BSI-DSZ-CC for. IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2. from.

Transcription

1 BSI-DSZ-CC for IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 from IBM Corporation

2 BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach , D Bonn Phone +49 (0) , Fax +49 (0) , Infoline +49 (0) Certification Report V1.0 CC-Zert-327 V4.63

3 BSI-DSZ-CC IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 from IBM Corporation PP Conformance: Operating System Protection Profile, Version 2.0, 01 June 2010, BSI-CC-PP OSPP Extended Packages: (1) General Purpose Cryptography, (2) Integrity Verification, (3) Virtualization, (4) Advanced Management, (5) Labeled Security all Version 2.0, 28 May 2010 Functionality: Assurance: PP conformant Common Criteria Part 2 extended Common Criteria Part 3 conformant EAL 4 augmented by ALC_FLR.3 Common Criteria Recognition Arrangement The IT product identified in this certificate has been evaluated at an approved evaluation facility using the Common Methodology for IT Security Evaluation (CEM), Version 3.1 for conformance to the Common Criteria for IT Security Evaluation (CC), Version 3.1. This certificate applies only to the specific version and release of the product in its evaluated configuration and in conjunction with the complete Certification Report. The evaluation has been conducted in accordance with the provisions of the certification scheme of the German Federal Office for Information Security (BSI) and the conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced. This certificate is not an endorsement of the IT product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, is either expressed or implied. Bonn, 20 August 2012 For the Federal Office for Information Security for components up to EAL 4 Bernd Kowalski Head of Department L.S. Bundesamt für Sicherheit in der Informationstechnik Godesberger Allee D Bonn - Postfach D Bonn Phone +49 (0) Fax +49 (0) Infoline +49 (0)

4 Certification Report BSI-DSZ-CC This page is intentionally left blank. 4 / 54

5 BSI-DSZ-CC Certification Report Preliminary Remarks Under the BSIG 1 Act, the Federal Office for Information Security (BSI) has the task of issuing certificates for information technology products. Certification of a product is carried out on the instigation of the vendor or a distributor, hereinafter called the sponsor. A part of the procedure is the technical examination (evaluation) of the product according to the security criteria published by the BSI or generally recognised security criteria. The evaluation is normally carried out by an evaluation facility recognised by the BSI or by BSI itself. The result of the certification procedure is the present Certification Report. This report contains among others the certificate (summarised assessment) and the detailed Certification Results. The Certification Results contain the technical description of the security functionality of the certified product, the details of the evaluation (strength and weaknesses) and instructions for the user. 1 Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p / 54

6 Certification Report BSI-DSZ-CC Contents This page is intentionally left blank...8 A Certification Specifications of the Certification Procedure Recognition Agreements European Recognition of ITSEC/CC Certificates (SOGIS-MRA) International Recognition of CC Certificates (CCRA) Performance of Evaluation and Certification Validity of the Certification Result Publication...11 B Certification Results Executive Summary Identification of the TOE Security Policy Assumptions and Clarification of Scope Architectural Information Major structural units of the TOE Security functions AIX Identification and authentication Auditing Discretionary access control Object reuse Security management TSF protection Privileges, authorizations, roles, and superuser emulation TCB protection Trusted Execution (TE) Networking Workload Partitions (WPARs) Cryptographic Framework Mandatory access control (LAS mode only) Mandatory integrity control (LAS mode only) Trusted Network (LAS mode only) VIOS Identification & authentication Discretionary access control Role-based access control Security management Documentation IT Product Testing Developer Testing Test configuration Testing approach Testing results Test coverage Test depth Conclusion Evaluator Testing Effort / 54

7 BSI-DSZ-CC Certification Report Test configuration Chosen subset size Evaluator tests performed Summary of Evaluator test results Evaluator Penetration Testing Evaluated Configuration Results of the Evaluation CC specific results Results of cryptographic assessment Obligations and Notes for the Usage of the TOE Security Target Definitions Acronyms Product specific Acronyms Glossary Bibliography...42 C Excerpts from the Criteria...43 D Annexes / 54

8 Certification Report BSI-DSZ-CC This page is intentionally left blank. 8 / 54

9 BSI-DSZ-CC Certification Report A Certification 1 Specifications of the Certification Procedure The certification body conducts the procedure according to the criteria laid down in the following: BSIG 2 BSI Certification Ordinance 3 BSI Schedule of Costs 4 Special decrees issued by the Bundesministerium des Innern (Federal Ministry of the Interior) DIN EN standard BSI certification: Procedural Description (BSI 7125) [3] Common Criteria for IT Security Evaluation (CC), Version [1] Common Methodology for IT Security Evaluation, Version 3.1 [2] BSI certification: Application Notes and Interpretation of the Scheme (AIS) [4] 2 Recognition Agreements In order to avoid multiple certification of the same product in different countries a mutual recognition of IT security certificates - as far as such certificates are based on ITSEC or CC - under certain conditions was agreed. 2.1 European Recognition of ITSEC/CC Certificates (SOGIS-MRA) The SOGIS-Mutual Recognition Agreement (SOGIS-MRA) Version 3 became effective in April It defines the recognition of certificates for IT-Products at a basic recognition level and in addition at higher recognition levels for IT-Products related to certain technical domains only. The basic recognition level includes Common Criteria (CC) Evaluation Assurance Levels EAL1 to EAL4 and ITSEC Evaluation Assurance Levels E1 to E3 (basic). For higher recognition levels the technical domain Smart card and similar Devices has been defined. It includes assurance levels beyond EAL4 resp. E3 (basic). In Addition, certificates issued for Protection Profiles based on Common Criteria are part of the recognition agreement. 2 Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p Ordinance on the Procedure for Issuance of a Certificate by the Federal Office for Information Security (BSI-Zertifizierungsverordnung, BSIZertV) of 07 July 1992, Bundesgesetzblatt I p Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der Informationstechnik (BSI-Kostenverordnung, BSI-KostV) of 03 March 2005, Bundesgesetzblatt I p Proclamation of the Bundesministerium des Innern of 12 February 2007 in the Bundesanzeiger dated 23 February 2007, p / 54

10 Certification Report BSI-DSZ-CC As of September 2011 the new agreement has been signed by the national bodies of Austria, Finland, France, Germany, Italy, The Netherlands, Norway, Spain, Sweden and the United Kingdom. Details on recognition and the history of the agreement can be found at The SOGIS-MRA logo printed on the certificate indicates that it is recognised under the terms of this agreement by the nations listed above. 2.2 International Recognition of CC Certificates (CCRA) An arrangement (Common Criteria Recognition Arrangement) on the mutual recognition of certificates based on the CC Evaluation Assurance Levels up to and including EAL 4 has been signed in May 2000 (CCRA). It includes also the recognition of Protection Profiles based on the CC. As of September 2011 the arrangement has been signed by the national bodies of: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Republic of Korea, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Singapore, Spain, Sweden, Turkey, United Kingdom, United States of America. The current list of signatory nations and approved certification schemes can be seen on the website: The Common Criteria Recognition Arrangement logo printed on the certificate indicates that this certification is recognised under the terms of this agreement by the nations listed above. 3 Performance of Evaluation and Certification The certification body monitors each individual evaluation to ensure a uniform procedure, a uniform interpretation of the criteria and uniform ratings. The product IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 has undergone the certification procedure at BSI. The evaluation of the product IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 was conducted by atsec information security GmbH. The evaluation was completed on 8 August The atsec information security GmbH is an evaluation facility (ITSEF) 6 recognised by the certification body of BSI. For this certification procedure the sponsor and applicant is: IBM Corporation. The product was developed by: IBM Corporation. The certification is concluded with the comparability check and the production of this Certification Report. This work was completed by the BSI. 4 Validity of the Certification Result This Certification Report only applies to the version of the product as indicated. The confirmed assurance package is only valid on the condition that all stipulations regarding generation, configuration and operation, as given in the following report, are observed, 6 Information Technology Security Evaluation Facility 10 / 54

11 BSI-DSZ-CC Certification Report the product is operated in the environment described, as specified in the following report and in the Security Target. For the meaning of the assurance levels please refer to the excerpts from the criteria at the end of the Certification Report. The Certificate issued confirms the assurance of the product claimed in the Security Target at the date of certification. As attack methods evolve over time, the resistance of the certified version of the product against new attack methods needs to be re-assessed. Therefore, the sponsor should apply for the certified product being monitored within the assurance continuity program of the BSI Certification Scheme (e.g. by a re-certification). Specifically, if results of the certification are used in subsequent evaluation and certification procedures, in a system integration process or if a user's risk management needs regularly updated results, it is recommended to perform a re-assessment on a regular e.g. annual basis. 5 Publication The product IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 has been included in the BSI list of certified products, which is published regularly (see also Internet: and [5]). Further information can be obtained from BSI-Infoline Further copies of this Certification Report can be requested from the developer 7 of the product. The Certification Report may also be obtained in electronic form at the internet address stated above. 7 IBM Corporation Burnet RD Austin,TX USA 11 / 54

12 Certification Report BSI-DSZ-CC This page is intentionally left blank. 12 / 54

13 BSI-DSZ-CC Certification Report B Certification Results The following results represent a summary of the Security Target of the sponsor for the Target of Evaluation, the relevant evaluation results from the evaluation facility, and complementary notes and stipulations of the certification body. 13 / 54

14 Certification Report BSI-DSZ-CC Executive Summary The target of evaluation (TOE) is the AIX Version 7.1 operating system and the optional IBM Virtual I/O Server (VIOS) Version 2.2 including ifixes shipped as part of PRPQ P AIX is a general purpose, multi-user, multi-tasking operating system. It is compliant with all major international standards for UNIX systems. It provides a platform for a variety of applications in the governmental and commercial environment. AIX is available on a broad range of computer systems from IBM, ranging from departmental servers to multiprocessor enterprise servers, and is capable of running in an LPAR (Logical Partitioning) environment. Several servers running AIX 7.1 (any combination of BAS mode systems and LAS mode system scan be used) can be connected to form a distributed system, but not all components of such a system are components of the TOE. The communication aspects within AIX 7.1 used for this connection are also part of the evaluation. It is assumed that the communication links themselves are protected against interception and manipulation by measures which are outside the scope of this evaluation. In LAS mode, the TOE enforces MAC, MIC, DAC, and TCB control policies to implement security goals, such as confidentiality, integrity, and accountability. LAS mode can operate in a network or stand-alone configuration. In a network configuration, LAS mode supports BSO/ESO/CIPSO/RIPSO and provides network filtering on incoming and outgoing packets, based on network interface and host filtering rules. The AIX evaluation shall consist of a closed network of high-end, mid-range and low-end IBM System p POWER6 and POWER7 servers running the TOE. In addition, each server may optionally run VIOS. The TOE Security Functionality (TSF) consists of those parts of AIX that run in kernel mode plus some trusted processes. These are the functions that enforce the security policy as defined in the Security Target. Tools and commands executed in user mode that are used by the system administrator need also to be trusted to manage the system in a secure way but, as with other operating system evaluations, they are not considered to be part of this TSF. Table and Table 2 provide a guide for what is supported in BAS mode and what is supported in LAS mode. An X' means that the mode supports the description. 14 / 54

15 BSI-DSZ-CC Certification Report BAS Mode LAS Mode TOE Description x x The TOE includes installation from CD-ROM. x x The TOE includes the Virtual Input/Output Server (VIOS) which allows for the virtualization of SCSI drives and network adapters. x x System administration tools include the smitty non-graphical system management tool. The WebSM administrative tool is excluded. x The TOE includes standard networking applications, such as ftp, rlogin, rsh, and NFS. Port filtering will be used to protect network applications which might otherwise have security exposures. x The TOE includes the following networking applications: telnet and ftp. It also includes NFS as a single level file system. x The TOE includes the X-Window graphical interface and many X-Window applications. x The TOE supports BSO/ESO/CIPSO/RIPSO for IPv4 with an AIX specific implementation for IPv6 and provides network filtering on incoming and outgoing packets, based on network interface and host filtering rules. Table 1: BAS mode vs. LAS mode for TOE BAS Mode LAS Mode Operational Environment Description x x The Operational Environment includes the hardware and the BootProm firmware. x x The Operational Environment includes applications that are not evaluated, but are used as unprivileged tools to access public system services, for example the Mozilla web browser or the Adobe Acrobat Reader to access the supplied online documentation(which is provided in HTML and PDF formats). No HTTP server is included in the evaluated configuration. x x The Operational Environment includes LDAP for maintaining TOE authentication data. x x The Operational Environment includes Kerberos for aiding in establishing a trusted channel between NFSv4 clients and servers. Table 2: BAS mode vs. LAS mode for Operational Environment The Security Target [6] is the basis for this certification. It is based on the certified Protection Profile Operating System Protection Profile, Version 2.0, 01 June 2010, BSI- CC-PP , OSPP Extended Package General Purpose Cryptography, Version 2.0, 28 May 2010, OSPP Extended Package Integrity Verification, Version 2.0, 28 May 2010, OSPP Extended Package Virtualization, Version 2.0, 28 May 2010, OSPP Extended Package Advanced Management, Version 2.0, 28 May 2010, OSPP Extended Package Labeled Security, Version 2.0, 28 May The TOE Security Assurance Requirements (SAR) are based entirely on the assurance components defined in Part 3 of the Common Criteria (see part C or [1], Part 3 for details). 15 / 54

16 Certification Report BSI-DSZ-CC The TOE meets the assurance requirements of the Evaluation Assurance Level EAL 4 augmented by ALC_FLR.3. The TOE Security Functional Requirements (SFR) relevant for the TOE are outlined in the Security Target [6], chapter 6.1. They are selected from Common Criteria Part 2 and some of them are newly defined. Thus the TOE is CC Part 2 extended. The TOE Security Functional Requirements are implemented by the following TOE Security Functions: AIX: VIOS: Identification and authentication Auditing Discretionary access control Object reuse Security management TSF protection Privileges, authorizations, roles, and superuser emulation TCB protection Trusted Execution (TE) Networking Workload Partitions (WPARs) Cryptographic Framework Mandatory access control (LAS mode only) Mandatory integrity control (LAS mode only) Trusted Network (LAS mode only) Identification & authentication Discretionary access control Role-based access control Security management For more details please refer to the Security Target [6], chapter The assets to be protected by the TOE are defined in the Security Target [6], chapter Based on these assets the TOE Security Problem is defined in terms of Assumptions, Threats and Organisational Security Policies. This is outlined in the Security Target [6], chapter 3. The evaluated configuration is documented in the AIX Release Notes [9]. This document specifies a number of constraints, such as configuration values for various configuration files, specific steps to be taken during installation and information to administrators on how to manage the TOE. 16 / 54

17 BSI-DSZ-CC Certification Report The vulnerability assessment results as stated within this certificate do not include a rating for those cryptographic algorithms and their implementation suitable for encryption and decryption (see BSIG Section 9, Para. 4, Clause 2). The certification results only apply to the version of the product indicated in the certificate and on the condition that all the stipulations are kept as detailed in this Certification Report. This certificate is not an endorsement of the IT product by the Federal Office for Information Security (BSI) or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by BSI or any other organisation that recognises or gives effect to this certificate, is either expressed or implied. 2 Identification of the TOE The Target of Evaluation (TOE) is called: IBM AIX 7 for POWER, V7.1 Technology level with optional IBM Virtual I/O Server V2.2 The following table outlines the TOE deliverables: No Type Identifier Form of Delivery 1. SW AIX Base Operating System(bos LPP) AIX supported devices (devices LPP) Physical delivery by ordering the PRPQ AIX printer drivers and control files (printers LPP) System management tools (sysmgt LPP) X Windows server,libraries, and applications (X11 LPP) Kerberos client (optional) (krb5.client LPP) TDS (LDAP) client (optional) (ldap.client LPP) CliC cryptographic module (clic LPP) PRPQP DOC Technical Reference: Communications, Volume 1 Version: SC Date received: Oct 2010 SHA-256: 771b14348c6410c495b7c4d6fc934ec781d941f64f9b85271b037dd5e48d31c7 Electronic delivery via IBM Infocenter Technical Reference: Communications, Volume 2 Version: SC Date received: Oct 2010 SHA-256:325395bce1b1c279838c63f1b2513ace5adc14e9b93f27d30de83c6e291fac40 17 / 54

18 Certification Report BSI-DSZ-CC No Type Identifier Form of Delivery 3. DOC Commands Reference, Volume 1 Version: SC Date received: Sep 2010 SHA-256: 8a982de b6227d123ae83189f632c22f6b22b715ca03277fb975da5 Electronic delivery via IBM Infocenter Commands Reference, Volume 2 Version: SC Date received: Sep 2010 SHA-256: 71bc345d78d4beb8c948ed21b40e54e6406f0071bf26d86533c675bbc Commands Reference, Volume 3 Version: SC Date received: Sep 2010 SHA-256: 7ff2c6fd019633e67b410ffbf5c122c09b274a356e1fa922d53f7cfdaddb48b5 Commands Reference, Volume 4 Version: SC Date received: Sep 2010 SHA-256: aba07585de26ad3f8cd59021fd3c a22e53ebafbeea0465ea696e4b Commands Reference, Volume 5 Version: SC Date received: Sep 2010 SHA-256: 4b1dfbd55b5406ad7735aa47612a5e6fdbcde16eb308a2a e54e8705b Commands Reference, Volume 6 Version: SC Date received: Sep 2010 SHA-256: b17ed1b42b71bb9775e1e12e1dc13c9e97c bcaa33be0a04b442ccc8c3 4. DOC Understanding the Diagnostic Subsystem for AIX Version: SC Date: Sep 2010 SHA-256: c6f db494d9d98439f296f25c9fb8a12987f33d55933daff8346d 5. DOC Files Reference Version: SC Date: Oct 2010 SHA-256: 3067f66fa711a2c53dfc08e2372d7eb477c7451dfe9c3b6cc519991db81e DOC General Programming Concepts: Writing and Debugging Programs Version: SC Date: Oct 2010 SHA-256: d43bb6f1e7c140ca88ed555a0c0980a3b052aa9de357b a 7. DOC Kernel Extensions and Device Support Programming Concepts Version: First Edition Date: Sep 2010 SHA-256: f2b16c9ebc2af445e26146fdda3492f62cd7291a5dfd8fee235a2256b76fda92 8. DOC AIX 7.1 Technical Reference: Kernel and Subsystems, Volume 1 Version: First Edition Date: Sep 2010 SHA-256: c5bc06c aaa3c a31ccd15b6aa39b3a61af1e3d8e97d309a8 Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter AIX 7.1 Technical Reference: Kernel and Subsystems, Volume 2 Version: First Edition Date: Sep 2010 SHA-256: 73ea0f7f2f8b a66b6e49a1f54a26bdcdc0da8abce88504ee0a36ef9db 9. DOC Operating system and device management Version: SC Date: Oct 2010 SHA-256: 885b735ea0b864300f ba126b285659ef526e3e36cd4078e0beb7ab DOC AIX Version 7.1 Release Notes Version: GI Date: SHA-256: 780e5c5135c05c0e9847b42fac2696a567948f4ebd550f5476c dc DOC AIX Version 7.1: Security Version: SC Date: Sep 2011 SHA-256: 38208a80c bc c9ee5fff85887f94ecda1fee14664a12a3 Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter 18 / 54

19 BSI-DSZ-CC Certification Report No Type Identifier Form of Delivery 12. DOC Networks and Communications Management Version: SC Date: Oct 2010 SHA-256: 14e81d36fc5cb2b7370a0a0d92e0bc43a1611a9936d9ea64dd03026a0d6b6e DOC AIX 7.1 Technical Reference: Base Operating System and Extensions, Volume 1 Version: SC Date: Oct 2010 SHA-256: 80cd69a578494cd c8c0e29dbae8b a659818ceadd4b2044ac81 Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter AIX 7.1 Technical Reference: Base Operating System and Extensions,Volume 2 Version: SC Date: Oct 2010 SHA-256: 29b5a93791f817cc69eff1b35aaaf860812ba9e95070b0744f597b052b5534f4 14. DOC Virtual I/O Server and Integrated Virtualization Manager commands Version: Date: 2009 SHA-256: cef8c826da9f6d696b830ba7f9286e26e31c15c f2ec90257f1d 15. DOC Virtual I/O Server Version: Date: 2011 SHA-256: 8277c21d56b098105db4156e3b31db94e90326a d4dd084e0b5cb 16. DOC IBM Workload Partitions for AIX Date: Oct 2010 SHA-256: 245bc3a7ffa4339ed69bccc0539ce5ec3fb39555b357fb691cb8dca72ecc6cc9 Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Electronic delivery via IBM Infocenter Table 3: Deliverables of the TOE The integrity of the TOE parts delivered via the IBM Infocenter should be checked by recomputing the SHA-256 checksums and comparing those with the ones above. 3 Security Policy The Security Policy is expressed by the set of Security Functional Requirements and implemented by the TOE. It covers the following issues: The TSF must be able to record defined security-relevant events. The TSF must allow authorized users to remotely access the TOE using a cryptographically-protected network protocol that ensures integrity and confidentiality of the transported data and is able to authenticate the end points of the communication. The TSF must control access of subjects and/or users to named resources based on identity of the object. The TOE shall mediate communication between sets of TOE network interfaces, between a network interface and the TOE itself, and between subjects in the TOE and the TOE itself in accordance with its security policy. The TOE shall mediate communication between subjects acting with different subject security attributes in accordance with its security policy. The TOE must ensure that users have been successfully authenticated before allowing any action the TOE has defined to provide to authenticated users only. The TSF must provide all the functions and facilities necessary to support the authorized users that are responsible for the management of TOE security mechanisms and must ensure that only authorized users are able to access such functionality. 19 / 54

20 Certification Report BSI-DSZ-CC The TSF must be designed and implemented in a manner that allows for establishing a trusted channel between the TOE and a remote trusted IT system that protects the user data and TSF data transferred over this channel from disclosure and undetected modification and prevents masquerading of the remote trusted IT system. The TOE must allow roles assigned to users for performing security-relevant management tasks to be delegated to other users in accordance with the security policy. The TOE must allow security management actions based on roles to be assigned to different users. The TOE must prevent the execution of user actions allowed by a specific permission until a second user with a different permission approves this action. The TSF must provide the following cryptographic services for general use by authorized entities: symmetric and asymmetric ciphers, message digest generation, symmetric and asymmetric key generation. The TOE shall be able to verify the integrity of both TSF code and TSF data to ensure that they have not been modified when compared to the integrity information in the integrity database. The TOE shall be able to verify the integrity of user data to ensure that it has not been modified when compared to the integrity information in the integrity database. The TOE shall perform pre-defined actions upon detection of a breach of integrity. The TOE shall be able to allow authorized users to update the integrity verification database covering TSF data, the TSF code, and user data. The TOE will control information flow between entities and resources based on the sensitivity labels of users and resources (LAS mode only). The TOE will provide the capability to mark printed output with accurate labels based on the sensitivity label of the subject requesting the output (LAS mode only). The TOE will provide the capability to label all subjects, and all objects accessible by subjects, to restrict information flow based on the sensitivity labels (LAS mode only). The TOE will control information flow between compartments under the control of the TOE, based on security attributes of these compartments and potentially other TSF data (e.g.,security attributes of objects). The TOE will control access of compartments to objects and resources under its control based on: security attributes of the objects, security attributes of the compartment that attempts to access the object, and the type of access attempted. For each access request, the TOE is able to identify the compartment requesting to access resources, objects or information. The TOE shall offer administrators a mechanism to overwrite user-accessible blocks of SCSI hard disk drives with predefined bit patterns. The TOE shall control access to resources based on the integrity level of the information being accessed and the integrity level of the subject attempting to access that information (LAS mode only). 20 / 54