Page 1 A Guide to the Procurement of Trusted Systems: An ... - csirt
specific hardware "registers" with the main memory areas (domains) they are protecting. There should be sufficient types and numbers of "registers" to ensure the number of sensitivity labels for information in the system can be adequately mapped. Common ways to achieve these capabilities are through "Descriptor Base Registers," "Bounds Registers," and "Virtual Memory Mapping Registers," although other approaches may also be used.
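The following is an added illustration, not text or code from the guide, of how a set of bounds registers maps memory domains to sensitivity labels. It assumes a hypothetical four-register machine with a constructed memory layout, a linear label ordering (Unclassified through Top Secret), and a read check based on the Simple Security Property the guide cites later on this page (a subject may read a domain only if its label dominates the domain's label). It also shows two failure modes the guide only implies: a reference that crosses a domain boundary, and a reference outside every mapped domain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounds-register model (constructed for illustration).
 * Each register describes one memory domain: where it starts, how long
 * it is, and the sensitivity label of the information stored there. */
typedef enum { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 } label_t;

typedef struct {
    uint32_t base;   /* first address covered by this register */
    uint32_t length; /* number of bytes covered */
    label_t  label;  /* sensitivity label of the domain */
} bounds_register_t;

/* Four registers, four domains of 4 KiB each (constructed layout). */
static const bounds_register_t registers[] = {
    { 0x0000, 0x1000, UNCLASSIFIED },
    { 0x1000, 0x1000, CONFIDENTIAL },
    { 0x2000, 0x1000, SECRET },
    { 0x3000, 0x1000, TOP_SECRET },
};
#define NUM_REGISTERS (sizeof registers / sizeof registers[0])

typedef enum { ACCESS_OK, FAULT_UNMAPPED, FAULT_SPANS_DOMAINS, FAULT_LABEL } verdict_t;

/* Return the register whose domain wholly contains [addr, addr + len),
 * or NULL if no single register does.  64-bit arithmetic avoids wrap-around. */
static const bounds_register_t *find_domain(uint32_t addr, uint32_t len) {
    uint64_t end = (uint64_t)addr + len;
    for (size_t i = 0; i < NUM_REGISTERS; i++) {
        const bounds_register_t *r = &registers[i];
        if (addr >= r->base && end <= (uint64_t)r->base + r->length)
            return r;
    }
    return NULL;
}

/* Check a read of len (>= 1) bytes at addr by a subject cleared to `subject`.
 * The hardware would raise a fault for anything other than ACCESS_OK. */
verdict_t check_read(label_t subject, uint32_t addr, uint32_t len) {
    const bounds_register_t *start = find_domain(addr, 1);
    if (start == NULL)
        return FAULT_UNMAPPED;               /* address lies in no domain */
    if (find_domain(addr, len) != start)
        return FAULT_SPANS_DOMAINS;          /* range crosses a bounds-register limit */
    if (subject < start->label)
        return FAULT_LABEL;                  /* Simple Security Property: no read-up */
    return ACCESS_OK;
}

int main(void) {
    static const char *names[] = { "ACCESS_OK", "FAULT_UNMAPPED", "FAULT_SPANS_DOMAINS", "FAULT_LABEL" };
    printf("SECRET reads 0x2100:        %s\n", names[check_read(SECRET, 0x2100, 16)]);
    printf("CONFIDENTIAL reads 0x2100:  %s\n", names[check_read(CONFIDENTIAL, 0x2100, 16)]);
    printf("TOP_SECRET reads 0x0FF0+32: %s\n", names[check_read(TOP_SECRET, 0x0FF0, 32)]);
    printf("TOP_SECRET reads 0x5000:    %s\n", names[check_read(TOP_SECRET, 0x5000, 4)]);
    return 0;
}
```

The point for a procurement reader is the sizing argument in the paragraph above: with four registers this machine can map at most four distinct labels or compartments at once, so a system that must hold more labelled domains than it has registers needs either more registers or a virtual-memory scheme that reloads them on a context switch.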
3.4.1.5 INTEGRITY CHECKING MECHANISMS
Integrity checking mechanisms usually provide support for security functions. For example, memory parity checks and cyclic redundancy check schemes ensure errors are detected. Another commonly used technique is called a watchdog timer. This timer performs a direct security-related function by ensuring an application program cannot "steal all the processor's time" by independently checking allocations of processor time.
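An added example, not from the guide, of the two error-detection schemes the paragraph names: a per-byte even parity bit, as a parity-checked memory would keep, and a CRC-32 (the IEEE 802.3 polynomial) over a whole block. The block layout, the 16-byte size and the sample data are constructed for the example. It is written to show the difference a practitioner evaluating such mechanisms should know: parity catches any single flipped bit in a byte but is blind to an even number of flips in the same byte, while the CRC still detects them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Even parity for one byte: the bit that makes the count of 1 bits even. */
uint8_t parity_bit(uint8_t byte) {
    byte ^= byte >> 4;
    byte ^= byte >> 2;
    byte ^= byte >> 1;
    return byte & 1;
}

/* CRC-32 as used by IEEE 802.3 (reflected polynomial 0xEDB88320),
 * computed bit by bit; crc32("123456789") == 0xCBF43926 is the standard check value. */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#define BLOCK_BYTES 16   /* constructed block size for the example */

/* A memory block protected both ways: one parity bit per byte and a CRC over the block. */
typedef struct {
    uint8_t  data[BLOCK_BYTES];
    uint8_t  parity[BLOCK_BYTES];
    uint32_t crc;
} protected_block_t;

enum { CHECK_OK = 0, PARITY_ERROR = 1, CRC_ERROR = 2 };  /* bit flags returned by block_verify */

/* Store BLOCK_BYTES bytes and record their parity bits and CRC. */
void block_store(protected_block_t *blk, const uint8_t *src) {
    memcpy(blk->data, src, BLOCK_BYTES);
    for (size_t i = 0; i < BLOCK_BYTES; i++)
        blk->parity[i] = parity_bit(src[i]);
    blk->crc = crc32(blk->data, BLOCK_BYTES);
}

/* Re-check the block against its stored parity bits and CRC. */
int block_verify(const protected_block_t *blk) {
    int result = CHECK_OK;
    for (size_t i = 0; i < BLOCK_BYTES; i++)
        if (parity_bit(blk->data[i]) != blk->parity[i])
            result |= PARITY_ERROR;
    if (crc32(blk->data, BLOCK_BYTES) != blk->crc)
        result |= CRC_ERROR;
    return result;
}

/* Constructed sample contents. */
static const uint8_t SAMPLE[BLOCK_BYTES] = "0123456789ABCDE";

/* Store the sample, XOR `mask` into byte `index` to simulate a fault, then verify. */
int verify_after_fault(size_t index, uint8_t mask) {
    protected_block_t blk;
    block_store(&blk, SAMPLE);
    blk.data[index] ^= mask;
    return block_verify(&blk);
}

int main(void) {
    printf("intact block:              %d\n", verify_after_fault(0, 0x00));  /* CHECK_OK */
    printf("one bit flipped in byte 3: %d\n", verify_after_fault(3, 0x10));  /* PARITY_ERROR|CRC_ERROR */
    printf("two bits flipped in byte 5:%d\n", verify_after_fault(5, 0x03));  /* CRC_ERROR only */
    return 0;
}
```

The third case is the one worth remembering when reading a vendor's claim that "parity memory detects errors": two flipped bits in one byte leave the parity bit correct, and only the CRC (which detects all one-, two- and three-bit errors in a block this small) reports the corruption.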
3.4.1.6 DIRECT MEMORY ACCESS (DMA) PROTECTION
DMA allows input-output to occur simultaneously with the processor's normal computational activities. That is, once the processor initiates an input-output operation, a separate hardware feature directs the flow of data into (or out of) main memory independent of the processor, while the processor itself is free to complete other tasks. Since DMA is independent of processor intervention, it cannot be confined by the TCB's enforcement techniques. Thus, unless DMA security protection is provided, Mandatory Access Controls cannot be enforced during DMA operations.
3.4.1.7 ASYNCHRONOUS EVENT MECHANISMS
Asynchronous events are not predictable (e.g., arrival of a message, the printer's running out of paper, or communications link errors). Asynchronous event mechanisms are hardware features which handle the unpredictable, usually by "interrupting" the processor. Once interrupted, the processor then deals with the event. For security, the hardware features should cause the processor to recognize and respond to specific asynchronous events, such as "security policy violations" (in DoD 5200.28-STD phrasing, violations of the Simple Security Property or Star Property). Unless hardware features support these properties, software must interpret the results of every operation, causing a severe performance penalty. The penalty may come into conflict with mission performance requirements.
3.4.2 CAVEATS
Care must be taken not to restrict potentially valid solutions in the specifications (requirements), statement of work, or CDRL sections of the RFP. Many possible design solutions could meet the requirements. Use of specific terms could unintentionally preclude the application of alternative techniques. Thus, terms should be used that illustrate the concepts involved without restricting the design choices available to the contractor. The second guideline of this four-guideline series, "Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators," was written specifically to deal with this problem.
3.4.3 MANAGING HARDWARE
Page 46