Security Criteria for Distributed Systems: Functional Requirements.

1995 
Abstract: The focus of the security requirements presented in this report is on the design, implementation, and operation of trusted distributed operating systems. The view represented in this report is that any trusted distributed system consists of a set of Trusted Computing Bases interconnected by trusted channels subject to interconnection policies, or constraints, placed on one or several security perimeters. A detailed rationale for this view of a distributed system product is provided in the National Research Council's report, Computers at Risk. What is presented herein is not intended to stand alone: these requirements rely on continuing work (i.e., the Common Criteria) to provide a process and infrastructure by which they can be assembled into specific evaluation criteria and subsequently applied (e.g., in the evaluation of a trusted distributed system). These requirements apply only to the functional security requirements of distributed systems. Functional security requirements relate to mechanisms implementing system and information protection. The development of additional assurance requirements is needed to have a complete set of requirements for trusted system evaluation criteria. Assurance requirements are those that affect the 'trust' or confidence one has in the design, construction, and operation of a given protection feature or mechanism. The development of a set of assurance requirements will occur via the Common Criteria working group. The requirements presented in this report borrow heavily from the strong foundational work that resulted in the draft security criteria known as the Federal Criteria. The technical content and focus of those criteria were adapted to incorporate the area of distributed computer systems.