Computers at Risk: Safe Computing in the Information Age (1991)
Computer Science and Telecommunications Board (CSTB)

Citation: "A The Orange Book." Computers at Risk: Safe Computing in the Information Age. Washington, DC: The National Academies Press, 1991.

Page 245



Class (B3): Security Domains

The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.

Class (A1): Verified Design

Systems in class (A1) are functionally equivalent to those in class (B3) in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. In keeping with extensive design and development analysis of the TCB required of systems in class (A1), more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.

SOURCE: Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985, Appendix C, pp. 93–94.

processing. It has been codified as a military standard, making it a requirement for defense systems, and its dissemination has been directed largely to major vendors of centralized systems, notably vendors who are or who supply government contractors.

Because of its shortcomings, which have been debated in the computer security community for several years, the Orange Book must be regarded as only an interim stage in the codification of prudent protection practices.