com (Jon Spencer) writes:
: (1) B1 is not much better than C2.
B1 systems are designed and built to contain mandatory access control
mechanisms. C2 is not. This is the crucial difference.
: (2) The strengths of B2 and above are related to the high assurance issues
: rather than to the features. At B2 you have a very good expectation
: that the system actually works like it is supposed to. After that, you
: must determine if the high assurance features really address the
: threats in your environment.
Most of the "high assurance" effort revolves around protecting secrets
from being leaked by subverted software. This is not a major security
threat to Internet servers and firewalls. Therefore, much of the high
assurance spent on typical TCSEC systems is irrelevant to commercial
On the other hand, mandatory protection can *unconditionally* protect
some portions of the system from direct access or modification by
other portions. For example, executables or readable file contents can
be protected from modification. Or network interfaces going to a
sensitive network can be protected from access by software serving
users on the Internet. This is very useful in commercial
: I would also argue the issue that TCSEC strictly addressed the military.
True. But there's a nugget there -- mandatory protection -- that we
need if we need to keep a system intact while serving potentially
hostile consumers. It's a real alternative to sacrificial hosts.
com secure computing
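The mandatory-versus-discretionary distinction argued above, as an added example that is not part of the original post: a toy type-enforcement check in which an Internet-facing server process, even as owner of its own executable, cannot modify it or reach the sensitive network interface, because the mandatory policy is evaluated independently of the discretionary permission bits. All domain and type names (internet_server_d, server_exec_t, sensitive_nic_t) and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    uid: int
    domain: str   # mandatory label; fixed by policy, not changeable by the process

@dataclass(frozen=True)
class Obj:
    name: str
    owner_uid: int
    mode: int     # discretionary permission bits, e.g. 0o755
    label: str    # mandatory label

# Constructed mandatory policy: which (domain, label) pairs may perform which
# operations. Any pair not listed is denied, whatever the mode bits say.
MAC_POLICY = {
    ("internet_server_d", "public_content_t"): {"read"},
    ("internet_server_d", "server_exec_t"):    {"read", "execute"},
    ("internet_server_d", "public_nic_t"):     {"read", "write"},
    ("admin_d", "server_exec_t"):              {"read", "write"},
    ("admin_d", "sensitive_nic_t"):            {"read", "write"},
}
_BIT = {"read": 4, "write": 2, "execute": 1}

def dac_allows(subj, obj, op):
    """Unix-style discretionary check: owner bits if subj owns obj, else 'other' bits.
    Toy model: no group bits and no root override."""
    shift = 6 if subj.uid == obj.owner_uid else 0
    return bool((obj.mode >> shift) & _BIT[op])

def mac_allows(subj, obj, op):
    """Mandatory check: the process cannot relabel itself or the object."""
    return op in MAC_POLICY.get((subj.domain, obj.label), set())

def access(subj, obj, op):
    """Return (granted, reason); a mandatory denial wins even if DAC would allow."""
    if not mac_allows(subj, obj, op):
        return False, "mac"
    if not dac_allows(subj, obj, op):
        return False, "dac"
    return True, "ok"

# Constructed sample: a server process that owns its own executable (DAC would
# let it overwrite that file), plus a public and a sensitive network interface.
SERVER = Subject("httpd", uid=1000, domain="internet_server_d")
SERVER_EXEC = Obj("/usr/sbin/httpd", owner_uid=1000, mode=0o755, label="server_exec_t")
SENSITIVE_NIC = Obj("eth1 (internal net)", owner_uid=0, mode=0o666, label="sensitive_nic_t")
PUBLIC_NIC = Obj("eth0 (Internet)", owner_uid=0, mode=0o666, label="public_nic_t")
```

Running `access(SERVER, SERVER_EXEC, "write")` reports a mandatory denial even though `dac_allows` returns True for the same request, which is the "unconditional" protection the post describes.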