The current paradigm for trusted computer systems holds that trust is a property of a system. It is a property that can be formally modeled, specified, and verified. It can be "designed into" a system using a rigorous design methodology. For high levels of assurance, the design methodology uses formal models and methods in order to "prove" that trust is present. This paradigm underlies the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) [3], commonly called the "Orange Book," and its companion "rainbow series" reports. In this paper, we will refer to these documents as the "Criteria." The Criteria specifies a methodology for modeling, designing, and implementing a system that builds trust into a system, and a process for proving to an evaluator that the methodology has been followed. For a description of the Criteria and the evaluation process, see Chokhani [1].

Application of the Criteria has been fraught with problems for both developers and evaluators. Steve Lipner clearly articulated this breakdown in the keynote address at IFIP-SEC 91 [4]. The problems he identified include:

- Systems are not operated in their evaluated configuration.
- Evaluated systems are penetrated because they are not properly configured or operated.
- The Criteria apply to operating system products, whereas actual operating environments include heterogeneous networks and applications.
- Applications must run with "privilege," overriding the operating system's controls. Evaluation becomes irrelevant.
- There is no experiential basis on which to build application-level criteria.
Dorothy E. Denning studied this question.