Secure OS Gets Highest NSA Rating, Goes Commercial
ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.
Now let people who don't have financial ties test it.
I'm sorry if I take a test that gives Windows and Linux the same security rating not very seriously.
Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.
As long as there are slaughterhouses, there will be battlefields.
EAL7+ means that it can defend against well-funded and sophisticated attacks and doesn't have an NSA backdoor built into it. EAL8 is exactly like EAL7+, only it can do it while getting slashdotted.
A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially
B1 Accidents, OS Homepage, More Wikipedia!
On the Oregon Coast born and raised, On the beach is where I spent most of my days
What's preventing Microsoft and open source world from understanding these "sophisticated" attacks and hardening their respective operating systems against them?
Help a man when he is in trouble and he will remember you when he is in trouble again.
When you order a B1B, you pay for the Integrity-178B license even if you later install a copy of Linux For Strategic Bombers.
Inadvertent and Casual attempts?
Oops. I tripped over my computer and hacked your system. Sorry.
It seems like in the OS battle between security and convenience, convenience wins every time. I see Windows everywhere - at the bank, on hospital equipment and at doctors' offices, on ATMs... not to rant specifically against Windows; but it shows up a lot of places where I think we'd be much better served if the company had gone to the time and expense of developing a custom solution. Really, why should Windows be running on an X-Ray machine or an electrical power plant console?
#DeleteChrome
Isn't releasing this OS a little careless? Part of the reason it's so secure is because only the military has its hands on it. If you go around selling it, I'm sure someone will buy it just to poke around and find each and every hole in its security.
A couple of specific distros on specific hardware have received EAL4+ certification: RHEL5 (on 12 or so different platforms) and SLES9 on IBM eServer spring to mind. I'm fairly sure that no other GNU/Linux distributions have received such certification and it makes absolutely no sense to talk about "Linux" being certified for anything.
This is not just nit-picking about GNU/Linux vs Linux as the name: it's a case where it's actually very important to be aware that specific versions of specific programs with specific configuration files have been tested and found not to fail in particular ways.
The Protection Profile and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/pp/id/pp_skpp_hr_v1.03.
The Security Target and Validation Report can be downloaded at http://www.niap-ccevs.org/cc-scheme/st/vid10119/.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Is this really a true statement? According to Wikipedia, only Windows 2000, SP3 is EAL4 certified. Since this is an obsolete and unsupported release (Win2k SP4 is still supported), is it correct to say that "Windows..[is] EAL 4+ certified"?
It would be more accurate to say either: "Windows 2000, SP3 is EAL4 certified" or "Windows used to be EAL4 certified".
The real "Libtards" are the Libertarians!
EAL6 is NOT the highest rating given by the NSA. EAL7 is. EAL7 has been awarded to one product (The Tenix Interactive Link Data Diode Device). Source: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
The nature of computer system penetration (hacking) is that it takes a great deal of time and patience. The attacker will put a lot of effort into learning everything they can about the system and then more time in probing possible vulnerabilities.
Linux and Unix systems in general have a better underlying security model than Windows (e.g., the way root/administrator vs. user is handled). Unix architectures also had years of students attacking them (back before this was a serious crime). However, if those of us who are Linux fans are honest we know that the reason we don't have to worry as much about Linux attacks is that hackers target Windows because it is more pervasive.
The Green Hills operating system has never been exposed to a large group of people who are willing to spend a lot of time penetrating it. The idea that you can just label a system as secure seems questionable. You always get attacked via means that you didn't expect. What they're really saying is that the system implements a security model that they believe to be secure. But B1 bombers are not placed on the Internet protecting large amounts of money, so they are unlikely to attract hackers.
Does anybody know if OpenBSD (or any *BSD for that matter) has ever received a rating? Or at least, what it would probably rate if it were to receive a rating? I would suspect that it would rate at least with Linux or perhaps one higher, seeing as their slogan is "only two remote holes in the default install in over a decade."
As much faith as I have in the NSA's security abilities, does anyone have any idea what criteria they were using exactly? Any in-depth results they've made public, preferably?
It's an aggregate result of how many social security numbers B1 bombers have lost over the last 10 years divided by how many B1 bombers, with the software installed, have been stolen out of government offices or left behind in taxi cabs.
I am the richest astronaut ever to win the superbowl.
NSA E.A. Testing Criteria
---
EAL0 $1,000,000
EAL1 $1,000,000
EAL2 $2,000,000
EAL3 $3,000,000
EAL4 $4,000,000
EAL5 $5,000,000
EAL6 $6,000,000
EAL7+ Call for quote.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Sure, in theory, Windows and Linux could attain these levels of security but in practice Windows and Linux favor adding features and capabilities. Compromises have to be made to get stuff out in an acceptable timeframe.
Engineering is the art of compromise.
The point here is that it really does make good use of security through obscurity here. By being a product that is sold only to customers that work in classified environments, it has an inherent advantage in that almost no one outside of a small customer base will have access to poke at it. Put simply, the criminal element has hitherto had almost 0 chance of getting a chance to go to town on it.
ssh my-b1b
login: root
password: hellosss
last login Tue Nov 18 17:22:14 EST 2008 from nsa
# drop -4 bombs
# exit
Besides advertising for Green Hills:
Modern warplanes are connected in a battlefield 'net that allows data, command and control to be passed between the planes (and satellite and ground). This is (obviously) a wireless network. Having a network stack and other interfaces hardened against intrusion makes it less likely that a battlefield adversary could either generate false data (the "magic" display in an F-22 paints the local AWACS as a "bandit", for example, and the pilot launches a missile), snoop data (the "stealthy" F-22s are here, here, here and here, so launch missiles at them), or perform some sort of DOS, degrading the system's capabilities. There are "well-funded and sophisticated attackers" who are likely to have those goals.
If there was a business case, and so many of the developers didn't have, uh, reservations about using their code in military equipment, the OpenBSD and, maybe, Linux kernel and glibc could be certified (stripped of a few components, probably, and with a few tweaks). With a "trusted" kernel, libraries, and tool chain, you build the rest of the system from scratch anyway. It's not like you're supposed to be browsing the public internet with IE or FF on a B-1's navigation system.
There's no way for M$-Windows to be certified at EAL6+, because its design philosophy (the back doors are built in, not added on) is completely against any sort of security, and I don't think Vista is even EAL4+.
It is headed by the only Linux nerd who could afford to chase a rating of 6 or above. (7 is the highest the EAL will go.) Another thing to consider is that EAL ratings are only valid for a combination of OS and hardware. So, running Windows on any box (even if functionally identical) other than the configuration tested on makes the tests invalid. The truth is arguably the same for Linux, except that you can download LTP and gain some measure of assurance (even if not blessed on that platform) that you've not broken any of the security.
The highest old-style NSA rating (A1) is superior to the current EAL6+, and general-purpose OSes did achieve it. Genesis was one (and, no, not the one with the Phil Collins plugin module). EAL6+ looks to me to be about the same as the Orange Book B3 classification, which Trusted Irix achieved. Linux, if LTP was extended enough, could be provisionally ratified up to this level. If it ever was, then I could see vendors like IBM (who got Red Hat certified up to EAL4+) or private millionaires either individually or (more likely) jointly funding the certification.
Of course, EAL-style security isn't everything you need. Security labels on packets would be good - isn't there some work on this already? Support for hardware MAC (mandatory access controls) for memory would be good, as that protects not only against memory access violations in software, but also against such violations with RDMA. (Of course, if the hardware isn't present, you don't get that security, but likewise if the OS support isn't present, you don't get the security.) Better support for hardware encryption - especially within OpenSSL and IPSec - would improve matters too. Coverity is a decent-enough static checker, but their much-vaunted cooperation with Open Source doesn't seem to be producing much in the way of results - I can't remember the last time anyone covered on Slashdot or LWN any work by them. Are the major Linux vendors considering alternatives like Klocwork or any of the theorem provers listed just the other day?
Linux is already very good, but it hasn't received the severe auditing of OpenBSD (although, arguably, Linux does better when it comes to bugs that aren't security holes and also does better on the feature set and hardware supported). Perhaps a round or eleventy of severe auditing would be good for it. There again, perhaps there are other means of being close enough to that level of effectiveness without cutting back on the flexibility and without demanding unreasonable resources.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
LynxOS is EAL 7, and has been for a while. It will be quite some time before Green Hills makes it to EAL7. In the meantime, LynuxWorks uses the Linux API, so that you have your choice of a real Linux solution, or if needed, you can switch up to LynxOS.
I prefer the "u" in honour as it seems to be missing these days.
The EAL is only half of the equation. The Target of Evaluation (device under test) is subjected to EAL-appropriate documentation and verification against a design document called the Security Target. This ST specifies the threat environment. For example, the Windows ST specifies that all authorized system users are benign and thus not a threat.
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
Wrong story? http://science.slashdot.org/article.pl?sid=08/11/18/0110209/
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...