Navy Now Mandated To Consider FOSS As an Option

lisah writes "In a memorandum handed down from Department of the Navy CIO John Carey this week, the Navy is now mandated to consider open source solutions when making new software acquisitions. According John Weathersby, executive director of the Open Source Software Institute, this is the first in a series of documents that will also address 'development and distribution issues regarding open source within Navy IT environments.'"

Re:Cool!!

[Registered+Coward+v2]

Actually, all it says is that OSS can be considered COTS; so a DON entity can now classify OSS as COTS for procurement purposes. Nothing in it says they must consider OSS during procurement; and the requirement to talk to the lawyers when considering it will probably result in it being ignored anyway.

Of interest would be the clause about internal use - if one government agency modifies it can any other use it without requiring a broader release of the source? On theory the DON, as longs the program stays within the US Government, would be under no obligation to release any modifications since they have not distributed it; all they have done is install and run it on machines owned by them.

Re:Great! This is what you have to do

[jd]

It was rated C2, which means that it's got the real basic protections but that's about it. C-class operating systems were the lowest that could be used in any Government role, so when the early Windows 2000 failed one of the tests, it was technically unlawful to use Windows 2000 for any Government work, even when totally standalone. (The Orange Book only measured internal security, not network security, so failing on the Orange Book tests was a big deal.)

Although NT4 was certainly used for secret material, I am pretty sure that only B-rated operating systems were entitled to hold secret and some top secret information. A-rated systems could be used for anything. Only one truly general-purpose A-rated OS (Genesis) was ever developed and officially rated - many other A-rated OS' existed, but they were all special-purpose. C-rated systems were only supposed to be used for unclassified and commercially sensitive material, if I remember the system correctly.

Trusted Solaris was rated B1, which meant it was as good as you could get without some very stringent formal proofs of correctness and formal design methodologies. The big difference between B1 and A1 is that a B1 system is bulletproof only according to any tests and evaluations performed on it, but the tests aren't guaranteed comprehensive. With an A1 system, you also know that the implementation exactly matches the design and that there is no obvious flaw in the design.

However, the criteria have shifted over time. Under the Common Criteria, Trusted Solaris and Solaris 9 "only" rate EAL-4+ (out of a maximum of 7), with PR/SM and XTS-400 being the only ones to rate 5. Bear in mind that RHEL4 update 1 is also classed as 4+, as are Windows Server 2003 and Windows XP. The difference in security between Windows 2003 and Trusted Solaris is so vast as to be laughable, and the idea that a highly specialized, highly secure system like XTS-400 is less than a single unit of trustworthiness better than XP is a complete joke. Clearly the method used in the Common Criteria is flawed to the point of not being useful as a measure of trust.

Mind you, the Orange Book was not perfect. Trusted Irix was rated B3, MULTIX was rated B2. The Multicians (a group of surviving kernel developers for MULTICS) let me know that there was no API, but you can't test if the API works if there is no API to test against. This makes testing for code safety difficult at best - you've nothing to tell you what's meant by safe. I'm prepared to believe MULTIX was brilliant, in fact I do believe that, but I have a hard time believing that the level of trust you could place in it was somewhere between that of Trusted Irix and Trusted Solaris. That may well be the case, but it feels more likely somehow that the evaluation criteria are too narrow and too minimalistic.

(I'd develop my own criteria, but having friends and karma on Slashdot doesn't equate to being taken more seriously by industrial leaders on security issues than defense industry specialists. In fact, even being on Slashdot is probably a big minus in the eyes of places like BAE or Sun Microsystems. Which, of course, is stupid - everyone here knows Slashdot readers are the creme a-la creme of the industry.)

Re:Great! This is what you have to do

[jd]

Ok, here's a rundown on what I'd consider to be the criteria for measuring the trust of an OS:

• Privileges should be defined on a gross level using role-based access controls and then on a fine level using hierarchical access controls:
  • Privileges should be universal. In other words, they should not just apply to applications or system calls, but also to address ranges, network ports, network types of service, disk directories, memory regions, shared memory regions, login and authentication methods, swap space quota and rights, run queues available - everything.
  • Privileges can never increase, but they can decrease. If a thread loses the right to run, any time to run in, or any ability to do anything if running, then it can be used for denial of service but nothing else and should therefore be eliminated.
• The OS should not allow a user to escalate their privileges, even if a flaw is found within an application or Operating System:
  • Programs either run or accessed by a "local" user (or remotely by an identified "local" user) should never have greater rights than that subset of rights that exists for both program and user.
  • Programs either run or accessed by any other remote user should always be run with minimal rights.
  • The same is true for all other communication between any combination of users, processes, activities and resources.
• The OS should not allow a user to escalate anyone else's privileges either (a major requirement of systems on classified networks):
  • If any resource of any kind is placed somewhere another user can access it, that resource must have privileges that are no greater than the subset of it's own privileges, that of the source user/process and that of the destination user/process.
  • The source and destination must be of a compatible nature - some roles cannot transfer resources to other roles, transfers that would result in the elimination of a mandated right would not be permitted, etc.
  • Where the transfer is of a pipe or other communications mechanism, nothing coming through the pipe can have greater rights than the pipe itself.
• There should be no bypass mechanism:
  • This means no superuser, no special kernel components and no supervisory element. Everything that runs, including all kernel threads, should run with relative not absolute rights. When bugs are found - and they will be - the damage should be restricted to within a smaller scope than could have been inflicted without the bug.
• The overall design of the software should be structurally correct.
  • In other words, if you draw out how the data flows, there should be no arc that would invalidate the security model by running out of rights or by having too many.
• Those components for which a mathematical model can both exist and be verified should have such a model that has been verified.
  • Formal Methods are extremely hard to use well for giant projects, but there are many subsets for which they are ideal. An example of a formal method would be the Z Specification language, which is now an ISO standard. Tedious in the extreme for anything that's long and complex, it would be very usable for privilege management, key functions such as kmalloc/kfree, and other fundamental components on which the OS depends.
• All components and combinations of components should be fully specified in some form and tested to that specification.
  • A specification needn't be formal in the mathematical sense, but it should be possible to derive valid cases, extreme (ie: corner) cases, and invalid cases. Both component-level and integrated test harnesses should then validate that all identified cases produce the expected results. Integrated testing should include both shotgun and continuous tests.
  • Distributed and massively parallel algorithms can be extremely difficult to prove, but it is essential for any level of confidence that they be pr