NAVAL POSTGRADUATE SCHOOL Monterey California 00 ' NO V 12 194 j THESIS A STUDY OF COMPUTER SECURITY POLICIES FOR THE INDONESIAN NAVY by Antonius Herusutopo June 1993 5 Thesis Co-Advisor Prof Timothy J Shimeall Thesis Co-Advisor Prof Roger Stemp Approved for public release distribution is unlimited 93-27500 ll XIi ll l l l o S 0 0 0 0 S 0 S 0 0 -- SEZr jV 'AbisHRIS PAGE REPORT DOCUMENTATION PAGE UNCLASSIFIED lb RESTRICTIVE MARKINGS la REPORT SECURITY CLASSIFICATION 2a DISTRIBUTION AVAILABILITY OF REPORT SCURIY UTHOITY3 CASSIICATON Approved for public release 2b DECLASSIFICATION DOWNGRADING SCHEDULE distribution V unl imited 4 FPERFORMING ORGANIZATION REPORT NUMBER S NAME OF gELRFORMBt G ORGANIZATION oifp uter Science Vept 7a NAME OF MONITORING ORGANIZATiON 6b OFFICE SYMBOL Naval Postgraduate School itapplicable CS I Naval Postgraduate School 7b ADDRESS 6c ADDRESS t City State and ZIP Code Monterey CA 93943-5000 otrv 8a NAME OF FUNDiNG SPONSORING ORGANIZATION i 0 5 MONITORING ORGANIZATION REPORT NUMBERtS C 8b OFFICE SYMBOL if applicabi e 0 itv State and ZIP Cooc 34- o 9 PROCUREMENT INSTRUMENT IDENTIFICATION NUMBER 8c ADDRESS City State and ZIP Code 10 SOURCE OF FUNDING NUMBERS PROGRAM ELEMENT NO PROJECT NO TASK W' A NO K Foy'iurj NO 11 TITLE Include Security Classification A STUDYOF COMPUTER SECURITY POLICIES FOR THE INDONESIAN NAVY 0 I1ll Q2 PERy9ONfkLAU THORfS Anton ius Hieru sutopo 1 bTM YyQ-EOT Matr nesis 14 DATE OEE OF REPORT Year Month Day June 1993 Fe views expressed in this thesis are those ot 013 91 FROM TO 00 93 15 AEcI 1137 16 SPLMNAYNTiIN t e author and o not ret 717clIi official policy or position of the United States Department of Defense or the Indonesian Government 18 SUBJECT TERMS Continue on reverse it necessary and identity by block numben CODES 17COSATI FIELD GROUP 0 SUB GROUP SECURITY COMPUTER policy Indonesian Navy 19 ABSTRACT Continue on reverse it necessary and identity by block number The Indonesian Navy recognized the need for a computer security program over ten years ago The% published their first computer security regulation in 19XI But that regulation is now obsolete because of the advances in1 technology and increased availability of powerful computer systems As computer systems become 11ig19CV moreT complicated easier to use more interconnected and more important they become more vulnerable to hlackers terrorist and disgruntled employees This thesis demonstrates the need for an updated computer security regulation To adid in meeting2 that nleed the thesis proposes a security program for the Indonesian Navy that is based on the multilevel trusted Computer criteria published by the NCSC in the 'Orange Book' the Canadian Trusted Product Evaluation Criteria and ITSE ' The proposed program includes additional regulations concerning physical security data security Integrity and availability and recommended trusted evaluation guide 20 DSRBTOAALBLT 3UNCLASSIFIED'UNLIMITED 22 FASRC AS RPT Fg$OIVID UAL IND DO FORM 1473 84 VAR E SAME 1A RC EUIYCASFCT JDTIC USERS UNCLASSIFIED j22b TELEPHONE include Area Code 22g 83 APR edition may be used until exhausted All other editions are obsolete iESMO SECURITY CLASSIFICATION OF THIS PAGE UNCLASS IFIED 9 Approved for public release distribution is unlimited A STUDY OF COMPUTER SECURITY POLICIES FOR THE INDONESIAN NA VY S by Antonius Heruswtopo Major Indonesian Navy B E Electronics Engineering Naval Electronic % School 1972 Submitted in partial fulfillment of the requirements for the degree of MASTER OF C MPUTER SCIENCE o from the NAVAL POST RAI UATE SCHOOL June 93 Author S - foniics Hel'UNU toI o -A- Approved By ___ _ Timothy J S 4 meall Thesis Co-Advisor RogffSten Thesis CI-Advisor CDR Gar Deparmrriy ghes Chairman f C Cmp uter Science ii 0S 0 0 0 0 S S X ABSTRACT The Indonesian Navy recognized the need for a computer security program over ten years ago They published their first computer security regulation in 1981 But that regulation is now obsolete because of the advances in technology and the increased availability of powerful computer systems As computer systems become bigger more complicated easier to u ic more inteiwunacttcd and more important they become more vulnerable to hackers terrorist and disgruntled employees This thesis demonstrates the need for an updated computer security regulation To add in meeting that need the thesis proposes a security program for the Indonesian Navy that is based on the multilevel trusted computer criteria published by the NCSC in the 'Orange 0 0 Book' the Canadian Trusted Product Evaluation Criteria and ITSEC The proposed program includes additional regulations concerning physical security data security integrity and availability and recommended trusted evaluation guide Stc o Lff A' q--' 0tr' ' r 4S VVI K-- - 1 - oiii S 5 0 0 0 0 0 0 0 0 X 0 TABLE OF CONTENTS INTRODUCTION If A COM PUTER SECURITY IN GENERAL I B COM PUTER SYSTEM S IN INDONESIA 3 C THESIS OBJECTIVES 5 D THESIS ORGANIZATION 5 0 0 FOUNDATIONAL CONCEPTS OF COMPUTER SECURITY 7 A COM PUTER SYSTEM S INTEGRITY I Physical Integrity 2 Software and Data Integrity I1 a Intern a l T h reat I I T rapd oo rs I01 2 Viruses Ii 3 Trojan Horses 13 4 Coven Channels 13 5 W orms 13 b 3 B 7 N External Threat Resumption after a Crisis 0 0 14 14 PRIVACY i5 1 Theft Preventions 17 2 Disposal of Sensitive Media 19 3 Emanation Protection 20 4 User Authentication 21 0 0 iv o o o oo o o 5 2 4 a Rivest-Shamir-Adelman RSA encryption b Data Encryption Standard DES 25 24 C COST EFFECTIVENESS D MULTILEVEL SECURITY AS A PRIMARY PART OF SECURITY 27 POLICY 2x I M odels for M ultilevel Security 29 a M onitor M odel 31 b Lattice M odel 32 c Bell-LaPadulla M odel 32 2 D atabase Security 33 3 N etw ork Security 35 4 a International Standards Organization ISO Model 36 b E ncryption in N etw ork 36 c Port Protection 37 M ultilevel Security C riteria a U S DoD Trusted Computer System Evaluation Criteria TCSEC b c 41 European Community Advisory Group Information Technology d E 39 The Canadian Trusted Computer Product Evaluation Criteria C T C PEC 5 38 Security Evaluation Criteria ITSEC 42 U K Technical Criteria for Security Evaluation 45 The Need for M ultilevel Security SU M M A R Y 46 46 v o o o oo o oS Iil REVIEW AND CRITIQUE OF THE CURRENT COMPUTER SECURITY POLICY OF THE INDONESIAN NAVY A THE COMPUTER SYSTEMS USED BY THE INDONESIAN NAVY 4X B CURRENT POLICIES AND STANDARDS IN THE INDONESIAN C D IV 4S X N A V Y 49 I Perso nnel Security 50 2 P hy sical S ec urity 50 3 System D evelopm ent 51 4 Planning and Operating Security 51 5 Perso nal R espo nsibility 52 THE POLICY NEEDS TO BE UPDATED 53 I The Proliferation of Viruses Trojan Horses and Worms 53 2 Powerful Personal Computers are Becoming Widely Available 53 3 Networked and Distributed Processing Systems 53 53 4 Rapid Technological Development 5 Increasing Reliance on Computer Systems for National Security 54 6 M ultilevel Security M LS S U M M A R Y B C 54 55 POLICY FOR THE INDONESIAN NAVY A 54 56 THE NEED FOR A POLICY IN COMPUTER SYSTEMS 56 I Policy M aker R esponsibility 57 2 Evaluation Criteria as the First Step 57 THE NEED FOR THE INDONESIAN NAVY 5X 1 Criteria for the Indonesian Navy 58 2 Security O rganization 64 SU M M A R Y 0 0 65 0 vi 0S 0 0 0 0 0 0 0 0 0 00 V CONCLUSIONS AND RECOMMENDATIONS 66 A REGULATION CONCERNING PHYSICAL SECURITY 66 B REGULATION CONCERNING DATA SECURITY INTEGRITY AND A V A IL A B IL IT Y C D O 0 66 RECOMMENDED TRUSTED EVALUATION GUIDE 7 I Interm ed iate A ctions 6O 2 L ong T erm A ctions 6X S U M M A R Y 69 APPENDIX RECOMMENDED TRUSTED SYSTEM EVALUATION GUIDE 7 L IST O F R E F E R E N C E S 123 IN IT IA L D IST R IB U T IO N L IST 125 0 0 0 0 vii 0 0 0 0 0 0 0 0 0 0 i lIST OF FIGURES Figure I View of a Sec ure System 73 viii o o o oo o o0 A ACKNOWLEI GMENT Grateful acknowledgment must be made to several individuals who have given me help ideas and encouragement during the process of writing this thesis I ould Like to acknowledge the late Professor Uno R Kodres who encouraged me to start krtring a thesis and my thesis advisor Professor Timothy 1 Shimeall and Roger Stemp ho gake their knowledge and support throughout this process I would like to thank my thesis editor Phil Anderson who greatly assisted me to in the actual writing of the thesis Thank also to RearAdmiral Sutanto and Commodore L Handoko who encouraged and supported in my thesis efforts Finally special thanks to my wife and my children Wiwiek Bona A i and Bayu Herusutopo for their support and patience during the past two years at the Naval Postgraduate School ix o o oo o o o o 4 x- 1 INTROI UcTION A CO MPPTER SECtURITY IN ENERAI As computer systems have developed they have produced spectacular changes 1ii many organizations affecting everything from office correspondence and personnel data processing to real-time process control With computer systems great amounts of paper records are no longer needed reducing storage requirements and the time needed to search records 'omputer systems have brought many improvements This valuable tool requires protection That protection is what computer security is all about 'omputer security means protecting the computer and everything that is associated with it These associative items include the room or building the terminals and printers the cabling and the storage devices such as disks and tapes Most importantly computer security means protecting the information in the system RUSS9I p X1 For many years computers were isolated from the outside world Security required only securing the room or the building and controlling the people that progratntr- d or operated the computers Links to the outside were unusual Computer security threats were rare and were basically concerned with insiders authorized users misusing accounts theft and 'Nandalisln IHOLB9I p 61 A good lock and a security guard were enough to secure the computer from any physical attack With ihe development of communication networks computers were connected to one another first by specially-engineered dedicated lines and then by common telephone lines Now many systems are in private offices and labs often managed by individuals employed outside a computer center Many of these systems are connected to the Internet where they have access to and can be accessed by systems around the world The United 00 States Europe Asia and Australia are all connected IHOLB l p 61 Many of these computer systems such as the systems used in banking operate 24 hours a day Thus the definition of computer security has grown well past the locked room with a guard at the door While the fundamental concepts of computer security protect the information and the equipment are the same applying these principles is much more complicated Computer security consists of maintaining three characteristics secrecy integrity and availability IPFLEX9 p 41 Secrecy also called confidentiality means that only authorized persons can access the information assets Integrity means that only authorized persons can modify the information Availability means that the information is always available for authorized use The effectiveness of a security program is highly dependent on the attitudes and amount of security training that the personnel using the system have To maintain its value the security program must continually be reviewed for effectiveness and relevance In every organization security should be made an integral component of the corporate culture and made a personal issue for all In many quarters there is still a lack of security awareness among corporate and organization managers Quite often any awareness that does exist is limited to the more obvious physical requirements I DITT9gI p 301 To create a secure operating environment the computer system must be viewed in terms of what can damage it or compromise the information it contains That is it must be reviewed in terms of its vulnerabilities Any occurrence that can damage the system at one of these vulnerable points is a threat Computer security is concerned with identifying the threats to the system and protecting against those threats RUSS91 p I I1 Russel and Ganggemi IRUSS9I p 12 divide threats into three 3 categories natural unintentional and intentional A typhoon or an earthquake -nay not intend to do damage but can destroy the system The curious employee that walks over to a new 2 4 terminal and spills a cup of coffee into the monitor probably did not intended to destroy I any equipment but the system must be secured against him as well as the digruntled employee that did not get promoted and tries to erase all the financial reports for the last 0 three years A comprehensive computer security program must recognize and plan tor all these disasters and many more B COMPUTER SYSTEMS IN INDONESIA The computer industry is very young in Indonesia In general computers are a great luxury Very few persons or industries have access to computers Common society S computers as very clever things They don't believe they can use these clever thing Managers view computers as devices made by men and therefore very unreliable Schools and universities do not offer computer science as a separate course of study Rather courses are offered as part of another curriculum such as electrical engineering Furthermore there is almost no industrial base the majority of all hardware and software is imported from Japan and the United States with some components imported from Korea China and Singapore The threats to the computer and information systems can be very sophisticated As In many countries there are always individuals that are much more capable than the general public If a terrorist group wanted to hurt the government and they could not recruit a local person with the necessary expertise they could hire someone from another country Because most people are unsophisticated it is easy for the system operators and users to become careless about enforcing the security program This provides just the opening that a hacker needs Additionally due to the lack of copyright laws and the relatively high price of new software there is a tremendous amount of passing copies from user to user providing optimum conditions for spreading viruses and worms The computer security regulations must deal with both of these threats 3 o I o I I I 0i I I I I o I oo I o I I oo 0 o I I I Currently there are several mainframe computers that are being used by industry and government The banking industry was the first industry to utilize an information system primarily to automate their accounting systems however it is still unusual to see a teller with a front-end terminal There are two 2 primary reasons for this first acquisition and installation are still relatively expensive Second and perhaps harder to overcome 0 managers do not trust the tellers to send information directly to the computer Network connections between the main office and the branch offices have not been installed yet mainly because security problems have not been resolved The biggest government user of automation is the Department of Defense DoD The DoD currently uses computers mainly in support of personnel payroll and logistics management As real-time computing has advanced the DoD is increasingly developing and acquiring computers for combat systems As a result of this growing reliance upon real-time information systems the Department of Defense built a computer center to I support the software used in combat systems Several other Government offices use computers to support their efforts Computers are used for producing documents such as ID cards and drivers licences But use is limited to the larger cities because of the lack of spare parts and maintenance personnel in the 0 rural areas The telecommunications network is still too immature to support modem connections The backbone systems are terrestrial and satellite microwave with some S larger cities using sea cables The phone system itself is not computerized it relies almost exclusively on human operators Cross talk and interference are routine problems because of physical plant limitations And there is insufficient channel capacity for the voice traffic 0 alone The use of more satellite capacity is the best chance for increased modern activity As indicated above there is no commercial software development in Indonesia Both operating system software and application software originates in the United States or 4 o I0m 08 il i ii 0 o o ill0 S oo I o S o I 0 in Japan One barrier to local software production is the lack of effective copyright protection Software piracy is a regular occurrence because of the weak laws These laws will have to be strengthened before there is an incentive to write computer programs C THESIS OBJECTIVES Since the current standards and regulations in use by the Indonesian Navy Aere S written in 1981 and today the Navy is installing a series of computers operating over a local area network LAN which is expected to grow until it is interconnected nationwide than the objectives in writing this thesis are I To conduct a literature search of computer security articles 2 Review and critique of the current computer security policies of the Indonesian Navy 3 D To develop a strategic computer security policy for the Indonesian Navy THESIS OR ANIZATION This thesis is presented in five 5 chapters Chapter 11 provides the fundamental concepts of computer security what standard regulations are needed and provides a preliminary threat assessment and the controls needed to protect it It also explains some models for Multilevel Security and some security issues from the United States United Kingdom Germany and Canada 0 Chapter III is a review of the current computer security policy of the Indonesian Navy the computer systems being used and the policy elements that need to be upgraded Chapter IV outlines the need for a computer security policy for the Indonesian Navy and proposes an evaluation guide for the Indonesian Navy as a basic step for implementing multilevel security in computer systems Chapter V includes a summary conclusion and o o o oo m inu o innI nIi S o I IEmi i I I5 recommendations These recommendations define immediate intermediate and long term actions should be taken concerning computer security The appendix contains the recommended Trusted Evaluation Guide for use by the Indonesian Navy 0 0 0 0 0 00 0 0 0 16 0 II FOUNDATIONAL CONCEPTS OF COMPUTER SECURITY There are several concepts that serve as a foundation for a good computer security program maintaining system integrity protecting privacy and building a cost-etfective security program The best method for satisfying these criteria is a trusted multilesel security system To achieve the goals of computer security that is mnaintaininig the three characteristics of privacy integrity and cost-effectiveness the first thing to do is recognize the threats to the computer system By recognizing the potential threat the actions to defend against those threats can be defined A COMPUTER SYSTEM INTEGRITY The first step is to physically isolate and protect the system The goal is to keep hostile forces out of the system Second if the hostile force gets into the system then the system must be able to identify contain and record the actions of the infiltrator Finally it is important to establish sound backup procedures to facilitate recovery in event of complete contamination or destruction of the computer system Maintaining computer system integrity begins with securing the system against the most basic threats storms floods power failures and progresses up to the most sophisticated threats espionage agents planted in user organizations electronic eavesdropping and computer hackers with their own advanced computers The organization cannot install a security system and forget about it the system must be constantly reviewed to keep pace with the evolving threat and re-evaluated against the growing dependency of the user organizations on the automated systems 7 I Physical Integrity O Physical protection is the most important measure of computer system security 0 39 If the physical security of the system is not guaranteed then the system can not be considered secure This physical protection includes the guard the room and building construction the door lock fences around the building etc These protect the system from 0 natural disaster human vandals interception and unauthorized user ILANE85 p 13 -IS PFLEX9 p 437 - 442 and RUSS9g p 238 - 240J1 Natural disasters like floods fires earthquakes lightning power loss heat etc constitute a threat to the physical integrity of a computer system Not only is the physical hardware at risk but also the information residing in the system In many cases the information is more valuable then the hardware itself IPFLES9 p 4381 0 One natural threat is water which can easily damage the electronic components and electrical systems used to support it Water damage can occur because of the flooding of a river or the sea a hard rain or even a leaking water pipe To prevent this kind of disaster the computer system should be placed in a room high enough to be unreachable by water that rises from the ground In addition to flooding water falling from above the equipment is also o dangerous This is usually caused by a leaking water pipe above the equipment or a leaking roof or ceiling In order to prevent this kind of disaster the administrator should regularly inspect the possible sources of water damage Secondly rolls of plastic sheeting 0 should be mounted on the walls of the computer room so that the equipment can be covered in a matter of minutes in case of an emergency Fire is another natural disaster that can cause great damage quickly In order to 0 prevent this kind of damage water is not recommended since water also damages the electronic devices A fire resistant wall and door and a windowless room for the computer o u nn io mn m o imnnmm mnmnnu o oo m m mmnu m o I o0 I installation is suggested in order to slow the spread of fire from adjacent rooms gases are Furthermore smoke detectors and automatic fire extinguishers using inert recommended for fire suppression Electrical power systems are critical to computer systems If the power is suddenly lost or drops below a certain value the possibility ot losing code or data that is not yet saved becomes almost certain To prevent loss of code or data caused by a power loss an uninterruptible power supply is recommended An uninterruptible power supply stores electrical energy luring normal operation and is automatically turned on when the power is lost Protection against spikes or surges of electrical power is also required If a spike exceeds the specified level of the equipment then it can damage the electronic1 components In order to prevent this a surge suppressor is needed Heat is another natural problem common to tropical countries like Indonesia Electronic components inside the computer system are sensitive to heat If the heat exceeds a certain level then the components may work improperly or sustain damage Preventing the accumulation of excessive heat requires a continuous flow of cold air Humans also pose a threat to the physical integrity of the systems Vandals and disgruntled employees may intentionally damage the system and users and visitors may unintentionally cause damage All of these are threats to the physical integrity of the computer system o Defending against vandals is an important feature of physical protection Vandals are different from natural disasters since the damage is intentionally or unintentionally caused by people They can be disgruntled employees bored operators saboteurs or people that get a thrill from destroying things If their tool of destruction is something that is big enough to see such as a sledge hammer then they can be stopped before they damage the equipment If they use small items such a car key or even a paper 9 410 o clip to disable a disk drive then it will difficult to detect them before they strike A strict visitor control policy will help reduce this threat 0 Physical damage remains the greatest threat to computer security The next section explains threats against software and data integrity 2 0 Software And Data Integrity Attacks on the software and data are more difficult to prevent and track since the damage may not be visible but they can completely disrupt the operation of the system 0 Deletion or modification of valuable data can cause grave damage to individuals organizations or even whole nations The damage caused by or actions done by human threats may go completely unnoticed by the operators until the results from the system differ from what is required on a given situation 0 The threat to software can also come from an unintended source Some programs produce unintended results degrade system efficiency or destroy data While this is not deliberate sabotage the effects are significant and must be mitigated In an ideal world damage to a system by unintended results would be prevented but research and practice in the area of system reliability has shown that this ideal protection is unlikely in the foreseeable future a 0 Internal Threat The most difficult threat to counter comes from inside the organization itself A malicious worker can introduce a virus or do many kinds of damage to the system which may be done in a such manner that it remains undiscovered for a long time Furthermore an innocent employee may damage the system without realizing it A hardworking employee may bring work home infect his disk and bring it back to work and infect the system Good backups archiving and antivirus software will mitigate most of iO 100 o 0 I o i o oo I o i o IN Ul li l li the damage caused by infection A system of file protections not modifiable by ordinary software will prevent the spread of many viruses Depending on the security of the computer system it may be possible tor all employee to change the classification of a file An employee with a high-level security clearance who can access a highly-classified file may intentionally or unintentionally change the classification of a file to a lower level or disclose it to an unauthorized employee or an external agent any of which could cause great damage Modification of the software must also be controlled Without such controls changing a little code in a program can be done by anyone The program may seem to work well hut in a specialized condition the program will tail PFLEXL p 71 One example of this type of modification is a time bomb An infected program will work %ell in almost all - ases but upon detecting a specific condition such as a system load level or the name of a certain operation the program will fail or do some other damage to the system 0 Programs need to be secured since they can be used to exploit vulnerabilities in computing system in one of two ways First they can intercept or modify data on behalf of users not authorized to access the data Second they can exploit service flaws in system to allow system access to unauthorized users and inhibit the use of legitimate users Some programs commonly used to access data and affect computer services are described belowk I Trapdoors A trapdoor is a secret undocumented entry point into a 0 module It is usually inserted during program development for testing maintenance and debugging purposes Sometimes it is not removed and as a result it exposes the system to 0 modification during execution IPFLE99 p 170 and RUSS91 p 851 2 Viruses Viruses are programs that can infect other programs by modifying them IPFLE89 p 1781 All viruses require a host and the range and rate of the II 0 0 0 0 0 0 S S S 0 spread of the infection depends on sharing and transitivity of programs or data Viruses O must have access to other programs and data in order to spread Thus limiting sharing c an limit viral infections Viruses are prevalent inpersonal computers because so much sott are swapped between users that it is easy for viruses to spread to different systems The %%eak copyright laws in Indonesia is one reason that there is so much swapping there The positive side is that software is being developed to combat viruses and can be imported from developed countries The use of anti-viral software should be stipulated in the security regulation A virus program has three parts The first is a marker that is used determine if a program has been previously infected signature byte The second iS to the infector which seeks out potential carriers and is responsible for the infection process The third part is an optional trigger that upon determining that current conditions match an activation segment trigger the manipulator The fourth part is the manipulator that is 0 responsible for carrying out the program's designed task Viruses are categorized as either overwriting or non-overwriting Overwriting viruses are the easiest to write and do not increase the length of the host 0 program They actually overwrite the code of the host programs and as a result the host program will generally produce an error during execution A non-overwriting virus appends itself to the host program and causes 0 an increase in the file size actually it copies a portion of the host's code and appends it to the end of the file then overwrites the other portion During execution the virus checks the trigger and if applicable executes the manipulation code Once completed it then moves 0 the host's copied portion of code to the front of the file and executes the host code normally 12 0 0 0 0 0 0 41 S S Viruses have some known weaknesses All viruses have markers and the host program has to be executed in order to execute the viruses' codes They must o change some segment therefore they leave tracks of their presence r There are many types of viruses boot sector viruses system software viruses application software viruses hardware viruses placed by actually modifying the S hardware buffered viruses that install themselves in RAM live and die viruses that remain for a certain period then remove themselves and hide and seek viruses that move to different areas of the system A few of the ways to limit the spread of viruses are complete isolation of infected systems ubdivision ot data and programs write protect all disks that are not to be written to don't share disks on the tly encryption and limiting transitive llo% i o information A to B B to C thus A to C 3 Trojan Horses A Trojan horse is a program that performs a hidden function in addition to its stated functions A virus can carry a Trojan horse program such 0 that the infected programs perform an unintended function IPFLEX9 p 172 and RUSS91 p 831 4 Covert channels A covert channel is a program that leaks information to people who should not have it they are a hidden means to communicate information They are best suited to situations where small amounts of data are needed IPFLES9 p 0 1751 5 Worms A worm is a program that can run independently and can propagate a fully working version of itself on other machines Worms do not need a host they are self propagating and stand-alone Not all worms are malicious as a matter of fact some worms are beneficial they perform automatic file compression and backup PFLE89 p 178 and RUSS9l p 821 13 0 0 0 0 0 0 0 0 0 0 -A b External Threat U Any outsider who has a connection with computer system may succeed in 0 infiltrating the organi'ation and 'gainingaccess to the computer system Then he can read 4 modify delete or copy the sottware or data This is an external threat that should he considered 0 As the Indonesian Navy starts to develop Local Area Networks LAN and computer systems become inter-connected it will be easier to conduct attacks on one system from several remote hosts or many systems from one host The modification of 0 data in a system is very difficult to recognize and to track since the host may not know that some of its information has heen Modified by an unauthorized person An external intruder typically attempts to access a computer system through 0 the telecommunications netw orks Several different types of attack may be attempted and once access to the system has been achieved the intruder may cause significant harm to the system or the data 0 Threats to hardware software or data may cause severe damage to a computer system The next section explains what steps can be taken to minimize the damage if all the planning fails to prevent damage 3 0 Resumption after a Crisis Security planners must assume that eventually they will fail and the system will suffer severe damage A recovery plan is needed in order to get the computer system working as soon as possible It can be achieved effectively if there is enough preparation It has been mentioned above that damage to the computer system can happen to the hardware software or data To prepare for damage to the information backup copies are needed If the damage is to the equipment then a backup facility is needed IPFLEX9 p 442 - 447 and RuSS9I p 9 6 1 14 0 0 A backup is a copy of all the software and data residing in the computer system A periodic backup needs to be performed so that the loss is limited to the work done during the interval between backups However if the backup copy is maintained in the same place or near the same place that the computer system is located then it can be rendered useless because the backup copy can also be destroyed during the crisis I'hus backups should be stored off-site Just as the data and programs are backed up the hardware can be backed up Either a cold or a hot site can be used based on the criticality of the system A cold site is used when the system is relatively less critical and time to outfit the facility is available A cyold site has space power and air conditioning If the primary site is destroyed or severely damaged then new equipment is installed and the operation is moved to the backup site A hot site is used when the applications are critical A hot site is a computer facility with an installed and ready-to-run computing system PFLE89 p 4441 A hot site not only has the space power and air-conditioning but also a complete computer system All that is required to get operational is load the latest backups and begin processing Obviously to prepare and maintain a hot site is very expensive and can only be justified when losing the processing system for several days or weeks would be more expensive Hot sites are reserved for systems processing critical data and applications B PRIVACY There are certain differences between privacy and security Privacy is 0 a characterization of the special interest we have in being free from certain kinds of intrusion IJOHN85 p 1941 Privacy is strongly rooted in ethics and morals James Martin's definitions show the important distinction between privacy and security Data security refers to protection of data against accidental or o intentional disclosure unauthorized modifications and destruction Privacy refers to the rights of individuals and 0 15 0 0000 0 0 0 0 0 4 organizations to determine for themselves when how and to what extent information about them is to be transmitted to others vMART73 p 51 The value of intormational privacy depend on the situation and the ownership condition of the information itself An individuah bank balance is important to the individual but compromising it is not likely to damage national security It anl important 5 company is taken over by foreign competitors because private financial intorination %Aas compromised then national security may very well be damaged Additionally the perceived value of privacy varies from culture to culture Societies establish and enforce privacy laws very differently with liberal societies providing the greatest protections and totalitarian societies the weakest Whatever the society there is some cultural or legal protection of privacy 0 With improvements in computing systems most private individual data is being entered into computer records For example in the military some information may only be read by the commanding officer other information may be read by all otticers and some 0 information by all officers and enlisted However all this information may be kept in computer records As a consequence privacy may be lost if the security system is inadequate Absolute privacy requires absolute security There are no systems that provide 0 absolute security but a trusted system will provide the best possible protection available It is obvious that the technology of privacy is closely related to security however privacy is an issue that goes far beyond the computer system Furthermore 0 implementation of security to protect individual privacy in a computer system should be calculated according to its cost effectiveness despite the inherent diffiLulties in establishing the value of an individual's privacy to the organization installing the security 0 system James Martin defines four 4 levels of safeguards needed to protect the privacy of individuals IMART73 p 32 -331 The first is locking the data in the system so that 0 16 o1 I II I oII I I oI II II 0 unauthorized user cannot read modify delete or copy it The second is an appropriate system philosophy that specifies how the computer system should act on the individual data how the system will control which person can access each kind of data what data should not be collected and what classification should he assigned to the data The third level defines administrative controls and the fourth defines legal controls The legal controls are defined by existing law concerning the protection of privacy in the computer system The law concerning privacy depends on the culture and national philosophy In the liberal society the individual privacy is stated clearly but in some other countries the laws protecting privacy especially those concerned with computer technology do not exist yet I Theft Prevention Unauthorized visitors can cause three problems stealing machines or data destroying machines or data or compromising the data which can be very dangerous if the data is very sensitive IPFLE89 p 44 4 1 Some precautions can be taken to protect S against theft such as security guards fences locks magnetic stripe cards electronic cards and even gluing weighting chaining and alarming portable devices Security guards fences and locks are classical examples of theft prevention 0 Guards have an advantage in that they can make a record of persons who access the facility However guards must be employed 24 hours a day And as human beings thev have human weaknesses that can be exploited such as boredom inaccuracies illness etc As a result their reports may be inaccurate and they may even be so careless that they fail to catch a thief On the other hand locks are much simpler and cheaper to use but they may not produce the record that is desired The best system is a combination of guards fences and locks 17 I ill IIIN lanI nin'Il Il im I 0 More sophisticated controls use magnetic stripe cards or cards with radio transmitters or other electronic identification system These systems can interface with a computer system which can automatically prepare an access report The disad'hantage is that they can he lost or stolen and the tinder can have access to the tacilitv To prevent unauthorized persons from getting into the facility the cards can he supplemented hy a keypad at the door that requires some kind of entry code from the person trying to get in Reducing portability of the equipment will also reduce the risk of theft Portability has increased as more powerful and expensive devices are built to fit on a desk top Some facilities use these kinds of computers for intertacing with a mainframe Even input output devices such as printers are now portable devices Since it is portable it is easy to steal Steps must be taken to reduce theft but excessive measures can make the system difficult to use by the very persons it was installed to support Measures commonly used to protect the equipment include adding weights gluing the equipment to a table chaining or locking the equipment down or installing alarms The weights and glue make it difficult to move the equipment if there is a problem Chains locks and alarmns are better in these situations because they can be undone relatively quickly In addition to securing the equipment attention must be given to taking care of sensitive files Printing a sensitive file should only be done when unauthorized personnel are away from the printers One option is to configure the system so that classified files can only print on a printer in a secured area 0 The last method for controlling theft is to install detectors in the door These detectors can sense individuals coming into or leaving the facility If used in combination with smart cards the detectors can even record which person comes and goes This can 0 help reduce unauthorized traffic But to prevent authorized users from taking equipment the equipment can have internal marking devices that will set off the alarms if they are carried through the exit 0 19 0 0 00 0 0 0 0 IAN 4 d Ideally software theft will also be countered Specifically the securitv -ystei will prevent unauthorized copying of software Since the original software itself is left unchanged in the system the owner has no indication that a theft has occurred Interception is another serious threat to computer security- To illustrate a repairman from outside the organization is responsible for repairing any damage om malfunctions in the computer equipment He can install a device that will be able to read data and transmit it to a receiver that is outside of the secured area Hence valuable or critical data is compromised To avoid this the technicians should submit to the same clearance procedures that the operators submit to 2 I isposal of Sensitive Media Disposal of sensitive media may create a vulnerability Media containimn sensitive information often needs to be disposed of The media can be paper magnetic tape or disks printer ribbons or even paper tape They may have to be disposed of because they are no longer useful such as outdated reports or the magnetic media may he damaged But even damaged media can be reconstructed if it falls into unfriendly hands The media must be destroyed beyond any ability to extract useful information There are many ways to dispose of these material IPFLE89 p 4461 0 Shredders are the most common devices to use They can be used to destroy paper printer ribbons floppy disks and Some tapes The disadvantage is that the most common shredders cut the media into long strips that in the case of paper can be reconstructed and read In these cases shredding is only an intermediate step to burning The reason to shred the paper before burning it is that the burning is then much more thorough 0 There are several ways to destroy the information on magnetic media The most common is to overwrite the data several times with different characters But this takes a 19 I I mi lii i l Il ln Il Ba l0 6 certain program or utility For many years users thought they were destroying their files by deleting them but most operating systems only released the disk space back to the system The data could remain on the disk and some other person could recover it w ith another utility To prevent this a w'rite-three-times utility must he used when learing Hiles o0 media This can be a very time consuming requirement but it iS necessary to protect the 0 data Another way to erase the data is to use a magnetic degausser A degausser is a powerful magnet that realigns the magnetic particle and destroying the patterns that stored the data Some degaussers are moved over the media others are built so that the media passes through the magnets This can he an effective method but the degaussers must be tested periodically to ensure that the field strength meets the specifications 3 Emanation Protection Emanation protection is divided into two categories They are protection from outside emanations that can affect the operation of a system and control of emanations from the computer devices that can be detected outside the controlled area PFLE 9 p 447- 4411 First emanations that affect operations can originate inside or outside the facility Many components of a computer system are Sensitive to magnetic ftuctuations For example a floppy disk is sensitive to the magnetic fields produced by the electromagnets in devices such as telephones printers and monitors The data on the disk can be ruined by these fields if the disk is set on or too close to this type of device The administrator should stress the vulnerabilities of magnetic media to the workers Secondly the emanations from the equipment can be intercepted by persons outside the are controlled by the users of the system In some cases these emanations can be demodulated and the data that the machine was processing at the time is compromised 20 200 0 A standard acceptable level of emanations and proper control procedures should he determined and included in the security regulation Some methods of control are using low emanation dev ices TEMPEST approved shielding the room or using shielded containers around the worst equipment and expanding the controlled area to a point that the emanations are no longer detectable 4 User Authentication Computers need to verify users with authentication mechanisms usually at the time they log on Authentication mechanisms are generally divided into three categories 0 something you know like a password something you have like smart card and some unique attribute such as a finger print IRlSS9 I p 5 7 -5XI The most common authentications used on computer systems are passwords 0 They are e sy to implement and a person only needs to remember his password to access the system The password is a string of characters a word that the computer is 0 programed to ask for when the user logs onto the system PHLE89 p 2261 The effectiveness of is limited by their length and the number of legal characters allowed iti each position Because they are limited in length and because they must be remembered by people with many things to remember they are vulnerable to attack 0 Basically there are five different attacks that can be used to break a password system They are try all possible passwords try many probable words try words likely to be used by an individual user try to find the system password file and to ask the user 0 Trying all the possible passwords is called the exhaustive attack or brute force method If given unlimited time and attempts the user will find the right word This method can be frustrated by using words in excess of seven characters and using all the 0 letters upper and lower case numbers and characters on the keyboard 2 21 0 0 The probable password approach attempts to use common words that users are likely to use Because passwords are to be remembered most people Ill attempt to make one that makes sense A random string oftcharacters is difficult to remember so the user will choose a word or a group ot letters that is almost a word This narrows the uni erse that the intruder needs to try and greatly increases his chance of penetration The next method is to identify a particular user and learn as much about him or her as is possible Then the intruder can build a list that the user is likely to pick a password from such as the name of a child a pet a favorite car or fiction character or anything else that the user favors The smaller the list of words that the attacker needs to try the greater his chance ot success Finding the system password file is a different kind ot approach If the attacker can get any level of access to the system he can try to find the list of passwords This will allow him to access anything on the system Because the list is so powerful the systems administrator must take steps to protect it such as locking the file so that only the administrator can access it and encrypting the file so that it can not be read by the intruder if it is discovered Getting the password from a user is the easiest way of penetrating the system Sometimes a group that works together will share their passwords to simplify the work This will make the work simpler but it will also weakens security There are several choices that the security administrator and users can do to enhance the security value of the passwords This selection is provided by Pfleeger IPFLEX9 p 232 - 233 and RUSS9I p 611 I Use more than A-Z 2 Choose tong Passwords 3 Avoid actual names or words 4 Choose unlikely passwords 0 22 o 0oNl 0i 0 o o 00 oo o 00 o0 00 5 Change p asswords regularlyO 6 Don't write them downI 7 D on t tell anl-vot1'l else The suggestion above should be stated clearly in the regulation concerning password selection criteria A more sophisticated authentication system uses identifications and passwsords followed by a challenge and response interchange The system asks different questions each time and must be replied to with correct answers therefore it is also called one-time password This authentication system is secure since interpretation of passwords is very difficult However it is limited by the capability of people to remember the response Another kind of password system uses a passphrase which is a longer version ot a password A passphrase consists of a number of words to form an easy to remember phrase Passphrase are easier for users to remember and since the are longer than passwords they are inherently more secure A limitation of passphrases is that they require more memory to store Smart cards or tokens can eliminate need for people to remember passwords One example is the magnetic stripe cards used by banks for automatic teller machine service The disadvantage of tokens or smart cards is that they are easy to lose A perfect authentication system that can never be lost and has nothing to remember uses a personal characteristic such as a fingerprint retina pattern or the user's voice pattern They give high a high level of assurance and reliability since each personal characteristic for each person is unique The disadvantage is that these systems are very expensive PFLE89 p 391 -3921 0 23 o oo 0 o o I oo 0 oS 0 0u 0l u 0 5 Encryption and ecryption Encryption and decryption are computer security methods used to make it 0 difficult for intruders to read a y data even if they do break into the system Encryption is a process of encoding data and programs so that they are meaningless without the algorithm and the key The clear message is called plaintext and the encrypted torm is 0 called ciphertext The reverse process of transforming ciphertext back into plaintext is called decryption IPFLEXY p 231 To ensure protection it is important to study the ciphertext regularly to ensure that it can not be easily decoded without the key 0 There are many encryption and decryption methods such as substitution and permutation transposition In the development of codes cryptographers work on encryption algorithms which are hard to break that is they develop encryptions such that 0 breaking the encryption is equivalent to finding an object in a search space that has been proven to require more than polynomial time to search i e the search is NP-completej Presently three encryption methods are known that are hard to break although they are 0 not proved yet to fit in this category the Merkle-Hellman knapsack encryption the Rivest-Shamir-Adelman RSA encryption and the Data Encryption Standard DES The Merkle-Hellman encryption was shown to have serious design weaknesses so we only discuss the Rivest-Shamir-Adelman RSA encryption which has remained secure until this time and is used in some European countries and the Data Encryption 0 Standard DES that is broadly used in the United States a Rivest-Shamir-Adelman RSA Encryption The RSA encryption algorithm was introduced in 1978 aind remains secure to this time The RSA algorithm uses a solution of number theory complicated by the difficulty of determining the prime factors of a target 24 o 0 - 0 o o 0 n oo o 0 0 o0 0 0 I Basically the RSA algorithm operates with arithmetic mod n Tho keys d and e are used for decryption and encryption A key is a certain value of integer that used 0 I to encrypt or decrypt a text these keys only known by the sender and receiver of the messages The plaintext P and the ciphertext C are treated as positive integers A plaintext P is encrypted into a ciphertext C by C Pemod n And to decrypt the ciphertext use P Cdmod n The encryption key e and decryption key d are chosen such that p pejdmod n Due to the symmetry property of modular arithmetic these encryption and decryption formulas are mutually inverse and commutative hence P Cdmod n Peldmod n Pd emod n The encryption key consists of a pair of integers e and n and the decryption keys are d and n To ensure that an intruder will take a very long time to break the ciphertext these integers should be large First choose n as a product of two primes p and q which are two large prime numbers Next a relatively large integer e is chosen relativelyv prime to p - I q - I Finally select d such that exd Imod p-I o q-I Choosing numbers which are large and prime increases the difficulty to 0 break the RSA algorithm IPFLE89 p 1011 b Data Encryption Standard DES The Data Encryption Standard DES was developed by U S Government for 0 use by the general public It has been accepted as a cryptographic standard by the U S and other countries IPFLES9 p 106 - 1211 25 41 00S000S0 0 0 By design DES is composed of substitution and permutations transposition U' The exploitation of these two techniques are repeated for 16 cycles each cycle stacked on top of the others he plaintext is encrypted in blocks of 64 bits the key used it is also h4 bits long although only 56 hits are needed and it can be thanged as needed The substitutions provide confusion by systematically substituting one bit pattern for another the permutations provide confusion by reordering the bits The DES algorithm uses only standard arithmetic and logical operations with results limited to 64 bits Theretore it can be implemented in current software and also on a single-purpose integrated circuits In fact several DES chips are already commercially available The DES algorithm starts by dividing the plaintext input into blockks of 64 bits and then transforming them using 64 bit keys The 64 bit input data blocks are prepermuted by the initial permutation and broken into 32 bit right and left halves Then the following process is applied 16 times I The right half side is expanded from 32 to 4U hits by expansion permutation it permutes the order of the bits and repeats certain hits This expansion has two 2 purposes first to make the intermediate halves of the cipherlext comparable in size 0 to the key second to provide a longer result that can be compressed later on 2 The 64 bit key is cut into a 56 bit key by deletion ofevery Sth parity bit then split into 28 bits right and left side each of them are shifted left by a number of bits then pasted back again After being shifted and pasted back again the key is reduced from 56 to 48 bits by permuted choice 3 The 48 bit key is combined with the 48 bit expanded right half side of ciphertext done in sub I 4 The 48 bit result is divided into eight six bit blocks each block Bi is operated by an S-box Si which performs substitution replacing 6 bits of data with 4 bits 26 o m0 H 0 o 0 Uie o oo 0 0 o0 o 0 n 0 l II -0 S 5 The 32 bit result eight four bit blocks is then permuted by a straight o permutation P-box 6 The 32 bit permuted result is combined in X-OR functions with the 32 bit left side to perform a new right half for the next cycle 7 The old right half side becomes the new left half side for the new cyNcle Then the cycle is repeated fifteen times At the end of sixteenth cycle the right and left half sides are pasted together and by applying inverse initial permutation to get the output The same algorithm is used to decrypt the ciphertext only the key applied to decrypt is used in reverse order of the encryption key The only known weaknesses in this algorithm are weak keys and semi-weak keys Weak keys occur if the bits of the key are all zeroes or all ones it does not change in permutation and substitution the semi-weak keys are keys with obvious patterns For other keys this algorithm is secure C COST EFFECTIVENESS One of the most important measures for evaluating a computer security policy is to 0 ensure that expenditures on security yield cost-effective benefits Although this may seem obvious it is possible to be misled about where the primar ffort is needed IHOLB9I p 101 One method used to determine cost-effective measure is rick analysis Risk analysis 0 estimates how much it will cost to prevent damage or to recover from specified damage or loss Pfleeger defines six 6 basic steps required for a thorough risk analysis IPFLE9t p 0 4591 They are identify assets determine vulnerabilities estimate likelihood of exploitation compute expected annual loss survey applicable controls and their costs and project annual saving of control The person performing the assessment identifies the 27 0600000 00 assets by listing the system components including hardware software data people documentation supplies etc To calculate the replacement cost of software and data may 0 be as straightforward as tinding the hill or as complicated as estimating the number it man-hours to reproduce a study or rewrite a program In addition to the replacement cost the analyst must estimate the cost of disclosure such as having a ship destroyed Ibcause its planned route was compromised Determining the vulnerabilities means taking into account all the possible threats to the computer system Some of the possible threats are natural disasters human vandals unauthorized access disclosure of intormation denial ot service etc Of course authorized persons have a need to access or disclose information Security controls must allow authorized users to access tiles they are authmrtzed to use without letting them access files or programs that exceed their authority In the past this was accomplished through physically separated redundant systems It is now technologically possible to operate a multilevel security system MLS that permits multiple users with varying clearance levels and access abilities also otodifferent levels of sensitivity to use the same system without compromising security The next step is estimating the likelihood of exploitation There are several ways to do this using statistical tables observing the number of occurrence% in a given amount ot 0 time or by group consensus The annual loss expectancy can be calculated hased on the value of an asset and the determination of the likelihood of exploitation Next a survey of applicable controls to prevent the exploitation of vulnerabilities and a revised calculation 0 of annual lost expectancy is performed This yields the cost of securing the system and provides a measure of the cost effectiveness of the recommended controls 0 MULTILEVEL SECURITY AS A PRIMARY PART OF SECURITY POLICY D Computer security mechanisms are needed to ensure that all information residing on a system is protected from being lost modified or disclosed by either malicious or careless 28 0S 0 0 0 0 0 0 0 0 0 S 0 users To provide protection Russell and Gangemi define four 4 primary functions that a computer security system should perform IRtSS9o1 p 561 First to ensure that unauthorized users cannot get into the system a system access control is required There are several different access control methods that can be applied like password systems challenge-response systems passphrases longer version A passwords tokens or smart cards and personal characteristics such fingerprints retinal patterns and voice recognition systems Second data access controls must define who can access what data and for what purpose Through this the system will support the discretionary access controls that define which other people can read or modify the data system files records fields user permissions and programn permissions It is also possible to use mandatory access controls in which case the system enforces access to objects based upon clearance levels This is required for multilevel security Third system and security administrators perform the off-line procedures to prevent possibility of breaking the security system for example by clearly delineating administrator responsibilities by training users appropriately and by monitoring users to make sure that security policies are observed The last step is taking advantage of basic hardware and software characteristics in system design to perform appropriate protections for example segmenting memory to protect between critical and noncritical data I Models for Multilevel Security Multilevel security has been modeled after the security classification system 0 used in the military The military system is divided into four 4 ranks sometimes called classitications unclassified confidential secret and top secret In the same way the users' access is also defined by their ranks for example in the Indonesian Navy commanding officers can access the top secret information officers can access the secret information and enlisted can only access unclassified information 29 Bi Basically the criteria define ten 10 distinct classes of security functionality 0 0 One security principle mentioned by Pfleeger I PFLEXg p 2461 Is the principle of least privilege The principle says a subject should have access to the fewest objects 0 needed for subiect to work successfully This can be explained using the military example above a commanding officer with permission to access a top secret rank information is still able to read the secret rank confidential rank and unclassitied rank intormation Furthermore information access is limited by the need-to-know rule access to sensitive data is allowed only to subjects who needs to know that data to perform their jobs To enforce the need-to-know restriction the system may use the compartment method partitioning a rank into compartments Users 0 are only able to access compartments with information relevant to their lob For example a commanding officer may not access all compartments in the top secret information rank but only the part o relevant to his job As a result it is possible for information to belong to more than one compartment For instance a list of the foreign merchant ships that sail through the 0 passage way of Indonesia may be divided into compartments For example the Indonesian Navy serving as the cost guard must patrol the passage way The ships on patrol have access to the complete compartment the entire list while other ships and activities can 0 onrly acIcess information on a certain number of ships or sub-compartments A class or classification is combination of rank and compartments The users are allowed to access classified information if they have certain clearances These clearances 0 indicate that the users are trusted to access the information up to a certain level of classification Similar to the information class the clearance of the user also defined as combination of rank and compartment o Recall that the user is a subject S and he or she wants to access to a piece of information called an object 0 Then S can access 0 if the clearance level of the subject S at least as high as the information 0 30 0 the subject S has a need-to-kn v clearance about all information in the compartment In mathematical formula the above relation can be expressed 0 _S if and only if rank 0 rankS and compartments0 z compartmentsS The relation y_ is used to limit the sensitivity of a subject that can be accessed to an object and the relation _- indicates that the compartment of the object is the compartment for which the subject has a need-to-know It is known that sensitivity requirements are hierarchical and need-to-know requirements are nonhierarchical There are many models proposed for multilevel security MLS In this thesis only three 3 will be described since they are used by U S DoD Trusted Computer System Evaluation Criteria TCSEC for references They are the monitor model the lattice model which can be applied to military environment and the Bell-LaPadulla model a Monitor Model The monitor model is implemented by using gates between users or subjects 0 and objects If a user wants to access an object then he or she invokes the monitor sometimes called a reference monitor The monitor takes the request for access and consults the access control information The contents of the access information file 0 determines if access is granted There are two major disadvantages to using monitors First if the monitor is heavily used it becomes bottleneck Second it controls only direct accesses However this S model is used as reference in TCSEC PFLE89 p 243 - 2441 31 0 0 b Lattice Model A lattice is a mathematical structure of elements under a relational operator 0 I PFLE89 p 24X1 The relation in the military model is defined through its rank and it is similar to the mathematical relations In mathematical relations e use transitive and antisymmetric properties which are defined as tollooos 0 transitive property if a b and b c then a c 0 antisymmetric property if a--b and bVa then a b Similar to the military example above the transitive property i also applied to ranking property Every enlisted is subordinate to a petty officer and the petty otficer il 0 subordinate to an officer then the officer subordinates the enlisted Obviously the antisymmetric property is also applied in the military since it is impossible that two 0 members of the same rank will subordinate each other c Bell-LaPadullaModel The Bell-LaPadulla model is an information flow model which identifies allowable paths of information flow in a secure system One purpose oi maximfluil exploitation of computing machines is permitting the machines to work concurrently It is different from the computing devices of past years where machines that processed sensitive data were separated from machines that processed unclassified data Now a machine should be able to operate with two 2 or more sensitivity levels together without leakage from the higher level to the lower level 0 The Bell-LaPadulla model gives two properties that are used to handle security of data in the multiple levels Basically the models cover a set of subjects S and a 32 II set of objects 0 For every subject y in 4 S and object o in 0 there is a fixed security class and CWO Then the two properties can be defined as follow s IPFLE89 p 25011 1 Simple security property A subject s may have read access to an object 2 onl'y if 'o - % Star property A subject A who 0 has reud access to an object o may have write access to an object p only if C o y_Cip The simple security property is just like the military security model and the star S property is used to prevent transferring a high level data by an authorized subject into a lower level sensitivity 2 Database Security The majority of applications used by the Indonesian Navy involve databases rather than dedicated system such as combat systems on warships This is understandable since using databases yields advantages such as shared access minimal redundancy data consistency since one changed value affects all users at once data integrity and controlled access However the safe exploitation of databases requires security measures such as physical database integrity logical database integrity element integrity auditability access control user authentication and availability I PFLE89 p 3041 Some situations that affect integrity do damage to the entire database The element integrity refers to their correctness or accuracy The DBMS maintains the integrity of each item in three ways field checks access control and change log Auditability is desirable in order to determine who did what and prevent incremental access However maintaining an audit trail of all accesses is impractical 33 o unnmun nnnnllmmnunn nn mmmmmnn n mmnmnnlnNilmm since it is slow and takes a large amount of memory Databases are logically separated by user access privilege The database administrator determines ho gets access to the data at the field record or element level and the DBMS enforce this policy granting or denying access to all specified data Lsually the D BMS run on op i 0 S Ahich means that there is no trusted path to the O S and the DBMS must be suspicious ot intormation supplied by o the O S including user authentication As a result the DBMS must do its own authentication Availability should be considered as arbitration of two users' request for the same record and the withholding of some non-protected data to avoid revealing 0 protected data Problems in reliability and integrity can occur when modifying data It a single field of data is being updated then halt of the field may aioA old data if multiple fields are being updated then no single field reflects an obvious error To avoid these problems a two phase update technique is the used In the first phase the intent phase the DBMS gathers information and other resources needed to perform the update but makes no 0 changes to the database In the second phase the commit phase the DBMS writes a commit flag to the database and the DBMS makes a permanent change If the system fails during second phase the database may contain incomplete data but this can be repaired 0 by re-performing all the activities of the second phase Sensitive data management is also another problem Sensitive data is data that should not be made public IPFLE89 p 3141 One problem securing a database is 0 preventing disclosure There are five types of disclosure exact value of data lower and upper bound of them negative result of them existence of them and probable value of them 0 One way to obtain sensitive data is using inference that is deriving sensitive data from nonsensitive data This attack can be a direct or indirect attack Indirect attacks consist of sum infer a value from reported sum count combined with the sum to 0 34 0 produce some even more revealing result median requires finding selections haNmni one point of intersection which happens to be exactly in the middle tracker attack adds I additional record to be retrieved for two difference queries the two sets c ancel each othei ut leaving only the statistic desired and linear system vulnerability it may be possible to determine a series of queries that returns results relating to several different sets There are three basic ways to control the inference problem The first i to suppress sensitive data values insuring that they are not provided and rejecting the query without a response This may mean rejecting a request that is legitimate if ansswering the request would reveal sensitive data The second is concealing the exact value by providing an answer that is almost correct The third way is tracking % hat the user knos s so that each user that accessed a record can be identified if that record is disclosed Multilevel databases offer more than two levels of security and are based upon military security model explained previously Multilevel databases have three characteristics first the security of a single element may differ from the security of other elements of the same record or from records with the same attributes thus security is implemented for individual elements Second several grades of security may he needed and may represent ranges of allowable knowledge and which may overlap typically the security grades form a lattice Third the security of an aggregate may differ from the security of the individual elements 3 Network Security o A computing network is a computing environment with more than one independent processor It is usually connected through the available communications 0 network PFLEX9 p 3651 Although the communications system in Indonesia is still too immature to support a computing network the communications system is being upgraded 35 I I UI mI Iiu u nnI i Hiam0 and a computer network will be installed To help understand how tc inplement network security a network model is described below a InternationalStandards Organization ISO Model The International Standard Organization has dcvelhIcd 1 comnputer communication network model called the Open System Interconnection i l i-dcl I PFLE89 p 3661 There are seven layers in the OSI wkhich range from the user applications to the physical media connections The lowest layer is the physical layer where the physical signal transmissions o must be compatible at the bit level This layer is controlled by the hardwvare The second layer is the data link layer which is also controlled by the hardyare Thi layer control' communications management functions such as transmission recovery message separation into frames optional encryption headers and trailers and error detection The third layer is the network layer it is the responsibility of the network manager Routing and blocking o messages into packets is done in this layer The fourth layer is the transport layer it is also the responsibility of the network manager Flow control priority of service and adding information concerning the logical connection is controlled here The tifth layer is the session layer It is the responsibility of the operating system and establishes user-to-user sessions tleader- t show the sender receiver and packet sequence and recovery are added here The sixth layer is the presentation layer where the system utilities break message into 0 blocks and compress text Finally the seventh layer is the application layer which is the responsibility of the user's program This is where the messages that go over the network are initiated b Encryption in Networks The vulnerable points of the computer networks are obvious Since the information flows through an open medium that is interceptible by the attacker steps must 36 0 S0 0 0 0 0 0 0 4 be taken to keep him from being able to read it once he intercepts it There are twAo encryption schemes that can be used to conceal the plaintext from the intruder They are link encryption and end-to-end encryption I Link encryption It is performed in the low-level protocol layers tirst and second layer Data is encrypted just before it is placed on the physical communication link and the encryption process is invisible to user Encryption protects the messages as they flow through the transmission media but the messages are still in plaintext inside the hosts This means that a message is vulnerable if it passes through a host that is not secure It is most appropriate to use link encryption when the transmission line is the greatest point of vulnerability 2 End-to-End Encryption It is performed in the highest layers the sixth and seventh layers Data is in encrypted form throughout the network and the user is involved in the encryption process The messages are not in plaintext inside any of the intermediate hosts that they pass through End-to-end encr ' ption reduces the vulnerabilities when a message must be passed through several hosts any of which may be insecure It is most appropriate when untrusted systems may be attached to the network c 0 PortProtection Port protection is used to prevent unauthorized access through the network to connected computer systems The data flowing through a network is protected by network security which was described in the previous section However to prevent an S unauthorized user accessing a computer system through the network the data ports must be protected The dial-in modem is an especially vulnerable point 4 One kind of modem port protection is the automatic call-back With this device every time a user dials into the system the computer accepts the user ID and then breaks the phone connection It then finds the approved phone number for that user and 37 o oo IIS I 5 IIII 5 o o I II oo o I I I calls the user back When an unauthorized user dials into the computer system and identifies himself as an authorized user the computer system will call the legitimate user instead of the unauthorized user The disadvantage of this kind ot protection is that a user can only dial into the computer from specific place and special arrangements must he made for a user traveling with a portable computer Another kind of protection is differentiated access rights Differentiated access rights limits the access to sensitive data when that access is attempted over a modem even though the user has access over a local terminal To access the sensitive file 0 he or she must use an approved site Another protection is the silent modem The silent modem does not answer an incoming call by sending carrier tone the way that a normal modem does it waits lor 0 the initiating modem to send tone and then answers In this manner the modem does not identify itself as being a computer system until it is convinced that it is being called by another computer Finally node authentication is used to authenticated other nodes on the network With this kind of authentication scheme no node will pass traffic to another node until that node has authenticated itself 4 Multilevel Security Criteria There are many kinds of multilevel security implemented differently by many of the countries that exploit computer system as a main resource in their information systems Some of the multilevel security evaluation criteria produced by these countries are discussed here 38 l 0 0 n lmmm mmmmmmmmmnmmmnmmmmm 0 a U S DoD Trusted Computer System Evaluation Criteria TCSEC i In 1983 the U S Government published the DoD Trusted Computer System Evaluation Criteria TCSEC often referred to the Orange Book This book waos first reviewed and republished in 19X5 as DoD standard 52 H 2X-STD I NCSCS5 p 7-501 This document defines four 4 broad hierarchical divisions for the protection of computer systems They are D minimal security C discretionary protection B mandatory protection and A verified protection These broad criteria are further refined to reflect varying degrees of security within each divisions Higher numbers ithin each divisions reflect greater security The correct levels in order ot increasing leels ot trust are as follows I NCSCX5 app C and PFLEX9 p 2X4 - 2 so I I Class D Minimal Protection This class is reserved tor 5 vStel that failed the evaluation In fact no security characteristic is needed for this clas 2 Class CI Discretionary Security Protection In this c ass the minimum standard must satisfy the discretionary access control and be implemented by the 0 separation of users and data The enforcement mechanism defined in this class specifies access limitation to control the data and allow the users to protect their own data Identification and authentication are needed in this class Users need to identify themselves to access the system and the system protects the authentication data 3 Class C2 Controlled Access Protection The discretionary access control is enforced to a finer degree in this class than in class Cl Protection must be implemented to the single user level In this class the object reuse policy is implemented so that the residue or unused object cannot be used by anyone else In addition an audit trail is required for this class so that all accesses or attempted accesses can be traced back to an individual 39 00 0 4 Class B I Labelled Security Protection The dliscretionary access control and object reuse is implemented in a similar fashion to the C2 class In addition the requirements of informal statement of security policy model data labelling and mandatory access control over named subjects and obiects are added The labelling of exported information is required Any flaws identified by testing must be removed 5 Class B2 Structured Protection In this class the discretionary and mandatory access control policy enforcement methods mentioned in class B I must be extended to all subjects and objects The system must be divided into protection-critical and non-protection-critical sections In addition the audit trail system authentication mechanisnm and the trusted path must he strengthened The design specification and implementation are subjected to extended testing and review Covert channel analysis must be present Trusted facility management is provided by support for system administration and operator functions and configuration management controls are extended This system is relatively resistant to penetration 6 Class B3 Security Domains In class B3 the trusted recovery must be added to the required elements in B2 The discretionary access control audit trail and trusted path are further enhanced and the system must satisfy the reference monitor 0 requirements The security functions must be tamperproof and must be small enough for extensive testing and analysis Significant system engineering during design and implementation are needed in order to minimize its complexity i e using layering abstraction and information hiding This system is highly resistant to penetration 7 Class Al Verified Design In class Al trusted distribution is added Systems in this class are functional equivalents of the systems in class B3 The formal model design specification and verification in this system will result in a high degree of assurance This system requires formal analysis of covert channels 40 0 The 'Orange Book is recognized as first document to define multilevel security and many countries have developed their evaluation criteria based on this book b The CanadianTrusted Computer Product Evaluation Criteria CTCPEC 4 The Canadian government recently established the Canadian Trusted Computer Product Evaluation Criteria CTCPEC however the complete document has S not been published yet Basically this document 1 explained as the Canadian interpretation of U S DoD 52 0 28-STD TCSEC ICSSC9l p xi The document is divided into five 5 categories or levels ConfidentialitV Integrity Availability Accountability and Assurance Compared to the range Book which is divide into four 4 groups or requirements security politcy a ccoL untability assurance and documentation CTCPEC addresses one of the criticisms of the 'Oranlge Book CTCPEC adds the area of insuring availability as a major component of computer security The deeper levels of availability are not yet defined since this document is still in 0 development 0 Each category is split into classes and similar to TCSEC each ot them is refined into varying levels Confidentiality is split into four 4 classes Discretionary CD Mandatory CM Partitions CP and Object Reuse CR Depending on the range S each class has a range level indicated by a number bchind it for example CD- I is Confidentiality Discretionary Protection level one I The range level varies for every class depending on the hierarchical base Compared to the groups of requirements in Orange Book the three Jasses in CTCPEC which are discretionary mandatory and object reuse are interpretations of the security policy in the Orange Book The partitions class describes the compartments S which address the labelling system in the security policy of the Orange Book 41 o 0 o o oo o I0i i0 o l 0 l lI II As with Confidentiality Integrity is split into three 3 distinct classes I' Discretionary Protection Id Mandatory Protection IM and Separation of Duties IIS 0 and each class has range levels The basic structure of the integrity criteria is expected to follow that of the confidentiality criteria Furthermore Accountability describing who is split into 3 distinlct classes Identification and Authentication WI Audit WA and Trusted Path WT These criteria are drawn directly from the Orange Book Finally Assurance another word for trust is one I class and covers the range ot Operational Trust TO Life Cycle Trust TL and Documentation TD The assurance criteria are used to establish the degree to which evidential support and subsequent reasoning exists about how the chosen product's mechanisms and design 'ill support the specified product security policy throughout the life of the product These assurance criteria are directly extracted from the TCSEC c European Community Advisory Group Information Technology Security 0 Evaluation Criteria ITSEC Security The European Community advisory group developed the Information Evaluation Criteria ITSEC published in 1992 Currently this book is known as Europe's White Book This book harmonized the criteria of France Germany the Netherlands and the United Kingdom Like the CTCPEC this book also frequently referenced the U S TCSEC In addition to the White Book the German Information Security Agency Zentralstelle fur Sicherheit in der Informationstechnik published Criteria for the Evaluation of trustworthiness of Information Systems in July 1989 At the Book same time France developed the same criteria in the so-called Blue-White-Red SCSSI The U K also produce a similar criteria for security evaluation ISOG191 p 91 42 o 0 0I0l0ll o o oo o n mi0 o0 i n 0mn Basically the criteria define ten 110 distinct classes of security functionality which is based upon classes defined in the German National criteria and seven 7 distinct classes of Assurance IDITT9 1 p 2 69 and RuSS9l p 319-3211 The ten 10 classes of security functionality are I FI Discretionary Security Protection This class is derived from -Orange Book class C I 2 F2 Controlled Access Protection This class is derived from Orange Book class C2 3 F3 Labelled Security Protection This class is derived from Orange Book class B1 4 F4 St'uctured protection This class is derived from Orange Book class B2 5 F5 Security Domains This class is derived from Orange Book class B3 A 1 6 F6 High Integrity for data and programs A distinct class for systems with high integrity in contrast to confidentiality requirements for data and programs It's particularly appropriate for database systems 7 F7 High Availability A distinct class for systems with high standards 0 for either a complete system or a special function of a system It's particularly appropriate for process control systems 8 F8 High Integrity during data communication A distinct class for systems with high standards for safeguarding data integrity during data communication 43 0 SI I0I I I I I I I I I 0 0I 0 9 F9 High confidentiality during data communication A distinct class for systems with high standards of confidentiality of data during data comnmunica ion WV's particularly appropriate for cryptographic systems 1 U FI U Networks with high demands on confidentiality and integrity A distinct class for networks with high demands for the confidentiality and integrity r o the o information to be coommunicated It's particularly appropriate when sensitive information needs to be communicated over insecure e g public networks And the seven 7 assurance levels are o H1 EU Inadequate confidence Roughly equivalent to Orange Book class D assurance 2 El Tested Roughly equivalent to Orange Book class CI assurance 3 E2 Configuration contrnl and controlled distribution Roughly equivalent to Orange Book class C2 assurance 4 E3 Access to detailed design and source code Roughly equivalent to Oranie Book class B I assurance 5 E4 Rigorous vulnerability analysis Roughly equivalent to Orange Book class B2 assurance 6 ES Demonstrates correspondence between detailed design and source code Roughly equivalent to Orange Book class B3 assurance 7 E6 Formal models and formal descriptions linked by formal correspondences Roughly equivalent to Orange Book class A I assurance 44 S000 0 0 0 0 0 d U K Technical Criteriafor Security Evaluation ' e U' K also developed the Technical Criteria for Security Evaluation which was published in February I X9 IDIT7ll9 p 26X1 This document specifies security functionality in two complementary ways I Security Prerequisites define a set of axiomatic statements about the S properties required of a system to provide for maintenance 2 Claims Language defines a language that is used to describe the features in a form suitable for use as a standard for evaluation 0 The Security prerequisites are categorized in two types Security controls which are enforceable X I to X6 and Security objectives that are not entorceable YI to 0 Y5 The enforceable security controls are 1 XI Accountability 2 0 X2 Authentication 3 X3 Permission 4 X4 Object Protecti3n 5 X5 Object Reuse 6 X6 No Repudiation 0 And security objectives that are not enforceable are 0 t I Y I No Addition 2 Y2 No Loss 3 Y3 Confinement 4 Y4 Timeliness 5 Y5 No Denial of Resources 0 45 II A table inside this document is used to match the security claim phrase which is satisfied by each security prerequisites From this a matching evaluation level can be found as level from L I to L6 5 The Need for Multilevel Security In the previous section one method to ensure that computer svtem security works perfectly is data access control The best known way to implement it is the multilevel security model Multilevel security data bases require two or more levels of security for both the data elements and the users of one data base IPFLE89 p 3291 Data in the system is segmented into parts that have their own classification every user in this system also has his own level that indicates permission to access data One example is the United States military security model Every user in the system has a level t' security and the file has a level The level of the user defines what kind of data level can be accessed Subsection one 1 in this section described how the military models work If the Indonesian Navy is to complete every mission and task it must continue to develop its information technology Computers and communication networks move information around at the speed of light The Navy began moving into the information age more that ten years ago with a stand-alone computer They are now upgrading the communications infrastructure to support local and wide area networks Multilevel security offers the Navy the opportunity to protect the nation's secrets while keeping up with the demands for speed and reduced costs E SUMMARY The first problem in implementing a computer security system is identifying the threats to the computer system This chapter described several threats to computer security threats to the physical system to the software and to the data The threats were also divided into internal or external threats These threats are due to the system integrity 46 Iis privacy Several controls to protect against these threats are also described in this chapter as ell as an approach to determining cost effectiveness The next chapter reviews the 40 current policies of the Indonesian Navy regarding computer security - n Bil Il 47 lnnn m I i m H ll B ll0 0 III REVIEW AND CRITIQUE OF THE CURRENT COMPUTER SECURITY POLICY OF THE INDONESIAN NAVY A THE CoMPUTER SYSTEMS ISEI BY TiE INI NESIAN NAVY The first computers procured by the Indonesian Navy were analog computer that were installed on war ships to calculate gun trajectories and control existing weapon systems These computers controlled mechanical linkages and gears The software was not susceptible to viruses because it was not able to generate corrupted copies of itself or other software The only computer security required was physical security In the early 19 7 '% the Indonesian Navy developed an information center to support more sophisticated general-purpose digital computers The first system installed in the center was an liternational Business Machine IBM mainframe model 371 The primary uses were administrative personnel management and payroll functions Because of the centralized design and operation of early mainframe computers security needs were limited to personnel security and physical security In the late 1970's the Indonesian Navy continued the modernization program by purchasing new ships These ships were built and outfitted in Europe and included modern digital computerized weapon-control systems These computer systems were built by HSA Holland a subsidiary of Philips The software used in this system was written or modified by HSA Holland at the time of manufacture and in accordance with the Indonesian Navy's specifications Because of the real-time processing requirement the systems were all coded in assembly language To promote standardization the next order of ships used the same fire-control systems To support these ships the Navy expanded the computer center They added a Digital Equipment Corporation DEC VAX-I 1 750 running VAX VMS The software 48 mmm m mmmmmmnm mm m o m mmo m mmmm0 0 4 and hardware have been upgraded as needed and other facilities have been added as the center outgrew its original building At this point in the center's development the computer systems were still isolated and physical and personnel security were all that % as required The next step in the Navy's use of computers was the introduction of personal 0 desktop systems to further support administrative and logistics functions Because of Indonesia's poor quality telephone lines the computers still operated in a stand-alone manner o Now the Navy intends to install local-area networks as the first phase of a program to develope a data-communications network that %%illconnect ail the computer systems Thi will greatly complicate the security requirements B CURRENT POLICIES AND STANDARDS IN THE INDONESIAN NAVY Naval Chief of Staff Regulation No JUKNIK 6 VI XI dated 201 June 19XI is the current regulation that establishes standards of information systems The regulation is a combination of reference material that was supplied by the manufacturers of the Navy's systems and literature that was found in other countries The regulation focused on personnel threats from inside the organization because there were no known attempts at unauthorized access by hackers or spies Threats to the data were perceived to come from the computer center personnel and were compensated for by organizational structure Threats from outside the computer centers were nullified with physical security such as guards and locks Regulation No JUKNIK 6 Vi Xl defines four organizational responsibilities for every computer center and Navy office equipped with a computer system They are I Personnel security 2 Physical security 49 o 3 System development 4 Planning and operating security In addition to the organizational responsibilities there is great emphasis that every user is personally responsible for securing information I 0 Personnel Security Personnel security requires that each person with access to a computer sy te1fl must have a security clearance with a prescribed level of access That person may then use the files that are at or below his or her access level Prior to using a file with a higher 0 access level he or she must be granted clearance by the information security administrator Even government officials are required to be granted access before being allowed to have the information in a computerized file This restriction extends to the 0 maintenance personnel Maintenance personnel will either have a clearance and access to the highest level of information stored on the machine or they will be supervised at all 0 times by personnel that do ha e ihle appropriate clearance and access 2 Physical Security The physical security requirements are the most precise because the threats are the most obvious and most predictable The effect of natural disasters such as floods storms and fires can be predicted and mitigated through site location and construction standards and this regulation has stated the common equipment and backups to be used against them Computer network security is also discussed in a global and theoretical manner since the network itself was not completed at the time the regulation was written Document security stresses the destruction of paper products and does not adequately address the control and destruction of electronic media such as disks and tape or electronic messages such as E-mail and electronically transferred files 50 o1lila II I I Il ig II II -I I I0 3 System Development The section on system development addresses the need for standard procedures and documentation Every program file should be validated and verified before it is accepted for use on the system To record faults in the operation of the computer system the regulation specifies a log book or journal The use of an automated journal that would automatically record discrepancies and report them to the system administrator and security administrator is not discussed Therefore the effectiveness of the recording and reporting system rely almost completely on the human operators Individual ethics morality and dependability are the major components of this critical reporting system 4 Planning and Operating Security The section concerning planning and operating system security specifics the required plans and procedures to ensure the secure use of the system This includes instructions for authenticating and validating source data before entering it into the computer system The use of cryptographic devices for protecting communications and data and the requirements for security checks of the communications channels are in this section Also included are requirements for equipment layouts to ensure such things as the placement of terminals to prevent viewing by unauthorized personnel System security includes file access hardware integrity and Software integrity File access is controlled by passwords badge reading assigning file attributes such as read write and execute to each individual and even by limiting access to certain files to specific terminal addresses The regulation specifies regular and as-needed changes of passwords and badges to maintain security Maintaining hardware integrity is essential for the secure operation of a computer system The regulation mentions several methods for ensuring aspects of hardware integrity They include read after write parity checks check sums check digits 51 00 SI II I ll I Il lll I l B lie l hash and counts and sequence numbers All these methods will verify some aspect of system integrity But along with adding to the cost of the computer system security devices in the hardware impact the computer performance ILANEX5 p 551 There is very little discussion in the regulation of how to determine the effective trade-off between cost performance and security This section also lists several requirements to insure software integrity but it is very unclear what the original author or authors were trying to accomplish The regulation states that violations of software integrity can be detected by observing the file number and by automatically verifying the programs code Unauthorized variations in the code or the tile number indicate a violation The program must be prevented from losing corrupting or copying data The operating system must be capable of controlling the data transfer between the processor and on-line devices fully protect the memory and be able to interrupt system and peripheral devices as needed It should also be able to limit access of maintenance personnel to authorized levels and procedures And the erasure of classified information must be conducted and verified in such a manner that there is no residue This section must be rewritten to clarify the instructions as well as to reflect current technoiogy 5 Personal Responsibility Finally the regulation stresses the individual userfs responsibilities concerning information security These responsibilities are stressed as an ethical issue instead of a 0 regulatory issue Security depends on every person who uses the information bearing in mind that the information is to be used for the good of all Indonesians When that occurs all are aware of the meaning of security and how important it is 52 I0 o o oo I0 0 o 0 0 o0 0 0I C THE P i ICY NEEDS TO BE IUPI ATED l There are many reasons that the polices and standards now used by the Indonesian Navy need to be updated The most obvious reason is that technology has changed so much Since Regulation No JUKNIK 6 VI XI was written in 19X8 the regulation has become obsolete The techniques of hackers crackers and spies have kept pace with tihe advances in technology and the Navy will be vulnerable until its security regulations and security programs recognize and deal with these threats Several matters that are inadequately addressed or not addressed at all are I 0 The Proliferation Of Viruses Trojan Horses And Worms There is no definite time %hen the term cOmputer virus 'as' L o1Mi hut the 10da when Dr Frederick Cohen published his thesis about computer viruses t X seemo to mark the first published reference At least his thesis marks the time when the treat of viruses began to be explored by computer scientists Since the regulation was written three 0 years before Dr Cohen's thesis the work on this kind of program sabotage needs to be included 2 Powerful Personal Computers Are Becoming Widely Available With the proliferation of powerful personal computers available at modest prices it is becoming more common for professionals to have a computer to work on at home Since these computers are not subject to the same protections as the ones in the office they can be the source of infections and attacks The regulation must deal with persons moving files between their systems at home and their systems at the office 3 Networked And Distributed Processing Systems 0 As the telecommunications systems are improved computer networks and distributed computing systems will become more prevalent Because the number of entry 53 0 S S S S 0 0 0 0 4 points for an attacker is increased the controls are harder to implement A major problcm X for commanders and administrators is that for the first time terminals and systems that can be the source of an attack on their systems are not under their control Thus for them to have confidence in their security they must believe that all systems security on the network is the same This is easiest to accomplish by placing the requirements ill a regulation that applies to all organizations on the network 4 Rapid Technological D evelopment The technology of computer security has developed quite rapidly inl industrialized nations as a result of miscellaneous attacks on their systems Indonesia us a developing country can be a purchaser of much of this computer security technology Security regulations must make provisions for the on-going review of technological 0 developments and their insertion into the Navy's systems 5 Increasing Reliance On Computer Systems For National Security The primary task of the Indonesian Navy is defense of Indonesia from possible attacks Because the Navy is relying more and more on computer systems to accomplish its missions the effect of a successful attack on the computer systems is becoming ever more serious The regulation must provide guidance to all levels of administration for protecting against this threat 6 Multi Level Security MLS Regulation No JUKNIK 6 VI 81 was written prior to the public discussion of multilevel security MLS so it does not include any reference to the concept MLS has many advantages in terms of cost savings and reduced overhead Because all information S can exist on one system regardless of security classification redundant systems do not have to be purchased installed and administered Databases do not have to be replicated and 54 4 0 00000 6 -j maintained on multiple systems and more efficient use can he made of all equipment The O potential savings are immense MLS will be an important component of the next security SI regulation 1 SUMMARY This chapter reviewed the current computer security policy of the Indonesian NaUvy which is implemented in Naval Chief of Staff Regulation No JUKNIK 6 VI Xl dated 201 June 1981 The regulation codifies the policy governing computer security in the late seventies Due to advances in computer technology the infrastructure that supports it and our growing reliance on computer systems new policies are needed to ensure that those systems are available when we want to use them The next chaptei proposes changes to Indonesia's existing policies to reflect current technological advance o 55 ooo o n o u o n I oo oS 0I I 0 -J IV POLICY FOR THE INDONESIAN NAVY Having studied the foundational concepts of computer security and reviewing the existing regulations about computer security in the Indonesian Navy we can now determine what actions are required to improve the policy that is already in place A THE NEED FOR A COMPUTER SECURITY POLICY The goal of developing a policy on computer security is to define the organization' expectations of proper computer and network use and to define procedures to prevent and respond to security incidents In order to do this aspects of the particular organization should be considered Since this policy is developed for the Indonesian Navy the organizational goals concern the safety and unity of the whole nation To achieve these goals of national security computer security must be a top priority of all users of computer % y 'tcms However not all information in the Indonesian Navy can be considered top secret some of it may be secret confidential or even unclassified Thus the most effective system to have is a multilevel security MLS system However since the implementation of a multilevel security system is costly and since some systems now owned by the Indonesian Navy are still useful the policy must address an evaluation criteria that evaluates existing as well as proposed systems In this manner the machines that fail the evaluation for processing a certain classification of information may still be used to process information at a lower classification The second function of the evaluation criteria will be to assess the suitability of proposed equipment Using the criteria will aide the security and acquisition personnel insure that new systems and components support the approved security architecture 56 I Policy Maker Responsibility Policy creation must be a joint effort by technical personnel who understand the full ramifications of the proposed policy and the implementation of the policy and the decision makers who have the power to enforce the policy A policy that is neither implementable nor enforceable is useless In the Indonesian Navy the policy should be established by the joint effort of the Naval Data Collection and Information System Naval Telecommunication and Electronic Directorate Naval Sensor Weapon and Command Directorate as the technical personnel and Naval Security Directorate and Naval Operation Directorate as the decision maker who enforce the policy Furthermore the directorates mentioned above will have their own responsibilities in the security organization form for computer system 2 Evaluation Criteria as the First Step Chapter III described some of the old models of computer systems adopted by the Indonesian Navy As a developing country establishing a new system by discarding an existing system is a very costly action especially if computer production is dependent on a foreign country To avoid spending money for replacing every computing system with new equipment to exactly implement the multilevel security the existing equipment may be used for a lower classification of information An evaluation criteria is needed in order to define the classification of existing equipment Certain levels of information may be kept or processed on these older systems based on the classification of the equipment In addition this evaluation guide will be used to develop a new system or purchase an available system to be used by the Navy to support any tasks that are suitable 57 0 0 for automation It is clear that the Navy needs a new guide The next task is to choose tile published criteria that is the most applicable to the Navy's requirements B THlE NEEDS OF THE INDONESIAN NAVY The first published criteria tor evaluating multilevel se urity tellis I the I'rusted Computer System Evaluation Criteria developed by the 1' S Government t'sini this L uide as a baseline other countries de%eloped evaluation criteria of their o n- They are 'anada Germany the 1' K the Netherlands France Australia and New Zealand Germany the U K the Netherlands and France went on to develop a harmonized criteria tor thel European Community I Criteria for the Indonesian Navy Indonesia needs to hao e an evaluation criteria for the computer systems that are already installed as well as those that they will procure in the future The Indonesian Nav y as a military organization exploits computer systems to support its operations Since the Nasv is a complex organization %kith different classifitc'ation rle eIs Ot information they ill benefit from a multilevel security criteria The Indonesian Navy imports all of the hardware and softtwrare that it use As a consequence the criteria they adopt should match the machines being imported Th1 mainframe computer systems are mainly imported from the L' S and personal computers are imported from Asian countries So it is important that the first evaluation criteria should refer to the U S products In other words they should adopt a policy based on the Orang e Book However the Orange Book from the U S Government must be supported by the rainbow series which is too large and complicated to be adopted by the Navy at this time Currently the information technology and the infrastructure possessed by the Indonesian Navy does not require this complicated approach III The ITSEC from European Community are not straight-forward evaluation criteria but depend on the technical judgements of experts in each country This occurred because the ITSEC is a harmonized criteria from several countries in Europe This would be difficult for the Indonesian Navy to adopt because they do not have the experts to interpret the ITSEC The Canadian Government directly interprets the 'Orange Book in the Canadian Trusted Computer Product Evaluation Criteria It is a simple publication and with small modifications can be adapted to the Indonesian Navy The purposes of the recommended Trusted Evaluation Guide TEG which is adapted from Canadian Trusted Computer Product Evaluation Criteria are a Mleasurement o To provide Indonesian Navy with a metric with which to evaluate the degree of trust that can be placed in computer products used for processing of sensitive 0 information b Guidance To provide a guide to contractors manufacturers as to what security features to build into their new and planned commercial products in order to produce widely available products that satisfy trust requirements for sensitive applications In Chapter If it was noted that the Canadian Trusted Computer Product 0 Evaluation Criteria CTCPEC is divided into five categories or levels Confidentiality Integrity Availability Accountability and Assurance The recommended Trusted Evaluation Guide is also divided in the same way a detailed description of each of these 0 areas can be found in section D of the appendix 0 59 i0 00 0 0 -0 0 0 0 0 Since many documents refer to the U S Trusted Computer System Evaluation Criteria TCSEC it is useful to provide a mapping of the classes found in the recommended Trusted Evaluation Guide TEG for the Indonesian Navy to those found inI the TCSEC a Confidentiality mappings ConfidentialityiDiscretionary Protection TEG TCSEC CDO DI CDI CI CD2 C2 - B2 CD3 B3 - A I Confidentiality Mandatory Protection TEG TCSE CM D - C2 CMI BI CM2 B2 CM3 B3 - A Confidentiality Partitions TEG TCSEC CPO D - C2 CPI not available CP2 B2 - BIi CP3 B3 - Al 60 S I I0 Confidentiality Object Reuse b TE rSEC CRO D - CI CRI C2 - AI Integrity mappings Integrity Discretionary Protection TE TCSEC ID D-AI - Integrity Mandatory Protection TElG I' 2SE ' IM to D - A I Integrity Separation of Duties TE TCSEC ISO D ISI CI -C2 IS2 BI - B2 IS3 B3 - AI IS4 not available 61 00 oQo o I 0I I0lll ll II l0nl o llI0 oo o 0 I c Accountability Who mappings Accountability Identification and Authentication TE TCSEC WIl D WI Cl W12 C2 WD3 BI-AI TE TCSEC' WAO D - CI WAI C2 WA2 BI WA3 B2 WA4 B3 - Al1 Accountability Audit S Accountability Trusted Path rE rCSEC WTfl D - BI WTI B2 WT3 B33- AI 62 0 IIIIIII0 0 d Assurance Trust mappings Assurance Operational Trust TE TCSEC TOO D TO Cl TO2 C2 T03 BI T04 B2 T05 B3 T06 AI Assurance Life Cycle Trust 0 TE TCSEC TL D TLI Cl TL2 C2 TL3 BI TL4 B2 TL5 B3 TL6 AI 0 0 S 63 000 0 00 0 00 0 Assurance Documentation TEG TCSEC TDO D TDI CI TD2 C2 TD3 BI TD4 B2 TD5 B3 TD6 Al 0 0 0 From this mnapping it is clear that there is a close correspondence between the 0 proposed Trusted Evaluation Guide TEG and the U S TCSEC which may aid in performing cost effective evaluations of systems 2 Security Organization 0 It was mentioned in Chapter 11 that individual users play the primary role in information security However there is a need for a formal executive body that is responsible for the computer security organization In the Indonesian Navy existing 0 executive bodies may be assigned additional responsibilities concerning computer security The Naval Data Collection and Information System as the incubator for information systems in the Navy will be given the main responsibility for securing information systems It will also act as the administrator that executes the regulation concerning computer systems This body has the Navy's experts in computer technology 0 The Naval Telecommunication and Electronic Directorate will be responsible for securing the computer network In this body there is a special section that works with the 0 64 0 00 0 0 0 0 0 0 0 encryption and decryption techniques With this experience it can direct the use ot encryption and decryption in the computer system The Naval Sensor Weapon and Command Directorate is responsible for the combat information systems on hoard the ships This information concerns combat information and is considered top secret This body must clearly understand the %value t information and how to secure it All the organizations listed above have responsibilities in the technical areas ot computer security In order to enforce the security regulations the executise body wvhich has the power to enforce the regulations must be involved The Naval Security Directorate has primary responsibility in all aspects ot security in the Navy Therefore it has responsibility for computer security as- ell It ' ill inspect the implementation of security in all of the Naval organizations that possess computer systems This directorate needs to create a section with the primary responsibility for computer security policy and inspections The Naval Operations Directorate as the top management level has the power and responsibility to see that the security regulation is implemented thoroughly C SUMMARY S An etffective cornputer security policy supports the goals and missions o the organization The goals and missions of the Indonesian Navy is nothing less than preserving the security and unity of Indonesia Computer systems will continue to grow in importance as a tool for accomplishing those missions An effective security evaluation program is essential to guarantee that the tool will be available when needed The criteria to support such a program was laid out in this chapter The next chapter contains the recommendations to implement an effective security program 65 SI l lllll IIIl Il I I II IIIllI l S V CONCLUSIONS AND RECOMMENDATIONS 0 Having studied the concept of ideal computer security and reviewed % hathas been done by the Indonesian Navy it is obvious that the computer security regulation needs to be updated This is especially true for the sections dealing with physical and communications security as well as data security integrity and availability There are several actions that the Indonesian Navy needs to take to impro e its computer security posture Some actions should be taken immediately some policies and procedures will take 12 to IX months to develop ahid implement y%hile others ill take many years These recommendations are explained below A RE ULATIONS CONCERNIN PHYSICAL SECURITY There is a need to more clearly state the security requirements in Regulation No JU KNIK 6 VI X I The advanced technology available today can be applied to the physiLal security of computer systems The amoum and sophistication of the technology used should be balanced by the amount and value of the information in the system For example to protect an area where top secret information is processed may require 0 sophisticated authentication devices such a magnetic stripe cards or a retinal pattern reader REGULATIONS CONCERNIN DATA SECURITY INTEGRITY AND B AVAILABILITY The regulations concerning data security need to be updated to reflect the developments in information technology The networked and distributed computing systems are already being installed in the headquarters starting with a local area network 66 0 0 0 0 0 0 0 00 Obviously with this development the threats to data ecunty integrity and aailabilitV become greater The regulation should be Llearly written to cover these increased threats Regulations concerning %irus protection also need to be %ritten since the Regulation No JUKNIK 6 VI XI was written before viruses were known This i %ery important since the environment in Indonesia is so favorable for spreading %iruss troin one computer to another The Indonesian Navy needs to protect its systems With antivirus programs and procedures The programs need to be updated regularly because ne and more sophisticated viruses are being developed all the time A connection Aith an anti irus sottware manufacturer is recommended so that every product update is immediately available Until then messages should be sent to all organizations using computer systems prohibiting disks that were used on nongovernment computers from being used oin government computers C RECOMlMEND ED TRUSTED EVAIUATJE N EdUlI E As a military organization that has several degrees of information sensitivity the Indonesian Navy needs to implement multilevel security MLS in certain critical areas that deal with classified information The recommended Trusted Evaluation Guide proposed for the Indonesian Navy in the appendix is adapted from the Canadian Trusted Computer Product Evaluation Criteria CTCPEC with minor modifications This is because the CTCPEC is such a clear and simplified interpretation of the Orange Book The Orange Book requires the entire rainbow series which is more than the Indonesian Navy requires at this time 67 S I llII I I III i ll I I0 4 I Intermediate Actions The evaluation guide proposed in this thesis is not yet complete The chapter covering data availability still needs to be written in order to have a complete definition ot security Furthermore this evaluation needs to be expand in scope so that products from all over the world can be evaluated since Indonesia may import systems from all osyer tile world When the evaluation guide is completed and adopted a trusted computing architecture must be developed that will guide all computer purchases for the Navy All communications links will be analyzed and prioritized by risk and the most vulnerable links will be encrypted an'i funds are make available 2 0 Long Term Actions The evaluation guide should be automated so that it will accelerate and simplify evaluations A software system that accepts characteristic values of a system and automatically produces the required classification based on the evaluation guide will produce consistent results Very quickly This will increase use of the evaluation criteria and possibly reduce the time it will take to achieve a trusted network In a nonautomated system for conducting evaluations several highly skilled individuals are required Automation is highly recommended since the Indonesian Navy currently possesses few experts with the required skills to perform evaluations In addition the U S Federal Government together with Canadian Government are developing joint standards in evaluating a computer products These actions may be followed by harmonization with European countries The proposed Trusted Evaluation Guide positions Indonesia to participate in these efforts As trusted systems and components are procured they will replace the untrusted systems currently in use This will strengthen the entire security posture of the Indonesian 68 S I I I I i nl lllm illi nl0 I Navy But empirical and validation studies that measure the effect of the statements in the N evaluation guide is needed D SUMMARY Taking these steps will enable the Navy to plug many of the most dangerous holes 0 immediately design a balanced security program in the near future and build a trusted multilevel computing environment over time In the end the Indonesian Navy will have a security system that is versatile effective and efficient This is a goal well worth working 0 towards 0 0 0 0 0 69 0 0 0 0 0 0 0 0 0 0 APPENDIX RECOMMENI ED TRUSTED EVALUATION GUIDE I INTRODUCTION A HISTORICAL PERSPECTIVE The criteria presented in this document are based on the U S Department of Detense Trusted Computer System Evaluation Criteria DoD 520 0 2-STD which evolved from the earlier NIST and MITRE evaluation material 0 B SCOPE The trusted computer product evaluation criteria defined in this documcnt apply primarily to trusted commercially available electronic data processing ED ' products 0 Included are two distinct sets of requirements 1 Specific Security Feature Requirements The spl-cific feature requirements encompass the capabilities typically found in information processing products employing general-purpose operating systems that are distinct from application programs being supported However specific security feature requirements may also apply to specific products with their own functional requirements applications or special environments e g communications processors process control computers and embedded products in general 70 0 40 o --00 oo o 4 o 0 0 0 II 2 4 Assurance Requirements 5 The assurance requirements on the other hand apply to products that coyer the full range ot computing environments from dedicated controllers to full range multilevel secure resource sharing products C PURPOSE S The criteria have been developed to serve a number of intended purposes I To provide the Indonesian Navy with a metric with which to evaluate the degree of trust that can be placed in computer products used for the processing of sensiti'e information and To provide a guide to manufacturers as to what security feature to buld into 2 their new and planned commercial products in order to produce idely aailable products that satisfy trust requirements for sensitive applications With respect to the first purpose for the development of criteria i e providing the Indonesian Navy with a security evaluation scale evaluations can be delineated inii two types 1 An evaluation can be performed on a computer product from a perspective that excludes consideration of a specific application environment 2 An assessment can be done to determine whether appropriate security measures have been taken or can be taken to permit the product to be used operationally in a specific application environment This type of evaluation is more commonly known as a risk assessment It must be understood that the completion of the first type of evaluation i e a formal product evaluation under the Trusted Product Evaluation Program does not constitute certification approval for the product to be used in any specific application environment The evaluation report only provides a trusted computer product's strengths and 71 o S S o o oo o Ili0 mlll 0 o I 0l ll0l l 4m weaknesses from a computer security point of %iew A risk assessment and the formal appro al done in accordance w ith the applicable policies of the Indonesian N % n the instivititonI and ot must still he tollo ed bet ore a p0rodut hich intend to use the prodi can he appros cd tor use in processing or handlino classified intorination in a particulai application Directorate Security remain ultimatel ' reponsbIlC 1tot pe01 IfL the1 security requirements for their respectie EDP systems The tri ted c omputer product e aluation criteria w ilI be used directl and indire Cctl in the certification and appro al processes The criteria ykill he used directl as techni al ifviii guidance for e aluation of a product heine considered for certitication and for specLIt certification require'mtfents for such a product Where a candidate product hein e aluatcd for certification eniplo s as a subsystem another product that has alrc ad udid oi_ e an evaluation under the Trusted Product e aluation Program reports from the et aluation of the subsystemr %killhe used as input to the evaluation of the candidate product The criteria will he uVed indirectly as reference durinL the risk assesment proess Technical data w ill be furnished to deWilners e aluators and irC toraIte S C uitV to support their needs for making decisions 1 111 S TIRrITY REQ 1'IREWIFN'IS FT'I'NA IENT I 7 o 'TER An discussion M computer securitv nece ssarilv starts from a statement o t requirement i e what really means to call a computer product secure In general a secure product w ill control through use of specific security features access to in ormation v ithin the control ot the product such that only properly authorized indi iduals or processes operating on their behalf will have access to read write create or delete information Figure 1 graphically illustrated the basic thought of the basic structure of a secure system Six fundamental requirements are derived from this basic statement objectie four deal with what needs to be provided to control access to information and 72 0 0 0 0 0 0 0 tvwo deal %ith how one can obtain credible assurances that this is accomplished in a trusted computer product Process Figure I View of a Secure System I Subjects objects and Processes as Entities Unlike the traditional view of subjects and objects espoused by the NCSC this Recommended Trusted Evaluation Guide's view of each is isomorphic To view each entity one must view it from the perspective of the TCB In this way one can see that each entity is an entity with at least the following attributes a Name What is the name of the entity i e user ID name of file etc 73 b Label Designated level of operation This is set at login time tor subjects and known for processes and objects c Mlultilevel Is the entity capable of multilevel access ' d DiscretionaryAccess Restrictions What are the discretionary access restrictions to the entity ' e Duty list What are the entity's predefined duties ' This creates an isomorphic set ot entities Subject I'ser Process Data Object which are accessed in an orthogonal way The methods of access for objects are identical to those for subjects and processes This allows for users to he viewed as multilevel dev ices as are most input output devices Also a user kould log in with a specific label associated w ith himself This label would to the TUB look identical to labels associated with various objects and process throughout the system 2 Security Policy There mu it be an explicit security policy enforced by the product This policy would consist at least one of confidentiality integrity availability and accountability A level of assurance would be determined relative to the strength of the mechanisms within the product enforcing the security policy 74 0 0 0 0 0 0 0 3 Confidentiality 0 a Requirement i Discretion Given identified subjects and objects there must be a set of rules that are used by the product to determine whether a gien subject Can be permitted to L ain access to a specific object b Requirement 2 Compartmentalization Given well defined compartments be they hierarch cal or not the product must be able to determine the compartment at which the subject is working and the level At the object to which the ubject wishes access and authorize or not access to the ohjlett accordini to the defined security policy ot the product c Requirement 3 Marking Confidentiality labels must be associated with objects In order to control operations on access to information stored in a computer according to the rules of a mandatory security policy it must be possible to mark every object with a label that reliably identifies the object's sensitivity level e g classification area of work etc and or the process authorization accorded those subjects who may potentially access the object 4 Integrity a Requirement 4 Separationof Duties Given well defined duties the product shall ensure that any subject's attempt to access an object is properly authorized as defined by the security policy Any attempt to access an object other than by a known path will be disallowed and appropriately recorded 75 Il 0 i i 0 5 Availability Not Yet Complete 6 Accountability a 0 Requirement 5 Identification Individual subjects must be identified Each access to iiitormatiofl must hC mediated based on who is accessing the information and %%hatclasses of intormiation they are authorized to deal with This identification and authorization information must he securely maintained by the computer product and be associated with every active element that performs some security-relevant action in the product b Requirement 6 Accountability Audit information must be selectively kept and protected so that portion to the audit record reflecting a security breach can be used to track down the responsibility party A trusted product must be able to record the occurrences of security-relevant events in an audit log The capability to select the audit events to be recorded is necessary to minimize the expense of 'iuditing and to allow efficient analysis Audit data must be protected from modification and unauthorized destruction to permit detection and aftero the -fact investigations of security violations 7 Assurance a Requirement 7 Assurance The computer product must contain hardware software mechanisms that can be independently evaluated to provide sufficient assurance that the product enforces requirements one through six above In order to assure that the six requirements of Security Policy Marking Identification and Accountability are enforced by a computer product there must be some identified and unified collection of hardware and software controls that perform those functions These mechanisms are typically embedded in the 76 i i o operating system and are designed to carry out the assigned tasks in a secure manner The basit for trusting such product mechanisms in their operational setting must be clearly 0 dOcumnented such that it is possible to independently examine the evidence to e aluate their sufficiency b Requirement 8 Continuous Protection 0 The trusted mechanisms that enforce these fundamental requirements ust be continuously protected against tampering and or unauthorized Changes No omputer prooluct can be considered truly secure if the basic hardv are and ott% ineLhamnism m 7 0 that enforce the security policy are themselves subject to unauthorized mlodtiftiatilonl M subversion The continuous protection requiremient has dirct impIIL it m 1i1tl hni uo houit the computer product s life-cycle E o STRUCTURE OF THE DI OCUMENT This document is divided into six parts The first part covers the introduction and the 0 following five parts present the detailed criteria which relate to the fundamental requirements descri bed above F STRUCTURE OFTHE CRITERIA 0 The criteria are divided into five categories Confidentiality Integrity Availability Accountability and Assurance Each category contains classes which are generally 0 ordered in a hierarchical manner with the highest division being reserved for products providing the most comprehensive security features Each division and class represents a major improvement in the features or assurance one can place in the product for the 0 protection of sensitive information As improvements in the features are exposed within each of the five categories a level is assigned This level increases as the features increase Each category is numbered 77 @ 0 0 0 0III 0 IIIm 0I l 0mI I 0 following a logical and linear path commencing at zero i0 and orking up ards Readers should not make the mistake of assuming that the levels of one category directly correlate to those of another Although two levels ithin toxo distinc t categories ma'i he numbered the same they do not necessarily detine I classitication hierarchy It one ie' s the document as a set of five distinct criteria which are coupled by way ot a constraint oone will ha% e a better understanding of the structure The breadth of Levels found % thin each category is defined below Confidentiality Confidentiality is split into tour distinct classes Discretionari Mandatory Partitions and bject Reuse Each o t these 'lasses have a range of levels Integrity 0 Confidentiality Discretionary Protection CD - CD 3 Confidentiality Mandatory Protection CM Confidentiality Partitions 'P 0 - 'P 4 Confidentiality ObJect Re-use CR I - CR I Integrity is split into three distinct classes - C'M 3 Discretionary Mandatory and Separation of Duties Each oit thesw 'las cs ha e a ranee of levels Integrity Discretionary Protection ID I - ID 3 Integrity Mandatory Protection IM 0 - IM 3 Integrity Separation-of-Duties IS U - IS 4 0 Availability Unknown at the present time 78 0 0 0000 00 0 Accountability Accountability is split into three distinct classes Identification and Authentication Audit and Trusted Path Each ot these 'lasses have a range of levels Assurance Accountability Identification Authentication WI - WI Accountability Audit WA II - WA 3 Accountability Trusted Path WT - WT 2 Assurance is one class This class covers the following range 0 Assurance Operational Trust TO 0 - TO 6 Assurance Life ' ICTrust T'L I A' surance Documentjtion TD FL 6 - TD T h6 00 79 Sm H ialaa d mmmli mnia m omi imIIa a i0 Il CONFIDEINTIALITY Confidentiality is broken down into onstituent 0 omponents Each component describes a distinct and separate portion of the hole we call Confidentialitv These components are discretionary protection mandatory protection partitions 111d OhiCLi reuse A DISCRETIONARY PROTEuCiON Levc within this division provide for discretionary protection at the control ot the ow ner 1 Level CI -0 Noncompliant This level Confidentiality Discretionary Protection Level 0 CD-O is reserved for those products which have been evaluated but fail to meet the requirements of any of the Discretionary Protection required by confidentiality 2 Level CD-l Discretionary Security Protection A confidentiality Discretionary Protection Level I CD-I s 'stemn nominally satisfies discretionary protection requirements by providing separations of users and data It incorporates some form of credible controls capable of enforcing access limitations on an individual basis i e suitable for allowing users to be able to protect private information and to keep other users from accidentally reading or destroying their data The CD- I environment is expected to be one of cooperating users processing data at the same level s of sensitivity The product shall define and control access between named users and named objects e g files and programs The enforcement mechanism shall allow users to 90 ooo o o S oo -- iX o - specify and control sharing of named objects by named individuals or defined groups ut named individuals or both 3 Level l -2 Uontrolled Access Protection Confidentiality Discretionary Protection Level 2 hen elorth 'D-21 product enforce a more finely grained discretionary protection than CD- I products and prov ide a 0 limited form of resource isolation The product protection mechanisims shall define and control access betvseen named users and named objects e g files and program The enforcement mechanism 0 shall allowk users to specify and control sharing of those oblects by named indiv iduals or defined groups of indiv iduals or by both and shall pro%ide control to propagat ron ol jilmit access rigzhts The discretionary protection mechanism shall provide that oblects are 0 protected from unauthorized access This protection shall be capable of including or excluding access to granularity of a single user Access permission to an object by users lot 0 already possessing access permission shall only be assigned by authorized users 4 Level CI -3 Enhanced Controlled Access Protection Confidentiality Discretionary Protection Level 3 henceforth 'D-3 products enforce a more finely grained discretionary protection and provide a much stronger form of resource isolation than CD-2 products The product protection mechanisms shall define and control access between named users and named objects e g files and programs in the EDP system The enforcement mechanism shall allow users to specify and control sharing of those objects and shall provide controls to limit propagation of access rights The discretionary protection mechanism shall provide that objects are protected from unauthorized access This protection shall be capable of specifying for each such named object a list of named individuals and a list of groups of named individuals with their respective modes of access 81 Sl 0 0ib Si0 0 0 I 0IIII II0 to that object Furthermore for each such named object it shall be possible to specitfy a list of named individuals and a list of groups of named indi iduals for which no access is to he 0 given Access permission to an object by users not already possessing access permission shall only be assigned by authorized users B MANDATORY PROTECTtION Products in this division must include mechanisms %hich use label to entorce a set ot mandatory protection rules The labels must be associated % ithall objects in the product The system deeloper must provide the security policy model on uhich tile protection mechanisms are based and must furnish a specification tor the prote tion mechanismns I Level C Nt-l Noncompliant This level Confidentiality Mandatory Protection Lexel 0i M-0j is reserxed for those products which have been evaluated but fail to meet the requirements of any of the Mandator- Protection required by confidentiality 2 Level CM-I Labelled Security Protection An informal statement of the security policy model data labelling and mandatory protection over named subjects and oh'e ts must be provided The apabililtv must exist for accurately labelling exported information a Labels Labels associated with each subject and storage object under its control e g process file segment device shall be maintained by the TCB These labels shall be used as the basis for mandatory protection decisions In order to import non-labelled data the TCB shall request and receive from an authorized user the label of the data and all such actions shall be auditable by the TCB 82 I 0i 0 oo 0 oo o 0 00 o0 II Label Accuracy Labels shall accurately represent the sensiti%ity ot the4 specific sub ects or objects with %hich they are associated When exported by the 'B labels shall accurately and unambiguously represent the internal labels and hall he associated with the information being exported 2 Exportation of Labelled Information The TCB shall designate each communication channel and I O device as either sincle-level or multile el Any change in this designation shall be done manually The TCB shall maintain any change in the label associated % ith a communication channel or I O de%ice a Exportation to Multilexel De%ices When TUB exports an obhleLt to a multilevel 1 0 de- ice the label associated %k ith that ohlect shall also he e p rted and shall reside on the same physical medium as the exported information and hall be in the same 0 form i e machine-readable or human-readable form When T B exports or impo ts an object over a multilevel communication channel the protocol used i on that channel shall provide for the unambiguous pairing between the labels and the associated information that S is sent or received b Exportation to Single-level Devices Single-level I O devices and sincle-level communication channels are not required to maintain the labels of the information they process However the TCB shall include a mechanism by which the TCB and an authorized user reliably communicate to designate the label of information imported or exported via single-level communication channels or I O devices c Labelling Human-Readable Output The EDP system administrator shall be able to specify the printable label names associated with exported labels The TCB shall mark the beginning and end of all human-readable paged hardcopy output e g line printer output with human-readable labels that properly represent the sensitivity of the output The TCB shall by default mark the top and bottom of each page of human X3 0 5 0 0 0 0 0 0 0 0 4 readable paged hardcopy output e g line printer output %ith human-readable labels that properly represent the overall sensitivity of the output or that properly represent the sensitivity of the information on the page The TCB shall by default and in an appropriate manner mark other torlns ot human-readable labels that properly represent the sensiti itv of the output 3 Level CNI-2 Structured Protection In Confidentiality Mandatory Protection Level 2 CM-2 systems the TCB is based on a clearly defined and documented formal security policy model that require' the 0 inandatory protection enforcement found in CM- I systems to be extended to all subletts and oojects in the EDP system The T 'B must be carefully structured into prolctionl0 critical elements a Labels Sensitivity labels associated with each EDP system resource e g subject storage object ROM that is directly or indirectly accessible by subject external to the TCB shall be maintained by the TCB These labels shall be used as the basis for mandatory protection decisions- In order to import non-labelled data the TUB shall request and receive from an authorized user the sensitivity level of the data and All such ac1tio0s shall be auditable by the TCB I Label Accuiacy Sensitivity labels shall accurately represent the 0 sensitivity of the specific subjects or objects with which they are associated When exported by the TCB sensitivity labels shall accurately and unambiguously represent the internal labels and shall be associated with the information being exported 0 2 Exportation of Labelled Information The TCB shall specify each communication channel and I O device as either single-level or multilevel Any change in 94 S o o - this designation shiaiI be done inanuallv The TCB shall maintain anyv Lhange in the4 NeilsItiy it N eveeIN as sociated i th a commun Ic at ion ch annelI or 1 0 device a Exportat Ion ito MuIt ilevelI De iices When TU'B export' aniob Iect to a multilevel 1 O dlevice the sensiti imy label associated Aith that object hall also he exported and shall reside on the same physical medliuml as the exported information andl shall he in the same torm ii e machine-readable or hutnan-readtable 1 2 r When T 'B exports or inmport an object over a multilevel commifunication tchannel the protocol used onl that channel hall provide tor the unambiguous pairing het keen the labels atid the associatedl informiation that is sent or recei ecl 0 E xportatton to Sini le-le el lDei ks Singlele Ic single- evecl conimunc1111atton chatinels are not reqluiredl to maintain the I 1 '0 de ikcN and ensini itv labels it the information they' process Hoss eser the TUB shall include a muechanmism hv w IncIi the TCB and an authorized user reliablv communicate to designate the sensiti% iv information imported or exported %a Ningle- level communication chaninels or 1 0 des c tcC LabelIIin L Hutnan -Reada ble Output The EDP system ad min istrator shall be able to specify the printable label names associated wkith exported labels The TUB shall mark the liegmnning and end oft all humnan-readable paged hardcopy mIwpSt e g Iife 0 printer Output %kith human-readable labels that properly represent the sensitivity of the output The TUB shall by default mark the top and bottomn of each page with humanreadable sensitivity els that properly represent the overall sensitivity of the output or that properly represent the sensitivity of the informnation on the page The TUB shall by default and in an appropriate manner mark other forms of human-readable output e g maps graphics with human-readable sensitivity labels that properly represent the sensitivity of the output Any override of these inarKing defaults shall he auditable by the TUB 00S000 0 0 0 3 Subject Sensitivity Labels The TCB shall immediately notify a terminal user of each change in the sensitivity associated with that user during an interactive session A terminal user shall be able to query the TCB as desired for a display of' the subject's complete sensitivity label 4 Device Labels The TCB shall support the assignment of Inininmum and S maximum sensitivity to all attached physical devices These sensitivity shall he used by kie TCB to enforce constraint imposed by the physical environments in which the devices are located 4 S Level CM-3 Security Domains The Confidentiality Mandatory Protection Level 3 CM-3 TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects be tamper-proof and be small enough to be subjected to analysis and test To this end the TCB is structured to exclude code not essential to security policy enforcement with significant system engineering during TCB design and implementation directed toward minimizing its complexity A security administrator is supported audit mechanisms are expanded to signal security-relevant events and system recovery procedures are required The system is highly resistant to penetration a Labels Sensitivity labels associated with each EDP system resource e g subject 0 storage object ROM that is directly or indirectly accessible by subject external to the TCB shall be maintained by the TCB These labels shall be used as the basis for mandatory protection decisions In order to import non-labelled data the TCB shall request and S receive from an authorized user the sensitivity level of the data and all such actions shall be auditable by the TCB 86 0 J I Label Accuracy Sensitivity label - hall ac cuiately lepresent the sensitivity of the specific subjects or objects with which they are associated When exported by the TCB sensitivity labels shall accurately and unambiguously represent the internal labels and shall be associated with the information being exported 2 Exportation of Labelled Information The TCB shall designate each 0 communication channel and I O device as either single-level or multilevel Any change in this designation shall be done manually and shall be auditable by the TCB The TCB shall maintain and be able to audit any change in the sensitivity levels associated with a o communication channel or I O device a Exportation to Mlultilev el De%ices When TU B exports fIl OhlCL tI a multilevel I O device the sensitivity label associated with that object hall also be o exported and shall reside on the same physical medium as the exported information and shall be in the same form i e machine readable or human-readable form When the TCB exports or imports an object over a multilevel communication channel the protocol used 0 0 on that channel shall provide for the unambiguous pairing between the sensitivity labels and the associated information that is sent or received b Exportation to Single-level Devices Single-level I O devices and single-level communication channels are not required tn maintain the sensitivity labels of the information they process However the TCB shall include a mechanism by which the TCB and an authorized user reliably communicate to designate the sensitivity of information imported or exported via single-level communication channels or I O devices c Labelling Human-Readable Output The EDP system administrator shall be able to specify the printable label names associated with exported sensitivity labels The TCB shall mark the beginning and end of all human-readable paged hardcopy output e g line printer output with human-readable sensitivity labels that properly represent the 97 0 0 00 000 0 0 00 s-ensitivty of the output 'Me TCB shall by defau t mnark the top and bottom of each page Ni of human-readable paged hardcopy output e g line printer output w -ith human-readable sensitivity labels of the output or that properly represent the sensitivity of the information on the page The TCB shall by default and in an appropriate manner mark other ornms ot human-readable output with sensitivity labels that properly represent the sensiti ity of the output Any override of these marking defaults shall be auditable by the TCB 3 Subject Sensitivity Labels The TCB shall immediately notify a terminal user of each change in the sensitivity associated with that user during an interactiN e session 6 A terminal user shall be able to query the TCB as desired for a display of the subjects complete sensitivity label 4 and Device Labels The TCB shall support the assignment of minimum maximum sensitivity to all attached physical devices These sensitivity shall be used by the T CB to enforce constraint imposed by the physical environments in which the devices are located C PARTrIIONS HIERARCHIES AND COMPARTMENTS I 0 Level CP-41 Noncompliant This level Confidentiality Partitions Hierarchies and Compartments Level 1 CP-0 is reserved for those products which have been evaluated but fail to meet the 0 requirements of any of the Partitions requirements of confidentiality 2 Level CP- I Compartments The TCB shall enforce a mandatory protection policy over all subjects and storage objects under its control i e processes files segments devices These subjects and objects shall be assigned labels that designate partitions of data which can be combined in specific structures defined by the security policy as described by the TCB These labels 99 0 0 6 0 0 0 0 0 S 0 shall be used as the basis for mandatory protection decisions The protection mechanism shall he able to support multiple compartments which shall separate user workspaces into well defined and protected areas 3 Level CP-2 Compartmentalized Hierarchies The TCB shall enforce a mandatory protection policy over all resources i e subjects storage objects and I O devices that are directly or indirectly accessible by subjects external to the TCB These subjects and objects shall be assigned hierarchical levels and non-hierarchical compartments and these shall be used as the basis for mandatory protection decisions The TCB shall be able to support multiple hierarchical levels each capable of containing multiple non-hierarchical components 4 Level CP-3 Multiple Compartmentalized Hierarchies The TCB shall enforce a mandatory protection policy over all resources i e subjects storage objects and I O devices that are directly or indirectly accessible by subjects external to the TCB These subjects and objects shall be assigned hierarchical levels and non-hierarchical compartments and these shall be used as the basis for mandatory protection decisions The TCB shall be able to support at least two distinct hierarchies each of which is capable of containing multiple non-hierarchical compartments 5 Level CP-4 Embedded Hierarchies and Compartments The TCB shall enforce a mandatory protection policy over all resources i e subjects storage objects and 1 O devices that are directly or indirectly accessible by subjects external to the TCB These subjects and objects shall be assigned hierarchical levels and non-hierarchical compartments and these shall be used as the basis for mandatory protection decisions The TCB shall be able to support multiple hierarchical X9 S levels each capable of containing multiple non-hierarchical components each of which contain embedded hierarchies and compartments The TCB shall be able to support at least three embedded levels I OBJECT RE IUSE I Level CR-0 Noncompliant This level Confidentiality Object Re-Use Level 0 CR- is reserved for those products which have been evaluated but fail to meet the requirements of any of the object reuse controls required by confidentiality 2 Level CR-I Object Re-Use All authorizations to the information contained within a storage object shall be revoked prior to initial assignment allocation or reallocation of the object to a subject from the product's pool of unused storage objects No information produced by a prior subject's action is to be available to any subject that obtain access to an object that has been released S back to the system Encrypted representations of information will only be considered as unavailable if the encryption mechanism has been specifically approved for such an 5 application by the certification authority 90 SU i a um n m i ill INTEGRITY o 4 The Integrity Criteria for the Indonesian Navy are being developed as the loose form dual of the confidentiality criteria The basic structure of the integrity criteria is cxpected to follow that of the confidentiality criteria and will be based on recent work in the area ot integrity by Clark and Wilson and others It would be helpful if any efforts by the NCSC in this area were available The following sections contains the proposed structure of the integrity criteria A l IS RETII NARY PRT 'rECTIO N Levels within this division provide for discretionary protection - at the Lcontrol of the owner I Level ID-0 Noncompliant This level Integrity Discretionary Protection Level 0 ID-0 is reserved for those products which have been evaluated but fail to meet the requirements of any of the Discretionary Protection required by integrity 2 Level M-I Discretionary Execution Protection An Integrity Discretionary Protection Level 1 ID-I product nominally satisfies the discretionary requirements by providing separation of users and data It incorporates some form of credible controls capable of enforcing access limitations on an individual basis The TCB shall define and control execution of named processes by named subjects e g users processes in the ADP system The enforcement mechanism e g self group public controls execution control lists etc shall allow users to specify and control 91 L execution of named processes by named individuals or defined groups of individuals or 3 J o by both and shall provide controls to limit propagation of execution rights Level I1 -2 I iscretionary Execution Protection -it The TCB shall define and control execution oft named processes hy named subjects e g users processes in the ADP system The enforcement mechanism e g self 0 group public controls execution lists etc shall allow users to specit y and control execution of named processes by named individuals or defined groups of individuals or by both and shall provide controls to limit propagation of execution rights The discretionary execution control mechanism shall either by explicit action or by default pro- ide that processes are protected from unauthorized invocation These exetutioil controls shall be capable of including execution to the granularity of a single subject e g 0 user process etc Invocation privileges shall only be assigned by authorized users 4 Level ID-3 Discretionary Execution Protection The TCB shall define and control execution of named processes by named subjects e g users processes in the ADP system The enforcement mechanism e g self group public controls execution lists etc shall allow users to specify and control execution of named processes by named individuals or defined groups of individuals or by both and shall provide controls to limit propagation of execution rights These execution controls shall be capable of specifying for each named process a list of named subjects and a list of groups of named subjects with invocation privileges for a named process Furthermore for each such named process it shall be possible to specify a list of groups of named subjects for which no invocation privilege to a named process is to be given 92 o m m m mmmmm o o m0o0mmm oo m m00 0 o o0 B MANI ATORY PROTECTION I Level IM-11 Noncompliant 0 This level is reserved for those products that have been evaluated but fail to meet t the requirements for a higher level 2 Level IMN-I Mandatory Execution Protection The TCB shall enforce a mandatory execution control policy over all processes These processes shall be assigned integrity labels and the labels shall be used as the basis for mandatory execution control decisions The TCB shall be able to support N or more integritv dotmains Requirements for invocation privileges shall be specilied by n authorized subject external to T 'B Identitication and authentication data hall he used by the TCB to authenticate the identify of a user invoking a process and to ensure that the integrity attributes of the subjects external to the TCB that are invoked on behalf of the individual user are consistent with the integrity attributes of that user Note 'are consistent with must be defined 3 Level IM-2 Mandatory Execution Protection The TCB shall enforce a mandatory execution control policy over all processes 0 that can be directly or indirectly invoked by subjects external to the TCB Requirements for direct or indirect invocation of any process by any subject external to the TCB shall be specified by an authorized subject external to the TCB Identification and authentication o data shall be used by the TCB to authenticate the identify of a user invoking a process and to ensure that the integrity attributes of the subjects external to the TCB that are invoked on behalf of the individual user are consistent with the integrity attributes of that user 0 Note are consistent with must be defined 93 0 0 C SEPARATION OF DUTIES Products in this division must include mechanisms by which to separate and define 0 various functions within the system The granularity defined by the system relates directly to the level which it attains I 0 Level IS-O Noncompliant This level Separation of Duties Level 0 IS-0 is reserved for those productts which have been evaluated but fail to meet the requirements of any of the separation of 0 duties required by the integrity criteria 2 Level IS-I Basic Separation The system is broken down into two domains User and System Administratoli This form of separation is considered minimal and may not he sufficient for more secure systems It must be shown that two domains are separate and that a user caan not become system administrator except from specific verified locations i e system console 3 Level IS-2 Administrative Separation The system separates users by type System Administrator Operator User etc Each user has specific tasks which are attached to the user type Each user type is unique 0 and non-overlapping 4 Level IS-3 Administrative Compartmentalization The system separates users by type System Administrator Operator User etc but each is restricted to the form of on-line interaction Some administrative tasks are mutually exclusive while others can not be done on a live system Each user type is mapped out and defined in terms of interaction with the other Some administrative duties must be done in two-man rule requiring two distinct user types to be active for a specific duty to 94 o o o oo o o be accomplished Certain duties shall require that the system he unavailable to normal users such as system recovery and backup 5 Level IS-4 Logical Separation The system is broken down into domains corresponding to Lt ogICJl ulses ot the system Each domain is non-overlapping and self-contained compartmentahized I' ers from one domain can not transfer over or enter the domains of other user 9 i o a i -- o o 0 0 IV AVAILABILITY Not Yet Complete a 0 i I V ACCOUNTABILITY 0 The accountability criteria are draw n directly trom the T 'SE ' onideration %ill be given to developing them further based on requirements to more completely suppor-t integrity issues A IDENTIFI 'ATII N ANI AUTHENTICATIO N I Level WI-iI Noncompliant T'his level A 'ccountabilitv Idenitification And Authentication Le ci 0I Wl- Ii i reserved for those products whi h ha e been ealuated under the A ocOuItabilitv Identification And Authentication Criteria but ha e failed to meet the requirements for a higher evaluation class 2 Level WI-I I iscretionary Security Protection User shall be required to identify themselves to he TCB before beginning to perform any other actions that the TCB i expected to mediate Furthermore the TCB hall use a protected mechanisms to authenticate the user's identity The TCB shall protect authentication data so that it cannot he accessed by any unauthorized user 3 Level WI-2 Controlled Access Protection User shall be required to identify themselves to the TCB before beginning to perform any other actions that the TCB is expected to mediate Furthermore the TCB shall use a protected mechanisms to authenticate the user's identity The TCB shall protect authentication data so that it cannot be accessed by any unauthorized user The TCB shall be able to enforce individual accountability by providing the capability to uniquely identify 97 0 0 '1 each individual EDP system user The TCB shall also provide the capability of associatingl this identity with all auditable actions taken by that individual 4 0 Level WI-3 Labelled Security Protection User shall be required to identify themselves to the TCB before hevinning to 0 perform any other actions that the TCB is expected to mediate Furthermore the TCB shall maintain authentication data that includes information for verifying the identity ot individual users e g passwords as well as information for determining the clearance and 0 authorizations of individual users This data shall be used by the TCB to authenticate the user's identity The TCB shall protect authentication data so that it cannot be accessed by any unauthorized user The TUB shall be able to enforce individual accountability by 0 providing the capability to uniquely identify each individual EDP system user The TUB shall also provide the capability of associating this identity with all auditable actions taken by that individual B AUDI TI I Level WA-U Noncompliant This level Accountability Audit Level U WA-U is reserved for those products 0 which have been evaluated under the Accountability Audit Criteria but have failed to mneet the requirements for a higher evaluation class 2 Level WA-I Controlled Access Protection The TCB shall be able to create maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects The audit data shall be protected by the TCB so that read access to it is limited to those who are authorized for audit data The TCB shall be able to record at minimum the following type of events user of identification and authentication mechanisms introduction of objects into 98 J- oo tI o o0 6 a user's address space e g file open program initiation deletion of objects actions taken by computer operators and system administrator and or system security officers and other X 0 security relevant events For each recorded event the audit record shall identify date and time of the event user type of event and success or failure of the event For identification authentication events the origin of request e g terminal ID shall be included in the audit 0 record For events that introduce an object into a user's address space and for object deletion events the audit record shall include the name of the object The EDP system administrator shall be able to selectively audit the action of any one or more users based on individual identity 3 Level WA-2 Labelled Security Protection protect from moditication or The TCB shall be able to create maintain and unauthorized access or destruction an audit trail of accesses to the objects it protects The audit data shall be protected by the TCB so that read access to it is limited to those who are at minimum the following type authorized for audit data The TCB shall be able to record of events user of identification and authentication mechanisms introduction of objects into a user's address space e g file open program initiation deletion of objects actions taken by computer operators and system administrator and or system security officers and other security relevant events The TCB shall also be able to audit any override of humanreadable output markings For each recorded event the audit record shall identify date and time of the event user type of event and success or failure of the event For identification authentication events the origin of request e g terminal ID shall be included in the audit record Foi events that introduce an object into a user's address space and for object deletion events the audit record shall include the name of the object and the object's sensitivity The EDP system administrator shall be able to selectively audit the actions of any one or more users based on individual identity and or object sensitivity 99 0 -j S 4 Level WA-3 Structured Protection The TCB shall be able to create maintain and protect from modification or XJ 0 unauthorized access or destruction an audit trail of accesses to the objects it protects The audit data shall be protected by the TCB so that read access to it is lilmited to those ho are authorized for audit data The TCB shall be able to record at minimum the tohloing type S of events user of identification and authentication mechanisms introduction ot objects into a user's address space e g file open program initiation deletion of objects actions taken by computer operators and system administrator and or system security officers and other 0 security relevant events The TCB shall also be able to audit any override of humanreadable output markings For each recorded event the audit record shall identity late and time of the event user type of event and success or failure of the event For identification 0 authentication events the origin of request e g terminal ID shall be included in the audit record For events that introduce an object into a user s address space and for object deletion events the audit record shall include the name of the object and the object's S sensitivity The EDP system administrator shall be able to selectively audit the action of any one or more users based on individual identity and or object sensitivity The TCB shall be able to audit the identified events that may be used in the exploitation of covert storage channels 5 Level WA-4 Security Domains The TCB shall be able to create maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects The audit data shall be protected by the TCB so that read access to it is limited to those who are authorized for audit data The TCB shall be able to record at minimum the following type of events user of identification and authentication mechanisms introduction of objects into a user's address space e g file open program initiation deletion of objects actions taken 10o a IIIIIIIlnllnnlS 0 S -A by computer operators and system administrator and or system security officers and other security relevant events The TCB shall also he able to audit any override ot humanreadable output markings For each recorded event the audit record shall identify date and time of the event user type of event and success or failure of the event For identification authentication events the origin of request e g terminal ID shall be included in the udit record For events that introduce an object into a user's address space and for object deletion events the audit record shall include the name of the object and the object s sensitivity The EDP system administrator shall be able to selectively audit the action of any one or more users based on individual identity and or object sensitivity The EDP system administrator shall he able to selectively audit the actions of any one or more users based on individual identity and or object security level The TCB shall he able to audit the identified events that may be used in the exploitation of covert storage channels The TCB shall contain a mechanism that is able to monitor the occurrence or accumulation of security auditable events that may indicate an Imminent violation of security policy This mechanism shall be able to immediately notify the security administrator when threshold are exceeded and if the occurrence or accumulation of these security relevant events continues the system shall take the least disruptive action to terminate the event c rRUSTEID PATH I Level WT-0 Noncompliant This level Accountability Trusted Path Level WT-0 is reserved for those products that have been evaluated under the Accountability Trusted Path Criteria but have failed to meet the requirements for a higher evaluation class 101 a u I mii In m l al n II nu 00 2 Level WT-1I Structured Protection The TCB shall support a trusted communication path between itself and user for 0 initial login and authentication Communications via this path shall be initiated exclusively by a user 3 Level WT-2 Security Domains The TCB shall support a trusted communication path between itself and user for use when a positive TCB-to-user connection is required e g login change subject sensitivity Communications via this trusted path shall be activated exclusively by a user or the TCB and shall be logically isolated and unmistakably distinguishable from other paths 1 o 102 o nnn o- S m mmnS o o nu mmm oo o I I I o0 I X 0 VI ASSURANCE The assurance criteria are used to establish the degree to which evidential support and subsequent reasoning exists about the degree to which the chosen product mechanisms and design will throughout the life of a product support the specified product security policy The initial draft of the assurance criteria directly extracted from the TCSEC Additional factors such as the development environment hardware design control intrusion detection will be considered for further specification of the criteria A OPERATIONAL I'RIsT 0 Product Integrity For all levels of operational trust hardware and or software features shall provided that can be used to periodically validate the correct operation of the on-site hardware and 0 firmware elements of the TCB I Level TO-0 Noncompliant This level Assurance Operational Trust Level 0 TO-U is reserved for those products which have been evaluated but fail to meet the requirements of any of the operational trust mechanisms required by assurance 2 Level To-I Vendor Assured 0 a ProductArchitecture The TCB shall maintain a domain for its own execution that protects it from external interference of tampering e g by modification of its code or data structures Resources controlled by the TCB may be a defined subset of the subjects and objects in the EDP product 103 ILO o o o oo o o - 3 Level TO-2 Independently rested a ProductArchitecture The TCB shall maintain a domain for its own execution that protects it fromr external interference of tampering e g by modification ot its code or data structures Resources controlled by the TCB may be a defined subset or the subjects and oblects in the EDP product The TCB shall isolate the resources to be protected so that they are subject to the protection and auditing requirements 4 Level'lr -3 independently Assured a ProductArchitecture The TCB shall maintain a domain for its own execution that protects it trom S external interference of tampering e g by modification of its code or data structures Resources controlled by the TCB may be a defined subset of the subjects and objects in the EDP product The TCB shall maintain process isolation through the provision of distinct address space under its control The TCB shall isolate the resources to be protected so that thev are subject to the protection and auditing requirements 5 Level T o-4 Structured Design a ProductArchitecture The TCB shall maintain a domain for its own execution that protects it from external interference of tampering e g by modification of its code or data structures The TCB shall maintain process isolation through the provision of distinct address spaces under this control The TCB shall be internally structured into well-defined largely independent modules It shall make effective use of available hardware to separate those elements that are protection-critical from those that are not The TCB modules shall be designed such that the principle of least privilege is enforced Features in hardware such as segmentation I 14 o IN I lmmmll ll Ia 'lll0 0 S shall be used to support logically distinct storage objects with separate attributes namelv readable writeable The user interface to the TCB shall be completely defined and all elements of the TCB identified b Coven Channel Analysis The product developer shall conduct a thorough search for covert storage 0 channels and make a determination either by actual measurement or by engineering estimation of the maximum bandwidth of each identified channel c 0 Trusted Facility Management The TCB shall support separate operator and system administrator functions 6 Level TO-5 Rigorous I esign Security Domains 0 a Product Architecture The TCB shall maintain a domain for its own execution that protects it from 0 0 external interference of tampering e g by modification of its code or data structures The TCB shall maintain process isolation through the provision of distinct address spaces under this control The TCB shall be internally structured into well-defined largely independent 0 modules It shall make effective use of available hardware to separate those elements that are protection-critical from those that are not The TCB modules shall be designed such that the principle of least privilege is enforced Features in hardware such as segmentation 0 shall be used to support logically distinct storage objects with separate attributes namely readable writeable The user interface to the TCB shall be completely defined and all elements of the TCB identified The TCB shall be designed and structured to use a complete conceptually simple protection mechanism with precisely defined semantics This mechanism shall play a central role in enforcing the internal structuring of the TCB and the product The TCB shall incorporate significant use of layering abstraction and data 5 105 S 000 0 0 0 0 0 0 0 hiding Significant product engineering shall be directed toward minimizing the complexity of the TCB and excluding from the TCB modules that are no protection-critical b Covert Channel Analysis The product developer shall conduct a thorough search for covert torage channels and make a determination either by actual measurement or by engineering 0 estimation of the maximum bandwidth of each identified channel c Trusted Facility Management The TCB shall support separate operator and system administrator function The functions performed in the role of a security administrator shall be letiled The EDP product administrative personnel shall only be able to perform security adlmlnstrator functions after taking a distinct auditable action to assume the security administrator role on the EDP product Non-security fur tions that can be performed in the security administration role shall be limited strictly to those essential to performing the security role effectively d Trusted Recovery Procedures and or mechanisms shall be provided to assure that after an EDP product failure of other discontinuity recovery without a protection compromise is obtained 7 Level TO-6 Formal Design a ProductArchitecture The TCB shall maintain a domain for its own execution that protects it from external interference of tampering e g by modification of its code or data structures The TCB shall maintain process isolation through the provision of distinct address spaces under this control The TCB shall be internally structured into well-defined largely independent 106 0S 0 modules It shall make effective use of available hardware to separate those elements that are protection- ritical from those that are not The TCB modules shall be designed such that 0 the principle of least privilege is enforced Feature% in hardvware such as segmentation shall be used to support logically distinct storage oblects with separate attributes namely readable writeable The user interface to the TCB shall be completely detined and all elements of the TCB identified The TCB shall be desiened and structured to use a complete conceptually simple protection mechanism %k ith precisely defined emnantIcs This mechanism shall play a central role in enforcing the internal structuring of the TUB and the product The TCB shall incorporate significant use of layering abstraction and data hiding Significant product engineering shall be directed toward minimizing the complexitv of the TCB and excluding from the TCB modules that are no protection-critical b Covert ChannelAnalysis The product developer shall conduct a thorough search for covert storage channels and make a determination feither by actual measurement or by engineering estimation of the maximum bandwidth of each identified channel Formal methods shall be use in the analysis c 0 Trusted Facility Management The TCB shall support separate operator and system administrator functions The functions performed in the role of a security administrator shall be identified The EDP product administrative personnel shall only be able to perform security administrator functions after taking a distinct auditable action to assume the security administrator role on the EDP product Non-security functions that can be performed in the security administration role shall be limited strictly to those essential to performing the security role effectivelv 0 107 0 S 0050 0 d Trusted Recovery X Procedures and or mechanisms shall be pro%ided to assure that atter an EDP 0 product failure ot other discontinuity recovery without a protection compromise is obtained B LIFE CYCLE TRUST o Configuration Management levels I - 5 During development and maintenance of any TCB a configuration management system shall be in place that maintains control of changes to the descriptive top-level specification other design data implementation documentation source code the runnine version ot the obiect code and test fixtures and documnentation l'he ont iLur-atI0o 0 management product shall assure a consistent mapping among all documentation and code associated with the current version of the TCB Tools shall be provided for generation of a new version of the TCB from source code Also available shall be tools for comparing a newly generated version with the previous TCB version in order to ascertain that only the intended changes have been made in the code that will actually be used as the new version of the TCB I 0 Level TL-0 Noncompliant This level Assurance Life Cycle Trust Level 0 TO-0 is reserved for those 0 products which have been evaluated but fail to meet the requirements of any of the life cycle trust mechanisms required by assurance 2 Level TL-I Vendor Assured 0 a Security Testing The security mechanisms of the EDP product shall be tested and found to work as claimed in the product documentation Testing shall be done to assure that there 0 108 0 iiim0 iii 0 0 0 0 0 0 0 0 0 0 are no obvious ways for an unauthorized user to by pass or otherwise defeat the security protection mechanisms of the TCB 3 Level TIL-2 Independently Tested a Security Testing The security mechanisms of the EDP product shall be tested and found to work as claimed in the product documentation Testing shall be done to assure that there are no obvious ways for an unauthorized user to by pass or otherwise defeat the security protection mechanisms of the TCB Testing shall also include a search for obvious flaws that would allow % iolationof resource isolation or that would permit unauthorized access to the audit or authentication data 0 4 Level TL-3 Independently Assured a Security Testing 0 The security mechanisms of the EDP product shall be tested and found to work as claimed in the product documentation A team of individuals who thoroughly understand the specific implementation of the TCB shall subject its design documentation 0 source code and object code to thorough testing Their objectives shall be to uncover all design and implementation flaws that would permit a subject external to the TCB to read change or delete data normally denied under the mandatory or discretionary security policy enforced by the TCB as well as to assure that no subject without authorization to do so is able to cause the TCB to enter a state such that it is unable to respond to communications initiated by other users All discovered flaws shall be removed or neutralized and the TCB 0 retested to demonstrate that they have been eliminated and that new flaws have not been introduced 0 109 0000 0 0 0 0 0il0 b Design Specification and Verification An informal or formal model of the security policy supported by the FCB shall be maintained over the life cycle of the EDP product and demonstrated to be consisted with its axioms 5 Level TL-4 Structured Design a Security Testing The security mechanisms of the EDP product shall he tested and found to work as claimed in the product documentation A team of individuals who thoroughly understand the specific implementation of the T B shall subiect its design documentatioM source coode and ohiect code to thorough analysis and testing Their ohjecti es shall he to uncover all design and implementation flaws that would permit a sub ject external to the TCB to read change or delete data normally denied under the mandatory or discretionary security policy enforced by the TCB as well as to assure that no suhJect without authorization to do so is able to cause the TCB to enter a state such that it is unable to respond to communications initiated by other users The TCB shall be found relatively resistant to penetration All discovered flaws shall be corrected and the TCB retested to demonstrate that they have been eliminated and that ne' tlaws have not been introduced Testing shall demonstrate that the TCB implementation is consistent with the descriptive top-level specification b Design Specification and Verification A formal model of the security policy supported by the TCB shall be maintained over the life cycle of the EDP product that is proven consistent with its axioms 0 A descriptive top-level specification DTLS of the TCB shall be maintained that 110 completely and accurately describes the TCB in terms of exceptions error messages and X effects It shall be shown to be an accurate description of the TCB interface 6 r Level l -5 Rigorous I esign Security Domains a Security Testing The security mechanisms of the EDP product shall be tested and found to work as claimed in the product documentation A team of individuals who thoroughly understand the specific implementation of the TCB shall subject its design documentation source code and object code to thorough analysis and testing Their objectives shall be to uncover all design and implementation flasks that %ould permit a subject external to the T Bto read chanue or delete data normally denied under the manldatorv or discretionary security policy enforced by the TCB as well as to assure that no subject iWithout authorization to do so is able to cause the TCB to enter a state such that it is unable to respond to communications initiated by other users The TCB shall be found relatively resistant to penetration All discovered flaws shall be corrected and the TU'B S retested to demonstrate that they have been eliminated and that new flaws have not been introduced Testing shall demonstrate that the TCB implementation is consistent with the descriptive top-level specification flaws and No design no more than a few correctable implementation flaws may be found during testing and there shall be reasonable confidence that few remain 0 b Design Specification and Verification A formal model of the security policy supported by the TCB shall be maintained over the life cycle of the EDP product that is proven consistent with its axioms 0 A descriptive top-level specification DTLS of the TCB shall be maintained th completely and accurately describes the TCB in terms of exceptions or messages and 1 0 0 0 0 0 0 98 effects It shall be shown to he an accurate description of the TCB interface A convincing argument shall he given that the DTLS is consistent with the model 7 Level 1 -O Formal D esign a Security Testing 0 The security mechanisms of the EDP product shall he tested and found to work as claimed in the product documentation A team of individuals who thoroughly understand the specific implementation of the TCB shall subject its design documentation source code and obiect code to thorough analysis and testing Their objective' shall be to uncover all design and implementation tlay- that would permit a suhlect external to the T 'B to read change or delete data normally denied under the mandatory or discretionary security policy enforced by the TCB as well as to assure that no subject %ithout authorization to do so is able to cause the TCB to enter a state such that it is unable to respond to communications initiated by other users The TCB shall be found relatively resistant to penetration All discovered flaws shall be corrected and the TCB retested to demonstrate that they have been eliminated and that new flaws have not been introduced Testing shall demonstrate that the TCB implementation is consistent with the descriptive top-level specification No design flaws and no more than a few correctable implementation flaws may be found during testing and there shall be reasonable confidence that few remain Manual or other mapping of the FTLS to the source code may form a basis for penetration testing b Design Specification and Verification A formal model of the security policy supported by the TCB shall be 6 maintained over the life cycle of the EDP product that is proven consistent with its axioms A descriptive top-level specification DTLS of the TCB shall be maintained that 112 oq q oo o o completely and accurately describes the TCB in terms of exceptions error messages and effects A formal top-level specification FTLS of the TCB shall be maintained that accurately describes the TCB in terms of exceptions error messages and effects The DTLS and FTLS shall include those components of the TCB that are implemented as hardware and or firmware if their properties are visible at the TCB interlace The FTLS shall be shown to be an accurate description of the TCB interface A convincing argument shall be given that the DTLS is consistent with the model and a combination of formal and informal techniques shall be used to show that the FTLS is consistent with the model This verification evidence shall be consistent with that provided within the state-of-the-art of the particular Indonesian Navy-endorsed formal specification and verification system used A mapping manual otherwise of the FTLS to the TCB source shall be performed to provide evidence of correct implementation c ConfigurationManagement Level 6 Additional Requirements This section supercedes the configuration management requirements of level o TL- 1 to TL-5 for level TL-6 only During the entire life-cycle i e during the design development and maintenance of the T B a configuration management system shall he in place for all 0 security-relevant hardware firmware software that maintains control of changes to the formal model the descriptive and formal top-level specifications other design data implementation documentation source code the running version of the object code and o test fixtures and documentation The configuration management system shall assure a consistent mapping among all documentation and code associated with the current version of the TCB Tools shall be provided for generation of a new version of the TCB from source 0 code Also available shall be tools maintained under strict configuration control for comparing a newly generated version with the previous TCB version in order to ascertain 0 113 S00 0 0 0 0 that only the intended changes have been made in the code that will actually he used as the new version of TCB A combination of technical physical and procedural safeguard shall he used to protect from an unauthorized modification or destruction the master copy or copies of all material used to generate the TCB 0 d Trusted Distribution A trusted EDP product control and disutibution facility shall be provided for maintaining the integrity of the mapping between the master data describing the current 0 version of the TCB and the on-site master copy of the code for the current version Procedures e g site security acceptance testing shall exist for assuring that the TCB software firmware and hardware updates distributed to a customer are exactly v specified 0 by the master copies C DOCUMENTATI N I 0 Level TI - Noncompliant This level Assurance Documentation Level TD-0 is reserved for those products which have been evaluated but fail to meet the requirements of any of the 0 documentation required by assurance 2 Level TI -l Vendor Assured o a Documentation I Security Feature User's Guide A single summary chapter or manual in user documentation shall describe the protection mechanisms provided by the TCB 0 guidelines on their use and how they interact with one another 0 114 0 0 0 0 0 0 0 0 00 I 2 Trusted Facility Manual A manual addressed to the EDP product administrator shall present cautions about functions and privileges that should he controlled when running a secure facility 3 Test Documentation The product developer shall pro ide to the evaluators a document that describes the test plan test procedures that show hoes the security mechanisms were tested and result of the security mechanism ' functional testine 4 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and an explanation oo how this philosophy is translated into the TCB If the TCB is composed of distinct modules the interfaces between these modules shall be described 3 Level TI -2 Independently Trested a Documentation I Security Feature User's Guide A single summary chapter or manual In user documentation shall descnbe the protection mechanisms provided hy the TCB guidelines on their use and how they interact with one another 2 Trusted Facility Manual A manual addressed to the EDP product administrator shall present cautions about functions and privileges that should he controlled when running a secure facility The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given 3 Test Documentation The product developer shall provide to the evaluators a document that describes the test plan test procedures that show how the security mechanisms were tested and result of the security mechanisms' functional testing 115 S 0 '1 I 4 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and an explanation of hot this philosophy is translated into the TCB If the TCB is composed of distinct modules the interfaces between these modules shall be described 4 0 Level TD-3 Independently Assured a Documentation I Security Feature User's Guide A single sunmary chapter or manual in user documentation shall describe the protection mechanisms provided by the TCB guidelines on their use and hoV they interact with one another 2 Trusted Facility Manual A manual addressed to the EDP product 0 administrator shall present cautions about functions and privileges that should he controlled when running a secure facility The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall he given 0 The manual shall describe the operator and system administrator functions related to security to include changing the security characteristics of a user It shall provide guidelines on the consistent and effective use of the protection features of the product how 0 they interact how to securely generate a new TCB and facility procedures warnings and privileges that need to be controlled in order to operate the facility in a secure manner 3 Test Documentation The product developer shall provide to the evaluators a document that describes the test plan test procedures that show how the security mechanisms were tested and result of the security mechanisms' functional testing 4 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and an explanation of how this philosophy is translated into the TCB If the TCB is composed of distinct modules the 116 I' II IIIIII IIIIIIII IIII mIIIII I I 1 o I interfaces between these modules shall be described An informal or formal description of security policy model enforced by the TCB shall be available and an explanation provided 0 to show that it I- sufficient to enforce the security policy The specific TCB protection mechanisms shall be identified and an explanation given to how that they satisfy the model 5 Level TD-4 Structured Design a Documentation ScLurity Feature L'Ucr's Guide A sing e summary chaptem or manual in user documentation shall describe the protection mechanisms provided by the TUB guidelines on their use and how they interact Awith one another 2 Trusted Facility Manual A manual addressed to the EDP product administrator shall present cautions about functions and privileges that should be controlled when running a secure facility The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given The manual shall describe the operator and system administrator functions related to security to include changing the security characteristics of a user It shall provide guidelines on the consistent and effective use of the protection features of the product how they interact how to securely generate a new TCB and facility procedures warnings and privileges that need to be controlled in order to operate the facility in a secure manner The TCB modules that contain the reference validation mechanism shall be identified The procedures for secure generation of a new TCB from source after modification of any modules in the TCB shall be described 3 Test Documentation The product developer shall provide to the evaluators a document that describes the test plan test procedures that show how the 117 4 security mechanisms were tested and result of the security mechanisms functional testing used to reduce covern It shall include results of testing the effectiveness of the methods u-i channel bandwidth 4 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and all explanation of how this 0 philosophy is translated into the TCB The interfaces between the TCB module shall be described A formal description of security policy model enforced by the TCB shall be available and proven that it is sufficient to enforce the security policy The specific TCB S protection mechanisms shall be identified and an explanation given to sho% that they satisfythe model The descriptive top-level specification DTLS shall be shown to he alm accurate description of the TCB interface Documentation shall describe how the TUB 0 implements the reference monitor concept and give an explanation why it is tamper resistant cannot be bypassed and is correctly implemented Documentation shall describe how the TCB is structured to facilitate testing and to enforce least privilege This 0 documentation shall also present the results of the covert channel analysis and the tradeoffs involved in restricting the channels All auditable events that may be used in the exploitation of known covert storage channels shall be identified The bandwidth of known 0 covert storage channels the use of which is not detectable by the auditing mechanisms shall be provided 6 Level TI -5 Rigorous Design Security Domains a Documentation 1 Security Feature User's Guide A single summary chapter or manual in user documentation shall describe the protection mechanisms provided by the TCB guidelines on their use and how they interact with one another 00 n IS ul II n 0 6 2 Trusted Facility Manual A manual addressed to the EDP product administrator shall present cautions about functions and privileges that should be controlled 0 when running a secure facility The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall he given The manual shall describe the operator and system administrator tunctions related to security to include changing the security characteristics of a user It shall provide guidelines on the consistent and effective use of the protection features of the product how they interact how to securely generate a new TCB and tacility procedures warnings and privileges that need to be controlled in order to operate the facility in a secure manner The TCB modules that contain the reference validation mechanism shall be identified The procedures for secure generation of a new TCB from source after modification of any modules in the TCB shall be described It shall include the procedures to ensure that the product is initially started in a secure manner Procedures shall also be included to resume secure product operation after any lapse in product operation 3 Test Documentation The product developer shall provide to the evaluators a document that describes the test plan test procedures that show how the security mechanisms were tested and result of the security mechanisms' functional testing It shall include results of testing the effectiveness of the methods used to reduce covert channel bandwidth 4 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and an explanation of how this philosophy is translated into the TCB The interfaces between the TCB modules shall be described A formal description of security policy model enforced by the TCB shall be available and proven that it is sufficient to enforce the security policy The specific TCB protection mechanisms shall be identified and an explanation given to show that they 119 0 satisfy the model The descriptive top-level specification DTLS shall be shown to be anl accurate description of the TCB interface Documentation shall describe how the TCB 0 j 0 implements the reference monitor concept and give an explanation why it is tamper resistant cannot be bypassed and is correctly implemented The TCB implementation i e _ in hardware firmware and software shall be informally shown to be consistent with the DTLS The elements of the DTLS shall be shown using informal techniques to correspond to the elements of the TCB Documentation shall describe how the TCB is structured to facilitate testing and to enforce least privilege This documentation shall also present the results of the covert channel analysis and the trade-offs involved in restricting the channels All auditable events that may be used in the exploitation of known covert storage channels shall be identified The bandwidth of known covert storage channels the use ot which is not detectable by the auditing mechanisms shall be provided 7 Level TI -6 Formal Design a Documentation I Security Feature User's Guide A single summary chapter or manual in user documentation shall describe the protection mechanisms provided by the TCB guidelines on their use and how they interact with one another 2 Trusted Facility Manual A manual addressed to the EDP product administrator shall present cautions about functions and privileges that should be controlled 0 when running a secure facility The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given The manual shall describe the operator and system administrator functions related to security to include changing the security characteristics of a user It shall provide guidelines on the consistent and effective use of the protection features of the product how 120 0 they interact how to securely generate a new TCB and facility procedures warnings and privileges that need to be controlled in order to operate the facility in a secure manner The 0 TCB modules that contain the reference validation mechanism shall be identified The procedures for secure generation of a new TCB trom source after modification of any modules in the TCB shall be described It shall include the procedures to ensure that the product is initially started in a secure manner Procedures shall also be included to resume secure product operation after any lapse in product operation 0 3 Test Documentation The product developer shall provide to the evaluators a document that describes the test plan test procedures that show how the security mechanisms were tested and result of the security mechanisms functional testing It shall include results of testing the effectiveness of the methods used to reduce covert 0 channel The results of the mapping between the formal top-level specification and the TCB source code shall be given 4 0 Design Documentation Documentation shall be available that provides a description of the manufacturer's philosophy of protection and an explanation of how this philosophy is translated into the TCB The interfaces between the TCB modules shall be 0 described A formal description of security policy model enforced by the TCB shall be available and proven that it is sufficient to enforce the security policy The specific TCB protection mechanisms shall be identified and an explanation given to show that they satisfy the model The descriptive top-level specification DTLS shall be shown to be an accurate description of the TCB interface Documentation shall describe how the TCB implements the reference monitor concept and give an explanation why it is tamper resistant cannot be bypassed and is correctly implemented The TCB implementation i e in hardware firmware and software shall be informally shown to be consistent with the formal top-level specification FTLS The elements of the FTLS shall be shown using 121 - j - I I I I II I I II 0 0 informal techniques to correspond to the elements of the TCB Documentation shall describe how the TCB is structured to facilitate testing and to enforce least privilege This 3' documentation shall also present the results of the covert channel analysis and the tradeoffs involved in restricting the c hannels All auditable events that may he used in the exploitation of known covert storage channels shall be identified The bandwidth of known covert storage channels the use of which is not detectable by the auditing mechanisms shall be provided Hardware firmware and software mechanisms not dealt AIth in the DTLS but strictly internal to the TCB e g mapping registers direct memory access I 0 shall be clearly described o o o oo o o o 122 n ii o0 o I m nn mm m n 0 LIST OF REFERENCES I BUCK571 Buckles R A Ideas Inventions and Patents How to Develop and Protect Them John Wiley Sons Inc 1957 CSSC911 Canadian System Security Centre Communications Security Establishment Government of Canada The Canadian Trusted Computer Product Evaluation Criteriaversion 2 1e 1991 I DITT9 Dittrich K et al Computer Security andl Inormation Inh' ritv Proceeding of the Sixth IFIP International Conference on Computer Security and Information Integrity in our Changing World IFIP Sec '0 Espoo Helsinki Finland 23 - 25 May 1990 Elsevier Science Publisher B V 1990 IGREE751 Greenawalt K Legal Protections of Privacy Final Report to the ffice of Telecommunications Policy Executive Office of the President for sale by Superintendent of Documents U S Government Printing Office 1975 HOLB91 Holbrook P Site Securitv Handbook Network Working Group July 1991 IJOHN851 Johnson D G and Snapper J W Ethical Issues in the Use of Computers Wadsforth Publishing Company 1985 LANE851 Lane V P Security of Computer Rased hinformation Sy tems MacMillan Education Ltd 1985 1MART731 Martin J Security Accuracv and Privacv in Computer SY stems PrenticeHall Inc 1973 NCSCX5 National Computer Security Center's Technical Guideline Program Department ol Defense DoD Trusted Computer System Evaluation Criteria TCSEC Orange book 19X5 PFLE89 Pfleefger C P Security in Computing Prentice Hall 1989 RUSS9Il Russel D and G T Gangemi Sr Computer Security Basics O'Reilley Associates Inc 1991 SOG191 Senior Officials Group - Information System Security Commission of the European Communities Directorate XIII F Information Technology Security Evaluation Criteria ITSEC Department of Trade and Industry London June 1991 123 0 0 0 ISTON92J IWEIS921 Stone H S -Copyrights and Author Responsibilities IEEE omput 'r December 1992 Committee on Public Weksband S P and Goodman S E News from the Policy International Software Piracy- IEEE Computer November 1992 3' 0 0 1 124 o o 0 o o oo o o 0mw 0 0 0 0 2 it NJ INITIAL IHSTRIBIUTION LIST 0 Defense Technical Information 'enter Cameron Station Alexandria VA 22304-6145 Dudley Knox Library Code 52 Naval Postgraduate School Monterey CA 93943-5002 Chairman Code CS Computer Science Department Na al Postgraduate School Monterey CA 93943 Dr Timothy J Shimeall Computer Science Department Code CSSm Naval Postgraduate School Monterey CA 93943 Dr Roger Stemp Computer Science Department Code CSSp Naval Postgraduate School Monterey CA 93943 0 'ommander Naval Coinputei nd Telecommunication Command 4401 Massachusetts Ave N W Washington DC 20394 - 5000 Defense Information Systems Agency TFEF 3701 North Fairfax Dr Arlington VA 22203 - 1713 Commander Naval Training Command DANKODIKAL Morokrembangan Surabaya Indonesia 125 o o o oo o o0 112 0 Director Naval Education iDIRDIKAL Indonesian Naval Headquarters 0 Cilangkap Jakarta Indonesia Maj Antonius Herusutopo IDN JI Kalamisani I1 Ujung Surabaya 60155 Indonesia 0 I SI I II 126 I 0                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu