Slashdot Mirror


Secure OS Gets Highest NSA Rating, Goes Commercial

ancientribe writes "A hardened operating system used in the B1B bomber and other military aircraft has now been released commercially, after receiving the highest security rating by a National Security Agency-run certification program. Green Hills Software's Integrity-178B operating system was certified as EAL6+, which means that it can defend against well-funded and sophisticated attackers." The company is not saying how much the OS would cost a potential customer: "The system and its associated integration and consulting services are custom solutions." Both Windows and Linux are EAL 4+ certified, which means they can defend against "inadvertent and casual" security breach attempts.

20 of 352 comments

  1. Let the Testing begin... by sbenson · · Score: 5, Insightful

    Now let people who don't have financial ties test it.

    1. Re:Let the Testing begin... by Verdatum · · Score: 5, Informative

      The financial ties involved in EAL evaluation are pretty loose at best. I'm more familiar with FIPS and Orange Book evaluation, but assuming the processes are similar, evaluation is done by an independent third party organization, usually as a result of a requirement stated in a government contract. There is not much in the way of monetary incentive for the evaluation group to rate a product any higher than it deserves to be.

      That being said, I don't believe EAL6+ requires any additional vulnerability testing beyond that of EAL5+; it is mostly just a stricter evaluation/review of the soundness of the OS design.

    2. Re:Let the Testing begin... by sbenson · · Score: 5, Insightful

      If it is Internet facing, it's an open test bed.

    3. Re:Let the Testing begin... by Isao · · Score: 5, Informative

      Ok, here are some real facts about how this works.

      Under the Common Criteria (CC), people with financial ties create the product. They (or another sponsor who wants the product evaluated) pay an independent lab (CCTL) to evaluate it. Labs are certified by NIAP, a partnership of NIST and the NSA Information Assurance directorate. (The NSA has two main parts, the other is Signals Intelligence.) The independent lab evaluation is overseen by a Validation team employed by the government, who reviews the process and results of every evaluation, including all vendor evidence, before it is certified. The Validators also oversee the labs for proper execution of the CC. Once it passes all these reviews successfully it is certified.

      Certifications are tiered by Evaluation Assurance Levels (EALs), from 1 to 7. Generally, the higher the EAL, the greater confidence there is in the vendor claims. This is NOT the same as being more secure!

      The way to use these certified products is to select a product family (say firewalls), and review at a minimum two documents: The Security Target (ST) and Validation Report (VR). The ST is written by the vendor or sponsor, and basically contains the security claims they're making for the product, and how they expect the product to be used. The Validation Report describes how those claims were evaluated, and what notable things the Validation team observed during the evaluation. After reading both of these documents (usually not more than 100 pages - pretty short for 1-2 years of work) you can determine if the product can be used in its certified configuration in your environment.

      Check out some interesting operating systems, like Windows XP, Mac OS X, or one of the Linuxes.

      It's certainly not perfect, but it's better than what we had.

  2. n/t by KasperMeerts · · Score: 5, Insightful

    I'm sorry, but I don't take a test that gives Windows and Linux the same security rating very seriously.
    Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.

    --
    As long as there are slaughterhouses, there will be battlefields.

    1. Re:n/t by characterZer0 · · Score: 5, Informative

      EAL does not mean what you think it does.

      http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

      --
      Go green: turn off your refrigerator.

    2. Re:n/t by moderatorrater · · Score: 5, Interesting

      Source code audits with automated scripts that attack every port and every program checking for buffer overflows or other avenues of attack. It would require a lot of work, but it makes sense that the NSA would put in a lot of work to explore these operating systems, both to know how to secure against attack and to know how to pull off an attack against another country. The real question is, how much do you trust this OS not to have an NSA back door?

    3. Re:n/t by blhack · · Score: 5, Insightful

      Also, how can they test this? The only way to properly test something like this is to let it out in the wild for a decade or two. That's not something you can imitate in a testing room.

      You forget that the NSA pretty much recruits the best and brightest hackers that the world has to offer. Their policy of "we don't have a budget" and the opportunity to work on the absolute cutting edge (and actually see it put to use) is pretty much the most kickass thing that you can offer somebody who has a passion for knowledge.

      --
      NewslilySocial News. No lolcats allowed.

    4. Re:n/t by CaptainPatent · · Score: 5, Insightful

      Indeed, I was looking at that too and some interesting points from the wiki article:

      To achieve a particular EAL, the computer system must meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification generally costs more money and takes more time than achieving a lower one. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.
      [...]
      Technically speaking, a higher EAL means nothing more, or less, than that the evaluation completed a more stringent set of quality assurance requirements. It is often assumed that a system that achieves a higher EAL will provide its security features more reliably (and the required third-party analysis and testing performed by security experts is reasonable evidence in this direction), but there is little or no published evidence to support that assumption.

      So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing. So even if a Linux distro wanted to be verified at a higher level - who's going to fork over the dough?

      Additionally this seems to be a hired method of testing and bug report/fixing. Just because they fix the bugs found at one "level" of testing does not mean there aren't missed holes. Additionally it doesn't mean that a well written piece of software isn't capable of a higher rating with little or no fixes (like the Linux kernel probably is.) It is impressive that Integrity-178B achieved the EAL-6+ rating because it has definitely been put through its paces... and due to the way it was designed it probably has very few holes in it, but EAL should definitely not be the end-all be-all judge of OS quality.

      --
      Well, back to rejecting software patent applications.

    5. Re:n/t by betterunixthanunix · · Score: 5, Interesting

      Actually, the security of a system should not depend on hiding the operating details of the system. The EAL levels are based on things like audit logs, privilege separation, the ability to kick a user off the system and kill all their processes, etc. The availability of the source is neither a positive nor a negative on EAL ratings.

      --
      Palm trees and 8

    6. Re:n/t by the_other_chewey · · Score: 5, Funny

      So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.

      Is Scientology somehow involved in this?

    7. Re:n/t by Anonymous Coward · · Score: 5, Funny

      Don't I feel stoopid.

      Especially so after you forgot to check 'Post Anonymously' the second time around...

    8. Re:n/t by Anonymous Coward · · Score: 5, Informative

      You apparently did not read the Wikipedia article through. The reason that Windows and Linux (distributions) achieve EAL-4 rating is because "EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line."

      Furthermore, "Commercial operating systems that provide conventional, user-based security features are typically evaluated at EAL4."

      Higher levels require some sort of formal methods use in the design and testing. This is very unlikely to ever happen for Linux (it is virtually impossible to create a formal design retroactively; either it does not correspond to the system or it is just as complex as the system).

      For this reason, Linux will probably never get any higher. Windows may just get higher, because it has a completely new security model and kernel, which are likely able to get EAL-6 grading in time.

    9. Re:n/t by Kjella · · Score: 5, Insightful

      So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.

      Uh, yes? The more specific the documentation, the more work has to be done to verify it. I'm not sure how many million LOCs are in the Linux kernel but if I had to go through EAL6+ semi-formal proofs for all of them I'd charge a bundle too. Are you really trying to imply that the NSA issues this sham certification because they're short on funding? Stop trying to pretend that all the "experimental support" that goes into Linux could or should pass certification, because it damn well shouldn't. Certainly not based on a casual "it's probably capable" that's quite frankly pulled out of your nethers with no documentation to back it up. Here for example are THREE security exploits in the kernel in the last two months:

      1 Linux Kernel VDSO Unspecified Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
      Last modified on: 2008-11-04 00:00:00 MST
      URL: http://www.securityfocus.com/bid/32099
      2 Linux Kernel LDT Selector Local Privilege Escalation and Denial of Service Vulnerability (Vulnerabilities) Rank: 820
      Last modified on: 2008-10-03 00:00:00 MDT
      URL: http://www.securityfocus.com/bid/31565
      3 Linux Kernel 'generic_file_splice_write()' Local Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
      Last modified on: 2008-10-03 00:00:00 MDT
      URL: http://www.securityfocus.com/bid/31567

      Don't get me wrong, Linux is a great system and all but I wouldn't want to run nuclear launch control on it, sorry.

      --
      Live today, because you never know what tomorrow brings

  3. Worse than Dell with the Windows tax by Anonymous Coward · · Score: 5, Funny

    When you order a B1B, you pay for the Integrity-178B license even if you later install a copy of Linux For Strategic Bombers.

  4. Re:Two steps from the highest, actually by jbeaupre · · Score: 5, Funny

    EAL9+ means it autonomously retaliates against the attacker's system.
    EAL10+ means it autonomously retaliates against the attacker.

    --
    The world is made by those who show up for the job.

  5. lower than 4+ by internerdj · · Score: 5, Funny

    Inadvertent and Casual attempts?
    Oops. I tripped over my computer and hacked your system. Sorry.

  6. "Linux" is not certified for anything by crush · · Score: 5, Insightful

    A couple of specific distros on specific hardware have received EAL4+ certification: RHEL5 (on 12 or so different platforms) and SLES9 on IBM eServer spring to mind. I'm fairly sure that no other GNU/Linux distributions have received such certification and it makes absolutely no sense to talk about "Linux" being certified for anything.
    This is not just nit-picking about GNU/Linux vs Linux as the name: it's a case where it's actually very important to be aware that specific versions of specific programs with specific configuration files have been tested and found not to fail in particular ways.

  7. Re:Two steps from the highest, actually by Anarke_Incarnate · · Score: 5, Funny

    EAL11+ means it goes to eleven. The others they go to 10, but this one goes to 11, so if you need that extra.....push off the cliff....

  8. example use by hey · · Score: 5, Funny

    ssh my-b1b
    login: root
    password: hellosss
    last login Tue Nov 18 17:22:14 EST 2008 from nsa
    # drop -4 bombs
    # exit