Levels of Operating System Security


The following is a discussion of an optional topic, which is somewhat more sophisticated than the previous material.

As you have seen, UNIX provides a variety of security features. These include user identification and authentication through login names and passwords, discretionary access control through permissions, file encryption capabilities, and audit features, such as the last login record. However, general-purpose UNIX systems do not provide the level of security required for sensitive applications, such as those found in governmental and military settings.

The U.S. Department of Defense has produced standards for different levels of computer system security. These standards have been published in the Trusted Computer System Evaluation Criteria document. The Trusted Computer System Evaluation Criteria is commonly known as the “Orange Book,” because of its bright orange cover. Computer systems are submitted by vendors to the National Computer Security Center (NCSC) for evaluation and rating.

There are seven levels of computer security described in the “Orange Book.” These levels are organized into four divisions (A, B, C, and D) in decreasing order of security requirements. Within each division, there are one or more levels of security, labeled with numbers. From the highest level of security to the lowest, these levels are A1, B3, B2, B1, C2, C1, and D. All the security requirements for a lower level also hold for all higher levels, so that every security requirement for a B1 system is also a requirement for a B2, B3, or A1 system as well.

Minimal Protection (Class D)

Systems with a Class D rating have minimal protection features. A system does not have to pass any tests to be rated as a Class D system. If you read news stories about hackers breaking into “government computers,” they are likely to be Class D systems, which contain no sensitive military data.

Discretionary Security Protection (Class C1)

For a system to have a C1 level, it must provide a separation of users from data. Discretionary controls need to be available to allow a user to limit access to data. Users must be identified and authenticated.

Controlled Access Protection (Class C2)

For a system to have a C2 level, a user must be able to protect data so that it is available to only single users. An audit trail that tracks access and attempted access to objects, such as files, must be kept. C2 security also requires that no data be available as the residue of a process, so that the data generated by the process in temporary memory or registers is erased.

Labeled Security Protection (Class B1)

Systems at the B1 level of security must have mandatory access control capabilities. In particular, the subjects and objects that are controlled must be individually labeled with a security level. Labels must include both hierarchical security levels, such as “unclassified,” “secret,” and “top secret,” and categories (such as group or team names). Discretionary access control must also be present.

Structured Protection (Class B2)

For a system to meet the B2 level of security, there must be a formal security model. Covert channels, which are channels not normally used for communications but that can be used to transmit data, must be constrained. There must be a verifiable top-level design, and testing must confirm that this design has been implemented. A security officer must be designated who implements access control policies, while the usual system administrator only carries out functions required for the operation of the system.

Security Domains (Class B3)

The security of systems at B3 level must be based on a complete and conceptually simple model. There must be a convincing argument, but not a formal proof, that the system implements the design. The capability of specifying access protection for each object, and specifying allowed subjects, the access allowed for each, and disallowed subjects must be included. A reference monitor, which takes users’ access requests and allows or disallows access on the basis of access control policies, must be implemented. The system must be highly resistant to penetration, and the security must be tamperproof. An auditing facility must be provided that can detect potential security violations.
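The following Python sketch is an added example, not code from the book or from any UNIX release. It puts three of the mechanisms described above into one small program: a discretionary ACL (Class C1/C2), labels made of a hierarchical level plus categories (Class B1), and a reference monitor that mediates every request and writes each decision, including refused attempts, to an audit trail (Class C2/B3). The mandatory rules it enforces are the standard Bell-LaPadula “no read up, no write down” rules, which is an assumption beyond the text above; the level ordering, the user names and the file are all constructed sample data.

```python
"""Toy reference monitor: discretionary ACL (C1/C2), mandatory labels (B1),
mediation and audit trail (C2/B3).

Added example; not from the book or from any UNIX release.  The
"no read up / no write down" rules are the standard Bell-LaPadula rules,
assumed here as the mandatory policy the labels enforce.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Hierarchical levels, lowest to highest (ordering is an assumption).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

AuditEntry = Tuple[str, str, str, str, str]  # subject, object, mode, result, reason


@dataclass(frozen=True)
class Label:
    """B1-style label: a hierarchical level plus a set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance: level at least as high AND every category of `other` present.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    classification: Label
    owner: str
    # Discretionary ACL (C1/C2): user -> modes the owner chose to grant.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


class ReferenceMonitor:
    """Mediates every access request and records each decision (C2 audit trail)."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def check(self, subject: Subject, obj: Obj, mode: str) -> bool:
        # Discretionary check: the owner, or a user the owner listed in the ACL.
        dac_ok = subject.name == obj.owner or mode in obj.acl.get(subject.name, set())
        # Mandatory check on labels (Bell-LaPadula, assumed):
        #   read  -> subject's clearance must dominate the object's classification
        #   write -> object's classification must dominate the subject's clearance
        if mode == "read":
            mac_ok = subject.clearance.dominates(obj.classification)
        elif mode == "write":
            mac_ok = obj.classification.dominates(subject.clearance)
        else:
            mac_ok = False
        allowed = dac_ok and mac_ok
        reason = "ok" if allowed else ("dac" if not dac_ok else "mac")
        # Attempted accesses are logged whether or not they succeed.
        self.audit.append((subject.name, obj.name, mode,
                           "ALLOW" if allowed else "DENY", reason))
        return allowed

    def denied(self) -> List[AuditEntry]:
        """The query a security officer would run: every refused attempt."""
        return [e for e in self.audit if e[3] == "DENY"]


def sample_run() -> ReferenceMonitor:
    """Constructed sample subjects and one object; all values are made up."""
    nato = frozenset({"nato"})
    alice = Subject("alice", Label("secret", nato))     # owner, fully cleared
    bob = Subject("bob", Label("unclassified"))         # in the ACL, not cleared
    carol = Subject("carol", Label("top secret"))       # higher level, lacks category
    plan = Obj("plan.txt", Label("secret", nato), owner="alice",
               acl={"bob": {"read"}, "carol": {"read"}})

    rm = ReferenceMonitor()
    rm.check(alice, plan, "read")   # ALLOW: owner, and clearance dominates the label
    rm.check(bob, plan, "read")     # DENY (mac): ACL grants read, but this is "read up"
    rm.check(bob, plan, "write")    # DENY (dac): "write up" passes MAC, no ACL write
    rm.check(carol, plan, "read")   # DENY (mac): level high enough, "nato" category missing
    return rm


if __name__ == "__main__":
    for entry in sample_run().audit:
        print(*entry)
```

The point the example makes is that the discretionary and mandatory checks are independent: bob is explicitly granted read by the owner yet is still refused, and carol has a higher level than the file yet is refused for lacking its category. Every one of those refusals lands in the audit trail, which is what lets an auditing facility detect potential violations after the fact.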

Verified Design (Class A1)

The capabilities of a Class A1 system are identical to those of a Class B3 system. However, the formal model for a Class A1 system must be formally verified as secure.

The Level of UNIX Security

Most UNIX variants (including those based on SVR4) meet most or all of the security requirements of the C2 class. Enhanced versions of UNIX System V Release 4 have been developed that meet the requirements for higher levels of operating system security. An example of a version of UNIX System V that has been enhanced to meet the requirements of the B1 class is UNIX System V/MLS (Multi-Level Security).

UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
Year: 2006
Pages: 316