Modifying a Multilevel Secure System
The trusted computing base (TCB) components of an CA Top Secret MLS system include hardware and software. Changes to the TCB must be authorized to ensure the TCB remains trusted and is protected from unauthorized access. Any authorized programs or site-developed authorized code added to the TCB must adhere to the same or equivalent controls and checking as the TCB performs to maintain integrity. Even though integrity is maintained, the addition of any authorized software outside of the TCB may compromise MLS.
System integrity prevents an unauthorized program from:
- Bypassing storage or fetch protection
- Bypassing OS password or VSAM password
- Bypassing security checking
- Obtaining control in an authorized state
z/OS accomplishes this by using hardware and software features.
Software features ensure that only authorized programs can access functions that might compromise integrity. To be authorized, a program must:
- Execute in supervisor state
- Execute with a program status word (PSW) key of 0-7
- Be authorized by the authorized program facility (APF)
If a program satisfies one of these requirements, it can access a restricted supervisor call (SVC), certain exit and I/O appendages, or another system function that could compromise the security and integrity of the system.
Possible Integrity Exposures
In general, a software program does not harm system integrity if it:
- Uses only unauthorized and unrestricted MVS interfaces
- Runs only as a problem program
- Does not modify z/OS MVS
System integrity of a secure system might be compromised if a program:
- Runs authorized or with special privileges
- Uses an SVC, program call, exit, or I/O appendage
- Modifies MVS
- Uses APF
- Places its name in the program properties table (PPT)
- Runs in supervisor state
- Runs with a PSW of 0-7
- Operates with a acid that has special CA Top Secret attributes
An authorized program could introduce integrity exposures in the following areas:
- Supplying and verifying addresses for user storage areas
- Supplying and verifying control blocks and addresses
- Identifying and validating resources
- Having SVC routines call other SVC routines
- Accessing control program and user data
- Serializing resources
IBM provides information about guidelines that enable an authorized program to use system and user resources. These guidelines include:
- ProtectionEnsures the protection of sensitive data owned by authorized programs, the protection of user data from unauthorized users, and the protection of sensitive functions, such as SVCs.
- IdentificationEnsures that system and user resources are not counterfeited by separating these resources and that authorized programs can identify which program has responsibility for validating user data.
- ValidationEnsures the validity of requests to use main storage and system resources by unauthorized programs and the validity of data passed by authorized programs.
- SerializationEnsures that access to system resources is serialized and that a validation process does not alter variables before the operation being validated is complete.
Any product that runs authorized and is not part of the TCB is not considered part of an MLS TCB system.
This does not mean that software that is not part of the TCB will not run on the system.
CATop Secret Features Not Part of a TCB Configuration
The following CA Top Secret features are not part of a TCB configuration:
- CA Top Secret CICS
- CA Top Secret IMS
- Distributed Database (DDB)
- Command Propagation Facility (CPF)
- Cache facility
- Record-level protection (RLP)
- CA Top Secret Exits
- VTAM Common Sign-on Managers
- PSF print labeling