Evaluation Criteria of Systems Security Controls

By Lawrence C. Miller, Peter H. Gregory

Evaluation criteria provide a standard for quantifying the security of a computer system or network. These criteria include the Trusted Computer System Evaluation Criteria (TCSEC), Trusted Network Interpretation (TNI), European Information Technology Security Evaluation Criteria (ITSEC), and the Common Criteria.

Trusted Computer System Evaluation Criteria (TCSEC)

The Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, is part of the Rainbow Series developed for the U.S. Department of Defense (DoD) by the National Computer Security Center (NCSC). Its mandatory access control requirements are a formalization of the Bell-LaPadula confidentiality model. The evaluation criteria were developed to achieve the following objectives:

  • Measurement: Provides a metric for assessing comparative levels of trust between different computer systems.
  • Guidance: Identifies standard security requirements that vendors must build into systems to achieve a given trust level.
  • Acquisition: Provides customers a standard for specifying acquisition requirements and identifying systems that meet those requirements.

The four basic control requirements identified in the Orange Book are

  • Security policy: The rules and procedures by which a trusted system operates. Specific TCSEC requirements include
    • Discretionary access control (DAC): The owner of an object decides which other subjects may access it and in what way, typically through an access control list.
    • Mandatory access control (MAC): Access is decided by comparing the subject's clearance with the object's sensitivity label under a system-wide policy set by the security administrator; neither the owner nor the user can override the decision.
    • Object reuse: Protects the confidentiality of storage (memory, registers, disk blocks) that is reassigned after initial use. For example, deleting a file on a FAT file system only flags the directory entry (its first character is overwritten) and releases the file allocation table (FAT) entries; the data blocks are left intact, so the contents can be recovered. This residual data is known as data remanence. Object-reuse requirements demand that such storage be cleared before it is allocated to another subject.
    • Labels: Sensitivity labels are required in MAC-based systems. Specific TCSEC labeling requirements include label integrity, export of labeled information, and subject and object labels.
  • Assurance: Guarantees that a security policy is correctly implemented. TCSEC divides the specific requirements into operational assurance (system architecture, system integrity, covert channel analysis, trusted facility management, and trusted recovery) and life-cycle assurance (security testing, design specification and verification, configuration management, and trusted distribution):
    • System architecture: TCSEC requires features and principles of system design that implement specific security features.
    • System integrity: Hardware and firmware operate properly and are tested to verify proper operation.
    • Covert channel analysis: TCSEC requires covert channel analysis that detects unintended communication paths not protected by a system’s normal security mechanisms. A covert storage channel conveys information by altering stored system data. A covert timing channel conveys information by altering a system resource’s performance or timing.

A systems or security architect must understand covert channels and how they work in order to prevent the use of covert channels in the system environment.
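The DAC, MAC, and label requirements listed under Security policy, and the covert storage channel just described, can be seen together in a small simulation. The following Python is an added example written for this page, not code from the Orange Book or from the authors; the subjects, labels, objects, and the shared block pool are all constructed. The reference monitor enforces an owner-set access control list (DAC) and the Bell-LaPadula no-read-up and no-write-down rules (MAC); the block pool is a resource the monitor does not mediate, which is exactly the kind of path covert channel analysis is meant to find.

```python
"""Toy reference monitor with TCSEC-style DAC and MAC (Bell-LaPadula labels),
plus a covert storage channel that leaks around it.
Added example written for this page, not code from the Orange Book or the
authors; subjects, objects, labels and the block pool are all constructed."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()
    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

@dataclass
class Subject:
    name: str
    clearance: Label

@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)   # DAC: subject name -> {"read", "write"}
    data: list = field(default_factory=list)

def access_allowed(subj, obj, mode):
    """The reference monitor's decision: DAC and MAC must both agree."""
    # DAC: the owner may do anything; anyone else needs an ACL entry.
    dac_ok = subj.name == obj.owner or mode in obj.acl.get(subj.name, set())
    # MAC: simple security property (no read up) for reads, *-property
    # (no write down) for writes. The owner cannot override this half.
    if mode == "read":
        mac_ok = subj.clearance.dominates(obj.label)
    else:
        mac_ok = obj.label.dominates(subj.clearance)
    return dac_ok and mac_ok

class BlockPool:
    """Disk blocks the monitor does not mediate. A single shared pool is the
    covert storage channel; one pool per level is the usual mitigation."""
    def __init__(self, blocks=1, partitioned=False):
        self.partitioned = partitioned
        self.pools = {"HIGH": blocks, "LOW": blocks} if partitioned else {"ALL": blocks}
    def alloc(self, level):
        key = level if self.partitioned else "ALL"
        if self.pools[key] == 0:
            return False
        self.pools[key] -= 1
        return True
    def release(self, level):
        self.pools[level if self.partitioned else "ALL"] += 1

def covert_storage_channel(bits, pool):
    """HIGH signals 1 by taking the last free block and 0 by leaving it;
    LOW reads each bit by probing whether its own allocation succeeds."""
    received = []
    for bit in bits:
        if bit:
            pool.alloc("HIGH")
        got = pool.alloc("LOW")
        received.append(0 if got else 1)
        if got:
            pool.release("LOW")
        if bit:
            pool.release("HIGH")
    return received

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def demo():
    alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})))
    bob = Subject("bob", Label("UNCLASSIFIED"))
    plan = Obj("plan.txt", "alice", alice.clearance, {"bob": {"read"}}, [b"K"])
    board = Obj("board.txt", "bob", bob.clearance, {"alice": {"read", "write"}})
    secret = plan.data[0]
    return {
        "bob_reads_plan": access_allowed(bob, plan, "read"),          # DAC yes, MAC no
        "alice_reads_board": access_allowed(alice, board, "read"),    # read down is fine
        "alice_writes_board": access_allowed(alice, board, "write"),  # no write down
        # The direct write-down is denied, yet the secret still reaches bob.
        "leaked_shared": from_bits(covert_storage_channel(to_bits(secret), BlockPool())),
        "leaked_partitioned": from_bits(covert_storage_channel(
            to_bits(secret), BlockPool(partitioned=True))),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the direct write-down is denied, yet every bit of plan.txt arrives at the low subject through the block pool, one allocation probe at a time. Partitioning the pool per level closes this particular channel; the other standard responses are to reduce its bandwidth (adding noise or delay to the shared resource) and to audit its use, which is what the covert channel requirements of the B2 and B3 classes ask for.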

    • Trusted facility management: The assignment of specific individuals to administer the security-related functions of a system. Closely related to the concepts of least privilege, separation of duties, and need-to-know.
    • Trusted recovery: Ensures that security isn't compromised in the event of a system crash or failure. This process involves two primary activities: failure preparation and system recovery.
    • Security testing: Specifies required testing by the developer and the National Computer Security Center (NCSC).
    • Design specification and verification: Requires that the design description be shown to be consistent with the security policy; at the highest class this means a formal (mathematical) specification verified with formal techniques and tools.
    • Configuration management: Identifying, controlling, accounting for, and auditing all changes made to the Trusted Computing Base (TCB) during the design, development, and maintenance phases of a system's lifecycle.
    • Trusted distribution: Protects the integrity of the TCB during transport from the vendor to the customer, so that what is installed is what was evaluated.

  • Accountability: The ability to associate users and processes with their actions. Specific TCSEC requirements include
    • Identification and authentication (I&A): Each user must be identified and that identity verified before access is granted, so that every action can be attributed to an individual.
    • Trusted Path: A direct communications path between the user and the Trusted Computing Base (TCB) that doesn’t require interaction with untrusted applications or operating-system layers.
    • Audit: Recording, examining, analyzing, and reviewing security-related activities in a trusted system.
  • Documentation: Specific TCSEC requirements include
    • Security Features User’s Guide (SFUG): User’s manual for the system.
    • Trusted Facility Manual (TFM): System administrator’s and/or security administrator’s manual.
    • Test documentation: According to the TCSEC manual, this documentation must be in a position to “show how the security mechanisms were tested, and results of the security mechanisms’ functional testing.”
    • Design documentation: Defines system boundaries and internal components, such as the Trusted Computing Base (TCB).
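The object reuse requirement listed under Security policy above is easiest to see on a simulated volume. The following Python is an added example for this page, not the authors' code or any real file system driver; the FAT-like layout, block size, and file contents are constructed for illustration. The naive volume behaves as the text describes (delete flags the directory entry and frees the allocation-table chain, leaving the data blocks intact), so both a carve of unallocated space and the slack of a newly created file expose the old contents; the sanitizing volume clears blocks on release and again on allocation, which is what object reuse requires.

```python
"""Simulated FAT-style volume: data remanence after delete versus a volume
that meets the TCSEC object-reuse requirement.
Added example for this page, not the authors' code or a real file system;
the layout, block size and file contents are constructed for illustration."""

BLOCK = 16             # bytes per block (tiny so the demo is readable)
FREE, EOF = None, -1   # allocation-table markers

class Volume:
    """Directory + allocation table + data blocks, FAT fashion."""
    def __init__(self, nblocks=8):
        self.fat = [FREE] * nblocks                      # block -> next block / EOF / FREE
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        self.dir = {}                                    # name -> (first block, length)

    def _alloc(self):
        for i, nxt in enumerate(self.fat):
            if nxt is FREE:
                self.fat[i] = EOF
                return i
        raise OSError("volume full")

    def _chain(self, b):
        while b != EOF:
            yield b
            b = self.fat[b]

    def write(self, name, data):
        chain = []
        for off in range(0, max(len(data), 1), BLOCK):
            b = self._alloc()
            chunk = data[off:off + BLOCK]
            self.blocks[b][:len(chunk)] = chunk          # only the bytes written are touched
            if chain:
                self.fat[chain[-1]] = b
            chain.append(b)
        self.dir[name] = (chain[0], len(data))

    def read(self, name):
        first, length = self.dir[name]
        return b"".join(bytes(self.blocks[b]) for b in self._chain(first))[:length]

    def delete(self, name):
        """Like FAT: flag the directory entry, free the chain, leave the data."""
        first, length = self.dir.pop(name)
        for b in list(self._chain(first)):
            self.fat[b] = FREE
        self.dir["\xe5" + name[1:]] = (first, length)   # FAT's 0xE5 'deleted' marker

    def unallocated(self):
        """What a forensic carve of free space sees."""
        return b"".join(bytes(self.blocks[i]) for i, n in enumerate(self.fat) if n is FREE)

class SanitizingVolume(Volume):
    """Object reuse: clear storage when it is released and again before it
    is handed to a new file, so nothing from the prior owner survives."""
    def _alloc(self):
        b = super()._alloc()
        self.blocks[b][:] = bytes(BLOCK)
        return b

    def delete(self, name):
        for b in list(self._chain(self.dir[name][0])):
            self.blocks[b][:] = bytes(BLOCK)
        super().delete(name)

def demo(volume_cls):
    v = volume_cls()
    v.write("secret.txt", b"launch code 4471-ALPHA")   # 22 bytes -> two blocks
    v.delete("secret.txt")
    carved = v.unallocated()                            # remanence in free space?
    v.write("note.txt", b"hi")                          # reuses the first freed block
    first, _ = v.dir["note.txt"]
    slack = bytes(v.blocks[first])[2:]                  # bytes past what note.txt wrote
    return {"carved": carved, "slack": slack, "note": v.read("note.txt")}

if __name__ == "__main__":
    for cls in (Volume, SanitizingVolume):
        print(cls.__name__, demo(cls))
```

On the naive volume the carve of free space still contains the whole secret and the new file's slack holds the tail of the old first block; on the sanitizing volume both come back as zeros while note.txt reads normally. Clearing on allocation alone satisfies the letter of object reuse for the next subject, but it leaves the data on the media until reallocation, which is why the example also clears on release.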

The Orange Book defines four major hierarchical classes of security protection and numbered subclasses (within a class, a higher number indicates a higher level of trust):

  • D: Minimal protection
  • C: Discretionary protection (C1 and C2)
  • B: Mandatory protection (B1, B2, and B3)
  • A: Verified protection (A1)

These classes are further defined in this table.

TCSEC Classes

Class      Name                                  Sample requirements
D          Minimal protection                    Reserved for systems that fail evaluation.
C1         Discretionary protection (DAC)        System doesn't need to distinguish between individual users and types of access.
C2         Controlled access protection (DAC)    System must distinguish between individual users and types of access; object reuse security features required.
B1         Labeled security protection (MAC)     Sensitivity labels required for all subjects and storage objects.
B2         Structured protection (MAC)           Sensitivity labels required for all subjects and objects; trusted path requirements.
B3         Security domains (MAC)                Access control lists (ACLs) are specifically required; system must protect against covert channels.
A1         Verified design (MAC)                 Formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout the entire system lifecycle.
Beyond A1  (not a defined class)                 Self-protection and reference monitors are implemented in the Trusted Computing Base (TCB). TCB verified to source-code level.

You don’t need to know specific requirements of each TCSEC level for the CISSP exam, but you should know at what levels DAC and MAC are implemented and the relative trust levels of the classes, including numbered subclasses.

Major limitations of the Orange Book include that

  • It addresses only confidentiality issues. It doesn’t include integrity and availability.
  • It isn’t applicable to most commercial systems.
  • It emphasizes protection from unauthorized access, despite statistical evidence that many security violations involve insiders.
  • It doesn’t address networking issues.

Trusted Network Interpretation (TNI)

Part of the Rainbow Series, like TCSEC (discussed in the preceding section), Trusted Network Interpretation (TNI) addresses confidentiality and integrity in trusted computer/communications network systems. Within the Rainbow Series, it’s known as the Red Book.

Part I of the TNI is a guideline for extending the system protection standards defined in the TCSEC (the Orange Book) to networks. Part II of the TNI describes additional security features such as communications integrity, protection from denial of service, and transmission security.

European Information Technology Security Evaluation Criteria (ITSEC)

Unlike TCSEC, the European Information Technology Security Evaluation Criteria (ITSEC) addresses confidentiality, integrity, and availability, as well as evaluating an entire system, defined as a Target of Evaluation (TOE), rather than a single computing platform.

ITSEC evaluates functionality (security objectives, or why; security-enforcing functions, or what; and security mechanisms, or how) and assurance (effectiveness and correctness) separately. The ten functionality (F) classes and seven evaluation (E) (assurance) levels are listed in the following table.

ITSEC Functionality (F) Classes and Evaluation (E) Levels mapped to TCSEC levels

(F) Class  (E) Level  Description
NA         E0         Equivalent to TCSEC level D
F-C1       E1         Equivalent to TCSEC level C1
F-C2       E2         Equivalent to TCSEC level C2
F-B1       E3         Equivalent to TCSEC level B1
F-B2       E4         Equivalent to TCSEC level B2
F-B3       E5         Equivalent to TCSEC level B3
F-B3       E6         Equivalent to TCSEC level A1
F-IN       NA         TOEs with high integrity requirements
F-AV       NA         TOEs with high availability requirements
F-DI       NA         TOEs with high integrity requirements during data communication
F-DC       NA         TOEs with high confidentiality requirements during data communication
F-DX       NA         Networks with high confidentiality and integrity requirements

You don’t need to know specific requirements of each ITSEC level for the CISSP exam, but you should know how the basic functionality levels (F-C1 through F-B3) and evaluation levels (E0 through E6) correlate to TCSEC levels.

Common Criteria

The Common Criteria for Information Technology Security Evaluation (usually just called Common Criteria) is an international effort to standardize and improve existing European and North American evaluation criteria. It has been adopted as an international standard in ISO/IEC 15408. The standard defines seven evaluation assurance levels (EAL1 through EAL7); the EAL0 row in the following table is not a defined level but is commonly used for a product whose evaluation did not reach EAL1. The TCSEC and ITSEC columns are rough equivalents only, since the three schemes measure different things.

The Common Criteria

Level  TCSEC equivalent  ITSEC equivalent  Description
EAL0   N/A               N/A               Inadequate assurance
EAL1   N/A               N/A               Functionally tested
EAL2   C1                E1                Structurally tested
EAL3   C2                E2                Methodically tested and checked
EAL4   B1                E3                Methodically designed, tested, and reviewed
EAL5   B2                E4                Semi-formally designed and tested
EAL6   B3                E5                Semi-formally verified design and tested
EAL7   A1                E6                Formally verified design and tested

You don’t need to know specific requirements of each Common Criteria level for the CISSP exam, but you should understand the basic evaluation hierarchy (EAL0 through EAL7, in order of increasing levels of trust).