
IBM Clinches Security Certification for Linux

Nimey writes "IBM has gotten Linux certified under the Common Criteria specification." What this means is that government can consider Linux when making purchasing decisions. Linux got the highest rating possible.


  1. Thank you IBM by azzy · · Score: 1, Insightful

    Glad to see they aren't letting SCO scare them away from giving Linux their support time after time

  2. Can vs. Will by Acidic_Diarrhea · · Score: 1, Insightful

    Just because the government can consider buying Linux, doesn't mean it will. After all, Microsoft has got a pretty firm hold on the bureaucrats in charge.

    --
    I hate liberals. If you are a liberal, do not reply.
    1. Re:Can vs. Will by Anonymous Coward · · Score: 5, Insightful

      And you think IBM doesn't know how to handle bureaucrats? They invented the game and probably patented it as well.

    2. Re:Can vs. Will by Liselle · · Score: 5, Insightful

      Don't underestimate how cheap people can be. It goes hand-in-hand with greed. Windows is not precisely free.

      Members of government are also accountable to their constituents. As people become more and more aware of Linux, they will also become more aware of the security problems with Windows. A few years ago, there was no basis for comparison. Now there is, and the more information that gets out there, the better. It's cliché now to say this, but the days are numbered for the stranglehold Microsoft holds, one way or the other.

      --
      Auto-reply to ACs: "Truly, you have a dizzying intellect."
    3. Re:Can vs. Will by Anonym0us+Cow+Herd · · Score: 2, Insightful

      After all, Microsoft has got a pretty firm hold on the bureaucrats in charge.

      When you've got them by the balls, you don't need to hold all that firmly.

      --
      The price of freedom is eternal litigation.
    4. Re:Can vs. Will by keester · · Score: 5, Insightful

      The fact is that developers can now start recommending Linux. Anti-Linux / Pro-Windows people can no longer use the excuse that Linux isn't an "approved" OS.

      Surprisingly, it can be hard to convince most people in government positions, civil service, military, contractors, etc., that _we_ don't want to pay for Windows licenses, and _we_ don't always need to spend waaayyyy too much money on waaayyyy too much hardware.

      This is great news for people that work for the government. Kudos to IBM for footing the bill on this, as it is an expensive process.

      --
      Take it easy? I'll take it any way I can get it . . .
    5. Re:Can vs. Will by LarsG · · Score: 2, Insightful

      I speak from experience, on the good end of the shotgun. Unix guys can do Windows, and oh so much more.

      Dunno. I've met MCSEs that would never be able to navigate an Xterm, and Unix zealots that think Win2K is equivalent to W95.

      Running a large Windows network properly does require knowledge and experience, and I'm not convinced that most *nix admins would be able to do the same without at least half a year of training (but a typical *nix admin would probably learn the Win fundamentals faster than the other way around).

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  3. Kernel or distro? by NineNine · · Score: 3, Insightful

    So what I want to know is anything with the Linux kernel good to use, or just SUSE? Call me nuts, but I thought that different distributions using the Linux kernel could be pretty damn different as far as security and stability go.

  4. Re:Alright...? by Cutriss · · Score: 1, Insightful

    I think Taco screwed up the newspost. It should read "What this means is that government can consider IBM's Linux solutions when making purchasing decisions. IBM got the highest rating possible."

    --
    "Mod, mod, mod...and another troll bites the dust."
  5. Re:Big win for Linux! by Dot.Com.CEO · · Score: 3, Insightful

    XP is a desktop OS, and hardly needs security certification of that level. Windows 2003 server just came out a few months ago. Give it time. I bet the Linux configuration that was certified was not exactly 2.5 kernel material running debian unstable.

    --
    Mother is the best bet and don't let Satan draw you too fast.
  6. Re:What about BSD? by eer · · Score: 2, Insightful

    Because it lacks the corporate hype that Red Hat, et al, gave to Linux.

    What I'm trying to figure out is, "What's important? The kernel or the glibc?"

    Apps written to glibc will run on GNU/HURD, Linux, Lava, and other kernels, too. Technically, that's a better story. But business wise, the brand in people's mind is "Linux".

  7. Re:Just wondering.. by gurisees · · Score: 3, Insightful

    Try the CCEVS home page... Here you can find the Validated Products List.

    --
    ... information wants to be forwarded ...
  8. Re:What about BSD? by wawannem · · Score: 2, Insightful

    There are many reasons why BSD should be ahead of the game, but unfortunately it is not. I wish I had some real numbers, but I remember having one of my BSD zealot friends run a command and pipe it to wc to see how many packages were available in the BSD ports tree. At that time there were about 2,000. I was impressed, until:

    [wawannem@weswlinux]:/home/wawannem
    $ apt-cache dump | wc -l
    100543

    I think this is what really makes the case for Linux. It is sort of a Catch-22: there is more software available for Linux, so more software is created for Linux.

  9. The obligatory flamebait defending the facts by Drestin · · Score: 3, Insightful
    Windows has had a higher level rating for over a year now. There are nice Word DOCs available to tell you exactly how to obtain the same (or higher) level of security as tested.

    Linux was certified as providing only "low to moderate" security, compared with the same group's certification as "moderate to high" last year of the security of Microsoft's Windows 2000 software.

    Now as windows advocates were forced to admit, a security rating is about as useful(/useless) as a TPC-C benchmark. It's a test under controlled circumstances and the real world is never this controlled - but it does compare apples to apples. No serious advocate of either would blindly consider the other to be utterly secure or unsecure; but I think the /. editors have jumped the gun both factually (it's not the highest rating possible, it's the lowest rating possible) and enthusiastically. I mean, would this story have made it if the headline read "Linux finally achieves a security rating lower than Windows 2000"?

    Windows XP and 2003 are currently under testing but it takes time so please don't reveal your ignorance by announcing that Linux must be more secure than either of those since they haven't been certified yet. XP is every bit as secure and more than Windows 2000 and 2003 is far more secure than any other Windows release. That they'll be certified is not a question but just a matter of time.

    Flame away - the karma rating here is meaningless as it's nearly effortless to get "Excellent" and maintain it.

  10. Re:Playing D.A. here.... by EvilTwinSkippy · · Score: 2, Insightful
    Accountability? Bullshit. Try "wall tossing". Most EULAs indemnify the vendor from legal action. All you end up with is the ability to blame someone else.

    That isn't accountability. It's accounting. A real man admits he was wrong, and works to fix it. A coward insists the world is at fault, and ducks the problem entirely.

    This world was not built by cowards. Though they have done their share of destroying great empires, both political, intellectual, and capital.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  11. SuSE, not Linux by perly-king-69 · · Score: 4, Insightful

    Excuse the pedantry, but doesn't this mean SuSE running on IBM boxes got certified, not Linux per se?

    --
    This sig is inoffensive.

  12. Journalism? by Quila · · Score: 3, Insightful

    Supporters said Linux software, whose popular mascot is a penguin, was under testing for better-security ratings.

    WTF does Linux's mascot have to do with being under testing for better ratings? Is the reporter trying to convey the impression that Linux isn't serious business since it has a cute mascot instead of a corporate logo?

    Wrong place in the article to put that bit.

  13. CC is just not that simple. by Osrin · · Score: 4, Insightful

    1) CC != Security, CC == Trust. EAL2 is close to the lowest level of evaluation and if my recollection of the eval levels is correct (it's been a while), EAL2 basically says that somebody somewhere might be able to find the documentation behind all the code if they went looking for it. Win 2k got EAL4 which is a full code and documentation review.

    2) When you put a product into CC you define a protection profile, the weight and value of the evaluation is based upon the complexity of that profile. It would be useful to see the profile for this eval. It is possible (in theory at least) to get a product through CC by defining a profile that outlines what happens when you click on the "Red Hat". The more you exclude the more quickly you get through the process, but conversely the less interesting the evaluation is to government.

    3) For those of you that feel this steals a march over WinXP, be aware that WinXP is in evaluation and the protection profiles that it is being evaluated under are public. Microsoft are doing a far more extensive job with XP than IBM did with Linux. When a Government procurement organisation comes to buy product, even for systems classified as SECRET, the fact that a product is in evaluation is generally enough, this is certainly true outside of the US.

    Don't get me wrong, this is a great start and will certainly spread a lot of marketing fud but it does not mean a great deal to the government community. If anything it will raise a series of questions about why Microsoft's so called 'insecure' product can achieve EAL4 when the Open Source Linux offering can only scratch through EAL2.

    Tread carefully.

  14. Re:Just wondering.. by TedCheshireAcad · · Score: 4, Insightful

    If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

    Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?

  15. Re:Big win for Linux! by EvilTwinSkippy · · Score: 4, Insightful
    Excuse me? Windows 2003 is an entirely new product and requires an entirely new certification.

    Linux DOES have an advantage. I can always get support for an old version of a distro. (Worst case, I AM the support.) Now here we are in 2003. It takes M$ 2 years to get Windows certified. They stop shipping the product after 3 years, and pull the plug after 5. That means you have, tops, 3 useful years of a M$ product in a sensitive environment. Less when you consider implementation time.

    People gripe about how the space shuttle runs on old equipment, but you have to remember, there are plenty of installations that require computing hardware to be embedded for decades. Think factory equipment, weapon systems, utilities, traffic lights, aircraft.

    When engineering those systems you use the most stable installation you can find, strip it down to just what you need, and run it until you can't buy parts for it anymore.

    Now how do you do that within a 5 year Window again?

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  16. Smell those contracts by Teahouse · · Score: 5, Insightful

    This announcement means only one thing. IBM would not have gone through this trouble unless there were a few large contracts (DARPA/DOD) that will underwrite the expense in the future. Think I'll buy a few more shares of IBM stock today.

    --
    "Curiosity killed the cat, but for a while I was a suspect."- Steven Wright
  17. Re:Are there any secure Os's out there? by SmallFurryCreature · · Score: 4, Insightful
    Ehm, slight failure on your part in understanding how it was tested.

    Linux was tested for "low and moderate" security and passed. It was not tested for anything higher, so we don't know if it would have failed those.

    The tests cost lots of money and time, so you start at the bottom and work your way up. It is like, say, a soccer team passing the semi-finals; you don't then say, oh, that means they missed the finals? No, that is yet to come.

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.

  18. Re:Wrong. Wrong wrong wrong... by AmishSlayer · · Score: 3, Insightful

    No it didn't. FUD. According to

    FUD = Fear, Uncertainty, and Doubt

    Overexaggeration is not FUD. It may be inaccurate or perhaps just plain wrong, but it is not FUD.

  19. Re:Over-hype - not highest rating possible by swillden · · Score: 2, Insightful

    The EAL2+ assurance level achieved is NOT the highest rating possible by a long, long shot - it's actually close to the lowest

    Yep. I wonder if the "highest possible" hyperbole didn't come out of some (clueful) statement about how this may be the highest common criteria rating possible for a Linux system to a (clueless) reporter, who just fixated on the "highest possible" part.

    Whichever, it may be true that Linux can't get higher CC ratings because of the nature of the development process. CC ratings beyond level 2 demand more and more tightly controlled and regimented design and development processes. At the highest level (EAL7), you basically have to apply formal proofs of correctness to a very thoroughly vetted design, as well as to perform extremely careful management of all of the design documentation and code so that you can be sure it's not tampered with.

    It *might* be possible for Linux to get a level 3 rating, but it would be very, very expensive, since that would require analysis and documentation of much more of the system design (CC doesn't believe in "the code is the documentation"), so that the implementation can be methodically verified.

    This doesn't mean that Linux can't be or isn't secure, it just means that its development process is incompatible with the assumptions underlying Common Criteria. Basically, CC assumes that security can only be achieved through very methodical, formal, controlled development processes, with intense security-focused scrutiny applied at each step. The OSS world believes there's another way, the "many eyes make all bugs shallow" approach.

    The underlying assumptions of the two approaches are interesting to me. CC presumes that it's possible to close all of the security holes during design and development, ensuring that the resulting system is airtight. The OSS approach presumes that bugs happen, that security is an arms race between the white hats and the black hats, and that the way to win it is to make sure that you recruit as many white hats as possible and give them complete access.

    In both cases, the software will inevitably contain exploitable security flaws. CC aims to make them rare and hard to find (particularly since the source will probably not be published), OSS aims to fix them faster than they can be exploited. The result is that EAL7 software probably contains a few hard-to-exploit but very long-lived defects, whereas OSS contains many more defects with much shorter lifespans.

    The common criteria specifications were defined before the security benefits of open source were understood, and therefore don't consider them at all. I think that after a few more years of experience CC needs to be revisited and revised in light of this new information. The very highest security rating should probably only go to software that utilizes both approaches.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  20. Re:In your face! by katsushiro · · Score: 3, Insightful

    I agree with you on that. As the requirements for EAL4 certification stand right now, it's quite true that Linux would not be able to qualify. However, the reason Linux doesn't qualify shows exactly what the problem is with his argument that Linux is less secure somehow because it doesn't have this certification: Linux is not unable to achieve EAL4 because of a lack of technical merit or actual real world security, it's because of a *technicality*. While documentation of the development process is, I suppose, necessary for closed source operating systems to prove certain standards of programming, the fact that you can actually *look* at the source code in OSS projects lessens the necessity of this aspect for that type of project. If I can look at the code and actually see that, for example, the password authentication routines are secure, then does it matter if the actual programming was done by a highly regimented team of programmers using a compartmentalized programming methodology, or a lone college student working from his parents' basement while munching Cheetos? The resulting code and its security is what matters, not so much the development process used to arrive at this code.

    At least, that's *my* humble opinion. :) So here's hoping that the talk of changing the CC process to take OSS principles into account more moves from beyond mere talk to some action.

    --
    "Two things are infinite: the universe, and human stupidity. And I'm not sure about the first one." - Albert Einstein
  21. Re:In your face! by Osrin · · Score: 4, Insightful

    The terms CC and "security" should never be used in the same sentence, CC is not about security it is about trust.

  22. Nobody ever got fired for buying IBM by karlandtanya · · Score: 3, Insightful
    True or not, the point is that (at least the SuSE distribution of) GNU/Linux now has a serious backer with right to sell to the gubmit.

    All this rating does is open the door a little. It's up to the marketing boys at IBM to bludgeon the pencil-pushers into submission.

    Claiming some sort of "victory" for GNU/Linux as a whole is silly. This is another step in the right direction.

    As GNU/Linux has become more utilized, it has attracted the attention of powerful (and some incompetent) enemies. Be careful what you wish for! GNU/Linux, by its nature, will never present a unified front to defend itself. By binding the interests of users to the interests of parties with power, we improve the chances that things will go our way.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  23. Re:Just wondering.. by evenprime · · Score: 4, Insightful
    TedCheshireAcad asked
    If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?

    Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
    No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the Microsoft box - or the Linux one - on the internet.

    These lower level security evaluations don't mean much in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predecessor of the common criteria). This is the formal description of EAL4 in the official list of evaluation levels:
    EAL4 - methodically designed, tested and reviewed

    EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.

    An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management.
    Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  24. Gads...an informed post on security and the CC by mikefocke · · Score: 2, Insightful

    My compliments.

    EAL7 is the highest defined Common Criteria Evaluation Assurance Level. EAL2 is one of the lower ones and can be achieved by minimal documentation efforts. If one looks at the chart on page 54 of the Common Criteria Part 3 Security Assurance Requirements document, one sees that an EAL7 system would be analyzed in 25 areas where an EAL2 one would be analyzed in only 13. And even in the 13 areas that are common, there are requirements at the EAL7 level to do each thing much better that don't appear at the EAL2. What may seem like a minor wording difference between 2 requirements may take millions to achieve.

    EAL2 does not require an exhaustive vulnerability analysis or penetration testing or a covert channel analysis as do those levels above EAL4.

    I'm aware of only one OS aspiring to a greater than EAL5 level for a general purpose operating system, DigitalNet's STOP, which is currently in evaluation, has been for 8 months and will be for several more months.

    Acquiring that EAL5+ rating even for an operating system that previously received NSA's highest rating ever for a general purpose operating system takes several years and multiple million $, not the $500K quoted in another post.

    The Govt procuring agency is responsible for assuring that the protection profile or security target that the OS was evaluated against is appropriate for the value of the data they are trying to protect and that the assurance level is also appropriate.

    All an EAL2 does is allow the government to buy and to use Linux in the most insensitive areas. Surely three letter agencies would require much more than an EAL2.

    For the original post to say "highest" is to say the writer misunderstood the significance of the IBM announcement.

  25. Re:Over-hype - not highest rating possible by swillden · · Score: 2, Insightful

    Of course formal validation is valuable; sorry if I appeared to imply that it's not. The AC's question seemed to be saying that formal methods would eliminate vulnerabilities completely, which they will not.

    It's also worth noting that the OSS patch-treadmill approach is completely inapplicable in some environments -- those where patches aren't feasible. I work on smart card systems for a living, and that's the situation for smart card operating system code. You can only patch it by replacing the cards, and that is often cost-prohibitive. In those environments, as well as the very high-security environments that you mention, rapid discovery and patching doesn't work, so formal methods and extreme attention to detail are the only option. They only take you so far (*everything* only takes you so far) but the name of the game is "mitigate what risks you can, bound the rest and build backup plans".

    The patch treadmill approach is somewhat more resilient from a security standpoint, because in a formal system, when you find a defect the process of fixing it has to be similarly formal, which means complex and time-consuming, and it's likely that there isn't a good mechanism in place for delivering updates. However, the patch treadmill approach is also more likely to see successful penetrations in the short term.

    At the end of the day, there are places for both approaches, and places for a combined approach as well.

    at least with some sort of certification system, you can be sure that what you have is better than the choices...

    I wouldn't go quite that far. With the certification system, you can be sure that the software has passed the required verification tests. That tells you something valuable about the system, but it doesn't really tell you anything about the alternatives, unless they've also been tested. Still, as long as you understand what it is and is not, certification is definitely worthwhile.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.