Validated Product - XTS-400 / STOP 6.0.E
Certificate Date: 15 March 2004
Validation Report Number: CCEVS-VR-04-0058
Product Type: Operating System
Conformance Claim: EAL4 Augmented with ALC_FLR.3
PP Identifiers:
Labeled Security Protection Profile, Version 1.b
Controlled Access Protection Profile, Version 1.d
CC Testing Lab: CygnaCom Solutions, Inc.

PRODUCT DESCRIPTION

The XTS-400™ product is a combination of STOP™ revision 6.0.E, a multilevel secure operating system, and a BAE Systems (formerly DigitalNet)-supplied x86 hardware base. STOP is a 32-bit, multiprogramming, multi-tasking operating system that can support multiple concurrent users. In addition to proprietary interfaces for secure administration, STOP™ provides a Linux™-like user environment and programming interface (API/ABI) that allows many programs written for Linux to be copied to the XTS™ and run without change, while benefiting from the designed-in security that STOP™ and the XTS-400™ provide.

An X Window graphical user interface (GUI) is supported by the TOE Security Functions (TSF). It is available at the console for work by untrusted users. Trusted path initiation suspends the GUI, and trusted commands cannot be run from the GUI. All windows on the display are at the same level, and multi-level cut-and-paste is not supported.

Network connectivity on up to 8 different networks is allowed in the evaluated configuration. TCP/IP and Ethernet are built in to the TSF, but no network servers (e.g., SMTP) are within the TSF. Within an evaluated configuration, network attachments must be made according to rules in the Trusted Facility Manual (e.g., each network must be single-level, although multiple networks can each be at a different level). The TSF cannot be compromised by remote users or unusual network traffic, but the TSF itself does not protect the confidentiality or integrity of data on the network.

The system provides mandatory access control that allows for both a security and an integrity policy. It provides 16 hierarchical sensitivity levels, 64 non-hierarchical sensitivity categories, eight hierarchical integrity levels, and 16 non-hierarchical integrity categories.
The mandatory security policy (MAC) enforced by the XTS-400™ is based on the (formal) Bell and LaPadula security model; the mandatory integrity policy (MIC) is based on the (formal) Biba integrity model. The system implements discretionary access control (DAC) and provides the user identification and authentication needed for user ID-based policy enforcement. Individual accountability is provided by an auditing capability. Data scavenging is prevented through residual data protection mechanisms. A trusted path mechanism is provided by the implementation of a Secure Attention Key (SAK), which provides trusted communications between users and the system.

The separation of administrator and operator roles is enforced using the integrity policy. The system enforces the principle of least privilege (i.e., users should have no more authorization than that required to perform their functions) for administrator and operator roles. All actions performed by privileged (and normal) users can be audited. The audit log is protected from modification using the integrity and subtype mechanisms. STOP™ also provides an alarm mechanism to detect the accumulation of events that indicate an imminent violation of the security policy.

STOP™ was designed from the ground up with strong internal architectural characteristics to resist penetration and minimize the chance of bugs. STOP uses hardware privilege levels and memory protection mechanisms to protect itself from tampering and to isolate processes from one another. STOP™ consists of the TSF software and a body of untrusted application code and commands. The TSF consists of the hardware and four major software components.

The XTS-400™ is available on Intel Pentium III and Xeon (P4) based server-class systems, in tower and rack-mount chassis. All components are commercial-off-the-shelf (COTS).
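To make the combined MAC/MIC policy described above concrete, the following is an added example written for this page (it is not STOP's code and does not claim to match its internal representation). It models the label shape the write-up gives (16 sensitivity levels with 64 categories, 8 integrity levels with 16 categories) and applies the strict Bell-LaPadula rules (no read up, no write down) and the Biba rules (no read down, no write up) at the same time. Level numbering, the meaning of "higher", and the sample user and object labels are assumptions constructed for illustration.

```python
"""Combined Bell-LaPadula / Biba dominance checks for the XTS-400 label shape.

Added example for this page, not STOP's code. Assumptions: levels are numbered
0..15 (sensitivity) and 0..7 (integrity), higher meaning more sensitive or more
trustworthy; categories are small integers 0..63 / 0..15; the rules applied are
the strict forms (BLP simple-security and *-property, Biba simple-integrity and
integrity *-property), both lattices checked on every access.
"""
from dataclasses import dataclass

SENS_LEVELS, SENS_CATEGORIES = 16, 64   # figures from the product description
INT_LEVELS, INT_CATEGORIES = 8, 16


@dataclass(frozen=True)
class Label:
    sens_level: int
    sens_cats: frozenset
    int_level: int
    int_cats: frozenset

    def __post_init__(self):
        # Reject labels that fall outside the lattice the product defines.
        if not 0 <= self.sens_level < SENS_LEVELS:
            raise ValueError(f"sensitivity level {self.sens_level} out of range")
        if not 0 <= self.int_level < INT_LEVELS:
            raise ValueError(f"integrity level {self.int_level} out of range")
        if any(not 0 <= c < SENS_CATEGORIES for c in self.sens_cats):
            raise ValueError("sensitivity category out of range")
        if any(not 0 <= c < INT_CATEGORIES for c in self.int_cats):
            raise ValueError("integrity category out of range")


def sens_dominates(a: Label, b: Label) -> bool:
    """a >= b on the sensitivity lattice: level at least as high and a superset of categories."""
    return a.sens_level >= b.sens_level and a.sens_cats >= b.sens_cats


def int_dominates(a: Label, b: Label) -> bool:
    """a >= b on the integrity lattice (same shape as sensitivity, but a separate lattice)."""
    return a.int_level >= b.int_level and a.int_cats >= b.int_cats


def may_read(subject: Label, obj: Label) -> bool:
    # BLP simple security (no read up): subject must dominate object in sensitivity.
    # Biba simple integrity (no read down): object must dominate subject in integrity.
    return sens_dominates(subject, obj) and int_dominates(obj, subject)


def may_write(subject: Label, obj: Label) -> bool:
    # BLP *-property (no write down): object must dominate subject in sensitivity.
    # Biba integrity *-property (no write up): subject must dominate object in integrity.
    return sens_dominates(obj, subject) and int_dominates(subject, obj)


def demo() -> dict:
    """Decisions for one constructed untrusted user against a few constructed objects."""
    user = Label(3, frozenset({1}), 2, frozenset())
    objects = {
        "public":      Label(1, frozenset(),       2, frozenset()),      # lower sensitivity
        "secret":      Label(5, frozenset({1}),    2, frozenset()),      # higher sensitivity
        "compartment": Label(2, frozenset({1, 2}), 2, frozenset()),      # category the user lacks
        "audit_log":   Label(3, frozenset({1}),    6, frozenset({0})),   # high-integrity object
    }
    return {name: (may_read(user, o), may_write(user, o)) for name, o in objects.items()}


if __name__ == "__main__":
    for name, (r, w) in demo().items():
        print(f"{name:12s} read={r!s:5s} write={w}")
```

Two of the outcomes are the ones the description relies on: the "audit_log" object, sitting at a higher integrity level than the user, is readable but not writable by that user (the integrity half of "the audit log is protected from modification"; the product additionally uses subtypes, which this example does not model), and the "secret" object shows that the strict *-property permits a blind write-up even though the user cannot read it back.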
The XTS-400™ uses specific Intel-brand motherboards and industry-standard ISA or PCI peripheral cards, or chips built into the motherboard. In addition to more basic components, the evaluated configuration allows:

SECURITY EVALUATION SUMMARY

The security protection provided by XTS-400™ release 6.0.E has been evaluated against the requirements specified in the Common Criteria for Information Technology Security Evaluation, Version 2.1 (CC), as amended by U.S. and international interpretations effective on March 1, 2003. This evaluation was performed by CygnaCom Solutions (the "lab") under the auspices of the U.S. Scheme (CCEVS). The evaluation methodology used by the evaluation team was the Common Methodology for Information Technology Security Evaluation, Version 1.0. The lab determined that the evaluation assurance level (EAL) for the product is EAL4 augmented with ALC_FLR.3. The product is also conformant with the certified Protection Profiles entitled "Labeled Security Protection Profile (Version 1.b)" and "Controlled Access Protection Profile (Version 1.d)" and satisfies all of the security functional requirements stated in the Security Target. The evaluation was completed in February 2004. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-04-0058, dated 15 March 2004) prepared by CCEVS. That report should be consulted for the complete lists of evaluated hardware and software components. An EAL5+ evaluation of the XTS-400 is in progress.

ENVIRONMENTAL STRENGTHS

The XTS-400™ is a general-purpose computer system. The EAL4+ rating implies a level of assurance surpassing that of most other general-purpose systems on the market. Several certification and accreditation (C&A) efforts have been completed that use the XTS-300™ or XTS-400™ as a multi-level application platform.
The XTS-400™ is general-purpose in that it can be used for a range of purposes from multi-user workstation to server/guard/gateway, with rack-mount and TEMPEST variants. With additional application support, it is suitable as a network server or firewall. Since the XTS-400™ is based on commodity hardware, it is positioned to take advantage of the frequent hardware advances in the x86 hardware base and in the SCSI subsystem. The security functionality built in to the XTS-400™ goes well beyond the profiles to which it conforms, particularly in the area of mandatory integrity (which can be used for, among other things, virus protection). Though designed as a very high assurance system, the XTS-400™ provides a familiar, Linux-like user command and programming environment. The Linux-like environment supports binary compatibility and will run most programs imported from Linux systems without recompilation. Most standard Linux commands and tools are provided on the XTS-400™.