Certifying Software As Secure?
"It turns out that the much-touted Microsoft Windows NT 3.5 and 4.0 TCSEC C2 rating basically states that the operating system assures separation of users and data and audits user and security-related events -- capacities that are essentially standard expectations of any modern 'enterprise' operating system. That rating is essentially two (2) levels out of seven (7) from the rating for utter lack of security (D1). See the U.S. Government's Commercial Product Evaluations page and its associated Trusted Technology Assessment Program (TTAP)'s FAQ entry on TCSEC evaluation rating interpretation for more information. For now, be aware that the evaluation ratings go non-intuitively, from lowest to highest: D1, C1, C2, B1, B2, B3, A1. Microsoft's rating also only applies to very specific configurations of the Windows NT Operating System and none of its frills -- like ASP, for instance.
Still, even from the standpoint of researching evaluation and certification options, it looks like only International Government Evaluation (i.e. the 'Common Criteria' evaluation process) and perhaps the ICSA certification are available to any vendor who wants to be pro-active and benefit from standards in the process. (Please let me know if you know better!) And I've talked with a number of hacker types who sneer at the idea that any of these certifications are worth the money and effort to put into them.
At the same time, pointy-haired types eat this certification stuff up. In point of fact, government contracts can be much more possible and much easier to obtain if you get certified this way, and as Microsoft's spin-doctoring of their C2 TCSEC rating points out, it just makes the company that has the rating look more responsible, all around, or can, if your readers and customers don't know what the rating actually means.
Sure, it's possible to contract with any security auditing firm to get something or someone to say that your product's at least minimally secure, but it's still unfortunate, but true, that if you want any kind of widely-recognized, standard certification, you'd better actually seek out some kind of formal evaluation and rating.
Do people agree, disagree, and either way, can they prove it?"
IIRC, you don't have to deliver the source to the evaluators, but you have to at least have someone in-house designated to do reviews. Somewhere in the huge pile of documents has to be a plan for ensuring that implementation meets design - as well as plans for testing and configuration management.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
So, if I read this rightly, NT has been C2 certified with service pack 6a and special C2 updates, for less than a year (though MS has been claiming certification forever...) and while you're allowed to have a network card, your network configuration is TCP/IP only, no AppleTalk, NetBEUI, or IPX, and no network services of any kind. (That is, I believe the list of 'specifically excluded' services is a superset of the standard install services.) ;)
Also, what data you transmit over the net is not evaluated. They're just saying you can have a network card, and if no ports are open you're still safe.
Which I guess is better than the (supposed) no-network configuration of NT3.51. If that's true.
I think I'm going to print this out and take it home. Thanks.
--Parity
'Card carrying' member of the EFF.
Heh. Java needs a JVM to run. If you write the JVM in Java, that JVM would need a JVM to run on. I.e., you'd have a JVM written in Java running over a JVM written in C. :-)
:-)
Heh, very practical.
(8-DCS)
Never trust anyone over 90000
Heh, I realize that this is way off topic, but the immortal John Carmack is UID 101025...
Doh!
There is starting to be support for capabilities in Linux (a major requirement for B and higher stuff). Of course, this is a major break from the UNIX model, where root has all the capabilities, and other people may be granted root-like power in restricted code, and everything else is done through the file system with simple ACLs (i.e. groups).
It may be possible to make a B-level distribution, assuming that physical access is controlled, and programs are set up very carefully. But you probably wouldn't find it terribly useful, since nobody could become root, as that would seriously break the security model. You'd basically have to deal with not having a user-level capabilities system by lacking abilities.
Of course, you could probably get C2 by turning off all the services you don't actually want, removing the setuid bit from programs that shouldn't have it, restricting access to some other programs, and replacing the rest of the setuid programs with versions which are simple enough to verify their security.
Generally, many of these ratings aren't very helpful unless you're a government, because at the higher levels it's mostly concerned with making sure that your secret data can't go to untrusted places. If you're big enough that you actually talk to trusted places, this is helpful, but for most places, it means the computer is unusable.
For example... the machine can't let you cut and paste from a secret document to anything like, say, a web browser or ssh window. It can't let you accomplish this in several steps, either. It quickly becomes impossible to deal with having anything that can send information out to anything but verifiable secure and trusted sites. Not only do your directory listings not include secret files if you're not a trusted user, they don't even if you are, if you can copy out to something untrusted. It's actually easier on the user to have a separate machine for secret data, and it's all silly unless you're also searching your employees for secret files at the door.
Of course, in the business world, you generally don't deal with secret data on this level. Security is aimed at preventing access from users who shouldn't get it, not preventing spies from getting information out. B3 or C2 is about where it's worth getting, and beyond that what you're interested in is an entirely different scale of security.
I've often wondered why so many operating systems have a superuser account that overrides all security controls. If an ordinary user has a file that has its permissions set to read/write by user only (Unix mode 0600), why should the operating system allow any other user access to that file? Windows NT started out with some good ideas but someone screwed it up by adding the take ownership feature. Someone might ask, how do you back up the files on the system? One solution would be to give special access rights to a trusted and audited backup/restore program. I would also suggest that the backup program encrypt all data stored on tape with its own private key.
Mea navis aericumbens anguillis abundat
They wanted a secure web-server, running their in-house written CGI code. The PHBs decided that as long as the underlying OS was certified as secure, they would have no security problems! Yes, people are really that naive!
Virtual Vault was eventually dropped when it was discovered that their Systems Management software (which used the extremely insecure SNMP) wouldn't run on the proposed system, and they needed everything to report back to one central super-console.
When you compile Java into native binaries, you _still_ append the JVM to these binaries. What do you think makes memory garbage collection in Java? Where do you think these processes will go when you generate the native binaries?
:-)
You are not getting rid of the problem, you are just hiding it. All these "ugly things" prone to errors are simply _hidden_ inside the JVM. But they are _still_ needed, and _still_ used. And written in C.
(8-DCS)
My C=64 - no way to get in - no services, no monitor, no drives, no power supply, no function. After I case it in cement and drop it into the abyss, it should be pretty safe indeed...
--
"It's tough to be bilingual when you get hit in the head."
...is make sure that VBScript is disabled.
:)
---
I wear pants.
You can find all of the rainbow books here and here. They're worth a look.
--
So far, I've proven that addition on my Turing machine is secure, provided the intruder doesn't have physical access to the tape.
I'm still working on multiplication...
Sun's Trusted Solaris (I'll let somebody else get a few Informative points by posting a link; I don't have it handy) lets you do some useful things in this respect. I don't recall their rating offhand; somewhere in the midrange.
You can do some really cool things besides impress your boss with the rating, too. Like make individual directories and files simply not be there when certain users do an ls(1). I don't mean "permission denied" kind of things, I mean the kernel itself just skips over that file; doesn't even report its existence.
It's great for situations when information at different classification levels (Top Secret, Secret, Confidential, Stuff That Used To Be Secret Before You Put It On The Damn IIS Server And Some Eleven-Year-Old Kid Got It, etc) all need to live on the same machine.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
To truly certify software as secure is a very huge task. It assumes you understand and have validated every single state the machine can be in, which is practically infinite. Even the state of the power button matters.
I really hate the false sense of (ahem) security that certification gives. They're trying to assure the software is secure, which is almost an impossible task for any non-trivial system. Anybody who says a system is secure is lying to themselves and others.
With things this complex, security can only be approximated.
Of course, you can certify a design as secure with much less effort but it's the implementation that matters the most.
Network Security Library
Common Vulnerabilities and Exposures
SecurityFocus
You can find everything you want to know (and more) at these sites.
``We are the people our parents warned us about.''
1. THERE IS NO SUCH THING AS SECURE SOFTWARE.
:)
Like Yogi Berra said, "In theory, there's no difference between theory and practice. In practice, there is." No matter how stringent the testing, no matter how exacting the software development (up to and including provably-correct software), software cannot be secured. In theory, following a provably-correct software design (such as is possible in some Ada subsets) allows you to design software which is provably correct... but that's theoretical, not practical.
Sometimes, the buggiest thing in a system is a feature which is working exactly as it's designed to do. Provably-correct software is predicated on there being a correct assessment of what the software needs to do and needs to not do, and so far, nobody's come up with a way to do provably-correct brainstorming.
Auditing cannot, repeat, cannot make a piece of software secure. All it does is find errors, not all errors, and maybe even not all the major errors.
2. TRUSTED SYSTEMS ARE JUST THAT.
Trust. It's another way of saying "I have faith in you." Faith is the antithesis of proof. For years my Linux box was a haX0r's dream--I didn't bother to turn off services, my root password was fairly easy to guess, etc. That doesn't sound like a trusted box, does it?
Wrongo. It was very trusted, because it wasn't connected to any network and it was in my bedroom. I trusted it a lot--I had faith that it wasn't going to be compromised.
Whenever you see someone advertising a "trusted system", ask yourself: who trusts it? Why do they trust it? Should I trust it? "Trusted systems" are sometimes a lot of snake-oil; people who don't know beans about security buy "Trusted Solaris" because it says "Trusted", even though their incompetency as a UNIX sysadmin makes the box vulnerable.
(Note: I have a lot of respect for Trusted Solaris, even more than I do for OpenBSD. I'm just making the point that the word "Trusted" doesn't mean much.)
3. THE MOST IMPORTANT ELEMENTS IN SECURITY ARE THE USERS AND THE SYSADMIN, IN THAT ORDER.
Most people will reverse this around, claiming that the sysadmin is more important security-wise. There's merit to that (after all, root == God), but I reverse it. There's only one sysadmin, and an attacker more or less has to take his chances that the sysadmin is incompetent enough to fall for (a crack, a social engineering attack, a DDoS, etc.). But if there are hundreds of users, it's certain that at least one of them is going to be a complete fargin' idiot, which means attacks which involve users are more effective than those which go straight for root.
This is an important point. No matter how secure the box, no matter how trusted it is, the weakest link is the users. When companies get on a security kick, they tend to spend lots of money on software and very little on educating their users. This has always struck me as backwards.
4. USERS DON'T WANT SECURE SYSTEMS.
Have you ever tried to use Trusted Solaris, or OpenBSD in a particularly bondage-and-discipline configuration? Sure, they're locked up tight against intrusion, but this comes at a steep price in usability. People want computers to be easy to use more than they want them to be secure. If you make computers too secure, your own legitimate users will circumvent security. I regularly see passwords on Post-It notes stuck to monitors--not just in Corporate America, but in government offices which routinely handle extremely sensitive data.
5. FOR ALL THIS, SECURITY AUDITS ARE A GOOD IDEA.
Security audits do two things: first, they tend to ensure that software works the way it ought, and second, they tend to ensure that software doesn't work the way it oughtn't. The potential problem that's spotted and corrected due to a security audit may never have resulted in an exploit, but it may well have resulted in a Blue Screen of Death at some point down the line.
Security audits don't just make systems more secure; done properly, they make systems more reliable, which in turn makes them more usable.
These software designers really need to take their head out from between their butt cheeks and start thinking of something decently secure. Last I heard, breaking 128-bit SSL wasn't so much of a daunting task.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Wasn't ICSA the jokers that were calling themselves NCSA (Natl Computer Security A???) when everyone used Mosaic, just so people would think they were related to the supercomputer people (aka the real NCSA)?
And now a new breed of jokers want to sell me their firewalls that are security certified by people that willfully lied about their credentials. That's a great marketing plus for a security product.
I personally think that there is at least some value in getting your software audited. OpenBSD is clearly a good test case for the value of internal audits in producing secure code. OTOH, internal audits are never going to be as convincing to some people of the quality of security as external audits are because of the temptation to cheat.
I think that the government standards for secure computing bases are very valuable in giving you good ideas of what to do. It's clearly the result of careful thought by some very intelligent people. I think that they're missing out on an intermediate security level between their C and B levels that includes horizontal mandatory access controls (basically capabilities) without security levels.
That being said, I think that all flavors of Unix are always going to be inherently insecure as long as they maintain their "root is god" attitude. As it is there's no room for error. One security hole is enough to give an attacker complete control over your box, and OpenBSD levels of paranoia and auditing are necessary in order to achieve security against anything but a casual attacker. Unix isn't going to be reasonably secure until it implements some kind of mandatory controls, either capabilities or a full class B access control with security levels.
There's no point in questioning authority if you aren't going to listen to the answers.
> There is starting to be support for capabilities in Linux
Linux's so-called "capabilities" are a joke. They are nothing of the sort, they are just more ACL bits tacked onto operations. You want real capabilities, try something like EROS. A true capability manifests as a visibility thing -- you can't call a forbidden operation if you can't even get a handle on it. A true capabilities system is a "thought police" model. You can't perform a forbidden operation because you just can't have that thought. You can't delete a file you can't touch. You can't open a device you can't see. Etc.
Capabilities can be rock-solid security, but they do have some problems, like revocation. The neat thing about EROS is that stack smash attacks can't gain any extra privileges, because they can't manufacture any extra capabilities -- you'd have to smash the kernel stack to do that.
I've finally had it: until slashdot gets article moderation, I am not coming back.
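As an added illustration (not code from the post, and not EROS code), here is a toy object-capability model in Python: the untrusted routine can only act on objects it was handed, so there is no forbidden call for it to make, and a caretaker forwarder shows the revocation problem the post mentions. The names FileCap, Forwarder and Caretaker are hypothetical.

```python
"""Toy object-capability model (illustration only, not EROS code): authority
is possession of an unforgeable reference, and a revocable forwarder (the
'caretaker' pattern) shows the revocation problem the post mentions."""
class RevokedError(PermissionError): """Raised once a caretaker has withdrawn the capability."""

class FileCap:
    """Unforgeable reference to one file. Holding it IS the authority to use
    it; there is no global name (no path) by which other code can reach it."""
    def __init__(self, contents: str) -> None:
        self._contents = contents

    def read(self) -> str:
        return self._contents

class Forwarder:
    """Looks like a FileCap to its holder but asks the caretaker on every call."""
    def __init__(self, keeper: "Caretaker") -> None:
        self._keeper = keeper

    def read(self) -> str:
        return self._keeper.live().read()

class Caretaker:
    """Owner-side switch: hands out a Forwarder and can cut it off later."""
    def __init__(self, target: FileCap) -> None:
        self._target = target

    def forwarder(self) -> Forwarder:
        return Forwarder(self)

    def live(self) -> FileCap:
        if self._target is None:
            raise RevokedError("capability revoked")
        return self._target

    def revoke(self) -> None:
        self._target = None

def untrusted_routine(caps: dict) -> str:
    """Stands in for third-party code: it can act only on objects it was handed,
    and has no way to name the secret file, so no access check runs here."""
    return caps["public"].read()

def demo() -> tuple:
    """Constructed scenario. Returns (what untrusted code saw, what a delegated
    holder read before revocation, whether the post-revocation read was refused)."""
    secret = FileCap("TOP SECRET")                 # constructed sample data
    public = FileCap("hello")
    seen = untrusted_routine({"public": public})   # secret is never passed in
    keeper = Caretaker(secret)
    delegated = keeper.forwarder()                 # hand this to a weaker holder
    before = delegated.read()
    keeper.revoke()                                # owner withdraws the authority
    try:
        delegated.read()
        refused = False
    except RevokedError:
        refused = True
    return seen, before, refused
```

Note that a direct FileCap handed out without a Caretaker cannot be taken back, which is exactly the revocation problem the post refers to.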
For a system to be B-level compliant, it must have mandatory access controls, something that Linux does not have. There are a few 3rd party tools that can help with this, but they are not complete, and not part of Linux. It may be possible to build a B-level box out of Linux, but Linux itself is not, and probably never will be. Believe it or not, it's for the same reason that NT will not: it makes the system very difficult to use. Mind you that NT is only C2 compliant without a network card installed, and Linux would probably fall into the same category. For certification purposes, NT and Linux are on the same playing field, because the certifications are more into the design of the system, and rarely address the implementation, or bugs.
I guess the point is that you could have a B or A level box, but you'd never use it for anything interactive because it would be too inflexible. To answer your question, AIX is fairly secure, but the OS has to go through a number of hoops before it passes any level of certification, which, BTW, NT does also.
So you wouldn't let C get anywhere near a secure system, eh?
Well, Java depends on the JVM. What did you write the JVM in?
(8-DCS)
POI: NT has a C2 rating *including* networking.
Personally, I've never been able to find any serious evaluation of NT's rating anywhere on the web or in print. There is, of course, MS's marketing claims that 'NT is C2', period and end of statement, no details, no clarifications, no special configurations mentioned.
Then there's people sounding off on the 'net, who generally say, 'The guy who put together the NT 3.51 box to pass C2 certification had to do all kinds of things to make it even work, (including removing networking, tweaking the registry, removing this that and the other program), and then when he tried to publicize what he'd done Microsoft effectively murdered him by suing him here there and everywhere and bad-mouthing him so that he had high stress and was unemployed and so unable to afford medical care died of stress related illness'.
Okay. Whatever. I don't entirely believe that it took a year of intense configuration and ripping out the critical guts of NT to make it secure, and I also don't believe that every version of NT is C2 secure out of the box, which is what MS implies. The government, of course, only says, 'Only boxes are rated C2 secure, not OSes'. (Except they say it in bureaucratese...)
In other words, your 'Point of Information' is just one more bit of noise and there is no signal in sight. It's an unsubstantiated claim on a widely disputed and underdocumented issue.
--Parity
'Card carrying' member of the EFF.
> the only secure box is an unplugged one, put in a steel box and thrown at the bottom of the sea
And even that's not safe with Bob Ballard around.
--
Sheesh, evil *and* a jerk. -- Jade
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood