Secure OS Gets Highest NSA Rating, Goes Commercial

ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.

Let the Testing begin...

[sbenson]

Now let people who don't have financial ties test it.

Re:Let the Testing begin...

[sbenson]

If it is Internet facing, it's an open test bed.

n/t

[KasperMeerts]

I'm sorry if I take a test that gives Windows and Linux the same security rating not very seriously.
Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.

Re:n/t

A dog and a horse both have four legs but, they do have several other differences.

Re:n/t

[blhack]

Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.

You forget the the NSA pretty much recruits the best and brightest hackers that the world has to offer. Their policy of "we don't have a budget" and the oppurtunity to work on the absolute cutting edge (and actually see it put to use) is pretty much the most kickass thing that you can offer somebody who has a passion for knowledge.

Re:n/t

[thermian]

I imagine they see having the source code available as a negative for Linux simply because it gives would be attackers much more information about the system than is otherwise available.

That theory is one touted by commercial OS vendors, and its been thoroughly disproved. Availability or otherwise of source code has no effect on the hardness of your OS. If anything having it available is even safer, because its a heck of a lot easier for people to point at a problem bit of code and say 'fix that bit now'.

What causes the problem is non rigorous OS design. Hiding the source won't help you protect your clients from a design flaw which allows them to be attacked.

The OS in question here however is most likely quite rigorously designed, and won't have a lot of the bloat that causes desktop OSs so many problems.

Re:n/t

[CaptainPatent]

Indeed, I was looking at that too and some interesting points from the wiki article:

To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
[...]
Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.

So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing. So even if a Linux distro wanted to be verified at a higher level - who's going to fork over the dough?

Additionally this seems to be a hired method of testing and bug report/fixing. Just because they fix the bugs found at one "level" of testing does not mean there aren't missed holes. Additionally it doesn't mean that a well written piece of software isn't capable of a higher rating with little or no fixes (like the Linux kernel probably is.) It is impressive that Integrity-178B achieved the EAL-6+ rating because it has definitely been put through its paces... and due to the way it was designed it probably has very few holes in it, but EAL should definitely not be the end-all be-all judge of OS quality.

Re:n/t

My question to blanket statements like this is always, "Which version of Windows?"

Give me any of the NT family of Windows (pro or business editions as the case may be) and I can configure them to be as security as any version of Linux.

The main problem with both Windows and Linux is they are not secured on initial installation and in home use, people often run with higher privileges than they should.

I have never had a Windows computer or server of mine infected or compromised. It is possible to do.

Re:n/t

[orclevegam]

Cryptography yes, security no. Although cryptography is a very important tool in designing a secure OS, it's not the only one, and probably not even the most important one. Likewise for software in general. Cryptography is important for communications, and data protection which makes it important for communications between programs, and storage of programs, but actually ensuring the integrity of the system or application has a lot more to do with CS than it does Math. Both math and CS students can be equally smart, but in different ways. The math students will tend to be good at number crunching and abstract thinking, particularly in regard to projecting problems into various spaces where they can be solved using various functions. The CS students are going to tend towards a more systematic view of things in which they break problems down into sub-components without losing track of the larger picture and the way the various pieces interlock and interact with each other. You most likely perceive the math students as being "more intelligent" because you yourself are more inclined to the mathematical way of thinking about things.

When the NSA was first created the primary concern with regards to security was a combination of mathematical and physical problems. Mathematics in the form of encrypted communications, and physical in the form of ensuring that the people and/or documents that contained sensitive information and the devices used to cypher them were properly secured. With the rise of the internet and the switch to an increasingly interconnected infrastructure software security has emerged as a factor now. It no longer matters how good the encryption is between your two programs if the OS their running on can be compromised and the data scraped as the application decodes it (or better yet the encryption key itself). As such even though the NSA started as an organization specializing in primarily cryptographic systems it must expand to include software and hardware security as well.

Re:n/t

[Kjella]

So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.

Uh, yes? The more specific the documentation, the more work has to be done to verify it. I'm not sure how many million LOCs are in the Linux kernel but if I had to go through EAL6+ semi-formal proofs for all of them I'd charge a bundle too. Are you really trying to imply that NSA issue this sham certification because they're short on funding? Stop trying to pretend that all the "experimental support" that goes into Linux could or should pass certification, because it damn well shouldn't. Certainly not on based on a casual "it's probably capable" that's quite frankly pulled out of your nethers with no documentation to back it up. Here for example are THREE security exploits in the kernel in the last two months:

1 Linux Kernel VDSO Unspecified Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-11-04 00:00:00 MST
URL: http://www.securityfocus.com/bid/32099
2 Linux Kernel LDT Selector Local Privilege Escalation and Denial of Service Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31565
3 Linux Kernel 'generic_file_splice_write()' Local Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31567

Don't get me wrong, Linux is a great system and all but I wouldn't want to nuclear launch control on it, sorry.

Re:n/t

[orclevegam]

Having working with the OS in question and directly with the NSA on getting our own OS certified (which we decided was too expensive in the end, and wound up throwing it away to use Integrity-178B)....

NSA does employ a sizeable group of mathemeticians in the area of security now as well. They've invested a lot of time in money in mathematical models for proving security, namely from the vantage point of possible combinations of system states, and how to minimize those into a human-testable number of states.

Yes, I've seen some of the work that's been done on trying to create a OS that can be mathematically proven to be secure, but I just don't buy it. Sure you can use some set theory and various other things to try to show how mathematically the system is bounded within the secure states, but all of that goes out the window once you move beyond a non-trivial set of functionality, and completely ignores the human side of the equation (which is the most important part, if the system makes it hard on the user to remain secure, then the user won't use the system the way it's meant). I also wasn't saying that mathematicians have no place in software security, or that they aren't useful, just that a mathematician isn't necessarily the best (or even good) choice for designing a OS.

Computer security is equal parts software, hardware, interface, and user training. Ignore any of those and you've just introduced your weak link in the system (usually the user and/or interface which go hand in hand). Hardware is only really an issue of you're trying to secure against a threat with physical access, which any halfway competent security professional can tell you is a stalling tactic at best. Software is critical to prevent things like buffer overflow attacks, but can be tested automatically with a good degree of accuracy. Interface and user training are really the linchpins of security. A good interface is a must in order to allow the user to make informed decisions concerning how trustworthy the system in question is, and proper training is important to allow the user to properly interpret the information they're receiving from the interface and to learn to spot subtle signs of problems.

Of course, in a specialized environment like a B2, or highly secured and hardened systems like no doubt the NSA uses the problem can be reduced in scope as to be nearly fully encompassed by a mathematical state model, but in so doing you massively limit the capability of the underlying system. In essence you take a general purpose system (computer) and reduce it's functionality to one specific task in order to be assured of it performing that single task in a easily controlled fashion. Although this is fine for the highly specialized tasks the NSA puts these systems to it would never work in a general purpose system used by end consumers and even most businesses. Once you go down that route, you might as well just use an embedded device as you've already lost the greatest advantage a PC has which is generalized functionality.

Re:n/t

[v1]

what it means is that if you have a higher EAL number, it means you definitely have more money, and possibly are more secure.

Unfortunately, probably a niche product at best

[93+Escort+Wagon]

It seems like in the OS battle between security and convenience, convenience wins every time. I see Windows everywhere - at the bank, on hospital equipment and at doctors' offices, on ATMs... not to rant specifically against Windows; but it shows up a lot of places where I think we'd be much better served if the company had gone to the time and expense of developing a custom solution. Really, why should Windows be running on an X-Ray machine or an electrical power plant console?

A tad careless?

[Zathain+Sicarius]

Isn't releasing this OS a little careless? Part of the reason it's so secure is because only the military has its hands on it. If you go around selling it, I'm sure someone will buy it just to poke around and find each and every hole in its security.

"Linux" is not certified for anything

[crush]

A couple of specific distros on specific hardware have received EAL4+ certification: RHEL5 (on 12 or so different platforms) and SLES9 on IBM eServer spring to mind. I'm fairly sure that no other GNU/Linux distributions have received such certification and it makes absolutely no sense to talk about "Linux" being certified for anything.
This is not just nit-picking about GNU/Linux vs Linux as the name: it's a case where it's actually very important to be aware that specific versions of specific programs with specific configuration files have been tested and found not to fail in particular ways.

Re:So why can't Windows and Linux do this?

[eddy]

The fact that both a windows installation and most linux dists need to be useful for the common folk, you know, with security no-nos such ethernet and maybe even USB support. And no, hotgluing ports doesn't cut it.

Look, it'd be perfectly feasible to push Windows or GNU/Linux through a higher certification, but someone has got to pay for it and the market is infinitesimal.

You don't know how your walls can be breached

[wintermute42]

The nature of computer system penetration (hacking) is that it takes a great deal of time and patience. The attacker will put a lot of effort into learning everything they can about the system and then more time in probing possible vulnerabilities.

Linux and Unix systems in general have a better underlying security model than Windows (e.g., the way root/administrator vs. user is handled). Unix architectures also had years of students attacking them (back before this was a serious crime). However, if those of us who are Linux fans are honest we know that the reason we don't have to worry as much about Linux attacks is that hackers target Windows because it is more pervasive.

The Greenhills operating system has never been exposed to a large group of people who are willing to spend a lot of time penetrating it. The idea that you can just label a system as secure seems questionable. You always get attacked via means that you didn't expect. What they're really saying is that the system implements a security model that they believe to be secure. But B1 bombers are not placed on the Internet protecting large amounts of money, so they are unlikely to attract hackers.

Re:So why can't Windows and Linux do this?

[Legion_SB]

In the big picture, there's a distinct trade-off between security and usability.

That doesn't mean that, in the small picture, every security improvement comes at the cost of usability. But when you're talking big picture, to get the kind of security you're talking about, you have to rethink what it means to use a computer/OS/etc. Things you currently take for granted (like, as someone else said, plugging a USB device in) become "holes" that have to be closed.

OpenBSD?

[1053r]

Does anybody know if OpenBSD (or any *BSD for that matter) has ever received a rating? Or at least, what it would probably rate if it were to receive a rating? I would suspect that it would rate at least with Linux or perhaps one higher, seeing as their slogan is "only two remote holes in the default install in over a decade."

Re:Security?

Doesn't the security of a computer system rely on a good sysadmin?

Partially, but not entirely. There are other factors.

I could open every port known to man, but I don't need to and its insecure, or I could only run services I need, and keep them patched and up-to-date. This should be factored into security levels.

And how would you protect yourself from the Apple laptop wireless flaw that was remotely exploitable by anyone in wireless range? Apple chose to protect themselves by threatening to sue the guy who discovered it, but that isn't a very good security method. Not many of us can afford that many lawyers :)

Another example: in the past, flaws have been found in tcp/ip stacks that are exploitable even if you have all ports firewalled off.

Even OpenBSD had a bug that could be triggered by sending a specially crafted IPv6 fragmented packet.

Good security isn't easy.

This is an RTOS, not a general purpose OS

[EmbeddedJanitor]

GreenHills make RTOS solutions for embedded use etc. The emphasis is on robustness and security over features. It is a painstaking process of testing and verification to add features.

Sure, in theory, Windows and Linux could attain these levels of security but in practice Windows and Linux favor adding features and capabilities. Compromises have to be made to get stuff out in an acceptable timeframe.

Re:lols

[db32]

I blame all of my hardware problems on software too...

Seriously, going through that list I see. Fire, lots of fires. Two instances of computer failure due to faulty hardware. A few landing gear hardware problems. A dash of pilot error or otherwise bad luck. And a rather unfortunate bird strike on a weak section of a wing (that was later redesigned because of this event IIRC).

I am curious as to what you are trying to insinuate by linking to crashes due to these issues next to the software....

I think you missed the point

[MikeRT]

The point here is that it really does make good use of security through obscurity here. By being a product that is sold only to customers that work in classified environments, it has an inherent advantage in that almost no one outside of a small customer base will have access to poke at it. Put simply, the criminal element has hitherto had almost 0 chance of getting a chance to go to town on it.

Ubuntu!

[jd]

It is headed by the only Linux nerd who could afford to chase a rating of 6 or above. (7 is the highest the EAL will go.) Another thing to consider is that EAL ratings are only valid for a combination of OS and hardware. So, running Windows on any box (even if functionally identical) to the configuration tested on makes the tests invalid. The true is arguably the same for Linux, except that you can download LTP and gain some measure of assurance (even if not blessed on that platform) that you've not broken any of the security.

The highest old-style NSA rating (A1) is superior to the current EAL6+, and general-purpose OS' did achieve it. Genesis was one (and, no, not the one with the Phil Collins plugin module). EAL6+ looks to me to be about the same as the Orange Book B3 classification, which Trusted Irix achieved. Linux, if LTP was extended enough, could be provisionally ratified up to this level. If it ever was, then I could see vendors like IBM (who got Red Hat certified up to EAL4+) or private millionaires either individually or (more likely) jointly funding the certification.

Of course, EAL-style security isn't everything you need. Security labels on packets would be good - isn't there some work on this already? Support for hardware MAC (mandatory access controls) for memory would be good, as that protects not only against memory access violations in software, but also against such violations with RDMA. (Of course, if the hardware isn't present, you don't get that security, but likewise if the OS support isn't present, you don't get the security.) Better support for hardware encryption - especially within OpenSSL and IPSec - would improve matters too. Coverity is a decent-enough static checker, but their much-vaunted cooperation with Open Source doesn't seem to be producing much in the way of results - I can't remember the last time anyone covered on Slashdot or LWN any work by them. Are the major Linux vendors considering alternatives like Klockwork or any of the theorum provers listed just the other day?

Linux is already very good, but it hasn't received the severe auditing of OpenBSD (although, arguably, Linux does better when it comes to bugs that aren't security holes and also does better on the feature set and hardware supported). Perhaps a round or eleventy of severe auditing would be good for it. There again, perhaps there are other means of being close enough to that level of effectiveness without cutting back on the flexibility and without demanding unreasonable resources.