⟦54d39d04e⟧ Wang Wps File
Length: 11355 (0x2c5b)
Types: Wang Wps File
Notes: SECURITY FILTER STUDY
Names: »3326A «
Derivation
└─⟦550b0bab9⟧ Bits:30006219 8" Wang WCS floppy, CR 0276A
└─ ⟦this⟧ »3326A «
SECURITY FILTER STUDY
PHASE I REVIEW
A̲G̲E̲N̲D̲A̲
1. Phase I - Results
2. Phase II - Planning
3. Phase II - Baseline Decisions:
a) Selection of Hardware Architecture
b) Selection of Method for the Optional Human
Validation Feature
d) Designation of Functions which may be Non-Trusted
e) The Risk of Non-Trusted Layers in the Filter: is
it acceptable?
1. P̲h̲a̲s̲e̲ ̲I̲ ̲-̲ ̲R̲e̲s̲u̲l̲t̲s̲
The phase I documents had been reviewed by the AMC
and gave rise to a list of 22 comments.
Each comment was discussed in detail. It was stated
by JDH that the phase I delivery would be approved
after proper response to the comments.
The following are the responses to the AMC comments
on these documents:
a) SFS/TN/001, 821115: Functional Analysis, referred
to below as TN1.
b) SFS/TN/002, 821217: Security Filter Architectures,
referred to below as TN2.
c) SFS/TN/003, 830120: Preliminary Sizing and Costing,
referred to below as TN3.
d) SFS/PFS/001, 821220: Preliminary Filter Specification,
referred to below as PFS.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲
TN1, para 3.1 subpara 6, page 5.
Change last sentence to read: "Hence, messages garbled
during transmission will ....."
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲2̲
TN1, para 4 g, page 12.
Software for analysis of logged information will not
be considered during phase II.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲3̲ ̲
TN1, para 4.1 subpara 2, page 13.
Last sentence, change "this place" to "the line interface".
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲4̲
TN1, para 4.13, subpara. 1, page 28.
After conversion of the validation information test
runs shall be performed to prove the validity of the
validation information. Those test runs can be performed
on an off-line support system which is very similar
to an actual security filter system. It shall be loaded
with exactly the same computer programs as used in
the filter system in question. If the support system
has additional features compared to the actual filter
system, then such features shall be unavailable during
the test runs.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲5̲
TN2, para 4.1.2, subpara 2, page 11.
Change to read: "The term corruption covers here both
the unauthorized erasing and the unauthorized writing
of information."
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲6̲
TN2, para 4.3 last subpara page 13.
Change "as well input as" to read " input to as well
as".
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲7̲
TN2, para 4.5, subpara 3, page 14.
Change "against" to read "for".
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲8̲
TN2, para 5.1, subpara 2, page 16.
Change whole subpara. to read:
Most of the advantages are due to the fact that the
common-bus concept provides a true multipoint to multipoint
communication capability which perfectly accommodates
the typical system structure with one or more master
modules, i.e. modules like a CPU which can initiate
transfers over the bus, and one or more slave modules,
like a RAM, which can only respond passively.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲9̲
TN0, Fig. 6-3, page 23.
a) The figure shows the structural flow of information.
The figure also shows the actual data paths between
the functional blocks, which can also be interpreted
as modules.
This means that all modules will have two physically
distinct ports, an input port and an output port.
The data paths shown are the only physical and
logical information channels between the modules
(layers), except for a few control lines for handshake
type signals (Data Ready/Acknowledge).
b) Dotted areas are trusted system components.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲0̲
TN3, general.
The implications of processing a full message (up to
8000 characters), instead of a single page of a message
(max. 2500 characters), will be considered during phase
II.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲1̲
TN3, general.
The terminology will be standardized in phase II documents.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲2̲
TN3, page 7
a) "Check field formats" covers the checking of field
length and specifications on the legal types of
characters in that field (e.g. a coordinate shall
be expressed in one out of a few legal formats).
b) Check numerical limits, number of elementary operations
each message: Change 100 fields to read 160 fields.
c) The figures are based upon IFB appendix 1 page
16.
The table with the distribution of precedence has
been combined with the table of future distribution
of traffic to provide the amount of data transferred,
excluding narrative text messages.
This gives approximately one third of the data. The
table adds up to 35%. The breakdown into 10, 10, 15
has been assessed roughly from the samples of messages
we have seen, since we have no better way of estimating
these figures.
The number of elementary operations for each function
includes the total number of operations for this
type of field.
E.g. fields which are checked against a limited set
of tabulator values (strings, numbers or any combination
of characters) will not require any additional
format or limit check.
However, it was pointed out by the AMC that the
processing capacity shall be dimensioned for the
following (worst case) condition:
1) Continuous transmission of ADatP-3 messages
at a rate of 2400 bit/sec.
2) All fields are subject to constraints.
3) All constraints of all fields shall be automatically
validated.
d) The time of 6.7 sec is the transmission time. According
to the IFB, the time available is 6.7 + 5 seconds.
This point, however, gave rise to a discussion
on the buffer handling. The conclusion was that
we should consider the simple scheme of collecting
the entire message in the input buffer before any
processing is made and likewise, that the entire
message should be validated before output on the
line.
The implications of this scheme, in particular
regarding processing power requirements, will be
determined.
e) Serial bit error check is a data integrity check
performed on the incoming serial bit stream as
part of the X.25 protocol. The check uses a 16
bit sequence, generated by the transmitting device
and provided to the receiver at the end of the
message. This 16 bit sequence is the frame check
sequence (ref. CCITT rec. X.25).
Cyclic Redundancy Check (CRC) is a means for checking
data integrity where data are handled in parallel
form, e.g. in bytes.
The CRC word (one or more bytes) terminates the
message and is transferred with the message as
an integral part. The CRC word is the result of
a polynomial calculation comprising each and every
bit of the message.
The check algorithm is similar to the generator
algorithm.
The method is used in many peripherals.
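As an added worked example (written for this page by the editor, not taken from the study documents), the following Python code implements the frame check sequence discussed under e) with the parameters of ISO 3309 / CCITT X.25 (also used by PPP, RFC 1662): generator x^16 + x^12 + x^5 + 1, register preset to all ones, bits processed least-significant first, result complemented, FCS sent low byte first. The payloads and the single-bit fault are constructed for the example. It also makes explicit a point the minutes leave implicit: the X.25 FCS is itself a 16-bit CRC, so the distinction drawn above is between where the check is computed (the serial line interface versus a byte-parallel peripheral), not between two different kinds of check.

```python
"""Frame check sequence of the X.25 level 2 (LAPB) line interface.

Added example; the constants are those of ISO 3309 / CCITT X.25 / RFC 1662.
"""

POLY_REFLECTED = 0x8408   # x^16 + x^12 + x^5 + 1, bit order reversed for LSB-first serial lines
INIT = 0xFFFF             # register preset to all ones
GOOD_FCS = 0xF0B8         # register value left by an error-free frame including its FCS


def _crc_register(data: bytes, crc: int = INIT) -> int:
    """Run the polynomial division over `data`; returns the raw register (no final complement)."""
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def fcs16(data: bytes) -> int:
    """16-bit FCS of `data`: the ones complement of the division remainder."""
    return _crc_register(data) ^ 0xFFFF


def append_fcs(data: bytes) -> bytes:
    """Transmitter side: data followed by its FCS, low byte first (ISO 3309 order)."""
    fcs = fcs16(data)
    return data + bytes((fcs & 0xFF, fcs >> 8))


def fcs_ok(frame: bytes) -> bool:
    """Receiver side: the same division over data + FCS leaves the constant 0xF0B8."""
    return len(frame) >= 2 and _crc_register(frame) == GOOD_FCS


def strip_fcs(frame: bytes) -> bytes:
    """Return the payload only if the FCS verifies; otherwise reject the garbled frame."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame garbled in transmission")
    return frame[:-2]


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Constructed fault: invert one bit of the frame to simulate line noise."""
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    payload = b"123456789"                       # constructed payload (standard CRC check string)
    frame = append_fcs(payload)
    print(hex(fcs16(payload)))                   # 0x906e
    print(fcs_ok(frame), fcs_ok(flip_bit(frame, 13)))   # True False
```

Two caveats for the filter design. The receiver test is the constant residue 0xF0B8 over data plus FCS, which the code uses instead of recomputing and comparing. And the FCS is a linear code: it catches garbling (every single-bit error, every error burst of 16 bits or fewer), but anyone able to write to the line can recompute it, so it says nothing about the unauthorized writing of information covered by comment No 5 and must not be treated by the filter as evidence of authenticity.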
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲3̲
TN3, para 4.2, page 22, also PFS para 4.1.2.8 page
16
a) Log Analysis Software will not be considered in
phase II.
b) The reasons for logging will neither be determined
nor logged by the Security Filter. An off-line
support system will have the capability of displaying
the logged message, and perhaps also of determining
the cause.
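As an added worked example (written for this page by the editor, not taken from the study documents), the following Python code shows the validation scheme discussed under comment No 12 a) to d) and the logging behaviour of comment No 13 b): the whole message is collected in an input buffer before any processing, every field is checked against its constraints (tabulator values, legal formats, numerical limits) while counting the elementary operations performed, the entire message is validated before anything is released to the output line, and rejected messages are logged verbatim without a recorded cause. FIELD_RULES, the field names, the coordinate formats and the sample message are all constructed for illustration; they are not the ADatP-3 field definitions.

```python
"""Store-and-forward validation of a formatted message (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_MESSAGE_CHARS = 8000   # a full message rather than a single page (comment No 10)
MAX_FIELDS = 160           # fields per message used for sizing (comment No 12 b)

# Constructed rule catalogue (assumption, not ADatP-3). Three check kinds:
# "table":  value must be one of a limited set of tabulator values; no further check needed
# "format": value must match one of a few legal formats
# "limit":  value must be numeric and within numerical limits
FIELD_RULES = {
    "PRECEDENCE":     {"kind": "table",  "values": {"Z", "O", "P", "R"}},
    "CLASSIFICATION": {"kind": "table",  "values": {"U", "R", "C", "S"}},
    "POSITION":       {"kind": "format", "formats": [
        re.compile(r"^\d{4}[NS]\d{5}[EW]$"),      # DDMMN DDDMME
        re.compile(r"^\d{6}[NS]\d{7}[EW]$"),      # DDMMSSN DDDMMSSE
    ]},
    "SPEED":          {"kind": "limit",  "min": 0, "max": 999},
    "COURSE":         {"kind": "limit",  "min": 0, "max": 359},
}


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)
    elementary_ops: int = 0        # checks performed, for sizing against the worst case


def _check_field(name: str, value: str, v: Verdict) -> None:
    """Apply the rule for one field; each check performed counts as one elementary operation."""
    rule = FIELD_RULES.get(name)
    if rule is None:                       # whitelist: a field not in the catalogue is illegal
        v.reasons.append(f"{name}: field not in the permitted set")
        return
    if rule["kind"] == "table":
        v.elementary_ops += 1
        if value not in rule["values"]:
            v.reasons.append(f"{name}: {value!r} is not a tabulated value")
    elif rule["kind"] == "format":
        for pattern in rule["formats"]:    # worst case tries every legal format
            v.elementary_ops += 1
            if pattern.match(value):
                break
        else:
            v.reasons.append(f"{name}: {value!r} matches no legal format")
    else:                                  # "limit": numeric parse plus range comparison
        v.elementary_ops += 2
        if not value.isdigit() or not rule["min"] <= int(value) <= rule["max"]:
            v.reasons.append(f"{name}: {value!r} outside {rule['min']}..{rule['max']}")


def validate_message(raw: str) -> Verdict:
    """Validate a complete message; called only once the whole message is buffered."""
    v = Verdict(accepted=False)
    if len(raw) > MAX_MESSAGE_CHARS:
        v.reasons.append(f"message longer than {MAX_MESSAGE_CHARS} characters")
        return v
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if len(lines) > MAX_FIELDS:
        v.reasons.append(f"more than {MAX_FIELDS} fields")
        return v
    for ln in lines:                       # one "NAME/VALUE" field per line (constructed layout)
        name, sep, value = ln.partition("/")
        if not sep:
            v.reasons.append(f"{ln!r}: missing field separator")
            continue
        _check_field(name.strip(), value.strip(), v)
    v.accepted = not v.reasons
    return v


class SecurityFilter:
    """Collect the entire message, validate all of it, and only then release it to the output line."""

    def __init__(self) -> None:
        self._input_buffer: List[str] = []
        self.log: List[str] = []           # rejected messages verbatim; the cause is not recorded

    def receive(self, chunk: str) -> None:
        self._input_buffer.append(chunk)   # no processing until end of message

    def end_of_message(self) -> Optional[str]:
        raw = "".join(self._input_buffer)
        self._input_buffer = []
        if validate_message(raw).accepted:
            return raw                     # released to the output line
        self.log.append(raw)
        return None                        # blocked


SAMPLE_MESSAGE = ("PRECEDENCE/P\nCLASSIFICATION/R\nPOSITION/5530N01020E\n"
                  "SPEED/15\nCOURSE/270\n")   # constructed sample, not a real message
```

The elementary-operation count is what the sizing in comment No 12 c) needs: for the worst case, assume every field fails all but the last of its legal formats, so the format loop runs to its full length.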
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲4̲
TN3 para 4.3, page 22
No, but it is assumed that a trusted compiler will
not be available in the near future, hence all trusted
software is assumed to be written in low level language.
We will consider using HOL for untrusted software to
minimize overall cost.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲5̲ ̲
TN3, para 5, page 26
a) Change "Security Analysis" to read "certification
Study".
b) Penetration Test is to be considered as an option.
Hence, change "26 man-months" to read "20 mm".
c) TEMPEST certification includes all necessary design,
design analysis etc. required to achieve the certificate.
d) Change "180 man-months" to read "195 mm".
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲6̲
TN3, para 5, page 27 and 28.
a) The two figures were derived in two different ways.
They are considered to be equal in the context
within which they are used.
b) No, but this cost will be estimated in phase II.
c) No, the formal verification of item 4, page 27
is the effort to achieve good, reliable software
which fulfils the functional specifications.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲7̲
PFS para 2.2.2.6, page 6.
Trade-offs are many and non-trivial. Viable solutions
will be considered in phase II.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲8̲
TN3, para 2.1.2, page 7 and 4.3, page 22.
Special checks include date-time group checks, geographic
positions, etc., while "others" covers message formats
other than ADatP-3.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲1̲9̲
TN3 para 5, page 28.
Breakdown of estimates on production costs for the
baseline filter can be made only to module level. Please
refer to TN2, page 23:

Module                      K DOLLARS
Input                          2.5
Multipurpose processor         4
Gate Keeper(1)                 4
Output                         2.5
Power Supply                   1
Input/output filters           2
Cabinet and Wiring             4
Tape Recorder                  2
Integration                    3
-------------------------------------
TOTAL                         25 K DOLLARS
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲2̲0̲
PFS para 4.1.2.9
The frequency of illegal messages shall be calculated
as shown overleaf.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲2̲1̲
PFS para 4.1.3.6, page 26.
The phase II specification will state clearly which
requirements are design oriented and which are met
by operational procedures.
C̲o̲m̲m̲e̲n̲t̲ ̲N̲o̲ ̲2̲2̲
Phase I report para 3.2.2, page 8.
a) replace in second subpara: "designated approving
authority" by "appropriate security authority"
b) add a third subparagraph as follows:
The Security Filter must be certified by an appropriate
national security agency, based on a study of the
security filter system by a technically competent
independent organization, that the system as designed
meets the security specifications of the security
filter.
2. P̲h̲a̲s̲e̲ ̲I̲I̲ ̲p̲l̲a̲n̲n̲i̲n̲g̲
The chart overleaf was presented, explained and agreed.
The current arrangement with TRW was explained and discussed.
IDM and SC were invited to participate in the work session
with TRW in Ballerup, tentatively planned for either
week 12 or week 14.
We will inform JDH as soon as a firm arrangement has
been made.
3. P̲h̲a̲s̲e̲ ̲I̲I̲ ̲B̲a̲s̲e̲l̲i̲n̲e̲ ̲D̲e̲c̲i̲s̲i̲o̲n̲s̲
a) The Idealized Architecture was selected as the
baseline hardware architecture for phase II.
b) The software architecture as described in the Phase
I Report, page 7, Figure 3.1-1 was selected as
the baseline for phase II.
c) It was decided that a human validation feature
as an option should be considered throughout phase
II.
The basic method and implementation should be as
described in the document Security Filter Architectures
pages 23 & 24.
d) Determination of which functions are trusted was
deemed to be part of phase II work.
e) A non-trusted layer in the filter is acceptable,
provided the design is produced under controlled
conditions.