Multics Technical Bulletin MTB-664
Design Documentation

To: Distribution
From: Pozzo
Date: 07/02/84
Subject: Design Documentation for the TCB

1 ABSTRACT

The Criteria requires design documentation that describes how the TCB enforces the security policy of the system, as described in the DTLS. It further requires a complete and accurate description of the interface between the TCB modules and the TCB protection mechanisms. This document identifies an interim plan towards satisfying this requirement. It further describes what needs to be done to completely fulfill the requirements set out by the Criteria.

This MTB, in addition to informing the Multics community of its contents, serves as formal notification to the DOD Security Evaluation Team, informing them of Honeywell's plans for both an interim and final plan for Multics design documentation.

Comments should be sent to the author:

via Multics Mail: Pozzo.Multics on either MIT Multics or System M.

via US Mail:
Maria M. Pozzo
Honeywell Information Systems, Inc.
575 Tech Square
Cambridge, Massachusetts 02139

via telephone: (HVN) 261-9364, or (617) 492-9364

_________________________________________________________________

Multics project internal working documentation. Not to be reproduced or distributed outside the Multics project without the consent of the author or the author's management.

2 THE TRUSTED COMPUTING BASE

The TCB is that portion of the system (hardware, software, and firmware) whose protection mechanisms enforce the system's security policy. For Multics, the software that is considered the TCB is ring zero, ring one and privileged applications. (See detailed list in Section 4.)

3 DESIGN DOCUMENTATION

Design documentation which satisfies the Criteria for a level B2 system consists of Multics PLMs (Program Logic Manuals), SDNs (System Designers Notebooks) and MTBs (Multics Technical Bulletins) for the entire TCB. Currently, these documents for many of the areas are outdated and some do not exist. The following plan will provide design documentation that accurately describes the TCB as it is currently implemented and, coupled with the Configuration Management Strategy, will assure that this documentation is kept current. It is intended to provide accurate design documentation for each area of the TCB. The format of this documentation will be as follows:

* An initial chapter which describes what the subsystem does, the classes of information it handles, how that information can be manipulated, and an overview of how the subsystem interfaces internally and with the rest of the TCB.

* A chapter specifying the security policy enforced by the subsystem as well as a description of the security-relevant portion.

* Remaining chapters that detail the internal modules and interfaces of the subsystem.

In addition, an overview of the entire TCB will be provided to serve as an introduction to this entire set of design documentation.

4 INTERIM PLAN

The interim plan will provide the first two chapters, as described above, for MR11, as well as the introductory overview of the entire TCB. The following detailed list describes the areas to be covered and the effort required for completing both the interim plan and the final plan. Note that the effort required is in terms of man-months, and that the interim effort is part of the final effort, not an addition to it.

Subsystem                              Interim   Final
_________                              _______   _____
Message Segments and Mailboxes           0.25     1.00
Storage System (incl. Salvagers)         0.50     2.50
System Initialization                    DONE     DONE
Programming Standards                    DONE     DONE
RCPRM                                    1.00     1.00
Security Control (Directory Control)     1.00     2.00
Volume Backup Dumper                     0.25     1.00
Hierarchy Backup Dumper                  0.25     1.50
Hardcore IO (IOI)                        0.25     1.00
System and User Control                  0.50     2.00
Interprocess Communication               0.25     0.50
Traffic Controller                       0.50     3.00
IO Daemon - misc IO modules              0.50     3.00
Reconfiguration                          0.25     1.00
Name and Address Space Management        0.50     2.00
Run-Time Environment                     0.75     3.00
Fault and Interrupt Handling             0.25     1.00
Logical Volume Management (MDC)          0.50     2.00
System Administration                    0.50     2.00
On-line T&Ds                             0.50     2.00
Ring-0 Auditing & Logging                0.50     0.50
Overview of the TCB                      NA       NA
                                       ______   ______
                                         9.00    32.50