Using Proven Reference Monitor Patterns for Security Evaluation

The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.
