Orange Book

• B2
  • formal security policy model
  • device labels
  • DAC and MAC (Message Authentication Code) (fancy checksums)
  • covert channel control
  • more extensive testing
• B3
  • reference monitor mediates all access
  • security administrator support
  • system recovery required
  • auditing expanded
• A1
  • formal design and verification