The Orange Book
By Paul F. Renda
September 12, 2021
In the past 10 years, there has been a surge in personnel who have entered the cybersecurity field. This article argues that the Department of Defense’s “Rainbow Series” of books for information security is still relevant today for informing the expertise of both new and experienced information security professionals. The Rainbow Series is composed of 27 Department of Defense books where each book in a series is a different color, hence the name “Rainbow Series.” One book in particular, Trusted Computer System Evaluation Criteria, also known as the “Orange Book” is still used as a reference for security assessments today. Although the Orange Book may seem ancient due to its publication date in the 1980s, the Orange Book could have predicted the problems we have today with ransomware and trojan horses.
As a sample, here are some of the titles in the Rainbow Series:
NCSC-TG-001 [Tan Book]: A Guide to Understanding Audit in Trusted Systems [Version 2 6/01/88]
NCSC-TG-002 [Bright Blue Book]: Trusted Product Evaluation - A Guide for Vendors [Version 1 3/1/88]
NCSC-TG-003 [Orange Book]: A Guide to Understanding Discretionary Access Control in Trusted Systems [Version 1, 9/30/87]
NCSC-TG-004 [Aqua Book]: Glossary of Computer Security Terms [Version 1, 10/21/88]
NCSC-TG-005 [Red Book]: Trusted Network Interpretation [Version 1 7/31/87]
NCSC-TG-006 [Orange Book]: A Guide to Understanding Configuration Management in Trusted Systems [Version 1, 3/28/88]
(Photo by Deron Meranda, https://commons.wikimedia.org/wiki/File:Rainbow_series_documents.jpg)
Orange Book Classification Levels
The Orange Book has multiple security classification levels that range from minimum security, the D level, to maximum, the A level:
D: Minimal protection - Reserved for systems that fail evaluation
C1: Discretionary protection (DAC) - System doesn’t need to distinguish between individual users and types of access.
C2: Controlled access protection (DAC) - System must distinguish between individual users and types of access; object reuse security features required.
B1: Labeled security protection (MAC) - Sensitivity labels required for all subjects and storage objects.
B2: Structured protection (MAC) - Sensitivity labels required for all subjects and objects; trusted path requirements.
B3: Security domains (MAC) - Access control lists (ACLs) are specifically required; system must protect against covert channels.
A1: Verified design (MAC) - Formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout entire system lifecycle.
Beyond A1 - Self-protection and reference monitors are implemented in the Trusted Computing Base.
The Orange Book ratings have two major demarcations in security level: between the C2 level and the B1 level, and between the B3 level and the A1 level.
The C2 Level vs B1 Level
The C2 level uses discretionary access controls; mandatory access controls begin at the B1 level. At the C2 level, somebody in payroll could take a payroll file, copy it, and let people from other departments see the payroll information. Under the mandatory access controls introduced at B1, a user in the payroll department and payroll resources such as data sets each carry some type of token (a sensitivity label) attached to their IDs and data sets. Copying the payroll file and distributing it to everyone in other departments then becomes impossible, because the token on the payroll file is still on the copied file, which prevents anyone outside payroll from viewing it.
The B3 Level vs A1 Level
The demarcation between the B3 level and the A1 level is that A1 requires a verified design.
Orange Book Relevance
Some people think that the Orange Book is obsolete and that it no longer matters. That is incorrect. Mandatory access control, introduced in the Orange Book, guards against Trojan horses and other modern threats that require user input. Mandatory access controls add virtual segregation between users, and that segregation minimizes the impact that ransomware or Trojan horses have on users across the computer system. Perhaps a better way of explaining this is from a Computer Weekly article:
Segregation serves as an obstacle, which makes lateral movement difficult and isolates security issues. Whether it be a malicious attack or technical fault, proper segregation of IT environments can limit the spread to other internal areas, reducing the potential impact.
In comparison, the current mechanisms that organizations use against Trojan horses are user education and scanning incoming files, and neither works 100% of the time. The Orange Book explicitly states that the Trojan horse is a significant vulnerability in discretionary access control. From the Orange Book:
6.1 A FUNDAMENTAL FLAW IN DISCRETIONARY ACCESS CONTROL
Discretionary access control mechanisms restrict access to objects based solely on the identity of subjects who are trying to access them. This basic principle of discretionary access control contains a fundamental flaw that makes it vulnerable to Trojan horses. On most systems, any program which runs on behalf of a user inherits the DAC access rights of that user. An example of the workings of a Trojan horse will illustrate how most DAC mechanisms are vulnerable.
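The payroll scenario from the C2 vs. B1 section and the Trojan horse flaw quoted above can be made concrete with a small model. The following is an added example, not code from the article or from the Orange Book: a toy reference monitor that can run in a C2-style DAC mode or a B1-style MAC mode. The user names, file names, the PAYROLL category and the two-level label scale are all constructed for the illustration. The copy operation stands in for either a user deliberately sharing a file or a Trojan horse running with that user's rights, since under DAC the monitor cannot tell the two apart.

```python
# Added example (not from the article or the Orange Book): a toy reference
# monitor contrasting C2-style discretionary access control with B1-style
# mandatory access control.  Users, files and the PAYROLL category are
# constructed for this illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of categories."""
    level: int                               # e.g. 0 = unclassified, 1 = sensitive
    categories: frozenset = frozenset()      # e.g. {"PAYROLL"}

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level and a superset of categories."""
        return self.level >= other.level and other.categories <= self.categories


@dataclass
class File:
    name: str
    data: str
    owner: str
    readers: set = field(default_factory=set)   # DAC: owner-managed read list
    label: Label = Label(0)                      # MAC: label bound to the data


class System:
    """Minimal reference monitor.  mode is "DAC" (C2) or "MAC" (B1)."""

    def __init__(self, mode: str):
        assert mode in ("DAC", "MAC")
        self.mode = mode
        self.clearance: dict = {}   # user -> clearance Label
        self.files: dict = {}       # name -> File

    def add_user(self, name: str, clearance: Label) -> None:
        self.clearance[name] = clearance

    def create(self, user: str, name: str, data: str,
               label: Label = Label(0), readers=()) -> File:
        f = File(name, data, owner=user, readers=set(readers), label=label)
        self.files[name] = f
        return f

    def can_read(self, user: str, name: str) -> bool:
        f = self.files[name]
        if self.mode == "DAC":
            # Discretionary: the owner alone decides who may read.
            return user == f.owner or user in f.readers
        # Mandatory: simple security property (no read up).  The owner's
        # wishes and the readers list play no part in the decision.
        return self.clearance[user].dominates(f.label)

    def copy(self, user: str, src: str, dst: str, readers=()) -> File:
        """Copy src to dst as `user`, whether typed by the user or performed by
        a program (Trojan horse) that inherited the user's access rights."""
        if not self.can_read(user, src):
            raise PermissionError(f"{user} may not read {src}")
        s = self.files[src]
        if self.mode == "DAC":
            # The copy is a fresh object owned by the copier, who sets its ACL.
            return self.create(user, dst, s.data, readers=readers)
        # MAC: the label travels with the data.  The copier cannot strip it,
        # and a readers list cannot override the label check.
        return self.create(user, dst, s.data, label=s.label)


def payroll_leak(mode: str) -> bool:
    """True if a user outside payroll ends up able to read payroll data."""
    sysm = System(mode)
    payroll = Label(1, frozenset({"PAYROLL"}))
    sysm.add_user("alice", payroll)     # payroll clerk
    sysm.add_user("bob", Label(1))      # engineer: same level, no PAYROLL category
    sysm.create("alice", "payroll.dat", "salaries...", label=payroll)

    # Direct access is denied in both modes.
    assert not sysm.can_read("bob", "payroll.dat")

    # alice, or malware running as alice, copies the file and "shares" it.
    sysm.copy("alice", "payroll.dat", "share.dat", readers={"bob"})
    return sysm.can_read("bob", "share.dat")


if __name__ == "__main__":
    print("DAC leak:", payroll_leak("DAC"))   # True
    print("MAC leak:", payroll_leak("MAC"))   # False
```

In DAC mode the copy is a new object whose owner grants access at will, so the data leaks; in MAC mode the copy inherits the PAYROLL label and bob's clearance does not dominate it, so the same copy-and-share sequence is refused regardless of who, or what program, performed it.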
The Department of Defense’s Orange Book is still valid today, and an understanding of discretionary access controls and mandatory access controls matters a great deal for security and virtualization. The distinction between mandatory and discretionary access controls is not taught in much security certification training today. A practical example: under discretionary access controls, a user can click on some malware and it can affect other users, whereas mandatory access controls give a higher level of protection against malware.
About the Author
Paul Renda has over 30 years in information security. He has spoken at a number of above ground and below ground hacker conferences. He studied physics and math at Queens College and the University of Houston, and he has worked as a system administrator for IBM Z/OS and Linux systems.