISIBLE AT THE TCB INTERFACE. THE FTLS SHALL BE SHOWN
to be an accurate description of the TCB interface. A con-
vincing argument shall be given that the DTLS is consistent
TECHNIQUES SHALL BE USED TO SHOW THAT THE FTLS IS CONSISTENT
WITH THE MODEL. THIS VERIFICATION EVIDENCE SHALL BE CON-
SISTENT WITH THAT PROVIDED WITHIN THE STATE-OF-THE-ART OF
THE PARTICULAR NATIONAL COMPUTER SECURITY CENTER-ENDORSED
FORMAL SPECIFICATION AND VERIFICATION SYSTEM USED. MANUAL
OR OTHER MAPPING OF THE FTLS TO THE TCB SOURCE CODE SHALL BE
+ Interpretation
The overall network security policy expressed in this
model will provide the basis for the mandatory access con-
trol policy exercised by the NTCB over subjects and storage
objects in the entire network. The policy will also be the
basis for the discretionary access control policy exercised
by the NTCB to control access of named users to named
objects. Data integrity requirements addressing the effects
of unauthorized MSM need not be included in this model. The
overall network policy must be decomposed into policy ele-
ments that are allocated to appropriate components and used
as the basis for the security policy model for those com-
The level of abstraction of the model, and the set of
model, will be affected by the NTCB partitioning. Subjects
and objects must be represented explicitly in the model for
the partition if there is some network component whose NTCB
ble to individual network components are manifest. Global
network policy elements that are allocated to components
AN FTLS FOR A NETWORK CONSISTS OF A COMPONENT FTLS FOR
EACH UNIQUE TRUSTED NETWORK COMPONENT, PLUS ANY GLOBAL
DECLARATIONS AND ASSERTIONS THAT APPLY TO MORE THAN ONE COM-
GLOBAL MANDATORY POLICY ELEMENTS ALLOCATED TO THAT COM-
SHARED DECLARATIONS, IS THE NETWORK FTLS. EACH COMPONENT
FTLS SHALL DESCRIBE THE INTERFACE TO THE NTCB PARTITION OF
+ Rationale
The treatment of the model depends to a great extent on
the degree of integration of the communications service into
a distributed system. In a closely coupled distributed sys-
tem, one might use a model that closely resembles one
appropriate for a stand-alone computer system.
In all cases, the model of each partition will be
expected to show the role of the NTCB partition in each kind
of component. It will most likely clarify the model,
although not part of the model, to show access restrictions
implied by the system design; for example, subjects
objects containing data units at the same layer of protocol.
The allocation of subjects and objects to different proto-
col layers is a protocol design choice which need not be
THE FTLS MUST REPRESENT THE UNDERLYING REFERENCE MONI-
TOR AND ANY SUBJECTS IMPLEMENTING THE MANDATORY POLICY.
OTHER POLICY ELEMENTS DISTRIBUTED IN NTCB SUBJECTS (SEE THE
REPRESENTED BY THE FTLS.
+ Statement from DoD 5200.28-STD
During THE ENTIRE LIFE-CYCLE, I.E. DURING THE DESIGN,
DEVELOPMENT, and maintenance of the TCB, a configuration
management system shall be in place FOR ALL SECURITY-
RELEVANT HARDWARE, FIRMWARE, AND SOFTWARE that maintains
control of changes to THE FORMAL MODEL, the descriptive AND
FORMAL top-level SPECIFICATIONS, other design data, imple-
mentation documentation, source code, the running version of
the object code, and test fixtures and documentation. The
configuration management system shall assure a consistent
mapping among all documentation and code associated with the
current version of the TCB. Tools shall be provided for
Also available shall be tools, MAINTAINED UNDER STRICT CON-
FIGURATION CONTROL, for comparing a newly generated version
only the intended changes have been made in the code that
BINATION OF TECHNICAL, PHYSICAL, AND PROCEDURAL SAFEGUARDS
SHALL BE USED TO PROTECT FROM UNAUTHORIZED MODIFICATION OR
DESTRUCTION THE MASTER COPY OR COPIES OF ALL MATERIAL USED
TO GENERATE THE TCB.
+ Interpretation
The requirement applies as written, with the following
extensions:
for each NTCB partition.
entire system. If the configuration management sys-
tem is made up of the conglomeration of the confi-
guration management systems of the various NTCB par-
titions, then the configuration management plan must
address the issue of how configuration control is
applied to the system as a whole.
ALL MATERIAL USED IN GENERATING A NEW VERSION OF THE
NTCB AND EACH NTCB PARTITION MUST BE PROTECTED, REGARDLESS
OF WHERE IT PHYSICALLY RESIDES.
+ Rationale
Each NTCB partition must have a configuration manage-
ment system in place, or else there will be no way for the
NTCB as a whole to have an effective configuration manage-
ment system. The other extensions are merely reflections of
the way that networks operate in practice.
THIS NEW REQUIREMENT EXPLICITLY MANDATES THE PROTECTION
OF MATERIAL USED TO GENERATE AN NTCB PARTITION, EVEN WHEN
THE GENERATION OCCURS BY DOWN-LINE LOADING OF A REMOTE COM-
+ Statement from DoD 5200.28-STD
A TRUSTED ADP SYSTEM CONTROL AND DISTRIBUTION FACILITY SHALL
BE PROVIDED FOR MAINTAINING THE INTEGRITY OF THE MAPPING
BETWEEN THE MASTER DATA DESCRIBING THE CURRENT VERSION OF
THE TCB AND THE ON-SITE MASTER COPY OF THE CODE FOR THE
CURRENT VERSION. PROCEDURES (E.G., SITE SECURITY ACCEPTANCE
TESTING) SHALL EXIST FOR ASSURING THAT THE TCB SOFTWARE,
FIRMWARE, AND HARDWARE UPDATES DISTRIBUTED TO A CUSTOMER ARE
EXACTLY AS SPECIFIED BY THE MASTER COPIES.
+ Interpretation
THIS REQUIREMENT APPLIES AS STATED, WITH THE ADDITIONAL
REQUIREMENT THAT, IF DOWN-LINE LOADING IS USED, THERE MUST
BE A TRUSTED METHOD OF GENERATING, SENDING, AND LOADING ANY
SOFTWARE INVOLVED.
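The two comparison tools asked for above (one that checks a
newly generated version against the previous version so that
only the intended changes have been made, and the site
acceptance check that an update distributed to a customer is
exactly as specified by the master copies) can both be built
on a manifest of file hashes. The following is an added
example written for this page, not a tool from the TNI or
from any evaluated product; the file trees are constructed
in-memory dictionaries, and the change request is a
constructed set of paths.

```python
"""Manifest-based version comparison and distribution check.

Added example for the configuration-management and trusted-distribution
interpretations above; not part of the TNI or of any evaluated product.
The "file trees" are constructed in-memory dictionaries (path -> bytes);
a real tool would walk the source or object tree on disk instead.
"""
import hashlib
from typing import Dict, Set

Manifest = Dict[str, str]  # path -> hex SHA-256 of the file contents


def build_manifest(tree: Dict[str, bytes]) -> Manifest:
    """Hash every file so that one table describes the whole version."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def diff_manifests(old: Manifest, new: Manifest) -> Dict[str, Set[str]]:
    """Classify every path as added, removed, modified or unchanged."""
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    return {
        "added": new_paths - old_paths,
        "removed": old_paths - new_paths,
        "modified": {p for p in common if old[p] != new[p]},
        "unchanged": {p for p in common if old[p] == new[p]},
    }


def unintended_changes(diff: Dict[str, Set[str]], intended: Set[str]) -> Set[str]:
    """Paths that changed but were not on the change request.

    Anything returned here must be explained before the new version is
    accepted: the point of the tool is to ascertain that only the intended
    changes have been made in the code.
    """
    changed = diff["added"] | diff["removed"] | diff["modified"]
    return changed - intended


def verify_distribution(received: Dict[str, bytes], master: Manifest) -> Dict[str, Set[str]]:
    """Site acceptance check: every deviation of the delivered copy from the master."""
    diff = diff_manifests(master, build_manifest(received))
    return {k: v for k, v in diff.items() if k != "unchanged"}


def distribution_is_exact(received: Dict[str, bytes], master: Manifest) -> bool:
    return not any(verify_distribution(received, master).values())


# Constructed sample versions (not taken from any real product).
VERSION_1 = {
    "kernel/refmon.c": b"int check_access(subj, obj) { return dominates(subj, obj); }\n",
    "kernel/audit.c": b"void audit(ev) { write_log(ev); }\n",
    "doc/dtls.txt": b"DTLS v1\n",
}
VERSION_2 = {
    "kernel/refmon.c": b"int check_access(subj, obj) { return dominates(subj, obj); }\n",
    "kernel/audit.c": b"void audit(ev) { write_log(ev); flush_log(); }\n",  # intended fix
    "doc/dtls.txt": b"DTLS v2\n",                                           # intended update
    "kernel/debug_hook.c": b"void hook(void) { /* not on the change request */ }\n",
}
INTENDED = {"kernel/audit.c", "doc/dtls.txt"}


def demo():
    """Returns (unintended paths, exact copy accepted?, altered copy accepted?)."""
    m1, m2 = build_manifest(VERSION_1), build_manifest(VERSION_2)
    unexpected = unintended_changes(diff_manifests(m1, m2), INTENDED)
    altered = dict(VERSION_2)  # a delivered copy that differs from the master
    altered["kernel/refmon.c"] = VERSION_2["kernel/refmon.c"] + b"/* altered in transit */\n"
    return unexpected, distribution_is_exact(VERSION_2, m2), distribution_is_exact(altered, m2)


if __name__ == "__main__":
    print(demo())
```

In use, the master manifest would itself be produced inside
the control and distribution facility and protected (for
instance, signed) so that the comparison cannot be defeated
by substituting a manifest along with the code; the example
leaves that key management out.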
+ Rationale
THIS IS A STRAIGHTFORWARD EXTENSION OF THE REQUIREMENT
+ Statement from DoD 5200.28-STD
A single summary, chapter, or manual in user documentation
TCB, interpretations on their use, and how they interact
+ Interpretation
This user documentation describes user visible protec-
tion mechanisms at the global (network system) level and at
the user interface of each component, and the interaction
among these.
+ Rationale
The interpretation is an extension of the requirement
into the context of a network system as defined for these
network criteria. Documentation of protection mechanisms
teria for trusted computer systems that are applied as
appropriate for the individual components.
+ Statement from DoD 5200.28-STD
A manual addressed to the ADP system administrator shall
be controlled when running a secure facility. The procedures
for examining and maintaining the audit files as well as the
administrator functions related to security, to include
changing the security characteristics of a user. It shall
of the protection features of the system, how they interact,
to operate the facility in a secure manner. The TCB modules
that contain the reference validation mechanism shall be
identified. The procedures for secure generation of a new
TCB from source after modification of any modules in the TCB
ensure that the system is initially started in a secure
manner. Procedures shall also be included to resume secure
+ Interpretation
This manual shall contain specifications and procedures
to assist the system administrator(s) maintain cognizance of
the network configuration. These specifications and pro-
cedures shall address the following:
network;
leave the network (e.g., by crashing, or by being
disconnected) and then rejoin;
security of the network system; (For example, the
manual should describe for the network system
administrator the interconnections among components
that are consistent with the overall network system
architecture.)
(e.g., down-line loading).
indicate which components of the network may change
without others also changing.
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
The components of the network that form the NTCB must
be identified. Furthermore, the modules within an NTCB par-
tition that contain the reference validation mechanism (if
any) within that partition must be identified.
The procedures for the secure generation of a new ver-
Procedures for starting each NTCB partition in a secure
to resume secure operation of each NTCB partition and/or the
NTCB after any lapse in system or subsystem operation.
+ Rationale
There may be multiple system administrators with
other forms of security in order to achieve security of the
network. Additional forms include administrative security,
Extension of this criterion to cover configuration
aspects of the network is needed because, for example,
to achieve a correct realization of the network architec-
ture.
As mentioned in the section on Label Integrity, cryp-
tography is one common mechanism employed to protect communi-
cation circuits. Encryption transforms the representation
of information so that it is unintelligible to unauthorized
of the ciphertext is generally lower than the cleartext. If
encryption methodologies are employed, they shall be
approved by the National Security Agency (NSA).
The encryption algorithm and its implementation are
outside the scope of these interpretations. This algorithm
and implementation may be implemented in a separate device
or may be a function of a subject in a component not dedi-
cated to encryption. Without prejudice, either implementa-
tion packaging is referred to as an encryption mechanism
The requirements for descriptions of NTCB generation
and identification of modules and components that form the
NTCB are straightforward extensions of the TCSEC require-
ments into the network context. In those cases where the
vendor does not provide source code, an acceptable procedure
tion.
Given the nature of network systems (e.g., various com-
is imperative to know both how to securely start up an NTCB
necessary to know how to resume secure operation of the NTCB
after any partition has been down.
+ Statement from DoD 5200.28-STD
The system developer shall provide to the evaluators a docu-
ment that describes the test plan, test procedures that show
SOURCE CODE SHALL BE GIVEN.
+ Interpretation
The "system developer" is interpreted as "the network
establish the context in which the testing was or should be
conducted. The description should identify any additional
test components that are not part of the system being
evaluated. This includes a description of the test-relevant
functions of such test components and a description of the
interfacing of those test components to the system being
evaluated. The description of the test plan should also
configuration and sizing.
THE MAPPING BETWEEN THE FTLS AND THE NTCB SOURCE CODE
MUST BE CHECKED TO ENSURE TO THE EXTENT POSSIBLE THAT THE
FTLS IS A CORRECT REPRESENTATION OF THE SOURCE CODE, AND
THAT THE FTLS HAS BEEN STRICTLY ADHERED TO DURING THE DESIGN
AND DEVELOPMENT OF THE NETWORK SYSTEM. THIS CHECK MUST BE
DONE FOR EACH COMPONENT OF THE NETWORK SYSTEM FOR WHICH AN
FTLS EXISTS.
+ Rationale
The entity being evaluated may be a networking subsys-
tem (see Appendix A) to which other components must be added
to make a complete network system. In that case, this
interpretation is extended to include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
The bandwidths of covert channels are used to determine
the suitability of a network system for a given environment.
The effectiveness of the methods used to reduce these
bandwidths must therefore be accurately determined.
+ Statement from DoD 5200.28-STD
Documentation shall be available that provides a description
of the manufacturer's philosophy of protection and an expla-
nation of how this philosophy is translated into the TCB.
The interfaces between the TCB modules shall be described.
A formal description of the security policy model enforced
by the TCB shall be available and an explanation provided to
The specific TCB protection mechanisms shall be identified
and an explanation given to show that they satisfy the
model. The descriptive top-level specification (DTLS) shall
be shown to be an accurate description of the TCB interface.
Documentation shall describe how the TCB implements the
tamper resistant, cannot be bypassed, and is correctly
implemented. The TCB implementation (i.e., in hardware,
firmware, and software) shall be informally shown to be con-
elements of the FTLS shall be shown, using informal tech-
niques, to correspond to the elements of the TCB. Documen-
tation shall describe how the TCB is structured to facili-
tate testing and to enforce least privilege. This documen-
tation shall also present the results of the covert channel
analysis and the tradeoffs involved in restricting the chan-
nels. All auditable events that may be used in the exploi-
tation of known covert storage channels shall be identified.
The bandwidths of known covert storage channels, the use of
HARDWARE, FIRMWARE, AND SOFTWARE MECHANISMS NOT DEALT WITH
REGISTERS, DIRECT MEMORY ACCESS I/O) SHALL BE CLEARLY
DESCRIBED.
+ Interpretation
Explanation of how the sponsor's philosophy of protec-
tion is translated into the NTCB shall include a description
of how the NTCB is partitioned. The security policy also
the NTCB modules shall include the interface(s) between NTCB
exist. The sponsor shall describe the security architecture
and design, including the allocation of security require-
ments among components.
The documentation includes both a system description
and a set of component DTLS's. The system description
addresses the network security architecture and design by
ones are trusted, and in what way they must cooperate to
be provided for each trusted network component, i.e., each
component containing an NTCB partition. Each component DTLS
component. Both the system description and each component
DTLS shall be shown consistent with those assertions in the
model that apply to it. Appendix A addresses component
evaluation issues.
To show the correspondence between the FTLS and the
NTCB implementation, it suffices to show correspondence
between each component FTLS and the NTCB partition in that
component.
As stated in the introduction to Division B, the spon-
monitor concept. The security policy model must be a model
for a reference monitor.
The security policy model for each partition implement-
ing a reference monitor shall fully represent the access
control policy supported by the partition, including the
and/or integrity. For the mandatory policy the single domi-
nance relation for sensitivity labels, including secrecy
and/or integrity components, shall be precisely defined.
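A precisely defined dominance relation over labels with
secrecy and integrity components, together with the label
import/export test called for under Security Testing, can be
written down directly. The following is an added example
for this page, not a specification from the TNI or from any
evaluated product: the level numbers, the category names and
the "S<level>:<categories>|I<level>" wire encoding are all
constructed for the example.

```python
"""Sensitivity labels with secrecy and integrity components, the dominance
relation on them, and the import/export label test.

Added example for the label-testing interpretation under Security Testing
and the dominance-relation requirement under Design Documentation; not a
specification from the TNI. Levels, categories and the wire encoding are
constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Constructed lattices: higher secrecy is more sensitive, higher integrity
# is more trustworthy (Biba). Only these values are accepted on import.
SECRECY_LEVELS = {0, 1, 2, 3}    # e.g. U, C, S, TS
INTEGRITY_LEVELS = {0, 1, 2}     # e.g. untrusted, user, system


@dataclass(frozen=True)
class Label:
    secrecy: int
    categories: FrozenSet[str]
    integrity: int


def dominates(a: Label, b: Label) -> bool:
    """True if information labelled b may flow to something labelled a.

    Secrecy: a must be at least as high as b and hold every category of b.
    Integrity: flow is allowed only downward, so a must not be higher than b.
    """
    return (a.secrecy >= b.secrecy
            and a.categories >= b.categories
            and a.integrity <= b.integrity)


def export_label(lbl: Label) -> str:
    """Encode a label for transmission to another component."""
    return f"S{lbl.secrecy}:{','.join(sorted(lbl.categories))}|I{lbl.integrity}"


def import_label(text: str) -> Label:
    """Parse a received label, rejecting anything outside the defined lattice."""
    try:
        sec_part, int_part = text.split("|")
        if sec_part[0] != "S" or int_part[0] != "I":
            raise ValueError
        level, _, cats = sec_part[1:].partition(":")
        secrecy, integrity = int(level), int(int_part[1:])
    except (ValueError, IndexError):
        raise ValueError(f"malformed label: {text!r}")
    if secrecy not in SECRECY_LEVELS or integrity not in INTEGRITY_LEVELS:
        raise ValueError(f"label outside defined lattice: {text!r}")
    return Label(secrecy, frozenset(c for c in cats.split(",") if c), integrity)


def import_is_valid(text: str) -> bool:
    try:
        import_label(text)
        return True
    except ValueError:
        return False


def round_trip_preserves_decisions(labels: Iterable[Label]) -> bool:
    """The label test: after export and re-import on the peer component, every
    mandatory access decision must come out as on the originating component."""
    ls = list(labels)
    for a in ls:
        for b in ls:
            a2, b2 = import_label(export_label(a)), import_label(export_label(b))
            if (a2, b2) != (a, b) or dominates(a2, b2) != dominates(a, b):
                return False
    return True


def is_partial_order(labels: Iterable[Label]) -> bool:
    """Reflexive, antisymmetric and transitive on the sample: the single
    dominance relation really is an order, not an ad hoc comparison."""
    ls = list(labels)
    for a in ls:
        if not dominates(a, a):
            return False
        for b in ls:
            if a != b and dominates(a, b) and dominates(b, a):
                return False
            for c in ls:
                if dominates(a, b) and dominates(b, c) and not dominates(a, c):
                    return False
    return True


# Constructed sample labels; no real classification markings are implied.
UNCLASS_SYSTEM = Label(0, frozenset(), 2)
SECRET_CRYPTO = Label(2, frozenset({"CRYPTO"}), 1)
SECRET_NUCLEAR = Label(2, frozenset({"NUCLEAR"}), 0)
TS_CRYPTO_NUCLEAR = Label(3, frozenset({"CRYPTO", "NUCLEAR"}), 1)
SAMPLE = [UNCLASS_SYSTEM, SECRET_CRYPTO, SECRET_NUCLEAR, TS_CRYPTO_NUCLEAR]

if __name__ == "__main__":
    print(export_label(TS_CRYPTO_NUCLEAR))
    print(round_trip_preserves_decisions(SAMPLE), is_partial_order(SAMPLE))
```

Note that TS_CRYPTO_NUCLEAR does not dominate SECRET_NUCLEAR
even though its secrecy is higher: the integrity component
forbids the flow, which is exactly the kind of decision the
round-trip test must show is unchanged after a label crosses
a component boundary.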
+ Rationale
The interpretation is a straightforward extension of
the requirement into the context of a network system as
tion, such as description of components and description of
operating environment(s) in which the networking subsystem
or network system is designed to function, is required else-
In order to be evaluated, a network must possess a
coherent Network Security Architecture and Design. (Inter-
connection of components that do not adhere to such a single
coherent Network Security Architecture is addressed in the
Security Architecture must address the security-relevant
Design specifies the interfaces and services that must be
incorporated into the network so that it can be evaluated as
a trusted entity. There may be multiple designs that con-
form to the same architecture but are more or less incompa-
tible and non-interoperable (except through the Interconnec-
tion Rules). Security related mechanisms requiring coopera-
tion among components are specified in the design in terms
of their visible interfaces; mechanisms having no visible
interfaces are not specified in this document but are left
as implementation decisions.
The Network Security Architecture and Design must be
available from the network sponsor before evaluation of the
network, or any component, can be undertaken. The Network
Security Architecture and Design must be sufficiently com-
the construction or assembly of a trusted network based on
the structure it specifies.
When a component is being designed or presented for
evaluation, or when a network assembled from components is
assembled or presented for evaluation, there must be a
Design are satisfied. That is, the components can be assem-
bled into a network that conforms in every way with the Net-
tion indicates.
In order for a trusted network to be constructed from
components that can be built independently, the Network
Security Architecture and Design must completely and
unambiguously define the security functionality of com-
be evaluated to determine that a network constructed to its
evaluatable under these interpretations.
The term "model" is used in several different ways in a
network context, e.g., a "protocol reference model," a "for-
mal network model," etc. Only the "security policy model" is
addressed by this requirement and is specifically intended
to model the interface, viz., "security perimeter," of the
in the TCSEC. It must be shown that all parts of the TCB
are a valid interpretation of the security policy model,
i.e., that there is no change to the secure state except as
Part II: Other Security Services
Part I of this Interpretation contains interpretations
of the Department of Defense Trusted Computer System Evalua-
tion Criteria (TCSEC), DOD 5200.28-STD. Part I deals with
controlling access to information. Part II contains addi-
tional network security concerns. These concerns differen-
tiate the network environment from the stand-alone computer.
Some concerns take on increased significance in the network
environment; other concerns do not exist on stand-alone com-
analysis underlying Part I. The criteria in this Part II
address these concerns in the form of additional security
between Part I and Part II is minimized as much as possible.
However, when an overlap occurs the association between the
concerns addressed in both parts is defined. Part II ser-
vices may be provided by mechanisms outside the NTCB.
This Part II addresses network security disjoint from
as a basis for the Part II evaluation. Part II includes
teria. As described below, Part II evaluations differ from
ever: to provide guidance to network managers and accredi-
tors as to the reliance they can place in security services.
These evaluations are input to the accreditor's decisions
concerning the operational mode and range of sensitive
information entrusted to the network.
The network sponsor shall identify the security ser-
vices offered by his system or component(s). Those services
The general form of Part II criteria is a relatively
brief statement, followed by a discussion of functionality,
Functionality refers to the objective and approach of a
formance. Alternative approaches to achieving the desired
functionality may be more suitable in different applications
environments.
Strength of mechanism refers to how well a specific
approach may be expected to achieve its objectives. In some
cases selection of parameters, such as number of bits used
in a checksum or the number of permutations used in an
encryption algorithm, can significantly affect strength of
mechanism.
Assurance refers to a basis for believing that the
functionality will be achieved; it includes tamper resis-
tance, verifiability, and resistance against circumvention
or bypass. Assurance is generally based on analysis involv-
ing theory, testing, software engineering, validation and
verification, and related approaches. The analysis may be
formal or informal, theoretical or applied.
For example, consider communications integrity protec-
tion against message stream modification. A functionality
correction; also one may select whether it is sufficient to
fied duration, or a specified probability of an undetected
error. Available mechanisms include parity, longitudinal
cryptographic checkfunction. The strength of the CRC is
measured in the probability of an undetected error; this is
There is no assurance of security associated with any of the
mentioned mechanisms except cryptographic checkfunction.
The algorithms are well known; an adversary could change
message contents and recalculate the non-cryptographic
checkfunction. The recipient would calculate the checkfunc-
tion and not discover that the message had been manipulated.
A cryptographic checkfunction would be resistant to such
manipulation.
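The difference between the mechanisms just described can be
shown on a single frame. The following is an added example
for this page, not code from the TNI: the frame format (body
followed by tag), the message and the key are constructed,
CRC-32 and a one-byte longitudinal parity stand in for the
"well known" non-cryptographic checkfunctions, and HMAC with
SHA-256 stands in for the cryptographic checkfunction (the
TNI names no particular algorithm).

```python
"""Non-cryptographic versus cryptographic checkfunctions on a message.

Added example for the communications-integrity discussion above; not code
from the TNI. Frame format, message and key are constructed. CRC-32 and a
longitudinal parity byte stand in for the non-cryptographic checkfunctions,
HMAC-SHA-256 for the cryptographic one.
"""
import hashlib
import hmac
import zlib
from typing import Callable, Dict

TagFn = Callable[[bytes], bytes]


def crc32_tag(body: bytes) -> bytes:
    """CRC-32: misses a random error with probability about 2**-32,
    but anyone can recompute it, so it gives no protection against intent."""
    return zlib.crc32(body).to_bytes(4, "big")


def lrc_tag(body: bytes) -> bytes:
    """Longitudinal redundancy check: XOR of all bytes, one parity byte."""
    acc = 0
    for b in body:
        acc ^= b
    return bytes([acc])


def hmac_tag(key: bytes) -> TagFn:
    """Keyed cryptographic checkfunction; only holders of the key compute it."""
    return lambda body: hmac.new(key, body, hashlib.sha256).digest()


def protect(body: bytes, tag: TagFn) -> bytes:
    """Sender side: append the tag to the body."""
    return body + tag(body)


def verify(frame: bytes, tag: TagFn, tag_len: int) -> bool:
    """Recipient side: recompute over the received body, compare in constant time."""
    body, received = frame[:-tag_len], frame[-tag_len:]
    return hmac.compare_digest(tag(body), received)


def modification_detected(new_body: bytes, adversary_tag: TagFn,
                          tag: TagFn, tag_len: int) -> bool:
    """Message stream modification as the text describes it: the body is
    replaced and the tag recomputed with whatever function is available to
    the modifier (the public CRC/LRC, or an HMAC under a key that is not the
    real one). Returns True if the recipient rejects the altered frame."""
    altered = protect(new_body, adversary_tag)
    return not verify(altered, tag, tag_len)


KEY = b"constructed-demo-key"          # shared only by the legitimate endpoints
ORIGINAL = b"TRANSFER 100 TO ACCT 42"  # constructed message
ALTERED = b"TRANSFER 900 TO ACCT 42"


def demo() -> Dict[str, bool]:
    """Which mechanisms detect the altered body?"""
    mac = hmac_tag(KEY)
    return {
        "genuine": verify(protect(ORIGINAL, mac), mac, 32),
        "lrc": modification_detected(ALTERED, lrc_tag, lrc_tag, 1),
        "crc32": modification_detected(ALTERED, crc32_tag, crc32_tag, 4),
        "hmac": modification_detected(ALTERED, hmac_tag(b"wrong-key"), mac, 32),
    }


if __name__ == "__main__":
    print(demo())
```

The two non-cryptographic mechanisms accept the altered frame
because their strength is only a probability of missing an
accidental error; the keyed checkfunction rejects it because
the modifier cannot produce a valid tag without the key.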
Part II evaluations are qualitative, as compared with
the hierarchically-ordered ratings (e.g., C1, C2, ...)
fair, and good. Services not offered by the sponsor will be
assigned a rating of not offered. For some services it will
be most meaningful to assign a rating of none or present.
The term none is used when the security service is not
offered. In some cases the functionality evaluations may be
limited to present or none.
The assurance rating for each service is bounded by the
integrity of the service depends on the protection of the
NTCB. Table II-1 relates the Part II assurance rating to
the minimum corresponding Part I evaluation ratings.
These Part II evaluations tend to be more qualitative
and subjective, and will exhibit greater variance than the
valuable information concerning the capabilities of the
evaluated systems and their suitability for specific appli-
cations environments. If functionality, strength of mechan-
ism, and assurance are separately evaluated then a term may
be applied to each. In some cases the strength of mechanism
may be expressed quantitatively as a natural consequence of
the technology (e.g., the number of bits in a CRC, the par-
ticular function employed); this quantitative measure of
The Part II evaluations may also be expected to exhibit
a greater sensitivity to technological advances than the
vices as compared to the theoretical foundation of Part I.
Research advances may help change this situation. As the
tions may also be expected to increase. Therefore, a rating
may become dated and may change upon reevaluation.
In general, mechanisms that only protect against
accidents and malfunctions cannot achieve an evaluation of
vide protection against deliberate attacks in order to
obtain at least a good evaluation.
The summary report of a network product will contain
the rating reflecting the Part I evaluation plus a paired
list of Part II services and the evaluation for each. For
example, network product XYZ might be rated as follows: [B2,
offered, security service-3: none, ... ,security service-n:
(functionality: good, strength of mechanism: fair,
assurance: good)]. In some cases where the security service
is addressed outside this document (e.g., COMSEC), the
evaluation from the external source may be reflected in the
evaluation report. In such cases, the terms used will
An effort is underway to extend the ISO Open System
appropriately in the circumstances for which protection of
communications between open systems is required." - Fami-
liarity with OSI terminology is assumed in this discussion.
The scope of this security addendum "provides a general
_________________________
- ISO 7498/Part 2 - Security Architecture, ISO / TC
the positions within the Reference Model where the services
and mechanisms may be provided."
There is considerable overlap between the OSI Security
Addendum and Part II. At the time of writing, the OSI docu-
ment is evolving, making it difficult to exactly define the
to be modified in the future.
Some of the security services identified in the OSI
Security Addendum are covered by Part I of this Interpreta-
tion; others are addressed in Part II. The emphasis is on
making sure that all services are covered. The distinction
between the security service and the mechanism that imple-
ments the service is less strong in this Interpretation than
in the OSI Security Addendum. The OSI Addendum generally
addresses Functionality, occasionally addresses Strength of
Mechanism, and rarely addresses Assurance, while in this
factor.
The scope of the OSI Security Addendum is limited: "OSI
Security is not concerned with security measures needed in
end systems, installations and organizations except where
these have implications on the choice and position of secu-
tation include OSI concerns as a proper subset.
The enumeration of security services in Part II is
choose to employ in a specific network for a specific
environment. But not all security services will be equally
important in a specific environment, nor will their relative
importance be the same among different environments. The
network management has to decide whether the rating achieved
by a network product for a specific criterion is satisfac-
tory for the application environment.
As an abstract example, consider the network product
minimum, security service-2: not offered, ... ]. The
management of network K may decide that they do not require
affect the acceptability of the XYZ product; however, the
management of network Q may decide that security service-2
is essential, so the absence of this service disqualifies
than good is unacceptable, thereby disqualifying product
As a more concrete example, consider an application
environment where wire-tapping is not a threat, such as
aboard an airplane or in an underground bunker. A Local
Area Network (LAN) in such an environment can be physically
tion because the system exists within a protected perimeter.
and access control based on labels provide sufficient pro-
tection if sufficient mechanisms exist to protect the
integrity of the labels. Cryptographic mechanisms are
environment involves passage through unprotected space,
management may decide that a LAN must provide integrity pro-
tection employing a cryptographic mechanism.
This section addresses assurance approaches applicable
to many security services.
The logic of the protocols and the implementation of
countermeasures may be shown correct and effective by formal
methods where possible (i.e., where tools exist) and infor-
mal ones otherwise.
To provide assurance that the security service can
methods of real and simulated testing can be applied,
including:
1. Functional testing
2. Periodic testing
3. Penetration testing
4. Stress testing
5. Protocol testing for deadlock, liveness, and other
security properties of the protocol suites
In addition, the trusted computer base provides an exe-
cution environment that is extremely valuable in enhancing
the assurance of a variety of security services. The dis-
cretionary and mandatory access controls can be employed in
the design and implementation of these services to segregate
unrelated services. Thus, service implementation that is
complex and error-prone or obtained from an unevaluated sup-
TCB ensures that the basic protection of the security and
integrity of the information entrusted to the network is
not diluted by various supporting security services identi-
fied in this Part II. See also the discussion of Integrity
in the Supportive Primitives section.
In general, assurance may be provided by implementing
these features in a limited set of subjects in each applica-
ble NTCB partition whose code and data have a unique manda-
tory integrity level to protect against circumvention and
tampering.
_________________________
- See, for example, Biba, K.J., "Integrity Considera-
tion for Secure Computer Systems," ESD-TR-76-372, MTR-
Assurance of trustworthiness of the design and imple-
mentation of Part II mechanisms may be related to the
assurance requirements in Part I. The following factors are
identified as contributing to an assurance evaluation: ser-
vice design and implementation, service testing, design
and distribution.
An evaluation rating of fair indicates that the imple-
mentation of the service employs the provisions of the TCB
for a distinct address space. In addition, the implementa-
tion of the service is internally structured into well-
available hardware to separate those elements that are
is designed such that the principle of least privilege is
enforced; and the user interface is completely defined and
all elements relevant to the service are identified.
An evaluation rating of good indicates that the ser-
vice, in addition, incorporates significant use of layering,
abstraction and data hiding; and employs significant system
engineering directed toward minimizing complexity and
With respect to security testing, an evaluation of
minimum indicates that the service was tested and found to
unauthorized user to bypass or otherwise defeat the security
constraints and objectives; and that testing included a
improper modification of data used by the service, either by
external software or by errors in the implementation of the
An evaluation rating of fair indicates that, in addi-
tion to the minimum factors, a team of individuals who
thoroughly understand the specific implementation subjected
its design documentation, source code, and object code to
thorough analysis and testing with the objectives of uncover-
ing all design and implementation flaws that would permit a
the purpose of the service. A fair evaluation indicates
that all discovered flaws were removed or neutralized and
the system retested to demonstrate that they have been elim-
inated and that new flaws have not been introduced. Testing
An evaluation rating of good indicates that, in addi-
tion to the fair factors, the system is more resistant to
a few correctable implementation flaws were found during
testing and there is reasonable confidence that few remain.
Manual or other mapping of the specifications to the source
code may form a basis for testing.
Design Specification and Verification Factors
With respect to design specification and verification,
an evaluation rating of minimum indicates that an informal
model of the properties of the service is maintained over
the life cycle of the system. Additional requirements for
an evaluation rating of fair have not been defined.
An evaluation rating of good indicates that, in addi-
tion, a formal model of the properties of the service is
maintained over the life cycle of the system and demon-
maintained that completely and accurately describes it in
terms of exceptions, error messages, and effects.
Configuration Management Factors
With respect to configuration management, an evaluation
maintenance of the service, a configuration management sys-
tem was in place that maintained control of changes to
tion, source code, the running version of the object code,
test fixtures, test code, and documentation.
An evaluation rating of fair indicates that, in addi-
tion, the configuration management system assures a con-
newly generated version with the previous version in order
to ascertain that only the intended changes have been made
in the code.
An evaluation rating of good indicates that, in addi-
tion, configuration management covers the entire life-
cycle; that it applies to all firmware, and hardware that
unauthorized modification or destruction the master copy or
copies of all material used to generate the implementation
of the service.
Distribution Factors
There are currently no requirements for minimum and
fair evaluation ratings.
With respect to distribution, an evaluation rating of
between the master data describing the current version of
the service and the master copy of the code for the current
version. Procedures (e.g., site security acceptance test-
ing) shall exist for assuring that the software, firmware,
and hardware updates distributed are exactly as specified by
the master copies.
Supportive Primitives
This subsection describes mechanisms and assurance
techniques that apply across multiple security services.
They are grouped together here for convenience and are
Encryption is a pervasive mechanism for many security
The information in this Section 7 is provided as background
and support for the services addressed in Section 8.
The Encryption Mechanism
Functionality Factors
Encryption is a tool for protecting data from comprom-
ise or modification attacks. Through its use, release of
message content and traffic analysis can be prevented; mes-
and masquerading can be detected. For example, an ISO docu-
ment-, describing the use of encipherment techniques in com-
munications architectures, has been published as a U.S.
member body contribution for consideration as cryptographic
environment. Encryption is probably the most important and
threat; sometimes it is even confused with being a service.
Use of the encryption mechanism leads to a requirement
for key management (e.g., manually or in the form of key
Strength of Mechanism Factors
The strength of a cryptographic cipher is determined by
mathematical and statistical analysis; the results are typi-
cally expressed in the workfunction required for unauthor-
ized decryption. In many cases this analysis is classified;
the results are available only as a statement of the highest
level of classified data which may be protected by use of
the mechanism.
When encryption is used in networks, it may be combined
logic, and the adequacy of implementation, are primary fac-
tors in assessing the strength of Data Confidentiality using
_________________________
- Addendum to the Transport Layer Protocol Definition
for Providing Connection Oriented End-to-End Crypto-
cryptography techniques. Algorithms are characterized by
the National Security Agency on a pass/fail basis in terms
of the sensitivity of the information which the encryption
algorithm is approved to protect.
Assurance Factors
The analysis of encryption techniques is quite dif-
ferent from the formal specification and verification tech-
nology employed as the basis of trust in the TCSEC. Much of
this analysis is classified. Consequently, assurance of
encryption techniques will be provided by the National Secu-
be given.
Protocols
Functionality Factors
Protocols are a set of rules and formats (semantic and
entities in a network. Their design and implementation is
crucial to the correct, efficient, and effective transfer of
information among network systems and sub-systems.
Many network security services are implemented with the
tocol result in failures and deficiencies in the security
One class of design, or logical, deficiencies in proto-
cols is those having some form of denial of service as a
consequence. This class includes deadlocks, livelocks,
unspecified receptions, lack of liveness, and non-executable
interactions. A protocol with one of these design flaws can
cease to function under circumstances that can occur during
normal operation but which were not anticipated by the
Another class of design concern is typical of proto-
cols that must work despite various kinds of random
interference or communication difficulties, such as noise,
message loss, and message reordering. It should be noted
that most networks are designed in a layered fashion, in
that if one layer provides protection from certain types of
communication difficulties, higher layers need not address
those problems in their design.
A third class of design deficiency might occur in pro-
tocols that are expected to work in the presence of mali-
cious interference, such as active wiretapping. Such proto-
cols should have countermeasures against Message Stream
Modification (MSM) attacks.
Strength of Mechanism Factors
Protocol deficiencies may lie either in their design or
their implementation. By an implementation deficiency is
meant a lack of correspondence between a protocol specifica-
tion and its implementation in software.
Assurance Factors
Assurances of implementation correctness may be
addressed by techniques such as design specification and
verification, and testing.
Ideally, all of the network protocol functions would be
verified to operate correctly. However, verification of
large amounts of code is prohibitively expensive (if not
impossible) at the current state-of-the-art, so the code to
be verified must be kept to an absolute minimum. It seems
feasible to split up a complex protocol (e.g., the TCP) into
trusted portions (i.e., the software that performs
other software) so that only the security-related portions
must be shown to meet the requirements of Part I. However,
there is a general concern about the extent to which trusted
untrusted portions.
Methods for assuring the design correctness of proto-
cols involve the use of tools and techniques specially
oriented toward the kinds of problems peculiar to protocols.
Either formal methods, or testing, or both, may be used.
Some assurance in design correctness may be obtained
model or technique found in the literature if it is known to
address the kinds of problems likely to arise. This
assurance is lessened to the extent that the actual protocol
Formal Methods
Formal techniques of protocol definition and validation
actual protocols to verify the absence of deadlocks,
livelocks, and incompleteness for design verification. When
the state-of-the-art of formal tools is inadequate, or when
the sponsor decides not to employ formal tools, informal
methods may be used. The evaluation of protocol specifica-
tion and verification should indicate which assurance tools
Formal methods for protocol specification and verifica-
tion are typically based on a finite-state machine concept,
extended in one of various ways to represent the concurrency
and communication properties characteristic of networks.
Communicating sequential machines and Petri nets have been
used as a functional modeling context for protocols, and
experimental automated verification tools based on these
models have been developed. Different models and tools may
need to be used depending on the design objective for which
assurance is desired.
To the extent that the protocol model and implementa-
tion permit separation by layers, the functional model,
applied to individual layers or sets of adjacent layers.
Generally, the assurances obtained about protocols in one
layer are conditional on, or relative to, assurances for
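The reachability analysis that such finite-state tools perform, as an added example that is not part of NCSC-TG-005: two communicating machines exchange messages over one bounded FIFO channel per direction, every reachable global state is enumerated, and the deadlocks and unspecified receptions named above are reported. Both protocols are constructed for the demonstration and are deliberately flawed; the message names and state names are assumptions.

```python
"""Added example, not from NCSC-TG-005: reachability analysis of two
communicating finite-state machines over bounded FIFO channels, reporting
deadlocks and unspecified receptions.  Protocols below are constructed."""
from collections import deque


def explore(spec, init, final=frozenset(), capacity=1):
    """Breadth-first search over global states (state_A, state_B, chan_AB, chan_BA).

    spec[who][state] is a list of (kind, msg, next_state) with kind '!' (send
    to the other party) or '?' (receive from the other party).  `final` holds
    the (state_A, state_B) pairs that are legitimate terminations; any other
    state with no enabled transition is a deadlock.  An unspecified reception
    is a message at the head of a channel that the receiving party's current
    state has no transition for.
    """
    start = (init['A'], init['B'], (), ())
    seen, frontier = {start}, deque([start])
    deadlocks, unspecified = [], set()
    while frontier:
        g = frontier.popleft()
        sa, sb, ab, ba = g
        succ = []
        for who in ('A', 'B'):
            st = sa if who == 'A' else sb
            out_ch, in_ch = (ab, ba) if who == 'A' else (ba, ab)
            moves = spec[who].get(st, [])
            if in_ch and not any(k == '?' and m == in_ch[0] for k, m, _ in moves):
                unspecified.add((who, st, in_ch[0]))
            for kind, msg, nxt in moves:
                if kind == '!' and len(out_ch) < capacity:
                    new_out, new_in = out_ch + (msg,), in_ch
                elif kind == '?' and in_ch and in_ch[0] == msg:
                    new_out, new_in = out_ch, in_ch[1:]
                else:
                    continue  # transition not enabled in this global state
                succ.append((nxt, sb, new_out, new_in) if who == 'A'
                            else (sa, nxt, new_in, new_out))
        if not succ and (sa, sb) not in final:
            deadlocks.append(g)
        for n in succ:
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return {'reachable': len(seen), 'deadlocks': deadlocks,
            'unspecified': sorted(unspecified)}


# Constructed stop-and-wait protocol with retransmission: A may resend DATA
# while B is still about to acknowledge, and B's 'got' state has no
# transition for a second DATA.
RETRANSMIT = {
    'A': {'idle': [('!', 'DATA', 'wait')],
          'wait': [('?', 'ACK', 'idle'), ('!', 'DATA', 'wait')]},
    'B': {'idle': [('?', 'DATA', 'got')],
          'got': [('!', 'ACK', 'idle')]},
}

# Constructed connection setup in which each side waits for the other's
# CONNECT before sending its own, so neither ever sends anything.
WAIT_FIRST = {
    'A': {'start': [('?', 'CONNECT', 'reply')],
          'reply': [('!', 'CONNECT', 'open')], 'open': []},
    'B': {'start': [('?', 'CONNECT', 'reply')],
          'reply': [('!', 'CONNECT', 'open')], 'open': []},
}


def analyze_examples():
    """Run both constructed protocols through the explorer."""
    return {
        'retransmit': explore(RETRANSMIT, {'A': 'idle', 'B': 'idle'}),
        'wait_first': explore(WAIT_FIRST, {'A': 'start', 'B': 'start'},
                              final={('open', 'open')}),
    }


if __name__ == '__main__':
    for name, result in analyze_examples().items():
        print(name, result)
```

The channel bound is what keeps the state space finite; raising `capacity` models deeper in-flight queues at the cost of more states, which is the usual trade-off in such tools.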
Testing
Protocol testing is a method, other than formal verifi-
cation, of assuring the correctness of protocols.
conformance to standards such as X.25, TCP, and TP4 with a
moderate level of success.
The type of testing called for can be referred to as
conformance testing and penetration testing. The purpose of
fidence on the correct operation of the protocols.
Objectives should be to uncover design and implementa-
tion flaws that would cause the protocols to perform their
functions incorrectly, and to determine if the Message
Stream Modification (MSM) countermeasures are effective, if
applicable. They may attempt to uncover all kinds of logi-
cal deficiencies, such as deadlocks, livelocks, unspecified
tions. All discovered flaws should be corrected and the
implementations retested to demonstrate that they have been
eliminated and that new flaws have not been introduced. For
a successful conclusion to a test suite, no design flaws and
no more than a few correctable implementation flaws may be
found during testing, and there should be reasonable confi-
tocol specification to the source code may form a basis for
testing.
Protocols should be thoroughly analyzed and tested for
their responses to both normal and abnormal data type mes-
mode of operation both in controlled environment and in the
environment of deployment.
Documentation
The section headings in these Part II Documentation
criteria are the same as those employed for Part I Documen-
tation criteria. The documentation produced in response to
both sets of criteria may optionally be combined or pub-
lished separately, as the sponsor sees fit.
Security Features User's Guide
A single summary, chapter, or manual in user documenta-
tion shall describe the Part II security services, guide-
lines on their use, and how they interact with one another.
This user documentation describes security services at
the global (network system) level, at the user interface of
each component, and the interaction among these.
Trusted Facility Manual
A manual addressed to the network and component sub-
and privileges that should be controlled to maintain network
administrator functions related to security services. It
of the network security services, how they interact, and
facility procedures, warnings, and privileges that need to
be controlled in order to maintain network security.
The software modules that provide security services
of new security service object modules from source after
modification of source code shall be described. It shall
include the procedures, if any, required to ensure that the
network is initially started in a secure manner. Procedures
after any lapse in operation.
This manual shall contain specifications and procedures
to assist the system administrator to maintain cognizance of
the network configuration. These specifications and pro-
cedures shall address:
network.
leave the network (e.g., by crashing or by being
disconnected) and then rejoin.
indicate which security services may change without
others also changing.
The physical and administrative environmental controls
all communications links must be physically protected to a
certain level).
Test Documentation
A document shall be provided that describes the test
tional testing.
The description of the test plan should establish the
context in which the testing was or should be conducted.
The description should identify any additional test com-
This includes a description of the test-relevant functions
of such test components, and a description of the interfac-
ing of those test components to the system being evaluated.
The description of the test plan should also demonstrate
that the tests adequately cover the network security policy.
The tests should also include network configuration and siz-
ing.
As identified in Appendix A, the entity being evaluated
may be a networking subsystem to which other components must
be added to make a complete network system. In that case,
test documentation must include contextual definition
because, at evaluation time, it is not possible to validate
the test plans without the description of the context for
testing the networking subsystem.
Design Documentation
Documentation shall be available that provides a
explanation of how this philosophy is translated into the
be stated.
The system description addresses the network security
architecture and design by specifying the security services
in the network, and in what way they must cooperate to sup-
ferent policies to communicate, the relationships between
the policies shall be defined.
Specific Security Services
This section contains specific security services that
may be provided in networks. The structure of the specific
in Table II-2. This table shows the network security con-
cerns addressed, the criteria for each concern, and the
evaluation range for each criterion.
Communications Integrity
Communications integrity is a collective term for a
number of security services. These services, described
below, are all concerned with the accuracy, faithfulness,
non-corruptibility, and believability of information
transfer between peer entities through the computer communi-
cations network.
Integrity is an important issue. However, there is
considerable confusion and inconsistency in the use of the
term. The term is used to address matters such as con-
cation access control (write, append, delete, update) and
the credibility of information that is read by a process.-
The mechanisms that can be used to enforce communica-
tion integrity have some strong similarities to the mechan-
isms that are used to enforce discretionary and mandatory
access controls. Integrity in Part I is concerned with
access control, specifically the ability of subjects to
modify objects. This should be contrasted with the Part II
concerns for communications integrity described below.
Authentication
+ Functionality
The network should ensure that a data exchange is esta-
blished with the addressed peer entity (and not with an
entity attempting a masquerade or a replay of a previous
establishment). The network should assure that the data
less association, it is known as Data Origin Authentication.
Attempts to create a session under a false identity or
_________________________
- See, for example, Biba, K.J., "Integrity Considera-
tion for Secure Systems," ESD-TR-76-372, MTR-3153, The
Mitre Corporation, Bedford, MA, April 1977; and Juene-
man, R. R., "Electronic Document Authentication," IEEE
Network Magazine, April 1987, pp 17-23.
authentication is an appropriate countermeasure.
Authentication generally follows identification, estab-
lishing the validity of the claimed identity providing pro-
tection against fraudulent transactions. Identification,
authentication, and authorization information (e.g., pass-
Available techniques which may be applied to peer
authentication mechanisms are:
1. Something known by the entity (e.g., passwords)
2. Cryptographic means
3. Use of the characteristics and/or possessions of
the entity
The above mechanisms may be incorporated into the (N)-
layer peer-to-peer protocol to provide peer entity authenti-
cation.
To tie data to a specific origin, implicit or explicit
identification information must be derived and associated
may include verification through an alternate communications
channel, or a user-unique cryptographic authentication.
When encryption is used for authentication service, it
can be provided by encipherment or signature mechanisms. In
conventional private-key cryptosystems, the encryption of a
message with a secret key automatically implies data origin
authenticity, because only the holder of that key can pro-
authentication provided by the conventional private-key
cryptosystem can protect both sender and receiver against
third party enemies, but it cannot protect against fraud
committed by the other. The reason is that the receiver
knowing the encryption key, could generate the encrypted
form of a message and forge messages appearing to come from
the sender. In the case where disputes may
arise from the dishonesty of either sender or receiver, a
In public-key cryptosystems, message secrecy and
message/sender authenticity are functionally independent.
To achieve authenticity, the message is "decrypted" with the
that does not conceal the message. If both secrecy and
authenticity are required, a public-key signature scheme
must be used. This subject is extensively addressed in the
_________________________
= The Directory - Authentication Framework (Mel-
bourne, April 1986), ISO/CCITT Directory Convergence
Document #3.
Basis for Rating: Presence or absence.
Evaluation Range: None or present.
+ Strength of Mechanism
The security provided by the password mechanism is
very sensitive to how passwords are selected and protected.
The security provided by a password depends on composition,
lifetime, length, and protection from disclosure and substi-
tution. Password Management Guidance is contained in a
When cryptographic techniques are used, they may be
combined with "hand-shaking" protocols and "liveness"
assurance procedures to protect against masquerading and
by:
1. Synchronized clocks
2. Two- and three-way handshakes
3. Non-repudiation services provided by digital sig-
nature and/or notarization mechanisms
The strength of the ciphers, the correctness of the
using cryptography techniques. See also the Encryption
Mechanism section.
Basis for Rating: In order to obtain a rating of good
using passwords, such usage must conform to Password Manage-
ment Guidance-. The strength of a cryptographic mechanism
Evaluation Range: None to good.
+ Assurance
Basis for rating assurance is concerned with guarantee-
ing or providing confidence that features to address authen-
tication threats have been implemented correctly and that
the control objectives of each feature have been actually
and accurately achieved.
This assurance may be addressed by analysis of the
includes password scheme and/or cryptographic algorithm
analysis and the automated protocol testing for deadlock,
_________________________
- Department of Defense Password Management Guide-
line, National Computer Security Center, CSC-STD-002-
liveness, and other security properties of the "hand-
Many of the assurance approaches are common to other
may be employed for peer entity authentication. These
mechanisms, and their assurance, are discussed in a separate
Basis for Rating: See the General Assurance Approaches
Evaluation Range: None to good.
Communications Field Integrity
Communications Field Integrity refers to protection of
any of the fields involved in communications from unauthor-
ized modification. Two well-known fields are the protocol-
information (a.k.a. header) field and the user-data field.
A protocol-data-unit (PDU) (a.k.a. packet, datagram) always
contains protocol-information; user-data is optional.
Other division and identification of fields are possi-
ble. Some communications systems identify such fields as
control and priority. For generality, this section refers
to any field as containing data; this data may in fact be
fied field. For convenience, the term data integrity will
be used synonymously with communications field integrity.
Data integrity may be provided on a selective field basis;
It should be mentioned that in a layered protocol the
combination of layer N protocol-information plus layer N
user-data is considered to be all user-data in layer N-1.
the relationship between PDUs and messages. Each PDU may
constitute an independent message, or a sequence of PDUs may
constitute a single message.
+ Functionality
Data integrity service counters active threats and pro-
tects data against unauthorized alteration. The network
from source to destination (regardless of the number of
intermittent connecting points). The network should be able
to counter both equipment failure as well as actions by per-
cols that perform code or format conversion will preserve
the integrity of data and control information.
The network should also have an automated capability of
testing for, detecting, and reporting errors that exceed a
threshold.
Since communication may be subject to jamming/spoofing
attack, line and node outages, hardware and software
failures, and active wiretapping attacks, there should exist
effective countermeasures to counter possible communications
threats. The countermeasures may include policy, procedures,
automated or physical controls, mechanisms, and protocols
means.
Basis for Rating: Data Integrity service may be
evaluated according to its ability to detect integrity vio-
lations. The following progression relates features and
evaluation.
Functionality would be evaluated as minimum if either
of the following two levels of features were provided:
1. Integrity of a single connectionless PDU. This
takes the form of determining whether a received
PDU has been modified.
2. Integrity of selected fields within a connection-
less PDU. This takes the form of determining
whether the selected fields have been modified.
Functionality would be evaluated as fair if, in addi-
tion, either of the following two levels of features were
1. Integrity of selected fields transferred over a
connection. This takes the form of determining
whether the selected fields have been modified,
inserted, deleted, or replayed.
2. Integrity of all user-data on a protocol layer
connection. This service detects any modifica-
tion, insertion, deletion, or replay of any PDU of
an entire PDU sequence with no recovery attempted.
Functionality would be evaluated as good if, in addi-
tion, the following feature is provided:
Integrity of all user-data on a protocol layer con-
nection. This service detects any modification,
insertion, deletion, or replay of any PDU of an
entire PDU sequence with recovery attempted.
Evaluation Range: None to good.
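The second fair-level feature above (detecting modification, insertion, deletion, or replay of any PDU in a connection's sequence, with no recovery attempted), as an added example that is not part of NCSC-TG-005. Each PDU carries a sequence number and an HMAC bound to the connection identifier, the sequence number, and the user data; the receiver tracks the next expected sequence number and names the kind of violation it sees. The key, connection identifier, PDU layout, and verdict names are assumptions made for the demonstration.

```python
"""Added example, not from NCSC-TG-005: connection-level data integrity that
detects modification, insertion, deletion and replay of PDUs in a sequence,
reporting each violation without attempting recovery.  Constructed data."""
import hashlib
import hmac
import struct


def _tag(key: bytes, conn_id: int, seq: int, data: bytes) -> bytes:
    # Binding the tag to (connection, position) is what makes moving a PDU to
    # another connection or another position detectable.
    return hmac.new(key, struct.pack(">IQ", conn_id, seq) + data, hashlib.sha256).digest()


def make_pdu(key: bytes, conn_id: int, seq: int, data: bytes) -> dict:
    return {"conn": conn_id, "seq": seq, "data": data, "tag": _tag(key, conn_id, seq, data)}


class IntegrityReceiver:
    """Accepts PDUs for one connection and reports integrity violations."""

    def __init__(self, key: bytes, conn_id: int):
        self.key, self.conn, self.expected = key, conn_id, 0
        self.accepted, self.violations = [], []

    def receive(self, pdu: dict) -> str:
        expected_tag = _tag(self.key, pdu["conn"], pdu["seq"], pdu["data"])
        # A wrong tag covers alteration in transit and insertion by a party
        # without the key; a PDU belonging to another connection fails here too.
        if pdu["conn"] != self.conn or not hmac.compare_digest(pdu["tag"], expected_tag):
            self.violations.append(("modified_or_inserted", pdu["seq"]))
            return "modified_or_inserted"
        if pdu["seq"] < self.expected:
            # Valid tag but a position already consumed: replay.
            self.violations.append(("replayed", pdu["seq"]))
            return "replayed"
        verdict = "ok"
        if pdu["seq"] > self.expected:
            # Positions skipped: the PDUs in between were deleted (or reordered).
            # No recovery is attempted; the gap is reported and the stream moves on.
            self.violations.append(("deleted", list(range(self.expected, pdu["seq"]))))
            verdict = "deleted_before"
        self.accepted.append(pdu["data"])
        self.expected = pdu["seq"] + 1
        return verdict


def demo() -> list:
    """Feed a constructed PDU stream with one of each violation; return verdicts."""
    key, conn = b"constructed-demo-key", 7
    rx = IntegrityReceiver(key, conn)
    stream = [make_pdu(key, conn, i, b"record-%d" % i) for i in range(5)]
    verdicts = [rx.receive(stream[0]), rx.receive(stream[1])]
    tampered = dict(stream[2], data=b"record-2-altered")   # alteration in transit
    verdicts.append(rx.receive(tampered))
    verdicts.append(rx.receive(stream[2]))                  # genuine copy arrives
    verdicts.append(rx.receive(stream[1]))                  # replay of an old PDU
    verdicts.append(rx.receive(stream[4]))                  # stream[3] was deleted
    intruder = make_pdu(b"intruder-key", conn, 5, b"bogus")  # insertion without the key
    verdicts.append(rx.receive(intruder))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A good-level service would add recovery (for example, requesting retransmission of the missing positions) on top of the same detection logic; the detection itself does not change.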
+ Strength of Mechanism
Policy, procedures, automated or physical controls,
mechanisms, and protocols should exist for ensuring that
unauthorized message stream modification, such as altera-
tion, substitution, reordering, replay, or insertion. Mes-
identified and shown to be effective. A technology of ade-
quate strength should be selected to resist MSM.
The probability of an undetected error should be speci-
fied as an indication of the strength of mechanism. The net-
cation errors/corruptions that exceed specified network
Basis for Rating: When encryption is used in networks,
it is combined with network protocols to protect against
unauthorized data modification. The strength of the
ciphers, the correctness of the protocol logic, and the ade-
quacy of implementation are three primary factors in assess-
ing the strength of Data Integrity using cryptography tech-
niques. See the Encryption Mechanism section for further
information.
Evaluation Range: None to good.
+ Assurance
Basis for rating: Assurance is concerned with guaran-
teeing or providing confidence that features to address Data
the control objectives of each feature have been actually
and accurately achieved.
Many of the assurance approaches for data integrity are
common to other security services. See the General
Assurance section for further information.
Evaluation Range: None to good.
Non-repudiation
+ Functionality
Non-repudiation service provides unforgeable proof of
This service prevents the sender from disavowing a leg-
itimate message or the recipient from denying receipt. The
network may provide either or both of the following two
forms:
1. The recipient of data is provided with proof of
origin of data that will protect against any
attempt by the sender to falsely deny sending the
data or its contents.
2. The sender is provided with proof of delivery of
data such that the recipient cannot later deny
receiving the data or its contents.
Basis for Rating: Presence or absence of each of the
two forms.
Evaluation Range: None or present.
Discussion: Digital signatures are available techniques
that may be applied to non-repudiation mechanisms. Digital
1. Signing a data unit
2. Verifying a signed data unit
The signing process typically employs either an enci-
The verification process involves using the public pro-
cedure and information to determine whether the signature
It is essential that the signature mechanism be
unforgeable and adjudicable. This means that the signature
can only be produced using the signer's private information,
and in case the signer should disavow signing the message,
it must be possible for a judge or arbitrator to resolve a
message.
Digital signature schemes are usually classified into
one of two categories: true signatures or arbitrated signa-
tures. In a true signature scheme, signed messages produced
by the sender are transmitted directly to the receiver who
verifies their validity and authenticity. In an arbitrated
the sender to the receiver via an arbitrator who serves as a
notary public. In the latter case, a notarization mechanism
is needed.
Both public-key and conventional private-key cryptosys-
tems can be utilized to generate digital signatures. When a
message M is to be signed by a private-key cryptosystem, the
along with it. In a public-key implementation, when a mes-
key is applied to M before transmitting it. Thus, the signa-
ture is presented by the resulting transformed message.
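The contrast drawn in the Authentication section above (a shared secret key authenticates against third parties but lets the receiver forge) and the unforgeable, adjudicable signature this section calls for, as one added example that is not part of NCSC-TG-005. The shared-key case uses an HMAC in place of the encipherment the text describes; the public-key case uses a Lamport one-time signature built from SHA-256, a genuine signature scheme chosen because it needs nothing beyond the standard library. Keys, messages, and function names are constructed for the demonstration.

```python
"""Added example, not from NCSC-TG-005: a shared-key authenticator (HMAC)
that the receiver can forge, beside a public-key signature (Lamport
one-time signature over SHA-256) that a judge holding only the public key
can verify.  Keys and messages are constructed."""
import hashlib
import hmac
import secrets

N_BITS = 256  # one key pair per bit of the SHA-256 message digest


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Shared-key authenticator: anyone holding `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def _digest_bits(message: bytes):
    d = hashlib.sha256(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages.  Public key: the
    SHA-256 hash of each preimage.  One key pair signs exactly one message."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def lamport_sign(priv, message: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pub, message: bytes, signature) -> bool:
    """A judge needs only the public key: each revealed preimage must hash to
    the public value selected by the corresponding digest bit."""
    if len(signature) != N_BITS:
        return False
    return all(hmac.compare_digest(hashlib.sha256(signature[i]).digest(), pub[i][bit])
               for i, bit in enumerate(_digest_bits(message)))


def demo() -> dict:
    """Walk through both cases on constructed data and return the outcomes."""
    shared_key = b"constructed-demo-key"
    genuine = b"transfer 100 units to account 42"
    forged = b"transfer 999 units to account 42"
    out = {}
    tag = mac_tag(shared_key, genuine)
    out["mac_accepts_genuine"] = mac_verify(shared_key, genuine, tag)
    # A third party without the key cannot produce a valid tag...
    out["mac_rejects_outsider"] = not mac_verify(shared_key, forged, mac_tag(b"guess", forged))
    # ...but the receiver holds the key too, so its forgery is indistinguishable
    # from a genuine message: nothing remains for a judge to decide on.
    out["receiver_can_forge_mac"] = mac_verify(shared_key, forged, mac_tag(shared_key, forged))

    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, genuine)
    out["sig_accepts_genuine"] = lamport_verify(pub, genuine, sig)
    # The receiver (or judge) holds only `pub`; re-using the genuine signature
    # on altered text fails, so the signer cannot disavow `genuine`.
    out["receiver_cannot_forge_sig"] = not lamport_verify(pub, forged, sig)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The one-time property matters in practice: signing two different messages with the same Lamport private key reveals enough preimages for a third party to forge, so a deployed scheme uses a fresh key pair per message or a tree of them.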
+ Strength of Mechanism
Basis for Rating: The strength and trustworthiness
the underlying cryptography implementing digital signature
mechanism, the correctness of the protocol logic, and the
adequacy of protocol implementation. Additional information
may be found in the separate sections addressing these sub-
Evaluation Range: None to good.
+ Assurance
Basis for Rating: Assurance is concerned with guaran-
teeing or providing confidence that features to provide
non-repudiation service have been implemented correctly and
that the control objectives of each feature have been actu-
ally and accurately achieved.
This assurance is addressed by analysis of the logic of
the protocols and the implementation of the digital signa-
ture mechanisms to show correctness and effectiveness by
formal methods where possible (i.e., where tools exist) and
informal ones otherwise.
The information in the General Assurance, Encryption
Mechanisms, and Protocols sections also applies.
Evaluation Range: None to good.
Denial of Service
Assurance of communications availability would probably
be more properly identified as a service, while denial-of-
is traditional to employ denial of service as the identifier
of this topic.
DOS detection is highly dependent on data integrity
checking/detection mechanisms. Other mechanisms relating to
numbers, frame counts) are also measures of DOS protection.
A denial-of-service condition exists whenever the
throughput falls below a pre-established threshold, or
access to a remote entity is unavailable. DOS also exists
basis. Priority and similar mechanisms should be taken into
account in determining equity. If a connection is active, a
DOS condition can be detected by the maximum waiting time
(MWT) or the predetermined minimum throughput. However,
of a connection has no way of determining when the next
is thus unable to detect a DOS attack that completely cuts
off the flow of packets from that entity.
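The detection rule just described, as an added example that is not part of NCSC-TG-005: a monitor for one flow raises a DOS condition when the gap since the last arrival exceeds the maximum waiting time (MWT) or when throughput over a window falls below the pre-established minimum. A second monitor with no MWT stands in for the connectionless receiver above, which has no expectation of when the next PDU is due and so notices a cut-off flow only if, and when, a throughput minimum was agreed. Thresholds, timestamps, and byte counts are constructed.

```python
"""Added example, not from NCSC-TG-005: a per-flow denial-of-service monitor
based on a maximum waiting time (MWT) and a minimum throughput threshold.
All thresholds and traffic below are constructed."""
from collections import deque


class DosMonitor:
    def __init__(self, mwt_s, min_bps, window_s):
        self.mwt_s = mwt_s          # None: no expectation of the next arrival
        self.min_bps = min_bps      # pre-established minimum throughput
        self.window_s = window_s    # averaging window for throughput
        self.events = deque()       # (time, bytes) arrivals inside the window
        self.first = self.last = None

    def _throughput(self, now):
        while self.events and self.events[0][0] <= now - self.window_s:
            self.events.popleft()
        return sum(n for _, n in self.events) / self.window_s

    def check(self, now):
        """Conditions present at time `now`, with or without a new PDU."""
        conditions = []
        if self.mwt_s is not None and self.last is not None and now - self.last > self.mwt_s:
            conditions.append("mwt_exceeded")
        # Throughput is only judged once a full window has elapsed.
        if (self.first is not None and now - self.first >= self.window_s
                and self._throughput(now) < self.min_bps):
            conditions.append("throughput_below_minimum")
        return conditions

    def observe(self, now, nbytes):
        """Record an arrival; returns the conditions that held just before it."""
        conditions = self.check(now)
        if self.first is None:
            self.first = now
        self.events.append((now, nbytes))
        self.last = now
        return conditions


def demo():
    """Steady traffic for 11 s, then the flow is cut off completely."""
    connection = DosMonitor(mwt_s=2.0, min_bps=500, window_s=10.0)
    connectionless = DosMonitor(mwt_s=None, min_bps=500, window_s=10.0)
    steady = []
    for t in range(11):  # one 1000-byte PDU per second
        steady += connection.observe(float(t), 1000)
        connectionless.observe(float(t), 1000)
    return {
        "steady": steady,
        "silent_3s_connection": connection.check(13.0),
        "silent_3s_connectionless": connectionless.check(13.0),
        "silent_10s_connection": connection.check(20.0),
        "silent_10s_connectionless": connectionless.check(20.0),
    }


if __name__ == "__main__":
    for name, conditions in demo().items():
        print(f"{name}: {conditions}")
```

Three seconds after the last PDU the connection monitor already reports the MWT violation, while the connectionless monitor reports nothing until the throughput average has decayed below the minimum; without even that agreed minimum it would never report at all.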
Denial of service conditions should be considered for
all services being provided by the network. As discussed
below for specific services, depending on the strength of
mechanism the network should be able to detect, recover,
and/or resist denial of service conditions. The specific
conditions, which the network will address, are determined
through the use of informal models, such as Mission(s)
Model, Threat Model, Life Cycle Model, and Service Oriented
Model. The network manager or sponsor shall determine the
network's denial of service requirements and shall establish
the desired service criteria accordingly.
Continuity of Operations
+ Functionality
The security features providing resistance against DOS
external attacks and the objectives that each feature will
achieve may include the following:
of redundancy throughout the network components
(i.e., network nodes, connectivity, and control
capability) may enhance reliability, reduce single-
point-of-failure, enhance survivability, and provide
excess capacity.
nance and program down-loading to network nodes for
software distribution, and to provide initialization
and reconfiguration after removing failed or faulty
components and replacing with replaced components
can isolate and/or confine network failures, accom-
modate the addition and deletion of network com-
ponents, and circumvent a detected fault.
functions utilizing a distributed control capability
to reduce or eliminate the possibility of disabling
the network by destroying or disabling one or a few
network control facilities, and a flexible control
capability which is able to respond promptly to
emergency needs, such as increase in traffic or
quick restoration, can improve the capability to
respond promptly to the changes in network topology
and network throughput thereby enhancing survivabil-
ity and continuity of operation, perhaps by enforc-
ing precedence and preemption on traffic handling.
deal with network failures and to maintain con-
tinuity of operations of a network including the
following features: error/fault detection, fault
treatment, damage assessment (analysis on effects of
failures), error/failure recovery, component/segment
crash recovery, and whole network crash recovery.
interest separation through creation of logical sub-
nets with disjoint non-hierarchical mandatory access
control categories, and protection of control infor-
mation from active wiretapping.
Basis for Rating: The network should ensure some
minimum specified continuing level of service. The follow-
ing service would be considered minimum:
a) Detect conditions that would degrade service below
a pre-specified minimum and would report such
degradation to its operators.
The following service would be considered fair:
b) Service that would continue in the event of equip-
ment failure and actions by persons and processes
not authorized to alter the data. The resiliency
may be provided by redundancy, alternate facili-
ties, or other means. The service provided may be
degraded and/or may invoke priorities of service.
The following service would be considered good:
c) The same as (a), but with automatic adaptation.
Evaluation Range: None to good.
+ Strength of Mechanism
Network operational maintenance is based on mechanisms
ng. It may be nearly impossible to guarantee sufficiently
In addition to rigorous analysis to assure algorithmic
correctness in dealing with the "internal failures" (e.g.,
component, segment, or system failures caused by errors in
countermeasures shall also be employed against "external
attacks" such as physical attacks.
Basis for Rating: For each DOS feature defined above,
it is possible to assign a rating such as none, minimum,
fair, and good for the assessment of a network's "DOS
For example, major ways of providing fault-tolerant
mechanisms include:
1. Error/fault detection
2. Fault treatment
3. Damage assessment (analysis on effects of
failures)
4. Error/failure recovery
5. Component/segment crash recovery
6. Whole network crash recovery
Evaluation Range: None to good.
+ Assurance
Assurance is concerned with guaranteeing or providing
confidence that features to address DOS threats have been
implemented correctly and that the objectives of each
feature have been actually and accurately achieved.
This assurance may be addressed by analysis for weak-
ness or anomalous behavior of the resource allocation
models, protocol models, or resource allocation models which
can be analyzed for deadlock, liveness, and other security
Basis for Rating: To provide assurance that the network
can respond to various forms of denial of service condi-
tions, the following methods may be employed:
1. Simulation
2. Testing
a. Functional
b. Periodic
c. Penetration
3. Measurement under extreme conditions
Distribution, as discussed as one of the General
Assurance Factors, can increase the assurance that the
text of deployment of new software and in crash recovery.
increase assurance.
Evaluation Range: None to good.
+ Functionality
Mechanisms for addressing DOS are often protocol based
and may involve testing or probing. Any communications
availability service should consider using existing communi-
cations protocol mechanisms where feasible so as not to
increase network overhead. DOS mechanisms add overhead that
may have some adverse impact on network performance. The
benefits of value-added functions should offset the resul-
tant performance cost.
For example, in order to detect throughput denial of
ng. The measured transmission rate shall be compared with
a predetermined minimum to detect a DOS condition and
activate an alarm.
Another example is a protocol to detect failure to
This protocol would determine the remote entity's ability to
A request-response mechanism such as "are-you-there"
message exchange may be employed to detect DOS conditions
mechanism involves the periodic exchange of "hello", and
"are-you-there" messages between peer entities to verify
that an open path exists between them; such a mechanism
Based on the ability to respond and the response time to the
entity can be determined and the DOS condition can be
Request-response mechanisms have been known to crash
networks when coupled with hardware failures and/or abnormal
loading. Incompatibilities also sometimes show up when dis-
tion.
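The two detection mechanisms just described, the throughput check against a predetermined minimum and the "are-you-there" request-response probe, modelled in Python as an added example (not code from NCSC-TG-005). All rates, timeouts and message formats are constructed assumptions, and the probe is paced to reflect the caveat that request-response traffic has itself crashed loaded networks.

```python
"""Added example (not from NCSC-TG-005): protocol-based DOS detection, a
throughput monitor against a predetermined minimum rate and an are-you-there
request-response probe. Thresholds and message formats are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ThroughputMonitor:
    """Measures the transmission rate over a sliding window and raises a DOS
    condition when it drops below a predetermined minimum (bytes per second)."""
    min_rate: float
    window_secs: float
    samples: deque = field(default_factory=deque)   # (timestamp, bytes) pairs

    def record(self, ts: float, nbytes: int) -> None:
        self.samples.append((ts, nbytes))
        cutoff = ts - self.window_secs
        while self.samples and self.samples[0][0] < cutoff:
            self.samples.popleft()

    def measured_rate(self) -> float:
        return sum(n for _, n in self.samples) / self.window_secs

    def dos_condition(self) -> bool:
        # Alarm condition: measured rate below the specified minimum.
        return self.measured_rate() < self.min_rate


@dataclass
class AreYouThereProbe:
    """Request-response liveness check between peer entities. Probes are
    paced (min_interval_secs) because, as the text notes, request-response
    traffic has crashed networks under hardware failure or abnormal load."""
    timeout_secs: float        # no valid reply within this: unresponsive
    degraded_rtt_secs: float   # reply slower than this: degraded
    min_interval_secs: float   # spacing between probes to one peer
    last_sent: Optional[float] = None

    def may_send(self, now: float) -> bool:
        return self.last_sent is None or now - self.last_sent >= self.min_interval_secs

    def send(self, now: float) -> dict:
        if not self.may_send(now):
            raise RuntimeError("probe paced: too soon after previous are-you-there")
        self.last_sent = now
        return {"type": "are-you-there", "sent_at": now}

    def classify(self, request: dict, reply: Optional[dict]) -> str:
        """Judge one exchange: 'ok', 'degraded' or 'unresponsive'."""
        if reply is None or reply.get("type") != "i-am-here":
            return "unresponsive"
        rtt = reply["received_at"] - request["sent_at"]
        if rtt > self.timeout_secs:
            return "unresponsive"
        return "degraded" if rtt > self.degraded_rtt_secs else "ok"


def peer_respond(request: dict, now: float, path_open: bool) -> Optional[dict]:
    """Constructed remote entity: answers only if an open path exists to it."""
    if not path_open or request.get("type") != "are-you-there":
        return None
    return {"type": "i-am-here", "received_at": now}


def demo() -> dict:
    """Run both detectors over constructed traffic and return their verdicts."""
    mon = ThroughputMonitor(min_rate=1000.0, window_secs=10.0)
    for t in range(10):                 # 1500 B/s: above the minimum
        mon.record(float(t), 1500)
    healthy = mon.dos_condition()       # False
    for t in range(10, 20):             # traffic collapses to 200 B/s
        mon.record(float(t), 200)
    starved = mon.dos_condition()       # True

    probe = AreYouThereProbe(timeout_secs=2.0, degraded_rtt_secs=0.5, min_interval_secs=5.0)
    r1 = probe.send(100.0)
    ok = probe.classify(r1, peer_respond(r1, now=100.1, path_open=True))
    r2 = probe.send(105.0)
    slow = probe.classify(r2, peer_respond(r2, now=106.0, path_open=True))
    r3 = probe.send(110.0)
    dead = probe.classify(r3, peer_respond(r3, now=110.1, path_open=False))
    return {"healthy": healthy, "starved": starved, "ok": ok, "slow": slow, "dead": dead}


if __name__ == "__main__":
    print(demo())
```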
Basis for Rating: The number of protocol based mechan-
isms could be used for evaluation. If only one mechanism
might be rated as fair. If more than three mechanisms were
Evaluation Range: None to good.
+ Strength of Mechanism
Basis for Rating: Network protocol robustness may
analysis to assure protocol correctness in dealing with the
"internal failures" and against "external attacks" are
appropriate ways of establishing strength of mechanism.
Evaluation Range: None to good.
+ Assurance
Assurance is concerned with guaranteeing or providing
confidence that features to address DOS threats have been
implemented correctly and that the objectives of each
feature have been actually and accurately achieved.
Basis for Rating: This assurance may be addressed by
analysis for weakness or anomalous behavior of the network
theoretic models, hierarchical service models, petri nets,
or resource allocation models which can be analyzed for
To provide assurance that the network can respond to
various forms of external attacks, the following methods may
be employed:
1. simulation
2. testing
- functional
- periodic
- penetration
3. measurement under extreme conditions
Distribution, as discussed as one of the General
Assurance Factors, can increase the assurance that the
text of deployment of new software and in crash recovery.
increase assurance.
Evaluation Range: None to good.
+ Functionality
DOS resistance based on a system/message integrity
measure is two-tiered. Tier one deals with communications
maintenance). These tiers for the most part operate
independently.
Network management and maintenance in tier two deals
not necessarily be a good measure of proper performance.
Loading above capacity, flooding, replays, and protocol
an acceptable level and/or cause selective outages. Manage-
ment protocols, such as those which configure the network or
monitor its performance, are not described well by the
existing protocol reference models.
A DOS attack may cause disruption of more than one peer
entity association. For this reason detection and correc-
tion may be implemented in tier two. The detection of a
by the layer management functions of those entities. The
function, and the corrective action is a system management
function.
Basis for Rating: Presence or absence.
Evaluation Range: None or present.
+ Strength of Mechanism
Network operational maintenance is based on mechanisms
(e.g., update of routing tables).
Basis for Rating: Integrity and adequacy of control in
a network are the keys in coping with denial of service con-
(e.g., component, segment, or system failures caused by
errors in resource allocation policy or mechanism implemen-
tation), countermeasures shall also be employed against
"external attacks," such as physical attacks and attacks
against network control.
Based on these characterizations, a set of ratings can
be assigned to each category under the fault tolerance
feature and an overall rating can then be determined for a
network's strength in providing "fault tolerance mechan-
isms".
Evaluation Range: None to good.
+ Assurance
Basis for Rating: Assurance may be addressed by
analysis for weakness or anomalous behavior of the network
management policy/mechanisms of the network using various
formal models such as queuing theoretic models, hierarchical
models which can be analyzed for deadlock, liveness, and
other security properties.
Distribution, as discussed as one of the General
Assurance Factors, can increase the assurance that the
text of deployment of new software and in crash recovery.
increase assurance.
Evaluation Range: None to good.
Compromise protection is a collective term for a number
of security services. These services, described below, are
all concerned with the secrecy, or non-disclosure of infor-
mation transfer between peer entities through the computer
communications network. Physical security, such as pro-
tected wireways, can also provide transmission security. The
network manager or sponsor must decide on the balance
between physical, administrative, and technical security.
This document only addresses technical security.
+ Functionality
Data confidentiality service protects data against
unauthorized disclosure. Data confidentiality is mainly
compromised by passive wiretapping attacks. Passive attacks
consist of observation of information passing on a link.
Release of message content to unauthorized users is the fun-
Prevention of release of message contents can be accom-
Encryption Mechanism section.) The granularity of key dis-
tribution is a trade-off between convenience and protection.
Fine granularity would employ a unique key for each sensi-
tivity level for each session; coarse granularity would
employ the same key for all sessions during a time period.
The network must provide protection of data from unau-
thorized disclosure. Confidentiality can have the following
features:
1. Confidentiality of all user-data on a specific
protocol layer connection. Note: depending on use
and layer, it may not be appropriate to protect
all data, e.g., expedited data or data in a con-
nection request.
2. Confidentiality of all user-data in a single con-
nectionless datagram
3. Confidentiality of selected fields within the
user-data of a PDU
Basis for Rating: Presence or absence of each feature.
Evaluation Range: None or present.
+ Strength of Mechanism
Physical protection and encryption are the fundamental
techniques for protecting data from compromise. Through
their use, release of message content and traffic analysis
can be prevented.
Basis for Rating: The evaluation of data confidential-
ity mechanisms is outside the scope of this document. The
cognizant authorities will evaluate the mechanisms relative
to a specific environment according to their own rules and
Evaluation Range: Sensitivity level of data approved to
+ Assurance
Basis for Rating: Assurance is concerned with guarantee-
ing or providing confidence that features to address Data
Confidentiality threats have been implemented correctly and
that the control objectives of each feature have been actu-
ally and accurately achieved. Blacker is an example of such
an application of a TCB for high assurance of data confiden-
tiality.
Many of the assurance approaches for data confidential-
ity are common to other security services. See the General
Assurance section for further information.
Evaluation Range: None to good.
+ Functionality
Traffic flow confidentiality service protects data
against unauthorized disclosure. Traffic analysis is a
compromise in which analysis of message length, frequency,
and protocol components (such as addresses) results in
information disclosure through inference.
Traffic flow confidentiality is concerned with masking
the frequency, length, and origin-destination patterns of
communications between protocol entities. Encryption can
effectively and efficiently restrict disclosure above the
transport layer; that is, it can conceal the process and
application but not the host computer node.
The OSI Addendum- notes: "Traffic padding mechanisms
can be used to provide various levels of protection against
traffic analysis. This mechanism can be effective only if
the traffic padding is protected by a confidentiality
- ISO 7498/Part 2 - Security Architecture, ISO / TC
Basis for Rating: Presence or absence.
Evaluation Range: None or present.
+ Strength of Mechanism
Physical protection, encryption, and traffic padding
are the fundamental countermeasures for traffic analysis.
Basis for Rating: The evaluation of traffic confiden-
tiality mechanisms is outside the scope of this document.
The cognizant authorities will evaluate the mechanisms rela-
tive to a specific environment according to their own rules
and procedures.
Evaluation Range: Sensitivity level of data approved to
+ Assurance
Basis for Rating: Assurance is concerned with guaran-
teeing or providing confidence that features to address
Traffic Confidentiality threats have been implemented
correctly and that the control objectives of each feature
Many of the assurance approaches for traffic confiden-
tiality are common to other security services. See the Gen-
eral Assurance section for further information.
Evaluation Range: None to good.
_ _ _ _________ _______
+ Functionality
"Routing control is the application of rules during the
cally secure sub-networks, relays, or links. End-systems
may, on detection of persistent manipulation attacks, wish
to instruct the network service provider to establish a con-
nection via a different route. Data carrying labels may be
forbidden by the security policy to pass through certain
nection (or the sender of a connectionless data unit) may
networks, links or relays be avoided."
- ISO 7498/Part 2 - Security Architecture, ISO / TC
For example, there are national laws and network
administration policies governing individual privacy rights,
encryption, and trans-border data flow. A user in an end
information should not flow.
Basis for Rating: Presence or absence.
Evaluation Range: None or present.
+ Strength of Mechanism
Basis for Rating: The factors discussed under Suppor-
tive Primitives (Section 7) apply.
Evaluation Range: None to good.
+ Assurance
Basis for Rating: The General Assurance Approaches
apply.
Evaluation Range: None to good.
Table II-1. Part II Assurance Rating Relationship to Part I Evaluation
(note: Table not included)
Table II-2. Evaluation Structure for the Network Security Services
(note: Table not included)
Appendix A
Evaluation of Network Components
A.1. Purpose
Part I of this Trusted Network Interpretation (TNI)
Evaluation Criteria (TCSEC) appropriate for evaluating a
network of computer and communication devices as a single
the Network Trusted Computing Base (NTCB), which is physi-
cally and logically partitioned among the components of the
network. These interpretations stem from the recognition
that networks form an important and recognizable subclass of
ADP systems with distinctive technical characteristics that
allow tailored interpretations of the TCSEC to be formulated
for them.
An extension of this view of networks can be taken:
that a trusted network represents a composition of trusted
components. This view is sound, consistent with the first,
and useful. The approach to evaluation of a network sug-
of the components to arrive at an overall rating class for
the network. This approach aids in the assigning of an
overall network evaluation class in two ways: 1) it allows
for the evaluation of components which in and of themselves
for the reuse of the evaluated component in different net-
This approach to evaluation does not negate or override
any of the interpretations presented in Part I of this docu-
ment, which describe the global characteristics of a trusted
network. In order to present a unified and self-consistent
exposition within Part I of the document, a deliberate
choice was made to express the basic network interpretations
in terms of the view that networks are instances of ADP sys-
tems to which the TCSEC are applied on a system-wide basis.
This choice allows Part I to follow the TCSEC closely
because the basic structural model underlying the TCSEC,
that of a system with a single Trusted Computer Base (TCB),
This appendix provides guidance for the evaluation of
the individual components of a trusted network. The com-
application of the total network interpretations expressed
to support the eventual evaluation of a network or network
the Part I interpretations. Note that Part II applies to
components without further interpretation. No implication
is intended in this appendix that all networks must be com-
complete network could be evaluated as a whole using the
cal cases, however, the techniques presented here for con-
composition into an evaluatable whole, constitutes a viable
and attractive means for actually conducting the evaluation
of the system under Part I interpretations.
Three major issues must be confronted by the architect
or evaluator of a trusted system when the partitioned
viewpoint is applied:
1. How is the network to be partitioned in such a way
that evaluation of individual components will sup-
port eventual evaluation of the entire network?
2. What evaluation criteria should be applied to each
component when rating that component?
3. How can the composition of rated components be
evaluated?
The first of these issues is addressed in the separate
Appendix B, Rationale Behind NTCB Partitions. The remaining
two issues are addressed in this Appendix: the first, in
Section A.1.1 presents a taxonomy (classification
ture for individual components.
Section A.2 presents techniques and guidelines for the
composition of rated processing components to achieve par-
ticular system ratings for the assembled network. This gui-
the policy elements supported where these are organized into
the four broad policy areas of Mandatory Access Controls,
Discretionary Access Controls, Identification and Authenti-
cation, and Audit support.
Section A.3 presents specific evaluation guidance in
terms of the network interpretations articulated in Part I
of this document, to allow individual processing components
to be rated preparatory to their utilization in a trusted
network. The sections are organized according to component
type, as defined in section A.1.1. For each component type,
the applicable interpretations, from Part I, are provided,
organized according to rating class.
A.1.1. Component Taxonomy and Rating Structure
The primary difference between a processing component,
a stand-alone ADP system is that as a stand-alone system all
of the TCSEC requirements for a particular class must be
met: for policy requirements (i.e., what features the sys-
tem must support) the intent of the TCSEC is to enforce a
collection of features which are felt to be operationally
complete and consistent for a total system. In the context
of a larger system, however, it may well be (and usually is)
the case that the set of policy-related features to be sup-
one component for the system are supplied by another.
In rating a product for potential use as a network com-
its security properties exactly: in practice, we shall be
content to identify the component as being of a particular
type (which identifies the general policy elements the com-
identifies the assurance levels provided for each supported
feature), and the target architecture. The description of
the target architecture shall include a description of the
In order to limit the number of component types we
break the ``maximal'' set of policy-related features,
independent categories which can be characterized as sup-
Access Controls (DAC), Audit, and Identification and Authen-
tication. (In various tables and text in the remainder of
this appendix, these categories will be given the one-letter
A given component can be intended (by the component
combination of M, D, A or I functionality. Logically, then,
there are sixteen different component types which can be
the sixteen possible combinations of M, D, A, and I theoret-
ically possible. Of these combinations one (no M, no D, no
A, no I) typifies a component intended (or required) to
enforce no security policy whatsoever, and therefore has no
TCSEC requirements to meet and need not be evaluated. How-
ever, it is still possible to utilize such components as
The remaining component types are denoted M, D, A, I, MD,
MA, MI, DA, DI, IA, MDA, MDI, MIA, IAD, and MIAD with the
obvious meanings (for example, an "MIA component" supports
aspects of Mandatory, Audit, and Authentication and ID poli-
cies, with the exact features provided being specified in
Table A1. Component Type Maximum and Minimum Class
COMPONENT TYPE MIN CLASS MAX CLASS
M B1 A1
D C1 C2+
I C1 C2
A C2 C2+
DI C1 C2+
DA C2 C2+
IA C2 C2+
IAD C2 C2+
MD B1 A1
MA B1 A1
MI B1 A1
MDA B1 A1
MDI B1 A1
MIA B1 A1
MIAD B1 A1
In addition to a type based upon the policy elements
class, the component must meet all of the guidelines for
that rating level for the applicable component type provided
in section A.3. In general, these guidelines are straight-
forward interpretations of the TCSEC for the subset of pol-
icy features to be provided. Each component type has a max-
imum and minimum class listed in Table A1 below. To achieve
a particular class, a component must meet appropriate
The maximum class for each component type is derived
from the TCSEC, and is that evaluation class which imposes
the highest requirement relevant to the component type.
Similarly, the lowest class available for each component
type is the TCSEC evaluation class which first imposes a
Exceptions to this general approach have been made for
the requirements for DAC and Audit support at the B3 level
as the additional support for these policy categories at
these levels (namely, the provision of ACL's for DAC and for
assurance provided for the B3 MAC support. It is considered
more appropriate to use the notation of C2+ for component
types including D or A, but not M which meet the functional
Components including support for I may be required to
(at possibly relatively low levels of assurance) or both DAC
and MAC (at relatively high levels of assurance). There-
fore, rating levels ranging from C1 to A1 for type I com-
the need for added assurance for the label integrity for the
MAC label information, rather than any additional require-
ments for features.
Components including support for I are required to pro-
vide Identification and Authentication which supports the
DAC Policy. The TCSEC Identification-Authentication
in M Components, since this requirement is in essence estab-
lishing a security label for a user.
Components of multiple types have been given minimum
and maximum levels based upon meaningful combinations of the
included types.
It might be noted in passing that a C1 stand-alone sys-
tem has exactly the same certification requirements as a C1
DI component, a C2 system as a C2 IAD component, and B1-A1
A.2. Composition Rules
A.2.1. Purpose
In order for a (sub)system composed of components to be
assigned a rating, the components that make up the network
must be interconnected in such a way that the connections do
not violate the assumptions made at the time the components
evaluatable (sub)system and the method for assigning a rat-
ing to a (sub)system conforming to the rules.
This section does not consider the relative risk of
utilizing the evaluated (sub)system to separate data at
various levels of sensitivity: that is the role of the
environmental security requirements, such as those of Com-
Department of Defense Trusted Computer System Evaluation
Criteria in Specific Environments, CSC-STD-003-85. This
a (sub)system which is composed of more than one component.
The rating assigned indicates a minimum level of security as
Components must provide interfaces to support the other
The composition rules are divided up according to the
evaluated components (i.e., Mandatory Access Control, Dis-
cretionary Access Control, Audit, and Identification-
Authentication).
A.2.2. Discretionary Access Control (D-Only) Composition
Rules
The rules presented below are based on the concept of
components. Specifically, the rules presented in this sec-
tion deal with the composition of a component with respect
to the DAC Policy of the Network. It is expected that the
composition of a D-Component will require significant
engineering and system architectural consideration.
When a D-Component is evaluated, it will be evaluated
against some stated Network DAC Policy and a stated target
Network Security Architecture. Included in the component
ng DAC decisions. The stated protocol will be evaluated to
assure that it is sufficient to support the target Network
DAC Policy (e.g., if the Network DAC Policy is that access
be designated down to the granularity of a single user, then
an Identification Protocol which maps all users into a sin-
The type of Components discussed below, D-Components,
are components that have received a rating relative to DAC
(e.g., C1-C2+ D-Only Component, C1-C2+ DI Component, B1-A1
MD Component, etc.). The rules of this section are con-
cerned only with the composition of these components with
A.2.2.1. Composition of Two D-Components
Whenever two D-Components are directly connected the
from one component to the other (for the purposes of making
DAC decisions) must be the same in both components. It must
be the case that the Identification Passing Protocol pro-
vided by the composed component must support the Identifica-
tion Passing Protocol of the target Network Architecture.
nation of the DAC Policy provided by one component over the
named objects under its control and by the DAC Policy pro-
vided by the other component over the named objects under
its control) must be shown to be able to support the target
Network DAC Policy.
A.2.2.2. Discretionary Access Control Policy Composition
Rating
Given that a component is composed as described above,
the evaluation class assigned to the composed component,
assigned to any D-Component within the composed component.
A.2.3. Identification-Authentication (I-Only) Composition
Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the Identifi-
cation and Authentication Policy of the Network. It is
expected that the composition of an I-Component will require
consideration.
When an I-Component is evaluated it will be evaluated
against some stated Network Identification-Authentication
in the component definition will be a statement of the sup-
Authentication Information, and the interfaces provided by
the I-Component. The composition of two I-Components must
maintain the protocol which supports the Identification-
Authentication Policy of the Network. In addition the
interfaces provided by the composed I-Component, which sup-
A.2.3.1. Identification-Authentication Composition Rating
Given that a component is composed as described above,
the evaluation class assigned to the composed component,
A.2.4. Audit (A-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the Audit
of an A-Component will require significant engineering and
When an A-Component is evaluated it will be evaluated
against some stated Network Audit Policy and a stated target
Network architecture. Included in the component definition
tion of two A-Components must maintain the protocol which
A.2.4.1. Audit Composition Rating
Given that a component is composed as described above,
the evaluation class assigned to the composed component,
class assigned to any A-Component within the composed com-
A.2.5. Mandatory Access Control (M-Only) Composition Rules
The rules presented below are based on the concept of
(at the physical layer) components. Specifically, the rules
component with respect to the MAC Policy of the Network.
The MAC Composition Rules provide a strong guarantee
that if the network is composed of directly connected,
evaluated components, and each connection meets the MAC
Composition Rules, the Network MAC Policy will be supported.
These rules permit the recursive definition of a component
based on the MAC Policy.
The MAC Composition Rules are divided into two sec-
tions. The first section addresses the composition of a
component from two directly connected components with mul-
tilevel devices at each end of the connection. The second
each end of the connection.
The type of Components discussed below, M-Components,
are components which have received a rating relative to the
MAC Policy (e.g., B1-A1 M-Only Components, B1-A1 MD-
Components, B1-A1 MI-Components, etc.).
A.2.5.1. Multilevel Devices
Whenever two M-Components are directly connected, via a
communication channel, with a multilevel device at each end
of the connection, the labeling protocol (as required by the
Exportation to Multilevel Devices requirements, sections
be the same at the network interface to both devices.
Whenever two Class B1 M-Components are directly con-
nected, the range of sensitivity labels denoted by the max-
imum and minimum levels (System High and System Low) associ-
ated with each of the Class B1 M-Components must be the
for Class B1.)
Whenever a Class B1 M-Component is directly connected
to a Class B2-A1 M-Component, the range of sensitivity
labels denoted by the maximum and minimum levels (System
High and System Low) associated with the Class B1 M-
Component must be the same as the range of sensitivity
labels denoted by the maximum and minimum levels associated
Whenever two Class B2-A1 M-Components are directly con-
nected with a multilevel device at each end of the connec-
tion, the range of sensitivity labels denoted by the maximum
and minimum levels associated with each of the connected
A.2.5.2. Single-Level Devices
Whenever two M-Components are directly connected with a
Whenever two Non-M-Components are directly connected
the maximum sensitivity level of data processed by the two
Non-M-Components must be the same.
A.2.5.3. Mandatory Access Control Policy Composition Rating
Given that a component is composed as described in sec-
tions 2.5.1 and 2.5.2 above, the evaluation class assigned
to the composed component, with regard to MAC, will be the
A.2.6. DI-Component (D-Only and I-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the DAC Pol-
icy and the Identification-Authentication Policy of the Net-
tural consideration.
Whenever an I-Component and a D-Component are composed
to form a DI-Component the DI-Component must preserve the
Network DAC Policy of the D-Component. This implies that,
information and returning data might be required for each
DAC interface. This protocol must be able to support the
Network DAC policy. (Note that if the Network DAC policy is
being a "member of the network group", i.e., is a legitimate
user of another component, then the DAC interface may not
In addition, for class C2 and above, the composed DI-
Component must preserve the Audit Interface(s) used for
exporting audit information from the D-Component and the I-
Component. This implies that the DI-Component must provide
a means for exporting audit information generated by actions
taken within each of its parts.
The DI-Component may provide Identification-
Authentication support services to other components. In
this case the Identification Interface of the DI-Component
must be defined and a protocol established for this inter-
face which is able to support the Network I/A Policy. In
this case the DI-Component may be further composed with
other D-Only Components to form new DI-Components, using the
However, it is not necessary that the DI-Component pro-
vide Identification-Authentication services to other com-
MI-Components, etc.) which are also self sufficient with
If the composed DI-Component supports directly con-
nected users then the DI-Component must, minimally, meet all
the requirements for a Class C1 Network System.
A.2.6.1. DI-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C1, the
evaluation class assigned to the composed DI-Component, will
be C1.
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2, the
evaluation class assigned to the composed DI-Component, will
be equal to the evaluation class of the D-Component.
A.2.7. DA (D-Only and A-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the DAC Policy
and the Audit Policy of the Network. It is expected
that the composition of a DA-Component will require signifi-
cant engineering and system architectural consideration.
Whenever an A-Component and a D-Component are composed
to form a DA-Component, the DA-Component must preserve the
Network DAC Policy of the D-Component. This implies that,
information and returning data, might be required for each
DAC interface. This protocol must be able to support the
Network DAC policy. (Note that if the Network DAC policy is
being a "member of the network group", i.e., is a legitimate
user of another component, then the DAC interface may not
The DA-Component may provide Audit support services to
other components. In this case the Audit Interface of the
DA-Component must be defined and a protocol established for
this interface, which is able to support the Network Audit
Components, using the rules defined above.
However, it is not necessary that the DA-Component pro-
vide Audit services to other components. In this case the
DA-Component may only be composed with other components
(i.e., DA-Components, MIAD-Components, MA-Components, etc.)
that are also self sufficient with respect to Audit ser-
vices.
A.2.7.1. DA-Component Composition Rating
Given that a component is composed as described above,
and that the D-Component has an evaluation class of at least
C2, the evaluation class assigned to the composed DA-
Component, will be the rating of the lowest class assigned
to either of the two components which make up the composed
component.
A.2.8. IA (I-Only and A-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the
the Network. It is expected that the composition of an IA-
Component will require significant engineering and system
architectural consideration.
Whenever an IA-Component is composed of an I-Component
connected to an A-Component, the IA-Component must preserve
both the Network Audit Interface and Protocol of the A-
Component and the Network Identification-Authentication
that the composed IA-Component must provide an Audit Inter-
face as well as an Identification-Authentication Interface. A
Audit Interface. This protocol must be able to support the
Network Audit Policy. In addition, a protocol for receiving
Identification-Authentication data and returning authenticated
user-ids must be defined for each Identification
A.2.8.1. IA-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component has an evaluation class of at least
C2, the evaluation class assigned to the composed IA-
Component, will be the rating of the A-Component.
A.2.9. MD (M-Only and D-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy
and the DAC Policy of the Network. It is expected that
the composition of an MD-Component will require significant
engineering and system architectural consideration.
Whenever an MD-Component is composed from an M-
Component directly connected to a D-Component, the composi-
tion rules, with respect to the MAC Policy, are that the M-
Component must only connect to the D-Component via a
must be the same as the maximum sensitivity level of data
vided by the MD-Component via direct connections to the D-
Component must be at the level of the D-Component.
The composition rules, with respect to the DAC Policy,
are that any network interfaces provided by the MD-Component
(including those which only involve direct connections to
the M-Component) must support the Identification Passing
DAC policy is defined such that access decisions are based
on the user being a "member of the network group", i.e.,
is a legitimate user of another component, then the DAC
interface may not require any identifiers to be passed to
the DI-Component.)
In addition, the composed MD-Component must ensure that
any external requests for access to data under the control
of the composed component are subject to both the MAC and
DAC Policies of the original M and D Components.
A.2.9.1. MD-Component Composition Rating
Given that a component is composed as described above,
and that the D-Component has an evaluation class of C2, the
evaluation class assigned to the composed MD-Component, will
be either B1 (if the evaluation class of the M-Component is
B1) or B2 (if the evaluation class of the M-Component is
Given that a component is composed as described above,
and that the D-Component has an evaluation class of C2+, the
evaluation class assigned to the composed MD-Component, will
be equal to the evaluation class of the M-Component.
A.2.10. MI (M-Only and I-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy
and the Identification-Authentication Policy of the Net-
tural consideration.
Whenever an MI-Component is composed from an M-
Component directly connected to an I-Component, the composi-
tion rules, with respect to the MAC Policy, are that the M-
Component must only connect to the I-Component via a
must be the same as the maximum sensitivity level of data
vided by the MI-Component via direct connections to the I-
Component must be at the level of the I-Component.
In addition, the composed MI-Component must preserve
the Audit Interface(s) used for exporting audit information
from the M-Component and the I-Component. This implies that
the MI-Component must provide a means for exporting audit
information generated by actions taken within each of its
The MI-Component may provide Identification-
Authentication support services to other components. In
this case the Identification Interface of the MI-Component
must be defined and a protocol established for this inter-
face, which is able to support the Network I/A Policy. In
this case the MI-Component may be further composed with
other M-Only Components to form new MI-Components, using the
However, it is not necessary that the MI-Component pro-
vide Identification-Authentication services to other com-
DI-Components, etc.) that are also self sufficient with
The composed MI-Component must assure that MAC Policy
and the Identification-Authentication Policy of the Network
is supported on any direct User connections to the MI-
Component. This implies that if the M-Component supports
tocol on these connections such that Identification-
Authentication information may be exchanged (with the I-
Component) which will fully support the IA Policy of the
Network.
A.2.10.1. MI-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2, the
evaluation class assigned to the composed MI-Component will
be equal to the evaluation class of the M-Component.
A.2.11. MA (M-Only and A-Only) Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy
and the Audit Policy of the Network. It is expected
that the composition of an MA-Component will require signi-
ficant engineering and system architectural consideration.
Whenever an MA-Component is composed from an M-
Component directly connected to an A-Component, the composi-
tion rules, with respect to the MAC Policy, are that the M-
Component must only connect to the A-Component via a
must be the same as the maximum sensitivity level of data
network interfaces provided by the MA-Component via direct
connections to the A-Component must be at the level of the
A-Component.
The MA-Component may provide Audit support services to
other components. In this case the Audit Interface of the
MA-Component must be defined and a protocol established for
this interface which is able to support the Network Audit
Components, using the rules defined above.
However, it is not necessary that the MA-Component
the MA-Component may only be composed with other components
(i.e., MA-Components, MIAD-Components, DA-Components, etc.)
vices.
A.2.11.1. MA-Component Composition Rating
Given that a component is composed as described above,
and that the A-Component has an evaluation class of C2, the
evaluation class assigned to the composed MA-Component, will
be either B1 (if the evaluation class of the M-Component is
B1) or B2 (if the evaluation class of the M-Component is
Given that a component is composed as described above,
and that the A-Component has an evaluation class of C2+, the
evaluation class assigned to the composed MA-Component will
be equal to the evaluation class of the M-Component.
A.2.12. IAD Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the DAC Policy,
the Identification-Authentication Policy, and the Audit
of an IAD-Component will require significant engineering and
Whenever an IAD-Component is composed from directly con-
nected components, the IAD-Component must conform to the
composition rules for a DI-Component, a DA-Component, and an
nected users then the IAD-Component must, minimally, meet
all the requirements for a Class C2 Network System.
A.2.12.1. IAD-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component and D-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed IAD-Component will be C2.
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2 and
the D-Component has an evaluation class of C2+, the evalua-
tion class assigned to the composed IAD-Component will be
the evaluation class of the A-Component.
A.2.13. MDA Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy,
the DAC Policy, and the Audit Policy of the Network.
consideration.
Whenever an MDA-Component is composed from directly con-
nected components, the MDA-Component must conform to the
composition rules for an MD-Component, an MA-Component, and
a DA-Component.
A.2.13.1. MDA-Component Composition Rating
Given that a component is composed as described above,
and that the A-Component has an evaluation class of C2, and
the D-Component has an evaluation class of C2 or higher, the
evaluation class assigned to the composed MDA-Component will
be either B1 (if the evaluation class of the M-Component is
B1) or B2 (if the evaluation class of the M-Component is
Given that a component is composed as described above,
and that the D-Component and A-Component each have an
evaluation class of C2+, the evaluation class assigned to
the composed MDA-Component will be equal to the evaluation
class of the M-Component.
A.2.14. MDI Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy,
the DAC Policy, and the Identification-Authentication
of an MDI-Component will require significant engineering and
Whenever an MDI-Component is composed from directly con-
nected components, the MDI-Component must conform to the
composition rules for an MD-Component, an MI-Component, and
a DI-Component.
A.2.14.1. MDI-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component and the D-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed MDI-Component will be either B1 (if the evaluation
class of the M-Component is B1) or B2 (if the evaluation
class of the M-Component is greater than B1).
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2, and
the D-Component has an evaluation class of C2+, the evalua-
tion class assigned to the composed MDI-Component will be
equal to the evaluation class of the M-Component.
A.2.15. MIA Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy,
the Identification-Authentication Policy, and the Audit
of an MIA-Component will require significant engineering and
Whenever an MIA-Component is composed from directly con-
nected components, the MIA-Component must conform to the
composition rules for an MI-Component, an MA-Component, and
an IA-Component.
A.2.15.1. MIA-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component and the A-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed MIA-Component, will be either B1 (if the evaluation
class of the M-Component is B1) or B2 (if the evaluation
class of the M-Component is greater than B1).
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2 and
the A-Component has an evaluation class of C2+, the evalua-
tion class assigned to the composed MIA-Component, will be
equal to the evaluation class of the M-Component.
A.2.16. MIAD Composition Rules
The rules presented below are based on the concept of
Specifically, the rules presented in this section deal with
the composition of a component with respect to the MAC Policy,
the DAC Policy, the Identification-Authentication Policy,
and the Audit Policy of the Network. It is expected
that the composition of an MIAD-Component will require significant
engineering and system architectural consideration.
Whenever an MIAD-Component is composed from directly
connected components, the MIAD-Component must conform to the
composition rules for an MIA-Component, an MDA-Component, an
MDI-Component, and an IAD-Component. If the MIAD-Component
must, minimally, meet all the requirements for a Class B1
Network System.
A.2.16.1. MIAD-Component Composition Rating
Given that a component is composed as described above,
and that the I-Component and the D-Component each have an
evaluation class of C2, the evaluation class assigned to the
composed MIAD-Component will be either B1 (if the evaluation
class of the M-Component is B1) or B2 (if the evaluation
class of the M-Component is greater than B1).
Given that a component is composed as described above,
and that the I-Component has an evaluation class of C2, and
the D-Component and the A-Component each have an evaluation
class of C2+, the evaluation class assigned to the composed
MIAD-Component will be equal to the evaluation class of the
M-Component.
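The rating rules of sections A.2.6 through A.2.16 collected into a single lookup, as an added worked example that is not part of the Interpretation. Where the text above breaks off after "B2 (if the evaluation class of the M-Component is", the example assumes the clause completes as "greater than B1", the wording sections A.2.14.1 through A.2.16.1 use; the per-type class ranges come from A.3.1, A.3.2 and A.3.4 (the A-Component range is not given on the page and is left unrestricted), and combinations for which no rule is stated return None rather than a guessed class.

```python
"""Composition-rating rules of TNI Appendix A, sections A.2.6-A.2.16.

Added worked example, not part of the Interpretation. Where the text
breaks off after "B2 (if the evaluation class of the M-Component is",
the rule is ASSUMED to complete as "greater than B1" (the wording of
A.2.14.1-A.2.16.1). Combinations for which no rule is stated give None.
"""
from typing import Dict, Optional

# Evaluation classes in increasing order; C2+ is the D-Component class
# the Appendix places between C2 and B1.
CLASSES = ("C1", "C2", "C2+", "B1", "B2", "B3", "A1")
RANK = {c: i for i, c in enumerate(CLASSES)}

# Classes each single-policy component type may hold (A.3.1, A.3.2, A.3.4).
# The page does not list the A-Component range, so any class is accepted.
ALLOWED = {
    "M": ("B1", "B2", "B3", "A1"),
    "D": ("C1", "C2", "C2+"),
    "I": ("C1", "C2"),
    "A": CLASSES,
}


def at_least(cls: str, floor: str) -> bool:
    return RANK[cls] >= RANK[floor]


def lowest(*classes: str) -> str:
    """Lowest class among those given (used by the DA rule)."""
    return min(classes, key=RANK.__getitem__)


def m_rule(m: str) -> str:
    """B1 if the M-Component is B1, B2 if it is above B1 (assumed wording)."""
    return "B1" if m == "B1" else "B2"


def rate(parts: Dict[str, str]) -> Optional[str]:
    """Class of the composed component, or None if no stated rule applies.

    parts maps policy letters to the class of the component supporting
    that policy, e.g. {"M": "B3", "D": "C2"} for an MD-Component.
    """
    for letter, cls in parts.items():
        if letter not in ALLOWED or cls not in ALLOWED[letter]:
            raise ValueError(f"{letter}-Component cannot be class {cls}")
    kind = "".join(sorted(parts))  # canonical key: MD -> "DM", MIAD -> "ADIM"
    m, d, i, a = (parts.get(k) for k in "MDIA")

    if kind == "DI":                                    # A.2.6.1
        if i == "C1":
            return "C1"
        if i == "C2":
            return d
    elif kind == "AD":                                  # A.2.7.1
        if at_least(d, "C2"):
            return lowest(d, a)
    elif kind == "AI":                                  # A.2.8.1
        if at_least(i, "C2"):
            return a
    elif kind == "DM":                                  # A.2.9.1
        if d == "C2":
            return m_rule(m)
        if d == "C2+":
            return m
    elif kind == "IM":                                  # A.2.10.1
        if i == "C2":
            return m
    elif kind == "AM":                                  # A.2.11.1
        if a == "C2":
            return m_rule(m)
        if a == "C2+":
            return m
    elif kind == "ADI":                                 # A.2.12.1
        if i == "C2" and d == "C2":
            return "C2"
        if i == "C2" and d == "C2+":
            return a
    elif kind == "ADM":                                 # A.2.13.1
        if a == "C2" and at_least(d, "C2"):
            return m_rule(m)
        if a == "C2+" and d == "C2+":
            return m
    elif kind == "DIM":                                 # A.2.14.1
        if i == "C2" and d == "C2":
            return m_rule(m)
        if i == "C2" and d == "C2+":
            return m
    elif kind == "AIM":                                 # A.2.15.1
        if i == "C2" and a == "C2":
            return m_rule(m)
        if i == "C2" and a == "C2+":
            return m
    elif kind == "ADIM":                                # A.2.16.1
        if i == "C2" and d == "C2":
            return m_rule(m)
        if i == "C2" and d == "C2+" and a == "C2+":
            return m
    return None


if __name__ == "__main__":
    # MD rule: a B3 M-Component joined to a C2 D-Component rates B2, while
    # the same M-Component joined to a C2+ D-Component keeps its B3.
    print(rate({"M": "B3", "D": "C2"}), rate({"M": "B3", "D": "C2+"}))
```

The None results are the practical point: several combinations (a DA-Component whose D part is only C1, an MI-Component whose I part is C1) have no rating rule in A.2 at all, so a composition that lands there has no defined class rather than the lowest one.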
A.3. Guidelines for Specific Component Evaluation
A.3.1. Mandatory Only Components (M-Components)
Mandatory Only Components are components that provide
network support of the MAC Policy as specified in the Net-
Evaluation TCSEC. M-Components do not include the mechanisms
necessary to completely support any of the 3 other net-
Audit) as defined in the Interpretation.
M-Components belong to one of four classes, B1, B2, B3,
and A1 (as defined by the requirements below).
M-Components are rated according to the highest level
for which all the requirements of a given class are met.
A.3.1.1. Overall Interpretation
In the requirements referenced, TCB will be understood
to refer to the NTCB Partition of the M-Component. Also any
mean "the M-Component shall produce audit data about any
auditable actions performed by the M-Component". In addi-
tion the M-Component shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.1.2. Generally Interpreted Requirements
The requirements listed in the Table A2 apply directly
to M-Components as interpreted in Part I of this
interpretation.
Table A2. M-Component Requirements That Can Be Applied
Without Further Interpretation
(NOTE: Table not included)
A.3.1.3. Specifically Interpreted Requirements
The following requirements require additional interpre-
tation as indicated. -
A.3.1.3.1. Subject Sensitivity Labels
+ Criteria
(Class B2 - Section 3.2.1.3.3; Class B3 -
Section 3.3.1.3.3; Class A1 - Section 4.1.1.3.3)
+ Interpretation
An M-Component need not support direct terminal input
in which case this requirement is not applicable. Any M-Component
which does support direct terminal input must meet
- For brevity, the following TCSEC sections contain
terpretation being interpreted, instead of the actual
the requirement as stated.
+ Rationale
The only way that a user can change the current level
of the session is to be directly connected to a component
that supports the MAC Policy. If the user is directly con-
nected to a component that does not support the MAC Policy
then the user will always operate at the level of the com-
must meet the requirements as stated. M-Components which
may be part of the network which do not directly communicate
user is directly communicating.
A.3.1.3.2. Trusted Path
+ Criteria
(Class B2 - Section 3.2.2.1.1; Class B3 -
Section 3.3.2.1.1; Class A1 - Section 4.1.2.1.1)
+ Interpretation
An M-Component need not support direct user input
(e.g., the M-Component may not be attached to any user I/O
not applicable. Any M-Component which does support direct
communication with users must meet the requirement as
users must provide mechanisms which establish the clearance
of users and associate that clearance with the users current
+ Rationale
Trusted Path is necessary in order to assure that the
user is communicating with the TCB and only the TCB when
ticate user, set current session security level). However,
Trusted Path does not address communications within the TCB,
only communications between the user and the TCB. If,
therefore, an M-Component does not support any direct user
communication then the M-Component need not contain mechanisms
for assuring direct TCB to user communications.
In the case where an M-Component does support direct
user communication the Clearance of the user must be esta-
blished by the M-Component. There are three possible means
of providing this support: a) all direct user connections
are via single-level channels, where the maximum level of
the channel equals the minimum level of the channel, and
level of the channel; in this case there may exist no secu-
alone, b) some direct user connections are via single-level
channels, where the maximum level of the channel does not
equal the minimum level of the channel, and physical access
to the channel implies clearance to the maximum level of the
channel, c) some direct user connections are via single-
level channels, where the maximum level of the channel does
not equal the minimum level of the channel, and the M-
Component contains some internal mechanism for mapping the
user clearance to the range on the channel. The first two
options map the user clearance to the activities of the user
through external means. The third option requires some
internal mechanism. Such a mechanism might be a user
id/password/clearance database maintained by the M-
Component. Another acceptable mechanism might be a protocol
and interface definition within the M-Component for obtaining
such information (via a multilevel channel - the channel
is multilevel because it is passing labels, i.e., the user
clearance) from some other M-Component.
A.3.1.3.3. System Architecture
+ Criteria
(Class B1 - Section 3.1.3.1.1; Class B2 - Section
3.2.3.1.1; Class B3 - Section 3.3.3.1.1; Class A1 -
Section 4.1.3.1.1)
+ Interpretation
An M-Component must meet the requirement as stated. In
this interpretation the words "The user interface to the TCB
the interface between the reference monitor of the M-
Component and the subjects external to the reference monitor
+ Rationale
The M-Component may not have a direct user interface
but is expected to support subjects which are not part of
the TCB. It is important that the interface between the TCB
and subjects external to the TCB be completely defined.
(Note that in such a case the subjects are always internal
to the component, viz., are "internal subjects").
A.3.1.3.4. Covert Channel Analysis
+ Criteria
(Class B2 - Section 3.2.3.1.3; Class B3 -
Section 3.3.3.1.3; Class A1 - Section 4.1.3.1.3)
+ Interpretation
An M-Component must meet the requirement as stated. In
addition, if the analysis indicates that channels exist that
need to be audited (according to the Covert Channel Analysis
Guideline), the M-Component shall contain a mechanism for
making audit data (related to possible use of covert chan-
nels) available outside of the M-Component (e.g., by passing
the data to an audit collection component).
+ Rationale
If an M-Component contains covert channels that need
to be audited the M-Component must produce the audit data
nels in the network occur in an M-Component, the M-Component
must be the source of the audit record which records the
A.3.1.3.5. Security Testing
+ Criteria
(Class B1 - Section 3.1.3.2.1; Class B2 -
Section 3.2.3.2.1; Class B3 - Section 3.3.3.2.1; Class
A1 - Section 4.1.3.2.1)
+ Interpretation
An M-Component must meet the requirement as stated
except for the words "normally denied under the ... discre-
tionary security policy," which are not applicable to an
M-Component.
+ Rationale
An M-Component does not support a discretionary secu-
A.3.1.3.6. Design Specification and Verification
+ Criteria
(Class B1 - Section 3.1.3.2.2; Class B2 - Section
3.2.3.2.2; Class B3 - Section 3.3.3.2.2; Class A1 -
Section 4.1.3.2.2)
+ Interpretation
An M-Component must meet the requirement as stated.
Security Policy is interpreted to mean the MAC Policy
those portions of a reference monitor model that are
the representation of the current access set and the sensi-
tivity labels of subjects and objects, and the Simple Secu-
Model).
A.3.1.3.7. Trusted Facility Manual
+ Criteria
(Class B1 - Section 3.1.4.2; Class B2 - Section 3.2.4.2;
Class B3 - Section 3.3.4.2; Class A1 - Section 4.1.4.2)
+ Interpretation
An M-Component must meet the requirement as stated
except for the words "The procedures for examining and
maintaining the audit files as well as...". These words are
interpreted to mean "the mechanisms and protocols associated
of a user", shall not be applicable to an M-Component.
+ Rationale
An M-Component does not maintain the audit files nor
these mechanisms need to be defined in the Trusted Facility
Manual. The M-Component also does not maintain user infor-
mation.
A.3.1.4. Representative Application of M-Components
As an example of an M-Component, consider an MLS packet
as shown in Figure A1. This component supports 16 levels
and 64 categories for non-discretionary access classes. The
MLS packet switch is rated as an A1 M-Component against the
Such an A1 M-Component may, as an example, be used in a
network as a Multilevel Packet Switch. The M-Component
could be configured with several single-level channels and
assume that the multilevel channels each have a maximum of
Top Secret and a minimum of Secret. Also imagine that the
Multilevel channels are directly connected to B2 hosts each
The single-level channels are directly connected to C2 hosts
ning at dedicated Top Secret. One of the Dedicated Top
Secret Hosts and one of the Dedicated Secret Hosts would be
M-Component. In this fashion one could create a network
cate with each other as well as with the single-level hosts.
The separation necessary for such communications would be
Secure Packet Switch. It is noted that the composition
evaluation class of B2 for the overall NTCB.
A.3.2. Discretionary Only Components (D-Components)
Discretionary Only Components are components that pro-
vide network support of the DAC Policy as specified in the
Network Interpretation of the DoD Trusted Computer System
Evaluation TCSEC. D-Components do not include the mechanisms
necessary to completely support any of the three other
network policies (i.e., MAC, Identification-Authentication,
and Audit) as defined in the Interpretation.
D-Components belong to one of three classes, C1, C2,
and C2+ (as defined by the requirements below).
D-Components are rated according to the highest level
for which all the requirements of a given class are met.
A.3.3. Overall Interpretation
In the requirements referenced, TCB will be understood
to refer to the NTCB Partition of the D-Component. Also any
mean "the D-Component shall produce audit data about any
auditable actions performed by the D-Component." In addi-
tion the D-Component shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.3.1. Generally Interpreted Requirements
The requirements listed in Table A3 apply directly to
D-Components as interpreted in Part I of this interpreta-
tion.
A.3.3.2. Specifically Interpreted Requirements
The following requirements require additional interpre-
tation as indicated. -
- For brevity, the following TCSEC sections contain
terpretation being interpreted, instead of the actual
A.3.3.2.1. Trusted Facility Manual
+ Criteria
(Class C1 - Section 2.1.4.2; Class C2 - Section 2.2.4.2;
Class C2+ - Section 2.2.4.2)
+ Interpretation
A D-Component must meet the requirement as stated
except for the words "The procedures for examining and
maintaining the audit files as well as...". These words are
interpreted to mean "the mechanisms and protocols associated
+ Rationale
A D-Component does not maintain the audit files, nor
audit component, and these mechanisms need to be defined in
the Trusted Facility Manual.
A.3.3.2.2. Design Documentation
+ Criteria
(Class C1 - Section 2.1.4.4; Class C2 - Section 2.2.4.4;
Class C2+ - Section 2.2.4.4)
+ Interpretation
A D-Component must meet the requirement as stated. In
addition the Design Documentation must include a description
of the protocol used by the D-Component to communicate Sub-
other components. This protocol must be shown to be suffi-
cient to support the DAC policy enforced by the D-Component.
+ Rationale
A D-Component does not maintain the user
use some form of authenticated user identification as a
basis for making DAC decisions. Such information must be
tocol. The protocol used by the D-Component may vary, but
it must be shown to be adequate to support the DAC policy
n from a given port would be associated with the access
be adequate to support a DAC policy of access granted, or
A.3.3.3. Representative Application of D-Components
As an example of a D-Component, consider a system that
in Figure A2. The system is rated as a C2+ D-Component
against the requirements described above.
Figure A2. Representative Application of D-Components
(Note: Figure A2 survives only as drawing source. It shows a Class B3 Host, a Class C2+ D-Component (Single Level File Server), a Class C2 Host (Network Identification & Authentication Facility), and a Class A1 Host, interconnected by channels labelled "(S)".)
Such a C2+ D-Component may, as an example, be used in a
network as a Single Level File Server. The D-Component
could be configured with several communication channels
(each of which would be connected to single-level devices
leaving the system to be connected to other single-level
to be connected to single-level secret devices. The docu-
mentation associated with the D-Component must specify the
must be followed on each connection to the component. In
addition the documentation must specify the protocol used to
output audit information. The audit protocol must be
exactly the same as the protocol of the audit node to which
it is attached. It is noted that the composition rules of
Section A.2 result in an evaluation class of B3 for the
overall NTCB.
A.3.4. Identification-Authentication Only Components (I-Components)
Identification-Authentication Only Components are com-
Authentication Policy as specified in the Network Interpre-
tation of the DoD Trusted Computer System Evaluation TCSEC.
completely support any of the three other network policies
(i.e., MAC, DAC, and Audit) as defined in the Interpreta-
tion.
I-Components belong to one of two classes, C1 and C2
(as defined by the requirements below).
I-Components are rated according to the highest level
for which all the requirements of a given class are met.
A.3.4.1. Overall Interpretation
In the requirements referenced, TCB will be understood
to refer to the NTCB Partition of the I-Component. Also any
mean "the I-Component shall produce audit data about any
auditable actions performed by the I-Component." In addi-
tion the I-Component shall contain a mechanism for making
the audit data available to an audit collection component.
A.3.4.2. Generally Interpreted Requirements
The requirements listed in Table A4 apply directly to
tion.
Table A4. I-Component Requirements That Can Be Applied
Without Further Interpretation
(Note: Table not included)
A.3.4.3. Specifically Interpreted Requirements
The following requirements require additional interpre-
tation as indicated. -
A.3.4.3.1. Trusted Facility Manual
_________________________
- For brevity, the following TCSEC sections contain
terpretation being interpreted, instead of the actual
+ Criteria
(Class C1 - Section 2.1.4.2; Class C2 - Section 2.2.4.2;
Class C2+ - Section 2.2.4.2)
+ Interpretation
An I-Component must meet the requirement as stated
except for the words ``The procedures for examining and
maintaining the audit files as well as...''. These words are
interpreted to mean "the mechanisms and protocols associated
+ Rationale
An I-Component does not maintain the audit files, nor
audit component, and these mechanisms need to be defined in
the Trusted Facility Manual.
A.3.4.3.2. Design Documentation
+ Criteria
(Class C1 - Section 2.1.4.4; Class C2 - Section 2.2.4.4;
Class C2+ - Section 2.2.4.4)
+ Interpretation
An I-Component must meet the requirement as stated. In
addition the Design Documentation must include a description
of the protocol used by the I-Component to export Authenti-
cated Subject Identifiers to other components.
+ Rationale
The Authenticated Identifiers provided by an I-
Component will not be primarily used on the I-Component
itself but instead will be used by other Components enforc-
ing the network DAC policy. It is therefore necessary for
the I-Component to define the protocol which it will use to
A.3.4.4. Representative Application of I-Components
As an example of an I-Component, consider a system
nected to single-level devices with the same access class).
As part of the example, consider the TAC to be an
unclassified TAC (i.e., accessible through the phone system
the system to be connected to other single-level unclassi-
fied components or, in the case of multi-level components,
to be connected to single-level unclassified devices. All
authentication is done in the TAC, and Authenticated Ids are
basis for DAC decisions and audit entries. The documenta-
tion associated with the I-Component must specify the proto-
col used to pass user-ids to the attached components. This
tocol used to output audit information. The audit protocol
must be exactly the same as the protocol of the audit com-
B3 for the overall NTCB.
A.3.5. Audit Only Components (A-Components)
Audit Only Components are components which provide net-
TCSEC. A-Components do not include the mechanisms necessary
to completely support any of the three other network poli-
cies (i.e., MAC, DAC, and Identification-Authentication) as
A-Components belong to one of two classes C2 and C2+
(as defined by the requirements below). (The difference
between a C2 A-Component and a C2+ A-Component is the sup-
A-Components are rated according to the highest level
for which all the requirements of a given class are met.
A.3.5.1. Overall Interpretation
In the requirements referenced, TCB will be understood
to refer to the NTCB Partition of the A-Component.
A.3.5.2. Generally Interpreted Requirements
The requirements listed in Table A5 apply directly to
A-Components as interpreted in Part I of this interpreta-
tion.
A.3.5.3. Specifically Interpreted Requirements
The following requirements require additional interpre-
tation as indicated. -
_________________________
- For brevity, the following TCSEC sections contain
terpreted, instead of the actual requirements.
A.3.5.3.1. Design Documentation
+ Criteria
(Class C2 - Section 2.2.4.4; Class C2+ - Section 2.2.4.4)
+ Interpretation
An A-Component must meet the requirement as stated. In
addition the Design Documentation must include a description
of the protocol used by the A-Component to import Audit Data
from other nodes.
+ Rationale
The Audit component will potentially be used for col-
lection of audit data generated on many different com-
the information to the A-component in a form that will allow
the A-Component to create an audit record. The mechanism
for defining the acceptable form of information is the pro-
tocol used by the audit component.
A.3.5.4. Representative Application of A-Components
As an example of an A-Component, consider a system that
is rated C2+ against the requirements described above.
As part of the example, consider the A-Component to be
operating at System High (Top Secret) collecting information
from several components through single-level (Top Secret)
channels. The A-Component provides auditing functions for
the network as a whole. The A-Component defines an audit
cate information to the A-Component which results in the
creation of audit records. Note that in this example the
Auditor (i.e., the person responsible for reviewing audit
files) is accessing the A-Component through an operators
console attached to the A-Component. In a different
A-Component via another component, in which case the A-
Component would be responsible for enforcing an access con-
trol policy that defined which users (i.e., the auditor)
could view audit data. This would require the A-Component
to establish a user-id passing protocol much like a D-
Component. It is noted that the composition rules of Sec-
tion 3 result in an evaluation class of B3 for the overall
NTCB.
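The I-Component and A-Component protocols described in Sections A.3.4 and A.3.5 above, modelled as an added example (this code is not part of the TNI and is not any evaluated product): an I-Component authenticates users and exports Authenticated Subject Identifiers to a DAC-enforcing component, and every node emits audit data in the single record form defined by the A-Component, which refuses anything it cannot turn into an audit record. The wire formats `AUTHID/1` and `AUDIT/1`, the field names, the user table and the ACL are constructed assumptions.

```python
"""Toy model of the I-Component and A-Component protocols of Appendix A.
Added example, not part of the TNI: message formats, field names, the
user table and the ACL below are constructed assumptions."""
import hashlib
import hmac
import json

AUDIT_PROTO = "AUDIT/1"      # assumed name of the audit component's protocol
AUTHID_PROTO = "AUTHID/1"    # assumed name of the user-id passing protocol
AUDIT_FIELDS = ("proto", "node", "event", "subject", "success")


def make_audit_record(node, event, subject, success):
    """Every node producing audit data uses exactly the form the
    A-Component defines (A.3.4.4 and A.3.5.3.1)."""
    return json.dumps({"proto": AUDIT_PROTO, "node": node, "event": event,
                       "subject": subject, "success": success})


class AComponent:
    """Audit-only component: imports audit data from other nodes."""

    def __init__(self):
        self.records = []
        self.rejected = 0

    def import_record(self, raw):
        """Accept only well-formed records; anything else cannot become an
        audit record and is counted as rejected."""
        try:
            msg = json.loads(raw)
        except ValueError:
            self.rejected += 1
            return False
        if (not isinstance(msg, dict) or msg.get("proto") != AUDIT_PROTO
                or any(f not in msg for f in AUDIT_FIELDS)):
            self.rejected += 1
            return False
        self.records.append(msg)
        return True


class IComponent:
    """Identification-authentication-only component (e.g. a TAC)."""

    def __init__(self, name, users, audit):
        self.name = name
        self.users = users      # user_id -> (salt, sha256(salt || password) hex)
        self.audit = audit      # the A-Component this node reports to

    def login(self, user_id, password):
        """Returns an Authenticated Subject Identifier message for other
        components, or None; the attempt is audited either way."""
        entry = self.users.get(user_id)
        ok = entry is not None and hmac.compare_digest(
            hashlib.sha256(entry[0] + password.encode()).hexdigest(), entry[1])
        self.audit.import_record(make_audit_record(self.name, "login", user_id, ok))
        if not ok:
            return None
        return {"proto": AUTHID_PROTO, "subject": user_id, "authenticator": self.name}


class DacComponent:
    """A component enforcing DAC with identifiers it did not establish itself."""

    def __init__(self, name, acl, audit):
        self.name, self.acl, self.audit = name, acl, audit

    def access(self, authid, obj):
        # Only identifiers carried in the agreed protocol are a basis for DAC.
        subject = (authid.get("subject")
                   if authid and authid.get("proto") == AUTHID_PROTO else None)
        ok = subject is not None and subject in self.acl.get(obj, ())
        self.audit.import_record(make_audit_record(self.name, "access:" + obj, subject, ok))
        return ok


def make_user(password, salt=b"constructed-salt"):
    return (salt, hashlib.sha256(salt + password.encode()).hexdigest())


def run_example():
    """Constructed scenario: one TAC, one file server, one audit node."""
    audit = AComponent()
    tac = IComponent("TAC-1", {"alice": make_user("correct horse")}, audit)
    server = DacComponent("FS-1", {"report.txt": ("alice",)}, audit)

    alice = tac.login("alice", "correct horse")
    failed = tac.login("alice", "guess")                  # wrong password
    forged = {"proto": "OTHER", "subject": "alice"}       # not the agreed protocol
    results = {
        "alice_reads": server.access(alice, "report.txt"),
        "bad_password": failed is None,
        "forged_id_rejected": not server.access(forged, "report.txt"),
        "malformed_audit_rejected": not audit.import_record("not json"),
    }
    results["audit_records"] = len(audit.records)
    results["audit_rejected"] = audit.rejected
    return results


if __name__ == "__main__":
    print(run_example())
```

The point the example makes concrete is the one both rationales state: the A-Component can only create audit records from data that arrives in the form its protocol defines, and a component that did not perform the authentication itself can only trust identifiers that arrive over the protocol the I-Component documents.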
Figure A1. Representative Application of M-Components
(Note: Figure not included)
Table A3. D-Component Requirements That Can Be Applied Without Further Interpretation
(Note: Table not included)
Figure A3. Representative Application of I-Component
(Note: Figure not included)
Table A5. Audit Component Requirements That Can Be Applied Without Further Interpretation
(Note: Table not included)
Appendix B
Rationale Behind NTCB Partitions
B.1. Purpose
Part I of this Trusted Network Interpretation (TNI)
Evaluation Criteria (TCSEC) appropriate for evaluating a
network of computer and communication devices as a single
the Network Trusted Computing Base (NTCB), which is physi-
cally and logically partitioned among the components of the
network. Implicit to this approach is the view that the
network to be evaluated (including the interconnected hosts)
is analogous to a single stand-alone computer system, and
can therefore be evaluated using the TCSEC under appropriate
interpretation. It is the purpose of this appendix to pro-
vide the main technical rationale and illustrative examples
of help to the sponsors and evaluators of networks and net-
cleanly partitioned into components in a way that will
facilitate its eventual evaluation and certification. It is
and philosophical. Therefore, readers whose interest is
tion may choose not to study this appendix in detail.
The separate Appendix A, providing Interpretations for
the Evaluation of Network Components, rests upon this view
as well: the evaluation of particular network components is
viewed as a useful preliminary step for the eventual evalua-
tion of the network as a whole, which must proceed, however,
in the context of an overall network architecture providing
a clean decomposition of an overall network security policy
into policies for the individual components. The overall
architecture and design will, once individual component
evaluations have been finished, support the final evaluation
of the network as a sound composition of trusted elements,
each enforcing its allocated policy, and together enforcing
the policy defined for the entire network. Specific guide-
lines for actually partitioning the various network policy
elements to components are presented under the relevant
that such a partitioning is possible is presented here.
It is emphasized that the view of what a network is
(and how its NTCB may be partitioned into NTCB partitions
completely contained in individual network components)
the evaluation and assignment to the network of a single
certification as meeting the TCSEC criteria for a given
evaluation class. It is recognized that this goal may not
be appropriate for every circumstance, or meet the needs of
The risk assessment and accreditation of such systems is an
important and interesting problem. It is not, however, the
entire network which is to support a network security policy
B.2. Background and Overview
B.2.1. Organization of this Appendix
The material within this appendix is organized as fol-
lows. Section B.3 discusses some considerations for properly
formulating the policy to be enforced by the network NTCB,
and its allocation to the various components of the network.
Section B.4 presents an argument supporting the adequacy of
the partitioned NTCB view and the conclusion that the refer-
ence monitor for an entire network may be implemented as a
collection of locally autonomous reference monitors. Sec-
tion B.5 discusses the idealization of intercomponent com-
munications channels, assumed as an axiom in Section B.4, in
the context of real communications channels, and provides
insight into when the techniques of communications security,
and when the techniques of trusted systems technology are
applicable. Section B.6 provides additional rationale sup-
B.3. Security Policy
The TCSEC Glossary defines ``Security Policy'' as ``the
organization manages, protects, and distributes sensitive
information''. It should be noted that ``Security Policy''
is a distinct notion from that of ``Formal Security Policy
Model'' and a ``Security Policy Model''. The ``Security
trolling the access of people to information.
Because a Security Policy concerns, by definition, the
access of people to sensitive information and includes both
manner that is free of computer, network, or communication
network ultimately is possible only if a single, uniform
network security policy can be adopted by the organizations
by the network and its components. The existence of such a
network is to be used to allow the sharing of information
among many organizations, the definition of a mutually
acceptable Security Policy applicable to that sharing must
be an early goal during the design of the network if the
bility is desired.
B.3.1. Mandatory Access Control Policies
One may observe that, for those access controls nor-
mally denoted as ``Mandatory Access Controls'', the defini-
tion of a mutually acceptable joint policy may be expected
to be relatively straightforward, as such controls are
based, by definition, upon the comparison of a label denot-
ing the sensitivity of the information contained within an
information repository with a user clearance denoting the
formal authorization of a user to access that information.
The definition of a jointly acceptable policy may involve
the merging of several systems of classifications and clear-
ances into a unified system; in practice, if the systems in
use by the various organizations are not already identical,
those responsible for the protection of information within
each organization must determine which external user clear-
ances will be honored as an adequate basis for providing
access to which classes of information.
It may also be true that a particular organization may
or private institutions may be so characterized)-. It is
class and clearance level (i.e., every user belonging to the
institution has clearance to access all information belong-
ing to the institution, except as refined by less rigorous
access controls). Thus, it could well be that an overall
for an arbitrary collection of institutions wishing to share
information using a network, can be resolved in a relatively
issues and effects of particular decisions are easy to
understand.
B.3.2. Discretionary Access Control Policies
Turning to those policies characterizable as involving
Discretionary Access Controls, one finds substantially
might adopt. The notion of ``Discretionary Access Con-
trols'', as defined in the TCSEC Glossary, involves the res-
triction of access by users to information based upon the
identity of the users or their membership in a particular
access to an object containing information to pass that
authorization to other users or groups either directly, or
_________________________
- See, for example, Steven B. Lipner, ``Non-
Discretionary Controls for Commercial Applications'',
indirectly (viz., by copying it and providing authorization
to access the copy). Within these limits, there is an
extremely broad range of permissible policies, differing in
the modes of access that may form the basis for controls,
and the mechanisms that may be defined for users to limit or
expect, therefore, that when designing a network, the formu-
lation of an overall Discretionary Policy by a group of
organizations may require a period of intensive generaliza-
tion of policy. Moreover, the overall policy resulting from
this activity may be expected to depend, to a relatively
large extent, upon the underlying capabilities and func-
tionality ascribed to the network.
B.3.3. Supporting Policies
In addition to the basic access control policies (man-
tional capabilities relating to the accountability of indi-
viduals for their security-relevant actions. These capabil-
ities are usually thought of as comprising ``supporting''
effective enforcement and monitoring of the basic access
Accountability requirements are comprised of two major
cy, and audit policy. The former supports both mandatory
and discretionary access control policy by specifying the
of an individual prior to permitting access, is the basis
for determining the clearance of an individual in the case
of mandatory access policy, is the basis for determining the
ary access policy, and is the basis for recording the iden-
tity of the individual taking or causing an auditable
action.
Audit policy proper provides for the recording of those
for the security-relevant actions they take.
The supporting policies adopted by different organiza-
tions may differ even more widely than discretionary access
control policies. The task of formulating a mutually
acceptable set of overall supporting policies may be
expected to be even more challenging for the sponsors of a
network than for discretionary policy.
B.3.4. Formal Security Policy Model
As defined in the TCSEC, a Formal Security Policy Model
Whereas the objective of stating Security Policy is to
authority, the purpose of a Formal Security Policy Model is
to serve as a precise starting point in the chain of argu-
ments leading to the higher levels of assurance required for
Class B2; it is not introduced earlier because the chain of
arguments needed for lower evaluation classes does not
this observation is that the definition of a Formal Security
Model is not a gratuitous requirement, but serves the pur-
Current practice requires a formal security policy
model only for the access control policies to be enforced.
The model is a representation of the reference monitor for a
tion is strongly influenced by the technical characteristics
of the system to be built, as the feasibility and economy of
constructing the chain of assurance arguments needed to sup-
tially increased by utilizing a model that has an intui-
tively attractive resemblance to the abstractions of sub-
As previously described, the reference monitor for a
kernels for individual components. In order to obtain the
mulated for each such component. We would argue, however,
that it is too restrictive to require that the formal model
for each security kernel be the same, or that an overall
model be formulated for the network, provided that each
model is shown by convincing arguments to correctly
component. As the only function of a formal model is to
and designers of network components should be free to choose
that model which will most efficiently serve this purpose,
model be an accurate representation of the Security Policy
to be enforced by the component.
B.3.5. Summary of Policy Considerations for a Network
In summary, a precondition for the evaluation of a
networked system of computers is the formulation of overall
mandatory (when applicable), discretionary, and supporting
organizations involved, and stated in terms of people
accessing information (i.e., free, to the extent feasible,
of computer and network jargon). In the case of mandatory
to involve the relatively straightforward issues of how
clearances in use by one organization are to relate to the
information access classes in use by another organization:
the formulation of appropriate discretionary and supporting
cantly influenced by the particular network architecture
chosen.
B.4. Derivation of the Partitioned NTCB View
B.4.1. Introduction to the Partitioned NTCB Concept
Using the definitions provided above, the following
conclusion may be stated: if it is supposed (1) that a sub-
time, (2) that it may directly access only objects within
its component, (3) that every component contains a component
(and enforce the same access control policy), and (4) that
all communications channels linking components do not
compromise the security of the information entrusted to
them, one may conclude that the total collection of com-
network. The conclusion follows because (1) all network
accesses are mediated (because there are no non-local
accesses); and (2) the network reference monitor cannot be
tampered with (because none of its component reference moni-
tors can be tampered with), and it is simple enough to vali-
is assured if the correct operation of each of its component
against access across components prevents the introduction
of additional complexity).
It is useful, before expanding this basic argument
examine briefly the individual preconditions (axioms) that
must be met in order for the conclusion to be valid, and
be achieved within the current state of network technology.
Generally, the crucial step the sponsors and architects of a
its partitioning into components and communication channels
in such a way that all of the axioms can be easily validated
by the evaluators.
The first axiom is that regarding confinement of sub-
notion of a subject as a pair is adequate
to fulfill this axiom, provided it is recognized that limit-
ing the access of subjects to objects within the same com-
than one component. It follows that no subject may ``move''
from one component to another. Even if we permit (as is
execution begins in a remote component a new subject has
been introduced (because there has been a change in protec-
tion domains).
The second axiom requires that a subject be able to
the subject is associated. The major theoretical issue to
be confronted is to understand how information may be
transmitted between components without the sharing of
objects between them. This issue is explored in some depth
in Section B.5. Logically, the connection of components by
an ideal communication channel is viewed as involving the
transfer of information from one device to another without
the existence of an intermediate object. (i.e., information
``in motion'' is not regarded as an object - a view which
``comes to rest'' within the destination component - and is
then within an object again). This view is consistent with
the TCSEC Glossary definition of ``object'' which includes
the sentence, ``Access to an object potentially implies
access to the information it contains''. For a Security-
Compliant communication channel (discussed in Section
B.6.2), there are no subjects with potential access to the
information being transmitted while it is in transit: it is
therefore unnecessary (and misleading) to treat such infor-
mation as an object. (This argument is invalid for complex
channels, which contain internal subjects, which is the rea-
The third axiom requires that every component contain a
component reference monitor which enforces that part of the
network access control policy relevant to subjects and
objects within the component. In validating this axiom, it
is important to understand that for certain components, a
for a dedicated component for which all subjects and objects
zation and sensitivity, respectively, so that no local
access attempts need be denied on the basis of policy
enforcement). It is logically equivalent, in such cases, to
claim that there is a reference monitor (which never does
anything) or that there is no reference monitor (because
nothing ever needs to be done). It is also important to
understand that each reference monitor need only to enforce
that subset of access control policy relevant (in terms of
the network system architecture) to the local accesses pos-
The fourth axiom requires that communications channels
between components not compromise the security of sensitive
information entrusted to them. Establishing that this axiom
is actually met is a complex problem with some issues dealt
tion for use. A detailed discussion of the issues involved
is provided in Section B.6 of this Appendix. Until that
components of the network, and their composition into a com-
B.4.2. Overview of the Argument for a Partitioned NTCB
To present the concept of a partitioned NTCB, and show
analogous to a network of ``loosely-coupled'' NTCB parti-
tions is described as running upon a single, stand-alone
computer system with a TCB assumed to be evaluatable in
terms of the existing Criteria. A series of transformations
is then performed upon the simulation, that convert it into
the hypothesized network with a single, partitioned NTCB.
This argument is meant to demonstrate that the notion of
NTCB partitions is conceptually sound and does not require a
effect, the argument serves as a constructive proof
(although informally stated) that a trusted network is sim-
B.4.3. Characterization of the Target Monolithic System
Consider first a multiprocessor, multiprogrammed monol-
ithic computer system, presumed to conform to the TCSEC Cri-
teria at, for example, a Class B2 level or higher. It has a
Formal Security Policy Model, e.g., the Bell and LaPadula
model, and it has been shown that the system is a valid
interpretation of that model. In the presumed system, sup-
concurrently executing processors, which are tightly-coupled
on a single bus. (Worked examples of such systems targeted
for Class B2 or higher exist). Since this is a monolithic
tiprogramming operating system, it can support a given pro-
cess on any processor, which can (potentially) access any
memory segments it may need to share with any other process
on any other processor. Additionally, each process can use
calls to the TCB. In particular, assume that there are
available multilevel I/O channels which can be controlled by
multilevel trusted processes executing under the control of
the TCB. Each multilevel channel conforms to the concept of
a connected multilevel device as identified in the TCSEC
Criteria.
B.4.4. Characterization of the Loosely-Coupled Trusted Network
Next, consider an arbitrary network architecture, con-
network interface units, hosts, etc.) processing information
at various levels, connected with communication channels,
viz., (1) each subject is confined to a single component,
(2) no subject may access an object within a different com-
are interconnected via a multilevel communications subnet
(which may itself be composed of components and simple com-
munications channels. Subjects within one component can (by
interacting with the appropriate device drivers) cause
information to be exchanged between components in a secure
Note that a point-to-point connection may be abstracted
as a pair of devices (one at each end) linked by a communi-
cation medium. A broadcast channel may be abstracted as a
munication medium. The hypothesized network may contain
both single-level and multi-level connections.
B.4.5. Simulation of the Network on the Monolithic System
The proposed system may be simulated in a very natural
Each component subject (in the network) is simulated as
a single subject (on the monolithic target system.) For rea-
there is a processor available for each network component.
All of the communication devices are provided as I/O
as appropriate. For each device, it is supposed that there
is a server subject, which correctly implements the protocol
ascribed to the communication channel and, for multilevel
trusted subject. As each device is local to a processing
node in the network system, it is made local to the associ-
ated processor in the monolithic computer system (i.e., it
is accessible only by that processor).
Finally, the I/O devices are linked using the appropri-
ate physical media, (which is considered to be external to
the system): in pairs, for point-to-point channels, and in
The simulation is now an accurate representation of the
thic system, it is secure to the degree of assurance
ascribed to the monolithic system, subject, of course, to
the provision of appropriate levels of communication secu-
a network must have to be simulated in the way described.
B.4.6. Transformation of the Monolithic Simulation to a Distributed System
It is instructive to examine certain of the properties
of the network simulation.
It may be observed that there are no application memory
a single network component to a single processor of the
monolithic system, and from the rule (for the network) that
no subjects access objects in a different component.
Furthermore subjects executing on different processors
mechanisms provided by the TCB; all inter-processor communi-
cation is provided by means of the I/O device protocols
embedded in the I/O device drivers, which are part of the
TCB. Moreover, the (correct) operation of these protocols
usable in the network being simulated, and thus presumably
Thus, outside of the security kernel, no memory seg-
ments are shared by any two processes running on different
all application segments may be moved (without effect) to
the appropriate processor-local memory address space. Sup-
copies of the TCB code may also be removed to the local
memory address space of each processor without effect.
Similarly, internal TCB data structures that have elements
that are accessed only by a single processor can be removed
to the local memory of that processor without effect.
It may be noted (based upon available worked examples)
that the only data structures within the TCB, that must be
ever, in the simulation just described, there are no such
all via external communication channels), and the only
none.
Thus, in the particular network simulation described,
underlying TCB, that potential is never exercised. The par-
titioning of code and data described allows the internal
titioned and removed to processor local memory throughout,
nal restructuring in no way affects the operation of the
Criteria (for the specific application).
Another result of the described partitioning and local-
ization of the TCB is that no communication ever takes place
over the system bus: all of the TCB tables may be locked
locally so that no inter-processor communication within the
TCB is required, and there are no global memory segments.
affecting either the operation of the system or its compli-
ance (in this particular case) with the Criteria. An
interesting observation is that no single step in the res-
tructuring described can be regarded as changing the fact
that the collection of processors is utilizing a single TCB,
tion that impels one to conclude that a single TCB can be
The resulting partitioned TCB is now examined. Within
the TCB are a set of (trusted or untrusted, as appropriate)
attempting to utilize that device). The driver subject, its
code, and its data may therefore be removed from the TCB
the device is local. Again, the system remains a valid
interpretation of the model, and remains compliant with the
Criteria.
The resulting system still has only one TCB, parti-
tioned among a number of asynchronous processors, with the
code and data for supporting various devices provided only
local devices. The only links between the physical proces-
channels provided. These channels are afforded, it has been
assumed, the appropriate levels of physical security by com-
munications security techniques, just as they would be if
they were media connecting a computer to a remote terminal:
the provision of this physical security is an axiom in the
context of evaluating the validity of the system from a
``computer security'' point of view. (This is discussed
fully in section B.6, as the importance of communications
must not be trivialized).
Each processor, and its associated devices, is now
a single TCB, which has, however, been transformed into a
collection of TCB partitions, each of which is responsible
for enforcing access control policy within its ``local par-
tition'', or component.
The TCB in a particular box may now be replaced by an
equivalent TCB (that is, a TCB with the same top-level
adherence to the TCSEC Criteria. In fact, both the hardware
and software TCB bases within a partition could be replaced,
as long as the replacement has the same (or greater) evalua-
tion class and completely honors the interface protocols
(and thus, for example, correctly receives and transmits
labeled datagrams) defined for the devices connecting it it
Finally, the particular Formal Security Policy Models
upon which the TCBs within each box are based might be
allowed to differ without adverse impact, so long as each
model used was a valid representation of the single Network
Security Policy to be enforced, as allocated to the activi-
ties of the application subjects within the box.
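The four axioms of Section B.4.1 and the partitioned TCB of Section B.4.6, modelled as an added example (this code is not from the TNI and does not claim to be any evaluated system): each component is a local reference monitor over its own subjects and objects, a subject confined to one component cannot reach objects elsewhere, and the only link between components is a device driver that labels outgoing datagrams with the level of their source object and lets them "come to rest" only in an object whose level dominates that label. The four-level lattice, the component names, the subjects and the objects are constructed assumptions.

```python
"""Toy model of the partitioned-NTCB argument of Sections B.4.1 and B.4.6.
Added example, not from the TNI: the lattice, component names, subjects
and objects below are constructed assumptions."""
from dataclasses import dataclass, field

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # constructed linear lattice


def dominates(a, b):
    return LEVELS[a] >= LEVELS[b]


@dataclass
class Obj:
    name: str
    level: str
    data: list = field(default_factory=list)


@dataclass
class Subject:
    name: str
    clearance: str
    component: str     # axiom 1: a subject lives in exactly one component


@dataclass
class LabelledDatagram:
    """Information 'in motion' between components carries its label with it."""
    label: str
    payload: str


class Component:
    """One NTCB partition: a reference monitor for local subjects and objects."""

    def __init__(self, name):
        self.name, self.objects, self.log = name, {}, []

    def add(self, obj):
        self.objects[obj.name] = obj
        return self

    def _local(self, subject, obj_name):
        # Axiom 2: only local subjects reach local objects; nothing else is
        # mediated (or permitted) here.
        return subject.component == self.name and obj_name in self.objects

    def read(self, subject, obj_name):
        """Simple security: the subject's clearance must dominate the object."""
        ok = self._local(subject, obj_name) and dominates(
            subject.clearance, self.objects[obj_name].level)
        self.log.append((subject.name, "read", obj_name, ok))
        return list(self.objects[obj_name].data) if ok else None

    def write(self, subject, obj_name, value):
        """*-property: the object's level must dominate the subject's clearance."""
        ok = self._local(subject, obj_name) and dominates(
            self.objects[obj_name].level, subject.clearance)
        self.log.append((subject.name, "write", obj_name, ok))
        if ok:
            self.objects[obj_name].data.append(value)
        return ok

    def send(self, subject, obj_name):
        """Sending-side device driver (part of this partition): the local
        monitor authorises the read, then the datagram is labelled with the
        level of the source object."""
        data = self.read(subject, obj_name)
        if data is None:
            return None
        return LabelledDatagram(self.objects[obj_name].level, "|".join(data))

    def receive(self, datagram, dest_name):
        """Receiving-side driver: the datagram may come to rest only in an
        object whose level dominates its label (no write-down via the channel)."""
        dest = self.objects.get(dest_name)
        ok = dest is not None and dominates(dest.level, datagram.label)
        self.log.append(("channel", "deliver", dest_name, ok))
        if ok:
            dest.data.append(datagram.payload)
        return ok


def run_example():
    """Constructed two-component network: a SECRET host and a multilevel host."""
    host_a = Component("A").add(Obj("s_file", "S"))
    host_b = Component("B").add(Obj("ts_file", "TS")).add(Obj("u_file", "U"))
    alice = Subject("alice", "S", "A")
    bob = Subject("bob", "U", "B")

    host_a.write(alice, "s_file", "secret note")
    dg = host_a.send(alice, "s_file")             # labelled 'S' by A's driver
    return {
        "up_delivery": host_b.receive(dg, "ts_file"),       # S into TS object: allowed
        "down_delivery": host_b.receive(dg, "u_file"),      # S into U object: refused
        "bob_reads_ts": host_b.read(bob, "ts_file"),        # read-up: refused (None)
        "bob_reads_u": host_b.read(bob, "u_file"),          # untouched object: []
        "alice_remote_read": host_b.read(alice, "ts_file"),  # not local: refused
        "ts_contents": host_b.objects["ts_file"].data,
    }


if __name__ == "__main__":
    print(run_example())
```

Nothing in `Component` consults any other component: each partition decides from its own tables and the label on the datagram, which is the sense in which the collection of partitions enforces one policy while no single TCB exists as a shared data structure. Replacing `host_b` by a different implementation that honours the same labelled-datagram rule (the substitution allowed in Section B.4.6) would leave every result of `run_example` unchanged.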
B.4.7. Conclusions Regarding the Simulation Argument
This informal argument shows how a network of process-
ng nodes, which are ``locally autonomous'' (with respect to
their enforcement of a global Security Policy for access
controls), can be simulated upon a clearly evaluatable
monolithic system with a security kernel, and, in turn, how
that system can be physically partitioned into a confedera-
tion of components, each with its own TCB partition. The
its essential features, and is clearly in harmony with the
intent of the TCSEC Criteria. This argument provides an
intuitive basis for the interpretation of the Criteria pro-
vided in the TNI. It also shows the sense in which the col-
lection of NTCB partitions may be viewed as forming a single
NTCB: there is a single NTCB because there is a single Secu-
each NTCB partition upon its local subjects and objects
(i.e., upon the resources it controls).
Of significance for the design and evaluation of net-
that under the assumptions that an overall Network Security
between components function correctly, (i.e., maintain the
clearances, and names of objects), there is no compelling
cessing node be obtained using the same Formal Security Policy
Model.
B.5. Cooperation Among Partitions
In this section we focus on that part of the NTCB out-
implementation of supporting policies and typically carried
out by trusted subjects. Some non-kernel NTCB functions are
essentially the same as those normally provided in a non-
networked trusted computer system, such as login authentica-
tion of local users. Such functions in an NTCB partition
can be understood in terms of the services they perform
Other non-kernel NTCB functions provide distinctively
network-related services that can best be understood in the
context of the network security architecture. We shall
essential task of these functions is to implement a protocol
for conveying security-critical information between trusted
not an end in itself, but a means to accomplish services for
of a single-level communications channel. While each com-
its own end of a channel, a trusted protocol is required to
coordinate the changes.
In this section there will be two brief examples illus-
trating the relationship between a network security archi-
tecture and an associated trusted network service. One
example network uses trusted network interface units and
encryption. After the examples, design specification and
verification of trusted network services will be discussed.
B.5.1. Trusted Interface Unit Example
Consider a network in which untrusted hosts operating
at various single security levels communicate through
trusted network interface units (TIU's) that send and
munication subnet. The function of a TIU is to place mes-
labels on incoming messages, so that hosts may send and
accreditation.
Because the communication subnet carries messages at
all levels, the I/O device connecting any TIU and the subnet
is single-level system-high. But the connection between any
TIU and its host is at the level of the host. Thus, a TIU
for a low-level host must contain a trusted subject that
There is a trusted protocol in this example, though it
is relatively trivial, since it merely identifies a header
field in each message that should contain a sensitivity
label, and perhaps also a checksum to guard against
transmission errors. A protocol of this kind is required
tilevel communications channel. See section 3.1.1.3.2.1 of
B.5.2. End-to-End Encryption Example
Consider a network in which hosts operating at various
cessors (TFE's) that send and receive encrypted messages
over a public communication subnet. Suppose that the TFE's
obtain encryption keys at the level of the information to be
to the network in the same way as a host. A key is sent
from the KDC to a TFE upon request, using an appropriately
certified protocol that authenticates both the requester and
the new key.
The purpose of key distribution is really to support a
trusted local service within the TFE, namely, the ability to
transform classified messages from the host into unclassi-
fied encrypted messages suitable for transmission over the
Part of the trusted network service is implemented
of information being communicated, and must also decide, on
the basis of an access control policy, which TFE's may share
keys. A single level subject in the KDC at the level of the
information which the key is for does not necessarily
ous levels must correctly implement a certain policy and a
certain protocol.
B.5.3. Design Specification and Documentation
To obtain the level of assurance needed for systems of
Evaluation Class A1, a formal top-level specification (FTLS)
of the NTCB is required, including a component FTLS for each
NTCB partition. As in the case of stand-alone computer sys-
tems, non-kernel portions of the NTCB must be specified even
though they support policies that are not part of the access
control policy represented in the formal security policy
model. In particular, software supporting trusted network
Where a trusted network service supporting the manda-
tory policy depends on a protocol, the protocol will neces-
As a minimum, the role of the trusted subject in each NTCB
to understand a protocol by looking at each participating
in which the lines have been sorted by character. For pur-
exhibits the interactions between participants, and the
correspondence between this representation and the relevant
Just as the FTLS of a stand-alone TCB contains
tables, the FTLS of an NTCB contains representations of pro-
tocol entities and concepts, such as connections, where they
occur, such as in trusted network service specifications.
In the end-to-end encryption example, correspondence of
the FTLS to the trusted network services supporting policy
that all data transmitted over the communication subnet is
encrypted with the proper key (e.g., for the correct secu-
in accordance with its access control restrictions. Both
tions between hosts. In the trusted interface unit example,
the correspondence should show that each TIU marks and
checks message labels in accordance with a given host label.
B.5.4. Summary
Some non-kernel NTCB functions in a network may be
characterized as trusted network services. They provide
trusted protocols to implement security-critical cooperation
between trusted subjects in different NTCB partitions.
Showing correspondence between the FTLS for these services
and their supporting policies implies proving certain pro-
architecture.
B.6. Communication Channels Between Components
In this section the communication channels used to con-
nect components are examined more closely, with the goal of
understanding when the characteristics of a particular chan-
nel are relevant to the security characteristics of the sys-
tem, how the characteristics of such a channel are to be
evaluated and related to the overall evaluation of the net-
ment of the adequacy of the network to support a particular
application of it preceding its accreditation.
The discussion is organized into the following major
channel'' is related to the technical terminology provided
by the TCSEC Glossary. In section B.6.2, the notion of a
``Security-Compliant communication channel'' is defined.
The remaining parts of the section discuss the important
cases of channels that are single-level and multilevel (in
the mandatory policy sense).
B.6.1. Basic Notion of A Communication Channel
For the purposes of the TNI the network is viewed as a
communication channels. The term ``communication channel''
is used as a refinement of the term ``channel'', defined in
the TCSEC Glossary as ``an information transfer path within
a system.'' The term may also refer to the mechanism by
architecture be formulated in sufficient detail that all
communication channels are Security-Compliant as defined
below.
``Point-to-point'' communication channels are discussed
first. The notions of ``communication channel'' and ``I/O
nel is viewed as consisting of two I/O devices (each local
to the component it is attached to) coupled by a communica-
tions medium (which may in reality consist of a complex
arrangement of internal devices, switches, and communica-
tions links). From the point of view of the components,
information is transmitted via the transmitting and receiving
devices in a sufficiently error-free, physically secure
fashion to merit the particular labels associated with the
and evaluator of a particular network to confirm that this
condition is met to an appropriate level of assurance,
This requirement, which is a boundary condition upon which
the evaluation of the NTCB partition itself, will typically
be met by a combination of error-detection and recovery
techniques, cryptographic techniques, and other communica-
tions security techniques as addressed in Section 9 of Part
(Note: Figure not included)
Figure B1. Point-to-point communication channel.
For example, two processing nodes connected by a single
channel would be modeled as shown in Figure B1. Here, we
to communicate, via I/O Device D2, with processing component
more complicated.) Subject S1 in component P1 may transmit
information to a subject S2 in P2 as follows: each subject
obtains an object of the appropriate class for use as a
buffer. Each subject attaches its locally available device.
Subject S1 in P1 then transmits the information in its
buffer to D1; subject S2 receives the information via D2 in
its buffer. Note that in this description, it was quite
unnecessary to introduce the notion of either a shared
object or a shared device. Of course, the details of the
inter-communication will depend upon a shared communications
Broadcast communication channels are only slightly dif-
ferent, from the point of view adopted within the TNI, from
a receiver, a transmitter, or a transceiver in nature. It
is assumed that anything transmitted by a transmitter can be
the communication protocols being executed by the various
action by a particular receiver.)
B.6.2. Security-Compliant Channels as the Basis for Evaluation
Communication channels in trusted network architecture
must be Security-Compliant. A channel is Security-Compliant
if the enforcement of the network policy depends only upon
characteristics of the channel either (1) included in the
evaluation, or (2) assumed as an installation constraint and
clearly documented in the Trusted Facility Manual. The first
approach tends to produce evaluated network systems whose
tion or configuration choices. The second approach yields
evaluated network systems whose security is more strongly
conditioned upon the appropriateness of installation or con-
figuration choices; however, the conditions and limitations
of the evaluation are clearly documented.
The overall security of the network can be assessed by
verifying the correctness of the NTCB partitions (an evalua-
tion issue) and by verifying that the required environmental
constraints documented for all communications channels are,
in fact, met by the installation (an accreditation issue).
The thrust of this section is to show that channels that are
not Security-Compliant may be reduced to Security-Compliant
channels so that the resulting architecture will support a
viable network evaluation. Three general techniques are
available for rendering a channel Security-Compliant: 1) the
utilization of the channel for security-critical transmis-
NTCB partitions of the components linked by the channel; 2)
end-to-end communications technologies (such as encryption)
may be installed and evaluated as part of the linked NTCB
and 3) constraints on the intrinsic characteristics assumed
for the channel may be documented in the Trusted Facilities
Manual. The last approach, in effect, reserves determination
of the adequacy of a particular channel to the accreditor:
the evaluation proper will be based upon a communications
channel, which will be assumed to have the desired charac-
teristics.
The evaluation effort is focused upon establishing the
correctness of the technique, or combination of techniques
employed. The adequacy of the mechanisms is an accreditation
issue. For example, the issues related to the adequacy of
A channel can be made Security-Compliant by using a
combination of the above techniques: cryptographic sealing,
for example, addresses the issues of both prevention of
unauthorized modification and error-detection. In evaluating
each channel, three vulnerabilities related to external
environmental factors and one related to internal exploita-
tion must be addressed. They are as follows:
modification of sensitive information in transit
information, (e.g., non-delivery, misdelivery, and
delivery of erroneous data) the delivery of which is
required for the correct operation of the NTCB (such
as audit records or inter-partition security coordi-
nation)
critical data, such as transmitted security labels,
due to noise. (Note that changes due to unauthor-
ized modification are categorized as a communica-
tions security problem)
mechanisms to signal information covertly
The use of a channel as a covert signaling mechanism
analysis of the channel drivers, which are part of the
linked NTCB partitions, is performed. See the Covert Chan-
nel Analysis section in Part I. Techniques for addressing
the remaining three vulnerabilities are listed below.
The first vulnerability, to the security of sensitive
information in transit, must be addressed by one or more of
the following techniques:
Manual that the installed channel be completely con-
tained within an adequate security perimeter
(thereby deferring an assessment of compliance to
accreditation)
munications security techniques which are documented
and evaluated as part of the NTCB partitions linked
by the channel
transmission of non-sensitive information by means
of controls internal to the NTCB partitions linked
by the channel
Vulnerability of a channel to the unreliable delivery
of security-critical information must be addressed by one or
more of the following techniques:
Manual that the channel be comprised of intrinsi-
cally reliable media and devices (thereby deferring
an assessment of compliance to accreditation)
cols for the reliable transmission of information
within the NTCB partitions coupled by the channel,
which will thereby be evaluated for correctness
delivery of which is not critical to the functioning
of the NTCB, by means of controls internal to the
NTCB partitions linked by the channel, which will
thereby be evaluated for correctness
Vulnerability of a channel to noise, which may compromise
the correctness of security-relevant data (such as secu-
ng techniques:
Manual that the channel be comprised of intrinsi-
cally noise- free media and devices (thereby defer-
ring an assessment of compliance to accreditation)
reduction techniques within the NTCB partitions
linked by the channel, which will thereby be
evaluated for correctness
noise-free delivery of which is not critical to the
functioning of the NTCB, by means of controls inter-
nal to the NTCB partitions linked by the channel,
which will thereby be evaluated for correctness
Three example scenarios are provided below, showing how
these techniques might be employed.
Example A. Two loosely-coupled trusted coprocessors,
one in active use and the other in ``hot standby'', are to
be linked by a dedicated communications channel.
Significant amounts of dynamic, security-relevant data will
be exchanged over this channel. The channel must be trusted
to preserve label integrity and provide reliable and noise-
free delivery of security-critical data. Noise is not a
environment.
The simplest evaluation strategy would be to document
the required environmental constraints in the Trusted Facil-
ties Manual: that the channel be placed within the
``system-high'' security perimeter, and that it be comprised
of intrinsically reliable and noise-free media and devices.
During evaluation the proper documentation of these con-
nel in the physical installation to them would be an accreditation
issue which, in this case, would (apparently) be
easy to verify. This evaluation approach would have the
advantage of allowing replacement of the original channel
evaluation (although the system would have to be accredited
again).
Example B. Numerous single-level hosts (at several
levels) are interconnected via a multilevel packet switch,
munities of hosts of the same level. Communications between
level of each host is determined at the switch by internally
labeling the hard-wired communication ports. The communica-
tion channel must be secure (separation of data of different
levels must be maintained), but it need be neither reliable
nor noise-free (from the point of view of security).
Two quite different approaches might be regarded as
first, (and most natural), the architecture would be refor-
mulated to show the packet switch as a network component,
connected to each host with a single-level channel. Network
nels be constrained to be located within an appropriate
tained), and that no security-critical information requiring
either reliability or fidelity is transmitted over them. The
the first during accreditation.
A second (radical) approach would be to insist that the
case, it is difficult to see how the required Security-
Compliance is to be attained while encompassing the packet
not in use, and it is obvious that sensitive information is
being transmitted. The sponsor could document a constraint
upon the interconnection of hosts that the (nominally
tion, but it is also then dropped from the description of
the network being evaluated, and is replaced by ``nomi-
nally'' Security-Compliant point-to-point channels, docu-
mented in the Trusted Facilities Manual. The decision to use
a particular multilevel packet switch to meet the documented
bility of the accreditor of such a system alone. In effect,
originally envisioned system)
Example C. Two trusted multilevel systems are to con-
noisy, unreliable, and insecure. The data is to be encrypted
and cryptographically sealed. Reliable transmission is
enforced by non-NTCB software. (This is not security-
an insecurity).
The communications security and cryptographic sealing
techniques must be included within the evaluated NTCB parti-
tions. Assessment of their correctness will be part of the
evaluation, and assessment of their adequacy, based upon the
true sensitivity of the information transferred, will be
ability, the NTCB internal control mechanisms preventing the
utilization of the channel for security data needing to be
transmitted reliably must be documented and evaluated (in
this case, the argument is probably the degenerate case:
that no such information exists.) See, for example, the
Encryption Mechanism section in Part II.
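The labeled-message protocol of the trusted interface unit example (B.5.1) and the cryptographic sealing of Example C above, modeled together as an added illustration that is not part of the TNI text: a TIU for a single-level host labels each outgoing message with the host's level, numbers it, and appends either a checksum (the B.5.1 protocol) or a keyed seal (Example C); on receipt it verifies the integrity field, requires the label to equal the host level, and uses the sequence number to detect non-delivery or misordering. The header layout, the choice of CRC-32 for the checksum and HMAC-SHA256 for the seal, and the key values are assumptions made for this example. The relabel case shows why the page treats unauthorized modification as a communications security problem distinct from noise: a checksum catches a flipped bit, but a recomputed checksum over an altered label passes, whereas the keyed seal does not.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
import zlib

# Sensitivity levels named as on the page; hierarchical only, so dominance is <=.
LEVELS = {0: "UNCLASSIFIED", 1: "CONFIDENTIAL", 2: "SECRET", 3: "TOP SECRET"}

# Constructed header layout: 1-byte label, 4-byte sequence number, 2-byte length.
HDR = struct.Struct("!BIH")
CRC_LEN, SEAL_LEN = 4, 32


def checksum(body: bytes) -> bytes:
    # CRC-32 detects bit errors due to noise; anyone can recompute it.
    return struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def seal(key: bytes, body: bytes) -> bytes:
    # Cryptographic seal over label, sequence number and payload (HMAC-SHA256).
    return hmac.new(key, body, hashlib.sha256).digest()


class TIU:
    """Trusted interface unit for one single-level host.

    Outgoing messages get the host's label, a sequence number and an
    integrity field; incoming messages are accepted only if the integrity
    field verifies, the label equals the host level and no message was lost.
    key=None gives the checksum-only protocol of B.5.1; a key gives the
    cryptographically sealed channel of B.6.2, Example C.
    """

    def __init__(self, host_level: int, key: bytes | None = None):
        self.host_level, self.key = host_level, key
        self.tx_seq = self.rx_seq = 0

    def tag(self, body: bytes) -> bytes:
        return seal(self.key, body) if self.key else checksum(body)

    def send(self, payload: bytes) -> bytes:
        body = HDR.pack(self.host_level, self.tx_seq, len(payload)) + payload
        self.tx_seq += 1
        return body + self.tag(body)

    def receive(self, msg: bytes) -> tuple[str, bytes | None]:
        tag_len = SEAL_LEN if self.key else CRC_LEN
        if len(msg) < HDR.size + tag_len:
            return "reject: truncated", None
        body, tag = msg[:-tag_len], msg[-tag_len:]
        if not hmac.compare_digest(tag, self.tag(body)):
            return "reject: integrity check failed", None
        label, seq, length = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if len(payload) != length:
            return "reject: length mismatch", None
        if label != self.host_level:
            return f"reject: label {LEVELS.get(label, label)} is not the host level", None
        if seq != self.rx_seq:        # non-delivery or misordering
            return f"reject: expected seq {self.rx_seq}, got {seq}", None
        self.rx_seq += 1
        return "accept", payload


def demo_normal() -> tuple[str, bytes | None]:
    a, b = TIU(2), TIU(2)
    return b.receive(a.send(b"report"))


def demo_noise(sealed: bool) -> str:
    """One flipped payload bit in transit: checksum and seal both catch it."""
    key = b"constructed-demo-key" if sealed else None
    a, b = TIU(2, key), TIU(2, key)
    msg = bytearray(a.send(b"report"))
    msg[HDR.size] ^= 0x01
    return b.receive(bytes(msg))[0]


def demo_relabel(sealed: bool) -> str:
    """A SECRET message whose label field is changed to UNCLASSIFIED in transit,
    with the integrity field recomputed by a party that does not hold the key.
    Only the keyed seal detects this; a checksum alone cannot."""
    key = b"constructed-demo-key" if sealed else None
    a, b = TIU(2, key), TIU(0, key)
    tag_len = SEAL_LEN if sealed else CRC_LEN
    body = bytearray(a.send(b"report")[:-tag_len])
    body[0] = 0
    body = bytes(body)
    recomputed = seal(b"some-other-key", body) if sealed else checksum(body)
    return b.receive(body + recomputed)[0]


def demo_lost_message() -> str:
    """Reliable-delivery check: the first message never arrives."""
    a, b = TIU(2), TIU(2)
    a.send(b"one")
    return b.receive(a.send(b"two"))[0]
```

With a checksum only, the relabeled message is accepted by the low host, which is why the page's first technique for that vulnerability is to document in the Trusted Facility Manual that such a channel lies entirely within the security perimeter; with the seal, the check fails regardless of where the channel runs.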
B.6.3. TCSEC Criteria for Multilevel Communication Channels
In this section, those TCSEC Criteria relevant to the
utilization of communication channels within networks are
examined, from the point of view of countering internal
threats. As the Criteria for Class A1 are the most
classes, they are the basis for the discussion.
The Class A1 Criteria (Section 4.1.1.3.4) requires that
``the TCB shall support the assignment of minimum and maximum
security levels to all attached physical devices.'' The
basis for making this designation is also stated in Section
the physical environments in which the devices are
located''.
In the case of a communication channel connecting com-
interpreted to include the environment of the devices and
the medium linking them. The range of access classes (from
the Network Mandatory Access Control Policy) to be assigned
to the channel must take into account the physical security
afforded to the medium, the communications security tech-
niques that have been applied to the secure information
being transmitted through the medium, the physical accessi-
bility of the devices involved in the channel, and the
intended use of the channel from an architectural point of
view for the network. Within these constraints, the Cri-
teria cited requires that the devices comprising the channel
be appropriately labeled (with, it may be inferred, locally
``appropriate'' internal labels). For example, a particular
channel may be designed to support the transmission of
UNCLASSIFIED through SECRET information. The receivers and
transmitters coupling the transmission medium to the hosts
(assuming all hosts receive and transmit at all levels) must
be labeled within each host with whatever the local internal
labels are designating the UNCLASSIFIED through SECRET
ment to interpret properly a network Security Policy for
each NTCB partition.
In addition to the labeling of devices coupling network
may exist, the TCSEC requires, for multi-level channels,
that all information exported to, and imported from, the
channel be properly labeled: ``when exported by the TCB,
the information being exported'' (Section 4.1.1.3.2); furth-
ermore, ``when the TCB exports or imports an object [sic]
over a multilevel channel, the protocol used on that channel
tivity labels and the associated information that is sent or
these Criteria appears to be straightforward: in the context
of a network communication channel, they imply that informa-
tion be properly labeled when it is exported, that there be
a shared protocol between the exporting and importing devices
which unambiguously and correctly maintains the label-
information association, and that the resulting imported
label be honored by the receiving NTCB partition. Note that
the requirement for integrity relative to label-data associ-
ations is clearly stated and need not be hypothesized as a
B.6.4. Single-Level Communication Channels
The Criteria states that ``the TCB shall support the
assignment of minimum and maximum security levels to all
attached physical devices'' which ``enforce constraints
imposed by the physical environments in which devices are
located'' (Section 4.1.1.3.4). Note that this capability is
or ``multilevel''. The distinguishing characteristic of
``single-level devices and channels'' is stated in Section
tion they process''. Thus, a device and/or channel which
by definition, ``single-level''.
There are two cases: the minimum and maximum security
levels of the devices coupling the channel to the processing
nodes may be all the same, or not.
The case in which all of the minimum and maximum secu-
communication channels) of a channel which is to transmit
information of a single, invariant, sensitivity level.
It is also possible that the minimum and maximum ranges
of the various devices associated with a single-level chan-
nel are not all the same. In this case, the channel may
carry unlabeled information, but of only one sensitivity
level at a time. It is the responsibility of each NTCB par-
tition coupled to the channel to prevent the transmission of
information of a sensitivity level different from the
current level of the channel in accordance with Section
the TCB and an authorized user reliably communicate to
or exported via single-level communication channels or I/O
that single-level channels may be defined as part of the
network architecture which can be manually shifted from the
transmission of one level of unlabeled information to
another by an authorized user. The natural interpretation
of the criterion cited above is that a reliable protocol
must exist for informing each NTCB partition involved in
controlling access to the channel that a change in level has
been ordered, prior to the transmission of any information
over the channel (so that the ``implied'' label can be
correctly assigned by each NTCB partition to information
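The level-change protocol for a single-level channel described above (and anticipated in B.5, where a trusted protocol is said to be required to coordinate such changes), as an added illustration that is not part of the TNI text. Each attached NTCB partition records the level it believes the channel carries and refuses to transmit information at any other level; a change ordered by an authorized user is first requested of every partition, which stops transmitting and acknowledges only if its attaching device's minimum/maximum range permits the new level, and the change takes effect only once all acknowledgements are in. The two-phase structure, message names and the timeout case are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Partition:
    """The NTCB partition of one component attached to a single-level channel."""
    name: str
    device_range: tuple[int, int]     # min/max levels of the attaching device (4.1.1.3.4)
    channel_level: int | None = None  # level this partition believes the channel carries
    quiesced: bool = False            # True while a level change is pending
    reachable: bool = True            # False simulates a lost protocol message

    def on_change_request(self, new_level: int) -> str:
        lo, hi = self.device_range
        if not lo <= new_level <= hi:
            return "NAK"                 # device is not accredited for that level
        self.quiesced = True             # stop transmitting until the change commits
        return "ACK"

    def on_commit(self, new_level: int) -> None:
        self.channel_level, self.quiesced = new_level, False

    def on_abort(self) -> None:
        self.quiesced = False            # old level remains in force

    def transmit(self, info_level: int) -> str:
        """Local enforcement: unlabeled information may go out only at the
        channel's current level, and not at all while a change is pending."""
        if self.quiesced:
            return "refused: level change pending"
        if self.channel_level is None:
            return "refused: channel level not established"
        if info_level != self.channel_level:
            return f"refused: information at level {info_level} on a level-{self.channel_level} channel"
        return "sent"


class SingleLevelChannel:
    """Coordinates the level of one channel among all attached partitions."""

    def __init__(self, partitions: list[Partition]):
        self.partitions = partitions
        self.level: int | None = None
        self.epoch = 0

    def change_level(self, new_level: int) -> str:
        """Change ordered by an authorized user: every partition must acknowledge
        before any information flows at the new level; otherwise nothing changes."""
        self.epoch += 1
        replies = {p.name: (p.on_change_request(new_level) if p.reachable else "TIMEOUT")
                   for p in self.partitions}
        if all(r == "ACK" for r in replies.values()):
            for p in self.partitions:
                p.on_commit(new_level)
            self.level = new_level
            return f"committed level {new_level} at epoch {self.epoch}"
        for p in self.partitions:
            p.on_abort()
        failed = ", ".join(f"{n} {r}" for n, r in replies.items() if r != "ACK")
        return f"aborted: {failed}"


def demo() -> list[str]:
    p1, p2 = Partition("P1", (0, 3)), Partition("P2", (0, 2))
    ch = SingleLevelChannel([p1, p2])
    out = [p1.transmit(1)]            # nothing may flow before a level is agreed
    out.append(ch.change_level(1))
    out.append(p1.transmit(1))
    out.append(p1.transmit(2))        # wrong level for the channel
    out.append(ch.change_level(3))    # P2's device cannot operate at level 3
    out.append(p1.transmit(1))        # level 1 still in force after the abort
    p2.reachable = False
    out.append(ch.change_level(2))    # lost acknowledgement: no change
    out.append(p1.transmit(2))
    return out
```

The lost-acknowledgement case is the reason the text asks for a reliable protocol: if a partition never learns of the change, the two ends would assign different implied labels to the same information, so the coordinator must treat silence as refusal rather than assume the change was received.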
B.7. Miscellaneous Considerations
B.7.1. Reference Monitor, Security Kernel, and Trusted Computing Base
The notion of a ``reference monitor'' is the primary
abstraction allowing an orderly evaluation of a stand-alone
computer system with respect to its abilities to enforce
both mandatory and discretionary access controls for the
The TCSEC Glossary defines the ``Reference Monitor Con-
cept'' as ``an access control concept that refers to an
abstract machine that mediates all accesses to objects by
includes the notion of protection, the abstraction itself is
independent of any particular access control policy. The
abstraction assumes that a system is comprised of a set of
active entities called ``subjects'' and a set of passive
entities called ``objects''. The control over the relation-
objects by subjects, is mediated by the reference monitor in
trol policy being enforced, are permitted by the reference
monitor. The reference monitor is thus the manager of the
the monitor is that there is a well-defined interface, or
``perimeter'', between the reference monitor itself and the
viding protection, the implementation of a reference monitor
must be (1) tamper-proof, (2) always invoked, and (3) simple
enough to support the analysis leading to a high degree of
assurance that it is correct.
The hardware and software components of a computer sys-
tem implementing a reference monitor meeting these princi-
Glossary as ``the hardware, firmware, and software elements
of a Trusted Computing Base that implement the reference
monitor concept. It must mediate all accesses, be protected
from modification, and be verifiable as correct''.
From this definition, it is apparent that a ``security
kernel'' (if there is one) is always part of the TCB of a
computer system, defined as ``the totality of protection
mechanisms within a computer system - including hardware,
firmware, and software - the combination of which is respon-
Trusted Computing Base to correctly enforce a security policy
depends solely on the mechanisms within the TCB and on
the correct input by system administrative personnel of
sms involved in the implementation of supporting policies,
involved only with the enforcement of access control poli-
cies.
B.7.2. Network Trusted Computer Base and Reference Monitor
The notions of a TCB, and, for the higher evaluation
classes, security kernel and reference monitor can, with
tion of trusted networks without significant change. In
network (including mechanisms provided by connected host
that an evaluated network has a single NTCB, as the NTCB is,
by definition, the totality of enforcement mechanisms for
the stated policy.
For the higher evaluation classes the TCSEC requires,
in effect, that a reference monitor be implemented as part
of the TCB. This, at least in theory, is not the only con-
ceivable technology for implementing a highly-assured system
(one could envision a completely verified system, for
instance); however, it appears to be the only current tech-
nology with a proven track record, and within the current
For these reasons, the Part I of the TNI takes a prag-
matic stance with regard to specifying interpretations for
Trusted Networks: that the TCSEC notions of ``reference monitor''
and ``security kernel'' be applied in the network
NTCB of a Trusted Network of class B2 or above must contain
the physical realization of a reference monitor which medi-
ates all references within the networked system of subjects
to objects, is tamperproof, and is small enough, in aggre-
B.7.3. NTCB Partitions
The view taken of a ``network system'' throughout the
TNI is that the network can be partitioned into ``com-
cation capabilities. Given such a decomposition, the func-
tions of the NTCB must be allocated in some coherent way to
the various components of the network.
The following terminology is introduced: the totality
of hardware, firmware, and software mechanisms within a sin-
(i.e., every part of the network system, including hosts, is
accounted for) and disjoint (i.e., no parts are shared
between components), the NTCB partitions collectively are a
true partition of the NTCB; they are non-overlapping and
complete.
For Mandatory Access Control Policy, a large and useful
class of networks can be envisioned, which allows a clean
ng partitions can be evaluated relative to enforcement of
mandatory access controls using conservative interpretations
of the TCSEC, and the correctness of the composition of
these components into a network enforcing the overall policy
for mandatory access controls is easily confirmable as well.
For sponsors wishing to obtain an overall evaluation class
for a network system, such a ``partitionable'' network
architecture should be chosen.
Concisely, the network architecture must have the fol-
lowing salient features: (1) subjects and objects within
multilevel processing components are given the usual TCSEC
interpretation; (2) subjects and objects are confined
(In practice, this means there are no directly accessible,
the access-relevant security state of the subjects and
objects within a component, is maintained locally by the
NTCB partition of that component. (It may be the case that
information representing the component's state may be distri-
buted to other components for the purpose of overall network
control, recovery, etc. but the decision to permit or
available state information.
A network of host processors and peripherals, intercon-
nected according to these rules, may be roughly described,
control of the two security kernels, to a subject in another
component. However, the basic principle to be seen at this
(i.e., constrained to be by a subject within a component to
an object within that component), all accesses are mediated
by the security kernel within a component. Thus, the totality
of all of the security kernels within the system is ade-
quate to mediate all accesses made within the system.
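The reference monitor of B.7.1 and the partitioning of B.7.3, as an added illustration that is not part of the TNI text: each component's NTCB partition owns a monitor that mediates every access by its local subjects to its local objects, enforcing the mandatory policy by label dominance (simple security for reads, the *-property for writes) and the discretionary policy by an access control list, and refusing any reference that is not local. Because objects are never shared between components, the collection of these monitors mediates every access in the system; information crosses components only through each component's own device object, as in Figure B1. The label structure (level plus compartments), the ACL representation and the sample subjects and objects are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus a set of compartments."""
    level: int
    compartments: frozenset[str] = frozenset()

    def dominates(self, other: Label) -> bool:
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class Subject:
    name: str
    component: str       # the component whose NTCB partition hosts this subject
    clearance: Label


@dataclass
class Object:
    name: str
    component: str       # objects are never shared between components
    label: Label
    acl: dict[str, set[str]] = field(default_factory=dict)   # discretionary: subject -> modes


class PartitionMonitor:
    """Reference monitor of one NTCB partition. It mediates every access by a
    local subject to a local object and refuses any reference that is not local."""

    def __init__(self, component: str, audit: list[str]):
        self.component = component
        self.audit = audit

    def mediate(self, subj: Subject, obj: Object, mode: str) -> bool:
        if subj.component != self.component or obj.component != self.component:
            return self.deny(subj, obj, mode, "not local to this partition")
        if mode == "read" and not subj.clearance.dominates(obj.label):
            return self.deny(subj, obj, mode, "clearance does not dominate label")
        if mode == "write" and not obj.label.dominates(subj.clearance):
            return self.deny(subj, obj, mode, "write down")
        if mode not in obj.acl.get(subj.name, set()):
            return self.deny(subj, obj, mode, "not permitted by ACL")
        self.audit.append(f"PERMIT {subj.name} {mode} {obj.name}")
        return True

    def deny(self, subj: Subject, obj: Object, mode: str, why: str) -> bool:
        self.audit.append(f"DENY {subj.name} {mode} {obj.name}: {why}")
        return False


class NTCB:
    """The network TCB is the collection of partition monitors; a reference is
    routed to the monitor of the subject's own component, the only one that
    can mediate it."""

    def __init__(self, components: list[str]):
        self.audit: list[str] = []
        self.partitions = {c: PartitionMonitor(c, self.audit) for c in components}

    def access(self, subj: Subject, obj: Object, mode: str) -> bool:
        return self.partitions[subj.component].mediate(subj, obj, mode)


def demo() -> list[str]:
    secret, unclass = Label(2), Label(0)
    crypto = Label(2, frozenset({"CRYPTO"}))
    ntcb = NTCB(["P1", "P2"])
    s1, s2 = Subject("S1", "P1", secret), Subject("S2", "P2", secret)
    file1 = Object("file1", "P1", secret, {"S1": {"read", "write"}, "S2": {"read"}})
    plan = Object("plan", "P1", crypto, {"S1": {"read"}})
    bulletin = Object("bulletin", "P1", unclass, {"S1": {"read", "write"}})
    d1 = Object("D1", "P1", secret, {"S1": {"write"}})    # P1's end of the channel
    d2 = Object("D2", "P2", secret, {"S2": {"read"}})     # P2's end of the channel
    ntcb.access(s1, file1, "read")
    ntcb.access(s2, file1, "read")      # denied: S2 is in P2, file1 in P1, despite the ACL
    ntcb.access(s1, plan, "read")       # denied: S1 lacks the CRYPTO compartment
    ntcb.access(s1, bulletin, "write")  # denied: *-property
    ntcb.access(s1, bulletin, "read")
    ntcb.access(s1, d1, "write")        # S1 transmits via its local device ...
    ntcb.access(s2, d2, "read")         # ... and S2 receives via its own
    return ntcb.audit
```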
B.8. Summary and Conclusions
In this Appendix, the rationale for the partitioning of
the NTCB into a set of cooperating, loosely-coupled NTCB
viewed as a locally autonomous reference monitor, enforcing
the access of local subjects to local objects and devices.
Because the partitioning is carefully constrained to reflect
the lack of sharing of objects among components, (while
allowing the transmission of information between components
through shared physical media), the aggregate of locally
autonomous NTCB partitions is adequate to mediate all
accesses of subjects to objects and thus is adequate to form
the basis for a reference monitor for the entire network
interpreted as an individual Formal Security Policy Model
for each component enforcing access controls, suffices to
meet the requirements of the Security Policy. The postu-
lated network architecture and design (that are presented by
the network sponsor) suffices to allow evaluation of the
APPENDIX C
Interconnection of Accredited AIS
C.1. Purpose
As was discussed in the Introduction to this document,
there are many "networks" that can not be meaningfully
evaluated as a ``single trusted system'' because they are
evaluation rating can adequately reflect the trust that can
be placed in the "network". The purpose of this Appendix is
to provide guidance concerning how to interconnect systems
in such a way that mandatory security policies are not
violated.
C.1.1. Problem Statement
The interconnected accredited Automated Information
System (AIS) view is an operational perspective which recog-
nizes that parts of the network may be independently
created, managed, and accredited. Interconnected accredited
AIS consist of multiple systems (some of which may be
trusted) that have been independently assigned accreditation
mation that may be simultaneously processed on that system.
ces" with which neighboring systems can send and receive
information. Each AIS is accredited to handle sensitive
information at a single level or over a range of levels.
An example of when the interconnected accredited AIS
view is necessary is a network consisting of two A1 systems
and two B2 systems, all of which are interconnected and all
of which may be accessed locally by some users. It is easy
to see that, if we regard this as a single trusted system,
it would be impossible for it to achieve a rating against
accurate reflection of the trust that could be placed in the
two A1 systems and interconnections between them. The sin-
ng.
While it provides much less information about a system
than does a meaningful evaluation rating, taking the inter-
connected accredited AIS view of the network provides gui-
C.1.2. Component Connection View and Global Network View
There are two aspects of the Interconnected Accredited
AIS view of a network that must be addressed: the component
connection view and the global network view. These two
views are discussed below and will be examined in greater
Any AIS that is connected to other AIS must enforce an
"Interconnection Rule" that limits the sensitivity levels of
information that it may send or receive. Using the com-
taining the separation of multiple levels of information
must decide locally whether or not information can be sent
or received. This view, then, does not require a component
to know the accreditation ranges of all other components on
the network; only of its immediate neighbors (i.e., those
In addition to the Interconnection Rule, there may be
other constraints placed on a network to combat potential
addressing some of the other constraints placed on a net-
accreditation ranges of all components of the system. These
accreditation ranges are taken into account when determining
the system. In this way, the potential damage that can
occur when information is compromised or modified can be
limited to an acceptable level.
An example of a problem for which constraints may be
lem." This occurs when AIS are interconnected in such a way
that the potential damage from unauthorized disclosure or
modification is above an acceptable level. The network
ting the accreditation ranges of AISs that can be intercon-
nected.
C.2. Accreditation Ranges and the Interconnection Rule
C.2.1. Accreditation Ranges
The AIS accreditation range reflects the judgement of
the accreditor on the ability of the component to appropri-
ately segregate and manage information with respect to its
network connections in accord with the designated sensi-
tivity levels. An ADP system that has been accredited for
(stand-alone) system high operation would be assigned an
accreditation range having a single sensitivity level equal
to the system high sensitivity level of the system. Such a
levels of information processed. All the information
exported from such a system must be labeled with the
manual review to assign a lower level. A multilevel
(stand-alone) AIS might be assigned an accreditation range
equal to the entire set of levels processed. In this case,
the label of the exported data is equal to the actual level
of the data processed within the accredited range.
In a network context, the accreditation range bounds
the sensitivity levels of information that may be sent
(exported) to or received (imported) from other components.
each component will be assigned single-valued accreditation
Consider an example, illustrated in Figure C1, which
uses accreditation ranges along with an approach based on
the Environmental Guidelines.- Component A is a class B2
through SECRET. Component B is a class A1 system and has an
accreditation range of CONFIDENTIAL through TOP SECRET.
Thus, if Component A has a direct connection to Component B,
the accreditation ranges provide a basis for both components
to be assured that any data sent or received will not
"exceed" (that is, will be dominated by) SECRET in its clas-
Figure C1. Accreditation Ranges Illustrated
(Note: Figure not included)
C.2.2. Interconnection Rule
A multilevel network is one in which some users do not
A multilevel network therefore is one that processes a range
of sensitive information, which must be protected from unau-
thorized disclosure or modification.
Each component of the network must be separately
accredited to operate in an approved security mode of opera-
tion and for a specific accreditation range. The component
is accredited to participate in the network at those levels
and only those levels.
According to this definition, a multilevel network may
comprise a mixture of dedicated, system high, compartmented,
controlled, and multilevel components, where two or more
ments, and/or some users do not have all formal access
approvals.
The following requirement must be met in multilevel
networks.
_________________________
- Security Requirements: Guidance for Applying the
Department of Defense Trusted Computer System Evalua-
tion Criteria in Specific Environments, CSC-STD-003-85
C.2.2.1. Information Transfer Restrictions
Each I/O device used by an AIS to communicate with
other AIS must have a device range associated with it. The
levels (in which case the device is referred to as mul-
tilevel), and it must be included within the AIS accredita-
tion range.
Information exported or imported using a single-level
imported at another must be labeled through an agreed-upon
cation link that always carries a single level.
Information exported at a given security level can be
that level or a higher level. If the importing device range
beled upon reception at a higher level within the importing
C.2.2.2. Discussion
The purpose of device labels is to reflect and con-
The information transfer restrictions permit one-way
communication (i.e., no acknowledgements) from one device to
another whose ranges have no level in common, as long as
each level in the sending device range is dominated by some
level in the receiving device range. It is never permitted
to send information at a given level to a device whose range
It is not necessary for an AIS sending information to
another AIS through several other AISs to know the accredi-
tation range of the destination system, but it may be bene-
ficial to network performance; if the originator knows that
the information cannot be delivered, then it will not try to
In the case of interconnected accredited AISs, the
accreditation of a component system and the device ranges of
its network interface devices are set by a component
administrator in agreement with the network administrator.
These ranges are generally static, and any change in them is
considered to be a reconfiguration of the network.
In summary, then, if the Interconnection Rule is fol-
lowed, information will never be improperly sent to a com-
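An added example (not code from NCSC-TG-005) of the device-range checks in C.2.2.1 and the one-way rule in C.2.2.2, using the hierarchical levels of this Appendix; the device ranges are constructed, and the upward relabeling on reception is shown as the lowest dominating level of the importing range.

```python
"""Interconnection Rule check for device ranges, as an added example
(not code from NCSC-TG-005). Levels and ranges below are constructed."""

# Hierarchical sensitivity levels used in Appendix C, lowest to highest.
LEVELS = ["U", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True when level a dominates level b (a is at least as high)."""
    return RANK[a] >= RANK[b]


def device_range(low: str, high: str) -> list:
    """Levels low..high inclusive: a single-level device when low == high,
    a multilevel device otherwise."""
    if RANK[low] > RANK[high]:
        raise ValueError("device range: low level must not exceed high")
    return LEVELS[RANK[low]:RANK[high] + 1]


def within_accreditation(dev: list, accred: list) -> bool:
    """C.2.2.1: a device range must lie inside the AIS accreditation range."""
    return set(dev) <= set(accred)


def import_label(level: str, receiver: list):
    """Label assigned on reception: the level itself when the receiving
    device carries it, otherwise the lowest receiving level that
    dominates it (relabeling upward); None when no such level exists."""
    for r in sorted(receiver, key=RANK.get):
        if dominates(r, level):
            return r
    return None


def one_way_allowed(sender: list, receiver: list) -> bool:
    """C.2.2.2: one-way traffic (no acknowledgements) is permitted even
    between ranges with no level in common, provided every sending level
    is dominated by some receiving level."""
    return all(import_label(s, receiver) is not None for s in sender)


def two_way_allowed(a: list, b: list) -> bool:
    """Acknowledged traffic must satisfy the rule in both directions."""
    return one_way_allowed(a, b) and one_way_allowed(b, a)


if __name__ == "__main__":
    low_side = device_range("C", "S")     # constructed: C through S
    high_side = device_range("S", "TS")   # constructed: S through TS
    print("low -> high:", one_way_allowed(low_side, high_side))   # True
    print("high -> low:", one_way_allowed(high_side, low_side))   # False
    print("U data lands at:", import_label("U", device_range("S", "S")))  # S
```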
C.3. The Global Network View
The above rule applies for communication between any
two (or more) accredited systems. However, it does not
enforce any of the additional constraints that may be placed
on a network. Even when all components have been evaluated
(either against the TCSEC, or against Appendix A of this
may be other potential security problems. In order to
address these problems, it is necessary to adopt a global
view of the network. That is, it is no longer determinable
locally whether or not a constraint is being satisfied.
Two global concerns will be discussed below. One con-
cern is the propagation of local risk; the other is the cas-
cading problem.
C.3.1. Propagation of Local Risk
The Environmental Guidelines recommend minimum classes
of trusted systems for specific environments. The recommen-
minimum architectural requirements and assurance appropriate
to counter a specific level of risk.
In many cases, operational needs have led to the
accreditation of systems for multilevel operation that would
not meet the requirements of the recommended class. While
the increased risk may be accepted by the users of a partic-
ular AIS, connection of such an AIS to a network exposes
users of all other AISs in the network to the additional
Consequently, when an unevaluated AIS, or one that does
not meet the class recommended for its accreditation, is
considered, such as one-way connections, manual review of
transmissions, cryptographic isolation, or other measures to
limit the risk it introduces.
C.3.2. The Cascading Problem
One of the problems that the interconnection rule does
not address is the cascading problem. The cascading problem
exists when a penetrator can take advantage of network con-
nections to compromise information across a range of secu-
any of the component systems he must defeat to do so. Cas-
cading is possible in any connected network that processes a
in others as well.
As an example of the cascading problem, consider two
classifications of information, as shown in Figure C2.
System A processes SECRET and TOP SECRET information, and
all users are cleared to at least the SECRET level. System
B processes CONFIDENTIAL and SECRET information, and all
users are cleared to at least the CONFIDENTIAL level.
While the risk of compromise in each of these systems
is small enough to justify their use with two levels of
information, the system as a whole has three levels of
information, increasing the potential harm that could be
caused by a compromise. When they are connected so that
SECRET information can pass from one to the other, a pene-
trator able to defeat the protection mechanisms in these
CONFIDENTIAL level.
Figure C2. Cascade Problem, Illustration 1
(Note: Figure not included)
Consider this chain of events: a penetrator (1) over-
comes the protection mechanism in System A to downgrade some
TOP SECRET information to SECRET; (2) causes this informa-
tion to be sent over the network to System B; and (3) over-
comes the protection mechanism in System B to downgrade that
C.3.2.1. Problem Identification
There are various approaches, with different degrees of
complexity and precision, for recognizing a potential cas-
cading problem. Two of these approaches will be addressed
in this Appendix. The first is a fairly simple test that
can ensure that a network does not have a cascading problem:
the nesting condition. The second, discussed in Section
C.4, is a less conservative but much more complex heuristic
that takes into account the connectivity of the network and
the evaluation classes of the component AIS.
The nesting condition is satisfied if the accreditation
in common) or nested, i.e., one is included within the
other. In most cases, the nesting condition is enough to
this is a somewhat conservative test; there are cases where
the nesting condition fails, but there is actually no cas-
cading problem.
Example 1: Consider the situation illustrated in Fig-
ure C1. The accreditation range of Component A is nested
tained within C-TS). Therefore, the nesting condition is
Example 2: Consider the situation illustrated in Fig-
ure C2. The accreditation ranges of System A and System B
are not disjoint; neither is one completely contained within
the other. Therefore, the nesting condition fails, and a
cascading condition is indicated.
Example 3: Consider the situation illustrated in Fig-
ure C3. Again, the nesting condition does not hold, because
the accreditation range of System B is neither disjoint from
nor contained in that of Systems A and C. A cascading con-
in this Appendix that Figure C3 actually does not contain a
cascading condition, due to the presence of the end-to-end
encryption devices.
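The nesting condition of C.3.2.1 as an added example (not code from NCSC-TG-005): it reports every pair of components whose accreditation ranges overlap without one containing the other, the conservative test that the text notes can fail even where no cascade exists. The ranges are constructed after Figures C2 and C3, and checking all pairs rather than only linked pairs is an assumption.

```python
"""Nesting-condition test (C.3.2.1), added example, not from NCSC-TG-005.
Accreditation ranges are (lowest, highest) pairs over the hierarchical
levels; all pairs of components are checked (assumed reading)."""
from itertools import combinations

LEVELS = ["U", "C", "S", "TS"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def disjoint(a: tuple, b: tuple) -> bool:
    """No level in common: one range ends below the other begins."""
    return RANK[a[1]] < RANK[b[0]] or RANK[b[1]] < RANK[a[0]]


def nested(a: tuple, b: tuple) -> bool:
    """One range is included within the other (equal ranges count)."""
    a_in_b = RANK[b[0]] <= RANK[a[0]] and RANK[a[1]] <= RANK[b[1]]
    b_in_a = RANK[a[0]] <= RANK[b[0]] and RANK[b[1]] <= RANK[a[1]]
    return a_in_b or b_in_a


def nesting_condition(a: tuple, b: tuple) -> bool:
    """Holds for a pair of ranges when they are disjoint or nested."""
    return disjoint(a, b) or nested(a, b)


def nesting_failures(ranges: dict) -> list:
    """Pairs of components whose ranges overlap without nesting; an empty
    list means the network passes the (conservative) nesting test."""
    for low, high in ranges.values():
        if RANK[low] > RANK[high]:
            raise ValueError("accreditation range: low must not exceed high")
    return [(x, y) for x, y in combinations(sorted(ranges), 2)
            if not nesting_condition(ranges[x], ranges[y])]


# Constructed after Figure C2: A handles S..TS, B handles C..S.
FIGURE_C2 = {"A": ("S", "TS"), "B": ("C", "S")}
# Constructed after the shape of Figure C3: B overlaps A and C, which are equal.
FIGURE_C3 = {"A": ("S", "TS"), "B": ("C", "S"), "C": ("S", "TS")}

if __name__ == "__main__":
    print("Figure C2 failures:", nesting_failures(FIGURE_C2))  # [('A', 'B')]
    print("Figure C3 failures:", nesting_failures(FIGURE_C3))  # [('A', 'B'), ('B', 'C')]
```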
C.3.2.2. Solutions
When a cascading problem is to be addressed, there are
trusted system at appropriate nodes in the network, so that
a penetrator will be forced to overcome a protection mechan-
ism commensurate with the seriousness of the potential
compromise. In the example depicted in Figure C2, if either
ficient according to the Environmental Guidelines for a
Another possible solution is to eliminate certain net-
end encryption. End-to-end encryption allows hosts that need
to communicate to do so, while eliminating additional
unnecessary cascading risk on the path from one to the
other.
Figure C3. Cascade Problem, Illustration 2 (End-to-End Encryption)
(Note: Figure not included)
In Figure C3, suppose that System A needs only to com-
municate with System C, and B is just an intermediate node.
The possible cascade from TOP SECRET in A to CONFIDENTIAL in
B can be avoided by applying end-to-end encryption from A to
C, since encrypted data from A can be released at the CONFI-
DENTIAL level in B without compromise.
Note that end-to-end encryption is of no help in the
Figure C2 example, since the systems participating in the
cascade were required to communicate.
In some situations where the potential for a cascading
tions, as described above, generally requires coordination
between attacks on two connected systems. It may be possi-
ble to determine, in individual cases, that opportunities
for this kind of coordination, in the form of common
On a more global scale, one might divide the network
into communities, with respect to the possibility of cascad-
ing. If connections between one community and another were
believed not to support a cascade threat, then a cascading
analysis would be performed only within each community.
C.3.2.3. Networks of Evaluated Systems
If the systems to be interconnected can be assigned
evaluation classes, the ratings of these systems can be used
as input to analysis procedures for detecting the cascade
conditions necessary for the absence or presence of a cas-
cade problem.
An assertion called the Cascade Condition will be
in terms of the evaluation ratings of the interconnected
tions between them.
Some definitions are needed in order to state the cas-
cade condition formally. The terminology given below is
meant to be used only in the context of this section.
A protection region is a pair (h,s) such that h is a
network component and s is a sensitivity level processed by
component h.
A step is an ordered pair of protection regions
(h1,s1), (h2,s2) such that either
link), or
A path is a sequence of protection regions such that
each consecutive pair of regions is a step.
A path is a sequence of protection regions that may be
traversed, step by step, by data. A step along a network
link is possible either when there is a direct communica-
tions link from one component to the other carrying
information at a given level, or when there is an indirect,
end-to-end encrypted connection in which intermediate com-
be) a covert channel.
Given a host h, let L(h) be the minimum clearance of
users of h. Given a sensitivity level s, one can use the
Environmental Guidelines to determine the minimum evaluation
class C(s,h) required for a system with the associated risk
index. The requirement for open environments should be used
unless all systems on the path are closed. Note that C(s,h)
L(h) is greater than zero.
With these definitions, we can now state the Cascade
Condition:
For any path (h1,s1),...,(hn,sn) such that sn = L(hn)
and C(s1,hn) is at least B1, there must exist at least one
class of hi is at least C(s1,hn), and si is not dominated by
This condition can be paraphrased by saying that every
available to an insufficiently cleared user of hn must over-
come the protection mechanism in a component of class at
least C(s1,hn).
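The Cascade Condition as a runnable path search, added here as an example (not code from NCSC-TG-005). Assumptions: a step is either a move within one component between two of its levels or a move along a link at a single level; C(s,h) is derived from the risk index s minus L(h) with ratings and an open-environment minimum-class table as the author recalls the Environmental Guidelines, so treat both tables as approximations; the two-component network is constructed after Figure C2 with constructed evaluation classes B2 and B1.

```python
"""Cascade Condition check (C.3.2.3) over protection regions.
Added example, not from NCSC-TG-005. Risk-index ratings and the
minimum-class table are assumed approximations of the Environmental
Guidelines; the sample network is constructed after Figure C2."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed Yellow Book sensitivity ratings (TOP SECRET jumps to 5).
LEVEL_RATING = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}
CLASS_RANK = {"D": 0, "C1": 1, "C2": 2, "B1": 3, "B2": 4, "B3": 5,
              "A1": 6, "A1+": 7}          # A1+: beyond any evaluated class
# Assumed open-environment minimum class by risk index.
MIN_CLASS = {1: "B1", 2: "B2", 3: "B3", 4: "A1"}

Region = Tuple[str, str]                   # (component h, level s)
Link = Tuple[str, str, str]                # (from h1, to h2, level carried)


@dataclass(frozen=True)
class Host:
    levels: frozenset                      # sensitivity levels processed
    min_clearance: str                     # L(h)
    eval_class: str                        # evaluation class of h


def dominates(a: str, b: str) -> bool:
    return LEVEL_RATING[a] >= LEVEL_RATING[b]


def required_class(s: str, h: str, hosts: Dict[str, Host]) -> Optional[str]:
    """C(s,h): minimum class for risk index s - L(h); None when the
    index is not positive (C(s,h) is then undefined)."""
    idx = LEVEL_RATING[s] - LEVEL_RATING[hosts[h].min_clearance]
    if idx <= 0:
        return None
    return MIN_CLASS.get(idx, "A1+")


def successors(region: Region, hosts: Dict[str, Host],
               links: Set[Link]) -> List[Region]:
    """Steps out of a region: within the component to another of its
    levels, or along a link that carries the region's level."""
    h, s = region
    inside = [(h, t) for t in sorted(hosts[h].levels, key=LEVEL_RATING.get)
              if t != s]
    along = [(h2, s) for (h1, h2, lvl) in sorted(links)
             if h1 == h and lvl == s]
    return inside + along


def path_satisfies(path: List[Region], hosts: Dict[str, Host]) -> bool:
    """The Cascade Condition for one path (h1,s1),...,(hn,sn)."""
    (_, s1), (hn, sn) = path[0], path[-1]
    if sn != hosts[hn].min_clearance:      # only paths ending at L(hn) count
        return True
    req = required_class(s1, hn, hosts)
    if req is None or CLASS_RANK[req] < CLASS_RANK["B1"]:
        return True
    # Some within-component step must downgrade (si not dominated by
    # si+1) inside a component of class at least C(s1,hn).
    for (hi, si), (hj, sj) in zip(path, path[1:]):
        if (hi == hj and not dominates(sj, si)
                and CLASS_RANK[hosts[hi].eval_class] >= CLASS_RANK[req]):
            return True
    return False


def cascade_violations(hosts: Dict[str, Host],
                       links: Set[Link]) -> List[List[Region]]:
    """Every simple path that violates the Cascade Condition."""
    found: List[List[Region]] = []

    def walk(path: List[Region], seen: Set[Region]) -> None:
        if len(path) > 1 and not path_satisfies(path, hosts):
            found.append(list(path))
        for nxt in successors(path[-1], hosts, links):
            if nxt not in seen:
                walk(path + [nxt], seen | {nxt})

    for h, host in hosts.items():
        for s in sorted(host.levels, key=LEVEL_RATING.get):
            walk([(h, s)], {(h, s)})
    return found


def figure_c2_network(class_a: str = "B2", class_b: str = "B1"):
    """Constructed after Figure C2: A holds S and TS with users cleared
    to S; B holds C and S with users cleared to C; a SECRET link."""
    hosts = {"A": Host(frozenset({"S", "TS"}), "S", class_a),
             "B": Host(frozenset({"C", "S"}), "C", class_b)}
    links = {("A", "B", "S"), ("B", "A", "S")}
    return hosts, links


if __name__ == "__main__":
    for path in cascade_violations(*figure_c2_network()):
        print("cascade:", " -> ".join(f"{h}:{s}" for h, s in path))
    print("with A at B3:", cascade_violations(*figure_c2_network("B3")))  # []
```

Raising either component to B3, the class the assumed table requires for a TOP SECRET to CONFIDENTIAL risk index, clears the violation, matching the first solution in C.3.2.2.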
C.4. EXAMPLE: An Heuristic Procedure for Determining if an
There should be some way of determining whether a sys-
tem has a risk index that is too great for its evaluation
Given the goal of not allowing a greater risk than is recom-
mended by the Environmental Guidelines, the following is an
tems and determine if they fall within the bounds prescribed
by the Environmental Guidelines. (In formal terms, this
algorithm is an approximate test for the Cascade Condition,
not intended to be prescriptive: it is merely one way of
examining the problem. There are doubtless many other ways
that are just as valid.
Furthermore, as with any heuristic algorithm, this cannot be
through trial and error; it produces reasonable results
(e.g., it disallows systems when it seems prudent; it recom-
mends levels of security that are consistent with the
Environmental Guidelines).
This algorithm should not be taken to be anything more
than intended; it does not magically solve all network secu-
ous systems.
The following describes an algorithm for determining
Guidelines. The algorithm is based on the idea of dividing
up a network into groups (where a group is defined to be a
tion i.e., send and receive data at a common sensitivity
level, and have an evaluation Class at or below a given
level).
The risk presented by any given group can be compared
to the maximum allowed risk, as defined by the Yellow Book
for a system at the given evaluation class, to determine if
any community presents an unacceptable risk.
the network. This table, illustrated in Table C1,
should include for each component the following
information: Component ID, Evaluation Class, Range
of Security Classifications at which the component
sends data to the network, List of Security Classif-
ications at which the component receives data from
the network, Maximum of (highest level of data
received from network and highest level of data pro-
cessed by component), Minimum of (clearance of the
user with the lowest clearance of the users with
direct access to the component and lowest level of
data sent to the network from the component).
Table C1. Example Entry:
(Note: Table not included)
Table Maximum and a Network Table Minimum. The Net-
work Table Evaluation Class will be the highest
evaluation class of any component listed in the
table. (In Table C1, this is A1.) The Network
Table Maximum will be the maximum of the Maximums
associated with all the components listed in the
table which send data to the network. (This is
determined by taking the highest entry in the "Max-
imum" column; in Table C1, it is TS.) The Network
Table Minimum will be the minimum of the Minimums
associated with all the components listed in the
table which receive data from the network. (This is
determined by taking the lowest entry in the
"Minimum" column; in Table C1, this is FOUO.)
than B1 (i.e., A1, B3, or B2), then tables for each
evaluation class lower than the Class of the Network
Table, must be produced, down to table(s) for the C1
class. These tables will be produced for each
evaluation class by first listing any one component
whose evaluation class is less than or equal to the
evaluation class for the table. Then, add to the
table all components that meet all of the following
conditions:
a) They have an evaluation class less than or
equal to the class of the table.
b) They receive data from the network at a level
that is being sent by a component that is
already in the table.
c) They send data to the network at a level that
is equal to or less than any node already in
the table.
Network Table Evaluation Class of each table is com-
pared to the Maximum and Minimum for the Table with
regard to the rules specified by the Environmental
Guidelines.
the Environmental Guidelines then the Network passes
the assurance requirements. If any of the Tables
provide a greater risk index than is permitted by
the Environmental Guidelines then the Network pro-
vides a high level of risk, and should not be con-
nected as currently designed.
Table C2. B2 TABLE 1
(Note: Table not included)
Table C3. B2 TABLE 1, EXTENDED
(Note: Table not included)
Table C4:
Table C4(a). B2 TABLE 1
(Note: Table not included)
Table C4(b). B2 TABLE 2
(Note: Table not included)
C.4.1. Example B2 Table
As an example consider Table C2. This represents a B2
table under construction with a single entry. If in the net-
and could receive and send at C-S, this node would be added
to the table, producing Table C3. In contrast if there
existed in the network a B2 node that could receive at S-TS
but could only send at TS, this node would not be added to
Table C3 but could be used to start a second B2 table.
There would then be a set of two tables, represented in
Table C4.
C.4.2. Sample Network and Tables
A sample network is illustrated in Figure C4. The
tables that are produced for it are given in Tables C5(a)
through C5(h).
Notice at the B2 level the network is represented by
two tables, C5(b) and C5(c). This is due to the fact that
one of the components (Component C) is a receive-only com-
themselves due to the fact that they never can affect the
consideration to make with such components is whether they
are receiving data at a level dominated by the approved max-
imum processing level for the component.)
Notice at the B1 level the components are each in a
table by themselves (Tables C5(d), C5(e), and C5(f)). This
is due to the fact that although Component B may receive
a level lower than that sent by E (i.e., B can only send TS,
never Confidential or Unclassified). Thus there is no
"added" risk in having B receive data from E. If it were the
case that B could send data at a level lower than (or equal
to) E then they would be included in the same table since
they present an added (or equal) risk.
C.5. Environmental Considerations
Because of the very nature of networks, it is necessary
to say something about the assumptions made with respect to
addressed by this Appendix, the issues are also important in
the interconnected accredited AIS view. Therefore, this sec-
tion presents a brief description of some of the important
considerations. The interested reader is referred to Part
It is not, repeat, NOT the intent of this Appendix to
circumstances. Rather, it is to identify the requirements,
and where known, common methods of achieving the desired
This Appendix establishes the requirement for integrity
and the requirement to preserve the integrity of both con-
trol data and information in any other network.
C.5.1. Communications Integrity
The accreditor(s) will define transmission accuracy
ments involved in the interconnection of the components will
argument that they meet the requirements. Since absolute
transmission accuracy is not possible, a capability of test-
ing for, detecting and reporting errors will be demon-
of cryptographic checksums, protected wireways, and reliable
Hardware and/or software will be provided that can be
used to periodically validate the correct operation of all
elements involved in interconnecting two accredited com-
Trusted communications paths will be provided between
network elements whenever secure element-to-element communi-
cations are required. (Initialization, cryptographic key
management, change of subject or object security levels or
access authorizations, etc.)
C.5.2. Denial of Service
The accreditor(s) will define denial of service condi-
tions relative to the services being provided by the inter-
connected components. Hardware and/or software will be pro-
vided to periodically assure the accessibility of the inter-
connected components.
C.5.3. Data Content Protection
Where classified information or sensitive but unclassi-
fied information is to be exchanged between logically con-
nected components, it is the responsibility of each of the
DAAs to assure that the content of their communication is
of providing this protection include cryptography, and Pro-
tected Wireline Distribution Systems (PWDS).
Where the connection infrastructure is operated by a
of the individual DAA to determine whether this protection
is adequate for the information to be exchanged.
Figure C4. A Sample Network
(Note: Figure not included)
Component ID Permitted Operations
A Send and Receive data from C through TS
B Send and Receive TS-only
C Can Receive only audit records,
all of which are treated as TS
D Can Send and Receive C through TS
E Can Send and Receive S-only
F Send and Receive S and TS data
Table C5(a). NETWORK TABLE
NETWORK TABLE EVAL CLASS = A1
NETWORK TABLE MAXIMUM = TS
NETWORK TABLE MINIMUM = C
ENVIRONMENTAL GUIDELINES RULING = OK
(Note: Table not included)
(Note: since there are no B3 components, the B3 tables are
identical to the B2 tables and are therefore not reproduced
here.)
Table C5(b). B2 TABLE 1
TABLE EVAL CLASS = B2
TABLE MAXIMUM = TS
TABLE MINIMUM = S
ENV. GUIDELINES RULING = OK
Table C5(c). B2 TABLE 2
TABLE EVAL CLASS = B2
TABLE MAXIMUM = TS
TABLE MINIMUM = TS
ENV. GUIDELINES RULING = OK
(Note: Tables not included)
Table C5(d). B1 TABLE 1
TABLE EVAL CLASS = B1
TABLE MAXIMUM = S
TABLE MINIMUM = S
ENV. GUIDELINES RULING = OK
Table C5(e). B1 TABLE 2
TABLE EVAL CLASS = B1
TABLE MAXIMUM = TS
TABLE MINIMUM = TS
ENV. GUIDELINES RULING = OK
(Note: Tables not included)
Acronyms
ACL - Access Control List
ADP - Automatic Data Processing
AIS - Automated Information System
ARPANET - Advanced Research Projects Agency Network
COMSEC - Communications Security
CPU - Central Processing Unit
CRC - Cyclic Redundancy Code or Cyclic Redundancy Check
DAA - Designated Approving Authority
DBMS - Data Base Management System
DAC - Discretionary Access Control
DDN - Defense Data Network
DoD - Department of Defense
DoDIIS - Department of Defense Intelligence Information System
DOS - Denial-of-service
DTLS - Descriptive Top-Level Specification
E3 - End-to-end Encryption
FTLS - Formal Top-Level Specification
FTP - File Transfer Protocol
KDC - Key Distribution Center
LAN - Local Area Network
LRC - Longitudinal Redundancy Check
MAC - Mandatory Access Control
MDC - Manipulation Detection Code
MSM - Message Stream Modification
MWT - Maximum Waiting Time
NSA - National Security Agency
NTCB - Network Trusted Computing Base
OSI - Open System Interconnection
ROM - Read Only Memory
SACDIN - Strategic Air Command Digital Network
TAC - Terminal Access Controller
TCB - Trusted Computing Base
TCP - Transmission Control Protocol
TELNET - Network Virtual Terminal Protocol
TLS - Top Level Specification
TCSEC - Trusted Computer System Evaluation Criteria
TFE - Trusted Front-end Processor
TIU - Trusted Network Interface Unit
TNI - Trusted Network Interpretations
VMM - Virtual Machine Monitor
Glossary
- A -
Access - (1) A specific type of interaction between a
tion from one to the other. (2) The ability and the means
necessary to approach, to store or retrieve data, to commun-
icate with, or to make use of any resource of an ADP system.
Access control - (1) The limiting of rights or capabil-
ities of a subject to communicate with other subjects, or to
use functions or services in a computer system or network.
(2) Restrictions controlling a subject's access to an
object.
Access control list - (1) A list of subjects authorized
for specific access to an object. (2) A list of entities,
together with their access rights, which are authorized to
Accountability - the quality or state which enables
actions on an ADP system to be traced to individuals who may
then be held responsible. These actions include violations
and attempted violations of the security policy, as well as
allowed actions.
Accreditation - the managerial authorization and appro-
val, granted to an ADP system or network to process sensi-
tive data in an operational environment, made on the basis
of a certification by designated technical personnel of the
extent to which design and implementation of the system meet
achieving adequate data security. Management can accredit a
level recommended (e.g., by the Requirements Guideline-) for
the certification level of the system. If management
accredits the system to operate at a higher level than is
appropriate for the certification level, management is
accepting the additional risk incurred.
Accreditation range - of a host with respect to a par-
ticular network, is a set of mandatory access control levels
for data storage, processing, and transmission. The accredi-
tation range will generally reflect the sensitivity levels
of data that the accreditation authority believes the host
can reliably keep segregated with an acceptable level of
accreditation range is given. Thus, although a host system
might be accredited to employ the mandatory access control
levels CONFIDENTIAL, SECRET, and TOP SECRET in stand-alone
operation, it might have an accreditation range consisting
of the single value TOP SECRET for attachment to some net-
_________________________
- Security Requirements: Guidance for Applying the
Department of Defense Trusted Computer System Evalua-
tion Criteria in Specific Environments, CSC-STD-003-85
Audit trail - (1) A set of records that collectively
tracing from original transactions forward to related
mation collected or used to facilitate a Security Audit.
Authentication - (1) To establish the validity of a
claimed identity. (2) To provide protection against fraudu-
lent transactions by establishing the validity of message,
- B -
Bell-LaPadula Model - a formal state transition model
of computer security policy that describes a set of access
control rules. In this formal model, the entities in a com-
objects. The notion of a secure state is defined and it is
ing from secure state to secure state; thus, inductively
is compared to the classification of the object and a deter-
mination is made as to whether the subject is authorized for
the specific access mode. The clearance/classifications
tice, Simple Security Property, *-Property. For further
information see Bell, D. Elliott and LaPadula, Leonard J.,
Secure Computer Systems: Unified Exposition and MULTICS
(AD/A 020 445)
- C -
Category - a grouping of objects to which a non-
Certification - the technical evaluation of a system's
approval/accreditation process, that establishes the extent
to which a particular system's design and implementation
meet a set of specified security requirements.
Closed user group - a closed user group permits users
belonging to a group to communicate with each other, but
members of the group.
Communication channel - the physical media and devices
one component of a network to (one or more) other com-
Communication link - the physical means of connecting
one location to another for the purpose of transmitting
and/or receiving data.
Compartment - a designation applied to a type of sensi-
tive information, indicating the special handling procedures
to be used for the information and the general class of peo-
the designation of information belonging to one or more
categories.
Component - a device or set of devices, consisting of
network. A component is a part of the larger system, and
may itself consist of other components. Examples include
modems, telecommunications controllers, message switches,
technical control devices, host computers, gateways, commun-
ications subnets, etc.
Component Reference Monitor - an access control concept
that refers to an abstract machine that mediates all access
to objects within a component by subjects within the com-
Compromise - a violation of the security system such
that an unauthorized disclosure of sensitive information may
Confidentiality - the property that information is not
made available or disclosed to unauthorized individuals,
entities, or processes.
Configuration control - management of changes made to a
throughout the development and operational life of the sys-
tem.
Connection - a liaison, in the sense of a network
interrelationship, between two hosts for a period of time.
The liaison is established (by an initiating host) for the
the period of time is the time required to carry out the
intent of the liaison (e.g., transfer of a file, a chatter
the sense of this glossary) will coincide with a host-host
connection (in a special technical sense) established via
TCP or equivalent protocol. However, a connection (liaison)
can also exist when only a protocol such as IP is in use (IP
time). Hence, the notion of connection as used here is
independent of the particular protocols in use during a
liaison of two hosts.
Correctness - the extent to which a program satisfies
ts specifications.
Covert channel - a communications channel that allows a
the system's security policy. A covert channel typically
communicates by exploiting a mechanism not intended to be
used for communication. See Covert storage channel and
Covert timing channel. Compare Overt channel.
Covert storage channel - a covert channel that involves
the direct or indirect writing of a storage location by one
location by another process. Covert storage channels typi-
cally involve a finite resource (e.g., sectors on a disk)
that is shared by two subjects at different security levels.
Covert timing channel - a covert channel in which one
use of system resources (e.g., CPU time) in such a way that
this manipulation affects the real response time observed by
the second process.
- D -
Data confidentiality - the state that exists when data is held in confidence and is protected from unauthorized

Data integrity - (1) The state that exists when computerized data is the same as that in the source documents and or destruction. (2) The property that data has not been exposed to accidental or malicious alteration or destruction.

Dedicated Security Mode - the mode of operation in to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specific period of time. Compare Multilevel Security Mode, System High Security Mode.

Denial of service - the prevention of authorized access to system assets or services, or the delaying of time critical operations.

Descriptive top-level specification (DTLS) - a top-level specification that is written in a natural language (e.g., English), an informal program design notation, or a combination of the two.

Discretionary access control (DAC) - a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that: (a) A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject; (b) DAC is often employed to enforce need-to-know; (c) Access control may be changed by an authorized individual. Compare to Man-

Domain - the set of objects that a subject has the ability to access.

Dominated by (the relation) - a security level A is clearance/classification in A is less than or equal to the clearance/classification in B and the set of access approvals (e.g., compartment designators) in A is contained in (the set relation) the set of access approvals in B (i.e., each access approval appearing in A also appears in B). Depending upon the policy enforced (e.g., non-disclosure, integrity) the definition of "less than or equal to" and "contained in" may vary. For example, the level of an object of high integrity (i.e., an object which should be modifiable by very trustworthy individuals) may be defined to be "less than" the level of an object of low integrity (i.e., an object which is modifiable by everyone).

Dominates (the relation) - security level B dominates
- E -
Exploitable channel - any channel that is usable or Base.
- F -
Flaw - an error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.

Flaw hypothesis methodology - a system analysis and for the system are analyzed and then flaws in the system are tized on the basis of the estimated probability that a flaw actually exists and, assuming a flaw does exist, on the ease of exploiting it and on the extent of control or compromise it would provide. The prioritized list is used to direct the actual testing of the system.

Formal proof - a complete and convincing mathematical argument, presenting the full logical justification for each The formal verification process uses formal proofs to show the truth of certain properties of formal specification and for showing that computer programs satisfy their specifications. Automated tools may (but need not) be used to formulate and/or check the proof.

Formal security policy model - a mathematically precise the way in which the system progresses from one state to another, and a definition of a "secure" state of the system. To be acceptable as a basis for a TCB, the model must be all assumptions required by the model hold, then all future techniques include: state transition models, temporal logic models, denotational semantics models, algebraic specification models. See also: Bell-LaPadula Model, Security Policy Model.

Formal top-level specification (FTLS) - a Top-Level Specification that is written in a formal mathematical language to allow theorems showing the correspondence of the

Formal verification - the process of using formal between a formal specification of a system and a formal between the formal specification and its program implementation.

Functional testing - the portion of security testing in correct operation.
- H -
Hierarchical decomposition - the ordered, structured

Host - any computer-based system connected to the net- information exchange across the communications network. This definition encompasses typical "mainframe" hosts, generic terminal support machines (e.g., ARPANET TAC, DoDIIS NTC), and workstations connected directly to the communications subnetwork and executing the intercomputer networking contain the protocol software needed to perform information exchange; a workstation (by definition) is a host because it
- I -
Integrity - See data integrity and integrity policy.

Integrity Policy - a security policy to prevent unauthorized users from modifying, viz., writing, sensitive information. See also Security Policy.

Internal subject - a subject which is not acting as ated with any user but performs system-wide functions such as packet switching, line printer spooling, and so on. Also known as a daemon or a service machine.
- L -
Label - see Security Label and Sensitivity Label.

Lattice - a partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound.

Least privilege - this principle requires that each of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.
- M -
Mandatory access control - a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.

Multilevel device - a device that is used in a manner that permits it to simultaneously process data of two or more security levels without risk of compromise. To accom-

Multilevel secure - a class of system containing information with different sensitivities that simultaneously permits access by users with different security clearances and needs-to-know, but prevents users from obtaining access to information for which they lack authorization.

Multilevel Security Mode - the mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present. Compare Dedicated Security Mode, System High Security Mode.
- N -
Network architecture - the set of layers and protocols (including formats and standards that different tives) which define a Network.

Network component - a network subsystem which is evaluatable for compliance with the trusted network interpretations, relative to that policy induced on the com-

Network connection - A network connection is any logical or physical path from one host to another that makes the other. An example is a TCP connection. But also, when a host transmits an IP datagram employing only the services of its "connectionless" Internet Protocol interpreter, there is considered to be a connection between the source and the

Network Reference Monitor - an access control concept that refers to an abstract machine that mediates all access to objects within the network by subjects within the net-

Network security - the protection of networks and their its critical functions correctly and there are no harmful

Network security architecture - a subset of network architecture specifically addressing security-relevant issues.

Network sponsor - the individual or organization that is responsible for stating the security policy enforced by the network, for designing the network security architecture to properly enforce that policy, and for ensuring that the network is implemented in such a way that the policy is enforced. For commercial, off-the-shelf systems, the net- network system, the sponsor will normally be the project manager or system administrator.

Network System - a system which is implemented with a collection of interconnected network components. A network

Network trusted computing base (NTCB) - the totality of is responsible for enforcing a security policy. (See also Trusted Computing Base.)

NTCB Partition - the totality of mechanisms within a as allocated to that component; the part of the NTCB within a single network component.
- O -
Object - a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: tory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks,

Object reuse - the reassignment of a medium (e.g., page frame, disk sector, magnetic tape) that contained one or more objects to some subject. To be securely reassigned, contained object(s).

OSI Architecture - the International Organization for Standardization (ISO) provides a framework for defining the communications process between systems. This framework includes a network architecture, consisting of seven layers. The architecture is referred to as the Open Systems Interconnection (OSI) model or Reference Model. Services and the model are defined by international standards. From a systems viewpoint, the bottom three layers support the com- next three layers generally pertain to the characteristics of the communicating end systems, and the top layer supports the end users. The seven layers are: 1. Physical Layer: the physical connection. It defines the functional and procedural characteristics of the interface to the physical circuit: the electrical and mechanical specifications are considered to be part of the medium itself. 2. Data Link Layer: Formats the messages. Covers synchronization and error control for the information transmitted over the phy- error checking" is one way to describe this layer. 3. Network Layer: Selects the appropriate facilities. Includes tem where the communicating application is: segmentation and tion. 4. Transport Layer: Includes such functions as multi- connection, and segmenting data into appropriately sized to-end control of data reliability. 5. Session Layer: Selects the type of service. Manages and synchronizes conversations between two application processes. Two main types of dialogue are provided: two-way simultaneous (full- control functions similar to the control language in com- tion is delivered in a form that the receiving system can understand and use. Communicating parties determine the format and language (syntax) of messages: translates if Layer: Supports distributed applications by manipulating information. Provides resource management for file transfer, virtual file and virtual terminal emulation, distributed processes and other applications.

Overt channel - an overt channel is a path within a network which is designed for the authorized transfer of
- P -
Passive - (1) A property of an object or network object that it lacks logical or computational capability and is unable to change the information it contains. (2) Those threats to the confidentiality of data which, if realized, the intercommunicating systems (e.g., monitoring and/or

Penetration - the successful violation of a protected

Penetration testing - the portion of security testing in which the penetrators attempt to circumvent the security features of a system. The penetrators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The penetrators work under no constraints other than those that would be applied to ordinary users or implementors of untrusted portions of the component.

Privacy - (1) the ability of an individual or organization to control the collection, storage, sharing, and dis- The right to insist on adequate security of, and to define authorized users of, information or systems. Note: The concept of privacy cannot be very precise and its use should be avoided in specifications except as a means to require secu- legislation.

Process - a program in execution. It is completely characterized by a single current execution point (represented by the machine state) and address space.

Protection-critical portions of the TCB - those portions of the TCB whose normal function is to deal with the control of access between subjects and objects. See also Subject, Object, Trusted Computer Base.

Protection philosophy - an informal description of the overall design of a system that delineates each of the protection mechanisms employed. A combination (appropriate to the evaluation class) of formal and informal techniques is used to show that the mechanisms are adequate to enforce the
- R -
Read - a fundamental operation that results only in the flow of information from an object to a subject.

Read access - permission to read information.

Reference monitor concept - an access control concept that refers to an abstract machine that mediates all accesses to objects by subjects. See also Security Kernel.

Reliability - the extent to which a system can be expected to perform its intended function with required precision.

Resource - anything used or consumed while performing a function. The categories of resources are: time, information, objects (information containers), or processors (the ability to use information). Specific examples are: CPU time; terminal connect time; amount of directly-addressable memory; disk space; number of I/O requests per minute, etc.
- S -
Secrecy Policy - a security policy to prevent unauthorized users from reading sensitive information. See also Security Policy.

Security architecture - the subset of computer architecture dealing with the security of the computer or network

Security-Compliant Channel - A channel is Security-Compliant if the enforcement of the network policy depends only upon characteristics of the channel either (1) included in the evaluation, or (2) assumed as an installation con- Manual.

Security Kernel - the hardware, firmware, and software elements of a Trusted Computing Base (or Network Trusted Computing Base partition) that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.

Security label - see Sensitivity label.

Security level - the combination of hierarchical clas-

Security policy - the set of laws, rules, and practices that regulate how an organization manages, protects, and

Security policy model - an informal presentation of a formal security policy model.

Security testing - a process used to determine that the and that they are adequate for a proposed application environment. This process includes hands-on functional testing, penetration testing, and verification. See also: Functional Testing, Penetration Testing, Verification.

Sensitivity label - A piece of information that in the object. Sensitivity labels are used by the NTCB as the basis for mandatory access control decisions.

Sensitivity level - See Security level.

Simple security property - a Bell-LaPadula security model rule allowing a subject read access to an object only if the security level of the subject dominates the security level of the object.

Single-level device - a device that is used to process

*-property (star property) - a Bell-LaPadula security model rule allowing a subject write access to an object only if the security level of the subject is dominated by the

Storage object - an object that supports both read and

Subject - an active entity, generally in the form of a among objects or changes the system state. Technically, a

Subject security level - a subject's security level is equal to the security level of the objects to which it has both read and write access. A subject's security level must always be dominated by the clearance of the user the subject is associated with.

System - an assembly of computer and/or communications of classifying, sorting, calculating, computing, summarizing, transmitting and receiving, storing and retrieving data

System High - the highest security level supported by a

System High Security Mode - the mode of operation in vide discretionary protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and clearances and authorization for all information contained in the system. All system output must be clearly marked the information has been reviewed manually by an authorized individual to ensure appropriate classifications and that caveats have been affixed. Compare Dedicated Security Mode, Multilevel Security Mode.

System Low - the lowest security level supported by a

System Security Officer (SSO) - the person responsible for the security of a system. The SSO is authorized to act in the "security administrator" role. Functions that the SSO is expected to perform include: auditing and changing
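The "Dominated by", "Lattice", "Simple security property", "*-property" and "Subject security level" entries above describe one mechanism: labels ordered by classification and compartment set. The following is an added example, not part of the TNI glossary; the classification names and compartment tags are constructed, and the non-disclosure reading of "less than or equal to" is assumed (the glossary notes an integrity policy may invert it).

```python
"""Dominance relation, lattice bounds and Bell-LaPadula access checks
over (classification, compartments) labels. Added example; names are
constructed and not taken from the TNI."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed hierarchical ordering; a higher index is more sensitive.
CLASSIFICATIONS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Level:
    """A security level: hierarchical classification plus a set of
    non-hierarchical compartments (access approvals)."""
    classification: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")

    @property
    def rank(self) -> int:
        return CLASSIFICATIONS.index(self.classification)


def dominates(a: Level, b: Level) -> bool:
    """A dominates B (B is dominated by A): A's classification is >=
    B's and every compartment of B also appears in A."""
    return a.rank >= b.rank and a.compartments >= b.compartments


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the lowest level dominating both inputs."""
    return Level(CLASSIFICATIONS[max(a.rank, b.rank)],
                 a.compartments | b.compartments)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the highest level dominated by both."""
    return Level(CLASSIFICATIONS[min(a.rank, b.rank)],
                 a.compartments & b.compartments)


def may_read(subject: Level, obj: Level) -> bool:
    """Simple security property: read only if subject dominates object."""
    return dominates(subject, obj)


def may_write(subject: Level, obj: Level) -> bool:
    """*-property: write only if the subject is dominated by the object
    (write-down is refused for untrusted subjects)."""
    return dominates(obj, subject)


def valid_subject_level(subject: Level, user_clearance: Level) -> bool:
    """A subject's level must be dominated by its user's clearance."""
    return dominates(user_clearance, subject)


def demo() -> dict:
    """Constructed labels exercising comparable and incomparable levels."""
    s_ab = Level("SECRET", frozenset({"A", "B"}))
    c_a = Level("CONFIDENTIAL", frozenset({"A"}))
    s_c = Level("SECRET", frozenset({"C"}))
    ts_abc = Level("TOP SECRET", frozenset({"A", "B", "C"}))
    return {
        "s_ab dominates c_a": dominates(s_ab, c_a),      # True
        "s_ab dominates s_c": dominates(s_ab, s_c),      # False: no C
        "lub(s_ab, s_c)": lub(s_ab, s_c),                # SECRET {A,B,C}
        "glb(s_ab, s_c)": glb(s_ab, s_c),                # SECRET {}
        "s_ab reads c_a": may_read(s_ab, c_a),           # True
        "s_ab reads s_c": may_read(s_ab, s_c),           # False
        "s_ab writes ts_abc": may_write(s_ab, ts_abc),   # True (write-up)
        "s_ab writes c_a": may_write(s_ab, c_a),         # False (write-down)
        "s_ab under ts_abc clearance": valid_subject_level(s_ab, ts_abc),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```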
- T -
Top-level specification (TLS) - a non-procedural Typically a functional specification that omits all implementation details.

Trap-door - a hidden software or hardware mechanism that permits system protection mechanisms to be circumvented. It is activated in some non-apparent manner (e.g.,

Trojan horse - a computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of file for the creator of the Trojan Horse.

Trusted channel - a mechanism by which two NTCB partitions can communicate directly. This mechanism can be activated by either of the NTCB partitions, cannot be imitated by untrusted software, and maintains the integrity of information that is sent over it. A trusted channel may be needed for the correct operation of other security mechanisms.

Trusted computer system - a system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

Trusted computing base (TCB) - the totality of protection mechanisms within a computer system -- including is responsible for enforcing a security policy. It creates a basic protection environment and provides additional user ty of a trusted computing base to correctly enforce a secu- and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the

Trusted functionality - that which is determined to be correct with respect to some criteria, e.g. as established by a security policy. The functionality shall neither fall

Trusted path - a mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.

Trusted software - the software portion of a Trusted Computing Base.

Trusted subject - a subject that is part of the TCB. trusted not to actually do so. For example in the Bell-LaPadula model a trusted subject is not constrained by the *-property and thus has the ability to write sensitive information into an object whose level is not dominated by the (maximum) level of the subject, but it is trusted to only write information into objects with a label appropriate for the actual level of the information.
- U -
User - any person who interacts directly with a network to interact with the system and those people who interact Note that "users" does not include "operators," "system pro- officers," and other system support personnel. They are Manual and the System Architecture requirements. Such individuals may change the system parameters of the network system, for example by defining membership of a group. These individuals may also have the separate role of users.
- V -
Verification - the process of comparing two levels of

Virus - malicious software, a form of Trojan horse,

- W -

Write - a fundamental operation that results only in the flow of information from a subject to an object.

Write access - permission to write an object.
References
__________
Abrams, M. D. and H. J. Podell, Tutorial: Computer and Net-

Addendum to the Transport Layer Protocol Definition for Providing Connection Oriented End-to-End Cryptographic Data WG 3, N 37, January 10, 1986.

Biba, K. J., Integrity Considerations for Secure Computer Systems, MTR-3153, The MITRE Corporation, June 1975; ESD-TR-76-372, April 1977.

Bell, D. Elliot and LaPadula, Leonard J., Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR

Denning, D. E., Lunt, T. F., Neumann, P. G., Schell, R. R., Heckman, M. and Shockley, W., Secure Distributed Data Views, Security Policy and Interpretation for a Class A1 Multilevel Secure Relational Database System, SRI International, November 1986.

Girling, C. G., "Covert Channels in LAN's," IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, February

Grohn, M. J., A Model of a Protected Data Management System, ESD-TR-76-289, I. P. Sharp Assoc. Ltd., June, 1976.

"Integrity and Inference Group Report," Proceedings of the National Computer Security Center Invitational Workshop on Database Security, Baltimore, MD, 17-20 June 1986.

/ N1528 / WG 1 Ad hoc group on Security, Project 97.21.18, September 1986.

Jueneman, R. R., "Electronic Document Authentication," IEEE Network Magazine, April 1987, pp 17-23.

Lipner, Steven B., "Non-Discretionary Controls for Commercial Applications," IEEE Proceedings of the 1982 Symposium on Security and Privacy, April 26-28, 1982, Oakland, CA.

National Computer Security Center, Department of Defense

National Computer Security Center, Department of Defense Trusted Computer Security Evaluation Criteria, DOD 5200.28-STD, December 1985.

National Computer Security Center, Security Requirements: Guidance for Applying the Department of Defense Trusted Com- CSC-STD-003-85, 25 June 1985.

tions of End-to-End Encryption in Secure Computer Networks, The MITRE Corporation, MTR-3592, Vol. I, May 1978 (ESD TR

The Directory - Authentication Framework (Melbourne, April

Voydock, Victor L. and Stephen T. Kent, "Security Mechanisms in High-Level Network Protocols," Computing Surveys, Vol.

bility.