Which Orange Book evaluation level is described as “Structured Protection”?
A.
A1
B.
B3
C.
B2
D.
B1
Explanation:
Class B2 corresponds to Structured Protection. Division B – Mandatory Protection Mandatory access
is enforced by the use of security labels. The architecture is based on the Bell- LaPadula security
model and evidence of the reference monitor enforcement must be available. B1: Labeled Security
Each data object must contain a classification label and each subject must have a clearance label.
When a subject attempts to access an object, the system must compare the subject and the object’s
security labels to ensure the requested actions are acceptable. Data leaving the system must also
contain an accurate security label. The security policy is based on an informal statement and the
design specifications are reviewed and verified. It is intended for environments that handle classified
data. B2: Structured Protection The security policy is clearly defined and documented and the
system design and implementation is subjected to more thorough review and testing procedures.
This class requires more stringent authentication mechanisms and well-defined interfaces between
layers. Subject and devices require labels, and the system must not allow covert channels. A trusted
path for logon and authentication processes must be in place, which means there are no trapdoors.
There is a separation of operator and administration functions within the system to provide more
trusted and protected operational functionality. Distinct address spaces must be provided to isolated
processes, and a covert channel analysis is conducted. This class adds assurance by adding
requirements to the design of the system. The environment that would require B2 systems could
process sensitive data that requires a higher degree of security. This environment would require
systems that are relatively resistant to penetration and compromise. B3 Security Domains In this
class, more granularity is provided in each protects mechanism and the programming code that is
not necessary to support the security is excluded. The design and implementation should not
provide too much complexity because as the complexity of a system increases, the ability of the
individuals who need to test, maintain, and configure it reduces; thus, the overall security can be
threatened. The reference monitor components must be small enough to test properly and be
tamperproof. The security administrator role is clearly defined and the system must be able to
recover from failures without its security level being compromised. When the system starts up and
loads its operating system and components, it must be done in an initial secure state to ensure any
weakness of the system cannon be taken advantage of in this slice of time. An environment that
requires B3 systems is a highly secured environment that processes very sensitive information. It
requires systems that are highly resistant to penetration. Note: In class (B2) systems, the TCB is
based on a clearly defined and documented formal security policy model that requires the
discretionary and mandatory access control enforcement found in class (B1) systems be extended to
all subjects and objects in the ADP system. In addition, covert channels are addressed. The TCB must
be carefully structured into protectioncritical and non-protection-critical elements. Class B
corresponds to “Structured Protection” inside the Orange Book.