Multics > Library > Articles > B2
28 Apr 2015

The B2 Final Evaluation Report

Tom Van Vleck

button: I am secure! You would B2 with Multics

Almost thirty years later, the Final Evaluation Report for Multics MR 11.0, CSC-EPL-85/003, for the B2 evaluation of Multics, has been released to the public and is available at (6MB PDF).

I started asking for this document in the mid 90s. The Trusted Product Evaluation Program (TPEP) web page said "Releasable only to US Government and their contractors." I was told then that its distribution was restricted because it might provide a guide to interfering with the NSA's use of Multics. Site N was shut down in 1992. DOCKMASTER shut down in 1998. Starting in 2004, I asked various NSA people for a copy of the report and permission to post it. At one point I corresponded with a person at NSA who thought my request was reasonable. They thought all the information about Multics had been sent over to NIST as part of the "IAD Archives." I asked some NIST folks, who enlisted the help of NSA colleagues, but told me nobody at NSA could find a copy of the Final Evaluation Report. In late 2013, I located some Multicians who had legitimate copies, and offered to scan one and lend it to NSA, but requests for permission to publish the document still got no answer.

The Multicians who had copies of the report told me that the inside cover said

  "Distribution authorized to U.S. Government agencies and their contractors
  to protect unclassified technical, operational, or administrative data
  relating to the operations of the National Security Agency.  Other requests
  shall be referred to the National Computer Security Center (NCSC). Specific
  authority is Section 6, Public Law 86-36 (50 U.S. Code 402 note). 
  Date of determination is 17 December 1986."

We didn't want to post the report without official permission. In September 2014, another Multician offered to talk to some of his colleagues on behalf of this project, and in April 2015, we have official permission. NSA even supplied us with a scan of the document into a 36MB PDF. Multicians are grateful for the efforts of Dr. Ron Ross of NIST and Steven M. LaFountain of NSA for their persistence and diligent support to make this valuable record publicly available.

The Report

The report is 157 pages, and was formatted with Multics compose. After the usual front matter, acknowledgements, etc, its executive summary basically says "Multics meets the requirements of Class B2." Following sections describe the evaluation process, and Multics itself, at a high level, and explain the major components of the Multics Trusted Computing Base. This is followed by a section for each B2 requirement, describing what is required, and how Multics meets the requirement. Then there is a section describing the testing performed by the evaluation team and Honeywell, and a description of the evaluators' penetration testing. The report finishes with comments by the evaluation team, and appendices describing the hardware and software that was evaluated.

A Multician reading this report wouldn't see any surprises. Yup, the system was supposed to do X, and the evaluators looked, and it does. The details of exactly how they looked are not provided, but it is clear that it took a substantial effort to make sure that every requirement was completely understood and that all the details were checked.

The report also does not provide details of the penetration testing, such as lists of the flaws hypothesized and lists of the bugs found and fixed in the testing.

One could imagine the documentation for the next level of detail, filling a few file boxes, stored away in the Indiana Jones Warehouse.

The story of Multics security and the evaluation process that led to the B2 rating is described in "Multics B2 Security Evaluation".