Secure OS Gets Highest NSA Rating, Goes Commercial
ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.
lols (Score:5, Informative)
A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially
B1 Accidents [wikipedia.org], OS Homepage [ghs.com], More Wikipedia! [wikipedia.org]
Re:n/t (Score:5, Informative)
EAL does not mean what you think it does.
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level [wikipedia.org]
The Protection Profile and Validation Report (Score:4, Informative)
The Protection Profile and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/pp/id/pp_skpp_hr_v1.03 [niap-ccevs.org].
The Security Target and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/st/vid10119/ [niap-ccevs.org].
"Both Windows and Linux are EAL 4+ certified" (Score:4, Informative)
Is this really a true statement? According to Wikipedia, only Windows 2000, SP3 is EAL4 certified. Since this is an obsolete and unsupported release (Win2k SP4 is still supported), is it correct to say that "Windows..[is] EAL 4+ certified"?
It would be more accurate to say either: "Windows 2000, SP3 is EAL4 certified" or "Windows used to be EAL4 certified".
Article misleads about EAL6 (Score:4, Informative)
Re:n/t (Score:1, Informative)
Re:n/t (Score:5, Informative)
You apparently did not read the wikipedia article through. The reason that Windows and Linux (distributions) achieve EAL-4 rating is because "EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line."
Furthermore, "Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4."
Higher levels require some sort of formal methods use in the design and testing. This is very unlikely to ever happen for Linux (it is virtually impossible to create a formal design retroactively; either it does not correspond to the system or it is just as complex as the system).
For this reason, Linux will probably never get any higher. Windows may just get higher, because it has a completely new security model and kernel, which are likely able to get EAL-6 grading in time.
Re:n/t (Score:1, Informative)
Erratum: for "the world", read "the USA".
Re:Let the Testing begin... (Score:5, Informative)
That being said, I don't believe EAL6+ requires any additional vulnerability testing beyond that of EAL5+; it is mostly just a stricter evaluation/review of the soundness of the OS design.
hehehe; this is a marketing joke (Score:4, Informative)
Re:n/t (Score:2, Informative)
He/She didn't say run the compiler yourself.
Re:n/t (Score:3, Informative)
Kind of, but not really. The higher EAL levels require things like proofs on your enforcement algorithms in the context of the machine (CPU feature set) it runs on. There are a lot of musty corner cases where user-based security fails. Thus it is impractical to retrofit existing OSes that rely on user-based security, because the security methods have fatal design flaws.
As far as practicality, consider denial of service attacks using the confused deputy problem. Linux, like Windows, is full of mutexes and spinlocks. The answer is priority inheritance, and even that is only a partial answer.
Re:Let the Testing begin... (Score:5, Informative)
Under the Common Criteria (CC) [wikipedia.org], people with financial ties create the product. They (or another sponsor who wants the product evaluated) pay an independent lab (CCTL) [niap-ccevs.org] to evaluate it. Labs are certified by NIAP [niap-ccevs.org], a partnership of NIST [nist.gov] and the NSA [nsa.gov] Information Assurance directorate. (The NSA has two main parts, the other is Signals Intelligence.) The independent lab evaluation is overseen by a Validation team [niap-ccevs.org] employed by the government, who reviews the process and results of every evaluation, including all vendor evidence, before it is certified. The Validators also oversee the labs for proper execution of the CC. Once it passes all these reviews successfully it is certified.
Certifications are tiered by Evaluation Assurance Levels (EALs), from 1 to 7. Generally, the higher the EAL, the greater confidence there is in the vendor claims. This is NOT the same as being more secure!
The way to use these certified products is to select a product family [niap-ccevs.org] (say firewalls), and review at a minimum two documents: The Security Target (ST) and Validation Report (VR). The ST is written by the vendor or sponsor, and basically contains the security claims they're making for the product, and how they expect the product to be used. The Validation Report describes how those claims were evaluated, and what notable things the Validation team observed during the evaluation. After reading both of these documents (usually not more than 100 pages - pretty short for 1-2 years of work) you can determine if the product can be used in its certified configuration in your environment.
Check out some interesting operating systems, like Windows XP [niap-ccevs.org], Mac OS X [niap-ccevs.org], or one of the Linux [niap-ccevs.org]'s.
It's certainly not perfect, but it's better than what we had.
Re:Ubuntu! (Score:4, Informative)
Reading the comments in here, I think most of the posters don't understand what EAL 5+ is all about. Neither Linux nor Windows will ever achieve more than EAL 4. No, SELinux won't cut it. Neither will OpenBSD. 5+ requires formal verification. Do you understand what that means? You aren't testing everything you can think of, knowing that there will always be more problems because you can't think of everything and even if you could, you can't test everything. Instead, you have restricted the operations to such a small set that it actually is possible to prove every single possible permutation of all the operations will traverse and end only in known, secure states. For formal verification to be possible requires a small enough kernel, and Windows, Linux, and the BSDs are all far too large. They will never make EAL 5+. Hence the interest in microkernels.
Now, there are some idiots who think they can get a system rubberstamped if only they bribe, pressure, wear down, or befuddle enough labs. (They're also idiots for thinking that the labs can be befuddled.) I should know, I was once stuck having to work with such. Considering the depths of chicanery to which those former acquaintances were willing to go, I am not 100% confident that a system that is given a high EAL rating actually deserves the rating.
Green Hills has been hammering away at this for years, and now they've finally gotten their rating. It would greatly help with users' trust of the system if their code was open source. And it'd also help if there weren't more idiots trotting out the tired, old, and very wrong "security through obscurity" line that opening the source would compromise security. That sort of claim can only detract from any confidence that their product really is deserving of EAL 6, and that the people responsible for the evaluation know what they're doing.
Another big problem, and maybe why they didn't make EAL 7, is the hardware. I have heard that in the past systems have been considered all of a piece-- can't put the software on any old hardware, has to be only on the exact hardware it was evaluated for. But it takes so many years to get there that the hardware becomes obsolete and useless long before they're done. That's one of the things that happened with GEMSOS (could you mean GEMSOS, not Genesis?)-- it's only certified on a 286 or some such.
What this "OS" is about (Score:1, Informative)
I think everyone horribly misunderstands what this "operating system" really is. (I have been working with it for years)
It is little more than a system executive with memory isolation and about 5k lines of code. (each mathematically inspected and proven)
It does not have an IP stack. (There are no ports to attack)
It does not have a GUI.
It does not have but a VERY basic scheduler (and I don't think the scheduler was part of the verified system, but I could be wrong)
It does not guarantee that the software you have running on it cannot be hacked (like an IP stack).
All it does is make sure that memory from one container does not leak to another.
It is designed to support MILS (Multiple Independent Levels of Security) http://en.wikipedia.org/wiki/Multiple_Independent_Levels_of_Security [wikipedia.org]
All this being said, from a security point of view it is a wonderful (but limited) foundation for building a secure system. (And GHS makes a great product)
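Two comments above describe the same idea from different angles: the "Ubuntu!" reply says EAL 5+ means restricting the kernel to a small enough set of operations that every possible sequence can be shown to end only in known, secure states, and the last comment says all the separation kernel does is keep one container's memory from leaking into another. The following is an added illustration (editorial example, not Green Hills code and not the Integrity-178B design) of what that kind of check looks like on a toy model: three constructed partitions, an explicit inter-partition flow policy, and a brute-force walk over every sequence of "send" requests up to a fixed depth, verifying an isolation invariant after each step. The partition names, the policy, and the `enforce` switch that models a broken kernel are all assumptions made up for the example.

```python
"""Bounded exhaustive check of a toy MILS separation-kernel model.

Constructed example: partitions A, B and C; a flow policy that permits only
A -> B; a kernel that either enforces the policy (correct) or ignores it
(buggy, for contrast); and an enumeration of every operation sequence up to
a given depth, checking the isolation invariant after each operation.
"""
from itertools import product

PARTITIONS = ("A", "B", "C")
# Constructed policy: the only permitted inter-partition flow is A -> B.
POLICY = {("A", "B")}


def allowed_sources(dst, policy):
    """Partitions whose data may legitimately reach dst (transitive closure of the policy)."""
    reach = {dst}
    changed = True
    while changed:
        changed = False
        for src, d in policy:
            if d in reach and src not in reach:
                reach.add(src)
                changed = True
    return reach


def kernel_step(state, op, policy, enforce=True):
    """Apply one operation. `state` maps partition -> frozenset of data-origin tags.

    A data-origin tag records which partition originally produced a piece of
    memory; copying memory across partitions carries the tags along.
    """
    kind, src, dst = op
    new = dict(state)
    if kind == "send":
        # A correct separation kernel refuses the copy unless the policy allows it.
        if enforce and (src, dst) not in policy:
            return new  # request denied: no state change
        new[dst] = state[dst] | state[src]
    return new


def isolated(state, policy):
    """Invariant: every tag a partition holds came from itself or an allowed source."""
    return all(tags <= allowed_sources(p, policy) for p, tags in state.items())


def check(policy, depth, enforce=True):
    """Enumerate every send sequence up to `depth` (shortest first).

    Returns the shortest operation trace that violates the invariant, or None
    if no sequence within the bound can break isolation.
    """
    ops = [("send", s, d) for s in PARTITIONS for d in PARTITIONS if s != d]
    init = {p: frozenset({p}) for p in PARTITIONS}  # each partition starts with only its own data
    for n in range(1, depth + 1):
        for seq in product(ops, repeat=n):
            state = init
            for i, op in enumerate(seq):
                state = kernel_step(state, op, policy, enforce)
                if not isolated(state, policy):
                    return list(seq[: i + 1])
    return None


if __name__ == "__main__":
    print("enforcing kernel, depth 4:", check(POLICY, 4))            # None: no leak found
    print("non-enforcing kernel, depth 2:", check(POLICY, 2, enforce=False))  # shortest leaking trace
```

The enforcing kernel never violates the invariant because data only ever moves along policy edges, so the tags in a partition are always drawn from its allowed sources; that holds for any depth, which is the property a formal proof would establish once rather than by enumeration. The bounded search is only a demonstration of the "walk every permutation" idea on a model with six operations, and it is also the cheap way to catch a design flaw: with enforcement off, the first sequence tried that copies A's memory into C is reported immediately.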