C2 secure systems and the superuser
Bill Stewart 908-949-0705 erebus.att.com!wcs
wcs at cbnewsh.att.com
Sun Mar 17 16:05:40 AEST 1991
In article <19104 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
> Naive users do not fully understand what the difference between a "rated"
> and an "unrated" system is - there are very real differences and
One of the major differences is that the NCSC doesn't really
have the resources to formally evaluate every product that wants it
- you've got to have something new and interesting to offer,
and be willing to wait about 1.5 - 2 years AFTER convincing
them to bother with you, and evaluation is for specific
hardware configurations as well as software.
Most of the market is satisfied with C2 functionality,
and doesn't really need the NSA Good Housekeeping Seal.
This is especially important, since adding networking
affects your Trusted Computing Base, and throws you out into
uncharted Red Book territory, even at C2 level.
Most customers would really rather have networking now,
hopefully with the bigger holes patched, rather than wait
until the general research problem is solved well enough for
the NCSC to certify systems. (Remember that even Verdix is
just a "component", not a complete system.)
> To continue with the real topic, "C2" is not that "secure" of
> a rating. If you expect the system to warn you of auditable
> events which might indicate a violation of the security policy
> you have to go to a higher level. The only rating level between
> "C2" and MS-DOS is "C1". There are still 3 "B" levels and an
> "A" level above "C2". The description of "C2" is
[ C1 + Good Auditing/Accountability + Object Reuse prevention ]
Well, there's also D level; the TCSEC definition says:
Level D: Thank you for sharing that. :-)
All of the levels add increasing amounts of assurance.
The interesting additions at B1 are Mandatory Access Control -
you get the equivalent of "Unclassified/Secret/TopSecret",
with system enforcement so users can't just give stuff away.
If you trust your users, or don't trust your superuser,
this doesn't buy you much extra, though you can gain some
significant protection by giving the system software
and audit trails their own classification levels, which
regular users (or bugs) can't touch.
B2 adds Trusted Path, Covert Channel Analysis, and Least Privilege,
and starts to feel less like Real Unix, because you don't
really have One All-Powerful Root any more. Covert channel
analysis is a real problem - something that was adequate
protection on a 1 MIPS box may not do the job on a 200 MIPS
multi-processor with a 500 MFLOPS add-on vector board.
--
Pray for peace;
Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# Hacker. System Designer. Troublemaker.
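The B1 mandatory access control described above (labels the system enforces so users cannot give data away, with system software and audit trails at labels ordinary users cannot touch), as an added worked example that is not part of the original post. It models labels as a sensitivity level plus a set of categories and enforces Bell-LaPadula "no read up" for reads; for writes it uses the stricter write-equal rule rather than plain "no write down", an assumption made here so that an audit trail at a high label is neither readable nor appendable by users. All level, category, subject and object names are invented for the illustration.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest first. Assumed names, following the
# post's Unclassified/Secret/TopSecret example with Confidential added.
LEVELS = ("Unclassified", "Confidential", "Secret", "TopSecret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A MAC label: one sensitivity level plus a set of non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if self is at least as high as other in the label lattice:
        equal-or-higher level and a superset of other's categories."""
        return RANK[self.level] >= RANK[other.level] and other.categories <= self.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The reader must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write-equal variant of the *-property (assumption for this example):
    no write down, and no blind write up either. The subject may only
    modify objects at exactly its own label."""
    return subject == obj


def check(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor style decision for one access. mode is 'r' or 'w'."""
    if mode == "r":
        return can_read(subject, obj)
    if mode == "w":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


def declassify_allowed(actor: Label, obj: Label, new: Label, trusted: frozenset) -> bool:
    """Relabelling an object downward is a system decision, not a user decision:
    only a subject running at one of the trusted labels may do it, and only to
    a label the current one dominates."""
    return actor in trusted and obj.dominates(new)


def demo() -> dict:
    """Constructed scenario: a few labelled objects and subjects, and the
    decisions the policy produces for them."""
    U, C, S, TS = LEVELS
    public_note = Label(U)
    system_bin = Label(U)                           # system software: readable by all, writable by nobody cleared higher
    secret_doc = Label(S, frozenset({"PROJ"}))
    audit_log = Label(TS, frozenset({"AUDIT"}))     # only the audit daemon runs at this label

    alice = Label(S, frozenset({"PROJ"}))           # user cleared Secret, project PROJ
    bob = Label(C)                                  # user cleared Confidential only
    auditd = Label(TS, frozenset({"AUDIT"}))        # trusted audit daemon
    declassifier = Label(TS, frozenset({"PROJ"}))   # trusted downgrade role
    trusted = frozenset({declassifier})

    return {
        "alice_reads_secret": check(alice, secret_doc, "r"),              # True
        "alice_writes_own_level": check(alice, secret_doc, "w"),          # True
        "alice_copies_secret_to_public": check(alice, public_note, "w"),  # False: cannot give it away
        "bob_reads_secret": check(bob, secret_doc, "r"),                  # False: no read up
        "alice_reads_system_bin": check(alice, system_bin, "r"),          # True: can run system software
        "alice_trojans_system_bin": check(alice, system_bin, "w"),        # False: a user-level bug cannot alter it
        "alice_reads_audit": check(alice, audit_log, "r"),                # False
        "alice_writes_audit": check(alice, audit_log, "w"),               # False
        "auditd_writes_audit": check(auditd, audit_log, "w"),             # True
        "alice_declassifies": declassify_allowed(alice, secret_doc, public_note, trusted),        # False
        "declassifier_declassifies": declassify_allowed(declassifier, secret_doc, public_note, trusted),  # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the last six decisions is the one the post makes: the protection comes from the kernel consulting labels on every access, so neither a cooperative user nor a buggy program running with that user's clearance can reach the system binaries or the audit trail, and the only way data moves to a lower label is through a trusted subject.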