GUIDELINES FOR THE SECURITY ANALYSIS, TESTING, AND EVALUATION OF RESOURCE-SHARING COMPUTER SYSTEMS

Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST): CIA-RDP89B01354R000200320012-2
Release Decision: RIFPUB
Original Classification: C
Document Page Count: 13
Document Creation Date: December 27, 2016
Document Release Date: March 21, 2013
Sequence Number: 12
Case Number:
Content Type: MISC
File: CIA-RDP89B01354R000200320012-2.pdf (732.97 KB)
Body:
Declassified and Approved For Release 2013/03/21 : CIA-RDP89B01354R000200320012-2

CONFIDENTIAL

Computer Security Subcommittee of the United States Intelligence Board Security Committee

Guidelines for the Security Analysis, Test and Evaluation of Resource-Sharing Computer Systems

I. Purpose. To provide basic guidance for the security analysis, test and evaluation of resource-sharing computer systems wherein the control and integrity of the data stored and/or processed must be ensured. To list the security features, procedures and related conditions which should be analyzed, tested and evaluated prior to system accreditation. While the guidance is developed for resource-sharing computer systems, it should be applied to other systems as well.

II. Scope. The guidance contained herein is applicable to all community intelligence functions using resource-sharing computer system support for which special handling controls have been established.

III. Resource-sharing computer systems should be analyzed, tested and evaluated for the possession and functionally dependable operability of security features and procedures. Computer security analysis, test and evaluation form the basis for system accreditation. The result of this effort should be a statement either recommending or not recommending such accreditation and an explanation of the reasons for that statement. The security analysis, test and evaluation should be conducted when the system is operating under relatively static, though productive, conditions. During this time system changes must be separately evaluated in light of their impact on both the security of the system and the status of the analysis, test and evaluation.

A. Security Analysis - This process will encompass the accumulation of all features for providing security protection of information handled (or to be handled) within a resource-sharing computer system and their relation to the software, hardware and procedural conditions of the system. System configurations, capabilities, locations and procedures will vary widely among organizations using this guidance; however, it is essential that, insofar as possible, they all be analyzed based upon this guidance in conjunction with agency/departmental regulatory guidance. Security analysis is requisite to security testing which is, in turn, requisite to security evaluation. While these may be independent phases, they are not mutually exclusive. In fact, the pursuit of one phase may require refinement of the others, regardless of the stage of completion of all. The security analysis will be the process of identifying security safeguards and ordering them into a framework based upon the manner and degree to which they are designed to guard against possible security vulnerabilities.

1. Hardware Controls

a. Memory protect device - A determination should be made to insure that a memory protect device is available to detect and prevent any attempt to read or write outside the area of memory assigned to a given user or application. These devices can fail; therefore, it is advisable to require a special program which will attempt to deliberately and frequently violate the memory bounds.

b. Separation of data by device (or within device) - Similar to memory protect, except that data separation is not normally additionally dependent upon software protection. However, when data is resident in memory, it is dependent upon memory protection.

c. Protection state variables - The execution state of a processor may include one or more variables which determine the interpretation of instructions executed by the processor. These variables should be identified at the outset of the security analysis exercise. For example, a processor might have a master/slave mode protection state variable, in which certain instructions are illegal except in master mode.

2. Software Controls

a. Security labels - Security classification and other required control labels should be identified with the information and programs in the system to insure appropriate labeling of output/input and access authority.

b. User Identification/Authentication - User identification/authentication for access to resource-sharing computer systems will primarily apply to remote users; however, all persons accessing any part of the system should be required to identify themselves in some manner. This will be the (software) means by which the system assures that the individual at a terminal or access unit is the person he represents himself to be and has authority to access the information which he is requesting.

c. System Supervisor (also known as Executive and Monitor) - The supervisor acts as the overall guard of the system. It is that portion of the software which internally manages job flow through the computer, allocates system resources to jobs, and controls information flowing to and from files and terminals. The malfunction or deliberate alteration of the supervisor could couple information from one program to another; change the security classification of users, files or programs; or, at a minimum, destroy information in the system. For these reasons, rigid controls must be enforced to insure that only authorized personnel have access to the supervisor.

d. Privileged instructions - Coupled with the supervisor and the hardware controls, the architecture of the computer must provide for privileged instructions. The set of privileged instructions must contain all input/output commands and also every command which could change a memory boundary or protection barrier. Moreover, the design of the computer should be such as to insure that only the supervisor program can operate the privileged instructions. It is absolutely essential that the supervisor program not be bypassed.

e. Separation of User/Executive Modes of Operation - The user and executive modes of system operation shall be separated so that a program operating in user mode is prevented from performing unauthorized executive functions.

f. Residue Cleanout - Instructions for performing residue cleanout should be standard within the system for all user programs to execute under the following conditions:
(1) Upon job completion.
(2) Upon program error (without recovery).
(3) [illegible in source]
(4) [illegible in source]
(5) Upon release of the allocated storage area to the supervisor.
(6) Upon each [illegible] initiation.
(7) Before allocation and after de-allocation of any assigned permanent user storage area.

g. Audit Trail - The computer system should produce in a secure manner an audit trail containing sufficient information to permit a regular security review of system activity. System usage recording functions can be used to detect improper use or maintenance of the data base. These functions are specifically directed toward protection of data security and assured integrity. They should be performed by the system Supervisor in connection with a special system log and access authentication library. The audit trail will allow for:
(1) Detection of data base/system misuse.
(2) Documentation of data base/system misuse.
(3) Audit of task performance.

3. Other Controls

a. Personnel Security
(1) During the analysis, a determination will be made that all personnel who have an operational requirement to access the computer center and/or remote terminals have been cleared to the highest level of classified information stored or processed by the system. All other personnel must be properly escorted.
(2) Procedures will be insured for unescorted access to the computer center area. This access should be limited to personnel with a predetermined need and holding clearances commensurate with the highest category of classified information processed or stored by the system.
(3) Access to a remote terminal should be limited to personnel who are cleared and have access approvals for information designated for output at that terminal.

b. Physical Security
(1) A determination will be made that the computer facility and remote terminals meet applicable physical security standards prescribed for safeguarding classified information stored or processed by the system.
(2) Physical security requirements for the computer center area should be based upon the over-all requirements of the entire system; however, remote terminal area requirements may be based upon the highest level of information designated for input/output at each terminal.
(3) Provisions may be made for downgrading area controls to the level of protection required for the information actually being processed, provided that measures are taken to maintain a level of security commensurate with the highest category of classified information resident in the system.

c. Communications Links - The communications links between all components of a system shall be secured in a manner appropriate for the transmission of the highest classified data designated to be carried by the link.

d. Emanations Security - Control measures and tests will be applied to equipment and systems to the extent necessary to prevent the compromise of classified or controlled information by the unauthorized interception of spurious emissions from equipment used to process the information. Individual organizations will retain the responsibility for applying control measures for those systems within their purview in accordance with the National Policy on Compromising Emanations.

e. Procedures and Administrative Safeguards
(1) Procedures and administrative processes and channels must be established to maintain access controls and to insure that system security measures are performing adequately.
(2) Procedures prescribed for system users at remote terminals must provide adequate protection for all levels and categories of classified information handled by each terminal.
(3) Computer facility access procedures must be established to provide maximum control over access to the area.

B. Security Testing - This process will include the inspection and testing of the hardware, software, physical and procedural security features of the resource-sharing system under study. The testing will determine the degree to which the system conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing, and the development of standards and other criteria to be met, will depend heavily on the manner in which the hardware and software is constructed and the class of the system being studied. The process measures the extent to which security safeguards guard against projected security vulnerabilities.

1. Hardware Controls

a. Memory Protect Device - This device should be exercised over a period of time, utilizing all available or representative programs, to insure the positive operability of the device.

b. Separation of data by device (or within device) - A check should be made to determine the extent of this technique and the security protection afforded data from these devices while they are core resident. This technique will depend upon other protection features once data has left the resident peripherals or devices.

c. Protection State Variables - The actual ability of the processor to access locations in primary memory will be tested to insure that all original and modified capabilities are known, understood and controlled.

2. Software Controls

a. Security labels - The use of security labels will be closely related to external labeling, internal file or record labeling and user identification/authorization. Access to the data contents will be controlled through the label identification. Furthermore, each user will possess access to resident files based upon his identification/authorization label access authority, which will be contained in the access libraries and/or executive system.

b. User Identification/Authentication - The user activity must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals at their activity. Additionally, software checks should be introduced and used to insure user authentication for the access of specified files or data which is available through the system. Numerous methodologies of user identification/authentication have been and are being devised. Regardless of the specific method chosen, the recommended approach for controlling access to system resources from a security authority standpoint is a software lockout in which a number of program checks are made against the following input parameters:
(1) User name.
(2) User classification and security release codes.
(3) Console identification.
(4) Console classification.
(5) Overlay identification.
(6) Program classification and security release codes.
(7) Record classification and security release codes.
Software control of the release of data by security classification and control codes promises to provide greater efficiency in system usage with security control, and provides a better foundation for control of interchanges of data with other systems where direct interface becomes a reality. The security test of this feature will determine the capabilities and functional operability.

c. System Supervisor - A check should be made to insure that rigid access control is exercised over the Supervisor. Only specified individuals should be permitted to change, modify, update or otherwise alter the Supervisor. A file-query system which merely provides the user at a remote terminal the capability to access files using a set of fully checked programs is probably the least dangerous mode of operation in a resource-sharing computer system.

d. Privileged Instructions - A check should be made to ascertain the extent of use of privileged instructions, if any exist. The check should also include user access to these instructions and maintenance responsibilities. A live test using the instructions should be accomplished against various software systems to verify the exact functions and results of the instructions from a security/data integrity standpoint.

e. Separation of User/Executive Modes of Operation - A test should be performed, after investigation of the system documentation, to insure that application/user programs are incapable of performing any alteration to the executive. It may be necessary to investigate all user programs to make this determination.

f. Residue Cleanout - A test should be performed to confirm the operability of the residue cleanout function. Upon execution of residue cleanout instructions, sample data should be printed/displayed to allow review to insure that the process has been successful. Measures should be implemented to insure that memory residue from terminated user programs is made inaccessible to unauthorized users.

g. Audit Trail - During the testing of the audit trail software feature, special care must be used to confirm that all access and security authorization violations are detected and recorded. For this reason, special "spy" programs or intentional violator programs should be exercised against the system to determine the effectiveness of the audit trail in detecting violators and giving the appropriate alarm. The other system accounting capabilities of the audit trail should be secondary to security protection features.

C. Security Evaluation - Based upon the security analysis and test results, a thorough evaluation should be conducted with the final objective being system accreditation for a multi-level security, resource-sharing computer environment. The decision should be based upon a demonstrated capability of the entire system (its hardware, software, procedures, physical plant and personnel) that adequate protection can and will be provided for the information scheduled to be processed by the system.
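As an added illustration of the software lockout described under Security Testing 2.b, and of the audit trail it should feed (2.g), the following Python is example code written for this edition and is not part of the original guidelines. The classification ordering is the standard US one; all user names, console and overlay identifiers and release codes are constructed.

```python
"""Software lockout on the seven parameters listed under Security Testing 2.b,
each decision logged to an audit trail (2.g). All names/codes are constructed."""
from dataclasses import dataclass

# Ordered classification levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class Label:
    """Classification level plus security release (control) codes held/required."""
    level: str
    codes: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Level at least as high AND every required release code held.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.codes >= other.codes)

@dataclass
class Request:
    """Parameters (1)-(7); record id kept only for the audit entry."""
    user: str
    user_label: Label
    console: str
    console_label: Label
    overlay: str
    program_label: Label
    record: str
    record_label: Label

AUDIT_TRAIL: list = []  # constructed in-memory stand-in for the system log

def lockout_check(req: Request, approved_overlays: set) -> tuple:
    """Return (granted, reasons); a denial is logged as a violation so the
    audit trail both detects and documents the misuse attempt."""
    reasons = []
    if req.overlay not in approved_overlays:
        reasons.append("overlay not in the approved program library")
    if not req.user_label.dominates(req.console_label):
        reasons.append("user not cleared for this console's designated level")
    if not req.user_label.dominates(req.record_label):
        reasons.append("user clearance/release codes insufficient for record")
    if not req.console_label.dominates(req.record_label):
        reasons.append("console not designated for the record's classification")
    if not req.program_label.dominates(req.record_label):
        reasons.append("program not cleared for the record's classification")
    granted = not reasons
    AUDIT_TRAIL.append({"user": req.user, "console": req.console, "overlay":
                        req.overlay, "record": req.record, "granted": granted,
                        "violation": None if granted else "; ".join(reasons)})
    return granted, reasons

def demo() -> list:
    """Constructed sample: a properly authorised query, then an under-cleared user."""
    tango = Label("SECRET", frozenset({"TANGO"}))
    ok = Request("smith", Label("TOP SECRET", frozenset({"TANGO", "ZULU"})),
                 "T-7", tango, "FQ-01", tango, "REC-100", tango)
    bad = Request("jones", Label("CONFIDENTIAL"),
                  "T-7", tango, "FQ-01", tango, "REC-100", tango)
    return [lockout_check(r, {"FQ-01"})[0] for r in (ok, bad)]  # [True, False]
```

Every check that fails is reported rather than only the first, so a single denied request documents all of the mismatched parameters for the security review.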