Domain: commoncriteria.org
Stories and comments across the archive that link to commoncriteria.org.
Comments · 41
-
Since the article didn't mention it...
you can read about the Common Criteria here.
Unfortunately, the other site has been shut down. -
Re:Actions Speak Louder Than Words
Do you even know what the EAL levels mean??? I'll bet any amount of money you don't. Especially since you're touting an EAL4 piece of software as being better than an EAL2 piece of software. You see, EAL4 means an audit of your OS design methodology; the software itself is never tested by anybody except the developer at this level. That's right, the software itself need never even be booted up for an EAL4 certification. So you cannot infer that an EAL4 certified piece of software is provably and certifiably superior to an EAL2 piece of software, because that's not a part of the certification process at that level; it only certifies the development methodology and documentation.
Now, you want to impress me, show me an EAL7 certified operating system (i.e. formally verified design and tested). It's gonna be hard though because there are none yet.
Here, read this. -
Re:This is going to be pretty useless, most likely
Win2k server got EAL4+ based on the Common Criteria ISO standard. Hmm. That kind of makes me think the Common Criteria assurance levels don't really mean anything, and they exist solely for PHBs.
-
Re:Alright...?
Yes, but Linux certainly did not receive the "highest level of security evaluation," as the Reuters article stated. Oh, and if you want to know what the certification actually means, then you can read the Common Criteria.
-
Re:Cool ;-) IBM forked over the few million....
IIRC, it's about 9 million for an EAL7 test as it has the NSA certify all the source, compiled binaries, default configuration, and configurability. The hardware is also certified the same way, so that the OS is joined to the exact brand of chip. And EAL7 takes about 1-3 years of rigorous testing.
Well considering no OS has ever been evaluated to EAL7, I think you're wrong. Especially since you apparently have no clue what is entailed at that level. Hint: formal proofs of security.
I think the largest system certified to this level was a reimplementation of the first Intel 4004 based calculator (add, subtract, multiply, divide).
None are "user-tested." They have to be all evaluated at an approved independent testing lab.
The highest level completed is EAL4+ for an Operating System.
-
Re:Just wondering..
Common Criteria's CCPL (Centralised Certified Product List) - OS
and the NIST's Validated Products List (Operating Systems).
AIX 5L for PowerPC V5.2, Program Number 5765-E62
B1/EST-X, V2.0.1 with AIX, V 4.3 (Bull)
HP-UX (11i) Version 11.11
IRIX v 6.5.13, with patches 4354, 4451, 4452
IPSO 3.5 and 3.5.1 (Nokia)
Trusted IRIX /CMW v 6.5.13, with patches 4354, 4451, 4452, 4373, 4473
Solaris 8 2/02
Trusted Solaris 8 4/01
Sun Solaris Version 8 with AdminSuite v3.0.1
Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886
-
CC certification for that exact setup
The Common Criteria is about a standardized approach to security. The CC itself is not about the system security, just the general approach to the security. CC is also more about information security and information assurance; it is not focused on system vulnerabilities.
What does this mean?
It is basically just a bunch of paperwork to cover the a** of the civil servant who approves the computer system purchases.
You need to read the actual NIST docs about exactly what hardware the system had. The old NT4 C2 was a specific Compaq with no networking and no floppy drive, IIRC.
Then you need to look at what they claim to protect against. You can use a standard form-letter-like protection plan which says it won't get viruses or hacked as long as the system has no networking and no removable media, or you can use a protection plan which is useful.
This doesn't mean much in general, other than the usual misunderstanding and misquoting by sales people to management. It doesn't make any difference to Linux itself.
-
Re:Gads...an informed post on security and the CC
If I had to guess, the lack of documentation is probably the biggest reason why this was done at an EAL2+. This doesn't mean that the product is worse than Windows, it just means that the sponsor (IBM) wasn't willing to pay the extra money (for testing and document generation) required to meet EAL4+. As well, this is only a 1st step as IBM's press release says they will be going to CAPP/EAL3+ across the IBM eServer product line.
Keep in mind that currently it is fairly useless for a commercial organization to go after a rating higher than EAL4+. The Common Criteria Recognition Agreement (CCRA) does not yet support anything above this level. Thus if an EAL7 is achieved in Germany, it will not be recognized in the US.
-
Re:Just wondering..
TedCheshireAcad asked
If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?
No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the microsoft box - or the linux one - on the internet.
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
These lower level security evaluations don't mean much in terms of real security out on the big scary internet, i.e. the situation most of us find our machines in all the time. (This has been discussed on Slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predecessor of the Common Criteria.) This is the formal description of EAL4 in the official list of evaluation levels:
EAL4 - methodically designed, tested and reviewed
EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.
An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable. -
Highest Rating Possible is misleading!
Linux received its evaluation at a level of EAL2; according to the CC guidelines, this is "structurally tested" and means that it should "not demand more effort on the part of the developer than is consistent with good commercial practice"; applicable where "a low to moderate level of independently assured security" is required.
Windows 2K received an EAL4+, according to NIAP's evaluated product list; which is *supposed* to show it was "methodically designed, tested, and reviewed". This is probably about on par with the old Orange Book (TCSEC) C3 it used to have. EAL4 does "not require substantial specialist knowledge" and is the "highest level in which it is likely to be economically feasible to retrofit in an existing product line." It's intended that an EAL4 system shows "low-level design for the Target of Evaluation (ToE)"; with testing that supports "independent search for obvious vulnerabilities."
That being said, having an EAL2 or EAL4 will probably not get you into a job that involves holding classified data.
All of this is accessible from the CC website. -
Why not go to...
the Common Criteria web site and have a look? -
Re:Just wondering..
I was looking into this yesterday.
Basically, the "scoring" in the Common Criteria is based upon Evaluation Assurance Levels from EAL1 to EAL7. List of the levels here. After evaluation, products get on the CCPL (Centralised Certified Product List) here.
Apparently this is not a complete list, and Linux via IBM is not listed yet.
It is not on the "Products in Evaluation List" here either, so I guess they are updating their lists now. No product has a higher rating than 5 right now. Most products get a 4 or 4+.
The list is crowded by firewalls and all the "old UNIX derivatives" such as HP-UX, AIX, Solaris, etc. Microsoft got Win 2000 SP3. Cisco, Symantec, SecureLogic and Entrust also got products on the list. But one company is missing from the list... The company we all ehh love: SCO.
;-) -
Re:simple question for someone in the know...
Why, just a bunch of bullshit rhetoric.
What, you thought government certifications mean something?
It's just bureaucracy. If it means anything, it means the OS exists. Keeps them from buying too much vaporware. -
Re:Just wondering..
Check this list. As you can see, there are mostly *nix based systems and also Win2K listed as EAL4, and no, XP is not there!
-
Re:Just wondering..
You can get an overview at networkcomputing.com or at the Common Criteria web site.
-
CC4Linux
EAL2 != Security
CC EAL<n>
I would like to have EAL5 or better... -
Re:Just wondering..
Check out here: http://www.commoncriteria.org/
-
Over-hype - not highest rating possible
The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest. But, it's a great start.
IBM and SuSE say they're working on a higher level CAPP evaluation, which roughly equates to the old C2 TCSEC criteria. -
It must really be secure then...
I mean, look at all the other level 4 assurance level OSs here. Of course, Windows 2k has had this certification since last year AND Microsoft has prepared a nice guide for ensuring compliance to the Common Criteria guides for the Windows sysadmin. I'm very glad that Linux will be able to compete with Windows on a bureaucratic level as well as on technical merit, but perhaps there is a slight overreaction on the part of the /. editors? -
Re:common criteria
As I understand the Common Criteria specifications, EAL 4 is the highest level of security that can be achieved without becoming cost prohibitive.
This FAQ provides a good summary of the EALs, and says:
EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.
Anything higher involves stricter controls on the original development process, i.e. Microsoft would have had to go back and develop from scratch under a controlled development environment.
-
EAL4 Not so bad really
EAL4 is the level of assurance - how well the product implements the set of security features. Looks like this is a pretty decent level.
The set of features is (I think) the protection profile (PP). Not sure exactly what the PP is here - the press releases were rather vague, but it may be the commercial adaptation of the old military C2 (discretionary access control).
Before passing judgement, we need to know what the evaluated configuration looked like - what other software was included, what networking features were enabled, etc.
I suspect the reason Linux (or OpenBSD or FreeBSD...) have not applied for this is that it costs money. I'm sure MS paid SAIC a nice bundle for this work. A BIG difference between the Common Criteria and the old Orange Book evals. Under the Orange Book (the old C2), the gov't paid, the trade-off being that they took their sweet time doing the eval. Now we have private labs doing the work - more quickly, but there is always the issue of whether the payment biases the results.
FYI, here is what the Common Criteria says about EAL4:
EAL4 - methodically designed, tested and reviewed EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs. An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
-
Re:fips (and Common Criteria)
There are good certifications and bad certifications. Bad ones can be just bought (and addressed like: This product is secure, as tested by company X). But certifications like Common Criteria need a lot more work. If you are going to get e.g. Common Criteria level 4 (or above) certification you must provide the high-level and low-level design documents, tests, etc. to the certification body. They check all these and also create tests by themselves. Also, if you go beyond level 4, another party may test your product (like the NSA). You might also need to provide your source code (or part of it) to be inspected. In the case of the NSA, they probably don't use script kiddies :-)
With Common Criteria one must also carefully check the Security Target of the evaluated product. The ST identifies what was actually tested. Some products are only partially certified. For example, Checkpoint has only their engines certified and not the management system. Security Targets are publicly available documents.
I might say that you could rely more on products which are Common Criteria level 4+ certified than level 2 or plain 4. Although some people say that if a product is EAL4+ certified in the UK it is the same as EAL3 in the USA...
According to CommonCriteria.org only two firewalls are now under evaluation for EAL4+ in the USA. One is Sidewinder, but I think they have some problems with their evaluation since it has been going on for over a year now (see also their press release). The other one is Stonegate. For this there was no exact information when the evaluation was started, but IIRC it wasn't listed until this summer, or so.
-
If buildings were constructed the same as code ..
"The first ant to come along would destroy civilization in a day"
I don't know who wrote this but it's a standard article of faith(sic) in the IT industry.
The only case I can think of in which a vendor provides a meaningful statement that a system operates with a particular fitness for purpose would be systems evaluated under Common Criteria or TCSEC.
And these systems differ from the vast majority of operating software systems in that:
- Certification is made only wrt a specific hardware configuration
- In the case of A-level MLS systems there has been a formal proof of security
- B-level MLS systems require extensive design and audit validation
- None of the above necessarily guarantee the absence of coding errors / holes
So the current state of the art is "software is too complex to guarantee performance"; this is codified in commercial code and practice. What this means for now is that entities which use software cover themselves with insurance. (I have no idea what it costs to insure a commercial web presence.)
I think changing things to hold producers of commercial software and systems would be a good step. I can't see however how this would happen without forcing considerable change in the practice of software design and development.
Either technology and QA need to change, or software systems would need to become simple. Given the current set of assumptions it is effectively impossible to perform an analysis of any non-trivial code and determine that it is safe in the expected execution environment(s).
Simplicity sounds great on paper. At present there isn't a market for simple software that works with high assurance. (Look at the tiny market share for the BSDs.) Even the systems that run over unix-like / OSS show a degree of bloat that continues to push reliability out the window.
Prudence and solid engineering practice in operations dictate that we use the simpler / more robust tools in key locations. So BSD or secured versions of linux get deployed as firewalls etc, and critical application and database servers are run with various redundancies (clustering / failover etc), which effectively throws hardware at solving the software 'problem'
Which is just another name for insurance.
-
Re:Well, they may have a point somewhere in there.
You're correct about the risk, but the Government has strict standards that systems must adhere to, both when they go into production and when they are in initial development. The Common Criteria site has a listing of protection profiles that basically spell out all the requirements a system must adhere to in order to be considered 'secure.' In the Labeled Security Protection Profile (and likely the others...I'm only familiar with this one) there is a section that basically states that "the developer must use a content management system" and provide all documentation for how it functions, is administered, and how changes to the content are tracked.
In other words if any government group were to use an open source product or start one of their own they are still required to keep their copy of the source tree for the code under rigid, monitored control to ensure what happened to irssi and FragRoute could not happen to their project.
I'm not saying that CVS will be the total solution to this problem, but it's nice to see that they do have measures built-in to mitigate the risks. -
Re:Orange Book etc
If the EGOVOS announcement goes beyond vapor, CC may be in the future of Linux. For some reason though Slashdot just won't accept that as a story.
BTW, you might want to get a handle on the basic background of CC before shooting your mouth off. TCSEC is no longer accepting new products for evaluation, though those who started the old process can finish it. Common Criteria really means it now. Read the friendly website. -
Orange Book etc
Because someone always mentions DOD-5200.28-STD Trusted Computer System Evaluation Criteria ("Orange Book") compliance, let me just say by the time it would get round to being certificated as a proper defense-grade OS it will be hideously obsolete - the latest Micro$oft OS to be certified "secure" (hahahahah) is NT 4.0, which shows how long the process takes. Take a history trip and look at some of the Certified Products.
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics for the Intel platform?
:) -
Re:SCO is dead
Who needs another x86-based Unix at this point?
In Common Criteria environments, x86 Unix options are fading fast. -
Common Criteria
Is there even a remote chance that IBM would correct the remaining deficiencies and seek Common Criteria evaluation for some shape or form of Linux? I would love to use the Linux xSeries offerings as well as the 1300 series, but for some customers it is not an option.
-
Re:Read the end?
Some DoD projects require common criteria certification, it has replaced the old rainbow books. Damn fine idea to get the allies using the same standard.
-
Accepted security criteria
-
Common Criteria is a possibility
Closest is the international Common Criteria. It's the indirect descendant of the old military Orange Book (you know, C2 certified, etc.). The attempt is to come up with multiple standards for each security critical component. The components are evaluated against the standard. A higher rating means they meet the standard to a stricter engineering criteria.
Some sample standards (or "Protection Profiles") include proxy and packet filtering firewalls.
My sense is the folks overseeing the Common Criteria would like industry groups to sponsor Protection Profile development. For example, banks could come up with profiles for wire transfer components, ATMs, etc. The shipping industry could be another.
BTW, if you visit the Website, there is an interesting line of Common Criteria-branded clothing, for the geek who has everything! -
Re:Oracle's "Unbreakable" Database
These security companies are a sham (or at least should be ashamed).
Well, I can't speak for the others, but Common Criteria is not a company. It is a body of international standards intended to give everyone a common language for definition of security requirements, testing, and evaluating results. You can find more info about it here:
http://www.commoncriteria.org/
or more specifically the docs describing the Common Criteria here:
http://www.commoncriteria.org/cc/cc.html
A quote from the intro to the docs might help clarify:
"This multipart standard, the Common Criteria (CC), is meant to be used as the basis for evaluation of security properties of IT products and systems. By establishing such a common criteria base, the results of an IT security evaluation will be meaningful to a wider audience. The CC will permit comparability between the results of independent security evaluations. It does so by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation." -
Re:Critique
It is correct that some networks cannot even be 'integrated' due to their classification levels.
However, several classes of network products do exist, commonly called Trusted Network Separation products, that can be used to provide unidirectional communications between two gateways (i.e. the host machines on a low and high class network). These are sometimes called Data Diodes owing to the way they work.
These products are accredited for use within military organisations worldwide.
Data Diode information
Some examples of evaluated products -
Robert Hanssen wanted to work here.
This link is for a blurb about how Robert Hanssen (the recently accused spy) wanted to work at Invicta when he retired.
Invicta doesn't appear to have a website. Maybe because they don't have an IP address for search engines to crawl? How would that work, anyway? If it switches addresses all the time, how do you keep a connection open?
-
Re:Good first step
True, Linux can never be B1 (or any level) certified itself... It can, however, be B1 ready, with all the features needed to produce a B1-rated system.
Often, vendors refer to this as having "B1 functionality".
Before I go on, note that references to B1 are becoming outdated. The TCSEC is being superseded by the Common Criteria (see commoncriteria.org for details). In this criteria, there are protection profiles (generic statements of requirements), that are crafted into Security Targets for specific Targets of Evaluation. The TCSEC B1 rating is being replaced by the Labeled Security Protection Profile (see http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html). However, as with the TCSEC, a rating involves not only an evaluation of function, but an evaluation of assurance. This assurance includes design documentation, user documentation, installation instructions, and testing. These factors make it difficult to evaluate a generic Linux installation. The features could also complicate matters. For example, if FPT_SEP (in B1 parlance, System Architecture) is included, there is a requirement that the domain for the policy-enforcing portion of the OS must be protected. This is typically done by using kernel mode, and putting users in user mode. This is typically done on a specific hardware platform, so the platform must be known in order to perform the evaluation.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
There are few A1 systems, but some do exist. Usually, they are not full OSs, but narrower products such as network guards. You are correct in that they are prohibitively expensive to develop.