Justifying the Common Criteria Security Evaluation
lewko writes "Microsoft has just received a Common Criteria certification for Windows 2000 at Evaluation Assurance Level (EAL) 4. Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this. What does it all mean? This paper suggests that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case. Microsoft bashing aside, the process in evaluating a security product is relevant to anyone considering the deployment of technology into their environment." The EROS operating system he mentions looks interesting - of course, it also looked interesting three years ago.
Well how much of what is secure? It seems to me that MOST of the security bugs one associates with Microsoft are problems with two programs in particular--IIS and Outlook (Express version only).
I know some commercial Unixes are certified to C2 if you have it configured right. What about the Linuxes?
Why would anyone want to use a text editor that is not vi?
This kind of certification is a great thing for people running Win2K. But I have to wonder if Microsoft's upgrade cycle will cause those people to lose official support for Win2K unless they upgrade to XP or whatever's next very soon now? A lot of enterprises do a lot of time-consuming testing before they roll out something like Win2K, which is probably the first reasonable OS from MS. It'd be a real shame if all that testing and certification gets thrown out the window because MS doesn't feel its customers are buying upgraded products fast enough.
Even after reading the article, it seems doubtful to me that millions of dollars were spent on creating documents to say that Windows 2000 meets the security criteria. Personally, even though this is Microsoft we're talking about, this seems a bit outrageous.
- - - - - Fear not the reaper, but my shiny white teeth.
Oh and if you use Visual SourceSafe, then you're covered. "Automated configuration management." Hogwash. This no more ensures you have a secure system than Suzi the Secretary checking to make sure you badged in the main door instead of surfing in behind Bob. Sure, it is tough to have a secure system without some kind of ConfigMan, but it is not necessary and sufficient that having one ensures a secure system.
Oh, are all your tools identified (shades of ISO-9000!)? Golly, gee that's nice. So, we gonna check to see if all the old Lan Man code (which authenticates without credentials) is out of the current build? No? Oh, not a requirement.
What a load of tripe. I wonder how much they paid to have this cert. Probably more than an MCSE, and just as worthless.
Yeah, right.
Before you mod me down, I am a network admin that works with both Windows 2000 and Linux on a daily basis. I am also a certified MCSA (though we all know what we think of certs :) ). Anyways, my #1 reason why I think Windows security SUCKS is that the damn OS has no real firewall built into it! I mean, come on, with Win2K you gotta either buy a hardware firewall (Cisco PIX, etc.), or throw a Unix box in front of it. And yes, I know XP does have a basic firewall built in, but do any of you want to run a server on XP? People always bitch at MS for bundling software into their OS, but there's no excuse to not include reasonable packet filter ability in the OS. That's why I believe the only time you EVER put an MS box on the net is if it's behind a NAT or something else that totally hides the box from outsiders.
Lawyers, MBA's, RIAA? A jedi fears not these things!
but who the hell are the CommonCriteria folks, and why must I give a shit what they think of whatever OS?
The above is an honest question, if you can't elaborate clearly, please don't even bother to reply.
Thank you.
Welley Corporation - SLM Scammers
It is interesting to read about the concept of rings, with the main kernel sitting in the innermost ring. I know that some of the computers my dad worked on out at Hanford were Primes that had some concepts of rings, with the innermost being the highest up on the privilege levels. Not exactly the same I don't think, but this was many years ago.
(Hey, just went looking, looks as if Primos Revision 21.0.1DODC2A got to the C2 level, so maybe this is more similar than I think)
Thank you for saying that out... there is nothing more valuable than a sysadmin who knows his platform.
I've been hearing a lot of moft-is-not-secure 'proofs' lately... I'm just wondering: has anyone actually proven that the OS is structurally (i.e. by design) flawed?
A structural flaw for example would be that files have ACLs, but pipes don't. Or something of the sort... *not* that the default out of the box configuration leaves a NULL ACL on the \system32\cmd.exe (that is not a structural problem, it's configuration).
So long as someone doesn't show real facts when they claim to 'prove' something, it's FUD pure and simple AFAIConcerned.
You mean have MS pay Theo and everyone connected with the OpenBSD project enough to persuade them that taking it proprietary and rebranding it Windows XX is A GOOD IDEA, right? Continuously checking Windows OS and applications for security fuckups is too big a job for one person, and probably too big a job for 1,000 persons.
Would the OpenBSD team sell out for $10 billion and the right to oversee future development?
Note that this would actually be an intelligent and cost-effective thing for MS to do, even if various code libraries have to be rewritten to avoid the use of GNU code of any sort, so we can take for granted that they'll never think of it for themselves.
While this is a lot more than MS paid for the rights to what later became MSDOS ($30K, IIRC), times have changed.
While this breaks compatibility with all MS applications, does anyone actually think anything less has the remotest chance of doing the job? Assuming the job is building a reasonably secure OS that can be made to work with a wide range of applications.
Tech Public Policy stuff
Users? You need no users for that.
This means that any program can screw my registry enough to leave the system unbootable. What's the point in running as normal user, then? Just try to rm -rf /etc on Linux. I'm pretty sure that unless you're root it'll still work fine afterwards. And that's how it should be.
On Linux, if I want to try a suspicious program I can create a new user account and try it there. If I want to be more paranoid I can chroot it and use strace to find what exactly it's doing.
Now, if in Win2K it's possible to break the whole system as a normal user, where's all that security it's supposed to have?
Also, what registry tree? I've seen no detailed help files explaining every key of the Windows registry, what it's used for, and what would happen if it had too restrictive permissions. If those permissions are so badly set from the beginning it makes me think the reason is that many programs will break when they're unable to write to some places. If changing those ACLs would give me better security at the cost of breaking half of my programs, thanks, I don't want it. Linux works much better.
I bumped into this several years ago, in the antivirus field. "Get the product certified", said the marketing department. "Some big corporates want to see an official certification" said our sales people.
So I looked into it. At the time, it was called "Itsec", now it's "Common Criteria". It was run, in those days, by the electro-spooks, based in Cheltenham.
When I found what it was, I was absolutely ROFL.
I, the vendor, was expected to state the functionality of the product, what it was supposed to do, security-wise. They call this the TOE, "Target of Evaluation".
They, the evaluators, would check that it met that functionality, and give me a certificate if it did.
So far, so good. But what's the right functionality? In my case, what functionality should an antivirus have (rhetorical question, please don't tell me, except it isn't as simple as you might think).
So, I said to the people who ran the scheme, Suppose I define my functionality as "Comes in a blue box". Could I get an Itsec certification for that? The answer boiled down to "Yes, but that isn't a security issue". "Yes it is," I said.
Um. Who defines what is a security issue and what isn't? I was saying that the lack of a blue box, was a security issue. How do you say it isn't? Anyway, that's my TOE, please certify it. Well, it never got that far, that was just my way of telling them that their scheme was a joke.
So I went to a pal of mine who ran the security department at a university, suggested that he set up a certification scheme, and got the product certified under that instead. That made our marketing people happy, also our sales people. Customers had a certification to pin on the wall, everything was tickety-boo.
Except the government people, who knew they were being made monkeys out of, because I threw that "Comes in a blue box" thing at them at every conference and seminar I went to, and I heard that it started to seriously embarrass them, because people started asking questions about the value of their certifications. There's more in that thread - things did start to change, but the change didn't happen in the end.
Now, I'm not suggesting that the Microsoft certification says "Comes in a blue box." But until you've read the TOE, you don't actually know what security functions have been certified.
It is *very* flawed. This is how you can destroy a Win2K system as a normal user
Despite your probable pleas to the contrary, you were not a regular user when you carried that out. Windows has ACLs on virtually everything in the OS (contrary to Linux, for example, with its incredibly large granularity security), and the registry is no exception. The HKLM registry branch has only READ access for anyone but System and Administrators (in some cases also Power Users, which much like Administrators is not an account that you should regularly run under). The registry applications abide by these permissions quite simply because they can't fail not to. I see two possible scenarios here, one that you were in an account as Power User or Administrator, or two that there is a complex fault that somehow bypassed the ACLs. I suspect the former as being dramatically more likely.
Having said that, you weren't actually trying to do that in a serious way, were you? (copying the tree from 98 to 2K) As a sidenote, virtually all Windows variants keep one or more backups of the registry tree, and choosing "last known good configuration" would have fixed it for you immediately.
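The claim above (HKLM is read-only for everyone except System and Administrators, with Power Users as an occasional exception) is something an admin can verify rather than argue about. The script below is an added example written for this page, not code from the thread or from Microsoft: it walks an HKLM subtree with Get-Acl and lists every Allow ACE that grants write-class registry rights to a principal outside a small allow-list. The function name, the allow-list contents and the default subtree are this example's own choices; it assumes a Windows host with the registry provider available.

```powershell
# Added example (not from the thread): find HKLM keys where a principal other
# than the expected system accounts can modify keys, values or permissions.
# Function name, allow-list and default root are this example's own assumptions.

function Find-WeakHklmAces {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        # Principals that are expected to hold write access on HKLM.
        # On newer Windows builds 'NT SERVICE\TrustedInstaller' will also show up; add it if you trust it.
        [string[]]$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                      'BUILTIN\Power Users', 'CREATOR OWNER'),
        [int]$Depth = 1
    )

    # Rights that let a principal change a key, its values, or its ACL.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                 [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                 [System.Security.AccessControl.RegistryRights]::FullControl

    # The root key itself plus its children down to $Depth.
    $keys = @(Get-Item -Path $Root)
    $keys += Get-ChildItem -Path $Root -Depth $Depth -ErrorAction SilentlyContinue

    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }          # keys we cannot read are skipped, not reported
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedWriters -contains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: report write-capable ACEs for unexpected principals under HKLM\SOFTWARE.
Find-WeakHklmAces | Format-Table -AutoSize
```

An empty result for the subtree supports the poster's reading of the default permissions; any row naming Users, Everyone or Authenticated Users is exactly the kind of key a non-admin process could damage, and is worth comparing against the vendor's documented defaults before tightening it, for the reason the earlier poster gives: programs that expect to write there will break.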
As +/- mentioned in the article, the Common Criteria is based on a protection profile (PP) that says what the system is supposed to do. The given system is supposed then to meet that profile. Depending how well it meets the profile, it will be given a certification. Then again, the certification is based on any profile that the given vendor wants to follow. The key here is making sure, as a customer, that the profile used is one that meets your requirements. So the very fact that Win2k is CC certified means nothing, regardless of the level. Note that to minimize problems NSA, who oversees CC, from the start developed a few protection profiles for certification labs to use. I personally don't know which PP was used.
Actually, these certified versions of NT are only impressive to civilians.
From what I remember - NT4 was certified as C2 only without a network card. Which means that adding a network card invalidates the certification.
And the documentation I've seen on the Common Criteria levels tells me that EAL4 means that XP passed a design review. The interesting part of the CC cert is the CAPP - it means that XP is safe to use in an environment where you trust the employees, network and programs.
Essentially, CAPP EAL4 is good stuff to put in a press release and not much else.