Modifying a Multilevel Secure System

This section contains the following topics:

CATop Secret Features Not Part of a TCB Configuration

Introduction

The trusted computing base (TCB) components of an CA Top Secret MLS system include hardware and software. Changes to the TCB must be authorized to ensure the TCB remains trusted and is protected from unauthorized access. Any authorized programs or site-developed authorized code added to the TCB must adhere to the same or equivalent controls and checking as the TCB performs to maintain integrity. Even though integrity is maintained, the addition of any authorized software outside of the TCB may compromise MLS.

System Integrity

System integrity prevents an unauthorized program from:

Bypassing storage or fetch protection
Bypassing OS password or VSAM password
Bypassing security checking
Obtaining control in an authorized state

z/OS accomplishes this by using hardware and software features.

Software features ensure that only authorized programs can access functions that might compromise integrity. To be authorized, a program must:

Execute in supervisor state
Execute with a program status word (PSW) key of 0-7
Be authorized by the authorized program facility (APF)

If a program satisfies one of these requirements, it can access a restricted supervisor call (SVC), certain exit and I/O appendages, or another system function that could compromise the security and integrity of the system.

Possible Integrity Exposures

In general, a software program does not harm system integrity if it:

Uses only unauthorized and unrestricted MVS interfaces
Runs only as a problem program
Does not modify z/OS MVS

System integrity of a secure system might be compromised if a program:

Runs authorized or with special privileges
Uses an SVC, program call, exit, or I/O appendage
Modifies MVS
Uses APF
Places its name in the program properties table (PPT)
Runs in supervisor state
Runs with a PSW of 0-7
Operates with a acid that has special CA Top Secret attributes

An authorized program could introduce integrity exposures in the following areas:

Supplying and verifying addresses for user storage areas
Supplying and verifying control blocks and addresses
Identifying and validating resources
Having SVC routines call other SVC routines
Accessing control program and user data
Serializing resources

IBM provides information about guidelines that enable an authorized program to use system and user resources. These guidelines include:

Protection: Ensures the protection of sensitive data owned by authorized programs, the protection of user data from unauthorized users, and the protection of sensitive functions, such as SVCs.
Identification: Ensures that system and user resources are not counterfeited by separating these resources and that authorized programs can identify which program has responsibility for validating user data.
Validation: Ensures the validity of requests to use main storage and system resources by unauthorized programs and the validity of data passed by authorized programs.
Serialization: Ensures that access to system resources is serialized and that a validation process does not alter variables before the operation being validated is complete.

Acceptable Modifications

Any product that runs authorized and is not part of the TCB is not considered part of an MLS TCB system.

Important! This does not mean that software that is not part of the TCB will not run on the system.

CATop Secret Features Not Part of a TCB Configuration

The following CA Top Secret features are not part of a TCB configuration:

CA Top Secret CICS
CA Top Secret IMS
Distributed Database (DDB)
Command Propagation Facility (CPF)
Cache facility
Record-level protection (RLP)
CA Top Secret Exits
VTAM Common Sign-on Managers
PSF print labeling