Slashdot Mirror
Windows Gets Independent Security Certification
linumax writes "Microsoft Corp. on Wednesday clinched Common Criteria security certification from the U.S. government's National Information Assurance Partnership for six versions of its flagship Windows OS. The products receiving CC certification include Windows XP Professional with Service Pack 2 and Windows XP Embedded with Service Pack 2. Four different versions of Windows Server 2003 also received certification. Common Criteria certification, which was ratified as an international standard in 1999, helps customers in key market segments evaluate IT products when making software purchase decisions and contribute to higher levels of consumer confidence in IT product security, Lipner said. SuSE Linux ES 9 has already achieved the certification and almost a year away from being released, Red Hat Enterprise Linux 5 is on the path toward EAL4 certification."
I took a security-related class not too long ago. The prof pointed out that the CC is basically worthless. The important thing is the profile. For example, he said most CC certifications are given out for a profile of a system on a friendly network that is not physically accessible to untrusted users. How useful is that?
He also said something to the effect of: You can claim that your security policy has never been breached, as long as your policy is to not check security.
The problem is that government perpetuates this by requiring people/companies to spend tons of money on this stuff to get "approved" for government use.
For those who don't have the foggiest... More info on Common Criteria Certification can be found Here
Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
Copied verbatim from the Common Criteria v2.1 specification. I can't make heads nor tails of it:
Evaluation assurance level 4 (EAL4) - methodically designed, tested, and reviewed
Objectives
EAL4 permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.
EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs.
Assurance components
EAL4 (see Table 6.5) provides assurance by an analysis of the security functions, using a functional and complete interface specification, guidance documentation, the high-level and low-level design of the TOE, and a subset of the implementation, to understand the security behaviour. Assurance is additionally gained through an informal model of the TOE security policy.
The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and high-level design, selective independent confirmation of the developer test results, strength of function analysis, evidence of a developer search for vulnerabilities, and an independent vulnerability analysis demonstrating resistance to penetration attackers with a low attack potential.
EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures.
This EAL represents a meaningful increase in assurance from EAL3 by requiring more design description, a subset of the implementation, and improved mechanisms and/or procedures that provide confidence that the TOE will not be tampered with during development or delivery.
Assurance class
Assurance components
Class ACM: Configuration management
ACM_AUT.1 Partial CM automation
ACM_CAP.4 Generation support and acceptance procedures
ACM_SCP.2 Problem tracking CM coverage
Class ADO: Delivery and operation
ADO_DEL.2 Detection of modification
ADO_IGS.1 Installation, generation, and start-up procedures
Class ADV: Development
ADV_FSP.2 Fully defined external interfaces
ADV_HLD.2 Security enforcing high-level design
ADV_IMP.1 Subset of the implementation of the TSF
ADV_LLD.1 Descriptive low-level design
ADV_RCR.1 Informal correspondence demonstration
ADV_SPM.1 Informal TOE security policy model
Class AGD: Guidance documents
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
Class ALC: Life cycle support
ALC_DVS.1 Identification of security measures
ALC_LCD.1 Developer defined life-cycle model
ALC_TAT.1 Well-defined development tools
Class ATE: Tests
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: high-level design
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
Class AVA: Vulnerability assessment
AVA_MSU.2 Validation of analysis
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.2 Independent vulnerability analysis
See http://niap.nist.gov/cc-scheme/st/ST_VID4012.html
For those of you who haven't done Common Criteria, a few clarifications:
EAL stands for "Evaluation Assurance Level". Your EAL level describes the degree to which you demonstrated your claims. It says almost nothing about what those claims are. It's an exaggeration to say you could get EAL 4 on a brick by claiming that it would stay put when you dropped it, but not a big one.
The claims are contained in your Security Target (ST), which is a series of claims about the Target of Evaluation (ToE). Your ST doesn't necessarily have to include many claims relevant to good security, and your ToE can exclude many subsystems and capabilities of the system being certified. To use a pre-CC example, Windows NT got an Orange Book certification by specifying that the certified system could not be connected to a network.
If you want to adhere to a standard that tries to verify that your ToE includes capabilities that make your device useful and that your ST makes claims which really mean something about the security properties of device, you demonstrate compliance with a published Protection Profile (PP). In the US, there are a series of PP's published . These PP's describe relevant capabilities and security properties for systems used in various roles (for example, a traffic filter firewall for low risk environments).
Without a PP, the only way to know what that EAL 4+ actually means is to closely read the ToE and the ST to figure out just how thin they sliced the salami.
Having said all that, a tiny bit of research confirms that Microsoft actually certified these systems against the Controlled Access PP. This is a basic robustness standard (by comparison, Red Hat Linux 5 is also certified against the Labeled Security PP and the Role Based Access Control PP, which assert more robust security capabilities), but it's quite a bit more than nothing, and quite a bit more than many companies do to get their "we do Common Criteria" marketing claim.
Color me impressed.
Vendors hated this process. First, the vendors didn't control the test process - the National Security Agency's Central Security Service did. NSA's policy back then was that you got two tries to pass validation. On the first try, the vendor was told of problems found, and given a chance to fix them. The second try was strictly pass/fail, and might include tests that the vendor had never seen. So it was quite possible, and common, for products to flunk and be cut out of procurements.
The Common Criteria process, on the other, hand, is conducted by third party labs paid by the vendor. So they're very "responsive" to the vendor.
The "Common Criteria" are comparable to the class C Orange Book standards. They're very weak. There was heavy lobbying by the computer industry to water down the Orange Book standards, and that lobbying was successful.
The evaluation report for Windows XP is online. It's worth reading, even though it's long.