Security Testing and Evaluation Labs
Security Evaluation Laboratory (SEL)
DigitalNet: XTS-400 STOP 6.0.E
The XTS-400 is a product of DigitalNet (formerly Getronics Government Solutions, LLC).
It includes STOP 6.0, a multitasking operating system that
supports both a mandatory sensitivity policy and a mandatory integrity
policy. It provides 16 hierarchical sensitivity levels, 64 non-hierarchical sensitivity
categories, eight hierarchical integrity levels, and 16 non-hierarchical integrity categories.
Some of the hierarchical integrity levels are used by the system to provide role
separation, and the others are available to users. The combination of mandatory
sensitivity hierarchical and non-hierarchical levels is called the Mandatory Access
Control (MAC) label. The combination of mandatory integrity hierarchical and non-hierarchical
levels is called the Mandatory Integrity Control (MIC) label. The system
also supports a discretionary access control policy.
The TOE includes the XTS-400 hardware, which consists of commercially available hardware
products. The XTS-400 is a 32-bit, demand-paging, time-sharing, single processor
system. Separation of data is accomplished by a combination of hardware and software.
The components of the TOE Security Functions (TSF) are:
- Security Kernel, which operates in the most privileged ring and provides
all mandatory and a portion of the discretionary access control;
- TSF System Services (TSS), which operates in the next-most-privileged
ring, and implements a hierarchical file system, supports user I/O, and
implements the remaining discretionary access control;
- Operating System Services (OSS), which provides the Linux Interface
Application Domain; and
- Trusted Software.
Software Components
The Security Kernel software occupies Ring 0, the innermost and most privileged of the four rings, and
performs all Mandatory Access Control (MAC) and Mandatory Integrity Control (MIC).
The kernel provides a virtual process environment, which isolates one process from
another. The kernel implements a variation of the reference monitor concept. When a
process requests access to an object, the kernel performs the access checks, and, given
that the checks pass, maps the object into the process' address space. Subsequent accesses
are mediated by the hardware. The Security Kernel also provides I/O services and an Inter-process Communication (IPC) message mechanism. The Security Kernel is part of
every process' address space and is protected by the ring structure supported by the
hardware.
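The label structure described above (16 sensitivity levels with 64 categories, 8 integrity levels with 16 categories) and the kernel's reference-monitor check can be modelled compactly. The following is an added example, not XTS-400 or STOP 6.0 code; it assumes the standard Bell-LaPadula rules for sensitivity (read down, write up) and Biba rules for integrity (read up, write down), which this summary does not spell out, and the sample labels are constructed for illustration. It generalises the page's description to a small lattice checker for any MAC/MIC pair.

```python
"""Model of MAC (sensitivity) and MIC (integrity) label checks as a reference monitor.

Added illustration; not the XTS-400 / STOP 6.0 implementation. Dominance rules are
the textbook Bell-LaPadula (sensitivity) and Biba (integrity) ones, an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Iterable

# Label space sizes as stated in the evaluation summary.
SENS_LEVELS, SENS_CATEGORIES = 16, 64
INTEG_LEVELS, INTEG_CATEGORIES = 8, 16


class Access(Enum):
    READ = "read"
    WRITE = "write"


@dataclass(frozen=True)
class Label:
    """One hierarchical level plus a set of non-hierarchical categories."""
    level: int
    categories: frozenset[int]

    def dominates(self, other: Label) -> bool:
        """Lattice order: at least as high a level and a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


def _label(level: int, categories: Iterable[int], levels: int, ncats: int) -> Label:
    cats = frozenset(categories)
    if not 0 <= level < levels:
        raise ValueError(f"level {level} outside 0..{levels - 1}")
    bad = sorted(c for c in cats if not 0 <= c < ncats)
    if bad:
        raise ValueError(f"categories {bad} outside 0..{ncats - 1}")
    return Label(level, cats)


def mac_label(level: int, categories: Iterable[int] = ()) -> Label:
    return _label(level, categories, SENS_LEVELS, SENS_CATEGORIES)


def mic_label(level: int, categories: Iterable[int] = ()) -> Label:
    return _label(level, categories, INTEG_LEVELS, INTEG_CATEGORIES)


@dataclass(frozen=True)
class Labels:
    """MAC and MIC labels carried by a subject (process) or an object (file)."""
    mac: Label
    mic: Label


def mac_permits(subject: Labels, obj: Labels, access: Access) -> bool:
    # Sensitivity: read only what you dominate; write only to what dominates you.
    if access is Access.READ:
        return subject.mac.dominates(obj.mac)
    return obj.mac.dominates(subject.mac)


def mic_permits(subject: Labels, obj: Labels, access: Access) -> bool:
    # Integrity: read only from equal-or-higher integrity; write only to equal-or-lower.
    if access is Access.READ:
        return obj.mic.dominates(subject.mic)
    return subject.mic.dominates(obj.mic)


def kernel_check(subject: Labels, obj: Labels, access: Access) -> bool:
    """Reference-monitor decision: both mandatory policies must permit the access."""
    return mac_permits(subject, obj, access) and mic_permits(subject, obj, access)


def permitted_modes(subject: Labels, obj: Labels) -> frozenset[Access]:
    """Modes the kernel may map the object with; later accesses are hardware-mediated."""
    return frozenset(a for a in Access if kernel_check(subject, obj, a))


# Constructed sample labels (hypothetical, not taken from the evaluation).
UNTRUSTED_USER = Labels(mac_label(3, {5}), mic_label(3))       # untrusted: integrity 3
SYSTEM_BINARY = Labels(mac_label(0), mic_label(6))             # low sensitivity, high integrity
HIGHER_LOG = Labels(mac_label(7, {5}), mic_label(3))           # more sensitive than the user
OWN_SCRATCH = Labels(mac_label(3, {5}), mic_label(3))          # same labels as the user
COMPARTMENTED = Labels(mac_label(3, {5, 9}), mic_label(5))     # extra category, higher integrity

if __name__ == "__main__":
    for name, obj in [("system binary", SYSTEM_BINARY), ("higher log", HIGHER_LOG),
                      ("own scratch", OWN_SCRATCH), ("compartmented", COMPARTMENTED)]:
        modes = sorted(a.value for a in permitted_modes(UNTRUSTED_USER, obj))
        print(f"{name:14s}: {modes or 'no access'}")
```

Note that the two policies deny independently: the compartmented object is unreadable because the subject lacks category 9 (MAC), and unwritable because its integrity level is above the subject's (MIC). The higher-sensitivity log admits only a blind write-up, which is why audit trails under a MAC policy are typically appended to rather than read by untrusted processes.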
The TSS software executes in Ring 1. TSS provides trusted system services required by
both trusted and untrusted processes. In XTS-400, Version 6.0, the Kernel, TSS and OSS
are responsible for the creation and loading of trusted and untrusted programs,
respectively. TSS software enforces the Discretionary Access Control (DAC)
policy to file system objects.
OSS executes in Ring 2 and provides a Linux-like UNIX interface for user-written,
trusted and untrusted software applications. The purpose of OSS is to hide the multilevel
security execution environment from software running in the Application Domain
(Ring 3).
Ring 3 is the Application Domain, in which all applications, both trusted and untrusted,
execute. Software is considered trusted in XTS-400, Version 6.0 if it performs functions
upon which the system depends to enforce the security policy (e.g., the establishment of
user authorization). This determination is based on integrity level and privileges.
Untrusted software runs at Integrity Level 3 or lower. Some processes require privileges to perform
their functions. An example of a process that requires privileges is the Secure Server,
which needs access to the User Access Authentication database, kept at system high
access level, while establishing a session for a user at another security level.
The multilevel secure XTS-400, Version 6.0 is designed to provide a high level of
security for many environments, including applications that may filter the
information according to rules based upon the security policies required by the site. The
system supports both a mandatory sensitivity policy and a mandatory integrity policy. It
provides hierarchical sensitivity levels, non-hierarchical sensitivity categories,
hierarchical integrity levels, and non-hierarchical integrity categories. The system
provides for user identification and authentication used for policy enforcement through
user identifiers and passwords, and individual accountability through its auditing
capability. Data scavenging is prevented through the control of object reuse. The trusted
path mechanism is provided by the implementation of a Secure Attention Key (SAK). The
separation of administrator and operator roles is enforced through integrity protected
operations.
Hardware Overview
The XTS-400, Version 6.0 is designed to be hosted on Intel Pentium III (or higher) based
server class systems. The i386-family Intel Pentium® III (or greater) processor, upon which the
XTS-400 is based, incorporates its own ring protection mechanism supporting four
rings, descriptor privilege levels, gate descriptors, segment attributes (read, write,
execute), and call/return instructions. The privilege level (PL) protection mechanism
ranges from PL0 (the most privileged) to PL3 (the least privileged).
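The hardware mediation that the ring structure provides, and that the kernel relies on once an object has been mapped, can be shown with a small model of the IA-32 privilege checks. This is an added example, not XTS-400 code or Intel's own logic: it encodes the documented rules for data-segment access (the effective privilege max(CPL, RPL) must be numerically no greater than the segment's DPL) and for transfers through a call gate (the caller must satisfy the gate's DPL and the target code segment must be at least as privileged as the caller), simplified by leaving out conforming code segments and I/O privilege. The ring assignment of the four STOP layers follows the description above; the segment names are constructed.

```python
"""Simplified model of the four-ring IA-32 privilege checks the XTS-400 builds on.

Added illustration, not XTS-400 code. Ring numbers: PL0 most privileged, PL3 least.
"""
from dataclasses import dataclass

# How STOP 6.0 places its layers on the four hardware rings (from the description above).
RING_KERNEL, RING_TSS, RING_OSS, RING_APP = 0, 1, 2, 3


def _check_ring(pl: int) -> None:
    if not 0 <= pl <= 3:
        raise ValueError(f"privilege level {pl} outside PL0..PL3")


def data_access_allowed(cpl: int, rpl: int, dpl: int) -> bool:
    """Data segment access: effective privilege max(CPL, RPL) must be <= DPL.

    A caller cannot gain privilege by lowering RPL, and a privileged layer that
    uses a selector with RPL = 3 on a user's behalf is held to the user's level.
    """
    for pl in (cpl, rpl, dpl):
        _check_ring(pl)
    return max(cpl, rpl) <= dpl


def call_gate_allowed(cpl: int, rpl: int, gate_dpl: int, target_dpl: int) -> bool:
    """Control transfer through a call gate to a non-conforming code segment.

    The caller must satisfy the gate's DPL, and the gate may only lead to code
    that is at least as privileged as the caller (a ring transition inward).
    """
    for pl in (cpl, rpl, gate_dpl, target_dpl):
        _check_ring(pl)
    return max(cpl, rpl) <= gate_dpl and target_dpl <= cpl


@dataclass(frozen=True)
class Segment:
    name: str
    dpl: int


# Constructed data segments, one per STOP layer.
SEGMENTS = (
    Segment("kernel data", RING_KERNEL),
    Segment("TSS data", RING_TSS),
    Segment("OSS data", RING_OSS),
    Segment("application data", RING_APP),
)


def reachable_data(cpl: int) -> list[str]:
    """Segments a process at ring `cpl` can touch directly (RPL equal to CPL)."""
    return [s.name for s in SEGMENTS if data_access_allowed(cpl, cpl, s.dpl)]


if __name__ == "__main__":
    for ring in range(4):
        print(f"PL{ring}: {reachable_data(ring)}")
    # An application (PL3) cannot read kernel data, but may enter the kernel
    # through a gate whose DPL is 3 (a hypothetical system-call gate).
    print("app -> kernel data:", data_access_allowed(RING_APP, RING_APP, RING_KERNEL))
    print("app -> kernel via gate:", call_gate_allowed(RING_APP, RING_APP, 3, RING_KERNEL))
```

The second check is what makes the reference monitor enforceable: an application in Ring 3 has no path to kernel data except through a gate the kernel itself published, so every access that was not mapped at check time is refused by the processor rather than by software.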