Whatever Happened to B1?
Multiple choice: B1 (or B-1) is
(a) A bomber (“Colonel, I can report that our B-1 test with synthetic fuel was a success.”)
(b) A vitamin, also known as thiamin (“Eat your asparagus, Willie; you know it’s high in B1.”)
(c) One of the TCSEC evaluation levels (“Roland, I think our B1 rating makes us the most secure OS around.”)
(d) A square on a Bingo card (“B1? Bingo!”)
(e) A condenser microphone (“Wow, Paul, that B1 microphone makes your voice sound great!”)
(f) A type of VISA for business visitors (“Now that you have your B-1, remember that in the USA they call it ‘soccer’.”)
The answer might be “all of the above” but the one that I’d like to focus on is alternative C.
A major reason for OS 2200’s security is the hardening done during the implementation of the U.S. Department of Defense (DoD) B1 level specification, called “Labeled Security Protection.” The National Computer Security Center (NCSC) issued the first DoD Trusted Computer System Evaluation Criteria (TCSEC), commonly referred to as the “Orange Book” in August 1983. Unisys management made the strategic decision to invest the resources necessary to make OS 1100 (the former name of today’s OS 2200) a candidate for the B1 rating and undergo the rigorous evaluation process needed to demonstrate compliance to the NCSC.
In 1989, OS 1100 became the first mainframe operating system to achieve a B1 rating.
Within the TCSEC hierarchy, the highest level of security (available only to operating systems derived from formal design specification and verification techniques) is “A1”. Below it are B3, B2, B1, C2, and so on. Unisys’ evaluation of the needs of its customer base led to the choice of B1, although certain features at the B2 and B3 level were also included in the 1989 Security Release I.
Many of the features that are integral to today’s OS 2200 security date back to Security Release I. An excerpt from its description enumerates some of those features:
“[The evaluated hardware systems] share a common architecture which employs a multi-state protection mechanism along with hardware memory protection. OS 1100 is structured to take advantage of these architectural features. For example, it supports multiple processes (activities), each running with a private virtual address space and capable of sharing protected subsystems (common memory banks). … The TCB [Trusted Computing Base] enforces a mandatory and discretionary security policy, performs user identification and authentication, clears residue, generates audit trail and accounting records, and provides a base upon which to build secure application programs.”
Feedback from customer use of OS 2200 security led to refining some features, adding new features, and de-emphasizing others. For the example, additional user privileges were implemented to let users control additional security-relevant activities, performance enhancements sped up time-critical transaction processing without sacrificing security, and new state of the art peripherals were supported. Other features, such as those that provided the highest security levels, although required for the B1 rating, were so secure as to make them unusable for practical purposes.
Why mention this now? After all, in the world of digital computing, 25 years ago is ancient history.
One reason is that this achievement signaled Unisys commitment to provide world-class security to clients using OS 2200, a commitment that continues 25 years later. Another reason is to use this event as a starting point in time for a discussion of security evolution.
In the 1990’s TCSEC evaluations were phased out in favor of a Common Criteria evaluation that incorporated elements of European and Canadian standards. Unisys chose not to pursue Common Criteria evaluation but instead used other independent evaluations to test and improve OS 2200 security.
These include cryptography certifications, such as those achieved by the Cipher API algorithms and the CryptoLib module. They also include third-party security evaluations, like those performed on WebTS in 2005, Java in 2007, and OS 2200 in 2011. During each of these evaluations, the Unisys development organizations took the necessary steps to correct deficiencies found by the evaluators.
You might wonder how there could have been deficiencies, given the prestigious B1 certification. Part of the answer lies in the emergence of new software (e.g., WebTS and Java) that was not part of the original B1 evaluation.
Another part lies in the evolution of cyber-attacks. The contest between attackers and defenders of digital data and systems escalates every year –sometimes every day – and even for a company with as much in-house security knowledge as Unisys, drawing on outside expertise helps us keep up with this evolution and make sure our systems are able to address the evolving attacks.
Of course, security evolution within OS 2200 occurs as standard practice, not just as a result of an external evaluation. OS 2200 software engineers respond to customer requests, new standards, emerging industry best practices, and internal evaluations to add security improvements with every release.
Here’s an example: One of the enhancements in CIFS 8R1 (part of CP OS 15.0) is SMB signing, which addresses potential man-in-the-middle attacks. As with many security enhancements, there is a tradeoff between security and performance, and the SMB signing computations incur some overhead, so you have the option of turning on or off signing between the client and server.
Here’s another example: OS 2200 communication product CPComm and CPCommOS have new features in CP OS 15.0 to disallow insecure TCP network connections and exercise greater control over the security attributes of individual processes.
There’s much more to be said about CP OS 15.0 security enhancements, but these examples are typical of the incremental security improvements in the 21st century OS 2200 releases. They build on the large, robust base of software architecture that has evolved over the past decades, providing refinements to an already strong security architecture and implementation.
Thus the answer to the question, “Whatever happened to B1?,” is that B1 is alive and well in OS 2200 and provides the foundation for today’s OS 2200 security.