Domain: ncsc.mil
Stories and comments across the archive that link to ncsc.mil.
Comments · 127
-
Orange Book
If anyone wants to read up on just what is required to make B1, the entire Rainbow Series is online. The Orange Book itself is document 5200.28-STD.
Fair warning, it's ~250K and definitely not light reading.
© 2000 James Lanfear. All rights reserved.
-
Re:Current holders of big brother's seal
For those who might be interested, this is a listing of systems certified under the evaluation criteria, by order of rating. So, when do we see Linux there
No, but that's not the fault of the OS. They never even evaluated it, nor OpenBSD, nor FreeBSD, none. They've stuck with big name crap. Here's the list of products that have been evaluated. Interesting that NT, the OS of choice when it comes to r00ting servers, is high on the list of secure solutions. Blame the operator I guess..
-
Current holders of big brother's seal
For those who might be interested, this is a listing of systems certified under the evaluation criteria, by order of rating. So, when do we see Linux there ?
http://www.radium.ncsc.mil/tpep/epl/epl-by-class.html
-
Re:Isn't the Orange Book dead?
Yep, It's being replaced by the common criteria, a joint product of Europe, Canada and the US. It's just been recently standardized into an ISO. These sites should be public:
Common Criteria Project at NIST
Trusted Product Evaluation Program
-
Re:Auditing?
Whoops, that url was goofy. Try this one instead. Sorry.
--
-
Re:Not in the "know"
Check here.
Basically, it's a government standard for computer security. Most free unixes don't even come close.
This is partly because, as security increases, convenience decreases. A and B rated systems require hardware that's designed for security, and PC hardware isn't.
-
Re:Not in the "know"
You can find the full specs for C2, B1, and other security levels (the "orange book") online at http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html.
For other interesting books in the rainbow series, see http://www.radium.ncsc.mil/tpep/library/rainbow/.
-
Re:covert channels and mandatory access controls
This article probably doesn't interest most slashdotters, because the OSes that we use aren't designed to protect against these kinds of things. This, of course, stems from the fact that the situations in which we use our systems do not require us to segment our users and prevent them from communicating.
Actually, this doesn't affect most Slashdot users because the operating systems they use have such lousy security that there are far easier attacks than using a covert channel. This applies to all the UNIX variants and all the Microsoft products. (Yes, it does. If it didn't, there wouldn't be new CERT advisories every week.)
There are solutions to the covert channel problem, but people hate them. Applications have to be denied access to an accurate timebase, which means no clock with resolution finer than a second, introducing deliberate jitter into the CPU dispatching, and adding some random delay to I/O operation responses. Forget playing games or multimedia.
The big win is that in a system with mandatory security and covert-channel protection, even if a virus or trojan horse gets access to secured data, it can't get the data out of the box.
I used to develop secure operating system kernels for a DoD contractor. The current state of operating system security is worse than it was twenty years ago. Users will choose animated penguins over security. What passes for "computer security" today is mostly aimed at keeping amateurs from blatantly interfering with servers. And it can't even do that successfully. A serious attack is much more subtle.
In the DoD world, one worries about two main threats. The intelligence community worries about the attacker obtaining some information they have without an alarm being raised. The military worries about the attacker interfering with their systems at a time chosen by the attacker, probably at a key moment of a military operation. The attacker is assumed to have enough resources to duplicate the systems being attacked and to practice on them. There's also the assumption that physical and computer intrusions might be used together.
Enough rant for now. Go read some NSA evaluations of security products.
-
Most secure OSes
-
Windows NT 4.0 with Service Pack 6a and the C2 Upd
True, it is certified. But anyone interested should check the specs. Only on the Compaq Workstation and Server platform tested. And without IIS or other web server on the server side. No browser on the client, etc...
If you really, really wanted to provide NT in a C2 configuration, you could, but not without considerable effort, and at that the config would have severely limited functionality.
-
Some NSA secure system history
NSA has funded a long series of special-purpose secure systems, many of which are on the Evaluated Products List. Unfortunately, many of the more secure systems were developed for unpopular platforms, such as Wang, Unisys, and Data General hardware.
An A1 rating of a high-rated system is worth reading. This gives you an idea of what it takes to get it right. At the lower levels, it's easier; Microsoft NT 4.0 with service pack 6A plus a "C2 hotfix set" finally got a C2 rating (the lowest offered), after years of failed attempts. Microsoft had to use the new "outside evaluator" system to do it, rather than having NSA itself do the evaluation. The difference is that NSA only gives you two tries to pass. You can pay an outside evaluator to let you try again and again. NSA allows this at the lowest security level to encourage vendors to try to meet the minimal C2 requirements.
It makes a lot of sense for NSA to fund an effort based on Linux; they'll get something they can run on popular hardware. But some major kernel changes will be needed to get into the B levels. (NSA never had much interest in C-level systems.)
I've been out of that world for a long time now, but from 1978 to 1982 I worked on KSOS, an early NSA-funded attempt to build a secure UNIX-like OS. The original design was done at SRI International, and we at Ford Aerospace implemented it. It eventually worked, but was too slow. It was for PDP-11 machines (0.5 MIPS, 64K address space per process), and was implemented in Modula I, since C was considered unsafe even back then. The combination of an inefficient Modula compiler and a small address space ruined the thing; we had to cut out speed optimizations to make it fit. This was one of the first systems designed against the Orange Book criteria, which, incidentally, started life as Grace Nibaldi's master's thesis.
BSD Unix, incidentally, was viewed as hopeless from a DoD security standpoint. The kernel was far too complicated. A rewrite in Ada was considered in the early 1980s, but rejected. The DoD view at the time was that BSD was a dead end, and Mach was the future. They wanted something at least as secure as Multics, which was a system from the late 1960s rated at B2 in 1985. But that's another story.
-
Re:Finally they open their eyes
Does anyone ever read old stuff here? Here is some more anyway.
Evaluations against TCSEC, ITSEC and Common Criteria may well be working to an obsolete model of the environment, but if anyone can point to something better I would be glad to see it.
I just searched BUGTRAQ for SCO CMW+ - the one I mentioned - and it said "No matching vulnerability found." There were vulnerabilities for other SCO offerings.
I also just checked the TCSEC EPL as well as ITSEC and I can't find any DGUX rated B1 or equivalent (highest is C2).
On the subject of 'xploits' it is not until B2 that "The TCB shall be found relatively resistant to penetration", and B3 that "The TCB shall be found resistant to penetration".
One side effect of the search was that I found that NT4 (with SP6a and C2 update) is "... rated C2 by NSA ...[read the caveat for yourself]..." dated November 1999.
-
Bzzt! Wrong!
Try this link Sammy and learn. Class D is basically no certs and Class C1 is slightly less secure than C2.
Man, this from 5 minutes of searching. People should know better.
-
Linux
I don't know that Linux has ever been officially evaluated. It's not on the list.
Here is the list stating all evaluated programs ever.
It's interesting to note that Trusted Irix got a B1 rating... hmmmm....
-
Service Pack 6a
Did anyone else notice that you needed service pack 6a AND a hotfix? Seems to me this means that before those fixes MS was failing the test.
I for one had thought that MS had just given up on C2 for NT4, but apparently they were trying for all these years. Wow.
They also never said that it had passed. "Windows NT 4.0 has been evaluated at the C2 level in six different configurations." They never say they got it passed (they do point out that passing would involve evaluation of physical security and administration procedures).
The TPEP Evaluated products by vendor page only shows NT 3.5. Perhaps it hasn't been updated yet.
-
Re:Books - The best books to get a geek...
The National Computer Security Center (NCSC) says they no longer distribute hardcopy. You can get a CDROM current as of 10/1999 though...
http://www.radium.ncsc.mil/tpep/library/hard-dist.html
Or you can D/L them (Not as impressive though)
http://www.radium.ncsc.mil/tpep/library/rainbow/
-
NT4 rated E3/F-C2 but what does this mean?
All the evaluations against TCSEC (Orange Book) are explicitly stated to be "when installed as prescribed" in the Evaluated Products List. Just because typical use of NT is less secure than typical use of Unix, this does not mean that NT cannot be configured and used securely enough to pass. I don't usually work as root on Unix, but I usually (on my workstation always) work with Administrator rights on NT - this is crazy, but that's just how you get your work done.
Note also that for NT they went for E3/F-C2 rather than the E2/F-C2 that the ITSEC says is intended to correspond to TCSEC class C2, and this brings in things like having to provide the evaluator with "Source code or hardware drawings for all security enforcing and security relevant components".
Under the TCSEC you did not have to show that a system was "relatively resistant to penetration" until B2 (corresponds to E4/F-B2) and ITSEC does not seem to have anything like this phrase - perhaps because it is meaningless and there is no way to test for something so vague. Passing the E3/F-C2 level of evaluation does not mean there are no ways to break in, and this is just as true of the Unixes that have been evaluated as it is for NT.
Another thing to note is that at least one version of Unix has been evaluated at the less stringent E2/F-C2, and many have not been evaluated at all.
Passing the evaluation is not really anything to boast about, but failure would have been embarrassing.
-
Microsoft has done this before [Amended Version]
I think you're referring to C2 certification. This is something that is supposed to be required of government machines. It doesn't just certify the software, but the "platform", meaning the software on a particular hardware setup. There were 3 platforms that were certified using NT 3.51. I don't remember what hardware. You are correct though that they were only certified as non-networked machines. If you connect them to a network, then they do not meet the security criteria.
Microsoft has touted NT 4 as being C2 certified as well. See this story about Ed Curry, a Microsoft consultant who tried to blow the whistle on them for this lie. Here is where you can read the summary of the NT certification. Note these lines:
Because the evaluated configuration does not include a network environment, both products are considered stand-alone workstations.
A network configuration of the Windows NT platform is currently pending evaluation agreement.
This implies that NT was supposed to undergo testing in a networked environment. Since certification was never granted in this case, one can assume that either the testing was never done, or NT did not pass the tests.
Unfortunately, the C2 certification requirement has not been enforced. It's kind of sickening to watch the government wring its hands and rant about the coming "digital Pearl Harbor" when they have screwed themselves and the rest of us through their own corruption. They pay Microsoft (and various OEMs) for machines that don't meet their own security standards. How insane is that? As far as I'm concerned, the idiots who chose Microsoft software for the servers should be tossed in jail for treason. They knowingly, or through their own incompetence compromised the security of our country's computer systems. Even though most of the most secure servers are probably not running Windows, there are enough that crackers can break into all sorts of government installations. If the government is so concerned about security, you'd think they'd start purchasing only securable machines. Just another symptom of a government that can't find its ass with both hands.
-
C2, Rainbow docs
There seems to be some confusion about C2 status.
The document providing the (unclassified) definition of C2 security rating is in the Red Book. Certification is not cheap, from what I have heard.
N.B., these certifications are intended for specialized use. E.g., placement in critical systems on warships. Hence the story about how a Navy ship was crippled for hours due to an NT error. (Well, they now claim it was a data entry error, but it's a pretty poor OS which goes down for the count on a simple divide-by-zero error in an application.) I think the government is now starting to use a related certification for all computer purchases... but they've had to waive that requirement since NT lacks it.
Read the document (if you can) and ask yourself how NT and Linux compare in actual use. Unless you're installing a system on a military base, that's all that really matters. There are some pretty common Unix security errors, but once you nuke all of the "trust-based services" (rcp, rsh, etc.) and run crack as a weekly cron job things are reasonably secure. NT, in practice, tends to be wide open... and attempts by the MIS department to tighten security leave everyone unable to do their work while still leaving countless gaping holes.
-
That's why sensitive computers are not networked
Orange book rules (or is it red book)
I believe it's the Orange, and IBM seems to have the redbooks ... ;-)
Actually, it would in fact be the red book since it's network related. Of course, this will soon be irrelevant because the Rainbow Series is being superseded by the Common Criteria for Information Technology Security Evaluation (CCITSE).
-