Slashdot Mirror
Secure OS Gets Highest NSA Rating, Goes Commercial
ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.
Now let people who don't have financial ties test it.
I'm sorry if I take a test that gives Windows and Linux the same security rating not very seriously.
Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.
As long as there are slaughterhouses, there will be battlefields.
EAL7+ means that it can defend against well-funded and sophisticated attacks and doesn't have an NSA backdoor built into it. EAL8 is exactly like EAL7+, only it can do it while getting slashdotted.
or Duke Nukem 3D?
A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially
B1 Accidents, OS Homepage, More Wikipedia!
On the Oregon Cost born and raised, On the beach is where I spent most of my days
What's preventing Microsoft and open source world from understanding these "sophisticated" attacks and hardening their respective operating systems against them?
Help a man when he is in trouble and he will remember you when he is in trouble again.
When you order a B1B, you pay for the Integrity-178B license even if you later install a copy of Linux For Strategic Bombers.
Question is, though, does the security extend to the child OS and its software while running on this "so expensive we can't tell you how much it costs, and you can't hack us to find out" system? I guess that's a general question. Wouldn't running a browser on (god forbid) a Vista component leave you just as vulnerable as if you hadn't bothered?
Inadvertant and Casual attempts?
Oops. I tripped over my computer and hacked your system. Sorry.
It seems like in the OS battle between security and convenience, convenience wins every time. I see Windows everywhere - at the bank, on hospital equipment and at doctors' offices, on ATMs... not to rant specifically against Windows; but it shows up a lot of places where I think we'd be much better served if the company had gone to the time and expense of developing a custom solution. Really, why should Windows be running on an X-Ray machine or an electrical power plant console?
#DeleteChrome
Isn't releasing this OS a little careless? Part of the reason it's so secure is because only the military has its hands on it. If you go around selling it, I'm sure someone will buy it just to poke around and find each and every hole in its security.
A couple of specific distros on specific hardware have received EAL4+ certification: RHEL5 (on 12 or so different platforms) and SLES9 on IBM eServer spring to mind. I'm fairly sure that no other GNU/Linux distributions have received such certification and it makes absolutely no sense to talk about "Linux" being certified for anything.
This is not just nit-picking about GNU/Linux vs Linux as the name: it's a case where it's actually very important to be aware that specific versions of specific programs with specific configuration files have been tested and found not to fail in particular ways.
It's not like the military really needs to replace all of its important infrastructure since it already has SIPRNet and JWICS which shield its sensitive systems from most hackers because they're not even on the public Internet anymore.
The Protection Profile and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/pp/id/pp_skpp_hr_v1.03.
The Security Target and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/st/vid10119/.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Is this really a true statement? According to Wikipedia, only Windows 2000, SP3 is EAL4 certified. Since this is an obsolete and unsupported release (Win2k SP4 is still supported), is it correct to say that "Windows..[is] EAL 4+ certified"?
It would be more accurate to say either: "Windows 2000, SP3 is EAL4 certified" or "Windows used to be EAL4 certified".
The real "Libtards" are the Libertarians!
Can you please tell me if this company has any relationship with a certain paper company down in Texas? Or will you send this Haitian guy over to me to
Why the hell am I posting on Slashdot? Dunno, just like any ordinary day I guess.
The Hacker's Guide To The Kernel: Don't panic()!
EAL6 is NOT the highest rating given by the NSA. EAL7 is. EAL7 has been awarded to one product (The Tenix Interactive Link Data Diode Device). Source: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
The nature of computer system penetration (hacking) is that it takes a great deal of time and patience. The attacker will put a lot of effort into learning everything they can about the system and then more time in probing possible vulnerabilities.
Linux and Unix systems in general have a better underlying security model than Windows (e.g., the way root/administrator vs. user is handled). Unix architectures also had years of students attacking them (back before this was a serious crime). However, if those of us who are Linux fans are honest we know that the reason we don't have to worry as much about Linux attacks is that hackers target Windows because it is more pervasive.
The Greenhills operating system has never been exposed to a large group of people who are willing to spend a lot of time penetrating it. The idea that you can just label a system as secure seems questionable. You always get attacked via means that you didn't expect. What they're really saying is that the system implements a security model that they believe to be secure. But B1 bombers are not placed on the Internet protecting large amounts of money, so they are unlikely to attract hackers.
I've worked with test benches running the OS and hardware that is going on the 787.
If it's the same thing, it's going to be interesting seeing something like windows or linux run on it.
It has different processing areas, and each of the areas run on a different piece of hardware. So you basically had one computer running datalink to ground stations and other aircraft and another computer doing navigational computations (and several other computers doing various other tasks).
If windows were the same way it would be like.. having a different set of ram and a different processor running network tasks from ones running hard drive communication tasks.
Then again the OS that connects all of these together might be more flexible than I imagine, I only work on a small piece of software that runs on one of the aforementioned.
The most hardened OS ever is any OS running in an signal-leak-proof room in the middle of a mountain with well-paid, trustworthy guards manning the entrance and a booby trap to bury and destroy the computer if anyone unauthorized gets past the entrance.
In this environment, even Windows 98 is secure.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
OpenBSD is free, and I guarantee "that it can defend against well-funded and sophisticated attackers."
Doesn't the security of a computer system rely on a good sysadmin? I could open every port known to man, but I don't need to and its insecure, or I could only run services I need, and keep them patched and up-to-date. This should be factored into security levels.
"I refuse to believe that everybody refuses to believe the truth." -- Lisa Simpson
So it has not network stack? Or keyboard? Or monitor, or... That's the only way I'd deem it that secure.
Does anybody know if OpenBSD (or any *BSD for that matter) has ever received a rating? Or at least, what it would probably rate if it were to receive a rating? I would suspect that it would rate at least with Linux or perhaps one higher, seeing as their slogan is "only two remote holes in the default install in over a decade."
As much faith as I have in the NSA's security abilities, does anyone have any idea what criteria they were using exactly? Any in-depth results they've made public, preferably?
It's an aggregate result of how many social security numbers B1 bombers have lost over the last 10 years divided by how many B1 bombers, with the software installed, have been stolen out of government offices or left behind in taxi cabs.
I am the richest astronaut ever to win the superbowl.
This is silly. It is an EAL6+ operating system that will host EAL4+ guest operatnig systems, probably so that someone can actually do something useful with it. So, can someone explain to me how the data in that EAL4 operating system isn't vulnerable to a casual/incidental attacker? How does running a vulnerable OS on an invulnerable OS make the vulnerable one any safer? (I have the same problems with people claiming VMWare makes them more secure...)
NSA E.A. Testing Criteria
---
EAL0 $1,000,000
EAL1 $1,000,000
EAL2 $2,000,000
EAL3 $3,000,000
EAL4 $4,000,000
EAL5 $5,000,000
EAL6 $6,000,000
EAL7+ Call for quote.
boycott slashdot February 10th - 17th check out: altSlashdot.org
This sounds really smart. Let out something that the military uses and see how long it takes to get hacked. We go through this all the time and everyone thinks they've got it licked. Then, after about a billion collective hacking hours are spent on it, some joker finds the hole. Now they can drop bombs! Cool!!!
jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
Some companies do use it for marketing. Others use it secondarily for marketing, but primarily to garner or maintain eligibility for certain contracts. EAL certification is required to get into certain government roles, for example. Ongoing re-certification is required to remain in some of them. The criteria and results are available from the Common Criteria website. For example, the evaluation covering Windows XP and Server 2003 details the OS variants, hardware on which it was tested, and drivers and patches that were present during testing.
You can never go home again... but I guess you can shop there.
The source code is leaked and it is :
Boot:
cli
cmp al,al
Here:
jz Here
I think it is unbreakable myself, but it seems that it doesn't do a whole lot.
Sure, in theory, Windows and Linux could attain these levels of security but in practice Windows and Linux favor adding features and capabilities. Compromises have to be made to get stuff out in an acceptable timeframe.
Engineering is the art of compromise.
In the annual hacking contest we talked about, oh, six months ago, in which competitors won laptops by being the first to gain root access to them, OSX was breached first, early on day 1. Vista and Linux, properly configured, weren't breached until the rules allowed direct access to the machine on a later day of the competition. This translates to: Macs are secure because they're not a common target, but when there's incentive to hack one (like there would be for a system that needs a security rating for deployment) it goes down easier than anything else.
"I zero-index my hamsters" - Willtor (147206)
The point here is that it really does make good use of security through obscurity here. By being a product that is sold only to customers that work in classified environments, it has an inherent advantage in that almost no one outside of a small customer base will have access to poke at it. Put simply, the criminal element has hitherto had almost 0 chance of getting a chance to go to town on it.
This is Windows M.E. , right?
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
From the TFA: "Chandler maintains that locking down the OS saves money for security in the long run. 'There's an opportunity that this [solution] could be a cost savings for enterprises, with all that is spent on intrusion prevention' and other security tools and efforts, he says."
I'm not so sure I'd trust ANY OS without also having other security checks and intrusion detection in place. Sounds like bad advice wrapped around marketingspeak to me.
Why is he being voted down? He's right about Linux (and the same thing can be said about Windows, too, and OS X). None of them use a development process that includes formal verification of specifications or formal verification that the implementation matches the specification. Of course they are insecure.
I am really sick of ignorant people misstating what Common Critera is. All a high EAL means is that your system has been tested and it does what you claim it does in your Security Target, which describes your system, and which vendors can write HOWEVER they want. Sometimes there are standard "templates" called Protection Profiles for certain classes of security assets, which restrict how vendors can draft their targets, but still, all the EAL is is an assurance level that those requirements are met by the solution. You could Common Criteria certify an absolute trainwreck to a very high EAL: if your requirements as stipulated in your Security Target include, for instance, "There will only be null passwords," and the lab verifies that, among other bad requirements, those items as assured to a high degree, you could wind up with an EXCEEDINGLY insecure system at a high EAL. A security practitioner reviewing the CC documentation can make a determination about whether the protection profile is worthwhile, and then the assurance level simply provides assurance that what s/he has read in the Security Target is actually how the system is engineered. It's not rocket science, I just don't understand how people keep mouthing off about crap they clearly don't understand.
(%i1) factor(777353);
(%o1) 777353
ssh my-b1b
login: root
password: hellosss
last login Tue Nov 18 17:22:14 EST 2008 from nsa
# drop -4 bombs
# exit
All I see are Ada 95, Embedded C, and C++ support, not much third party driver support, and hardly any third party applications at all.
Might as well use AROS as it has more of that than the OS in TFA.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
besides /vertising for Green Hills:
Modern warplanes are connected in a battlefield 'net that allows data, command and control to be passed between the planes (and satellite and ground). This is (obviously) a wireless network. Having a network stack and other interfaces hardened against intrusion makes it less likely that a battlefield adversary could either generate false data (the "magic" display in an F-22 paints the local AWACS as a "bandit", for example, and the pilot launches a missile), snoop data (the "stealthy" F-22s are here, here, here and here, so launch missiles at them), or perform some sort of DOS, degrading the systems capabilities. There are "well-funded and sophisticated attackers" who are likely to have those goals.
If there was a business case, and so many of the developers didn't have, uh, reservations, about using their code in military equipment, the OpenBSD and, maybe, Linux kernel and glibc could be certified (stripped of a few components, probably, and with a few tweaks). With a "trusted" kernel, libraries, and tool chain, you build the rest of system from scratch, anyway. It's not like you're supposed to be browsing the public internet with IE or FF on a B-1's navigation system.
There's no way for M$-Windows to be certified at EAL6+, because its design philosophy (the back doors are built in, not added on) is completely against any sort of security, and I don't think Vista is even EAL4+.
EAL0? Is there such a rating?
Nice troll, but the Mac was not hacked remotely, the guy had command-line access. In those cases, computer security is the last of your problems.
Your sig must be hilarious for people (blind folks and such) who need their computers to read the text of websites for them. :)
At least they don't have to worry about seeing goatse when the trolls post links ;)
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
It is headed by the only Linux nerd who could afford to chase a rating of 6 or above. (7 is the highest the EAL will go.) Another thing to consider is that EAL ratings are only valid for a combination of OS and hardware. So, running Windows on any box (even if functionally identical) to the configuration tested on makes the tests invalid. The true is arguably the same for Linux, except that you can download LTP and gain some measure of assurance (even if not blessed on that platform) that you've not broken any of the security.
The highest old-style NSA rating (A1) is superior to the current EAL6+, and general-purpose OS' did achieve it. Genesis was one (and, no, not the one with the Phil Collins plugin module). EAL6+ looks to me to be about the same as the Orange Book B3 classification, which Trusted Irix achieved. Linux, if LTP was extended enough, could be provisionally ratified up to this level. If it ever was, then I could see vendors like IBM (who got Red Hat certified up to EAL4+) or private millionaires either individually or (more likely) jointly funding the certification.
Of course, EAL-style security isn't everything you need. Security labels on packets would be good - isn't there some work on this already? Support for hardware MAC (mandatory access controls) for memory would be good, as that protects not only against memory access violations in software, but also against such violations with RDMA. (Of course, if the hardware isn't present, you don't get that security, but likewise if the OS support isn't present, you don't get the security.) Better support for hardware encryption - especially within OpenSSL and IPSec - would improve matters too. Coverity is a decent-enough static checker, but their much-vaunted cooperation with Open Source doesn't seem to be producing much in the way of results - I can't remember the last time anyone covered on Slashdot or LWN any work by them. Are the major Linux vendors considering alternatives like Klockwork or any of the theorum provers listed just the other day?
Linux is already very good, but it hasn't received the severe auditing of OpenBSD (although, arguably, Linux does better when it comes to bugs that aren't security holes and also does better on the feature set and hardware supported). Perhaps a round or eleventy of severe auditing would be good for it. There again, perhaps there are other means of being close enough to that level of effectiveness without cutting back on the flexibility and without demanding unreasonable resources.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Lynx OS is EAL 7, and has been for a while. It will be quite some time before Greenhill makes it to EAL7. In the mean time, Lynuxworks uses Linux API, so that you have your choice of a real linux solution, or if needed, you can switch up to LynuxOS.
I prefer the "u" in honour as it seems to be missing these days.
Is that a challenge I hint?
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
The EAL is only half of the equation. The Target of Evaluation (device under test) is subjected to EAL appropriate documentation and verification against a design document called the Security Target. This ST specifies the threat environment. For example the windows ST specifies that all authorized system users are benign and thus not a threat.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
The NSA doesn't really recruit anyone. Most people working at the NSA are military.
One, they do recruit civilians, quite heavily, and two, there are a large number of military people in their ranks. But those military people are pretty bright, too.
Life is hard, and the world is cruel
echo > hardened_os.asm -e "\tCALL _do_non_networked_basic_bomber_plane_stuff\n\tNOP" ./hardened_os
make
run_vm
attack_vm
if [ $? -eq 0 ]; then
echo "It's tough. You should buy it."
fi
On their web page Integrity claims:
INTEGRITY is secure.
Windows, Linux, VMware, and others are not.
And we can prove it.
http://www.integrityglobalsecurity.com/pages/learnCommon.html
Then the website mentions the TJ Maxx hack (and that TJ Maxx was not running the INTEGRITY OS). But the TJ Maxx hack had little to do with the OS, but rather the wireless encryption protocol in use.
From my limited experience, it seems most attacks like social engineering, weak passwords, poor configuration, etc., are much softer targets than the OS itself. To claim that the OS is the panacea of security is missing the point.
Are you sure about this? I saw quite a few movies where people get into to Military computers typing "Connect to Military Computer" & then guessing the right password. These were very smart people, but they did get into those databases and all.
Secondly, no system in universally accepted in acquisitions. They may have some certification, lets say for an F-22, but they'd never just blindly take that same package and consider it certified for an F-35, or any other aircraft, nor would the FAA for DO-178B. New fighter aircraft are networking, but you'll never "casually hack" one unless you've got your own F-22 and you're flying in the sortie between the two (man in the middle attack).
will not touch it until it has been certified by an industry independent body like ISO.
Nihil in publicum sputa.
Wrong story? http://science.slashdot.org/article.pl?sid=08/11/18/0110209/
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Seriously, what level would it need to be to be protected from kids with too much time on their hands?
The DO-178B standard specifies the engineering procedures and tasks that must be followed
to achieve certification to the level specified by and required by the FAA.
The three lower levels (B,C,D) are a subset of level "A" certification.
Level A states that failure of a level A system will result in loss of the aircraft.
Level B failure will cause disruption of flight and difficulties for the pilot.
Level C will cause additional workload for the flight crew.
Level D failure will not affect the flight crew, This includes in-flight entertainment...
Level A and B requirements includes detailed design documents that explain the purpose
of every line of code (prior to coding), code coverage with full conditional execution and
hundreds of other requirements that I've forgotten. IMHO, A DO-178B level A
O/S would take a department of 10-20 engineers 4-5 years.
It won't run Flash.
Say hello to my little sig.
Now, they want to sell me the "release version," as if they're suddenly a legitimate, privately funded dot-com startup of yore? I was born at night, but it was not last night. We citizens already own that product. Turn it over.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
found this http://www.ghs.com/linux/threat.html on the Green Hills site, while looking for non-existent documentation.
there are a few other articles there talking about how horrible linux is.
When Geiger counters are outlawed, only mutants will have Geiger counters
are what are the overall capabilities of the operating system, its communication and data input methods outside and including standard user interface, and active countermeasures it employs against simple things like buffer overflow.
of course, proprietary OS means these statistics are blackboxed indefinitely, meaning that any claim or degree of security touted by the DoD cant be independently verified...
so how the fuck is this news again?? brjust blind curiousity, id like to see this bomber operating system go head-to-head against openBSD.
Good people go to bed earlier.
I think everyone horribly misunderstands what this "operating system" really is. (I have been working with it for years)
It is little more then a system executive with memory isolation and about 5k lines of code. (each mathematically inspected and proven)
It does not have a IP stack. (There are no ports to attack)
It does not have a GUI.
It does not have but a VERY basic scheduler (and I dont think the scheduler was part of the verified system but I could be wrong)
It does not guarantee your software you have running on it cannot be hacked (like an IP Stack).
All it does it make sure that memory from one container does not leak to another.
It is designed to support MILS (Multiple Independent Levels of Security) http://en.wikipedia.org/wiki/Multiple_Independent_Levels_of_Security
All this being said, from a security point of view it is a wonderful (but limited) foundation for building a secure system. (And GHS makes a great product)
Sounds fishy, smells like someone is trying to set up themselves a highly evolved botnet of PCs that
only the military would know about, hence how they get their AF cyberbotnet they kept talking about,
and this would also mean they would do a virtual layer, allowing windows or linux to lie on top of that, still vulnerable too. Wow, saw this coming a mile away, wonder who else saw it???
Also make back some of the money invested into this thing...by making available to the private sector.
2 birds with one stone!
I've worked on Software with DO-178B compliance, that's what the 178B in the Integrity-178B stands for. If EAL verification is based on Documentation and Testing then I'd say that tacking EAL onto something that complies with DO-178B is just a short jump with a price tag tacked on. Moreover, the fact that it runs on the B1B is independent of their trying to be DO-178B compliant. Compliance with 178B is more in line with getting an OS/Software package certified for commercial aviation.
Sounds to me that Green Hills was aiming at this from the get go and is just picking up the EAL-6+ rating as another stamp on the box, and another advertising point. Not that I'm against software reuse, but once you know what goes into designing Aviation software, this sounds a lot less impressive.
http://en.wikipedia.org/wiki/DO-178B
The EAL6+ rating granted to the configuration represented by the B1B is unique and in order to get a like designation for anything else you'd have to go through the same hoops it passed through in their entirety. The fact that someone has gotten an EAL6+ really doesn't gain the next person to try much of anything beyond some familiarity with the process at Green Hills.
We've heard of it.
fEh
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
My degree was in Mechanical Engineering, with a minor in CS, and now I manage a software firm (including hiring)
Mathematicians at a university are smarter, in my experience (dated by about a decade) I don't think this has to fundamentally mean there are no brilliant people in CS - I'd suspect the following mechanism:
CS is often really bad at evaluating students' ability. Possibly partially because they're a quite young educational discipline. Therefore, it's relatively hard to flunk out of CS due to lack of brilliance. (Flunking out from lack of DILIGENCE is different; a CS degree is still a lot of work.) I've seen VERY incompetent people with degrees from all sorts of places...
Math is often easier to flunk out of, and in some cases more likely to be very difficult to get program admission to. Perhaps this is partially because it's an extremely old educational discipline... And being less 'practical' I suspect there's a greater part brilliance and lesser part diligence to getting the degree. (That's not bad - some project management is important in CS!)
So if you take the same pool of candidates and randomize which field they go into, more people will stay in the program and graduate in CS than Math - at least in the admittedly limited subset of universities I've been exposed to. The best will do fine in either, the worst in neither, but a certain class of middle ones will pass in CS if they stick with it, and would fail out of Math.
I think it's also true that being a more practical, commercial discipline, there's simply demand for many more CS degrees, diluting the 'average' brilliance of someone graduating with that degree. I have made no attempt to verify this whatsoever, however.
Yes, I realize someone knows of a school where the math dept is easy and the CS dept is hard. I'm not trying to say this is a law of the universe, only a statistical truth.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot