Advanced
We recommend Computer System Security--An Overview as prerequisite reading for this technology description.
Trusted operating systems provide the basic
security mechanisms and services that allow a computer system to protect, distinguish, and separate classified data. Trusted operating systems have been developed since the early 1980s and began to receive National Security Agency (NSA) evaluation in 1984.
Trusted operating systems lower the security risk of implementing a system
that processes classified data. Trusted operating systems implement security
policies and accountability mechanisms in an operating system package. A
security policy is the rules and practices that determine how sensitive
information is managed, protected, and distributed
[Abrams 95]. Accountability mechanisms are the means of identifying and tracing who has had access to what data on the system so they can be held accountable for their actions.
Trusted operating systems are evaluated by the NSA National Computer Security
Center (NCSC) against a series of six requirements-level classes listed in the
table below. C1 systems have basic capabilities; A1 systems provide the most capability. The higher the rating level, the wider the range of classified data that may be processed.
Table 10 below shows the NCSC Evaluation Criteria Classes.

Table 10: NCSC Evaluation Criteria Classes

| Class | Title | Number of Approved Operating Systems in this Class [TPEP 96] |
|-------|-------|--------------------------------------------------------------|
| A1 | Verified Design | 0 |
| B3 | Security Domains | 1 |
| B2 | Structured Protection | 1 |
| B1 | Labeled Security Protection | 7 |
| C2 | Controlled Access Protection | 5 |
| C1 | Discretionary Security Protection | No Longer Evaluated |
A low level (C1 and C2) system provides limited discretionary access controls and identification and authentication mechanisms. Discretionary access controls identify who can have access to system data based on the need to know. Mandatory access controls identify who or what process can have access to data based on the requester having formal clearance for the security level of the data. A low-level system is used when the system only needs to be protected against human error and it is unlikely that a malicious user can gain access to the system.
A higher level (B2, B3, and A1) system provides complete mandatory and
discretionary access control, thorough security identification of data
devices, rigid control of transfer of data and access to devices, and complete
auditing of access to the system and data. These higher level systems are used
when the system must be protected against a malicious user's abuse of
authority, direct probing, and human error
[Abrams 95].
The portion of the trusted operating system that grants requesters access to
data and records the action is frequently called the reference monitor because
it refers to an authorization database to determine if access should be
granted. Higher level trusted operating systems are used in MLS hosts and
compartmented mode workstations (see Computer System Security--An Overview for overview information).
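The reference monitor, authorization database and accountability mechanism described above, as an added illustration that is not code from the page or from any evaluated product: a small Python model in which every access request is checked first against mandatory labels (formal clearance versus data classification, including compartments), then against a discretionary access control list (need to know), and every decision is written to an audit trail so it can be traced later. The classification levels, compartment names, users and objects are constructed for the example; the no-write-down rule on write requests is the standard Bell-LaPadula *-property, which the page alludes to as "rigid control of transfer of data" but does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical hierarchical levels, lowest to highest (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # MLS dominance: at least as high a level and a superset of the compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class AuthorizationDatabase:
    """The authorization database the reference monitor refers to."""
    clearances: Dict[str, Label]                    # subject -> formal clearance (MAC)
    labels: Dict[str, Label]                        # object  -> classification (MAC)
    acls: Dict[str, Dict[str, FrozenSet[str]]]      # object  -> subject -> allowed actions (DAC)


class ReferenceMonitor:
    """Mediates every access and records the decision for accountability."""

    def __init__(self, db: AuthorizationDatabase) -> None:
        self.db = db
        # Audit trail entries: (subject, object, action, decision, reason)
        self.audit_log: List[Tuple[str, str, str, str, str]] = []

    def _mac_permits(self, subject: str, obj: str, action: str) -> bool:
        clearance, label = self.db.clearances[subject], self.db.labels[obj]
        if action == "read":   # no read up: the clearance must dominate the data label
            return clearance.dominates(label)
        if action == "write":  # no write down (Bell-LaPadula *-property)
            return label.dominates(clearance)
        return False           # unknown actions are never permitted

    def _dac_permits(self, subject: str, obj: str, action: str) -> bool:
        # Need to know, as granted by the object's access control list
        return action in self.db.acls.get(obj, {}).get(subject, frozenset())

    def access(self, subject: str, obj: str, action: str) -> bool:
        if subject not in self.db.clearances or obj not in self.db.labels:
            decision, reason = "DENY", "unknown subject or object"
        elif not self._mac_permits(subject, obj, action):
            decision, reason = "DENY", "mandatory policy"
        elif not self._dac_permits(subject, obj, action):
            decision, reason = "DENY", "discretionary policy"
        else:
            decision, reason = "PERMIT", "ok"
        # Every decision, permitted or denied, is recorded so it can be traced to a user
        self.audit_log.append((subject, obj, action, decision, reason))
        return decision == "PERMIT"


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample database: three users, three objects (hypothetical names)."""
    crypto = frozenset({"CRYPTO"})
    db = AuthorizationDatabase(
        clearances={
            "alice": Label("SECRET", crypto),
            "bob": Label("CONFIDENTIAL"),
            "carol": Label("SECRET"),          # cleared SECRET but not for the CRYPTO compartment
        },
        labels={
            "intel_report": Label("SECRET", crypto),
            "ops_plan": Label("CONFIDENTIAL"),
            "public_notice": Label("UNCLASSIFIED"),
        },
        acls={
            "intel_report": {"alice": frozenset({"read", "write"})},
            "ops_plan": {"alice": frozenset({"read"}), "bob": frozenset({"read", "write"})},
            "public_notice": {"alice": frozenset({"read"}), "bob": frozenset({"read"})},
        },
    )
    return ReferenceMonitor(db)


if __name__ == "__main__":
    rm = build_demo_monitor()
    for subj, obj, act in [("alice", "intel_report", "read"),   # permitted
                           ("bob", "intel_report", "read"),     # denied: level too low
                           ("carol", "intel_report", "read"),   # denied: missing compartment
                           ("alice", "ops_plan", "write"),      # denied: would write down
                           ("bob", "ops_plan", "write"),        # permitted
                           ("carol", "ops_plan", "read")]:      # denied: not on the ACL
        rm.access(subj, obj, act)
    for entry in rm.audit_log:
        print("%-6s %-14s %-6s %-7s %s" % entry)
```

The order of the checks matters: mandatory policy is consulted before the discretionary list, so an owner granting read permission on a SECRET file to a CONFIDENTIAL user has no effect, which is exactly the distinction the text draws between the two kinds of control. The audit entries record denials as well as grants, since attempts to reach data above one's clearance are what an accountability review most wants to see.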
Trusted operating systems must be used to implement multi-level security systems and to build security guards that allow systems of different security levels to be connected to exchange data. Use of a trusted operating system may be the only way that a system can be networked with other high security systems. Trusted operating systems may be required if a C4I system processes intelligence data and provides data to war fighters. Department of Defense (DoD) security regulations define what evaluation criteria must be satisfied for a multi-level system based on the lowest and highest classification of the data in a system and the clearance level of the users of the system.

Using an NCSC-evaluated system reduces accreditation cost and risk. The security officer identified as the Designated Approving Authority (DAA) for secure computer systems has the responsibility and authority to review and approve the systems to process classified information. The DAA will require analysis and tests of the system to assure that it will operate securely. The DAA can accept the NCSC evaluation of a system rather than generating the data. For a B3 or A1 system, that can represent a savings of 1 to 2 years in schedule, and the operating system will provide a proven set of functions.
This technology has been implemented by several vendors for
commercial-off-the-shelf (COTS) use in secure systems. As of September 1996,
the NCSC Evaluated Product List indicated that fourteen operating systems have
been evaluated as level C2, B1, B2, and B3 systems in the last three years
[TPEP 96]. The number of operating systems evaluated by class (excluding evaluations of updated versions of operating systems) is included in the table. Use of one of the approved trusted operating systems can result in substantial cost and schedule reductions for a system development effort and provide assurance that the system can be operated securely.
The heavy access control and accounting associated with high security systems can affect system performance; as such, higher performance processors, I/O, and interfaces may be required. Trusted operating systems have unique interfaces and operating controls that require special security knowledge to use and operate. Frequently COTS products that operate satisfactorily with a standard operating system must be replaced or augmented to operate with a trusted operating system.
Trusted operating systems at B2 and above enable the development of system interoperability for systems at different security levels and allow applications to perform data fusion. They are dependent on a trusted computing base that provides secure data paths and protected memory.
This technology is classified under the following categories. Select a
category for a list of related topics.
Name of technology: Trusted Operating Systems
Application category: Trusted Operating Systems (AP.2.4.1)
Quality measures category: Security (QM.2.1.5)
Computing reviews category: Operating System Security and Protection (D.4.6); Computer-Communications Network Security Protection (C.2.0)
[Abrams 95] Abrams, Marshall D.; Jajodia, Sushil; & Podell, Harold J. Information Security: An Integrated Collection of Essays. Los Alamitos, CA: IEEE Computer Society Press, 1995.

[Russel 91] Russel, Deborah & Gangemi, G.T. Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.

[TPEP 96] Trusted Product Evaluation Program Evaluated Product List [online]. Available WWW <URL: http://www.radium.ncsc.mil/tpep/index.html> (1996).

[White 96] White, Gregory B.; Fisch, Eric A.; & Pooch, Udo W. Computer System and Network Security. Boca Raton, FL: CRC Press, 1996.
Tom Mills, Lockheed Martin
10 Jan 97 (original)

The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.
Copyright 2007 by Carnegie Mellon University
URL: http://www.sei.cmu.edu/str/descriptions/trusted_body.html
Last Modified: 11 January 2007