CONTENTS OF THIS DIRECTORY
--------------------------

pottinger94.ps:
Pottinger, G. Proof Requirements in the Orange Book: Origins, Implementation, and Implications. Mathematical Sciences Institute, Cornell University, Ithaca, NY, February 11, 1994. A report prepared for NRL under contract N000173-93-P-G934.

The DoD Trusted Computer System Evaluation Criteria, commonly known as the Orange Book, define a method for evaluating computer systems that are intended to enforce security requirements. An evaluated system is placed in one of seven linearly ordered classes, ranging from class D, the lowest, through classes C1, C2, B1, B2, B3, to A1, the highest. To meet the criteria for classes B2 and higher, a system must provide a formal model of the security policy it enforces, and some form of evidence that the implemented system conforms to that model. At the highest level, a formal specification of the Trusted Computing Base is required. This report provides a historical overview of the technical and organizational developments that led to the writing of the Orange Book and examines the effects its proof requirements have had in several different developments. Appendices summarize the evaluation classes, list the publications produced by the National Computer Security Center to date, and document the gradual population of the Evaluated Products List.

The PostScript version of the report should be viewable with Pageview and is formatted for two-sided printing. Printing it on a single-sided printer will produce a master that is suitable for generating two-sided copies.

--------------------

SP-prelimCFP95.tex:
Preliminary Call For Papers for the 1995 IEEE Symposium for Research in Security and Privacy. LaTeX format.

--------------------

mclean-sp94.ps:
McLean, J. "A General Theory of Composition for Trace Sets Closed Under Selective Interleaving Functions," Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy, IEEE Press, 1994.

--------------------

ITCSEC.ps:
Contains the 12 January 1995 version of the Interpreted TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA Requirements. From the Introduction:

This document has been created to provide clarification of the requirements as stated in the TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA (TCSEC). The TCSEC was created many years ago and attempted, in most cases, to provide general statements of security-related criteria. But in its years of application, evaluators and users have found that the types of systems being evaluated have evolved from the example systems the TCSEC was based on (e.g., from mainframes to workstations), that the general criteria are sometimes difficult to apply to a specific situation, and that, occasionally, criteria are missing or not correct. To improve this situation, the National Security Agency (NSA) produces interpretations of the TCSEC. Some major interpretations are for technology that was not sufficiently addressed in the TCSEC, such as networks (TRUSTED NETWORK INTERPRETATION (TNI)) and database management systems (TRUSTED DATABASE MANAGEMENT SYSTEM INTERPRETATION (TDI)). This document, by contrast, contains interpretations resulting from specific questions raised during evaluations, and attempts to build a body of "case law" by addressing system-specific clarifications rather than providing general, all-encompassing interpretations.

--------------------

PATdesign.ps:
Contains the May 1994 version of the Process Action Team (PAT) Guidance Working Group document, "Form and Content of Vendor Design Documentation." From the document's Introduction:

The Trusted Product Evaluation Program (TPEP) evaluation process for products in the lower assurance classes (C2-B1) separates design advice for security features from actual evaluation of a trusted product. The purpose of this report is to specify the form and content of the vendor design documentation that is required before an evaluation can begin. The requirements for vendor design documentation are based on the Trusted Computer System Evaluation Criteria (TCSEC) and accumulated evaluation experience. The design documentation requirements detailed here are intended to make it easier for standard vendor design documentation to be used for evaluation purposes. The new approach requires summary documents (defined below) that provide a "roadmap" to the architecture, interfaces, and protection features of the product. [...] The specific information in this document concerns evaluation of operating systems at the C2 and B1 levels.

--------------------

PATtest.ps:
Contains the May 1994 version of the Process Action Team (PAT) Guidance Working Group document, "Form and Content of Vendor Test Documentation." From the document's Introduction:

This document discusses security testing and related documentation required for the Trusted Computer System Evaluation Criteria (TCSEC) evaluation process for C2-B1 candidate systems. This document describes each of the required documents; provides a suggested methodology for creating the test documentation; and discusses issues related to security testing, such as recommended Trusted Computing Base (TCB) coverage, the security test suite and test tools, test evidence, and evaluation team testing. Testing activities in the evaluation process itself are discussed in appendix A. This document provides specific recommendations for operating systems. Guidance concerning higher assurance systems and other topics, including networks and databases, will be developed later. The general information in this document should be useful for evaluations of all types.