Slashdot Mirror


UPDATED: SGI B1 Linux Patches

jd writes, "It's been rumoured for some time, but no code was shown and no announcements were made. Well, they actually did it. The first drop of the necessary code to bring Linux to B1 standards is on their Web site. The code is essentially a rip of their IRIX code, and isn't fully Linuxified, yet, but it's all there and ready." Update: 04/12 05:52 by E : We got mail from Richard, who maintains these pages... He says: "It is true that SGI are working on making Linux C2/B1 as anyone who has been to a SGI Linux University event will attest, and we are working with a number of others to that end. But to say that we have released a patch for Linux is very misleading and is setting expectations way above what is currently available." So, take this with a grain of salt.

11 of 103 comments

  1. Unix can't do B1 by Anonymous Coward · · Score: 4
    Sorry, but I have to remain an AC on this one, for obvious reasons.

    Take a look at the requirements for B1 listed above. There's no way to support MAC, ACL, etc. with the standard Unix model. You can't just layer these things on top of the kernel without inheriting the flaws of the kernel.

    There have been quite a few "secure unix" systems produced and B1 certified. HP, Concurrent, Harris, DEC all come to mind. But in all of these cases they started with a secure kernel and then layered Posix on top of it to make it look like Unix.

    So what? So, you can't PATCH the Linux kernel to make it B1. Unless you call "throwing out the kernel and replacing it with a totally different beast" a patch.

    BTW, if you really want an A1 operating system to play with, there is a free one - mentioned on /. - at:

    http://www.eros-os.org/

    It hasn't been certified yet, but the pieces are there.

  2. Certification? Oh No! by Rob+Kaper · · Score: 4
    Having a certification might impress some suits, but do *we* really care?

    Most techs still make a choice based on facts and real-life requirements and experience instead of some certification. We like to do it ourselves, no?

    These improvements *will* improve Linux. That's all that matters. Any certifications that might be the result of it are merely a side effect and not very important, to us.

  3. What about CMW by Macka · · Score: 4


    Beefing up Linux to C2 will be a great thing for commercial interest/acceptance, and only small changes to existing GUI interfaces would be needed to accommodate that (adding ACL options to widgets that display/manipulate file permissions).

    B1 however is a different kettle of fish. GUIs like KDE, GNOME, and others would have to be extensively modified to work properly (if at all) in a B1 environment. The standard for this is called CMW (Compartmented Mode Workstation). Commercial products like DEC MLS+ are implementations of B1/CMW on top of the standard Unix product. I don't know what SUN's is called, but they do the same.

    This also applies to almost anything else that is not part of the kernel, eg:

    * TSIX instead of TCP/IP, which automatically excludes you from participating in non B1 DNS environments, and allows you to configure networks restricting communication between systems of the same SL (Security Level) or perhaps SLs that yours dominates (with the appropriate kernel privs enabled).

    * A new filesystem, or extensions to an existing filesystem, to make it multilevel aware. That way, when you cd(1) into a directory that contains files that have a higher SL than you have Clearance to access, you don't see them. Not from an ls(1) or by any other C hackery you can conjure up, because they are blocked at the filesystem level.

    * A new multilevel print environment, so that for example files with an SL of "Top Secret" cannot be printed out on printers that don't have the same or higher SL (eg, Secret, Confidential, Unclassified, or whatever they have been called in the environment you're in).

    * Getting back to CMW again. On a B1/CMW workstation where the GUI is multilevel aware, if you have logged in selecting an SL of "Secret" (assuming you have Clearance for this) and you open a terminal window with that SL, then open another terminal window with a lower SL, eg "Unclassified", then you will NOT be able to cut and paste text from the Secret window to the Unclassified window (unless you have privs allowing you to override this AND they are turned on). GUIs that are not multi-level aware (like all the ones that currently exist) would only be able to work as they stand on one SL at a time. If you wanted to work with files (or viewable data) at a higher SL than the one you were logged in on, you'd have to log right out and log in again at the higher SL.

    Working with B1 and CMW can be very complicated. Designing and setting up an environment that has all these features is even worse. Which is probably why B1 has never caught on in the commercial world. Applications not specifically written or modified to run in a multi-level environment can only operate on one level at a time (ie: the level they are started at), which often defeats the object of having a multilevel environment in the first place.

    Maybe Linux could shine here though. Last I heard (maybe it's changed again :-) DEC MLS+ from Compaq was being wound down. What killed it was the lack of applications that could run on it properly because they needed significant re-engineering to be multilevel aware (read huge cost!). Because the source of most Linux apps is open, this would not be such a huge barrier to overcome. It will be interesting to wait and see.

    Macka

  4. FreeBSD to have similar plugins by griffjon · · Score: 4

    TrustedBSD "provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Orange Book B1 evaluation criteria"

    And they also have a mondo-cool logo.

    --
    Returned Peace Corps IT Volunteer
  5. Re:I prefer A1 by Shadowlion · · Score: 4

    Actually, there's an even more secure rating than A1.

    A0, as defined by the military, is an unplugged, completely disassembled computer system where all volatile magnetic memory has been exposed to extremely powerful electromagnets for at least 72 hours. Each piece is then separately taken to Cape Canaveral via several different types of transportation (horse, plane, submarine, postal carrier), launched into orbit (using Space Shuttle flights randomly chosen from a calendar), whereupon they are loaded into small, disposable rockets and fired towards the sun along with all documentation.

  6. Re:B1?? by ianezz · · Score: 4
    since they have it only if NT is not networked.

    Just to be fair, they recently obtained a C2 on NT4+special service pack+certain hardware, in a networking environment. See here for more info.

  7. Re:B1?? by -brazil- · · Score: 4
    The scale comes from something known as the "Orange Book", and yes, "C2" also comes from there, and if M$ claims they got C2, they're full of shit (as if that were new...), since they have it only if NT is not networked.

    The scale works like this: there are different security levels, each with stronger requirements. The actual requirements are quite numerous, here's a long article with details.

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  8. For a summary... by Amphigory · · Score: 5
    Bear in mind what these things mean. From the "TCSEC" FAQ:
    18. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?

    The Interpreted Trusted Computer System Evaluation Criteria (ITCSEC) available in postscript at contains the definitive set of requirements for each TCSEC class. In Summary:

    Class D: Minimal Protection

    Class D is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.

    Class C1: Discretionary Security Protection

    The Trusted Computing Base (TCB) of a class C1 system nominally satisfies the discretionary security requirements by providing separation of users and data. It incorporates some form of credible controls capable of enforcing access limitations on an individual basis, i.e., ostensibly suitable for allowing users to be able to protect project or private information and to keep other users from accidentally reading or destroying their data. The class C1 environment is expected to be one of cooperating users processing data at the same level of sensitivity.

    Class C2: Controlled Access Protection

    Systems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

    Class B1: Labeled Security Protection

    Class B1 systems require all the features required for class C2. In addition, an informal statement of the security policy model, data labeling (e.g., secret or proprietary), and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information.

    Class B2: Structured Protection

    In class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class B1 systems be extended to all subjects and objects in the automated data processing system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non-protection-critical elements. The TCB interface is well-defined and the TCB design and implementation enable it to be subjected to more thorough testing and more complete review. Authentication mechanisms are strengthened, trusted facility management is provided in the form of support for system administrator and operator functions, and stringent configuration management controls are imposed. The system is relatively resistant to penetration.

    Class B3: Security Domains

    The class B3 TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.

    Class A1: Verified Design

    Systems in class A1 are functionally equivalent to those in class B3 in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. An FTLS is a top level specification of the system written in a formal mathematical language to allow theorems (showing the correspondence of the system specification to its formal requirements) to be hypothesized and formally proven. In keeping with the extensive design and development analysis of the TCB required of systems in class A1, more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.

    Enjoy.

    --
    -- Slashdot sucks.
  9. B1 Summary by Plutor · · Score: 5
    B1 Security - "Labelled Security Protection"
    • Object protection can be on a single-user basis, e.g. through an ACL or Trustee database.
    • Authorisation for access may only be assigned by authorised users.
    • Object reuse protection (i.e. to avoid reallocation of secure deleted objects).
    • Mandatory identification and authorisation procedures for users, e.g. Username/Password.
    • Full auditing of security events (i.e. date/time, event, user, success/failure, terminal ID)
    • Protected system mode of operation.
    • Added protection for authorisation and audit data.
    • Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
    • Label integrity checking (e.g. maintenance of sensitivity labels when data is exported).
    • Auditing of labelled objects.
    • Mandatory access control for all operations.
    • Ability to specify security level printed on human-readable output (e.g. printers).
    • Ability to specify security level on any machine-readable output.
    • Username and Password protection and secure authorisations database (ADB).
    • Protected operating system and system operations mode.
    • Periodic integrity checking of TCB.
    • Tested security mechanisms with no obvious bypasses.
    • Documentation for User Security, Systems Administration Security, Security Testing, examining audit information, and TCB design.
  10. Of course... by lar3ry · · Score: 5

    Orange Book certification (C2, B1, etc.) usually requires certification of a total system... not just the operating system. So, even if you could install all their mods in a single package, you would need to certify the OS along with your brand of PC, controllers, etc.

    Be that as it may, it is a great start.

    Security levels C2 and greater (including B1) will be useful for getting Linux into government offices, the same ones where NT is C2 certified (as long as there is no network connection [smile!])... the government already has a large installed base of desktop systems.

    Linux's low cost of entry and now B1 features is just more of the foot in the door for the government and other people that will have to take a look at this system that was once dismissed as a "toy" by others.
    --
    "May I have ten thousand marbles, please?"
  11. Re:B1?? by Mr.+Slippery · · Score: 5
    It's a little more complicated than that...

    Here's a whirlwind tour of the Orange Book categories.

    D level systems have no security worth mentioning. Think DOS, Win95, MacOS - no real notion of separate users.

    C level systems have DAC - discretionary access control. Essentially, they have ACLs (access control lists). You can determine who can have access to your stuff. There are two divisions here, C1 and C2, with C2 being more stringent.

    Several Unix-type systems have been certified at C2 (though you have to add ACLs), as has WinNT.

    B level systems add MAC - mandatory access control. Every object (file, device) and subject (process) has a level (often something like unclassified, secret, top_secret) and a set of categories associated with it. If you're cleared for "secret/stealth_bomber, SDI, Area_51", you can't read stuff labeled "top_secret/who_killed_JFK" or "secret/Clintons_little_black_book". And you can't write something "unclassified/Area_51", so you can't spill the beans. (But you can write to objects at a higher level than you are.) There's B1, B2, and B3. I think you can still count the number of certified B-level operating systems on your fingers.

    A1 level systems have been mathematically proven. IIRC there's only one that's ever been certified at this level.

    There's also something called CMW (compartmented mode workstation), which is like the B levels but deals with "information labels" instead of "sensitivity labels" - i.e., it tries to track what's really in the object, so if you paste secret data into a file it gets upgraded.

    It's a bitch to get something certified (I worked on Trusted Mach, which was intended to be B3 but never went anywhere); we're talking piles of documentation, many rounds of review, and a pile of money.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
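Worked example of the mandatory access control rules that comments 3 and 11 above describe in prose: a sensitivity label is a hierarchical level plus a set of categories (compartments), one label dominates another when it is at least as high in both, and a B1-class TCB applies "no read up" / "no write down" on every access, hides files the subject cannot read from directory listings, and (under CMW) refuses a paste from a higher-labelled window into a lower one. This is an added illustration, not code from SGI, TrustedBSD or any of the commenters; the level names, the file names and the sample labels are constructed here and follow the examples in the thread.

```python
"""Bell-LaPadula style label lattice and access checks, as a B1 / CMW
system would enforce them. Added example; all names and data are constructed."""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical ordering of levels, lowest to highest (assumed names).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A dominates B when A's level >= B's level AND A's categories are a
        superset of B's. This is only a partial order: two labels can be
        incomparable, in which case neither side may read or write the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def parse_label(text: str) -> Label:
    """Parse "secret/stealth_bomber,SDI" into a Label (case of the level and
    surrounding whitespace are ignored; an unknown level is rejected)."""
    level, _, cats = text.partition("/")
    level = level.strip().lower()
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return Label(level, frozenset(c.strip() for c in cats.split(",") if c.strip()))


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only if the subject dominates the object
    (no read up, and no read across into compartments you are not cleared for)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only if the object dominates the subject (no write
    down). Writing to a higher label is allowed even though the writer cannot
    read the result back, which is the point comment 11 makes."""
    return obj.dominates(subject)


def visible_entries(subject: Label, directory: dict) -> list:
    """Directory listing as a multilevel filesystem presents it: entries the
    subject cannot read are simply absent, not shown as permission-denied."""
    return sorted(name for name, lbl in directory.items() if can_read(subject, lbl))


def can_paste(src_window: Label, dst_window: Label) -> bool:
    """CMW cut-and-paste: a paste writes src data into dst, so it is a write
    and is allowed only when the destination window dominates the source."""
    return dst_window.dominates(src_window)


# Constructed sample subject and files, mirroring the examples in the thread.
USER = parse_label("secret/stealth_bomber,SDI,Area_51")
FILES = {
    "jfk.txt": parse_label("top_secret/who_killed_JFK"),              # read up: denied
    "black_book.txt": parse_label("secret/Clintons_little_black_book"),  # incomparable
    "sdi_notes.txt": parse_label("secret/SDI"),                       # dominated: readable
    "readme.txt": parse_label("unclassified"),                        # readable, not writable
    "leak.txt": parse_label("unclassified/Area_51"),                  # write down: denied
    "ts_memo.txt": parse_label("top_secret/stealth_bomber,SDI,Area_51,who_killed_JFK"),  # write up OK
}

if __name__ == "__main__":
    for name, lbl in FILES.items():
        print(f"{name:16} read={can_read(USER, lbl)!s:5} write={can_write(USER, lbl)}")
    print("ls shows:", visible_entries(USER, FILES))
    print("paste Secret -> Unclassified:",
          can_paste(parse_label("secret"), parse_label("unclassified")))
```

Running it lists only readme.txt, leak.txt and sdi_notes.txt for this user, denies the write to leak.txt (unclassified/Area_51) that comment 11 uses as its example, and allows the write to ts_memo.txt even though it cannot be read back. Real B1 systems add privileges that override these checks for trusted processes (the "privs" comment 3 mentions); that override is deliberately absent here so the base policy stays visible.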