Trusted IRIX™/CMW Security Features
User’s Guide

007-3300-005

CONTRIBUTORS
Written by Jeffrey B. Zurschmeide and Karen Johnson and updated by Terry Schultz
Production by Glen Traefald

COPYRIGHT
© 2000, 2003 Silicon Graphics, Inc. All rights reserved. The contents of this document may not be copied or duplicated in any manner, in whole
or in part, without the prior written permission of Silicon Graphics, Inc.

LIMITED AND RESTRICTED RIGHTS LEGEND
The electronic (software) version of this document was developed at private expense; if acquired under an agreement with the USA government
or any contractor thereto, it is acquired as "commercial computer software" subject to the provisions of its applicable license agreement, as
specified in (a) 48 CFR 12.212 of the FAR; or, if acquired for Department of Defense units, (b) 48 CFR 227-7202 of the DoD FAR Supplement; or
sections succeeding thereto. Contractor/manufacturer is Silicon Graphics, Inc., 1600 Amphitheatre Pkwy 2E, Mountain View, CA 94043-1351.

TRADEMARKS AND ATTRIBUTIONS
Silicon Graphics, SGI, the SGI logo, and IRIX are registered trademarks and Trusted IRIX/CMW is a trademark of Silicon Graphics, Inc., in the
United States and/or other countries worldwide.
Sun and RPC are registered trademarks of Sun Microsystems, Inc. UNIX and the X Window System are registered trademarks of The Open Group
in the United States and other countries.
Cover design by Sarah Bolles, Sarah Bolles Design, and Dany Galgani, SGI Technical Publications.

New Features in This Guide

This rewrite of the Trusted IRIX/CMW Security Features User’s Guide supports the Trusted
IRIX/CMW operating system as of the 6.5.22 release.

Major Documentation Changes
This guide includes the following changes:
• Updated information in “Related Publications” on page xvii.
• Corrected information in the last code example in “Identifying System Security Options from within a Compiled Program” on page 52.

Record of Revision

Version   Date              Description
001       September 1996    Original publication.
002       July 1998         Second revision.
003       April 2000        Updated to support the Trusted IRIX/CMW 6.5.8 release.
004       August 2003       Updated to support the Trusted IRIX/CMW 6.5.21 release.
005       November 2003     Updated to support the Trusted IRIX/CMW 6.5.22 release.

Contents

New Features in This Guide . . . iii
Record of Revision . . . v
Figures . . . xi
Tables . . . xiii

About This Guide . . . xv
    Who Should Read This Guide . . . xv
    Accompanying Documentation . . . xv
    What This Guide Contains . . . xvi
    How to Use This Guide . . . xvii
    Related Publications . . . xvii
    Obtaining Publications . . . xviii
    IRIX Man Pages . . . xix
    Conventions Used in This Guide . . . xx
    Reader Comments . . . xxi

1. Introduction to Trusted IRIX/CMW . . . 1
    Trusted IRIX/CMW Product Overview . . . 2
    What Is a Trusted System . . . 2
    Why Use a Trusted System . . . 4
    Why Use Trusted IRIX/CMW . . . 4
    Trusted IRIX/CMW Security Features . . . 5
    Identification and Authentication . . . 6
    Mandatory Access Control . . . 7
    Discretionary Access Control . . . 9
    System Audit Trail . . . 10
    Object Reuse Policy . . . 10
    TSIX Session Manager . . . 11
    Data Import/Export Restrictions . . . 11

2. Understanding Access Control . . . 13
    Discretionary Access Control . . . 14
    Using Discretionary Access Control . . . 14
    Access Control Lists . . . 18
    Setting Directory Default ACLs with chacl . . . 19
    Text Form for ACLs . . . 19
    Mandatory Access Control . . . 22
    Mandatory Sensitivity . . . 22
    Mandatory Integrity . . . 23
    Label Domination and Equivalence . . . 24
    Using MAC Labels . . . 26
    Changing Your Security Label . . . 26
    Changing the Label of a File . . . 27
    Determining the Label of a File . . . 27
    Multilevel Directories . . . 28
    Mail . . . 28
    Using Aliases for Labels . . . 28

3. Understanding System Access . . . 31
    Interactive Desktop under Trusted IRIX/CMW . . . 32
    Window Appearance and Behavior . . . 32
    Trusted Path Window . . . 33
    Application Behavior . . . 34
    Logging In Using the CMW Dialog . . . 35
    Logging Out Using the GUI . . . 37
    Logging In Using Telnet or Serial Terminals . . . 37
    Determining the Identity and Security Features of a System . . . 38
    Identifying the System from a Shell . . . 38
    Identifying the System Security Options with a Program . . . 39
    Passwords Under Trusted IRIX/CMW . . . 39

4. Importing and Exporting Data . . . 41
    Printing under Trusted IRIX/CMW . . . 42
    Using Tape Devices . . . 42
    Magnetic Tape Backups with tar . . . 43
    Magnetic Tape Backups with xfsdump . . . 43
    Using CD-ROM Devices . . . 44

5. Understanding Auditing . . . 45
    System Audit Trail . . . 45

6. Programming in a Trusted Environment . . . 47
    Guidelines . . . 48
    Trusted IRIX/CMW System and Library Calls . . . 48
    Identifying System Security Options from within a Compiled Program . . . 52

A. Glossary of Computer Security Terms . . . 53

Index . . . 91

Figures

Figure 1-1    Basic Trusted IRIX/CMW Security Label Structure . . . 8
Figure 3-1    X11 Window Labeled userlow . . . 32
Figure 3-2    Trusted Path Window . . . 35
Figure 3-3    CMW Login Dialog Window . . . 36
Figure A-1    Data Structure of a Security Label . . . 81

Tables

Table i       Outline of Man Page Organization . . . xx
Table 2-1     Sample Label Relationships . . . 25
Table 6-1     Trusted IRIX/CMW System and Library Calls . . . 48

About This Guide

“About This Guide” includes brief descriptions of the contents of this guide and an
explanation of the typographical conventions used, and refers you to additional sources
of information you might find helpful.
This guide explains how to use the Trusted IRIX/CMW (Compartmented Mode
Workstation) operating system with SGI workstations and servers. It provides
descriptions of those user tasks that are specific to this version of the operating system.
If you have a graphics workstation, you should be familiar with the user documentation
of the standard IRIX operating system, on which this product is based. See the
SGI_EndUser bookshelf in your online documentation system.

Who Should Read This Guide
You should read this guide if you have never used a secure system before or if you are
using Trusted IRIX/CMW for the first time.

Accompanying Documentation
To administer and use the Trusted IRIX/CMW operating system, you must have the set
of standard IRIX documentation in addition to the Trusted IRIX/CMW release. In
addition to this manual the following documentation is included:
Trusted IRIX/CMW Security Administration Guide
This manual describes how to administer your Trusted IRIX/CMW site.
Release Notes
This document describes how to install the release and any known
problems with the implementation.

What This Guide Contains
This guide contains the following chapters:
Chapter 1, “Introduction to Trusted IRIX/CMW”
Provides an overview of Trusted IRIX/CMW.
Chapter 2, “Understanding Access Control”
Provides information on the mandatory and discretionary access control
features of Trusted IRIX/CMW.
Chapter 3, “Understanding System Access”
Describes the tasks and procedures necessary to successfully log in and
keep passwords current.
Chapter 4, “Importing and Exporting Data”
Provides information on the security requirements and features relating
to media and data import and export generally.
Chapter 5, “Understanding Auditing”
Describes the auditing features and the user’s responsibilities with
respect to an audited environment.
Chapter 6, “Programming in a Trusted Environment”
Provides information on programming practices in a trusted
environment.
Appendix A, “Glossary of Computer Security Terms”
Provides a glossary of computer security terms and concepts used in
these guides and elsewhere.

How to Use This Guide
The Trusted IRIX/CMW Security Features User’s Guide is written for end users of Trusted
IRIX/CMW systems. Frequently, people who would consider themselves end users find
themselves performing advanced administrative tasks. For those individuals, the Trusted
IRIX/CMW Security Administration Guide has been prepared to help both new and
experienced administrators successfully perform all operations necessary to configure
and maintain CMW security on Trusted IRIX/CMW systems.

Related Publications
The following documents contain additional information that may be helpful:

• IRIX Admin: Software Installation and Licensing—Explains how to install and license software that runs under the IRIX operating system, the SGI implementation of the UNIX operating system. Contains instructions for performing miniroot and live installations using the inst command. Identifies the licensing products that control access to restricted applications running under IRIX and refers readers to licensing product documentation.
• IRIX Admin: Disks and Filesystems—Explains disk, filesystem, and logical volume concepts. Provides system administration procedures for SCSI disks, XFS and EFS filesystems, XLV logical volumes, and guaranteed-rate I/O.
• IRIX Admin: Networking and Mail—Describes how to plan, set up, use, and maintain the networking and mail systems, including discussions of sendmail, UUCP, SLIP, and PPP.
• IRIX Admin: Backup, Security, and Accounting—Describes how to back up and restore files, how to protect your system’s and network’s security, and how to track system usage on a per-user basis.
• IRIX Admin: Resource Administration—Provides an introduction to system resource administration and describes how to use and administer various IRIX resource management features, such as IRIX process limits, IRIX job limits, the Miser Batch Processing System, the Cpuset System, Comprehensive System Accounting (CSA), IRIX memory usage, and Array Services.
• IRIX Admin: Peripheral Devices—Describes how to set up and maintain the software for peripheral devices such as terminals, modems, printers, and CD-ROM and tape drives. Also includes specifications for the associated cables for these devices.
• Desktop User’s Guide—Provides step-by-step instructions for completing essential tasks, such as printing files, finding files, and running applications; describes techniques and shortcuts; and serves as a general reference for commands and menus.
• IRIX Checkpoint and Restart Operation Guide—Describes how to use and administer IRIX Checkpoint and Restart (CPR) and how to develop applications that can be safely checkpointed and restarted.
• MIPSpro Compiling and Performance Tuning Guide—Describes the MIPSpro compiler system, other programming tools and interfaces, and ways to improve program performance.
• NIS Administrator’s Guide—Documents the SGI implementation of the network information service NIS, which provides location information about network entities to other network services, such as NFS.
• Personal System Administration Guide—Describes the responsibilities of the system administrator for an SGI workstation, and provides details on the various tools and utilities available for system administrators.
• Performance Co-Pilot for IRIX User’s and Administrator’s Guide—Describes how to administer the Performance Co-Pilot (PCP) software package.
• Performance Co-Pilot for IRIX Advanced User’s and Administrator’s Guide—Describes the Performance Co-Pilot (PCP) software package of advanced performance tools for the SGI family of graphical workstations and servers.

These books have been written for standard IRIX. Where they differ from information in
this book and in the Trusted IRIX/CMW Security Administration Guide, the Trusted
IRIX/CMW books should be considered authoritative.

Obtaining Publications
You can obtain SGI documentation in the following ways:
See the SGI Technical Publications Library at http://docs.sgi.com. Various formats are
available. This library contains the most recent and most comprehensive set of online
books, release notes, man pages, and other information.
If it is installed on your SGI system, you can use InfoSearch, an online tool that provides
a more limited set of online books, release notes, and man pages. With an IRIX system,
select Help from the Toolchest, and then select InfoSearch. Or you can type
infosearch on a command line.
You can also view release notes by typing either grelnotes or relnotes on a
command line.
You can also view man pages by typing man  on a command line.

IRIX Man Pages
The IRIX reference pages (often called “man” or “manual” pages) provide concise
reference information on the use of IRIX commands, subroutines, and other elements
that make up the IRIX operating system. This collection of entries is one of the most
important references for an administrator. Generally, each reference page covers one
command, although some reference pages cover several closely related commands.
The IRIX reference pages are available online through the man command. To view a
reference page, use the man command at the shell prompt. For example, to see the
reference page for diff, enter
man diff

It is a good practice to print those man pages you consistently use for reference and those
you are likely to need before major administrative operations and keep them in a
notebook of some kind.
Each command, system file, or other system object is described on a separate page. The
reference pages are divided into seven sections, as shown in Table i. When referring to
reference pages, this document follows a standard UNIX convention: the name of the
command is followed by its section number in parentheses. For example, cc(1) refers to
the cc reference page in Section 1.


Table i shows the reference page sections and the types of reference pages that they
contain.
Table i       Outline of Man Page Organization

Type of Man Page                  Section Number
General Commands                  (1)
Administrator Commands            (1M)
System Calls and Error Numbers    (2)
Library Subroutines               (3)
File Formats                      (4)
Miscellaneous                     (5)
Demos and Games                   (6)
Special Files                     (7)

Conventions Used in This Guide
These type conventions and symbols are used in this guide:

command       This fixed-space font denotes literal items such as commands, files, routines, pathnames, signals, messages, and programming language structures.
variable      Italic typeface denotes variable entries and words or concepts being defined.
user input    This bold, fixed-space font denotes literal items that the user enters in interactive sessions. Output is shown in nonbold, fixed-space font.
[]            Brackets enclose optional portions of a command or directive line.
manpage(x)    Man page section identifiers appear in parentheses after man page names.
""            (Double quotation marks) References in text to document section titles.
#             IRIX shell prompt for the superuser (root).
%             IRIX shell prompt for users other than superuser.
()            (Parentheses) Following function names, these surround function arguments or are empty if the function has no arguments.
>>            Command Monitor prompt
>             Cascading menu options: File > Delete

This guide uses the standard UNIX convention for citing man pages in IRIX
documentation. The page name is followed by the section number in parentheses. For
example, rcp(1C) refers to the rcp online man page.

Reader Comments
If you have comments about the technical accuracy, content, or organization of this
document, please tell us. Be sure to include the title and document number of the manual
with your comments. (Online, the document number is located in the front matter of the
manual. In printed manuals, the document number can be found on the back cover.)
You can contact SGI in any of the following ways.
• Send e-mail to the following address: techpubs@sgi.com
• Use the Feedback option on the Technical Publications Library World Wide Web page: http://docs.sgi.com
• Contact your customer service representative and ask that an incident be filed in the SGI incident tracking system.
• Send mail to the following address:
  Technical Publications
  SGI
  1600 Amphitheatre Pkwy., M/S 535
  Mountain View, California 94043-1351
• Send a fax to the attention of “Technical Publications” at +1 650 932 0801.

SGI values your comments and will respond to them promptly.

Chapter 1

1. Introduction to Trusted IRIX/CMW

This user’s guide has been designed to introduce you to working with secure systems,
and in particular with the SGI Trusted IRIX/CMW (Compartmented Mode Workstation)
system. This guide provides information on how to maintain system integrity by using
security features. It also describes the various modifications and additions made to
standard IRIX that make this system secure.
This chapter introduces you to the basic concepts, terms, and features of a trusted system,
and explains security procedures and mechanisms. It includes the following sections:

• “Trusted IRIX/CMW Product Overview” on page 2
• “Trusted IRIX/CMW Security Features” on page 5
• “TSIX Session Manager” on page 11
• “Data Import/Export Restrictions” on page 11

Trusted IRIX/CMW Product Overview
This section introduces you to the basic concepts, terms, and security procedures and
mechanisms of a trusted system.

What Is a Trusted System
Operating systems that attempt to provide a secure environment for the development
and storage of sensitive information are known as trusted systems. In an abstract sense,
no system is ever perfectly secure from harm, so we use the term trusted rather than
secure. A trusted system can be thought of as any system that fits the following criteria:
• The system allows all users to do their ordinary and necessary work without difficulty.
• The system enforces the security policy deemed by the management to be appropriate to the site.

The first criterion is the most important. If users are unable to do their ordinary and
necessary work, they either will circumvent the security measures or they will not use
the system at all. In either case, the trusted system is rendered useless. Many users are
concerned that they will not be able to do their work in a trusted environment. A good
site administration plan structures a trusted system so that the user is relatively
unaffected by its functioning. Ideally, users should be able to perform all their tasks and
only see the trusted features of the operating system when necessary.
The second criterion requires that the system have adequate security features to enforce
the site security policy set forth by the management. Trusted IRIX/CMW offers a variety
of security measures that are sufficient to satisfy most sites. These measures are as
follows:
Access Control Lists
An Access Control List (ACL) allows the owner of a file or directory to
make a specific list of users and user groups and the specific permissions
each one is allowed to the file or directory. ACLs are a standard feature
of IRIX.
Auditing
The audit subsystem allows the system administrator to keep a precise
log of all system activity. Auditing is a standard feature of IRIX.

Capability
A capability is a discrete unit of privilege that can be assigned to a
process and allows the process to override a set of related system
restrictions.

Capability-based Privilege Mechanism
This is the mechanism through which a privilege is determined based on
the set of effective capabilities in a process. Also, it is the mechanism
through which capabilities are assigned to a process or an executable
file, and through which a process manages its capabilities.
Discretionary Access Control
Discretionary Access Control (DAC) is the standard IRIX system of file
and directory permissions.
Identification and Authentication
Trusted IRIX/CMW has improved user identification and
authentication facilities that ensure the integrity of system passwords
and help to ensure that only authorized users are granted access to the
system.
Mandatory Access Control
The Mandatory Access Control (MAC) facility allows the system
administrator to assign security classification labels to files and
directories and security clearance labels to users. This is in addition to
the Access Control Lists, Capabilities, and Discretionary Access
Controls available on the system.
Mandatory Integrity
This is a part of the Mandatory Access Control system that covers an
integrity requirement. It allows the system administrator to limit the
ability of highly trusted users to access files and programs that are not
absolutely secure and trusted.
Mandatory Sensitivity
This is a part of Mandatory Access Control that allows the system
administrator to restrict access to files, directories, and programs
according to security clearance requirements.
Privileges

Privilege is the ability to override system restrictions. This ability is
based on an authority that is specific to the privilege mechanism or
mechanisms in use by a given site.

Superuser-based Privilege Mechanism
This is the mechanism through which the IRIX system associates
privilege with the root user identity.


Why Use a Trusted System
The Trusted IRIX/CMW system is designed to address the three fundamental issues of
computer security: policy, accountability, and assurance. By fully addressing these areas,
the system becomes a trustworthy base for secure development and business. Because
the nature of a trusted system is already constrained, little must be trusted beyond the
system itself. When you run your application programs on the system, you have a
reasonable certainty that your applications will be free from corruption and safe from
intruders.
CMW stands for Compartmented Mode Workstation, which means that your individual
windows and processes running simultaneously need not all be at the same MAC label.
This “compartmentalization” of windows and processes adds greatly to the usability of
the system. In all other ways, the system conforms to the standard Trusted Computer
System Evaluation Criteria (TCSEC) B3 feature set, but with assurance of security at the B1 level.
The most important security aspect of the system is a clear definition of the site security
policy with respect to all the trusted system features listed in “What Is a Trusted System”
on page 2. To accomplish this, all system objects have been examined and altered to close
potential security holes and determine a basic clearance level. This examination and
revision process ensures the integrity and security of the distributed system.
Another highly important security aspect is assurance. A secure system design must be
inspected and approved by a competent agency. Trusted IRIX/CMW supports all
security requirements for B1 assurance and CMW systems as set forth by the National
Computer Security Center (NCSC) and all feature requirements through the TCSEC B3
level.

Why Use Trusted IRIX/CMW
Trusted IRIX/CMW is a significant improvement over conventional trusted operating
systems derived from the standard UNIX kernel. While secure operating systems
necessarily compartmentalize user interactions, the system need not be hostile to
experienced or novice users.
Trusted IRIX/CMW is fully integrated with standard IRIX. IRIX is the SGI
implementation of the UNIX System V Operating System. Trusted IRIX/CMW is an
add-on, developed to conform to the functional requirements set forth in the U.S.
National Computer Security Center (NCSC) Orange Book for an A1-level trusted
operating system. The Orange Book is a common name for the 5200.28-STD Department
of Defense (DoD) Trusted Computer Systems Evaluation Criteria. Trusted IRIX/CMW
will be evaluated at the B1 assurance level.
Ease of Use

As a modified version of an existing operating system, many of the underlying features
of Trusted IRIX/CMW have withstood the test of time. Designing a system that
promoted ease of use was a paramount consideration in the creation of IRIX. SGI has a
firm commitment to visual computing, evidenced in the graphical tools provided to you
in the IRIX environment.
Greater User-Friendliness

Part of our commitment to ease of use is our commitment to user-friendliness. A
consistent and logical framework underlies the design of SGI visual desktop tools.
Better Support

SGI consistently ranks at the top or near the top in customer satisfaction polls. Customer
support, in a timely manner, has been and will continue to be a corporate goal.
Customers in the United States may contact SGI customer support at 1-800-800-4SGI.
Customers outside the United States may contact their local SGI service representative.

Trusted IRIX/CMW Security Features
The distinguishing difference between trusted systems and nontrusted systems is the
security-enhanced feature set. For CMW-level systems, this feature set includes four
main components. These components are improved identification and authentication of
users, auditing, object reuse, and access control (MAC and DAC).
As well as the required feature set, SGI has implemented the X Window System and
networking services for the trusted environment. Each component feature is described in
detail in this section.
Every trusted system has a Trusted Computing Base (TCB). The TCB is the system
hardware, the operating system program itself, and the commands, utilities, tools, and
system files that are known to be secure. This set of hardware, files, and programs is the
trusted part of a trusted system.
Within the TCB, there are subjects and objects. A subject is any active force on the system,
such as a user’s shell process, or the audit daemon, or the operating system itself. An
object is any passive resource on the system, such as a text file, a page of memory, or a
piece of system hardware.
Trusted IRIX/CMW is fully configurable to your site’s needs. You are free to select your
own security clearances, your own capabilities and access control lists, and your own
system of password protection.

Identification and Authentication
The Identification and Authentication (I&A) mechanism controls user access to the
system. In common terms, the I&A mechanism is the login procedure. This subsystem is
always active if the system is running, and it is impossible to have any contact with the
system without first logging in through the I&A system.
The improved I&A facilities of Trusted IRIX/CMW allow the administrator to be certain
that the people on the system are authorized users and that private password integrity is
maintained to the highest possible levels.
Passwords Under Trusted IRIX/CMW

Under Trusted IRIX/CMW, encrypted passwords are stored separately from other user
identification information. This separate location is hidden from normal user access, so
the process of a systematic dictionary encryption hunt for a password is precluded. User
clearance information is also stored in a hidden or shadow file. Under Trusted
IRIX/CMW, the /etc/passwd file does not contain the encrypted password; only the
shadow password file contains that information.
In response to extensions to the CMW requirements, passwords can be generated
automatically for the users under Trusted IRIX/CMW. The system administrator can
configure the system to require this feature for every password change, or it can be an
option for the user. System administrators can require passwords to be changed
regularly.

Multilevel Login

Individual users may have a range of security levels available that have been
predetermined by the administrator. The user is not always required to log in at the
highest assigned level, thus allowing the flexibility to log in at a level appropriate for a
given task. After a successful login has been established, the user may change the
clearance of his or her process during the course of the login session. When this happens,
all open file descriptors of the process are closed and all objects cleared to prevent
declassification or violation of the security policy. All changes of clearance are audited.

Mandatory Access Control
Mandatory Access Control (MAC) allows the system administrator to set up policies and
accounts that will allow each user to have full access to the files and resources he or she
needs, but not to other information and resources not immediately necessary to perform
assigned tasks. The access control is called mandatory because the system does not allow
the owner of the files to change the security classification of system objects. Also, under
MAC, access permission cannot be passed from one user to another, as under traditional
UNIX systems, which use only Discretionary Access Control. Trusted IRIX/CMW
includes both Mandatory and Discretionary Access Control, which work together to
precisely control system access.
Under Trusted IRIX/CMW, MAC is divided into two interrelated subsystems:
Mandatory Sensitivity and Mandatory Integrity. The access-control enhancements to
Trusted IRIX/CMW allow the administrator to set up levels of clearance and related
categories of files and other resources, and to assign each user a clearance (or range of
clearances). Through this system of access controls, the administrator can custom tailor
a user’s environment so that the particular user has access only to those files and
resources he or she needs to complete required tasks. If there is a breach into that user’s
account, the unauthorized user has access to very little of the site’s protected
information.
Each label used for access control has two parts: the sensitivity label and the integrity
label. Figure 1-1 shows the components of a label.

Figure 1-1 Basic Trusted IRIX/CMW Security Label Structure

Sensitivity Label Components

Sensitivity labels define the secretness or classification of files and resources and the
clearance level of users. A sensitivity label is composed of a sensitivity level and possibly
some number of sensitivity categories.
There are 256 hierarchical sensitivity levels available for the administrator to create
security classifications. In a commercial environment, this label attribute could be used
to classify, for example, levels of a management hierarchy. Each file or program has one
hierarchical sensitivity level. A user may be allowed to use several different levels, but
only one level may be used at any given time.
Over 65,000 sensitivity categories are available for files and programs. For example,
categories could include information sorted by subject matter such as geography,
demography, astronomy, and others. Each file or user can be a member of any number of
categories or of no categories.
Integrity Label Components

While the sensitivity labels identify whether a user is cleared to view certain information,
integrity labels identify whether data is reliable enough for a specific user to see. An
integrity label is composed of an integrity grade and some number of integrity divisions.
There are 256 hierarchical grades to classify the reliability of information. For example,
data could be classified as an unreliable rumor or as an absolute, confirmed fact.
There are over 65,000 divisions available to classify information based on its source. The
source implies probable integrity of the data. For example, sources of data could be
divided into Canadian Government, U.S. Government, CBS News, Hearst Publications,
and others. In the commercial environment, data sources could be Trade Shows, Press
Releases, Conversational, Dataquest, and the like.
Label Name Aliases

Label names are configurable so that specific sites can control naming conventions to
meet their special requirements. For example, the site administrator has control of name
length (within limits) and could use non-English names, if desired.
Users should only use labels that have label name aliases associated with them. A user
who wishes to use a label without a name should request the system administrator to
add one. The non-aliased representation of labels can be both verbose and confusing,
leading to possible mishandling by the unwary.
MAC Protected Passwords

Encrypted password files and user clearance data are under MAC and restricted to
administrative accounts.

Discretionary Access Control
Trusted IRIX/CMW supports the POSIX P1003.1e Draft16 definition for Access Control
Lists (ACLs). This draft standard provides for traditional file permission bits working in
concert with the more versatile ACLs. Discretionary Access Control (DAC) permissions
are defined by the user who owns the file in question. For example, if a user has a
personal file in his or her home directory, that user can set the DAC permissions to allow
no other users on the system to view, copy, or edit that file. Default DAC permissions for
newly created files are set via the umask command.
Thus, to gain access to a file that was created by another user, a user must not only have
the proper MAC clearance; the file’s owner must also have set the DAC permissions to
allow others to access it. DAC permissions should be set in accordance with site security
policies.
Default DAC permissions for newly created files depend on the umask and on any
default ACL entries found in the containing directory.


Access Control Lists

Access Control Lists (ACLs) allow users to specify on a user-by-user basis who may
access their files and directories. The purpose of this feature is to provide a finer level of
control than is allowed through traditional discretionary access control.

System Audit Trail
A foundation of Trusted IRIX/CMW is the system audit trail. The system audit trail
provides a means for the system administrator to oversee each important event taking
place on the system. The audit trail is useful for tracking changes in sensitive files and
programs and for identifying inappropriate use of the system.
The audit trail is generated by additional code in the operating system kernel that notes
specific important events, such as file creation, file changes, file removal, invocation of
programs, and the login and logout events.
The audit subsystem allows the administrator to create a dynamic record of the system’s
activity. This record allows the administrator to hold each user strictly accountable for his
or her actions. The audit system is completely configurable at any time by the audit
administrator.
Audit information must be carefully gathered and protected so that actions affecting
security can be traced to the responsible party. Trusted IRIX/CMW records the
occurrences of security-relevant events in an audit log. For each event audited, the
system records the date and time of the event, the initiating user, the type of event, the
success or failure of the event, and the name and security classification of the files or
programs used.
The auditing process is transparent to the user. It is important to recognize that when you
work on a trusted system, your actions will be audited. You should not, however, be
fearful of the auditing process. Its function is to protect you from others who may try to
use your user identity for mischief.

Object Reuse Policy
To preclude accidental disclosure of data, display memory and long-term data storage
are subject to an object reuse policy and implementation. For example, all system
memory is always automatically cleared before it is allocated to another program.
Surrendered disk space is also cleaned before it is reallocated.

TSIX Session Manager
The purpose of trusted networking is to properly label data that is imported or exported
from the system, and to appropriately enforce the system security policy on that data.
The Trusted Security Information Exchange (TSIX) standard was created to allow various
trusted operating system vendors to interoperate. Under TSIX networking, labeling
occurs at two levels. At the Network Level, IP Security Options (RIPSO or CIPSO) are
used to route traffic. At the Session Manager Level, Security Attribute Modulation
Protocol (SAMP) and Security Attribute Token Mapping Protocol (SATMP) are used to
send all the Security Attributes required to enforce security policy between systems on
the network.
You should contact your administrator to determine the level of networking support
available at your site. Some sites may have a very open networking environment with
full connection to Trusted IRIX/CMW machines, while others may not allow any
connection between trusted and untrusted systems, or even between trusted systems.
Your implementation will be unique, and can be explained to you by your administrator.

Data Import/Export Restrictions
NCSC B-level security standards indicate that label information must be preserved when
files are placed on magnetic storage media such as tapes. Trusted IRIX/CMW has
modified the tar command to include the M keyword, to maintain label information on
tape media.
Additionally, CMW standards specify that all paper output must be marked with the
label of the information printed. Trusted IRIX/CMW line printer software has been
modified to add this feature.


Chapter 2

2. Understanding Access Control

Access control is at the heart of a trusted system. Access control allows the administrators
to set up policies and accounts that allow each user to have full access to the files and
resources he or she needs, but not to other information and resources not immediately
necessary to perform assigned tasks.
Under Trusted IRIX/CMW, there are two forms of access control, called Discretionary
Access Control (DAC) and Mandatory Access Control (MAC). MAC is further divided
into two interrelated subsystems, Mandatory Sensitivity and Mandatory Integrity.
The following topics are included:
• “Discretionary Access Control” on page 14
• “Access Control Lists” on page 18
• “Mandatory Access Control” on page 22
• “Using MAC Labels” on page 26


Discretionary Access Control
Discretionary Access Control (DAC) is the name of the standard UNIX system of access
permissions that allow the user to control access to files, directories, and other system
resources. The owner of any file or other system object can control access to that object,
even by those with equal or dominating clearances, by setting the DAC permissions.
Additionally, Access Control Lists (ACLs) can be used to provide a finer granularity of
control than is provided by the traditional permission bits.
The significant difference between MAC and DAC is that DAC allows untrusted users to
control access to their own files and change that access at will. The only user who can
override those access decisions is the superuser (root). DAC fills an otherwise unmet
need for system security at the personal level. Every file on the system is subject to both
MAC and DAC. You must meet both MAC and DAC requirements to access a file.

Using Discretionary Access Control
Trusted IRIX/CMW divides permissions into three categories and users into three
relative groups. The three categories of permissions are read, write, and execute. They are
denoted as “r” for read, “w” for write, and “x” for execute in long listings of files. Read
permission allows you to look at the contents of a file. Write permission allows you to
make changes to or remove a file. Execute permission allows you to run the file as a
command from your shell prompt.
To get a long listing, enter the ls -l command at your system prompt. This command
shows you more information about the files in the directory than an ordinary listing.
Along with the permission information, the ls -l command lists the owners of the files
and the size of the files and the date they were last modified. Adding the -D
command-line option to ls displays the ACL for the file or directory as well.
The three relative groups are the owner of the file, the owner’s group, and every other
user. If you get a long listing of a directory, you see that the permissions field looks like
this: -rw-r--r-- Each character is separately significant in the permissions listing.
Starting at the left, the first character is a dash. A dash in any place means that no
permission is granted and the actions associated with that permission are denied.
However, in the leftmost place, the contents of that space describes whether the file is a
file, directory, or special device file. If there is a dash in that place, the file in question is
an ordinary file. If it is a directory, a d appears in that space. If the file is a block special
device file, a b appears in the space, and if the file is a character special device file, a c
appears there. For more complete information, consult the ls(1) man page or the
/usr/include/sys/stat.h file.
Directory Permissions

Directories use the same permissions as files, but their meanings are slightly
different. For example, read permission on a directory means that you can use the ls
command to look at the contents of that directory. Write permission allows you to add,
change, or remove files in that directory. (However, even though you may have write
permission in that directory, you must also have write permission on the individual files
to change or remove them, unless you own the directory.) Finally, execute permission on
a directory allows you to use the cd command to change directories into that directory.
File Permissions

The first series of three places in the permissions field describes the permissions for the
owner of the file. Here is an example of a long listing for a file:
-rwx------+ 1 owner grp 6680 Apr 24 16:26 shell.script

The file is not a directory, so the first space contains a dash. The characters rwx indicate that the
owner of the file, owner, has read, write, and execute permission on this file. The second
series of three spaces describes permissions for the owner’s group. In this case, the group
is grp. Suppose permissions for this file were slightly different, like this:
-rwxr-x---+ 1 owner grp 6680 Apr 24 16:26 shell.script

In this case, any member of the group grp could read or execute the file, but he or she
could not change it or remove it. All members of group grp can share a pool of files that
are individually owned. Through careful use of group read and write permissions, you
can create a set of source files that are owned by one person, but any group member can
work on them.
The third series of spaces provides for all other users on the system and is called the
public permissions.
The plus sign (+) at the end of the permission string indicates that an ACL is in effect for
this file. Use the ls -D command to view the ACL for the file. Complete discussion of
Access Control Lists is found in the section titled “Access Control Lists.”
On a large system with several groups, MAC labels do not provide the complete
coverage desired. The individual groups can tailor their working set of files by using file
permissions and ACLs to share some files. A file that is set to be readable by any user on
the system is called publicly readable. Remember that even if DAC makes a file publicly
readable, a user must still have appropriate MAC clearance to see the file.
Here is a long listing of the sample Projects directory:
total 410
drw-------+  1 owner grp 48879 Mar 29 18:10 critical
-rw-r--r--   1 owner grp  1063 Mar 29 18:10 meeting.notes
-rw-rw-rw-   1 owner grp  2780 Mar 29 18:10 new.deal
-rwxrwxrwx   1 owner grp  8169 Jun  7 13:41 new.items
-rw-rw-rw-   1 owner grp  4989 Mar 29 18:10 outside.response
-rw-------   1 owner grp 23885 Mar 29 18:10 project1
-rw-r-----   1 owner grp  3378 Jun  7 13:42 saved_mail
-rw-r--r--   1 owner grp  2570 Mar 29 18:10 schedules
-rwxrwxr-x+  1 owner grp  6680 Apr 24 16:26 shell.script

The files have varying permissions. Some can be read and written to only by the owner,
some can be read only by members of the owner’s group, and some can be read, changed,
or removed by anybody. The shell script can be executed publicly, subject to its ACL, and
the critical directory is also subject to an ACL.
Changing Permissions

You change the permissions on a file by means of the chmod command. You can use
chmod only to change files that you own. Generally, you use this command to protect
files you want to keep secret or private, to protect private directories, and to grant
permissions to files that need to be used by others. The command to restrict access to a
file or directory to yourself only is:
chmod 600 filename
chmod 700 directoryname

Other permissions may be added by using the chmod command with the letter
associated with the permission. For example, the command to add general write
permission to a file is
chmod +w filename

For more examples, see the chmod(1) reference page.
To set or change an ACL, use the chacl command:
chacl acl_entry [, acl_entry]... pathname

For more information on chacl and the acl entry syntax, see the chacl(1) reference
page and “Text Form for ACLs” on page 19.
Setting Permissions with umask

You can assign default permissions to your files by using the umask command. Place this
command in your .cshrc, .profile, or .login file. The umask(1) man page is also
available for more information. By changing the setting of your umask, you can alter the
default permissions on your files and directories to any available DAC permission.
A drawback to the umask command is that it makes every file you create receive the
same permissions. For most purposes, you want the files you create to be accessible by
the members of your group. For example, if an individual is suddenly called away and
another person must take over that person’s portion of a project, the source files must be
accessible by the new user. However, the personal files you keep in your home directory
sometimes need to be private, and if you set your umask to allow group read and write
privileges, any member of the group can access your personal files. Mechanisms are
available to prevent this access. For example, you can create a directory of private files
and alter the permissions on that directory with the chmod command to restrict all but
your own access. Then it would not matter that the files were readable, because no other
user would be allowed into the directory.
You can also use the find command to change all the files in your home directory to your
chosen permission automatically at your convenience. You can set up your account so
that this action happens every time you log out.
The umask command is an important part of DAC. It allows you to maintain security
while still allowing convenient access to your files. To set your account up to allow group read and
write privileges and no other privileges, place this line in your .cshrc or .profile file:
umask 007

This will make every file you create have the following permissions:
-rw-rw----

With your umask set to 007, directories that you create have the following permissions:
drwxrwx---

In plainer terms, you will have full use of the file or directory, and your group will have
full use. No other user, except the superuser (root), will have access to your files.
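As an added example (not code from this guide), the following Python decodes the permissions field of a long listing, including the trailing plus sign that marks an ACL, and computes the default permissions a given umask yields for new files and directories. The listing lines it parses are constructed to match the guide’s examples; the ACL contents themselves are not modelled.

```python
"""Decode ls -l permission fields and apply a umask (added example, not
code from the Trusted IRIX/CMW guide)."""

# File-type characters in the leftmost place of the permissions field.
FILE_TYPES = {"-": "file", "d": "directory",
              "b": "block device", "c": "character device"}

# Constructed sample lines, shaped like the guide's long listings.
SAMPLE_LISTING = [
    "drw-------+  1 owner grp 48879 Mar 29 18:10 critical",
    "-rw-r-----   1 owner grp  3378 Jun  7 13:42 saved_mail",
    "-rwxrwxr-x+  1 owner grp  6680 Apr 24 16:26 shell.script",
]


def parse_mode_string(field):
    """Split a field such as '-rwxr-x---+' into its parts.

    Returns a dict with the file type, whether an ACL is in effect and a
    nested dict of read/write/execute booleans for owner, group and other.
    """
    field = field.strip()
    has_acl = field.endswith("+")
    if has_acl:
        field = field[:-1]
    if len(field) != 10:
        raise ValueError("permissions field must be 10 characters: %r" % field)
    kind = FILE_TYPES.get(field[0])
    if kind is None:
        raise ValueError("unknown file type character %r" % field[0])
    perms = {}
    for who, offset in (("owner", 1), ("group", 4), ("other", 7)):
        triple = field[offset:offset + 3]
        for ch, expected in zip(triple, "rwx"):
            if ch not in (expected, "-"):
                raise ValueError("bad permission character %r in %r" % (ch, field))
        perms[who] = {"read": triple[0] == "r",
                      "write": triple[1] == "w",
                      "execute": triple[2] == "x"}
    return {"type": kind, "acl": has_acl, "perms": perms}


def mode_to_string(mode, is_dir=False):
    """Render numeric permission bits the way ls -l displays them."""
    chars = ["d" if is_dir else "-"]
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        chars.append("r" if bits & 0o4 else "-")
        chars.append("w" if bits & 0o2 else "-")
        chars.append("x" if bits & 0o1 else "-")
    return "".join(chars)


def apply_umask(umask, is_dir=False):
    """Default permissions a new file (base 0666) or directory (base 0777)
    receives once the bits set in the umask are cleared."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def parse_listing_line(line):
    """Take one ls -l line and return (permissions dict, file name)."""
    fields = line.split()
    return parse_mode_string(fields[0]), fields[-1]


if __name__ == "__main__":
    for line in SAMPLE_LISTING:
        info, name = parse_listing_line(line)
        print(name, info["type"], "ACL" if info["acl"] else "no ACL",
              info["perms"]["group"])
    for mask in (0o007, 0o022, 0o077):
        print("umask %03o: file %s  directory %s" % (
            mask, mode_to_string(apply_umask(mask)),
            mode_to_string(apply_umask(mask, True), True)))
```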


Access Control Lists
Access Control Lists (ACLs) are a part of the DAC features of your Trusted IRIX/CMW
system. An ACL works in the same way as standard file permissions, but it allows you
to have a finer level of control over who may access a file or directory than standard
permissions allow. ACLs allow you to specify file permissions on a user-by-user basis.
Every system file or directory has an ACL that governs its discretionary access. This ACL
is referred to as the access ACL for the file or directory. In addition, a directory may have
an associated ACL that governs the initial access for files and subdirectories created
within that directory. This ACL is referred to as a default ACL. A user who wishes to gain
access to the files in a directory must be on both ACLs and must be allowed by MAC and
Trusted IRIX standard file permissions to successfully gain access. If you have not created
an access ACL for a file, the default ACL serves both ACL functions. Note that the ACL
on a file or directory also acts as an upper limit to the file permissions that can be set
automatically with umask.
Hereafter in this section, directories are treated as files, and where the term file is used,
consider it to also apply to directories.
An ACL is stored in the same way that standard file permissions are stored; as an
attribute of the file or directory. For example, to view the ACL of a file, use the -D option
to ls as shown here:
ls -D testfile

This produces output similar to this:
[u::rwx,g::rw-,o::---,u:332:r--,u:ernie:rw-,m::rw-]

The above example shows full permissions for the owner with the first entry on the line,
sets read permission for user ID 332 with the second entry, and sets read and write
permission for the user account ernie. The format of an ACL entry is discussed in “Text
Form for ACLs” on page 19.
To set or change an ACL, use the chacl command:
chacl acl_entry[,acl_entry]... pathname

An ACL consists of a set of ACL entries. An ACL entry specifies the access permissions
on the associated file for an individual user or a group of users. The order of internal
storage of entries within an ACL does not affect the order of evaluation. In order to read
an ACL from an object, a process must have read access to the file. In order to create or
change an ACL, the process must own the file.

Setting Directory Default ACLs with chacl
To set a default ACL for the current directory and all its files and subdirectories, use this
command:
chacl -d acl_entry[,acl_entry]... pathname

For information on the format of an ACL entry, see “Text Form for ACLs” on page 19.

Text Form for ACLs
The text form for ACLs is used for either input or output of ACLs and is defined as
follows:
acl_entry[,acl_entry ]...
Although it is acceptable to place more than one entry on a physical line in a file, placing
only one entry per line makes it easier to read.
Each entry contains one ACL statement with three required colon-separated fields and
an optional comment:
entry tag type:entry qualifier:discretionary access permissions # comment
Comments may be included with any entry. If a comment starts at the beginning of a line,
then the entire line is interpreted as a comment. The first field must always contain the
ACL entry tag type.
One of the following ACL entry tag type keywords must appear in the first field:
user    A user ACL entry specifies the access granted to either the file owner or
        to a specified user account.
group   A group ACL entry specifies the access granted to either the file-owning
        user group or to a specified user group.
other   An other ACL entry specifies the access granted to any process that does
        not match any user, group, or implementation-defined ACL entries.
mask    A mask ACL entry specifies the maximum access that can be granted by
        any ACL entry except the user entry for the file owner and the other
        entry.

The second field contains the ACL entry qualifier (referred to in the remainder of this
section as simply qualifier).
The following qualifiers are defined by default:
uid     This qualifier specifies a user account name or a user ID number.
gid     This qualifier specifies a user group name or a group ID number.
empty   This qualifier specifies that no uid or gid information is to be applied
        to the ACL entry. The entry applies to the file owner only. An empty
        qualifier is represented by an empty string or by white space.

The third field contains the discretionary access permissions that apply to the user or
group specified in the first field. The discretionary access permissions field contains
exactly one each of the following characters in the following order:
1. r (read access)
2. w (write access)
3. x (execute/search access)
This would appear as rwx. Any or all of these may be replaced by a dash (-), which is the
no-access character.
A user entry with an empty qualifier specifies the access granted to the file owner. A user
entry with a uid qualifier specifies the access permissions granted to the user name
matching the uid value. If the uid value does not match a user name, then the ACL entry
specifies the access permissions granted to the user ID matching the uid value.
A group entry with an empty qualifier specifies the access granted to the default user
group of the file owner. A group entry with a gid qualifier specifies the access permissions
granted to the group name matching the gid value. If the gid value does not match a
group name, then the ACL entry specifies the access permissions granted to the group ID
matching the gid value. The mask and other entries contain an empty qualifier. A pound
sign (#) starts a comment on an ACL entry. A comment may start at the beginning of a
line, or after the required fields and after any custom-defined, colon-separated fields. The
end of the line denotes the end of the comment.


White space is permitted (but not required) in the entries as follows:
• At the start of the line
• Immediately before and after a colon (:) separator
• Immediately before the first pound sign (#) comment character
• At any point after the first pound sign (#) comment character.

Comments have no effect on the discretionary access check of the object with which they
are associated.
Here is an example of a correct long text form ACL for a file:
user::rwx,user:332:r--,user:ernie:rw-,group::r--,other::r--,mask::rw-

The above example sets full permissions for the owner with the first entry on the line, sets
read permission for user ID 332 with the second entry, and sets read and write
permission for the user account ernie.
Here are some examples with comments:
group:10:rw- # User Group 10 has read/write access
other::--- # No one else has any permission
mask::rw- # The maximum permission except for the owner is read/write

The ACL entry may be shortened by using the following abbreviations for the entry tag
types. The abbreviation for user is u, the abbreviation for group is g. The abbreviation for
other is o, and the abbreviation for mask is m.
For example, a shortened ACL entry could look very similar to the following:
u::rwx # The file owner has complete access
u:332:r-- # User Acct 332 has read access only
g:10:rw- # User Group 10 has read/write access
u:653:r-- # User Acct 653 (who is in group 10) has read access only
o::--- # No one else has any permission
m::rw- # The maximum permission except for the owner is read/write
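An added example, not code from this guide, that parses the text form described above (full or abbreviated tag names, comments, white space, one or several entries per line) and computes the permissions an ACL grants to a given process. The owner, user and group IDs and the ernie/grp account table are assumed values; the owner, named-user, group, other order of evaluation follows the POSIX 1003.1e draft semantics the guide refers to.

```python
"""ACL text-form parser and access evaluation (added example, not from
the Trusted IRIX/CMW guide)."""
import re

TAG_NAMES = {"u": "user", "user": "user", "g": "group", "group": "group",
             "o": "other", "other": "other", "m": "mask", "mask": "mask"}
PERM_RE = re.compile(r"^[r-][w-][x-]$")

# Constructed account tables used to resolve names in qualifiers.
USERS = {"ernie": 500}
GROUPS = {"grp": 100}


def parse_acl_text(text):
    """Return a list of (tag, qualifier, perms) tuples.

    Accepts several comma-separated entries on one line or one entry per
    line, strips '#' comments, tolerates white space around colons and
    ignores custom colon-separated fields after the third one.
    """
    entries = []
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()   # drop any comment
        if not line:
            continue
        for item in line.split(","):
            fields = [f.strip() for f in item.split(":")]
            if len(fields) < 3:
                raise ValueError("entry needs three colon-separated fields: %r" % item)
            tag = TAG_NAMES.get(fields[0])
            if tag is None:
                raise ValueError("unknown entry tag type %r" % fields[0])
            qualifier, perms = fields[1], fields[2]
            if tag in ("other", "mask") and qualifier:
                raise ValueError("%s entries take an empty qualifier" % tag)
            if not PERM_RE.match(perms):
                raise ValueError("permissions must be r, w, x or - in order: %r" % perms)
            entries.append((tag, qualifier, perms))
    return entries


def _perm_set(perms):
    return frozenset(c for c in perms if c != "-")


def _resolve(qualifier, table):
    """A name is looked up first; anything else is taken as a numeric ID."""
    return table[qualifier] if qualifier in table else int(qualifier)


def effective_access(entries, owner_uid, owner_gid, uid, gids):
    """Permissions (subset of {'r', 'w', 'x'}) the ACL grants a process
    with the given uid and group set on a file owned by owner_uid/owner_gid.

    Order of evaluation (POSIX 1003.1e draft): owner's user entry, named
    user entry, matching group entries, then the other entry. The mask caps
    everything except the owner's user entry and the other entry.
    """
    mask = None
    for tag, _, perms in entries:
        if tag == "mask":
            mask = _perm_set(perms)

    def capped(granted):
        return granted if mask is None else granted & mask

    if uid == owner_uid:
        for tag, qualifier, perms in entries:
            if tag == "user" and qualifier == "":
                return _perm_set(perms)
    for tag, qualifier, perms in entries:
        if tag == "user" and qualifier and _resolve(qualifier, USERS) == uid:
            return capped(_perm_set(perms))
    granted, matched = set(), False
    for tag, qualifier, perms in entries:
        if tag != "group":
            continue
        gid = owner_gid if qualifier == "" else _resolve(qualifier, GROUPS)
        if gid in gids:
            matched = True
            granted |= _perm_set(perms)
    if matched:
        return capped(frozenset(granted))
    for tag, _, perms in entries:
        if tag == "other":
            return _perm_set(perms)
    return frozenset()


if __name__ == "__main__":
    acl = parse_acl_text("user::rwx,user:332:r--,user:ernie:rw-,group::r--,other::r--,mask::rw-")
    for who, uid, gids in (("owner", 1000, {100}), ("uid 332", 332, {100}),
                           ("ernie", 500, {200}), ("stranger", 777, {200})):
        print("%-8s -> %s" % (who, "".join(sorted(effective_access(acl, 1000, 100, uid, gids)))))
```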


Mandatory Access Control
One of the new features in Trusted IRIX/CMW and in B-level trusted systems that is not
available in standard IRIX is Mandatory Access Control (MAC). MAC is essentially
different from DAC in that the restrictions placed on file and resource access are not up
to the discretion of the individual user, but are mandatory for all users. The system
enforces MAC through the security labels of all files, programs, resources, and processes
(including user processes) on the system. The concept of label domination and
equivalence is used to make MAC decisions. After the sections describing the
subdivisions of MAC, there is a section describing the rules of label domination and
equivalence.
MAC is divided into two parts, Mandatory Sensitivity and Mandatory Integrity. These
two concepts work in concert to provide a trusted environment for the users.

Mandatory Sensitivity
Mandatory Sensitivity (MSEN) is a mechanism for implementing strict controls on access
to data. A privileged user can never give information protected by Mandatory Sensitivity
to someone who is not allowed to see it. Under DAC, a user can change a file’s
permissions so that any user can read, write, or execute the file. This system provides a
good level of security in an open system but does not provide the level of security needed
by Trusted IRIX/CMW. MSEN works in addition to DAC to provide an extra level of
security.
MSEN defines two different kinds of permissions. One kind is for the user and the user’s
login shell process; the other is for system objects, such as files. The first kind of
permission, for users and processes, is called a clearance. A clearance permits a user or
the user’s process to use system objects with corresponding classifications. All of the
processes that run on behalf of a user must be within the user’s clearance.
Each clearance for a user and the processes associated with that user contain a level of
clearance, such as confidential or proprietary. Each user’s clearance can also be
valid in a number of categories. These categories are used to divide files and information
logically by relationship. For example, all development files could be in the category
ENGR and all personnel files could be in the category HR. A user with clearance in the
ENGR category would not necessarily have clearance in the HR category, even if the two
categories are currently running at the same classification. The number and names of
your clearances and categories are configurable at any time.


The combination of clearance and categories forms the MSEN label of a user or a user’s
process, while the combination of classification and category forms the MSEN label of an
object.
An object (a file or system resource) is classified at a level of protection based on the
judgment of some person. It is also defined to be in some number of categories. For
example, employee salary records could be classified as top secret and in the
categories HR, management, and finance. Thus, a user who is cleared for top secret
data in the categories of HR, management, and finance could view the data, but a user
cleared only to the level of secret could not. A user cleared to top secret in another
category, such as ENGR, also could not view the information. To view information that
has categories, you must also be cleared for the same or a strict superset of categories. For
example a user cleared to top secret in only one category in our example, say
finance, could not view the employee salary information.
For a person to access a secret file about employee records, the user must be cleared for
both that level of secrecy and the category of information. Users cleared to levels higher
than the level of a given file can also view the file. For example, a user cleared for top
secret information can read a secret file, provided that the user is cleared in the
proper category.

Mandatory Integrity
The Mandatory Integrity (MINT) system protects important users from files of
questionable integrity. Until a program has been certified to be free of security risks,
important users should not be allowed to execute it. Mandatory integrity enforces this
restriction.
The MINT mechanism allows read and execute access only to those processes whose
integrity labels are dominated by the object (meaning that the file or program has equal
or greater integrity than the user process). Additionally, a process may only write to an
object with the same integrity. This is to avoid reducing the integrity of a file by a user
with lower integrity.
Mandatory Integrity is similar to MSEN in design and implementation, but addresses
different issues and threats. While MSEN prevents a user from accessing information
that is too sensitive or secret for the user’s clearance, MINT prevents a user from
accessing information or programs that are of unknown or lower quality or security. For
example, a user running at the highest possible clearance who has access to the most
secret and important system resources should not be allowed to run every program
found on the system. Such a user should be permitted to execute only programs of
known good integrity. This step further prevents Trojan Horse attacks on the system.
Consider the following scenario: A malicious intruder gains access to the system but only
at the lowest level. This person creates a program to remove or publish certain system
files and leaves the program in a public directory, calling it run.me. If a high-clearance
user finds the file and executes it, serious damage could result. The solution is for the
system to attach an integrity label to each file, indicating the known security of the file.
A file created by a low-clearance user, such as our intruder, would automatically get a
low-integrity label from the system. Any user with higher clearance would not see the
low-integrity file when listing the directory contents, and any attempt to run the program
would be denied access. Then, the auditor or system administrator would be notified of
the denied access through the system audit trail, and the program could be safely
removed.
Remember that a user’s integrity requirement does not prohibit accessing files of greater
integrity, only those of lower integrity.
MINT divides the objects of the system into divisions and assigns each file and resource
a grade. MINT divisions need not be related to the categories used by MSEN on your
system. For example, MINT divisions could be programming tools, general utilities, and
administrative utilities. Thus, a user who has a MSEN clearance for ENGR might have a
MINT requirement in programming tools, and in general utilities, but not in
administrative utilities.

Label Domination and Equivalence
The concept of label domination and equivalence is central to MAC. If a user’s label
clearance is higher than a file’s label classification and the integrity grade on the label of
the file is good enough for the user’s label, the user’s label is said to dominate the file’s
label. If the clearance and classification on both labels are equal, the labels are said to be
equal. A user’s label must be at least equal to or must dominate an object’s label in order
to access the object.
When you add categories to MAC, you change the order of dominance on your system.
In order to dominate, a user’s label must have the same or higher sensitivity and a set of
approved categories that are the same as or a superset of the categories of the file’s label,
and the integrity requirement for the user must be met by the file. Also, the integrity
divisions of the user must be the same or a subset of the integrity divisions of the file.

Table 2-1 lists possible label relationships using the default labels supplied with your
system. In the table, the levels of sensitivity are unclassified, proprietary, and
company sensitive. The categories are green, gray, and gold. The integrity grades
are good, choice, and prime. The integrity divisions are cake, cookie, and cracker.
The labels are written in the form sensitivity level,categories/integrity
grade,divisions.

Table 2-1    Sample Label Relationships

Subject Label                               Object Label                                  Dominates?  Explanation
proprietary/good                            unclassified/prime                            Yes         Clearance dominated; integrity dominated
proprietary/prime                           unclassified/good                             No          Integrity of the file not good enough
proprietary,green/good                      unclassified,green/good                       Yes         Clearance dominates; categories equal; integrity equal
proprietary,green/prime,cake                proprietary,green/prime,cake,cookie,cracker   Yes         Clearances identical; integrity divisions dominate
proprietary,green/prime                     company sensitive,green/prime                 No          Object classification higher than user clearance
proprietary,green/prime                     proprietary,green,gray/prime,cake,cookie      No          Categories not equal or dominated
proprietary,green,gray/prime,cake,cookie    proprietary,green,gray/prime,cake,cookie      Yes         Categories equal; integrity equal
proprietary,green,gray,gold/choice          proprietary,green,gray/prime                  Yes         Categories dominated; integrity dominated
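The domination rule can be checked mechanically. The following Python program is an added example, not code from the Trusted IRIX/CMW system: it parses labels written in the level,categories/grade,divisions form used in Table 2-1, applies the four conditions (sensitivity, categories, integrity grade, integrity divisions), and re-derives every row of the table, reporting which condition failed for the rows marked "No". The rank order of the sample levels (unclassified below proprietary below company sensitive) and grades (good below choice below prime) is assumed from the way the table uses them; on a real system the orderings come from its label definitions.

```python
"""Label domination check for Trusted IRIX/CMW-style MAC labels.

Labels are written as "level[,category...]/grade[,division...]" using the
sample vocabulary from Table 2-1.  The orderings below are assumptions
taken from how the table uses the names; they are not read from a system.
"""
from dataclasses import dataclass

# Assumed orderings, lowest first.
SENSITIVITY_LEVELS = ["unclassified", "proprietary", "company sensitive"]
INTEGRITY_GRADES = ["good", "choice", "prime"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset
    grade: str
    divisions: frozenset


def parse_label(text):
    """Parse 'level[,cat...]/grade[,div...]' into a Label.

    Whitespace around commas is ignored, so 'prime,cake, cookie' parses.
    """
    msen, _, mint = text.partition("/")
    if not mint:
        raise ValueError("label needs a sensitivity and an integrity part: %r" % text)
    level, *cats = [p.strip() for p in msen.split(",")]
    grade, *divs = [p.strip() for p in mint.split(",")]
    if level not in SENSITIVITY_LEVELS:
        raise ValueError("unknown sensitivity level %r" % level)
    if grade not in INTEGRITY_GRADES:
        raise ValueError("unknown integrity grade %r" % grade)
    return Label(level, frozenset(cats), grade, frozenset(divs))


def dominates(subject, obj):
    """Return (ok, reason): does the subject label dominate the object label?

    All four conditions must hold:
      1. subject sensitivity is at least the object classification
      2. subject categories are a superset of the object's categories
      3. object integrity grade is at least the grade the subject requires
      4. subject integrity divisions are a subset of the object's divisions
    """
    if SENSITIVITY_LEVELS.index(subject.level) < SENSITIVITY_LEVELS.index(obj.level):
        return False, "object classification higher than subject clearance"
    if not subject.categories >= obj.categories:
        return False, "categories not equal or dominated"
    if INTEGRITY_GRADES.index(obj.grade) < INTEGRITY_GRADES.index(subject.grade):
        return False, "integrity of the object not good enough"
    if not subject.divisions <= obj.divisions:
        return False, "integrity divisions not equal or dominated"
    return True, "dominates"


def check(subject_text, object_text):
    """Convenience wrapper: parse both labels and return only the verdict."""
    return dominates(parse_label(subject_text), parse_label(object_text))[0]


# The rows of Table 2-1 with the answer the table gives, used as a self-check.
TABLE_2_1 = [
    ("proprietary/good", "unclassified/prime", True),
    ("proprietary/prime", "unclassified/good", False),
    ("proprietary,green/good", "unclassified,green/good", True),
    ("proprietary,green/prime,cake", "proprietary,green/prime,cake,cookie,cracker", True),
    ("proprietary,green/prime", "company sensitive,green/prime", False),
    ("proprietary,green/prime", "proprietary,green,gray/prime,cake,cookie", False),
    ("proprietary,green,gray/prime,cake,cookie", "proprietary,green,gray/prime,cake,cookie", True),
    ("proprietary,green,gray,gold/choice", "proprietary,green,gray/prime", True),
]


def table_matches():
    """True when every row of Table 2-1 agrees with dominates()."""
    return all(check(s, o) == expected for s, o, expected in TABLE_2_1)


if __name__ == "__main__":
    for s, o, expected in TABLE_2_1:
        ok, why = dominates(parse_label(s), parse_label(o))
        print("%-42s %-45s %-5s %s" % (s, o, ok, why))
```

The same function answers the "file has disappeared" question from the section on ls -M: a file is listed only when check(your_label, file_label) is true, and the reason string says which of the four conditions hides it.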

Wildcard Labels

Wildcard labels are special labels for system objects that are always considered equal to
the label of any user process or other system subject that attempts access. Many system
networking services are implemented through wildcard labels, so that all users can
access the service; the /dev/null device, for example, has a wildcard label.

Using MAC Labels
While using Trusted IRIX/CMW, you must change your security label from time to time
(if you are cleared for more than one label). You must also change the security label of a
file from time to time and you must frequently check the label of a file or resource. There
is a group of commands that allow you to perform these activities easily.
Note: It is possible (though not desirable) to create a higher MAC-labeled file in a lower
MAC-labeled directory. This file would not be visible to you at a lower MAC label.
Correspondingly, you would be unable to remove this file and it could consume an
arbitrary amount of your disk quota until your system administrator removes or
downgrades the file.

Changing Your Security Label
Sometimes you will find it necessary to run a program or other process at a label different
from your current login label. For example, the process may require a lower integrity
requirement or a higher clearance. The newlabel command allows you to run a process
at a different label.
To prevent inappropriate transfers or disclosures of information, all open file descriptors
associated with your login shell process are closed before the new process is invoked.
This assures that information at a higher classification will not be used as any input to
the new process, which may be running at a lower clearance. The default new process is
your default command shell, as specified in your environment.
Remember that you can execute newlabel only with a specified clearance up to the
maximum allowed for your login account. For complete information about newlabel,
consult the newlabel(1) man page.

To execute this command, enter:
newlabel label command

The label variable specifies the new security label you want and command specifies the
command to be run at the new label. Assuming the label you have chosen is within your
label range, the label is changed immediately for the duration of the command.
Remember that only root (the superuser) can use newlabel to run a shell.
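The descriptor-closing rule is the part of newlabel worth reproducing in any program of your own that starts work at a different label. The following Python script is an added illustration using ordinary POSIX facilities, not the newlabel source: the parent opens a pipe holding constructed "sensitive" data, marks the descriptor inheritable as a login shell's open files are, and spawns a child twice, once inheriting descriptors and once with them closed, to show that only the second case keeps the data out of the child. The child program, the payload text and the exit codes are constructed for the demonstration.

```python
"""Why newlabel closes the caller's descriptors before starting the new
process: an inherited descriptor carries data across the label boundary.
Added demonstration using plain POSIX process facilities.
"""
import os
import subprocess
import sys

# Child program, constructed for this demo: try to read the descriptor
# number passed on the command line.  Exit 0 when data came back, 3 when
# the descriptor is not open in the child (EBADF) or returns nothing.
CHILD = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    data = os.read(fd, 64)\n"
    "except OSError:\n"
    "    sys.exit(3)\n"
    "sys.exit(0 if data else 3)\n"
)


def child_can_read(fd, close_fds):
    """Spawn the child, with or without closing inherited descriptors.

    Returns True when the child could read from the parent's descriptor,
    that is, when information crossed the process boundary.
    """
    result = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                            close_fds=close_fds)
    return result.returncode == 0


def leak_demo():
    """Return (leaked_with_inheritance, leaked_with_descriptors_closed)."""
    read_end, write_end = os.pipe()
    os.write(write_end, b"company sensitive payload")  # constructed data
    os.close(write_end)
    # Python marks new descriptors non-inheritable (PEP 446).  A login
    # shell's open files are inheritable, so mark this one the same way;
    # the only thing then standing between it and the child is the
    # close-before-exec policy that newlabel applies.
    os.set_inheritable(read_end, True)
    try:
        inherited = child_can_read(read_end, close_fds=False)
        closed = child_can_read(read_end, close_fds=True)
    finally:
        os.close(read_end)
    return inherited, closed


if __name__ == "__main__":
    inherited, closed = leak_demo()
    print("child read the parent's data with descriptors inherited:", inherited)
    print("child read the parent's data with descriptors closed:   ", closed)
```

The first spawn returns True and the second False: closing everything the parent had open (close_fds=True, the default in current Python) is what makes the new process start from a clean slate, which is exactly the guarantee newlabel gives before it invokes the command at the other label.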

Changing the Label of a File
You are allowed to change the label of any file or program you own, so long as you only
upgrade the sensitivity label of the file or downgrade the integrity label. That is, the new
label cannot be less sensitive or of higher integrity than the old label. What Trusted
IRIX/CMW does when you change the label is to make a copy of the file at the new label,
thus allowing the system administrator to undo your change, if necessary. When you
make the change, the new label of the file must be equal to the current label of the user
attempting the change. Use the chlabel command like this:
chlabel label filename

filename is the name of the file to be changed and label is the new label for the file. The
chlabel command allows you only to change the label to a label within your clearance
range. Remember that the label of the directory that contains the file will not be changed,
making future deletion or modification of the file impossible without administrator
intervention. It is generally better to upgrade whole directories than individual files.

Determining the Label of a File
The -M flag to the ls command displays the security labels for all files and subdirectories
in the directory being listed. Note however, that only those files with labels dominated
by your current label will appear in any directory listing, with or without the -M flag. If
you ever find yourself in a situation where a file seems to have “disappeared,” check
your label and make certain that the label of the file in question is dominated by your
label.

Multilevel Directories
Directories are subject to MAC just as any text file or other resource. Most directories
have labels that are identical to any file label. The exceptions are called multilevel
directories (which are sometimes called moldy directories or mld).
An mld places the files from each label into multiple hidden subdirectories. Thus, user A
at label Q will get a different listing of the contents of the mld from user B at label X.
However, neither process will see the subdirectory structure. Each process sees only
those files in the mld that have the same label as the process.
The hidden subdirectories in an mld are visible to a user process that has a moldy label.
A user may spawn a process with a moldy label using the -m option of the newlabel
command.

Mail
A given piece of mail is readable only if it matches your current MAC label. Mail sent to
you at a higher MAC label is unreadable until you log in at that label. Because of these
constraints, you would be unaware that you had mail addressed to you at this higher
MAC label. The side effect is analogous to someone placing a higher MAC-labeled file in
one of your directories. This higher MAC label mail can consume an arbitrary amount of
your disk resources. Mail sent to you outside your label range is not accessible at any
time.
If someone sends you mail outside of your allowed clearances, that mail is not delivered.
Mail that you send will not be delivered if your current label is outside the label range of
the recipient. For example, if you are logged in at the system-high label, and the recipient
is cleared only for user-level labels, mail sent to that user will be rejected.

Using Aliases for Labels
A label alias (name) may be specified for any desired pair of sensitivity and integrity
levels and grades. Label aliases are defined in the /etc/mac file in the following format:
aliasname:alias:[msentype][level[,category]...]/[minttype][grade[,division]...]

If you do not supply the msentype field, the type is recorded as TCSEC. If you do not
supply the minttype field, the type is recorded as BIBA.
Trusted IRIX/CMW allows the system administrator to create aliases for commonly used
labels. For example, your system could use userlow, usermiddle, and userhigh as
three labels for three classes of users. Your system administrator should tell you what, if
any, label aliases are available at your site. A valid label alias can always be used in place
of the specific label name, whether during the login process or when using the system.

Chapter 3

3. Understanding System Access

This chapter describes the access rules that govern Trusted IRIX/CMW. It includes a
step-by-step description of how to log in, a discussion about dealing with the password
mechanisms, an explanation of areas where Trusted IRIX/CMW differs from standard
IRIX, and short descriptions of some day-to-day tasks that users of Trusted IRIX/CMW
will need to perform. For a complete new-user tutorial on all aspects of the IRIX system,
refer to your standard IRIX documentation.
The following sections are included:
• “Interactive Desktop under Trusted IRIX/CMW” on page 32
• “Logging In Using the CMW Dialog” on page 35
• “Logging Out Using the GUI” on page 37
• “Logging In Using Telnet or Serial Terminals” on page 37
• “Determining the Identity and Security Features of a System” on page 38
• “Passwords Under Trusted IRIX/CMW” on page 39

Interactive Desktop under Trusted IRIX/CMW
Generally, the IRIX interactive desktop behaves in the same manner on a Trusted
IRIX/CMW system as it does on a standard IRIX system. The most significant differences
are a consequence of the Trusted IRIX/CMW security policies and are described in this
section. This section does not describe how to use the desktop; for more information on
the desktop see the Desktop User’s Guide.

Window Appearance and Behavior
All windows on a Trusted IRIX/CMW system include an additional title bar, which
displays the window’s Mandatory Access Control (MAC) label. This is shown in
Figure 3-1. This is the MAC label for the window’s process, which is the same label as
that for the shell in the case of an xterm or similar terminal window.

Figure 3-1    X11 Window Labeled userlow

The window manager and X server prevent you from copying and pasting text from one
window to another if the destination window’s label does not dominate the originating
window’s label. For example, text from a more sensitive window may not be cut and
pasted to a window with a less sensitive label. Therefore, the MAC policy of Trusted
IRIX/CMW is also enforced by the window manager.

Trusted Path Window
The trusted path window is always displayed on a Trusted IRIX/CMW system,
including during system login (as discussed in “Logging In Using the CMW Dialog” on
page 35). This window gives you greater control over the trusted behavior of the window
manager. The trusted path is a subject that has the CAP_XTCB capability, so the primary
purpose of the trusted path window is to inform you when you are and are not using a
trusted subject.
The trusted path window is not a separate process but an integral part of the window
manager. The window may not be lowered, iconified, or obscured by any other window.
This is enforced by the window manager so that you are always aware of the current
window manager behavior.
The window has two buttons, which by default are labeled “Trusted Path is Off” and
“OpenGL Disallowed.” These buttons can be used to restrict or relax the policy of which
windows can be displayed and used.
Below the buttons is a single bar displaying the label of the window that the mouse is
positioned over. If the mouse is not positioned over any windows, the text changes to
show “Background.” You can use this bar to determine the label of the current window
if it becomes obscured.
Another long horizontal bar will appear at the bottom of the window when the mouse is
positioned over a trusted window and the trusted path button is turned on. The bar will
display “You Are On The Trusted Path.” This bar will also appear when the mouse is
moved over the trusted path window, no matter what the state of the trusted path button.
Trusted Path Button

The trusted path button can be used to force the window manager to restrict access to
windows running with the CAP_XTCB capability. By default, this behavior is turned off,
but when the button is clicked, the text will change to display “Trusted Path Is On” and
only the trusted windows (that is, the windows with the CAP_XTCB capability) can be
accessed. The mouse will not focus on a window that does not have this capability.
This behavior also prevents restricted windows from being displayed. For example, any
process attempting to create a window without this capability will be blocked from
displaying the window. As soon as the behavior is turned off (by clicking the button) all
new windows that were blocked will be displayed.
When the trusted path is enforced, some window manager operations are still allowed
on restricted windows, including iconifying, lowering, raising, and resizing windows.
However, the window manager will prevent the contents of those windows from being
updated.
OpenGL Allowed Button

The graphics hardware registers that are used by OpenGL applications are accessible to
other processes. Therefore, it is possible for another process to capture the contents of the
screen regardless of MAC label controls or capabilities.
On a Trusted IRIX/CMW system, by default, OpenGL applications may not be
displayed. Given that a large number of applications on this platform use OpenGL, this
behavior may be controlled by selecting the “OpenGL Disallowed” button, which will
change the button to display “OpenGL Allowed.” Any OpenGL application running at
the same MAC label as the one you logged in with may now be displayed. This
behavior can be removed by clicking the “OpenGL Allowed” button.

Application Behavior
The following applications behave differently on a Trusted IRIX/CMW system:

Toolchest
    The system administration tools that are accessible from the toolchest
    have not been customized for a Trusted IRIX/CMW system and,
    generally, will not behave correctly. System administration functions
    should be performed by editing the relevant configuration files or
    running the appropriate command-line tools.
Icon catalog
    The icon catalog and many other desktop functions will not work in a
    Trusted IRIX/CMW environment because of their dependence on the
    File Alteration Monitor (fam). fam is restricted from running on a
    Trusted IRIX/CMW system. For more information about fam, see the
    fam(1) man page.
X applications
    X applications should behave normally on a Trusted IRIX/CMW system
    within the constraints of the window manager and network security
    policies.
IRIS GL applications
    Applications that use the original GL graphics libraries may not be run
    on a Trusted IRIX/CMW system without the appropriate capabilities
    because the system cannot restrict the graphics to a specific MAC label.
OpenGL applications
    OpenGL applications are restricted by the “OpenGL Allowed” button.
    For more information see “OpenGL Allowed Button” on page 34.

Logging In Using the CMW Dialog
When no one is logged in to a Trusted IRIX/CMW machine, the system displays a login
prompt and waits for a user to enter a login name. To log in, you must first have an
account created for you on the system. Your system administrator should create this
account for you and tell you the login name you are to use. If you are allowed to select
your own login name, select a name that is easy to remember, such as your first name and
the initial of your last name. When your account is created, a password may also be
logged for you at that time by the system administrator. If so, you should know the
password before you attempt to log in. If a password is not logged for you when your
account is created, you should select one when you first log in.
When you are certain that the account has been created for you, you are ready to log in.
When no one is logged in at the console, a window is displayed for the login dialog.
Follow these instructions to log in:
1. The trusted path window is displayed on the screen, as shown in Figure 3-2, and the
trusted path should be initialized “on.”

Figure 3-2    Trusted Path Window

If the trusted path is not on, move the mouse cursor to the “Trusted Path Is Off”
button and click. If the trusted path window does not indicate that the trusted path
is on, call your system administrator.
Move the pointer to the CMW Login Dialog window. The trusted path window
should state that “You Are On The Trusted Path.” Again, if it does not state that you
are on the trusted path, call your system administrator.
2. On the CMW Login Dialog window, you should see the User Name: prompt, as
shown in Figure 3-3:

Figure 3-3    CMW Login Dialog Window

Enter the desired account name. You must enter an account name; there is no
default.
3. You are prompted for a MAC label:
MAC Label:

If you do not enter a MAC label name (that is, if you simply press the Enter key)
you are given your default login label.

4. You are prompted for a capability set:
Capabilities:

If you do not enter a capability set (that is, if you simply press the Enter key) you
are given your default capability set.
5. You are prompted for your password:
Password:

Your password is not displayed as you type it in. Press the Enter key when you
have typed your password.
6. If all responses were valid, you are logged in. The screen clears and the default
windows and icons are displayed. The login process is now complete.

Logging Out Using the GUI
To log out of a Trusted IRIX/CMW system using the GUI, follow these steps:
1. Right-click on the screen background and select the “Log Out” option. A
confirmation pop-up window will appear.
2. In the confirmation window, click “Yes” to confirm the logout or “No” to cancel the
logout process.

Logging In Using Telnet or Serial Terminals
At times you may need to log in to a Trusted IRIX/CMW machine when you do not have
access to the graphical login program. You can use Telnet sessions and serial terminals to
log in to a Trusted IRIX machine.
The Trusted IRIX TTY login appears the same as a typical IRIX console login, but it does
not prompt you for a MAC label or capabilities. You can specify a MAC label or
capability on the login line in addition to your user ID. A TTY device may be configured
to have a restricted MAC range, thereby limiting users to labels within that range. By
default, a serial console will allow all labels. A MAC label specification is ignored for
Telnet sessions.

To specify a MAC label, add a MAC= label, as follows:
login: root MAC=dblow
Password:

To specify a capability set, add a CAP= capability set, as follows:
login: root CAP=CAP_FOWNER,CAP_KILL+eip
Password:

You can specify both a MAC label and capability set, as follows:
login: user CAP=all+eip MAC=userlow
Password:

A login attempt will fail if you request a capability that does not exist or is not in your
capability set, or you attempt to log in with a MAC label not in your clearance or not
allowed by the TTY device.

Determining the Identity and Security Features of a System
It is possible for you (or one of your programs) to determine the current operating system
environment you are in by using one of the methods described in this section.

Identifying the System from a Shell
To determine the identity and security features of your operating system, you can
execute the sysconf command at a shell prompt. A complete description of all
sysconf command options can be found in the sysconf(1) man page.
You will see a great deal of output and, towards the bottom of the list, the relevant
information in the following format:
PROCESSORS           R4000 2.2
AVAIL_PROCESSORS     1
SYSNAME              IRIX
HOSTNAME             bandicoot
RELEASE              6.5-ALPHA-1276144020
VERSION              01050909
MACHINE              IP22
ARCHITECTURE         mips
HW_SERIAL            1762094967
HW_PROVIDER          sgi
ACL                  1
AUDIT                1
CAP                  2
INF                  0
IP_SECOPTS           1
MAC                  1

Identifying the System Security Options with a Program
From within a compiled program you can use the sysconf library function to identify
the system security options. Refer to the sysconf(3C) man page for more information
on this function.

Passwords Under Trusted IRIX/CMW
Passwords are the first line of defense of a trusted system. As a user, it is your
responsibility to protect the privacy of your password at all times. Follow these rules
regarding your password:
• Never give your password to another user or allow another user to “borrow” your
account.
• Never keep your password written down anywhere near your machine.
• Always commit your password to memory. If you forget it, the system
administrator can change it for you.

Trusted IRIX/CMW contains facilities to generate passwords for users, however, these
facilities are not configured to work by default. For more information about password
generation see the passwd(1) man page. If your site is configured to allow you to select
your own passwords, follow these rules when choosing your password:
• Never choose a password that could be guessed by someone who knew personal
information about you. For example, if someone stole your wallet with the intent of
finding out information about you, make certain that your password is not related
to something someone might find in your personal information, such as variations
on your name or the name of a friend or family member.
• Always use a random mix of printable characters, control characters, punctuation
marks, and numerals when selecting a password.
• Each password must have at least six characters. However, only the first eight
characters are significant.
• The password must contain at least two alphabetic characters and one numeral.
• The password must not be related to the user’s login name. Any reversal or
circular shift of the characters in the login name will not be allowed. Capital letters
are treated as equivalent to their lowercase counterparts.
• The password must have at least three characters different from the previous
password. Capital letters are treated as equivalent to their lowercase
counterparts.

Trusted IRIX/CMW supports facilities to manage the lifetime of a password, also known
as password aging. For more information about password aging see the passwd(1) man
page and the IRIX Admin: Backup, Security, and Accounting guide.
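As an added example (not the Trusted IRIX/CMW passwd implementation), the following Python function applies the password rules listed above to a candidate. Two details the rules imply are made explicit: because only the first eight characters are significant, the character-class, login-name and previous-password checks look at that eight-character, case-folded prefix, so a numeral in position nine does not count and a new password that repeats the old one in its first eight characters is the same password; and "three characters different from the previous password" is counted position by position, which is one reading of the rule. The logins and passwords in the usage section are made up.

```python
"""Checker for the password rules above.  Added example; every check that
looks at the password's content uses only its significant part, because
that is all the system would ever compare.
"""

SIGNIFICANT = 8   # only the first eight characters of a password count
MIN_LENGTH = 6


def _significant(text):
    """The part of a password the system actually compares, case folded."""
    return text[:SIGNIFICANT].lower()


def _login_variants(login):
    """The login name, its reversal, and every circular shift of either."""
    base = login.lower()
    variants = set()
    for s in (base, base[::-1]):
        for i in range(len(s)):
            variants.add(s[i:] + s[:i])
    return variants


def _positions_differing(a, b):
    """Count positions at which a and b differ, padding the shorter one."""
    width = max(len(a), len(b))
    a, b = a.ljust(width, "\0"), b.ljust(width, "\0")
    return sum(1 for x, y in zip(a, b) if x != y)


def check_password(candidate, login, previous=None):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    sig = _significant(candidate)
    if sum(c.isalpha() for c in sig) < 2:
        problems.append("fewer than two alphabetic characters")
    if not any(c.isdigit() for c in sig):
        problems.append("no numeral")
    # Compare against the significant part of each login-name variant, since
    # that is all the system would see of a password equal to one of them.
    if sig in {_significant(v) for v in _login_variants(login)}:
        problems.append("related to the login name")
    if previous is not None and _positions_differing(sig, _significant(previous)) < 3:
        problems.append("fewer than three characters differ from the previous password")
    return problems


if __name__ == "__main__":
    # Constructed logins and passwords for illustration.
    samples = [
        ("tr0ub4dor", "jzurschm", None),      # acceptable
        ("ps42seco", "secops42", None),       # circular shift of the login
        ("passwordy1", "bob", None),          # numeral beyond the eighth character
        ("summer98xyz!", "bob", "Summer98"),  # same as the old one where it matters
    ]
    for pw, login, prev in samples:
        print("%-14s %-10s -> %s" % (pw, login, check_password(pw, login, prev) or "ok"))
```

The last two samples are the ones worth remembering when a site lets you choose your own password: the eight-character limit silently discards whatever follows, both for strength and for the "different from the previous password" rule.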

Chapter 4

4. Importing and Exporting Data

Importing and exporting information is one of the main functions of a computer system.
Whenever data enters the computer, it is considered to have been imported from
somewhere, whether from the keyboard, the tape drive, or other input device. Anytime
the system produces information, such as via a printer or a write action to a tape or
floppy disk, an export is considered to have occurred. This chapter describes the
restrictions associated with using printers and removable media under Trusted
IRIX/CMW.
Sections in this chapter include:
• “Printing under Trusted IRIX/CMW” on page 42
• “Using Tape Devices” on page 42
• “Using CD-ROM Devices” on page 44

Printing under Trusted IRIX/CMW
Printing under Trusted IRIX/CMW requires no special resources. Except where noted in
this chapter, printing operates exactly as described in your standard IRIX
documentation. The lp command behaves differently from its IRIX counterpart. You are
encouraged to read the lp(1) reference page before using this command.
Trusted IRIX/CMW meets the requirement for B1-level systems for labeled printing.
Each page of printed output carries the label of the printing process at the top and bottom
of the page. The system intercepts the output of a print request before it is sent to the
printer and ensures that appropriate banner pages and individual page labels are
produced. Your system administrator will tell you which commands to use to print your
files.

Using Tape Devices
Under Trusted IRIX/CMW, access to the tape device is administratively controlled. The
system administrator must take specific steps to ensure that the tape device is properly
configured for your use before you insert the tape in the drive. The procedures required
of the administrator are described in the Trusted IRIX/CMW Security Administration Guide.
Notify your system administrator that you need to use the tape device and provide the
security label of the information you wish to archive and the label your process will have
while you use the tape device. The administrator will then have to change the security
label of the tape device for you before you can begin. When you are done, the
administrator will change the label of the tape drive back to its default. The default label
for the tape device is dbadmin, which is accessible only by the administrative accounts.
Your site may have specific policies regarding the secure handling of tapes, particularly
in the area of human-readable “sticky” labels. Your site may require that tapes be
handled only by the operator, or you may be allowed to do so yourself.
Once you have made your tape, you must write the security classification and categories,
as well as any MINT grades and divisions on it, and handle and store the tape according
to your site’s security policies.
Check the local policy with your system administrator before attempting to physically
mount a tape.

The basic rules most sites follow for tape handling include:
• Storing the tapes in a locked room, sorted according to security label.
• Limiting access to the tape storage area to people with the highest security
clearances.
• Disposing of used tapes in a secure manner, after they have been erased and
verified that no information remains readable on the tape. Sometimes tapes are
destroyed by burning.

Magnetic Tape Backups with tar
B1 systems are required to provide for labeled magnetic tape archives. Trusted
IRIX/CMW meets this requirement by providing the new M keyword to the tar
command. This keyword directs tar to maintain the security labels, access control lists,
and capability requirements on all files placed on the tape. To recover files from the tape,
use tar with the M keyword. Restoring tapes with files of differing labels requires special
capabilities.
Always remember that it is still possible to make unlabeled tapes using tar without the
M keyword. Also, using tar to extract labeled files without the M keyword will result in
the loss of label and other security data.

Magnetic Tape Backups with xfsdump
In addition to tar, the xfsdump command can be used to preserve MAC labels,
provided that the -A option is not specified. The xfsrestore command can then be
used to restore the backup.
For more information, see the xfsdump(1m) and xfsrestore(1m) man pages.

Using CD-ROM Devices
CD-ROM devices may be mounted on a Trusted IRIX/CMW system. The mount point
/CDROM is installed with the wildcard MAC label, so that all files on the CD-ROM are
visible to all users. (CD-ROMs are usually built with EFS or ISO9660 filesystems, which
do not support labels by default.)
If CD-ROMs with xfs filesystems and MAC labels are used on a Trusted IRIX/CMW
system, the /CDROM directory should be labeled the same as the tape devices.

Chapter 5

5. Understanding Auditing

This chapter describes the system audit trail for the user. There is no interface to allow
users to alter or read the audit trail; it is accessible only to the system administrator or
auditor. This chapter explains what is happening within the audit system and how it
applies to the ordinary user.

System Audit Trail
The system audit trail (SAT) is a subsystem that allows the site administrator to make a
record of all system activity. The ongoing record of system activity shows general trends
in system usage, and also violations of the security policy. The site administrators can
monitor all system activity through the audit trail. There are many different types of
activities that take place on a trusted computer system. There are login attempts, file
manipulations, use of devices (such as printers and tape drives), and administrative
activity. All of these activities can be logged and reviewed through the system audit trail.
It is vitally important to remember that the system audit trail does not exist to allow users
to spy on one another, nor does it exist as a mechanism to entrap users. It exists as a
means to locate intentional violations of security policy.
Most audit records are generated in the course of normal work. Even records with
ominous sounding names, such as sat_access_denied, happen in the course of
ordinary activities. Your auditor does not spy on your system activity; he or she guards
against an outsider attempting to damage your work.
You do not need to take any action regarding the audit trail. It is maintained by the
system and by the auditor at your site. The auditing process is completely transparent to
the user.

Chapter 6

6. Programming in a Trusted Environment

This chapter describes the special requirements of programming in a trusted
environment, and lists new system and library calls available under Trusted IRIX/CMW.
Trusted IRIX/CMW conforms to the specifications in POSIX P1003.1eD15.
Sections in this chapter include:
• “Guidelines” on page 48
• “Trusted IRIX/CMW System and Library Calls” on page 48
• “Identifying System Security Options from within a Compiled Program” on page 52

Guidelines
There are a number of guidelines that anyone who programs in a secure environment
should follow:
• In order to simplify your work, do not duplicate the work done by the I&A
(identification and authentication) programs of the Trusted IRIX/CMW system.
• Make sure that all variables are in bounds.
• Reduce global variable usage wherever possible.
• Limit the functionality of each module to only one distinct task.
• Do not create a procedure that circumvents any of the programmatic flow.
• If overrides must be added, document them thoroughly in the code.
• By design and principle, minimize the use of privilege required or permitted by
your programs.

Trusted IRIX/CMW System and Library Calls
The following system and library calls are relevant to Trusted IRIX/CMW. Man pages
exist for each of these calls in man page sections 2 and 3. Table 6-1 below lists each call
and its corresponding action.
Table 6-1    Trusted IRIX/CMW System and Library Calls

System/Library Call                             Action
setlabel(2)                                     Set the MAC label of a file
satgetid(2), satsetid(2)                        Get or set the audit identity of the calling process
saton(2), satoff(2)                             Turn on or off auditing of the specified audit type
satread(2)                                      Read a block of audit record data
satstate(2)                                     Query state of the specified audit type
satvwrite(2)                                    Write a block of audit record data
satwrite(2)                                     Write a block of audit record data
acl_copy_ext(3C)                                Copy ACL from system to user space or from user
                                                to system space
acl_delete_def_file(3C)                         Delete the default ACL for a named directory
acl_dup(3C)                                     Make a copy of an ACL
acl_free(3C)                                    Free memory allocated by ACL interface calls
acl_from_text(3C)                               Convert a POSIX ACL string to a struct acl or a
                                                struct acl to a POSIX ACL string
acl_get_fd(3C), acl_set_fd(3C)                  Get or set the ACL associated with an open file
acl_get_file(3C), acl_set_file(3C)              Get or set the ACL for a pathname
acl_size(3C)                                    Return the size of an ACL
acl_to_short_text(3C)                           Convert a binary format ACL to a short form ASCII
                                                ACL string
acl_to_text(3C)                                 Convert a binary format ACL to an ASCII ACL string
acl_valid(3C)                                   Validate an ACL
cap_acquire(3C)                                 Make permitted set capabilities effective or remove
                                                effective capabilities
cap_clear(3C)                                   Clear the fields of a capability
cap_copy_ext(3C)                                Copy capability from system to user space or from
                                                user to system space
cap_dup(3C)                                     Make a copy of a capability
cap_envl(3C), cap_envp(3C)                      Ensure that the calling process has sufficient
                                                privilege to perform actions requiring the
                                                specified capabilities
cap_free(3C)                                    Free allocated capability
cap_from_text(3C)                               Convert a POSIX capabilities string to internal form
cap_get_fd(3C), cap_set_fd                      Get or set the capabilities for an open file
cap_get_file(3C), cap_set_file                  Get or set the capabilities for a pathname
cap_get_flag(3C), cap_set_flag                  Get or set the value of a capability flag in a
                                                capability
cap_get_proc(3C), cap_set_proc                  Get or set process capabilities
cap_init(3C)                                    Allocate a capability structure
cap_set_proc_flags(3C)                          Set the capability state flags for the current
                                                process
cap_size(3C)                                    Return the size of a capability
cap_surrender(3C)                               Remove capabilities from the effective set
cap_to_text(3C)                                 Convert capabilities to a POSIX capabilities string
cap_value_to_text(3C)                           Return the POSIX name for a capability value
getspwnam(3)                                    Get a user’s name from the administrative database
getuserinfonam(3), getuserinfouid(3)            Get information about a user
ia_audit(3)                                     Create and write an audit record, using satwrite
mac_cleared(3C), mac_clearedlbl(3C)             Report on user’s clearance
mac_dominate(3C)                                Compare two MAC labels for dominance relationship
mac_dup(3C)                                     Produce a duplicate copy of a MAC label
mac_equal(3C)                                   Compare two MAC labels for the equality relationship
mac_free(3C)                                    Free allocated MAC object
mac_from_text(3C)                               Convert an ASCII MAC label string to a binary format
                                                MAC label
mac_get_fd(3C), mac_set_fd(3C)                  Get or set the MAC label associated with an open file
mac_get_file(3C), mac_set_file(3C)              Get or set the MAC label for a pathname
mac_get_proc(3C), mac_set_proc(3C)              Get or set the MAC label for the current process
mac_size(3C)                                    Get the size of a MAC label
mac_to_text(3)                                  Convert a binary format MAC label to an ASCII MAC
                                                label string
mac_to_text_long(3C)                            Convert a binary format MAC label to a long form
                                                ASCII MAC label string
mac_valid(3C)                                   Test a MAC label for validity
sat_eventtostr(3), sat_strtoevent(3)            Convert an audit event index to or from an audit
                                                event string
sat_intrp_pathname(3)                           Portable interface to interpret sat_pathname structs
sat_read_file_info(3), sat_write_file_info(3),  Portable interfaces to read audit file headers
sat_free_file_info(3)
sat_read_header_info(3),                        Portable interfaces to read audit record headers
sat_free_header_info(3)
sgi_getcapabilitybyname(3C)                     Get the default and allowed capability sets for a
                                                named user

Identifying System Security Options from within a Compiled Program
The following program code fragment will identify whether your Trusted IRIX/CMW
system currently supports capabilities, mandatory access control, and the secure audit
trail.
#include <unistd.h>    /* sysconf() and the _SC_CAP, _SC_MAC, _SC_SAT names */

if (sysconf(_SC_CAP)) {
    /* capabilities are supported.
       Perform actions required to comply
       with capability rules. */
}
if (sysconf(_SC_MAC)) {
    /* mandatory access control is supported.
       Perform actions required to comply
       with MAC rules. */
}
if (sysconf(_SC_SAT)) {
    /* secure audit trail is supported.
       Perform actions required to comply
       with auditing rules. */
}

The following program code fragment demonstrates how to temporarily enable a
specific capability to perform a particular task.
#include <sys/capability.h>    /* cap_t, cap_value_t, cap_acquire(), cap_surrender() */

cap_value_t capv = CAP_XTCB;
cap_t cap;               /* previous capability state, returned by cap_acquire() */

cap = cap_acquire(1, &capv);
/* Now perform capability dependent tasks
   before releasing the capability. */
cap_surrender(cap);
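The bracket above can only be compiled where the Trusted IRIX/CMW library exists. The following C program is an added example, not code from this guide or from SGI: it models the effective and permitted flag semantics this guide describes (a capability confers privilege only while its effective flag is set, and it can be made effective only if it is in the permitted set) with plain bitmasks, so the acquire/surrender pattern can be compiled and traced on any system. The model_* functions, the struct model_proc type and the MODEL_CAP_* values are constructed for this illustration and are not the cap_*(3C) interfaces or CAP_XTCB.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A capability set, modelled as a bitmask (constructed values, not CAP_XTCB). */
typedef uint32_t capset_t;
enum { MODEL_CAP_XTCB = 1u << 0, MODEL_CAP_OTHER = 1u << 1 };

/* Process capability state. The invariant the guide describes: a capability
   confers privilege only while effective, and effective stays within permitted. */
struct model_proc {
    capset_t permitted;
    capset_t effective;
};

/* Models cap_acquire(3C): make the requested capabilities effective. Returns
   the previous effective set for the caller to restore later. If any requested
   capability is not permitted, nothing changes and *ok is false. */
capset_t model_acquire(struct model_proc *p, capset_t want, bool *ok)
{
    capset_t saved = p->effective;
    if ((want & ~p->permitted) != 0) {
        *ok = false;
        return saved;
    }
    p->effective |= want;
    *ok = true;
    return saved;
}

/* Models cap_surrender(3C): put the effective set back to what it was. */
void model_surrender(struct model_proc *p, capset_t saved)
{
    p->effective = saved;
}

/* "Appropriate privilege" is decided solely by the effective flag. */
bool model_privileged(const struct model_proc *p, capset_t need)
{
    return (need & ~p->effective) == 0;
}

/* The bracket from the guide: acquire, do the one task that needs the
   privilege, surrender. Returns whether the privileged step was permitted. */
bool do_xtcb_task(struct model_proc *p)
{
    bool ok;
    capset_t saved = model_acquire(p, MODEL_CAP_XTCB, &ok);
    if (!ok)
        return false;                   /* not permitted: refuse, nothing to undo */
    bool done = model_privileged(p, MODEL_CAP_XTCB);  /* the privileged work goes here */
    model_surrender(p, saved);          /* drop it again on every path out */
    return done;
}

/* Three properties a reviewer would check; true only if all of them hold. */
bool model_selftest(void)
{
    struct model_proc p = { MODEL_CAP_XTCB, 0 };
    if (!do_xtcb_task(&p)) return false;                 /* permitted: task runs    */
    if (p.effective != 0) return false;                  /* privilege dropped after */
    if (model_privileged(&p, MODEL_CAP_XTCB)) return false;
    struct model_proc q = { MODEL_CAP_OTHER, 0 };
    if (do_xtcb_task(&q)) return false;                  /* not permitted: refused  */
    return q.effective == 0;
}

int main(void)
{
    printf("capability bracket model: %s\n", model_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of returning the saved state from model_acquire, as cap_acquire(3C) does, is that the caller restores exactly what it had rather than clearing everything, so nested brackets compose and the capability is effective for the shortest possible window, which is the discipline the guidelines above ask for.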

Appendix A

A. Glossary of Computer Security Terms

The terms listed in this glossary are used in the trusted systems community.
*-property

A Bell-La Padula security model rule allowing a subject write access to
an object only if the security level of the object dominates the security
level of the subject. Also called confinement property.

acceptance inspection
The final inspection to determine whether or not a facility or system
meets the specified technical and performance standards. This
inspection is held immediately after facility and software testing and is
the basis for commissioning or accepting the information system.
access

A specific type of interaction between a subject and an object that results
in the flow of information from one to the other.

access control

The process of limiting access to the resources of a system only to
authorized programs, processes, or other systems (in a network). See
controlled access and limited access.

access control list
A discretionary access control entity associated with an object,
consisting of a list of entries where each entry is an identifier (a user or
group of users) coupled with a set of access permissions for that user or
group.
access control mechanism
Hardware or software features, operating procedures, management
procedures, and various combinations of these designed to detect and
prevent unauthorized access and to permit authorized access in an
automated system.
access level

The hierarchical portion of the security level used to identify the
sensitivity of data and the clearance or authorization of users.

Note: The access level, in conjunction with the nonhierarchical
categories, forms the sensitivity label of an object. See category, security
level, and sensitivity label.
access period

A segment of time, generally expressed on a daily or weekly basis,
during which access rights prevail.

access port

A logical or physical identifier that a computer uses to distinguish
different tty input/output data streams.

access type

The nature of an access right to a particular device, program, or file (for
example, read, write, execute, append, modify, delete, or create).

accountability

The property that enables activities on a system to be traced to
individuals who may then be held responsible for their actions.

add-on security
The retrofitting of protection mechanisms, implemented by hardware or
software.
administrative security
The management constraints and supplemental controls established to
provide an acceptable level of protection for data. Also called
procedural security.
administrator

In the trusted system, the administrator is responsible for system
administration tasks: filesystem maintenance and repair, account
creation, and other miscellaneous administrative duties.

assurance

A measure of confidence that the security features and architecture of an
AIS accurately mediate and enforce the security policy.

attack

The act of trying to bypass security controls on a system. An attack may
be active, resulting in the alteration of data; or passive, resulting in the
release of data.
Note: The fact that an attack is made does not necessarily mean that it
will succeed. The degree of success depends on the vulnerability of the
system or activity and the effectiveness of existing countermeasures.

audit trail

A chronological record of system activities that is sufficient to enable the
reconstruction, review, and examination of the sequence of
environments and activities surrounding or leading to an operation, a
procedure, or an event in a transaction from its start to final results.
Alternatively, a set of records that collectively provide documentary
evidence of processing used to aid in tracing from original transactions
forward to related records and reports, or backwards from records and
reports to their component source transactions.

auditor

The auditor is an administrator who maintains and examines the system
audit trail. This person is responsible for maintaining and rearchiving
the information, examining the records for abuse, and customizing the
audit record gathering configuration.

authenticate

To verify the identity of a user, device, or other entity in a computer
system, often as a prerequisite to allowing access to resources in a
system.
Alternatively, to verify the integrity of data that have been stored,
transmitted, or otherwise exposed to possible unauthorized
modification.
Alternatively, to establish the validity of a claimed identity.

authentication

Verifying the claimed identity of a principal.

authenticator

The means used to confirm the identity or to verify the eligibility of a
station, originator, or individual.
Alternatively, a record containing information that can be shown to
have been recently generated using the session key known only by the
client and server.

authorization

The granting of access rights to a user, program, or process.
Alternatively, the process of determining whether a client may use a
service, which objects the client is allowed to access, and the type of
access allowed for each.

availability of data
The state when data are in the place needed by the user, at the time the
user needs them, and in the form needed by the user.

back door

See trap door.

backup plan

See contingency plan.

bandwidth

A characteristic of a communication channel that is the amount of
information that can be passed through it in a given amount of time,
usually expressed in bits per second.

Bell-LaPadula model
A formal state transition model of computer security policy that
describes a set of access control rules. In this formal model, the entities
in a computer system are divided into abstract sets of subjects and
objects. The notion of a secure state is defined, and it is proven that each
state transition preserves security by moving from secure state to secure
state, thereby inductively proving that the system is secure. A system
state is defined to be secure if the only permitted access modes of
subjects to objects are in accordance with a specific security policy. In
order to determine whether or not a specific access mode is allowed, the
clearance of a subject is compared to the classification of the object, and
a determination is made as to whether the subject is authorized for the
specific access mode. See star property (*-property) and simple security
property.
benign environment
A nonhostile environment that may be protected from external hostile
elements by physical, personnel, and procedural security
countermeasures.
between-the-lines entry
Unauthorized access obtained by tapping the temporarily inactive tty of
a legitimate user. See piggyback.

beyond A1

A level of trust defined by the DoD Trusted Computer System
Evaluation Criteria (TCSEC) that is beyond the state-of-the-art
technology available at the time the criteria were developed. It includes
all A1-level features plus additional features not required at the A1 level.

browsing

The act of searching through storage to locate or acquire information
without necessarily knowing of the existence or the format of the
information being sought.

callback

A procedure for identifying a remote system. In a callback, the host
system disconnects the caller and then dials the authorized telephone
number of the remote system to reestablish the connection. Synonymous
with dial back.

capability

A capability is a special privilege given to a process to override the
system security policy. Each capability may have associated with it one
or more flags. For processes, three flags are always associated with the
capability, namely the effective, the permitted, and the inheritable flag.
A file may have zero or more of these flags associated with it for a
capability. Appropriate privilege is determined solely by a process
having a specific capability’s effective capability flag set.

category

The non-hierarchical component of the MSEN portion of a security label.
That is, a logical division of information that spans hierarchical security
levels as a means of increasing the protection of the data and further
restricting access to the data. Typical examples would be Politics,
Art, or Sports. There can be up to 65,536 different categories on your
system.

certification

The technical evaluation of a system's security features that establishes
the extent to which a particular computer system's design and
implementation meet a set of specified security requirements.

channel

An information transfer path within a system. May also refer to the
mechanism by which the path is affected.

ciphertext

The output of an encryption function. Encryption transforms plaintext
into ciphertext.

clearance

A security clearance represents the combination of sensitivity level and
categories that you are permitted to access.

client

A process that makes use of a network service, on behalf of a user. Note
that in some cases a server may itself be a client of some other server (for
example, a print server may be a client of a file server).

closed security environment
An environment in which both of the following conditions hold true: (1)
Application developers (including maintainers) have sufficient
clearances and authorizations to provide an acceptable presumption
that they have not introduced malicious logic. (2) Configuration control
provides sufficient assurance that applications and the equipment are
protected against the introduction of malicious logic before and during
the operation of system applications.

communications security
Measures taken to deny unauthorized persons information derived
from telecommunications of the U.S. government concerning national
security, and to ensure the authenticity of such telecommunications.
Communications security includes cryptosecurity, transmission
security, and physical security of communications security material and
information.
compromise

A violation of the security policy of a system such that unauthorized
disclosure of sensitive information may have occurred.

compromising emanations
Unintentional data-related or intelligence-bearing signals that, if
intercepted and analyzed, disclose the information transmission
received, handled, or otherwise processed by any information
processing equipment.
computer abuse
The misuse, alteration, disruption or destruction of data processing
resources. The key aspects are that it is intentional and improper.
computer cryptography
The use of a crypto-algorithm in a computer, microprocessor, or
microcomputer to perform encryption or decryption in order to protect
information or to authenticate users, sources, or information.
computer fraud
Computer-related crimes involving deliberate misrepresentation,
alteration, or disclosure of data in order to obtain something of value
(usually for monetary gain). A computer system must have been
involved in the perpetration or cover-up of the act or series of acts. A
computer system might have been involved through improper
manipulation of input data; output or results; applications programs;
data files; computer operations; communications; or computer
hardware, systems software, or firmware.
COMSEC

Refers to communications security.

concealment system
A method of achieving confidentiality in which sensitive information is
hidden by embedding it in irrelevant data.
confidentiality

The concept of holding sensitive data in confidence, limited to an
appropriate set of individuals or organizations.

configuration control
The process of controlling modifications to the system's hardware,
firmware, software, and documentation that provides sufficient
assurance that the system is protected against the introduction of
improper modifications before, during, and after system
implementation.
configuration management
The management of security features and assurances through control of
changes made to a system's hardware, software, firmware,
documentation, test, test fixtures, and test documentation throughout
the development and operational life of the system.
configuration range
The evaluation of a computer system by the NCSC (National Computer
Security Center) is typically performed on a set of computer systems
manufactured by the evaluatee rather than on just one particular
computer system model. Due to the complexity of the evaluation
process, it is common that only a closely related subset of the evaluatee's
computer system product line be evaluated. The exact definition of the
set of computer systems that is being evaluated is called the
configuration range. The definition is exact. For example, part numbers
of cables that connect keyboards to the system are part of the definition,
and use of even a keyboard cable with a part number not in the
configuration range will cause the evaluation not to be valid for that
system. It is important to remember that the whole computer system is
being evaluated, not just the software.
confinement

The prevention of the leaking of sensitive data from a program.

confinement channel
See covert channel.
contamination

The intermixing of data at different sensitivity and need-to-know levels.
The lower-level data is said to be contaminated by the higher level data;
thus, the contaminating (higher level) data may not receive the required
level of protection.

contingency plan
A plan for emergency response, backup operations, and post-disaster
recovery maintained by an activity as a part of its security program that
ensures the availability of critical resources and facilitates the continuity
of operations in an emergency situation. Also called disaster plan and
emergency plan.

control zone

The space (expressed in feet of radius, surrounding equipment
processing sensitive information) that is under sufficient physical and
technical control to preclude an unauthorized entry or compromise.

controlled access
See access control.
controlled sharing
The condition that exists when access control is applied to all users and
components of a system.
cost-risk analysis
The assessment of the costs of providing data protection for a system
versus the cost of losing or compromising the data.
countermeasure
Any action, device, procedure, technique, or other measure that reduces
the vulnerability of or threat to a system.
covert channel

A communications channel that allows two cooperating processes to
transfer information in a manner that violates the system's security
policy. Synonymous with confinement channel.
Alternatively, a communication channel that allows a process to
transfer information in a manner that violates the system's security
policy. See also covert storage channel and covert timing channel.

covert storage channel
A covert channel that involves the direct or indirect writing of a storage
location by one process and the direct or indirect reading of the storage
location by another process. Covert storage channels typically involve a
finite resource (for example, sectors on a disk) that is shared by two
subjects at different security levels.
covert timing channel
A covert channel in which one process signals information to another by
modulating its own use of system resources (for example, CPU time) in
such a way that this manipulation affects the real response time
observed by the second process.
crypto-algorithm
A well-defined procedure or sequence of rules or steps used to produce
a key stream or cipher text from plain text and vice versa.

cryptography

The principles, means and methods for rendering information
unintelligible, and for restoring encrypted information to intelligible
form.

cryptosecurity

The security or protection resulting from the proper use of technically
sound cryptosystems.

DAC

Discretionary Access Control.

data

Information with a specific physical representation.

data flow control
See information flow control.
data integrity

The requirement that data meet an a priori expectation of quality.
Alternatively, the state that exists when computerized data is the same
as that in the source documents and has not been exposed to accidental
or malicious alteration or destruction.

data security

The protection of data from unauthorized (accidental or intentional)
modification, destruction, or disclosure.

dedicated security mode
See modes of operation.
default classification
A temporary classification reflecting the highest classification being
processed in a system. The default classification is included in the
caution statement affixed to the object.
degauss

To reduce magnetic flux density to zero by applying a reverse
magnetizing field.

degausser

An electrical device that can generate a magnetic field for the purpose of
degaussing magnetic storage media.

Degausser Products List
A list of commercially produced degaussers that meet National Security
Agency specifications. This list is included in the NSA Information
Systems Security Products and Services Catalogue, and is available
through the Government Printing Office.

denial of service
Any action or series of actions that prevent any part of a system from
functioning in accordance with its intended purpose. This includes any
action that causes unauthorized destruction, modification, or delay of
service. Synonymous with interdiction.
dial back

See callback.

dial up

The service whereby a computer can use the telephone to initiate and
effect communication with a computer.

disaster plan

See contingency plan.

Discretionary Access Control
A means of restricting access to objects based on the identity and the
need of the user, process and/or groups to which they belong. The
controls are discretionary in the sense that a subject with a certain access
permission is capable of passing that permission (perhaps indirectly) on
to any other subject. See also Mandatory Access Control.
division

The non-hierarchical component of the MINT part of the security label.
This is the integrity part of the security label. The division component is
very similar to the category component of the MSEN part of the security
label. There can be up to 65,536 different divisions on your system.
Typical examples of a division might be Prose, Poetry, Verse.

DoD Trusted Computer System Evaluation Criteria
A document published by the National Computer Security Center
containing a uniform set of basic requirements and evaluation classes
for assessing degrees of assurance in the effectiveness of hardware and
software security controls built into systems. These criteria are intended
for use in the design and evaluation of systems that process and store
sensitive or classified data. This document is Government Standard
DoD 5200.28-STD and is frequently referred to as “The Criteria” or “The
Orange Book”.
domain

The unique context (for example, access control parameters) in which a
program is operating; in effect, the set of objects that a subject has the
ability to access. See process and subject.
Alternatively, the set of objects that a subject has the ability to access.

dominate

Access to a file or resource under Mandatory Access Control is
determined according to “domination.” You can view a file only if your
process label dominates the label of the file. One label (high) dominates
another label (low) if all four of the following conditions are true:
• The Mandatory Sensitivity of high is greater than or equal to low,
• The set of Mandatory Sensitivity categories of high is identical to
  or a strict superset of the categories of low,
• The Mandatory Integrity requirement of high is less than or equal
  to the Integrity grade of low,
• The set of Mandatory Integrity divisions of high is identical to or a
  strict superset of the divisions of low.

emanations

See compromising emanations.
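The four conditions given under “dominate” above can be checked mechanically. The following C program is an added example, not code from this guide or from SGI: it represents a label as a sensitivity level, a category set, an integrity grade and a division set, and implements the rule exactly as the four conditions state it (including the superset test on divisions). The struct layout, the bitmask representation of category and division sets, the numeric grade values and the sample labels are all assumptions made for illustration; on the real system the label is a mac_t object and the comparison is mac_dominate(3C) from Table 6-1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One MAC label: MSEN part (level + categories) and MINT part (grade + divisions).
   Category and division sets are 64-bit masks here; the real system allows
   65,536 of each, but 64 is enough to show the rule. */
struct label {
    int      msen_level;   /* Mandatory Sensitivity level, higher = more sensitive  */
    uint64_t categories;   /* set of MSEN categories                                 */
    int      mint_grade;   /* Mandatory Integrity grade, higher = more trustworthy   */
    uint64_t divisions;    /* set of MINT divisions                                  */
};

/* true when every member of sub is also a member of super */
static bool subset(uint64_t sub, uint64_t super)
{
    return (sub & ~super) == 0;
}

/* high dominates low only if all four conditions from the glossary hold */
bool dominates(const struct label *high, const struct label *low)
{
    return high->msen_level >= low->msen_level          /* 1: sensitivity */
        && subset(low->categories, high->categories)     /* 2: categories  */
        && high->mint_grade <= low->mint_grade           /* 3: integrity   */
        && subset(low->divisions, high->divisions);      /* 4: divisions   */
}

/* A process may view a file only if its label dominates the file's label. */
bool may_view(const struct label *process, const struct label *file)
{
    return dominates(process, file);
}

/* Constructed sample values; the numbering is assumed, not the system's. */
enum { CAT_POLITICS = 1u << 0, CAT_ART = 1u << 1, CAT_SPORTS = 1u << 2 };
enum { DIV_PROSE = 1u << 0, DIV_POETRY = 1u << 1 };
enum { GRADE_POOR = 1, GRADE_GOOD = 2, GRADE_BEST = 3 };

const struct label PROC_LABEL = { 2, CAT_POLITICS | CAT_ART, GRADE_GOOD, DIV_PROSE | DIV_POETRY };
const struct label FILE_OK    = { 1, CAT_ART,    GRADE_GOOD, DIV_PROSE };  /* viewable                 */
const struct label FILE_BEST  = { 1, CAT_ART,    GRADE_BEST, DIV_PROSE };  /* higher integrity: viewable */
const struct label FILE_CAT   = { 1, CAT_SPORTS, GRADE_GOOD, DIV_PROSE };  /* category the process lacks */
const struct label FILE_LOWI  = { 1, CAT_ART,    GRADE_POOR, DIV_PROSE };  /* integrity below requirement */
const struct label FILE_HIGH  = { 3, CAT_ART,    GRADE_GOOD, DIV_PROSE };  /* sensitivity too high       */

int main(void)
{
    printf("same level, fewer categories:   %d\n", may_view(&PROC_LABEL, &FILE_OK));
    printf("higher integrity grade:         %d\n", may_view(&PROC_LABEL, &FILE_BEST));
    printf("category not held by process:   %d\n", may_view(&PROC_LABEL, &FILE_CAT));
    printf("integrity grade too low:        %d\n", may_view(&PROC_LABEL, &FILE_LOWI));
    printf("sensitivity above process:      %d\n", may_view(&PROC_LABEL, &FILE_HIGH));
    return 0;
}
```

Note that the integrity test runs the opposite way from the sensitivity test: the process's integrity requirement must be at or below the file's grade, so a process needing Good integrity can read Good or Best data but not Poor data, while a higher sensitivity level on the file blocks the read. Running all four checks, rather than stopping at the sensitivity comparison, is what prevents a low-integrity file from being read into a high-integrity context.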

embedded system
A system that performs or controls a function, either in whole or in part,
as an integral element of a larger system or subsystem.
emergency plan
See contingency plan.
emission security
The protection resulting from all measures taken to deny unauthorized
persons information of value that might be derived from intercept and
from an analysis of compromising emanations from systems.
end-to-end encryption
The protection of information passed in a telecommunications system
by cryptographic means, from point of origin to point of destination.
Alternatively, protection of traffic in a communications network by
encrypting it at the source and decrypting it at the destination so that
all nodes it passes through remain ignorant of its actual content.

entrapment

The deliberate planting of apparent flaws in a system for the purpose of
detecting attempted penetrations.

environment

The aggregate of external procedures, conditions, and objects that affect
the development, operation, and maintenance of a system.

EPL

The Evaluated Products List

erasure

A process by which a signal recorded on magnetic media is removed.
Erasure is accomplished in two ways: (1) alternating current erasure, in
which the information is destroyed by applying an alternating high and
low magnetic field to the media; or (2) direct current erasure, in which
the media are saturated by applying a unidirectional magnetic field.

Evaluated Products List
A list of equipments, hardware, software, and firmware that have been
evaluated against and found to be technically compliant with, at a
particular level of trust, the DoD TCSEC by the NCSC. The EPL is
included in the National Security Agency Information Systems Security
Products and Services Catalogue, which is available through the
Government Printing Office.
evaluation criteria
Trusted IRIX/CMW meets the requirements specified for the Trusted
Computer System Evaluation Criteria (TCSEC). The U.S. government
specifies a set of criteria that trusted systems must meet to be evaluated
successfully. A trusted system must offer a number of specific security
features and must demonstrate that it can be maintained and distributed
in a trusted fashion.
executive state

One of several states in which a system may operate and the only one in
which certain privileged instructions may be executed. Such
instructions cannot be executed when the system is operating in other
(for example, user) states. Synonymous with supervisor state.

exploitable channel
Any information channel that is usable or detectable by subjects external
to the trusted computing base whose purpose is to violate the security
policy of the system. See also covert channel.
Alternatively, any channel that is usable or detectable by subjects
external to the Trusted Computing Base.

fail safe

Pertaining to the automatic protection of programs or processing
systems to maintain safety when a hardware or software failure is
detected in a system.

fail soft

Pertaining to the selective termination of affected nonessential
processing when a hardware or software failure is detected in a system.

failure access

An unauthorized and usually inadvertent access to data resulting from
a hardware or software failure in the system.

failure control
The methodology used to detect and provide fail-safe or fail-soft
recovery from hardware and software failures in a system.
fault

A condition that causes a device or system component to fail to perform
in a required manner.

fetch protection
A system-provided restriction to prevent a program from accessing data
in another user's segment of storage.
file protection

The aggregate of all processes and procedures in a system designed to
inhibit unauthorized access, contamination, or elimination of a file.

file security

The means by which access to computer files is limited to authorized
users only.

flaw

An error of commission, omission, or oversight in a system that allows
protection mechanisms to be bypassed.

flaw hypothesis methodology
A systems analysis and penetration technique in which specifications
and documentation for the system are analyzed and flaws in the system
are hypothesized. The list of hypothesized flaws is then prioritized on
the basis of the estimated probability that a flaw exists and, assuming a
flaw does exist, on the ease of exploiting it, and on the extent of control
or compromise it would provide. The prioritized list is used to direct a
penetration attack against the system.
formal access approval
Documented approval by a data owner to allow access to a particular
category of information.
formal proof

A complete and convincing mathematical argument, presenting the full
logical justification for each proof step, for the truth of a theorem or set
of theorems. The formal verification process uses formal proofs to show
the truth of certain properties of formal specification and for showing
that computer programs satisfy their specifications.

formal security policy model
A mathematically precise statement of a security policy. To be precise,
such a model must represent the initial state of a system, the way in
which the system progresses from one state to another, and a definition
of a secure state of the system. To be acceptable as a basis for a Trusted
Computing Base, the model must be supported by a formal proof that if
the initial state of the system satisfies the definition of a “secure” state
and if all assumptions required by the model hold, then all future states
of the system will be secure. Some formal modeling techniques include:
state transition models, temporal logic models, denotational semantics
models, algebraic specification models. An example is the model
described by Bell and LaPadula in [Bell, D. E. and LaPadula, L. J. Secure
Computer System: Unified Exposition and Multics Interpretation,
MTR-2997 Rev. 1, MITRE Corp., Bedford, Mass., March 1976]. See also
Bell-LaPadula model and security policy model.
formal verification
The process of using formal proofs to demonstrate the consistency
between a formal specification of a system and a formal security policy
model (design verification) or between the formal specification and its
high-level program implementation (implementation verification).
front-end security filter
A security filter, which could be implemented in hardware or software,
that is logically separated from the remainder of the system to protect
the system's integrity.
Alternatively, a process that is invoked to process data according to a
specified security policy prior to releasing the data outside the
processing environment or upon receiving data from an external
source.
functional testing
The segment of security testing in which the advertised security features
of the system are tested, under operational conditions, for correct
operation.

grade

The hierarchical component of the MINT part of the security label. This
is the representation of the integrity level of an object or the integrity
requirement of a subject. The higher the value, the higher the integrity
level or requirement. Typical examples of grade are as follows:

• Best--This integrity rating is reserved for the Trusted Computing
Base. Administrative accounts such as root require this level of
integrity.

• Good--Free from viruses, worms, and so on.

• Poor--Software obtained from unknown persons.

granularity

An expression of the relative size of a data object; for example,
protection at the file level is considered coarse granularity, whereas
protection at field level is considered to be of a finer granularity.
Alternatively, the relative fineness or coarseness by which a mechanism
can be adjusted. The phrase “the granularity of a single user” means the
access control mechanism can be adjusted to include or exclude any
single user.

guard

A processor that provides a filter between two disparate systems
operating at different security levels or between a user process and a
database to filter out data that the user is not authorized to access.

handshaking procedure
A dialogue between two entities (for example, a user and a computer, a
computer and another computer, or a program and another program)
for the purpose of identifying and authenticating the entities to one
another.
host to front-end protocol
A set of conventions governing the format and control of data that are
passed from a host to a front-end machine.

I&A

Identification and Authentication.

Identification and Authentication
I&A is the process of determining (with some level of confidence) the
true identity of a user. The process usually requires both a user name
(the identification) and a password (the authentication). The
authentication part of the process is the underlying logic that the login
and su programs go through in validating the password against the
supplied user name.
impersonating

See spoofing.
incomplete parameter checking
A system design flaw that results when not all parameters have been
fully anticipated for accuracy and consistency, thus making the system
vulnerable to penetration.
individual accountability
The ability to associate positively the identity of a user with the time,
method, and degree of access to a system.
information flow control
A procedure to ensure that information transfers within a system are not
made from a higher security level object to an object of a lower security
level. See covert channel, simple security property, and star property
(*-property). Synonymous with data flow control.
Information Systems Security Products and Services Catalogue
A catalogue issued quarterly by the National Security Agency that
incorporates the DPL, EPL, ETL, PPL and other security product and
service lists. This catalogue is available through the U.S. Government
Printing Office, Washington, DC, (202) 783-3238.
instance

The name often given to the second component of a principal identifier,
or a particular principal from a group of related principals. In the latter
usage, the instances are often created to partition permissions for users.
For example, a user might have a “normal” instance and a “root”
instance (which has different privileges) to impose a naming convention
on service key names. For a particular service, the instance identifies
the host machine on which that service is provided and the principal
identifier of the server.

integrity

In secure systems, the term “integrity” refers to the relative level of trust
a user can place in using a system resource. A program obtained from a
public-access bulletin board is of much lower integrity than one
purchased from a reputable vendor. This program is in turn of much
lower integrity than a program shipped as part of a trusted system. See
Mandatory Integrity.
Alternatively, sound, unimpaired, or perfect condition.

integrity label (MINT)
One half of the MAC label. Represents the measure of trust a user can
put in a system resource. See MSEN and sensitivity label.
interdiction

See denial of service.

internal security controls
Hardware, firmware, and software features within a system that restrict
access to resources (hardware, software, and data) to authorized subjects
only (persons, programs, or devices).
isolation

The containment of subjects and objects in a system in such a way that
they are separated from one another, as well as from the protection
controls of the operating system.

lattice

A partially ordered set for which every pair of elements has a greatest
lower bound and a least upper bound.
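
The lattice definition above, worked through as an added example (this is not code from the Trusted IRIX/CMW guide or the system): a sensitivity label is modelled as a hierarchical level plus a set of non-hierarchical categories, the least upper bound and greatest lower bound of two labels are computed, and the lattice property is checked over every label built from two constructed categories. The level names, the category names and the `Label`, `lub`, `glb` and `is_lattice` helpers are assumptions made for the demonstration, not identifiers from the system.

```python
"""Least upper bound and greatest lower bound on a security lattice.

Added example, not code from the Trusted IRIX/CMW guide. The level
ordering and the categories are constructed for the demonstration.
"""
from dataclasses import dataclass
from itertools import product

# Hierarchical levels, lowest to highest (constructed ordering).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str              # hierarchical component
    categories: frozenset   # non-hierarchical component

    def rank(self) -> int:
        return LEVELS.index(self.level)


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: level at least as high and a superset of categories."""
    return a.rank() >= b.rank() and a.categories >= b.categories


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both inputs.
    This is the label data must carry when two sources are combined:
    the higher level and the union of the categories."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.categories | b.categories)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both inputs."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.categories & b.categories)


def is_lattice(labels) -> bool:
    """Check the glossary's definition on a finite set of labels: every
    pair must have a least upper bound and a greatest lower bound that
    lie in the set, bound both elements, and are the tightest such bounds."""
    labels = set(labels)
    for a, b in product(labels, repeat=2):
        top, bottom = lub(a, b), glb(a, b)
        if top not in labels or bottom not in labels:
            return False
        if not (dominates(top, a) and dominates(top, b)):
            return False
        if not (dominates(a, bottom) and dominates(b, bottom)):
            return False
        for c in labels:
            # any other upper bound must dominate the lub ...
            if dominates(c, a) and dominates(c, b) and not dominates(c, top):
                return False
            # ... and any other lower bound must be dominated by the glb
            if dominates(a, c) and dominates(b, c) and not dominates(bottom, c):
                return False
    return True


def all_labels(categories):
    """Every label over LEVELS and every subset of the given categories."""
    cats = list(categories)
    out = []
    for level in LEVELS:
        for mask in range(1 << len(cats)):
            subset = frozenset(c for i, c in enumerate(cats) if mask >> i & 1)
            out.append(Label(level, subset))
    return out


if __name__ == "__main__":
    # Constructed input: two incomparable labels and their bounds.
    a = Label("SECRET", frozenset({"NUCLEAR"}))
    b = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    print(dominates(a, b), dominates(b, a))            # neither dominates
    print(lub(a, b))                                   # SECRET {NUCLEAR, CRYPTO}
    print(glb(a, b))                                   # CONFIDENTIAL, no categories
    print(is_lattice(all_labels({"NUCLEAR", "CRYPTO"})))
```

The two labels in the demonstration are incomparable (neither dominates the other), which is exactly the case where a plain ordering is not enough and the lattice bounds are needed: a process that has read both must be labelled with their least upper bound.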

least privilege

The principle that requires that each subject be granted the most
restrictive set of privileges needed for the performance of authorized
tasks. The application of this principle limits the damage that can result
from accident, error, or unauthorized use.
limited access

See access control.

lock-and-key protection system
A protection system that involves matching a key or password with a
specific access requirement.
logic bomb

A resident computer program that triggers the perpetration of an
unauthorized act when particular states of the system are realized.

login-spoofing program
This term refers to any program that represents itself as a login program
in order to steal your password. For example, a spoofing program might
print the UNIX login banner on an unattended system and wait for
input from the user. The user dutifully types in the user name, and the
program prompts for the password, turning off character echo. After
storing away the user's password, the program reports that the
password is incorrect and exits, which causes the real login program to
be started on the system. The user then logs in, mistakenly assuming
that he or she previously mistyped the name or password, and starts a
session.
loophole

An error of omission or oversight in software or hardware that permits
circumventing the system security policy.

MAC

Mandatory Access Control. See Mandatory Access Control.

MAC label

A MAC label is comprised of two halves: the sensitivity label (MSEN)
and the integrity label (MINT). A typical MAC label would be
msenhigh/mintlow. This would represent an object with a highly
sensitive topic, but with a relatively low level of integrity (perhaps
obtained from a questionable source).

magnetic remanence
A measure of the magnetic flux density remaining after removal of the
applied magnetic force. Refers to any data remaining on magnetic
storage media after removal of the power.
maintenance hook
Special instructions in software to allow easy maintenance and
additional feature development. These are typically not clearly defined
in the design specification. Hooks frequently allow entry into the
code at unusual points or without the usual checks, so they are a serious
security risk if they are not removed before live implementation.
Maintenance hooks are special types of trap doors.
malicious logic
Hardware, software, or firmware that is intentionally included in a
system for an unauthorized purpose; for example, a Trojan horse or a virus.

Mandatory Access Control
MAC is a means of restricting access to objects based on the sensitivity
and integrity (as represented by a label) of the information contained in
the objects and the formal authorization (that is, clearance) of subjects to
access information of such sensitivity and integrity. See also
Discretionary Access Control.
Mandatory Integrity
A means of restricting access to objects based on the integrity (as
represented by a label) of the information contained in the objects and
of the subjects. Integrity is necessary to identify the Trusted IRIX/CMW
TCB. In order to do so, some mechanism for restricting what programs
may be executed by the superuser, auditor, and any other trusted users
must be implemented. The Mandatory Integrity (MINT) component of
the security label provides TCB isolation by denying access to programs
that have not been sufficiently analyzed (or that have been analyzed and
are deemed untrustworthy for users with high integrity requirements).
The MINT mechanism grants a process read or execute access to an
object only if the object's integrity label dominates the integrity label
of the process; a process can never read or execute anything of lower
integrity than itself. Additionally, a process may write only to an object
with the same integrity label. The MINT mechanism is very similar to
the MSEN mechanism in having 256 hierarchical levels (the grades) and
65,536 non-hierarchical components (the divisions).
Mandatory Sensitivity
The label of every subject and object on the system indicates a level of
security clearance. Access to an object by a subject is based on their
relative levels of clearance. A user will not even be aware of the existence
of objects that are at a higher level of sensitivity. A sensitivity label
(MSEN) is comprised of a type (for example, msenhigh) and a category
(for example, Politics, Sports).
masquerading

See spoofing.

mimicking

See spoofing.

MINT

Mandatory Integrity. See Mandatory Integrity.

multilevel device
A device that is used in a manner that permits it to simultaneously
process data of two or more security levels without risk of compromise.
To accomplish this, sensitivity labels are normally stored on the same
physical medium and in the same form (that is, machine-readable or
human-readable) as the data being processed.

multilevel secure
A class of system containing information with different sensitivities that
simultaneously permits access by users with different security
clearances and needs-to-know, but prevents users from obtaining access
to information for which they lack authorization.
multilevel security mode
See modes of operation.
multiple access rights terminal
A system or port that may be used by more than one class of users; for
example, users with different access rights to data.
multiuser mode of operation
A mode of operation designed for systems that process sensitive
unclassified information in which users may not have a need-to-know
for all information processed in the system. This mode is also for
microcomputers processing sensitive unclassified information that
cannot meet the requirements of the stand-alone mode of operation.
mutually suspicious
The state that exists between interacting processes (subsystems or
programs) in which neither process can expect the other process to
function securely with respect to some property.
National Computer Security Center
Originally named the DoD Computer Security Center, the NCSC is
responsible for encouraging the widespread availability of trusted
computer systems throughout the Federal Government.
National Security Decision Directive 145
Signed by President Reagan on 17 September 1984, this directive is
entitled “National Policy on Telecommunications and Automated
Information Systems Security.” It provides initial objectives, policies,
and an organizational structure to guide the conduct of national
activities toward safeguarding systems that process, store, or
communicate sensitive information; establishes a mechanism for policy
development; and assigns implementation responsibilities.

National Telecommunications and Information System Security Directives
NTISS Directives establish national-level decisions relating to NTISS
policies, plans, programs, systems, or organizational delegations of
authority. NTISSDs are promulgated by the Executive Agent of the
Government for Telecommunications and Information Systems
Security, or by the Chairman of the NTISSC when so delegated by the
Executive Agent. NTISSDs are binding upon all federal departments
and agencies.
National Telecommunications and Information Systems Security Advisory
Memoranda Instructions
NTISS Advisory Memoranda and Instructions provide advice,
assistance, or information of general interest on telecommunications
and systems security to all applicable federal departments and agencies.
NTISSAMs/NTISSIs are promulgated by the National Manager for
Telecommunications and Automated Information Systems Security and
are recommendatory.
NCSC

National Computer Security Center.

need-to-know

The necessity for access to, knowledge of, or possession of specific
information required to carry out official duties.
network front end
A device that implements the necessary network protocols, including
security-related protocols, to allow a computer system to be attached to
a network.

NSDD 145

See National Security Decision Directive 145.

NTISSC

National Telecommunications and Information Systems Security
Committee.

object

A passive entity that contains or receives information. Access to an
object potentially implies access to the information it contains. Examples
of objects are: records, blocks, pages, segments, files, directories,
directory trees, and programs, as well as bits, bytes, words, fields,
processors, video displays, keyboards, clocks, printers, and network
nodes.

object reuse

The reassignment and reuse of a storage medium (for example, page
frame, disk sector, magnetic tape) that once contained one or more
objects. To be securely reused and assigned to a new subject, storage
media must contain no residual data (magnetic remanence) from the
object(s) previously contained in the media.

open security environment
An environment that includes those systems in which at least one of the
following conditions holds true: (1) Application developers (including
maintainers) do not have sufficient clearance or authorization to provide
an acceptable presumption that they have not introduced malicious
logic. (2) Configuration control does not provide sufficient assurance
that applications are protected against the introduction of malicious
logic prior to and during the operation of system applications.
Operations Security
An analytical process by which the U.S. Government and its supporting
contractors can deny to potential adversaries information about
capabilities and intentions by identifying, controlling, and protecting
evidence of the planning and execution of sensitive activities and
operations.
OPSEC

Operations Security. See Operations Security.

Orange Book

Alternate name for DoD Trusted Computer Security Evaluation Criteria.

output

Information that has been exported by a TCB.

overt channel

A path within a computer system or network that is designed for the
authorized transfer of data. See also covert channel.

overwrite procedure
A stimulation to change the state of a bit followed by a known pattern.
See also magnetic remanence.
password

A protected, private character string used to authenticate an identity.

password aging
An administrator can set a minimum and a maximum amount of time
for the use of a given password. A user may be unable to log in if the
password has expired and the user ignored warnings to change it.
penetration signature
The characteristics or identifying marks that may be produced by a
penetration.
penetration study
A study to determine the feasibility and methods for defeating controls
of a system.

penetration testing
The portion of security testing in which the evaluators attempt to
circumvent the security features of a system. The evaluators may be
assumed to use all system design and implementation documentation,
which may include listings of system source code, manuals, and circuit
diagrams. The evaluators work under the same constraints applied to
ordinary users.
periods processing
The processing of various levels of sensitive information at distinctly
different times. Under periods processing, the system must be purged of
all information from one processing period before transitioning to the
next when there are different users with differing authorizations.
permissions

A description of the type of authorized interactions a subject can have
with an object. Examples include read, write, execute, add, modify, and
delete.

personnel security
The procedures established to ensure that all personnel who have access
to sensitive information have the required authority as well as
appropriate clearances.
physical security
The application of physical barriers and control procedures as
preventive measures or countermeasures against threats to resources
and sensitive information.
piggyback

Gaining unauthorized access to a system via another user's legitimate
connection. See between-the-lines entry.

plaintext

The input to an encryption function or the output of a decryption
function. Decryption transforms ciphertext into plaintext.

Preferred Products List
A list of commercially produced equipment that meets requirements
prescribed by the National Security Agency. This list is included in the
NSA Information Systems Security Products and Services Catalogue,
issued quarterly and available through the Government Printing Office.
principal

A uniquely named client or server instance that participates in a
network communication.

principal identifier
The name used to uniquely identify each different principal.

print suppression
Eliminating the displaying of characters in order to preserve their
secrecy; for example, not displaying the characters of a password as it is
keyed in.
privileged instructions
A set of instructions (for example, interrupt handling or special
computer instructions) to control features (such as storage protection
features) that are generally executable only when the automated system
is operating in the executive state.
procedural security
See administrative security.
process

A program in execution. It is completely characterized by a single
current execution point (represented by the machine state) and address
space.

protection-critical portions of the TCB
Those portions of the TCB whose normal function is to deal with the
control of access between subjects and objects. Their correct operation is
essential to the protection of the data on the system.
protection philosophy
An informal description of the overall design of a system that delineates
each of the protection mechanisms employed. A combination,
appropriate to the evaluation class, of formal and informal techniques is
used to show that the mechanisms are adequate to enforce the security
policy.
protection ring

One of a hierarchy of privileged modes of a system that gives certain
access rights to user programs and processes authorized to operate in a
given mode.

protocols

A set of rules and formats, semantic and syntactic, that permits entities
to exchange information.

pseudo-flaw

An apparent loophole deliberately implanted in an operating system
program as a trap for intruders.

Public Law 100-235
Also known as the Computer Security Act of 1987, this law creates a
means for establishing minimum acceptable security practices for
improving the security and privacy of sensitive information in federal
computer systems. This law assigns to the National Institute of
Standards and Technology responsibility for developing standards and
guidelines for federal computer systems processing unclassified data.
The law also requires establishment of security plans by all operators of
federal computer systems that contain sensitive information.
rainbow series

The informal name given to a set of books published by the NCSC that
deal with computer security. The books are published with covers in
different colors, hence the term “rainbow.” The most used book in the
rainbow series is the Orange Book, the DoD Trusted Computer System
Evaluation Criteria.
read

A fundamental operation that results only in the flow of information
from an object to a subject.

read access

Permission to read information.

recovery procedures
The actions necessary to restore a system's computational capability and
data files after a system failure.
reference monitor concept
An access-control concept that refers to an abstract machine that
mediates all accesses to objects by subjects.
reference validation mechanism
An implementation of the reference monitor concept. A security kernel
is a type of reference validation mechanism.

reliability

The probability of a given system performing its mission adequately for
a specified period of time under the expected operating conditions.

residual risk

The portion of risk that remains after security measures have been
applied.

residue

Data left in storage after processing operations are complete, but before
degaussing or rewriting has taken place.

resource encapsulation
The process of ensuring that a resource not be directly accessible by a
subject, but that it be protected so that the reference monitor can
properly mediate accesses to it.
restricted area

Any area to which access is subject to special restrictions or controls for
reasons of security or safeguarding of property or material.
risk

The probability that a particular threat will exploit a particular
vulnerability of the system.

risk analysis

The process of identifying security risks, determining their magnitude,
and identifying areas needing safeguards. Risk analysis is a part of risk
management. Synonymous with risk assessment.

risk assessment

See risk analysis.

risk index

The disparity between the minimum clearance or authorization of
system users and the maximum sensitivity (for example, classification
and categories) of data processed by a system.

risk management
The total process of identifying, controlling, and eliminating or
minimizing uncertain events that may affect system resources. It
includes risk analysis, cost benefit analysis, selection, implementation
and test, security evaluation of safeguards, and overall security review.
RM Plan

The Rating Maintenance Plan (RM-Plan) is a living document that
describes the policies which govern modifications to the Trusted
IRIX/CMW system and the procedures used to implement these
policies. It describes in detail the initial contents of the system, and how
each component of the Trusted Computing Base was approved for
inclusion. The procedures for making changes to the system for future
releases are defined. The change request mechanisms for new features,
performance enhancements, and field-detected security failures are
described. The methods by which changes are tracked are defined in the
RM-Plan. Source code control, document control, the product naming
scheme, and methods for identification of changes to the RM-Plan itself
are described. Evidence supporting the validity and necessity of
changes is maintained.

safeguards

See security safeguards.

scavenging

Searching through object residue to acquire unauthorized data.

seal

To encipher a record containing several fields in such a way that the
fields cannot be individually replaced without either knowledge of the
encryption key or leaving evidence of tampering.

secure configuration management
The set of procedures appropriate for controlling changes to a system's
hardware and software structure for the purpose of ensuring that
changes will not lead to violations of the system's security policy.
secure state

A condition in which no subject can access any object in an unauthorized
manner.

secure subsystem
A subsystem that contains its own implementation of the reference
monitor concept for those resources it controls. However, the secure
subsystem must depend on other controls and the base operating
system for the control of subjects and the more primitive system objects.
Security Administration Guide
This document describes the administration of the security features of
Trusted IRIX/CMW. Instructions are provided on planning and
administering a trusted system, managing Mandatory Access Control,
Auditing, and Identification and Authentication facilities. Also, the
document covers printing and use of magnetic media in a trusted
environment.
The NCSC requires this document as part of the evaluation materials.
The NCSC name for this kind of document is a “Trusted Facilities
Manual.” The Trusted IRIX/CMW Security Administrator’s Guide is the
Trusted Facilities Manual for Trusted IRIX/CMW.
security critical mechanisms
Those security mechanisms whose correct operation is necessary to
ensure that the security policy is enforced.

security evaluation
An evaluation done to assess the degree of trust that can be placed in
systems for the secure handling of sensitive information. One type, a
product evaluation, is an evaluation performed on the hardware and
software features and assurances of a computer product from a
perspective that excludes the application environment. The other type,
a system evaluation, is done for the purpose of assessing a system's
security safeguards with respect to a specific operational mission and is
a major step in the certification and accreditation process.
security fault analysis
A security analysis, usually performed on hardware at gate level, to
determine the security properties of a device when a hardware fault is
encountered.
security features
The security-relevant functions, mechanisms, and characteristics of
system hardware and software. Security features are a subset of system
security safeguards.
Security Features User's Guide
This document exists to describe in layman's terms the user visible
portion of the security features of the Trusted IRIX/CMW operating
system. This book describes for the user specific methods for effectively
using the system. It also describes what the user is not allowed to do and
what actions the user should take when faced with a denial of service.
security filter

A trusted subsystem that enforces a security policy on the data that pass
through it.

security flaw

An error of commission or omission in a system that may allow
protection mechanisms to be bypassed.

security flow analysis
A security analysis performed on a formal system specification that
locates potential flows of information within the system.
security kernel

The hardware, firmware, and software elements of a TCB that
implement the reference monitor concept. It must mediate all accesses,
be protected from modification, and be verifiable as correct.

security label

The data structure used to associate a security clearance or classification
to each subject and object in Trusted IRIX/CMW. The structure of a
security label is shown in Figure A-1.

[Figure A-1: Data Structure of a Security Label]

security measures
Elements of software, firmware, hardware, or procedures that are
included in a system for the satisfaction of security specifications.
security perimeter
The boundary where security controls are in effect to protect assets.
security policy

The set of laws, rules, and practices that regulate how an organization
manages, protects, and distributes sensitive information.
security policy model
A formal presentation of the security policy enforced by the system. It
must identify the set of rules and practices that regulate how a system
manages, protects, and distributes sensitive information. See
Bell-LaPadula model and formal security policy model.
security range

The highest and lowest security levels that are permitted in or on a
system, system component, subsystem, or network.

security requirements
The types and levels of protection necessary for equipment, data,
information, applications, and facilities to meet security policy.
security requirements baseline
A description of minimum requirements necessary for a system to
maintain an acceptable level of security.
security safeguards
The protective measures and controls that are prescribed to meet the
security requirements specified for a system. Those safeguards may
include but are not necessarily limited to hardware and software
security features, operating procedures, accountability procedures,
access and distribution controls, management constraints, personnel
security, and physical structures, areas, and devices. Also called
safeguards.
security specifications
A detailed description of the safeguards required to protect a system.
security test and evaluation
An examination and analysis of the security safeguards of a system as
they have been applied in an operational environment to determine the
security posture of the system.
security testing

A process used to determine that the security features of a system are
implemented as desired. This includes hands-on functional testing,
penetration testing, and verification.
sensitive information
Any information, whose loss, misuse, modification of, or unauthorized
access to, could affect the national interest or the conduct of Federal
programs, or the privacy to which individuals are entitled under Section
552a of Title 5, U.S. Code, but that has not been specifically authorized
under criteria established by an Executive order or an act of Congress to
be kept classified in the interest of national defense or foreign policy.
sensitivity

In secure systems, sensitivity is a measure of the risk associated with the
disclosure of the data in question. A map of a foreign city
(UNCLASSIFIED) is less sensitive than the map of a foreign military
base (SECRET) which is in turn less sensitive than the name of the asset
who provided the maps (TOP SECRET).

sensitivity label
One half of the MAC label. Where the MINT half represents the degree
of confidence a user may have in the integrity of a system resource, the
sensitivity label is a relative representation of the degree of risk
associated with the disclosure of the data in question. Sensitivity labels
are used by the TCB as the basis for mandatory access control decisions.
sensitivity level
The sensitivity level is the hierarchical portion of the sensitivity label.
See sensitivity label.
server
A particular Principal that provides a resource to network clients.
service
A resource provided to network clients; often provided by more than
one server (for example, remote file service).
session key
A temporary encryption key used between two principals, with a
lifetime limited to the duration of a single communications “session.”
SFUG
See Security Features User's Guide.
simple security condition
See simple security property.
simple security property
A Bell-La Padula security model rule allowing a subject read access to
an object only if the security level of the subject dominates the security
level of the object. Synonymous with simple security condition.
single-level device
An automated information systems device that is used to process data
of a single security level at any one time. Because the device need not be
trusted to separate data of different security levels, sensitivity labels do
not have to be stored with the data being processed.
software security
General purpose (executive, utility or software development tools) and
applications programs or routines that protect data handled by a system.
software system test and evaluation process
A process that plans, develops and documents the quantitative
demonstration of the fulfillment of all baseline functional performance,
operational, and interface requirements.
spoofing
An attempt to gain access to a system by posing as an authorized user.
Synonymous with impersonating, masquerading or mimicking.
stand-alone shared system
A system that is physically and electrically isolated from all other
systems, and is intended to be used by more than one person, either
simultaneously (for example, a system with multiple monitors) or
serially, with data belonging to one user remaining available to the
system while another user is using the system (for example, a personal
computer with nonremovable storage media such as a hard disk).
stand-alone single-user system
A system that is physically and electrically isolated from all other
systems, and is intended to be used by one person at a time, with no data
belonging to other users remaining in the system (for example, a
personal computer with removable storage media such as a floppy
disk).
star property
See *-property.
state variable
A variable that represents either the state of the system or the state of
some system resource.
storage object
An object that supports both read and write accesses.
STS
Subcommittee on Telecommunications Security of NTISSC.
Subcommittee on Automated Information Systems Security
NSDD-145 authorizes and directs the establishment, under the NTISSC,
of a permanent Subcommittee on Automated Information Systems
Security. The SAISS is composed of one voting member from each
organization represented on the NTISSC.
Subcommittee on Telecommunications Security
NSDD-145 authorizes and directs the establishment, under the NTISSC,
of a permanent Subcommittee on Telecommunications Security. The STS
is composed of one voting member from each organization represented
on the NTISSC.
subject
An active entity, generally in the form of a person, process, or device,
that causes information to flow among objects or changes the system
state. Technically, a process/domain pair.
subject security level
A subject's security level is equal to the security level of the objects to
which it has both read and write access. A subject's security level must
always be dominated by the clearance of the user with which the subject
is associated.
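The simple security property defined above, the *-property it refers to, and the clearance rule in the subject security level entry, as an added Python example that is not part of this guide: the level names, category names and sample labels are constructed, and the *-property write rule is the standard Bell-La Padula one rather than text quoted from this page.

```python
"""Label dominance and the Bell-La Padula read/write rules for sensitivity labels.

Added example. The level ranking and category names below are constructed
sample values, not Trusted IRIX/CMW's configured label set.
"""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (constructed sample).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class SensitivityLabel:
    """The sensitivity half of a MAC label: a hierarchical level plus a
    (possibly empty) set of non-hierarchical categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown sensitivity level: {self.level}")

    def rank(self) -> int:
        return LEVELS.index(self.level)

    def dominates(self, other: "SensitivityLabel") -> bool:
        """A dominates B when A's level is at least B's level and A's
        categories include all of B's. This is a partial order: two labels
        at the same level with disjoint categories dominate neither way."""
        return self.rank() >= other.rank() and self.categories >= other.categories


def can_read(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """Simple security property: read only if the subject dominates the object."""
    return subject.dominates(obj)


def can_write(subject: SensitivityLabel, obj: SensitivityLabel) -> bool:
    """*-property (Bell-La Padula): write only if the object dominates the
    subject, so information never flows from a higher label to a lower one."""
    return obj.dominates(subject)


def can_run_at(user_clearance: SensitivityLabel, subject: SensitivityLabel) -> bool:
    """A subject's security level must be dominated by its user's clearance."""
    return user_clearance.dominates(subject)


def access_matrix(subject: SensitivityLabel, objects: dict) -> dict:
    """Map each object name to its (read allowed, write allowed) decision."""
    return {name: (can_read(subject, o), can_write(subject, o))
            for name, o in objects.items()}


if __name__ == "__main__":
    # Constructed sample mirroring the glossary's city map / base map / asset name.
    objects = {
        "city map": SensitivityLabel("UNCLASSIFIED"),
        "base map": SensitivityLabel("SECRET", frozenset({"MAPS"})),
        "asset name": SensitivityLabel("TOP SECRET", frozenset({"MAPS", "HUMINT"})),
    }
    analyst = SensitivityLabel("SECRET", frozenset({"MAPS"}))
    for name, (readable, writable) in access_matrix(analyst, objects).items():
        print(f"{name:11s} read={readable!s:5s} write={writable}")
```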

supervisor state
See executive state.
System Call Security Analysis
A document that describes the security policies, both discretionary and
mandatory, enforced by each of the Trusted IRIX/CMW system calls.
For each system call, the differences in behavior between the superuser
and normal users, if any, are described, and the object reuse policies are
discussed. This document is the heart of the security policy description
in that it describes which interfaces to the Trusted Computing Base are
affected by, and implement, the system security policy. It is explicit and
definitive.
system integrity
The quality that a system has when it performs its intended function in
an unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system.
system low
The lowest security level supported by a system at a particular time or
in a particular environment.
Systems Security Steering Group
The senior government body established by NSDD-145 to provide
top-level review and policy guidance for the telecommunications
security and automated information systems security activities of the
U.S. Government. This group is chaired by the Assistant to the President
for National Security Affairs and consists of the Secretary of State,
Secretary of Treasury, the Secretary of Defense, the Attorney General, the
Director of the Office of Management and Budget, and the Director of
Central Intelligence.
tampering
An unauthorized modification that alters the proper functioning of a
piece of equipment or system in a manner that degrades the security or
functionality it provides.
TCB
Trusted Computing Base. See Trusted Computing Base.
TCSEC
DoD Trusted Computer System Evaluation Criteria.
technical attack
An attack that can be perpetrated by circumventing or nullifying
hardware and software protection mechanisms, rather than by
subverting system personnel or other users.

technical vulnerability
A hardware, firmware, communication, or software flaw that leaves a
computer processing system open for potential exploitation, either
externally or internally, thereby resulting in risk for the owner, user, or
manager of the system.
Test Plan
A single document that describes the overall planning for testing Trusted
IRIX/CMW. This document discusses the documentation plan for
testing, the design goal, software requirements, general testing
requirements, testing strategies, approaches, methods, hardware
resources, software resources, personnel resources, schedules, and
milestones.
TFM
Trusted Facilities Manual. See also Security Administration Guide.
threat
Any circumstance or event with the potential to cause harm to a system
in the form of destruction, disclosure, modification of data, and/or
denial of service.
threat agent
A method used to exploit a vulnerability in a system, operation, or
facility.
threat analysis
The examination of all actions and events that might adversely affect a
system or operation.
threat monitoring
The analysis, assessment, and review of audit trails and other data
collected for the purpose of searching out system events that may
constitute violations or attempted violations of system security.
time-dependent password
A password that is valid only at a certain time of day or during a
specified interval of time.
top-level specification
A nonprocedural description of system behavior at the most abstract
level; typically, a functional specification that omits all implementation
details.
trap door
A hidden software or hardware mechanism that can be triggered to
permit system protection mechanisms to be circumvented. It is activated
in some innocent-appearing manner; for example, a special “random”
key sequence at a monitor. Software developers often introduce trap
doors in their code to enable them to reenter the system and perform
certain functions. Synonymous with back door.
Trojan Horse
A computer program with an apparently or actually useful function that
contains additional (hidden) functions that surreptitiously exploit the
legitimate authorizations of the invoking process to the detriment of
security. For example, making a “blind copy” of a sensitive file for the
creator of the Trojan Horse.
trusted computer system
A system that employs sufficient hardware and software assurance
measures to allow its use for simultaneous processing of a range of
sensitive or classified information. A system is trusted when it is
believed that it can enforce a particular security policy. A CMW level of
trust will provide the user and administrator of a system with a given
level of trust in its ability to protect data from disclosure.
Trusted Computing Base
The totality of protection mechanisms within a computer system,
including hardware, firmware, and software, the combination of which
is responsible for enforcing a security policy. A TCB consists of one or
more components that together enforce a unified security policy over a
product or system. The ability of a TCB to correctly enforce a unified
security policy depends solely on the mechanisms within the TCB and
on the correct input by system administrative personnel of parameters
(for example, a user's clearance level) related to the security policy.
Alternatively, this term refers to the set of hardware and software that
together enforce the system's security policy. The TCB comprises only
those programs and hardware elements that are known to follow
security policy and are considered to be secure. This is necessarily a
subset of all the programs available with Trusted IRIX/CMW.
trusted distribution
A trusted method for distributing the TCB hardware, software, and
firmware components, both originals and updates, that protects the TCB
from modification during distribution and detects any changes to the
TCB that may occur.
Trusted IRIX/B
The trademarked name for the trusted operating system that preceded
Trusted IRIX/CMW.
Trusted IRIX/CMW
The trademarked name (Trusted IRIX/CMW) for the trusted version of
IRIX at the B1/CMW level.
trusted path
A mechanism by which a person at a system can communicate directly
with the TCB. This mechanism can only be activated by the person or the
TCB and cannot be imitated by untrusted software.
trusted process
A process whose incorrect or malicious execution is capable of violating
system security policy.
trusted software
The software portion of the TCB.
untrusted process
A process that has not been evaluated or examined for adherence to the
security policy. It may include incorrect or malicious code that attempts
to circumvent the security mechanisms.
user
Person or process accessing the system either by direct connections (that
is, via the system console), or indirect connections (that is, prepare input
data or receive output that is not reviewed for content or classification
by a responsible individual).
user ID
A unique symbol or character string that is used by a system to identify
a specific user.
user profile
Patterns of a user's activity that can be used to detect changes in normal
routines.
virus
A self-propagating Trojan horse, composed of a mission component, a
trigger component, and a self-propagating component.
vulnerability
A weakness in system security procedures, system design,
implementation, internal controls, and so on, that could be exploited to
violate system security policy.
vulnerability analysis
The systematic examination of systems in order to determine the
adequacy of security measures, identify security deficiencies, and
provide data from which to predict the effectiveness of proposed
security measures.
vulnerability assessment
A measurement of vulnerability that includes the susceptibility of a
particular system to a specific attack and the opportunities available to
a threat agent to mount that attack.
work factor
An estimate of the effort or time needed by a potential penetrator with
specified expertise and resources to overcome a protective measure.
worm
A virus program that has a very narrow purpose. A worm is designed
to track down and eliminate specific data. Unlike a simple virus, which
by its very nature is obviously present, a worm is designed to remain
unnoticed in order that it may continue its task unchecked. Because it
may follow a serpentine path in its hunt for particular data it has earned
the nickname “worm.”
write
A fundamental operation that results only in the flow of information
from a subject to an object.
write access
Permission to write to an object.

Index

A
access control, 13
accountability, 4
assurance, 4
audit trail, 10, 45

B
B1
  feature set, 5
  printing, 11
  tape backup, 11

C
categories, 22
changing
  to a new label, 26
classifications, 22
clearance, 22
conventions, typographical, xx

D
DAC, 9
  changing permissions, 16
  definition, 9, 14
  directory permissions, 15
  Discretionary Access Control, 14
  file permissions, 15
  permissions, 14
  POSIX standard, 9
  umask, 17
  using, 14
definition
  of a trusted system, 2
  of label relationships, 24
Discretionary Access Control, see DAC, 9
divisions, 24
documentation conventions, xxi
domination of labels, 24

E
equivalence of labels, 24

G
grades, 24

H
help
  reference, xix

I
importing data, 41
IRIX permissions (DAC), 14

L
label
  components, 7
label domination and equivalence, 24
label relationships
  sample table, 25
labeling, 22

M
MAC
  changing to a new label, 26
  labeling, 22
  permissions, 22
magnetic tape, 43
mail, 28
man command, xix
man pages, xix
mandatory integrity (MINT), 23
mandatory sensitivity, 22
MINT
  (mandatory integrity), 23
  divisions, 24
  grades, 24
mld, 28
moldy directories, 28
MSEN
  categories, 22
  classifications, 22
  clearances, 22
multilevel directories, 28

N
NCSC
  Orange Book, 4
  TCSEC, 5
newlabel(1), 26

O
object reuse, 10

P
password
  guidelines, 39
  selection, 39
passwords
  generating, 6
permissions, 22
  changing, 16
  directory, 15
  file, 15
  umask, 17
permissions (DAC), 14
printing
  security labels, 42

R
running a process at a new label, 26

S
sample label relationships, 25
SAT
  definition, 10, 45
  purpose, 10
  system audit trail, 45
security
  policy, 4
sensitivity
  mandatory, 22
sensitivity label
  printing, 42
  support, 5
System Audit Trail, see SAT, 10
system audit trail, see SAT, 45

T
tape utilities, 41
TCB, 5
trust
  definition, 2
Trusted Computing Base, 5
typographical conventions, xx

U
umask, 17


</pre>
</div>
							</div>
		</div>
</div></body></html>