I-0183: Restrictions On Untrusted Programs In Low Assurance Products
NUMBER: I-0183
STATUS: Ready to Prepare for Management/CCIMB
TITLE: Restrictions On Untrusted Programs In Low Assurance Products
FIRST POST: [criteria 2354]
MOST RECENT REPOST: [criteria 2478]
REQUIREMENT: System Architecture
CRITERIA CLASSES: C1, C2, B1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0114 Untrusted Programs Must Not Execute With Security-Relevant Privileges
STATEMENT: The following interprets the requirement that ``The TCB shall maintain a domain for its own execution that protects it from external interference or tampering (e.g., by modification of its code or data structures).'' At C2 and B1, it interprets the System Architecture requirement stated above in its interaction with the C2 and B1 System Architecture words ``The TCB shall isolate the resources to be protected so that they are subject to the access control and auditing requirements.''

Administrative procedures or ADP mechanisms shall be in place to prevent programs not in the TCB from executing with the ability to violate the protected TCB domain. At C2 and B1, administrative procedures or ADP mechanisms shall additionally be in place to prevent programs not in the TCB from executing with the ability to violate the access control or auditing policies.

PROJECTED IMPACT: This could have an impact on products that allow a highly-privileged user to execute non-TCB programs while retaining privilege (e.g., the superuser in UNIX).

SUPPORT: A significant concern in trusted products is that of Trojan Horses, i.e., programs that trick a trusted user into executing them and then take advantage of the trusted user's privileges. The goal of this interpretation is to reduce the risk of such programs in trusted products.

Note that this interpretation applies only for the C1, C2, and B1 ratings. At B2 and above, the least privilege requirement imposes a stronger requirement with respect to Trojan Horse prevention; those requirements are addressed in I-0114.

In order for trust to be maintained in correct TCB operations, there must be assurance that the executable code and databases upon which the TCB depends are as evaluated. This assurance is broken if untrusted programs are executed with abilities that provide the potential for such programs to modify TCB data or executables.
Ideally, ADP mechanisms would be in place to prevent such programs from having the ability to violate the TCB domain. This could be achieved by removing the appropriate abilities before the program is executed, or by disallowing the execution of such programs by trusted users. In environments with a limited trusted user population, it may be acceptable to address this through clear TFM guidance. This interpretation applies only to those abilities that allow the TCB domain to be violated. It has a greater impact in environments with coarse-grained privilege (such as the traditional UNIX superuser) than in those with fine-grained capabilities. In the latter products, Trojan Horses that attack user data are still possible. These attacks could involve disclosure or modification of user data, or modification of access controls on user data.
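The two ADP mechanisms the SUPPORT section names, refusing to run a non-TCB program while privileged and removing the privilege before the program is executed, can be illustrated with a small wrapper for the UNIX superuser case the interpretation mentions. The following C program is an added example written for this page; it is not part of interpretation I-0183 or of any evaluated product. The TCB program list (`TCB_PROGRAMS`), the unprivileged identity (`UNPRIV_UID`/`UNPRIV_GID`, set to the conventional `nobody` value 65534) and the function names are assumptions chosen for the illustration.

```c
/*
 * Added example (not part of I-0183): a privileged wrapper that applies the
 * interpretation's two mechanisms before running a program that is not in
 * the TCB: either refuse to run it while privileged, or drop the superuser
 * identity first so the program cannot modify TCB code or data.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical list of programs that were evaluated as part of the TCB. */
static const char *const TCB_PROGRAMS[] = {
    "/usr/sbin/tcb-audit",
    "/usr/sbin/tcb-passwd",
    NULL
};

/* Hypothetical unprivileged identity used when privilege must be removed. */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

enum exec_decision { EXEC_ALLOW, EXEC_DROP_FIRST, EXEC_REFUSE };

/* Policy: a privileged (euid 0) caller may run TCB programs as it is. A
   non-TCB program is run only after privilege is removed when allow_drop
   is set, and refused outright otherwise. Unprivileged callers hold no
   ability to violate the TCB domain, so the policy does not restrict them. */
enum exec_decision decide_exec(uid_t euid, const char *path,
                               const char *const *tcb, int allow_drop)
{
    if (euid != 0)
        return EXEC_ALLOW;
    for (; *tcb != NULL; tcb++)
        if (strcmp(*tcb, path) == 0)
            return EXEC_ALLOW;
    return allow_drop ? EXEC_DROP_FIRST : EXEC_REFUSE;
}

/* Irreversibly change to an unprivileged identity. Order matters: the
   supplementary groups and gid must go first, because after setuid() the
   process no longer has the right to change them. The new identity is
   verified afterwards rather than trusted from return codes alone.
   Returns 0 on success, -1 if the process may still be privileged. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);

    /* Only the superuser can clear the supplementary list; an already
       unprivileged caller gets EPERM here and simply keeps its groups. */
    if (setgroups(0, NULL) != 0 && was_root)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (was_root && getgroups(0, NULL) != 0)
        return -1;
    /* Privilege must not be recoverable: regaining uid 0 has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    switch (decide_exec(geteuid(), argv[1], TCB_PROGRAMS, 1)) {
    case EXEC_REFUSE:
        fprintf(stderr, "%s is not in the TCB; refusing to run it privileged\n",
                argv[1]);
        return 1;
    case EXEC_DROP_FIRST:
        if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) {
            perror("drop_privileges");
            return 1;   /* never fall through to a privileged exec */
        }
        break;
    case EXEC_ALLOW:
        break;
    }
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

The verification step after the identity change is the part worth keeping in any real implementation: a drop that silently fails (for instance because `setgid()` was attempted after `setuid()`) leaves exactly the condition the interpretation warns about, an untrusted program running with the ability to alter TCB data or executables.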