NT's C2 rating

Fri Mar 22 05:59:26 PST 1996

At 02:30 PM 3/21/96 -0800, David Loysen <dwl at hnc.com> wrote:
>I don't see any reason a C2 or B2 system can't be networked to another
>system(s) with the same classification. But that isn't really what I meant.
>Can you make a firewall system that is C2 compliant? Isn't this what you
>would need in order to connect a C2 system or network to another non secure
>network, (i.e. the internet)?

Leaving out Red Book details (since back when I last read the Red Book,
nobody really had any general solutions to the problems), the problem is that
the Orange Book demands that for C-level and above, the operating system
must know the identity of all the users so it can track file, process,
and authentication accesses, and for B1 and up, it also needs to know
what users are allowed to use what security levels and what levels they're
actually operating at.

1) It's difficult to do that - you have to trust the messages coming over
a wire from the other machine to tell you who they're from, unless you can
be sure there's only one user per wire.  That means you need a mechanism
for trusting the other machine, a mechanism for communicating that trust,
a shared or mappable mechanism for identifying users, etc.
That takes a certain amount of work even when you control all the machines
that your machine can talk to, which you often can't (e.g. on an outer
firewall.)

2) To _certify_ a system for general use (as opposed to certifying a specific
instantiation of a system), you need to be sure that it will be installed
and maintained in a way that will provide that identification and assurance.
That's even harder, because you either need cryptographic authentication
and session control, or else you need a way to guarantee that the system
you're certifying only talk to machines that are administered in coordination
with it, in spite of being installed by some Army grunt or military contractor
who may RTFM but isn't a security wizard.  And in the C2-certification biz,
"cryptographic" means "something you got from the NSA", because they're the
ones who do military crypto, and they tend not to trust software.
Fortezza cards may do this stuff ok....

3) The networking code becomes part of the Trusted Comptuting Base,
which means you have to be able to verify that it can't mess with anything
that you don't want it messing with, and if it supports more than one
simultaneous user, it's got to be able to keep track of sessions and
communicate them reliably to the OS and TCB.  That works relatively well
for serial-port user logins and maybe uucp.  

TCP/IP, on the other hand, is typically implemented down in the guts of the OS,
partly because IP needs to talk to hardware a lot, partly because it's
often easier to do the TCP and IP together, partly for "speed", and partly
because it's much more efficient to hand stuff to multiple users from kernel
space than to hand it up to a user-space application which then IPCs things
back through the kernel to their destination user processes.
It also tends to have various pieces running as root, either to access
hardware or protected parts of the software, or to make it easier
to transfer ownership of information to processes owned by different users.
(Yes, this is a Unix-centric view, but other systems tend to do similar stuff.)

This makes it difficult to verify that it's clean (hey, parts of it are
tough enough to get working really well, much less bug-free), and
it's even tougher at higher levels like B2 that want Least Privilege
rather than having a SuperUser root that can do everything.
Root stuff is just basically dangerous anyway.  And B1-level OSs often run
the TCB (including root) at System Low to make sure no regular user can 
mess with it, which makes it hard for root-owned processes to write up to users.

#--
#			Thanks;  Bill
# Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281
# "At year's end, however, new government limits on Internet access threatened
# to halt the growth of Internet use.  [...] Government control of news media 
# generally continues to depend on self-censorship to regulate political and
# social content, but the authorities also consistently penalize those who
# exceed the permissible."  - US government statement on China...

"SigFiles of Unusual Size?  I don't believe they exist!"