PSARC/2002/762 -- Layered Trusted Solaris

Manifest:

Outline -- this doc; a suggested starting point (outline.txt)
20 Questions -- 20Questions.txt
Overview slides -- 24 pages (Overview.pdf)
CDE overview slides -- 9 pages (CDE.pdf)
Layered Trusted Solaris -- a work in process; the current snapshot of the project specification document (spec.pdf)
CIPSO spec -- not printed; reference for the interested (fips188.txt)

Background:

The ``Layered Trusted Solaris'' document is largely incomplete. Only chapters 1, 2, and 5 contain information, some of which is out of date. This review is an ``ARC early'' review aimed at providing an overview and context for the subprojects. Guidance on the level of detail needed for the subprojects would help the project team understand how best to proceed.

Parts of the materials contain references and comparisons to previous (TS8) releases of Trusted Solaris. This material is provided for audiences who are familiar with previous TS releases and may safely be glossed over for this review.

Subprojects:

The project team has identified a number of subprojects (listed here). The project team requests that the reviewers suggest any additions or reductions that they feel would make the review(s) simpler.

1) label interfaces: The set of public and private interfaces for translating labels to and from external form, and for manipulating and comparing labels. The changes to existing interfaces such as ucred_get to return and access a process' label.

2) labeled networking: The transmission and receipt of label options. The databases which configure network MAC policy. The modifications to network stacks and endpoints to propagate labels when needed and to make MAC decisions. The changes to the network stacks to implement MAC decisions on routing. The changes to existing interfaces such as getpeerucred() to return labels to the caller.

3) labeled file system: Changes necessary for mounting, looping back and automounting across zones and from the global zone. Labeled device allocation.

4) labeled printing: The ability to label banner and trailer printed output pages. The ability to keep printer queues separated by label. The ability to print/suppress top and bottom document page labels.

5) label aware system management: Tools such as SMC, the addition of CDE actions to the RBAC interfaces, various CLIs, new attributes in the RBAC databases. Role use of the global zone.

6) labeled desktop X: Changes to Xsun and additional X libraries for TS10.

7) labeled desktop CDE: Various cross zone managers and additional or changed dt* libraries.

8) packaging, installation, and configuration changes: New and updated packages. Integration with Greenline and inetd. Configuring and booting labeled zones for TS10.

5, 6, 7 are probably most appropriate as LSARC cases.

Glossary -- magic decoder ring settings:

CC -- Common Criteria; an ISO standard for evaluating trusted systems.

PP -- Protection Profile; a collection of criteria from the CC designed to meet a particular goal. Products are evaluated against PPs and judged as to whether they meet the collected criteria.

CAPP -- Controlled Access Protection Profile; a PP which is analogous to the old ``C2 level of evaluation.'' It includes audit, object reuse, and discretionary access control (DAC) criteria. Solaris releases after 2.3 largely meet this PP.

LSPP -- Labeled Security Protection Profile; a PP which is analogous to the old ``B1 level of evaluation.'' It includes all of CAPP and adds mandatory access control (based on labels). All Trusted Solaris releases have met, and must continue to meet, this PP.

RBACPP -- Role Based Access Control Protection Profile; a PP which describes the criteria for Role Based Access Control. Recent Trusted Solaris releases have met this PP. Solaris 9 is expected to meet this PP. All Trusted Solaris releases must continue to meet this PP.

DAC -- Discretionary Access Control; access control which is at the discretion of the object owner. For example, file permissions and ACLs.

MAC -- Mandatory Access Control; access control which is not under the control of the object owner, but is imposed by system policies that may be configured by appropriately authorized administrators. MAC is often based on comparing labels using rules originally defined by Bell and LaPadula: a subject may view an object whose label is dominated by the subject's label (``read down''), and a subject may modify an object whose label dominates the subject's label (``write up'').

TCB -- Trusted Computing Base; the collection of hardware, firmware, software and administrative procedures that enforces the security policy. Ideally a TCB should meet all the reference monitor principles: always invoked, tamperproof, and small enough to be analyzed. Typically operating system TCBs fail the last principle.

EAL -- Evaluation Assurance Level; the methodology and requirements for the strength and thoroughness of a CC evaluation. The higher the number, the more rigorous. Ranges from 1 (passes simple testing) to 7 (formally verified). The highest level for most general commercial products is EAL4+. (EAL4 LSPP is analogous to the old ``B1.'')

Label -- metadata associated with an object to describe the sensitivity of the data it contains, and associated with a subject to describe the sensitivity of data that it may access. Labels typically have the relationships equal (l1 == l2), dominates (l1 >= l2), dominated by (l1 <= l2), and disjoint (l1 <> l2), i.e., neither dominates nor is dominated by the other. Traditionally labels have had two component types: a classification or level (unclass, secret, top secret) and compartments or categories (Finance, Personnel, EMG). Classifications are represented by short integers and compared with >, <, ==. Compartments are represented by bit sets and compared with ``set inclusion'' and ``set equality.'' l1 dominates l2 when l1's classification is >= l2's and l1's compartment set includes l2's.

MLD -- Multi-level Directory; a special directory used on previous releases to contain separately writable directories for all labels. A polyinstantiation of a directory, one for every label.

Subject -- An active computing entity such as a process.

Object -- A passive computing entity acted upon by a subject, such as a file or a process.

MLS -- Multi-Level Secure (or multi-level security); having the ability to process, contain, and separate/isolate processes and data that are labeled with unequal labels such that there are no unintended data flows or interference in violation of the MAC policy.
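The label relationships and the Bell-LaPadula read/write rules from the glossary, worked through as an added example. This is illustrative code written for this page, not the TS10 label interfaces or any Trusted Solaris code: the label_t layout (a 16-bit classification plus a 64-bit compartment bit set), the classification and compartment values, and the function names are all assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label representation (an assumption for this example, not
 * the real TS10 label type): a classification ordered as a short integer,
 * and a compartment set held as a bit set, one bit per category. */
typedef struct {
    uint16_t cls;     /* classification: larger means more sensitive */
    uint64_t comps;   /* compartment bit set */
} label_t;

/* Constructed classification and compartment values for the demo. */
enum { CLS_UNCLASS = 0, CLS_SECRET = 2, CLS_TOPSECRET = 3 };
enum { COMP_FINANCE = 1u << 0, COMP_PERSONNEL = 1u << 1, COMP_EMG = 1u << 2 };

/* The four relationships named in the glossary: ==, >=, <=, <> */
typedef enum { LBL_EQUAL, LBL_DOMINATES, LBL_DOMINATED, LBL_DISJOINT } label_rel_t;

/* l1 dominates l2 when its classification is >= l2's and its compartment
 * set includes every compartment of l2 (set inclusion on the bit set). */
bool label_dominates(const label_t *l1, const label_t *l2)
{
    return l1->cls >= l2->cls && (l1->comps & l2->comps) == l2->comps;
}

/* Equality is classification equality plus compartment set equality. */
bool label_equal(const label_t *l1, const label_t *l2)
{
    return l1->cls == l2->cls && l1->comps == l2->comps;
}

/* Classify the relationship between two labels; disjoint means neither
 * dominates the other (e.g. same classification, non-nested compartments). */
label_rel_t label_compare(const label_t *l1, const label_t *l2)
{
    bool d12 = label_dominates(l1, l2);
    bool d21 = label_dominates(l2, l1);
    if (d12 && d21) return LBL_EQUAL;
    if (d12)        return LBL_DOMINATES;
    if (d21)        return LBL_DOMINATED;
    return LBL_DISJOINT;
}

/* Bell-LaPadula as stated in the glossary: read down, write up. */
bool mac_may_read(const label_t *subj, const label_t *obj)
{
    return label_dominates(subj, obj);
}

bool mac_may_write(const label_t *subj, const label_t *obj)
{
    return label_dominates(obj, subj);
}

static const char *rel_name(label_rel_t r)
{
    switch (r) {
    case LBL_EQUAL:     return "==";
    case LBL_DOMINATES: return ">=";
    case LBL_DOMINATED: return "<=";
    default:            return "<>";
    }
}

int main(void)
{
    /* Constructed sample labels. */
    label_t unclass   = { CLS_UNCLASS,   0 };
    label_t sec_fin   = { CLS_SECRET,    COMP_FINANCE };
    label_t sec_pers  = { CLS_SECRET,    COMP_PERSONNEL };
    label_t ts_finper = { CLS_TOPSECRET, COMP_FINANCE | COMP_PERSONNEL };

    printf("sec_fin vs unclass  : %s\n", rel_name(label_compare(&sec_fin, &unclass)));
    printf("sec_fin vs sec_pers : %s\n", rel_name(label_compare(&sec_fin, &sec_pers)));
    printf("sec_fin vs ts_finper: %s\n", rel_name(label_compare(&sec_fin, &ts_finper)));

    /* A Secret/{Finance} subject may read Unclassified but not Top Secret,
     * may write up to Top Secret/{Finance,Personnel}, and may neither read
     * nor write the disjoint Secret/{Personnel}. */
    printf("read unclass   : %d\n", mac_may_read(&sec_fin, &unclass));
    printf("read ts_finper : %d\n", mac_may_read(&sec_fin, &ts_finper));
    printf("write ts_finper: %d\n", mac_may_write(&sec_fin, &ts_finper));
    printf("write sec_pers : %d\n", mac_may_write(&sec_fin, &sec_pers));
    return 0;
}
```

The disjoint case (Secret/{Finance} against Secret/{Personnel}) is the one to keep in mind when reviewing the label interfaces: two labels at the same classification are not comparable unless one compartment set includes the other, so a comparison routine that looks only at the classification gives the wrong answer for both reads and writes. The example follows the glossary's statement of the *-property (write up); a deployed policy may tighten that to write-equal, which is the same check with label_equal() in place of the reversed dominance test.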