TCSEC: The Orange Book

TCSEC Purpose

Trusted Computer System Evaluation Criteria

Purpose:

• Provides the basic requirements for assessing the effectiveness of computer security controls built into a computer system.
• Used to evaluate, classify, and select systems being considered as platforms for computing resources.

TCSEC: Orange Book

• Metrics – provides a metric (classification) for determining the level of trust assigned to a computing system.
• Guidance – provides guidance on how to design a trusted computing system along with its associated data and services.

Orange Book: Metrics

• Measurement of a system's security is quantified using a classification system.
• The classes are:
  • D
  • C1 & C2
  • B1, B2, B3
  • A1
• A is more secure than D.
• 2 is more secure than 1.

Orange Book: Metrics

• D applies to any system that fails to meet the requirements of any of the higher-level security classes.
• The other levels have increasing security requirements.
• A1 systems are rare.

Metrics: C1

• Identification and authentication (user id & password)
• Separation of users and data
• DAC – capable of enforcing access controls
• Example: Basic Unix/Linux OS

Metrics: C2

• C1 plus
• More sophisticated DAC
• Audit trails
• System documentation and user manuals

Metrics: B1

• C2 plus
• Use of hierarchical sensitivity labels
• Discovered weaknesses must be mitigated

Metrics: B2

• B1 plus
• Security policy must be defined and documented
• Access controls for all subjects and objects

Metrics: B3

• B2 plus
• Automated imminent intrusion detection, notification and response

Metrics: A1

• B3 plus
• System is capable of secure distribution (can be transported and delivered to a client with the assurance of being secure)

Orange Book Security Criteria

• Security Policy
• Accountability
• Assurance
• Documentation

1. Security Policy

• The set of rules and practices that regulate how an organization manages, protects, and distributes information.

1. Security Policy

• The policy is organized into subjects and objects.
• Subjects act upon objects.
  • Subjects – processes and users.
  • Objects – data, directories, hardware, applications.
• A well-defined protocol determines whether a subject can be permitted access to an object.

2. Accountability

• The responsibilities of all who come in contact with the system must be well defined.
• Identification (… the process to identify a user)
• Authentication (… as in, authenticated to access specific resources)
• Auditing (… accumulating and reviewing log information so that all actions can be traced to a subject)

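
As an added illustration (not part of the original slides), the sketch below shows a policy check in which a subject's request for an object must pass both DAC and a sensitivity-label comparison, with every decision written to an audit log that can be traced to the subject. The class names, level names, sample policy and the read/write label rule are assumptions made for the example.

```python
# Added illustration: all names, levels and the sample policy are constructed.
from dataclasses import dataclass, field
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}  # assumed

@dataclass
class Subject:
    name: str        # an identified, authenticated user or process
    clearance: str

@dataclass
class Obj:
    name: str
    label: str                                # hierarchical sensitivity label
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of rights

class ReferenceMonitor:
    """Mediates every access request and records it against the subject."""
    def __init__(self):
        self.audit_log = []

    def request(self, subject, obj, right):
        dac_ok = right in obj.acl.get(subject.name, set())
        # Assumed label rule (not spelled out on the slides): no read up, no write down.
        s, o = LEVELS[subject.clearance], LEVELS[obj.label]
        mac_ok = s >= o if right == "read" else s <= o
        granted = dac_ok and mac_ok
        reason = "ok" if granted else ("dac" if not dac_ok else "label")
        self.audit_log.append((subject.name, right, obj.name, granted, reason))
        return granted

    def actions_by(self, subject_name):  # audit review: actions traced to one subject
        return [e for e in self.audit_log if e[0] == subject_name]

def demo():
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    plan = Obj("ops-plan", "secret", {"alice": {"read", "write"}, "bob": {"read"}})
    memo = Obj("memo", "unclassified", {"alice": {"read", "write"}})
    rm = ReferenceMonitor()
    results = [
        rm.request(alice, plan, "read"),   # ACL and label both allow
        rm.request(bob, plan, "read"),     # ACL allows, label denies (read up)
        rm.request(alice, memo, "write"),  # ACL allows, label denies (write down)
        rm.request(bob, memo, "read"),     # no ACL entry for bob
    ]
    return results, rm

if __name__ == "__main__":
    print(*demo()[1].audit_log, sep="\n")
```
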
3. Assurance

• The reasonable expectation that the security policy of a trusted system has been implemented correctly.
• Assurance is organized into:
  • Operational assurance
  • Life-cycle assurance

3a. Operational Assurance

• Security policy is maintained in the overall design and operation of the system.
• Example: Users of the system have an assurance that access controls are enforced.

3b. Life-cycle Assurance

• Ensuring the system continues to meet the security requirements over the lifetime of the system.
• Updates to the software and hardware must be considered.
• The expectation that the system remains operational (is available) over its lifetime.

4. Documentation Requirements

• Security Features User's Guide
• Trusted Facility Manual
• Test Documentation
• Design Documentation

Documentation: Security Features User's Guide

• Aimed at the ordinary (non-privileged) users.
• General usage policy
• Instructions on how to effectively use the system
• Description of relevant security features

Documentation: Trusted Facility Manual

• Aimed at the S.A. staff
• How the system is configured and maintained
• Includes the day-to-day required activities

Documentation: Test Documentation

• Instructions on how to test the required security mechanisms

Documentation: Design Documentation

• Define the boundaries of the system
• A complete description of the hardware and software
• Complete system design specifications
• Description of access controls

The Orange Book

• The Orange Book has been superseded by the Common Criteria.