lecture 21 overview. what is a trusted system? functional correctness enforcement of integrity...
TRANSCRIPT
![Page 1: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/1.jpg)
Lecture 21 Overview
![Page 2: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/2.jpg)
What is a Trusted System?
• Functional correctness
• Enforcement of integrity
• Limited privilege
• Appropriate confidence level
CS 450/650 Fundamentals of Integrated Computer Security 2
![Page 3: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/3.jpg)
Security Policy
• A security policy is a statement of the security we expect the system to enforce
• A system can be trusted only in relation to its security policy– that is, to the security needs the system is
expected to satisfy
CS 450/650 Lecture 21: Trusted Operating System 3
![Page 4: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/4.jpg)
Military Security policy
Unclassified
Restricted
Confidential
Secret
Top
Secret
CS 450/650 Lecture 21: Trusted Operating System 4
![Page 5: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/5.jpg)
Access to Information
• Information access is limited by the need-to-know rule
• Compartment: Each piece of classified information may be associated with one or more projects called compartments
CS 450/650 Lecture 21: Trusted Operating System 5
Unclassified
Restricted
Confidential
Secret
Top SecretCompartment 1
Compartment 3Compartment 2
![Page 6: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/6.jpg)
Classification & Clearance
• <rank; compartments>– class of a piece of information
• Clearance: an indication that a person is trusted to access information up to a certain level of sensitivity
• <rank; compartments>– clearance of a subject
CS 450/650 Lecture 21: Trusted Operating System 6
![Page 7: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/7.jpg)
Dominance Relation
• We say that s dominates o (or o is dominated by s) if o <= s
For a subject s and an object o,
o <= s if and only if
rank(o) <= rank(s) and
compartments(o) is subset of compartments(s)
• A subject can read an object if the subject dominates the object.
CS 450/650 Lecture 21: Trusted Operating System 7
![Page 8: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/8.jpg)
Models of Security
• Security models are used to– Test a particular policy for completeness and
consistency– Document a policy– Help conceptualize and design an implementation– Check whether an implementation meets the
requirements
CS 450/650 Lecture 21: Trusted Operating System 8
![Page 9: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/9.jpg)
Lattice Model
Upper bound
Lower bound
CS 450/650 Lecture 21: Trusted Operating System 9
![Page 10: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/10.jpg)
Bell-La Padula Model
• Formal description of the allowable paths of information flow in a secure system
• Set of subjects and another set of objects
• Each subject s has a fixed security clearance C(s)• Each object o has a fixed security class C(o)
CS 450/650 Lecture 21: Trusted Operating System 10
![Page 11: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/11.jpg)
Bell-La Padula Model
• Two properties characterize the secure flow of information:
– A subject s may have read access to an object o only if C(o) <= C(s)
– A subject s who has read access to an object o may have write access to an object p only if C(o) <= C(p)• Prevents write-down
CS 450/650 Lecture 21: Trusted Operating System 11
![Page 12: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/12.jpg)
Illustration
o1
s1 o2
o3
s2 o4
o5
Low
High
o5
s2
Object
Subject
CS 450/650 Lecture 21: Trusted Operating System 12
Write
Write
ReadRead
ReadRead
Write
Write
![Page 13: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/13.jpg)
• Command– Conditions and primitive operations
Harrison, Ruzzo, and Ullman Model
S1 S2 S3 O1 O2 O3
S1 control Owner
read
S2 control Owner
Read
write
read Owner
execute
S3 control read read execute
CS 450/650 Lecture 21: Trusted Operating System 13
![Page 14: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/14.jpg)
HRU Model (cont.)• HRU allows state of the protection system to be
changed by a well defined set of commands:– Add subject s to M– Add object o to M– Delete subject s from M– Delete object o from M– Add right r to M[s,o]– Delete right r from M[s,o]– Owner can change rights of an object
CS 450/650 Lecture 21: Trusted Operating System 14
![Page 15: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/15.jpg)
Take Grant Model
• Unlimited number of subjects and objects• States and state transitions• Directed graph
• Four primitive operations:– take– create– grant– revoke
CS 450/650 Lecture 21: Trusted Operating System 15
![Page 16: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/16.jpg)
Take Grant Model (Cont.)
O2
O1O3
S1
S2
S3
read
read
read
execute
execute
Read, write
CS 450/650 Lecture 21: Trusted Operating System 16
![Page 17: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/17.jpg)
Trusted OS Design
• OS is a complex system– difficult to design– Adding the responsibility of security enforcement
makes it even more difficult
• Clear mapping from security requirements to the design
• Design must be checked using formal reviews or simulation
• Requirements design testing
CS 450/650 Lecture 21: Trusted Operating System 17
![Page 18: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/18.jpg)
Security Design Principles
• Least privilege– users, programs, fewest privilege possible
• Economy of mechanism– small, simple, straight forward
• Open design– extensive public scrutiny
• Complete mediation– every attempt must be checked
CS 450/650 Lecture 21: Trusted Operating System 18
![Page 19: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/19.jpg)
Security Design Principles
• Permission based– denial of access is the default
• Separation of privilege– more than one condition
• Least common mechanism– the risk of sharing
• Ease of use– unlikely to be avoided
CS 450/650 Lecture 21: Trusted Operating System 19
![Page 20: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/20.jpg)
OS Functions
CS 450/650 Lecture 21: Trusted Operating System 20
![Page 21: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/21.jpg)
Security features in ordinary OS
• Authentication of users– password comparison
• Protection of memory– user space, paging, segmentations
• File and I/O device access control– access control matrix
• Allocation & access control to general objects– table lookup
CS 450/650 Lecture 21: Trusted Operating System 21
![Page 22: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/22.jpg)
Security features in ordinary OS
• Enforcement of sharing– integrity, consistency
• Fair service– no starvation
• Interprocess communication & synchronization– table lookup
• Protection of OS protection data– encryption, hardware control, isolation
CS 450/650 Lecture 21: Trusted Operating System 22
![Page 23: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/23.jpg)
Trusted OS Functions
CS 450/650 Lecture 21: Trusted Operating System 23
![Page 24: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/24.jpg)
Security features of Trusted OS• Identification and Authentication• Mandatory and Discretionary Access Control• Object reuse protection • Complete mediation (all accesses are checked)• Trusted path • Accountability and Audit (security log)• Audit log reduction• Intrusion detection (patterns of normal system
usages, anomalies)CS 450/650 Lecture 21: Trusted Operating System 24
![Page 25: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/25.jpg)
Lecture 22
Trusted Operating Systems (cont)
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
![Page 26: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/26.jpg)
Kernel
• OS part that performs lowest level functions
User tasks
OS
OS Kernel
Hardware
CS 450/650 Lecture 22: Trusted Operating System 26
![Page 27: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/27.jpg)
Security Kernel• responsible for enforcing security mechanisms of
the entire OS• Coverage– ensure that every access is checked
• Separation– security mechanisms are isolated from the rest of OS
and from user space easier to protect
• Unity– all security mechanisms are performed by a single set
of code easier to trace problemsCS 450/650 Lecture 22: Trusted Operating System 27
![Page 28: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/28.jpg)
Security Kernel
• Modifiability– security mechanism changes are easier to make
and test
• Compactness– relatively small
• Verifiability– formal methods , all situations are covered
CS 450/650 Lecture 22: Trusted Operating System 28
![Page 29: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/29.jpg)
Reference Monitor• portion of a security kernel that controls
accesses to objects• Collection of access controls for– Devices, Files, Memory, Interprocess
communication, Other objects
• It must be– Always invoked when any object is accessed– Small enough
• analysis, testing
– Tamperproof
O
S
O O
SS
Gate
CS 450/650 Lecture 22: Trusted Operating System 29
![Page 30: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/30.jpg)
Trusted Computing Base (TCB)
• Everything in the trusted OS necessary to enforce security policy
• System element on which security enforcement depends:– Hardware• processors, memory, registers, and I/O devices
– Processes• separate and protect security-critical processes
CS 450/650 Lecture 22: Trusted Operating System 30
![Page 31: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/31.jpg)
Trusted Computing Base (TCB)
• System element on which security enforcement depends (cont):– Primitive files• security access control database,
identification/authentication data
– Protected memory• reference monitor can be protected against tampering
– Interprocess communication• e.g., reference monitor can invoke and pass data
securely to audit routine
CS 450/650 Lecture 22: Trusted Operating System 31
![Page 32: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/32.jpg)
TCB and Non-TCB Code
Primitive I/O
Basic Operations
Clocks, timing
Interrupt handling
Hardware:registers memory
Capabilities
Applications
Utilities
User request interpreter
…
Segmentation, paging, memory management
TCB
Non-TCB
CS 450/650 Lecture 22: Trusted Operating System 32
![Page 33: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/33.jpg)
TCB monitors basic interactions
• Process activation
• Execution domain switching
• Memory Protection
• I/O operation
CS 450/650 Lecture 22: Trusted Operating System 33
![Page 34: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/34.jpg)
Combined Security Kernel / OS System
User tasks
OS
OS Kernel
Hardware
Security activity
OS Kernel:
- HW interactions
- Access control
OS:
- Resource allocation
- Sharing
- Access control
- Authentication functionsCS 450/650 Lecture 22: Trusted Operating System 34
![Page 35: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/35.jpg)
Separate Security Kernel
User tasks
OS
Security Kernel
Hardware
Security Kernel:
-Access control
-Authentication functions
OS:
- Resource allocation
- Sharing
- Hardware interactions
CS 450/650 Lecture 22: Trusted Operating System 35
![Page 36: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/36.jpg)
Separation
• Physical Separation
• Temporal Separation
• Cryptographic Separation
• Logical separation (isolation)
CS 450/650 Lecture 22: Trusted Operating System 36
![Page 37: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/37.jpg)
Virtualization
• OS emulates or simulates a collection of a computer system’s resources
• Virtual Machine: Collection of real or simulated hardware facilities– processor, memory, I/O devices
CS 450/650 Lecture 22: Trusted Operating System 37
![Page 38: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/38.jpg)
Virtual machine
Real System ResourcesReal System Resources
Real OSReal OS
Virtual Virtual
MachineMachine
User 1User 1
Virtual Virtual
MachineMachine
User 2User 2
Virtual Virtual
MachineMachine
User 3User 3
CS 450/650 Lecture 22: Trusted Operating System 38
![Page 39: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/39.jpg)
IBM MVS/ESA
• Virtualization is used to provide logical separation that gives the user the impression of physical separation– Each user feels that he/she has a separate
machine
• Paging System– Each user’s virtual memory space can be as large
as the total addressable space
CS 450/650 Lecture 22: Trusted Operating System 39
![Page 40: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/40.jpg)
Layered OS
Hardware
Security functions
Synchronization, allocation
Scheduling, sharing, MM
File system, device allocation
Utility functions
Compilers, database
User processes
OS kernel
Security kernel
OS
CS 450/650 Lecture 22: Trusted Operating System 40
![Page 41: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/41.jpg)
Modules operating in Different Layers
Least trusted code
Most
trusted code
User interface
User ID lookup
Data comparison
Data update
User Authentication moduleCS 450/650 Lecture 22: Trusted Operating System 41
![Page 42: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/42.jpg)
Assurance• Testing– based on the actual product being evaluated,
• not on abstraction
• Verification– each of the system’s functions works correctly
• Validation– developer is building the right product
• according to the specification
CS 450/650 Lecture 22: Trusted Operating System 42
![Page 43: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/43.jpg)
Testing• Observable effects versus internal structure• Can demonstrate existence of a problem, – but passing tests does not imply absence of any
• Hard to achieve adequate test coverage within reasonable time– inputs & internal states
• hard to keep track of all states
• Penetrating Testing– tiger team analysis, ethical hacking
• Team of experts in design of OS tries to crack systemCS 450/650 Lecture 22: Trusted Operating System 43
![Page 44: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/44.jpg)
Formal verification
• The most rigorous method• Rules of mathematical logic to demonstrate
that a system has certain security property
• Proving a Theorem– Time consuming– Complex process
CS 450/650 Lecture 22: Trusted Operating System 44
![Page 45: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/45.jpg)
Entry
min A[1]
i 1
i i + 1
i > n
min < A[i]
min A[i]
Exityes
noyes
no
Example: find minimum
CS 450/650 Lecture 22: Trusted Operating System 45
![Page 46: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/46.jpg)
Finding the minimum value
AssertionsP: n > 0 Q: n > 0 and
1 i n and min A[1]
R: n > 0 and S: n > 0 and1 i n and i = n + 1 and
for all j 1 j i -1 for all j 1 j i -1 min A[j] min A[j]
CS 450/650 Lecture 22: Trusted Operating System 46
![Page 47: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/47.jpg)
Validation
• Requirements checking– system does things it should do• also, system does not do things it is not supposed to do
• Design and code reviews– traceability from each requirement to design and
code components
• System testing– data expected from reading the requirement
document can be confirmed in the actual running of the system
CS 450/650 Lecture 22: Trusted Operating System 47
![Page 48: Lecture 21 Overview. What is a Trusted System? Functional correctness Enforcement of integrity Limited privilege Appropriate confidence level CS 450/650](https://reader035.vdocument.in/reader035/viewer/2022062715/56649d825503460f94a67680/html5/thumbnails/48.jpg)
Evaluation• Review: requirements, design, implementation,
assurance• US “Orange Book” Evaluation – Trusted Computer System Evaluation Criteria (TCSEC)
• European ITSEC Evaluation– Information Technology Security Evaluation Criteria
• US Combined Federal Criteria– 1992 jointly buy NIST and NSA
CS 450/650 Lecture 22: Trusted Operating System 48