http://jos.org
compiled by Ray Shpeley
© 1997
Department of Defense Trusted Computer System
Evaluation Criteria,
TCSEC DOD 5200.28-STD
for JOS org use only
Networking concerns are covered in a (to be released) companion paper on JOS Red Book Requirements.
Implementation issues and examples of Orange Book requirements are covered in the Rainbow Series of books.
Scaling concerns are important to JOS requirements. JOS must be scalable from minimal security to the Orange Book B1 class (the B1 security class has been chosen as an example security requirement for a JOS intranet/internet server application). At the B2 class and above, documentation, assurance and delivery considerations become predominant. These are outside the current scope of JOS requirements and are mentioned for reference purposes only.
The Orange Book requirements outline only a portion of all available security requirements classes. These classes are diverse, with many overlapping requirements. The Orange Book provides a concise and organized definition of security requirements classes, and for this reason it was chosen as a basis for this reference document. A good understanding of the Orange Book security classes provides a framework for understanding other security requirements classes.
Some JOS requirements dependencies are discussed as requirements considerations.
The glossary contains detailed descriptions of the terms used throughout this document.
Computer security encompasses many aspects of security: locking the computer room and machine, protecting login accounts with passwords, using file protection to keep data from being destroyed, encrypting network communications lines, and using special shields to keep electromagnetic emanations from leaking from the computer. These are all necessary computer security considerations. In contrast, this document focuses on computer system security.
The four primary methods of protection in computer system security are system access controls, data access controls, system security and administration, and system design. Attacks by viruses, worms, trojan horses, bombs, trap doors, spoofs and other forms of malicious logic, while system security issues, are beyond the scope of this document.
The Orange Book defines four broad hierarchical divisions of security protection. In increasing order of trust, they are minimal security, discretionary protection, mandatory protection and verified protection.
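To make the difference between discretionary protection (division C) and mandatory protection (division B) concrete, the following is an added example, not part of the original document and not JOS code: a toy reference monitor in Python that applies a discretionary ACL check alone for division C and adds a non-bypassable labeled check for division B. The label rules follow the Bell-LaPadula model (no read up, no write down), which the TCSEC cites as the reference model for mandatory protection. The users, clearances, categories and files are constructed for the illustration, and the `division` parameter and all function names are this example's own.

```python
"""Toy reference monitor contrasting discretionary (division C) and
mandatory (division B) protection.  Added illustration, not from the
original document.  Mandatory rules follow Bell-LaPadula: a subject may
read an object only if its clearance dominates the object's label, and
may write only if the object's label dominates its clearance.
All subjects, objects and labels below are constructed."""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (constructed set).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # non-hierarchical compartments

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice: level is at least as high
        and the category set is a superset of the other's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # user -> set of modes


@dataclass
class Subject:
    user: str
    clearance: Label


def dac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Discretionary check: the owner, or an explicit ACL grant, decides."""
    if subj.user == obj.owner:
        return True
    return mode in obj.acl.get(subj.user, set())


def mac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Mandatory check: no read up, no write down."""
    if mode == "read":
        return subj.clearance.dominates(obj.label)
    if mode == "write":
        return obj.label.dominates(subj.clearance)
    raise ValueError(f"unknown mode {mode!r}")


def access(subj: Subject, obj: Obj, mode: str, division: str) -> bool:
    """Reference-monitor decision for an evaluation division.
    Division C enforces DAC only.  Division B enforces DAC and MAC, and
    MAC cannot be overridden by a permissive ACL."""
    if division == "C":
        return dac_allows(subj, obj, mode)
    if division == "B":
        return dac_allows(subj, obj, mode) and mac_allows(subj, obj, mode)
    raise ValueError(f"unsupported division {division!r}")


def demo() -> dict:
    """Constructed scenario: alice (SECRET, category NUC) owns a SECRET file
    and grants bob (CONFIDENTIAL) read access through the ACL.  Under C the
    grant is honoured; under B the mandatory policy blocks the read-up
    regardless of the ACL, and alice cannot write down into bob's memo."""
    secret_nuc = Label("SECRET", frozenset({"NUC"}))
    confidential = Label("CONFIDENTIAL")
    alice = Subject("alice", secret_nuc)
    bob = Subject("bob", confidential)
    plans = Obj("plans.txt", "alice", secret_nuc, acl={"bob": {"read"}})
    memo = Obj("memo.txt", "bob", confidential,
               acl={"alice": {"read", "write"}})
    return {
        "bob_reads_plans_C": access(bob, plans, "read", "C"),      # True
        "bob_reads_plans_B": access(bob, plans, "read", "B"),      # False
        "alice_reads_memo_B": access(alice, memo, "read", "B"),    # True
        "alice_writes_memo_B": access(alice, memo, "write", "B"),  # False
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

The point the scenario makes is the one that separates the two divisions: under discretionary protection the owner's ACL grant is the final word, whereas under mandatory protection the label comparison is applied by the system on every access and an owner cannot grant their way around it.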
The purpose of the Orange Book is to outline evaluation criteria with the objectives of measurement, guidance and acquisition. These criteria constitute a uniform set of basic requirements and evaluation classes for assessing the effectiveness of security controls built into systems.
While many efforts have been made in the Orange Book to construct secure operational environments, there is an inherent weakness in the mathematical formal proof concept of the B3 and A1 levels. According to Gödel's Incompleteness Theorem, no algorithm, or calculational procedure, that uses mathematical proofs can prove its own validity. That isn't to say that the formal models of the B3 and A1 levels are not successful - just that they are flawed in their concept.
Security is a human endeavour. As such, when designing secure environments we must be aware that every design will eventually be broken, and that it is vigilance which is the real security.
The O'Reilly and Associates book, Computer Security Basics by Deborah Russell and G. T. Gangemi Sr., is an excellent first resource for computer security. While this document provides an introduction and reference to the Orange Book, the O'Reilly book covers many other salient points not addressed here.
Evaluations must be performed for systems with particular configurations on particular platforms. A system such as UNIX cannot be evaluated apart from its implementation on a particular piece of hardware.
The following chart is adapted from the book, Computer Security Basics, by Deborah Russell and G. T. Gangemi Sr.
| · | no requirements for this class |
| # | new or enhanced requirements for this class |
| * | no additional requirements for this class |
refer to the Orange Book glossary for an explanation of each term