If A1 is the answer, what was the question? An Edgy Naif's retrospective on promulgating the trusted computer systems evaluation criteria

This paper provides an introspective retrospective on the history and development of the United States Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Known to many as the Orange Book, the TCSEC contained a distillation of what many researchers considered to be the soundest proven principles and practices for achieving graded degrees of sensitive information protection on multiuser computing systems. While its seven stated evaluation classes were explicitly directed to standalone computer systems, many of its authors contended that its principles would stand as adequate guidance for the design, implementation, assurance, evaluation and certification of other classes of computing applications including database management systems and networks. The account is a personal reminiscence of the author, and concludes with a subjective assessment of the TCSEC's validity in the face of its successor evaluation criteria.
