






Trusted Database Management  System Interpretation




Trusted Database Management  System Interpretation



NCSC-TG-021


Library


No.  S235,625
FOREWORD



The National Computer Security Center is issuing the Trusted Database
Management  System Interpretation as part of the Technical Guidelines
Program, through which we produce the "Rainbow Series."


In  the  Rainbow  Series, we discuss in detail  the features of
the Trusted Computer  System Evaluation Criteria (DoD 5200.28-STD)
and provide  guidance for meeting each requirement.   The   National
 Computer Security Center, through its Trusted Product Evaluation
Program, analyzes the security features of commercially produced
 and  supported  computer  systems.  Together, these programs
ensure that organizations are capable of protecting their  important
data with  trusted computer systems.


The   Trusted   Database   Management  System Interpretation 
extends the  evaluation classes  of the Trusted Computer System
 Evaluation Criteria to trusted applications   in  general,  and
  database  management systems in particular.  It serves  as an
adjunct to the Trusted   Computer   System   Evaluation   Criteria
 by providing a technical context  for the consideration of entire
systems  constructed of parts and  by presenting database-specific
interpretation of topics that require direct comment.   Thus,
it is relevant  to applications which   support  sharing   of
 computer   services  and resources, and  which enforce access
 control policies. More  specifically, it  provides insight  into
the  the design,  implementation, evaluation,  and accreditation
of database management systems.


This document  will be used for  at least one year after  the
date of signature.   During this period the  NCSC  will  gain
  experience  using  the  Trusted Database  Management Systems
Interpretation  in several evaluations and continue to  receive
comments on issues of  technical  accuracy,  clarity  of  exposition,
 and utility.   After this  trial period,  necessary changes will
be made and a revised version issued.


PATRICK  R. GALLAGHER,  JR.


April   1991 


Director National Computer Security Center
ACKNOWLEDGMENTS



This document represents  the combined effort of participants
from  the research community, industry, and government working
over several years.  Three major drafts   and   numerous   intermediary
  versions  were produced,  reviewed, and  commented upon.   To
name all the contributors would be  impossible.  To single out
a few  would  be  to  slight  a  host  of others who gave unstintingly
 of their time  and talent.  To  all those who  contributed to
 the development  and refinement of the   fundamental   concepts,
   contributed   to   the development  of the  several predecessor
 versions, and who contributed  valuable personal time  and invaluable
experience in reviewing and  commenting on the previous versions,
thanks is extended.
TABLE OF CONTENTS



          FOREWORD       i


 ACKNOWLEDGMENTS      iii


 INTRODUCTION      1


           HISTORICAL PERSPECTIVE    1


                    SCOPE     2


                    PURPOSE      2


                    STRUCTURE OF THE DOCUMENT    4


          PART 1 TECHNICAL CONTEXT     7


                    TC-1 INTRODUCTION     9


                    TC-2 REFERENCE MONITOR PERSPECTIVE   10


                    TC-3 NEED FOR EVALUATION BY PARTS   11


                    TC-4 TCB SUBSETS     11


                    TC-4.1 INTRODUCTION    12


                    TC-4.2 TCB SUBSETS CONTEXT    13


                    TC-4.2.1 DEFINITION OF TCB SUBSETS   13


                    TC-4.2.2 MOTIVATION    13


                    TC-4.3 CONDITIONS FOR EVALUATION BY PARTS
 14


                    TC-4.3.1 CANDIDATE TCB SUBSETS   14


                    TC-4.3.2 POLICY ALLOCATION    15


                    TC-4.3.3 TRUSTED SUBJECTS INCLUDED   15


                    TC-4.3.4 TCB SUBSET STRUCTURE   15


                    TC-4.3.5 SEPARATE SUBSET-DOMAINS   16


                    TC-4.3.6 SUPPORT FOR RVM ARGUMENTS   16


                    TC-4.4 EVALUATION ALTERNATIVES   17


                    TC-5 GENERAL INTERPRETED REQUIREMENTS   18


                    TC-5.1 OVERVIEW     18


                    TC-5.2 DETAILED REQUIREMENTS    18


                    TC-5.2.1 SECURITY POLICY    18


                    TC-5.2.1.1 Discretionary Access Control  18


                    TC-5.2.1.2 Object Reuse    18


                    TC-5.2.1.3 Labels     19


                    TC-5.2.1.4 Mandatory Access Control   20


                    TC-5.2.2 ACCOUNTABILITY    20


                    TC-5.2.2.1 Identification  and Authentication
    20


                    TC-5.2.2.2 Audit     21


                    TC-5.2.3 ASSURANCE     22


                    TC-5.2.3.1 Operational Assurance   22


                    TC-5.2.3.2 Life-Cycle Assurance   23


                    TC-5.2.4 DOCUMENTATION    24


                    TC-5.2.4.1 Security Features User's Guide
 24


                    TC-5.2.4.2 Trusted Facility Manual   25


                    TC-5.2.4.3 Test Documentation   26


                    TC-5.2.4.4 Design Documentation   26


                    TC-5.3 SUMMARY OF THE REQUIREMENTS   26


                    TC-5.3.1 LOCAL REQUIREMENTS    26


                    TC-5.3.2 GLOBAL REQUIREMENTS    27


                    TC-6 DESIGN CHOICES    28


                    TC-6.1 OVERVIEW     28


                    TC-6.2 A SINGLE TCB SUBSET    28


  TC-6.2.1 ANALYSIS OF THE CONDITIONS   28


                    TC-6.2.1.1 Condition 1: Candidate TCB Subsets
 28


                    TC-6.2.1.2 Condition 2: Policy Allocation
 29


TC-6.2.1.3 Condition 3: Trusted Subjects Included 29


                    TC-6.2.1.4 Condition 4: TCB Subset Structure
     29


                    TC-6.2.1.5 Condition 5: Separate Subset-Domains
  29


TC-6.2.1.6 Condition 6: Support for RVM Arguments 29


                    TC-6.2.2 EVALUATION CONSEQUENCES   29


                    TC-6.3 TWO TCB SUBSETS,MEETING THE CONDITIONS
 30


                    TC-6.3.1 ANALYSIS OF THE CONDITIONS   30


                    TC-6.3.1.1 Condition 1: Candidate TCB Subsets
 30


                    TC-6.3.1.2 Condition 2: Policy Allocation
 31


TC-6.3.1.3 Condition 3: Trusted Subjects Included 31


                    TC-6.3.1.4 Condition 4: TCB Subset Structure
     31


                    TC-6.3.1.5 Condition 5: Separate Subset-Domains
 31


TC-6.3.1.6 Condition 6: Support for RVM Arguments 31


TC-6.3.2 EVALUATION CONSEQUENCES   32


TC-6.4 TWO TCB SUBSETS, NOT MEETING THE CONDITIONS 33


                    TC-6.4.1 ANALYSIS OF THE CONDITIONS   34


                    TC-6.4.1.1 Condition 1:  Candidate TCB Subsets
 34


                    TC-6.4.1.2 Condition 2:  Policy Allocation
 34


TC-6.4.1.3 Condition 3:  Trusted Subjects Included 34


                    TC-6.4.1.4 Condition 4:  TCB Subset Structure
    35


                    TC-6.4.1.5 Condition 5:  Separate Subset-Domains
 35


TC-6.4.1.6 Condition 6:  Support for RVM Arguments 35


                    TC-6.4.2 EVALUATION CONSEQUENCES   35


                    TC-6.5 SUMMARY     36


          PART 2 INTERPRETED REQUIREMENTS    37


                    IR-1 OVERVIEW AND CONTEXT    39


                    IR-2 SUMMARY OF THE INTERPRETATIONS   39


                    IR-2.1 SECURITY POLICY    39


                    IR-2.1.1 DISCRETIONARY ACCESS CONTROL   39


                    IR-2.1.2 OBJECT REUSE    40


                    IR-2.1.3 LABELS     40


                    IR-2.1.4 MANDATORY ACCESS CONTROL   40


                    IR-2.2 ACCOUNTABILITY    40


                    IR-2.2.1 IDENTIFICATION AND AUTHENTICATION
 40


                    IR-2.2.2 AUDIT     40


                    IR-2.3 ASSURANCE     40


                    IR-2.3.1 OPERATIONAL ASSURANCE   40


                    IR-2.3.1.1 System Architecture   40


                    IR-2.3.1.2 System Integrity    40


                    IR-2.3.1.3 Covert Channel Analysis   41


                    IR-2.3.1.4 Trusted Facility Management   41


                    IR-2.3.1.5 Trusted Recovery    41


                    IR-2.3.2 LIFE CYCLE ASSURANCE   41


                    IR-2.3.2.1 Security Testing    41


IR-2.3.2.2 Design Specification and Verification  41


                    IR-2.3.2.3 Configuration Management   41


                    IR-2.3.2.4 Trusted Distribution   41


                    IR-2.4 DOCUMENTATION    42


                    IR-2.4.1 SECURITY FEATURES USER'S GUIDE  42


                    IR-2.4.2 TRUSTED FACILITY MANUAL   42


                    IR-2.4.3 TEST DOCUMENTATION    42


                    IR-2.4.4 DESIGN DOCUMENTATION   42


                    IR-3 LABELS     42


                    IR-3.1 GENERAL DISCUSSION    42


                    IR-3.2 SPECIFIC INTERPRETATIONS   43


                    IR-4 AUDIT     44


                    IR-4.1 GENERAL DISCUSSION    44


                    IR-4.2 SPECIFIC INTERPRETATIONS   45


                    IR-5 SYSTEM ARCHITECTURE    47


                    IR-5.1 GENERAL DISCUSSION    47


                    IR-5.2 SPECIFIC INTERPRETATIONS   47


                    IR-6 DESIGN SPECIFICATION AND VERIFICATION
 48


                    IR-6.1 GENERAL DISCUSSION    48


                    IR-6.2 SPECIFIC INTERPRETATIONS   52


                    IR-7 DESIGN DOCUMENTATION    55


                    IR-7.1 GENERAL DISCUSSION    55


                    IR-7.2 SPECIFIC INTERPRETATIONS   56


          APPENDIX A      59


                    CLASS (C1):      62


                    C1-1 SECURITY POLICY    62


                    C1-2 ACCOUNTABILITY    62


                    C1-3 ASSURANCE     62


                    C1-4 DOCUMENTATION     63


                    CLASS (C2):      66


                    C2-1 SECURITY POLICY    66


                    C2-2 ACCOUNTABILITY    66


                    C2-3 ASSURANCE     67


                    C2-4 DOCUMENTATION     68


                    CLASS (B1):      70


                    B1-1 SECURITY POLICY    70


                    B1-2 ACCOUNTABILITY    71


                    B1-3 ASSURANCE     73


                    B1-4 DOCUMENTATION     74


                    CLASS (B2):      77


B2-1 SECURITY POLICY    77


                    B2-2 ACCOUNTABILITY    79


                    B2-3 ASSURANCE     81


                    B2-4 DOCUMENTATION     85


                    CLASS (B3):      89


                    B3-1 SECURITY POLICY    89


                    B3-2 ACCOUNTABILITY    91


                    B3-3 ASSURANCE     93


                    B3-4 DOCUMENTATION     98


                    CLASS (A1):      102


                    A1-1 SECURITY POLICY    102


  A1-2 ACCOUNTABILITY    104


                    A1-3 ASSURANCE     106


                    A1-4 DOCUMENTATION     112


          APPENDIX B      117


                    1.  PERSPECTIVE ON ASSURANCE    119


                    2.  PROCUREMENT OPTIONS    120


                    3.  ALTERATION OF PREVIOUSLY EVALUATED TCB
       122


                    4.  SATISFYING RVM REQUIREMENTS   125


                    5.  SUBSET DEPENDENCY    127


                    6.  TAMPER RESISTANCE ARGUMENTS   131


                    7.  RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS
 132


                    8   CONTENT-DEPENDENT AND  CONTEXT-DEPENDENT


            ACCESS CONTROL    136


                    9.  BULK LOADING OF A DATABASE   137


                    10.  LOCAL ANALYSIS IN SYSTEM ASSESSMENT 
137


                    11.  RATING MORE COMPLEX SYSTEMS   139


          GLOSSARY       141


          BIBLIOGRAPHY      145
INTRODUCTION

HISTORICAL PERSPECTIVE



The  Department  of  Defense  Trusted  Computer System Evaluation
 Criteria  (TCSEC),  published  in  1983  as CSC-STD-001-83, consolidates
knowledge about the degree of trust one can place  in a computer
system to protect sensitive information and organizes this knowledge
into usable criteria  for system evaluation.  The  TCSEC was republished
 as  a  DoD  standard,  DoD-5200.28-STD, in December 1985 to provide
a means of evaluating specific security features and assurances
available in "trusted, commercially available automatic data
processing system  The  TCSEC's  rating  scale  extends  from
 a minimal to a high level of trust with advanced security features
  and    sophisticated   assurance   measures.  Specific criteria
determine each rating level and guide system builders and evaluators
in determining the level of trust provided by specific systems.
 When the rating levels are  combined with environmental  guidelines
and minimum security protection requirements, accreditation decisions
for specific installations can be made.


The philosophy of  protection embodied in the TCSEC  requires
 that  the  access  of  subjects (i.e., processes in a domain)
 to objects (i.e., containers of information) be mediated in accordance
with an explicit and  well-defined  security   policy.   At  the
 higher criteria classes,  the "reference monitor  concept"
[1] is  an essential  part of  the system  and the security policy
is  modeled.  There are several  security policy models  that
 represent  the   desired  behavior  of  a reference monitor.
 The Bell-La  Padula model [4-6] and its Multics  interpretation
[3] are commonly  used, but not mandated.


The    computer    security    research   and development that
 underpin the TCSEC began  in the late 1960s and concentrated
on secure operating systems.  By the early 1970s initial  worked
examples had provided a substantial amount of  information about
building trust into operating systems.   Research continued throughout
 the   1970s  to    refine  mechanisms,   features,  and assurances
needed to provide trusted operating systems.


Multilevel   database   management   security received  far less
 research and  development attention than did secure operating
 systems.  This was primarily due  to  the  perception  that 
one  could not credibly implement  a  multilevel   secure  database
 management system (DBMS)  on top of an  untrusted operating system
base.   However,  some  research  in  multilevel secure DBMSs
 (mostly theoretical)   was conducted  during the 1970s  [15-16],
 and  research  has  continued  to  the present  [9-14, 17-19,
22,  25-28].  By the  mid 1980s, commercially developed, trusted
 operating systems were becoming  available that  could provide
 the basis  for hosting secure  applications such as  multilevel
secure DBMSs.


In June 1986,  the National Computer Security Center  (NCSC) 
initiated  its  efforts  to address the


evaluation of trusted  database management systems with an Invitational
 Workshop  in Baltimore,  Maryland.  Representatives  from  the
 research, commercial, and  government communities met  to address
issues of database  management security.  The met to discuss aspects
of  trust (defined by the that  were  sufficiently  well  defined
 and capable producing  repeatable and  objective assessments.
  The NCSC  invited issue  papers and  prepared a agenda.    The
 issue   papers  and   the  subcommittee summaries  were  published
 as  the  Proceedings of the National Computer Security Center
Invitational Workshop on Database Security [20].


As  an outgrowth  of this  workshop, the NCSC undertook the  task
of preparing this  Trusted Database Management System Interpretation
(TDI)  of the TCSEC to focus  on  the  special  problems  posed
 by  DBMSs.  A working group was assembled to draft this Interpretation.
 Three drafts were produced, with extensive community review and
public discussion.  This Interpretation is the result  of the
interaction within the general  computer security and  database
management communities.
SCOPE



The  interpretations  in  this  document  are intended  to  be
 used  in  conjunction  with the TCSEC itself;  they  apply  to
 application-oriented software systems  in general,   and database
 management systems (DBMSs)  in particular.  Although  the interpretations,
as noted,  are general enough to apply  to any software system
 which  supports  sharing  and  needs to enforce access  control
(e.g., transaction  processing systems, electronic   mail   systems),
  in   the   interest  of simplicity, the  discussion, and thus
 the terminology, will be directed toward DBMSs.


The   interpretations  are  intended   to  be applied  primarily
 to  commercially  developed trusted DBMSs,  but can  also be
 applied to  the evaluation of existing non-commercial DBMSs 
and to the specification of security requirements for DBMS acquisitions.
PURPOSE



This  Interpretation of   the TCSEC  has been prepared for the
following purposes:  


 To provide a  standard to manufacturers for security features
to build into  their new and  planned commercial products in order
to provide widely available systems that satisfy trust requirements
(with  particular emphasis on  preventing the disclosure of data)
for sensitive applications, 


 To  provide a  metric with  which to evaluate the degree
of trust that can be placed in computer systems for the secure
processing of classified and other sensitive information, and



 To provide a  basis for specifying security requirements
in acquisition specifications.


With  respect  to   the  second  purpose  for development of the
criteria, i.e., providing a security evaluation metric,  evaluations
can be  delineated into two  types:  (1)  evaluations performed
 on a  computer product   from   a   perspective   that   excludes
 the application environment; or,  (2) evaluations to assess whether
appropriate  security measures have  been taken to  permit the
 system to  be used  operationally in  a specific environment.
 The former type of evaluation is done  by the  National Computer
 Security Center (NCSC) through the  Trusted Product Evaluation
Program  and is called "formal product evaluation."


The latter  type of evaluation, that  is, one done for  the purpose
of assessing  a system's security attributes  with  respect  to
 a  specific  operational mission, is  known as a "certification
 evaluation."  A formal   product   evaluation   does   not
  constitute certification  or accreditation  for the  system
to  be used  in  any  specific  application  environment.  The
system   security   certification    and   the   formal approval/accreditation
 procedure,  done  in accordance with the  applicable policies
of the  issuing agencies, must still be followed before  a system
can be approved  for use  in processing  or  handling sensitive
or classified    information. Designated Approving Authorities
 (DAAs) remain  ultimately responsible  for specifying the security
of systems they The  TCSEC and   this Interpretation  will be
used  directly  and  indirectly  in  the  certification process.
  Along with  applicable policy,  they will be used directly 
as technical guidance for  evaluation of the total system and
for specifying system security and certification requirements
for new acquisitions.  Where a  system being  evaluated for  certification
employs a product that has undergone a formal product evaluation,
reports from that process will  be used as input to the certification
  evaluation.   Moreover,   the  National Security Agency plans
 to publish additional guidelines to  assist certifiers  and help
 ensure consistency  in certifications of systems  processing
national security informantion.
STRUCTURE OF THE DOCUMENT



The remainder of the  TDI is divided into two parts, plus two
appendices and a glossary.


PART 1, TECHNICAL CONTEXT, "presents general information
 about the   evaluation of  trusted systems that are constructed
of several parts.  This discussion is  critical  to  trusted 
 DBMSs  built  upon  trusted operating  systems, but is  not limited
to  DBMSs only.  It is included  in the TDI because it  is not
currently available in  any previously published  document.  This
section reviews the  central reference monitor concept, explains
 the  need  to  evaluate  a  system  built  of well-defined  parts,
and  develops the  concept of  TCB subsets.   TCB subsets  provide
 a  way of  splitting a total TCB  along access control policy
 lines such that an  evaluation  by  parts  can  be  undertaken.
 PART 1 concludes  with   an  interpretation  of   those  TCSEC
requirements  which are  relevant to  an evaluation  by parts,
and  a description of the  process of evaluation by parts.


PART 2, INTERPRETED REQUIREMENTS, "provides interpretions
 of  those  TCSEC  requirements  that are either specific to DBMSs
 (or applications in general), or are  particularly relevant to
DBMSs.   The number of requirements that are  treated explicitly
is relatively small, because many of  the TCSEC requirements apply
as stated    to   database   management    systems.    The requirements
 treated  explicitly  are  labels,  audit, system    architecture,
  design    specification   and verification, and design documentation.


Appendix   A   summarizes   the   interpreted requirements  for
each TCSEC  class and is  intended to provide an easy reference
for those requiring a listing of  requirements  for  a  specific
 class  (e.g.,  B2).  Appendix  B provides  discussion of  several
topics not directly  tied to  the requirements  levied on  trusted
DBMSs by the interpretation of the TCSEC requirements.


The  TDI  proper  will  be  supplemented by a Companion Document
Series (CDS).   The CDS will address a wide spectrum of issues
 related to trusted DBMSs but which are beyond the scope of this
document.  Community debate about on-going topics  of interest
will probably result  in gradual  extensions of  what is  known
about trusted DBMSs.  Thus, volumes in the CDS will be issued
both regularly (to document  the state of the community debate)
 and by exception  (to record new  problems and new solutions).
PART 1 TECHNICAL CONTEXT

TC-1 INTRODUCTION



Modern computing systems are rarely conceived and built  by a
single organization.   Rather, the rule is   that  systems   
are  constructed   by  assembling  parts?hardware,    firmware,
  and    software?produced independently  by  various  organizations
 or  vendors.


This fact introduces a  fundamental difficulty into the task 
of evaluating a  "system" for conformance  to the trust
 requirements  of  the  Trusted  Computer  System Evaluation Criteria
(TCSEC).  [8] This difficulty stems from the  fact that assessment
(either  evaluation of a product or certification of  a system)
entails a global perspective of  the entire system  under consideration.
 There are not yet  widely accepted methods of factoring the 
various aspects  of  a  trust assessment  and then reassembling
 the results  into a  statement about  the whole.


These conflicting  perspectives of  local production and global
 evaluation analysis are particularly evident  in the field of
database management, but  they are by  no means limited  to that
field.   Thus the   publication of  this Interpretation requires
 consideration  of  how  to  deal with systems built in parts
in the absence of a general treatment of the  topic.  On  the
other  hand, any  treatment of the issue  in the  context of 
trusted database  management will have  significant influence
in other  fields where the  same or  similar problems  arise,
just  because of community  review and  NCSC publication.   The
approach taken  in this  document is  to address  the issues 
of evaluating  systems built  of parts  in a  way that  is independent
  of   the   field   of   trusted  database management.  This
 conscious attitude of  generality is intended  to  make  clear
 the  distinction between the larger  system-of-parts issues 
 and the  more specific DBMS issues.


PART 1, "TECHNICAL  CONTEXT," is divided into six sections.
 Section TC-2,  "Reference Monitor Perspective,"  summarizes
 the  role  of  the reference monitor concept in both the  TCSEC
and the assessing of a system for its  trust characteristics.
 Section TC-3, "Need for Evaluation by Parts,"  deals
with the need to extend  the reference  monitor perspective  slightly
to begin to address the  evaluation of systems constructed of
separate parts.  Section TC-4, "TCB Subsets," is the
heart   of   PART   1.    That   section  introduces  a conservative
 extension  to  the  reference  validation mechanism,  TCB subsets.
  This extension  provides the basis for being able to undertake
evaluation of systems built in parts in a way that  allows re-use
 of the results of separate evaluations   (whether  those evaluations
were performed before the current evaluation was begun or whether
the separate evaluations overlap  in time).  Section  TC-5, "General
Interpreted Requirements," outlines  the application of the
TCSEC  requirements to individual TCB  subsets when an  evaluation
by parts  is being done.   Section TC-6, "Design  Choices"
 describes  the  general  process  of applying  TCB subsets  and
meeting  the conditions  for evaluation by parts.  The  treatment
in this section is general and not limited  to DBMSs; DBMS-specific
issues are discussed in the appendices.
TC-2 REFERENCE MONITOR PERSPECTIVE



Building   or   evaluating   a   system   for compliance with
the requirements  of a particular class in the TCSEC is based
on the perspective of the Trusted Computing Base (TCB).  The notion
of the TCB is central to the  entire concept of assessing  systems
for trust.  The reference monitor described  in the Anderson report
[1] is the  basis of the notion of a  TCB, as described in the
TCSEC:


For  convenience,  these  evaluation criteria use  the term  Trusted
Computing  Base to  refer to the reference  validation  mechanism,
beit a security kernel,  front-end  security   filter, or the
entire trusted computer system.  [8, p.  67]  Even in those lower
 classes (below B2) where the reference monitor  concept and reference
validation mechanisms are not mentioned explicitly, the perspective
of the reference monitor and its implementation as  a reference
validation  mechanism is present. Specifically, there  are requirements
for (1) identifying the policy  being enforced, (2) identifying
subjects and  objects, (3) providing evidence  that the operation
of the reference validation mechanism matches the high-level 
description of the user  interface, and (4) demonstrating isolation
of the TCB.


Therefore,  all TCSEC  evaluations share  the initial conceptual
 steps of identifying  the mediation policy, the subjects, and
the objects.  Starting from a global  system  perspective,  the
 initial  step  is to identify  the  access  mediation  policy
 that  will be enforced.  One  must then identify those  active
system entities that  are candidates for being  the "subjects"
whose   access  to   objects  the   TCB  will  mediate.  Similarly,
 one must  identify those  passive entities, those data repositories,
that  are candidates for being the "objects," access
to which the TCB will mediate.


As usual, the existence of an abstraction within a system does
not make it necessarily  a reference-monitor object, i.e., one
 visible at the TCB interface.  This  is because the  TCB will
make  use of system abstractions for both its internal processes
and its storage requirements.   Those entities, while being stored
 in system "objects,"  will not be  available to untrusted
processes (that is,  they are not exported by the TCB).   Thus
the analytical, iterative  step is the separation of candidate
subjects and objects into those that are mediated by the TCB and
those that are not.


The various trust classes include requirements,  at varying  
levels of  completeness and rigor, that the basic  reference monitor
perspective of mediating access of subjects  to objects be implemented
in  a  correct,   self-protecting,  and  non-bypassable manner.
  The core  requirements of  the TCSEC  classes focus  on  these
 reference  monitor  imperatives.  The increasingly  strict requirements
 for visibility  into the   system  design  and   implementation
 (structure, documentation, testing, configuration, and distribution
requirements)  all support  the notion  of checking the system's
 conformance  to  its  identified  intent with regard to the subjects,
objects, and policy.
TC-3 NEED FOR EVALUATION BY PARTS



The need  to be able to  evaluate and certify systems built  in
parts is increasingly  evident.  This need is seen in a variety
of contexts:


The  need to  evaluate and  certify systems built  out  of  parts
 sold  by  different  vendors,  a situation especially prevalent
in  the field of trusted DBMSs.


The  need to   re-assess systems  that have undergone either small-
or large-scale improvements and are  already  evaluated  and 
placed  on  the Evaluated Products List (EPL).


The general problem of "families of systems," systems
that exist  on a spectrum of hardware bases or  that can be customized
for  a user's specific needs.


In all such cases,  two related versions of a system are  largely
similar.  It should  be possible to undertake evaluations and
certifications  in such a way that the entire assessment does
 not have to be re-done for every  slight variation that appears.
  The current state  of technology,   however, places  limitations
on what  can be  accomplished in  this regard;  it is  not currently
possible to determine the trust characteristics  of  a  system
  on  the  basis  of  an arbitrary collection of subparts.   The
overall task of trust assessment entails  so many interrelated
subtasks that the ability to separate and reassemble is not well
understood.


In this circumstance of needing to be able to accommodate evaluation
 of a system built  in parts and the lack of  consensus about
how this can be  done in a technically sound fashion, a conservative
approach must be adopted.   The following are required:   (1)
a clear description  of  what  "parts"  will  be considered
for separate  evaluation; (2)  a clear  description of  the conditions
under which such an evaluation by parts will be  undertaken; 
and  (3)  a  general interpretation of TCSEC requirements as they
would apply when a system is being  evaluated by  parts.  The
 "parts" that  will be considered  by  separate  evaluation
 are  called  "TCB subsets," the topic of Section TC-4
below.
TC-4 TCB SUBSETS

TC-4.1 INTRODUCTION



To  attempt   an  evaluation  of  a   TCB  by splitting  it into
 parts,  there  must be  available a precise  definition of  what
parts  are candidates  for separate evaluation (that is,  for
evaluation by parts) as well as any other  conditions that must
be satisfied before an evaluation by parts will be undertaken.
 This section   defines  "TCB   subset"  as   a  strict
  and conservative  extension of  the traditional  concept of
the reference validation mechanism (RVM) as a method of delineating
which parts of a  TCB can be candidates for separate evaluation.
 The definition of TCB subsets, as well  as  explanatory  and
 motivational  material,  is included   below  in   Section  TC-4.2,
  "TCB  Subsets Context."  Section TC-4.3 addresses
the conditions that must be  satisfied by a TCB  divided into
a set  of TCB subsets before evaluation by  parts will be undertaken.
 These  conditions  assure  that  the  structure  of and relationships
 among  TCB  subsets  will  satisfy TCSEC requirements,   especially
 those   derived  from   the reference monitor concept.
TC-4.2 TCB SUBSETS CONTEXT

TC-4.2.1 DEFINITION OF TCB SUBSETS



A  TCB  subset  M  is  a  set  of  software, firmware, and hardware
(where  any of these three could be  absent) that  mediates the
  access of  a set  S of subjects to a set O of objects on the
basis of a stated access control policy P and satisfies the properties:

  1) M mediates every access to objects in O by subjects in
S;
  2) M is tamper resistant; and
  3) M  is  small  enough  to  be  subject  to analysis  and
tests, the  completeness of which  can be assured.






   M uses resources provided  by an explicit set of more primitive
TCB subsets  to create the objects of O, create  and manage its
data  structures, and enforce the  policy  P.   If  there  are
 no  TCB  subsets more primitive than  M, then M uses  only hardware
resources to  instantiate its objects,  to create and  manage
its own data structures, and to enforce its policy.
   The  above  definition  does  not  explicitly prohibit an
access control policy P that allows trusted subjects.  The implications
 for the evaluation process when  a TCB  subset's policy  allows
or  does not allow such trusted subjects are substantial and are
discussed in Section TC-6.4.  As described  in TC-4.3, one of
the conditions for an evaluation by  parts of a TCB made up of
TCB subsets is that all the trusted subjects of each TCB subset
be included in that TCB subset.
   





TC-4.2.2 MOTIVATION



The definition of "TCB subset" is intended to parallel
the  definitions of the reference  monitor and reference  validation
mechanism  found in  the Anderson report [1] and included in the
TCSEC itself.  "The term Trusted  Computing  Base   [refers]
 to  the  reference validation mechanism, be  it security kernel,
front-end security  filter,   or  the  entire   trusted  computer
system."  [8,  p.  67] "TCB subset"  is defined
exactly like  a reference  validation mechanism,  with only one
difference, that it does  not necessarily extend to the hardware.
  Rather, a  TCB subset  uses either hardware resources  or  the
 resources  provided  by other, more primitive  TCB  subsets.
  Thus  TCB  subsets  build on abstract machines, either physical
hardware machines or other  TCB  subsets.   Just  like  reference
validation mechanisms, a TCB subset  must enforce a defined access
control policy.
TC-4.3 CONDITIONS FOR EVALUATION BY PARTS



Building  or evaluating   a system  using the definition of TCB
subsets in the section above requires meeting  six conditions
  in addition  to demonstrating that the  candidate TCB subsets
satisfy  the properties appropriate  to  the   evaluation  target
 class.   The conditions are as follows:


The   candidate  TCB   subsets  are identified;


The  system policy is  allocated to the candidate TCB subsets;


Each candidateTCB subset M[i] includes all the trusted subjects
  with   respect   to its technical policies P[i];


The   TCB   subset   structure   or architecture is explicitly
described;


Each  TCB subset  occupies distinct subset-domains; and


The  more   primitive  TCB  subsets provide support for the RVM
arguments  for  less  primitve  TCB subsets.


These conditions are described below.
TC-4.3.1 CANDIDATE TCB SUBSETS



The  first  condition  is  that  the relevant elements   of  each
  candidate  TCB   subset  M[i]  be identified.  The hardware,
firmware, and software which compose the  TCB subset need to 
be clearly identified, along  with  the  subjects  and  objects.
  In terms of Section TC-4.2.1, this  condition is the identification
of  M[i], S[i],  and O[i].    There may  be no  objects mediated
by  more than one TCB subset.   That is, there cannot be an object
O that is both in O[i] and O[j].
TC-4.3.2 POLICY ALLOCATION



The next condition  is policy allocation, the description  of
 the  technical  policy  P[i]  for each identified  M[i]  along
 with  the  relation  of  these policies  to the  system policy
 P.  The  policies P[i] will  be expressed  in terms  of subjects
 in S[i]  and objects   in  O[i].    Thus,  to   satisfy  the
  TCSEC requirement that the (composite) TCB enforce its stated
policy P, each rule in  P must be traceable through the structure
 of  the  candidate  TCB  subsets  to the TCB subset(s) where
that  enforcement occurs.  See Sections TC-5.2.1.1 and TC-5.2.1.4.
TC-4.3.3 TRUSTED SUBJECTS INCLUDED



Every  trusted subject  with respect  to P[i] must be  part of
the  TCB subset M[i].   This condition makes possible separate
evaluation  of TCB subsets with respect to  "local"
requirements.  When  this condition is not met, evaluation  of
candidate TCB subsets cannot be  guaranteed on an  evaluation
by parts  basis.  This situation is treated in Section 6.4.
TC-4.3.4 TCB SUBSET STRUCTURE



The  TCB  subsets  will  exhibit  a structure based  on  the 
ordering  implied  by  dependency.  TCB subset A is  less primitive
than TCB subset B  if (a) A directly  depends on B  or (b) a 
chain of TCB  subsets from A to B exists such  that each element
of the chain directly  depends on  its successor  in the  chain.
 In this  case we  use the   phrase "TCB  subset B  is more
primitive than TCB subset A" synonymously.


The  sense  of  "directly  depend"  in (a) is exactly
 the following: it is not possible to verify the implementation
of A with respect to its specification without a statement about
the specification of B.


More precisely, for a candidate TCB subset M, let sM denote the
specification of M.  The specification will include, as a minimum,
the statement of the technical policy P of M.  Further, let vM
denote the (engineering) demonstrations of the correctimplementation
of M with  respect to its specification.


A (candidate) TCB subset A depends (for its correctness)"
on  (candidate) TCB subset B  if and only if the arguments of
vA  assume, wholly or in part, that sB has been implemented correctly.
 (See Appendix B, item 5 for additional discussion.)


The proposed structure of  TCB subsets has to be identified. 
The order must  be a  partial order. (Without  a  partial  order,
 there  could  be circular chains of dependencies  that  would
 inhibit separate evaluations of the TCB subsets.)
 TC-4.3.5 SEPARATE SUBSET-DOMAINS



The candidate TCB subsets must operate in near isolation from
each other, with the only interaction between them being that
explicitly asserted as  part of  the interface.   In the  case
of reference monitors, many existing  implementations have relied
on the domain  concept [23] which supports  the assertions of
 non-bypassability and  self protection.   A natural extension
 of the domain  concept will be  required for isolation  of  TCB
 subsets  from  each  other and from non-TCB entities.


A subset-domain  is a set of  system domains.


Each  candidate  TCB  subset  must  occupy  a  distinct subset-domain
such that modify-access to a TCB subset's subset-domain is permitted
only  to that TCB subset and (possibly) to more primitive  TCB
subsets.   This requirement  ensures that the structure of subset-domains
with respect to access is consonant with the dependency relation
among TCB subsets.
TC-4.3.6 SUPPORT FOR RVM ARGUMENTS



Candidate TCB subsets  must satisfy the three RVM properties 
included in the definition  in TC-4.2.1 in order to complete 
evaluation by parts successfully.  TCB subsets  that build on
resources  and functionality provided  by more  primitive TCB
 subsets must  rely on assured and  evaluatable characteristics
of  those more primitive TCB  subsets.  A convincing argument
 must be advanced   that  the  features,   characteristics,  and
assurances provided  by the more primitive  TCB subsets are  capable
of supporting  RVM arguments for  the less primitive TCB subsets.


The  first property (mediating  every access) requires  that 
there  is   no  way  of  bypassing  the mediation  provided by
 TCB subset  M for  its objects, either  directly  or   by  unexpected
 side-effects  of interactions  with  other  TCB  subsets.   A
variety of approaches   could  suffice   for  demonstrating  
this property.


The   second  property   (tamper  resistance) requires that the
policy-critical code and data for the less  primitive  TCB  subset
  be  protected  from  any alteration not specifically allowed
 by the TCB subset.  A variety of approaches could suffice for
demonstrating this property.


The  third property (completeness  of testing and analysis for
correctness) requires the (engineering) demonstrations vM[i] of
 the correctnessof each less primitive  candidate TCB subset 
M[i].  Aconvincing argument must therefore be advanced that the
specifications sM[k] for all  of the more primitive TCB subsets
 M[k] on  which M[i]  depends will  suffice for establishing vM[i].
TC-4.4 EVALUATION ALTERNATIVES



As noted earlier, the need to evaluate systems whose elements
are developed  separately, possibly by independent developers,
results in the need to define  TCB subsets.  That  is not to 
say, however, that  design  by  TCB  subsetting  and  the  subsequent
evaluation by parts are the only alternatives.  Rather, there
are three distinct possibilities.


A  system  TCB,  regardless  of  any internal structure, may be
viewed as a single entity.  In such a case,  the  evaluation 
may  proceed  essentially as an evaluation against the TCSEC.
 This case is examined in Section TC-6.2.


A system TCB may  be presented as a subsetted architecture  composed
 of  a  number  of candidate TCB subsets.  Given that each  of
the candidate TCB subsets satisfies the  conditions set forth
in  Section TC-4.3, an  evaluation  by  parts  is  possible. 
 This case is described in Section TC-6.3.


It  may be possible  to satisfy only  some of the conditions for
evaluation by parts.  This situation might  arise when  a  previously
 evaluated TCB  or TCB subset is modified  to accommodate the
policy-enforcing elements of a new application layer.  A special
case of this situation is described in Section TC-6.4.  In such
cases,  depending  upon  the  particulars,  it  may  be possible
to  realize some of the  savings in evaluation effort.  However,
no general statements can be made for these cases.
TC-5 GENERAL INTERPRETED REQUIREMENTS

TC-5.1 OVERVIEW



This section provides specific interpretations  of those  TCSEC
requirements  that are particularly  relevant for subsetted  architectures
and evaluation by parts.  Its  organization is derived from the
 structure  of  the  TCSEC  requirements.  For each relevant TCSEC
requirement there is a discussion of how that  requirement is
 interpreted in  an evaluation  by parts.


For   conciseness,   only   the  requirements headings applicable
for A1  systems are included below.  Thus,  the  interpretation
 guidance  below  should  be applied  only as demanded  by the
requirements  for the target  class of the  candidate trusted
system.   For a system targeted  at an evaluation class  below
A1, only those  requirements that  pertain to  the target  class
apply to the TCB subsets making up that system.


A    listing   of   the    requirements   and interpretations
by TCSEC class is presented in Appendix A.   The rationale for
 the applicability of  the TCSEC requirements to TCB  subsets
alone or to the  TCB as an entirety is described in Appendix B,
item 7.]
TC-5.2 DETAILED REQUIREMENTS

TC-5.2.1 SECURITY POLICY

TC-5.2.1.1 Discretionary Access Control



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
TC-5.2.1.2 Object Reuse



This  requirement applies   as stated  in the TCSEC to every TCB
subset in the TCB.
TC-5.2.1.3 Labels



This requirement applies as stated in the TCSEC  to  every  TCB
  subset  whose  policy  includes mandatory access control of
its subjects to its objects.  Any TCB subset  whose policy does
not include such  mandatory  access  control  is  exempt  from
this requirement.
Label Integrity



This requirement applies as stated in the TCSEC to every  TCB
subset whose policy includes mandatory  access control of its
subjects to its objects.  Any TCB subset  whose policy does not
include such  mandatory  access  control  is  exempt  from this
requirement.
Exportation of Labeled Information



This  requirement applies as stated in the TCSEC to every TCB
subset whose policy includes mandatory  access  control of its
subjects to its objects.  Any TCB subset  whose policy does not
include such  mandatory  access  control  is  exempt  from this
requirement.
Subject Sensitivity Labels



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.
Device Labels



This  requirement applies as stated in the TCSEC  to every TCB
subset  whose  policy  includes mandatory access control of its
subjects to its objects and has attached physical  or virtual
devices.  Any TCB subset  whose policy  does not  include such
 mandatory access control  or has no attached  physical or virtual
devices   is  exempt   from  this   requirement.   This requirement
can be satisifed  by the cooperative action of more than one TCB
subset.  
TC-5.2.1.4 Mandatory Access Control



This  requirement applies   as stated  in the TCSEC to every TCB
subset  whose  policy  includes mandatory  access  control  of
  its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
TC-5.2.2 ACCOUNTABILITY

TC-5.2.2.1 Identification and Authentication



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services or provide  the services
directly.  Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to  ensure that the security
level of subjects external to the  TCB that may be created to
act on  behalf of the individual user  are dominated by the clearance
and authorization of that user.  Each TCB subset   may  maintain
  its  own   identification  and authentication  data or  one
central  repository may be maintained.  If each TCB subset  has
its own data, then the  information  for  each  individual  user
 must  be consistent among all subsets.
Trusted Path



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


When  TCB subsets  are used,  the requirement for  trusted  path
 at  levels  B2  and  above  remains applicable  to the  entire
TCB.   The need  for trusted path "when positive  TCB-to-user
connection is required (e.g.,  login,  change  subject  security
 level)"  can require user interaction with  virtually any
TCB subset within  the TCB.   The implementation  of trusted 
path could   be   localized   in   a   single   TCB  subset. 
Alternatively, it could be implemented in more than one TCB  subset
if   the separate  implementations together comply with the system
security policy.
TC-5.2.2.2 Audit



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


A  TCB subset  may maintain  its own security audit  log,  distinct
 from  that  maintained  by  more primitive TCB subsets, or it
may use an audit interface provided by  a different TCB subset
 allowing the audit records  it  generates  to  be  processed
 by  that TCB subset.


If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other,  either at the  time they are  generated
or later.


Any TCB subset wherein  events may occur that require  notification
 of  the  security  administrator


shall  be able  to do  the following:   (1) detect  the occurrence
of these events,  (2) initiate the recording  of  the  audit 
trail   entry,  and  (3)  initiate  the notification of the security
  administrator.   The ability to  terminate events (2)  and (3)
above  may be provided  either in  the TCB  subset within which
they occur, or in the TCB  subset(s) where actions that lead to
the event were initiated.


The monitoring  and notification requirements may require  cooperation
between multiple  distinct TCB subsets  or  multiple  instantiations
 of  the same TCB subset.   For example,  to detect  the accumulation
 of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the  same user.  As another example, there may  be a single
TCB subset  that collects events from a  number of other TCB 
subset instantiations and, based  on its analysis  of them, notifies
 the security administrator.
TC-5.2.3 ASSURANCE

TC-5.2.3.1 Operational Assurance

System Architecture



This  requirement applies   as stated  in the TCSEC to every 
TCB subset, with the following


additional interpretations.The  TCB must  provide domains  for
execution that are allocated to and used by TCB subsets according
to the subset-domain condition for evaluation by parts.  A  most
primitive TCB  subset must provide  domains for execution.  A
 less primitive TCB subset  must make use of domains provided
by a  more primitive TCB subset.  A less primitive TCB subset
may provide further execution domains but is not required to do
so.


Similarly,  the  TCB  must  provide  distinct address  spaces
  for  untrusted  processes.    A  most primitive  TCB  subset
 must  provide  distinct address spaces for  its subjects.  A
less  primitive TCB subset must make use of the distinct address
space provided by a  more primitive  TCB  subset.   A less  primitive
TCB subset may  provide more fine-grained  distinct address spaces,
but is not required to do so.


In general, requirements specifically referring  to hardware 
or firmware  apply only  to TCB subsets that include hardware
or firmware.   The exception  is   the  requirement  that  the
  TCB  make effective use of  available hardware.  This requirement
applies  to  those  TCB   subsets  that  use  resources provided
 by  more  primitive  TCB  subsets  in lieu of hardware.   Those
 TCB  subsets  are  required  to make effective  use  of   the
 protection-relevant  features exported to it by the more primitive
TCB subsets (e.g., execution domains, support for distinct address
spaces) to separate those elements that are protection-critical
from those that are not.
System Integrity



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
Covert Channel Analysis



This  requirement applies as stated in the TCSEC  to the  entire
TCB.    When the  TCB is  made up entirely  of  TCB  subsets 
meeting  the conditions for evaluation  by parts,  analysis of
 the individual  TCB subsets satisfies this  requirement.  Otherwise,
covert channel  analysis of the  entire TCB must  be performed
(even if the results of  covert channel analysis of the individual
TCB subsets were available).
Trusted Facility Management



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  Any  "operator"  or "administrator"
 functions intrinsic  to an  individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
Trusted Recovery



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB   and to  the individual  TCB subsets.  The  cooperative recovery
actions of  the TCB subsets making up the TCB must provide trusted
recovery for  the  overall  TCB.   Otherwise,  trusted  recovery
evaluation  must address  the entire  TCB (even  if the individual
 TCB  subsets   meet  the  trusted  recovery requirements).
TC-5.2.3.2 Life-Cycle Assurance

Security Testing



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.  Otherwise, security  testing of the entire  TCB
must be performed   (even  if   the  results   of  testing  the
individual TCB subsets were available).
Design Specification and Verification



This  requirement applies   as stated  in the TCSEC to every TCB
 subset, with the following specific additional interpretations.
It  must be   demonstrated that  the securitypolicy enforced by
the  composite TCB is represented by the collection of policy
 models for the individual TCB subsets.


The argument  that the descriptive  top level specification (DTLS)
and formal top level specification (FTLS) are consistent with
the TCB interface applies to the  entire TCB.   There  is  required
an  explicit and convincing  description of  how  the  set of
 top level specifications (one for each  TCB subset) describes
the TCB  interface  in  terms  of  exceptions,  errors, and effects.
Configuration Management



This  requirement applies   as stated  in the TCSEC  to  every
 TCB  subset  in  the  TCB,  with  the following additional interpretation.


Because subsets  of the TCB may  be developed independently, a
single configuration management system may  not  be  feasible.
  However,  the  combination of configuration  management systems
 used to  support all the TCB subsets must  meet all the stated
requirements.  The  information describing the  interrelations
between separate  TCB  subsets  and  separate  security  policy
models  falls into  the category  of "all documentation and
 code associated  with the  current version  of the TCB"
in the TCSEC requirements.
Trusted Distribution



This  requirement applies   as stated  in the TCSEC to the  entire
TCB.  It can be  met by satisfying the  requirements  for  each
 TCB  subset if procedures exist for  assuring that all  TCB subsets
upon  which a particular  TCB  subset  depends  (that  is,  the
 more primitive TCB subsets) are  exactly the same version as
specified for the TCB subset in question.
TC-5.2.4 DOCUMENTATION

TC-5.2.4.1 DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
TC-5.2.4.2 Trusted Facility Manual



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB.


This  requirement can  be met  by providing a set of manuals,
one  for each distinct (non-replicated) TCB  subset.  Each  manual
shall  address the functions and privileges to be  controlled
for the associated TCB subset.   Additionally,   it  must  clearly
  show  the interfaces to, and the interaction with, more primitive
TCB  subsets.  The  manual  for  each TCB  subset shall identify
 the  functions  and  privileges  of  the  TCB subsets  on which
 the associated  TCB subset  depends.  Also, the TCB subset's
 manual shall identify which, if any,  configuration options 
of the  more primitive TCB subsets are to be used for the composite
TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.


The means for correlating multiple audit logs and synonymous 
user identifications from  multiple TCB subsets (if such exist)
shall also be addressed.  The  trusted facility  manual shall
 describe the  composite TCB so  that the interactions  among
the TCB subsets  can be readily determined.   Other manuals may
be  referenced in this determination.   The manuals that address
 the distinct modules  of the TCB  and the generation of  the
TCB need  to be integrated  with the other trusted facility manuals
 only to the extent that they are affected by the  use and operation
(versus the development) of the composite TCB.


The  TCB modules  that contain  the reference validation  mechanism
must  be associated  with the TCB subset  to  which  they   belong.
  The  procedure  for generating  a  new  TCB  after  modifying
 only one (or several)  TCB subsets must  be described.  This
 may be accommodated   by  independent   regeneration  of   the
individual TCB  subsets or by regeneration  of only the affected
TCB subsets.
TC-5.2.4.3 Test Documentation



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
TC-5.2.4.4 Design Documentation



This  requirement applies   as stated  in the TCSEC to the composite
TCB, with the following specific additional interpretations:


Requirements  concerning  models,  FTLS and DTLS, apply to individual
TCB subsets.


The requirement  concerning the description of interfaces  between
modules of the  TCB includes the interfaces between TCB subsets.


The documentation of  the implementation of a reference validation
mechanism must include justification for meeting the conditions
for evaluation by parts.


The  A1 requirement to describe clearly  non-FTLS internals of
 the TCB applies  to TCB subsets.
TC-5.3 SUMMARY OF THE REQUIREMENTS



The  requirements interpretations  in Section TC-5.2 above can
be grouped into two categories:  those that  apply to  individual
TCB  subsets and  those that apply  totally or  in part   to the
 overall TCB.   For purposes  of exposition,  the former  category
will  be termed "local  requirements," that is, those
 for which separate  analysis   of  the  individual   TCB  subsets
suffices to determine compliance for the composite TCB.  The latter
 are termed "global requirements,"  that is, those which
 require analysis of the  entire system and for  which  separate
 analysis  of  the  individual TCB subsets does not suffice.
TC-5.3.1 LOCAL REQUIREMENTS


  Discretionary Access Control;
  Object Reuse;
  Labels (except Subject Sensitivity Labels);
  Mandatory Access Control;
  System   Architecture  (except   domains  for




execution and distinct address spaces);

  System Integrity;
  Configuration Management;
  Security Features User's Guide;
  Design Documentation
  models,
  DTLSs,
  FTLSs, and
  non-FTLS internals.





TC-5.3.2 GLOBAL REQUIREMENTS



Subject     Sensitivity    Labels;    


Identification and  Authentication;   


Trusted  Path; 


Audit; 


System Architecture domains for execution, and distinct address
spaces;


              Covert   Channel   Analysis;        


     Trusted   Facility Management;     


     Trusted   Recovery  (also  applies  to


individual TCB subsets);   Security Testing;   Design Specification
and Verification correspondence  between  system policy and the
set of TCB subset models consistency of TCB interface with the


set of TCB subset DTLSs, and consistency ofTCB interface with
the set of TCB subset FTLSs;  Trusted Distribution;     Trusted
Facility Manual (also applies to individual TCB subsets);


Test Documentation; and   Design Documentation (except models,
DTLSs, FTLSs, and non-FTLS internals).
TC-6 DESIGN CHOICE

TC-6.1 OVERVIEW



This  section  examines  the  several  design choices available
for constructing systems in parts and the consequences of each
 when attempting to perform an evaluation by parts.  The  first
case described is that of a  TCB evaluated under the TCSEC  without
benefit of TCB  subset structuring.   This  case  is of  value
for several  reasons:  it serves  as a reference  point; it can
 be considered  the degenerate  case of subsetting; and  it  is
 always  an  option  to  evaluate  any TCB, regardless of  internal
structure, as a  monolith.  The second  and third  cases are 
presented in  terms of  a


         configuration    of    exactly    two    subsets;   the


          generalization  to   more  than  two  TCB   subsets
 is


          straightforward.   The   second  case  is  that   of
 a


          subsetted  architecture  that   exactly  satisfies 
the


conditions  for evaluation  by parts.   The third  case represents
a special case of  an altered TCB, one which is implemented using
trusted subjects.


Note that no evaluation using TCB subsets and evaluation by  parts
results in a  TCB subset receiving an evaluation rating.  Rather,
 the entire system, with its composite TCB, is  evaluated and
receives a rating.


However, evaluation  by parts is intended  to allow the


results of local analysis  of individual TCB subsets to be  distinguishable
and  separately referencable.   For further discussion of this
 topic, see Appendix B, item 10.
TC-6.2 A SINGLE TCB SUBSET



The  evaluation  of  a  TCB  consisting  of a single  TCB subset
 is equivalent  to a straightforward evaluation  against  the
 TCSEC.   The  conditions  for evaluation   by  parts   (Section
 TC-4.3)   reduce  to requirements found in the TCSEC itself.
TC-6.2.1 ANALYSIS OF THE CONDITIONS

TC-6.2.1.1    Condition    1: Candidate TCB Subsets



The TCB (hardware,  software, and firmware), as distinguished
from the rest of the computing system, must  be identified.  This
 is a basic  requirement for TCSEC evaluation.  Similarly,  the
subjects and objects within the system must  be identified.  The
requirement that no more than one  TCB subset mediate access to
any particular object  is satisfied, because there  is only one
TCB subset.
TC-6.2.1.2 Condition 2: Policy Allocation



The  policy P  enforced by  the TCB  (subset) must  be identified.
  The demonstration  that the  TCB (subset) enforces that policy
 will be a description of how  the  TCB  performs  access  mediation
 between the system's subjects and  objects according a system-level
description  of limitations   on access  (the technical policy
 P[i] of  the definition).   The tracing  of the policy to the
system design and behavior is part of the stated TCSEC requirements.


TC-6.2.1.3   Condition    3: Trusted Subjects Included


This  condition  is  satisfied  in  the  same manner  as  it 
is  in  evaluations  under  the  TCSEC.  Specifically,  the  TCB
 boundary  is  shown  to be the interface that is presented to
untrusted subjects.
TC-6.2.1.4 Condition 4: TCB Subset Structure



Satisfaction of this  condition (TC-4.3.4) is immediate, because
there is only one TCB subset. 
TC-6.2.1.5       Condition      5: Separate Subset-Domains




Satisfaction  of  the  separate subset-domain condition (TC-4.3.5)
is identical  to the C1 through A1 requirement that "the
TCB maintain a domain for its own execution that  protects it
from  external interference or tampering."  [8, p.  13 et
al.] 
TC-6.2.1.6   Condition   6: Support for RVM Arguments 



Satisfaction of this  condition (TC-4.3.6) is immediate, inasmuch
as there  are no less primitive TCB subsets  that  must  be  demonstrated
 to  satisfy  RVM requirements.
TC-6.2.2 EVALUATION S CONSEQUENCE



In this case, the  evaluation of the (single) TCB  subset proceeds
 exactly like  an evaluation under the  TCSEC.  Demonstration
  that the  candidate system meets  all the global  and local
requirements  (as  they apply  to  the  target  evaluation  class)
includes the consideration of each requirement as it applies system's
philosophy of protection, design, documentation, and implementation.
  The system must be shown  to   exhibit  the  properties  of
  a  reference validation mechanism, appropriate to the target
class.
TC-6.3 TWO TCB SUBSETS, MEETING THE CONDITIONS



This case  is of a  TCB that consists  of two candidate  TCB subsets,
A  and B, where  A is the  most primitive TCB subset.  That is,
B uses the abstractions provided  by  A  (the  objects,  in  particular)
as its resource  for the  construction and  exportation of its
own  abstractions.    B  also  uses   the  abstractions provided
by A for its  metadata (that is, internal data structures) that
make it  possible for B to instantiate its exported abstractions
as  well as keep records that enable it  to correctly enforce
its  stated policy.  In terms of the discussion of Section TC-4.3.4,
TCB subset B directly depends on TCB subset A.  It will be assumed
that TCB subset A  enforces mandatory and discretionary policies
on its objects and  that TCB subset B enforces a  discretionary
 policy  on  the  objects  it exports.  Additionally, all  trusted
subjects of A  are contained within A.  Thus, every subject  of
A (including all the active entities  that make up the logic 
of B) operates at  a single  sensitivity  level.   It will  further
be assumed  for  th  is  example  that  the mechanisms for domains
and thus for  subset-domains are independent of the mandatory
 and discretionary access  control policy enforcement mechanisms.
TC-6.3.1 ANALYSIS OF THE CONDITIONS

TC-6.3.1.1    Condition    1: Candidate    TCB subsets



The  TCB (hardware, software,  and firmware), as distinguished
from the rest of the computing system, must  be identified.  This
 is a basic  requirement for TCSEC evaluation.  Similarly,  the
subjects and objects within the system must be identified.


In this case, all the hardware, software, and firmware  that make
 up the  TCB must  be identified as being part of either TCB subset
A or TCB subset B.  The subjects  and  objects  mediated  by 
A  (call them the "A-subjects" and "A-objects"
 for this discussion) must be identified.  Similarly  the B-subjects
and B-objects must also be identified.


The   additional   requirement   in   Section TC-4.3.1 that "there
may not be any objects mediated by more than  one TCB subset"
 means that there  can be no B-object that is also an A-object.
TC-6.3.1.2 Condition 2: Policy Allocation



The policy  P enforced by the  whole TCB must be identified. 
 In addition, the policy  enforced by A (call  it  the  A-policy),
  stated  in  terms  of  the A-subjects  and  the  A-objects,
 must  be  identified.  Similarly,  the  B-policy,  stated   in
 terms  of  the B-subjects and the B-objects, must be identified.
TC-6.3.1.3    Condition   3: Trusted Subjects included



As  was stated  above, TCB  Subset A contains all  its own  trusted
subjects.   There may  be trusted subjects with respect to the
 policy of A, but all such subjects execute in the subset-domain
of A.
TC-6.3.1.4 Condition 4: TCB Subset Structure



Because B directly uses the A-objects and its logic is  embodied
in A-subjects, the  structure of the TCB  subsets  is  precisely
  "TCB  subset  A  is  more primitive than TCB subset B."
 This is a partial order.
TC-6.3.1.5       Condition      5: Separate Subset-Domains




Satisfaction  of  the  separate subset-domain condition  requires
that a  set of domains  provided by the   system  be   identified
 as   being  the  domains "occupied"  by  A  and  B.
  The  domain,  or  domains, occupied  by  A  is  exactly  the
 "domain  for its own execution" found in the TCSEC
requirements.  The domain or  domains  occupied  by  TCB  subset
 B  must  not be modifiable  by any code  or other system  entity
except possibly by TCB subset A.
TC-6.3.1.6   Condition   6: Support for RVM Arguments



Satisfying  the condition  for RVM  arguments requires demonstrating
 the plausibility of  being able to establish the three  requisite
properties of an RVM.  The  first  property  requires  that  no
 B-subject  be allowed  to  access  B-objects  without  those
accesses being mediated by TCB  subset B.  The tamper resistance
property requires that TCB subset  A provide a way that TCB subset
B can be  designed and implemented such that A-subjects  that
 are  not  part  of B's implementation cannot  tamper with  B's
policy-critical  code or data.  The  third  RVM  property  must
 be  satisfied  by  the individual TCB  subsets.  The degree to
 which each TCB subset must satisfy this  property is commensurate
with the evaluation class of the TCB.
TC-6.3.2 EVALUATION CONSEQUENCES



In this  case, the evaluation of  the two TCB subsets  requires
 that  each  meet  TCSEC requirements applicable to  each TCB
subset viewed  individually and that the two  TCB subsets combine
in a way  to meet all the TCSEC requirements stated for the target
class.


All local requirements are imposed on the two TCB subsets, A and
B, individually.  If each TCB subset can meet  the requirements
of the  target class, viewed as  if it  were a  separate TCB,
 the only  areas where additional  evaluation or  accreditation
work  might be required are those areas where  the sum of the
analysis of  the parts is not necessarily complete and convincing.
 Those areas  requiring additional work are exactly  the set 
of global  requirements described  in Section TC-5.3.2.


           Demonstrating that the candidate system meets the 
TCSEC requirements  (as they  apply to  the target evaluation
 class)  requires  that  both  A  and  B  be evaluated with respect
to the local  requirements of the target  class and that  the
composite TCB  be evaluated for global requirements.  In this
case, full testing of TCB subset  A against all the  requirements
(both local and  global)  simplifies the  task  of  demonstrating
satisfaction of the global requirements, both for B and for the
entire TCB.


Suppose, for  example, that TCB subset  A has been subjected 
to security testing appropriate  to the target  class  and  has
 been  shown  to  be adequately resistant  to  penetration  attacks.
  This  means that within  the confidence  level provided  by
the  testing requirement, no  A-subject can subvert  A's enforcement
of its policy.  In  this situation, every active entity in B is
an A-subject  and hence B can neither penetrate A nor be  induced
to do so by any  B-subject.  Thus, no further  testing of  A 
will  be required  to determine whether the entire TCB is resistant
to penetration; any additional  penetration  testing   can  be
 limited  to determining the ability of B to withstand assault.


Similarly, if A has  been searched for covert channels (as required
for its target class requirements), then no   further  search
 for  covert channels will be required, either  in the analysis
of B or  in the  overall  consideration  of the  entire TCB. 
Note  that if B  implements a mandatory  access control policy
(e.g., integrity), then it would be necessary to perform a covert
channel analysis  on B, but no further covert channel analysis
of A would be required.


The ability of users to determine the current sensitivity  level
 of  B-subjects  operating  on their behalf  will have  to be
 shown by  considering the TCB subsets  A and  B together. This
requirement  is satisfied immediately if  the argument relies
exclusively on A meeting the requirement.
TC-6.4   TWO TCB SUBSETS, NOT MEETING THE CONDITIONS



This case  also concerns a TCB  that consists of two candidate
 TCB subsets, C and D.  C  is the most primitive TCB subset. 
That is, D uses the abstractions provided  by  C  (the  objects,
 in  particular) as its resource  for the  construction and  exportation
of its own  abstractions.    D  also  uses   the  abstractions
provided by C for its  metadata (that is, internal data structures)
that make it  possible for D to instantiate its exported abstractions
as  well as keep records that enable it  to correctly enforce
its  stated policy.  In terms of the discussion of Section TC-4.3.4,
TCB subset D directly depends on TCB subset C.  Additionally,
D is trusted  with  respect  to  C.   That  is,  some of the C-subjects
 which  make  up  TCB  subset  D  execute as trusted processes
of C.  Here  also, as in the previous example, it is assumed 
that C implements mandatory and discretionary policies over  its
objects.  Further, the intent of D is to implement a discretionary
policy over the  objects it  exports.  However,  because D includes
subjects  which  are  trusted  relative  to  C's policy demonstration
 of the  full and  correct enforcement of the mandatory policy
requires analysis  of both C and D and is no longer localized
to TCB subset C.  It will be assumed  that the mechanisms  for
domains and  thus for subset-domains  are independent   of the
 mandatory and discretionary access control policy enforcement
mechanisms.


This case can be viewed  as a special case of a  previously  evaluated
 TCB  which  has been altered.  However,  the  alteration  takes
 the  form  of  a less primitive  subset  which  is  implemented,
 at least in part,  with   trusted  subjects  (i.e.,  some   of
 the C-subjects  are trusted  subjects which  execute in the subset-domain
 of D).   Although this  case may appear, intuitively,  to be
 different from  that of  arbitrary alteration of  a previously
evaluated TCB,  the example demonstrates that such an  approach
makes it impossible to perform an evaluation by parts.
TC-6.4.1 ANALYSIS OF THE CONDITIONS

TC-6.4.1.1    Condition    1:     Candidate    TCB Subsets




The  identification  of  the  TCB  (hardware, software, and firmware)
as  distinguished from the rest of  the computing  system  is
 a basic  requirement for TCSEC evaluation.   Likewise, the subjects
 and objects within the system must be identified.


In this case, all the hardware, software, and firmware  that make
 up the  TCB must  be identified as being part of either TCB subset
C or TCB subset D.  The C-subjects  and  C-objects  mediated 
by  C  have to be identified.   Similarly  the  D-subjects  and
D-objects must also be identified.


The   additional   requirement   in   Section TC-4.3.1 that "there
may not be any objects mediated by more  than  one  TCB  subset"
 means  there  can  be no D-object that is also a C-object.
TC-6.4.1.2 Condition 2: Policy Allocation



The policy  P enforced by the  whole TCB must be  identified.
  In  addition,  the  individual policy enforced by C (call it
the C-policy) must be identified  in terms of  the C-subjects
and the C-objects.  Similarly,  the  D-policy,  stated   in  terms
 of  theD-subjects and the D-objects,  must be stated.  In this
case, the C-policy will  include the strict enforcement of  a
 mandatory  access  control  policy  that  allows trusted subjects
to execute in the subset-domains which compose TCB subset D.
TC-6.4.1.3   Condition    3: Trusted Subjects 



Included This  condition is   not satisfied  because D includes
 at least  one  subject  that is  trusted with respect  to C.
  Hence a  subject that  is trusted with respect to the policy
of C is outside C, and evaluation by  parts  is  not  an  option.
  If  TCB  subset C had previously been  evaluated, then this
is  an example of an  altered TCB,  albeit  a  special case. 
 The change consists  of  the  addition  of  one  or  more  trusted
C-subjects  in D  whose effect   on the  behavior of  C cannot
 be predicted  a priori.   An assessment  of the impact  of  D
 on  the  behavior  of  C  cannot be made strictly by an examination
 of the trusted subjects and the definition  of C's interface.
 A  global assessment of C and D is required.
TC-6.4.1.4 Condition 4: TCB Subset Structure



Because D directly uses the C-objects and its logic is  embodied
in C-subjects, the  structure of the TCB  subsets  is  precisely
  "TCB  subset  C  is  more primitive than TCB subset D."
 This is a partial order.
TC-6.4.1.5       Condition      5: Separate Subset-Domains




Satisfying    the   separate    subset-domain condition  (TC-4.3.5)
requires  identifying the  set of system  domains   (likely  administered
 by   the  most primitive TCB subset C) as  the domains "occupied"
by C and  D.   The  domain,  or  domains,  occupied  by C is exactly
the "domain for its own execution" found in the TCSEC
requirements.  The domain  or domains occupied by TCB  subset
D  must not  be modifiable  by any  code or other system  entity
except possibly  by a part  of TCB subset C.
TC-6.4.1.6   Condition   6: Support for RVM Arguments



Satisfying  the condition  for RVM  arguments requires demonstrating
 the plausibility of  being able to establish the three  requisite
properties of an RVM.  The  first  property  requires  that  no
 B-subject  be allowed  to  access  B-objects  without  those
accesses being mediated by TCB  subset B.  The tamper resistance
property requires that TCB subset  A provide a way that TCB subset
B can be  designed and implemented such that  A-subjects  that
 are  not  part  of B's implementation cannot  tamper with  B's
policy-critical  code or data.  The  third  RVM  property  must
 be  satisfied  by  the individual TCB  subsets.  The degree to
 which each TCB subset must satisfy this  property is commensurate
with the evaluation class of the TCB.
TC-6.4.2 EVALUATION CONSEQUENCES



In   this   example,   the   conditions   for evaluation  by parts
 are not  satisfied and  thus, thef ull potential for savings
in evaluation effort cannot,  in general, be realized.  A  clear
option in such cases is to view  the system as a monolithic  TCB
and proceed accordingly.  However, because  this case represents
an example of an altered TCB, it admits of a wide spectrum of
 specific sub-cases.  Thus,  if the analysis  of the system  proceeds
 in  parallel  to  that  required  for evaluation  by parts  it
 may  be possible,  in special cases, to identify elements of
the analysis of the more primitive candidate TCB subset  which
can be successfully argued to be unaffected by the alterations.
 Some evaluation effort, often significant,  can be  saved, but
 unlike evaluation  by parts, how much can  only be estimated
by consideration of the implementation specifics.   For example,
in this specific  case,  the  local  analysis  of  TCB subset
C represents  a reasonable   candidate for  analysis that need
not be redone.
TC-6.5 SUMMARY



The  three cases  described above  illustrate the  effects of
 various TCB  subsetting situations  as they relate to the evaluation
requirements.  A  monolithic evaluation proceeds  exactly as described
in the TCSEC, with requirements being applied to the entire TCB.
When  all the   conditions for  evaluation by parts are satisfied,
considerable savings in evaluation effort  are realized.  The
 evaluation of a  new system configuration that includes exactly
the same TCB subset that was previously evaluated  (such as the
TCB subsets A and B in the Section  TC-6.3) is limited to (a)
local analysis of the individual TCB subsets (by reference to
earlier  analysis,  if  available)  and  (b)  a simpler global
 analysis, because each  TCB subset is  an exact analog of a TCB.


When the  conditions for evaluation  by parts are  not satisfied,
no  general statements can  be made about the factorability of
 analysis or the reusability of  previous analysis.   The extent
 to which  previous evaluation  evidence and  results remain 
valid can  be determined only  on a case-by-case  basis. 
PART 2 INTERPRETED REQUIREMENTS

IR-1 OVERVIEW AND CONTEXT



Part 2,  "INTERPRETED REQUIREMENTS," provides specific
 interpretations of  those TCSEC  requirements which are  deemed
to be either  DBMS-specific (or, more generally,   application-specific)
   or   particularly relevant  to DBMSs.   All  of  the requirements
 in the TCSEC apply in any case.


For   the   topics    included   below,   the interpretations
 provide  clarification  of  the  TCSEC requirements.   As  is
 the  case  for  the  TCSEC, the interpreted  requirements at
  any class  include those specified for that class in addition
to interpretations for  lower classes  that  have  not been  superseded
or altered.


Section IR-2  presents an overall  summary of the  TCSEC  requirements,
 as  interpreted  in the more detailed sections  that follow.
 Sections  IR-3 through IR-7  address  individual  requirements
interpretations for labels, audit, system architecture, design
specification and verification, and design documentation, respectively.
 The  format is an initial discussion  of  the  topic   in  general,
 followed  by specific requirements and interpretations that apply
to database   management  systems.    A  listing   of  the requirements
 and  interpretations  organized  by TCSEC class is presented
in Appendix A.
IR-2 SUMMARY OF THE INTERPRETATIONS



This      section      provides      specific interpretations
 of those  TCSEC requirements  that are particularly  relevant
for subsetted  architectures and evaluation by parts.  Its  organization
is derived from the  structure  of  the  TCSEC  requirements.
 For each relevant TCSEC requirement there is a discussion of
how that requirement is interpreted for a DBMS.
IR-2.1 SECURITY POLICY

IR-2.1.1 DISCRETIONARY ACCESS CONTROL



The  requirement   for  discretionary  access control is not changed
in  the context of this document and therefore applies as stated
in the TCSEC.
IR-2.1.2 OBJECT REUSE



The  requirement  for  object  reuse  is  not changed in  the
context of this  document and therefore applies as stated in the
TCSEC.
IR-2.1.3 LABELS



The  requirement  for  labels  is  treated in Section IR-3 of
this document.
IR-2.1.4 MANDATORY ACCESS CONTROL



The requirement for  mandatory access control is  not changed
 in the  context of  this document  and therefore  applies as
 stated in  the TCSEC.   However, there   are  several   subtle
 ramifications   of  this requirement of which a developer or
evaluator should be aware.  A brief discussion can  be found in
Appendix B, item 8, "Content-Dependent and Context-Dependent
Access Control."
IR-2.2 ACCOUNTABILITY

IR-2.2.1 IDENTIFICATION AND AUTHENTICATION



The   requirement   for   identification  and authentication 
is not changed  in the context  of this document and therefore
applies as stated in the TCSEC.
IR-2.2.2 AUDIT



The  requirement  for  audit  is  treated  in Section IR-4 of
this document.
IR-2.3 ASSURANCE

IR-2.3.1 OPERATIONAL ASSURANCE

IR-2.3.1.1 System Architecture



The  requirement for  system architecture  is treated in Section
IR-5 of this document.
IR-2.3.1.2 System Integrity



The requirement  for system integrity  is not changed in  the
context of this  document and therefore applies as stated in the
TCSEC.
IR-2.3.1.3 Covert Channel Analysis



The  requirement for covert  channel analysis is  not changed
 in the  context of  this document  and therefore applies as stated
in the TCSEC.
IR-2.3.1.4 Trusted Facility Management



The   requirement    for   trusted   facility management  is 
not  changed  in  the  context  of this document and therefore
applies as stated in the TCSEC.
IR-2.3.1.5 Trusted Recovery



The requirement  for trusted recovery  is not changed in  the
context of this  document and therefore applies as stated in the
TCSEC.
IR-2.3.2 LIFE CYCLE ASSURANCE

IR-2.3.2.1 Security Testing



The requirement  for security testing  is not changed in  the
context of this  document and therefore applies as stated in the
TCSEC. IR-2.3.2.2      Design     Specification      and Verification
The requirement for  design specification and verification  is
 treated  in   Section  IR-6  of  this document.
IR-2.3.2.3 Configuration Management



The requirement  for configuration management is  not changed
 in the  context of  this document  and therefore applies as stated
in the TCSEC.
IR-2.3.2.4 Trusted Distribution



The  requirement for trusted  distribution is not  changed  in
 the  context  of  this  document  and therefore applies as stated
in the TCSEC.
IR-2.4 DOCUMENTATION

IR-2.4.1 SECURITY FEATURES USER'S GUIDE



The  requirement  for   a  security  features user's  guide is
 not changed  in the  context of  this document and therefore
applies as stated in the TCSEC.
IR-2.4.2 TRUSTED FACILITY MANUAL



The requirement for a trusted facility manual is  not changed
 in the  context of  this document  and therefore applies as stated
in the TCSEC.
IR-2.4.3 TEST DOCUMENTATION



The requirement for test documentation is not changed in  the
context of this  document and therefore applies as stated in the
TCSEC.
IR-2.4.4 DESIGN DOCUMENTATION



The  requirement for design  documentation is treated in Section
IR-7 of this document.
IR-3 LABELS

IR-3.1 GENERAL DISCUSSION



The  labels  requirements  of  the  TCSEC are entirely  applicable
 to  database  management systems.  The  basic   difference  between
 the   TCSEC  labeling requirements  as they  apply to  operating
systems  and DBMSs involves which storage objects are labeled
rather than  how   the  labels  are  handled.    This  section
discusses  special considerations  in implementing  and evaluating
 labeling mechanisms in  database management systems.  Of particular
importance  is the selection of the storage objects that are to
be labeled.


Beginning at the B1 evaluation class, trusted database management
 systems are required  to associate labels  with all  storage
objects  under their control.  The  granularity  of  storage 
objects  to be protected shall be chosen by the DBMS designer.


Stored view definitions (that is, named query commands) that are
visible at  the TCB boundary must be stored in labeled objects.
 The TCB must mediate access both   to  the   view  definition
  and  to   the  view instantiation  (that  is,  the  set  of
labeled objects accessed as  the result of executing  the query
command contained in the view definition).


It has been proposed  in several designs that views be  used as
a mechanism to  implement context- or content-dependent labeling.
 The intuitive attractiveness of this approach  is undeniable,
but the implementation details must be  carefully worked out to
achieve a sound implementation.   A brief discussion of this 
topic  can  be  found  in  Appendix  B,  item  8, "Content-Dependent
and Context-Dependent Access Control." TCB designers and
evaluators may make distinctions between objects that are  explicitly
labeled or  implicitly labeled.  Such  distinctions are meaningful
 only within  the confines  of the  TCB; all storage objects are
explicitly  labeled from a point of view outside the TCB.   For
example, consider an object of one type  (e.g., table or file)
within  the TCB that "contains" many (reference  monitor)
objects of another type (e.g.,  tuples and records).  The  file
could have an explicit  label associated with it, and  some of
the records  could  have  explicit  labels  associated with them.
 Those records that  have no explicit label would be implicitly
labeled by the label of the file.


For database management  systems, the objects that store the base
data  of the database (e.g., files, records,  relations,  and
 tuples), as well as those objects that store the metadata  (e.g.,
directories, indices, schemas, data dictionaries,  discretionary
authorization  tables, recovery  logs, and transaction logs),
 must  be  labeled.   Objects  that  need not be labeled  include
internal  resources that  are not user visible (e.g., printer
daemon scratch files and resource allocation tables).  The requirement
 for importing data  (labeled and unlabeled) is  the same as in
the TCSEC.  For additional information, see Appendix B, item 9,
"Bulk Loading of a Database."
IR-3.2 SPECIFIC INTERPRETATIONS

CLASS (B1): LABELED SECURITY PROTECTION



There are no interpretations for this class.
CLASS (B2): STRUCTURED PROTECTION

Statement from TCSEC



Sensitivity  labels associated with  each ADP system resource
.  .  .  that is directly or indirectly accessible  by subjects
 external to  the TCB  shall be maintained by the TCB.
Interpretation



Internal TCB  variables that are  not visible to  untrusted subjects
 need not  be labeled,  provided that they are not  directly or
indirectly accessible by subjects external to the TCB.  However,
it is important to understand that such internal variables can
function as  covert signaling  channels when  untrusted subjects
are  able  to  detect  changes  in  these  variables by observing
system behavior.
CLASS (B3): SECURITY DOMAINS



There are no additional requirements.
CLASS (A1): VERIFIED DESIGN



There are no additional requirements.
IR-4 AUDIT

IR-4.1 GENERAL DISCUSSION



The audit requirements of  the TCSEC apply to database  management
systems.   This section  discusses special  considerations  in
 designing  and  evaluating audit mechanisms in database management
systems. The  TCB must  be capable  of maintaining  an audit trail
 of accesses and attempted  accesses to the objects  protected
by  the mandatory  and discretionary security   policies.   Two
   examples  are   given  to illustrate auditing techniques for
discretionary access control decisions.


Example 1.  Consider a DBMS TCB providing discretionary controls
on defined views of the database.  Because the named object presented
at the TCB interface is the view definition  (not the  records
instantiated  through the view), all that needs to be auditable
is the use of the view by any untrusted subject.


Example 2.Consider a DBMS TCB that enforces discretionary   access
 control   on  individual   data records.  When a user  enters
a query, the construction of a  response may involve  a search
over  many records that are not returned to  the user because
they did not satisfy the  query.  Records that do  satisfy the
query but to  which the user  does not have  access should be
auditable.  Records that do  not satisfy the query need not be
 auditable.  That is,  in the context  of audit, access  permission
to  the user  and satisfaction  of a query are to be kept separate.


There is no need to audit operations that are strictly internal
to the  TCB.  Separate security audit logs may be maintained by
 the operating system and the database   management   system.
   Likewise,   separate identifications for the same  user may
be maintained by the  operating  system   and  the  database 
management system.  The correlation of  separate audit logs may
be done either at  the time they are generated  or at some later
time.


The  emphasis of  the audit  criterion is  to provide individual
accountability for actions by users.  This  goal is  not the 
same as  that for  a backup and recovery log.  There is no requirement
to integrate the audit  log with the  backup and recovery  log,
although such an integrated log is not prohibited.  At the designer's
discretion,  there may be a selectable  capability to  reduce
the  number of  audit records generated  in response to queries
 that involve many access control decisions.
IR-4.2 SPECIFIC INTERPRETATIONS CLASS (C2): CONTROLLED ACCESS
PROTECTION

Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events, in the case of a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  and inserts),  not just
 the invocation of the database management system.  The auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses  which are  visible to  users.  That  is, each discretionary
access  control policy decision  shall be auditable.  Individual
operations  performed by trusted software, if totally transparent
 to the user, need not be auditable.  If the total audit requirement
is met by the  use  of  more  than  one  audit  log,  a method
of correlation must be available.
CLASS (B1): LABELED SECURITY PROTECTION

Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  and inserts),  not just
 the invocation of the database management system.  The auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
CLASS (B2): STRUCTURED PROTECTION



There is no interpretation for the additional requirements.
CLASS (B3): SECURITY DOMAINS



There is no interpretation for the additional requirements.
CLASS (A1): VERIFIED DESIGN



There are no additional requirements.
IR-5 SYSTEM ARCHITECTURE

IR-5.1GENERAL DISCUSSION



The  system architecture requirements  of the TCSEC apply to database
management systems.  The interpretations provided are a duplication
 of  the  general  interpreted requirements that  apply  to  an
 evaluation by parts.  They are included because DBMS evaluations
often involve multiple TCB subsets.
IR-5.2 SPECIFIC INTERPRETATIONS

CLASS    (C1):      DISCRETIONARY    SECURITY PROTECTION

Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
CLASS (C2): CONTROLLED ACCESS PROTECTION



There is no interpretation for the additional requirements.
CLASS (B1): LABELED SECURITY PROTECTION



There is no interpretation for the additional requirements.
CLASS (B2): STRUCTURED PROTECTION

Statement from TCSEC



The  user  interface  to  the  TCB  shall  be completely  defined
  and  all  elements  of   the  TCB identified.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB subsets as well as
 the user interface to the whole TCB.
Statement from TCSEC



It  shall  make  effective  use  of available hardware   to  
separate   those   elements   that  are protection-critical from
those that are not.
Interpretation



If the  TCB is composed of  multiple subsets, each TCB subset
must make use of facilities provided to it by  more primitive
TCB subsets, such  as support for execution domains  and for distinct
address  spaces, to achieve the required separation.
CLASS (B3): SECURITY DOMAINS



There is no interpretation for the additional requirements.
CLASS (A1): VERIFIED DESIGN



There are no additional requirements.
IR-6 DESIGN SPECIFICATION AND VERIFICATION 

IR-6.1 GENERAL DISCUSSION



The  design  specification  and  verification requirements of
the TCSEC, with   the   related documentation requirements, apply
to database management systems.  The interpretations provided
include a duplication  of general  interpreted requirements  that
apply  to an  evaluation by  parts.  They  are included because
of  the likelihood that a  DBMS evaluation will involve multiple
TCB subsets.


In   the  database    context,  the   set  of candidates  for
"subject"  and "object"  can be  larger than
normally encountered in trusted operating systems.  Where a database
system builds on an underlying trusted operating  system, for
 example, the  set of  candidate subjects  for the  two  TCB 
subsets includes  both the active  entities created  by the  operating
system  and those active entities created by the trusted portion
of the DBMS.  The set of  candidates for objects is large.


Examples are files, segments, buffers, structures, pages, relations,
tables, tuples, rows, columns, elements, entities, relationships,
procedures, metadata, system tables, query trees, query plans,
locking mechanisms,  rollback mechanisms, indices, recovery and
backupmechanisms, precalculated operations (such  as  joins),
view definitions, view instantiations, constraints, authorization
tables, data dictionary tables, and audit logs.


The requirements in the TCSEC for showing how the  various   representations
 of  the   system  being evaluated fit together can  be represented
as in Figure IR-1.  For monolithic TCBs,  the policy must be stated;
the model  must be developed, maintained,  and shown to be sufficient
to enforce the policy; and the DTLS (FTLS for  A1) must  be constructed
 and shown  to correspond both to the model and to the TCB implementation.
 These steps allow  a chain of  reasoning to proceed  from the
stated  policy  to  the  assertion  that  the system in question
actually enforces the policy.


In  the  case  of  multiple  TCB subsets, the intent is the same.
 Tracing all policy requirements to


the actual system implementation  must be possible, and vice versa.
 The current dilemma is that the theory and techniques for subdividing
a model into a set of models (or a top  level specification into
a set  of top level specifications) have not yet been established.
 Likewise neither theory or techniques have been established for
composing a set  of models or top level specifications  into 
a  unified  model  or  top  level specification.   The absence
 of rigorous  methods does not preclude an evaluation using a
subsetted TCB.


The process of mapping policy to implementation is  possible for
each TCB  subset, using the same techniques required for a monolithic
TCB.  For subsetted TCBs, designers and evaluators must explicitly
show  how the policy, model and specifications  for  each  TCB
 subset  meet  the TCSEC requirements.  In addition, convincing
informal arguments must  be given to show how  the collection
of TCB subsets  enforces the policy of  the composite TCB.


Because morerigorous composition methods are unavailable, convincing
informal arguments are appropriate for evaluation of  TCBs up
to and including Class A1.


The TCSEC requirements concerning the mapping from  policy to
 implementation for  a TCB  composed of multiple TCB subsets raise
these crucial topics:


The  allocation  of  policy  to  the  TCB subsets, 


The relation  of the  models for  the TCB subsets to the overall
system policy, and 


The   relation    of   the   top   level specification for each
TCB subset to the entire system.


Allocation of policy to  the TCB subsets is a precise division
 of the policy for  the entire system, as  addressed  in  the
 policy  allocation condition of Section TC-4.3.


The  second topic,  above, requires  that the policy for each
TCB subset be stated.  Additionally, it is  required  that  there
 be  an  informal  convincing argument that  the collection of
models  represents the policy enforced by the entire system.


The third topic, the way  in which the set of top level specifications
for the individual TCB subsets describes the  composite TCB interface
with  respect to exceptions, errors and effects, is treated in
a similar fashion.   The top  level specifications  for each 
TCB  subset  must  meet  the   requirement.   There is, in addition,
 a requirement   for an  informal, convincing description of how
the  set of top level specifications describes the TCB interface
with respect to exceptions, errors,  and effects.   At the  A1
level,  there is  no requirement  for  additional  formal  specification
 or formal  proofs  beyond  the  specification  and  proofs specific
to the individual TCB subsets.


Rather than formally  composing the policies, models,  and  specifications
 and  performing  a single monolithic evaluation, a series of
separate evaluations may  be  performed  (one  for  each  TCB
 subset).  The evaluations are  then tied together by  presentation
of sufficient  informal  arguments   that  the  individual policies
collectively represent  the policy enforced by the   entire  system,
   that  the   individual  models collectively  represent the
 system's policy,  that the individual specifications represent
 the TCB interface, and  that  the  source  code  of  each  TCB
 subset  is consistent with its top level specification.


Note  that satisfactory  completion of  these requirements  is
logically equivalent  to demonstrating that a "unified"
model for the entire TCB is consistent with  the  policy  enforced
  by  the  system,  that  a "unified"  top level  specification
corresponds  to the model,    and   that     the   "unified"
   top   level specification(s) corresponds to the source code.
 These interpreted  requirements,  which   do  not  mandate  a
"unified"  top  level  specification,  are  technically
achievable   interpretations   of   the  policy-tracing requirements
in the case of multiple TCB subsets.
IR-6.2 SPECIFIC INTERPRETATIONS

CLASS (B1): LABELED SECURITY PROTECTION

Statement from TCSEC



An informal  or formal model of  the security


policy  supported by the  TCB shall be  maintained over the life
cycle of the ADP system and demonstrated to be consistent with
its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB


subsets,  this  requirement  applies  to  the  security policy
of  each TCB subset.  An  informal argument that the  set  of
 policy  models  represents  the "security policy  supported
 by  the  [composite]  TCB"  must  be provided.
CLASS (B2): STRUCTURED PROTECTION

Statement from TCSEC



A  formal   model  of  the   security  policy supported by the
TCB shall  be maintained over the life cycle  of  the  ADP   system
 and  demonstrated  to  be consistent with its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB


subsets,  this  requirement  applies  to  the  security policy
of  each TCB subset.  An  informal argument that the  set  of
 policy  models  represents  the "security policy  supported
 by  the  [composite]  TCB"  must  be provided.
Statement from TCSEC



A descriptive  top-level specification (DTLS) of  the TCB  shall
 be  maintained that  completely and accurately  describes the
 TCB in  terms of exceptions, error messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB


subsets, this  requirement applies to the  DTLS of each TCB subset.
 An informal argument that the set of DTLSs accurately describes
the TCB must be provided.  If there is a multifaceted policy (e.g.,
both mandatory  access  control   and  discretionary  access control
policies) in a  particular TCB subset, then all facets must be
 represented in the DTLS and  in the TCB subset's model.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
CLASS (B3): SECURITY DOMAINS

Statement from TCSEC



A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
  applies to  individual TCB subsets.  Enforcement of all  policies
must be shown to occur  in  all  situations  (e.g.,  state  transitions)
required by  the formal security policy  model.  In the case 
of  a  discretionary  access  control policy, the presence of
the access  control check at all identified state transitions
is the total  of what is required for demonstrating  consistency
 between  the  DTLS  and the model.  This may be verified  by
inspection of the DTLS (that  is, by  visually checking  that
exception checks required by  the model are  present in the  DTLS).
 For the mandatory  access control policy, the  DTLS must be shown
 by a convincing  argument to be  consistent with the model.
CLASS (A1): VERIFIED DESIGN

Statement from TCSEC



A  formal top-level  specification (FTLS)  of the TCB  shall be
maintained that  accurately describes the  TCB in  terms of  exceptions,
error  messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this  requirement
applies to the  FTLS of each TCB subset.  An informal argument
that the set of FTLSs accurately describes the TCB must be provided.


If there is a multifaceted policy (e.g., both mandatory  access
 control   and  discretionary  access control policies) in a 
particular TCB subset, then all facets must be  represented in
the FTLS and  in the TCB subset's model.
Statement from TCSEC



The  FTLS shall  be shown  to be  an accurate description of the
TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



.  .  .  a combination of formal and informal techniques  shall
be  used to   show that  the FTLS  is consistent with the model.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB


subsets,  this requirement   applies to  individual TCB subsets.
 Enforcement of all  policies must be shown to occur  in  all
 situations  (e.g.,  state  transitions) required  by the  formal
security  policy model  at the required  occasions.  In  the case
 of a  discretionary access  control  policy,  the  presence 
of  the access control  check at  all identified  state transitions
is the  total  of  what   is  required  for  demonstrating consistency
between  the FTLS and the  model.  This may be  verified by  inspection
of  the FTLS  (that is,  by visually checking that exception checks
required by the model  are present  in  the  FTLS).  For  the
mandatory access  control policy,  the FTLS  must be  shown by
 a combination  of formal  and informal  techniques to  be consistent
with the model.
IR-7 DESIGN DOCUMENTATION

IR-7.1 GENERAL DISCUSSION

The  design documentation requirement  of the



TCSEC applies to database management systems.


The    interpretations    provided    are   a duplication  of
 the  general  interpreted requirements that  apply  to  an  evaluation
 by  parts.   They  are included   because  DBMS   evaluations
 often   involve multiple TCB subsets.
IR-7.2 SPECIFIC INTERPRETATIONS

CLASS (C1): DISCRETIONARY SECURITY PROTECTION

Statement from TCSEC



If the  TCB is composed of  distinct modules, the   interfaces
 between    these  modules   shall  be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION



There are no additional requirements.
CLASS (B1): LABELED SECURITY PROTECTIONStatement from TCSEC




The specific TCB  protection mechanisms shall be  identified and
 an explanation  given to  show that they satisfy the model.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to each TCB  subset and shall include  the protection
  mechanisms which  support the conditions  for  TCB   subset
 structure  and  separate subset-domains.
CLASS (B2): STRUCTURED PROTECTION

Statement from TCSEC



The interfaces between  the TCB modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between different
TCB subsets.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



Documentation  shall  describe  how  the  TCB implements  the
reference  monitor concept  and give an explanation  of why it
 is tamper resistant,  cannot be bypassed, and is correctly implemented.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to each TCB subset with  respect to
its specific technical policy.   In  addition,  there  must  be
 documented an informal  argument that  the cooperative  action
of the TCB  subsets  makes  the  TCB  itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC



Documentation shall  describe how the  TCB is structured to  facilitate
testing and to  enforce least privilege.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
is interpreted  to apply to individual TCB subsets as well as
to the overall TCB.
CLASS (B3): SECURITY DOMAINS

Statement from TCSEC



The  TCB implementation  shall be  informally shown to be consistent
with the DTLS.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to individual TCB subsets.
CLASS (A1): VERIFIED DESIGN

Statement from TCSEC



The  TCB implementation  shall be  informally shown to be consistent
with the FTLS.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to individual       TCB        subsets.
      
SUMMARY OF THE INTERPRETATIONS BY CLASS Appendix A



This  section is  a presentation  of all  the interpreted requirements
organized  by TCSEC class.  It includes all the requirements which
are either relevant to subsetted  architectures or are  DBMS-specific.
 Any TCSEC  requirements  not  explicitly  identified herein apply
as stated in the TCSEC.
CLASS (C1): DISCRETIONARY SECURITY PROTECTION

C1-1 SECURITY POLICY

C1-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
C1-2 ACCOUNTABILITY

C1-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services  or provide  the services
 directly.  Each TCB subset   may  maintain   its  own   identification
 and authentication  data or  one central  repository may be maintained.
 If each TCB subset  has its own data, then the  information 
for  each  individual  user  must  be consistent among all subsets.
C1-3 ASSURANCE

C1-3.1 OPERATIONAL ASSURANCE

C1-3.1.1 SYSTEM ARCHITECTURE



This requirement applies as stated  in the TCSEC   to  every 
 TCB  subset,   with  the  following additional interpretations.


The  TCB must  provide domains  for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains forexecution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Statement from TCSEC

The TCB  shall maintain a domain  for its own execution that
 protects it from  external interference or tampering. 

Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
C1-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
C1-3.2 LIFE CYCLE ASSURANCE

C1-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.  Otherwise, security  testing of the entire  TCB
must be performed   (even  if   the  results   of  testing  the
individual TCB subsets were available).
C1-4 DOCUMENTATION

C1-4.1  SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
C1-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.


The means for correlating multiple audit logs and synonymous 
user identifications from  multiple TCB subsets (if such exist)
shall also be addressed.  The  trusted facility  manual shall
 describe the  composite TCB so  that the interactions  among
the TCB subsets  can be readily determined.   Other manuals may
be  referenced in this determination.   The manuals that address
 the distinct modules  of the TCB  and the generation of  the
TCB need  to be integrated  with the other trusted facility manuals
 only to the extent that they are affected by the  use and operation
(versus the development) of the composite TCB.
C1-4.3 TEST DOCUMENTATION



This requirement applies as stated  in the TCSEC to the composite
TCB.
C1-4.4 DESIGN DOCUMENTATION



This requirement applies as stated  in the TCSEC to the composite
TCB.
Statement from TCSEC



If the  TCB is composed of  distinct modules, the   interfaces
 between    these  modules   shall  be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
CLASS (C2): CONTROLLED ACCESS PROTECTION

C2-1 SECURITY POLICY

C2-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
C2-1.2 OBJECT REUSE



This  requirement applies  as  stated  in the  TCSEC to every
TCB subset in the TCB.
C2-2 ACCOUNTABILITY

C2-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services  or provide  the services
 directly.  Each TCB subset   may  maintain   its  own   identification
 and authentication  data or  one central  repository may be maintained.
 If each TCB subset  has its own data, then the  information 
for  each  individual  user  must  be consistent among all subsets.
C2-2.2 AUDIT



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


A  TCB subset  may maintain  its own security audit  log,  distinct
 from  that  maintained  by  more primitive TCB subsets, or it
may use an audit interface provided by  a different TCB subset
 allowing the audit records  it  generates  to  be  processed
 by  that TCB subset.


If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other,  either at the  time they are  generated
or later.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of access to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management system,
are the individual  operations initiated by users (e.g.,   updates,
retrievals,  and inserts),  not just  the invocation of the database
management system.  The auditing mechanism shall  have  the  capability
 of  auditing all mediated accesses  which are  visible to  users.
 That  is, each discretionary access  control policy decision
 shall be auditable.  Individual operations  performed by trusted
software, if totally transparent  to the user, need not be auditable.
 If the total audit requirement is met by the  use  of  more 
than  one  audit  log,  a method of correlation must be available.
C2-3 ASSURANCE

C2-3.1 OPERATIONAL ASSURANCE

C2-3.1.1 SYSTEM ARCHITECTURE



This  requirement applies   as stated  in the TCSEC   to  every
  TCB  subset,   with  the  following additional interpretations.
 The  TCB must  provide domains  for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains for execution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.
Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
C2-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
C2-3.2 LIFE CYCLE ASSURANCE

C2-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.  Otherwise, security  testing of the entire  TCB
must be performed   (even  if   the  results   of  testing  the
individual TCB subsets were available).
C2-4 DOCUMENTATION

C2-4.1 SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
C2-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.


The means for correlating multiple audit logs and synonymous 
user identifications from  multiple TCB subsets (if such exist)
shall also be addressed.


The  trusted facility  manual shall  describe the  composite TCB
so  that the interactions  among the TCB subsets  can be readily
determined.   Other manuals may be  referenced in this determination.
  The manuals that address  the distinct modules  of the TCB 
and the generation of  the TCB need  to be integrated  with the
other trusted facility manuals  only to the extent that they are
affected by the  use and operation (versus the development) of
the composite TCB.
C2-4.3 TEST DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
C2-4.4 DESIGN DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
Statement from TCSEC



If the  TCB is composed of  distinct modules, the interface between
these modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
CLASS (B1): LABELED SECURITY PROTECTION SECURITY POLICY

B1-1 SECURITY POLICY

B1-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
B1-1.2 OBJECT REUSE



This  requirement applies   as stated  in the TCSEC to every TCB
subset in the TCB.
B1-1.3 LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B1-1.3.1 LABEL INTEGRITY



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B1-1.3.2 EXPORTATION OF LABELED INFORMATION



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B1-1.4 MANDATORY ACCESS CONTROL



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B1-2 ACCOUNTABILITY

B1-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.  If  the TCB is  composed
of TCB  subsets, one TCB subset  may either rely  on a mechanism
 in another TCB subset to provide identification and authentication
services or provide  the services directly.  Similarly, that TCB
subset may rely on a mechanism in another more primitive TCB subset
to  ensure that the security level  of subjects external to the
 TCB that may be created to act on  behalf of the individual user
 are dominated by the clearance and authorization of that user.
 Each TCB subset   may  maintain   its  own   identification 
and authentication  data or  one central  repository may be maintained.
 If each TCB subset  has its own data, then the  information 
for  each  individual  user  must  be consistent among all subsets.
B1-2.2 AUDIT



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


A  TCB subset  may maintain  its own security audit  log,  distinct
 from  that  maintained  by  more primitive TCB subsets, or it
may use an audit interface provided by  a different TCB subset
 allowing the audit records  it  generates  to  be  processed
 by  that TCB subset.


If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other,  either at the  time they are  generated
or later.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of access to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management system,
are the individual  operations initiated by  untrusted  users
(e.g.,   updates, retrievals,  and inserts),  not just  the invocation
of the database management system.  The auditing mechanism shall
 have  the  capability  of  auditing all mediated accesses  which
are  visible to  users.  That  is, each discretionary access 
control policy decision  shall be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management system,
are the individual  operations initiated by  untrusted users (e.g.,
updates, retrievals,  and inserts),  not just  the invocation
of the database management system.  The auditing mechanism shall
 have  the  capability  of  auditing all mediated accesses which
are visible to  the user.  That is, each discretionary access
 control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
B1-3 ASSURANCE

B1-3.1 OPERATIONAL ASSURANCE

B1-3.1.1 SYSTEM ARCHITECTURE



This  requirement applies   as stated  in the TCSEC   to  every
  TCB  subset,   with  the  following additional interpretations.
 The  TCB must  provide domains  for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains for execution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.


Similarly,  the  TCB  must  provide  distinct address  spaces
  for  untrusted  processes.    A  most primitive  TCB  subset
 must  provide  distinct address spaces for  its subjects.  A
less  primitive TCB subset must make use of the distinct address
space provided by a  more primitive  TCB  subset.   A less  primitive
TCB subset may  provide more fine-grained  distinct address spaces,
but is not required to do so.
Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
B1-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
B1-3.2 LIFE CYCLE ASSURANCE

B1-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.  Otherwise, security  testing of the entire  TCB
must be performed   (even  if   the  results   of  testing  the
individual TCB subsets were available).
B1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION



This  requirement applies   as stated  in the TCSEC to every TCB
 subset, with the following specific additional interpretations.


It  must be   demonstrated that  the security policy enforced
by the  composite TCB is represented by the collection of policy
 models for the individual TCB subsets.
Statement from TCSEC



An informal  or formal model of  the security policy  supported
by the  TCB shall be  maintained over the life cycle of the ADP
system and demonstrated to be consistent with its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this 
requirement  applies  to  the  security policy of  each TCB subset.
 An  informal argument that the  set  of  policy  models  represents
 the "security policy  supported  by  the  [composite]  TCB"
 must  be provided.
B1-4 DOCUMENTATION

B1-4.1 SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other  related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B1-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.


The means for correlating multiple audit logs and synonymous 
user identifications from  multiple TCB subsets (if such exist)
shall also be addressed.


The  trusted facility  manual shall  describe the  composite TCB
so  that the interactions  among the TCB subsets  can be readily
determined.   Other manuals may be  referenced in this determination.
  The manuals that address  the distinct modules  of the TCB 
and the generation of  the TCB need  to be integrated  with the
other trusted facility manuals  only to the extent that they are
affected by the  use and operation (versus the development) of
the composite TCB.
B1-4.3 TEST DOCUMENTATION



This requirement applies as stated  in the TCSEC to the composite
TCB.
B1-4.4 DESIGN DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB, with the following specific additional interpretation:


Requirements  concerning   models  and  DTLSs apply to individual
TCB subsets.
Statement from TCSEC



If the  TCB is composed of  distinct modules, the interface between
these modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
Statement from TCSEC



The specific TCB  protection mechanisms shall be  identified and
 an explanation  given to  show that they satisfy the model.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to each TCB  subset and shall include the protection
mechanisms which support the conditions  for  TCB subset structure
and separatesubset-domains.
CLASS (B2): STRUCTURED PROTECTION

B2-1 SECURITY POLICY

B2-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
B2-1.2 OBJECT REUSE



This  requirement applies  as  stated  in the  TCSEC to every
TCB subset in the TCB.
B2-1.3 LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
Statement from TCSEC



Sensitivity  labels associated with  each ADP system resource
.  .  .  that is directly or indirectly accessible  by subjects
 external to  the TCB  shall be maintained by the TCB
Interpretation



Internal TCB  variables that are  not visible to  untrusted subjects
 need not  be labeled,  provided that they are not  directly or
indirectly accessible by subjects external to the TCB.  However,
it is important to understand that such internal variables can
function as  covert signaling  channels when  untrusted subjects
are  able  to  detect  changes  in  these  variables by observing
system behavior.
B2-1.3.1 LABEL INTEGRITY



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B2-1.3.2 EXPORTATION OF LABELED INFORMATION



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B2-1.3.3 SUBJECT SENSITIVITY LABELS



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.
B2-1.3.4 DEVICE LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory access control
of its subjects to its objects and has attached physical  or virtual
devices.  Any TCB subset  whose policy  does not  include such
 mandatory access control  or has no attached  physical or virtual
devices   is  exempt   from  this   requirement.   This requirement
can be satisifed  by the cooperative action of more than one TCB
subset.
B2-1.4 MANDATORY ACCESS CONTROL



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B2-2 ACCOUNTABILITY

B2-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services or provide  the services
directly.  Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to  ensure that the security
level of subjects external to the  TCB that may be created to
act on  behalf of the individual user  are dominated by the clearance
and authorization of that user.  Each TCB subset   may  maintain
  its  own   identification  and authentication  data or  one
central  repository may be maintained.  If each TCB subset  has
its own data, then the  information  for  each  individual  user
 must  be consistent among all subsets.
B2-2.1.1 TRUSTED PATH



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.  When  TCB subsets
 are used,  the requirement for  trusted  path  at  levels  B2
 and  above  remains applicable  to the  entire TCB.   The implementation
of trusted path could be localized in a single TCB subset.  Alternatively,
it could be implemented in more than one  TCB  subset if   the
separate  implementations together comply with the system security
policy.
B2-2.2 AUDIT



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


A  TCB subset  may maintain  its own security audit  log,  distinct
 from  that  maintained  by  more primitive TCB subsets, or it
may use an audit interface provided by  a different TCB subset
 allowing the audit records  it  generates  to  be  processed
 by  that TCB subset.


If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other,  either at the  time they are  generated
or later.


Any TCB subset wherein  events may occur that require  notification
 of  the  security  administrator shall be  able to:  


(1) detect the  occurrence of these events, 


(2)  initiate the recording of  the audit trail entry,  and  


(3)  initiate the notification of  the security  administrator.
  


The   ability  to  terminate events (2) and (3) above  may be
provided either in the TCB  subset within  which they   occur,
or  in the  TCB subset(s)  where actions  that lead  to the  event
were initiated.


The monitoring  and notification requirements may require  cooperation
between multiple  distinct TCB subsets  or  multiple  instantiations
 of  the same TCB subset.   For example,  to detect  the accumulation
 of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the  same user.  As another example, there may  be a single
TCB subset  that collects events from a  number of other TCB 
subset instantiations and, based  on its analysis  of them, notifies
 the security administrator.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  inserts), not  just
the  invocation of the database  management  system.   The  auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management system,
are the individual  operations  initiated by untrusted users (e.g.,
  updates, retrievals,  and inserts),  not just  the invocation
of the database management system.  The auditing mechanism shall
 have  the  capability  of  auditing all mediated accesses which
are visible to  the user.  That is, each  discretionary access
 control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
B2-3 ASSURANCE

B2-3.1 OPERATIONAL ASSURANCE

B2-3.1.1 SYSTEM ARCHITECTURE



This  requirement applies   as stated  in the TCSEC to every TCB
subset, with  the  following additional interpretations.


The  TCB must  provide domains  for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains for execution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.


Similarly,  the  TCB  must  provide  distinct address  spaces
  for  untrusted  processes.    A  most primitive  TCB  subset
 must  provide  distinct address spaces for  its subjects.  A
less  primitive TCB subset must make use of the distinct address
space provided by a  more primitive  TCB  subset.   A less  primitive
TCB subset may  provide more fine-grained  distinct address spaces,
but is not required to do so.


In    general,   requirements    specifically referring  to hardware
 or firmware  apply only  to TCB subsets  that   include  hardware
 or   firmware.   The  exception  is   the  requirement  that
 the   TCB  make effective use of  available hardware.  This requirement
applies  to  those  TCB   subsets  that  use  resources provided
 by  more  primitive  TCB  subsets  in lieu of hardware.   Those
 TCB  subsets  are  required  to make effective  use  of   the
 protection-relevant  features exported to it by the more primitive
TCB subsets (e.g., execution domains, support for distinct address
spaces) to separate those elements that are protection-critical
from those that are not.
Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC



The  user  interface  to  the  TCB  shall  be completely  defined
  and  all  elements  of   the  TCB identified.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB subsets as well as
 the user interface to the whole TCB.
Statement from TCSEC



It  shall  make  effective  use  of available hardware   to  
separate   those   elements   that  are protection-critical from
those that are not.
Interpretation



If the  TCB is composed of  multiple subsets, each TCB subset
must make use of facilities provided to it by  more primitive
TCB subsets, such  as support for execution domains  and for distinct
address  spaces, to achieve the required separation.
B2-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
B2-3.1.3 COVERT CHANNEL ANALYSIS



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.    When the  TCB is  made up entirely  of  TCB  subsets 
meeting  the conditions for evaluation  by parts,  analysis of
 the individual  TCB subsets satisfies this  requirement.  Otherwise,
covert channel  analysis of the  entire TCB must  be performed
(even if the results of  covert channel analysis of the individual
TCB subsets were available).
B2-3.1.4 TRUSTED FACILITY MANAGEMENT



This  requirement applies   as stated  in the TCSEC   to   the
  entire   TCB.    Any  "operator"  or "administrator"
 functions intrinsic  to an  individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
B2-3.2 LIFE CYCLE ASSURANCE

B2-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.  Otherwise, security  testing of the entire  TCB
must be performed   (even  if   the  results   of  testing  the
individual TCB subsets were available).
B2-3.2.2 DESIGN SPECIFICATION AND VERIFICATION



This  requirement applies   as stated  in the TCSEC to every TCB
 subset, with the following specific additional interpretations.


It  must be  demonstrated that  the security  policy  enforced
 by  the  composite  TCB  is represented by the collection  of
policy models for the individual TCB subsets.


The argument  that the descriptive  top level specification  (DTLS)
  is  consistent  with   the  TCB interface applies to the entire
TCB.  There is required an explicit  and convincing description
of  how the set of top  level specifications (one for  each TCB
subset) describes  the TCB  interface in  terms of  exceptions,
errors, and effects.
Statement from TCSEC



A  formal   model  of  the   security  policy supported by the
TCB shall  be maintained over the life cycle  of  the  ADP   system
 and  demonstrated  to  be consistent with its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this 
requirement  applies  to  the  security policy of  each TCB subset.
 An  informal argument that the  set  of  policy  models  represents
 the "security policy  supported  by  the  [composite]  TCB"
 must  be provided.
Statement from TCSEC



A descriptive  top-level specification (DTLS) of  the TCB  shall
 be  maintained that  completely and accurately  describes the
 TCB in  terms of exceptions, error messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this  requirement
applies to the  DTLS of each TCB subset.  An informal argument
that the set of DTLSs accurately describes the TCB must be provided.


If there is a multifaceted policy (e.g., both mandatory  access
 control   and  discretionary  access control policies) in a 
particular TCB subset, then all facets must be  represented in
the DTLS and  in the TCB subset's model.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
B2-3.2.3 Configuration Management



This  requirement applies   as stated  in the TCSEC  to  every
 TCB  subset  in  the  TCB,  with  the following additional interpretation.
 Because subsets  of the TCB may  be developed independently,
a single configuration management system may  not  be  feasible.
  However,  the  combination of configuration  management systems
 used to  support all the TCB subsets must  meet all the stated
requirements.  The  information describing the  interrelations
between separate  TCB  subsets  and  separate  security  policy
models  falls into  the category  of "all documentation and
 code associated  with the  current version  of the TCB"
in the TCSEC requirements.
B2-4 DOCUMENTATION

B2-4.1 SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B2-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed. The means for correlating
multiple audit logs and synonymous  user identifications from
 multiple TCB subsets (if such exist) shall also be addressed.


The  trusted facility  manual shall  describe the  composite TCB
so  that the interactions  among the TCB subsets  can be readily
determined.   Other manuals may be  referenced in this determination.
  The manuals that address  the distinct modules  of the TCB 
and the generation of  the TCB need  to be integrated  with the
other trusted facility manuals  only to the extent that they are
affected by the  use and operation (versus the development) of
the composite TCB.


The  TCB modules  that contain  the reference validation  mechanism
must  be associated  with the TCB subset  to  which  they   belong.
  The  procedure  for generating  a  new  TCB  after  modifying
 only one (or several)  TCB subsets must  be described.  This
 may be accommodated   by  independent   regeneration  of   the
individual TCB  subsets or by regeneration  of only the affected
TCB subsets.
B2-4.3 TEST DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
B2-4.4 DESIGN DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB, with the following specific addditional interpretations.
 Requirements  concerning   models  and  DTLSs apply to individual
TCB subsets.  The requirement concerning the description of interfaces
 between  modules  of  the  TCB includes the interfaces between
TCB subsets. The documentation of  the implementation of a reference
   validation    mechanism    must    include justification for
meeting the conditions for evaluation by parts.
Statement from TCSEC



The interfaces between  the TCB modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
Statement from TCSEC



The specific TCB  protection mechanisms shall be  identified and
 an explanation  given to  show that they satisfy the model.
Interpretation

If the  TCB is composed of  multiple subsets, this requirement
 applies to each TCB  subset and shall include  the protection
mechanisms which  support the conditions  for  TCB   subset  structure
 and  separate subset-domains.

Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



Documentation  shall  describe  how  the  TCB implements  the
reference  monitor concept  and give an explanation  of why it
 is tamper resistant,  cannot be bypassed, and is correctly implemented.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to each TCB subset with  respect to
its specific technical policy.   In  addition,  there  must  be
 documented an informal  argument that  the cooperative  action
of the TCB  subsets  makes  the  TCB  itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC



Documentation shall  describe how the  TCB is structured to  facilitate
testing and to  enforce least privilege.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
is interpreted  to apply to individual TCB subsets as well as
to the overall TCB.
CLASS (B3):  SECURITY DOMAINS

B3-1 SECURITY POLICY 

B3-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
B3-1.2 OBJECT REUSE



This  requirement applies  as  stated  in the  TCSEC to every
TCB subset in the TCB.
B3-1.3 LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory access control
of its subjects to its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
Statement from TCSEC



Sensitivity  labels associated with  each ADP system resource
.  .  .  that is directly or indirectly accessible  by subjects
 external to  the TCB  shall be maintained by the TCB
Interpretation



Internal TCB  variables that are  not visible to  untrusted subjects
 need not  be labeled,  provided that they are not  directly or
indirectly accessible by subjects external to the TCB.  However,
it is important to understand that such internal variables can
function as  covert signaling  channels when  untrusted subjects
are  able  to  detect  changes  in  these  variables by observing
system behavior.
B3-1.3.1 LABEL INTEGRITY



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B3-1.3.2 EXPORTATION OF LABELED INFORMATION



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B3-1.3.3 SUBJECT SENSITIVITY LABELS



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.
B3-1.3.4 DEVICE LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory access control
of its subjects to its objects and has attached physical  or virtual
devices.  Any TCB subset  whose policy  does not  include such
 mandatory access control  or has no attached  physical or virtual
devices   is  exempt   from  this   requirement.   This requirement
can be satisifed  by the cooperative action of more than one TCB
subset.
B3-1.4 MANDATORY ACCESS CONTROL



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
B3-2 ACCOUNTABILITY

B3-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services or provide  the services
directly.  Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to  ensure that the security
level of subjects external to the  TCB that may be created to
act on  behalf of the individual user  are dominated by the clearance
and authorization of that user.  Each TCB subset   may  maintain
  its  own   identification  and authentication  data or  one
central  repository may be maintained.  If each TCB subset  has
its own data, then the  information  for  each  individual  user
 must  be consistent among all subsets.
B3-2.1.1 TRUSTED PATH



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


When  TCB subsets  are used,  the requirement for  trusted  path
 at  levels  B2  and  above  remains applicable  to the  entire
TCB.   The need  for trusted path "when positive  TCB-to-user
connection is required (e.g.,  login,  change  subject  security
 level)"  can require user interaction with  virtually any
TCB subset within  the TCB.   The implementation  of trusted 
path could   be   localized   in   a   single   TCB  subset. 
Alternatively, it could be implemented in more than one TCB  subset
if   the separate  implementations together comply with the system
security policy.
B3-2.2 AUDIT



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement. A  TCB subset  may
maintain  its own security audit  log,  distinct  from  that 
maintained  by  more primitive TCB subsets, or it may use an audit
interface provided by  a different TCB subset  allowing the audit
records  it  generates  to  be  processed  by  that TCB subset.
If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other, either at the time they are generated
or at some later time.


Any TCB subset wherein  events may occur that require  notification
 of  the  security  administrator shall be  able to:  (1) detect
the  occurrence of these events, (2)  initiate the recording of
 the audit trail entry,  and  (3)  initiate   the  notification
 of  the security  administrator The ability to terminate events
(2) and (3) above  may be provided either in the TCB  subset within
 which they   occur, or  in the  TCB subset(s)  where actions
 that lead  to the  event were initiated.  The monitoring  and
notification requirements may require  cooperation between multiple
 distinct TCB subsets  or  multiple  instantiations  of  the same
TCB subset.   For example,  to detect  the accumulation  of events
for a single user it may be necessary to collect events from several
subjects in distinct processes that are surrogates for the  same
user.  As another example, there may  be a single TCB subset 
that collects events from a  number of other TCB  subset instantiations
and, based  on its analysis  of them, notifies  the security administrator.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  inserts), not  just
the  invocation of the database  management  system.   The  auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be audited.   If the total audit requirement  is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  and inserts),  not just
 the invocation of the database management system.  The auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
B3-3 ASSURANCE

B3-3.1 OPERATIONAL ASSURANCE 1 

B3-3.1.1 System Architecture



This  requirement applies   as stated  in the TCSEC   to  every
  TCB  subset,   with  the  following additional interpretations.
The  TCB must  provide domains  for execution that are allocated
to and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains for execution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.


Similarly,  the  TCB  must  provide  distinct address  spaces
  for  untrusted  processes.    A  most primitive  TCB  subset
 must  provide  distinct address spaces for  its subjects.  A
less  primitive TCB subset must make use of the distinct address
space provided by a  more primitive  TCB  subset.   A less  primitive
TCB subset may  provide more fine-grained  distinct address spaces,
but is not required to do so.


In    general,   requirements    specifically referring  to hardware
 or firmware  apply only  to TCB subsets  that include  hardware
or  firmware.  However, the  requirement that  the  TCB  make
effective  use of hardware requires that a less primitive TCB
subset make effective  use  of   the  protection-relevant  features
exported to it by the more primitive TCB subsets (e.g., execution
domains, support for distinct address spaces) to separate those
elements that are protection-critical from those that are not.
Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC



The  user  interface  to  the  TCB  shall  be completely  defined
  and  all  elements  of   the  TCB identified.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB subsets as well as
 the user interface to the whole TCB.
Statement from TCSEC



It  shall  make  effective  use  of available hardware   to  
separate   those   elements   that  are protection-critical from
those that are not.
Interpretation



If the  TCB is composed of  multiple subsets, each TCB subset
must make use of facilities provided to it by  more primitive
TCB subsets, such  as support for execution domains  and for distinct
address  spaces, to achieve the required separation.
B3-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
B3-3.1.3 COVERT CHANNEL ANALYSIS



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.    When the  TCB is  made up entirely  of  TCB  subsets 
meeting  the conditions for evaluation  by parts,  analysis of
 the individual  TCB subsets satisfies this  requirement.  Otherwise,
covert channel  analysis of the  entire TCB must  be performed
(even if the results of  covert channel analysis of the individual
TCB subsets were available).
B3-3.1.4 TRUSTED FACILITY MANAGEMENT



This  requirement applies   as stated  in the TCSEC   to   the
  entire   TCB.    Any  "operator"  or "administrator"
 functions intrinsic  to an  individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
B3-3.1.5 TRUSTED RECOVERY



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB   and to  the individual  TCB subsets.  The  cooperative recovery
actions of  the TCB subsets making up the TCB must provide trusted
recovery for  the  overall  TCB.   Otherwise,  trusted  recovery
evaluation  must address  the entire  TCB (even  if the individual
 TCB  subsets   meet  the  trusted  recovery requirements).
B3-3.2 LIFE CYCLE ASSURANCE

B3-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.


Otherwise, security  testing of the entire  TCB must be performed
  (even  if   the  results   of  testing  the individual TCB subsets
were available).
B3-3.2.2 DESIGN SPECIFICATION AND VERIFICATION



This  requirement applies   as stated  in the TCSEC to every TCB
 subset, with the following specific additional interpretations.


It  must be   demonstrated that  the security policy enforced
by the  composite TCB is represented by the collection of policy
 models for the individual TCB subsets.


The argument  that the descriptive  top level specification  (DTLS)
  is  consistent  with   the  TCB interface applies to the entire
TCB.  There is required an explicit  and convincing description
of  how the set of top  level specifications (one for  each TCB
subset) describes  the TCB  interface in  terms of  exceptions,
errors, and effects.
Statement from TCSEC



A  formal   model  of  the   security  policy supported by the
TCB shall  be maintained over the life cycle  of  the  ADP   system
 and  demonstrated  to  be consistent with its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this 
requirement  applies  to  the  security policy of  each TCB subset.
 An  informal argument that the  set  of  policy  models  represents
 the "security policy  supported  by  the  [composite]  TCB"
 must  be provided.
Statement from TCSEC



A descriptive  top-level specification (DTLS) of  the TCB  shall
 be  maintained that  completely and accurately  describes the
 TCB in  terms of exceptions, error messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this  requirement
applies to the  DTLS of each TCB subset.  An informal argument
that the set of DTLSs accurately describes the TCB must be provided.


If there is a multifaceted policy (e.g., both mandatory  access
 control   and  discretionary  access control policies) in a 
particular TCB subset, then all facets must be  represented in
the DTLS and  in the TCB subset's model.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
  applies to  individual TCB subsets.  Enforcement of all  policies
must be shown to occur  in  all  situations  (e.g.,  state  transitions)
required by  the formal security policy  model.  In the case 
of  a  discretionary  access  control policy, the presence of
the access  control check at all identified state transitions
is the total  of what is required for demonstrating  consistency
 between  the  DTLS  and the model.  This may be verified  by
inspection of the DTLS (that  is, by  visually checking  that
exception checks required by  the model are  present in the  DTLS).
 For the mandatory  access control policy, the  DTLS must be shown
 by a convincing  argument to be  consistent with the model.
B3-3.2.3 CONFIGURATION MANAGEMENT



This  requirement applies   as stated  in the TCSEC  to  every
 TCB  subset  in  the  TCB,  with  the following additional interpretation.


Because subsets  of the TCB may  be developed independently, a
single configuration management system may  not  be  feasible.
  However,  the  combination of configuration  management systems
 used to  support all the TCB subsets must  meet all the stated
requirements.  The  information describing the  interrelations
between separate  TCB  subsets  and  separate  security  policy
models  falls into  the category  of "all documentation and
 code associated  with the  current version  of the TCB"
in the TCSEC requirements.
B3-4 DOCUMENTATION

B3-4.1 SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as  required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
B3-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.


The means for correlating multiple audit logs and synonymous 
user identifications from  multiple TCB subsets (if such exist)
shall also be addressed.


The  trusted facility  manual shall  describe the  composite TCB
so  that the interactions  among the TCB subsets  can be readily
determined.   Other manuals may be  referenced in this determination.
  The manuals that address  the distinct modules  of the TCB 
and the generation of  the TCB need  to be integrated  with the
other trusted facility manuals  only to the extent that they are
affected by the  use and operation (versus the development) of
the composite TCB.


The  TCB modules  that contain  the reference validation  mechanism
must  be associated  with the TCB subset  to  which  they   belong.
  The  procedure  for generating  a  new  TCB  after  modifying
 only one (or several)  TCB subsets must  be described.  This
 may be accommodated   by  independent   regeneration  of   the
individual TCB  subsets or by regeneration  of only the affected
TCB subsets.
B3-4.3 TEST DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
B3-4.4 DESIGN DOCUMENTATION



This  requirement applies   as stated  in the TCSEC  to   the
 composite  TCB,  with   the  following addtional specific interpretations
 Requirements  concerning   models  and  DTLSs apply to individual
TCB subsets.  The requirement concerning the description of interfaces
 between  modules  of  the  TCB includes the interfaces between
TCB subsets.  The documentation of  the implementation of a reference
   validation    mechanism    must    include justification for
meeting the conditions for evaluation by parts.
Statement from TCSEC



The interfaces between  the TCB modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
Statement from TCSEC



The specific TCB  protection mechanisms shall be  identified and
 an explanation  given to  show that they satisfy the model.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to each TCB  subset and shall include  the protection
  mechanisms which  support the conditions  for  TCB   subset
 structure  and  separate subset-domains.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



Documentation  shall  describe  how  the  TCB implements  the
reference  monitor concept  and give an explanation  of why it
 is tamper resistant,  cannot be bypassed, and is correctly implemented.
Interpretation

If  the  TCB  is  composed  of  multiple  TCB subsets,  this
requirement  is interpreted  to apply to each TCB subset with
 respect to its specific technical policy.   In  addition,  there
 must  be  documented an informal  argument that  the cooperative
 action of the TCB  subsets  makes  the  TCB  itself tamper resistant,
non-bypassable, and correct.

Statement from TCSEC



Documentation shall  describe how the  TCB is structured to  facilitate
testing and to  enforce least privilege.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
is interpreted  to apply to individual TCB subsets as well as
to the overall TCB.
Statement from TCSEC



The  TCB implementation  shall be  informally shown to be consistent
with the DTLS.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to individual TCB subsets.
CLASS (A1):  VERIFIED DESIGN

A1-1 SECURITY POLICY 

A1-1.1 DISCRETIONARY ACCESS CONTROL



The discretionary access control requirements apply as stated
in the  TCSEC to every TCB subset whose policy  includes discretionary
  access control  of its subjects to  its objects.  Any TCB  subset
whose policy does not  include such discretionary access  control
is exempt from this requirement.
A1-1.2 OBJECT REUSE



This  requirement applies  as  stated  in the  TCSEC to every
TCB subset in the TCB.
A1-1.3 LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
Statement from TCSEC



Sensitivity  labels associated with  each ADP system resource
.  .  .  that is directly or indirectly accessible  by subjects
 external to  the TCB  shall be maintained by the TCB
Interpretation



Internal TCB  variables that are  not visible to  untrusted subjects
 need not  be labeled,  provided that they are not  directly or
indirectly accessible by subjects external to the TCB.  However,
it is important to understand that such internal variables can
function as  covert signaling  channels when  untrusted subjects
are  able  to  detect  changes  in  these  variables by observing
system behavior.
A1-1.3.1 LABEL INTEGRITY



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
A1-1.3.2 EXPORTATION OF LABELED INFORMATION



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
A1-1.3.3 SUBJECT SENSITIVITY LABELS



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.
A1-1.3.4 DEVICE LABELS



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory access control
of its subjects to its objects and has attached physical  or virtual
devices.  Any TCB subset  whose policy  does not  include such
 mandatory access control  or has no attached  physical or virtual
devices   is  exempt   from  this   requirement.   This requirement
can be satisifed  by the cooperative action of more than one TCB
subset.
A1-1.4 MANDATORY ACCESS CONTROL



This  requirement applies   as stated  in the TCSEC  to  every
 TCB   subset  whose  policy  includes mandatory  access  control
 of   its  subjects  to  its objects.  Any TCB subset  whose policy
does not include such  mandatory  access  control  is  exempt
 from this requirement.
A1-2 ACCOUNTABILITY

A1-2.1 IDENTIFICATION AND AUTHENTICATION



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the  TCB  subsets  making  up
  the  TCB  must  satisfy  the requirement.


If  the TCB is  composed of TCB  subsets, one TCB subset  may
either rely  on a mechanism  in another TCB subset to provide
identification and authentication services or provide  the services
directly.  Similarly, that TCB subset may rely on a mechanism
in another more primitive TCB subset to  ensure that the security
level of subjects external to the  TCB that may be created to
act on  behalf of the individual user  are dominated by the clearance
and authorization of that user.  Each TCB subset   may  maintain
  its  own   identification  and authentication  data or  one
central  repository may be maintained.  If each TCB subset  has
its own data, then the  information  for  each  individual  user
 must  be consistent among all subsets.
A1-2.1.1 TRUSTED PATH



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.


When  TCB subsets  are used,  the requirement for  trusted  path
 at  levels  B2  and  above  remains applicable  to the  entire
TCB.   The need  for trusted path "when positive  TCB-to-user
connection is required (e.g.,  login,  change  subject  security
 level)"  can require user interaction with  virtually any
TCB subset within  the TCB.   The implementation  of trusted 
path could   be   localized   in   a   single   TCB  subset. 
Alternatively, it could be implemented in more than one TCB  subset
if   the separate  implementations together comply with the system
security policy.
A1-2.2 AUDIT



This  requirement applies   as stated  in the TCSEC to the entire
TCB.  The cooperative action of the TCB  subsets  making  up 
 the  TCB  must  satisfy  the requirement.  A  TCB subset  may
maintain  its own security audit  log,  distinct  from  that 
maintained  by  more primitive TCB subsets, or it may use an audit
interface provided by  a different TCB subset  allowing the audit
records  it  generates  to  be  processed  by  that TCB subset.


If  the   TCB  subset  uses   different  user identifications
than a more primitive TCB subset, there shall be  a means to associate
 audit records generated by different  TCB subsets for the  same
individual with each other, either at the time they are generated
or at some later time.


Any TCB subset wherein  events may occur that require  notification
 of  the  security  administrator shall be  able to:  (1) detect
the  occurrence of these events, (2)  initiate the recording of
 the audit trail entry,  and  (3)  initiate   the  notification
 of  the security  administrator.   The   ability  to  terminate
events (2) and (3) above  may be provided either in the TCB  subset
within  which they   occur, or  in the  TCB subset(s)  where actions
 that lead  to the  event were initiated.


The monitoring  and notification requirements may require  cooperation
between multiple  distinct TCB subsets  or  multiple  instantiations
 of  the same TCB subset.   For example,  to detect  the accumulation
 of events for a single user it may be necessary to collect events
from several subjects in distinct processes that are surrogates
for the  same user.  As another example, there may  be a single
TCB subset  that collects events from a  number of other TCB 
subset instantiations and, based  on its analysis  of them, notifies
 the security administrator.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  inserts), not  just
the  invocation of the database  management  system.   The  auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be audited.   If the total audit requirement  is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
Statement from TCSEC



The  TCB shall  be able  to create, maintain, and protect  from
modification .  .  .   an audit trail of accesses to the objects
it protects.
Interpretation



Auditable events,  in the case of  a database management   system,
 are  the   individual  operations initiated   by   untrusted
   users   (e.g.,   updates, retrievals,  and inserts),  not just
 the invocation of the database management system.  The auditing
mechanism shall  have  the  capability  of  auditing all mediated
accesses which are visible to  the user.  That is, each discretionary
access  control policy decision  and each mandatory  access  control
 policy  decision  shall  be auditable.  Individual operations
 performed by trusted software, if totally transparent  to the
user, need not be auditable.  If the total audit requirement is
met by the  use  of  more  than  one  audit  log,  a method of
correlation must be available.
A1-3 ASSURANCE

A1-3.1 OPERATIONAL ASSURANCE

A1-3.1.1 SYSTEM ARCHITECTURE



This  requirement applies   as stated  in the TCSEC   to  every
  TCB  subset,   with  the  following additional interpretations.The
 TCB must  provide domains  for execution that are allocated to
and used by TCB subsets according to the subset-domain condition
for evaluation by parts.  A  most primitive TCB  subset must provide
 domains for execution.  A  less primitive TCB subset  must make
use of domains provided by a  more primitive TCB subset.  A less
primitive TCB subset may provide further execution domains but
is not required to do so.


Similarly,  the  TCB  must  provide  distinct address  spaces
  for  untrusted  processes.    A  most primitive  TCB  subset
 must  provide  distinct address spaces for  its subjects.  A
less  primitive TCB subset must make use of the distinct address
space provided by a  more primitive  TCB  subset.   A less  primitive
TCB subset may  provide more fine-grained  distinct address spaces,
but is not required to do so.  In    general,   requirements 
  specifically referring  to hardware  or firmware  apply only
 to TCB subsets  that include  hardware or  firmware.  However,
the  requirement that  the  TCB  make effective  use of hardware
requires that a less primitive TCB subset make effective  use
 of   the  protection-relevant  features exported to it by the
more primitive TCB subsets (e.g., execution domains, support for
distinct address spaces) to separate those elements that are protection-critical
from those that are not.
Statement from TCSEC



The TCB  shall maintain a domain  for its own execution that 
protects it from  external interference or tampering.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this requirement
applies to each TCB subset.
Statement from TCSEC



The  user  interface  to  the  TCB  shall  be completely  defined
  and  all  elements  of   the  TCB identified.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB subsets as well as
 the user interface to the whole TCB.
Statement from TCSEC



It  shall  make  effective  use  of available hardware   to  
separate   those   elements   that  are protection-critical from
those that are not.
Interpretation



If the  TCB is composed of  multiple subsets, each TCB subset
must make use of facilities provided to it by  more primitive
TCB subsets, such  as support for execution domains  and for distinct
address  spaces, to achieve the required separation.
A1-3.1.2 SYSTEM INTEGRITY



This  requirement applies   as stated  in the TCSEC  to every
 TCB subset  that includes  hardware or firmware.   Any  TCB 
subset   that  does  not  include hardware or firmware is exempt
from this requirement.
A1-3.1.3 COVERT CHANNEL ANALYSIS



This requirement applies as stated  in the TCSEC to the entire
TCB.   When the TCB  is made up  entirely of TCB subsets meeting
the conditions for evaluation by parts, analysis of  the individual
TCB subsets  satisfies this requirement.  Otherwise, covert channel
analysis of the entire TCB  must be performed  (even if the  results
of covert channel  analysis of the individual  TCB subsets were
available).
A1-3.1.4 TRUSTED FACILITY MANAGEMENT



This  requirement applies   as stated  in the TCSEC   to   the
  entire   TCB.    Any  "operator"  or "administrator"
 functions intrinsic  to an  individual TCB subset must be supported
by that TCB subset or by a more primitive TCB subset.
A1-3.1.5 TRUSTED RECOVERY



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB   and to  the individual  TCB subsets.  The  cooperative recovery
actions of  the TCB subsets making up the TCB must provide trusted
recovery for  the  overall  TCB.   Otherwise,  trusted  recovery
evaluation  must address  the entire  TCB (even  if the individual
 TCB  subsets   meet  the  trusted  recovery requirements).
A1-3.2 LIFE CYCLE ASSURANCE

A1-3.2.1 SECURITY TESTING



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset satisfies   the  requirement    for  the  
entire  TCB.


Otherwise, security  testing of the entire  TCB must be performed
  (even  if   the  results   of  testing  the individual TCB subsets
were available).
A1-3.2.2 DESIGN SPECIFICATION AND VERIFICATION



This  requirement applies   as stated  in the TCSEC to every TCB
 subset, with the following specific additional interpretations.


It  must be   demonstrated that  the security policy enforced
by the  composite TCB is represented by the collection of policy
 models for the individual TCB subsets.


The argument  that the descriptive  top level specification (DTLS)
and formal top level specification (FTLS) are consistent with
the TCB interface applies to the  entire TCB.   There  is  required
an  explicit and convincing  description of  how  the  set of
 top level specifications (one for each  TCB subset) describes
the TCB  interface  in  terms  of  exceptions,  errors, and effects.
Statement from TCSEC



A  formal   model  of  the   security  policy supported by the
TCB shall  be maintained over the life cycle  of  the  ADP   system
 and  demonstrated  to  be consistent with its axioms.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this 
requirement  applies  to  the  security policy of  each TCB subset.
 An  informal argument that the  set  of  policy  models  represents
 the "security policy  supported  by  the  [composite]  TCB"
 must  be provided.
Statement from TCSEC



A descriptive  top-level specification (DTLS) of  the TCB  shall
 be  maintained that  completely and accurately  describes the
 TCB in  terms of exceptions, error messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this  requirement
applies to the  DTLS of each TCB subset.  An informal argument
that the set of DTLSs accurately describes the TCB must be provided.


If there is a multifaceted policy (e.g., both mandatory  access
 control   and  discretionary  access control policies) in a 
particular TCB subset, then all facets must be  represented in
the DTLS and  in the TCB subset's model.
Statement from TCSEC



A  formal top-level  specification (FTLS)  of the TCB  shall be
maintained that  accurately describes the  TCB in  terms of  exceptions,
error  messages, and effects.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets, this  requirement
applies to the  FTLS of each TCB subset.  An informal argument
that the set of FTLSs accurately describes the TCB must be provided.


If there is a multifaceted policy (e.g., both mandatory  access
 control   and  discretionary  access control policies) in a 
particular TCB subset, then all facets must be  represented in
the FTLS and  in the TCB subset's model.
Statement from TCSEC



The  FTLS shall  be shown  to be  an accurate description of the
TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



A convincing argument shall be given that the DTLS is consistent
with the model.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
  applies to  individual TCB subsets.  Enforcement of all  policies
must be shown to occur  in  all  situations  (e.g.,  state  transitions)
required by  the formal security policy  model.  In the case 
of  a  discretionary  access  control policy, the presence of
the access  control check at all identified state transitions
is the total  of what is required for demonstrating  consistency
 between  the  DTLS  and the model.  This may be verified  by
inspection of the DTLS (that  is, by  visually checking  that
exception checks required by  the model are  present in the  DTLS).
 For the mandatory  access control policy, the  DTLS must be shown
 by a convincing  argument to be  consistent with the model.
Statement from TCSEC



.  .  .  a combination of formal and informal techniques  shall
be  used to   show that  the FTLS  is consistent with the model.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
  applies to  individual TCB subsets.  Enforcement of all  policies
must be shown to occur  in  all  situations  (e.g.,  state  transitions)
required  by the  formal security  policy model  at the required
 occasions.  In  the case  of a  discretionary access  control
 policy,  the  presence  of  the access control  check at  all
identified  state transitions is the  total  of  what   is  required
 for  demonstrating consistency between  the FTLS and the  model.
 This may be  verified by  inspection of  the FTLS  (that is,
 by visually checking that exception checks required by the model
 are present  in  the  FTLS).  For  the mandatory access  control
policy,  the FTLS  must be  shown by  a combination  of formal
 and informal  techniques to  be consistent with the model.
A1-3.2.3 CONFIGURATION MANAGEMENT



This  requirement applies   as stated  in the TCSEC  to  every
 TCB  subset  in  the  TCB,  with  the following additional interpretation.


Because subsets  of the TCB may  be developed independently, a
single configuration management system may  not  be  feasible.
  However,  the  combination of configuration  management systems
 used to  support all the TCB subsets must  meet all the stated
requirements.  The  information describing the  interrelations
between separate  TCB  subsets  and  separate  security  policy
models  falls into  the category  of "all documentation and
 code associated  with the  current version  of the TCB"
in the TCSEC requirements.
A1-3.2.4 TRUSTED DISTRIBUTION



This  requirement applies  as stated  in the TCSEC to the  entire
TCB.  It can be  met by satisfying the  requirements  for  each
 TCB  subset if procedures exist for  assuring that all  TCB subsets
upon  which a particular  TCB  subset  depends  (that  is,  the
 more primitive TCB subsets) are  exactly the same version as
specified for the TCB subset in question.
A1-4 DOCUMENTATION

A1-4.1 SECURITY FEATURES USER'S GUIDE



This  requirement applies   as stated  in the TCSEC to every TCB
subset  in the TCB.  This collection of guides must include descriptions
of every TCB subset in  the  TCB  and  explicit  cross-references
 to other related  user's   guides  to  other  TCB   subsets,
 as required.  In addition, interactions between mechanisms within
different TCB subsets must be clearly described.
A1-4.2 TRUSTED FACILITY MANUAL



This  requirement applies   as stated  in the TCSEC to the TCB
and to every TCB subset in the TCB. This  requirement can  be
met  by providing a set of manuals, one  for each distinct (non-replicated)
TCB  subset.  Each  manual shall  address the functions and privileges
to be  controlled for the associated TCB subset.   Additionally,
  it  must  clearly   show  the interfaces to, and the interaction
with, more primitive TCB  subsets.  The  manual  for  each TCB
 subset shall identify  the  functions  and  privileges  of  the
 TCB subsets  on which  the associated  TCB subset  depends. 
Also, the TCB subset's  manual shall identify which, if any, 
configuration options  of the  more primitive TCB subsets are
to be used for the composite TCB to operate securely.


Any   pre-defined   roles   supported  (e.g., database  administrator)
 by  the  TCB  subset shall be addressed.  The means for correlating
multiple audit logs and synonymous  user identifications from
 multiple TCB subsets (if such exist) shall also be addressed.



The  trusted facility  manual shall  describe the  composite TCB
so  that the interactions  among the TCB subsets  can be readily
determined.   Other manuals may be  referenced in this determination.
  The manuals that address  the distinct modules  of the TCB 
and the generation of  the TCB need  to be integrated  with the
other trusted facility manuals  only to the extent that they are
affected by the  use and operation (versus the development) of
the composite TCB.


The  TCB modules  that contain  the reference validation  mechanism
must  be associated  with the TCB subset  to  which  they   belong.
  The  procedure  for generating  a  new  TCB  after  modifying
 only one (or several)  TCB subsets must  be described.  This
 may be accommodated   by  independent   regeneration  of   the
individual TCB  subsets or by regeneration  of only the affected
TCB subsets.
A1-4.3 TEST DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB.
A1-4.4 DESIGN DOCUMENTATION



This  requirement applies   as stated  in the TCSEC to the composite
TCB, with the following specific additional interpretations:


Requirements  concerning   models,  FTLS  and DTLS, apply to individual
TCB subsets.


The requirement concerning the description of interfaces  between
 modules  of  the  TCB includes the interfaces between TCB subsets.


The documentation of  the implementation of a reference    validation
   mechanism    must    include justification for meeting the
conditions for evaluation by parts.


The   A1  requirement  to   describe  clearly non-FTLS internals
of the TCB applies to TCB subsets.
Statement from TCSEC



The interfaces between  the TCB modules shall be described.
Interpretation



If the  TCB is composed of  multiple subsets, this  requirement
applies  to each  TCB subset  and the interfaces between TCB subsets.
Statement from TCSEC



The specific TCB  protection mechanisms shall be  identified and
 an explanation  given to  show that they satisfy the model.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to each TCB  subset and shall include  the protection
  mechanisms which  support the  conditions  for  TCB   subset
 structure  and  separate subset-domains.
Statement from TCSEC



The   descriptive   top-level   specification (DTLS) shall be
shown to  be an accurate description of the TCB interface.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
 applies to the interface  between the TCB  subsets as well  as
to the  user interface of  the composite  TCB.  The   TCB interface
 description shall include an explanation of how to describe the
total TCB accurately, in  the context of the  multiple TCB subset
DTLSs.
Statement from TCSEC



Documentation  shall  describe  how  the  TCB implements  the
reference  monitor concept  and give an explanation  of why it
 is tamper resistant,  cannot be bypassed, and is correctly implemented.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to each TCB subset with  respect to
its specific technical policy.   In  addition,  there  must  be
 documented an informal  argument that  the cooperative  action
of the TCB  subsets  makes  the  TCB  itself tamper resistant,
non-bypassable, and correct.
Statement from TCSEC



The  TCB implementation  shall be  informally shown to be consistent
with the DTLS.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to individual TCB subsets.
Statement from TCSEC



The  TCB implementation  shall be  informally shown to be consistent
with the FTLS.
Interpretation



If  the  TCB  is  composed  of  multiple  TCB subsets,  this requirement
 is interpreted  to apply to individual TCB subsets.
Statement from TCSEC



Documentation shall  describe how the  TCB is structured to  facilitate
testing and to  enforce least privilege.
Interpretation



If the  TCB is composed of  multiple subsets, this requirement
is interpreted  to apply to individual TCB subsets as well as
to the overall TCB. 
 APPENDIX  B 



GENERAL ITEMS
1. PERSPECTIVE ON ASSURANCE



This   Trusted  Database   Management  System Interpretation 
(TDI) of   the Trusted  Computer System Evaluation Criteria (TCSEC)
 derives its perspective on assurance directly  from the reference
 monitor concept as recorded in the Anderson  Report [1] and as
embodied in  the TCSEC.  In  both the reference  monitor concept
and in the TCSEC, the  assessment of a system for trust characteristics
involves a single, global review of the system  at issue.   That
same  perspective of  an even, global   review  of    a  candidate
  trusted  database management system (DBMS) is present in the
TDI, in that only   complete   systems   will   be   considered
 for assessment.   That  is,  neither  software  packages in isolation
nor systems that satisfy only a subset of the TCSEC.  requirements
will  be considered for evaluation or accreditation.  The  interpretation
of requirements, both  in  Part  1,  "Technical  Context,"
 and  Part 2, "Interpreted  Requirements,"  is  consistent
 with both community experience in designing and assessing trusted
systems,  and the  precedents of  the reference monitor concept
and the TCSEC.  The interpretations, therefore, provide special
guidance for the task of evaluating (or accrediting)    candidate
    systems    composed    of distinguishable  parts.   However,
 the interpretations neither attenuate nor delete TCSEC requirements.


It is  worth noting that the  introduction of the TCSEC  with
its metric for the  evaluation of whole systems had as one goal
 the simplification of the task of  accrediting   computer  systems
 for  use   in  the processing  of sensitive  information.  The
 evaluation process was  not intended to replace  the accreditation
process but to provide input  to that process.  It must be  recognized
 that  there  will  be  occasions when a fielded  suite  of  computer
 systems,  each  evaluated against the  TCSEC requirements at
a  particular class, will not be  able to be assigned a TCSEC
 class, nor is it  necessary to  be able  to make  such an assignment.
 The accreditation  decision includes the  assessment of risk
 of   a  particular  system  configuration   in  a particular
environment;  a decision to connect  a suite of TCSEC evaluated
systems may  have to be made without a  uniformly  applied  TCSEC-like
 assessment  over the entire system.
2. PROCUREMENT OPTIONS



The   Trusted  Computing   System  Evaluation Criteria  (TCSEC)
 and  its  published interpretations, including  this  Trusted
  Database  Management  System Interpretation,   have  as    a
 primary   purpose  the  "provision  [of]   a  basis  for
  specifying  security requirements  in acquisition  specifications."
 [8,  p.  2] In the area of trusted DBMS and trusted systems that
include database  management functionality, there  is a range
of  options open to an  acquisition organization.  These options
need to  be understood by the acquisition managers  and their
staffs  to allow them  the greatest possible    flexibility  
 in    matching   operational requirements with  a combination
of  available products and  the state  of the  art in  system
integration  and development.


The  fundamental  point  is  the  distinction between the  target
trust class  (that is, C1,  C2, B1, B2, B3, or A1) needed for
a particular installation and the  degree  of  trusted  DBMS 
functionality  that  is required.   Succinctly,   a  system  that
  requires  a particular  level of trust  (B2, for example)  and
DBMS  functionality does not necessarily require an evaluated
trusted  DBMS at  the level   of B2.   In fact,  if the statement
of required capability allows it, meeting the requirement   without
a trusted  DBMS could well  be the preferred  risk-reducing approach.
  This is  generally true  because the  more sophisticated  the
trusted DBMS requirement,  the more  likely it  is that  the current
vendor  base will  not be   able to  supply the  needed functionality
(with  the requisite assurance)  from the normal product line.
 Further,  even if one can specify carefully  just what  additional
assured  capability is needed  so that  a program-specific  development
can be undertaken,  the  lack   of  community  experience  and
consensus   on advanced trusted  DBMS issues  and implementations
   introduces    the    potential   for


significant programmatic, schedule, and cost risks.


Although  a full  description of  options for the  acquisition
manager  is beyond  the scope  of this document, a  representative
description of some  of the options  that could  be considered
 is included  below.  The  options  include  (1)  multiple  copies
 of a DBMS running   at   different   levels,   each   maintaining
single-level  databases; (2) a  single copy of  a DBMS, but  
with  each   database  maintained   at  a  single sensitivity
 level (i.e.,  no sharing  of data  between databases); (3)  a
single copy supporting  single level databases,  but  with  limited
 sharing,  perhaps  of a "snapshot" nature;  and (4)
DBMSs that  allow databases that include data of  several sensitivity
levels.  This option admits  of subcases from the very  simple
to the very complex.


To  illustrate  the   options  listed  above, consider a command
post  where a commander's staff uses a  single computer system.
  Included on the  staff are logistics,  weather,  and  intelligence
 organizations, each  dealing with  information of  differing
(maximum) sensitivity.    If  all  three   organizations  require
similar  DBMS functions,  there might  be a  variety of ways to
provide that functionality.

  (1) If the product DBMS-1 suited the needs of each of the
organizations and there were no requirement to share data between
them, then three copies of DBMS-1 could  be used,  running at,
 for example,  TOP SECRET, SECRET, and CONFIDENTIAL, respectively,
and maintaining separate single-level databases.  If the organizational
missions  do  not   require  multilevel  operations  or sharing,
this  option could be perfectly  suited to the operational need.
  In this case, every  copy of DBMS-1 would be running as an 
application outside the TCB and would  not have to  be evaluated
at  all, neither as  a product nor  as a developed system.   The
advantages of this option are  that commercial, off-the-shelf
systems can be  used (both the DBMS and  the underlying trusted
operating system)  and no evaluation risk  is entailed.







The disadvantages  are the limited flexibility  and the
hidden fact  that the installation procedures  for many
DBMSs require  the insertion of code into  the heart of the underlying
 computer system, insertions  that would undermine  the   evaluation
 rating   and  thus  theconfidence in the trusted operating system.

  (2) A cost advantage could be realized in the preceding  case
if there  were a product,  DBMS-2, such that a single copy  could
provide DBMS functionality at all  three levels.   This capability
 requires that the base trusted  operating system and the  DBMS
itself are designed so  that the DBMS  code uses scratch  space
to allow the  code to be shared without  the potential for mixing
control or metadata  in workspaces, indices, and stacks.  Not
 all commercial DBMSs have  this property, so this  option will
be  less available than  case (1).  Note that  in this case also,
 the databases themselves are  single-level and  the workspace
 used by  the DBMS itself will have to be single-level.




(3) If the  operational requirements are that the intelligence
and  logistics organizations must have access  to the weather
 data maintained by  the weather organization, the simplest  technical
solution would be to  periodically  provide  a  snapshot  of 
the  needed weather data  for use by the  other organizations.
 The database management system DBMS-2 above could provide a solution
 in this  case if   a portion  of the  weather database  could
be copied  onto diskette (or  even into another   file)   for
  the other organizations  to incorporate  into  their   own 
DBMS  operations.   The disadvantage of  this approach is that
 the information will not be as current as that available to the
weather organization itself.  Frequently, however, that lack of
currency  may be  a reasonable   price to  pay for  the enormous
reductions in cost and risk in procurement and maintenance.


(4) If the  operational requirements will not allow   anything
 less    than  real-time   sharing  of information,  then DBMS-2
 will not  be sufficient.  At this  point, the  operational requirements
 have forced the inclusion  of the most sophisticated  solution
to a trusted   system  with    DBMS  requirements,   a  true multilevel
DBMS.   In this case, it  remains a valuable goal to minimize
the  complexity of the needed sharing.  If  the DBMS  is providing
 a functionality  that looks like  tables to the  user, then it
 is less complex  if each table  is at a single  level than if
each  row (or each column) could be at a different sensitivity
level.  The most  complex situation is  when each entry  in the
table  could  be  at  a  different  sensitivity  level.  During
 the  procurement  and  development  process, it would  be worthwhile
 to structure  the procurement  to favor solutions  that are as
simple as  possible from a multilevel trusted DBMS standpoint.
3. ALTERATION OF PREVIOUSLY EVALUATED TCB



The discussion in Part 1, "Technical Context" arose
from consideration of  the conditions under which it is possible
 to add an application layer,  such as a DBMS,  to another  TCB
in  such a  way as  to allow the system rating to be determined
by evaluating the system elements (i.e.,  the subsets) separately.
  The benefit to  both  the  applications  vendor  and the evaluators
derives  from the  fact that  the DBMS  operates as  an untrusted
subject relative to  the underlying TCB (even though the  DBMS
enforces its own  policy).  Therefore, there  is  no  need  to
 re-examine previous evaluation evidence;  any   and  ll  actions
 performed   by  the application   layer  are   completely  constrained
  in accordance  with the  security policy  defined for  the underlying
TCB.


The   savings   in   evaluation   effort   is predicated  on the
 assumption that  the vendor  of the application layer  makes
no changes of any  kind to the other TCB.  In effect, the  argument
made by the vendor is as follows:
(a) The underlying  TCB enforces policy P[i].



The validity of the claims about the underlying TCB has already
been established, and these claims remain valid because the underlying
TCB has  not been altered in any way and  because the DBMS is
 completely constrained by that  policy  (i.e.,  P[i]  cannot
 be  violated by any action of the DBMS).
 (b) The application is a TCB subset which enforces policy
P[k]



Thus,  the   policy  enforced   by  the composite system (i.e.,
the policy enforced at the user interface of the composite TCB)
is merely a combination of the policies of the individual TCB
subsets.


Because   there   is   neither   theory   nor experience which
 allows one to make  general, a priori statements about the effects
 of arbitrary changes, any alterations to a previously  evaluated
product must, in general,  be considered  to result  in a  product
whose security attributes, and thus whose rating, is unknown.
 Thus, if  the previously evaluated product  is altered, argument
(a)  cannot be made merely  by referencing the published   evaluation
  report.     It   becomes   the responsibility of the DBMS  vendor
to state P[i] (i.e., identify  the policy  enforced by  the altered
product) and  to demonstrate  that the  implementation satisfies
the  appropriate TCSEC  requirements.  Hence,  at least some evaluation
evidence focused  on the underlying TCB must  be  provided  by
 the  vendor  of the application layer.   The  amount  of   evidence
 required  will  be determined by  the type, extent, and  amount
of change, as well as the characteristics of the original TCB.


This  is not  to say,  however, that  changes always  invalidate
 all  previous  evaluation evidence. Rather,  that there  is no
 way to  predict what effect arbitrary change will have  on that
evidence.  Clearly, some changes will invalidate a substantial
part, if not all,  of the  previous evaluation  results, requiring
a completely  new evaluation.  In  some cases it  will be virtually
 impossible to  determine the  full effect of even  relatively
 simple   changes,  whereas  in  other instances it  may be possible
to  determine the effects of  at  least  some  changes  quite
 precisely.   In  a well-modularized system, changes to  the internals
of a module might be shown to have no functional or security effect
 outside of  the  module.   Even changes  to the module that alter
its interface  might be shown to have effects  which do  not propagate
 beyond those  modules which have a direct interface to the altered
module.


In  either   case  however,  at   least  some evidence must be
produced about the underlying, altered TCB.  Thus, the vendor
who  alters the product which is hosting his application becomes
responsible for any and all evidence required to  substantiate
the claims being made for both the application and the underlying
TCB.


In fact, it is always  the case that the DBMS vendor is responsible
for  all the evidence required to demonstrate   that  the   system
 (i.e.,   the  trusted components of the application  plus the
underlying TCB) has the level of trust claimed  for it.  In the
case of strict subsetting for evaluation by parts, in which the
application    is    layered    onto    an   unaltered, previously-evaluated
 TCB,  part  of  the  evidence  is  satisfied   by  referencing
 the   previous  evaluation results  and the  commercially-available
specifications for  that  portion  of  the  system.   However,
 if the previously   evaluated  TCB   has  been   altered,  the
applications    vendor   is    now   responsible    for demonstrating
that the underlying  TCB has the level of trust being claimed
 for it.  How much, if  any, of the previous evaluation evidence
is still valid is a matter to be resolved.


The development of  the subsetting notion has been motivated by
the need for evaluating systems whose elements may have been 
developed by different vendors.  Consequently,  the discussion
 of TCB  subsets has been largely  focused on the  topic of extending
 the policy enforcement  attributes of  previously evaluated 
TCBs.  However,  the  notion  of  TCB  subsetting  provides  a
perfectly  general   design  method.   A  TCB   can  be structured
and policy enforcement allocated to simplify both analysis and
evaluation.   To the extent that each TCB  subset   in  a  subsetted
 system   satisfies  the conditions  of TC-4.3,  the evaluation
 can be factored along  policy lines,  and  a  rating for  the
composite system determined.
4. SATISFYING RVM REQUIREMENTS



The evaluation of a  system whose TCB is made up of a set of TCB
 subsets follows a logical flow that makes  it  an  orderly  process.
  The  initial step is satisfying  the  conditions  for  evaluation
 by parts.  Those conditions are as follows:


Identification  of  the   candidate  TCB subsets;


Allocation  of   the  policy  (the  clear statement  of the  technical
policies  enforced by  the individual TCB subsets, stated in terms
of the subjects and objects for that TCB subset);


Demonstration  that  each  candidate  TCB subset contains its
own trusted subjects;


Specification of the  structure of the TCB subsets (as a collection
of abstract machines);


Identification of  sets of domains (called "subset-domains")
 assigned for   the execution  of the individual TCB subsets;
and


Identification of what  externally stated properties  of  TCB
 subsets  will  be  used  to  argue convincingly  and independently
 for the  RVM nature of each of the constituent TCB subsets.


The  successful  completion   of  this  step, especially the "support
for  RVM arguments" will result in a conditional approval
of two items:  a set of goals in the evaluation of the more primitive
TCB subsets and the  feasibility  of  being   able  to  argue
 the  RVM properties of less primitive  TCB subsets using no more
information about  the more primitive TCB  subsets than the identified
goals.  The goals for the more primitive TCB   subsets   will
  be    a   set   of   mechanisms, characteristics,  or properties
 whose proper,  assured functioning will have to be demonstrated.
 Examples are domain    mechanisms,   mandatory    integrity 
 policy enforcement  mechanisms,  and  a  special  category  of
object with associated content-preservation guarantees.  These
mechanisms  or characteristics or  properties are strictly  a
function of  the more primitive  TCB subset and  will  have  to
 be  evaluated  and  approved  in a (possibly) later  part of
the evaluation  process.  The conditional approval of the feasibility
of constructing an  independent  RVM  argument  for  less primitive
TCB subsets  relies on  an interplay  between the  proposed mechanisms
 of the  more primitive  TCB subset  and the anticipated  needs
of  the  RVM  argument for  the less primitive TCB subset.


The  next steps   of the  evaluation process, with  regards  to
 the  reference  validation mechanism requirements, involve the
independent evaluation of the TCB subsets.  TCB subsets  that
have been identified as providing  features or  mechanisms on
 which other  TCB subsets  will rely  for RVM  arguments will
 have to be demonstrated to provide the  stated mechanisms with
the same level of assurance  as the target evaluation class of
the entire system.  If all the identified mechanisms can  be 
validated,  the  conditional  approval  of the  "support
for RVM arguments" condition remains unchanged.   If  some
  mechanism  cannot  be  properly established  from either  a
functional  or an assurance perspective,  then  the  conditional
 approval  of that portion of the "support" condition
is withdrawn and the evaluation effort must regroup.


TCB subsets that were projected to be able to complete RVM arguments
successfully  using no more than the identified  "support"
mechanisms and  features will have to  have full RVM arguments
 advanced and accepted  by  the  evaluation  team.   There  are
 three possible outcomes:  (1) it could be shown that the TCB
subset in question  does not  meet the  RVM requirements;  (2)
it could  be shown,  using the  external descriptions  and assurances
of the mechanisms  of the more primitive TCB subsets, that  the
less primitive TCB  subset does meet the RVM requirements; or
(3)  it might be impossible to determine  whether  or  not  the
 TCB  subset meets the requirements.   In case (1),  the TCB subset
 failed to meet  its reference  validation mechanism  requirements
and the design team must regroup.  In case (2), the TCB subset
 satisfies  its  reference  validation mechanism requirements.
 In case (3), the conditional approval of the  "support 
for  RVM  arguments"  condition  will be withdrawn and the
design and evaluation teams will have to agree on an alternate
course of action.


In the case that  an attempt to establish RVM properties for a
less primitive TCB subset could not be completed  (case  (3) 
above),  it  might  well be that additional mechanisms or features
of the more primitive TCB  subset  would  allow   the  RVM  arguments
 to  be completed successfully.   In that case,  the evaluation
team and the design team would have to establish a new, augmented
  set  of    mechanisms  for   the  "support" condition.
 The evaluation could then continue with the new  mechanism requiring
 validation by  the evaluation team  and the  argument for  the
RVM  properties of the less primitive TCB subset having to be
re-attempted.


It is  important to note that  the dependency of  the  less  primitive
 TCB  subsets  on  the assured policies  and   RVM  supporting
 mechanisms   makes  it imperative that the evaluation of the
whole TCB be done by   a  single   evaluation  team   through
 the  final determination  that the  system complies  with the
full


set  of requirements  for the  target class.   Thus, in particular,
an evaluation team addressing an evaluation by parts (including
 the case of a TCB  subset that has been previously  evaluated
and placed on  the EPL) must be  kept  together  for  the  entire
evaluation.  Local evaluation   of  one   TCB  subset   does 
not  justify dissolving  the  responsible  subteam.   Later results,
global or local to another  TCB subset, could require a full 
evaluation team  current  on  all aspects  of the evaluated  configuration.
  This   does  not  mean,  of course,  that  the  original   evaluation
 team  for  a previously evaluated EPL product has to be reassembled.
 A  new  team,  part  of  which  may  be delegated prime responsibility
for  that TCB subset, suffices,  as long as  the  full  team 
is  kept  together  for  the whole evaluation.
5. SUBSET DEPENDENCY



For  candidate TCB  subset M,  sM denotes the specification  of
 M,  including   as  a  minimum,  the statement of the technical
policy  P of M.  The term vM denotes   the  (engineering)   demonstrations
 of   the correctness of the implementation  of M with respect
to its specification.  A (candidate) TCB subset A "depends
(for its  correctness)" on (candidate) TCB  subset B if and
 only  if  the   arguments  within  vA  assume  the correctness
of the implementation  of B with respect to sB.


In less  precise terms, the  specification sM defines what M is
supposed  to do.  M does whatever its implementation  allows,
features  and all.   How well M does  compared  to  what  sM 
 says  it  should  do  is encompassed  in the  engineering arguments
 vM.  If, in the argument vA, one has to  assume that all or part
of sB accurately  describes what B does, A  "depends"
on B for its correctness.
Example 1:  Use of Provided Objects



Suppose  TCB subset  B provides  "file" as  a mediated
 object under  its technical  policy P[B]  and that candidate
TCB subset A  uses B-files to store data and  executables.  If
vA  uses the fact  that different B-files are distinct and  access
to them is constrained by  the  technical  policy  P[B]  (assumptions
that are nearly  certain to  apply), then  vA is  relying on the
fact that sB and B match and in this case, A depends on B.
Example 2:  Mutually Suspicious Systems



Suppose  A  and  B  are  mutually  suspicious airline    reservation
   systems    hosted    in   two interconnected   systems  belonging
 to   two  distinct organizations.   It  is  assumed  that  sA
 and sB both provide  for a  capability to  accept reservations
over the  network from  "foreign" systems  using a 
mutually defined  protocol.   The   protocol  is  carefully  and
completely specified  (within both sA and  sB) and both vA  and
 vB  demonstrate,   to  the  desired  level  of satisfaction,
that A and B  are correct with respect to sA  and sB,  respectively.
 A  does not  depend for its correctness on B because  sA is complete:
 for whatever sequence  of  bits  it  receives  from  B, sA specifies
exactly   what  behavior   A  must   exhibit,  and   vA demonstrates
 that  it   does  exhibit  that  behavior. Similarly,   B  does
  not  depend   upon  A   for  its correctness.  Neither A nor
B depends on the other.


There may well exist a "system specification" that 
specifies  the  desired  behavior  of  the entire system, but
that is irrelevant  to the arguments that A and  B are individually
 correct with respect  to their own specifications.  It may even
 be the case that both A  and B are  individually correct, while
 the combined system  is  incorrect  with   respect  to  the 
"system specification."  That is, two correct subsystems
can be combined improperly with respect to the desired "system
specification."
Example 3:  Use of Remotely Provided Functionality



Suppose A  is a mail  server and B  a generic SQL DBMS.  The specification
 sA (as might be expected) makes  no mention  of a  DBMS; it 
simply specifies the interface behavior  (to its human clients)
 of the mail system.  In vA, however, we  find that the software
for A uses tables provided by B to store messages.  A and B are
on  separate, interconnected machines.   Neither sB nor vB make
 mention of the mail system at  all.  As in the  preceding  example,
 sB  completely  specifies the behavior  of  B  for  all  received
 bit  patterns  and sequences.   Here, A  depends upon  B, but
 B does  not depend on A.  Note that data flow in both directions
is completely  legitimate and  does not  compromise in any way
the "integrity" (correctness)  of B.  Dependency is
distinct from "data flow."


This   example  shows   that  a   superficial examination of the
"architecture" of a domain structure is  insufficient
 to   determine  which  candidate  TCB subsets depend upon  other
TCB subsets.  Superficially, this  architecture  is  the  same
 as  the  example  of mutually suspicious  systems above, but
here  A depends on  B.   It  also  shows  that  an  examination
 of the interface specifications is  insufficient.  Finally, it
shows that dependency is not  the same as the notion of "privilege"
(as  normally understood in the  context of operating  systems
 to  mean  loosened  restrictions on allowed  functions and  accesses),
because  there is in this example no  sense in which B has access
 to all of A's internal structures.  It only has access to some
of them.
Example 4:  Use of Locally Provided Functionality



Suppose A  and B are the mail  server and SQL DBMS  of  the  preceding
 example,  except  that  A  is implemented in a less privileged
ring than B.  That is, the interconnect is replaced by a ring-crossing
service call.  Obviously, A  still depends on B and  B does not
depend on  A.  The change  is that now  B has potential access
to any of A's  structures.  The general rule for the use of domain
protection mechanisms (such as rings) is that  if B is privileged
 with respect to A,  then A necessarily  depends  on  B  (simply
 by  virtue of B's privilege  to access any  of A's structures).
  Thus, a detailed  examination of  sA and  vA is  unnecessary
to establish dependency.
Cautionary Example



Suppose   that   A   and   B   are  "mutually dependent";
that is, A depends on B and B depends on A.  This  means  that
 vA  assumes  that  B  is implemented correctly with respect to
sB,  and vB assumes that A is implemented  correctly  with  respect
 to  sA.  Further suppose that  both vA and vB are  valid (reasonable
and compelling).  One would hope  that it follows from this that
both A and B  are correct.  Unfortunately, this is not always
the case.


If A  and B are both correct  with respect to sA  and sB,  then
vA  is a  valid argument  with a true premise and is therefore
true.   The same is true for B and vB.


Suppose,  however,  that   A  is  implemented incorrectly  with
respect  to sA  and B  is implemented incorrectly with respect
to sB.  vA is a valid argument with a  false premise; it is thus
 valid but (possibly) untrue.  Similarly, vB is  valid but (possibly)
untrue.  This case shows that it is quite possible for vA and
vB to both be valid while  A and B are both (individually) incorrectly
implemented.


What has  been exposed here is  a hidden case of circular reasoning:
 the  argument that A is correct is based on  the assumption that
B is  correct, and the argument that  B is correct is based  on
the assumption that  A is correct.   Thus, vA depends  (circularly)
on the assumption that A is correct, and vA reduces to the following
tautology: if vA is correct with respect  to sA then vA is correct
with respect to sA. It is thus possible in principle for mutually
dependent subsystems A  and B to have  vA and vB to  be logically
valid while either A or  B, or both, are incorrect with respect
to their specifications (sA or sB). 


To  make this  result concrete,  consider two airline  reservation
systems,  A  and  B, based  on the mutually  suspicious   systems
 of  example   2  above. Suppose that A maintains  information
about all flights originating or terminating in the United States
while B maintains  information  about  flights  originating  or
terminating in Europe.  Assume  sA includes a statement that A
will generate  flight itineraries from an origin to  a  destination,
  with  appropriate  provision  for connections.   "Appropriate
provision  for connections" means  allowing enough  time
to  change planes  without requiring  passengers to  wait an 
excessive period  of time.   Further  assume  that  sB  includes
 a  similar statement.  From  the assumption that A meets  sA
and B meets  sB, one  can construct  a valid  argument that A
meets its  specification sA for  itineraries orginating or  terminating
 in  either  the  U.S.   or  Europe.  A similarly  valid argument
 can  be  made about  B.  If, however,  A stores  flight segment
 times in  the local time  of the airport  and B stores  them
i n  Greenwich Mean Time, an itinerary generated by either A or
B that relies on information from  the other will be incorrect
because  of the  time  differences.   Thus, A  will not generate
 accurate,  timely  flight  itineraries,  even  though   a  valid
  argument  that   it  does   can  be constructed.    This   difficulty
  arises   from   the presumption that A and B are mutually dependent.
6. TAMPER RESISTANCE ARGUMENTS



The    requirement   to    demonstrate   that individual TCB subsets
exhibit the reference validation mechanism  tamper resistance
property  deserves special attention.  In  a subsetted architecture
there  are two (related)  aspects to  this requirement.   The
first is the ability of a less  primitive TCB subset to maintain
control over  access to the objects  that implement its logic
and data structures.   The second is establishing the      assurance
    that      policy-critical     or correctness-critical  data
 used  by  a  TCB  subset is persistent (that is, that it  does
not change or become contaminated with  other data between the
 execution of instructions). 


A  less primitive  TCB subset  will be  using objects and  subjects
provided by a  more primitive TCB subset.  Thus,  policy-critical
data will be  stored in objects  that are  provided by  the more
 primitive TCB subset  rather than in  some system entity  created
and maintained  by the  less primitive  TCB subset  itself.


One part  of the tamper resistance  argument focuses on being
able to demonstrate  that no alteration of either the policy-critical
data or of the TCB subset's code is possible.  That is, no system
 entity external to a TCB subset (with  the possible exception
of  more primitive TCB subsets upon which it depends) should be
capable of causing arbitrary changes to  that TCB subset's code
or data  structures.  If a  third, not more  primitive TCB subset
(or a subject totally outside the TCB) were able to gain access
to  an object where policy-critical data was stored, the tamper
resistance property could not be established  for the  TCB  subset
 in question.   For a most-primitive TCB subset, a wide variety
of techniques could  be used to  limit access to  an object in
 which such policy-critical data  is stored (e.g., prohibition
on the sharing of  objects, strict ownership control of the ability
to extend  access permission, and mandatory access   controls).
  Similarly,  the   conditions  for evaluation  by parts  require
that  the system designer identify  a   set  of  mechanisms  and
  their  assured properties  as  the   basis  for  demonstrating
 tamper resistance for each TCB subset.


The  second topic  is the  assurance that the contents  of  the
 objects  that  store  a TCB subset's policy-critical  data  not
 change  except  through the execution  of  that  TCB  subset's
 logic.   If  a data structure that  identified an exported object
 (such as tables or  tuples or entities) were  to have extraneous
data  inserted  by  a  more  primitive  TCB subset (for example,
 as  a  result  of  garbage  collection or the random  action
 of  memory  management),  then no basis would  exist  for   arguments
 concerning  the  correct implementation of the less primitive
TCB subset.  For a most  primitive TCB  subset (which  includes
supporting hardware), the  argument that the  policy-critical
data is kept current and correct can be made strictly on the basis
of  that TCB subset.  However, when  a TCB subset obtains resources
from a more primitive TCB subset, the argument cannot  be made
strictly  on the basis  of the design  of the TCB  subset.  Rather,
the  argument must proceed  from  assured   mechanisms  provided
 by  more primitive TCB  subsets.  This is exactl  y analogous
to the case of a  reference validation mechanism for which one
relies  on mechanisms not strictly  included in the design  of
the  policy-enforcing elements  to establish the  requisite  properties
  of  non-bypassability  and tamper  resistance.   A  variety
 of  mechanisms  might provide   a   basis    for   demonstrating
  that   the implementation of a TCB  subset is correct, even
though resources are obtained from a more primitive TCB subset
(e.g., type-enforcement).
7. RATIONALE FOR LOCAL AND GLOBAL REQUIREMENTS



Section     TC-5,    "General     Interpreted Requirements,"
 lists  the  requirements  of  the TCSEC according to  how the
requirements apply to  a TCB made up of more than one  TCB subset.
 The general rationale for distinguishing which  requirements
can be satisfied by  independent analysis  and consideration 
of the TCB subsets was to consider the  requirements one at a
time to determine whether satisfaction of the requirement by the
individual TCB subsets  would necessarily mean that the  entire
system   satisfies the  stated requirement.


For  some  requirements,  such  as  those  for  certain documentation,
 it  is  clear  that  the requirement is factorable; that is,
it  is satisfied for the composite TCB  if it  is satisfied  for
each  of the  TCB subsets individually.    For  other   requirements,
 individual system  characteristics could  make factorability
 of a requirement patently obvious, but not all systems would
enjoy such  simple factorability.  An example  would be trusted
path requirements  for security-related events:  if  all  security-related
 ev  ents  occur  in the most primitive TCB  subset, satisfaction
of  the requirement by  that TCB  subset suffices  to demonstrate
 that the system meets the requirement, but for systems that have
security-relevant events in less primitive TCB subsets, some explanation
 of the cooperative action  of the TCB subsets   would   be  
required.    For   still   other requirements, one  can expect
that the  satisfaction of the  requirement  for  the  entire 
system  will always require some  explanation of the cooperative
 action of the constituent  TCB subsets.  Provision of  a coherent
audit record across events in several TCB subsets is in this category.


In  the paragraphs  below, a  brief rationale for  identifying
requirements   as wholly  or partially global  is provided.  
Those requirements  that are not listed are considered to be completely
local.
Subject Sensitivity Labels



At level B2 and above, the TCSEC requires the following:


The TCB  shall immediately notify  a terminal user  of each change
 in the security  level associated with  that  user  during  an
 interactive  session.   A terminal user shall be able to query
the TCB as desired for  a display  of the  subject's complete
 sensitivity level.


For   subsetted   architectures,   the   user interface  could
 be  to  a  TCB  subset  that does not support  a mandatory  access
control  policy.  Thus,  a change noted  by a more primitive TCB
 subset that does support such a  policy would have to be  relayed
to the user, possibly  through cooperative action of  the full
set of TCB subsets.  Similarly, a request by a terminal user 
for  the  complete  sensitivity  level  could  be initially  received
 by  a  TCB  subset  that  does not support  a  mandatory  access
 control  policy and will require  cooperation between  TCB subsets
 to determine the complete  subject sensitivity level and  to
provide that information to the requesting user.
Identification and Authentication



The    identification   and    authentication requirements in
the TCSEC address the need to correctly associate authorizations
with subjects.   In a TCB made of several TCB subsets, it is possible
that only one of the  TCB   subsets  will  provide   identification
 and authentication,  which will  be  used  by all  the less primitive
 TCB subsets.   Alternatively, identification and  authentication
may  be provided  directly in  more than one  TCB subset.  In
either case,  the TCB subsets have  to work  cooperatively to
 use identification and authentication data for  uniquely identifying
users and for associating users with auditable actions.
Trusted Path



At B2, the only required uses of trusted path are  login  and
 authentication.    At  B3  and  above, occasions  "when
a  positive TCB-to-user  connection is required (e.g., login,
 change subject security level)" are  included.   In  both
 cases,  a  system vendor may choose  to use  trusted path  for
situations  where the security-relevant event could  be recognized
or handled in more  than one TCB subset.  On  those occasions,
the careful coordination of all the involved TCB subsets in the
correct handling of trusted path situations must be shown.  If
a single  TCB subset implements trusted path and all the invocations
of  trusted path are limited to that  TCB  subset  (that  is,
 the  flow  of control in responding  to a  trusted path  initiation
never leaves the TCB  subset until the response  is completed),
then nothing further would be  required.  The description of the
limitation  of trusted path to a  single TCB subset will  suffice
for the  global part of  the requirement, leaving only the demonstration
of local satisfaction of the requireme nt by the identified TCB
subset.
Audit



If  each  of  several  TCB  subsets meets the audit requirements
locally, then  there is the issue of whether the set of audit
records meets the requirements of  being  able  to  note  and
 record  individual user actions, and  at B3 and  above, to be
 able to initiate required action.   If not all the TCB  subsets
meet the audit requirements locally,  then the requirements must
be satisfied  by the cooperative  action of the  set of TCB subsets.
 In both cases, consideration of the audit characteristics of
 all the TCB subsets has  to be part of  determining that  the
 entire  TCB meets  the audit requirements.
System Architecture



For   many   of   the   system   architecture requirements,  demonstrating
 that   a  requirement  is satisfied  by all  of the  consitituent
TCB  subsets is sufficient to demonstrate that  it is satisfied
for the composite  TCB.   The  requirements  for  the "TCB
[to] maintain a domain for its execution" and for the TCB
to "maintain  process isolation  through the  provision of
distinct  address  spaces"  could  be  satisfied by the entire
 TCB without  each constituent  TCB meeting  the requirement.


The  requirement for  the TCB  to maintain  a domain for its execution
implies  the need for each TCB subset to have a domain for its
own execution, isolated from  both untrusted  portions of  the
system  and from less primitive  TCB subsets.  The exact  wording
of the TCSEC requirement  could be read as  disallowing a less
primitive TCB  subset from occupying a  domain provided by  a
more  primitive TCB  subset and  to allocate  its subjects to
domains that do  not have access to its own domain:   the verb
  "maintain" could  be (erroneously) read  as  requiring
 each  TCB  subset  to  create  and maintain  its  own  domain
 for  execution.  The proper interpretation is that the TCB  as
a whole must provide and  maintain such  domains for  execution,
rather than each individual TCB subset.  Similarly,  the exact
  wording of  the TCSEC requirement on the  "maintain[ing]
of process isolation through the provision of distinct address
spaces" could be  read  as  requiring  each  TCB  subset
 to  provide distinct address spaces.   The proper interpretation
is that  the TCB  as a   whole must  provide and  maintain process
isolation,  either   through  provision   and subsequent use 
of distinct address spaces,  or through provision  of  distinct
 address  spaces  by  every TCB subset.
Covert Channel Analysis



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.    When the  TCB is  made up entirely  of  TCB  subsets 
meeting  the conditions for evaluation  by parts,  analysis of
 the individual  TCB subsets suffices to  satisfy this analysis
requirement.  Otherwise,  covert channel   analysis must  address
the entire  TCB  (even  if  the  result  of  covert channel analyses
of the individual TCB subsets were available).
Trusted Facility Management



The ability to run  a trusted system facility properly  applies
 to  the  combination  of TCB subsets making  up the  TCB.   This
 requirement should  not be difficult  to meet,  provided that
 the individual  TCB subsets  meet  the  requirement  and  the
 interactions between  the  TCB  subsets  at  the facility management
level are clear.
Trusted Recovery



In  the case  of  "an  ADP system  failure or other discontinuity,"
each TCB subset  in a B3 or above system  needs   to  be  able
 to   recover  "without  a protection compromise." 
Further,  the recovery actions of  distinct TCB  subsets needs
 to be  coordinated and combined  so  that  the  resulting  system
 is not only recovered as  far as each TCB subset  is concerned,
but is also recovered as a composite TCB.
Security Testing



This  requirement applies   as stated  in the TCSEC  to the  entire
TCB.   If a  TCB consists  of TCB subsets meeting the conditions
for evaluation by parts, the satisfaction of the requirements
by each TCB subset suffices to satisfy the requirement for the
entire TCB.  Otherwise, security testing must include testing
of the entire  TCB  (even  if   the  results  of  testing  the
individual TCB subsets are available).
Design Specification and Verification



For  many  of  the  design  specification and verification   requirements,
  demonstrating   that   a requirement is satisfied by all of
the consitituent TCB subsets  is  sufficient  to   demonstrate
 that  it  is satisfied for the composite  TCB.  The requirements
for a "formal model of the security policy supported by the
TCB" and that the DTLS at B3  and the FTLS at A1 "be
an accurate description  of the TCB interface"  apply in
a limited way to the entire TCB.


After complying security  models are provided for the  individual
TCB subsets, a  convincing argument is required to explain how
the set of models represents abstractly the policy of the entire
system.


After   complying  top-level   specifications (DTLS  at  B3  and
 FTLS  at  A1)  are provided for the individual  TCB  subsets,
 an  explicit  and convincing description of how the  set of top-level
specifications describe the TCB interface  with respect to exceptions,
errors and effects must also be provided.
8. CONTENT-DEPENDENT  AND  CONTEXT-DEPENDENT ACCESS CONTROL




An  attractive  proposition   in  a  database managment system
 is to implement access  controls that depend  in some  way on
 the values  of the  data in  a storage object or the  context
in which the information is  accessed.  For example,  one might
desire  to limit access to all personnel records in a database
according to the  salary value (content-dependent  access rules).
 On the other hand, a company's earnings report might be held
in confidence until announced at the stockholders' meeting,  at
 which  time   it  is  public  information (context-dependent
access rules).


This document  does not encourage  or endorse mandatory  access
control  on storage  objects that are based on the  content of
data values or  on the context in which  the information is viewed.
  Given that these are  research  topics,  it  is  prudent  to
 take  this conservative stance.  Research and current practice
are insufficient  to  allow  definitive  guidance  on  such implementations.
9. BULK LOADING OF A DATABASE



The bulk loading of  a database into (perhaps thousands of) database
objects  must be done with care.  If the data  to be loaded are
unlabeled, it  may not be practical to require an  authorized
user to examine the data  to be  loaded into  each object  and
assign  it a sensitivity label.  Instead it may be more practical
to assign labels to the  data according to the sensitivity label
of the single-level device that is used to import it.   In  this
 way,  bulk   loading  may  be  done  in single-level stages.


Even  importing labeled  multilevel data  may prove  difficult.
  The  imported  data  records may be organized on the input 
device in accordance with their logical structure,  not their
sensitivity  levels.  For some trusted DBMS architectures, this
requires that the TCB first  separate the data by  sensitivity
levels and subsequently  load  the  data   into  the  database
 as single-level structures. 


Another problem with  bulk loading of labeled data  is  granularity.
  It  may  be  that the labeling granularity  of data on  the
input device  is different from   the  labeling   granularity
 supported   by  the receiving trusted DBMS.  As  an example,
the data being imported may be labeled at the file or field level,
and the  importing DBMS may  support labeling at  the tuple level.
 In  such instances, the  data would have  to be mapped into objects
of  the proper labeling granularity as the data are being imported.
10. LOCAL ANALYSIS IN SYSTEM ASSESSMENT



The  ability  to  distinguish  and separately reference the results
of  local analysis of TCB subsets is  a primary  aspect of  evaluation
by  parts, and the benefits  which  accrue  are  apparent  in
two, closely related,  cases  that  arise  in  evalutions  by
parts.  These may be thought of as dealing with the problems of
"hosting" and "porting" although  they are
actually two aspects of the same problemthat of assessing a trusted
system constructed of previously evaluated parts.


For the first case (i.e., that of "hosting"), consider
an  operating system which has  been evaluated against  the  TCSEC
 requirements  and  has  received a rating.  Thus, the operating
system  is a TCB for which both the local and global  analysis
has been done.  The results  of  the  local  analysis  can  now
 be used to support  the  evaluation  of  a  TCB  made  up  of
 the operating  system (or,  the more  primitive TCB subset) and
any proposed TCB  extension (or, less primitive TCB subset). 
Suppose,  for example, that vendor  A chooses the  rated operating
 system as   the host  for a  DBMS product, which implements an
access control policy.  As described  in  TC-6,  it  is  now 
possible,  under the


correct conditions, to re-use  the results of the local analysis
of  the host operating system  in developing a rating for the
composite  system.  Even for those cases not meeting all the conditions
for evaluation by parts, it  may be  possible that   some, if
 not most,  of the previous  results are  still valid.   If vendor
 B also chooses the rated operating system  as the host for his
DBMS  product, it  will be  possible (again,  under the proper
 conditions) to develop  a rating for  the (new) composite  system
without  having to  repeat the  local analysis of the host operating
system.  As an alternate case,  suppose a  site has  need of 
an electronic mail service as well as the  DBMS utility.  The
mail utility will operate in a peer-entity relation with the trusted
DBMS utility (i.e., both the  mail service and the DBMS depend
 on  the  host  operating  system,  but  neither depends  on the
other).   Again, having the  results of the local  analysis of
the host  operating system eases the burden of assessing the security
characteristics of the user  interface to the composite system
 made up of the  mail system  and  the  host operating  system.
 In short,  the  ability   to  distinguish  and  separately reference
the results of the local analysis of the host operating  system
 makes  it  feasible  to evaluate the effect of  adding arbitrary
trusted  applications, only by performing the local analyis for
the application and any global analysis required.


For   the  second    case,  (i.e.,   that  of "porting")
the question becomes that of determining the effect of moving
a known trusted application, such as a DBMS,  across arbitrary
 host systems.   Assume that  a trusted  DBMS   product  meeting
 the   conditions  for evaluation by parts has  been evaluated
on some trusted host, and a rating determined for the composite
system.  Clearly,  the  results  of  the  local  analysis of the
trusted  application available  are also  applicable to the  analysis
of  a composite   system made  up of  the trusted  application
 and  a  different  host operating system.  Thus, having the local
analysis of the trusted application will ease  the evaluation
burden associated with  porting  of  trusted  applications  to
 different hosts.    To  the   extent  that   the  conditions
 for evaluations  by parts  have been  satisfied, the  local analysis
 of  the  application  is  valid by reference.


Hence  only the  local analysis  of the  host operating system
and  the requisite global analysis  is needed to assess  the security
 attributes of  the new  composite system.
11. RATING MORE COMPLEX SYSTEMS



The  view taken  by the  TCSEC is  that of an "atomic"
 TCB; the TCB  is seen to  be a single  entity which  is, in some
 sense, homogeneous.  This  allows a relatively  simple measure
 (i.e., the  digraphs) to be assigned to the TCB.  However, real
systems may be more complex, resulting in the inability of a single,
simple rating  to convey  the full  complexity of  the system.
 This  is  implicitly  recognized  in  TCSEC  evaluation reports
and  EPL entries, in which credit  may be given to a vendor for
meeting TCSEC (functional) requirements beyond those necessary
to satisfy the rating (e.g., the B3 discretionary  access control
feature in  a C2 TCB).   In   short,  systems   which  reflect
  straightforward implementations   or  extensions   of  the 
 TCSEC  can accurately be described with  a single digraph.  On
the other  hand, adding  complexity to  systems may violate assumptions
 which underlie   the TCSEC  rating system, requiring a more complex
 description if accuracy is to be achieved.


If a TCB made up of TCB subsets is consistent with  the  TCSEC
 assumptions  on  homogeneity,  then a simple  digraph  suffices
 for   a  full  and  accurate description of the security  properties
of the product.  However,  to the  extent that  a subsetted architecture
introduces complexity not captured by the digraphs, the simple
TCSEC ratings cannot be applied to the composite system.   More
 specifically,  for  a  subsetted TCB to achieve a  single rating,
all the  requirements of that class   must   be   satisfied. 
  For   example,  if  a discretionary access control-enforcing
 DBMS TCB subset is  added onto a  previously evaluated B3  product,
the entire system can achieve a  B3 rating if it could also have
 achieved the B3  rating evaluated as  a monolith.  That is, the
 new TCB subset must also  satisfy all the assurance and architectural
requirements of B3.


Consider   a  candidate   TCB  subset   which enforces a  discretionary
access control policy  over a new type of object, targeted at
a host system which has already been evaluated at the B3 level.
 Examples are a database  management   system  providing  discretionary
access  control over   tuples, a  transaction processor providing
   discretionary    access    control    over transactions,  
and   a    message   system   providing discretionary  access
control   over messages.   If the candidate TCB subset meets all
the C2 requirements, the problem  is  what  rating   will  be
 assigned  to  the composite  system.  To designate  it a "C2"
 is clearly inaccurate, as well as being  unfair to the original
B3 product  vendor.  To designate  it "B3" may  be equally
inaccurate, and it creates  ambiguity in the meaning of the  metric
 used  for  comparing  systems.   In  fact, depending on the details
of the specific candidate, the composite  system could  legitimately
be  rated at  any level from C2 to B3 under a TCSEC evaluation.


The TCSEC rating system  assumes a measure of homogeneity  which
 the  above  example  violates  thus invalidating the very basis
upon which a single digraph may  be assigned.   Hence, a  subsetted
system  such as described above,  will have to be  characterized
with a more  complex   description  than  a   single  digraph.


Although this  may seem undesirable, it will  be a more accurate
 description of  the system,  and it   provides sufficient  information
to  allow system  designers and accreditors  to  make  decisions
 about  sufficiency of security for their  specific applications.
 In essence, such  an  approach  is  necessary  for  recognizing
the additional  complexity  which   can  be  introduced  by architectures
 which   allow  system  elements to be developed separately.
GLOSSARY



candidate  TCB  subset     The  identification  of the hardware,
 firmware,  and  software  that  make  up the proposed TCB  subset,
along with the  identification of  its  subjects and  objects;
one  of the  conditions for evaluation by parts


 content-dependent access  control   Access  control in which
access is determined by  the value of the data to be accessed.


context-dependent access  control   Access  control in which 
 access   is    determined   by   the   specific circumstances
under which the data is being accessed.


 database management  system   A computer  system whose main function
is to facilitate  the sharing of a common set of data among many
 different users.  It may or may not  maintain  semantic  relationships
 among  the data items.


       DBMS   Abbreviation for "database management system."


depends   A TCB subset A depends (for its correctness) on  TCB
 subset  B  if  and  only  if the (engineering) arguments  of
 the  correct  implementation  of  A with respect to its specification
assume, wholly or in part, that  the  specification  of  B  has
 been  implemented correctly.


domain    The set  of objects that  a subject has  the ability
to access.


dominated  by     Security  level  A  is  dominated by security
level B if (1) the clearance/classification in A is less than
or equal to the clearance/classification in  B,  and  (2)  the
 set  of  access approvals (e.g., compartment designators)  in
A is contained  in the set of  access approvals in  B (i.e., each
 access approval appearing  in A  also  appears  in B).   This
dominance relation is a special case of a partial order.


dominates   "Security level B dominates security level A"
is synonymous with "security level A is dominated by security
level B."  See "dominated by."


global requirements   Those  which require analysis of the  entire
system and  for which separate  analysis of the  individual  TCB
 subsets  does  not  suffice.  See Section TC-5.3.2 for a summary
list.


lattice   A partially ordered set for which every pair of  elements
has  a greatest  lower bound  and a  least upper bound.


local requirements   Those for which separate analysis of  the
individual  TCB subsets  suffices to  determine compliance for
the composite TCB.  See Section TC-5.3.1 for summary list.


metadata    (1)  Data  referring  to other  data; data (such as
 data structures, indices, and  pointers) that are  used  to 
instantiate   an  abstraction  (such  as "process,"
"task," "segment,"  "file," or "pipe").
 (2) A  special  database,  also   referred  to  as  a  data dictionary,
 containing  descriptions  of  the elements (e.g., relations,
domains,  entities, or relationships) of a database.


monolithic TCB    A TCB that consists of  a single TCB subset.


object    A passive  entity that contains  or receives information.
 Access  to an object  potentially implies access  to the  information
it  contains.  Examples  of objects are:  records,  blocks, pages,
segments, files, directories, directory trees, and  programs,
as well as bits, bytes, words, fields, processors, video displays,
keyboards, clocks, printers, network nodes, etc.


partial  order    A relation  that is  symmetric (a is related
to a),  transitive (if a is related to  b and b is  related  to
 c,  then  a  is  related  to  c),  and antisymmetric (if a is
related to b and b is related to a, then a and b are identical.)


primitive    An ordering relation between  TCB subsets based 
on  dependency  (see  "depends"  above).   A TCBsubset
B is  more primitive than a second  TCB subset A (and  A is  less
primitive  than B)  if (a)  A directly depends on B or (b) a chain
 of TCB subsets from A to B exists  such that  each element  of
the  chain directly depends on its successor in the chain.


reference monitor concept    An access control concept that  refers
to an  abstract machine that  mediates all accesses to objects
by subjects.


reference validation mechanism   "An implementation of the
reference monitor concept .  .   .  that validates each reference
to data or programs by any user (program)  against  a  list  
of  authorized  types  of reference  for that  user."  It
 must be  tamper proof, must always be invoked, and  must be small
enough to be subject  to  analysis  and  tests,  the completeness
of which can be assured.  [1] 


security  policy     The   set  of  laws,  rules,  and practices
 that regulate  how an  organization manages, protects, and distributes
sensitive information.


storage object   An object that supports both read and write accesses.


subject   An active entity, generally in the form of a person,
process,  or device that causes  information to flow  among  objects
 or   changes  the  system  state.  Technically, a process/domain
pair.


subset-domain      A  set  of  system   domains.   For evaluation
 by parts,  each candidate  TCB subset  must occupy a distinct
subset domain such that modify-access to  a domain  within  a
 TCB subset's  subset-domain is permitted  only to  that TCB 
subset and  (possibly) to more primitive TCB subsets.


TCB subset   A set of software, firmware, and hardware (where
 any  of  these  three  could  be  absent)  that mediates the
access  of a set S of subjects  to a set O of  objects on  the
basis  of a  stated access  control policy P and satisfies the
properties:

  (1) M  mediates every access to  objects O by subjects in
S;
  (2) M is tamper resistant; and
  (3) M  is  small  enough  to  be  subject to analysis  and
tests, the  completeness of which  can be assured.






   technical policy   The  set of rules regulating access of
subjects to objects enforced by a computer system.




Trusted  Computing  Base  (TCB)      The  totality  of protection
  mechanisms   within   a   computer  system including   hardware,
  firmware,   and   software  the combination  of which  is responsible
 for enforcing  a security  policy.   A  TCB  consists  of  one
 or  more components  that together   enforce a  unified security
policy over a product or  system.  The ability of a TCB to correctly
 enforce a security policy  depends solely on  the mechanisms
 within the  TCB and  on the correct input by system  administrative
personnel of parameters (e.g.,  a  user's  clearance)  related
 to the security policy.


trusted subject   A subject  that is permitted to have simultaneous
view- and alter-access  to objects of more than one sensitivity
level.


user     Any  person  who  interacts  directly  with a computer
system.


view   That portion of the database that satisfies the conditions
specified in a query.


view  definition    A stored  query; sometimes loosely referred
to as a "view."
BIBLIOGRAPHY



          1.   J.  P.    Anderson, "Computer  Security Technology


          Planning  Study,"  ESD-TR-73-51   (AD-758206),
 J.   P.


Anderson Co., October 1972.

  2. J.  P.  Anderson, "On the Feasibility of Connecting
   RECON to an External Network," Technical Report, J.
 P.
   Anderson Co., March 1981.
  3. D.   E.   Bell  and  L.   J.   La  Padula, "Secure
   Computer  Systems:   Unified   Exposition  and  Multics Interpretation,"
 MTR-2997, (AY/W  020 445),  The MITRE Corporation, Bedford, Massachusetts,
July 1975.
  4. D.   E.   Bell  and  L.   J.   La  Padula, "Secure




          Computer    Systems:      Mathematical    Foundations,"


          MTR-2547-I,  (AD  770   768),  The  MITRE  Corporation,


Bedford, Massachusetts, March 1973.

  5. L.   J.   La  Padula  and  D.   E.   Bell, "Secure
   Computer Systems:  A  Mathematical Model," MTR 2547-II,
(AD   771  543),    The  MITRE   Corporation,  Bedford, Massachusetts,
May 1973.
   6.   D.    E.   Bell,  "Secure  Computer   Systems:
  A
   Refinement  of the  Mathematical Model,"  MTR 2547-III,
   (AD   780  528),    The  MITRE   Corporation,  Bedford,




Massachusetts, December 1973.

  7. D.  E.  Bell,  "Secure Computer Systems:  A Network
   Interpretation,"  Proceedings of  the Second  Aerospace
Computer Security Conference, McLean Virginia, December 2-4, 1986,
pp.  32-39.




          8.   Department  of   Defense,  Department  of  Defense


          Trusted   Computer  System  Evaluation   Criteria, 
DOD


5200.28-STD, December 1985.

  9. D.   E.   Denning,  "Cryptographic  Checksums  for
   Multilevel Database Security,"  Proceedings of the IEEE
Symposium on  Security & Privacy,  Oakland, California, April
29-May 2, 1984, pp.  52-61.
  10. D.  E.  Denning, "Commutative Filters for Reducing
   Inference  Threats  in  Multilevel  Database  Systems,"
Proceedings  of  the  IEEE   Symposium  on  Security  & Privacy,
 Oakland, California,  April 22-24,  1985, pp.  134-146.
  11. E.  B.  Fernandez, R.   C.  Summers, and C.  Wood,
   Database Security and Integrity, Boston, Massachusetts:
   Addison Wesley, 1981.
  12. C.  Garvey and A.  Wu, "ASD Views," Proceedings
of the  Fourth  Aerospace  Computer  Security Applications Conference,
  Orlando,  Florida,  December   1988,  pp.  85-95.
  13. R.  D.   Graubart and  J.  P.   L.  Woodward,  "A
   Preliminary  Naval Surveillance  DBMS Security  Model,"
Proceedings  of  the  IEEE   Symposium  on  Security  & Privacy,
 Oakland, California,  April 26-28,  1982, pp.  21-37.
  14. R.  D.  Graubart,  "The Integrity-Lock Approach to
   Secure  Database Management,"  Proceedings of  the IEEE
   Symposium on  Security & Privacy,  Oakland, California,




April 29-May 2, 1984, pp.  62-74.

  15. M.   J.   Grohn,  "A  Model  of  a Protected Data
   Management   System,"  ESD-TR-76-289,  I.    P.   Sharp
Associates, Ltd., June 1976.
  16. T.   H.  Hinke, M.  Schaefer et  al., "Secure Data
   Management System," RADC-TR-75-266 (AD-A019201), System
Development  Corporation,   Santa  Monica,  California, November
1975.
  17. C.   E.   Landwehr,  C.   L.   Heitmeyer,  and J.
   McLean,   "A  Security   Model  for   Military  Message
Systems,"  ACM Transactions  on Computer  Systems, Vol. 
2, No.  3, August 1984, pp.  198-222.
  18. T.  F.  Lunt, D.  E.  Denning, P.  G.  Neumann, R.
   R.  Schell,  M.  Heckman, and W.   R.  Shockley, "Final




          Report   Vol.    1:    Security   Policy   and   Policy


          Interpretation  for   a  Class  A1   Multilevel  Secure


          Relational    Database   System,"    Computer 
 Science


Laboratory, SRI International,  Menlo Park, California, 1988.

  19. J.  McHugh and  B.  M.  Thuraisingham, "Multilevel
   Security  Issues  in  Distributed  Database  Management Systems,"
 Computers  &  Security,  Vol.   7,  No.   4, Elsevier Advanced
Technology Publications, August 1988, pp.  387-396.
  20. National Computer  Security Center, Proceedings of the
 National  Computer  Security  Center  Invitational Workshop 
on  Database  Security,  Baltimore, Maryland, June 17-20, 1986.
  21. P.   A.  Rougeau and  E.  D.  Sturms,  "The Sybase
   Secure Dataserver:  A Solution to the Multilevel Secure




          DBMS  Problem,"   Proceedings  of  the   10th 
National


          Computer  Security   Conference,  Baltimore,  Maryland,


September 21-24, 1987, pp.  211-215.

  22. M.   Schaefer,  ed.,  Multilevel  Data Management




Security,  Air   Force  Studies  Board,   Committee  on


Multilevel  Data Management Security,  National Academy Press:
 Washington, D.C., 1983.

  23. M.  D.  Schroeder and J.  H.  Saltzer, "A Hardware
   Architecture   for   Implementing   Protection  Rings,"
Communications  of the  ACM,  Vol.   15, No.   3, March 1972,
pp.157-170.
  24. W.  R.  Shockley and  R.  R.  Schell, "TCB Subsets
for Incremental  Evaluation," Proceedings of  the Third Aerospace
  Computer   Security   Conference,  Orlando, Florida, December
7-11, 1987, pp.  131-139.
  25. P.  Stachour and B.  Thuraisingham, "Design of LDV

   A Multilevel Secure Database Management System,"
IEEE Transactions  on Knowledge  and Data  Engineering, Vol. 
2, No.  2, June 1990, pp.  190-209.








   26.   M.  Stonebraker,   "Operating System  Support
for Database Management,"  Communications of the  ACM, Vol.
 24, No.  7, July 1981, pp.  412-418.






  27. Unisys Corporation, "Secure  Distributed Database
   Management  System," Final  Technical Report,  Rome
Air Development  Center  Technical  Report, RADC-TR-89-314, Vol.
 1-5, December 1989.
  28. J.   Wilson, "Views as  the Security Objects  in
a
   Multi-level   Secure  Relational   Database  Management System,"
 Proceedings  of  the  1988  IEEE Symposium on Security &
 Privacy, Oakland, California,  April 18-21, 1988, pp.  70-84.








t