From: wcs@cbnewsh.att.com (Bill Stewart 908-949-0705 erebus.att.com!wcs)
Newsgroups: comp.unix.programmer,alt.sources.d,alt.security
Subject: Re: C2 secure systems and the superuser
Message-ID: <1991Mar17.060540.3911@cbnewsh.att.com>
Date: 17 Mar 91 06:05:40 GMT
References: <19103@rpp386.cactus.org> <1991Mar13.185609.21132@convex.com> <19104@rpp386.cactus.org>
Organization: Here, beside the rising tide
Lines: 54

In article <19104@rpp386.cactus.org> jfh@rpp386.cactus.org (John F Haugh II) writes:
> Naive users do not fully understand what the difference between a "rated"
> and an "unrated" system are - there are very real differences and

One of the major differences is that the NCSC doesn't really have the
resources to formally evaluate every product that wants it - you've got to
have something new and interesting to offer, and be willing to wait about
1.5 - 2 years AFTER convincing them to bother with you, and evaluation is
for specific hardware configurations as well as software.  Most of the
market is satisfied with C2 functionality, and doesn't really need the NSA
Good Housekeeping Seal.

This is especially important, since adding networking affects your Trusted
Computing Base, and throws you out into uncharted Red Book territory, even
at C2 level.  Most customers would really rather have networking now,
hopefully with the bigger holes patched, rather than wait until the general
research problem is solved well enough for the NCSC to certify systems.
(Remember that even Verdix is just a "component", not a complete system.)

> To continue with the real topic, "C2" is not that "secure" of
> a rating.  If you expect the system to warn you of auditable
> events which might indicate a violation of the security policy
> you have to go to a higher level.  The only rating level between
> "C2" and MS-DOS is "C1".  There are still 3 "B" levels and an
> "A" level above "C2".  The description of "C2" is
> [ C1 + Good Auditing/Accountability + Object Reuse prevention ]

Well, there's also D level; the TCSEC definition says:

	Level D: Thank you for sharing that.  :-)

All of the levels add increasing amounts of assurance.  The interesting
additions at B1 are Mandatory Access Control - you get the equivalent of
"Unclassified/Secret/TopSecret", with system enforcement so users can't
just give stuff away.  If you trust your users, or don't trust your
superuser, this doesn't buy you much extra, though you can gain some
significant protection by giving the system software and audit trails
their own classification levels, which regular users (or bugs) can't touch.

B2 adds Trusted Path, Covert Channel Analysis, and Least Privilege, and
starts to feel less like Real Unix, because you don't really have One
All-Powerful Root any more.  Covert channel analysis is a real problem -
something that was adequate protection on a 1 MIPS box may not do the job
on a 200 MIPS multi-processor with a 500 MFLOPS add-on vector board.

-- 
		Pray for peace;		Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# Hacker.  System Designer.  Troublemaker.
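As an added illustration of the B1 mandatory access control point in the post above (example code, not part of the original post or of any rated system), here is a toy lattice check in the Bell-LaPadula style; the label names, the "audit" category and the strong *-property write rule are assumptions.

```python
# Added example, not from the original post: a toy Bell-LaPadula style
# mandatory access control check over the labels the post mentions.
# Label names, the "audit" category and the write rule are assumptions.
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: higher-or-equal level AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def may_read(subject, obj):
    # Simple security property: a session may read only objects it dominates
    # (no read up).  The system enforces this; the owner's wishes don't matter.
    return subject.dominates(obj)


def may_write(subject, obj):
    # Strong *-property (assumption): write only at exactly the session label.
    # This rules out both write-down (giving Secret data away as Unclassified)
    # and writes into any differently labelled object such as the audit trail.
    return subject == obj


# Constructed object: the audit trail gets its own category, which no regular
# user clearance includes, so even a TopSecret session can't read or alter it.
AUDIT_TRAIL = Label("Secret", frozenset({"audit"}))


def audit_trail_untouchable(sessions):
    """True if none of the given sessions may read or write the audit trail."""
    return not any(may_read(s, AUDIT_TRAIL) or may_write(s, AUDIT_TRAIL)
                   for s in sessions)


if __name__ == "__main__":
    secret_session = Label("Secret")
    print("Secret -> Unclassified write:", may_write(secret_session, Label("Unclassified")))
    print("TopSecret -> Secret read:", may_read(Label("TopSecret"), secret_session))
    print("regular users locked out of audit trail:",
          audit_trail_untouchable([Label(lvl) for lvl in LEVELS]))
```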