Security Testing and Evaluation Labs

Security Evaluation Laboratory (SEL)


BAE Systems: XTS-400 STOP 6.1.E

Sponsor: BAE Systems Information Technology, LLC
Assurance Level: EAL5+
Status: Evaluated
NIAP VPL Entry: http://niap.nist.gov/cc-scheme/st/ST_VID3012a.html

The XTS-400 product is a combination of STOP revision 6.1.E, a multilevel secure operating system, and a BAE Systems Information Technology, LLC-supplied x86 hardware base. STOP is a 32-bit, multiprogramming, multi-tasking operating system that can support multiple concurrent users. In addition to proprietary interfaces for secure administration, STOP provides a Linux-like user environment and programming interface (API/ABI) that allows many programs written for Linux to be copied to the XTS and run without change while benefiting from the designed-in security that STOP and the XTS-400 provide.

An X-windows graphical user interface (GUI) is included within the Target of Evaluation and is available at the console for work by untrusted users. Trusted path initiation causes suspension of the GUI, and trusted commands cannot be run from the GUI. All windows on the display are at the same level, and multi-level cut-and-paste is not supported.

Network connectivity on up to 16 different networks is allowed in the evaluated configuration. TCP/IP and Ethernet are included in the Target of Evaluation (TOE), but network servers (e.g., SMTP) are not. Within an evaluated configuration, network attachments must be made according to rules in the Trusted Facility Manual (e.g., each network must be single-level, while multiple networks can each be at a different level). The TOE cannot be compromised by remote users or unusual network traffic, but the TOE itself does not prevent disclosure of (or loss of integrity of) data on the network.

The system provides mandatory access control that allows for both a security and an integrity policy. It provides 16 hierarchical sensitivity levels, 64 non-hierarchical sensitivity categories, eight hierarchical integrity levels, and 16 non-hierarchical integrity categories. The mandatory security policy (MAC) enforced by the XTS-400 is based on the (formal) Bell and LaPadula security model; the mandatory integrity policy (MIC) is based on the (formal) Biba integrity model. The system implements discretionary access control (DAC) and provides the user identification and authentication needed for user ID-based policy enforcement.
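To make the two mandatory policies concrete, here is an added example (not STOP or BAE Systems code) that models a label lattice with the dimensions stated above, 16 sensitivity levels, 64 sensitivity categories, 8 integrity levels and 16 integrity categories, and decides read and write access with the Bell-LaPadula and Biba rules. The label values, the helper names and the sample objects are constructed for illustration and are not taken from the product.

```python
# Added example: a combined Bell-LaPadula / Biba label lattice with the
# dimensions described for the XTS-400. Names, sample labels and ranges
# are assumptions for illustration, not the product's own definitions.
from dataclasses import dataclass

SENS_LEVELS = 16        # hierarchical sensitivity levels, 0..15
SENS_CATEGORIES = 64    # non-hierarchical sensitivity categories, 0..63
INTEG_LEVELS = 8        # hierarchical integrity levels, 0..7
INTEG_CATEGORIES = 16   # non-hierarchical integrity categories, 0..15


@dataclass(frozen=True)
class Label:
    sens_level: int
    sens_cats: frozenset    # subset of range(SENS_CATEGORIES)
    integ_level: int
    integ_cats: frozenset   # subset of range(INTEG_CATEGORIES)

    def __post_init__(self):
        # Reject labels outside the lattice rather than silently comparing them.
        if not 0 <= self.sens_level < SENS_LEVELS:
            raise ValueError("sensitivity level out of range")
        if not 0 <= self.integ_level < INTEG_LEVELS:
            raise ValueError("integrity level out of range")
        if not self.sens_cats <= frozenset(range(SENS_CATEGORIES)):
            raise ValueError("unknown sensitivity category")
        if not self.integ_cats <= frozenset(range(INTEG_CATEGORIES)):
            raise ValueError("unknown integrity category")


def sens_dominates(a: Label, b: Label) -> bool:
    """a's sensitivity dominates b's: level >= and category set is a superset."""
    return a.sens_level >= b.sens_level and a.sens_cats >= b.sens_cats


def integ_dominates(a: Label, b: Label) -> bool:
    """a's integrity dominates b's: level >= and category set is a superset."""
    return a.integ_level >= b.integ_level and a.integ_cats >= b.integ_cats


def may_read(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula simple security: the subject's sensitivity must dominate
    # the object's (no read up).
    # Biba simple integrity: the object's integrity must dominate the
    # subject's (no read down), so low-integrity data cannot taint a
    # high-integrity subject.
    return sens_dominates(subject, obj) and integ_dominates(obj, subject)


def may_write(subject: Label, obj: Label) -> bool:
    # Bell-LaPadula *-property: the object's sensitivity must dominate the
    # subject's (no write down), so data cannot flow to a lower level.
    # Biba *-property: the subject's integrity must dominate the object's
    # (no write up), so a low-integrity subject cannot modify high-integrity
    # objects such as an audit trail.
    return sens_dominates(obj, subject) and integ_dominates(subject, obj)


def decide(subject: Label, obj: Label):
    """Return (read_allowed, write_allowed) for a subject/object pair."""
    return may_read(subject, obj), may_write(subject, obj)


# Constructed sample labels (hypothetical, not from the evaluated product).
USER = Label(sens_level=3, sens_cats=frozenset({5}),
             integ_level=2, integ_cats=frozenset())
SECRET_DOC = Label(sens_level=5, sens_cats=frozenset({5}),
                   integ_level=2, integ_cats=frozenset())
AUDIT_LOG = Label(sens_level=3, sens_cats=frozenset({5}),
                  integ_level=6, integ_cats=frozenset({1}))
PUBLIC_NOTE = Label(sens_level=0, sens_cats=frozenset(),
                    integ_level=2, integ_cats=frozenset())
OTHER_COMPARTMENT = Label(sens_level=3, sens_cats=frozenset({7}),
                          integ_level=2, integ_cats=frozenset())

if __name__ == "__main__":
    for name, obj in [("SECRET_DOC", SECRET_DOC), ("AUDIT_LOG", AUDIT_LOG),
                      ("PUBLIC_NOTE", PUBLIC_NOTE),
                      ("OTHER_COMPARTMENT", OTHER_COMPARTMENT)]:
        read_ok, write_ok = decide(USER, obj)
        print(f"USER -> {name}: read={read_ok} write={write_ok}")
```

The audit-log case shows how an integrity policy protects a log from modification by ordinary users while still letting them read it: the log's integrity level dominates the user's, so a write fails the Biba *-property even though the sensitivity labels are equal. The "no read down" rule used here is the strict Biba form; real systems, including ones that pair Biba with a subtype mechanism as described below, may relax it for specific object types, so treat the read rule as the textbook variant rather than the product's exact behaviour.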

Individual accountability is provided with an auditing capability. Data scavenging is prevented through residual data protection mechanisms. A trusted path mechanism is provided by the implementation of a Secure Attention Key (SAK), which provides trusted communications between users and the system.

The separation of administrator and operator roles is enforced using the integrity policy. The system enforces the "principle of least privilege" (i.e., users should have no more authorization than that required to perform their functions) for administrator and operator roles. All actions performed by privileged (and normal) users can be audited. The audit log is protected from modification using integrity and subtype mechanisms. STOP also provides an alarm mechanism to detect the accumulation of events that indicate an imminent violation of the security policy.

STOP was designed from the ground up with strong internal architectural characteristics to resist penetration and minimize the chance of bugs. STOP uses hardware privilege level and memory protection mechanisms to protect itself from tampering and to isolate processes from one another.

STOP consists of the TOE Security Functions (TSF) software and a body of untrusted application code and commands. The TSF consists of the hardware and four major software components:

  • the Security Kernel, which operates in the most privileged domain and provides all mandatory, subtype, and a portion of the discretionary, access control;
  • the TSF System Services, which operate in the next-most-privileged domain, implement a hierarchical file system, support user I/O, and implement the remaining discretionary access control;
  • Operating System Services (OSS), which operates in a less privileged domain and provides the Linux-like interfaces; and
  • Trusted Software, which provides the remaining security services and user commands.

The XTS-400 is available on Intel Pentium III and the Xeon (P4) based server class systems, available in tower, and rack-mount chassis. All components are commercial-off-the-shelf (COTS). The XTS-400 uses specific Intel-brand motherboards and industry standard ISA or PCI peripheral cards or chips built into the motherboard.

In addition to more basic components, the evaluated configuration allows:

  • CD-ROM drive
  • 4mm DAT tape drive
  • PC card readers
  • Add-in Ethernet cards
  • Add-in SCSI host adapters
  • parallel, PCL-5 printer
  • serial terminal
  • touchpads
  • flat panel displays

