Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!ucsd!pacbell.com!jmc
From: jmc@PacBell.COM (Jerry M. Carlin)
Newsgroups: comp.unix.sysv386
Subject: Re: security levels, V.4
Message-ID: <1990Nov30.165007.2125@PacBell.COM>
Date: 30 Nov 90 16:50:07 GMT
References: <1990Nov29.224243.2934@ico.isc.com> <1990Nov30.064557.13565@fiver>
Sender: news@PacBell.COM
Organization: Pacific * Bell
Lines: 70

In article <1990Nov30.064557.13565@fiver> palowoda@fiver (Bob Palowoda) writes:
>From article <1990Nov29.224243.2934@ico.isc.com>, by rcd@ico.isc.com (Dick Dunn):
>> aris@tabbs.UUCP (Aris Stathakis) writes:
>> B2??? No, you must be kidding. You *don't want* B2. (It may be required
>> for something you're doing, in which case you may *need* it...but even then
>> you won't *want* it.:-)

The B-level security includes multi-level security and mandatory access
controls. This means it implements the federal government policy of
classifying things as 'secret' and 'top secret' and establishing classes of
people so that someone who is working on 'Europe' cannot see secrets related
to 'Asia', for example.

It requires a great deal of overhead, mostly in administration, since besides
having a security officer to do all of this classification and
reclassification, it also implements separation of duties, i.e. no more root.
You now have many IDs with limited authority so that no one person can subvert
the machine (at least theoretically). Therefore your administration costs will
go up by at least a factor of two and maybe a power of 3 with MANDATORY access
control. This means that to change the ownership of a file, you have to go to
the security administrator and request that the change be made. Also, if a
file you have is at a higher level of security, someone at a lower level of
security cannot read it (or someone in a different department). The security
administrator must change its classification first.
This also makes things like windowing systems weird since you cannot copy a
document from a 'top secret' window to an 'unclassified' window. There are
people being paid lots of money to write windowing software to enforce this
policy. Networking is yet another problem.

The B-level has a few IMHO useful features such as 'trusted path'. This means
that a trojan program capturing login info is not possible since when you
press your 'secure attention key' you are guaranteed to be talking to the
'trusted computer base' and therefore the 'real' login program.

>> B2 is a higher level of security than C2. I'll leave it to the orange-book
>> mavens to explain the differences; suffice it to say that if you think the
>> flaming you've seen in this newsgroup about C2 is hot, you ain't seen
>> nothin' yet.

The levels go D (as in no security: MSDOS and Mac, for example), C
(discretionary access controls), B (mandatory access controls) and A, which
is only achieved if you can PROVE your design is secure.

>> And no, B2 is not required for V.4. It's an option--I think MLS will take
>> you to the B2 level.
   ^^^^^^^^^^^^^^

AT&T MLS is actually at the C2/B1 level. AT&T has advertised that the next
release V.4.1 will be able to be run at the B-level but that it will not be
required. I believe all the pieces will be modular so you do not have to run
it all to use parts.

BTW, you do not have to bundle the security with the OS. IBM and DEC sell
add-ons that bring the OS up to the C2 level. What is required is that the
evaluation be done with a given configuration and that to run at that level,
you have to use the configuration that was evaluated.

>... How does each level of security packages
>affect the development cost of applications for any UNIX that uses it?
>How will we know when the price/security costs are enough?

The great unanswerable question. If your application is a DBMS and you are
building multi-level security in then quite a bit.
If your package is a word processor, probably nothing since it will be up to
UNIX to enforce the security. How much is enough depends on how paranoid you
are. Remember, even paranoids have enemies :-)
--
Jerry M. Carlin (415) 823-2441 jmc@srv.pacbell.com
To dream the impossible dream. To fight the unbeatable foe.
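The mandatory access control behaviour the post describes (compartments such as 'Europe' and 'Asia', a lower clearance being unable to read a higher file, the 'top secret' to 'unclassified' window copy being refused, and relabelling or ownership changes going through the security administrator), as an added example that is not part of the original post and not the code of AT&T MLS or any evaluated system: a toy Bell-LaPadula-style label lattice in Python. The level names, compartments, file names and the `security_admin` role are constructed for illustration.

```python
"""Toy mandatory access control (MAC) model in the Bell-LaPadula style.

Added example, not code from the original post or from any product it
mentions: it shows the 'no read up, no write down' rules and the
compartments the post describes, and why relabelling is a
security-administrator action rather than an owner action.
All labels, names and roles below are constructed for illustration.
"""
from dataclasses import dataclass

# Hierarchical classification levels, low to high (constructed ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high in level and its
        compartments are a superset of the other's (lattice 'dominates')."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class LabeledFile:
    name: str
    owner: str
    label: Label


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A process running at 'secret' may not
    write into an 'unclassified' object."""
    return obj.dominates(subject)


def can_copy_between_windows(src: Label, dst: Label) -> bool:
    """Copying text from window src to window dst is a read of src followed
    by a write into dst by a process cleared to src, so it is allowed only
    when dst dominates src. This is the cut-and-paste case in the post."""
    return can_write(src, dst)


def reclassify(f: LabeledFile, new_label: Label, actor_role: str) -> LabeledFile:
    """Under MAC the file owner cannot relabel a file; only the (constructed)
    'security_admin' role may. Changing ownership works the same way."""
    if actor_role != "security_admin":
        raise PermissionError(f"{actor_role} may not relabel {f.name}")
    f.label = new_label
    return f


def demo() -> dict:
    """Run the checks the post describes and return each outcome."""
    europe_secret = Label("secret", frozenset({"europe"}))
    asia_secret = Label("secret", frozenset({"asia"}))
    unclass = Label("unclassified")
    top_secret = Label("top secret", frozenset({"europe"}))

    report = LabeledFile("asia-report", owner="alice", label=asia_secret)
    results = {
        # same level, different compartment: denied
        "europe_reads_asia": can_read(europe_secret, report.label),
        # lower clearance cannot read a higher file
        "unclass_reads_secret": can_read(unclass, report.label),
        # higher clearance may read a lower file
        "secret_reads_unclass": can_read(europe_secret, unclass),
        # paste from a top-secret window into an unclassified one: denied
        "ts_to_unclass_copy": can_copy_between_windows(top_secret, unclass),
        # the other direction is fine
        "unclass_to_ts_copy": can_copy_between_windows(unclass, top_secret),
    }
    try:
        reclassify(report, unclass, actor_role="owner")
        results["owner_relabel"] = True
    except PermissionError:
        results["owner_relabel"] = False
    # only after the security administrator relabels it can the
    # unclassified reader see it
    reclassify(report, unclass, actor_role="security_admin")
    results["admin_relabel_then_unclass_reads"] = can_read(unclass, report.label)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:36s} {'ALLOWED' if allowed else 'DENIED'}")
```

The point of `dominates` being a partial order rather than a plain level comparison is exactly the 'Europe' versus 'Asia' case: two labels at the same level with disjoint compartments dominate neither each other nor, for read purposes, the other's files, so the extra administrative step of relabelling is unavoidable, not a configuration oversight.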