Page 115 - DCAP516_COMPUTER_SECURITY
Unit 9: Database Security
3. Even if (1) and (2) were met, the evaluation process is very costly and imposes special
restrictions on configuration control of the evaluated software.
Notwithstanding such suppositions, Red Hat Enterprise Linux 5 was certified against LSPP,
RBACPP, and CAPP at EAL4+ in June 2007. It uses Security-Enhanced Linux to implement MLS
and was the first Common Criteria certification to enforce TOE security properties with Security-
Enhanced Linux.
Caution: Vendor certification strategies can be misleading to laypersons.
A common strategy exploits the layperson’s overemphasis of EAL level with over-certification,
such as certifying an EAL 3 protection profile (like CAPP[5]) to elevated levels, like EAL 4 or
EAL 5. Another is adding and certifying MLS support features (such as Role-Based Access Control
Protection Profile (RBACPP) and Labeled Security Protection Profile (LSPP)) to a kernel that is
not evaluated to an MLS-capable protection profile. Those types of features are services run on
the kernel and depend on the kernel to protect them from corruption and subversion. If the
kernel is not evaluated to an MLS-capable protection profile, MLS features cannot be trusted
regardless of how impressive the demonstration looks. It is particularly noteworthy that CAPP
is specifically not an MLS-capable profile as it specifically excludes self-protection capabilities
critical for MLS.
Sun Microsystems offers Solaris Trusted Extensions as an integrated feature of the commercial
Solaris Operating System as well as OpenSolaris. In addition to the Controlled Access Protection
Profile (CAPP), and Role-Based Access Control (RBAC) protection profiles, Trusted Extensions
has also been certified at EAL4 to the Labeled Security Protection Profile (LSPP). The security
target includes both desktop and network functionality. LSPP mandates that users are not
authorized to override the labeling policies enforced by the kernel and X11 server. The evaluation
does not include a covert channel analysis. Because these certifications depend on CAPP, no
Common Criteria certifications suggest this product is trustworthy for MLS.
BAE Systems offers XTS-400, a commercial system that supports MLS at what the vendor claims
is “high assurance”. Predecessor products (including the XTS-300) were evaluated at the TCSEC
B3 level, which is MLS-capable. The XTS-400 has been evaluated under the Common Criteria at
EAL5+ against the CAPP and LSPP protection profiles. CAPP and LSPP are both EAL3 protection
profiles that are not inherently MLS-capable, but the security target for the Common Criteria
evaluation of this product contains an enriched set of security functions that provide MLS
capability.
9.4.1 Problems in MLS
Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like
those defined by the Bell-LaPadula model, only allow sharing when it does not obviously violate
security restrictions. Users with lower clearances can easily share their work with users holding
higher clearances, but not vice versa. There is no efficient, reliable mechanism by which a Top
Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to
users with Secret or lower clearances. In practice, MLS systems circumvent this problem via
privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a
file’s security classification. However, the technique is not reliable.
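The sharing rules and the sanitization problem described above, as an added illustration that is not part of this unit's text: a minimal reference monitor for a four-level Bell-LaPadula lattice (no compartments) that enforces "no read up" and "no write down", plus a hypothetical `trusted_downgrader` privilege representing the privileged function a trustworthy user invokes to relabel a file. The monitor can check labels, but it has no way to verify that the sanitized content really contains nothing from the higher level; that gap is exactly why the technique is not reliable.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Linear ordering of classifications, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Subject:
    name: str
    clearance: Level
    # Hypothetical privilege: lets a trusted user bypass the *-property to relabel a file.
    trusted_downgrader: bool = False


@dataclass
class Obj:
    name: str
    classification: Level
    content: str


class MLSViolation(Exception):
    """Raised when an access would violate the Bell-LaPadula properties."""


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property: a subject may only read at or below its clearance (no read up)."""
    return subject.clearance >= obj.classification


def can_write(subject: Subject, obj: Obj) -> bool:
    """*-property: a subject may only write at or above its clearance (no write down)."""
    return subject.clearance <= obj.classification


def read(subject: Subject, obj: Obj) -> str:
    if not can_read(subject, obj):
        raise MLSViolation(f"{subject.name} ({subject.clearance.name}) may not read {obj.name}")
    return obj.content


def write(subject: Subject, obj: Obj, text: str) -> None:
    if not can_write(subject, obj):
        raise MLSViolation(f"{subject.name} ({subject.clearance.name}) may not write {obj.name}")
    obj.content = text


def downgrade(subject: Subject, obj: Obj, new_level: Level, sanitized: str) -> Obj:
    """Privileged sanitization path (hypothetical): relabel a file after a trusted user
    has removed the higher-level information. Note that nothing here can verify that
    `sanitized` is actually free of the old classification's content; the monitor must
    simply trust the downgrader. That is the unreliable step."""
    if not subject.trusted_downgrader:
        raise MLSViolation(f"{subject.name} lacks the downgrade privilege")
    if new_level > obj.classification:
        raise ValueError("downgrade() only lowers a label")
    obj.classification = new_level
    obj.content = sanitized
    return obj


def demo() -> dict:
    """Walk through the scenarios from the text with constructed subjects and files."""
    alice = Subject("alice", Level.TOP_SECRET)
    bob = Subject("bob", Level.SECRET)
    officer = Subject("officer", Level.TOP_SECRET, trusted_downgrader=True)
    report = Obj("report.txt", Level.TOP_SECRET, "TS: sensor sites; S: weekly summary")
    memo = Obj("memo.txt", Level.SECRET, "")
    out = {}
    # Lower clearance cannot read up; higher clearance can read down.
    out["bob_reads_ts"] = can_read(bob, report)
    out["alice_reads_ts"] = can_read(alice, report)
    # Lower-cleared bob shares work upward simply by writing at his own level.
    write(bob, memo, "draft from bob")
    out["alice_reads_memo"] = read(alice, memo) == "draft from bob"
    # Top Secret alice cannot deliver even harmless text into a Secret file.
    try:
        write(alice, memo, "summary only")
        out["alice_writes_down"] = True
    except MLSViolation:
        out["alice_writes_down"] = False
    # Without the privilege, alice cannot relabel either.
    try:
        downgrade(alice, report, Level.SECRET, "S: weekly summary")
        out["alice_downgrades"] = True
    except MLSViolation:
        out["alice_downgrades"] = False
    # The privileged function is the only way the Secret user ever sees the report.
    downgrade(officer, report, Level.SECRET, "S: weekly summary")
    out["bob_reads_after_downgrade"] = read(bob, report) == "S: weekly summary"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `downgrade()` path is the point: the monitor enforces the lattice mechanically, but correctness of the relabel rests entirely on a human judgement it cannot audit, which is why MLS deployments treat such privileged functions as trusted code requiring separate review.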
Covert channels pose another problem for MLS systems. For an MLS system to keep secrets
perfectly, there must be no possible way for a Top Secret process to transmit signals of any kind
to a Secret or lower process. This includes side effects such as changes in available memory or
disk space, or changes in process timing. When a process exploits such a side effect to transmit
LOVELY PROFESSIONAL UNIVERSITY 109