GB 17859-1999 Criteria for the classification of computer information system security protection levels
GB17859-1999
This standard has three main purposes: first, to provide a basis for the formulation of computer information system security regulations and for supervision and inspection by law enforcement departments; second, to provide technical support for the development of security products; third, to provide technical guidance for the construction and management of security systems. This standard was formulated with reference to the United States Trusted Computer System Evaluation Criteria (DoD 5200.28-STD) and Trusted Computer Network System Description (NCSC-TG-005).
In the text of this standard, boldface indicates requirements that do not appear in, or are enhanced relative to, the lower level. This standard is the first part of the computer information system security protection level series of standards, which includes the following parts:
Computer Information System Security Level Division Criteria;
Computer Information System Security Level Division Criteria Application Guide;
Computer Information System Security Level Evaluation Criteria.
The implementation of this standard should follow the specific provisions of the supporting national standards. This standard is proposed by, and under the administration of, the Ministry of Public Security of the People's Republic of China. Drafting organizations: Tsinghua University, Peking University, Chinese Academy of Sciences. Main drafters: Hu Daoyuan, Wang Lifu, Qing Sihan, Jing Qianyuan, Na Risong, Li Zhipeng, Cai Qingming, Zhu Weiguo, Chen Zhong. This standard shall be implemented on January 1, 2001. The Ministry of Public Security of the People's Republic of China is entrusted with interpreting this standard.
National Standard of the People's Republic of China
Computer Information System
Classified criteria for security protection of computer information system
1 Scope
This standard specifies five levels of security protection capability for computer information systems, namely:
Level 1: User autonomous protection level;
Level 2: System audit protection level;
Level 3: Security label protection level;
Level 4: Structured protection level;
Level 5: Access verification protection level.
This standard applies to the classification of the technical capabilities of computer information system security protection. The security protection capability of a computer information system increases step by step with its security protection level.
2 Referenced standards
The clauses contained in the following standard constitute clauses of this standard through reference in this standard. The version shown was valid when this standard was published. All standards are subject to revision, and parties using this standard should explore the possibility of using the latest version of the following standard.
GB/T5271 Data Processing Vocabulary
3 Definitions
Except for the definitions in this chapter, other definitions not listed here can be found in GB/T5271.
3.1 Computer information system
A human-computer system composed of computers and their related and supporting equipment and facilities (including networks), which collects, processes, stores, transmits and retrieves information according to certain application goals and rules.
3.2 Trusted computing base of computer information system
The totality of protection mechanisms within a computer system, including hardware, firmware and software, the combination of which is responsible for enforcing the security policy. It establishes a basic protection environment and provides the additional user services required of a trusted computing system.
3.3 Object
The carrier of information.
3.4 Subject
The person, process or device that causes information to flow between objects.
3.5 Sensitivity label
A set of information that indicates the security level of an object and describes the sensitivity of the object's data. The sensitivity label is used by the trusted computing base as the basis for mandatory access control decisions.
Approved by the State Administration of Quality and Technical Supervision on September 13, 1999
Implemented on January 1, 2001
3.6 Security policy
Laws, regulations and implementation rules governing the management, protection and release of sensitive information.
3.7 Channel
The information transmission path within the system.
3.8 Covert channel
A communication channel that allows a process to transmit information in a way that violates the system security policy.
3.9 Reference monitor
A component that monitors the authorized access relationship between subjects and objects.
4 Level classification criteria
4.1 Level 1 User Autonomous Protection Level
The trusted computing base of a computer information system at this level isolates users from data, giving users the ability to protect their own security. It has multiple forms of control capability and implements access control on users, that is, it provides users with feasible means to protect user and user-group information and to prevent other users from illegally reading, writing or destroying data.
4.1.1 Autonomous access control
The trusted computing base of computer information systems defines and controls the access of named users to named objects in the system. The implementation mechanism (e.g., access control list) allows named users to define and control the sharing of objects as users and/or user groups, preventing unauthorized users from reading sensitive information.
4.1.2 Identity Authentication
When the computer information system trusted computing base is initially executed, the user is first required to identify himself, and a protection mechanism (e.g., a password) is used to authenticate the user's identity; unauthorized users are prevented from accessing user identification data.
4.1.3 Data integrity
The computer information system trusted computing base prevents unauthorized users from modifying or destroying trusted data through autonomous integrity policies.
4.2 Level 2 System audit protection level
Compared with the user autonomous protection level, the computer information system trusted computing base at this level implements more fine-grained autonomous access control. It makes users accountable for their own behavior through login procedures, auditing of security-related events and isolation of resources.
4.2.1 Autonomous access control
The computer information system trusted computing base defines and controls the access of named users to named objects in the system. The implementation mechanism (e.g., access control list) allows named users to define and control the sharing of objects as users and/or user groups, preventing unauthorized users from reading sensitive information, and controls the spread of access rights. The autonomous access control mechanism prevents unauthorized users from accessing objects, whether by user-specified methods or by default methods. The granularity of access control is a single user. Users without access rights are only allowed to access objects specified by authorized users.
4.2.2 Identity authentication
When the computer information system trusted computing base is initially executed, the user is first required to identify himself or herself, and a protection mechanism (such as a password) is used to authenticate the user's identity; unauthorized users are prevented from accessing user identification data. By providing users with unique identifiers, the computer information system trusted computing base can hold users accountable for their own behavior. The computer information system trusted computing base also has the ability to associate the identity identifier with all auditable behaviors of the user.
4.2.3 Object reuse
In the free storage object space of the computer information system trusted computing base, before an object is initially assigned, allocated or reallocated to a subject, all authorizations for the information contained in the object are revoked. When a subject obtains access to a released object, the current subject cannot obtain any information generated by the original subject's activities.
4.2.4 Audit
The computer information system trusted computing base can create and maintain access audit trails of protected objects and prevent unauthorized users from accessing or destroying them.
The computer information system trusted computing base can record the following events: use of the identity authentication mechanism; introduction of objects into the user address space (e.g., opening files, program initialization); deletion of objects; actions performed by operators, system administrators and/or system security administrators; and other events related to system security. For each event, the audit record includes: the date and time of the event, the user, the event type and whether the event succeeded. For identity authentication events, the audit record contains the source of the request (e.g., terminal identifier); for events introducing objects into the user address space and for object deletion events, the audit record contains the object name. For audit events that the computer information system trusted computing base cannot distinguish on its own, the audit mechanism provides an audit record interface that authorized subjects can call. These audit records are kept distinct from the audit records that the computer information system trusted computing base distinguishes on its own.
4.2.5 Data integrity
The trusted computing base of the computer information system uses autonomous integrity policies to prevent unauthorized users from modifying or destroying sensitive information.
4.3 Level 3 Security label protection level
The computer information system trusted computing base at this level has all the functions of the system audit protection level. In addition, it must provide an informal description of the security policy model, data labels, and mandatory access control of subjects to objects; it must have the ability to accurately label output information; and it must eliminate any errors found through testing.
4.3.1 Autonomous access control
The computer information system trusted computing base defines and controls the access of named users to named objects in the system. The implementation mechanism (for example, access control list) allows named users to define and control the sharing of objects as users and/or user groups, preventing unauthorized users from reading sensitive information, and controls the spread of access rights. The autonomous access control mechanism prevents unauthorized users from accessing objects, whether by user-specified methods or by default methods. The granularity of access control is a single user. Users without access rights are only allowed to have access rights to objects specified by authorized users.
4.3.2 Mandatory Access Control
The computer information system trusted computing base implements mandatory access control for all subjects and the objects they control (e.g., processes, files, segments, devices). Sensitive tags are assigned to these subjects and objects. These tags are a combination of hierarchical classification and non-hierarchical categories, which are the basis for implementing mandatory access control. The computer information system trusted computing base supports security levels composed of two or more components. The access of all subjects controlled by the computer information system trusted computing base to objects should meet the following requirements: the subject can read an object only if the hierarchical classification in the subject security level is higher than or equal to the hierarchical classification in the object security level, and the non-hierarchical category in the subject security level includes all non-hierarchical categories in the object security level; the subject can write an object only if the hierarchical classification in the subject security level is lower than or equal to the hierarchical classification in the object security level, and the non-hierarchical category in the subject security level is included in the non-hierarchical category in the object security level. The computer information system trusted computing base uses identity and authentication data to authenticate the identity of the user and ensure that the security level and authorization of the external subject of the computer information system trusted computing base created by the computer information system is controlled by the security level and authorization of the user.
4.3.3 Tagging
The computer information system trusted computing base should maintain sensitivity labels associated with the subjects and the storage objects (such as processes, files, segments and devices) it controls. These labels are the basis for implementing mandatory access control. To allow input of data that carries no security label, the computer information system trusted computing base requires and accepts the security level of that data from the authorized user, and this action can be audited by the computer information system trusted computing base.
4.3.4 Identity authentication
When the computer information system trusted computing base is initially executed, the user is first required to identify himself. In addition, the computer information system trusted computing base maintains user identification data and determines user access rights and authorization data. The computer information system trusted computing base uses this data, together with protection mechanisms (such as passwords), to authenticate the user's identity; unauthorized users are prevented from accessing user identity authentication data. By providing users with unique identifiers, the computer information system trusted computing base can hold users accountable for their own behavior. The computer information system trusted computing base also has the ability to associate the identity identifier with all auditable behaviors of the user.
4.3.5 Object reuse
In the free storage object space of the computer information system trusted computing base, before an object is initially assigned, allocated or reallocated to a subject, all authorizations for the information contained in the object shall be revoked. When a subject obtains access to a released object, the current subject cannot obtain any information generated by the original subject's activities.
4.3.6 Audit
The computer information system trusted computing base can create and maintain access audit trails for protected objects and prevent unauthorized users from accessing or destroying them.
The computer information system trusted computing base can record the following events: use of the identity authentication mechanism; introduction of objects into the user address space (e.g., opening files, program initialization); deletion of objects; actions performed by operators, system administrators and/or system security administrators; and other events related to system security. For each event, the audit record includes: the date and time of the event, the user, the event type and whether the event succeeded. For identity authentication events, the audit record contains the source of the request (e.g., terminal identifier); for events introducing objects into the user address space and for object deletion events, the audit record contains the object name and the security level of the object. In addition, the computer information system trusted computing base has the ability to audit changes to readable output labels. For audit events that the computer information system trusted computing base cannot distinguish on its own, the audit mechanism provides an audit record interface that authorized subjects can call. These audit records are kept distinct from the audit records that the computer information system trusted computing base distinguishes on its own.
4.3.7 Data integrity
The computer information system trusted computing base prevents unauthorized users from modifying or destroying sensitive information through autonomous and mandatory integrity policies. In a network environment, integrity sensitivity labels are used to ensure that information is not damaged during transmission.
4.4 Level 4 Structured protection level
The computer information system trusted computing base at this level is built on a well-defined formal security policy model, which requires the autonomous and mandatory access control of the level 3 system to be extended to all subjects and objects. In addition, covert channels must be considered. The computer information system trusted computing base at this level must be structured into security-critical and non-security-critical elements. The interface of the computer information system trusted computing base must also be clearly defined so that its design and implementation can withstand more thorough testing and more complete review. Authentication mechanisms are strengthened; the functions of system administrators and operators are supported; trusted facility management is provided; and configuration management controls are enhanced. The system has considerable resistance to penetration.
4.4.1 Autonomous access control
The computer information system trusted computing base defines and controls the access of named users to named objects in the system. The implementation mechanism (for example: access control list) allows named users and (or) user groups to specify and control the sharing of objects; prevent unauthorized users from reading sensitive information. And control the spread of access rights.
The autonomous access control mechanism prevents unauthorized users from accessing objects, whether by user-specified methods or by default methods. The granularity of access control is a single user. Users without access rights are only allowed to access objects specified by authorized users.
4.4.2 Mandatory access control
The trusted computing base of the computer information system implements mandatory access control on all resources that can be directly or indirectly accessed by external subjects (for example, subjects, storage objects, and input and output resources). Sensitivity labels are assigned to these subjects and objects. These labels are a combination of hierarchical classifications and non-hierarchical categories, and they are the basis for implementing mandatory access control. The trusted computing base of the computer information system supports security levels composed of two or more components. The access of all subjects outside the trusted computing base of the computer information system to objects shall meet the following requirements: the subject can read an object only when the hierarchical classification in the subject security level is higher than or equal to the hierarchical classification in the object security level, and the non-hierarchical categories in the subject security level include all the non-hierarchical categories in the object security level; the subject can write an object only when the hierarchical classification in the subject security level is lower than or equal to the hierarchical classification in the object security level, and the non-hierarchical categories in the subject security level are included in the non-hierarchical categories in the object security level. The trusted computing base of the computer information system uses identification and authentication data to authenticate the identity of the user and to ensure that the security level and authorization of the external subject created on behalf of the user are controlled by the security level and authorization of that user.
4.4.3 Tagging
The trusted computing base of the computer information system maintains sensitive tags related to computer information system resources (e.g., subjects, storage objects, read-only memory) that can be directly or indirectly accessed by external subjects. These tags are the basis for implementing mandatory access. In order to input data that is not security-marked, the computer information system trusted computing base requires and accepts the security level of this data from the authorized user, and it can be audited by the computer information system trusted computing base.
4.4.4 Identity Authentication
When the computer information system trusted computing base is initially executed, the user is first required to identify himself, and the computer information system trusted computing base maintains user identification data and determines user access rights and authorization data. The computer information system trusted computing base uses this data, together with protection mechanisms (such as passwords), to authenticate the user's identity; unauthorized users are prevented from accessing user identity authentication data. By providing users with unique identifiers, the computer information system trusted computing base can hold users accountable for their own behavior. The computer information system trusted computing base also has the ability to associate the identity identifier with all auditable behaviors of the user.
4.4.5 Object reuse
In the free storage object space of the computer information system trusted computing base, before an object is initially assigned, allocated or reallocated to a subject, all authorizations for the information contained in the object shall be revoked. When a subject obtains access rights to a released object, the current subject cannot obtain any information generated by the original subject's activities.
4.4.6 Audit
The computer information system trusted computing base can create and maintain access audit trails for protected objects and prevent unauthorized users from accessing or destroying them.
The computer information system trusted computing base can record the following events: use of the identity authentication mechanism; introduction of objects into the user address space (for example, opening files, program initialization); deletion of objects; actions performed by operators, system administrators and/or system security administrators; and other events related to system security. For each event, the audit record includes: the date and time of the event, the user, the event type and whether the event succeeded. For identity authentication events, the audit record contains the source of the request (for example, the terminal identifier); for events introducing objects into the user address space and for object deletion events, the audit record contains the object name and the object's security level. In addition, the computer information system trusted computing base has the ability to audit changes to readable output labels. For audit events that the computer information system trusted computing base cannot distinguish on its own, the audit mechanism provides an audit record interface that authorized subjects can call. These audit records are kept distinct from the audit records that the computer information system trusted computing base distinguishes on its own. The computer information system trusted computing base can audit the events that may be used in exploiting covert storage channels.
4.4.7 Data integrity
The computer information system trusted computing base prevents unauthorized users from modifying or destroying sensitive information through autonomous and mandatory integrity policies. In a network environment, integrity sensitivity labels are used to ensure that information is not damaged during transmission.
4.4.8 Covert channel analysis
System developers should thoroughly search for covert storage channels and determine the maximum bandwidth of each identified channel based on actual measurements or engineering estimates.
4.4.9 Trusted Path
For the initial login and authentication of the user, the computer information system trusted computing base provides a trusted communication path between itself and the user. Communication on this path can be initiated by the user.
4.5 Level 5 Access verification protection level
The computer information system trusted computing base at this level meets the access monitor requirements. The access monitor arbitrates all access of subjects to objects. The access monitor itself is tamper-resistant and must be small enough to be analyzed and tested. In order to meet the access monitor requirements, the computer information system trusted computing base excludes code that is not necessary for implementing the security policy during its construction, and during design and implementation its complexity is reduced to the minimum from a system engineering perspective. It supports the functions of the security administrator, extends the audit mechanism to signal security-related events as they occur, and provides system recovery mechanisms. The system has a high resistance to penetration.
4.5.1 Autonomous access control
The computer information system trusted computing base defines and controls the access of named users in the system to named objects. The implementation mechanism (e.g., access control list) allows named users and/or user groups to define and control the sharing of objects; prevent unauthorized users from reading sensitive information. And control the spread of access rights.
The autonomous access control mechanism prevents unauthorized users from accessing objects, whether by user-specified methods or by default methods. The granularity of access control is a single user. Access control can specify, for each named object, the named users and user groups and their access modes to the object. Users without access rights are only allowed to have access rights to objects specified by authorized users.
4.5.2 Mandatory access control
The trusted computing base of the computer information system implements mandatory access control on all resources (e.g., subjects, storage objects, and input and output resources) that can be directly or indirectly accessed by external subjects. Sensitivity labels are assigned to these subjects and objects. These labels are a combination of hierarchical classifications and non-hierarchical categories, and they are the basis for implementing mandatory access control. The trusted computing base of the computer information system supports security levels composed of two or more components. The direct or indirect access of all subjects outside the computer information system trusted computing base to objects shall meet the following requirements: the subject can read an object only when the hierarchical classification in the subject security level is higher than or equal to the hierarchical classification in the object security level, and the non-hierarchical categories in the subject security level include all the non-hierarchical categories in the object security level; the subject can write an object only when the hierarchical classification in the subject security level is lower than or equal to the hierarchical classification in the object security level, and the non-hierarchical categories in the subject security level are included in the non-hierarchical categories in the object security level. The computer information system trusted computing base uses identification and authentication data to authenticate the identity of the user, and ensures that the security level and authorization of the external subject created on behalf of the user are controlled by the security level and authorization of that user.
4.5.3 Tagging
The computer information system trusted computing base maintains sensitive tags related to computer information system resources (e.g., subjects, storage objects, read-only memory) that can be directly or indirectly accessed by external subjects. These tags are the basis for implementing mandatory access. In order to input data that is not security-marked, the computer information system trusted computing base requires and accepts the security level of this data from the authorized user, and it can be audited by the computer information system trusted computing base.
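The read and write rules of 4.5.2 (the same rules appear in 4.3.2 and 4.4.2), together with the access control list and the control over the spread of rights in 4.5.1, combined in a single reference-monitor check as 4.5 requires. This is an added Python illustration, not text from the standard; the Label, Acl and ReferenceMonitor names, the 'u:'/'g:' principal prefixes, the numeric classification scale and the 'control' mode are this example's assumptions.

```python
"""Reference-monitor check combining the autonomous (ACL) and mandatory
(label) rules of GB 17859-1999. Added illustration only: Label, Acl,
ReferenceMonitor, the 'u:'/'g:' principal prefixes, the numeric
classification scale and the 'control' mode are this example's assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical classification + non-hierarchical categories."""
    classification: int                      # constructed scale, 0=public .. 3=highest
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Higher-or-equal classification and a superset of the categories."""
        return (self.classification >= other.classification
                and self.categories >= other.categories)


def mac_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Mandatory rules of 4.3.2 / 4.4.2 / 4.5.2: read only if the subject label
    dominates the object label, write only if the object label dominates the
    subject label (no read-up, no write-down)."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


@dataclass
class Acl:
    """Autonomous access control list: modes per named user ('u:') or group ('g:')."""
    entries: Dict[str, Set[str]] = field(default_factory=dict)

    def allows(self, user: str, groups: Set[str], mode: str) -> bool:
        # Granularity is a single user: the user's own entry or any of the
        # user's groups may carry the mode.
        principals = {f"u:{user}"} | {f"g:{g}" for g in groups}
        return any(mode in self.entries.get(p, set()) for p in principals)


class ReferenceMonitor:
    """Arbitrates every subject-to-object access: DAC and MAC must both allow it."""

    def __init__(self) -> None:
        self.user_clearance: Dict[str, Label] = {}
        self.user_groups: Dict[str, Set[str]] = {}
        self.object_label: Dict[str, Label] = {}
        self.object_acl: Dict[str, Acl] = {}

    def create_subject(self, user: str, requested: Label) -> Optional[Label]:
        """A subject's level is bounded by its user's clearance (4.5.2);
        returns None when the requested label is not dominated by it."""
        if not self.user_clearance[user].dominates(requested):
            return None
        return requested

    def grant(self, granter: str, obj: str, principal: str, mode: str) -> bool:
        """Controls the spread of access rights (4.5.1): only a holder of the
        constructed 'control' mode on the object may add ACL entries."""
        acl = self.object_acl[obj]
        if not acl.allows(granter, self.user_groups.get(granter, set()), "control"):
            return False
        acl.entries.setdefault(principal, set()).add(mode)
        return True

    def check(self, user: str, subject: Label, obj: str, mode: str) -> bool:
        dac_ok = self.object_acl[obj].allows(user, self.user_groups.get(user, set()), mode)
        mac_ok = mac_allows(subject, self.object_label[obj], mode)
        return dac_ok and mac_ok


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample data: two users in one group, two labelled objects."""
    rm = ReferenceMonitor()
    rm.user_clearance["alice"] = Label(2, frozenset({"finance", "hr"}))
    rm.user_clearance["bob"] = Label(1, frozenset({"finance"}))
    rm.user_groups["alice"] = {"analysts"}
    rm.user_groups["bob"] = {"analysts"}
    rm.object_label["payroll"] = Label(2, frozenset({"finance", "hr"}))
    rm.object_label["bulletin"] = Label(0)
    rm.object_acl["payroll"] = Acl({"u:alice": {"read", "write", "control"},
                                   "g:analysts": {"read"}})
    rm.object_acl["bulletin"] = Acl({"u:alice": {"write", "control"},
                                    "g:analysts": {"read"}})
    return rm


if __name__ == "__main__":
    rm = build_demo_monitor()
    bob = rm.create_subject("bob", rm.user_clearance["bob"])
    print("bob reads payroll:", rm.check("bob", bob, "payroll", "read"))    # ACL yes, MAC no
    rm.grant("alice", "payroll", "u:bob", "write")
    print("bob writes payroll:", rm.check("bob", bob, "payroll", "write"))  # write-up allowed
```

Note that granting bob a write entry on the payroll ACL lets him write (a write-up that the mandatory rule permits) but still not read it, because his clearance lacks the 'hr' category.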
4.5.4 Identity Authentication
When the computer information system trusted computing base is initially executed, the user is first required to identify himself, and the computer information system trusted computing base maintains user identification data and determines user access rights and authorization data. The computer information system trusted computing base uses this data, together with protection mechanisms (such as passwords), to authenticate the user's identity; unauthorized users are prevented from accessing user identification data. By providing users with unique identifiers, the computer information system trusted computing base can hold users accountable for their own behavior. The computer information system trusted computing base also has the ability to associate the identity identifier with all auditable behaviors of the user.
4.5.5 Object reuse
In the free storage object space of the computer information system trusted computing base, before an object is initially assigned, allocated or reallocated to a subject, all authorizations for the information contained in the object are revoked. When a subject obtains access to a released object, the current subject cannot obtain any information generated by the original subject's activities.
4.5.6 Audit
The computer information system trusted computing base can create and maintain access audit trails for protected objects and prevent unauthorized users from accessing or destroying them.
The computer information system trusted computing base can record the following events: use of the identity authentication mechanism; introduction of objects into the user address space (e.g., opening files, program initialization); deletion of objects; actions performed by operators, system administrators and/or system security administrators; and other events related to system security. For each event, the audit record includes: the date and time of the event, the user, the event type and whether the event succeeded. For identity authentication events, the audit record also includes the source of the request (e.g., terminal identifier); for events introducing objects into the user address space and for object deletion events, the audit record contains the object name and the object's security level. In addition, the computer information system trusted computing base has the ability to audit changes to readable output labels. For audit events that the computer information system trusted computing base cannot distinguish on its own, the audit mechanism provides an audit record interface that authorized subjects can call. These audit records are kept distinct from the audit records that the computer information system trusted computing base distinguishes on its own. The computer information system trusted computing base can audit the events that may be used in exploiting covert storage channels. The computer information system trusted computing base contains a mechanism that monitors the occurrence and accumulation of auditable security events and, when a threshold is exceeded, immediately sends an alarm to the security administrator. In addition, if these security-related events continue to occur or accumulate, the system should terminate them at the lowest cost.
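The record contents and the threshold alarm of 4.5.6, as an added Python illustration rather than text from the standard; the record layout, the event-type identifiers, the 'secadmin' role and the sliding-window threshold policy are assumptions of this example.

```python
"""Audit trail and threshold alarm shaped after GB 17859-1999 clause 4.5.6.
Added illustration only: the record layout, the event-type identifiers, the
'secadmin' role and the sliding-window threshold policy are assumptions."""
from collections import deque
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

AUTH = "authentication"                   # event types named in the clause (constructed ids)
OBJECT_INTRODUCE = "object_introduce"     # e.g. opening a file, starting a program
OBJECT_DELETE = "object_delete"


@dataclass(frozen=True)
class AuditRecord:
    time: datetime
    user: str
    event: str
    success: bool
    source: Optional[str] = None          # required for AUTH (e.g. terminal id)
    object_name: Optional[str] = None     # required for object events
    object_level: Optional[str] = None    # required for object events (level 3 and up)
    tcb_generated: bool = True            # False if supplied through the interface


def validate(rec: AuditRecord) -> Optional[str]:
    """Return why the record is incomplete for its event type, or None if complete."""
    if rec.event == AUTH and rec.source is None:
        return "authentication record needs the request source"
    if rec.event in (OBJECT_INTRODUCE, OBJECT_DELETE) and (
            rec.object_name is None or rec.object_level is None):
        return "object record needs object name and object security level"
    return None


class AuditTrail:
    """Append-only trail that only authorized subjects may read."""

    def __init__(self, authorized: Set[str]) -> None:
        self._records: List[AuditRecord] = []
        self._authorized = set(authorized)

    def record(self, rec: AuditRecord) -> None:
        """Events the trusted computing base distinguishes on its own."""
        problem = validate(rec)
        if problem:
            raise ValueError(problem)
        self._records.append(rec)

    def record_external(self, caller: str, rec: AuditRecord) -> bool:
        """Audit record interface for authorized subjects; their records stay
        distinguishable from TCB-generated ones through tcb_generated=False."""
        if caller not in self._authorized or validate(rec) is not None:
            return False
        self._records.append(replace(rec, tcb_generated=False))
        return True

    def read(self, caller: str) -> Optional[List[AuditRecord]]:
        """Copies of the records, or None for callers who may not access the trail."""
        return list(self._records) if caller in self._authorized else None


class ThresholdMonitor:
    """Counts failed security events per user in a sliding window and records an
    alarm for the security administrator once the count exceeds the threshold."""

    def __init__(self, threshold: int, window: timedelta) -> None:
        self.threshold, self.window = threshold, window
        self._failures: Dict[str, Deque[datetime]] = {}
        self.alarms: List[str] = []

    def observe(self, rec: AuditRecord) -> bool:
        """True when this record pushes its user over the threshold."""
        if rec.success:
            return False
        q = self._failures.setdefault(rec.user, deque())
        q.append(rec.time)
        while q and rec.time - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.alarms.append(f"{rec.time.isoformat()} {rec.user}: {len(q)} failed "
                               f"{rec.event} events within {self.window}")
            return True
        return False


def run_demo() -> Tuple[AuditTrail, ThresholdMonitor, List[bool]]:
    """Constructed sample: five failed logins from one terminal, then a file open."""
    trail = AuditTrail(authorized={"secadmin"})
    monitor = ThresholdMonitor(threshold=3, window=timedelta(minutes=5))
    t0 = datetime(2001, 1, 1, 9, 0, 0)
    alarmed = []
    for i in range(5):
        rec = AuditRecord(t0 + timedelta(seconds=30 * i), "mallory", AUTH, False, source="tty3")
        trail.record(rec)
        alarmed.append(monitor.observe(rec))
    trail.record(AuditRecord(t0 + timedelta(minutes=3), "alice", OBJECT_INTRODUCE, True,
                             object_name="/data/payroll", object_level="2:finance,hr"))
    return trail, monitor, alarmed
```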
4.5.7 Data integrity
The computer information system trusted computing base prevents unauthorized users from modifying or destroying sensitive information through autonomous and mandatory integrity policies. In a network environment, integrity sensitivity labels are used to ensure that information is not damaged during transmission.
4.5.8 Covert channel analysis
System developers should thoroughly search for covert channels and determine the maximum bandwidth of each identified channel based on actual measurements or engineering estimates.
4.5.9 Trusted path
When a connection to a user is required (for example, at login or when changing the subject security level), the computer information system trusted computing base provides a trusted communication path between itself and the user. Communication on the trusted path can only be activated by the user or by the computer information system trusted computing base, is logically isolated from communication on other paths, and can be reliably distinguished from it.
4.5.10 Trusted recovery
The trusted computing base of computer information systems provides processes and mechanisms to ensure that after a computer information system fails or is interrupted, it can be restored without compromising any security protection capabilities.