Topic: Trusted Computer System Evaluation Criteria (TCSEC)

[Pez]

Trusted Computer System Evaluation Criteria (TCSEC)

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information.
 
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985, TCSEC was replaced by the Common Criteria international standard originally published in 2005.

Fundamental objectives and requirements
 
The Orange Book or DoDD 5200.28-STD was canceled by DoDD 8500.1 on October 24, 2002.
 
Policy
 
The security policy must be explicit, well-defined and enforced by the computer system. There are two basic security policies:
 Mandatory Security Policy - Enforces access control rules based directly on an individual's clearance, authorization for the information and the confidentiality level of the information being sought. Other indirect factors are physical and environmental. This policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived.
 Marking - Systems designed to enforce a mandatory security policy must store and preserve the integrity of access control labels and retain the labels if the object is exported.
 Discretionary Security Policy - Enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
 
Accountability
 
Individual accountability regardless of policy must be enforced. A secure means must exist to ensure the access of an authorized and competent agent which can then evaluate the accountability information within a reasonable amount of time and without undue difficulty. There are three requirements under the accountability objective:
 Identification - The process used to recognize an individual user.
 Authentication - The verification of an individual user's authorization to specific categories of information.
 Auditing - Audit information must be selectively kept and protected so that actions affecting security can be traced to the authenticated individual.
 
Assurance
 
The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the above requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:
 Assurance Mechanisms
 Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
 Life-cycle Assurance : Security Testing, Design Specification and Verification, Configuration Management and Trusted System Distribution
 Continuous Protection Assurance - The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes.
 
Documentation
 
Within each class there is additional documentation set which addresses the development, deployment and management of the system rather than its capabilities. This documentation includes:
 Security Features User's Guide, Trusted Facility Manual, Test Documentation and Design Documentation
 
Divisions and classes
 
The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.
 
Each division and class expands or modifies as indicated the requirements of the immediately prior division or class.
 
D — Minimal protection
 Reserved for those systems that have been evaluated but that fail to meet the requirements for a higher division
 
C — Discretionary protection
C1 — Discretionary Security Protection Identification and authentication
 Separation of users and data
 Discretionary Access Control (DAC) capable of enforcing access limitations on an individual basis
 Required System Documentation and user manuals
 
C2 — Controlled Access Protection More finely grained DAC
 Individual accountability through login procedures
 Audit trails
 Object reuse
 Resource isolation
 

B — Mandatory protection
B1 — Labeled Security Protection Informal statement of the security policy model
 Data sensitivity labels
 Mandatory Access Control (MAC) over selected subjects and objects
 Label exportation capabilities
 All discovered flaws must be removed or otherwise mitigated
 Design specifications and verification
 
B2 — Structured Protection Security policy model clearly defined and formally documented
 DAC and MAC enforcement extended to all subjects and objects
 Covert storage channels are analyzed for occurrence and bandwidth
 Carefully structured into protection-critical and non-protection-critical elements
 Design and implementation enable more comprehensive testing and review
 Authentication mechanisms are strengthened
 Trusted facility management is provided with administrator and operator segregation
 Strict configuration management controls are imposed
 
B3 — Security Domains Satisfies reference monitor requirements
 Structured to exclude code not essential to security policy enforcement
 Significant system engineering directed toward minimizing complexity
 Security administrator role defined
 Audit security-relevant events
 Automated imminent intrusion detection, notification, and response
 Trusted system recovery procedures
 Covert timing channels are analyzed for occurrence and bandwidth
 An example of such a system is the XTS-300, a precursor to the XTS-400
 

A — Verified protection
A1 — Verified Design Functionally identical to B3
 Formal design and verification techniques including a formal top-level specification
 Formal management and distribution procedures
 An example of such a system is Honeywell's Secure Communications Processor SCOMP, a precursor to the XTS-400
 
Beyond A1 System Architecture demonstrates that the requirements of self-protection and completeness for reference monitors have been implemented in the Trusted Computing Base (TCB).
 Security Testing automatically generates test-case from the formal top-level specification or formal lower-level specifications.
 Formal Specification and Verification is where the TCB is verified down to the source code level, using formal verification methods where feasible.
 Trusted Design Environment is where the TCB is designed in a trusted facility with only trusted (cleared) personnel.


Trusted Computer System Evaluation Criteria (TCSEC) Rainbow Series

The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center.

Objective
 
These standards describe a process of evaluation for trusted systems. In some cases, U.S. government entities (as well as private firms) would require formal validation of computer technology using this process as part of their procurement criteria. Many of these standards have influenced, and have been superseded by, the Common Criteria.
 
The books have nicknames based on the color of its cover. For example, the Trusted Computer System Evaluation Criteria was referred to as "The Orange Book." In the book entitled Applied Cryptography, security expert Bruce Schneier states of NCSC-TG-021 that he "can't even begin to describe the color of [the] cover" and that some of the books in this series have "hideously colored covers." He then goes on to describe how to receive a copy of them, saying "Don't tell them I sent you."

Most significant Rainbow Series books

Rainbow Series

Document                        Title                                                          Date                      Color
5200.28-STD   DoD Trusted Computer System Evaluation Criteria    1983 August 15     Orange Book

CSC-STD-002-85   DoD Password Management Guideline                1985 April 12        Green Book

CSC-STS-003-85   Guidance for applying TCSEC in Specific Environments      1985 June 25    Light Yellow Book

CSC-STS-004-85   Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements      1985 June 25    Yellow Book

NCSC-TG-001    A Guide to Understanding Audit in Trusted Systems     1988 June 1    Tan Book

NCSC-TG-002    Trusted Product Security Evaluation Program       1990 June 22    Bright Blue Book

NCSC-TG-003    Discretionary Access Control in Trusted Systems       1987 September 30   Neon Orange Book

NCSC-TG-004    Glossary of Computer Security Terms     1988 October 21      Teal Green

NCSC-TG-005    Trusted Network Interpretation     1987 July 31      Red Book

NCSC-TG-006    Configuration Management in Trusted Systems     1988 March 28       Amber Book

NCSC-TG-007   A Guide to Understanding Design Documentation in Trusted Systems       1988 October 6   Burgundy Book

NCSC-TG-008   A Guide to Understanding Trusted Distribution in Trusted Systems          1988 December 15   Dark Lavender Book

NCSC-TG-009   Computer Security Subsystem Interpretation of the TCSEC             1988 September 16    Venice Blue Book

NCSC-TG-010   A Guide to Understanding Security Modeling in Trusted Systems                    1992 October        Aqua Book

NCSC-TG-011   Trusted Network Interpretation Environments Guideline (TNI)              1990 August 1        Red Book

NCSC-TG-013   RAMP Program Document             1989              Pink Book

NCSC-TG-013 V2   RAMP Program Document version 2               1995 March 1           Pink Book

NCSC-TG-014   Guidelines for Formal Verification Systems            1989 April 1        Purple Book

NCSC-TG-015  Guide to Understanding Trusted Facility Management    1989 October 18        Brown Book

NCSC-TG-016   Guidelines for Writing Trusted Facility Manuals       1992 October           Yellow-Green Book

NCSC-TG-017   Identification and Authentication in Trusted Systems       1991 September        Light Blue Book

NCSC-TG-018   Object Reuse in Trusted Systems                  1992 July            Light Blue Book

NCSC-TG-019   Trusted Product Evaluation Questionnaire             1992 May 2           Blue Book

NCSC-TG-020   Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System  1989 July 7   Silver Book

NCSC-TG-021   Trusted Database Management System Interpretation of the TCSEC (TDI)         1991 April      Purple Book

NCSC-TG-022   Trusted Recovery in Trusted Systems               1991 December 30        Yellow Book

NCSC-TG-023   Security Testing and Test Documentation in Trusted Systems        1993 July         Bright Orange Book

NCSC-TG-024 Vol. 1/4  Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements  1992 December    Purple Book

NCSC-TG-024 Vol. 2/4  Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work   1993 June 30     Purple Book

NCSC-TG-024 Vol. 3/4  Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description   1994 February 28   Purple Book

NCSC-TG-024 Vol. 4/4  Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document        Publication TBA          Purple Book

NCSC-TG-025  Guide to Understanding Data remanence in Automated Information Systems.              1991 September            Forest Green Book

NCSC-TG-026  Writing the Security Features User's Guide for Trusted Systems             1991 September          Hot Peach Book

NCSC-TG-027  Information System Security Officer Responsibilities for Automated Information Systems           1992 May                    Turquoise Book

NCSC-TG-028 Assessing Controlled Access Protection                  1992 May 25        Violet Book

NCSC-TG-029  Certification and Accreditation Concepts               1994 January         Blue Book

NCSC-TG-030  Covert channel Analysis of Trusted Systems         1993 November      Light Pink Book



In popular culture
 
The 1995 movie Hackers contained a reference to the Rainbow Books that showed Dade naming off a series of six books, the second of them being the Orange Book ("Computer security criteria, DoD standards") and the sixth being the Red Book ("NSA Trusted Networks. Otherwise known as the Ugly Red Book that won’t fit on a shelf") from this series. Phreak called them "those Crayola books" and Cereal replied, "Oh yeah, Technicolor rainbow." However the other books, such as the Peter Norton "pink shirt book", are not part of the Rainbow Series.

[Pez]

This is the base for all who work seriously with computer security.
Perhaps something to pin to the top of the page if it is not to match hardcore.