Composing a High-assurance Infrastructure out of Tcb Components

U.S. Government agencies and major vendors are actively attempting to secure critical infrastructure networks, but those efforts depend on patching unsecure, commodity systems, installing add-on security appliances, and applying other industry “best practices” that are ineffective against new attacks and software subversion. This has unfortunately led to the conclusion that it is impossible to secure critical infrastructure networks and even that a completely new, “alternative” Internet is needed. These conclusions disregard known and proven techniques for building secure, high-assurance, trusted systems – techniques developed as a result of years of research and engineering experience and systematically codified in the Trusted Computer System Evaluation Criteria (TCSEC) and related documents. Those techniques have not since been improved upon or adequately replaced, not even by the more recent Common Criteria for Information Technology Security Evaluation. In this paper, we sketch how the trusted systems technology codified in the TCSEC can be applied today to create a secure infrastructure network.