Slashdot Mirror

← Back to Stories (view on slashdot.org)

IEEE to Standardize OS Security Components

Posted by michael on from the pointing-no-fingers dept.

aster_ken writes "The Institute of Electrical and Electronic Engineers has started work on a standard for securing operating systems, as a recognition that software security is 'limited by the operating systems that underpin them', the organization said yesterday. The standard, dubbed IEEE P2200, will address external threats and intrinsic flaws arising from software design and engineering practices."

3 of 197 comments (clear)

  1. Not A Guarantee by robbyjo · · Score: 4, Interesting

    It's true that some flaws in the OS are inherently design-based. However, even if we make certain design requirements to be incorporated in the OS, it still doesn't guarantee that the OS is secure. I would think that it even can't minimize the number of OS breaches. It would even hamper the OS development in order to comply with their standards.

    About the quote regarding the "minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics". I don't think it would be possible the goal of "the least restrictive requirement while not relenting the control" is vague. Unless it provides rigid post- or pre-conditions of each method (in first order logic if necessary) and provide each formal specifications unambiguously, I would still see some leaks here and there. And, guess what? They put the requirement like UML standards: Way to vague. Congratulations.

    For those of you who are curious, click here for the draft.

    --

    --
    Error 500: Internal sig error
  2. I predict one of three things will happen by mark-t · · Score: 4, Interesting
    And they all involve Microsoft

    One, the final standard spec will be loose enough that Windows will already be compliant, so it won't mean anything.

    Two, the final standard spec will be Microsoft's Window-centric implementation of a secure system (existing windows systems may not be compliant, but future ones would be). No non-Windows system would be able to meet the standard without extensive licensing fees being paid to Microsoft to license the technologies needed.

    Three, the final standard spec will be sensible, and Microsoft will ignore it. With the mainstream desktop environment paying no regard to the specification, the spec fails to acquire the widespread adoption necessary to become a real standard.

    --
    File under 'M' for 'Manic ranting'
  3. Re:Some info by Roxy · · Score: 4, Interesting
    Anyways the IEEE has a track record of working on security-related standards

    Yes, like the P1003.6 (POSIX Security) which I was involved with (died because of lack of interest and politicial conflicts) as well as P1003.22 (Distributed Security) which I was one of the founders of (was later adopted by X/Open and is usually irrelevant today).

    For some reasons (like practical experience), I don't believe the IEEE will manage this any better than they have before (i.e., very badly, mostly due to political aspects having precedents before technical and security aspects).

    Feel free to mod an old cynic down.

    --
    -- Roland Buresund MBA, MCMI, CISSP