1. Inside the Orange Book SYCS 653 Fall 2010 Lecture 12 Notes Wayne Patterson

2. Orange Book If you’re at all interested in computer security, you’ll need to know something about the Orange Book. As more organizations become security-conscious, as more vendors develop secure systems and products, and as more government requisitions stipulate that equipment purchases be tied to Orange Book certification, there’s more of a need to understand the Orange Book.

3. References References: The entire series of publications on computer security standards known as the “Rainbow Series Library” is on the web, through the National Computer Security Center (NCSC). The URL for the entire series is: http://www.radium.ncsc.mil/tpep/library/rainbow/ and in particular for the Orange Book (available also in text, PostScript, or PDF format): http://www.radium.ncsc.mil/tpep/library/rainbow/ 5200.28-STD.html http://www.radium.ncsc.mil/tpep/library/rainbow/ 5200.28-STD.html

4. Rainbow Series Library Document Format Information 5200.28-STD  DoD Trusted Computer System Evaluation Criteria, 26 December 1985 (Supercedes CSC-STD-001-83, dtd 15 Aug 83). (Orange Book) CSC-STD-002-85  DoD Password Management Guideline, 12 April 1985. (Green Book) CSC-STD-003-85  Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book) CSC-STD-004-85  Technical Rational Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985. (Yellow Book)

5. Rainbow Series Library NTISSAM COMPUSEC/1-87  Advisory Memorandum on Office Automation Security Guidelines NCSC-TG-001 Ver. 2  A Guide to Understanding Audit in Trusted Systems 1 June 1988, Version 2. (Tan Book) NCSC-TG-002  Trusted Product Evaluations - A Guide for Vendors, 22 June 1990. (Bright Blue Book) see also TPEP Procedures which superceedes parts of this document.TPEP Procedures NCSC-TG-003  A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987. (Neon Orange Book)

6. Rainbow Series Library NCSC-TG-004  Glossary of Computer Security Terms, 21 October 1988. (Teal Green Book) (NCSC-WA-001-85 is obsolete) NCSC-TG-005  Trusted Network Interpretation of the TCSEC (TNI), 31 July 1987. (Red Book) NCSC-TG-006  A Guide to Understanding Configuration Management in Trusted Systems, 28 March 1988. (Amber Book) NCSC-TG-007  A Guide to Understanding Design Documentation in Trusted Systems, 6 October 1988. (Burgundy Book) see also Process Guidelines for Design Documentation which may supercede parts of this document.Process Guidelines for Design Documentation

7. Rainbow Series Library NCSC-TG-008  A Guide to Understanding Trusted Distribution in Trusted Systems 15 December 1988. (Dark Lavender Book) NCSC-TG-009  Computer Security Subsystem Interpretation of the TCSEC 16 September 1988. (Venice Blue Book) NCSC-TG-010  A Guide to Understanding Security Modeling in Trusted Systems, October 1992. (Aqua Book) NCSC-TG-011  Trusted Network Interpretation Environments Guideline - Guidance for Applying the TNI, 1 August 1990. (Red Book) NCSC-TG-013 Ver.2  RAMP Program Document, 1 March 1995, Version 2 (Pink Book)

8. Rainbow Series Library NCSC-TG-014  Guidelines for Formal Verification Systems, 1 April 1989. (Purple Book) NCSC-TG-015  A Guide to Understanding Trusted Facility Management, 18 October 1989 (Brown Book) NCSC-TG-016  Guidelines for Writing Trusted Facility Manuals, October 1992. (Yellow- Green Book) NCSC-TG-017  A Guide to Understanding Identification and Authentication in Trusted Systems, September 1991. (Light Blue Book) NCSC-TG-018  A Guide to Understanding Object Reuse in Trusted Systems, July 1992. (Light Blue Book)

9. Rainbow Series Library NCSC-TG-019 Ver. 2  Trusted Product Evaluation Questionaire, 2 May 1992, Version 2. (Blue Book) NCSC-TG-020-A  Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX® System, 7 July 1989. (Silver Book) NCSC-TG-021  Trusted Database Management System Interpretation of the TCSEC (TDI), April 1991. (Purple Book) NCSC-TG-022  A Guide to Understanding Trusted Recovery in Trusted Systems, 30 December 1991. (Yellow Book) NCSC-TG-023  A Guide to Understanding Security Testing and Test Documentation in Trusted Systems (Bright Orange Book) see also Process Guidelines for Test Documentation which may supercede parts of this document.Process Guidelines for Test Documentation

10. Rainbow Series Library NCSC-TG-024 Vol. 1/4  A Guide to Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements, December 1992. (Purple Book) NCSC-TG-024 Vol. 2/4  A Guide to Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators, 30 June 1993. (Purple Book) NCSC-TG-024 Vol. 3/4  A Guide to Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description Tutorial, 28 February 1994. (Purple Book) NCSC-TG-024 Vol. 4/4  A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document - An Aid to Procurement Initiators and Contractors (Purple Book) (publication TBA) NCSC-TG-025 Ver. 2  A Guide to Understanding Data Remanence in Automated Information Systems, September 1991, Version 2, (Supercedes CSC-STD-005-85). (Forest Green Book)

11. Rainbow Series Library NCSC-TG-026  A Guide to Writing the Security Features User's Guide for Trusted Systems, September 1991. (Hot Peach Book) NCSC-TG-027  A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992. (Turquoise Book) NCSC-TG-028  Assessing Controlled Access Protection, 25 May 1992. (Violet Book) NCSC-TG-029  Introduction to Certification and Accreditation Concepts, January 1994. (Blue Book) NCSC-TG-030  A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993. (Light Pink Book)

12. Rainbow Series Library Other NCSC Publications C1 Technical Report 001  Technical Report, Computer Viruses: Prevention, Detection, and Treatment, 12 March 1990 C Technical Report 79-91  Technical Report, Integrity in Automated Information Systems, September 1991. C Technical Report 32-92  The Design and Evaluation of INFOSEC systems: The Computer Security Contribution to the Composition Discussion, June 1992. C Technical Report 111-91  Integrity-Oriented Control Objectives: Proposed Revisions to the TCSEC, October 1991.

13. Rainbow Series Library NCSC Technical Report 002  Use of the TCSEC for Complex, Evolving, Mulitpolicy Systems NCSC Technical Report 003  Turning Multiple Evaluated Products Into Trusted Systems NCSC Technical Report 004  A Guide to Procurement of Single Connected Systems - Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators - Includes Complex, Evolving, and Multipolicy Systems

14. Rainbow Series Library NCSC Technical Report 005 Volume 1/5  Inference and Aggregation Issues In Secure Database Management Systems NCSC Technical Report 005 Volume 2/5  Entity and Referential Integrity Issues In Multilevel Secure Database Management NCSC Technical Report 005 Volume 3/5  Polyinstantiation Issues In Multilevel Secure Database Management Systems NCSC Technical Report 005 Volume 4/5  Auditing Issues In Secure Database Management Systems NCSC Technical Report 005 Volume 5/5  Discretionary Access Control Issues In High Assurance Secure Database Management Systems

15. Four Divisions The Orange Book defines four broad hierarchical divisions of security protection. In increasing order of trust, they are: DMinimal security CDiscretionary protection BMandatory protection AVerified protection

16. Numbered Classes Each division consists of one or more numbered classes, with higher numbers indicating a higher degree of security. For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes ( B3 > B2 > B1 ); division A currently contains only one class.

17. Criteria Each class is defined by a specific set of criteria that a system must be awarded a rating in that class. The criteria fall into four general categories: security policy, accountability, assurance, and documentation.

18. Measurement The evaluation criteria for the Orange Book were developed with three basic objectives: Measurement: To provide users with a metric with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information. For example, a user can rely on a B2 system to be “more secure” than a C2 system.

19. Guidance Guidance: To provide guidance to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.

20. Acquisition Acquisition: To provide a basis for specifying security requirements in acquisition specifications. Rather than specifying a hodge- podge of security requirements, and having vendors respond in piecemeal fashion, the Orange Book provides a clear way of specifying a coordinated set of security functions. A customer can be confident that the system he or she acquires has already been checked out for the needed degree of security.

21. What’s a Trusted System? The Orange Book defines it as: A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

22. Measuring Trust How does the Orange Book measure trust? The book approaches security from two perspectives:

23. Security Policy A security policy states the rules enforced by a system’s security features; e.g. the rules governing whether a particular user is allowed to access a particular piece of information. Obviously, there are more security features in a highly secure system (B1 or higher) than in a less secure system (say, C1 or C2), although at the highest levels there are actually few differences in security features. Instead there is more “assurance.”

24. Assurance Assurance is the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, documented, maintained and delivered to a customer. At the higher levels of security, there are few changes in security features, but a definite increase in the degree of assurance a user can place in the system’s architecture and security policies.

25. Assurance As the Orange Book puts it, assurance “begins [at the lowest class] with an operable access control mechanism and ends [at the highest class] with a mechanism that a clever and determined user cannot circumvent.”In the lower classes (C1, C2, B1) assurance of correct and complete design and implementation is gained mostly through testing of the security-relevant portions of the system. In the higher classes (B2, B3, and A1), assurance is derived more from system design and implementation and, at the highest level (A1 only) from formal verification tools. Assurance is described in detail later in this lecture.

26. Trusted Computing Base The concept of the trusted computing base (TCB) is central to the notion of a trusted system. The Orange Book uses the term TCB to refer to the mechanisms that enforce security in a system. The book defines the TCB as follows:

27. Trusted Computing Base The totality of protection mechanisms within a computer system -- including hardware, firmware, and software -- the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy.

28. Defining the TCB Not every part of an operating system needs to be trusted. An important part of an evaluation of a computer system is to identify the architecture, assurance mechanisms, and security features that comprise the TCB, and to show how the TCB is protected from interference and tampering.

29. Reference Monitor A “reference monitor” is a concept that “enforces the authorized access relationships between subjects and objects of a system.” James Anderson, the developer of this concept, lists three design requirements that must be met by a reference monitor mechanism: Isolation: the reference monitor must be tamperproof. Completeness: the reference monitor must be invoked for every access decision, and must be impossible to bypass. Verifiability: the reference monitor must be small enough to be able to be analyzed and tested, and it must be possible to ensure that the testing is complete.

30. Security Policy A security policy is the set of rules and practices that regulate how an organization manages, protects, and distributes sensitive information. A security policy is typically stated in terms of subjects and objects. A subject is something active in the system; examples are users, processes, and programs. An object is something that a subject acts upon; examples of objects are files, directories, devices, sockets, and windows.

31. Security Policy The Orange Book defines a security policy as follows: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

32. Policy --- Informal or Formal At the lower levels of trust (C1, C2, B1) an informally stated policy is acceptable. At the higher levels of trust (B2, B3, A1), a formally stated, mathematically precise policy is required.

33. Security Model A security model expresses a system’s security requirements precisely and without confusion. The Orange Book criteria are based on the state-machine model developed by David Bell and Leonard LaPadula in 1973. This is the first mathematical model of a multi-level secure computer system. The Orange Book describes the Bell-LaPadula model as follows:

34. Bell-LaPadula A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving that the system is secure. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice.

35. Security Kernel A security kernel, a concept developed by Roger Schell in 1972 (or was it a security shell developed by Colonel Rogers?) is the operating system mechanism that actually implements the reference monitor concept. The security kernel is the heart of the TCB --- the resource in the computing system that supervises all system activity in according with the system’s security policy.

36. Simplicity Simplicity is a very important characteristic of the TCB. As the Orange Book puts it, “the TCB should be as simple as possible, consistent with the functions it has to perform.”

37. Security Perimeter The security kernel, as well as other security-related system functions, lies within the imaginary boundary of the TCB known as the security perimeter. In highly trusted systems, the TCB must be designed and implemented in such a way that system elements included in it are designed to perform security functions, while those elements excluded from the TCB need not be trusted.

38. Orange Book Evaluation Classes Class, Name, Examples D: Minimal security  None. Reserved for systems that are submitted to evaluation but fail. Basic operating systems for personal computers such as Windows, Mac, and MS-DOS would probably fall into this category if they were evaluated.

39. C1 C1: Discretionary security protection  IBM: MVS/RACFAlthough ordinary UNIX systems have not been submitted for formal evaluation, many people feel that such systems would get a C1.

40. C2 C2: Controlled access protection  Computer Associates International: ACF2/MVS  DEC: VAX/VMS 4.5  Gould: UTX/32SHewlett-Packard MPE V/E  Wang Labs: SVS/OS CAP 1.0

41. B1 B1: Labeled security protection  AT&T: System V/MLS  IBM: MVS/ESA  SecureWare: CMW+  UNISYS: OS 1100

42. B2 B2: Structured protection  Honeywell Information Systems: Multics  Trusted Information Systems: Trusted XENIX

43. B3 B3: Security domains  Honeywell Federal Systems: XTS-200

44. A1 A1: Verified design  Honeywell Information Systems: SCOMP  Boeing Aerospace: SNS

45. Complaints About the Orange Book Here are some of the main claims about the inadequacies of Orange: The Orange Book model works only in a government classified environment, and the higher levels of security aren’t appropriate for the protection of commercial data, where data integrity is the chief concern. The Orange Book focuses on only one aspect of security --- secrecy --- while paying little attention to the principles of accuracy, availability, and authenticity. The Orange Book emphasizes protection from unauthorized access, while most security attacks actually involve insiders. The Orange Book doesn’t address networking issues. (But the Red Book does.) The Orange Book contains a relatively small number of security ratings. A system that offers a subset of Orange Book security features, plus some very strong features in other areas not addressed by the Orange Book (for example, integrity) wouldn’t fit into any of the current ratings.

46. C1C2B1B2B3A1 Discretionary Access ControlSP Object Reuse Labels Label Integrity Exportation of Labeled Information Exportation of Multilevel Devices Exportation of Single-Level Devices Labeling Human-Readable Output Mandatory Access Control Subject Sensitivity Labels Device Labels Identification and AuthenticationAC Audit Trusted Path System ArchitectureAS System Integrity Security Testing Design Specification & Verification Covert Channel Analysis Trusted Facility Management Configuration Management Trusted Recovery Trusted Distribution Security Features User’s GuideD Trusted Facility Manual Test Documentation Design Documentation

47. The Rainbow Series and Other Sources The government has produced a number of other volumes interpreting Orange Book requirements. These are known collectively as the Rainbow Series, since each has a different cover color.

48. Colors of the Rainbow These include: Red Book  Trusted Network Interpretation Lavender Book  Trusted Data Base Management System Interpretation Green Book  Password Management Guideline Tan Book  Guide to Understanding Audit in Trusted Systems Purple Book  Guidelines for Formal Verification Systems Burgundy Book  Guide to Understanding Design Documentation in Trusted Systems