Slashdot Log In
Secure OS Gets Highest NSA Rating, Goes Commercial
Posted by
kdawson
on Tue Nov 18, 2008 04:13 PM
from the compartmentalized-with-a-vengeance dept.
from the compartmentalized-with-a-vengeance dept.
ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Let the Testing begin... (Score:5, Insightful)
Now let people who don't have financial ties test it.
Re:Let the Testing begin... (Score:5, Informative)
That being said, I don't believe EAL6+ requires any additional vulnerability testing beyond that of than EAL5+; it is mostly just a stricter evaluation/review of the soundness of the OS design.
Parent
EAL = ToE(DUT) + ST(environment) (Score:4, Interesting)
The EAL is only half of the equation. The Target of Evaluation (device under test) is subjected to EAL appropriate documentation and verification against a design document called the Security Target. This ST specifies the threat environment. For example the windows ST specifies that all authorized system users are benign and thus not a threat.
Parent
Re:Let the Testing begin... (Score:5, Insightful)
If it is Internet facing, it's an open test bed.
Parent
Re:Let the Testing begin... (Score:5, Informative)
Under the Common Criteria (CC) [wikipedia.org], people with financial ties create the product. They (or another sponsor who wants the product evaluated) pay an independent lab (CCTL) [niap-ccevs.org] to evaluate it. Labs are certified by NIAP [niap-ccevs.org], a partnership of NIST [nist.gov] and the NSA [nsa.gov] Information Assurance directorate. (The NSA has two main parts, the other is Signals Intelligence.) The independent lab evaluation is overseen by a Validation team [niap-ccevs.org] employed by the government, who reviews the process and results of every evaluation, including all vendor evidence, before it is certified. The Validators also oversee the labs for proper execution of the CC. Once it passes all these reviews successfully it is certified.
Certifications are tiered by Evaluation Assurance Levels (EALs), from 1 to 7. Generally, the higher the EAL, the greater confidence there is in the vendor claims. This is NOT the same as being more secure!
The way to use these certified products is to select a product family [niap-ccevs.org] (say firewalls), and review at a minimum two documents: The Security Target (ST) and Validation Report (VR). The ST is written by the vendor or sponsor, and basically contains the security claims they're making for the product, and how they expect the product to be used. The Validation Report describes how those claims were evaluated, and what notable things the Validation team observed during the evaluation. After reading both of these documents (usually not more than 100 pages - pretty short for 1-2 years of work) you can determine if the product can be used in its certified configuration in your environment.
Check out some interesting operating systems, like Windows XP [niap-ccevs.org], Mac OS X [niap-ccevs.org], or one of the Linux [niap-ccevs.org]'s.
It's certainly not perfect, but it's better than what we had.
Parent
n/t (Score:5, Insightful)
Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.
Re:n/t (Score:5, Informative)
EAL does not mean what you think it does.
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level [wikipedia.org]
Parent
Re:n/t (Score:5, Insightful)
To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
[...]
Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.
So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing. So even if a Linux distro wanted to be verified at a higher level - who's going to fork over the dough?
Additionally this seems to be a hired method of testing and bug report/fixing. Just because they fix the bugs found at one "level" of testing does not mean there aren't missed holes. Additionally it doesn't mean that a well written piece of software isn't capable of a higher rating with little or no fixes (like the Linux kernel probably is.) It is impressive that Integrity-178B achieved the EAL-6+ rating because it has definitely been put through its paces... and due to the way it was designed it probably has very few holes in it, but EAL should definitely not be the end-all be-all judge of OS quality.
Parent
Re:n/t (Score:5, Funny)
So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.
Is Scientology somehow involved in this?
Parent
Re:n/t (Score:5, Informative)
You apparently did not read the wikipedia article through. The reason that Windows and Linux (distributions) achieve EAL-4 rating is because "EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line."
Furthermore, "Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4."
Higher levels require some sort of formal methods use in the design and testing. This is very unlikely to ever happen for Linux (it is virtually impossible to create a formal design retroactively; either it does not correspond to the system or it is just as complex as the system).
For this reason, Linux will probably never get any higher. Windows may just get higher, because it has a completely new security model and kernel, which are likely able to get EAL-6 grading in time.
Parent
Re:n/t (Score:4, Funny)
No problem.
Easy!
Parent
Re:n/t (Score:4, Interesting)
So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing. So even if a Linux distro wanted to be verified at a higher level - who's going to fork over the dough?
Commercial Linux vendors like Red Hat, SuSe and IBM.
Certifications like EAL tell you about the technical capabilities of an OS. They don't tell you anything about how competently said OS will be used.
Parent
Re:n/t (Score:5, Insightful)
So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.
Uh, yes? The more specific the documentation, the more work has to be done to verify it. I'm not sure how many million LOCs are in the Linux kernel but if I had to go through EAL6+ semi-formal proofs for all of them I'd charge a bundle too. Are you really trying to imply that NSA issue this sham certification because they're short on funding? Stop trying to pretend that all the "experimental support" that goes into Linux could or should pass certification, because it damn well shouldn't. Certainly not on based on a casual "it's probably capable" that's quite frankly pulled out of your nethers with no documentation to back it up. Here for example are THREE security exploits in the kernel in the last two months:
1 Linux Kernel VDSO Unspecified Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-11-04 00:00:00 MST
URL: http://www.securityfocus.com/bid/32099 [securityfocus.com]
2 Linux Kernel LDT Selector Local Privilege Escalation and Denial of Service Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31565 [securityfocus.com]
3 Linux Kernel 'generic_file_splice_write()' Local Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31567 [securityfocus.com]
Don't get me wrong, Linux is a great system and all but I wouldn't want to nuclear launch control on it, sorry.
Parent
Re:Ubuntu! (Score:4, Informative)
Reading the comments in here, I think most of the posters don't understand what EAL 5+ is all about. Neither Linux nor Windows will ever achieve more than EAL 4. No, SELinux won't cut it. Neither will OpenBSD. 5+ requires formal verification. Do you understand what that means? You aren't testing everything you can think of, knowing that there will always be more problems because you can't think of everything and even if you could, you can't test everything. Instead, you have restricted the operations to such a small set that it actually is possible to prove every single possible permutation of all the operations will traverse and end only in known, secure states. For formal verification to be possible requires a small enough kernel, and Windows, Linux, and the BSDs are all far too large. They will never make EAL 5+. Hence the interest in microkernels.
Now, there are some idiots who think they can get a system rubberstamped if only they bribe, pressure, wear down, or befuddle enough labs. (They're also idiots for thinking that the labs can be befuddled.) I should know, I was once stuck having to work with such. Considering the depths of chicanery to which those former acquaintances were willing to go, I am not 100% confident that a system that is given a high EAL rating actually deserves the rating.
Green Hills has been hammering away at this for years, and now they've finally gotten their rating. It would greatly help with users' trust of the system if their code was open source. And it'd also help if there weren't more idiots trotting out the tired, old, and very wrong "security through obscurity" line that opening the source would compromise security. That sort of claim can only detract from any confidence that their product really is deserving of EAL 6, and that the people responsible for the evaluation know what they're doing.
Another big problem, and maybe why they didn't make EAL 7, is the hardware. I have heard that in the past systems have been considered all of a piece-- can't put the software on any old hardware, has to be only on the exact hardware it was evaluated for. But it takes so many years to get there that the hardware becomes obsolete and useless long before they're done. That's one of the things that happened with GEMSOS (could you mean GEMSOS, not Genesis?)-- it's only certified on a 286 or some such.
Parent
Re:n/t (Score:5, Interesting)
Parent
Re:n/t (Score:5, Insightful)
Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.
You forget the the NSA pretty much recruits the best and brightest hackers that the world has to offer. Their policy of "we don't have a budget" and the oppurtunity to work on the absolute cutting edge (and actually see it put to use) is pretty much the most kickass thing that you can offer somebody who has a passion for knowledge.
Parent
Re: (Score:3)
Then why are they recruiting some of the best mathematicians I know?
Re:n/t (Score:4, Interesting)
Parent
Re:n/t (Score:5, Insightful)
When the NSA was first created the primary concern with regards to security was a combination of mathematical and physical problems. Mathematics in the form of encrypted communications, and physical in the form of ensuring that the people and/or documents that contained sensitive information and the devices used to cypher them were properly secured. With the rise of the internet and the switch to an increasingly interconnected infrastructure software security has emerged as a factor now. It no longer matters how good the encryption is between your two programs if the OS their running on can be compromised and the data scraped as the application decodes it (or better yet the encryption key itself). As such even though the NSA started as an organization specializing in primarily cryptographic systems it must expand to include software and hardware security as well.
Parent
Re:n/t (Score:4, Insightful)
Having working with the OS in question and directly with the NSA on getting our own OS certified (which we decided was too expensive in the end, and wound up throwing it away to use Integrity-178B)....
NSA does employ a sizeable group of mathemeticians in the area of security now as well. They've invested a lot of time in money in mathematical models for proving security, namely from the vantage point of possible combinations of system states, and how to minimize those into a human-testable number of states.
Yes, I've seen some of the work that's been done on trying to create a OS that can be mathematically proven to be secure, but I just don't buy it. Sure you can use some set theory and various other things to try to show how mathematically the system is bounded within the secure states, but all of that goes out the window once you move beyond a non-trivial set of functionality, and completely ignores the human side of the equation (which is the most important part, if the system makes it hard on the user to remain secure, then the user won't use the system the way it's meant). I also wasn't saying that mathematicians have no place in software security, or that they aren't useful, just that a mathematician isn't necessarily the best (or even good) choice for designing a OS.
Computer security is equal parts software, hardware, interface, and user training. Ignore any of those and you've just introduced your weak link in the system (usually the user and/or interface which go hand in hand). Hardware is only really an issue of you're trying to secure against a threat with physical access, which any halfway competent security professional can tell you is a stalling tactic at best. Software is critical to prevent things like buffer overflow attacks, but can be tested automatically with a good degree of accuracy. Interface and user training are really the linchpins of security. A good interface is a must in order to allow the user to make informed decisions concerning how trustworthy the system in question is, and proper training is important to allow the user to properly interpret the information they're receiving from the interface and to learn to spot subtle signs of problems.
Of course, in a specialized environment like a B2, or highly secured and hardened systems like no doubt the NSA uses the problem can be reduced in scope as to be nearly fully encompassed by a mathematical state model, but in so doing you massively limit the capability of the underlying system. In essence you take a general purpose system (computer) and reduce it's functionality to one specific task in order to be assured of it performing that single task in a easily controlled fashion. Although this is fine for the highly specialized tasks the NSA puts these systems to it would never work in a general purpose system used by end consumers and even most businesses. Once you go down that route, you might as well just use an embedded device as you've already lost the greatest advantage a PC has which is generalized functionality.
Parent
Re:n/t (Score:4, Funny)
Fixed that for you.
Admittedly, mathematicians can formally prove they are more intelligent the CSers, but nobody except another mathematician could a) understand the proof, and b) give a shit.
Parent
Re: (Score:3, Funny)
Re:n/t (Score:5, Funny)
Don't I feel stoopid.
Especially so after you forgot to check 'Post Anonymously' the second time around...
Parent
Re:n/t (Score:5, Insightful)
I imagine they see having the source code available as a negative for Linux simply because it gives would be attackers much more information about the system than is otherwise available.
That theory is one touted by commercial OS vendors, and its been thoroughly disproved. Availability or otherwise of source code has no effect on the hardness of your OS. If anything having it available is even safer, because its a heck of a lot easier for people to point at a problem bit of code and say 'fix that bit now'.
What causes the problem is non rigorous OS design. Hiding the source won't help you protect your clients from a design flaw which allows them to be attacked.
The OS in question here however is most likely quite rigorously designed, and won't have a lot of the bloat that causes desktop OSs so many problems.
Parent
Re:n/t (Score:5, Interesting)
Parent
Two steps from the highest, actually (Score:5, Funny)
Re:Two steps from the highest, actually (Score:5, Funny)
EAL9+ means it autonomously retaliates against the attacker's system.
EAL10+ means it autonomously retaliates against the attacker.
Parent
Re:Two steps from the highest, actually (Score:5, Funny)
Parent
Re:Two steps from the highest, actually (Score:4, Funny)
My computer goes to EAL11!
The power of God blazes out of the box to melt the faces and explode the heads of intruders,
just like in Raiders of the Lost Mainframe.
Parent
lols (Score:5, Informative)
A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially
B1 Accidents [wikipedia.org], OS Homepage [ghs.com], More Wikipedia! [wikipedia.org]
Re:lols (Score:5, Insightful)
Seriously, going through that list I see. Fire, lots of fires. Two instances of computer failure due to faulty hardware. A few landing gear hardware problems. A dash of pilot error or otherwise bad luck. And a rather unfortunate bird strike on a weak section of a wing (that was later redesigned because of this event IIRC).
I am curious as to what you are trying to insinuate by linking to crashes due to these issues next to the software....
Parent
So why can't Windows and Linux do this? (Score:3, Interesting)
This is an RTOS, not a general purpose OS (Score:3, Insightful)
Sure, in theory, Windows and Linux could attain these levels of security but in practice Windows and Linux favor adding features and capabilities. Compromises have to be made to get stuff out in an acceptable timeframe.
Worse than Dell with the Windows tax (Score:5, Funny)
When you order a B1B, you pay for the Integrity-178B license even if you later install a copy of Linux For Strategic Bombers.
Re:Worse than Dell with the Windows tax (Score:4, Funny)
When you order a B1B, you pay for the Integrity-178B license even if you later install a copy of Linux For Strategic Bombers.
Aah, I always wondered what LSB stands for.
Parent
lower that 4+ (Score:5, Funny)
Oops. I tripped over my computer and hacked your system. Sorry.
Re: (Score:3, Funny)
"I hacked you? Sorry mate, I was just trying to play Solitaire"
Looks like we're lucky this time. Last kid that accidently played videogames with our system chose Global Thermonuclear War!
Unfortunately, probably a niche product at best (Score:4, Insightful)
It seems like in the OS battle between security and convenience, convenience wins every time. I see Windows everywhere - at the bank, on hospital equipment and at doctors' offices, on ATMs... not to rant specifically against Windows; but it shows up a lot of places where I think we'd be much better served if the company had gone to the time and expense of developing a custom solution. Really, why should Windows be running on an X-Ray machine or an electrical power plant console?
"Linux" is not certified for anything (Score:5, Insightful)
This is not just nit-picking about GNU/Linux vs Linux as the name: it's a case where it's actually very important to be aware that specific versions of specific programs with specific configuration files have been tested and found not to fail in particular ways.
The Protection Profile and Validation Report (Score:4, Informative)
The Protection Profile and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/pp/id/pp_skpp_hr_v1.03 [niap-ccevs.org].
The Security Target and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/st/vid10119/ [niap-ccevs.org].
"Both Windows and Linux are EAL 4+ certified" (Score:4, Informative)
Is this really a true statement? According to Wikipedia, only Windows 2000, SP3 is EAL4 certified. Since this is an obsolete and unsupported release (Win2k SP4 is still supported), is it correct to say that "Windows..[is] EAL 4+ certified"?
It would be more accurate to say either: "Windows 2000, SP3 is EAL4 certified" or "Windows used to be EAL4 certified".
Article misleads about EAL6 (Score:4, Informative)
Re: (Score:3, Funny)
Actually it's EAL8. But you can't know about it, because it's insecure. Products that qualify for EAL8 can be neither confirmed nor denied, because if you knew about them, they wouldn't qualify. Those developers that make it are EAL8-ed.
You don't know how your walls can be breached (Score:5, Insightful)
The nature of computer system penetration (hacking) is that it takes a great deal of time and patience. The attacker will put a lot of effort into learning everything they can about the system and then more time in probing possible vulnerabilities.
Linux and Unix systems in general have a better underlying security model than Windows (e.g., the way root/administrator vs. user is handled). Unix architectures also had years of students attacking them (back before this was a serious crime). However, if those of us who are Linux fans are honest we know that the reason we don't have to worry as much about Linux attacks is that hackers target Windows because it is more pervasive.
The Greenhills operating system has never been exposed to a large group of people who are willing to spend a lot of time penetrating it. The idea that you can just label a system as secure seems questionable. You always get attacked via means that you didn't expect. What they're really saying is that the system implements a security model that they believe to be secure. But B1 bombers are not placed on the Internet protecting large amounts of money, so they are unlikely to attract hackers.
example use (Score:5, Funny)
ssh my-b1b
login: root
password: hellosss
last login Tue Nov 18 17:22:14 EST 2008 from nsa
# drop -4 bombs
# exit
There is a point to this (Score:3, Interesting)
besides /vertising for Green Hills:
Modern warplanes are connected in a battlefield 'net that allows data, command and control to be passed between the planes (and satellite and ground). This is (obviously) a wireless network. Having a network stack and other interfaces hardened against intrusion makes it less likely that a battlefield adversary could either generate false data (the "magic" display in an F-22 paints the local AWACS as a "bandit", for example, and the pilot launches a missile), snoop data (the "stealthy" F-22s are here, here, here and here, so launch missiles at them), or perform some sort of DOS, degrading the systems capabilities. There are "well-funded and sophisticated attackers" who are likely to have those goals.
If there was a business case, and so many of the developers didn't have, uh, reservations, about using their code in military equipment, the OpenBSD and, maybe, Linux kernel and glibc could be certified (stripped of a few components, probably, and with a few tweaks). With a "trusted" kernel, libraries, and tool chain, you build the rest of system from scratch, anyway. It's not like you're supposed to be browsing the public internet with IE or FF on a B-1's navigation system.
There's no way for M$-Windows to be certified at EAL6+, because its design philosophy (the back doors are built in, not added on) is completely against any sort of security, and I don't think Vista is even EAL4+.
hehehe; this is a marketing joke (Score:4, Informative)
Re:Anonymous Coward (Score:5, Funny)
As much faith as I have in the NSA's security abilities, does anyone have any idea what criteria they were using exactly? Any in-depth results they've made public, preferably?
It's an aggregate result of how many social security numbers B1 bombers have lost over the last 10 years divided by how many B1 bombers, with the software installed, have been stolen out of government offices or left behind in taxi cabs.
Parent
Re: (Score:3, Funny)
NSA E.A. Testing Criteria
---
EAL0 $1,000,000
EAL1 $1,000,000
EAL2 $2,000,000
EAL3 $3,000,000
EAL4 $4,000,000
EAL5 $5,000,000
EAL6 $6,000,000
EAL7+ Call for quote.
I think you missed the point (Score:3, Insightful)