C2 secure systems and the superuser

Daniel P. Faigin faigin at aerospace.aero.org
Mon Mar 18 12:17:48 AEST 1991


In article <1991Mar17.060540.3911 at cbnewsh.att.com>, wcs at cbnewsh.att.com (Bill
Stewart 908-949-0705 erebus.att.com!wcs) writes: 

> Most of the market is satisfied with C2 functionality, and doesn't
> really need the NSA Good Housekeeping Seal.  

Correction. Most of the COMMERCIAL market. The ratings are there to help the
DoD side of things. This goes along with the Agency's charter. If it ever gets
the budget, the commercial side will probably be happier with NIST.

> This is especially important, since adding networking affects your Trusted
> Computing Base, and throws you out into uncharted Red Book territory, even
> at C2 level.

I wouldn't say the TNI (red book) is uncharted. It is a different way of
thinking. It is charted, as there are evaluations working against it.

> Most customers would really rather have networking now, hopefully with the
> bigger holes patched, rather than wait until the general research problem is
> solved well enough for the NCSC to certify systems.  

The NCSC does not certify systems. That is up to the accrediting agency that
determines that the residual risk for a particular system in a particular
installation is acceptable. The NCSC only rates systems.

As for networks, yes, it is a problem that many systems on the EPL do not
support real-life configurations. Vendors also have to accept a risk when they
go into "uncharted territory". If systems don't get submitted in real-life
configurations, they don't get evaluated in real-life configurations. 

What happens in real-life is that the accreditor must look at the changes to
the system from the EPL configuration, and decide that the risk is acceptable.
For this to be "a good thing", the accreditor must be given (and be capable of
understanding) the nuances of the additional information.

> B2 adds Trusted Path, Covert Channel Analysis, and Least Privilege, and
> starts to feel less like Real Unix, because you don't really have One
> All-Powerful Root any more.

More importantly for Unix, B2 adds requirements in the area of system
architecture that make it difficult, if not impossible, for retrofitted Unix
systems. 

Daniel
--
[W]:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 213/336-8228
[Email]:faigin at aerospace.aero.org               [Vmail]:213/336-5454 Box#3149
"A consensus means that everyone agrees to say collectively what no one 
believes individually" -- Abba Eban
