Title :
Redrawing the security perimeter of a trusted system
Author :
Sterne, Daniel F. ; Benson, Glenn S. ; Tajalli, Homayoon
Author_Institution :
Trusted Inf. Syst. Inc., Glenwood, MD, USA
Abstract :
According to the Trusted Computer System Evaluation Criteria (TCSEC) paradigm, if untrusted subjects are constrained by the trusted computing base (TCB), they may safely execute software of unknown assurance while accessing sensitive information. Untrusted subjects, however, can leak sensitive information, undermine the TCB's accountability mechanisms, and destroy information integrity. Hence, the security properties needed by many organizations cannot be enforced at the TCSEC security perimeter, i.e., the TCB interface. We propose an alternative approach that redraws the security perimeter of a trusted system so that it encompasses not only a TCSEC TCB but also the Controlled Application Set (CAS), a collection of software components for which some assurance of benign behavior has been obtained. Non-CAS components may also be present on a system and may be used to manipulate only non-sensitive information. The approach advocates a form of balanced assurance in which the assurance sought for CAS components is commensurate with the residual security risks they present. We propose practical assurance requirements, including new functional requirements for TCBs. Examples illustrate the applicability of the approach to confidentiality, accountability, and integrity.
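The abstract contrasts two perimeters: the TCSEC one, where the TCB interface alone decides access and never asks whether the requesting code is trustworthy, and the redrawn one, where sensitive information may be manipulated only by CAS components. The toy reference monitor below is an added illustration written for this page, not code or a rule set from the paper: it uses a constructed two-level lattice, made-up subjects and objects, and reads the sentence "Non-CAS components ... may be used to manipulate only non-sensitive information" as a single extra predicate layered on top of the usual simple-security and *-property checks. The paper's actual functional requirements for TCBs are not reproduced here.

```python
"""Toy reference monitor contrasting the TCSEC perimeter (TCB interface only)
with a redrawn perimeter (TCB plus Controlled Application Set).
Constructed illustration: the lattice, subjects and objects are made up."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """A two-level lattice is enough to show the point."""
    UNCLASSIFIED = 0
    SENSITIVE = 1


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    in_cas: bool  # True only when some assurance of benign behaviour exists


@dataclass(frozen=True)
class Resource:
    name: str
    level: Level


def tcsec_allows(subj: Subject, res: Resource, mode: str) -> bool:
    """Mandatory access control as the TCB interface alone enforces it:
    simple-security (read down) and the *-property (write up).
    Nothing here asks whether the subject's code is trustworthy."""
    if mode == "read":
        return subj.clearance >= res.level
    if mode == "write":
        return res.level >= subj.clearance
    raise ValueError(f"unknown mode {mode!r}")


def cas_allows(subj: Subject, res: Resource, mode: str) -> bool:
    """Redrawn perimeter (assumed reading of the abstract): the TCSEC check
    still applies, and in addition sensitive information may be touched in
    any mode only by CAS components.  Non-CAS software is confined to
    non-sensitive resources, which also blocks the BLP 'write up' that an
    unvetted program could use to corrupt sensitive data."""
    if res.level > Level.UNCLASSIFIED and not subj.in_cas:
        return False
    return tcsec_allows(subj, res, mode)


def decisions(subjects, resources, modes=("read", "write")):
    """Map (subject, resource, mode) -> (tcsec_decision, cas_decision)
    so the two perimeters can be compared side by side."""
    out = {}
    for s in subjects:
        for r in resources:
            for m in modes:
                out[(s.name, r.name, m)] = (tcsec_allows(s, r, m), cas_allows(s, r, m))
    return out


# Constructed sample population.  'unknown_util' models a cleared user
# running software of unknown assurance, the case the abstract worries about.
SUBJECTS = [
    Subject("report_tool", Level.SENSITIVE, in_cas=True),
    Subject("unknown_util", Level.SENSITIVE, in_cas=False),
    Subject("web_browser", Level.UNCLASSIFIED, in_cas=False),
]
RESOURCES = [
    Resource("payroll", Level.SENSITIVE),
    Resource("bulletin", Level.UNCLASSIFIED),
]

if __name__ == "__main__":
    for key, (tcsec, cas) in sorted(decisions(SUBJECTS, RESOURCES).items()):
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{key}: TCSEC={verdict(tcsec):5}  redrawn={verdict(cas)}")
```

The rows worth reading are the ones where the two columns disagree: a cleared but unvetted program reading or writing `payroll`, and an unclassified program writing up into `payroll`. The TCSEC perimeter permits all three because the labels check out; the redrawn perimeter denies them because the code is outside the CAS. Everything touching `bulletin` is unchanged, which is the "non-CAS components may manipulate non-sensitive information" half of the proposal.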
Keywords :
data integrity; security of data; Controlled Application Set; accountability; accountability mechanisms; confidentiality; information integrity; integrity; security perimeter; sensitive information; trusted computer base; trusted systems evaluation criteria; Access control; Authentication; Content addressable storage; Control systems; Information security; Information systems; Lattices; Robust control; Software safety; Variable speed drives;
Conference_Titel :
Computer Security Foundations Workshop VII, 1994. CSFW 7. Proceedings
Conference_Location :
Franconia, NH
Print_ISBN :
0-8186-6230-1
DOI :
10.1109/CSFW.1994.315938