Contents

Copyright(c) Management Analytics, 1995 - All Rights Reserved

                                   CONTENTS


          FOREWORD. . . . . . . . . . . . . . . . . . . . . . . . . . . .i

          ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . ii

          PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . .v

          INTRODUCTION. . . . . . . . . . . . . . . . . . . . . . . . . .1


                             PART I:  THE CRITERIA

          1.0  DIVISION D:  MINIMAL PROTECTION. . . . . . . . . . . . . .9

          2.0  DIVISION C:  DISCRETIONARY PROTECTION. . . . . . . . . . 11
               2.1   Class (C1):  Discretionary Security Protection . . 12
               2.2   Class (C2):  Controlled Access Protection. . . . . 15

          3.0  DIVISION B:  MANDATORY PROTECTION. . . . . . . . . . . . 19
               3.1   Class (B1):  Labeled Security Protection . . . . . 20
               3.2   Class (B2):  Structured Protection . . . . . . . . 26
               3.3   Class (B3):  Security Domains. . . . . . . . . . . 33

          4.0  DIVISION A:  VERIFIED PROTECTION . . . . . . . . . . . . 41
               4.1   Class (A1):  Verified Design . . . . . . . . . . . 42
               4.2   Beyond Class (A1). . . . . . . . . . . . . . . . . 51


                      PART II:  RATIONALE AND GUIDELINES

          5.0  CONTROL OBJECTIVES FOR TRUSTED COMPUTER SYSTEMS. . . . . 55
               5.1   A Need for Consensus . . . . . . . . . . . . . . . 56
               5.2   Definition and Usefulness. . . . . . . . . . . . . 56
               5.3   Criteria Control Objective . . . . . . . . . . . . 56

          6.0  RATIONALE BEHIND THE EVALUATION CLASSES. . . . . . . . . 63
               6.1   The Reference Monitor Concept. . . . . . . . . . . 64
               6.2   A Formal Security Policy Model . . . . . . . . . . 64
               6.3   The Trusted Computing Base . . . . . . . . . . . . 65
               6.4   Assurance. . . . . . . . . . . . . . . . . . . . . 65
               6.5   The Classes. . . . . . . . . . . . . . . . . . . . 66

          7.0  THE RELATIONSHIP BETWEEN POLICY AND THE CRITERIA . . . . 69
               7.1   Established Federal Policies . . . . . . . . . . . 70
               7.2   DoD Policies . . . . . . . . . . . . . . . . . . . 70
               7.3   Criteria Control Objective For Security Policy . . 71
               7.4   Criteria Control Objective for Accountability. . . 74
               7.5   Criteria Control Objective for Assurance . . . . . 76

          8.0  A GUIDELINE ON COVERT CHANNELS . . . . . . . . . . . . . 79


          9.0  A GUIDELINE ON CONFIGURING MANDATORY ACCESS CONTROL
               FEATURES . . . . . . . . . . . . . . . . . . . . . . . . 81

          10.0  A GUIDELINE ON SECURITY TESTING . . . . . . . . . . . . 83
                10.1 Testing for Division C . . . . . . . . . . . . . . 84
                10.2 Testing for Division B . . . . . . . . . . . . . . 84
                10.3 Testing for Division A . . . . . . . . . . . . . . 85


          APPENDIX A:  Commercial Product Evaluation Process. . . . . . 87

          APPENDIX B:  Summary of Evaluation Criteria Divisions . . . . 89
          
          APPENDIX C:  Summary of Evaluation Criteria Classes . . . . . 91

          APPENDIX D:  Requirement Directory. . . . . . . . . . . . . . 93

          GLOSSARY. . . . . . . . . . . . . . . . . . . . . . . . . . .109

          REFERENCES. . . . . . . . . . . . . . . . . . . . . . . . . .115