Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software Security United States

Windows Gets Independent Security Certification 207

linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contribute to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification and almost a year away from being released, Red Hat Enterprise Linux 5 is on the path toward EAL4 certification."
This discussion has been archived. No new comments can be posted.

Windows Gets Independent Security Certification

Comments Filter:
  • Hehe (Score:5, Funny)

    by Anonymous Coward on Thursday December 15, 2005 @10:56PM (#14269785)
    It's as secure as 95% of the destops out there. That's a good score!
  • by deathbyzen ( 897333 ) on Thursday December 15, 2005 @10:57PM (#14269789)
    Pigs have flown and it's getting a little chilly in Hell.
    • by Kamiza Ikioi ( 893310 ) on Thursday December 15, 2005 @11:21PM (#14269874)
      "This just in: Businesses and Government IT Professionals quickly abandon Common Criteria security certification as a security standard of any useful purpose."

      From Wikipedia on a previous certification: "The fact that Microsoft Windows 2000 remains an ISO 15408 certified product, without including the application of any Microsoft security vulnerability patches in its evaluated configuration, shows both the limitation and strength of an evaluated configuration."

      I believe that it also shows the limitation and inherent weakness of this criteria as a "security" certification or a confidence booster for consumers. Unless, of course, anyone here reasonably believes that any completely unpatched version of Windows is secure by any stretch of the imagination. I read about a machine like that once that never needed patching... it was unplugged from the net, stripped of all peripherals, dipped in molten lead, and buried inside 10m^3 of concrete and dropped into the middle of the ocean, thus becoming the most secure PC ever. I think it ran FreeBSD, too.
      • They should have used OpenBSD.

        • They should have used OpenBSD.

          Actually if you want to get serious about it they should use a "Trusted" OS like Trusted Solaris or similar OS that uses mandatory access controls. OpenBSD does not have support for that in the base configuration the last time I checked, although it is probably sufficient for general purpose computing.

          • You can achieve something close to MAC in OpenBSD. If you disable root login, and use systrace for everything that needs elevated privileges (privilege escalation on a per-syscall basis). You can also run at securelevel 1 or 2, so no one can modify files marked as immutable.

            If you really want MAC though, TrustedBSD was merged back with FreeBSD in the 5.x branch, and is there in the latest releases. I seem to recall that Solaris 10 and Trusted Solaris now use the same codebase too, so that's another op

      • In my understanding, these certifications are based on operating system features such as permissions and logging, and have nothing to do with implementation faults (buffer overflows, etc.) IT professionals aren't going to abandon them because, except for certain government applicaitons, everyone ignored them anyway.
      • There is no secure Windows box. There are only partially secure Windows boxes.

        And, a default Windows install can be connected to the net with no firewall, NAT or proxy, or any AV software for like 8 seconds before becoming infected with Skynet and its kin.
    • by Fred_A ( 10934 ) <fredNO@SPAMfredshome.org> on Friday December 16, 2005 @03:49AM (#14270579) Homepage
      Ah, pigs flying, that would explain all this shit coming down lately...
  • Perfect timing (Score:5, Interesting)

    by castoridae ( 453809 ) on Thursday December 15, 2005 @11:01PM (#14269809)
    Now all the US police departments (that have to use EAL-4 systems) can buy upgrades from Win2000 to XP. Perfect timing, with all that DHS money coming down the pipe right now...
  • by El Cubano ( 631386 ) on Thursday December 15, 2005 @11:02PM (#14269814)

    I took a security-related class not too long ago. The prof pointed out that the CC is basically worthless. The important thing is the profile. For example, he said most CC certifications are given out for a profile of a system on a friendly network that is not physically accessible to untrusted users. How useful is that?

    He also said something to the effect of: You can claim that your security policy has never been breached, as long as your policy is to not check security.

    The problem is that government perpetuates this by requiring people/companies to spend tons of money on this stuff to get "approved" for government use.

    • by StikyPad ( 445176 ) on Thursday December 15, 2005 @11:32PM (#14269917) Homepage
      To be fair, there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running. Once an attacker has physical access, all bets are off.
      • How about an encrypted filesystem? How about if there were no ways for this attacker to gain root priveliges from a local login. I really don't understand what you're saying.
        • I think part of the essence of having physical access is having unlimited time. This makes things like brute forcing the root password a little easier. Or, steal the hd and go to work on that encryption back at your own lab.
        • 1) Social Engineering can get around any encryption or local software security. If a person can get to the restricted machine, chances are they also got all the information they need to access the system.

          2) Unless the machine has no floppy drives, USB ports, or CD-ROMs, a live CD would allow an attacker with physical access to the machine to boot, image the hard drive to an external device (like an IPOD) and decrypt it later.

          There are ways around any security. Sometimes, it is just a little more tim
          • 1. OK, sufficient social engineering can bypass any security. But for some things the social engineering required would be enormous. It would be easier to steal the system and discs containing passwords and keys
            2. Live CDs can be disabled by setting a BIOS password. Sure, an attacker could convince someone to let him reset the BIOS by disassembling the computer. That would be a masterful feat. And how does the attacker decrypt the harddrive once it is stored on the IPOD?

            • On a small scale, you're right. Some of this stuff is out of the reach of most ordinary attackers. Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

              However, I think that organizations like the CIA, KGB, Mossad, and other big-time intelligence agencies would go through that kind of effort to socially engineer access to systems.

              If you can get
              • Social engineering, especially on the scale that would be required to reach "secure" government, industry, or criminal computers, would be an enormous undertaking for most groups looking to get this information.

                I think you underestimate (or overlook entirely) the efficacy of low-tech methods of social engineering. If I have possession of your secure computer, and the information on it is valuable enough to me, I'll just fucking beat the password/token/keycard/whatever out of you.

                Sadism trumps encryptio

            • BIOS passwords are useless, there are Master passwords for most makes and models :)

              go here and find yours today:

              http://www.biosflash.com/e/bios-passwords.htm [biosflash.com] :)
          • Social Engineering can get around any encryption or local software security. If a person can get to the restricted machine, chances are they also got all the information they need to access the system.

            Also don't forget lead pipe cryptography...
        • Once you have access to the machine, you can always break into it. Yeah, an encrypted file system will slow people down a lot.

          But if the machine can boot itself and access that disk, then the machine itself contains all the information needed to decrypt the data on the disk. And thus someone can break into it by definition. It may be difficult, but it's certainly possible.

          This is why Kerberos key granters are locked away.
        • To paraphrase Schneier, it's important to answer the question, "Secure against what? Secure from whom?" I doubt your encrypted filesystem is going to be secure against someone dropping a grenade on the CPU, for example.
        • How about you install key-logger and wait for the fireworks? Any kind of physical security that can be trusted upon is hard to obtain. The IBM 4758 PCI Cryptographic Coprocessor [ibm.com] is used in environments where it is important to prevent tampering. It has been said many times before, that the only way to have a "secure" environment is to guard all access points with armed marines. This, naturally, is not feasible and physical security will always be an easy point of attack. Thus, the grand-parents post is vali
        • "How about an encrypted filesystem?"

          That defends against access AFTER the machine has been turned off, but with physical access to a machine while it's up, that does you no good. You can simply attach a debugger to a process that has legitimate access to the encrypted information, and dump the information returned from read(2) (assuming POSIX semantics).

          "How about if there were no ways for this attacker to gain root priveliges from a local login"

          Given physical access, that's almost impossible to arrange. Fo
      • I'd like to think that highly secure installations, such as military units, would have the physical computer behind an impregnable barrier, with only cables protruding. Add to that an encrypted file system and physical barriers to gain access even to the terminals, and you should have a system that ensures better security.

        I'd like to think that.

        I suspect that the reality is a Dell PC sits beside the desk, and there's a stack of music CDs piled on top of it, some of which are the new Sony rootkit installatio
      • It may be possible two break into any system if you have physical accesss, it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. In my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to
        1) determine the smallest possible window of time when the system was broken
        2) prevent an attacker from inserting messages into the system, even with root acc
        • It may be possible two break into any system if you have physical accesss, it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. In my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to 1) determine the smallest possible window of time when the system was broken 2) prevent an attacker from inserting messages into the system, even with root a
          • Fine, then yank the power cord, bust open the case and remove the drive. Pop a USB adapter on it and plug it into another machine. Now you can start working on getting the data without having to boot from the drive or without any other part of the system getting in the way.

            This is where a TCPA TPM becomes useful. You can encrypt the data with a key stored in the TPM and bound to a particular boot profile. If you attach the drive to a different machine, or boot the machine off of another device, or with

      • there is really no such thing as a system that can withstand an attacker who has physical access regardless of what OS you're running.

        This is false on it's face. People have physical access to ATM machines all the time. Many of them run Windows now. There are tons of ways to secure machines from physical attack and make the game far from over. Granted it's not Windows thats doing it but it *is* Windows that is being secured.
        • This is false on it's face. People have physical access to ATM machines all the time. Many of them run Windows now. There are tons of ways to secure machines from physical attack and make the game far from over. Granted it's not Windows thats doing it but it *is* Windows that is being secured.

          Sorry but you don't have physical access to computer inside the ATM machine. It's locked in a steel box, designed to prevent access and aleart authorties when you try to gain access.

    • First of all, I question security professor's judgement call that the CC is worthless. The main value behind the CC is for people to build secure systems to a set, standardized lists of requirements, and reading over unbiased evaluations gauging the fufillment of those requirements.

      It is only people that fail to understand the set purpose of the CC that claim it has no value.

      EAL4 is just the common level to evaluate products at, because it is internationally recognized.

      The Information Assurance Technical F
  • Of course... (Score:5, Informative)

    by Chris Bradshaw ( 933608 ) on Thursday December 15, 2005 @11:05PM (#14269823)
    For those who don't have the foggiest... More info on Common Criteria Certification can be found Here [commoncriteriaportal.org]
  • Amazing... (Score:3, Insightful)

    by musawilliams ( 750285 ) on Thursday December 15, 2005 @11:06PM (#14269824)
    You pay someone off to give you a cert, then, in the same breath, announce another security vulnerability [cnn.com].
    • Re:Amazing... (Score:4, Interesting)

      by KrispyKringle ( 672903 ) on Thursday December 15, 2005 @11:48PM (#14269973)
      If I remember right, there is a certification fee. Of course, that makes sense, since certifying an OS costs the certifier. But you're not saying that; you're implying that MS payed a bribe to get certified.

      Care to back that up with references? Or is this just typical Slashdot trolling?
      • Care to back that up with references? Or is this just typical Slashdot trolling?

        He did back it up with references. Their software collection that just got officially declared "Spiffy, +3" is demonstrably not secure, as per the link he provided (and many others just like it).

        Since the OS obviously does not meet the generally accepted standards for "secure", but it was certified as such anyway, there are two possibilities:

        1. The certification is meaningless and should be widely recognized as such, or
  • by mnmn ( 145599 ) on Thursday December 15, 2005 @11:07PM (#14269829) Homepage
    I am officially releasing my certification of "The Highest Level Of Security", and giving it to my pet OS, ELKS!

    Therefore, ELKS is the most secure OS in the world.

    The press meeting will be at 24:01 December 31st.
  • From TFA (Score:5, Insightful)

    by TubeSteak ( 669689 ) on Thursday December 15, 2005 @11:09PM (#14269833) Journal
    During the certification review, Lipner said the various versions of Windows XP and Windows Server 2003 were evaluated in more than 20 real-world scenarios or "workloads" in a testing lab. It includes rigorous and exhaustive testing at the source-code level to determine certifications, he explained.

    Critics of Common Criteria certification say the ratings are not a true reflection of the secure nature of a product in general purpose situations because it does not take every general-purpose situation into account.
    No certification process is going to take every situation into account. Windows would never get certified if that was the case. Neither would anything else with a TCP stack.

    I'm just mentioning this to help cut off some of the anti-MS crap that's going to get modded up as insightful.

    Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.
    • Re:From TFA (Score:5, Informative)

      by NutscrapeSucks ( 446616 ) on Thursday December 15, 2005 @11:38PM (#14269937)
      Not to mention that Windows does have certain security features that are simply not present in standard Unix.

      For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

      Probably not important in most environments, but for government-type security it can be.
      • Re:From TFA (Score:5, Informative)

        by plsuh ( 129598 ) <plsuh AT goodeast DOT com> on Friday December 16, 2005 @12:40AM (#14270121) Homepage
        For example, an administrator can be denied access to a file. The admin can change the ACLs by taking ownership, but doing this generates a log event. Deleting the logs generates another log event. AFAIK, it's impossible to restrict the unix superuser in this way.

        You're comparing an administrator user (which is a preset level of privilege on Windows) with the root user on a Un*x system, which is apples to oranges. The root user on Un*x is more properly compared to the LocalSystem account on Windows. The key difference is that the LocalSystem account never has a password so you can never log in as LocalSystem. However, many Un*x systems (e.g. Mac OS X) also have root accounts that don't have a password (and thus you cannot log in as root) or at least disallow remote root logins, giving them similar levels of account protection.

        In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library. Even if an attacker fools a Mac OS X admin into running a script, there is still the need to authenticate which gives the admin a chance to halt the attack.

        --Paul
        • Re:From TFA (Score:5, Insightful)

          by drsmithy ( 35869 ) <drsmithy@@@gmail...com> on Friday December 16, 2005 @01:49AM (#14270321)
          The root user on Un*x is more properly compared to the LocalSystem account on Windows.

          There is no real comparison, because the security models are fundamentally different.

          In unix, if you're root, you can do anything. "Security" checks basically start with an "if (UID != 0)".

          In Windows, all accounts are subject to ACLs. Some accounts have more generous ACLs than others, but there is no equivalent to the "can do anything"-ness of a unix root account.

          In fact, the restrictions on the default administrator account on Windows are weaker than those given to administrator accounts on Mac OS X -- a Windows admin can write to \Windows\System32 without elevated privileges, which pretty much means game over if the attacker can get the admin to execute a script (e.g. through a browser flaw) that puts DLL's into the directory. In contrast, a a Mac OS X admin needs to authenticate and temporarily gain elevated privileges to write to the equivalent location, /System/Library.

          This comparison is flawed. An "Administrator" account in OS X is a completely different thing to an "Administrator" account in Windows - not only in concept, but also in execution. An OS X admin account is more properly compared to a "Power User" in Windows - but even then the two are still very different due to the different security models. An OS X "admin" account is simply one that can sudo to root - thus giving it complete control over the entire machine, with no further permissions checks performed at all. Since Windows has no equivalent of root, it has no equivalent to an OS X "Administrator" user. A "Power User" is similar in purpose (limited administrative abilities, but can't destroy the machine wantonly), but very different in execution.

          • Re:From TFA (Score:3, Informative)

            by asuffield ( 111848 )
            From my (admittedly limited) understanding of this part of the Windows security model, anybody with "Administrators" access or better can install device drivers into the kernel. This is a piece of software that runs in kernel space, with no security restrictions at all. The 'restrictions' you are talking about apply only to non-driver software. So there's your "can do anything"-ness.
          • The root user on Un*x is more properly compared to the LocalSystem account on Windows.

            There is no real comparison, because the security models are fundamentally different.

            True, but the selinux and the window security models are remarkably similar on paper.

            The big problem with windows security is that it has been left as an exercise for the reader, and if you document your secure windows system, you might be able to turn it is for your PhD dissertation. (I am exaggerating, but not by much.)

            Selinux is slowl

        • Re: (Score:3, Interesting)

          Comment removed based on user account deletion
        • However, many Un*x systems (e.g. Mac OS X) also have root accounts that don't have a password (and thus you cannot log in as root)

          Not exactly, the root account is disabled. If it had no password you could log in with no password but by putting an '*' in the beginning of a password field in the passwd file, you disable that user account. This is the way that OS X ships. Once you remove the *, you can log in as the root user.
      • Look up SELinux before you post on this subject. Your ignorance is showing.
        • Comment removed based on user account deletion
          • So tell us, who do you know still running AT&T System V?
          • Once again your ignorance is stunning. SElinux comes "standard" with suse and fedora and is available to all debian based and gentoo users via the standard software update mechanism.

            As for linux not being unix that's just a nitpick. Nicely done though, that's a very professional wordsmithing, something worthy of a PR firm or a paid astro turfer.
      • I know you said Unix, but as far as Unix workalikes are concerned, SElinux (which is turned on by default on RedHat products) can do all this and more.
      • AFAIK, it's impossible to restrict the unix superuser in this way.

        If you consider FreeBSD to be Unix, then consider chflags [freebsd.org] and securelevel [freebsd.org]. Together, they can prevent even root from having more than read-only access to a file. Same goes for OpenBSD, and I think NetBSD as well.

    • "Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way."

      I can attest to that as well. Windows is fairly secure except MSFT made IE such an integral part of Windows. You end up with a situation where Windows is secure but the most accessible and vulnerable part of it can get you right past all those defense. It's akin to putting a screen door on a vault.

      • Re:From TFA (Score:3, Insightful)

        by drsmithy ( 35869 )
        I can attest to that as well. Windows is fairly secure except MSFT made IE such an integral part of Windows. You end up with a situation where Windows is secure but the most accessible and vulnerable part of it can get you right past all those defense. It's akin to putting a screen door on a vault.

        Bollocks. IE is normal user space code just like Firefox or Word. It can't do anything more than any other code running under that user account can.

        The "integration" of IE - in and of itself - doesn't make Win

        • I'm guessing the poster is referring to the behavior of Windows to run IE-like processes in far more situations than just clicking the big blue E. It's true that if you're running as a non-power-user on a properly configured machine, IE should be able to cause no more problems than the user entering a command prompt and manually attempting to destroy things.

          The problem with IE's low-level integration is that little versions of the IE rendering engine appear all over the place: in the help system, in MSN/W

    • Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.

      Yes, it's come a long way from previous versions of Windows.

      Doesn't mean it's any good now, especially when compared to what else is available.
    • Using Internet Explorer is still a bit like playing Russian Roulette perfect, but the security of Windows has come a long way.

      Agreed. But Internet Explorer in still unremoveable from Windows.
  • Tiger? (Score:4, Interesting)

    by jmcmunn ( 307798 ) on Thursday December 15, 2005 @11:10PM (#14269837)

    As a Windows user considering the switch to the Intel Mac's coming soon, I'm curious if Tiger (OS 10.4.4 or whatever) has gotten this certification? I know the argument is that you're more secure no matter what since no one writes spyware etc for the Mac, but is it certified? I'm honestly curious, so I know what I'm in for.
  • trusted != secure (Score:5, Informative)

    by evenprime ( 324363 ) on Thursday December 15, 2005 @11:14PM (#14269852) Homepage Journal
    Pay attention to what the linked wikipedia story says:
    Higher EAL levels do not necessarily imply "better security", they only mean that the claimed security assurance of the TOE has been more extensively validated. [wikipedia.org]


    This just means that it does what they claim. I'd be more interested in seeing what the security claims were....

    • You're exactly right. Here's how it works:

      You have this thing called a Protection Profile (PP). It defines the kind of environment the computer/OS will be operating in: Is it networked? What kind of hardware does it have? Software? If it is networked, is the network friendly or hostile? etc.

      So, what MS does is have a their OS graded on a really pussy PP (not networked, in a friendly environment, locked in a vault so there's no physical access, etc) and say "Our product is secure (what "secure" means i
  • Boy... (Score:3, Funny)

    by Beatbyte ( 163694 ) on Thursday December 15, 2005 @11:14PM (#14269853) Homepage
    They're giving these things out to ANYBODY.
  • by Anonymous Coward on Thursday December 15, 2005 @11:18PM (#14269865)
    Does this certification actually mean anything, or is this just yet another Microsoft maneuver to be able to a government/corporate entity "See, we meet specification XXX that you demand software that you use have."

    Microsoft did this with POSIX support for Windows NT; NT's Posix is next-to-useless (they don't have fork(), for example) but Microsoft got it so that they could tell the relevant people "See, NT is posix-aware."

    Another example: Internet Explorer for Solaris. Probably one of the most horrible browsers out there; Microsoft only did it so companies that said "We standardize on one browser for all users" could standardize on IE. Microsoft had no real intention of supporting Solaris.

    In fact, I will go so far to say that Microsoft's proposed "open document format" doesn't exist because Microsoft has any intention of opening up their format, but so that Microsoft can meet Massachusetts' requirement to have an "open" format. This is why Massachusetts should continue to tell Microsoft that they will not use Office Vista until it supports the Open Document [oasis-open.org] standard.

    So this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts [sourceforge.net] the blow away anything for Linux.
    • The mention of Microsoft POSIX brought back nightmares. When I head MS NT was POSIX compliant, I tried it out. What a joke--it's a complete sham. For example, if you set the time, the call works, but doesn't do anything! The time is the same. Other calls are similar. It's nice that valid POSIX system calls don't fail, but it would be better if an implementation actually does something!

      The only reason they did this POSIX sham, I understand, is because of US Government requirements for POSIX. Nobody

    • What do you mean by Microsoft's open document format not existing? They already are releasing the draft schemas on MSDN.

      Why should MA require them to use Open Document? It's not like XML transformations are all that tough as long as we've got the schemas which we should in this case. If Microsoft's public schema isn't complete, MA won't use Microsoft Office because it doesn't comply with the law.

      The state seems to be interested in making sure they have perpetual access to the schema. As long as Office write
      • What do you mean by Microsoft's open document format not existing?

        The format exists, but it's not open per the MA definition. The fact that a schema exists and is published is far from adequate to meet the requirements.

    • So this doesn't sound like a typical anti-Microsoft post, I will say that Microsoft products are far easier to learn than the Linux equivalents, and that Microsoft made some beautiful fonts the blow away anything for Linux.

      Microsoft didn't make the fonts, they licensed them from Monotype. And IMHO they don't blow away Bitstream Vera.

      Nice try though, appreciated. So this doesn't sound like a typical anti-Microsoft post, I will say that... uhm... they make nice joysticks! :)
  • What does EAL4 mean? (Score:5, Informative)

    by danFL-NERaves ( 302440 ) on Thursday December 15, 2005 @11:20PM (#14269872)
    Copied verbatim from the Common Criteria v2.1 specification. I can't make heads nor tails of it:

    Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed

    Objectives

    EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.

    EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.

    Assurance components

    EAL4 (see Table 6.5) provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.

    The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, evidence of a developer search for vulnerabilities, and an independent vulnerability analysis demonstrating resistance to penetration attackers with a low attack potential.

    EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures.

    This EAL represents a meaningful increase in assurance from EAL3 by requiring more design description, a subset of the implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery.

    Assurance class
            Assurance components
    Class ACM: Configuration management
            ACM_AUT.1 Partial CM automation
            ACM_CAP.4 Generation support and acceptance procedures
            ACM_SCP.2 Problem tracking CM coverage
    Class ADO: Delivery and operation
            ADO_DEL.2 Detection of modification
            ADO_IGS.1 Installation, generation, and start-up procedures
    Class ADV: Development
            ADV_FSP.2 Fully defined external interfaces
            ADV_HLD.2 Security enforcing high-level design
            ADV_IMP.1 Subset of the implementation of the TSF
            ADV_LLD.1 Descriptive low-level design
            ADV_RCR.1 Informal correspondence demonstration
            ADV_SPM.1 Informal TOE security policy model
    Class AGD: Guidance documents
            AGD_ADM.1 Administrator guidance
            AGD_USR.1 User guidance
    Class ALC: Life cycle support
            ALC_DVS.1 Identification of security measures
            ALC_LCD.1 Developer defined life-cycle model
            ALC_TAT.1 Well-defined development tools
    Class ATE: Tests
            ATE_COV.2 Analysis of coverage
            ATE_DPT.1 Testing: high-level design
            ATE_FUN.1 Functional testing
            ATE_IND.2 Independent testing - sample
    Class AVA: Vulnerability assessment
            AVA_MSU.2 Validation of analysis
            AVA_SOF.1 Strength of TOE security function evaluation
            AVA_VLA.2 Independent vulnerability analysis
    • by Anonymous Coward
      ...demonstrating resistance to penetration attackers with a low attack potential.

      Does this mean that it can defeat an attack that is most likely not going to succeed?

      Wow. Just wow.

    • Re: (Score:3, Funny)

      Comment removed based on user account deletion
    • What EAL4 means... (Score:2, Interesting)

      by [ByteMe] ( 145131 )
      This is the short-form explanation. If you somehow decide to care about this more seriously, aside from seeking professional help I would recommend that you consult the Book of Armaments...er...the *real* CC site: http://csrc.nist.gov/cc/ [nist.gov]

      Each of the areas that Common Criteria cares about has an extensive set of "things in this area about which we care" that is the source of the ADO_IGS.1 (&c) items above. For a software item such as an OS, think of those as "claims".

      For any area, the EAL just shows t
  • Take long? (Score:5, Funny)

    by StikyPad ( 445176 ) on Thursday December 15, 2005 @11:21PM (#14269878) Homepage
    Well, it only took 4 years to finally certify XP. Although I guess that's not bad when you consider that in another 4 years they'll have Vista to start evaluating.
  • by dananderson ( 1880 ) on Thursday December 15, 2005 @11:50PM (#14269982) Homepage
    The Common Criterial Security (CCS) Certification is good, but not great. It's equivalent to Entry-level certification. Yes, it's the highest Entry-level certification, but other Operating Systems, such as Linux, Solaris, and other UNIX flavors have long had it.

    What's important is CCS Profiles, which allow one to tune the OS to the security level you need ("one size does not fit all"). AFAIK, MS Windows does not have profiles.

    That's said, it's great that Microsoft is starting to get serious about security.

    • That's said, it's great that Microsoft is starting to get serious about security.

      Well, 2000 has been EAL4 certified as well for quite some time now, so when we're speaking of those certifications, I think it's only that they take some time to get, not that Microsoft has just recently started considering them.
  • by Chaffar ( 670874 ) on Thursday December 15, 2005 @11:56PM (#14269999)
    According to Wikipedia:
    Its purpose is to allow users to specify their security requirements, to allow developers to specify the security attributes of their products, and to allow evaluators to determine if products actually meet their claims.

    So, who sets the security requirements? Does this certification have any value, or is it the equivalent of "smiley faces for everyone"?
    [National Information Assurance Partnership] So, what are your security requirements?

    [Bribed Official] I need to be able to install ro0tkits without the user's approval...

    [National Information Assurance Partnership] Excellent... EAL 4+ for all!


  • Windows has always been the most secure operating system on the planet. In fact, there is no other secure software in the world. Only Windows has 100% completely unbreakable security, guaranteeing that your data is completely safe at all times, even if you plug it directly into the Internet with no firewall or any other security software or hardware at all. Yes, Windows is the most secure piece of software in the world.

    *Disclaimer: This post requires flexible definitions of safe, secure, security, and unbre

  • Audit (Score:2, Interesting)

    by jawahar ( 541989 )
    Has anyone done windows source code audit?
    • One may presume that the PRC (People's Republic of China) performed a real source code security audit on MS Windows back when their government was granted access three plus years ago.

      One might also conclude that the PRC government's move toward their very own linux distribution, Red Dragon Linux, is a result of that MS source code security audit.

      While that does predate Microsoft's release of Windows XP Pro SP2, there seem to be enough other vulnerabilities in MS OSes that the PRC has not, at least publicall
  • by McMuffin Man ( 21896 ) on Friday December 16, 2005 @01:20AM (#14270234)
    For those of you who haven't done Common Criteria, a few clarifications:

    EAL stands for "Evaluation Assurance Level". Your EAL level describes the degree to which you demonstrated your claims. It says almost nothing about what those claims are. It's an exaggeration to say you could get EAL 4 on a brick by claiming that it would stay put when you dropped it, but not a big one.

    The claims are contained in your Security Target (ST), which is a series of claims about the Target of Evaluation (ToE). Your ST doesn't necessarily have to include many claims relevant to good security, and your ToE can exclude many subsystems and capabilities of the system being certified. To use a pre-CC example, Windows NT got an Orange Book certification by specifying that the certified system could not be connected to a network.

    If you want to adhere to a standard that tries to verify that your ToE includes capabilities that make your device useful and that your ST makes claims which really mean something about the security properties of device, you demonstrate compliance with a published Protection Profile (PP). In the US, there are a series of PP's published . These PP's describe relevant capabilities and security properties for systems used in various roles (for example, a traffic filter firewall for low risk environments).

    Without a PP, the only way to know what that EAL 4+ actually means is to closely read the ToE and the ST to figure out just how thin they sliced the salami.

    Having said all that, a tiny bit of research confirms that Microsoft actually certified these systems against the Controlled Access PP. This is a basic robustness standard (by comparison, Red Hat Linux 5 is also certified against the Labeled Security PP and the Role Based Access Control PP, which assert more robust security capabilities), but it's quite a bit more than nothing, and quite a bit more than many companies do to get their "we do Common Criteria" marketing claim.

    Color me impressed.
  • by Animats ( 122034 ) on Friday December 16, 2005 @03:00AM (#14270481) Homepage
    NSA originally had the Orange Book [ncsc.mil] security standards, which ranged from class C1 (Discretionary access protection, i.e. standard UNIX), up to class A1 (formally verified mandatory protection). These were serious security standards, issued in 1985. Compliance was tough, and testing was by NSA. But A few systems passed testing [ncsc.mil]. Trusted Xenix made it to level B2. The WANG SCOMP, a special-purpose secure machine, made it to level A1 in 1984. That was the high water mark of operating system security.

    Vendors hated this process. First, the vendors didn't control the test process - the National Security Agency's Central Security Service did. NSA's policy back then was that you got two tries to pass validation. On the first try, the vendor was told of problems found, and given a chance to fix them. The second try was strictly pass/fail, and might include tests that the vendor had never seen. So it was quite possible, and common, for products to flunk and be cut out of procurements.

    The Common Criteria process, on the other, hand, is conducted by third party labs paid by the vendor. So they're very "responsive" to the vendor.

    The "Common Criteria" are comparable to the class C Orange Book standards. They're very weak. There was heavy lobbying by the computer industry to water down the Orange Book standards, and that lobbying was successful.

    The evaluation report for Windows XP is online. [microsoft.com] It's worth reading, even though it's long.

  • Common Criteria (Score:3, Informative)

    by LeFrame ( 939271 ) on Friday December 16, 2005 @03:09AM (#14270499)
    Do check out this link: "Understanding the Windows EAL4 Evaluation" [jhu.edu] It is about the testing of Windows 2000 sp3, but it is still a very valid description of the problem with CAPP/EAL4. Rounded up: "The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel. Translating that into colloquial English: Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast. - An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky."
  • worthless (Score:3, Insightful)

    by penguin-collective ( 932038 ) on Friday December 16, 2005 @05:26AM (#14270718)
    CC, like other such certifications, is a checklist of features: it requires systems to have lots of security features. Satisfying such a checklist doesn't tell you anything about whether a system is actually secure, it supposedly tells you about whether you can or cannot implement complex security procedures. But it doesn't even tell you that because there is no guarantee that the features work and interact as intended, and, on the other hand, systems not formally satisfying the requirements may still support your security procedures.

    Companies like Microsoft love standards like CC because they don't have to provide actual security, they just have to add lots of features to their operating system, and Microsoft is great at adding features.

    If you want to achieve real security, your best bet is to remove as much unnecessary functionality from a system as possible, and that includes a lot of the junk that CC requires.
  • Primer (Score:4, Informative)

    by Tom ( 822 ) on Friday December 16, 2005 @05:55AM (#14270769) Homepage Journal
    For those not in-the-know on CC:

    EAL4+ is a fairly high level, and not easy to reach. This was serious work and money invested for M$.

    However, do keep in mind that CC is much more about assurance than about security. In fact, most (and in many cases the most difficult to meet) requirements are in the development and documentation areas.

    What EAL4+ does mean is that windos isn't a quickly hacked together bundle of hogwash (even though it looks like that at times), but was systematically developed, using version control software and systematic testing as well as being extensively documented.
    Usually, this goes together with a higher software quality, and high software quality usually means higher security.
  • by HangingChad ( 677530 ) on Friday December 16, 2005 @06:42AM (#14270874) Homepage
    an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contribute to higher levels of consumer confidence in IT product security,

    Ouch! Oh, great. Now I have...Ouch!...monkies flying out of my butt. Ouch!

  • by master_p ( 608214 ) on Friday December 16, 2005 @07:13AM (#14270942)
    Windows protocols can not be breached in any way, therefore making Windows 100% secure systems. But the Windows O/S is not 100% safe, due to bugs in critical libraries and wrong default settings. A properly patched and configured Windows system is as safe as any Unix box, but the complex security model of Windows makes it far easier to be breached.

  • $ nmap windows2k

    Starting Nmap 3.95 ( http://www.insecure.org/nmap/ [insecure.org] )
    Interesting ports on windows2k:
    (The 1662 ports scanned but not shown below are in state: closed)

    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds

    Since actually using windows requires this kind of setup, and closing these ports usually breaks things like outlook and filesharing, I'd say in such cases, windows is still a security failure. At least until the netbios protocol stack gets fixed or removed which
  • Where to look (Score:2, Informative)

    by kaaona ( 252061 )
    One may argue the technical merits of CAPP/EAL certifications, but serious competitors in the federal IT market simply can't afford not to make the large investments in time and money to get them. Anyone interested in the details can explore:

    http://niap.nist.gov/cc-scheme/in_evaluation.html [nist.gov]
    http://niap.nist.gov/cc-scheme/vpl/vpl_type.html [nist.gov]

I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.

Working...