TCSEC {Trusted Computer System Evaluation Criteria}
----------------------------------------------------------------------------

[Division]: D
Class: N/A
Type: Minimal Protection
Highlights: This division contains only one class. It is reserved for
    those systems that have been evaluated but fail to meet requirements
    for a higher division.
Examples: MS-DOS machines, Apple Macintosh machines

- - - - - - - - - -

[Division]: C  Discretionary Protection
Synopsis: Classes in this division provide for discretionary protection
    and accountability of subjects and actions they initiate.

Class: 1
Type: Discretionary Security Protection
Highlights: Provides discretionary security requirements by separating
    users and data. Incorporates some form of credible controls capable
    of enforcing access limitations on an individual basis. The class C1
    environment is expected to be one of cooperating users processing
    data at the same levels of security.
Examples: Unix (some)

Class: 2
Type: Controlled Access Protection
Highlights: Systems in this class enforce a more finely grained
    discretionary access control system than C1. Users are individually
    held accountable for actions through login procedures, auditing of
    security related events, and resource isolation.
Examples: Unix (some), VMS, Windows NT, Primos, SVS/OS CAP, OSF/1

- - - - - - - - - -

[Division]: B  Mandatory Protection
Synopsis: The notion of a Trusted Computing Base that preserves the
    integrity of sensitivity labels and uses them to enforce a set of
    mandatory access control rules is a major requirement of this
    division. Systems in this division must carry the sensitivity labels
    with major data structures in the system. The system developer must
    also provide a security policy model specification on which the TCB
    is based.

Class: 1
Type: Labeled Protection
Highlights: All requirements from C2. In addition, an informal statement
    of the security policy model, data labeling, and mandatory access
    control over named subjects and objects must be present. The
    capability must exist for accurately labeling exported information
    (hardcopy, etc.).
Examples: CMW+, OSF/1 (optional), OS 1100

Class: 2
Type: Structured Protection
Highlights: In B2 systems, the TCB is based on a clearly defined and
    documented formal security policy model that requires the
    discretionary and mandatory access control enforcement found in B1
    to be extended to all subjects and objects in the system. In
    addition, covert channels are addressed. Authentication mechanisms
    are strengthened, trusted facility management is provided in the
    form of support for system administrator and operator functions, and
    stringent configuration management controls are imposed. The system
    is relatively resistant to penetration.
Examples: Multics, Trusted XENIX

Class: 3
Type: Security Domain
Highlights: B3 systems must satisfy reference monitor requirements that
    it mediate all accesses of subjects to objects, be tamperproof, and
    be small enough to be subjected to analysis and testing. The TCB is
    structured to exclude code not essential to security policy
    enforcement, with significant system engineering during design to
    minimize complexity. Support is added for a security administrator,
    audit mechanisms are expanded to signal security related events, and
    system recovery procedures are required. The system is highly
    resistant to penetration.
Examples: XTS-200 (?)

- - - - - - - - - -

[Division]: A  Verified Protection
Synopsis: Characterized by the use of formal security verification
    methods to assure that the mandatory and discretionary security
    controls employed in the system can effectively protect classified
    or other sensitive information stored or processed by the system.
    Extensive documentation is required to demonstrate that the TCB
    meets the security requirements in all aspects of design,
    development, and implementation.

Class: 1
Type: Verified Design
Highlights: Functionally equivalent to B3 systems, A1 systems differ in
    the level of assurance. A1 systems undergo intense analysis derived
    from formal design specification and verification techniques,
    resulting in a high degree of assurance that the TCB is correctly
    implemented.
Examples: SCOMP, SNS

3/14/95
-----------------------------------------------------------------------------