IEEE to Standardize OS Security Components
aster_ken writes "The Institute of Electrical and Electronics Engineers has started work on a standard for securing operating systems, as a recognition that software security is 'limited by the operating systems that underpin them', the organization said yesterday. The standard, dubbed IEEE P2200, will address external threats and intrinsic flaws arising from software design and engineering practices."
They should just copy/paste Linux & the BSDs' file system properties and make something similar to SELinux's security mandatory.
/rant
Oh... and ban Microsoft.
The other is that at some point a system that adheres to the standard will be compromised and will raise questions as to the usefulness of this standard.
I don't question the need for standards, but not all things can be standardized. Standards stand for a commonly accepted way of doing something. Security is still too volatile.
Slashdot Sig. version 0.1alpha. Use at your own risk.
It'll take a lot of work to make Windows secure!!
No operating system is completely secure anyway; there are always some 'undocumented features'.
IEEE P2200 will build on NIST and ISO Common Criteria documents, but will be an independent standard.
Anyway, the IEEE has a track record of working on security-related standards, including the popular P1363 (Standard Specifications for Public Key Cryptography) standard. P1363 defines standard implementations of public key crypto ciphers based on Integer Factorization, Discrete Log, Elliptic Curve, and Lattice algorithms.
I'll be waiting to see this P2200 come around.
It's true that some flaws in the OS are inherently design-based. However, even if we make certain design requirements to be incorporated in the OS, it still doesn't guarantee that the OS is secure. I would think that it can't even minimize the number of OS breaches. It would even hamper the OS development in order to comply with their standards.
About the quote regarding the "minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics": I don't think it would be possible; the goal of "the least restrictive requirement while not relenting the control" is vague. Unless it provides rigid post- or pre-conditions of each method (in first order logic if necessary) and provides each formal specification unambiguously, I would still see some leaks here and there. And, guess what? They put the requirement like UML standards: Way too vague. Congratulations.
For those of you who are curious, click here for the draft.
--
Error 500: Internal sig error
One, the final standard spec will be loose enough that Windows will already be compliant, so it won't mean anything.
Two, the final standard spec will be Microsoft's Windows-centric implementation of a secure system (existing Windows systems may not be compliant, but future ones would be). No non-Windows system would be able to meet the standard without extensive licensing fees being paid to Microsoft to license the technologies needed.
Three, the final standard spec will be sensible, and Microsoft will ignore it. With the mainstream desktop environment paying no regard to the specification, the spec fails to acquire the widespread adoption necessary to become a real standard.
File under 'M' for 'Manic ranting'
All you need is an ARM, firmware in FLASH (so it can be upgraded when it is inevitably cracked), a PCI interface and the 10/100 guts - not substantially more than is already on a NIC, although admittedly much more than is on your $4 8139-based card. That would all fit into a chip (a small, low power chip at that), which means it could be incorporated into a laptop.
Why isn't there a more sophisticated watchdog in the motherboard chipset itself? With all those transistors there's no reason they couldn't dedicate an entire ARM or even a 386 core to the task. It doesn't have to prevent intrusions; it just has to detect them and then activate some "doomsday" mechanism - like locking out the network port (which can also be on the motherboard chip, as it already is in many) or even just activating a hard reset. Through an on-board NIC it could do stateful packet analysis and it could keep a DENY list right in on-board FLASH.
I set a watchdog to monitor my connection through my firewall. If the outgoing data rate goes over a certain threshold (which would indicate an intrusion and someone mining data from my PC) then it simply hangs up the phone and rotates the autodialer to a different number. This capability requires a custom applet on my desktop and an external router.
Why? As cheap as silicon is these days this capability should be trivial to add right on the motherboard. It's not glamorous and it's not going to work in every case, but it's absolutely going to work in many of the most common cases - including substantially slowing the spread of virii, as an infected machine would instantly become trapped in a boot cycle or just knocked off the network. Yeah, that means every virus infection becomes a DDOS attack - but better for a few hundred machines to get knocked down than a few hundred thousand allowed to roam free for days or even months, eating up gigabytes of bandwidth with useless PING packets.
I wish more in the Linux community didn't consider most of this technology such a flashpoint, because this is one area where the Open community has a real opportunity to make a substantial contribution and potentially drive platform design. If an open-sourced core could be added to a motherboard chipset and would add only a couple of dollars, and that core would add substantial security to the platform, you have a feature that mom and dad understand and are willing to pay for.
Otherwise we just let Microsoft and AOL do it, and all it adds to the platform is a few bullets about the kneecaps.
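The egress-rate watchdog this post describes (monitor the outbound byte rate, trip a "doomsday" action such as locking out the network port when the rate stays high), modelled in software as an added example that is not code from the thread or from any chipset vendor. Class names, thresholds and the per-second byte counters are all constructed for illustration.

```python
from collections import deque

class EgressWatchdog:
    """Sliding-window outbound-rate monitor with a sustain counter."""

    def __init__(self, threshold_bps, window_s=5, sustain_s=3):
        self.threshold_bps = threshold_bps    # suspicious outbound bytes/sec
        self.window = deque(maxlen=window_s)  # last window_s per-second counts
        self.sustain_s = sustain_s            # seconds over threshold before tripping
        self.over = 0
        self.tripped = False

    def rate(self):
        # average outbound bytes/sec over the current window
        return sum(self.window) / len(self.window) if self.window else 0.0

    def observe(self, tx_bytes):
        """Feed one second of outbound byte count; return an action or None."""
        if self.tripped:
            return "locked"             # stay latched until a human resets it
        self.window.append(tx_bytes)
        full = len(self.window) == self.window.maxlen
        # a single large upload is absorbed by the window average and the
        # sustain counter, so a brief burst does not knock the machine offline
        self.over = self.over + 1 if full and self.rate() > self.threshold_bps else 0
        if self.over >= self.sustain_s:
            self.tripped = True
            return "lock_network_port"  # the post's "doomsday" action
        return None

def first_trip(samples, threshold_bps=50_000):
    """Return the second index at which the watchdog trips, or None."""
    wd = EgressWatchdog(threshold_bps)
    for i, tx in enumerate(samples):
        if wd.observe(tx) == "lock_network_port":
            return i
    return None

# Constructed per-second outbound byte counts (not real traffic):
IDLE = [2_000] * 10              # normal background chatter
BURST = [200_000] + [2_000] * 9  # one legitimate upload, must not trip
SUSTAINED = [120_000] * 10       # steady high egress, must trip
SAMPLE = IDLE + BURST + SUSTAINED

if __name__ == "__main__":
    print("tripped at second", first_trip(SAMPLE))  # 24
```

The window average plus the sustain counter is what keeps a single big upload from being mistaken for data mining; tune both to the host's normal traffic before wiring the action to anything destructive.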
I suspect that they would listen to it, because then they can put a sticker on the front of the box which says 'Conforms to IEEE Security Standards'. And that will be a big selling point, because people are really starting to get pissed.
I expect it will raise their security level, but raise expectations even higher, and increase the general danger brought about by virii and so-such due to user over-confidence.
This is a slap in the face of Microsoft. But obviously Microsoft will be solicited for input.
Unfortunately, I see one (or both) of two things happening:
1) "This standard will enable mass production of a class of operating systems that meet the minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics,"
MS will attempt to set the "floor" to be barely above its current standard for security and reliability.
2) Microsoft will drag the whole thing down some "Trusted Computing" DRM rathole.
When this standard is in place and a company, say, Microsoft, releases an operating system that they claim is secure but is not and does not follow the standard accepted for security by the rest of the industry, and its security fails as a result of this noncompliance, could Microsoft then be sued for damages?
Usually, only one of those is the case, as with metric vs. standard. It's a helluva lot of hassle to convert a lot of people to using metric when everything is done a different way.
Except for the fact that it is much easier to calculate in metric, and many Americans, such as myself, who deal with both systems, depending on the subject at hand, find metric much easier than the Imperial system that we grew up using.
And, yes, America is different for the sake of being different. It may be brutish and idiotic, but it also results in diversity.
I fail to see how adopting the metric system would in any way threaten the diversity that we (at least the sane ones among us, perhaps not the majority) dearly love about our country.
I prefer slightly worse stuff to perfectly consistent stuff in many ways.
I agree, but often the American tendency to be "different" not only results in "slightly worse stuff" but it also results in such mind numbing consistency that we must seek products elsewhere for not only quality, but for something that is different, especially when the "stuff" is beer.
It forces constant change, fights off stagnation, etcetera.
Actually it was the growing dominance of foreign imports that caused the diversification of the American beer market and allowed the "microbrews" to share a place on the shelf. The non-standardization of brewer products allowed the few large brewers who manufactured the most cheaply made product to dominate the beer distribution markets after prohibition until relatively recently, when foreign brewers became able to produce enough product for the American market (mostly due to the strength of the dollar in relation to their own native currencies), in spite of some of the older breweries that had more diverse product lines (such as D.G. Yuengling, Stegmaier, and some of the other older breweries that pre-dated prohibition).
Read, L
More times than I care to recall, a decision has had to be made between the right way and the fast way. The fast way almost always wins, even if it is fragile and error-prone.
Is the computing community willing to give more than lip service to security and reliability? Past history says no.
Mea navis aericumbens anguillis abundat
This is typical of professional prejudice these days: (see above reply)
It's unfortunate that in capitalist societies people blindly accept that everything should cost money, even things such as information which can be replicated ad infinitum at no cost and without disturbing the original.
If this group, ostensibly chartered to set standards for the common good, finds it must charge money to those whom it purports to benefit, it is a bureaucracy and hence inimical to its stated purpose. Drafting standards is an activity which necessitates no production of physical materials and does not even require a physical meeting venue thanks to the ubiquitous Internet (which some of the IEEE's members helped architect for the very purpose of free information exchange). All this activity requires is volunteers and time. Why should any costs be incurred? If these engineers can't exploit tools such as the Internet to eliminate any financial overhead for the organization as a whole, I personally wouldn't trust them to draft standards for base OS security.
No, information is not free. But it should be freed, especially from bureaucracies and profiteers. For those thick of the head, here's how volunteerism should work: I'm going to call up 19 friends, ask them to donate $5 a piece, and release this document on Freenet. That's what I call for the common good.