XTS-400

STOP provides high-assurance security and was the first general-purpose operating system with a Common Criteria assurance level rating of EAL5 or above.[1]

The XTS-400 can host, and be trusted to separate, multiple, concurrent data sets, users, and networks at different sensitivity levels.

To support the trusted environment and various security features, STOP provides a set of proprietary APIs to applications.

As a high-assurance MLS system, the XTS-400 can be used in cross-domain solutions, which typically require the development of a piece of privileged software that can temporarily circumvent one or more security features in a controlled manner.

The interactive environment, typical Unix command line tools, and a GUI are present in support of a desktop solution.

In support of server functionality, the XTS-400 can be implemented in a rackmount configuration, accepts an uninterruptible power supply (UPS), allows multiple network connections, accommodates many hard disks on a SCSI subsystem (also saving disk blocks using a sparse file implementation in the file system), and provides a trusted backup/save tool.

A popular application for high-assurance systems like the XTS-400 is to guard information flow between two networks of differing security characteristics.

XTS-400 version 6.0.E completed a Common Criteria (CC) evaluation in March 2004 at EAL4 augmented with ALC_FLR.3 (validation report CCEVS-VR-04-0058).

XTS-400 version 6.1.E completed evaluation in March 2005 at EAL5 augmented with ALC_FLR.3 and ATE_IND.3 (validation report CCEVS-VR-05-0094), still conforming to the LSPP and CAPP.

XTS-400 version 6.4.U4 completed evaluation in July 2008 at EAL5 augmented with ALC_FLR.3 and ATE_IND.3 (validation report CCEVS-VR-VID10293-2008), also still conforming to the LSPP and CAPP.[3][4]

The main security feature that sets STOP apart from most operating systems is the mandatory sensitivity policy.

Support for a mandatory integrity policy also sets STOP apart from most MLS or trusted systems.

Policy configuration does not require a potentially complicated process of defining large sets of domains and data types (and the attendant access rules).

The MSCU performs type 1 cryptography and has been separately scrutinized by the United States National Security Agency.

The XTS-400 uses only standard PC, commercial off-the-shelf (COTS) components, except for an optional Mission Support Cryptographic Unit (MSCU).

Up to 16 simultaneous Ethernet connections can be made, all of which can be configured at different mandatory security and integrity levels.

RAMP), very similar to an assurance continuity cycle under CC, ultimately ending up with version 5.2.E being evaluated in 2000.

On September 5, 2006, the United States Patent Offices granted BAE Systems Information Technology, LLC.

A security kernel occupies the innermost and most privileged ring and enforces all mandatory policies.

Software is considered trusted if it performs functions upon which the system depends to enforce the security policy (e.g., the establishment of user authorization).