
Secure OS Gets Highest NSA Rating, Goes Commercial

ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.

  • What's preventing Microsoft and the open source world from understanding these "sophisticated" attacks and hardening their respective operating systems against them?
  • Re:n/t (Score:5, Interesting)

    by moderatorrater ( 1095745 ) on Tuesday November 18, 2008 @05:20PM (#25808331)
    Source code audits with automated scripts that attack every port and every program checking for buffer overflows or other avenues of attack. It would require a lot of work, but it makes sense that the NSA would put in a lot of work to explore these operating systems, both to know how to secure against attack and to know how to pull off an attack against another country. The real question is, how much do you trust this OS not to have an NSA back door?
  • Cost? (Score:1, Interesting)

    by Anonymous Coward on Tuesday November 18, 2008 @05:32PM (#25808553)

    OpenBSD is free, and I guarantee "that it can defend against well-funded and sophisticated attackers."

  • Re:n/t (Score:5, Interesting)

    by betterunixthanunix ( 980855 ) on Tuesday November 18, 2008 @05:45PM (#25808769)
    Actually, the security of a system should not depend on hiding the operating details of the system. The EAL levels are based on things like audit logs, privilege separation, the ability to kick a user off the system and kill all their processes, etc. The availability of the source is neither a positive nor a negative on EAL ratings.
  • Re:n/t (Score:4, Interesting)

    by lanterndog ( 1410095 ) on Tuesday November 18, 2008 @05:49PM (#25808839)
    Yeah... I majored in pure math (e.g. abstract, theoretical stuff) in college. I was good. The NSA was all over me. I didn't accept, obviously (I wouldn't be able to admit this if I had. :) They recruit lots and lots of math people. Very few CS people (I double-majored in math and CS. Google and MS tried to recruit me through CS). However, I will get flamed to the end of the earth for this, but it's my experience: Mathematicians are insanely more intelligent than CSers. That, and cryptography (which is why the NSA exists) has much more to do with mathematics (Algebra and Number Theory especially) than it does with programming or OS design.
  • Re:n/t (Score:4, Interesting)

    by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Tuesday November 18, 2008 @06:11PM (#25809173)

    So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing. So even if a Linux distro wanted to be verified at a higher level - who's going to fork over the dough?

    Commercial Linux vendors like Red Hat, SuSe and IBM.

    Certifications like EAL tell you about the technical capabilities of an OS. They don't tell you anything about how competently said OS will be used.

  • by dltaylor ( 7510 ) on Tuesday November 18, 2008 @06:33PM (#25809483)

    besides /vertising for Green Hills:

    Modern warplanes are connected in a battlefield 'net that allows data, command and control to be passed between the planes (and satellite and ground). This is (obviously) a wireless network. Having a network stack and other interfaces hardened against intrusion makes it less likely that a battlefield adversary could either generate false data (the "magic" display in an F-22 paints the local AWACS as a "bandit", for example, and the pilot launches a missile), snoop data (the "stealthy" F-22s are here, here, here and here, so launch missiles at them), or perform some sort of DOS, degrading the system's capabilities. There are "well-funded and sophisticated attackers" who are likely to have those goals.

    If there was a business case, and so many of the developers didn't have, uh, reservations, about using their code in military equipment, the OpenBSD and, maybe, Linux kernel and glibc could be certified (stripped of a few components, probably, and with a few tweaks). With a "trusted" kernel, libraries, and tool chain, you build the rest of the system from scratch, anyway. It's not like you're supposed to be browsing the public internet with IE or FF on a B-1's navigation system.

    There's no way for M$-Windows to be certified at EAL6+, because its design philosophy (the back doors are built in, not added on) is completely against any sort of security, and I don't think Vista is even EAL4+.

  • Re:n/t (Score:3, Interesting)

    by InlawBiker ( 1124825 ) on Tuesday November 18, 2008 @06:57PM (#25809807)

    Nokia IPSO, which is certified for Check Point FW-1 and VPN-1 and is based on BSD, is also EAL4.

       

  • by conspirator57 ( 1123519 ) on Tuesday November 18, 2008 @07:21PM (#25810063)

    The EAL is only half of the equation. The Target of Evaluation (device under test) is subjected to EAL-appropriate documentation and verification against a design document called the Security Target. This ST specifies the threat environment. For example, the Windows ST specifies that all authorized system users are benign and thus not a threat.
