exportation of labeled information
The process by which a trusted system, when writing information to another system, keeps the protection mechanisms associated with that information. Assigning security levels to output devices and writing sensitivity labels along with data are two ways used to secure exported information. Every I/O device and communications channel in a system must be designated as multilevel or single-level. Any changes to these designations must be able to be audited. Typically, a system administrator designates devices during system installation and setup.

exportation to multilevel devices
The Orange Book requires that the system have some way to associate a security level with information written to a multilevel device. Mechanisms may differ for different systems and different types of devices. Files written to such devices must have sensitivity labels attached to them (usually written in a header preceding the data in the file). This prevents a user from bypassing system controls by simply copying a sensitive file to another, untrusted system or device. The system must support a way of specifying the lowest and the highest security levels allowed for data being written to it. In most trusted systems, only non-removable disks are categorized as multilevel devices.

exportation to single-level devices
The process of writing information to a system that supports only one particular sensitivity level. The level specified is usually dependent on its physical location or the inherent security of the device type. Usually workstations, printers, communication ports, and removable media are characterized as single-level devices. Output sent to these devices is not required to be labeled with the security level of the exported information, although many trusted systems do label such output. The Orange Book does require that there be some way (system or procedural) to designate the single level of information being sent to the device.
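The three exportation entries above, worked as an added example that is not part of the glossary: security levels with a dominance check, devices designated multilevel (with a low/high range) or single-level, an audited redesignation, and an export routine that prefixes a label header only on multilevel devices. The classification ordering, the `[LABEL ...]` header format and the device names are assumptions made for the example.

```python
import dataclasses

# Linear ordering of classifications, lowest first (constructed for this example).
CLASSIFICATIONS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclasses.dataclass(frozen=True)
class Level:
    """A security level: a classification plus a set of categories."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True if at least as high a classification and a superset of categories."""
        return (CLASSIFICATIONS.index(self.classification)
                >= CLASSIFICATIONS.index(other.classification)
                and other.categories <= self.categories)

    def __str__(self):
        cats = ",".join(sorted(self.categories))
        return self.classification + (f"//{cats}" if cats else "")


class Device:
    """An I/O device designated 'multilevel' (writes allowed within [low, high]) or
    'single-level' (low == high). Every redesignation is written to the audit trail."""
    def __init__(self, name, designation, low, high, audit):
        self.name, self.audit = name, audit
        self.designation, self.low, self.high = designation, low, high

    def designate(self, admin, designation, low, high):
        self.designation, self.low, self.high = designation, low, high
        self.audit.append(f"{admin} set {self.name} {designation} {low}..{high}")


def export(device, level, data):
    """Return the bytes that reach the device for data at the given level, or refuse.
    Multilevel devices get a label header in front of the data; a single-level
    device carries its level by designation, so the data is written bare."""
    if not (device.high.dominates(level) and level.dominates(device.low)):
        raise PermissionError(f"{level} is outside the range of {device.name}")
    if device.designation == "multilevel":
        return f"[LABEL {level}]\n".encode() + data
    return data


if __name__ == "__main__":
    audit = []   # constructed audit trail
    disk = Device("disk0", "multilevel", Level("UNCLASSIFIED"),
                  Level("TOP SECRET", frozenset({"NATO"})), audit)
    print(export(disk, Level("SECRET", frozenset({"NATO"})), b"plan").decode())
```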
file protection
See file protection class.

file protection class
A code associated with a file that indicates the file type and associated file access. Typical classes are public (anyone can read or change the file), read-only (anyone can read, but only the owner and the system administrator can write the file), and private (only the owner and the system administrator can read or change the file).

file security
Protection of files stored on a computer system through discretionary access control and/or mandatory access control.

flaw
An error, omission, or loophole in a system that allows security mechanisms to be bypassed.

formal model
See formal security model.

formal proof
From the Orange Book definition: "A complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems. The formal verification process uses formal proofs to show the truth of certain properties of formal specification and for showing that computer programs satisfy their specifications."

formal security model
From the Orange Book definition: "A mathematically precise statement of a security policy. To be adequately precise, such a model must represent the initial state of a system, the way in which the system progresses from one state to another, and a definition of a "secure" state of the system. To be acceptable as a basis for a TCB, the model must be supported by a formal proof that if the initial state of the system satisfies the definition of the "secure" state and if all assumptions required by the model hold, then all future states of the system will be secure. Some formal modelling techniques include: state transition models, temporal logic models, denotational semantics models, algebraic specification models."

formal top-level specification (FTLS)
A top-level specification of the TCB, expressed in terms of the formal security model. It is also used in proving the system's security policy.

formal verification
An automated tool used in designing and testing highly trusted systems. The process of using formal proofs to demonstrate two types of consistency:
1. Design verification: consistency between a formal specification of a system and a formal security policy model.
2. Implementation verification: consistency between a formal specification of a system and its high-level program implementation.
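The formal security model and formal verification entries describe a state transition model with a defined secure state and a proof that every reachable state stays secure. The added example below (not from the glossary or the Orange Book) builds such a model for a tiny constructed instance of the read rule from the mandatory access control entry, and checks the claim by enumerating every reachable state instead of by proof; a second, deliberately unchecked transition rule shows the enumeration catching an insecure reachable state. Subject and object names and levels are constructed.

```python
import itertools

CLASS = ("UNCLASSIFIED", "SECRET", "TOP SECRET")   # constructed ordering

def dominates(a, b):
    return CLASS.index(a) >= CLASS.index(b)

# Constructed instance: clearances of subjects and labels of objects are fixed.
CLEARANCE = {"alice": "TOP SECRET", "bob": "UNCLASSIFIED"}
LABEL = {"plan": "SECRET", "memo": "UNCLASSIFIED"}

def secure(state):
    """Definition of a secure state: every current (subject, object) read access is
    one where the subject's clearance dominates the object's label."""
    return all(dominates(CLEARANCE[s], LABEL[o]) for s, o in state)

def checked_request(state, subject, obj):
    """Transition rule that enforces the policy: grant only if the rule holds."""
    if dominates(CLEARANCE[subject], LABEL[obj]):
        return state | {(subject, obj)}
    return state

def unchecked_request(state, subject, obj):
    """A flawed transition rule that grants every request."""
    return state | {(subject, obj)}

def release(state, subject, obj):
    return state - {(subject, obj)}

def reachable(initial, request):
    """All states reachable from initial by any sequence of request/release steps."""
    seen, frontier = {initial}, [initial]
    while frontier:
        state = frontier.pop()
        for s, o in itertools.product(CLEARANCE, LABEL):
            for nxt in (request(state, s, o), release(state, s, o)):
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return seen

def verify(initial, request):
    """The model's claim, checked by enumeration: if the initial state is secure,
    every state reachable under this transition rule is secure."""
    return secure(initial) and all(secure(st) for st in reachable(initial, request))
```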
gateway
Typically, a system that is attached to two systems, devices, or networks that otherwise do not communicate with each other. Communications from one system or network to another are routed through the gateway. A gateway system may be used as a guardian or "firewall" between trusted and untrusted systems or networks. The gateway filters out any information that's not allowed to pass from the trusted system to the untrusted system, or vice versa.

granularity
The relative fineness or coarseness by which a mechanism can be adjusted. In the Orange Book, the phrase "to the granularity of a single user" means that an access control mechanism can be adjusted to include or exclude any single user.

group
A set of users in a system. A system security policy may give certain access rights to every member of a group.

guidance
An Orange Book evaluation criterion. It provides guidelines to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.

identification
The process of telling a system the identity of a subject. Usually, this is done by entering a name or presenting a token to the system. See also authentication.

identity
A means of establishing a correspondence between a subject and how the subject is represented to the system.

identification and authentication
See identification and authentication.

impersonation
Posing as an authorized user, usually in an attempt to gain access to a system. Synonymous with masquerade.

import
Transfer of information into a system. Often used to refer to the transfer of information from an untrusted system to a trusted system.

information label
A label associated with a particular subject or object in a system (e.g. file, process, window). Information labels are used in compartmented mode workstations and are similar to sensitivity labels. However, they differ from sensitivity labels in several ways:
1. In addition to a classification and a set of categories, information labels also contain dissemination markings and handling caveats (e.g. EYES ONLY).
2. They simply represent the sensitivity of the information in the subject or object; in contrast, sensitivity labels are used to make access decisions.
3. They are automatically adjusted as the information content of a subject or object changes (for example, the contents of a window); in contrast, sensitivity labels remain static.

information level
The security level implied by an information label's classification and categories.

integrity
A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally. Integrity protects against forgery or tampering. Synonymous with accuracy.

I/O device
A hardware device that performs input/output functions for the system. It generally refers to a serial, printer, mouse, SCSI, MIDI, FireWire or any other port that may transmit information into or out of the system, or directly affect the operation of the system.

kernel
The innermost ring of system software that performs the fundamental (or core) functions of the system. Also see security kernel.

key
In cryptography, a secret value that's used to encrypt and decrypt messages. A sequence of symbols (often a large number) that's usually known only to the sender and the receiver of the message.

keystroke system
A system that compares a pattern of keystrokes with a stored pattern to determine whether there's a match.

label integrity
Ensures that the sensitivity labels associated with subjects and objects are accurate representations of the security levels of these subjects and objects even in the event of system integrity problems. For example, a user edits a TOP SECRET file to remove all TOP SECRET and SECRET information (leaving only unclassified information), and then changes the sensitivity level to UNCLASSIFIED. If the system crashes at this point, the file may contain TOP SECRET data in a file labeled UNCLASSIFIED - a clear violation of label integrity.
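The crash scenario in the label integrity entry, as an added example that is not part of the glossary: a file that carries its label in a header line is downgraded once with a naive in-place rewrite, which a crash between the label write and the data write leaves labeled UNCLASSIFIED over TOP SECRET contents, and once with a temp-file-and-rename update, where the same crash leaves the old label and old contents together. The header format, the file contents and the simulated crash point are assumptions made for the example.

```python
import os
import tempfile

def read_labeled(path):
    """Return (label, body) of a file whose first line is its label header."""
    with open(path, "rb") as f:
        header, body = f.read().split(b"\n", 1)
    return header[len(b"[LABEL "):-1].decode(), body

def relabel_in_place(path, label, body, crash=False):
    """Naive relabel: overwrite the header, then the body, in the existing file.
    A crash between the two steps leaves the new label on top of the old data."""
    with open(path, "r+b") as f:
        f.write(f"[LABEL {label}]\n".encode())
        f.flush(); os.fsync(f.fileno())
        if crash:
            raise RuntimeError("simulated crash")   # demo only
        f.write(body); f.truncate()

def relabel_atomic(path, label, body, crash=False):
    """Write label and body together to a temp file in the same directory, flush
    it, then rename it over the original. A crash before the rename leaves the
    old label together with the old body, which is still consistent."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(f"[LABEL {label}]\n".encode() + body)
            if crash:
                raise RuntimeError("simulated crash")   # demo only
            f.flush(); os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)

def downgrade_with_crash(relabel):
    """Start from a constructed TOP SECRET file, run a downgrade that crashes
    part-way using the given relabel routine, and return (label, body) afterwards."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "plan")
        with open(path, "wb") as f:
            f.write(b"[LABEL TOP SECRET]\nTS: launch window 0400\n")
        try:
            relabel(path, "UNCLASSIFIED", b"Weather is fine.\n", crash=True)
        except RuntimeError:
            pass
        return read_labeled(path)
```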
labeling
In a system supporting mandatory access controls, the assignment of sensitivity labels to every subject or object in the system.

labeling human-readable output
The Orange Book has very clear requirements for how to label hard-copy output (output that people see). This includes pages of printed output, maps, graphics, and other displays. The system administrator must have some way of specifying the labels that are to appear on the output. Hardcopy output must be labeled at both the beginning and the end of the document with labels representing the overall sensitivity of the output. Also the top and bottom of each page must be labeled to reflect the overall sensitivity of the output or the specific sensitivity of the information on that page.
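The hardcopy labeling rules above, as an added example that is not part of the glossary: paragraphs that each carry a level are paginated, the document gets a banner with the overall label at its beginning and end, and every page gets a header and footer carrying that page's own label, computed as the join (least upper bound) of the paragraph labels on it. The banner layout, the classification ordering and the sample document are assumptions made for the example.

```python
CLASS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")   # constructed ordering

def join(a, b):
    """Least upper bound of two levels given as (classification, categories)."""
    return (max(a[0], b[0], key=CLASS.index), a[1] | b[1])

def fmt(level):
    cats = ",".join(sorted(level[1]))
    return level[0] + (f"//{cats}" if cats else "")

def overall_level(paragraphs):
    """Join of the levels of all paragraphs (the lowest level if there are none)."""
    level = (CLASS[0], frozenset())
    for lvl, _ in paragraphs:
        level = join(level, lvl)
    return level

def print_labeled(paragraphs, per_page=2, width=40):
    """Render labelled paragraphs (level, text) as hardcopy lines: a banner carrying
    the overall label at the beginning and the end of the document, and a header
    and footer on every page carrying that page's own label (the join of the
    labels of the paragraphs printed on it)."""
    banner = ["*" * width, fmt(overall_level(paragraphs)).center(width), "*" * width]
    out = list(banner)
    pages = [paragraphs[i:i + per_page] for i in range(0, len(paragraphs), per_page)]
    for n, page in enumerate(pages, 1):
        page_label = fmt(overall_level(page))
        out.append(f"--- {page_label} --- page {n} ---")
        out.extend(text for _, text in page)
        out.append(f"--- {page_label} ---")
    out.extend(banner)
    return out

# Constructed document: each paragraph carries its own level.
DOC = [(("UNCLASSIFIED", frozenset()), "Weather summary."),
       (("SECRET", frozenset({"NATO"})), "Exercise schedule."),
       (("CONFIDENTIAL", frozenset()), "Supply figures.")]
```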
labeled security protection
The B1 system class. B1 (and higher) systems support mandatory access controls. The system architecture must more rigorously separate the security-related portions of the system from those that are not security-related. Documentation must include a model of the security policy supported by the system. It need not be a mathematical one, but it must be a clear statement of the rules enforced by the system's security features. Testing is more stringent.

labels
A user's sensitivity label specifies the sensitivity level, or level of trust, associated with that user; a user's sensitivity label is usually called a clearance. A file's sensitivity label specifies the level of trust that a user must have to be able to access that file.

layering
An ordering of layers in a hierarchy such that the lower layers may perform certain basic functions and the higher layers may perform more complex functions.

layers
Part of a structured, hierarchical design of system functions. Layers communicate with each other through calls via clearly defined interfaces.

least privilege
In terms of system architecture, processes have no more privilege than they need to perform their function. Only those modules that really need complete system privileges are to be located in the security kernel (e.g. the innermost ring). Other, less critical, modules should call on more privileged routines only as needed and only for the duration of the needed operation.

logic bomb
See bomb.

login
The process of identifying oneself to, and having one's identity authenticated by, a computer system.

malicious logic
Code that is included in a system for an unauthorized purpose.

mandatory access control (MAC)
An access policy that restricts access to system objects (e.g. files, directories, devices) based on the sensitivity of the information in the object (represented by the object's label) and the authorization of the subject (usually represented by the user's clearance) to access information at that sensitivity level. "Mandatory" means that the system enforces the policy; users do not have the discretion to share their files. Contrast with discretionary access control.
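The point of the MAC entry, that an owner's discretionary sharing cannot override the label check, as an added example that is not part of the glossary: a file carries both a mandatory label and an owner-controlled access list, and the read decision consults MAC first, so a user the owner has added to the list is still refused when their clearance does not dominate the label. The user names, clearances and the `(classification, categories)` tuple representation are assumptions made for the example.

```python
CLASS = ("UNCLASSIFIED", "SECRET", "TOP SECRET")   # constructed ordering

def dominates(a, b):
    """Level a = (classification, categories) dominates level b."""
    return CLASS.index(a[0]) >= CLASS.index(b[0]) and b[1] <= a[1]

class File:
    """An object carrying a mandatory label and a discretionary access list."""
    def __init__(self, owner, label):
        self.owner, self.label = owner, label
        self.acl = {owner}           # DAC: who the owner has chosen to let read

    def share(self, grantor, grantee):
        """Discretionary sharing: only the owner may extend the access list."""
        if grantor != self.owner:
            raise PermissionError("only the owner may share")
        self.acl.add(grantee)

def may_read(user, clearances, f):
    """Reference-monitor decision. MAC is checked first and an entry on the
    owner's access list cannot override it; DAC is consulted only when MAC
    permits. Returns (allowed, reason) so the reason can be audited."""
    if not dominates(clearances[user], f.label):
        return False, "denied by MAC: clearance does not dominate the label"
    if user not in f.acl:
        return False, "denied by DAC: not on the access list"
    return True, "allowed"

# Constructed users: alice and carol are cleared TOP SECRET with NATO, bob SECRET only.
CLEARANCES = {"alice": ("TOP SECRET", frozenset({"NATO"})),
              "bob": ("SECRET", frozenset()),
              "carol": ("TOP SECRET", frozenset({"NATO"}))}

def demo():
    """alice owns a SECRET//NATO file and shares it with bob; MAC still refuses bob,
    while carol, who is cleared for it, is refused by DAC because alice never shared."""
    plan = File("alice", ("SECRET", frozenset({"NATO"})))
    plan.share("alice", "bob")
    return {u: may_read(u, CLEARANCES, plan) for u in CLEARANCES}
```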
mandatory protection
See mandatory access control.

masquerade
Posing as an authorized user, usually in an attempt to gain access to a system. Synonymous with impersonation.

measurement
An Orange Book evaluation criterion. It provides users with a metric with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information. For example, a user can rely on a B2 system to be "more secure" than a C2 system.

message authentication
Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent.

message authentication code
A code calculated during encryption and appended to a message. If the message authentication code calculated during decryption matches the appended code, the message was not altered during transmission.
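The message authentication exchange above, as an added example that is not part of the glossary: the sender appends a code computed over the message, and the receiver recomputes it and accepts the message only if the two match. The example uses a keyed hash (HMAC-SHA256) as the code, rather than one produced by an encryption pass as the entry phrases it; the shared key and message are constructed.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32-byte code appended to each message

def send(key, message):
    """Sender side: compute the code over the message and append it."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag

def receive(key, packet):
    """Receiver side: split off the appended code, recompute it over the received
    message, and accept only if the two match (constant-time comparison).
    Returns the message, or None if it was altered or the key differs."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(expected, tag) else None

def flip_byte(packet, index):
    """Simulate corruption in transit by changing one byte of the packet."""
    out = bytearray(packet)
    out[index] ^= 0x01
    return bytes(out)
```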
minimal security
The D system class. The Orange Book lists no requirements for this class, "...reserved for systems that have been evaluated but that fail to meet the requirements for a higher evaluation class."

model
A representational tool used in defining behaviours and characteristics of a thing or system. Also see security model.

multilevel
Used to describe data or devices. Multilevel security allows users at different sensitivity levels to access a system concurrently. The system permits each user to access only the data that he or she is authorized to access. A multilevel device is one on which a number of different levels of data can be processed. Contrast with single-level.

need to know
A security principle stating that a user should have access only to the data he or she needs to perform a particular function.

network
A data communications system that allows a number of systems and devices to communicate with each other.

node
A system connected to a network.

object
From the Orange Book definition: "A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc."

object reuse
Object reuse requirements protect files, memory, and other objects in a trusted system from being accidentally accessed by users who aren't authorized to access them. They address what happens when these objects are reassigned. Object reuse features provide security by ensuring that when an object - for example, a login ID - is assigned, allocated, or reallocated, the object doesn't contain data left over from previous usage. This also includes ensuring that print buffers, print spoolers, disk caches, display buffers, X Window System objects, memory blocks, disk blocks and password buffers are erased.
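The memory-block case of the object reuse requirement, as an added example that is not part of the glossary: a pool of fixed-size blocks is reallocated to a new holder, once without clearing (the previous holder's data is still readable) and once with clearing on reallocation. The pool, block size and the secret written into the block are constructed.

```python
class BlockPool:
    """Fixed-size memory blocks handed out and taken back. With clear_on_realloc
    False the next holder receives whatever the previous holder left behind; with
    it True the block is zeroed before it is handed out again."""
    def __init__(self, nblocks, size, clear_on_realloc):
        self.free = [bytearray(size) for _ in range(nblocks)]
        self.clear = clear_on_realloc

    def alloc(self):
        block = self.free.pop()
        if self.clear:
            block[:] = bytes(len(block))    # erase before reassignment
        return block

    def release(self, block):
        self.free.append(block)             # contents stay as the holder wrote them

def secret_survives_reuse(pool, secret):
    """One holder writes a secret into a block and releases it; the next allocation
    inspects the block. Returns True if the secret is still readable there."""
    block = pool.alloc()
    block[:len(secret)] = secret
    pool.release(block)
    reused = pool.alloc()
    return bytes(reused[:len(secret)]) == secret
```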
one-way encryption
Used in password protection, it means that the password is never decrypted into its original form. It is a means of ensuring that passwords remain confidential within the layers of a system.
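Password storage with one-way protection, as an added example that is not part of the glossary: the stored record holds a random salt and a slow keyed derivation of the password (PBKDF2-HMAC-SHA256), and a login check recomputes the derivation from the candidate and compares it rather than ever recovering the password from the record. The iteration count is a constructed value for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # constructed work factor for this example
SALT_LEN = 16

def store_password(password):
    """Return the record kept by the system: a fresh random salt plus the one-way
    derivation of the password. The password itself is not stored anywhere and
    cannot be computed back from the record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def check_password(record, candidate):
    """Login check: re-derive from the candidate with the stored salt and iteration
    count and compare in constant time. Nothing in the record is decrypted."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```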
open security environment
An environment in which at least one of the following conditions is true:
1. Application developers do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic.
2. Configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of system applications.

operational assurance
Confidence that a trusted system's architecture and implementation enforce the system's security policy. In the Orange Book, the set of operational assurances includes system architecture, system integrity, covert channel analysis, and trusted recovery.

orange book
First released in August of 1983, the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) is commonly referred to as the Orange Book because of the colour of its cover. It is an abstract, very concise description of computer security requirements.