NCSC-TG-021
Library
No. S235,625
FOREWORD
The National Computer Security Center is
issuing the Trusted Database Management System
Interpretation as part of the Technical Guidelines
Program, through which we produce the "Rainbow Series."
In the Rainbow Series, we discuss in detail the
features of the Trusted Computer System Evaluation
Criteria (DoD 5200.28-STD) and provide guidance for
meeting each requirement. The National Computer
Security Center, through its Trusted Product Evaluation
Program, analyzes the security features of commercially
produced and supported computer systems. Together,
these programs ensure that organizations are capable of
protecting their important data with trusted computer
systems.
The Trusted Database Management System
Interpretation extends the evaluation classes of the
Trusted Computer System Evaluation Criteria to trusted
applications in general, and database management
systems in particular. It serves as an adjunct to the
Trusted Computer System Evaluation Criteria by
providing a technical context for the consideration of
entire systems constructed of parts and by presenting
database-specific interpretation of topics that require
direct comment. Thus, it is relevant to applications
which support sharing of computer services and
resources, and which enforce access control policies.
More specifically, it provides insight into the the
design, implementation, evaluation, and accreditation
of database management systems.�
This document will be used for at least one
year after the date of signature. During this period
the NCSC will gain experience using the Trusted
Database Management Systems Interpretation in several
evaluations and continue to receive comments on issues
of technical accuracy, clarity of exposition, and
utility. After this trial period, necessary changes
will be made and a revised version issued.
_____________
PATRICK R. GALLAGHER, JR.
April 1991
Director National Computer Security Center
ACKNOWLEDGMENTS
This document represents the combined effort
of participants from the research community, industry,
and government working over several years. Three major
drafts and numerous intermediary versions were
produced, reviewed, and commented upon. To name all
the contributors would be impossible. To single out a
few would be to slight a host of others who gave
unstintingly of their time and talent. To all those
who contributed to the development and refinement of
the fundamental concepts, contributed to the
development of the several predecessor versions, and�
who contributed valuable personal time and invaluable
experience in reviewing and commenting on the previous
versions, thanks is extended.
TABLE OF CONTENTS
FOREWORD i
ACKNOWLEDGMENTS iii
INTRODUCTION 1
HISTORICAL PERSPECTIVE 1
SCOPE 2
PURPOSE 2
STRUCTURE OF THE DOCUMENT 4
PART 1 TECHNICAL CONTEXT 7
TC-1 INTRODUCTION 9
TC-2 REFERENCE MONITOR PERSPECTIVE 10
TC-3 NEED FOR EVALUATION BY PARTS 11
TC-4 TCB SUBSETS 11
TC-4.1 INTRODUCTION 12
TC-4.2 TCB SUBSETS CONTEXT 13
TC-4.2.1 DEFINITION OF TCB SUBSETS 13
TC-4.2.2 MOTIVATION 13
TC-4.3 CONDITIONS FOR EVALUATION BY PARTS 14
TC-4.3.1 CANDIDATE TCB SUBSETS 14
TC-4.3.2 POLICY ALLOCATION 15
TC-4.3.3 TRUSTED SUBJECTS INCLUDED 15
TC-4.3.4 TCB SUBSET STRUCTURE 15
TC-4.3.5 SEPARATE SUBSET-DOMAINS 16
TC-4.3.6 SUPPORT FOR RVM ARGUMENTS 16
TC-4.4 EVALUATION ALTERNATIVES 17
TC-5 GENERAL INTERPRETED REQUIREMENTS 18
TC-5.1 OVERVIEW 18
TC-5.2 DETAILED REQUIREMENTS 18
TC-5.2.1 SECURITY POLICY 18
TC-5.2.1.1 Discretionary Access Control 18
TC-5.2.1.2 Object Reuse 18
TC-5.2.1.3 Labels 19
TC-5.2.1.4 Mandatory Access Control 20
TC-5.2.2 ACCOUNTABILITY 20�
TC-5.2.2.1 Identification and Authentication 20
TC-5.2.2.2 Audit 21
TC-5.2.3 ASSURANCE 22
TC-5.2.3.1 Operational Assurance 22
TC-5.2.3.2 Life-Cycle Assurance 23
TC-5.2.4 DOCUMENTATION 24
TC-5.2.4.1 Security Features User's Guide 24
TC-5.2.4.2 Trusted Facility Manual 25
TC-5.2.4.3 Test Documentation 26
TC-5.2.4.4 Design Documentation 26
TC-5.3 SUMMARY OF THE REQUIREMENTS 26
TC-5.3.1 LOCAL REQUIREMENTS 26
TC-5.3.2 GLOBAL REQUIREMENTS 27
TC-6 DESIGN CHOICES 28
TC-6.1 OVERVIEW 28
TC-6.2 A SINGLE TCB SUBSET 28
TC-6.2.1 ANALYSIS OF THE CONDITIONS 28
TC-6.2.1.1 Condition 1: Candidate TCB Subsets 28
TC-6.2.1.2 Condition 2: Policy Allocation 29
TC-6.2.1.3 Condition 3: Trusted Subjects Included 29
TC-6.2.1.4 Condition 4: TCB Subset Structure 29
TC-6.2.1.5 Condition 5: Separate Subset-Domains 29
TC-6.2.1.6 Condition 6: Support for RVM Arguments 29
TC-6.2.2 EVALUATION CONSEQUENCES 29
TC-6.3 TWO TCB SUBSETS,MEETING THE CONDITIONS 30
TC-6.3.1 ANALYSIS OF THE CONDITIONS 30
TC-6.3.1.1 Condition 1: Candidate TCB Subsets 30
TC-6.3.1.2 Condition 2: Policy Allocation 31
TC-6.3.1.3 Condition 3: Trusted Subjects Included 31
TC-6.3.1.4 Condition 4: TCB Subset Structure 31
TC-6.3.1.5 Condition 5: Separate Subset-Domains 31�
TC-6.3.1.6 Condition 6: Support for RVM Arguments 31
TC-6.3.2 EVALUATION CONSEQUENCES 32
TC-6.4 TWO TCB SUBSETS, NOT MEETING THE CONDITIONS 33
TC-6.4.1 ANALYSIS OF THE CONDITIONS 34
TC-6.4.1.1 Condition 1: Candidate TCB Subsets 34
TC-6.4.1.2 Condition 2: Policy Allocation 34
TC-6.4.1.3 Condition 3: Trusted Subjects Included 34
TC-6.4.1.4 Condition 4: TCB Subset Structure 35
TC-6.4.1.5 Condition 5: Separate Subset-Domains 35
TC-6.4.1.6 Condition 6: Support for RVM Arguments 35
TC-6.4.2 EVALUATION CONSEQUENCES 35
TC-6.5 SUMMARY 36
PART 2 INTERPRETED REQUIREMENTS 37
IR-1 OVERVIEW AND CONTEXT 39
IR-2 SUMMARY OF THE INTERPRETATIONS 39
IR-2.1 SECURITY POLICY 39
IR-2.1.1 DISCRETIONARY ACCESS CONTROL 39
IR-2.1.2 OBJECT REUSE 40
IR-2.1.3 LABELS 40
IR-2.1.4 MANDATORY ACCESS CONTROL 40
IR-2.2 ACCOUNTABILITY 40
IR-2.2.1 IDENTIFICATION AND AUTHENTICATION 40
IR-2.2.2 AUDIT 40
IR-2.3 ASSURANCE 40
IR-2.3.1 OPERATIONAL ASSURANCE 40
IR-2.3.1.1 System Architecture 40
IR-2.3.1.2 System Integrity 40
IR-2.3.1.3 Covert Channel Analysis 41
IR-2.3.1.4 Trusted Facility Management 41
IR-2.3.1.5 Trusted Recovery 41
IR-2.3.2 LIFE CYCLE ASSURANCE 41
IR-2.3.2.1 Security Testing 41
IR-2.3.2.2 Design Specification and Verification 41�
IR-2.3.2.3 Configuration Management 41
IR-2.3.2.4 Trusted Distribution 41
IR-2.4 DOCUMENTATION 42
IR-2.4.1 SECURITY FEATURES USER'S GUIDE 42
IR-2.4.2 TRUSTED FACILITY MANUAL 42
IR-2.4.3 TEST DOCUMENTATION 42
IR-2.4.4 DESIGN DOCUMENTATION 42
IR-3 LABELS 42
IR-3.1 GENERAL DISCUSSION 42
IR-3.2 SPECIFIC INTERPRETATIONS 43
IR-4 AUDIT 44
IR-4.1 GENERAL DISCUSSION 44
IR-4.2 SPECIFIC INTERPRETATIONS 45
IR-5 SYSTEM ARCHITECTURE 47
IR-5.1 GENERAL DISCUSSION 47
IR-5.2 SPECIFIC INTERPRETATIONS 47
IR-6 DESIGN SPECIFICATION AND VERIFICATION 48
IR-6.1 GENERAL DISCUSSION 48
IR-6.2 SPECIFIC INTERPRETATIONS 52
IR-7 DESIGN DOCUMENTATION 55
IR-7.1 GENERAL DISCUSSION 55
IR-7.2 SPECIFIC INTERPRETATIONS 56
APPENDIX A 59
CLASS (C1): 62
C1-1 SECURITY POLICY 62
C1-2 ACCOUNTABILITY 62
C1-3 ASSURANCE 62
C1-4 DOCUMENTATION 63
CLASS (C2): 66
C2-1 SECURITY POLICY 66
C2-2 ACCOUNTABILITY 66
C2-3 ASSURANCE 67
C2-4 DOCUMENTATION 68
CLASS (B1): 70
B1-1 SECURITY POLICY 70
B1-2 ACCOUNTABILITY 71
B1-3 ASSURANCE 73
B1-4 DOCUMENTATION 74
CLASS (B2): 77�
B2-1 SECURITY POLICY 77
B2-2 ACCOUNTABILITY 79
B2-3 ASSURANCE 81
B2-4 DOCUMENTATION 85
CLASS (B3): 89
B3-1 SECURITY POLICY 89
B3-2 ACCOUNTABILITY 91
B3-3 ASSURANCE 93
B3-4 DOCUMENTATION 98
CLASS (A1): 102
A1-1 SECURITY POLICY 102
A1-2 ACCOUNTABILITY 104
A1-3 ASSURANCE 106
A1-4 DOCUMENTATION 112
APPENDIX B 117
1. PERSPECTIVE ON ASSURANCE 119
2. PROCUREMENT OPTIONS 120
3. ALTERATION OF PREVIOUSLY EVALUATED TCB 122
4. SATISFYING RVM REQUIREMENTS 125
5. SUBSET DEPENDENCY 127
6. TAMPER RESISTANCE ARGUMENTS 131
7. RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS 132
8 CONTENT-DEPENDENT AND CONTEXT-DEPENDENT
ACCESS CONTROL 136
9. BULK LOADING OF A DATABASE 137
10. LOCAL ANALYSIS IN SYSTEM ASSESSMENT 137
11. RATING MORE COMPLEX SYSTEMS 139
GLOSSARY 141
BIBLIOGRAPHY 145
INTRODUCTION
HISTORICAL PERSPECTIVE
The Department of Defense Trusted Computer System
Evaluation Criteria (TCSEC), published in 1983 as
CSC-STD-001-83, consolidates knowledge about the degree
of trust one can place in a computer system to protect
sensitive information and organizes this knowledge into
usable criteria for system evaluation. The TCSEC was
republished as a DoD standard, DoD-5200.28-STD, in
December 1985 to provide a means of evaluating specific
security features and assurances available in "trusted,
commercially available automatic data processing system
The TCSEC's rating scale extends from a
minimal to a high level of trust with advanced security
features and sophisticated assurance measures.
Specific criteria determine each rating level and guide
system builders and evaluators in determining the level
of trust provided by specific systems. When the rating
levels are combined with environmental guidelines and
minimum security protection requirements, accreditation
decisions for specific installations can be made.
The philosophy of protection embodied in the
TCSEC requires that the access of subjects (i.e.,
processes in a domain) to objects (i.e., containers of
information) be mediated in accordance with an explicit
and well-defined security policy. At the higher
criteria classes, the "reference monitor concept" [1]
is an essential part of the system and the security
policy is modeled. There are several security policy
models that represent the desired behavior of a
reference monitor. The Bell-La Padula model [4-6] and
its Multics interpretation [3] are commonly used, but
not mandated.
The computer security research and
development that underpin the TCSEC began in the late
1960s and concentrated on secure operating systems. By
the early 1970s initial worked examples had provided a
substantial amount of information about building trust
into operating systems. Research continued throughout�
the 1970s to refine mechanisms, features, and
assurances needed to provide trusted operating systems.
Multilevel database management security
received far less research and development attention
than did secure operating systems. This was primarily
due to the perception that one could not credibly
implement a multilevel secure database management
system (DBMS) on top of an untrusted operating system
base. However, some research in multilevel secure
DBMSs (mostly theoretical) was conducted during the
1970s [15-16], and research has continued to the
present [9-14, 17-19, 22, 25-28]. By the mid 1980s,
commercially developed, trusted operating systems were
becoming available that could provide the basis for
hosting secure applications such as multilevel secure
DBMSs.
In June 1986, the National Computer Security
Center (NCSC) initiated its efforts to address the
evaluation of trusted database management systems with
an Invitational Workshop in Baltimore, Maryland.
Representatives from the research, database vendor,
commercial, and government communities met to address
issues of database management security. The attendees
met to discuss aspects of trust (defined by the TCSEC)
that were sufficiently well defined and capable of
producing repeatable and objective assessments. The
NCSC invited issue papers and prepared a discussion
agenda. The issue papers and the subcommittee
summaries were published as the Proceedings of the
National Computer Security Center Invitational Workshop
on Database Security [20].
As an outgrowth of this workshop, the NCSC
undertook the task of preparing this Trusted Database
Management System Interpretation (TDI) of the TCSEC to
focus on the special problems posed by DBMSs. A
working group was assembled to draft this
Interpretation. Three drafts were produced, with
extensive community review and public discussion. This
Interpretation is the result of the interaction within�
the general computer security and database management
communities.
SCOPE
The interpretations in this document are
intended to be used in conjunction with the TCSEC
itself; they apply to application-oriented software
systems in general, and database management systems
(DBMSs) in particular. Although the interpretations,
as noted, are general enough to apply to any software
system which supports sharing and needs to enforce
access control (e.g., transaction processing systems,
electronic mail systems), in the interest of
simplicity, the discussion, and thus the terminology,
will be directed toward DBMSs.
The interpretations are intended to be
applied primarily to commercially developed trusted
DBMSs, but can also be applied to the evaluation of
existing non-commercial DBMSs and to the specification
of security requirements for DBMS acquisitions.
PURPOSE
This Interpretation of the TCSEC has been
prepared for the following purposes:
To provide a standard to manufacturers for
security features to build into their new and planned commercial
products in order to provide widely available systems that satisfy
trust requirements (with particular emphasis on preventing the
disclosure of data) for sensitive applications,
�
To provide a metric with which to evaluate
the degree of trust that can be placed in computer systems for the
secure processing of classified and other sensitive information,
and
To provide a basis for specifying security
requirements in acquisition specifications.
With respect to the second purpose for
development of the criteria, i.e., providing a security
evaluation metric, evaluations can be delineated into
two types: (1) evaluations performed on a computer
product from a perspective that excludes the
application environment; or, (2) evaluations to assess
whether appropriate security measures have been taken
to permit the system to be used operationally in a
specific environment. The former type of evaluation is
done by the National Computer Security Center (NCSC)
through the Trusted Product Evaluation Program and is
called "formal product evaluation."
The latter type of evaluation, that is, one
done for the purpose of assessing a system's security
attributes with respect to a specific operational
mission, is known as a "certification evaluation." A
formal product evaluation does not constitute
certification or accreditation for the system to be
used in any specific application environment. The
system security certification and the formal
approval/accreditation procedure, done in accordance
with the applicable policies of the issuing agencies,
must still be followed before a system can be approved
for use in processing or handling sensitive or
classified information. Designated Approving
Authorities (DAAs) remain ultimately responsible for
specifying the security of systems they accredit.
3�
The TCSEC and this Interpretation will be
used directly and indirectly in the certification
process. Along with applicable policy, they will be
used directly as technical guidance for evaluation of
the total system and for specifying system security and
certification requirements for new acquisitions. Where
a system being evaluated for certification employs a
product that has undergone a formal product evaluation,
reports from that process will be used as input to the
certification evaluation. Moreover, the National
Security Agency plans to publish additional guidelines
to assist certifiers and help ensure consistency in
certifications of systems processing national security
informantion.
STRUCTURE OF THE DOCUMENT
The remainder of the TDI is divided into two
parts, plus two appendices and a glossary.
PART 1, "TECHNICAL CONTEXT," presents general
information about the evaluation of trusted systems
that are constructed of several parts. This discussion
is critical to trusted DBMSs built upon trusted
operating systems, but is not limited to DBMSs only.
It is included in the TDI because it is not currently
available in any previously published document. This
section reviews the central reference monitor concept,
explains the need to evaluate a system built of
well-defined parts, and develops the concept of TCB
subsets. TCB subsets provide a way of splitting a
total TCB along access control policy lines such that
an evaluation by parts can be undertaken. PART 1
concludes with an interpretation of those TCSEC
requirements which are relevant to an evaluation by
parts, and a description of the process of evaluation
by parts.
PART 2, "INTERPRETED REQUIREMENTS," provides
interpretions of those TCSEC requirements that are
either specific to DBMSs (or applications in general),�
or are particularly relevant to DBMSs. The number of
requirements that are treated explicitly is relatively
small, because many of the TCSEC requirements apply as
stated to database management systems. The
requirements treated explicitly are labels, audit,
system architecture, design specification and
verification, and design documentation.
Appendix A summarizes the interpreted
requirements for each TCSEC class and is intended to
provide an easy reference for those requiring a listing
of requirements for a specific class (e.g., B2).
Appendix B provides discussion of several topics not
directly tied to the requirements levied on trusted
DBMSs by the interpretation of the TCSEC requirements.
The TDI proper will be supplemented by a
Companion Document Series (CDS). The CDS will address
a wide spectrum of issues related to trusted DBMSs but
which are beyond the scope of this document. Community
debate about on-going topics of interest will probably
result in gradual extensions of what is known about
trusted DBMSs. Thus, volumes in the CDS will be issued
both regularly (to document the state of the community
debate) and by exception (to record new problems and
new solutions).
PART 1
TECHNICAL CONTEXT
7
TC-1 INTRODUCTION
Modern computing systems are rarely conceived
and built by a single organization. Rather, the rule
is that systems are constructed by assembling
parts?hardware, firmware, and software?produced
independently by various organizations or vendors.
This fact introduces a fundamental difficulty into the�
task of evaluating a "system" for conformance to the
trust requirements of the Trusted Computer System
Evaluation Criteria (TCSEC). [8] This difficulty stems
from the fact that assessment (either evaluation of a
product or certification of a system) entails a global
perspective of the entire system under consideration.
There are not yet widely accepted methods of factoring
the various aspects of a trust assessment and then
reassembling the results into a statement about the
whole.
These conflicting perspectives of local
production and global evaluation analysis are
particularly evident in the field of database
management, but they are by no means limited to that
field. Thus the publication of this Interpretation
requires consideration of how to deal with systems
built in parts in the absence of a general treatment of
the topic. On the other hand, any treatment of the
issue in the context of trusted database management
will have significant influence in other fields where
the same or similar problems arise, just because of
community review and NCSC publication. The approach
taken in this document is to address the issues of
evaluating systems built of parts in a way that is
independent of the field of trusted database
management. This conscious attitude of generality is
intended to make clear the distinction between the
larger system-of-parts issues and the more specific
DBMS issues.
PART 1, "TECHNICAL CONTEXT," is divided into
six sections. Section TC-2, "Reference Monitor
Perspective," summarizes the role of the reference
monitor concept in both the TCSEC and the assessing of
a system for its trust characteristics. Section TC-3,
"Need for Evaluation by Parts," deals with the need to
extend the reference monitor perspective slightly to
begin to address the evaluation of systems constructed
of separate parts. Section TC-4, "TCB Subsets," is the
heart of PART 1. That section introduces a�
conservative extension to the reference validation
mechanism, TCB subsets. This extension provides the
basis for being able to undertake evaluation of systems
built in parts in a way that allows re-use of the
results of separate evaluations (whether those
evaluations were performed before the current
evaluation was begun or whether the separate
evaluations overlap in time). Section TC-5, "General
Interpreted Requirements," outlines the application of
the TCSEC requirements to individual TCB subsets when
an evaluation by parts is being done. Section TC-6,
"Design Choices" describes the general process of
applying TCB subsets and meeting the conditions for
evaluation by parts. The treatment in this section is
general and not limited to DBMSs; DBMS-specific issues
are discussed in the appendices.
TC-2 REFERENCE MONITOR PERSPECTIVE
Building or evaluating a system for
compliance with the requirements of a particular class
in the TCSEC is based on the perspective of the Trusted
Computing Base (TCB). The notion of the TCB is central
to the entire concept of assessing systems for trust.
The reference monitor described in the Anderson report
[1] is the basis of the notion of a TCB, as described
in the TCSEC:
For convenience, these evaluation criteria
use the term Trusted Computing Base to refer to the
reference validation mechanism, be it a security
kernel, front-end security filter, or the entire
trusted computer system. [8, p. 67]
Even in those lower classes (below B2) where
the reference monitor concept and reference validation
mechanisms are not mentioned explicitly, the
perspective of the reference monitor and its
implementation as a reference validation mechanism is
present. Specifically, there are requirements for (1)
identifying the policy being enforced, (2) identifying�
subjects and objects, (3) providing evidence that the
operation of the reference validation mechanism matches
the high-level description of the user interface, and
(4) demonstrating isolation of the TCB.
Therefore, all TCSEC evaluations share the
initial conceptual steps of identifying the mediation
policy, the subjects, and the objects. Starting from a
global system perspective, the initial step is to
identify the access mediation policy that will be
enforced. One must then identify those active system
entities that are candidates for being the "subjects"
whose access to objects the TCB will mediate.
Similarly, one must identify those passive entities,
those data repositories, that are candidates for being
the "objects," access to which the TCB will mediate.
As usual, the existence of an abstraction
within a system does not make it necessarily a
reference-monitor object, i.e., one visible at the TCB
interface. This is because the TCB will make use of
system abstractions for both its internal processes and
its storage requirements. Those entities, while being
stored in system "objects," will not be available to
untrusted processes (that is, they are not exported by
the TCB). Thus the analytical, iterative step is the
separation of candidate subjects and objects into those
that are mediated by the TCB and those that are not.
The various trust classes include
requirements, at varying levels of completeness and
rigor, that the basic reference monitor perspective of
mediating access of subjects to objects be implemented
in a correct, self-protecting, and non-bypassable
manner. The core requirements of the TCSEC classes
focus on these reference monitor imperatives. The
increasingly strict requirements for visibility into
the system design and implementation (structure,
documentation, testing, configuration, and distribution
requirements) all support the notion of checking the
system's conformance to its identified intent with
regard to the subjects, objects, and policy.�
TC-3 NEED FOR EVALUATION BY PARTS
The need to be able to evaluate and certify
systems built in parts is increasingly evident. This
need is seen in a variety of contexts:
The need to evaluate and certify systems
built out of parts sold by different vendors, a
situation especially prevalent in the field of trusted
DBMSs.
The need to re-assess systems that have
undergone either small- or large-scale improvements and
are already evaluated and placed on the Evaluated
Products List (EPL).
The general problem of "families of
systems," systems that exist on a spectrum of hardware
bases or that can be customized for a user's specific
needs.
In all such cases, two related versions of a
system are largely similar. It should be possible to
undertake evaluations and certifications in such a way
that the entire assessment does not have to be re-done
for every slight variation that appears. The current
state of technology, however, places limitations on
what can be accomplished in this regard; it is not
currently possible to determine the trust
characteristics of a system on the basis of an
arbitrary collection of subparts. The overall task of
trust assessment entails so many interrelated subtasks
that the ability to separate and reassemble is not well
understood.
In this circumstance of needing to be able to
accommodate evaluation of a system built in parts and
the lack of consensus about how this can be done in a
technically sound fashion, a conservative approach must
be adopted. The following are required: (1) a clear
description of what "parts" will be considered for
separate evaluation; (2) a clear description of the�
conditions under which such an evaluation by parts will
be undertaken; and (3) a general interpretation of
TCSEC requirements as they would apply when a system is
being evaluated by parts. The "parts" that will be
considered by separate evaluation are called "TCB
subsets," the topic of Section TC-4 below.
TC-4 TCB SUBSETS
TC-4.1 INTRODUCTION
To attempt an evaluation of a TCB by
splitting it into parts, there must be available a
precise definition of what parts are candidates for
separate evaluation (that is, for evaluation by parts)
as well as any other conditions that must be satisfied
before an evaluation by parts will be undertaken. This
section defines "TCB subset" as a strict and
conservative extension of the traditional concept of
the reference validation mechanism (RVM) as a method of
delineating which parts of a TCB can be candidates for
separate evaluation. The definition of TCB subsets, as
well as explanatory and motivational material, is
included below in Section TC-4.2, "TCB Subsets
Context." Section TC-4.3 addresses the conditions that
must be satisfied by a TCB divided into a set of TCB
subsets before evaluation by parts will be undertaken.
These conditions assure that the structure of and
relationships among TCB subsets will satisfy TCSEC
requirements, especially those derived from the
reference monitor concept.
TC-4.2 TCB SUBSETS CONTEXT
TC-4.2.1 DEFINITION OF TCB SUBSETS
A TCB subset M is a set of software,
firmware, and hardware (where any of these three could�
be absent) that mediates the access of a set S of
subjects to a set O of objects on the basis of a stated
access control policy P and satisfies the properties:
1) M mediates every access to objects in O by
subjects in S;
2) M is tamper resistant; and
3) M is small enough to be subject to
analysis and tests, the completeness of which can be
assured.
M uses resources provided by an explicit set
of more primitive TCB subsets to create the objects of
O, create and manage its data structures, and enforce
the policy P. If there are no TCB subsets more
primitive than M, then M uses only hardware resources
to instantiate its objects, to create and manage its
own data structures, and to enforce its policy.
The above definition does not explicitly
prohibit an access control policy P that allows trusted
subjects. The implications for the evaluation process
when a TCB subset's policy allows or does not allow
such trusted subjects are substantial and are discussed
in Section TC-6.4. As described in TC-4.3, one of the
conditions for an evaluation by parts of a TCB made up
of TCB subsets is that all the trusted subjects of each
TCB subset be included in that TCB subset.
TC-4.2.2 MOTIVATION
The definition of "TCB subset" is intended to
parallel the definitions of the reference monitor and
reference validation mechanism found in the Anderson
report [1] and included in the TCSEC itself. "The term
Trusted Computing Base [refers] to the reference
validation mechanism, be it security kernel, front-end
security filter, or the entire trusted computer
system." [8, p. 67] "TCB subset" is defined exactly
like a reference validation mechanism, with only one
difference, that it does not necessarily extend to the
hardware. Rather, a TCB subset uses either hardware�
resources or the resources provided by other, more
primitive TCB subsets. Thus TCB subsets build on
abstract machines, either physical hardware machines or
other TCB subsets. Just like reference validation
mechanisms, a TCB subset must enforce a defined access
control policy.
TC-4.3 CONDITIONS FOR EVALUATION BY PARTS
Building or evaluating a system using the
definition of TCB subsets in the section above requires
meeting six conditions in addition to demonstrating
that the candidate TCB subsets satisfy the properties
appropriate to the evaluation target class. The
conditions are as follows:
The candidate TCB subsets are
identified;
The system policy is allocated to
the candidate TCB subsets;
Each candidate TCB subset M[i]
includes all the trusted subjects with respect to
its technical policies P[i];
The TCB subset structure or
architecture is explicitly described;
Each TCB subset occupies distinct
subset-domains; and
The more primitive TCB subsets
provide support for the RVM arguments for less primitve TCB
subsets.
These conditions are described below.
TC-4.3.1 CANDIDATE TCB SUBSETS
The first condition is that the relevant
elements of each candidate TCB subset M[i] be�
identified. The hardware, firmware, and software which
compose the TCB subset need to be clearly identified,
along with the subjects and objects. In terms of
Section TC-4.2.1, this condition is the identification
of M[i], S[i], and O[i]. There may be no objects
mediated by more than one TCB subset. That is, there
cannot be an object O that is both in O[i] and O[j].
TC-4.3.2 POLICY ALLOCATION
The next condition is policy allocation, the
description of the technical policy P[i] for each
identified M[i] along with the relation of these
policies to the system policy P. The policies P[i]
will be expressed in terms of subjects in S[i] and
objects in O[i]. Thus, to satisfy the TCSEC
requirement that the (composite) TCB enforce its stated
policy P, each rule in P must be traceable through the
structure of the candidate TCB subsets to the TCB
subset(s) where that enforcement occurs. See Sections
TC-5.2.1.1 and TC-5.2.1.4.
TC-4.3.3 TRUSTED SUBJECTS INCLUDED
Every trusted subject with respect to P[i]
must be part of the TCB subset M[i]. This condition
makes possible separate evaluation of TCB subsets with
respect to "local" requirements. When this condition
is not met, evaluation of candidate TCB subsets cannot
be guaranteed on an evaluation by parts basis. This
situation is treated in Section 6.4.
TC-4.3.4 TCB SUBSET STRUCTURE
The TCB subsets will exhibit a structure
based on the ordering implied by dependency. TCB
subset A is less primitive than TCB subset B if (a) A
directly depends on B or (b) a chain of TCB subsets
from A to B exists such that each element of the chain
directly depends on its successor in the chain. In
this case we use the phrase "TCB subset B is more
primitive than TCB subset A" synonymously.�
The sense of "directly depend" in (a) is
exactly the following: it is not possible to verify
the implementation of A with respect to its
specification without a statement about the
specification of B.
More precisely, for a candidate TCB subset M,
let sM denote the specification of M. The
specification will include, as a minimum, the statement
of the technical policy P of M. Further, let vM denote
the (engineering) demonstrations of the correct
implementation of M with respect to its specification.
A (candidate) TCB subset A "depends (for its
correctness)" on (candidate) TCB subset B if and only
if the arguments of vA assume, wholly or in part, that
sB has been implemented correctly. (See Appendix B,
item 5 for additional discussion.)
The proposed structure of TCB subsets has to
be identified. The order must be a partial order.
(Without a partial order, there could be circular
chains of dependencies that would inhibit separate
evaluations of the TCB subsets.)
TC-4.3.5 SEPARATE SUBSET-DOMAINS
The candidate TCB subsets must operate in
near isolation from each other, with the only
interaction between them being that explicitly asserted
as part of the interface. In the case of reference
monitors, many existing implementations have relied on
the domain concept [23] which supports the assertions
of non-bypassability and self protection. A natural
extension of the domain concept will be required for
isolation of TCB subsets from each other and from
non-TCB entities.
A subset-domain is a set of system domains.
Each candidate TCB subset must occupy a distinct
subset-domain such that modify-access to a TCB subset's
subset-domain is permitted only to that TCB subset and�
(possibly) to more primitive TCB subsets. This
requirement ensures that the structure of
subset-domains with respect to access is consonant with
the dependency relation among TCB subsets.
TC-4.3.6 SUPPORT FOR RVM ARGUMENTS
Candidate TCB subsets must satisfy the three
RVM properties included in the definition in TC-4.2.1
in order to complete evaluation by parts successfully.
TCB subsets that build on resources and functionality
provided by more primitive TCB subsets must rely on
assured and evaluatable characteristics of those more
primitive TCB subsets. A convincing argument must be
advanced that the features, characteristics, and
assurances provided by the more primitive TCB subsets
are capable of supporting RVM arguments for the less
primitive TCB subsets.
The first property (mediating every access)
requires that there is no way of bypassing the
mediation provided by TCB subset M for its objects,
either directly or by unexpected side-effects of
interactions with other TCB subsets. A variety of
approaches could suffice for demonstrating this
property.
The second property (tamper resistance)
requires that the policy-critical code and data for the
less primitive TCB subset be protected from any
alteration not specifically allowed by the TCB subset.
A variety of approaches could suffice for demonstrating
this property.
The third property (completeness of testing
and analysis for correctness) requires the
(engineering) demonstrations vM[i] of the correctness
of each less primitive candidate TCB subset M[i]. A
convincing argument must therefore be advanced that the
specifications sM[k] for all of the more primitive TCB
subsets M[k] on which M[i] depends will suffice for
establishing vM[i].�
TC-4.4 EVALUATION ALTERNATIVES
As noted earlier, the need to evaluate
systems whose elements are developed separately,
possibly by independent developers, results in the need
to define TCB subsets. That is not to say, however,
that design by TCB subsetting and the subsequent
evaluation by parts are the only alternatives. Rather,
there are three distinct possibilities.
A system TCB, regardless of any internal
structure, may be viewed as a single entity. In such a
case, the evaluation may proceed essentially as an
evaluation against the TCSEC. This case is examined in
Section TC-6.2.
A system TCB may be presented as a subsetted
architecture composed of a number of candidate TCB
subsets. Given that each of the candidate TCB subsets
satisfies the conditions set forth in Section TC-4.3,
an evaluation by parts is possible. This case is
described in Section TC-6.3.
It may be possible to satisfy only some of
the conditions for evaluation by parts. This situation
might arise when a previously evaluated TCB or TCB
subset is modified to accommodate the policy-enforcing
elements of a new application layer. A special case of
this situation is described in Section TC-6.4. In such
cases, depending upon the particulars, it may be
possible to realize some of the savings in evaluation
effort. However, no general statements can be made for
these cases.
TC-5 GENERAL INTERPRETED REQUIREMENTS
TC-5.1 OVERVIEW
This section provides specific
interpretations of those TCSEC requirements that are�
particularly relevant for subsetted architectures and
evaluation by parts. Its organization is derived from
the structure of the TCSEC requirements. For each
relevant TCSEC requirement there is a discussion of how
that requirement is interpreted in an evaluation by
parts.
For conciseness, only the requirements
headings applicable for A1 systems are included below.
Thus, the interpretation guidance below should be
applied only as demanded by the requirements for the
target class of the candidate trusted system. For a
system targeted at an evaluation class below A1, only
those requirements that pertain to the target class
apply to the TCB subsets making up that system.
A listing of the requirements and
interpretations by TCSEC class is presented in Appendix
A. The rationale for the applicability of the TCSEC
requirements to TCB subsets alone or to the TCB as an
entirety is described in Appendix B, item 7.
TC-5.2 DETAILED REQUIREMENTS
TC-5.2.1 SECURITY POLICY
TC-5.2.1.1 Discretionary Access Control
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
TC-5.2.1.2 Object Reuse
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB.
TC-5.2.1.3 Labels�
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Label Integrity
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Exportation of Labeled Information
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Subject Sensitivity Labels
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
Device Labels
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its objects
and has attached physical or virtual devices. Any TCB�
subset whose policy does not include such mandatory
access control or has no attached physical or virtual
devices is exempt from this requirement. This
requirement can be satisifed by the cooperative action
of more than one TCB subset.
TC-5.2.1.4 Mandatory Access Control
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
TC-5.2.2 ACCOUNTABILITY
TC-5.2.2.1 Identification and Authentication
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Similarly,
that TCB subset may rely on a mechanism in another more
primitive TCB subset to ensure that the security level
of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by
the clearance and authorization of that user. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
Trusted Path
�
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
When TCB subsets are used, the requirement
for trusted path at levels B2 and above remains
applicable to the entire TCB. The need for trusted
path "when positive TCB-to-user connection is required
(e.g., login, change subject security level)" can
require user interaction with virtually any TCB subset
within the TCB. The implementation of trusted path
could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one
TCB subset if the separate implementations together
comply with the system security policy.
TC-5.2.2.2 Audit
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or
later.
Any TCB subset wherein events may occur that
require notification of the security administrator
shall be able to do the following: (1) detect the
occurrence of these events, (2) initiate the recording�
of the audit trail entry, and (3) initiate the
notification of the security administrator. The
ability to terminate events (2) and (3) above may be
provided either in the TCB subset within which they
occur, or in the TCB subset(s) where actions that lead
to the event were initiated.
The monitoring and notification requirements
may require cooperation between multiple distinct TCB
subsets or multiple instantiations of the same TCB
subset. For example, to detect the accumulation of
events for a single user it may be necessary to collect
events from several subjects in distinct processes that
are surrogates for the same user. As another example,
there may be a single TCB subset that collects events
from a number of other TCB subset instantiations and,
based on its analysis of them, notifies the security
administrator.
TC-5.2.3 ASSURANCE
TC-5.2.3.1 Operational Assurance
System Architecture
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Similarly, the TCB must provide distinct
address spaces for untrusted processes. A most
primitive TCB subset must provide distinct address
spaces for its subjects. A less primitive TCB subset�
must make use of the distinct address space provided by
a more primitive TCB subset. A less primitive TCB
subset may provide more fine-grained distinct address
spaces, but is not required to do so.
In general, requirements specifically
referring to hardware or firmware apply only to TCB
subsets that include hardware or firmware. The
exception is the requirement that the TCB make
effective use of available hardware. This requirement
applies to those TCB subsets that use resources
provided by more primitive TCB subsets in lieu of
hardware. Those TCB subsets are required to make
effective use of the protection-relevant features
exported to it by the more primitive TCB subsets (e.g.,
execution domains, support for distinct address spaces)
to separate those elements that are protection-critical
from those that are not.
System Integrity
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
Covert Channel Analysis
This requirement applies as stated in the
TCSEC to the entire TCB. When the TCB is made up
entirely of TCB subsets meeting the conditions for
evaluation by parts, analysis of the individual TCB
subsets satisfies this requirement. Otherwise, covert
channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the
individual TCB subsets were available).
Trusted Facility Management
�
This requirement applies as stated in the
TCSEC to the entire TCB. Any "operator" or
"administrator" functions intrinsic to an individual
TCB subset must be supported by that TCB subset or by a
more primitive TCB subset.
Trusted Recovery
This requirement applies as stated in the
TCSEC to the entire TCB and to the individual TCB
subsets. The cooperative recovery actions of the TCB
subsets making up the TCB must provide trusted recovery
for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the
individual TCB subsets meet the trusted recovery
requirements).
TC-5.2.3.2 Life-Cycle Assurance
Security Testing
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
Design Specification and Verification
This requirement applies as stated in the
TCSEC to every TCB subset, with the following specific
additional interpretations.
It must be demonstrated that the security
policy enforced by the composite TCB is represented by�
the collection of policy models for the individual TCB
subsets.
The argument that the descriptive top level
specification (DTLS) and formal top level specification
(FTLS) are consistent with the TCB interface applies to
the entire TCB. There is required an explicit and
convincing description of how the set of top level
specifications (one for each TCB subset) describes the
TCB interface in terms of exceptions, errors, and
effects.
Configuration Management
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB, with the
following additional interpretation.
Because subsets of the TCB may be developed
independently, a single configuration management system
may not be feasible. However, the combination of
configuration management systems used to support all
the TCB subsets must meet all the stated requirements.
The information describing the interrelations between
separate TCB subsets and separate security policy
models falls into the category of "all documentation
and code associated with the current version of the
TCB" in the TCSEC requirements.
Trusted Distribution
This requirement applies as stated in the
TCSEC to the entire TCB. It can be met by satisfying
the requirements for each TCB subset if procedures
exist for assuring that all TCB subsets upon which a
particular TCB subset depends (that is, the more
primitive TCB subsets) are exactly the same version as
specified for the TCB subset in question.
TC-5.2.4 DOCUMENTATION�
TC-5.2.4.1 Security Features User's Guide
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
TC-5.2.4.2 Trusted Facility Manual
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the�
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
The TCB modules that contain the reference
validation mechanism must be associated with the TCB
subset to which they belong. The procedure for
generating a new TCB after modifying only one (or
several) TCB subsets must be described. This may be
accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the
affected TCB subsets.
TC-5.2.4.3 Test Documentation
This requirement applies as stated in the
TCSEC to the composite TCB.
TC-5.2.4.4 Design Documentation
This requirement applies as stated in the
TCSEC to the composite TCB, with the following specific
additional interpretations:
Requirements concerning models, FTLS and
DTLS, apply to individual TCB subsets.
The requirement concerning the description
of interfaces between modules of the TCB includes the
interfaces between TCB subsets.
The documentation of the implementation of
a reference validation mechanism must include
justification for meeting the conditions for evaluation
by parts.
The A1 requirement to describe
clearly non-FTLS internals of the TCB applies to TCB
subsets.
�
TC-5.3 SUMMARY OF THE REQUIREMENTS
The requirements interpretations in Section
TC-5.2 above can be grouped into two categories: those
that apply to individual TCB subsets and those that
apply totally or in part to the overall TCB. For
purposes of exposition, the former category will be
termed "local requirements," that is, those for which
separate analysis of the individual TCB subsets
suffices to determine compliance for the composite TCB.
The latter are termed "global requirements," that is,
those which require analysis of the entire system and
for which separate analysis of the individual TCB
subsets does not suffice.
TC-5.3.1 LOCAL REQUIREMENTS
Discretionary Access Control;
Object Reuse;
Labels (except Subject Sensitivity Labels);
Mandatory Access Control;
System Architecture (except domains for
execution and distinct address spaces);
System Integrity;
Configuration Management;
Security Features User's Guide;
Design Documentation
models,
DTLSs,
FTLSs, and
non-FTLS internals.
TC-5.3.2 GLOBAL REQUIREMENTS
Subject Sensitivity Labels;
Identification and Authentication;
Trusted Path;
Audit;
System Architecture domains for execution, and distinct
address spaces;
Covert Channel Analysis;
Trusted Facility Management;
Trusted Recovery (also applies to
individual TCB subsets);
Security Testing;
Design� Specification and Verification
correspondence between system
policy and the set of TCB subset models
consistency of TCB interface with the
set of TCB subset DTLSs, and
consistency ofTCB interface with the
set of TCB subset FTLSs;
Trusted Distribution;
Trusted Facility Manual (also applies to individual TCB
subsets);
Test Documentation; and
Design Documentation (except models, DTLSs, FTLSs, and
non-FTLS internals).
TC-6 DESIGN CHOICE
TC-6.1 OVERVIEW
This section examines the several design
choices available for constructing systems in parts and
the consequences of each when attempting to perform an
evaluation by parts. The first case described is that
of a TCB evaluated under the TCSEC without benefit of
TCB subset structuring. This case is of value for
several reasons: it serves as a reference point; it
can be considered the degenerate case of subsetting;
and it is always an option to evaluate any TCB,
regardless of internal structure, as a monolith. The
second and third cases are presented in terms of a
configuration of exactly two subsets; the
generalization to more than two TCB subsets is
straightforward. The second case is that of a
subsetted architecture that exactly satisfies the
conditions for evaluation by parts. The third case
represents a special case of an altered TCB, one which
is implemented using trusted subjects.
Note that no evaluation using TCB subsets and
evaluation by parts results in a TCB subset receiving
an evaluation rating. Rather, the entire system, with
its composite TCB, is evaluated and receives a rating.
However, evaluation by parts is intended to allow the�
results of local analysis of individual TCB subsets to
be distinguishable and separately referencable. For
further discussion of this topic, see Appendix B, item
10.
TC-6.2 A SINGLE TCB SUBSET
The evaluation of a TCB consisting of a
single TCB subset is equivalent to a straightforward
evaluation against the TCSEC. The conditions for
evaluation by parts (Section TC-4.3) reduce to
requirements found in the TCSEC itself.
TC-6.2.1 ANALYSIS OF THE CONDITIONS
TC-6.2.1.1 Condition 1: Candidate TCB
Subsets
The TCB (hardware, software, and firmware),
as distinguished from the rest of the computing system,
must be identified. This is a basic requirement for
TCSEC evaluation. Similarly, the subjects and objects
within the system must be identified. The requirement
that no more than one TCB subset mediate access to any
particular object is satisfied, because there is only
one TCB subset.
TC-6.2.1.2 Condition 2: Policy Allocation
The policy P enforced by the TCB (subset)
must be identified. The demonstration that the TCB
(subset) enforces that policy will be a description of
how the TCB performs access mediation between the
system's subjects and objects according a system-level
description of limitations on access (the technical
policy P[i] of the definition). The tracing of the
policy to the system design and behavior is part of the
stated TCSEC requirements.
?TC-6.2.1.3 Condition 3: Trusted Subjects
Included�
This condition is satisfied in the same
manner as it is in evaluations under the TCSEC.
Specifically, the TCB boundary is shown to be the
interface that is presented to untrusted subjects.
TC-6.2.1.4 Condition 4: TCB Subset Structure
Satisfaction of this condition (TC-4.3.4) is
immediate, because there is only one TCB subset.
TC-6.2.1.5 Condition 5: Separate
Subset-Domains
Satisfaction of the separate subset-domain
condition (TC-4.3.5) is identical to the C1 through A1
requirement that "the TCB maintain a domain for its own
execution that protects it from external interference
or tampering." [8, p. 13 et al.]
TC-6.2.1.6 Condition 6: Support for RVM
Arguments
Satisfaction of this condition (TC-4.3.6) is
immediate, inasmuch as there are no less primitive TCB
subsets that must be demonstrated to satisfy RVM
requirements.
TC-6.2.2 EVALUATION CONSEQUENCES
In this case, the evaluation of the (single)
TCB subset proceeds exactly like an evaluation under
the TCSEC. Demonstration that the candidate system
meets all the global and local requirements (as they
apply to the target evaluation class) includes the
consideration of each requirement as it applies
system's philosophy of protection, design,
documentation, and implementation. The system must be
shown to exhibit the properties of a reference
validation mechanism, appropriate to the target class.
TC-6.3 TWO TCB SUBSETS, MEETING THE CONDITIONS�
This case is of a TCB that consists of two
candidate TCB subsets, A and B, where A is the most
primitive TCB subset. That is, B uses the abstractions
provided by A (the objects, in particular) as its
resource for the construction and exportation of its
own abstractions. B also uses the abstractions
provided by A for its metadata (that is, internal data
structures) that make it possible for B to instantiate
its exported abstractions as well as keep records that
enable it to correctly enforce its stated policy. In
terms of the discussion of Section TC-4.3.4, TCB subset
B directly depends on TCB subset A. It will be assumed
that TCB subset A enforces mandatory and discretionary
policies on its objects and that TCB subset B enforces
a discretionary policy on the objects it exports.
Additionally, all trusted subjects of A are contained
within A. Thus, every subject of A (including all the
active entities that make up the logic of B) operates
at a single sensitivity level. It will further be
assumed for th is example that the mechanisms for
domains and thus for subset-domains are independent of
the mandatory and discretionary access control policy
enforcement mechanisms.
TC-6.3.1 ANALYSIS OF THE CONDITIONS
TC-6.3.1.1 Condition 1: Candidate TCB
Subsets
The TCB (hardware, software, and firmware),
as distinguished from the rest of the computing system,
must be identified. This is a basic requirement for
TCSEC evaluation. Similarly, the subjects and objects
within the system must be identified.
In this case, all the hardware, software, and
firmware that make up the TCB must be identified as
being part of either TCB subset A or TCB subset B. The
subjects and objects mediated by A (call them the
"A-subjects" and "A-objects" for this discussion) must
be identified. Similarly the B-subjects and B-objects
must also be identified.�
The additional requirement in Section
TC-4.3.1 that "there may not be any objects mediated by
more than one TCB subset" means that there can be no
B-object that is also an A-object.
TC-6.3.1.2 Condition 2: Policy Allocation
The policy P enforced by the whole TCB must
be identified. In addition, the policy enforced by A
(call it the A-policy), stated in terms of the
A-subjects and the A-objects, must be identified.
Similarly, the B-policy, stated in terms of the
B-subjects and the B-objects, must be identified.
TC-6.3.1.3 Condition 3: Trusted Subjects
Included
As was stated above, TCB Subset A contains
all its own trusted subjects. There may be trusted
subjects with respect to the policy of A, but all such
subjects execute in the subset-domain of A.
TC-6.3.1.4 Condition 4: TCB Subset Structure
Because B directly uses the A-objects and its
logic is embodied in A-subjects, the structure of the
TCB subsets is precisely "TCB subset A is more
primitive than TCB subset B." This is a partial order.
TC-6.3.1.5 Condition 5: Separate
Subset-Domains
Satisfaction of the separate subset-domain
condition requires that a set of domains provided by
the system be identified as being the domains
"occupied" by A and B. The domain, or domains,
occupied by A is exactly the "domain for its own
execution" found in the TCSEC requirements. The domain
or domains occupied by TCB subset B must not be
modifiable by any code or other system entity except
possibly by TCB subset A.�
TC-6.3.1.6 Condition 6: Support for RVM
Arguments
Satisfying the condition for RVM arguments
requires demonstrating the plausibility of being able
to establish the three requisite properties of an RVM.
The first property requires that no B-subject be
allowed to access B-objects without those accesses
being mediated by TCB subset B. The tamper resistance
property requires that TCB subset A provide a way that
TCB subset B can be designed and implemented such that
A-subjects that are not part of B's implementation
cannot tamper with B's policy-critical code or data.
The third RVM property must be satisfied by the
individual TCB subsets. The degree to which each TCB
subset must satisfy this property is commensurate with
the evaluation class of the TCB.
TC-6.3.2 EVALUATION CONSEQUENCES
In this case, the evaluation of the two TCB
subsets requires that each meet TCSEC requirements
applicable to each TCB subset viewed individually and
that the two TCB subsets combine in a way to meet all
the TCSEC requirements stated for the target class.
All local requirements are imposed on the two
TCB subsets, A and B, individually. If each TCB subset
can meet the requirements of the target class, viewed
as if it were a separate TCB, the only areas where
additional evaluation or accreditation work might be
required are those areas where the sum of the analysis
of the parts is not necessarily complete and
convincing. Those areas requiring additional work are
exactly the set of global requirements described in
Section TC-5.3.2.
Demonstrating that the candidate system meets
the TCSEC requirements (as they apply to the target
evaluation class) requires that both A and B be
evaluated with respect to the local requirements of the
target class and that the composite TCB be evaluated�
for global requirements. In this case, full testing of
TCB subset A against all the requirements (both local
and global) simplifies the task of demonstrating
satisfaction of the global requirements, both for B and
for the entire TCB.
Suppose, for example, that TCB subset A has
been subjected to security testing appropriate to the
target class and has been shown to be adequately
resistant to penetration attacks. This means that
within the confidence level provided by the testing
requirement, no A-subject can subvert A's enforcement
of its policy. In this situation, every active entity
in B is an A-subject and hence B can neither penetrate
A nor be induced to do so by any B-subject. Thus, no
further testing of A will be required to determine
whether the entire TCB is resistant to penetration; any
additional penetration testing can be limited to
determining the ability of B to withstand assault.
Similarly, if A has been searched for covert
channels (as required for its target class
requirements), then no further search for covert
channels will be required, either in the analysis of B
or in the overall consideration of the entire TCB.
Note that if B implements a mandatory access control
policy (e.g., integrity), then it would be necessary to
perform a covert channel analysis on B, but no further
covert channel analysis of A would be required.
The ability of users to determine the current
sensitivity level of B-subjects operating on their
behalf will have to be shown by considering the TCB
subsets A and B together. This requirement is
satisfied immediately if the argument relies
exclusively on A meeting the requirement.
TC-6.4 TWO TCB SUBSETS, NOT MEETING THE
CONDITIONS�
This case also concerns a TCB that consists
of two candidate TCB subsets, C and D. C is the most
primitive TCB subset. That is, D uses the abstractions
provided by C (the objects, in particular) as its
resource for the construction and exportation of its
own abstractions. D also uses the abstractions
provided by C for its metadata (that is, internal data
structures) that make it possible for D to instantiate
its exported abstractions as well as keep records that
enable it to correctly enforce its stated policy. In
terms of the discussion of Section TC-4.3.4, TCB subset
D directly depends on TCB subset C. Additionally, D is
trusted with respect to C. That is, some of the
C-subjects which make up TCB subset D execute as
trusted processes of C. Here also, as in the previous
example, it is assumed that C implements mandatory and
discretionary policies over its objects. Further, the
intent of D is to implement a discretionary policy over
the objects it exports. However, because D includes
subjects which are trusted relative to C's policy
demonstration of the full and correct enforcement of
the mandatory policy requires analysis of both C and D
and is no longer localized to TCB subset C. It will be
assumed that the mechanisms for domains and thus for
subset-domains are independent of the mandatory and
discretionary access control policy enforcement
mechanisms.
This case can be viewed as a special case of
a previously evaluated TCB which has been altered.
However, the alteration takes the form of a less
primitive subset which is implemented, at least in
part, with trusted subjects (i.e., some of the
C-subjects are trusted subjects which execute in the
subset-domain of D). Although this case may appear,
intuitively, to be different from that of arbitrary
alteration of a previously evaluated TCB, the example
demonstrates that such an approach makes it impossible
to perform an evaluation by parts.
TC-6.4.1 ANALYSIS OF THE CONDITIONS�
TC-6.4.1.1 Condition 1: Candidate TCB
Subsets
The identification of the TCB (hardware,
software, and firmware) as distinguished from the rest
of the computing system is a basic requirement for
TCSEC evaluation. Likewise, the subjects and objects
within the system must be identified.
In this case, all the hardware, software, and
firmware that make up the TCB must be identified as
being part of either TCB subset C or TCB subset D. The
C-subjects and C-objects mediated by C have to be
identified. Similarly the D-subjects and D-objects
must also be identified.
The additional requirement in Section
TC-4.3.1 that "there may not be any objects mediated by
more than one TCB subset" means there can be no
D-object that is also a C-object.
TC-6.4.1.2 Condition 2: Policy Allocation
The policy P enforced by the whole TCB must
be identified. In addition, the individual policy
enforced by C (call it the C-policy) must be identified
in terms of the C-subjects and the C-objects.
Similarly, the D-policy, stated in terms of the
D-subjects and the D-objects, must be stated. In this
case, the C-policy will include the strict enforcement
of a mandatory access control policy that allows
trusted subjects to execute in the subset-domains which
compose TCB subset D.
TC-6.4.1.3 Condition 3: Trusted Subjects
Included
This condition is not satisfied because D
includes at least one subject that is trusted with
respect to C. Hence a subject that is trusted with
respect to the policy of C is outside C, and evaluation
by parts is not an option. If TCB subset C had�
previously been evaluated, then this is an example of
an altered TCB, albeit a special case. The change
consists of the addition of one or more trusted
C-subjects in D whose effect on the behavior of C
cannot be predicted a priori. An assessment of the
impact of D on the behavior of C cannot be made
strictly by an examination of the trusted subjects and
the definition of C's interface. A global assessment
of C and D is required.
TC-6.4.1.4 Condition 4: TCB Subset Structure
Because D directly uses the C-objects and its
logic is embodied in C-subjects, the structure of the
TCB subsets is precisely "TCB subset C is more
primitive than TCB subset D." This is a partial order.
TC-6.4.1.5 Condition 5: Separate
Subset-Domains
Satisfying the separate subset-domain
condition (TC-4.3.5) requires identifying the set of
system domains (likely administered by the most
primitive TCB subset C) as the domains "occupied" by C
and D. The domain, or domains, occupied by C is
exactly the "domain for its own execution" found in the
TCSEC requirements. The domain or domains occupied by
TCB subset D must not be modifiable by any code or
other system entity except possibly by a part of TCB
subset C.
TC-6.4.1.6 Condition 6: Support for RVM
Arguments
Satisfying the condition for RVM arguments
requires demonstrating the plausibility of being able
to establish the three requisite properties of an RVM.
The first property requires that no B-subject be
allowed to access B-objects without those accesses
being mediated by TCB subset B. The tamper resistance
property requires that TCB subset A provide a way that
TCB subset B can be designed and implemented such that�
A-subjects that are not part of B's implementation
cannot tamper with B's policy-critical code or data.
The third RVM property must be satisfied by the
individual TCB subsets. The degree to which each TCB
subset must satisfy this property is commensurate with
the evaluation class of the TCB.
TC-6.4.2 EVALUATION CONSEQUENCES
In this example, the conditions for
evaluation by parts are not satisfied and thus, the
full potential for savings in evaluation effort cannot,
in general, be realized. A clear option in such cases
is to view the system as a monolithic TCB and proceed
accordingly. However, because this case represents an
example of an altered TCB, it admits of a wide spectrum
of specific sub-cases. Thus, if the analysis of the
system proceeds in parallel to that required for
evaluation by parts it may be possible, in special
cases, to identify elements of the analysis of the more
primitive candidate TCB subset which can be
successfully argued to be unaffected by the
alterations. Some evaluation effort, often
significant, can be saved, but unlike evaluation by
parts, how much can only be estimated by consideration
of the implementation specifics. For example, in this
specific case, the local analysis of TCB subset C
represents a reasonable candidate for analysis that
need not be redone.
TC-6.5 SUMMARY
The three cases described above illustrate
the effects of various TCB subsetting situations as
they relate to the evaluation requirements.
A monolithic evaluation proceeds exactly as
described in the TCSEC, with requirements being applied
to the entire TCB.
When all the conditions for evaluation by
parts are satisfied, considerable savings in evaluation�
effort are realized. The evaluation of a new system
configuration that includes exactly the same TCB subset
that was previously evaluated (such as the TCB subsets
A and B in the Section TC-6.3) is limited to (a) local
analysis of the individual TCB subsets (by reference to
earlier analysis, if available) and (b) a simpler
global analysis, because each TCB subset is an exact
analog of a TCB.
When the conditions for evaluation by parts
are not satisfied, no general statements can be made
about the factorability of analysis or the reusability
of previous analysis. The extent to which previous
evaluation evidence and results remain valid can be
determined only on a case-by-case basis.
PART 2
INTERPRETED REQUIREMENTS
�
IR-1 OVERVIEW AND CONTEXT
Part 2, "INTERPRETED REQUIREMENTS," provides
specific interpretations of those TCSEC requirements
which are deemed to be either DBMS-specific (or, more
generally, application-specific) or particularly
relevant to DBMSs. All of the requirements in the
TCSEC apply in any case.
For the topics included below, the
interpretations provide clarification of the TCSEC
requirements. As is the case for the TCSEC, the
interpreted requirements at any class include those
specified for that class in addition to interpretations
for lower classes that have not been superseded or
altered.
Section IR-2 presents an overall summary of
the TCSEC requirements, as interpreted in the more
detailed sections that follow. Sections IR-3 through
IR-7 address individual requirements interpretations
for labels, audit, system architecture, design
specification and verification, and design
documentation, respectively. The format is an initial
discussion of the topic in general, followed by
specific requirements and interpretations that apply to
database management systems. A listing of the
requirements and interpretations organized by TCSEC
class is presented in Appendix A.
IR-2 SUMMARY OF THE INTERPRETATIONS
This section provides specific
interpretations of those TCSEC requirements that are
particularly relevant for subsetted architectures and
evaluation by parts. Its organization is derived from
the structure of the TCSEC requirements. For each
relevant TCSEC requirement there is a discussion of how
that requirement is interpreted for a DBMS.
�
IR-2.1 SECURITY POLICY
IR-2.1.1 DISCRETIONARY ACCESS CONTROL
The requirement for discretionary access
control is not changed in the context of this document
and therefore applies as stated in the TCSEC.
IR-2.1.2 OBJECT REUSE
The requirement for object reuse is not
changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.1.3 LABELS
The requirement for labels is treated in
Section IR-3 of this document.
IR-2.1.4 MANDATORY ACCESS CONTROL
The requirement for mandatory access control
is not changed in the context of this document and
therefore applies as stated in the TCSEC. However,
there are several subtle ramifications of this
requirement of which a developer or evaluator should be
aware. A brief discussion can be found in Appendix B,
item 8, "Content-Dependent and Context-Dependent Access
Control."
IR-2.2 ACCOUNTABILITY
IR-2.2.1 IDENTIFICATION AND AUTHENTICATION
The requirement for identification and
authentication is not changed in the context of this
document and therefore applies as stated in the TCSEC.
IR-2.2.2 AUDIT�
The requirement for audit is treated in
Section IR-4 of this document.
IR-2.3 ASSURANCE
IR-2.3.1 OPERATIONAL ASSURANCE
IR-2.3.1.1 System Architecture
The requirement for system architecture is
treated in Section IR-5 of this document.
IR-2.3.1.2 System Integrity
The requirement for system integrity is not
changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.3.1.3 Covert Channel Analysis
The requirement for covert channel analysis
is not changed in the context of this document and
therefore applies as stated in the TCSEC.
IR-2.3.1.4 Trusted Facility Management
The requirement for trusted facility
management is not changed in the context of this
document and therefore applies as stated in the TCSEC.
IR-2.3.1.5 Trusted Recovery
The requirement for trusted recovery is not
changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.3.2 LIFE CYCLE ASSURANCE
IR-2.3.2.1 Security Testing�
The requirement for security testing is not
changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.3.2.2 Design Specification and
Verification
The requirement for design specification and
verification is treated in Section IR-6 of this
document.
IR-2.3.2.3 Configuration Management
The requirement for configuration management
is not changed in the context of this document and
therefore applies as stated in the TCSEC.
IR-2.3.2.4 Trusted Distribution
The requirement for trusted distribution is
not changed in the context of this document and
therefore applies as stated in the TCSEC.
IR-2.4 DOCUMENTATION
IR-2.4.1 SECURITY FEATURES USER'S GUIDE
The requirement for a security features
user's guide is not changed in the context of this
document and therefore applies as stated in the TCSEC.
IR-2.4.2 TRUSTED FACILITY MANUAL
The requirement for a trusted facility manual
is not changed in the context of this document and
therefore applies as stated in the TCSEC.
IR-2.4.3 TEST DOCUMENTATION�
The requirement for test documentation is not
changed in the context of this document and therefore
applies as stated in the TCSEC.
IR-2.4.4 DESIGN DOCUMENTATION
The requirement for design documentation is
treated in Section IR-7 of this document.
IR-3 LABELS
IR-3.1 GENERAL DISCUSSION
The labels requirements of the TCSEC are
entirely applicable to database management systems.
The basic difference between the TCSEC labeling
requirements as they apply to operating systems and
DBMSs involves which storage objects are labeled rather
than how the labels are handled. This section
discusses special considerations in implementing and
evaluating labeling mechanisms in database management
systems. Of particular importance is the selection of
the storage objects that are to be labeled.
Beginning at the B1 evaluation class, trusted
database management systems are required to associate
labels with all storage objects under their control.
The granularity of storage objects to be protected
shall be chosen by the DBMS designer.
Stored view definitions (that is, named query
commands) that are visible at the TCB boundary must be
stored in labeled objects. The TCB must mediate access
both to the view definition and to the view
instantiation (that is, the set of labeled objects
accessed as the result of executing the query command
contained in the view definition).
It has been proposed in several designs that
views be used as a mechanism to implement context- or�
content-dependent labeling. The intuitive
attractiveness of this approach is undeniable, but the
implementation details must be carefully worked out to
achieve a sound implementation. A brief discussion of
this topic can be found in Appendix B, item 8,
"Content-Dependent and Context-Dependent Access
Control."
TCB designers and evaluators may make
distinctions between objects that are explicitly
labeled or implicitly labeled. Such distinctions are
meaningful only within the confines of the TCB; all
storage objects are explicitly labeled from a point of
view outside the TCB. For example, consider an object
of one type (e.g., table or file) within the TCB that
"contains" many (reference monitor) objects of another
type (e.g., tuples and records). The file could have
an explicit label associated with it, and some of the
records could have explicit labels associated with
them. Those records that have no explicit label would
be implicitly labeled by the label of the file.
For database management systems, the objects
that store the base data of the database (e.g., files,
records, relations, and tuples), as well as those
objects that store the metadata (e.g., directories,
indices, schemas, data dictionaries, discretionary
authorization tables, recovery logs, and transaction
logs), must be labeled. Objects that need not be
labeled include internal resources that are not user
visible (e.g., printer daemon scratch files and
resource allocation tables). The requirement for
importing data (labeled and unlabeled) is the same as
in the TCSEC. For additional information, see Appendix
B, item 9, "Bulk Loading of a Database."
IR-3.2 SPECIFIC INTERPRETATIONS
CLASS (B1): LABELED SECURITY PROTECTION
There are no interpretations for this class.�
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
Sensitivity labels associated with each ADP
system resource . . . that is directly or indirectly
accessible by subjects external to the TCB shall be
maintained by the TCB.
Interpretation
Internal TCB variables that are not visible
to untrusted subjects need not be labeled, provided
that they are not directly or indirectly accessible by
subjects external to the TCB. However, it is important
to understand that such internal variables can function
as covert signaling channels when untrusted subjects
are able to detect changes in these variables by
observing system behavior.
CLASS (B3): SECURITY DOMAINS
There are no additional requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-4 AUDIT
IR-4.1 GENERAL DISCUSSION
The audit requirements of the TCSEC apply to
database management systems. This section discusses
special considerations in designing and evaluating
audit mechanisms in database management systems.�
The TCB must be capable of maintaining an
audit trail of accesses and attempted accesses to the
objects protected by the mandatory and discretionary
security policies. Two examples are given to
illustrate auditing techniques for discretionary access
control decisions.
Example 1. Consider a DBMS TCB providing discretionary
controls on defined views of the database. Because the
named object presented at the TCB interface is the view
definition (not the records instantiated through the
view), all that needs to be auditable is the use of the
view by any untrusted subject.
Example 2. Consider a DBMS TCB that enforces
discretionary access control on individual data
records. When a user enters a query, the construction
of a response may involve a search over many records
that are not returned to the user because they did not
satisfy the query. Records that do satisfy the query
but to which the user does not have access should be
auditable. Records that do not satisfy the query need
not be auditable. That is, in the context of audit,
access permission to the user and satisfaction of a
query are to be kept separate.
There is no need to audit operations that are
strictly internal to the TCB. Separate security audit
logs may be maintained by the operating system and the
database management system. Likewise, separate
identifications for the same user may be maintained by
the operating system and the database management
system. The correlation of separate audit logs may be
done either at the time they are generated or at some
later time.
The emphasis of the audit criterion is to
provide individual accountability for actions by users.
This goal is not the same as that for a backup and
recovery log. There is no requirement to integrate the
audit log with the backup and recovery log, although
such an integrated log is not prohibited.�
At the designer's discretion, there may be a
selectable capability to reduce the number of audit
records generated in response to queries that involve
many access control decisions.
IR-4.2 SPECIFIC INTERPRETATIONS
CLASS (C2): CONTROLLED ACCESS PROTECTION
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to users. That is, each
discretionary access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
CLASS (B1): LABELED SECURITY PROTECTION
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation�
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
CLASS (B2): STRUCTURED PROTECTION
There is no interpretation for the additional
requirements.
CLASS (B3): SECURITY DOMAINS
There is no interpretation for the additional
requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-5 SYSTEM ARCHITECTURE
IR-5.1 GENERAL DISCUSSION
The system architecture requirements of the
TCSEC apply to database management systems.
The interpretations provided are a
duplication of the general interpreted requirements
that apply to an evaluation by parts. They are�
included because DBMS evaluations often involve
multiple TCB subsets.
IR-5.2 SPECIFIC INTERPRETATIONS
CLASS (C1): DISCRETIONARY SECURITY
PROTECTION
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
CLASS (C2): CONTROLLED ACCESS PROTECTION
There is no interpretation for the additional
requirements.
CLASS (B1): LABELED SECURITY PROTECTION
There is no interpretation for the additional
requirements.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
The user interface to the TCB shall be
completely defined and all elements of the TCB
identified.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the�
TCB subsets as well as the user interface to the whole
TCB.
Statement from TCSEC
It shall make effective use of available
hardware to separate those elements that are
protection-critical from those that are not.
Interpretation
If the TCB is composed of multiple subsets,
each TCB subset must make use of facilities provided to
it by more primitive TCB subsets, such as support for
execution domains and for distinct address spaces, to
achieve the required separation.
CLASS (B3): SECURITY DOMAINS
There is no interpretation for the additional
requirements.
CLASS (A1): VERIFIED DESIGN
There are no additional requirements.
IR-6 DESIGN SPECIFICATION AND VERIFICATION
IR-6.1 GENERAL DISCUSSION
The design specification and verification
requirements of the TCSEC, with the related
documentation requirements, apply to database
management systems.
The interpretations provided include a
duplication of general interpreted requirements that
apply to an evaluation by parts. They are included�
because of the likelihood that a DBMS evaluation will
involve multiple TCB subsets.
In the database context, the set of
candidates for "subject" and "object" can be larger
than normally encountered in trusted operating systems.
Where a database system builds on an underlying trusted
operating system, for example, the set of candidate
subjects for the two TCB subsets includes both the
active entities created by the operating system and
those active entities created by the trusted portion of
the DBMS. The set of candidates for objects is large.
Examples are files, segments, buffers, structures,
pages, relations, tables, tuples, rows, columns,
elements, entities, relationships, procedures,
metadata, system tables, query trees, query plans,
locking mechanisms, rollback mechanisms, indices,
recovery and backup mechanisms, precalculated
operations (such as joins), view definitions, view
instantiations, constraints, authorization tables, data
dictionary tables, and audit logs.
The requirements in the TCSEC for showing how
the various representations of the system being
evaluated fit together can be represented as in Figure
IR-1. For monolithic TCBs, the policy must be stated;
the model must be developed, maintained, and shown to
be sufficient to enforce the policy; and the DTLS (FTLS
for A1) must be constructed and shown to correspond
both to the model and to the TCB implementation. These
steps allow a chain of reasoning to proceed from the
stated policy to the assertion that the system in
question actually enforces the policy.
In the case of multiple TCB subsets, the
intent is the same. Tracing all policy requirements to
the actual system implementation must be possible, and
vice versa. The current dilemma is that the theory and
techniques for subdividing a model into a set of models
(or a top level specification into a set of top level
specifications) have not yet been established.
Likewise neither theory or techniques have been�
established for composing a set of models or top level
specifications into a unified model or top level
specification. The absence of rigorous methods does
not preclude an evaluation using a subsetted TCB.
The process of mapping policy to
implementation is possible for each TCB subset, using
the same techniques required for a monolithic TCB. For
subsetted TCBs, designers and evaluators must
explicitly show how the policy, model and
specifications for each TCB subset meet the TCSEC
requirements. In addition, convincing informal
arguments must be given to show how the collection of
TCB subsets enforces the policy of the composite TCB.
Because more rigorous composition methods are
unavailable, convincing informal arguments are
appropriate for evaluation of TCBs up to and including
Class A1.
The TCSEC requirements concerning the mapping
from policy to implementation for a TCB composed of
multiple TCB subsets raise these crucial topics:
The allocation of policy to the TCB
subsets,
The relation of the models for the TCB
subsets to the overall system policy, and
The relation of the top level
specification for each TCB subset to the entire system.
Allocation of policy to the TCB subsets is a
precise division of the policy for the entire system,
as addressed in the policy allocation condition of
Section TC-4.3.
The second topic, above, requires that the
policy for each TCB subset be stated. Additionally, it
is required that there be an informal convincing
argument that the collection of models represents the
policy enforced by the entire system.�
The third topic, the way in which the set of
top level specifications for the individual TCB subsets
describes the composite TCB interface with respect to
exceptions, errors and effects, is treated in a similar
fashion. The top level specifications for each TCB
subset must meet the requirement. There is, in
addition, a requirement for an informal, convincing
description of how the set of top level specifications
describes the TCB interface with respect to exceptions,
errors, and effects. At the A1 level, there is no
requirement for additional formal specification or
formal proofs beyond the specification and proofs
specific to the individual TCB subsets.
Rather than formally composing the policies,
models, and specifications and performing a single
monolithic evaluation, a series of separate evaluations
may be performed (one for each TCB subset). The
evaluations are then tied together by presentation of
sufficient informal arguments that the individual
policies collectively represent the policy enforced by
the entire system, that the individual models
collectively represent the system's policy, that the
individual specifications represent the TCB interface,
and that the source code of each TCB subset is
consistent with its top level specification.
Note that satisfactory completion of these
requirements is logically equivalent to demonstrating
that a "unified" model for the entire TCB is consistent
with the policy enforced by the system, that a
"unified" top level specification corresponds to the
model, and that the "unified" top level
specification(s) corresponds to the source code. These
interpreted requirements, which do not mandate a
"unified" top level specification, are technically
achievable interpretations of the policy-tracing
requirements in the case of multiple TCB subsets.
IR-6.2 SPECIFIC INTERPRETATIONS�
CLASS (B1): LABELED SECURITY PROTECTION
Statement from TCSEC
An informal or formal model of the security
policy supported by the TCB shall be maintained over
the life cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
A formal model of the security policy
supported by the TCB shall be maintained over the life
cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
Statement from TCSEC
A descriptive top-level specification (DTLS)
of the TCB shall be maintained that completely and
accurately describes the TCB in terms of exceptions,
error messages, and effects.�
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the DTLS of each
TCB subset. An informal argument that the set of DTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the DTLS and in the TCB
subset's model.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
CLASS (B3): SECURITY DOMAINS
Statement from TCSEC
A convincing argument shall be given that the
DTLS is consistent with the model.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB
subsets. Enforcement of all policies must be shown to
occur in all situations (e.g., state transitions)�
required by the formal security policy model. In the
case of a discretionary access control policy, the
presence of the access control check at all identified
state transitions is the total of what is required for
demonstrating consistency between the DTLS and the
model. This may be verified by inspection of the DTLS
(that is, by visually checking that exception checks
required by the model are present in the DTLS). For
the mandatory access control policy, the DTLS must be
shown by a convincing argument to be consistent with
the model.
CLASS (A1): VERIFIED DESIGN
Statement from TCSEC
A formal top-level specification (FTLS) of
the TCB shall be maintained that accurately describes
the TCB in terms of exceptions, error messages, and
effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the FTLS of each
TCB subset. An informal argument that the set of FTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the FTLS and in the TCB
subset's model.
Statement from TCSEC
The FTLS shall be shown to be an accurate
description of the TCB interface.
Interpretation�
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
. . . a combination of formal and informal
techniques shall be used to show that the FTLS is
consistent with the model.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB
subsets. Enforcement of all policies must be shown to
occur in all situations (e.g., state transitions)
required by the formal security policy model at the
required occasions. In the case of a discretionary
access control policy, the presence of the access
control check at all identified state transitions is
the total of what is required for demonstrating
consistency between the FTLS and the model. This may
be verified by inspection of the FTLS (that is, by
visually checking that exception checks required by the
model are present in the FTLS). For the mandatory
access control policy, the FTLS must be shown by a
combination of formal and informal techniques to be
consistent with the model.
IR-7 DESIGN DOCUMENTATION
IR-7.1 GENERAL DISCUSSION
The design documentation requirement of the
TCSEC applies to database management systems.�
The interpretations provided are a
duplication of the general interpreted requirements
that apply to an evaluation by parts. They are
included because DBMS evaluations often involve
multiple TCB subsets.
IR-7.2 SPECIFIC INTERPRETATIONS
CLASS (C1): DISCRETIONARY SECURITY PROTECTION
Statement from TCSEC
If the TCB is composed of distinct modules,
the interfaces between these modules shall be
described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION
There are no additional requirements.
CLASS (B1): LABELED SECURITY PROTECTION
Statement from TCSEC
The specific TCB protection mechanisms shall
be identified and an explanation given to show that
they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and shall
include the protection mechanisms which support the
conditions for TCB subset structure and separate
subset-domains.�
CLASS (B2): STRUCTURED PROTECTION
Statement from TCSEC
The interfaces between the TCB modules shall
be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between different TCB subsets.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB
implements the reference monitor concept and give an
explanation of why it is tamper resistant, cannot be
bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
each TCB subset with respect to its specific technical
policy. In addition, there must be documented an�
informal argument that the cooperative action of the
TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is
structured to facilitate testing and to enforce least
privilege.
Interpretation
If the TCB is composed of multiple subsets,
this requirement is interpreted to apply to individual
TCB subsets as well as to the overall TCB.
CLASS (B3): SECURITY DOMAINS
Statement from TCSEC
The TCB implementation shall be informally
shown to be consistent with the DTLS.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
individual TCB subsets.
CLASS (A1): VERIFIED DESIGN
Statement from TCSEC
The TCB implementation shall be informally
shown to be consistent with the FTLS.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
individual TCB subsets.
APPENDIX A
SUMMARY OF THE
INTERPRETATIONS BY CLASS
This section is a presentation of all the
interpreted requirements organized by TCSEC class. It
includes all the requirements which are either relevant
to subsetted architectures or are DBMS-specific. Any
TCSEC requirements not explicitly identified herein
apply as stated in the TCSEC.
CLASS (C1): DISCRETIONARY SECURITY PROTECTION
C1-1 SECURITY POLICY�
C1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
C1-2 ACCOUNTABILITY
C1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
C1-3 ASSURANCE
C1-3.1 OPERATIONAL ASSURANCE
C1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for�
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
C1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
C1-3.2 LIFE CYCLE ASSURANCE
C1-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
C1-4 DOCUMENTATION
C1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection�
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
C1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.�
C1-4.3 TEST DOCUMENTATION
This requirement applies as stated in the TCSEC to the
composite TCB.
C1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the TCSEC to the
composite TCB.
Statement from TCSEC
If the TCB is composed of distinct modules,
the interfaces between these modules shall be
described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION
C2-1 SECURITY POLICY
C2-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
C2-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to
every TCB subset in the TCB.
C2-2 ACCOUNTABILITY
�
C2-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
C2-2.2 AUDIT
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or
later.
Statement from TCSEC�
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of access to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to users. That is, each
discretionary access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
C2-3 ASSURANCE
C2-3.1 OPERATIONAL ASSURANCE
C2-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Statement from TCSEC�
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
C2-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
C2-3.2 LIFE CYCLE ASSURANCE
C2-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
C2-4 DOCUMENTATION
C2-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.�
C2-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
C2-4.3 TEST DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB.�
C2-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB.
Statement from TCSEC
If the TCB is composed of distinct modules,
the interface between these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
CLASS (B1): LABELED SECURITY PROTECTION
B1-1 SECURITY POLICY
B1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
B1-1.2 OBJECT REUSE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB.
B1-1.3 LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.�
B1-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B1-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B1-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B1-2 ACCOUNTABILITY
B1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Similarly,
that TCB subset may rely on a mechanism in another more
primitive TCB subset to ensure that the security level�
of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by
the clearance and authorization of that user. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
B1-2.2 AUDIT
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or
later.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of access to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of�
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to users. That is, each
discretionary access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
B1-3 ASSURANCE
B1-3.1 OPERATIONAL ASSURANCE
B1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.�
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Similarly, the TCB must provide distinct
address spaces for untrusted processes. A most
primitive TCB subset must provide distinct address
spaces for its subjects. A less primitive TCB subset
must make use of the distinct address space provided by
a more primitive TCB subset. A less primitive TCB
subset may provide more fine-grained distinct address
spaces, but is not required to do so.
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
B1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
B1-3.1 LIFE CYCLE ASSURANCE
B1-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB�
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
B1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the
TCSEC to every TCB subset, with the following specific
additional interpretations.
It must be demonstrated that the security
policy enforced by the composite TCB is represented by
the collection of policy models for the individual TCB
subsets.
Statement from TCSEC
An informal or formal model of the security
policy supported by the TCB shall be maintained over
the life cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
B1-4 DOCUMENTATION
B1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other�
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
B1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
B1-4.3 TEST DOCUMENTATION�
This requirement applies as stated in the TCSEC to the
composite TCB.
B1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB, with the following specific
additional interpretation:
Requirements concerning models and DTLSs
apply to individual TCB subsets.
Statement from TCSEC
If the TCB is composed of distinct modules,
the interface between these modules shall be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall
be identified and an explanation given to show that
they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and shall
include the protection mechanisms which support the
conditions for TCB subset structure and separate
subset-domains.
CLASS (B2): STRUCTURED PROTECTION
B2-1 SECURITY POLICY
B2-1.1 DISCRETIONARY ACCESS CONTROL�
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
B2-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to
every TCB subset in the TCB.
B2-1.3 LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP
system resource . . . that is directly or indirectly
accessible by subjects external to the TCB shall be
maintained by the TCB
Interpretation
Internal TCB variables that are not visible
to untrusted subjects need not be labeled, provided
that they are not directly or indirectly accessible by
subjects external to the TCB. However, it is important
to understand that such internal variables can function
as covert signaling channels when untrusted subjects
are able to detect changes in these variables by
observing system behavior.
B2-1.3.1 LABEL INTEGRITY�
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B2-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B2-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
B2-1.3.4 DEVICE LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its objects
and has attached physical or virtual devices. Any TCB
subset whose policy does not include such mandatory
access control or has no attached physical or virtual
devices is exempt from this requirement. This
requirement can be satisifed by the cooperative action
of more than one TCB subset.
B2-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include�
such mandatory access control is exempt from this
requirement.
B2-2 ACCOUNTABILITY
B2-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Similarly,
that TCB subset may rely on a mechanism in another more
primitive TCB subset to ensure that the security level
of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by
the clearance and authorization of that user. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
B2-2.1.1 TRUSTED PATH
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
When TCB subsets are used, the requirement
for trusted path at levels B2 and above remains
applicable to the entire TCB. The implementation of
trusted path could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one
TCB subset if the separate implementations together
comply with the system security policy.�
B2-2.2 AUDIT
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or
later.
Any TCB subset wherein events may occur that
require notification of the security administrator
shall be able to: (1) detect the occurrence of these
events, (2) initiate the recording of the audit trail
entry, and (3) initiate the notification of the
security administrator. The ability to terminate
events (2) and (3) above may be provided either in the
TCB subset within which they occur, or in the TCB
subset(s) where actions that lead to the event were
initiated.
The monitoring and notification requirements
may require cooperation between multiple distinct TCB
subsets or multiple instantiations of the same TCB
subset. For example, to detect the accumulation of
events for a single user it may be necessary to collect
events from several subjects in distinct processes that
are surrogates for the same user. As another example,
there may be a single TCB subset that collects events
from a number of other TCB subset instantiations and,�
based on its analysis of them, notifies the security
administrator.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, inserts), not just the invocation of the
database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each�
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
B2-3 ASSURANCE
B2-3.1 OPERATIONAL ASSURANCE
B2-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Similarly, the TCB must provide distinct
address spaces for untrusted processes. A most
primitive TCB subset must provide distinct address
spaces for its subjects. A less primitive TCB subset
must make use of the distinct address space provided by
a more primitive TCB subset. A less primitive TCB
subset may provide more fine-grained distinct address
spaces, but is not required to do so.
In general, requirements specifically
referring to hardware or firmware apply only to TCB
subsets that include hardware or firmware. The
exception is the requirement that the TCB make
effective use of available hardware. This requirement
applies to those TCB subsets that use resources�
provided by more primitive TCB subsets in lieu of
hardware. Those TCB subsets are required to make
effective use of the protection-relevant features
exported to it by the more primitive TCB subsets (e.g.,
execution domains, support for distinct address spaces)
to separate those elements that are protection-critical
from those that are not.
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be
completely defined and all elements of the TCB
identified.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as the user interface to the whole
TCB.
Statement from TCSEC
It shall make effective use of available
hardware to separate those elements that are
protection-critical from those that are not.
Interpretation�
If the TCB is composed of multiple subsets,
each TCB subset must make use of facilities provided to
it by more primitive TCB subsets, such as support for
execution domains and for distinct address spaces, to
achieve the required separation.
B2-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
B2-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the
TCSEC to the entire TCB. When the TCB is made up
entirely of TCB subsets meeting the conditions for
evaluation by parts, analysis of the individual TCB
subsets satisfies this requirement. Otherwise, covert
channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the
individual TCB subsets were available).
B2-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the
TCSEC to the entire TCB. Any "operator" or
"administrator" functions intrinsic to an individual
TCB subset must be supported by that TCB subset or by a
more primitive TCB subset.
B2-3.2 LIFE CYCLE ASSURANCE
B2-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.
Otherwise, security testing of the entire TCB must be�
performed (even if the results of testing the
individual TCB subsets were available).
B2-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the
TCSEC to every TCB subset, with the following specific
additional interpretations.
It must be demonstrated that the
security policy enforced by the composite TCB is
represented by the collection of policy models for the
individual TCB subsets.
The argument that the descriptive top level
specification (DTLS) is consistent with the TCB
interface applies to the entire TCB. There is required
an explicit and convincing description of how the set
of top level specifications (one for each TCB subset)
describes the TCB interface in terms of exceptions,
errors, and effects.
Statement from TCSEC
A formal model of the security policy
supported by the TCB shall be maintained over the life
cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
Statement from TCSEC
A descriptive top-level specification (DTLS)
of the TCB shall be maintained that completely and�
accurately describes the TCB in terms of exceptions,
error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the DTLS of each
TCB subset. An informal argument that the set of DTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the DTLS and in the TCB
subset's model.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
B2-3.2.3 Configuration Management
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB, with the
following additional interpretation.
Because subsets of the TCB may be developed
independently, a single configuration management system
may not be feasible. However, the combination of
configuration management systems used to support all�
the TCB subsets must meet all the stated requirements.
The information describing the interrelations between
separate TCB subsets and separate security policy
models falls into the category of "all documentation
and code associated with the current version of the
TCB" in the TCSEC requirements.
B2-4 DOCUMENTATION
B2-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
B2-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.�
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
The TCB modules that contain the reference
validation mechanism must be associated with the TCB
subset to which they belong. The procedure for
generating a new TCB after modifying only one (or
several) TCB subsets must be described. This may be
accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the
affected TCB subsets.
B2-4.3 TEST DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB.
B2-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB, with the following specific
addditional interpretations.
Requirements concerning models and DTLSs
apply to individual TCB subsets.
The requirement concerning the description of
interfaces between modules of the TCB includes the
interfaces between TCB subsets.�
The documentation of the implementation of a
reference validation mechanism must include
justification for meeting the conditions for evaluation
by parts.
Statement from TCSEC
The interfaces between the TCB modules shall
be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall
be identified and an explanation given to show that
they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and shall
include the protection mechanisms which support the
conditions for TCB subset structure and separate
subset-domains.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall�
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB
implements the reference monitor concept and give an
explanation of why it is tamper resistant, cannot be
bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
each TCB subset with respect to its specific technical
policy. In addition, there must be documented an
informal argument that the cooperative action of the
TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is
structured to facilitate testing and to enforce least
privilege.
Interpretation
If the TCB is composed of multiple subsets,
this requirement is interpreted to apply to individual
TCB subsets as well as to the overall TCB.
CLASS (B3): SECURITY DOMAINS
B3-1 SECURITY POLICY
B3-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its�
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
B3-1.2 OBJECT REUSE
This requirement applies as stated in the TCSEC to
every TCB subset in the TCB.
B3-1.3 LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP
system resource . . . that is directly or indirectly
accessible by subjects external to the TCB shall be
maintained by the TCB
Interpretation
Internal TCB variables that are not visible
to untrusted subjects need not be labeled, provided
that they are not directly or indirectly accessible by
subjects external to the TCB. However, it is important
to understand that such internal variables can function
as covert signaling channels when untrusted subjects
are able to detect changes in these variables by
observing system behavior.
B3-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its�
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B3-1.3.2 EXPORTATION OF LABELED INFORMATION
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B3-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
B3-1.3.4 DEVICE LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its objects
and has attached physical or virtual devices. Any TCB
subset whose policy does not include such mandatory
access control or has no attached physical or virtual
devices is exempt from this requirement. This
requirement can be satisifed by the cooperative action
of more than one TCB subset.
B3-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
B3-2 ACCOUNTABILITY�
B3-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Similarly,
that TCB subset may rely on a mechanism in another more
primitive TCB subset to ensure that the security level
of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by
the clearance and authorization of that user. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
B3-2.1.1 TRUSTED PATH
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
When TCB subsets are used, the requirement
for trusted path at levels B2 and above remains
applicable to the entire TCB. The need for trusted
path "when positive TCB-to-user connection is required
(e.g., login, change subject security level)" can
require user interaction with virtually any TCB subset
within the TCB. The implementation of trusted path
could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one
TCB subset if the separate implementations together
comply with the system security policy.
B3-2.2 AUDIT�
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or at
some later time.
Any TCB subset wherein events may occur that
require notification of the security administrator
shall be able to: (1) detect the occurrence of these
events, (2) initiate the recording of the audit trail
entry, and (3) initiate the notification of the
security administrator. The ability to terminate
events (2) and (3) above may be provided either in the
TCB subset within which they occur, or in the TCB
subset(s) where actions that lead to the event were
initiated.
The monitoring and notification requirements
may require cooperation between multiple distinct TCB
subsets or multiple instantiations of the same TCB
subset. For example, to detect the accumulation of
events for a single user it may be necessary to collect
events from several subjects in distinct processes that
are surrogates for the same user. As another example,
there may be a single TCB subset that collects events
from a number of other TCB subset instantiations and,
based on its analysis of them, notifies the security
administrator.�
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, inserts), not just the invocation of the
database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be audited. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not�
be auditable. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
B3-3 ASSURANCE
B3-3.1 OPERATIONAL ASSURANCE
B3-3.1.1 System Architecture
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Similarly, the TCB must provide distinct
address spaces for untrusted processes. A most
primitive TCB subset must provide distinct address
spaces for its subjects. A less primitive TCB subset
must make use of the distinct address space provided by
a more primitive TCB subset. A less primitive TCB
subset may provide more fine-grained distinct address
spaces, but is not required to do so.
In general, requirements specifically
referring to hardware or firmware apply only to TCB
subsets that include hardware or firmware. However,
the requirement that the TCB make effective use of
hardware requires that a less primitive TCB subset make
effective use of the protection-relevant features
exported to it by the more primitive TCB subsets (e.g.,
execution domains, support for distinct address spaces)
to separate those elements that are protection-critical
from those that are not.�
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be
completely defined and all elements of the TCB
identified.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as the user interface to the whole
TCB.
Statement from TCSEC
It shall make effective use of available
hardware to separate those elements that are
protection-critical from those that are not.
Interpretation
If the TCB is composed of multiple subsets,
each TCB subset must make use of facilities provided to
it by more primitive TCB subsets, such as support for
execution domains and for distinct address spaces, to
achieve the required separation.
B3-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or�
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
B3-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the
TCSEC to the entire TCB. When the TCB is made up
entirely of TCB subsets meeting the conditions for
evaluation by parts, analysis of the individual TCB
subsets satisfies this requirement. Otherwise, covert
channel analysis of the entire TCB must be performed
(even if the results of covert channel analysis of the
individual TCB subsets were available).
B3-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the
TCSEC to the entire TCB. Any "operator" or
"administrator" functions intrinsic to an individual
TCB subset must be supported by that TCB subset or by a
more primitive TCB subset.
B3-3.1.5 TRUSTED RECOVERY
This requirement applies as stated in the
TCSEC to the entire TCB and to the individual TCB
subsets. The cooperative recovery actions of the TCB
subsets making up the TCB must provide trusted recovery
for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the
individual TCB subsets meet the trusted recovery
requirements).
B3-3.2 LIFE CYCLE ASSURANCE
B3-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.�
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
B3-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the
TCSEC to every TCB subset, with the following specific
additional interpretations.
It must be demonstrated that the security
policy enforced by the composite TCB is represented by
the collection of policy models for the individual TCB
subsets.
The argument that the descriptive top level
specification (DTLS) is consistent with the TCB
interface applies to the entire TCB. There is required
an explicit and convincing description of how the set
of top level specifications (one for each TCB subset)
describes the TCB interface in terms of exceptions,
errors, and effects.
Statement from TCSEC
A formal model of the security policy
supported by the TCB shall be maintained over the life
cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
Statement from TCSEC�
A descriptive top-level specification (DTLS)
of the TCB shall be maintained that completely and
accurately describes the TCB in terms of exceptions,
error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the DTLS of each
TCB subset. An informal argument that the set of DTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the DTLS and in the TCB
subset's model.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
A convincing argument shall be given that the
DTLS is consistent with the model.
Interpretation�
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB
subsets. Enforcement of all policies must be shown to
occur in all situations (e.g., state transitions)
required by the formal security policy model. In the
case of a discretionary access control policy, the
presence of the access control check at all identified
state transitions is the total of what is required for
demonstrating consistency between the DTLS and the
model. This may be verified by inspection of the DTLS
(that is, by visually checking that exception checks
required by the model are present in the DTLS). For
the mandatory access control policy, the DTLS must be
shown by a convincing argument to be consistent with
the model.
B3-3.2.3 CONFIGURATION MANAGEMENT
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB, with the
following additional interpretation.
Because subsets of the TCB may be developed
independently, a single configuration management system
may not be feasible. However, the combination of
configuration management systems used to support all
the TCB subsets must meet all the stated requirements.
The information describing the interrelations between
separate TCB subsets and separate security policy
models falls into the category of "all documentation
and code associated with the current version of the
TCB" in the TCSEC requirements.
B3-4 DOCUMENTATION
B3-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as�
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
B3-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
The TCB modules that contain the reference
validation mechanism must be associated with the TCB�
subset to which they belong. The procedure for
generating a new TCB after modifying only one (or
several) TCB subsets must be described. This may be
accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the
affected TCB subsets.
B3-4.3 TEST DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB.
B3-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB, with the following
addtional specific interpretations.
Requirements concerning models and DTLSs
apply to individual TCB subsets.
The requirement concerning the description of
interfaces between modules of the TCB includes the
interfaces between TCB subsets.
The documentation of the implementation of a
reference validation mechanism must include
justification for meeting the conditions for evaluation
by parts.
Statement from TCSEC
The interfaces between the TCB modules shall
be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
Statement from TCSEC�
The specific TCB protection mechanisms shall
be identified and an explanation given to show that
they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and shall
include the protection mechanisms which support the
conditions for TCB subset structure and separate
subset-domains.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB
implements the reference monitor concept and give an
explanation of why it is tamper resistant, cannot be
bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
each TCB subset with respect to its specific technical
policy. In addition, there must be documented an
informal argument that the cooperative action of the�
TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
Documentation shall describe how the TCB is
structured to facilitate testing and to enforce least
privilege.
Interpretation
If the TCB is composed of multiple subsets,
this requirement is interpreted to apply to individual
TCB subsets as well as to the overall TCB.
Statement from TCSEC
The TCB implementation shall be informally
shown to be consistent with the DTLS.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
individual TCB subsets.
CLASS (A1): VERIFIED DESIGN
A1-1 SECURITY POLICY
A1-1.1 DISCRETIONARY ACCESS CONTROL
The discretionary access control requirements
apply as stated in the TCSEC to every TCB subset whose
policy includes discretionary access control of its
subjects to its objects. Any TCB subset whose policy
does not include such discretionary access control is
exempt from this requirement.
A1-1.2 OBJECT REUSE�
This requirement applies as stated in the TCSEC to
every TCB subset in the TCB.
A1-1.3 LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
Statement from TCSEC
Sensitivity labels associated with each ADP
system resource . . . that is directly or indirectly
accessible by subjects external to the TCB shall be
maintained by the TCB
Interpretation
Internal TCB variables that are not visible
to untrusted subjects need not be labeled, provided
that they are not directly or indirectly accessible by
subjects external to the TCB. However, it is important
to understand that such internal variables can function
as covert signaling channels when untrusted subjects
are able to detect changes in these variables by
observing system behavior.
A1-1.3.1 LABEL INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
A1-1.3.2 EXPORTATION OF LABELED INFORMATION�
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
A1-1.3.3 SUBJECT SENSITIVITY LABELS
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
A1-1.3.4 DEVICE LABELS
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its objects
and has attached physical or virtual devices. Any TCB
subset whose policy does not include such mandatory
access control or has no attached physical or virtual
devices is exempt from this requirement. This
requirement can be satisifed by the cooperative action
of more than one TCB subset.
A1-1.4 MANDATORY ACCESS CONTROL
This requirement applies as stated in the
TCSEC to every TCB subset whose policy includes
mandatory access control of its subjects to its
objects. Any TCB subset whose policy does not include
such mandatory access control is exempt from this
requirement.
A1-2 ACCOUNTABILITY
A1-2.1 IDENTIFICATION AND AUTHENTICATION
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the�
TCB subsets making up the TCB must satisfy the
requirement.
If the TCB is composed of TCB subsets, one
TCB subset may either rely on a mechanism in another
TCB subset to provide identification and authentication
services or provide the services directly. Similarly,
that TCB subset may rely on a mechanism in another more
primitive TCB subset to ensure that the security level
of subjects external to the TCB that may be created to
act on behalf of the individual user are dominated by
the clearance and authorization of that user. Each TCB
subset may maintain its own identification and
authentication data or one central repository may be
maintained. If each TCB subset has its own data, then
the information for each individual user must be
consistent among all subsets.
A1-2.1.1 TRUSTED PATH
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the
TCB subsets making up the TCB must satisfy the
requirement.
When TCB subsets are used, the requirement
for trusted path at levels B2 and above remains
applicable to the entire TCB. The need for trusted
path "when positive TCB-to-user connection is required
(e.g., login, change subject security level)" can
require user interaction with virtually any TCB subset
within the TCB. The implementation of trusted path
could be localized in a single TCB subset.
Alternatively, it could be implemented in more than one
TCB subset if the separate implementations together
comply with the system security policy.
A1-2.2 AUDIT
This requirement applies as stated in the
TCSEC to the entire TCB. The cooperative action of the�
TCB subsets making up the TCB must satisfy the
requirement.
A TCB subset may maintain its own security
audit log, distinct from that maintained by more
primitive TCB subsets, or it may use an audit interface
provided by a different TCB subset allowing the audit
records it generates to be processed by that TCB
subset.
If the TCB subset uses different user
identifications than a more primitive TCB subset, there
shall be a means to associate audit records generated
by different TCB subsets for the same individual with
each other, either at the time they are generated or at
some later time.
Any TCB subset wherein events may occur that
require notification of the security administrator
shall be able to: (1) detect the occurrence of these
events, (2) initiate the recording of the audit trail
entry, and (3) initiate the notification of the
security administrator. The ability to terminate
events (2) and (3) above may be provided either in the
TCB subset within which they occur, or in the TCB
subset(s) where actions that lead to the event were
initiated.
The monitoring and notification requirements
may require cooperation between multiple distinct TCB
subsets or multiple instantiations of the same TCB
subset. For example, to detect the accumulation of
events for a single user it may be necessary to collect
events from several subjects in distinct processes that
are surrogates for the same user. As another example,
there may be a single TCB subset that collects events
from a number of other TCB subset instantiations and,
based on its analysis of them, notifies the security
administrator.
Statement from TCSEC�
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, inserts), not just the invocation of the
database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be audited. If the total audit requirement is met by
the use of more than one audit log, a method of
correlation must be available.
Statement from TCSEC
The TCB shall be able to create, maintain,
and protect from modification . . . an audit trail
of accesses to the objects it protects.
Interpretation
Auditable events, in the case of a database
management system, are the individual operations
initiated by untrusted users (e.g., updates,
retrievals, and inserts), not just the invocation of
the database management system. The auditing mechanism
shall have the capability of auditing all mediated
accesses which are visible to the user. That is, each
discretionary access control policy decision and each
mandatory access control policy decision shall be
auditable. Individual operations performed by trusted
software, if totally transparent to the user, need not
be auditable. If the total audit requirement is met by�
the use of more than one audit log, a method of
correlation must be available.
A1-3 ASSURANCE
A1-3.1 OPERATIONAL ASSURANCE
A1-3.1.1 SYSTEM ARCHITECTURE
This requirement applies as stated in the
TCSEC to every TCB subset, with the following
additional interpretations.
The TCB must provide domains for execution
that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.
A most primitive TCB subset must provide domains for
execution. A less primitive TCB subset must make use
of domains provided by a more primitive TCB subset. A
less primitive TCB subset may provide further execution
domains but is not required to do so.
Similarly, the TCB must provide distinct
address spaces for untrusted processes. A most
primitive TCB subset must provide distinct address
spaces for its subjects. A less primitive TCB subset
must make use of the distinct address space provided by
a more primitive TCB subset. A less primitive TCB
subset may provide more fine-grained distinct address
spaces, but is not required to do so.
In general, requirements specifically
referring to hardware or firmware apply only to TCB
subsets that include hardware or firmware. However,
the requirement that the TCB make effective use of
hardware requires that a less primitive TCB subset make
effective use of the protection-relevant features
exported to it by the more primitive TCB subsets (e.g.,
execution domains, support for distinct address spaces)
to separate those elements that are protection-critical
from those that are not.�
Statement from TCSEC
The TCB shall maintain a domain for its own
execution that protects it from external interference
or tampering.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to each TCB subset.
Statement from TCSEC
The user interface to the TCB shall be
completely defined and all elements of the TCB
identified.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as the user interface to the whole
TCB.
Statement from TCSEC
It shall make effective use of available
hardware to separate those elements that are
protection-critical from those that are not.
Interpretation
If the TCB is composed of multiple subsets,
each TCB subset must make use of facilities provided to
it by more primitive TCB subsets, such as support for
execution domains and for distinct address spaces, to
achieve the required separation.
A1-3.1.2 SYSTEM INTEGRITY
This requirement applies as stated in the
TCSEC to every TCB subset that includes hardware or�
firmware. Any TCB subset that does not include
hardware or firmware is exempt from this requirement.
A1-3.1.3 COVERT CHANNEL ANALYSIS
This requirement applies as stated in the TCSEC to the
entire TCB. When the TCB is made up entirely of TCB
subsets meeting the conditions for evaluation by parts,
analysis of the individual TCB subsets satisfies this
requirement. Otherwise, covert channel analysis of the
entire TCB must be performed (even if the results of
covert channel analysis of the individual TCB subsets
were available).
A1-3.1.4 TRUSTED FACILITY MANAGEMENT
This requirement applies as stated in the
TCSEC to the entire TCB. Any "operator" or
"administrator" functions intrinsic to an individual
TCB subset must be supported by that TCB subset or by a
more primitive TCB subset.
A1-3.1.5 TRUSTED RECOVERY
This requirement applies as stated in the
TCSEC to the entire TCB and to the individual TCB
subsets. The cooperative recovery actions of the TCB
subsets making up the TCB must provide trusted recovery
for the overall TCB. Otherwise, trusted recovery
evaluation must address the entire TCB (even if the
individual TCB subsets meet the trusted recovery
requirements).
A1-3.2 LIFE CYCLE ASSURANCE
A1-3.2.1 SECURITY TESTING
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
satisfies the requirement for the entire TCB.�
Otherwise, security testing of the entire TCB must be
performed (even if the results of testing the
individual TCB subsets were available).
A1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION
This requirement applies as stated in the
TCSEC to every TCB subset, with the following specific
additional interpretations.
It must be demonstrated that the security
policy enforced by the composite TCB is represented by
the collection of policy models for the individual TCB
subsets.
The argument that the descriptive top level
specification (DTLS) and formal top level specification
(FTLS) are consistent with the TCB interface applies to
the entire TCB. There is required an explicit and
convincing description of how the set of top level
specifications (one for each TCB subset) describes the
TCB interface in terms of exceptions, errors, and
effects.
Statement from TCSEC
A formal model of the security policy
supported by the TCB shall be maintained over the life
cycle of the ADP system and demonstrated to be
consistent with its axioms.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the security
policy of each TCB subset. An informal argument that
the set of policy models represents the "security
policy supported by the [composite] TCB" must be
provided.
Statement from TCSEC�
A descriptive top-level specification (DTLS)
of the TCB shall be maintained that completely and
accurately describes the TCB in terms of exceptions,
error messages, and effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the DTLS of each
TCB subset. An informal argument that the set of DTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the DTLS and in the TCB
subset's model.
Statement from TCSEC
A formal top-level specification (FTLS) of
the TCB shall be maintained that accurately describes
the TCB in terms of exceptions, error messages, and
effects.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to the FTLS of each
TCB subset. An informal argument that the set of FTLSs
accurately describes the TCB must be provided.
If there is a multifaceted policy (e.g., both
mandatory access control and discretionary access
control policies) in a particular TCB subset, then all
facets must be represented in the FTLS and in the TCB
subset's model.
Statement from TCSEC
The FTLS shall be shown to be an accurate
description of the TCB interface.�
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
A convincing argument shall be given that the
DTLS is consistent with the model.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB
subsets. Enforcement of all policies must be shown to
occur in all situations (e.g., state transitions)
required by the formal security policy model. In the
case of a discretionary access control policy, the
presence of the access control check at all identified
state transitions is the total of what is required for
demonstrating consistency between the DTLS and the
model. This may be verified by inspection of the DTLS
(that is, by visually checking that exception checks
required by the model are present in the DTLS). For
the mandatory access control policy, the DTLS must be
shown by a convincing argument to be consistent with
the model.
Statement from TCSEC
. . . a combination of formal and informal
techniques shall be used to show that the FTLS is
consistent with the model.
Interpretation�
If the TCB is composed of multiple TCB
subsets, this requirement applies to individual TCB
subsets. Enforcement of all policies must be shown to
occur in all situations (e.g., state transitions)
required by the formal security policy model at the
required occasions. In the case of a discretionary
access control policy, the presence of the access
control check at all identified state transitions is
the total of what is required for demonstrating
consistency between the FTLS and the model. This may
be verified by inspection of the FTLS (that is, by
visually checking that exception checks required by the
model are present in the FTLS). For the mandatory
access control policy, the FTLS must be shown by a
combination of formal and informal techniques to be
consistent with the model.
A1-3.2.3 CONFIGURATION MANAGEMENT
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB, with the
following additional interpretation.
Because subsets of the TCB may be developed
independently, a single configuration management system
may not be feasible. However, the combination of
configuration management systems used to support all
the TCB subsets must meet all the stated requirements.
The information describing the interrelations between
separate TCB subsets and separate security policy
models falls into the category of "all documentation
and code associated with the current version of the
TCB" in the TCSEC requirements.
A1-3.2.4 TRUSTED DISTRIBUTION
This requirement applies as stated in the
TCSEC to the entire TCB. It can be met by satisfying
the requirements for each TCB subset if procedures
exist for assuring that all TCB subsets upon which a
particular TCB subset depends (that is, the more�
primitive TCB subsets) are exactly the same version as
specified for the TCB subset in question.
A1-4 DOCUMENTATION
A1-4.1 SECURITY FEATURES USER'S GUIDE
This requirement applies as stated in the
TCSEC to every TCB subset in the TCB. This collection
of guides must include descriptions of every TCB subset
in the TCB and explicit cross-references to other
related user's guides to other TCB subsets, as
required. In addition, interactions between mechanisms
within different TCB subsets must be clearly described.
A1-4.2 TRUSTED FACILITY MANUAL
This requirement applies as stated in the
TCSEC to the TCB and to every TCB subset in the TCB.
This requirement can be met by providing a
set of manuals, one for each distinct (non-replicated)
TCB subset. Each manual shall address the functions
and privileges to be controlled for the associated TCB
subset. Additionally, it must clearly show the
interfaces to, and the interaction with, more primitive
TCB subsets. The manual for each TCB subset shall
identify the functions and privileges of the TCB
subsets on which the associated TCB subset depends.
Also, the TCB subset's manual shall identify which, if
any, configuration options of the more primitive TCB
subsets are to be used for the composite TCB to operate
securely.
Any pre-defined roles supported (e.g.,
database administrator) by the TCB subset shall be
addressed.
The means for correlating multiple audit logs
and synonymous user identifications from multiple TCB
subsets (if such exist) shall also be addressed.�
The trusted facility manual shall describe
the composite TCB so that the interactions among the
TCB subsets can be readily determined. Other manuals
may be referenced in this determination. The manuals
that address the distinct modules of the TCB and the
generation of the TCB need to be integrated with the
other trusted facility manuals only to the extent that
they are affected by the use and operation (versus the
development) of the composite TCB.
The TCB modules that contain the reference
validation mechanism must be associated with the TCB
subset to which they belong. The procedure for
generating a new TCB after modifying only one (or
several) TCB subsets must be described. This may be
accommodated by independent regeneration of the
individual TCB subsets or by regeneration of only the
affected TCB subsets.
A1-4.3 TEST DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB.
A1-4.4 DESIGN DOCUMENTATION
This requirement applies as stated in the
TCSEC to the composite TCB, with the following specific
additional interpretations:
Requirements concerning models, FTLS and
DTLS, apply to individual TCB subsets.
The requirement concerning the description of
interfaces between modules of the TCB includes the
interfaces between TCB subsets.
The documentation of the implementation of a
reference validation mechanism must include
justification for meeting the conditions for evaluation
by parts.�
The A1 requirement to describe clearly
non-FTLS internals of the TCB applies to TCB subsets.
Statement from TCSEC
The interfaces between the TCB modules shall
be described.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and the
interfaces between TCB subsets.
Statement from TCSEC
The specific TCB protection mechanisms shall
be identified and an explanation given to show that
they satisfy the model.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to each TCB subset and shall
include the protection mechanisms which support the
conditions for TCB subset structure and separate
subset-domains.
Statement from TCSEC
The descriptive top-level specification
(DTLS) shall be shown to be an accurate description of
the TCB interface.
Interpretation
If the TCB is composed of multiple subsets,
this requirement applies to the interface between the
TCB subsets as well as to the user interface of the
composite TCB. The TCB interface description shall
include an explanation of how to describe the total TCB�
accurately, in the context of the multiple TCB subset
DTLSs.
Statement from TCSEC
Documentation shall describe how the TCB
implements the reference monitor concept and give an
explanation of why it is tamper resistant, cannot be
bypassed, and is correctly implemented.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
each TCB subset with respect to its specific technical
policy. In addition, there must be documented an
informal argument that the cooperative action of the
TCB subsets makes the TCB itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC
The TCB implementation shall be informally
shown to be consistent with the DTLS.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
individual TCB subsets.
Statement from TCSEC
The TCB implementation shall be informally
shown to be consistent with the FTLS.
Interpretation
If the TCB is composed of multiple TCB
subsets, this requirement is interpreted to apply to
individual TCB subsets.�
Statement from TCSEC
Documentation shall describe how the TCB is
structured to facilitate testing and to enforce least
privilege.
Interpretation
If the TCB is composed of multiple subsets,
this requirement is interpreted to apply to individual
TCB subsets as well as to the overall TCB.
APPENDIX B
GENERAL ITEMS
1. PERSPECTIVE ON ASSURANCE
This Trusted Database Management System
Interpretation (TDI) of the Trusted Computer System
Evaluation Criteria (TCSEC) derives its perspective on�
assurance directly from the reference monitor concept
as recorded in the Anderson Report [1] and as embodied
in the TCSEC. In both the reference monitor concept
and in the TCSEC, the assessment of a system for trust
characteristics involves a single, global review of the
system at issue. That same perspective of an even,
global review of a candidate trusted database
management system (DBMS) is present in the TDI, in that
only complete systems will be considered for
assessment. That is, neither software packages in
isolation nor systems that satisfy only a subset of the
TCSEC. requirements will be considered for evaluation
or accreditation. The interpretation of requirements,
both in Part 1, "Technical Context," and Part 2,
"Interpreted Requirements," is consistent with both
community experience in designing and assessing trusted
systems, and the precedents of the reference monitor
concept and the TCSEC. The interpretations, therefore,
provide special guidance for the task of evaluating (or
accrediting) candidate systems composed of
distinguishable parts. However, the interpretations
neither attenuate nor delete TCSEC requirements.
It is worth noting that the introduction of
the TCSEC with its metric for the evaluation of whole
systems had as one goal the simplification of the task
of accrediting computer systems for use in the
processing of sensitive information. The evaluation
process was not intended to replace the accreditation
process but to provide input to that process. It must
be recognized that there will be occasions when a
fielded suite of computer systems, each evaluated
against the TCSEC requirements at a particular class,
will not be able to be assigned a TCSEC class, nor is
it necessary to be able to make such an assignment.
The accreditation decision includes the assessment of
risk of a particular system configuration in a
particular environment; a decision to connect a suite
of TCSEC evaluated systems may have to be made without
a uniformly applied TCSEC-like assessment over the
entire system.
�
2. PROCUREMENT OPTIONS
The Trusted Computing System Evaluation
Criteria (TCSEC) and its published interpretations,
including this Trusted Database Management System
Interpretation, have as a primary purpose the
"provision [of] a basis for specifying security
requirements in acquisition specifications." [8, p.
2] In the area of trusted DBMS and trusted systems that
include database management functionality, there is a
range of options open to an acquisition organization.
These options need to be understood by the acquisition
managers and their staffs to allow them the greatest
possible flexibility in matching operational
requirements with a combination of available products
and the state of the art in system integration and
development.
The fundamental point is the distinction
between the target trust class (that is, C1, C2, B1,
B2, B3, or A1) needed for a particular installation and
the degree of trusted DBMS functionality that is
required. Succinctly, a system that requires a
particular level of trust (B2, for example) and DBMS
functionality does not necessarily require an evaluated
trusted DBMS at the level of B2. In fact, if the
statement of required capability allows it, meeting the
requirement without a trusted DBMS could well be the
preferred risk-reducing approach. This is generally
true because the more sophisticated the trusted DBMS
requirement, the more likely it is that the current
vendor base will not be able to supply the needed
functionality (with the requisite assurance) from the
normal product line. Further, even if one can specify
carefully just what additional assured capability is
needed so that a program-specific development can be
undertaken, the lack of community experience and
consensus on advanced trusted DBMS issues and
implementations introduces the potential for
significant programmatic, schedule, and cost risks.�
Although a full description of options for
the acquisition manager is beyond the scope of this
document, a representative description of some of the
options that could be considered is included below.
The options include (1) multiple copies of a DBMS
running at different levels, each maintaining
single-level databases; (2) a single copy of a DBMS,
but with each database maintained at a single
sensitivity level (i.e., no sharing of data between
databases); (3) a single copy supporting single level
databases, but with limited sharing, perhaps of a
"snapshot" nature; and (4) DBMSs that allow databases
that include data of several sensitivity levels. This
option admits of subcases from the very simple to the
very complex.
To illustrate the options listed above,
consider a command post where a commander's staff uses
a single computer system. Included on the staff are
logistics, weather, and intelligence organizations,
each dealing with information of differing (maximum)
sensitivity. If all three organizations require
similar DBMS functions, there might be a variety of
ways to provide that functionality.
(1) If the product DBMS-1 suited the needs of
each of the organizations and there were no requirement
to share data between them, then three copies of DBMS-1
could be used, running at, for example, TOP SECRET,
SECRET, and CONFIDENTIAL, respectively, and maintaining
separate single-level databases. If the organizational
missions do not require multilevel operations or
sharing, this option could be perfectly suited to the
operational need. In this case, every copy of DBMS-1
would be running as an application outside the TCB and
would not have to be evaluated at all, neither as a
product nor as a developed system. The advantages of
this option are that commercial, off-the-shelf systems
can be used (both the DBMS and the underlying trusted
operating system) and no evaluation risk is entailed.
The disadvantages are the limited flexibility and the
hidden fact that the installation procedures for many�
DBMSs require the insertion of code into the heart of
the underlying computer system, insertions that would
un dermine the evaluation rating and thus the
confidence in the trusted operating system.
(2) A cost advantage could be realized in the
preceding case if there were a product, DBMS-2, such
that a single copy could provide DBMS functionality at
all three levels. This capability requires that the
base trusted operating system and the DBMS itself are
designed so that the DBMS code uses scratch space to
allow the code to be shared without the potential for
mixing control or metadata in workspaces, indices, and
stacks. Not all commercial DBMSs have this property,
so this option will be less available than case (1).
Note that in this case also, the databases themselves
are single-level and the workspace used by the DBMS
itself will have to be single-level.
(3) If the operational requirements are that
the intelligence and logistics organizations must have
access to the weather data maintained by the weather
organization, the simplest technical solution would be
to periodically provide a snapshot of the needed
weather data for use by the other organizations. The
database management system DBMS-2 above could provide a
solution in this case if a portion of the weather
database could be copied onto diskette (or even into
another file) for the other organizations to
incorporate into their own DBMS operations. The
disadvantage of this approach is that the information
will not be as current as that available to the weather
organization itself. Frequently, however, that lack of
currency may be a reasonable price to pay for the
enormous reductions in cost and risk in procurement and
maintenance.
(4) If the operational requirements will not
allow anything less than real-time sharing of
information, then DBMS-2 will not be sufficient. At
this point, the operational requirements have forced
the inclusion of the most sophisticated solution to a�
trusted system with DBMS requirements, a true
multilevel DBMS. In this case, it remains a valuable
goal to minimize the complexity of the needed sharing.
If the DBMS is providing a functionality that looks
like tables to the user, then it is less complex if
each table is at a single level than if each row (or
each column) could be at a different sensitivity level.
The most complex situation is when each entry in the
table could be at a different sensitivity level.
During the procurement and development process, it
would be worthwhile to structure the procurement to
favor solutions that are as simple as possible from a
multilevel trusted DBMS standpoint.
3. ALTERATION OF PREVIOUSLY EVALUATED TCB
The discussion in Part 1, "Technical Context"
arose from consideration of the conditions under which
it is possible to add an application layer, such as a
DBMS, to another TCB in such a way as to allow the
system rating to be determined by evaluating the system
elements (i.e., the subsets) separately. The benefit
to both the applications vendor and the evaluators
derives from the fact that the DBMS operates as an
untrusted subject relative to the underlying TCB (even
though the DBMS enforces its own policy). Therefore,
there is no need to re-examine previous evaluation
evidence; any and all actions performed by the
application layer are completely constrained in
accordance with the security policy defined for the
underlying TCB.
The savings in evaluation effort is
predicated on the assumption that the vendor of the
application layer makes no changes of any kind to the
other TCB. In effect, the argument made by the vendor
is as follows:
(a) The underlying TCB enforces policy P[i].
The validity of the claims about the underlying TCB has
already been established, and these claims remain valid�
because the underlying TCB has not been altered in any
way and because the DBMS is completely constrained by
that policy (i.e., P[i] cannot be violated by any
action of the DBMS).
(b) The application is a TCB subset which
enforces policy P[k].
(c) Thus, the policy enforced by the
composite system (i.e., the policy enforced at the user
interface of the composite TCB) is merely a combination
of the policies of the individual TCB subsets.
Because there is neither theory nor
experience which allows one to make general, a priori
statements about the effects of arbitrary changes, any
alterations to a previously evaluated product must, in
general, be considered to result in a product whose
security attributes, and thus whose rating, is unknown.
Thus, if the previously evaluated product is altered,
argument (a) cannot be made merely by referencing the
published evaluation report. It becomes the
responsibility of the DBMS vendor to state P[i] (i.e.,
identify the policy enforced by the altered product)
and to demonstrate that the implementation satisfies
the appropriate TCSEC requirements. Hence, at least
some evaluation evidence focused on the underlying TCB
must be provided by the vendor of the application
layer. The amount of evidence required will be
determined by the type, extent, and amount of change,
as well as the characteristics of the original TCB.
This is not to say, however, that changes
always invalidate all previous evaluation evidence.
Rather, that there is no way to predict what effect
arbitrary change will have on that evidence. Clearly,
some changes will invalidate a substantial part, if not
all, of the previous evaluation results, requiring a
completely new evaluation. In some cases it will be
virtually impossible to determine the full effect of
even relatively simple changes, whereas in other
instances it may be possible to determine the effects�
of at least some changes quite precisely. In a
well-modularized system, changes to the internals of a
module might be shown to have no functional or security
effect outside of the module. Even changes to the
module that alter its interface might be shown to have
effects which do not propagate beyond those modules
which have a direct interface to the altered module.
In either case however, at least some
evidence must be produced about the underlying, altered
TCB. Thus, the vendor who alters the product which is
hosting his application becomes responsible for any and
all evidence required to substantiate the claims being
made for both the application and the underlying TCB.
In fact, it is always the case that the DBMS
vendor is responsible for all the evidence required to
demonstrate that the system (i.e., the trusted
components of the application plus the underlying TCB)
has the level of trust claimed for it. In the case of
strict subsetting for evaluation by parts, in which the
application is layered onto an unaltered,
previously-evaluated TCB, part of the evidence is
satisfied by referencing the previous evaluation
results and the commercially-available specifications
for that portion of the system. However, if the
previously evaluated TCB has been altered, the
applications vendor is now responsible for
demonstrating that the underlying TCB has the level of
trust being claimed for it. How much, if any, of the
previous evaluation evidence is still valid is a matter
to be resolved.
The development of the subsetting notion has
been motivated by the need for evaluating systems whose
elements may have been developed by different vendors.
Consequently, the discussion of TCB subsets has been
largely focused on the topic of extending the policy
enforcement attributes of previously evaluated TCBs.
However, the notion of TCB subsetting provides a
perfectly general design method. A TCB can be
structured and policy enforcement allocated to simplify�
both analysis and evaluation. To the extent that each
TCB subset in a subsetted system satisfies the
conditions of TC-4.3, the evaluation can be factored
along policy lines, and a rating for the composite
system determined.
4. SATISFYING RVM REQUIREMENTS
The evaluation of a system whose TCB is made
up of a set of TCB subsets follows a logical flow that
makes it an orderly process. The initial step is
satisfying the conditions for evaluation by parts.
Those conditions are as follows:
Identification of the candidate TCB
subsets;
Allocation of the policy (the clear
statement of the technical policies enforced by the
individual TCB subsets, stated in terms of the subjects
and objects for that TCB subset);
Demonstration that each candidate TCB
subset contains its own trusted subjects;
Specification of the structure of the TCB
subsets (as a collection of abstract machines);
Identification of sets of domains (called
"subset-domains") assigned for the execution of the
individual TCB subsets; and
Identification of what externally stated
properties of TCB subsets will be used to argue
convincingly and independently for the RVM nature of
each of the constituent TCB subsets.
The successful completion of this step,
especially the "support for RVM arguments" will result
in a conditional approval of two items: a set of goals
in the evaluation of the more primitive TCB subsets and�
the feasibility of being able to argue the RVM
properties of less primitive TCB subsets using no more
information about the more primitive TCB subsets than
the identified goals. The goals for the more primitive
TCB subsets will be a set of mechanisms,
characteristics, or properties whose proper, assured
functioning will have to be demonstrated. Examples are
domain mechanisms, mandatory integrity policy
enforcement mechanisms, and a special category of
object with associated content-preservation guarantees.
These mechanisms or characteristics or properties are
strictly a function of the more primitive TCB subset
and will have to be evaluated and approved in a
(possibly) later part of the evaluation process. The
conditional approval of the feasibility of constructing
an independent RVM argument for less primitive TCB
subsets relies on an interplay between the proposed
mechanisms of the more primitive TCB subset and the
anticipated needs of the RVM argument for the less
primitive TCB subset.
The next steps of the evaluation process,
with regards to the reference validation mechanism
requirements, involve the independent evaluation of the
TCB subsets. TCB subsets that have been identified as
providing features or mechanisms on which other TCB
subsets will rely for RVM arguments will have to be
demonstrated to provide the stated mechanisms with the
same level of assurance as the target evaluation class
of the entire system. If all the identified mechanisms
can be validated, the conditional approval of the
"support for RVM arguments" condition remains
unchanged. If some mechanism cannot be properly
established from either a functional or an assurance
perspective, then the conditional approval of that
portion of the "support" condition is withdrawn and the
evaluation effort must regroup.
TCB subsets that were projected to be able to
complete RVM arguments successfully using no more than
the identified "support" mechanisms and features will
have to have full RVM arguments advanced and accepted�
by the evaluation team. There are three possible
outcomes: (1) it could be shown that the TCB subset in
question does not meet the RVM requirements; (2) it
could be shown, using the external descriptions and
assurances of the mechanisms of the more primitive TCB
subsets, that the less primitive TCB subset does meet
the RVM requirements; or (3) it might be impossible to
determine whether or not the TCB subset meets the
requirements. In case (1), the TCB subset failed to
meet its reference validation mechanism requirements
and the design team must regroup. In case (2), the TCB
subset satisfies its reference validation mechanism
requirements. In case (3), the conditional approval of
the "support for RVM arguments" condition will be
withdrawn and the design and evaluation teams will have
to agree on an alternate course of action.
In the case that an attempt to establish RVM
properties for a less primitive TCB subset could not be
completed (case (3) above), it might well be that
additional mechanisms or features of the more primitive
TCB subset would allow the RVM arguments to be
completed successfully. In that case, the evaluation
team and the design team would have to establish a new,
augmented set of mechanisms for the "support"
condition. The evaluation could then continue with the
new mechanism requiring validation by the evaluation
team and the argument for the RVM properties of the
less primitive TCB subset having to be re-attempted.
It is important to note that the dependency
of the less primitive TCB subsets on the assured
policies and RVM supporting mechanisms makes it
imperative that the evaluation of the whole TCB be done
by a single evaluation team through the final
determination that the system complies with the full
set of requirements for the target class. Thus, in
particular, an evaluation team addressing an evaluation
by parts (including the case of a TCB subset that has
been previously evaluated and placed on the EPL) must
be kept together for the entire evaluation. Local
evaluation of one TCB subset does not justify�
dissolving the responsible subteam. Later results,
global or local to another TCB subset, could require a
full evaluation team current on all aspects of the
evaluated configuration. This does not mean, of
course, that the original evaluation team for a
previously evaluated EPL product has to be reassembled.
A new team, part of which may be delegated prime
responsibility for that TCB subset, suffices, as long
as the full team is kept together for the whole
evaluation.
5. SUBSET DEPENDENCY
For candidate TCB subset M, sM denotes the
specification of M, including as a minimum, the
statement of the technical policy P of M. The term vM
denotes the (engineering) demonstrations of the
correctness of the implementation of M with respect to
its specification. A (candidate) TCB subset A "depends
(for its correctness)" on (candidate) TCB subset B if
and only if the arguments within vA assume the
correctness of the implementation of B with respect to
sB.
In less precise terms, the specification sM
defines what M is supposed to do. M does whatever its
implementation allows, features and all. How well M
does compared to what sM says it should do is
encompassed in the engineering arguments vM. If, in
the argument vA, one has to assume that all or part of
sB accurately describes what B does, A "depends" on B
for its correctness.
Example 1: Use of Provided Objects
Suppose TCB subset B provides "file" as a
mediated object under its technical policy P[B] and
that candidate TCB subset A uses B-files to store data
and executables. If vA uses the fact that different
B-files are distinct and access to them is constrained
by the technical policy P[B] (assumptions that are�
nearly certain to apply), then vA is relying on the
fact that sB and B match and in this case, A depends on
B.
Example 2: Mutually Suspicious Systems
Suppose A and B are mutually suspicious
airline reservation systems hosted in two
interconnected systems belonging to two distinct
organizations. It is assumed that sA and sB both
provide for a capability to accept reservations over
the network from "foreign" systems using a mutually
defined protocol. The protocol is carefully and
completely specified (within both sA and sB) and both
vA and vB demonstrate, to the desired level of
satisfaction, that A and B are correct with respect to
sA and sB, respectively. A does not depend for its
correctness on B because sA is complete: for whatever
sequence of bits it receives from B, sA specifies
exactly what behavior A must exhibit, and vA
demonstrates that it does exhibit that behavior.
Similarly, B does not depend upon A for its
correctness. Neither A nor B depends on the other.
There may well exist a "system specification"
that specifies the desired behavior of the entire
system, but that is irrelevant to the arguments that A
and B are individually correct with respect to their
own specifications. It may even be the case that both
A and B are individually correct, while the combined
system is incorrect with respect to the "system
specification." That is, two correct subsystems can be
combined improperly with respect to the desired "system
specification."
Example 3: Use of Remotely Provided Functionality
Suppose A is a mail server and B a generic
SQL DBMS. The specification sA (as might be expected)
makes no mention of a DBMS; it simply specifies the
interface behavior (to its human clients) of the mail
system. In vA, however, we find that the software for�
A uses tables provided by B to store messages. A and B
are on separate, interconnected machines. Neither sB
nor vB make mention of the mail system at all. As in
the preceding example, sB completely specifies the
behavior of B for all received bit patterns and
sequences. Here, A depends upon B, but B does not
depend on A. Note that data flow in both directions is
completely legitimate and does not compromise in any
way the "integrity" (correctness) of B. Dependency is
distinct from "data flow."
This example shows that a superficial
examination of the "architecture" of a domain structure
is insufficient to determine which candidate TCB
subsets depend upon other TCB subsets. Superficially,
this architecture is the same as the example of
mutually suspicious systems above, but here A depends
on B. It also shows that an examination of the
interface specifications is insufficient. Finally, it
shows that dependency is not the same as the notion of
"privilege" (as normally understood in the context of
operating systems to mean loosened restrictions on
allowed functions and accesses), because there is in
this example no sense in which B has access to all of
A's internal structures. It only has access to some of
them.
Example 4: Use of Locally Provided Functionality
Suppose A and B are the mail server and SQL
DBMS of the preceding example, except that A is
implemented in a less privileged ring than B. That is,
the interconnect is replaced by a ring-crossing service
call. Obviously, A still depends on B and B does not
depend on A. The change is that now B has potential
access to any of A's structures. The general rule for
the use of domain protection mechanisms (such as rings)
is that if B is privileged with respect to A, then A
necessarily depends on B (simply by virtue of B's
privilege to access any of A's structures). Thus, a
detailed examination of sA and vA is unnecessary to
establish dependency.�
Cautionary Example
Suppose that A and B are "mutually
dependent"; that is, A depends on B and B depends on A.
This means that vA assumes that B is implemented
correctly with respect to sB, and vB assumes that A is
implemented correctly with respect to sA. Further
suppose that both vA and vB are valid (reasonable and
compelling). One would hope that it follows from this
that both A and B are correct. Unfortunately, this is
not always the case.
If A and B are both correct with respect to
sA and sB, then vA is a valid argument with a true
premise and is therefore true. The same is true for B
and vB.
Suppose, however, that A is implemented
incorrectly with respect to sA and B is implemented
incorrectly with respect to sB. vA is a valid argument
with a false premise; it is thus valid but (possibly)
untrue. Similarly, vB is valid but (possibly) untrue.
This case shows that it is quite possible for vA and vB
to both be valid while A and B are both (individually)
incorrectly implemented.
What has been exposed here is a hidden case
of circular reasoning: the argument that A is correct
is based on the assumption that B is correct, and the
argument that B is correct is based on the assumption
that A is correct. Thus, vA depends (circularly) on
the assumption that A is correct, and vA reduces to the
following tautology:
if vA is correct with respect to sA then vA is correct
with respect to sA.
It is thus possible in principle for mutually dependent
subsystems A and B to have vA and vB to be logically
valid while either A or B, or both, are incorrect with
respect to their specifications (sA or sB).�
To make this result concrete, consider two
airline reservation systems, A and B, based on the
mutually suspicious systems of example 2 above.
Suppose that A maintains information about all flights
originating or terminating in the United States while B
maintains information about flights originating or
terminating in Europe. Assume sA includes a statement
that A will generate flight itineraries from an origin
to a destination, with appropriate provision for
connections. "Appropriate provision for connections"
means allowing enough time to change planes without
requiring passengers to wait an excessive period of
time. Further assume that sB includes a similar
statement. From the assumption that A meets sA and B
meets sB, one can construct a valid argument that A
meets its specification sA for itineraries orginating
or terminating in either the U.S. or Europe. A
similarly valid argument can be made about B. If,
however, A stores flight segment times in the local
time of the airport and B stores them i n Greenwich
Mean Time, an itinerary generated by either A or B that
relies on information from the other will be incorrect
because of the time differences. Thus, A will not
generate accurate, timely flight itineraries, even
though a valid argument that it does can be
constructed. This difficulty arises from the
presumption that A and B are mutually dependent.
6. TAMPER RESISTANCE ARGUMENTS
The requirement to demonstrate that
individual TCB subsets exhibit the reference validation
mechanism tamper resistance property deserves special
attention. In a subsetted architecture there are two
(related) aspects to this requirement. The first is
the ability of a less primitive TCB subset to maintain
control over access to the objects that implement its
logic and data structures. The second is establishing
the assurance that policy-critical or
correctness-critical data used by a TCB subset is
persistent (that is, that it does not change or become�
contaminated with other data between the execution of
instructions).
A less primitive TCB subset will be using
objects and subjects provided by a more primitive TCB
subset. Thus, policy-critical data will be stored in
objects that are provided by the more primitive TCB
subset rather than in some system entity created and
maintained by the less primitive TCB subset itself.
One part of the tamper resistance argument focuses on
being able to demonstrate that no alteration of either
the policy-critical data or of the TCB subset's code is
possible. That is, no system entity external to a TCB
subset (with the possible exception of more primitive
TCB subsets upon which it depends) should be capable of
causing arbitrary changes to that TCB subset's code or
data structures. If a third, not more primitive TCB
subset (or a subject totally outside the TCB) were able
to gain access to an object where policy-critical data
was stored, the tamper resistance property could not be
established for the TCB subset in question. For a
most-primitive TCB subset, a wide variety of techniques
could be used to limit access to an object in which
such policy-critical data is stored (e.g., prohibition
on the sharing of objects, strict ownership control of
the ability to extend access permission, and mandatory
access controls). Similarly, the conditions for
evaluation by parts require that the system designer
identify a set of mechanisms and their assured
properties as the basis for demonstrating tamper
resistance for each TCB subset.
The second topic is the assurance that the
contents of the objects that store a TCB subset's
policy-critical data not change except through the
execution of that TCB subset's logic. If a data
structure that identified an exported object (such as
tables or tuples or entities) were to have extraneous
data inserted by a more primitive TCB subset (for
example, as a result of garbage collection or the
random action of memory management), then no basis
would exist for arguments concerning the correct�
implementation of the less primitive TCB subset. For a
most primitive TCB subset (which includes supporting
hardware), the argument that the policy-critical data
is kept current and correct can be made strictly on the
basis of that TCB subset. However, when a TCB subset
obtains resources from a more primitive TCB subset, the
argument cannot be made strictly on the basis of the
design of the TCB subset. Rather, the argument must
proceed from assured mechanisms provided by more
primitive TCB subsets. This is exactl y analogous to
the case of a reference validation mechanism for which
one relies on mechanisms not strictly included in the
design of the policy-enforcing elements to establish
the requisite properties of non-bypassability and
tamper resistance. A variety of mechanisms might
provide a basis for demonstrating that the
implementation of a TCB subset is correct, even though
resources are obtained from a more primitive TCB subset
(e.g., type-enforcement).
7. RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS
Section TC-5, "General Interpreted
Requirements," lists the requirements of the TCSEC
according to how the requirements apply to a TCB made
up of more than one TCB subset. The general rationale
for distinguishing which requirements can be satisfied
by independent analysis and consideration of the TCB
subsets was to consider the requirements one at a time
to determine whether satisfaction of the requirement by
the individual TCB subsets would necessarily mean that
the entire system satisfies the stated requirement.
For some requirements, such as those for certain
documentation, it is clear that the requirement is
factorable; that is, it is satisfied for the composite
TCB if it is satisfied for each of the TCB subsets
individually. For other requirements, individual
system characteristics could make factorability of a
requirement patently obvious, but not all systems would
enjoy such simple factorability. An example would be
trusted path requirements for security-related events:�
if all security-related ev ents occur in the most
primitive TCB subset, satisfaction of the requirement
by that TCB subset suffices to demonstrate that the
system meets the requirement, but for systems that have
security-relevant events in less primitive TCB subsets,
some explanation of the cooperative action of the TCB
subsets would be required. For still other
requirements, one can expect that the satisfaction of
the requirement for the entire system will always
require some explanation of the cooperative action of
the constituent TCB subsets. Provision of a coherent
audit record across events in several TCB subsets is in
this category.
In the paragraphs below, a brief rationale
for identifying requirements as wholly or partially
global is provided. Those requirements that are not
listed are considered to be completely local.
Subject Sensitivity Labels
At level B2 and above, the TCSEC requires the
following:
The TCB shall immediately notify a terminal
user of each change in the security level associated
with that user during an interactive session. A
terminal user shall be able to query the TCB as desired
for a display of the subject's complete sensitivity
level.
For subsetted architectures, the user
interface could be to a TCB subset that does not
support a mandatory access control policy. Thus, a
change noted by a more primitive TCB subset that does
support such a policy would have to be relayed to the
user, possibly through cooperative action of the full
set of TCB subsets. Similarly, a request by a terminal
user for the complete sensitivity level could be
initially received by a TCB subset that does not
support a mandatory access control policy and will
require cooperation between TCB subsets to determine�
the complete subject sensitivity level and to provide
that information to the requesting user.
Identification and Authentication
The identification and authentication
requirements in the TCSEC address the need to correctly
associate authorizations with subjects. In a TCB made
of several TCB subsets, it is possible that only one of
the TCB subsets will provide identification and
authentication, which will be used by all the less
primitive TCB subsets. Alternatively, identification
and authentication may be provided directly in more
than one TCB subset. In either case, the TCB subsets
have to work cooperatively to use identification and
authentication data for uniquely identifying users and
for associating users with auditable actions.
Trusted Path
At B2, the only required uses of trusted path
are login and authentication. At B3 and above,
occasions "when a positive TCB-to-user connection is
required (e.g., login, change subject security level)"
are included. In both cases, a system vendor may
choose to use trusted path for situations where the
security-relevant event could be recognized or handled
in more than one TCB subset. On those occasions, the
careful coordination of all the involved TCB subsets in
the correct handling of trusted path situations must be
shown. If a single TCB subset implements trusted path
and all the invocations of trusted path are limited to
that TCB subset (that is, the flow of control in
responding to a trusted path initiation never leaves
the TCB subset until the response is completed), then
nothing further would be required. The description of
the limitation of trusted path to a single TCB subset
will suffice for the global part of the requirement,
leaving only the demonstration of local satisfaction of
the requireme nt by the identified TCB subset.
Audit�
If each of several TCB subsets meets the
audit requirements locally, then there is the issue of
whether the set of audit records meets the requirements
of being able to note and record individual user
actions, and at B3 and above, to be able to initiate
required action. If not all the TCB subsets meet the
audit requirements locally, then the requirements must
be satisfied by the cooperative action of the set of
TCB subsets. In both cases, consideration of the audit
characteristics of all the TCB subsets has to be part
of determining that the entire TCB meets the audit
requirements.
System Architecture
For many of the system architecture
requirements, demonstrating that a requirement is
satisfied by all of the consitituent TCB subsets is
sufficient to demonstrate that it is satisfied for the
composite TCB. The requirements for the "TCB [to]
maintain a domain for its execution" and for the TCB to
"maintain process isolation through the provision of
distinct address spaces" could be satisfied by the
entire TCB without each constituent TCB meeting the
requirement.
The requirement for the TCB to maintain a
domain for its execution implies the need for each TCB
subset to have a domain for its own execution, isolated
from both untrusted portions of the system and from
less primitive TCB subsets. The exact wording of the
TCSEC requirement could be read as disallowing a less
primitive TCB subset from occupying a domain provided
by a more primitive TCB subset and to allocate its
subjects to domains that do not have access to its own
domain: the verb "maintain" could be (erroneously)
read as requiring each TCB subset to create and
maintain its own domain for execution. The proper
interpretation is that the TCB as a whole must provide
and maintain such domains for execution, rather than
each individual TCB subset.�
Similarly, the exact wording of the TCSEC
requirement on the "maintain[ing] of process isolation
through the provision of distinct address spaces" could
be read as requiring each TCB subset to provide
distinct address spaces. The proper interpretation is
that the TCB as a whole must provide and maintain
process isolation, either through provision and
subsequent use of distinct address spaces, or through
provision of distinct address spaces by every TCB
subset.
Covert Channel Analysis
This requirement applies as stated in the
TCSEC to the entire TCB. When the TCB is made up
entirely of TCB subsets meeting the conditions for
evaluation by parts, analysis of the individual TCB
subsets suffices to satisfy this analysis requirement.
Otherwise, covert channel analysis must address the
entire TCB (even if the result of covert channel
analyses of the individual TCB subsets were available).
Trusted Facility Management
The ability to run a trusted system facility
properly applies to the combination of TCB subsets
making up the TCB. This requirement should not be
difficult to meet, provided that the individual TCB
subsets meet the requirement and the interactions
between the TCB subsets at the facility management
level are clear.
Trusted Recovery
In the case of "an ADP system failure or
other discontinuity," each TCB subset in a B3 or above
system needs to be able to recover "without a
protection compromise." Further, the recovery actions
of distinct TCB subsets needs to be coordinated and
combined so that the resulting system is not only
recovered as far as each TCB subset is concerned, but
is also recovered as a composite TCB.�
Security Testing
This requirement applies as stated in the
TCSEC to the entire TCB. If a TCB consists of TCB
subsets meeting the conditions for evaluation by parts,
the satisfaction of the requirements by each TCB subset
suffices to satisfy the requirement for the entire TCB.
Otherwise, security testing must include testing of the
entire TCB (even if the results of testing the
individual TCB subsets are available).
Design Specification and Verification
For many of the design specification and
verification requirements, demonstrating that a
requirement is satisfied by all of the consitituent TCB
subsets is sufficient to demonstrate that it is
satisfied for the composite TCB. The requirements for
a "formal model of the security policy supported by the
TCB" and that the DTLS at B3 and the FTLS at A1 "be an
accurate description of the TCB interface" apply in a
limited way to the entire TCB.
After complying security models are provided
for the individual TCB subsets, a convincing argument
is required to explain how the set of models represents
abstractly the policy of the entire system.
After complying top-level specifications
(DTLS at B3 and FTLS at A1) are provided for the
individual TCB subsets, an explicit and convincing
description of how the set of top-level specifications
describe the TCB interface with respect to exceptions,
errors and effects must also be provided.
8. CONTENT-DEPENDENT AND CONTEXT-DEPENDENT ACCESS
CONTROL
An attractive proposition in a database
managment system is to implement access controls that
depend in some way on the values of the data in a�
storage object or the context in which the information
is accessed. For example, one might desire to limit
access to all personnel records in a database according
to the salary value (content-dependent access rules).
On the other hand, a company's earnings report might be
held in confidence until announced at the stockholders'
meeting, at which time it is public information
(context-dependent access rules).
This document does not encourage or endorse
mandatory access control on storage objects that are
based on the content of data values or on the context
in which the information is viewed. Given that these
are research topics, it is prudent to take this
conservative stance. Research and current practice are
insufficient to allow definitive guidance on such
implementations.
9. BULK LOADING OF A DATABASE
The bulk loading of a database into (perhaps
thousands of) database objects must be done with care.
If the data to be loaded are unlabeled, it may not be
practical to require an authorized user to examine the
data to be loaded into each object and assign it a
sensitivity label. Instead it may be more practical to
assign labels to the data according to the sensitivity
label of the single-level device that is used to import
it. In this way, bulk loading may be done in
single-level stages.
Even importing labeled multilevel data may
prove difficult. The imported data records may be
organized on the input device in accordance with their
logical structure, not their sensitivity levels. For
some trusted DBMS architectures, this requires that the
TCB first separate the data by sensitivity levels and
subsequently load the data into the database as
single-level structures.�
Another problem with bulk loading of labeled
data is granularity. It may be that the labeling
granularity of data on the input device is different
from the labeling granularity supported by the
receiving trusted DBMS. As an example, the data being
imported may be labeled at the file or field level, and
the importing DBMS may support labeling at the tuple
level. In such instances, the data would have to be
mapped into objects of the proper labeling granularity
as the data are being imported.
10. LOCAL ANALYSIS IN SYSTEM ASSESSMENT
The ability to distinguish and separately
reference the results of local analysis of TCB subsets
is a primary aspect of evaluation by parts, and the
benefits which accrue are apparent in two, closely
related, cases that arise in evalutions by parts.
These may be thought of as dealing with the problems of
"hosting" and "porting" although they are actually two
aspects of the same problemthat of assessing a trusted
system constructed of previously evaluated parts.
For the first case (i.e., that of "hosting"),
consider an operating system which has been evaluated
against the TCSEC requirements and has received a
rating. Thus, the operating system is a TCB for which
both the local and global analysis has been done. The
results of the local analysis can now be used to
support the evaluation of a TCB made up of the
operating system (or, the more primitive TCB subset)
and any proposed TCB extension (or, less primitive TCB
subset). Suppose, for example, that vendor A chooses
the rated operating system as the host for a DBMS
product, which implements an access control policy. As
described in TC-6, it is now possible, under the
correct conditions, to re-use the results of the local
analysis of the host operating system in developing a
rating for the composite system. Even for those cases
not meeting all the conditions for evaluation by parts,
it may be possible that some, if not most, of the�
previous results are still valid. If vendor B also
chooses the rated operating system as the host for his
DBMS product, it will be possible (again, under the
proper conditions) to develop a rating for the (new)
composite system without having to repeat the local
analysis of the host operating system. As an alternate
case, suppose a site has need of an electronic mail
service as well as the DBMS utility. The mail utility
will operate in a peer-entity relation with the trusted
DBMS utility (i.e., both the mail service and the DBMS
depend on the host operating system, but neither
depends on the other). Again, having the results of
the local analysis of the host operating system eases
the burden of assessing the security characteristics of
the user interface to the composite system made up of
the mail system and the host operating system. In
short, the ability to distinguish and separately
reference the results of the local analysis of the host
operating system makes it feasible to evaluate the
effect of adding arbitrary trusted applications, only
by performing the local analyis for the application and
any global analysis required.
For the second case, (i.e., that of
"porting") the question becomes that of determining the
effect of moving a known trusted application, such as a
DBMS, across arbitrary host systems. Assume that a
trusted DBMS product meeting the conditions for
evaluation by parts has been evaluated on some trusted
host, and a rating determined for the composite system.
Clearly, the results of the local analysis of the
trusted application available are also applicable to
the analysis of a composite system made up of the
trusted application and a different host operating
system. Thus, having the local analysis of the trusted
application will ease the evaluation burden associated
with porting of trusted applications to different
hosts. To the extent that the conditions for
evaluations by parts have been satisfied, the local
analysis of the application is valid by reference.
Hence only the local analysis of the host operating
system and the requisite global analysis is needed to�
assess the security attributes of the new composite
system.
11. RATING MORE COMPLEX SYSTEMS
The view taken by the TCSEC is that of an
"atomic" TCB; the TCB is seen to be a single entity
which is, in some sense, homogeneous. This allows a
relatively simple measure (i.e., the digraphs) to be
assigned to the TCB. However, real systems may be more
complex, resulting in the inability of a single, simple
rating to convey the full complexity of the system.
This is implicitly recognized in TCSEC evaluation
reports and EPL entries, in which credit may be given
to a vendor for meeting TCSEC (functional) requirements
beyond those necessary to satisfy the rating (e.g., the
B3 discretionary access control feature in a C2 TCB).
In short, systems which reflect straightforward
implementations or extensions of the TCSEC can
accurately be described with a single digraph. On the
other hand, adding complexity to systems may violate
assumptions which underlie the TCSEC rating system,
requiring a more complex description if accuracy is to
be achieved.
If a TCB made up of TCB subsets is consistent
with the TCSEC assumptions on homogeneity, then a
simple digraph suffices for a full and accurate
description of the security properties of the product.
However, to the extent that a subsetted architecture
introduces complexity not captured by the digraphs, the
simple TCSEC ratings cannot be applied to the composite
system. More specifically, for a subsetted TCB to
achieve a single rating, all the requirements of that
class must be satisfied. For example, if a
discretionary access control-enforcing DBMS TCB subset
is added onto a previously evaluated B3 product, the
entire system can achieve a B3 rating if it could also
have achieved the B3 rating evaluated as a monolith.
That is, the new TCB subset must also satisfy all the
assurance and architectural requirements of B3.
Consider a candidate TCB subset which
enforces a discretionary access control policy over a�
new type of object, targeted at a host system which has
already been evaluated at the B3 level. Examples are a
database management system providing discretionary
access control over tuples, a transaction processor
providing discretionary access control over
transactions, and a message system providing
discretionary access control over messages. If the
candidate TCB subset meets all the C2 requirements, the
problem is what rating will be assigned to the
composite system. To designate it a "C2" is clearly
inaccurate, as well as being unfair to the original B3
product vendor. To designate it "B3" may be equally
inaccurate, and it creates ambiguity in the meaning of
the metric used for comparing systems. In fact,
depending on the details of the specific candidate, the
composite system could legitimately be rated at any
level from C2 to B3 under a TCSEC evaluation.
The TCSEC rating system assumes a measure of
homogeneity which the above example violates thus
invalidating the very basis upon which a single digraph
may be assigned. Hence, a subsetted system such as
described above, will have to be characterized with a
more complex description than a single digraph.
Although this may seem undesirable, it will be a more
accurate description of the system, and it provides
sufficient information to allow system designers and
accreditors to make decisions about sufficiency of
security for their specific applications. In essence,
such an approach is necessary for recognizing the
additional complexity which can be introduced by
architectures which allow system elements to be
developed separately.
GLOSSARY
candidate TCB subset The identification of the
hardware, firmware, and software that make up the
proposed TCB subset, along with the identification of�
its subjects and objects; one of the conditions for
evaluation by parts.
content-dependent access control Access control in
which access is determined by the value of the data to
be accessed.
context-dependent access control Access control in
which access is determined by the specific
circumstances under which the data is being accessed.
database management system A computer system whose
main function is to facilitate the sharing of a common
set of data among many different users. It may or may
not maintain semantic relationships among the data
items.
DBMS Abbreviation for "database management system."
depends A TCB subset A depends (for its correctness)
on TCB subset B if and only if the (engineering)
arguments of the correct implementation of A with
respect to its specification assume, wholly or in part,
that the specification of B has been implemented
correctly.
domain The set of objects that a subject has the
ability to access.
dominated by Security level A is dominated by
security level B if (1) the clearance/classification in
A is less than or equal to the clearance/classification
in B, and (2) the set of access approvals (e.g.,
compartment designators) in A is contained in the set
of access approvals in B (i.e., each access approval
appearing in A also appears in B). This dominance
relation is a special case of a partial order.
dominates "Security level B dominates security level
A" is synonymous with "security level A is dominated by
security level B." See "dominated by."�
global requirements Those which require analysis of
the entire system and for which separate analysis of
the individual TCB subsets does not suffice. See
Section TC-5.3.2 for a summary list.
lattice A partially ordered set for which every pair
of elements has a greatest lower bound and a least
upper bound.
local requirements Those for which separate analysis
of the individual TCB subsets suffices to determine
compliance for the composite TCB. See Section TC-5.3.1
for summary list.
metadata (1) Data referring to other data; data
(such as data structures, indices, and pointers) that
are used to instantiate an abstraction (such as
"process," "task," "segment," "file," or "pipe"). (2)
A special database, also referred to as a data
dictionary, containing descriptions of the elements
(e.g., relations, domains, entities, or relationships)
of a database.
monolithic TCB A TCB that consists of a single TCB
subset.
object A passive entity that contains or receives
information. Access to an object potentially implies
access to the information it contains. Examples of
objects are: records, blocks, pages, segments, files,
directories, directory trees, and programs, as well as
bits, bytes, words, fields, processors, video displays,
keyboards, clocks, printers, network nodes, etc.
partial order A relation that is symmetric (a is
related to a), transitive (if a is related to b and b
is related to c, then a is related to c), and
antisymmetric (if a is related to b and b is related to
a, then a and b are identical.)
primitive An ordering relation between TCB subsets
based on dependency (see "depends" above). A TCB�
subset B is more primitive than a second TCB subset A
(and A is less primitive than B) if (a) A directly
depends on B or (b) a chain of TCB subsets from A to B
exists such that each element of the chain directly
depends on its successor in the chain.
reference monitor concept An access control concept
that refers to an abstract machine that mediates all
accesses to objects by subjects.
reference validation mechanism "An implementation of
the reference monitor concept . . . that validates
each reference to data or programs by any user
(program) against a list of authorized types of
reference for that user." It must be tamper proof,
must always be invoked, and must be small enough to be
subject to analysis and tests, the completeness of
which can be assured. [1]
security policy The set of laws, rules, and
practices that regulate how an organization manages,
protects, and distributes sensitive information.
storage object An object that supports both read and
write accesses.
subject An active entity, generally in the form of a
person, process, or device that causes information to
flow among objects or changes the system state.
Technically, a process/domain pair.
subset-domain A set of system domains. For
evaluation by parts, each candidate TCB subset must
occupy a distinct subset domain such that modify-access
to a domain within a TCB subset's subset-domain is
permitted only to that TCB subset and (possibly) to
more primitive TCB subsets.
TCB subset A set of software, firmware, and hardware
(where any of these three could be absent) that
mediates the access of a set S of subjects to a set O�
of objects on the basis of a stated access control
policy P and satisfies the properties:
(1) M mediates every access to objects O by
subjects in S;
(2) M is tamper resistant; and
(3) M is small enough to be subject to
analysis and tests, the completeness of which can be
assured.
technical policy The set of rules regulating access
of subjects to objects enforced by a computer system.
Trusted Computing Base (TCB) The totality of
protection mechanisms within a computer system
including hardware, firmware, and software the
combination of which is responsible for enforcing a
security policy. A TCB consists of one or more
components that together enforce a unified security
policy over a product or system. The ability of a TCB
to correctly enforce a security policy depends solely
on the mechanisms within the TCB and on the correct
input by system administrative personnel of parameters
(e.g., a user's clearance) related to the security
policy.
trusted subject A subject that is permitted to have
simultaneous view- and alter-access to objects of more
than one sensitivity level.
user Any person who interacts directly with a
computer system.
view That portion of the database that satisfies the
conditions specified in a query.
view definition A stored query; sometimes loosely
referred to as a "view."�
BIBLIOGRAPHY
1. J. P. Anderson, "Computer Security Technology
Planning Study," ESD-TR-73-51 (AD-758206), J. P.
Anderson Co., October 1972.
2. J. P. Anderson, "On the Feasibility of Connecting
RECON to an External Network," Technical Report, J. P.
Anderson Co., March 1981.
3. D. E. Bell and L. J. La Padula, "Secure
Computer Systems: Unified Exposition and Multics
Interpretation," MTR-2997, (AY/W 020 445), The MITRE
Corporation, Bedford, Massachusetts, July 1975.
4. D. E. Bell and L. J. La Padula, "Secure
Computer Systems: Mathematical Foundations,"
MTR-2547-I, (AD 770 768), The MITRE Corporation,
Bedford, Massachusetts, March 1973.
5. L. J. La Padula and D. E. Bell, "Secure
Computer Systems: A Mathematical Model," MTR 2547-II,
(AD 771 543), The MITRE Corporation, Bedford,
Massachusetts, May 1973.
6. D. E. Bell, "Secure Computer Systems: A
Refinement of the Mathematical Model," MTR 2547-III,
(AD 780 528), The MITRE Corporation, Bedford,
Massachusetts, December 1973.�
7. D. E. Bell, "Secure Computer Systems: A Network
Interpretation," Proceedings of the Second Aerospace
Computer Security Conference, McLean Virginia, December
2-4, 1986, pp. 32-39.
8. Department of Defense, Department of Defense
Trusted Computer System Evaluation Criteria, DOD
5200.28-STD, December 1985.
9. D. E. Denning, "Cryptographic Checksums for
Multilevel Database Security," Proceedings of the IEEE
Symposium on Security & Privacy, Oakland, California,
April 29-May 2, 1984, pp. 52-61.
10. D. E. Denning, "Commutative Filters for Reducing
Inference Threats in Multilevel Database Systems,"
Proceedings of the IEEE Symposium on Security &
Privacy, Oakland, California, April 22-24, 1985, pp.
134-146.
11. E. B. Fernandez, R. C. Summers, and C. Wood,
Database Security and Integrity, Boston, Massachusetts:
Addison Wesley, 1981.
12. C. Garvey and A. Wu, "ASD Views," Proceedings of
the Fourth Aerospace Computer Security Applications
Conference, Orlando, Florida, December 1988, pp.
85-95.
13. R. D. Graubart and J. P. L. Woodward, "A
Preliminary Naval Surveillance DBMS Security Model,"
Proceedings of the IEEE Symposium on Security &
Privacy, Oakland, California, April 26-28, 1982, pp.
21-37.
14. R. D. Graubart, "The Integrity-Lock Approach to
Secure Database Management," Proceedings of the IEEE
Symposium on Security & Privacy, Oakland, California,
April 29-May 2, 1984, pp. 62-74.�
15. M. J. Grohn, "A Model of a Protected Data
Management System," ESD-TR-76-289, I. P. Sharp
Associates, Ltd., June 1976.
16. T. H. Hinke, M. Schaefer et al., "Secure Data
Management System," RADC-TR-75-266 (AD-A019201), System
Development Corporation, Santa Monica, California,
November 1975.
17. C. E. Landwehr, C. L. Heitmeyer, and J.
McLean, "A Security Model for Military Message
Systems," ACM Transactions on Computer Systems, Vol.
2, No. 3, August 1984, pp. 198-222.
18. T. F. Lunt, D. E. Denning, P. G. Neumann, R.
R. Schell, M. Heckman, and W. R. Shockley, "Final
Report Vol. 1: Security Policy and Policy
Interpretation for a Class A1 Multilevel Secure
Relational Database System," Computer Science
Laboratory, SRI International, Menlo Park, California,
1988.
19. J. McHugh and B. M. Thuraisingham, "Multilevel
Security Issues in Distributed Database Management
Systems," Computers & Security, Vol. 7, No. 4,
Elsevier Advanced Technology Publications, August 1988,
pp. 387-396.
20. National Computer Security Center, Proceedings of
the National Computer Security Center Invitational
Workshop on Database Security, Baltimore, Maryland,
June 17-20, 1986.
21. P. A. Rougeau and E. D. Sturms, "The Sybase
Secure Dataserver: A Solution to the Multilevel Secure
DBMS Problem," Proceedings of the 10th National
Computer Security Conference, Baltimore, Maryland,
September 21-24, 1987, pp. 211-215.
22. M. Schaefer, ed., Multilevel Data Management
Security, Air Force Studies Board, Committee on�
Multilevel Data Management Security, National Academy
Press: Washington, D.C., 1983.
23. M. D. Schroeder and J. H. Saltzer, "A Hardware
Architecture for Implementing Protection Rings,"
Communications of the ACM, Vol. 15, No. 3, March
1972, pp.157-170.
24. W. R. Shockley and R. R. Schell, "TCB Subsets
for Incremental Evaluation," Proceedings of the Third
Aerospace Computer Security Conference, Orlando,
Florida, December 7-11, 1987, pp. 131-139.
25. P. Stachour and B. Thuraisingham, "Design of LDV
- A Multilevel Secure Database Management System," IEEE
Transactions on Knowledge and Data Engineering, Vol.
2, No. 2, June 1990, pp. 190-209.
26. M. Stonebraker, "Operating System Support for
Database Management," Communications of the ACM, Vol.
24, No. 7, July 1981, pp. 412-418.
27. Unisys Corporation, "Secure Distributed Database
Management System," Final Technical Report, Rome Air
Development Center Technical Report, RADC-TR-89-314,
Vol. 1-5, December 1989.
28. J. Wilson, "Views as the Security Objects in a
Multi-level Secure Relational Database Management
System," Proceedings of the 1988 IEEE Symposium on
Security & Privacy, Oakland, California, April 18-21,
1988, pp. 70-84.