Slashdot Mirror


IEEE to Standardize OS Security Components

aster_ken writes "The Institute of Electrical and Electronic Engineers has started work on a standard for securing operating systems, as a recognition that software security is 'limited by the operating systems that underpin them', the organization said yesterday. The standard, dubbed IEEE P2200, will address external threats and intrinsic flaws arising from software design and engineering practices."

21 of 197 comments

  1. In other news by Unregistered · · Score: 4, Funny

    Microsoft creates own standards bureau
    Deems Windows perfect, others not

  2. Limited release by Anonymous Coward · · Score: 5, Insightful

    That's just great, codify the security aspects of OSes into a $100 document that can't be freely redistributed. That's a really good idea...

  3. great... by arcanumas · · Score: 3, Interesting
    The way I see it, 2 things can happen. One is that it will be too demanding/utopian/generic and no-one will apply it, in which case the standard's existence is of no importance.
    The other is that at some point a system that adheres to the standard will be compromised and will raise questions as to the usefulness of this standard.

    I don't question the need for standards, but not all things can be standardized. Standards stand for a commonly accepted way of doing something. Security is still too volatile.

    --
    Slashdot Sig. version 0.1alpha. Use at your own risk.
    1. Re:great... by GoofyBoy · · Score: 4, Insightful

      >Security is still too volatile.

      Better put: Security is in the details.

      If I'm going to crash a system then it's going to be its specific weakness/flaw and not some standard hole in every product.

      The standard will help but it still does not guarantee the implementation will be invulnerable.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  4. IEEE by Anonymous Coward · · Score: 4, Funny

    Never mind a secure OS, I think these electronic engineers sound like very useful devices. Is there a review of one anywhere? How much do they cost? Do they run Linux?

    1. Re: IEEE by Black+Parrot · · Score: 3, Funny


      > Never mind a secure OS, I think these electronic engineers sound like very useful devices. Is there a review of one anywhere? How much do they cost? Do they run Linux?

      Yeah, I have an old mechanical engineer, and I think it's about time to upgrade to a modern electronic one in order to reduce the maintenance costs.

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. So, did anyone else... by pla · · Score: 5, Insightful

    So, did anyone else read the linked article and think "Looks like someone bought the IEEE's support of TCPA / Palladium"?

    I hope not, but it certainly sounds that way. Basically, it makes the point that we cannot trust people not to run programs that break their own (or others') computers, so the task of limiting what (possibly malicious) code can run falls to the OS.

    Sad. If I didn't have complete confidence that any DRM scheme will eventually prove itself flawed, I might actually worry. Though, I certainly do not look forward to the general inconvenience it would cause, regardless...


    Only education (and not running Outlook) will help reduce the modern plague of worms, virii, spam, and other ways to generally make a computer and the internet grind to a crawl. Not legislation, and not crippled hardware. People simply need to learn how to secure their own damn machines.

    1. Re:So, did anyone else... by esme · · Score: 4, Insightful

      > Basically, it makes the point that we cannot trust people not to run programs that break their own (or others) computers, so the task of limiting what (possibly malicious) code can run falls to the OS.

      you know, this basic premise doesn't have to be tied up in DRM. i think any decent security model is going to involve partitioning off system capabilities that aren't appropriate to the current user/situation/time of day/etc.

      unix has had this sort of thing for ages, in the form of user permissions, and ulimit. ulimit supports various parameters -- files, memory, cpu, etc. that can be consumed. taking this to its logical conclusion and including bandwidth, address book access, connections to various servers, etc. could provide a pretty logical way to fence in worms.

      providing even more restricted environments (like chroot jails or the applet runner) for untrusted code would be a good idea, too. if microsoft is going to insist on allowing people to email executables (screen savers, vbscript, etc.), the world will be better off if they execute in an environment that can't access the network, DoS the local machine, etc.

      -esme
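
The resource-limit fencing esme describes, as an added example that is not part of the thread: a Python wrapper that applies the limits `ulimit` sets (through `setrlimit`) to a child process before it runs. The function names, exit code 27 and both child programs are constructed for illustration; it covers CPU time and file size only, not the network limits the comment proposes.

```python
import resource
import signal
import subprocess
import sys

EFBIG_EXIT = 27  # assumption: exit code our sample child uses to report EFBIG

# Constructed sample "untrusted" programs (not from the thread).
SPIN = "while True: pass"
WRITER = (
    "import errno, sys, tempfile\n"
    "try:\n"
    "    with tempfile.TemporaryFile() as f:\n"
    "        f.write(b'x' * (1 << 20))\n"
    "        f.flush()\n"
    "except OSError as e:\n"
    f"    sys.exit({EFBIG_EXIT} if e.errno == errno.EFBIG else 1)\n"
)


def run_fenced(argv, cpu_seconds=None, max_file_bytes=None, timeout=30):
    """Run argv with rlimits applied in the child, between fork and exec."""
    def apply_limits():
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps
        if cpu_seconds is not None:
            # Soft limit raises SIGXCPU; the hard limit a second later is SIGKILL.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        if max_file_bytes is not None:
            resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes,) * 2)

    return subprocess.run(argv, preexec_fn=apply_limits, stdin=subprocess.DEVNULL,
                          capture_output=True, timeout=timeout)


def verdict(proc):
    """Map the child's exit status to the limit that stopped it, if any."""
    rc = proc.returncode
    if rc in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu limit"
    if rc in (-signal.SIGXFSZ, EFBIG_EXIT):
        return "file size limit"
    return "ok" if rc == 0 else "failed"


if __name__ == "__main__":
    py = sys.executable
    print(verdict(run_fenced([py, "-c", SPIN], cpu_seconds=1)))
    print(verdict(run_fenced([py, "-c", WRITER], max_file_bytes=64 * 1024)))
    print(verdict(run_fenced([py, "-c", WRITER])))
```

The limits are inherited by anything the child spawns and cannot be raised again without privilege, which is what makes them usable as a fence.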

  6. Re:Here here! by bryanthompson · · Score: 4, Insightful

    don't get too excited there, guy. just because someone puts out a 'standard' doesn't mean everyone has to follow it. anyone can form an organization to make standards, but they don't mean anything if nobody wants to follow them.

    Not only that, but people like microsoft will just make their own standards and ignore the ones already set. They won't have any effect on anything, imho.

  7. Not A Guarantee by robbyjo · · Score: 4, Interesting

    It's true that some flaws in the OS are inherently design-based. However, even if we make certain design requirements to be incorporated in the OS, it still doesn't guarantee that the OS is secure. I would think that it even can't minimize the number of OS breaches. It would even hamper the OS development in order to comply with their standards.

    About the quote regarding the "minimum expectations of consumers for security and general reliability by establishing a floor for these characteristics". I don't think it would be possible the goal of "the least restrictive requirement while not relenting the control" is vague. Unless it provides rigid post- or pre-conditions of each method (in first order logic if necessary) and provide each formal specifications unambiguously, I would still see some leaks here and there. And, guess what? They put the requirement like UML standards: Way too vague. Congratulations.

    For those of you who are curious, click here for the draft.

    --
    Error 500: Internal sig error
  8. This could be good by Bruha · · Score: 4, Insightful

    I think it's time for all OS's to accept standards to help people interact with each other effectively and securely. As everyone knows, Microsoft has shunned many attempts at standards in order to control their market share by keeping their users pinned into Microsoft sanctioned data. This has the effect of forcing businesses to support the Microsoft users first and everyone second if at all.

    I think a security standard should be enforced by a world body to help prevent Microsoft from once again taking the standard and corrupting it to work only with Windows and .Net applications thus forcing the same cycle of users/companies designing to MS standards again thus shutting out the rest of us from secure systems.

    Some would say standards hurt computing; that's not exactly the case. You can design products around standards and still compete with other standard compliant products. It allows everyone to remain compatible and at the same time Darwinism will take effect with bad products going away and good products evolving to better suit their users.

  9. I predict one of three things will happen by mark-t · · Score: 4, Interesting
    And they all involve Microsoft

    One, the final standard spec will be loose enough that Windows will already be compliant, so it won't mean anything.

    Two, the final standard spec will be Microsoft's Windows-centric implementation of a secure system (existing Windows systems may not be compliant, but future ones would be). No non-Windows system would be able to meet the standard without extensive licensing fees being paid to Microsoft to license the technologies needed.

    Three, the final standard spec will be sensible, and Microsoft will ignore it. With the mainstream desktop environment paying no regard to the specification, the spec fails to acquire the widespread adoption necessary to become a real standard.

  10. I've got a secure system by Jacer · · Score: 3, Funny

    It has no network adapter (modem or otherwise) and no input devices (as in all the ports ps/2 com et cetera have been melted shut or broken off). It has no hard drive, just rom, and it's in a chest rigged to explode somewhere at the bottom of the North Atlantic! I extend an invite to all the hackers/crackers to try to bypass it!

    --
    --fetch daddy's blue fright wig, i must be handsome when i release my rage
  11. Quit whining - not everything has to be free by sczimme · · Score: 3, Informative


    This is typical of so many kiddies these days: "I want everything for free, even if it's something I will never need/use/understand".

    Many products that are the result of the work of many people - like cars, toasters, and yes, even documents - cost money to produce. Learn to recognize which items are worth the amount on the price tag, and purchase accordingly.

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:Quit whining - not everything has to be free by qtp · · Score: 5, Informative

      The problem with this particular document being a "pay to play" licensing scheme, is that it will likely be adopted into law in some way, either as a supplier specification or as a compliance requirement for marketing a product or service.

      There are several jurisdictions in the United States where their building codes are released in this way and are protected under copyright requiring a builder or homeowner to pay a large amount to have a copy of the current codes for reference and to pay an additional amount to include excerpts from the code in zoning and building permit applications. The fact that all persons (in that jurisdiction) are subject to compliance with these codes makes the licensing scheme an unfair limitation on builders giving an unfair advantage to larger construction companies and prevents homeowners being able to make even small improvements to their properties if they are on a limited budget.

      I have seen building projects where the cost of preparing the permits was extensively more than the cost of actual construction due to licensing costs for access to the building codes and the necessity of including excerpts from the building code in the application. The one that springs to mind is a $1,500.00 improvement to a fire escape (required by code) that cost in excess of $2,000.00 to prepare the permits. If there had been no licensing fee for code excerpts, and if a reference copy of the code had been possible to obtain for less than $750.00, it would have cost less than $500.00 to prepare the permit, as it would have been possible to prepare the application in house and would not have required a legal review of the application before submittal.

      The only purpose that charging for the use of a specification serves is to limit the playing field in the affected industry to a certain class of individuals who either already have money with which to pay, or have made commitments to persons who might or might not be knowledgeable about the involved technology, but have the economic power and the desire to regulate that industry.

      This kind of non-governmental regulation puts an artificial limitation on the mechanisms of capitalism and prevents the very kind of "free market" (that you seem to be arguing for) from developing and prevents participation from legitimate businesses and other projects that have the necessary skills, knowledge, and abilities, but are lacking in support from the already established players in that market.

      --
      Read, L
  12. Re:So What? by Jameth · · Score: 3, Funny

    I beg to differ. IEEE won't take them down, but it will bug them a bit. It is somewhat like MS being a rampaging bear, Linux being a horde of bunny-rabbits, and IEEE being a bunch of thorny trees.

    Linux hits the trees less, but it irritates the bear and prevents it from rearing up. Eventually, after the Linux bunnies all mate like crazy, one bunny rabbit is born that is somewhat like the bunny in Monty Python's The Search for the Holy Grail. The point here is to mate Linux distros with each other until the perfect bunny emerges.

  13. Americans and standards by Tim+Ward · · Score: 4, Insightful

    Um, yes, perhaps.

    Remember the reaction of the average American to an international standard is to denounce it as a communist plot, particularly if one of the European standards bodies takes an interest (or even ISO, which most Americans regard as European and therefore communist).

    If you want an example of how well Americans make good use of international standards you just have to look at their mobile phone system ... and laugh or weep to taste. (I have this phone which works in 199 countries of the world and doesn't work in one, which is ... guess which? Likewise there's just one country in the world which uses strange paper sizes ... just one country which is so wedded to Imperial units that it crashes spacecraft in preference to following international standards ... and so on and so on ...)

    Now, if most operating system manufacturers were European and Japanese this would be a good idea, because they'd be likely to follow any new international standard. But it happens to be a fact of life that many operating systems are produced or contributed to by Americans, so any such idea is dead in the water before it gets off the ground.

    1. Re:Americans and standards by qtp · · Score: 3, Interesting

      Usually, only one of those is the case, as with metric vs. standard. It's a helluva lot of hassle to convert a lot of people to using metric when everything is done a different way.

      Except for the fact that it is much easier to calculate in metric, and many Americans, such as myself, who deal with both systems, depending on the subject at hand, find metric much easier than the Imperial system that we grew up using.

      And, yes America is different for the sake of being different. It may be brutish and idiotic, but it also results in diversity

      I fail to see how adopting the metric system would in any way threaten the diversity that we (at least the sane ones among us, perhaps not the majority) dearly love about our country.

      I prefer slightly worse stuff to perfectly consistent stuff in many ways.

      I agree, but often the American tendency to be "different" not only results in "slightly worse stuff" but it also results in such mind-numbing consistency that we must seek products elsewhere for not only quality, but for something that is different, especially when the "stuff" is beer.

      It forces constant change, fights off stagnation, etcetera.

      Actually it was the growing dominance of foreign imports that caused the diversification of American beer market and allowed the "microbrews" to share a place on the shelf. The non-standardization of brewer products allowed the few large brewers who manufactured the most cheaply made product to dominate the beer distribution markets after prohibition until relatively recently, when foreign brewers became able to produce enough product for the American market (mostly due to the strength of the dollar in relation to their own native currencies), in spite of some of the older breweries that had more diverse product lines (such as D.G. Yuengling, Stegmaier, and some of the other older breweries that pre-dated prohibition).

      --
      Read, L
  14. No operating system will ever be completely secure by rborek · · Score: 3, Insightful

    As long as there are people creating software, there will always be security bugs in the operating system. You just can't go over millions of lines of code and spot every bug that can result in a security breach - especially if two portions of code combined are the reason for the breach (those two pieces of code can be hundreds of thousands of lines of code apart). I predict that they'll certify an operating system secure... and then the next day a security alert will be announced for it. Microsoft has come a long way from their old operating systems - Windows Server 2003 is much more secure, but no operating system will ever be 100% secure as long as there are hackers out there to test every possible vulnerability... and the fact that there are administrators out there that may not secure the OS down and make stupid configuration errors.

  15. Re:No operating system will ever be completely sec by Wesley+Felter · · Score: 3, Insightful

    > You just can't go over millions of lines of code and spot every bug that can result in a security breach

    That's why really secure OSes don't have millions of lines of security-critical code.

  16. Re:Some info by Roxy · · Score: 4, Interesting
    Anyways the IEEE has a track record of working on security-related standards

    Yes, like the P1003.6 (POSIX Security) which I was involved with (died because of lack of interest and political conflicts) as well as P1003.22 (Distributed Security) which I was one of the founders of (was later adopted by X/Open and is usually irrelevant today).

    For some reasons (like practical experience), I don't believe the IEEE will manage this any better than they have before (i.e., very badly, mostly due to political aspects having precedence before technical and security aspects).

    Feel free to mod an old cynic down.

    --
    -- Roland Buresund MBA, MCMI, CISSP