Domain: argus-systems.com
Stories and comments across the archive that link to argus-systems.com.
Comments · 23
-
Re:OpenBSD
OpenBSD, from what I've heard, is good, but most of its security is based upon correct implementation. This is good, but the OpenBSD team can only audit and control the base system, meaning that applications and libraries added to the system can often degrade the security of the system as a whole.
Judging from the technologies and companies mentioned in the summary, this attempt at Linux security is based on providing better access controls and privilege models in the Linux kernel. By better, I mean that these mechanisms can:
1) Provide finer grain privileges so that fewer programs can be exploited to escalate privilege, and
2) Isolate unrelated programs and users from each other (e.g. an exploit in a DNS server is restricted to only accessing DNS files but is not able to manipulate web server pages).
These two techniques basically reduce the number of avenues an attacker can use to exploit a system. It is less likely that a piece of exploitable software will have sufficient access to whatever it is the attacker wants to get to. Granted, it is not a complete solution, but it's a handy thing to have in one's security toolbox.
I believe that the OpenBSD/OpenSSH teams are beginning to do similar things (e.g. OpenSSH privilege separation), but I don't think they've taken the leap to providing more sophisticated access controls in the kernel.
If you're interested, examples of trusted operating systems/access controls can be found at the following places:
Linux Capabilities:
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
Trusted BSD:
http://www.trustedbsd.org/docs.html
Argus Systems Group (go to the Support section and take a look at the docs for PitBull LX and Foundation; they give a rather complete description of the mechanisms):
http://www.argus-systems.com/
Trusted Computer Solutions (mentioned in the article):
http://www.trustedcs.com/index.html
Disclaimer: I used to work for Argus Systems Group, and I know a few of the TCS employees (as they are also ex-Argus employees). -
Don't forget the OS
You should consider OS level security in addition to hardware. I once worked as an intern for a place called Argus Systems Group http://www.argus-systems.com/ which modifies the Solaris kernel to conform to government standards. I'm sure there are probably several other similar vendors out there.
-
Re:Personality Cults (Specifically, Theo De Ratt)
When I attempt to read from a raw disk device as a non privileged user, I get "access denied". Can you be more specific and provide links or proof that this is the current state of affairs with OpenBSD?
I see you deliberately cut my sentence off at a convenient point. I suggest that if you genuinely want to know more about what it means to control access to devices and files using MAC (including for software run as root, i.e. via exploits) I refer you to software such as L.I.D.S. and Pitbull.
Put simply:
On a system providing live services in real world scenarios (such as web, mail, ftp, ldap, samba, database software etc.) it's inherently less secure than a trusted operating system or one that at least partially implements MAC, POSIX.1e, or that otherwise places restrictions such as on what specific software is allowed to perform privileged operations such as bind to a given port, or access a given file (etc) no matter what user the software in question is run as (i.e. code run via software exploits, this means you).
I realise that OpenBSD does not have all worthy modern security features, but to say that OpenBSD security is just hype which boils down to OpenSSH and switched off services is just not right. It's not like all these things that you have failed to mention are useless.
I didn't say they were 'just hype', you seem to be trying quite hard to twist my words. However, I certainly stand by my assertion that its association with being a 'secure' OS is primarily based on those two factors; it's certainly not based on its feature support. Despite how much Theo De Ratt belittles and misrepresents the work of others, from a professional security standpoint OpenBSD's feature set really isn't that impressive compared to other free and commercial alternatives, including what can be done with Linux or even compared with features in newer versions of FreeBSD.
Re: OpenSSH on other platforms:
Can you back this up with a link? I find it a little hard to believe given his absolute freedom stance. Especially since OpenSSH is everywhere nowadays.
Theo's statement that they were not interested in providing OpenSSH for any platform other than OpenBSD was how the whole argument with Alex de Joode started. See my previous post above, the Slashdot archives, or Google, for a link.
This appears to be carefully worded. I guess what you are saying here is that OpenBSD is a secure platform, but less than useful? Sure, it is not the most useful system out there, but for what it does well, it does very well.
Any OS with all its network services turned off by default is secure from remote exploits. However (and this is the reason I was choosing my words carefully) if you actually intended to run services (such as Web, Mail or FTP) on that system or allow local user accounts then OpenBSD is not what I would consider a particularly secure platform and there are certainly far superior alternatives (both free and commercial), that are far more deserving of credit and consideration.
Theo's often false derision (and deliberate misrepresentation) of the efforts of other OS vendors is something I find utterly unpalatable.
-
Re:More viruses for Linux?
Protecting root is important in the "root = god" security paradigm, but even in the best case (perfect implementation and no local root exploits), that only protects the bulk operating system and none of the user's programs or files. Worms can still propagate. Viruses can still copy or destroy all the user's precious data.
Using a separate user account for all internet usage and app testing would help, and in fact, taken to an extreme leads to SELinux and its kin which provide for complex access controls based upon combinations of programs, users, and resources. Fedora seems to be going in that direction and, as a result, might become my default OS if it makes managing applications hassle-free -- by pre-determining the proper ACLs for common applications, securely distributing them, and by providing tools for quick context-sensitive ACL management.
For a while, Microsoft was investigating similar security measures such as Argus Pitbull, but alas, it appears that they make more money with insecure systems. -
Thanks. Need help?
Gads... an informed post on security and the CC. My compliments.
Thanks.
EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. [....] For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.
I'm glad you pointed that out. Taco's "highest" comment was just plain silly.
I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP which is currently in evaluation, has been for 8 months and will be for several more months.
I didn't know you guys were doing that. It looks like you guys have built a ground up proprietary security OS with XTS-400. Am I reading that correctly? If so, that's much more ambitious than the Solaris/Linux proprietary modules Argus is using in pitbull.
PS - if you know anyone who needs the services of a CISSP, let me know... ;-) -
More Examples (incl. Linux)
Some others that have come up for discussion before (?) are: and
Pit Bull from Argus Systems
IIRC, these are more common Un*ces that are patched to provide "capabilities" - that is, instead of the root being the one-size-fits-all user that has enough privileges to get anything done, different kinds of access are broken down so that if a running program gets 0wned, it limits the damage.
Theo's answer to that probably would be, "code it right in the first place and it won't GET 0wned!!!", which is a valid point; the devil (no pun intended) is in the details.
BTW, I first came across EROS via Alan Cox in an interview with Robert Metcalfe a few years ago (remember the "Open Sores" series of articles? Great trolling, Bob!), in response to a question of what he thought was going to be the next big thing after Linux. He was impressed with the response (having previously accused Linux-y types of monomaniacal zeal), but it didn't overturn his opinion at the time that Linux was doomed. Oh well. (This comes to you courtesy of the similarly fated Internet.)
-
Comparing OS security
When Microsoft compares Windows Security with Linux/Unix security, they commonly show you all the cute security features of Windows 2000 and then compare it with a freshly installed Red Hat 7 box (or something like that, debian, SuSE, whatever you want).
What about comparing the most secure setup of Windows with the most secure setup of Linux or Unix?
Now you end up comparing Windows 2000 with HP SecureLinux or with Trusted Solaris, Trusted Irix, and so on.
The most secure setup of Windows 2000 has C2 level security (discretionary access controls capable of defining access to the granularity of a single user, audit trail), while the most secure versions of Linux have things like domain based access controls (however they are not certified at any TCSEC security level, not even C2) and the most secure Unix environments have B3 level security (structured protection, zero design flaws and minimum implementation flaws).
Just take a look at how security mechanisms work, maybe compare Linux+Pitbull/LX (domain based access control) with the most secure version of Windows 2000 - and try to imagine how DBAC keeps your computer secure, even when somebody hacks your sendmail daemon.
Now go and look for a version of Windows with zero design flaws, or maybe just a B1 secure version of Windows, good luck.
regards,
octogen
Some further information:
Trusted Solaris, Sun Microsystems; ITSEC EAL4 (exceeding B1 security);
Pitbull, Pitbull/LX, Argus Systems; ITSEC EAL4 security for AIX and Solaris; Domain Based Access Control for Linux (Pitbull/LX);
XTS/300, Getronics; TCSEC B3;
Firewall Server, BorderWare; (Unix based Firewall), ITSEC EAL4 with EAL5 vulnerability analysis;
Windows XP, Microsoft; TCSEC C2; -
This is funny...
...mostly because OpenVMS people tend to think that 'their' OS is the most secure one on this planet (just like OpenBSD developers do, too).
Compared to Standard-Unices, OpenVMS might offer superior security, mostly because of the privilege model it utilizes instead of giving all-powerful root privileges to many user space applications.
On the other hand, we've got OSs which have much more sophisticated security than OpenVMS.
First, there is IBM's AS/400, which has got a privilege model quite similar in extent to the one used in OpenVMS, but additionally it has object-based design, and therefore object-based security (type enforcement and such...). However, it lacks Mandatory Access Control, TCB, Trusted Path and some other things mostly required by military and/or government environments, and therefore it only achieves a C2 security rating.
And then there are a couple of really secure Trusted Unices/Unix-style OSs, like Trusted Solaris, the Pitbull Addon for Solaris and AIX, Trusted IRIX, or XTS/400.
Just talking about fine-grained privilege controls: Argus' Pitbull has got around 100 privileges, how many privileges are there on an OpenVMS box?
No OS has ever received an A1 security branding. And the only OS which has ever received a B3 security branding, is actually a Trusted Unix Environment, something like a Unix clone with some proprietary security mechanisms built into the kernel (OpenVMS was B1 or maybe B2, iirc).
---
Regarding secure TCP/IP initial sequence number generation, it does not take a Trusted OS to just generate secure sequence numbers.
About two months ago, I compared initial sequence number generation on the following OSs using nmap:
* Windows 95
* Windows ME
* Linux 2.2.x
* Windows 2000 (plain)
* Windows 2000 (with Norton Internet security installed)
* OS/2 Warp Server Advanced 4.0 (default install)
* Sun Solaris 7 x86 (with tcp_strong_iss set to 2)
The results were pretty interesting and also a bit surprising:
Windows 95 was worst (ok, that's not surprising ;-), nmap rating ~10
Then came OS/2, which was not much better, nmap rating ~ 1000
(BTW: does anyone have nmap results from OS/390 or OS/400?)
Even Windows ME was a bit better than OS/2, but still far away from being secure, nmap rating ~ 8000
There was little difference between Win2k with Norton's Firewall (~12000) and Win2k without the Firewall (~15000)
Linux' results were quite good, nmap rating approximately some hundred-thousands or millions
Solaris with tcp_strong_iss set to 2 seemed to offer really strong sequence number generation, so nmap just printed a lot of 9s
---
Additional information:
Here is nmap.
Here is Argus Systems (EAL4 security for Solaris/AIX)
Here is IBM's AS/400
Here is Getronics (B3 secure Unix Environment running Unix and Linux applications)
And finally, here is OpenVMS -
If you don't mind proprietary stuff...
... you can try PitBull from Argus Systems. It's a very good product and free for non-commercial use (I think). If you can live without the source to their module.
-
The real problem
The worst problem regarding security is probably the fact that today's mainstream processors mix up code, data and addresses in memory without being able to distinguish between these categories.
You can put anything (even some characters of input from the keyboard) into memory and let the computer use it as a memory address - and this is really a very, very bad architecture.
If an attacker could only modify data by exploiting buffer overflows instead of being able to put additional code on your machine and to execute it, his or her possibilities would be much more limited.
Most secure operating systems can't prevent a security breach within an application, but are still able to prevent access to the OS itself, to other applications or to sensitive data. This is done by strictly following the 'principle of least privilege', which mainly means that you do not run any process with all-powerful root privileges.
(Take a look at Argus' homepage for more information about secure Unix kernels with authorizations/privileges instead of 'root')
IBM invented a technology which would be suitable for protecting the system from unintentionally modified addresses, almost 20 years ago (in the System/38).
We definitely need better processors and better operating systems.
A short summary of methods to prevent buffer overflow exploitation:
* If a process CALLs a subroutine, the return address shall be pushed onto the stack and marked as a 'valid address' in some kind of shadow memory (if you have 64bit long addresses, you need 128MB additional memory as the shadow RAM for each 1024MB RAM).
* If some piece of data is MOVed to memory, then the memory region shall be marked as 'non-valid address' in shadow memory.
* If a processor tries to fetch an address from a memory region which is not marked as 'valid address' then the processor shall raise an exception (interrupt) to inform the operating system about the invalid pointer.
* Shadow memory shall only be accessible from the highest privilege level (that is, from kernel mode)
* User mode processes shall not be able to use OS APIs in order to mark modified addresses as 'valid address' unless the user process has the privilege to use the API.
* There should be a privilege which causes the OS to ignore invalid pointers and resume execution of a user process, in order to ensure that even very old programs (which use pointer manipulation without correct casting, etc.) can be used.
Unfortunately, there is almost no information on the net about hardware pointer protection, so you will possibly need to look into Frank Soltis' book "Inside the AS/400" to get very detailed information.
Inside the AS/400, Frank Soltis -
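The shadow-memory scheme sketched in the post above, as an added toy model in C that is not code from the post or from any IBM or Argus product: CALL tags the slot holding the return address, a plain data store clears the tag, and RET faults on an untagged address unless the process holds the legacy "ignore invalid pointers" privilege. The memory size, addresses and the 8-word buffer are constructed for the example.

```c
/* Toy CPU implementing the shadow-memory pointer tagging scheme from the post.
 * Added illustration only. Memory is 64 words; each word carries a 'valid
 * address' bit that only the CPU's CALL instruction can set. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_WORDS     64
#define CALLER_ADDR   0x2000u   /* legitimate return address (constructed) */
#define ATTACKER_ADDR 0x4141u   /* value an overflow writes over it (constructed) */

typedef struct {
    uint64_t mem[MEM_WORDS];     /* data/stack memory, one word per slot */
    bool     shadow[MEM_WORDS];  /* 'valid address' tag; kernel-only in the post's design */
    size_t   sp;                 /* stack pointer, index into mem; grows down */
    uint64_t pc;
    bool     fault;              /* invalid-pointer exception raised */
    bool     ignore_invalid;     /* the legacy-program privilege from the post */
} cpu_t;

void cpu_init(cpu_t *c, bool ignore_invalid) {
    memset(c, 0, sizeof *c);
    c->sp = MEM_WORDS;
    c->ignore_invalid = ignore_invalid;
}

/* CALL: push the return address and tag that slot as holding a valid address. */
void cpu_call(cpu_t *c, uint64_t target, uint64_t return_addr) {
    c->sp--;
    c->mem[c->sp] = return_addr;
    c->shadow[c->sp] = true;
    c->pc = target;
}

/* MOV of ordinary data: store the word and clear its tag, so data that lands
 * on a saved return address (e.g. via a buffer overflow) untags it. */
void cpu_store(cpu_t *c, size_t addr, uint64_t value) {
    if (addr >= MEM_WORDS) return;   /* keep the toy machine in bounds */
    c->mem[addr] = value;
    c->shadow[addr] = false;
}

/* RET: pop the return address; if its tag is gone, raise an exception
 * unless the process holds the 'ignore invalid pointers' privilege. */
bool cpu_ret(cpu_t *c) {
    size_t slot = c->sp++;
    if (!c->shadow[slot] && !c->ignore_invalid) {
        c->fault = true;   /* the OS would now signal or kill the process */
        return false;
    }
    c->pc = c->mem[slot];
    return true;
}

/* A vulnerable callee: 'bufsize' words of locals, an unchecked copy of
 * 'len' input words into them, then return to the caller. */
bool vulnerable_function(cpu_t *c, const uint64_t *input, size_t len, size_t bufsize) {
    cpu_call(c, 0x1000u, CALLER_ADDR);
    size_t buf = c->sp - bufsize;      /* locals sit just below the saved return address */
    c->sp = buf;
    for (size_t i = 0; i < len; i++)   /* no bounds check: len > bufsize hits the return slot */
        cpu_store(c, buf + i, input[i]);
    c->sp = buf + bufsize;             /* epilogue: discard locals */
    return cpu_ret(c);
}

/* One run with an 8-word buffer and constructed input made of ATTACKER_ADDR words.
 * Returns 0 = returned to caller, 1 = fault raised, 2 = control diverted
 * to ATTACKER_ADDR (only possible with the legacy privilege). */
int demo(size_t input_len, bool ignore_invalid) {
    uint64_t input[16];
    if (input_len > 16) input_len = 16;
    for (size_t i = 0; i < input_len; i++) input[i] = ATTACKER_ADDR;
    cpu_t c;
    cpu_init(&c, ignore_invalid);
    if (!vulnerable_function(&c, input, input_len, 8))
        return c.fault ? 1 : 3;
    return c.pc == CALLER_ADDR ? 0 : 2;
}

int main(void) {
    printf("4 words, tagging on:  %d (0 = normal return)\n", demo(4, false));
    printf("9 words, tagging on:  %d (1 = fault raised)\n", demo(9, false));
    printf("9 words, legacy mode: %d (2 = control diverted)\n", demo(9, true));
    return 0;
}
```

The third run shows the cost of the legacy privilege the post proposes: with tag checking ignored, the clobbered return address is used as-is.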
TSSHd
There is a derivative called "TSSH" (Trusted SSH) which comes with Argus-enhanced Trusted Operating Systems.
Trusted SSH is aware of TCSEC B1 security mechanisms (like Mandatory Access Control), Argus' privilege/authorizations concepts and ASN (Advanced Secure Networking).
You can find a short TSSH FAQ (mostly about its advantages over other commonly used SSH servers) here. -
REAL security [Re: Bash boy, bash]
We should not ask whether UNIX is or is not more or less secure than Windows NT, we should ask whether a specific derivative of UNIX can be made more secure than Windows NT can be made.
You are all mainly talking about application level security.
How many exploits are there on Windows NT - for IIS, for LANServer, for other NT services, for hacking the registry?
How many exploits are there for Linux - for Sendmail, for BIND, for telnet and even for SSH?
You mentioned OpenBSD, so let's take some look at OpenBSD. Its DEFAULT install is secure.
What about adding third-party software? What happens, when you've got Sendmail installed, and someone manages to hack uid 0 by exploiting some vulnerability in the Sendmail daemon?
All of these exploits are application level vulnerabilities.
The real problem with operating systems is that they highly depend on application level security. Even OpenBSD is NOT really a secure Operating System - it's just a really secure software distribution.
OSes themselves may not be vulnerable - but their highly privileged applications make them vulnerable.
However, for some derivatives of Unix and specific setups of Unices, this is no longer true, while for Windows NT/2000/XP it is still true - and that is why some Unices actually are more secure than NT, because their OS Kernels offer really strong security below the application level (user space).
Did you ever take a look at Trusted Solaris, at AIX/CMW, or at Argus' Pitbull for Solaris or AIX?
Sure, if some application is vulnerable to being exploited, it will still be vulnerable when running on one of these OSes - but it doesn't matter that much, because these Operating Systems are locked up from inside the OS kernel.
On 'normal' Unices, you simply attack some process, which has root privileges, and all system security is gone because of root's omnipotent superuser privileges.
On the OSes mentioned above, you do not run any process with root-like privileges, because you simply don't need to - instead, you've got a large set of privileges to allow some very specific privileged operations (like using a restricted port or changing the root directory), so what do you want to attack in order to get access to the Operating system itself?
On an Argus-enhanced Solaris box, for example, Sendmail would be running in its own compartment and with the PV_ASN_PORT privilege in its effective privilege set.
If someone would successfully attack Sendmail, he/she would...
a) ...be locked down into sendmail's compartment
b) ...probably lose all of sendmail's privileges when exec()'ing another binary, because the other binary does not have these privileges in its proxy privilege set
c) ...not be able to access configuration files, because they are probably protected by an integrity label
d) ...not be able to read secret information, because MAC's sensitivity label would not allow it
e) ...not be able to gain any further privileges, even if he/she could exploit highly privileged binaries, because these privileges are not in the session's limiting privilege set
Provided that these Trusted Operating Systems are correctly configured, the only way to hack into one of them is to attack the OS kernel itself.
So, how many exploits can you find for the Pitbull-enhanced AIX kernel?
More information:
Trusted Solaris
Argus Systems
kind regards from Austria,
octogen -
Argus Pitbull LX
Just to mention Argus Pitbull / Pitbull LX from Argus which is also available for Linux...
And... no I'm in no way affiliated with them... ;)
But I have to admit I attended an Argus Pitbull Training. ;) -
Re:ACLs on Linux?
ACLs are most commonly associated with Trusted Operating Systems (where TrustedBSD gets its name) ala the rainbow series of books.
The NSA's SE Linux has been covered here many times.
Also mentioned in the past is PitBull from Argus Systems (I work across the street from their offices) which stood up to the OpenHack III challenge a few months back. PitBull gives Trusted OS extensions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution.)
And Sun also already has a Trusted Solaris.
There's others as well.
It occurs to me that you might have meant is it a first to provide ACL support via Samba, in which case I apologize. This was of course already answered by someone else.
-- -
Just like Pitbull
Except free! After the recent demonstration at Openhack III, this looks like a really Good Thing. Now the kernel can do effectively the same thing
:) -
Most Secure Well Known OS perhaps...
OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premature to say that it's the Most Secure OS though. There are a number of implementations of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris from Sun and PitBull from Argus Systems Group.
Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull Argus Systems Group has begun giving it away for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.
None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than its B1 counterparts (which makes it more accessible, and more flexible). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...
Oh, BTW, there is a Trusted BSD project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
-- -
Use a Trusted OS.
Script kiddies don't have enough bandwidth to DoS a major provider, so they use rootkits to crack systems and then use the cracked system as a launchpad for their DDoS attacks, right? Well, maybe a solution is for companies to use a Trusted OS like Argus PitBull, Trusted BSD, (admittedly incomplete) OB1, Trusted Solaris, HP's virtual vault, or find a better match for yourself.
Why people use WinNT as a server platform is beyond me. Something like 65% of web-site defacements listed at Attrition.org are WinNT based. That's insane. Linux is something like 20%. I was very surprised at HOW MANY sites are hacked. The internet's infrastructure needs to be improved, sure. But how about securing your system properly?! Argus has even announced a Linux port for their products; it's the only TOS that I've seen even mention Linux. And, maybe someone should push the Linux Kernel developers to finish implementing the Capabilities and ACL stuff that at least partially exists in the kernel (or in patches); this would allow application coders to write non-suid programs that would still have some of the root capabilities (just the ones they need).
I'm not saying that the sys admins are to blame. These decisions are generally not simple technical ones. However, everyone needs to be educated about the products that are available to protect themselves and others (in the case of DDoS's). If you're a sys admin, educate yourself and pass it on to your boss. They may not get it, but you should at least try.
Just my $0.02.
$ flames > /dev/null 2>&1 -
Re:A good security question?
I'd love to do an interview on the subject. In honesty, I am new to /. and don't know how to go about doing that. I'll certainly look into it.
In regards to the change a single thing comment.
How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.
However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.
This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot of pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.
Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.
So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.
If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.
B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from each other completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.
To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutiness team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.
As always, I'm happy to answer more questions.
If anyone can give me insight on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc. -
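The sendmail compromise walked through in octogen's post above (outcomes a to e) and the least-privilege, label-based and network-label behaviour Jeff Thompson describes, as an added toy model in C. It is not code from either post or from Argus; apart from PV_ASN_PORT, the privilege names, the label values and the exact exec rule are assumptions made for the example.

```c
/* Simplified model of trusted-OS checks: compartments, sensitivity and
 * integrity labels, and effective/proxy/limiting privilege sets.
 * Added illustration with assumed semantics, not PitBull's implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;
enum {
    PV_ASN_PORT = 1u << 0,  /* bind a restricted network port (named in the post) */
    PV_CHROOT   = 1u << 1,  /* change the root directory (assumed name) */
    PV_DAC_READ = 1u << 2,  /* bypass discretionary read checks (assumed name) */
    PV_SETPRIV  = 1u << 3   /* hand privileges to other processes (assumed name) */
};

typedef struct {
    int       compartment;  /* the process may only touch objects in this compartment */
    int       sensitivity;  /* clearance: may read objects at or below this level */
    int       integrity;    /* may write objects at or below this integrity level */
    privset_t effective;    /* privileges usable right now */
    privset_t limiting;     /* session ceiling; never grows, caps every exec */
} process_t;

typedef struct { int compartment, sensitivity, integrity; } object_t;

typedef struct {
    privset_t innate;  /* privileges granted when this binary is exec()'d */
    privset_t proxy;   /* privileges the binary may inherit from its caller */
} binary_t;

/* Outcomes (b) and (e): effective set after exec. Inherited privileges survive
 * only where the new binary's proxy set allows, the binary's innate set is
 * added, and the session's limiting set caps the result. */
privset_t exec_privs(const process_t *p, const binary_t *b) {
    return ((p->effective & b->proxy) | b->innate) & p->limiting;
}

/* Outcomes (a) and (d): confined to its own compartment, and no read-up. */
bool can_read(const process_t *p, const object_t *o) {
    return p->compartment == o->compartment && p->sensitivity >= o->sensitivity;
}

/* Outcome (c): no writes to objects of higher integrity (config files, web pages). */
bool can_write(const process_t *p, const object_t *o) {
    return p->compartment == o->compartment && p->integrity >= o->integrity;
}

/* Binding a privileged port is a privilege check, not a UID check. */
bool can_bind_restricted_port(const process_t *p) {
    return (p->effective & PV_ASN_PORT) != 0;
}

int main(void) {
    /* Constructed scenario: sendmail in compartment 1 holding only PV_ASN_PORT. */
    process_t sendmail    = {1, 0, 0, PV_ASN_PORT, PV_ASN_PORT | PV_CHROOT};
    object_t  sendmail_cf = {1, 0, 2};   /* config file: high integrity label */
    object_t  secret      = {1, 3, 0};   /* data above sendmail's clearance */
    object_t  web_pages   = {2, 0, 2};   /* web server compartment, high integrity */
    binary_t  shell       = {0, 0};      /* shell spawned by a compromised daemon */
    binary_t  priv_tool   = {PV_SETPRIV | PV_DAC_READ, PV_ASN_PORT};
    /* Same admin account, labelled by the network it arrives from. */
    process_t admin_internal = {2, 0, 2, 0, 0};
    process_t admin_public   = {2, 0, 0, 0, 0};

    printf("sendmail binds port 25:      %d\n", can_bind_restricted_port(&sendmail));
    printf("sendmail writes sendmail.cf: %d\n", can_write(&sendmail, &sendmail_cf));
    printf("sendmail reads secret:       %d\n", can_read(&sendmail, &secret));
    printf("sendmail reads web pages:    %d\n", can_read(&sendmail, &web_pages));
    printf("privs after exec of shell:   0x%x\n", (unsigned)exec_privs(&sendmail, &shell));
    printf("privs after exec of tool:    0x%x\n", (unsigned)exec_privs(&sendmail, &priv_tool));
    printf("admin (internal) edits site: %d\n", can_write(&admin_internal, &web_pages));
    printf("admin (public) edits site:   %d\n", can_write(&admin_public, &web_pages));
    return 0;
}
```

Note that exec of the privileged tool yields only PV_ASN_PORT: its innate PV_SETPRIV and PV_DAC_READ are cut off by the limiting set, which is outcome (e).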
Re:A good security question?
You can obtain a free Trusted OS that sits on top of Solaris 7 (x86 and sparc) from the Argus Revolution. ISO CDROM images are available for download as well as an online store to order the media from if you like.
The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.
To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.
There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).
As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, military, and banks.
The whole point of the aforementioned Revolution is to raise awareness in trusted os technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted os's! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com -
B1 Linux in about a year
Argus Systems Group, Inc. has announced its intent to produce a Linux version of its PitBull compartmentalized OS. PitBull is a B1 certified, compartmentalized version of Solaris (currently Solaris 7) which I have used to much success. While all they have announced is an intent to produce a Linux version, the company moves fast enough that we might see something as soon as a year from now. This isn't exactly ideal, I understand, but in DoD time it isn't that far away.
--