C2 secure systems and the superuser

Bill Stewart 908-949-0705 erebus.att.com!wcs wcs at cbnewsh.att.com
Sun Mar 17 16:05:40 AEST 1991


In article <19104 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
> Naive users do not fully understand what the difference between a "rated"
> and an "unrated" system is - there are very real differences and

	One of the major differences is that the NCSC doesn't really
	have the resources to formally evaluate every product that wants it
	- you've got to have something new and interesting to offer, 
	and be willing to wait about 1.5 - 2 years AFTER convincing
	them to bother with you, and evaluation is for specific
	hardware configurations as well as software.  

	Most of the market is satisfied with C2 functionality,
	and doesn't really need the NSA Good Housekeeping Seal.
	This is especially important, since adding networking
	affects your Trusted Computing Base, and throws you out into
	uncharted Red Book territory, even at C2 level.
	Most customers would really rather have networking now,
	hopefully with the bigger holes patched, rather than wait
	until the general research problem is solved well enough for
	the NCSC to certify systems.  (Remember that even Verdix is
	just a "component", not a complete system.)

> To continue with the real topic, "C2" is not that "secure" of
> a rating.  If you expect the system to warn you of auditable
> events which might indicate a violation of the security policy
> you have to go to a higher level.  The only rating level between
> "C2" and MS-DOS is "C1".  There are still 3 "B" levels and an
> "A" level above "C2".  The description of "C2" is

	[ C1 + Good Auditing/Accountability + Object Reuse prevention ]

	Well, there's also D level; the TCSEC definition says:
		Level D: Thank you for sharing that. :-)
	All of the levels add increasing amounts of assurance.
	The interesting additions at B1 are Mandatory Access Control -
	you get the equivalent of "Unclassified/Secret/TopSecret",
	with system enforcement so users can't just give stuff away.
	If you trust your users, or don't trust your superuser,
	this doesn't buy you much extra, though you can gain some
	significant protection by giving the system software
	and audit trails their own classification levels, which
	regular users (or bugs) can't touch.

	B2 adds Trusted Path, Covert Channel Analysis, and Least Privilege,
	and starts to feel less like Real Unix, because you don't
	really have One All-Powerful Root any more.  Covert channel
	analysis is a real problem - something that was adequate
	protection on a 1 MIPS box may not do the job on a 200 MIPS
	multi-processor with a 500 MFLOPS add-on vector board.
-- 
				Pray for peace;
					Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# Hacker.  System Designer.  Troublemaker.
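The B1 point above, that the system itself enforces the Unclassified/Secret/TopSecret labels so users cannot simply hand data to a lower level, is easiest to see next to the discretionary (owner/mode-bit) check that C2-style Unix relies on. The following is an added toy example, not code from the original post or from any rated system; it applies the two label rules that TCSEC B1 mandatory access control is built on (no read up, no write down), layered on top of an ordinary discretionary decision. The levels, the "Audit" category and the sample subjects and objects are constructed for illustration.

```python
"""Toy mandatory access control check in the spirit of TCSEC B1 labelling.

Added example (not from the original post).  It models the
Unclassified/Secret/TopSecret hierarchy mentioned in the thread and layers
a mandatory label check on top of the usual discretionary (owner/mode-bit)
decision.  All labels, subjects and objects are constructed sample data.
"""
from dataclasses import dataclass

# Hierarchical levels, lowest first.  Constructed for the example.
LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of categories
    (compartments).  'Audit' below is a constructed example category used to
    give the audit trail its own label, as the post suggests."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when self is at least as high as other: higher-or-equal
        level AND a superset of other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mac_permits(subject, obj, mode, dac_ok=True):
    """Decide an access.  dac_ok stands in for the discretionary check a
    C2-style system already performs (owner, group, mode bits).  The
    mandatory check can only narrow that decision, never widen it.

    mode is 'read' or 'write'.
    """
    if not dac_ok:
        return False                       # DAC already refused
    if mode == "read":
        # Simple security property: a subject may read only objects it
        # dominates (no read up).
        return subject.dominates(obj)
    if mode == "write":
        # *-property: a subject may write only objects that dominate it
        # (no write down), so data cannot flow to a lower label.
        return obj.dominates(subject)
    raise ValueError(f"unknown mode {mode!r}")


def try_declassify_by_copy(user, src, dst):
    """Model 'giving stuff away': read src, then write its contents to dst.
    Under DAC alone the owner of both files could do this; under MAC the
    copy succeeds only if both the read and the write are permitted."""
    return mac_permits(user, src, "read") and mac_permits(user, dst, "write")


if __name__ == "__main__":
    secret_user = Label("Secret")
    secret_file = Label("Secret")
    public_file = Label("Unclassified")
    audit_trail = Label("Secret", frozenset({"Audit"}))

    print("read own-level file:", mac_permits(secret_user, secret_file, "read"))
    print("copy Secret -> Unclassified:",
          try_declassify_by_copy(secret_user, secret_file, public_file))
    print("regular Secret user reads audit trail:",
          mac_permits(secret_user, audit_trail, "read"))
```

Two things the toy makes visible: the downgrade-by-copy attempt fails on the write, not the read, because the destination label does not dominate the subject; and tagging the audit trail with a category no ordinary user holds stops users at the same level from reading it, which is the "own classification level" trick the post describes. Real B1 systems also carry the labels on processes, devices and IPC objects, which this sketch leaves out.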