UPDATED: SGI B1 Linux Patches
jd writes, "It's been rumoured for some time, but no code was shown and no announcements were made. Well, they actually did it. The first drop of the necessary code to bring Linux to B1 standards is on their Web site. The code is essentially a rip of their IRIX code, and isn't fully Linuxified, yet, but it's all there and ready." Update: 04/12 05:52 by E : We got mail from Richard, who maintains these pages... He says: "It is true that SGI are working on making Linux C2/B1 as anyone who has been to a SGI Linux University event will attest, and we are working with a number of others to that end. But to say that we have released a patch for Linux is very misleading and is setting expectations way above what is currently available." So, take this with a grain of salt.
I'd rather try one of those military food patches
hehehe
you turd, think about it. Linux may get certified, but that will be only one specific distribution. Since all "linuxes" are different, they can't all have the same security rating.
"Cram it"
That's IPO syndrome, not the bandwagon hitting a wall. The bandwagon is still there, still plodding forward at the same rate as before the IPOs. Just without the fresh money and IPOs that the idiots out there want, the bandwagon isn't gaining much attendance. Doesn't mean the Linux sector (come on, Linux doesn't deserve a fucking SECTOR of the economy) is dead and buried.
True, Linux can never be B1 (or any level) certified itself (neither can NT be C2 certified, contrary to Microsoft's marketing). It can, however be B1 ready, with all the features needed to produce a B1-rated system. Then, VA Linux Systems or Penguin Computing can produce and sell a truly B1 (or C1, for that matter) certified system. That would be a very nice thing to happen.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
Orange Book criteria are completely obsolete. Read up on Common Criteria
SGI SCSI host adapter has a SCSI ID of 0, so make sure the hard disk is jumpered for ID 1.
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
One more thing to silence the FUD.
--
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Back in the 80s I had an (unclassified) summer job for a UK government agency which did a lot of secure stuff. One of their core security policies was the "high water mark" policy, which said that a physical document could only go up in classification, never down (although it might be possible to get permission to make a less classified document with the same contents). For paper documents this is really sensible: it is NEVER acceptable to have a document with SECRET crossed out and CONFIDENTIAL written in, for instance. The problem came when they (a) applied this to magnetic media and (b) treated entire physical (hard) disks as single documents. This meant that if a disk had ever had 1 byte of TOP SECRET information on it, then the whole disk, forever, was TOP SECRET. The inevitable result was that disks slowly migrated up the security levels, and there was always a glut of TOP SECRET disks and a shortage of unclassified ones. The surplus TS disks were eventually taken out, hit with a hammer a bit and chained to the wall at the back of the computer building, as no one had yet approved a method of disposing of them.
Sorry for taking your joke seriously.. I just don't understand the value of making a system secure by making it practically useless.
You're well out of date. NT 4 got a C2 evaluation (with networking) in Dec 99.
Why wouldn't we want to release the source ?
Security through obscurity isn't....
You cannot be serious.
If you don't have source you're gambling that I (as a developer of closed source/proprietary protocols) am smarter than every cracker out there ?
Even I won't take that risk...
Trusted IRIX is standard IRIX with some extensions, many of which are guarded with:
if
i.e. An IRIX kernel already has much of the code to do this, it's just not executed unless you install some extra stuff on the system.
There is folly and foolishness on the one side, and daring and calculation on the other. - Admiral Pellew, Hornblower
It's the same thing, but B1 is better than C2. IIRC, higher numbers and "lower" letters are better ( A > B > C, 1
Well, you're right of course. But then the human element is always the weak link in any security system. However, it doesn't just apply to text, it could be graphical data, formulas, whatever. And having to manually transfer whatever you're copying could be a long-winded process, so slowing things down by eliminating a quick cut'n paste does have value.
Yesterday I only skipped quickly over the mechanisms a CMW X session and GUI have to implement. It's more involved than I described (I only wanted to give you a taste). In addition to windows having SLs, the root window has a label with a security level attached to it. So does the keyboard and so does the mouse. There is also another set of labels called ILs (Information Labels) which change according to whatever data is being viewed at the time. Restrictions can be placed on how ILs are manipulated too.
The point I was trying to make is that working in this kind of environment is a whole new ball game compared to C2 or traditional Unix security, even from a user's point of view. GUIs need to be modified so that they are aware of all these mechanisms and follow the restrictions they impose. The standards that define how a CMW workstation operates also dictate that the SLs and ILs present for different elements of the screen are also displayed (and often colour coded: Red for Top Secret, Green for Unclassified, etc). So the window manager has to display this, not just for the window, but also pull-down menus, dialogue widgets, the lot.
I've not seen this implemented in a GUI file manager yet. That would be quite a challenge I'm sure.
Macka
Exactly. We use everything from very high-end Origin servers to desktop O2s. For one project, everything is server-side Java (no graphics involved). Even with a 4 processor behemoth like the Origin, Java is still quite slow compared to the same code running on a small Win box.
As far as graphics goes, SGI still has to make decent device drivers for their own graphics hardware. We have some applications that require Octanes (very expensive) because the O2 can't handle the power we need. A $10K computer can't handle it! And SGI wants to push us to Linux? Make some damn drivers!
I can care less about what OS I use. Give me power, hardware support, OpenGL and Inventor and I am golden. We have started to use NT because the graphics support on Windows has really improved.
--Ivan, weenie NT4 user: bite me!
--weenie NT4 user: bite me!
"Computers are nothing but a perfect illusion of order" -- Iggy Pop
There is nothing holding up XFS. The source has been released, any legal disputes have been squashed. Won't matter a little bird turd if they want to buy it to resell it or not.
I think this announcement certifies SGI's commitment to Linux. They've open-sourced many of their key proprietary IRIX features.
Many of you seem confused by what this announcement means. It gives us the ability to make Linux B1 certified on specific hardware, in a networked environment, etc., etc. Microsoft may tout that Windows NT4+SP6a+C2patch is C2 Certified, but it's that system in that network configuration that's certified, not all generic systems and configurations; just the ability to achieve C2 certification exists... and that's what SGI wants to provide.. the ability to make Linux B1 certified.
I don't know much about the certification process but this is a great step forward for adoption of Linux in government systems (maybe now we'll have a reliable, SECURE Government that has no IT excuses left except their incompetence:)
Regards.
See this for the REAL requirements.
Notice that you have to be able to MATHEMATICALLY PROVE your system specification is secure in order to be certified A1 secure. That's a pain.
Congratulations, you have murdered Slashdot by bowing to corporate pressure and introducing subscriptions
... chock-a-block full of TLAs (three letter acronyms) makes my head swim. I'm left wondering how scalable this system would be. I can see it working in a tight, dense human network where there are enough closely coordinating and communicating entities to determine access levels and policies, apply classification of information into categories, and a regulatory/punishment system for violations. Does this translate well into the rather haphazard nature of the Internet? Just like military style firms (where do you think chief executive *officer* comes from) are a hangover from the industrial age, perhaps we need to rethink the whole idea?
....
Perhaps the underlying model has some fundamental constraints on growth? I'm reminded of the genetic case where bacteria which have complex regulatory gene expressions (think a switched network of proteins activating different stages) have a size limitation of 10 megabase pairs. Beyond that the conflicting signals seem to inhibit any higher level functions. The example that I can think of is that person A can look at kernel code, but not the part with patent X, unless they sign an NDA with company K, which is waived if they are no longer competing with company L, etc
Are there other ways of looking at the problem? Kerberos has a ticketing system which is essentially a time-to-live mechanism. Perhaps a commercial implementation at file level could be based on the half-life of information? How long is it before a piece of information becomes commercially irrelevant? And then check thresholds (refreshed periodically) across a range of keys to see the probability that such access violates a critical temporal mass (i.e. if viewing too many sensitive documents at once, could be an indication of someone faking a download).
Perhaps then it would shift the paradigm of information control away from fine-grained permissions (human intensive) towards detection of unusual patterns of activity (AI intensive).
LL
A1 likely involves a secure processing facility, an optical network diverter, and no doubt some heavy-duty Electromagnetic Airlock trapping. It most likely involves an entryway lined with 2 lead doors and a right angle somewhere. Tempest hardening is illegal though. I suppose the A1 is for military computers only.
To me it's how steak is done.
Lowmag.net
A1: an unplugged computer, locked in Fort Knox. Even Windows can achieve that.
Lowmag.net
SGI released the B1 stuff a long time ago. I've had a copy from cvs on my system for months now. It's interesting code. But uh... K&R C? I'll leave you to form your own ideas.
The B1 certification, other than requiring years to be issued, only certifies a given system with a given hardware and a given configuration.
This means that even the same distribution on the same hardware with only a slightly different configuration is no longer B1. Even worse for different distributions, which may offer the same functionality but using slightly different ways to do so.
There is really little use for this kind of certification in the real world, other than for throwing marketing hype at clueless customers, and it just raises a false sense of security.
Anyway, SGI's involvement in writing security patches for Linux deserves gratitude. They are working a lot (and somewhat quietly) to really offer interesting solutions for security, debugging, efficiency. I hope some of their ideas will be incorporated in the main source tree (and not just XFS - when it will be ready for prime time).
My 0.02 Euro.
If the GPLed XFS is from SGI then SGI can relicense it under any terms they want. Anyone stupid enough to buy it though would just be an idiot.
Someone trying to sell Linux to a security conscious site would need to independently get certified. You can't certify a particular program or OS or piece of hardware as B1/C2 certified. It requires complete validation of the whole package. Change the ethernet card and you have to recertify the whole shebang.
Wish someone would put that phrase to rest. The truth of the matter is that if you don't know where the weaknesses are then you can't exploit them. You suddenly have to do a ton of probes looking for possibilities and thus you ring a lot of alarms to a watchful admin.
The sentinel utility I wrote is essentially a tripwire clone with MD5 signatures replaced by the more secure RIPEMD-160 algorithm (and patent free to boot). Download at http://zurk.sourceforge.net or http://zurk.netpedia.net...also on freshmeat.
Mandrake 7.0 uses postfix by default...
WRONG.
Here's the link:
http://www.radium.ncsc.mil/tpep/epl/entries/TTAP-CSC-EPL-99-001.html
SAIC's Center for Information Security Technology, an authorized TTAP Evaluation Facility, has performed the evaluation of Microsoft's claim that the security features and assurances provided by Windows NT 4.0 with Service Pack 6a and the C2 Update with networking meet the C2 requirements of the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) dated December 1985.
It's a common misconception that networked configurations cannot be C2-compliant. That's incorrect. C2 does not address networking. As long as the introduction of networking components does not break anything else that is required for C2 compatibility, then the system is still certifiable as C2.
What'cha smokin' dude? :-)
From their "Future Goals" page:
"Some day, if ever: Meet B1 security requirements. Now that MAC categories and secure delete are implemented the way has shortened, but it is not really urgent though, since Orange Book is far out of date. "
Sigh...
SGI already has B1 in 4.0. They are currently in the evaluation process for the current OS, 6.5.x.
This is just simply untrue. B1 requirements above the C2 auditing requirement are Mandatory Access (don't even need ACL's or CAPabilities).
MAC labels can easily be added to the task struct and file system checks added at the VFS level. Kernel done. Then add MAC to a file system like ext2 or use SGI's XFS when it's done being ported. Instant B1 support.
Darn nay-sayers!
If we build it, they will come...:-)
Actually...it is true: a B1 certification is only good for the exact configuration it is done on. However, getting that cert. does mean that Linux can claim to 'have' B1 security, just not cert'ed. Of course anyone can claim C2 or B1 security features (i.e. Solaris) and never have been certified.
Um...IRIX 4.0 was certified B1. It didn't have capabilities (privileges)-- just root. It met DoD criteria for B1.
The biggy for B1 is MAC, not capabilities or ACL's.
-l
CAPP and LSPP are where it's at! CAPP = Controlled Access Protection Profile, LSPP = Labelled Security Protection Profile. Both of those are defined under the "Common Criteria". Those 2 protection profiles supersede C2 and B1 (and are supposed to be equivalent). To see the 1999 version of DoD requirements, check out http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html
Postfix as a drop-in Sendmail
:) Hmmm... A UW2 SCSI card that encrypted everything going in and out of any particular device(s) (configurable so you could read unencrypted CD-ROMs, etc) with 3DES or Serpent would rock (the onboard BIOS prompts you for a passphrase at boot time, hashes it and uses it as a key). Wonder if you can get something like that... [fires up Google]
Can anyone tell me why RH (and most other distros) still ship with only sendmail? I can understand that it's useful on big sites, but it would be nice if something a little smaller and more secure (like qmail) was available in the distro.
install the re-freed Tripwire (or a clone)
Are there any free (aka GPL or BSD licensed) Tripwire (or clone) versions out there [I hadn't heard that Tripwire was in any way free...]? I was thinking about doing a BSD licensed version for fun sometime this summer, but if they already exist I'm not sure if I should bother.
encrypt all but your boot partition using Serpent
Or if you've got the cash, buy a card that encrypts the stuff in hardware.
Wasn't NT 4.0 C2 certified with a network connection just a few months ago?
With large organizations that require some security certifications on their books (read: governments) this kind of certification is a crucial plus on our side.
Eventually, more people will use Linux because of the certification. And it is the ultimate source of improvement I can think of.
By circular, I meant that your reason for why FreeBSD was better than OpenBSD was because FreeBSD was written by a guy who writes FreeBSD. :)
"Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)
2) more importantly, it's from a major contributor to FreeBSD.
1) What type of security issues?
2) Circular reasoning isn't valid.
"Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)
I'm not sure about that Celeron part, they are already shipping with Xeons & PIIIs. For MIPS.. well they are starting to move away from them since they are excellent chips but are not increasing performance numbers as fast as others (Intel).
I do know that there is a port going on right now that works (without X windows that is, way too much proprietary info about graphics required). Check out linux.sgi.com which looks old but get on the mailing list for much newer stuff.
You've got a termination problem there, also if your root drive has not been formatted properly your miniroot will hang.
I work for a large federal agency where we're supposed to be C2. We're also mandated to use NT as our *only* OS for anything below certain minis and our mainframes. (Luckily, I work in an excepted function.) Sometime back, when it finally became clear that NT couldn't be certified C2, the powers-that-be simply issued an edict that NT had (and this is a precise quote) "achieved C2 functionality." In non-government language, that roughly translates to "we hafta use it so we're pretending it's OK."
:-)
As another poster has said, ya gotta love the government sometimes. Who else can simply change the rules when they become inconvenient?
It helps, of course, that our CIO apparently bows and prays to Redmond thrice daily.
Well, maybe it won't run but how long before someone takes this up to give linux a real security rating (bet it's quicker than M$ managed).
Never underestimate the dark side of the Source
SGI is no longer promoting IRIX for anything other than its very high end systems. The school I go to has an arrangement with SGI, so most of the major servers, including the multiuser login machines, are SGIs running IRIX. On the very high end machines, i.e. the R12000s with multiple processors, they are still advocating IRIX but for the generic workstations and lower end servers they are promoting Linux. They have basically decided that all these fractured Unixes are a bad thing and to try and phase one of them out. Now if only the rest of the major manufacturers would decide to adopt this policy, Linux would really go mainstream.
"You can't fight in here! This is the war room" --Dr. Stra
hehe but if you'd left out the sentence about the sun, I would have found it possible these kinds of actions DO take place in the US :))
;)
a well... perhaps we see too many US movies in europe
--
Never underestimate the relief of true separation of Religion and State.
You don't. However, someone trying to sell Linux to a security conscious site does need it. B1 should allow system integrators to start using Linux, thus furthering the march towards World Domination.
A well-crafted lie appears unquestionable - Dama Mahaleo
I think it would be interesting to see how Linux would handle it. While most of us would have no use for it, I wonder how many Universities and Colleges are going to pick up on the SGI B1 release. I think it'd be great to see it popping up and being used. While I love using the IRIX cluster at PSU, I think it'd be great to have an Alternative Linux (with B1 security of course) running for students to work on projects also...
------- What exactly is real?
Imagine being able to run all your daemons in protected spaces. So -what- if Sendmail gets cracked? It can't -touch- anything outside of its private universe.
Mostly, I agree. What you mention already exists in FreeBSD v.4.0; the jail() process command. Jail() sets up a separate isolated area of the operating system that is accessed by IP address, not through the normal local methods. Because of that, breaking into a jail()ed process won't get you much.
(I really want this under Linux. So much so, I'm installing FreeBSD just to try it out!)
If you add integrity checks to the jail()ed process, when it does get exploited -- and you should always plan that your daemons will get exploited -- you'll know it.
To clean the system, you can swap in a waiting jail()ed process by changing IP addresses. If you want to monitor the intruder, you can...and they won't know you are tracking their movements!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I care. Working as a sysad for a large DoD contractor, I would love to be able to push for Linux systems on the network. There is a strong push to move UNIX workstations and servers to NT from the powers that be while the actual sysads are coming to favor LINUX systems. But they will never get to voice that option without some kind of security review and approval. (By the way, the NT boxes get to be on the networks by hiding behind VPNs)
The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.
To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.
There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).
As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, military, and banks.
The whole point of the aforementioned Revolution is to raise awareness in trusted OS technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted OSes! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com
I attended the Linux U in Seattle a couple of weeks ago and the reps said something about the Linux release being on the Celeron sometime in July 2000. The kernel will be 2.6 but one dude said it is a version of Irix 6.1. SGI is contracted with Intel on this and it is supposedly highly scalable.
-- Defenestrate Microsoft!
I attended the Linux univ. at Seattle a coupla weeks ago and one of the reps said the SGI/Linux will not be configured for the MIPS. The platform will be Intel Celeron and is a version of IRIX 6.1 that is open source. I also have a few questions about the Indy I have. Can anyone tell this foolish youngster how to configure a Quantum Viking 4.5 HD on an Indy? I had the Seagate take a dump on me and replaced it with the Viking. The Indy is SCSI-2 fast and the Viking is UW2. I used a somewhat cheesy adapter and now my Indy sees 5 HDs instead of one. I think mebbe a termination problem? The websites don't seem to have the info I need and SGI wants megabucks to answer my questions. The Indy now will not take the miniroot and cannot install the OS, IRIX 6.2. Dammit. It did seem to accept fx to config and partition but will not run inst. Please help! My E-Mail is madmaxwilliam@netscape.net
-- Defenestrate Microsoft!
Thanx man, That solved the problem in about 5 minutes of fucking around. Y'all were a big help.
-- Defenestrate Microsoft!
Actually, this is only true for multilevel devices. There can be single-level devices that are labelled externally (with paper labels). These require procedural controls to ensure that the labels are proper; the operating system enforces the restriction that only data whose label is dominated (i.e., less-than-or-equal to) may be copied to the device (some systems choose to enforce an "equal" policy, which is stricter).
Often, vendors refer to this as having "B1 functionality
Before I go on, note that references to B1 are becoming outdated. The TCSEC is being superseded by the Common Criteria (see commoncriteria.org for details). In these criteria, there are protection profiles (generic statements of requirements) that are crafted into Security Targets for specific Targets of Evaluation. The TCSEC B1 rating is being replaced by the Labeled Security Protection Profile (see http://www.radium.ncsc.mil/tpep/library/protection_profiles/index.html). However, as with the TCSEC, a rating involves not only an evaluation of function, but an evaluation of assurance. This assurance includes design documentation, user documentation, installation instructions, and testing. These factors make it difficult to evaluate a generic Linux installation. The features could also complicate matters. For example, if FPT_SEP (in B1 parlance, System Architecture) is included, there is a requirement that the domain for the policy-enforcing portion of the OS must be protected. This is typically done by using kernel mode, and putting users in user mode. This is typically done on a specific hardware platform, so the platform must be known in order to perform the evaluation.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
There are few A1 systems, but some do exist. Usually, they are not full OSs, but narrower products such as network guards. You are correct in that they are prohibitively expensive to develop.
No. Product evaluations do not consider the location, physical access and environments, although certification and accreditation does. There may be assumptions in the documentation about the environment, however.
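The label rules discussed in this thread (MAC labels carried on the task struct and checked at the VFS layer, the dominance rule for copying data to a single-level device, and the "high water mark" rule that only ever raises a disk's label) worked through as an added Python example. This is not code from SGI, Trusted IRIX or any poster; the Label, Task, Inode and Device names, the level ordering and the sample labels are constructed stand-ins for the kernel structures.

```python
"""Constructed example of a B1-style sensitivity-label lattice and the checks
a MAC-enabled kernel would make with it. Names and values are illustrative."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# Ordered sensitivity levels (constructed; a real system defines its own).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one level plus a set of compartments/categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound of two labels (max level, union of categories)."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.categories | other.categories)


@dataclass(frozen=True)
class Task:
    """Stand-in for the subject: the label a kernel would hang off the task struct."""
    name: str
    label: Label


@dataclass(frozen=True)
class Inode:
    """Stand-in for the object: the label a labelled file system stores per inode."""
    path: str
    label: Label


def vfs_may_read(task: Task, inode: Inode) -> bool:
    """Simple security rule ("no read up"): the subject must dominate the object."""
    return task.label.dominates(inode.label)


def vfs_may_write(task: Task, inode: Inode, write_equal: bool = False) -> bool:
    """*-property ("no write down"): the object must dominate the subject.
    write_equal=True is the stricter variant that only allows equal labels."""
    if write_equal:
        return task.label == inode.label
    return inode.label.dominates(task.label)


@dataclass(frozen=True)
class Device:
    """A multilevel device stores a label with each object; a single-level device
    carries one externally assigned (paper) label that covers everything on it."""
    name: str
    label: Label
    multilevel: bool = False
    equal_policy: bool = False  # stricter "equal" rule for single-level devices


def may_copy_to_device(data: Label, dev: Device) -> Tuple[bool, str]:
    """Decide whether data labelled `data` may be copied onto `dev`; the reason
    string is what an audit record would carry."""
    if dev.multilevel:
        return True, f"{dev.name}: multilevel device, label travels with the data"
    if dev.equal_policy:
        ok = data == dev.label
        return ok, f"{dev.name}: equal policy, data label {'matches' if ok else 'differs'}"
    ok = dev.label.dominates(data)
    return ok, f"{dev.name}: device label {'dominates' if ok else 'does not dominate'} data"


def high_water_mark(disk: Label, writes: Iterable[Label]) -> Label:
    """The disk's label after a sequence of writes: it only ever goes up."""
    for w in writes:
        disk = disk.join(w)
    return disk


if __name__ == "__main__":
    analyst = Task("analyst", Label("SECRET", frozenset({"NATO"})))
    conf = Inode("/data/conf.txt", Label("CONFIDENTIAL"))
    ts = Inode("/data/ts.txt", Label("TOP SECRET", frozenset({"NATO"})))
    print("read conf:", vfs_may_read(analyst, conf), " read ts:", vfs_may_read(analyst, ts))
    print("write conf:", vfs_may_write(analyst, conf), " write ts:", vfs_may_write(analyst, ts))
    tape = Device("tape0", Label("SECRET"))
    for lbl in (Label("CONFIDENTIAL"), Label("TOP SECRET"), Label("SECRET", frozenset({"NATO"}))):
        print(lbl, "->", may_copy_to_device(lbl, tape))
    print("disk after writes:", high_water_mark(Label("UNCLASSIFIED"),
                                                [Label("CONFIDENTIAL"), ts.label, Label("SECRET")]))
```

Note that a SECRET device does not accept SECRET/NATO data: dominance needs the categories as well as the level, which is why the compartment sets matter as much as the colour-coded level.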
Ian Bicking wrote:
I get the impression they can't, because the certification includes the installation.
My understanding is they could produce a standalone certified system, and offer a service where they install and have certified a network system. It would be expensive though. I could be very wrong, since I've never been involved in such a process.
What I wonder is, what operating systems do B1-ready systems run at the present?
That's an easy one to answer. According to the TPEP Evaluated Products List, the following operating systems have been used in B1-rated systems:
Amdahl UTS/MTS v2.1.5+
Computer Associates CA-ACF2 MVS v6.1 with CA-ACF2 MAC
Digital SEVMS, several versions on VAX and version 6.1 on Alpha
Digital Ultrix MLS v2.1 on VAXStation (Microvax)
Harris CX/SX v6.1.1 and v6.2.1
HP HP-UX BLS v8.04 and v9.0.9+
SGI Trusted Irix v4.0.5EPL (where this code came from)
Unisys OS1100SR1 and OS1100/2200, Several releases
You'll see that rather than making their mainstream operating system ratable, most vendors (e.g. Digital, HP and SGI) offer a special version of the OS that is set up to meet the rating criteria.
----
----
Open mind, insert foot.
Irix (and Secure Irix, in this case) has some features that Linux lacks. I don't mind them on the Linux bandwagon if it means that the Free Linux kernel can get more functionality, security and scalability .
----
----
Open mind, insert foot.
Just one thing to remember, Linux itself can never be B1, or any other level, certified; it's only complete evaluated systems - case, drives, OS, etc. I'd not know B1+ cert well if I didn't need to know it.. though never had to use it, gotta love government sometimes, huh? :)
bash: ispell: command not found
This sig left intentionally blank.
1) I don't know what they are off the cuff; see the article a day or two ago.
2) circular? The man doing the Trusted FreeBSD is *already* a major player in FreeBSD, making it the more natural choice for him. Code he knows inside and out, or code that's similar. Not a tough choice.
But I never said that. I made no claim as to FreeBSD being better than OpenBSD.
However, for an individual developer, the operating system he already knows and is involved with is a better *choice* unless the existing advantages to the other operating system are compelling.
Hmmm.... I see a pattern here...
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Sorry, but this is not true at all. DEC MLS+ was based on a modified version of the base Unix kernel. Back in the early days of DEC MLS+ it was a long term goal to have B1/CMW functionality available as an installable subset that could be layered on top of the commercial unix product. It could have achieved that in the end as most of the MLS+ specific source code got merged in with the base OS source code, but just ifdef'd out so it wouldn't build into the base product.
Last I heard DEC MLS+ was being retired, with MLS+ V4.0D (or V4.0E) to be the last version. Don't take that as gospel though, plans do change.
Macka
When is SGI going to do something good for IRIX? I am a developer that uses IRIX. No other OS can give us the graphics power that we require. I use Java on IRIX and it is awful. SGI has only 3 developers working on the Java port, and has dozens working on these little Linux projects. Come on SGI, don't forget IRIX.
--Ivan, weenie NT4 user: bite me!
--weenie NT4 user: bite me!
"Computers are nothing but a perfect illusion of order" -- Iggy Pop
In case you haven't looked recently, the linux bandwagon seems to have crashed into a brick wall... Look at all the linux stock prices today vs 2 months ago... They've been beaten down far more than any other sector.
SGI's just doing what they think makes good business sense, no more, no less. They're adopting Linux as their low-end OS because it runs on commodity hardware. Many of their customers will probably buy those machines. Many of their customers also want machines with B1 ratings. They'd probably have to violate the GPL in order to implement B1 Security into a Linux distro without releasing the source, so they're doing what's required.
Well... whether the MAC option made it into the mainline Linus tree would depend on how ugly the code was, and how much #ifdef stuff it took, I suppose.
I would imagine that it all would have to be distributed as a separate patch, though, like the real time kernel, or the 8086-80286 kernel.
But that's the point... nobody's suggesting (that I've seen) that MAC be some option you select in make xconfig. :-)
Especially since some sort of Trusted Linux would have to have a complete pre-configured installation, with each file given the proper capabilities, ACLs, labels, and such in advance.
Any MAC-enabled linux would have to be a specialised distribution, with a modified kernel, toolset, X server, window manager, shell, and everything.
It doesn't mean that the basic outline of the file system, programming interface, utilities, and everything can't be modified versions of the originals.
Yes, we should care! If it's a meaningful certificate, that is. Spending millions to get a proper Unix(tm) appellation put upon Linux is not very meaningful. But getting a security certification is.
Rephrase your question thusly: "I already know how to drive, so why should I take even one hour out of my day to get a driver's license?"
If you want to drive on the B1 highway, you need a driver's license.
A Government Is a Body of People, Usually Notably Ungoverned
Orange Book security doesn't just consider the hardware. It includes the installation, location, and all physical access and environments of the machine. These certifications are case by case and cost a LOT.
Some time ago I went to the SGI LinuxUniversity in NYC, and they announced at their security track that they would be posting C2 and B1 patches to the kernel soon, and they expect to have 'final' versions integrated before the US government requirements for secure OSes kick in. I forget the exact dates, but that is the idea. btw Compaq (DEC) is working on this as well. The reason why they posted the code so soon is that they don't want to be bashed again as they were last time when they released patches to the kernel... last time they were too late, so there was little time to review the patches, hence large chunks of code were refused (AFAIK). SGI is jumping on the linux bandwagon bigtime, but just on the x86 architecture, and the upcoming IA64. I guess they want to compete with solaris, but not with IRIX.
When will it be ready for use ? Kernel 2.6 or before ? This is not a simple standalone RPM to install.
It is nice to see SGI supporting linux. I guess they don't have much to do now... after selling off Cray. Besides the OpenGL wave, what does SGI do these days?
The sample code SGI put on their web page is just a microscopic portion of a fully functional military grade OS product. It will require a complete rewrite of the whole operating system; a re-implementation of system APIs, principals and concepts.
:-)
A PATCH JUST CAN'T DO THE JOB.
Let's just focus on a small but important aspect of military grade systems - PRIVILEGE. We can forget about secure networking, trusted windowing, and etc etc for now (eventually we will need to address those too).
In a trusted system, each user is held accountable for actions taken by processes being their id, even though those actions may be completely beyond perception. As a consequence, the trusted system must regulate not only user actions, but also the actions of user processes. In Linux (or traditional Unix), all power is vested in the root uid 0. Throughout the kernel of the underlying system there are checks for effective uid 0.
All of these checks are replaced on a trusted system by a check for privilege. Privileges allow the trusted system to control access to system calls, based on the requested operation and the invoking user account - much more reliable and granular than simply checking identity. No more "if uid != 0 then deny access". Every action which compromises security is restricted with a named privilege, and a process with appropriate privileges is allowed to invoke a system call REGARDLESS of uid.
So, on Linux a privileged operation succeeds if the effective uid == 0; on a trusted system the operation succeeds if the process has the appropriate privilege.
So now, you're probably thinking "EEK! r00t d03sn'7 0wn!".
There are other topics such as data labelling, auditing, etc etc that I have not mentioned, but are critical to the implementation of a trusted system and secure OS kernel.
If all those could be implemented in form of a patch, perhaps we should consider Windows 2000 a patch too.
Yours,
--Albert
In regards to the change a single thing comment.
How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.
However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.
This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.
Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.
So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.
If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.
B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from each other completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.
To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutinizing team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.
As always, I'm happy to answer more questions.
If anyone can give me insight on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
It's been answered before, too :)
1) not quite the same type of security issues.
2) more importantly, it's from a major contributor to FreeBSD.
It's been a while since I looked at the B1 definitions, but let me see if I can describe MACs as I understand them.
The key aspect appears to be a distinction with Discretionary Access Controls (DAC) - owner and group permissions, ACL lists, etc. DACs are controlled by the owner of the file, but MACs are controlled by the "security administrator." The terms "mandatory" and "discretionary" reflect the fact that the owner must always accept MAC access control on his files, but he can discard the DAC checks (e.g., using mode 0777).
One of the subtle points about MACs is that they are required to be persistent *in all media*. This means that MACs should be preserved (and enforced) when a file is copied to removable media, and somehow indicated on all printed pages. (E.g., printing the "sensitivity level" (confidential, secret, etc) in large type on all printed pages.) Obviously you can't preserve MAC information if the format doesn't support it, so a MAC system may be able to write (enhanced) tar images to tape, but not be able to copy files to a floppy/zip/etc disk using MSDOS or even ext2fs filesystems.
There may be more to MACs; the specs are deliberately vague. A *very* large part of the certification process is going through the appropriate standard and documenting *what* you did and *why* you did it, with some commentary about the implications of that decision. This provides the implementer the flexibility of using whatever technique fits their needs. E.g., nothing says that DACs must be implemented with ACLs, although most people now use them because they're familiar and proven acceptable to the certification agencies.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Media can be of 2 types -- multi-level or single-level. A multi-level media supports inclusion of MAC labels. Single-level: not. You simply define the Sensitivity and Integrity level of the mounted tape drive (or FAT, FAT32, normal NFS, etc).
Modeling under the Bell-LaPadula Sensitivity and Biba Integrity models (one type of MAC often used), we have a couple of rules and two groups of items: "Subjects" - things that access or do things and "Objects" - things that are accessed or done to. Some things in a system can fall into both contexts depending on the situation. For example, a Subject "Process" (they do things to objects like files) could also access another process -- the accessed process would be an 'object' as far as security checks are concerned.
So Rule 1) Subjects (S) can only write to an Object (O) if the Object is at the same sensitivity level or above (O is said to "dominate" the level of S and dominate implies >=).
Rule 2) says that Subjects can only read Objects that they dominate (their sensitivity level is >= to the object's).
Biba Integrity works the same but opposite:
Rule 3) Subject can only write to Objects if Subject's Integrity >= (dominates) the Object's.
and Rule 4) Subject can only read Objects that have equivalent or greater Integrity (integ(O)>=integ(S)).
This can be *way* useful for "normal users".
Think of this:
Root is allowed Integrity levels 0-2, default=1. All system files at integrity level 2 (both executables and data). Users and their files are set at integrity level 0. Implications:
1) Any file root creates has I=1 so normal users can't write to it unless the file is specifically downgraded. A subject can write to or create "downgraded" Integrity files, so root is permitted to write lower level integrity files, but this wouldn't be the default creation value. Even if root downgrades the file's Int., Discretionary Access Control (DAC) (i.e. permission bits) still apply.
2) Root can't write to /etc/passwd unless they specifically log in with S=2 or su to S=2 (requires password again).
3) Users could read these 'public' files but couldn't write to them even if the file DAC was 0777.
4) Root couldn't execute any files not in the 'system file list'. No trojans! Only if root overrides security policy and changes the state of a file to 'trusted' (@ int=1 or 2) can it be executed as root.
Now for Sensitivity, let's imagine /etc/shadow was set to 2. Say users run at S=0. Root is permitted to run at S=2 (say highest) and S=0 (lowest). Implications:
In order to modify /etc/shadow, root must relogin or su to get S=2. 'Su' to a different integrity or sensitivity level must recheck password and if the user is allowed to run at the requested levels. After root has S=2 they can then read /etc/shadow in order to 'modify' it (they have to also have raised their Integrity to '2' to write to it).
So normal users can't see /etc/shadow because of MAC policy regardless if someone gets sloppy with DAC bits.
Just these "simple" applications of MAC would not greatly inconvenience any user, but an attacker gaining root (unless they do so via the password) has limited power. This means most attacks that gain 'root-shell' via a 'bug' are still pretty limited in what they can do.
Now if you add file based capabilities, root can have even less privilege and/or ability to do damage.
Also, remember, as I've mentioned before -- if you set MAC,S=0,I=0 for everything in the system, you get traditional Unix DAC behavior.
-l
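The four rules and the root/user scenario from the post above, worked through as an added example (my code, not the poster's, and not any vendor's implementation). It models a sensitivity label as a level plus a category set, which goes slightly beyond the level-only rules above so the "secret/stealth_bomber"-style labels mentioned later in the thread also fit; the file paths, uids and modes are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a category set. Level-only labels (S=0, S=2)
    use an empty category set, so they behave exactly as the post's rules describe."""
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other):
        # a dominates b iff a's level is >= b's and a carries every category b carries
        return self.level >= other.level and self.cats >= other.cats


@dataclass(frozen=True)
class Subject:
    uid: int
    sens: Label   # Bell-LaPadula sensitivity (S=...)
    integ: int    # Biba integrity (I=...)


@dataclass(frozen=True)
class File:
    path: str
    uid: int      # owner
    mode: int     # Unix permission bits, e.g. 0o644
    sens: Label
    integ: int


def dac_ok(s, f, op):
    """Traditional discretionary check on the owner/other permission bits.
    Group bits are omitted for brevity, and there is deliberately no uid-0
    bypass: in the trusted model root gets no blanket override."""
    bit = 0o4 if op == "read" else 0o2
    shift = 6 if s.uid == f.uid else 0
    return bool((f.mode >> shift) & bit)


def mac_read_ok(s, f):
    # Rule 2 (BLP):  subject must dominate the object's sensitivity  -> no read up
    # Rule 4 (Biba): object's integrity must be >= the subject's     -> no read down
    return s.sens.dominates(f.sens) and f.integ >= s.integ


def mac_write_ok(s, f):
    # Rule 1 (BLP):  object's sensitivity must dominate the subject's -> no write down
    # Rule 3 (Biba): subject's integrity must be >= the object's      -> no write up
    return f.sens.dominates(s.sens) and s.integ >= f.integ


def access(s, f, op):
    """op is 'read' or 'write'; DAC and MAC must both agree before access is granted."""
    mac = mac_read_ok(s, f) if op == "read" else mac_write_ok(s, f)
    return dac_ok(s, f, op) and mac


# Constructed scenario from the post: root runs at S=0/I=1 by default and may relogin at
# S=2/I=2; users run at S=0/I=0; system files are I=2; /etc/shadow is additionally S=2.
ROOT = Subject(uid=0, sens=Label(0), integ=1)
ROOT_RAISED = Subject(uid=0, sens=Label(2), integ=2)          # after su/relogin
ALICE = Subject(uid=1000, sens=Label(0), integ=0)

PASSWD = File("/etc/passwd", 0, 0o644, Label(0), 2)
SHADOW = File("/etc/shadow", 0, 0o600, Label(2), 2)
SLOPPY_SHADOW = File("/etc/shadow", 0, 0o644, Label(2), 2)   # DAC bits botched
PUBLIC = File("/usr/share/motd", 0, 0o777, Label(0), 2)       # world-writable by DAC
SCRATCH = File("/home/alice/notes", 1000, 0o644, Label(0), 0)

if __name__ == "__main__":
    for s, f, op in [(ALICE, PASSWD, "read"), (ALICE, PUBLIC, "write"),
                     (ALICE, SLOPPY_SHADOW, "read"), (ROOT, SHADOW, "read"),
                     (ROOT, PASSWD, "write"), (ROOT_RAISED, SHADOW, "write")]:
        print(f"uid {s.uid} S={s.sens.level} I={s.integ} {op:5} {f.path}: "
              f"{'allow' if access(s, f, op) else 'deny'}")
```

Setting every label to S=0/I=0 makes `access` collapse to `dac_ok`, which is the "traditional Unix DAC behavior" the post ends on.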
I am interested in when for example the various distros will implement this. I already have taken the first step. Namely not having an internet connection as most humans know it. So exactly what is out there. A while ago Trusted BSD came out. I would really like to get my machine to a B1 rating so perhaps I can get bragging rights for something.
Will this ever happen?
Slashdot social engineering at its finest
Okay, I think I understood the nutrient patch article earlier today. But B1 patches? Does it help them avoid refueling, or just replenish the supply of bombs?
Take a look at the requirements for B1 listed above. There's no way to support MAC, ACL, etc. with the standard Unix model. You can't just layer these things on top of the kernel without inheriting the flaws of the kernel.
There have been quite a few "secure unix" systems produced and B1 certified. HP, Concurrent, Harris, DEC all come to mind. But in all of these cases they started with a secure kernel and then layered Posix on top of it to make it look like Unix.
So what? So, you can't PATCH the Linux kernel to make it B1. Unless you call "throwing out the kernel and replacing it with a totally different beast" a patch.
BTW, if you really want an A1 operating system to play with, there is a free one - mentioned on /. - at:
http://www.eros-os.org/
It hasn't been certified yet, but the pieces are there.
Most techs still make a choice based on facts and real-life requirements and experience instead of some certification. We like to do it ourselves, no?
These improvements *will* improve Linux. That's all that matters. Any certifications that might be the result of it are merely a side effect and not very important, to us.
Beefing up Linux to C2 will be a great thing for commercial interest/acceptance, and only small changes to existing GUI interfaces would be needed to accommodate that (adding ACL options to widgets that display/manipulate file permissions).
B1 however is a different kettle of fish. GUIs like KDE, GNOME, and others would have to be extensively modified to work properly (if at all) in a B1 environment. The standard for this is called CMW (Compartmented Mode Workstation). Commercial products like DEC MLS+ are implementations of B1/CMW on top of the standard Unix product. I don't know what SUN's is called, but they do the same.
This also applies to almost anything else that is not part of the kernel, eg:
* TSIX instead of TCP/IP, which automatically excludes you from participating in non B1 DNS environments, and allows you to configure networks restricting communication between systems of the same SL (Security Level) or perhaps SL's that yours dominates (with the appropriate kernel privs enabled).
* A new filesystem, or extensions to an existing filesystem, to make it multilevel aware. That way, when you cd(1) into a directory that contains files that have a higher SL than you have Clearance to access, you don't see them. Not from an ls(1) or by any other C hackery you can conjure up, because they are blocked at the filesystem level.
* A new multilevel print environment, so that for example files with an SL of "Top Secret" cannot be printed out on printers that don't have the same or higher SL (eg, Secret, Confidential, Unclassified, or whatever they have been called in the environment you're in).
* Getting back to CMW again. On a B1/CMW workstation where the GUI is multilevel aware, if you have logged in selecting an SL of "Secret" (assuming you have Clearance for this) and you open a terminal window with that SL, then open another terminal window with a lower SL, eg "Unclassified", then you will NOT be able to cut and paste text from the Secret window to the Unclassified window (unless you have privs allowing you to override this AND they are turned on). GUIs that are not multi-level aware (like all the ones that currently exist) would only be able to work as they stand on one SL at a time. If you wanted to work with files (or viewable data) at a higher SL than the one you were logged in on, you'd have to log right out and log in again at the higher SL.
Working with B1 and CMW can be very complicated. Designing and setting up an environment that has all these features is even worse. Which is probably why B1 has never caught on in the commercial world. Applications not specifically written or modified to run in a multi-level environment can only operate on one level at a time (ie: the level they are started at), which often defeats the object of having a multilevel environment in the first place.
Maybe Linux could shine here though. Last I heard (maybe it's changed again
Macka
TrustedBSD "provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Orange Book B1 evaluation criteria"
And they also have a mondo-cool logo.
Returned Peace Corps IT Volunteer
Just to be fair, they recently obtained a C2 on NT4+special service pack+certain hardware, in a networking environment. See here for more info.
The scale works like this: there are different security levels, each with stronger requirements. The actual requirements are quite numerous, here's a long article with details.
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
--
-- Slashdot sucks.
Orange Book certification (C2, B1, etc.) usually requires certification of a total system... not just the operating system. So, even if you could install all their mods in a single package, you would need to certify the OS along with your brand of PC, controllers, etc.
Be that as it may, it is a great start.
Security levels C2 and greater (including B1) will be useful for getting Linux into government offices, the same ones where NT is C2 certified (as long as there is no network connection [smile!])... the government already has a large installed base of desktop systems.
Linux's low cost of entry and now B1 features are just more of the foot in the door for the government and other people that will have to take a look at this system that was once dismissed as a "toy" by others.
--
"May I have ten thousand marbles, please?"
Here's a whirlwind tour of the Orange Book categories.
D level systems have no security worth mentioning. Think DOS, Win95, MacOS - no real notion of separate users.
C level systems have DAC - discretionary access control. Essentially, they have ACLs (access control lists). You can determine who can have access to your stuff. There are two divisions here, C1 and C2, with C2 being more stringent.
Several Unix-type systems have been certified at C2 (though you have to add ACLs), as has WinNT.
B level systems add MAC - mandatory access control. Every object (file, device) and subject (process) has a level (often something like unclassified, secret, top_secret) and a set of categories associated with it. If you're cleared for "secret/stealth_bomber, SDI, Area_51", you can't read stuff labeled "top_secret/who_killed_JFK" or "secret/Clintons_little_black_book". And you can't write something "unclassified/Area_51", so you can't spill the beans. (But you can write to objects at a higher level than you are.) There's B1, B2, and B3. I think you can still count the number of certified B-level operating systems on your fingers.
A1 level systems have been mathematically proven. IIRC there's only one that's ever been certified at this level.
There's also something called CMW (compartmented mode workstation), which is like the B levels but deals with "information labels" instead of "sensitivity labels" - i.e., it tries to track what's really in the object, so if you paste secret data into a file it gets upgraded.
It's a bitch to get something certified (I worked on Trusted Mach, which was intended to be B3 but never went anywhere); we're talking piles of documentation, many rounds of review, and a pile of money.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood