Appendix A The Orange Book
The Department of Defense's Trusted Computer System Evaluation Criteria, or Orange Book, contains criteria for building systems that provide specific sets of security features and assurances (U.S. DOD, 1985d; see Box A.1). However, the Orange Book does not provide a complete basis for security:
Its origin in the defense arena is associated with an emphasis on disclosure control that seems excessive to many commercial users of computers. There is also a perception in the marketplace that it articulates defense requirements only.
It specifies a coherent, targeted set of security functions that may not be general enough to cover a broad range of requirements in the commercial world. For example, it does not provide sufficient attention to information integrity and auditing. It says little about networked systems (despite the attempts made by the current and anticipated versions of the Trusted Network Interpretation, or Red Book (U.S. DOD, 1987). Also, it provides only weak support for management control practices, notably individual accountability and separation of duty.
The Orange Book process combines published system criteria with system evaluation and rating (relative to the criteria) by the staff of the National Computer Security Center. This process provides no incentive or reward for security capabilities that go beyond, or do not literally answer, the Orange Book's specific requirements.
Familiarity with the Orange Book is uneven within the broader community of computer manufacturers, managers, auditors, and insurers, and system users. Its definitions and concepts have not been expressed in the vocabulary typically used in general information
BOX A.1 SUMMARY OF EVALUATION CRITERIA CLASSES
The classes of systems recognized under the trusted computer systems evaluation criteria are as follows. They are presented in the order of increasing desirability from a computer security point of view.
Class (D): Minimal Protection
This class is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.
Class (C1): Discretionary Security Protection
The Trusted Computing Base (TCB) of a class (C1) system nominally satisfies the discretionary security requirements by providing separation of users and data. It incorporates some form of credible controls capable of enforcing access limitations on an individual basis, i.e., ostensibly suitable for allowing users to be able to protect project or private information and to keep other users from accidentally reading or destroying their data. The class (C1) environment is expected to be one of cooperating users processing data at the same level(s) of sensitivity.
Class (C2): Controlled Access Protection
Systems in this class enforce a more finely grained discretionary access control than (C1) systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.
Class (B1): Labeled Security Protection
Class (B1) systems require all the features required for class (C2). In addition, an informal statement of the security policy model, data labeling, and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information. Any flaws identified by testing must be removed.
Class (B2): Structured Protection
In class (B2) systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class (B1) systems to be extended to all subjects and objects in the ADP system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non-protection-critical elements. The TCB interface is well-defined and the TCB design and implementation enable it to be subjected to more thorough testing and more complete review. Authentication mechanisms are strengthened, trusted facility management is provided in the form of support for system administrator and operator functions, and stringent configuration management controls are imposed. The system is relatively resistant to penetration.
Class (B3): Security Domains
The class (B3) TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.
Class (A1): Verified Design
Systems in class (A1) are functionally equivalent to those in class (B3) in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. In keeping with extensive design and development analysis of the TCB required of systems in class (A1), more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.
SOURCE: Department of Defense Trusted Computer System Evaluation Criteria, DOD 5200.28-STD, December 1985, Appendix C, pp. 93–94.
processing. It has been codified as a military standard, making it a requirement for defense systems, and its dissemination has been directed largely to major vendors of centralized systems, notably vendors who are or who supply government contractors.
Because of its shortcomings, which have been debated in the computer security community for several years, the Orange Book must be regarded as only an interim stage in the codification of prudent protection practices.