Page 114 - DCAP516_COMPUTER_SECURITY
Computer Security
Notes: This is a paraphrase of the CNSSI 4009 glossary definition of Multi-Level Security.
Note that the UCDMO (the US government lead for cross domain and multi-level secure systems)
created a Cross Domain Multi-Level category on its baseline of accredited systems, which is
synonymous with multi-level security.
MLS allows easy access to less-sensitive information by higher-cleared individuals, and it allows
higher-cleared individuals to easily share sanitized documents with less-cleared individuals. A
sanitized document is one that has been edited to remove information that the less-cleared
individual is not allowed to see.
An MLS operating environment often requires a highly trustworthy information processing
system, usually built on an MLS operating system, though not necessarily. Most MLS functionality
can be supported by a system composed entirely of untrusted computers, although this requires
multiple independent computers linked by hardware security-compliant channels. An example
of hardware-enforced MLS is Asymmetric Isolation. If a single computer is used in MLS mode,
that computer must run a trusted operating system (OS). Because all information in an MLS
environment is physically accessible to the OS, strong logical controls must exist to ensure
that access to information is strictly controlled. Typically this involves mandatory access
control that uses security labels, as in the Bell-LaPadula model.
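The label-based mandatory access control just described, and the sanitized-document sharing mentioned earlier, can be illustrated with a small Bell-LaPadula-style policy checker. The following is an added example written for this page, not code from the textbook or from any MLS operating system; the level names, compartment names and sample paragraphs are constructed. Labels form a lattice (a hierarchical level plus a set of compartments), the simple-security property forbids reading up, the *-property forbids writing down, and sanitization keeps only the paragraphs a lower-cleared reader is permitted to see.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Classification levels, lowest to highest (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance is the partial order of the label lattice: a higher-or-equal
        # level AND a superset of the other label's compartments. Two labels at
        # the same level with disjoint compartments are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject's label."""
    return obj.dominates(subject)


# A document is a list of (label, text) paragraphs.
Paragraph = Tuple[Label, str]


def document_label(paragraphs: List[Paragraph]) -> Label:
    """Least upper bound of all paragraph labels: the label of the whole document."""
    top = max(paragraphs, key=lambda p: LEVELS[p[0].level])[0].level
    comps = frozenset().union(*(p[0].compartments for p in paragraphs))
    return Label(top, comps)


def sanitize(paragraphs: List[Paragraph], target: Label) -> List[Paragraph]:
    """Keep only the paragraphs a reader cleared to `target` is allowed to see.

    Releasing the result to a lower level is itself a write-down, so in a real
    MLS system this step is performed by a trusted subject (a guard, or a
    reviewer using a trusted process) rather than by an ordinary user bound by
    the *-property.
    """
    return [p for p in paragraphs if can_read(target, p[0])]


if __name__ == "__main__":
    ts_crypto = Label("TOP_SECRET", frozenset({"CRYPTO"}))
    secret = Label("SECRET")
    unclass = Label("UNCLASSIFIED")

    # Constructed sample document with paragraphs at three levels.
    doc = [(unclass, "Meeting agenda"),
           (secret, "Budget figures"),
           (ts_crypto, "Key schedule")]

    print("doc label:", document_label(doc))
    print("TS/CRYPTO user reads SECRET:", can_read(ts_crypto, secret))   # True
    print("SECRET user reads TS/CRYPTO:", can_read(secret, ts_crypto))   # False
    print("TS/CRYPTO user writes SECRET:", can_write(ts_crypto, secret)) # False (no write down)
    released = sanitize(doc, secret)
    print("sanitized for SECRET:", [text for _, text in released])
    print("SECRET user reads sanitized:", can_read(secret, document_label(released)))  # True
```

Two things the code makes concrete that the prose only states: a subject at the same level but in a different compartment is refused in both directions (the lattice is partial, not a simple ladder), and the downgrade in `sanitize` is exactly the operation the *-property exists to forbid, which is why real systems route it through a trusted component.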
Customers that deploy trusted operating systems typically require that the product complete a
formal computer security evaluation. The evaluation is stricter for a broader security range,
the range being the lowest and highest classification levels the system can process. The Trusted
Computer System Evaluation Criteria (TCSEC) were the first evaluation criteria developed to
assess MLS in computer systems. Under those criteria there was a clear, uniform mapping between
the security requirements and the breadth of the MLS security range. Historically, few
implementations have been certified capable of MLS processing with a security range of
Unclassified through Top Secret. Among them were Honeywell's SCOMP, USAF SACDIN, NSA
Blacker, and Boeing's MLS LAN, all evaluated under TCSEC, of 1980s vintage and Intel 80386-based.
Currently, MLS products are evaluated under the Common Criteria. In late 2008, the first operating
system (more below) was certified to a high evaluation assurance level (EAL), EAL 6+ / High
Robustness, under the auspices of a U.S. government program requiring multi-level security in a
high-threat environment. While this assurance level has many similarities to that of the old
Orange Book A1 (such as formal methods), the functional requirements focus on fundamental
isolation and information-flow policies rather than higher-level policies such as Bell-LaPadula.
Because the Common Criteria decoupled TCSEC's pairing of assurance (EAL) and functionality
(Protection Profile), the clear, uniform mapping between security requirements and MLS
security-range capability documented in CSC-STD-004-85 was largely lost when the Common
Criteria superseded the Rainbow Series.
Did you know? Freely available operating systems with some features that support MLS
include Linux with the Security-Enhanced Linux feature enabled and FreeBSD.
Security evaluation was once thought to be a problem for these free MLS implementations for
three reasons:
1. It is always very difficult to implement a kernel self-protection strategy with the precision
needed for MLS trust, and these examples were neither designed nor certified to an MLS
protection profile, so they may not offer the self-protection needed to support MLS.
2. Aside from EAL levels, the Common Criteria lack an inventory of appropriate high-assurance
protection profiles that specify the robustness needed to operate in MLS mode.
108 LOVELY PROFESSIONAL UNIVERSITY