security levels, V.4

Jerry M. Carlin jmc at PacBell.COM
Sat Dec 1 03:50:07 AEST 1990


In article <1990Nov30.064557.13565 at fiver> palowoda at fiver (Bob Palowoda) writes:
>From article <1990Nov29.224243.2934 at ico.isc.com>, by rcd at ico.isc.com (Dick Dunn):
>> aris at tabbs.UUCP (Aris Stathakis) writes:
>> B2???  No, you must be kidding.  You *don't want* B2.  (It may be required
>> for something you're doing, in which case you may *need* it...but even then
>> you won't *want* it.:-)

The B-level security includes multi-level security and mandatory access
controls. This means it implements the federal government policy of
classifying things as 'secret' and 'top secret' and establishing
classes of people so that someone who is working on 'Europe' cannot
see secrets related to 'Asia', for example. It requires a great deal
of overhead, mostly in administration since besides having a security
officer to do all of this classification and reclassification; it also
implements separation of duties, i.e. no more root. You now have many
ID's with limited authority so that no one person can subvert the
machine (at least theoretically).

Therefore your administration costs will go up by at least a factor of two 
and maybe a power of 3 with MANDATORY access control. This means that to 
change the ownership of a file, you have to go to the security administrator 
and request that the change be made.  Also, if a file you have is at a 
higher level of security, someone at a lower level of security cannot read 
it (or someone in a different department). The security administrator must 
change its classification first.

This also makes things like windowing systems weird since you cannot
copy a document from a 'top secret' window to an 'unclassified' window.
There are people being paid lots of money to write windowing software
to enforce this policy.  Networking is yet another problem.

The B-level has a few IMHO useful features such as 'trusted path'. This
means that a trojan program capturing login info is not possible since
when you press your 'secure attention key' you are guaranteed to be
talking to the 'trusted computer base' and therefore the 'real' login
program.

>> B2 is a higher level of security than C2.  I'll leave it to the orange-book
>> mavens to explain the differences; suffice it to say that if you think the
>> flaming you've seen in this newsgroup about C2 is hot, you ain't seen
>> nothin' yet.

The levels go D (as in no security MSDOS and Mac, for example), C
(discretionary access controls), B (mandatory access controls) and A
which is only achieved if you can PROVE your design is secure.

>> And no, B2 is not required for V.4.  It's an option--I think MLS will take
>> you to the B2 level.                 ^^^^^^^^^^^^^^

AT&T MLS is actually at the C2/B1 level. AT&T has advertised that the
next release V.4.1 will be able to be run at the B-level but that it will
not be required. I believe all the pieces will be modular so you do not
have to run it all to use parts. BTW, you do not have to bundle the
security with the OS. IBM and DEC sell add-ons that bring the os up to
the C2 level. What is required is that the evaluation be done with a
given configuration and that to run at that level, you have to use the
configuration that was evaluated.

>... How does each level of security packages
>affect the development cost of applications for any UNIX that uses it?
>How will we know when the price/security costs are enough?

The great unanswerable question. If your application is a DBMS and you
are building multi-level security in then quite a bit. If your package
is a word processor, probably nothing since it will be up to UNIX
to enforce the security. How much is enough depends on how paranoid you
are. Remember, even paranoids have enemies :-)
--
Jerry M. Carlin	(415) 823-2441 jmc at srv.pacbell.com
To dream the impossible dream. To fight the unbeatable foe.
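The mandatory access control rules the post describes (a lower level cannot read a higher-level file, someone cleared for 'Europe' cannot see 'Asia' secrets, nothing copies from a 'top secret' window into an 'unclassified' one, and only the security administrator may reclassify) are the simple security property and *-property of the Bell-LaPadula model. The following is an added example, not code from the post or from AT&T MLS; the level names, the 'europe'/'asia' compartments and the `security administrator` role string are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance: at least as high a level AND a superset of the compartments.
        # This is the lattice ordering that both access rules below are built on.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up. The subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. The object must dominate the subject."""
    return obj.dominates(subject)


def can_copy(subject: Label, src: Label, dst: Label) -> bool:
    """A cut-and-paste between two windows is a read of src followed by a write to dst,
    so both rules apply; this is why 'top secret' -> 'unclassified' is refused."""
    return can_read(subject, src) and can_write(subject, dst)


def reclassify(current: Label, new: Label, actor_role: str) -> Label:
    """Relabelling is not something the file owner can do under MAC; only the
    security administrator role (hypothetical name) may change a classification."""
    if actor_role != "security administrator":
        raise PermissionError("only the security administrator may reclassify")
    return new


if __name__ == "__main__":
    # Constructed subjects and objects following the post's examples.
    europe_analyst = Label("secret", frozenset({"europe"}))
    asia_report = Label("secret", frozenset({"asia"}))
    europe_report = Label("secret", frozenset({"europe"}))
    clerk = Label("unclassified")

    print("Europe analyst reads Asia report:", can_read(europe_analyst, asia_report))     # False
    print("Europe analyst reads Europe report:", can_read(europe_analyst, europe_report))  # True
    print("Unclassified clerk reads secret report:", can_read(clerk, europe_report))       # False

    ts_window = Label("top secret", frozenset({"europe"}))
    u_window = Label("unclassified")
    ts_user = Label("top secret", frozenset({"europe"}))
    print("Copy TS window -> unclassified window:", can_copy(ts_user, ts_window, u_window))  # False
    print("Copy unclassified window -> TS window:", can_copy(ts_user, u_window, ts_window))  # True

    try:
        reclassify(europe_report, Label("unclassified"), actor_role="owner")
    except PermissionError as e:
        print("Owner downgrade refused:", e)
    print("Admin downgrade:", reclassify(europe_report, Label("unclassified"),
                                         actor_role="security administrator"))
```

Note that `can_write` only requires the object to dominate the subject, so a subject at 'unclassified' may append to a 'secret' file it cannot read; that is the classic blind write-up the model permits, and real systems usually tighten it to "equal labels only" for ordinary writes.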



More information about the Comp.unix.sysv386 mailing list