Slashdot Mirror


IEEE to Standardize OS Security Components

aster_ken writes "The Institute of Electrical and Electronic Engineers has started work on a standard for securing operating systems, as a recognition that software security is 'limited by the operating systems that underpin them', the organization said yesterday. The standard, dubbed IEEE P2200, will address external threats and intrinsic flaws arising from software design and engineering practices."

5 of 197 comments

  1. great... by arcanumas · · Score: 3, Interesting
    The way I see it, 2 things can happen. One is that it will be too demanding/utopian/generic and no one will apply it, in which case the standard's existence is of no importance.
    The other is that at some point a system that adheres to the standard will be compromised and will raise questions as to the usefulness of this standard.

    I don't question the need for standards, but not all things can be standardized. Standards stand for a commonly accepted way of doing something. Security is still too volatile.

    --
    Slashdot Sig. version 0.1alpha. Use at your own risk.
  2. Not A Guarantee by robbyjo · · Score: 4, Interesting

    It's true that some flaws in the OS are inherently design-based. However, even if we make certain design requirements to be incorporated in the OS, it still doesn't guarantee that the OS is secure. I would think that it even can't minimize the number of OS breaches. It would even hamper the OS development in order to comply with their standards.

    About the quote regarding the "minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics". I don't think it would be possible; the goal of "the least restrictive requirement while not relenting the control" is vague. Unless it provides rigid post- or pre-conditions of each method (in first order logic if necessary) and provides each formal specification unambiguously, I would still see some leaks here and there. And, guess what? They put the requirement like UML standards: Way too vague. Congratulations.

    For those of you who are curious, click here for the draft.

    --
    Error 500: Internal sig error
  3. I predict one of three things will happen by mark-t · · Score: 4, Interesting
    And they all involve Microsoft

    One, the final standard spec will be loose enough that Windows will already be compliant, so it won't mean anything.

    Two, the final standard spec will be Microsoft's Windows-centric implementation of a secure system (existing Windows systems may not be compliant, but future ones would be). No non-Windows system would be able to meet the standard without extensive licensing fees being paid to Microsoft to license the technologies needed.

    Three, the final standard spec will be sensible, and Microsoft will ignore it. With the mainstream desktop environment paying no regard to the specification, the spec fails to acquire the widespread adoption necessary to become a real standard.

  4. Re:Some info by Roxy · · Score: 4, Interesting
    Anyways the IEEE has a track record of working on security-related standards

    Yes, like the P1003.6 (POSIX Security) which I was involved with (died because of lack of interest and political conflicts) as well as P1003.22 (Distributed Security) which I was one of the founders of (was later adopted by X/Open and is usually irrelevant today).

    For some reasons (like practical experience), I don't believe the IEEE will manage this any better than they have before (i.e., very badly, mostly due to political aspects having precedence before technical and security aspects).

    Feel free to mod an old cynic down.

    --
    -- Roland Buresund MBA, MCMI, CISSP
  5. Re:Americans and standards by qtp · · Score: 3, Interesting

    Usually, only one of those is the case, as with metric vs. standard. It's a helluva lot of hassle to convert a lot of people to using metric when everything is done a different way.

    Except for the fact that it is much easier to calculate in metric, and many Americans, such as myself, who deal with both systems, depending on the subject at hand, find metric much easier than the Imperial system that we grew up using.

    And, yes America is different for the sake of being different. It may be brutish and idiotic, but it also results in diversity

    I fail to see how adopting the metric system would in any way threaten the diversity that we (at least the sane ones among us, perhaps not the majority) dearly love about our country.

    I prefer slightly worse stuff to perfectly consistent stuff in many ways.

    I agree, but often the American tendency to be "different" not only results in "slightly worse stuff" but it also results in such mind-numbing consistency that we must seek products elsewhere for not only quality, but for something that is different, especially when the "stuff" is beer.

    It forces constant change, fights off stagnation, etcetera.

    Actually it was the growing dominance of foreign imports that caused the diversification of the American beer market and allowed the "microbrews" to share a place on the shelf. The non-standardization of brewer products allowed the few large brewers who manufactured the most cheaply made product to dominate the beer distribution markets after prohibition until relatively recently, when foreign brewers became able to produce enough product for the American market (mostly due to the strength of the dollar in relation to their own native currencies), in spite of some of the older breweries that had more diverse product lines (such as D.G. Yuengling, Stegmaier, and some of the other older breweries that pre-dated prohibition).

    --
    Read, L