Compliant Product - XTS-400 / STOP 6.4 U4
Certificate Date: 03 July 2008
Validation Report Number: CCEVS-VR-VID10293-2008
Product Type: Operating System
Conformance Claim: EAL5 Augmented with ALC_FLR.3, ATE_IND.3
CC Testing Lab: Arca CCTL
The XTS-400™ product is a combination of STOP™ revision 6.4.U4, a multilevel secure operating system, and a BAE Systems Information Technology, Inc.-supplied x86 hardware base. STOP is a 32-bit, multiprogramming, multi-tasking operating system that can support multiple concurrent users. In addition to proprietary interfaces for secure administration, STOP™ provides a Linux®-like user environment and programming interface (API/ABI) that allows many programs written for Linux to be copied to the XTS™ and run without change while benefiting from the designed-in security that STOP™ and the XTS-400™ provide. STOP 6.4.U4 adds many functional and security enhancements to those in the previously evaluated STOP 6.1.E.
An X-windows graphical user interface (GUI) is included within the Target of Evaluation and is available at the console for work by untrusted users. Trusted path initiation suspends the GUI, and trusted commands cannot be run from the GUI. All windows on the display are at the same level, and multi-level cut-and-paste is not supported.
Network connectivity on up to 17 different networks is allowed in the evaluated configuration. TCP/IP and Ethernet are included in the Target of Evaluation (TOE), but not network servers (e.g., SMTP). Within an evaluated configuration, network attachments must be made according to rules in the Trusted Facility Manual (e.g., the network must be single-level while multiple networks can each be at a different level). Remote users or unusual network traffic cannot compromise the TOE, but the TOE itself does not prevent disclosure of (or loss of integrity by) data on the network.
The system provides mandatory access control that allows for both a security and integrity policy. It provides 16 hierarchical sensitivity levels, 64 non-hierarchical sensitivity categories, eight hierarchical integrity levels, and 16 non-hierarchical integrity categories. The mandatory security policy (MAC) enforced by the XTS-400 is based on the (formal) Bell-LaPadula security model; the mandatory integrity policy (MIC) is based on the (formal) Biba integrity model. The system implements discretionary access control (DAC) and provides for user identification and authentication needed for user ID-based policy enforcement.
Individual accountability is provided with an auditing capability. Data scavenging is prevented through residual data protection mechanisms. A trusted path mechanism is provided by the implementation of a Secure Attention Key (SAK), which provides trusted communications between users and the system.
The separation of administrator and operator roles is enforced using the integrity policy. The system enforces the "principle of least privilege" (i.e., users should have no more authorization than that required to perform their functions) for administrator and operator roles. All actions performed by privileged (and normal) users can be audited. The audit log is protected from modification using integrity and subtype mechanisms. STOP™ also provides an alarm mechanism to detect the accumulation of events that indicate an imminent violation of the security policy.
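The two preceding paragraphs describe a combined Bell-LaPadula / Biba label lattice and its use to keep lower-integrity roles from modifying the audit log. The following is an added illustration, not code from STOP or BAE Systems: it models labels with the widths stated above (16 sensitivity levels, 64 sensitivity categories, 8 integrity levels, 16 integrity categories) and applies the four mandatory rules (no read up, no write down, no read down, no write up). The role and object labels (ADMIN, OPERATOR, USER, AUDIT_LOG, USER_FILE) are constructed for the example and are not the product's actual label assignments.

```python
"""Constructed model of a combined Bell-LaPadula (sensitivity) and Biba
(integrity) label lattice.  Example code only; not taken from STOP/XTS-400.
Label widths follow the product description; all labels below are assumed."""
from dataclasses import dataclass

SENS_LEVELS = 16        # hierarchical sensitivity levels
SENS_CATEGORIES = 64    # non-hierarchical sensitivity categories
INTEG_LEVELS = 8        # hierarchical integrity levels
INTEG_CATEGORIES = 16   # non-hierarchical integrity categories


@dataclass(frozen=True)
class Label:
    sens_level: int
    integ_level: int
    sens_cats: frozenset = frozenset()
    integ_cats: frozenset = frozenset()

    def __post_init__(self):
        # Reject labels outside the lattice the system defines.
        if not 0 <= self.sens_level < SENS_LEVELS:
            raise ValueError("sensitivity level out of range")
        if not 0 <= self.integ_level < INTEG_LEVELS:
            raise ValueError("integrity level out of range")
        if any(not 0 <= c < SENS_CATEGORIES for c in self.sens_cats):
            raise ValueError("sensitivity category out of range")
        if any(not 0 <= c < INTEG_CATEGORIES for c in self.integ_cats):
            raise ValueError("integrity category out of range")


def sens_dominates(a: Label, b: Label) -> bool:
    """a dominates b in the sensitivity lattice: level >= and category superset."""
    return a.sens_level >= b.sens_level and a.sens_cats >= b.sens_cats


def integ_dominates(a: Label, b: Label) -> bool:
    """a dominates b in the integrity lattice: level >= and category superset."""
    return a.integ_level >= b.integ_level and a.integ_cats >= b.integ_cats


def may_read(subject: Label, obj: Label) -> bool:
    """Observe access.  BLP simple security (no read up): subject sensitivity
    must dominate the object's.  Biba simple integrity (no read down): object
    integrity must dominate the subject's, so trusted code never consumes
    low-integrity data."""
    return sens_dominates(subject, obj) and integ_dominates(obj, subject)


def may_write(subject: Label, obj: Label) -> bool:
    """Modify access.  BLP *-property (no write down): object sensitivity must
    dominate the subject's.  Biba *-property (no write up): subject integrity
    must dominate the object's, so low-integrity code cannot alter trusted
    objects such as the audit log."""
    return sens_dominates(obj, subject) and integ_dominates(subject, obj)


# Constructed sample labels (assumptions for illustration, not product values).
ADMIN = Label(sens_level=3, integ_level=7, sens_cats=frozenset({1, 2}))
OPERATOR = Label(sens_level=3, integ_level=5, sens_cats=frozenset({1, 2}))
USER = Label(sens_level=1, integ_level=2, sens_cats=frozenset({1}))
AUDIT_LOG = Label(sens_level=3, integ_level=7, sens_cats=frozenset({1, 2}))
USER_FILE = Label(sens_level=1, integ_level=2, sens_cats=frozenset({1}))


def check_audit_log_protection() -> dict:
    """Evaluate who may modify or observe the audit log and a user file under
    the combined policy.  Only the highest-integrity role can write the log,
    and that role cannot read the low-integrity user file (no read down)."""
    return {
        "admin_writes_log": may_write(ADMIN, AUDIT_LOG),
        "operator_writes_log": may_write(OPERATOR, AUDIT_LOG),
        "user_writes_log": may_write(USER, AUDIT_LOG),
        "user_reads_log": may_read(USER, AUDIT_LOG),
        "admin_reads_user_file": may_read(ADMIN, USER_FILE),
        "user_reads_own_file": may_read(USER, USER_FILE),
        "user_writes_own_file": may_write(USER, USER_FILE),
    }


if __name__ == "__main__":
    for decision, allowed in check_audit_log_protection().items():
        print(f"{decision:24s} {'allowed' if allowed else 'denied'}")
```

The integrity half of the policy is what separates the roles: the operator shares the administrator's sensitivity label but sits at a lower integrity level, so it cannot modify the audit log. The same rule blocks the administrator from reading a low-integrity user file, which is the mechanism the page later describes as usable for virus protection.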
STOP™ was designed from the ground up with strong internal architectural characteristics to resist penetration and minimize the chance of bugs. STOP uses hardware privilege level and memory protection mechanisms to protect itself from tampering and to isolate processes from one another.
STOP™ consists of the TOE Security Functions (TSF) software and a body of untrusted application code and commands. The TSF consists of the hardware and four major software components:
- The Security Kernel operates in the most privileged domain and provides all mandatory, subtype, and a portion of the discretionary access control.
- TSF System Services operates in the next-most-privileged domain, implements a hierarchical file system, supports user I/O, and implements the remaining discretionary access control.
- Operating System Services (OSS) operates in a less privileged domain and provides the Linux-like interfaces.
- Trusted Software operates in the least privileged domain and provides the remaining security services and user commands.
The XTS-400™ is available on Intel Xeon (P4) based server-class systems in tower and rack-mount chassis. All components are commercial-off-the-shelf (COTS). The XTS-400™ uses specific Intel-brand motherboards and industry-standard ISA or PCI peripheral cards or chips built into the motherboard.
In addition to more basic components, the evaluated configuration allows:
- CD-ROM drive
- 4mm DAT tape drive
- PC card readers
- Add-in Ethernet cards
- Add-in SCSI host adapters
- Parallel PCL-5 printer
- Serial terminal
- Flat panel displays
SECURITY EVALUATION SUMMARY
The security protection provided by XTS-400™ release 6.4.U4 has been evaluated against the requirements specified in the Common Criteria for Information Technology Security Evaluation, Version 2.3 (CC), which includes all final international and U.S. interpretations of CC v2.3 as of 11 July 2007. The Arca Common Criteria Testing Laboratory (the "lab") performed this evaluation under the auspices of the U.S. Common Criteria Evaluation and Validation Scheme. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3.
The lab determined that the evaluation assurance level (EAL) for the product is EAL5 augmented with the security assurance requirements ALC_FLR.3 and ATE_IND.3.
The product is also conformant with the Certified Protection Profiles entitled “Labeled Security Protection Profile (Version 1.b)” and “Controlled Access Protection Profile (Version 1.d)” and satisfies all of the security functional requirements stated in the Security Target. The evaluation was completed on 3 July 2008. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-VID10293-2008, dated 3 July 2008) prepared by CCEVS. This report should be consulted for the complete lists of evaluated hardware and software components.
The XTS-400™ is a general-purpose computer system. The EAL5+ rating implies a high level of assurance surpassing that of most other general-purpose systems on the market. Several certification and accreditation (C&A) efforts have been completed that use the XTS-400™ or its predecessor XTS-300 as a multi-level application platform.
The XTS-400™ is general-purpose in that it can be used for a range of purposes from multi-user workstation to server/guard/gateway, with rack-mount and TEMPEST variants. With additional application support, it is suitable as a network server or firewall. Since the XTS-400™ is based on commodity hardware, it is positioned to take advantage of the frequent hardware advances in the x86 hardware base and in the SCSI subsystem. The security functionality built into the XTS-400™ goes well beyond the profiles to which it conforms, particularly in the area of mandatory integrity (which can be used for, among other things, virus protection).
Though designed as a very high assurance system, the XTS-400™ provides a familiar, Linux-like user command and programming environment. The Linux-like environment supports binary compatibility and will run most programs imported from Linux systems without recompilation. Most standard Linux commands and tools are provided on the XTS-400™.