UPDATED: SGI B1 Linux Patches 103
jd writes, "It's been rumoured for some time, but no code was shown and no announcements were made. Well, they actually did it. The first drop of the necessary code to bring Linux to B1 standards is on their Web site. The code is essentially a rip of their IRIX code, and isn't fully Linuxified, yet, but it's all there and ready." Update: 04/12 05:52 by E : We got mail from Richard, who maintains these pages... He says: "It is true that SGI are working on making Linux C2/B1 as anyone who has been to a SGI Linux University event will attest, and we are working with a number of others to that end. But to say that we have released a patch for Linux is very misleading and is setting expectations way above what is currently available." So, take this with a grain of salt.
idea! (Score:1)
Moldy Directories? (Score:1)
Re:Go SGI (Score:1)
"Cram it"
Re:Hmm (Score:1)
Re:Good first step (Score:1)
True, Linux can never be B1 (or any level) certified itself (neither can NT be C2 certified, contrary to Microsoft's marketing). It can, however be B1 ready, with all the features needed to produce a B1-rated system. Then, VA Linux Systems or Penguin Computing can produce and sell a truly B1 (or C1, for that matter) certified system. That would be a very nice thing to happen.
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
Orange Book criteria are completely obsolete. Read up on Common Criteria [nist.gov]
Re:This HAD been announced... (Score:1)
WinNT and C2 (Score:1)
One more thing to silence the FUD.
--
High Water Mark -- Only slightly Offtopic (Score:1)
Re:I prefer A1 (Score:1)
Sorry for taking your joke seriously.. I just don't see understand the value of making a system secure by making it practically useless.
Re:take that , wintrolls (Score:1)
Re:Hmm (Score:1)
Security through obscurity isn't....
Re:Hmm (Score:1)
If you don't have source you're gambling that I (as a developer of closed source/proprietory protocols) am smarter than every cracker out there ?
Even I won't take that risk...
Re:Unix can't do B1 (Score:1)
if
ie. An IRIX kernel already has much of the code to do this, its just not executed unless you install some extra stuff on the system.
Re:B1?? (Score:1)
Re:What about CMW (Score:1)
Yesterday I only skipped quickly over the mechanisms a CMW X session and GUI have to implement. It's more involved than I described (I only wanted to give you a taste). In addition to Windows having SL's, the root window has a label with a security level attached to it. So does the keyboard and so does the mouse. There are also another set of labels called IL's (Information Labels) which change according to whatever data is being viewed at the time. Restrictions can be placed on how IL's are manipulated too.
The point I was trying to make is that working in this kind of environment is a whole new ball game compared to C2 or traditional Unix security, even from a users point of view. GUI's need to be modified so that they are aware of all these mechanism and follow the restrictions they impose. The standards that define how a CMW workstation operates also dictate that SL's and IL's present for different elements of the screen are also displayed (and often colour coded: Red for Top Secret, Green for Unclassified, etc). So the window manager has to display this, not just for the window, but also pull down menus, dialogue widgets, the lot.
I've not seen this implemented in a GUI file manager yet. That would be quite a challenge I'm sure.
Macka
Re:Arrrrgh! (Score:1)
As far as graphics goes, SGI still has to make decent devices drivers for their own graphics hardware. We have some applications that require Octanes (very expensive) because the O2 can't handle the power we need. A $10K computer can't handle it! And SGI wants to push us to Linux? Make some damn drivers!
I can care less about what OS I use. Give me power, hardware support, OpenGL and Inventor and I am golden. We have started to use NT because the graphics support on Windows has really improved.
--Ivan, weenie NT4 user: bite me!
Re:Go SGI (Score:1)
SGI's commitment to Linux (Score:1)
Many of you seem confused by what this announcment means, it gives us the ability to make Linux B1 certified on specific hardware, in a networked environment, etc,etc. Microsoft may tout that WindowsNT4+SP6a+C2patch is C2 Certified, but it's that system in that network configuration that's certified, not all generic systems and configurations, just the ability to achieve C2 certification exists... and that's what SGI wants to provide.. the ability to make Linux B1 certified.
I don't know much about the certifcation process but this is a great step forward for adoption of linux in government systems (maybe now we'll have a reliable, SECURE Government that has no IT excuses left except their incompetence:)
Regards.
Re:I prefer A1 (Score:1)
Notice that you have to be able to MATHEMATICALLY PROVE your system specification is secure in order to be certified A1 secure. That's a pain.
Just reading through the documenttion ... (Score:1)
Perhaps the underlying model has some fundamental constraints on growth? I'm reminded of the genetic case where bacteria which have complex regulatory gene expressions (think a switched network of proteins activating different stages) have a size limitation of 10 megabase pairs. Beyond that the conflicting signals seem to inhibit any higher level functions. The example that I can think of is that person A can look at kernel code, but not the part with patent X, unless they sign an NDA with company K, which is waived if they are no longer competing with company L, etc
Are there other ways of looking at the problem? Kerberos has a ticketing system which is essentially a time-to-live mechanism. Perhaps a commercial implementation at file level could be based on the half-life of information? How long is it before a piece of information becomes commercially irrelevant? And then check thresholds (refreshed periodically) across a range of keys to see the probability that such access violates a critical temporal mass (ie if viewing too many sensitive documents at once, could be indication of someone faking a download).
Perhaps then it would shift the paradigm of information control away from fine-grained permissions (human intensive) towards detection of unusual patterns of activitiy (AI intensive).
LL
Re:I prefer A1 (Score:1)
A1 likely involves a secure processing facility, a optical network diverter, and no doubt some heavy-duty Electromagnetic Airlock trapping. It most likely involves a entry-way lined with 2 lead doors and a right angle somewhere. Tempest hardening is illegal though. I suppose the A1 is for military computers only.
To me it's how steak is done.
I prefer A1 (Score:1)
This happened a long time ago. (Score:1)
Re:Go SGI (Score:1)
The B1 certification, other than requiring years to be issued, only certifies a given system with a given hardware and a given configuration.
This means that even the same distribution on the same hardware with only a slight different configuration is no more B1. Even worse for different distributions, which may offer the same functionalities but using sligthly different way to do so.
There is really little use for this kind of certfication in real world, other than for throwing marketing hype to clueless customers, and just raises a false sense of security.
Anyway, SGI's involvement in writing securty patches for Linux deserves gratitude. They are working a lot (and somewhat quietly) to really offer interesting solutions for security, debugging, efficiency. I hope some of their ideas will be incorporated in the main source tree (and not just XFS - when it will be ready for prime time).
My 0.02 Euro.
Re:Go SGI (Score:1)
Re:A good security question? (Score:1)
Re:Hmm (Score:1)
Wish someone would put that phrase to rest. The truth of the matter is that if you don't know where the weaknesses are then you can't exploit them. You suddenly have to do a ton of probes looking for possibilities and thus you ring a lot of alarms to a watchful admin.
Re:Go SGI [OT] (Score:1)
Re:I prefer A1 (Score:1)
Re:Go SGI [OT] (Score:1)
Re:B1?? (Score:1)
Here's the link:
http://www.radium.ncsc.mil/tpep/epl/entries/TTA
SAIC's Center for Information Security Technology, an authorized TTAP Evaluation Facility, has performed the evaluation of Microsoft's claim that the security features and assurances provided by Windows NT 4.0 with Service Pack 6a and the C2 Update with networking meet the C2 requirements of the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) dated December 1985.
It's a common misconception that networked configurations cannot be C2-compliant. That's incorrect. C2 does not address networking. As long as the introduction of networking components does not break anything else that is required for C2 compatibility, then the system is still certifiable as C2.
Re:There is another B1 linux system working alread (Score:1)
From their "Future Goals" page:
"Some day, if ever: Meet B1 security requirements. Now that MAC categories and secure delete are implemented the way has shortened, but it is not really urgent though, since Orange Book is far out of date. "
Re:SGI and security - moahahaah. (Score:1)
SGI already has B1 in 4.0. They are currently in the evaluation process for the current OS, 6.5.x.
Re:Unix can't do B1 (Score:1)
MAC labels can easily added to the task struct and file system checks added at the VFS level. Kernel done. Then add MAC to a file system like ext2 or use SGI's xfs when its done being ported. Instant B1 support.
Darn nay-sayers!
If we build it, they will come...:-)
Actually...it is true: a B1 certification is only good for the exact configuration it is done on. However, getting that cert. does mean that Linux can claim to 'have' B1 security, just not cert'ed. Of course anyone can claim C2 or B1 security features (i.e. Solaris) and never have been certified.
Re:SGI B1 sample codes just a microscopic portion. (Score:1)
The biggy for B1 is MAC, not capabilities or ACL's.
-l
B1/C2 are passe. (Score:1)
Re:Go SGI [OT] (Score:1)
Can anyone tell me why RH (and most other distros) still ship with only sendmail? I can understand that it's useful on big sites, but it would be nice if something a little smaller and more secure (like qmail) was available in the distro.
install the re-freed Tripwire (or a clone)
Are there any free (aka GPL or BSD licensed) Tripwire (or clone) versions out there [I hadn't heard that Tripwire was in any way free...]? I was thinking about doing a BSD licensed version for fun sometime this summer, but if they already exist I'm not sure if I should bother.
encrypt all but your boot partition using Serpent
Or if you've got the cash, buy a card that encrypts the stuff in hardware.
Re:Of course... (Score:1)
Re:This happened a long time ago. (Score:1)
Beats C++...
Bearaucracy (Score:1)
Eventually, more people will use Linux because of the certification. And it is the ultimate source of improvement I can think of.
Re:why Trusted FreeBSD rather than open (Score:1)
Re:why Trusted FreeBSD rather than open (Score:1)
2) more importantly, it's from a major contributor to FreeBSD.
1) What type of security issues?
2) Circular reasoning isn't valid.
Re:This HAD been announced... (Score:1)
I do know that there is a port going on right now that works (without X windows that is, way too much proprietery info about graphics required). Check out linux.sgi.com which looks old but get on the mailing list much newer stuff.
You've got a termination problem there, also if your root drive has not been formatted properly your miniroot will hang.
NT and C2 (Score:1)
As another poster has said, ya gotta love the government sometimes. Who else can simply change the rules when they become inconvenient?
It helps, of course, that our CIO apparently bows and prays to Redmond thrice daily.
Go SGI (Score:1)
Re:Go SGI (Score:1)
Security rating on a system not running any daemons etc? I dunno that just sounded a wee bit vague. You would have to be VERY specific about what you do and how the system is setup and ONLY when it is setup that certain way does it get that rating etc. etc.
Jeremy
Re:Arrrrgh! (Score:1)
Call me naive :) (Score:1)
a well... perhaps we see too much US movies in europe
--
Re:A good security question? (Score:1)
You don't. However, someone trying to sell Linux to a security concious site does need it. B1 should allow system integrators to start using Linux, thus furthering the march towards World Domination.
Security... (Score:1)
I think it would be interesting to see how Linux would handle it. While most of us would have no use for it, I wonder how many Universities and Colleges are going to pick on the SGI B1 release. I think it'd be great to see it popping up and being used. While I love using hte IRIX cluster at PSU, I think it'd be great to have an Alternative Linux (with b1 security of course) running for students to work on projects also...
Re:Security...Notes on FreeBSD's jail() (Score:1)
Imagine being able to run all your daemons in protected spaces. So -what- if Sendmail gets cracked? It can't -touch- anything outside of it's private universe.
Mostly, I agree. What you mention already exists in FreeBSD v.4.0; the jail() process command. Jail() sets up a seperate isolated area of the operating system that is accessed by IP address, not through the normal local methods. Because of that, breaking into a jail()ed process won't get you much.
(I really want this under Linux. So much so, I'm installing FreeBSD just to try it out!)
If you add integrity checks to the jail()ed process, when it does get exploited -- and you should always plan that your daemons will get exploited -- you'll know it.
To clean the system, you can swap in a waiting jail()ed process by changing IP addresses. If you want to monitor the intruder, you can...and they won't know you are tracking thier movements!
Re:Certification? Oh No! (Score:1)
Re:A good security question? (Score:1)
The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.
To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.
There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).
As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, millitary, and banks.
The whole point of the aforementioned Revolution is to raise awareness in trusted os technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted os's! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc.
thompson@argus-systems.com [mailto]
Linux on SGI (Score:1)
Re:This HAD been announced... (Score:1)
Re:This HAD been announced... (Score:1)
Re: Mandatory access control (Score:1)
Actually, this is only true for multilevel devices. There can be single-level devices that are labelled externally (with paper labels). These require procedural controls to ensure that the labels are proper; the operating system enforces the restriction that only data whose label is dominated (i.e., less-than-or-equal to) may be copied to the device (some systems choose to enforce an "equal" policy, which is stricter).
Re:Good first step (Score:2)
I get the impression they can't, because the certification includes the installation.
My understanding is they could produce standalone certified system, and offer a service where they install and have certified a network sytem. It would be expensive though. I could be very wrong, since I've never been involved in such a process.
What I wonder is, what operating systems do B1-ready systems run at the present?
That's easy one to answer. According to the TPEP Evaluated Products List [ncsc.mil], the following operating systems have been used in B1-rated systems:
Amdahl UTS/MTS v2.1.5+
Computer Associates CA-ACF2 MVS v6.1 with CA-ACF2 MAC
Digital SEVMS, several versions on VAX and version 6.1 on Alpha
Digital Ultrix MLS v2.1 on VAXStation (Microvax)
Harris CX/SX v6.1.1 and v6.2.1
HP HP-UX BLS v8.04 and v9.0.9+
SGI Trusted Irix v4.0.5EPL (where this code came from)
Unisys OS1100SR1 and OS1100/2200, Several releases
You'll see that rather than making their mainstream operating system ratable, most vendors (eg. Digital, HP and SGI) offer a special version of the OS that is set up to meet the rating criterion.
----
Re:Hmm (Score:2)
----
Good first step (Score:2)
bash: ispell: command not found
Re:Good first step (Score:2)
What I wonder is, what operating systems do B1-ready systems run at the present?
--
Re:why Trusted FreeBSD rather than open (Score:2)
2) circular? The man doing the Trusted FreeBSD is *already* a major player in FreeBSD, making it the more natural choice for him. Code he knows inside and out, or code that's similar. Not a tough choice.
Re:why Trusted FreeBSD rather than open (Score:2)
But I never said that. I made no claim as to FreeBSD being better than OpenBSD.
However, for an individual developer, the operating system he already knows and is involved with is a better *choice* unless the existing advantages to the other operating system are compelling.
Re:Go SGI (Score:2)
Veritas can buy the IRIS version of XFS, without GPL complications, as it's encumbered and under a different licence. But if they buy the GPLed version, sure, they can charge for it, but they MUST supply the source code and they MUST NOT restrict your freedom (such as giving the source for free to everyone).
Re:Security... (Score:2)
Imagine being able to run all your daemons in protected spaces. So -what- if Sendmail gets cracked? It can't -touch- anything outside of it's private universe.
The same with the web server. Sure, Apache probably has problems, and many CGI scripts certainly do. But if you can't edit the web pages, grab the password files, compromise the system, or rm -fr /, getting in isn't the difficult bit. Finding anything to do, or even showing that you got there, IS.
Yeah, desktop PCs with dial-in access aren't so vulnerable. Even there, though, if you use IRC or some other easily-compromised real-time service, there -are- advantages in severely limiting the scope an attacker has. (That's why you should NEVER, EVER use something like IRC as 'root'. Most of us do, even though we know better, but whoever said sanity was a hallmark of an admin?)
Re:Good work... (Score:2)
Hmmm.... I see a pattern here...
take that , wintrolls (Score:2)
Re:Unix can't do B1 (Score:2)
Sorry, but this is not true at all. DEC MLS+ was based on a modified version of the base Unix kernel. Back in the early days of DEC MLS+ it was a long term goal to have B1/CMW functionality available as an installable subset that could be layered on top of the commercial unix product. It could have achieved that in the end as most of the MLS+ specific source code got merged in with the base OS source code, but just ifdef'd out so it wouldn't build into the base product.
Last I heard DEC MLS+ was being retired, with MLS+ V4.0D (or V4.0E) to be the last version. Don't take that as gospel though, plans do change.
Macka
Arrrrgh! (Score:2)
When is SGI going to do something good for IRIX? I am a developer that uses IRIX. No other OS can give us the graphics power that we require. I use Java on IRIX and it is awful. SGI has only 3 developers working on the Java port, and has dozens working on these little Linux projects. Come on SGI, don't forget IRIX.
--Ivan, weenie NT4 user: bite me!
Re:Hmm (Score:2)
SGI's just doing what they think makes good business sense, no more, no less. They're adopting Linux as their low-end OS because it runs on commodity hardware. Many of their customers will probably buy those machines. Many of their customers also want machines with B1 ratings. They'ed probably have to violate the GPL in order to implement B1 Security into a Linux distro without releasing the source, so they're doing what's required.
Re:Unix can't do B1 (Score:2)
I would imagine that it all would have to be distributed as a separate patch, though, like the real time kernel, or the 8086-80286 kernel.
Re:Unix can't do B1 (Score:2)
Especially since some sort of Trusted Linux would have to have a complete pre-configured installation, with each file given the proper capabilities, ACLs, labels, and such in advance.
Any MAC-enabled linux would have to be a specialised distribution, with a modified kernel, toolset, X server, window manager, shell, and everything.
It doesn't mean that the basic outline of the file system, programming interface, utilities, and everything can't be modified versions of the originals.
Re:I prefer A1 (Score:2)
"Better than A0 is the ultimate in security: the Heisenburg Security Rating. Here, for example, is a system rated as Heisenburg Secure. This locked box may or may not even contain a computer - and until you open it, it actually contains both! Of course, the network connections and power cables inside the box connect to the non-existent portion of the Heisenburg Secure system..."
Re:Certification? Oh No! (Score:2)
Rephrase your question thusly: "I already know how to drive, so why should I take even one hour out of my day to get a driver's license?"
If you want to drive on the B1 highway, you need a driver's license.
Re:Of course... (Score:2)
This HAD been announced... (Score:2)
Re:Go SGI (Score:2)
So when is it ready ? (Score:2)
When will it be ready for use ? Kernel 2.6 or before ? This is not a simple standalone RPM to install.
Good work... (Score:2)
SGI B1 sample codes just a microscopic portion... (Score:2)
A PATCH JUST CAN'T DO THE JOB.
Let's just focus on a small but important aspect of military grade systems - PRIVILEGE. We can forget about secure networking, trusted windowing, and etc etc for now (eventually we will need to address those too).
In a trusted system, each user is held accountable for actions taken by processes being their id, even though those actions may be completely beyond perception. As a consequence, the trusted system must regulate not only user actions, but also the actions of user processes. In Linux (or traditional Unix), all power is vested in the root uid 0. Throughout the kernel of the underlying system there are checks for effective uid 0.
All of these checks are replaced on a trusted system by a check for privilege. Privileges allows the trusted system to control access to system calls, based on the requested operation and the invoking user account - much more reliable and granular than simply checking identity. No more if uid !=0 then deny access. very action which compromise security is estricted with a named privilege, and a process with appropriate privileges is allowed to invoke a system call REGARDLESS of uid.
So, on Linux a privileged operation succeeds if the effective uid == 0; on a trusted system the operation succeeds if the process has the appropriate privilege.
So now, you're probably thinking "EEK! r00t d03sn'7 0wn!'.
There are other topics such as data labelling, auditing, etc etc that I have not mentioned, but
are critical to the implementation of a trusted system and secure OS kernel.
If all those could be implemented in form of a patch, perhaps we should consider Windows 2000 a patch too.
Yours,
--Albert
Re:A good security question? (Score:2)
In regards to the change a single thing comment.
How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.
However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.
This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.
Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.
So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.
If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.
B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from eachother completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.
To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutiness team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.
As always, I'm happy to answer more questions.
If anyone can give me insite on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).
Cheers,
Jeff
Jeff Thompson
Software Evangelist and Visionary
Argus Systems Group, Inc. [argus-systems.com]
Re:Good first step (Score:3)
As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.
----
why Trusted FreeBSD rather than open (Score:3)
1) not quite the same type of security issues.
2) more importantly, it's from a major contributor to FreeBSD.
Re:Go SGI (Score:3)
Then, of course, you could use OpenBSD's FTP daemon, and Postfix as a drop-in Sendmail, and you'd have a very tidy setup.
For the uber-paranoid, pipe -ALL- IPv4 and IPv6 traffic via IPSec or SKIP, use SSH rather than Telnet or RSH, use CBQ/RED and SYN cookies to prevent DoS attacks, use client-side certificates for private web-pages, use the shadow password suite + PAM, install the International Kernel Patches and encrypt all but your boot partition using Serpent, install the re-freed Tripwire (or a clone), and use the Linux Kernel capabilities to disable all non-essential functions.
Personally, I think using the SGI's B1 patches, plus the above configuration, would give you a setup which would be as close to uncrackable as you could realistically get AND still give access to outside individuals.
Re: Mandatory access control (Score:3)
The key aspect appears to be a distinction with Discretionary Access Controls (DAC) - owner and group permissions, ACL lists, etc. DACs are controlled by the owner of the file, but MACs are controlled by the "security administrator." The terms "mandatory" and "discretionary" reflect the fact that the owner must always accept MAC access control on his files, but he can discard the DAC checks (e.g., using mode 0777).
One of the subtle points about MACs is that they are required to be persistent *in all media*. This means that MACs should be preserved (and enforced) when a file is copied to removable media, and somehow indicated on all printed pages. (E.g., printing the "sensitivity level" (confidential, secret, etc) in large type on all printed pages.) Obviously you can't preserve MAC information if the format doesn't support it, so a MAC system may be able to write (enhanced) tar images to tape, but not be able to copy files to a floppy/zip/etc disk using MSDOS or even ext2fs filesystems.
There may be more to MACs; the specs are deliberately vague. A *very* large part of the certification process is going through the appropriate standard and documenting *what* you did and *why* you did it, with some commentary about the implications of that decision. This provides the implementer the flexibility of using whatever technique fits their needs. E.g., nothing says that DACs must be implemented with ACLs, although most people now use them because they're familiar and proven acceptable to the certification agencies.
Re: Mandatory access control (Score:3)
Modeling under the Bell-LaPadula Sensitivity and Biba Integrity models (one type of MAC often used), we have a couple of rules and two groups of items: "Subjects" - things that access or do things and "Objects" things that are accessed or done to. Some things in a system can fall into both contexts depending on the situation. For example, a Subject "Process" (they do things to
objects like files) could also access another process -- the accessed process would be an 'object' as far as security checks are concerned.
So Rule 1) Subjects (S) can only write to an Object (O) if the Object is at the same sensitivity level or above (O is said to "dominate" the level of S and dominate implies >-).
Rule 2) says that Subjects can only read Objects that they dominate (their sensitivity level is >= to the object's).
Biba Integrity works the same but opposite:
Rule 3) Subject can only write to Objects if Subject's Integrity >= (dominates) the Object's.
and Rule 4) Subject can only read Objects that have equivalent or greater Integrity (integ(O)>=integ(S)).
This can be *way* useful for "normal users".
Think of this:
Root is allowed Integrity levels 0-2, default=1. All system files at integrity level 2 (both executables and data). Users and their files are set at integrity level 0. Implications:
1) Any file root creates has I=1 so normal users can't write to it unless the file is specifically downgraded. A subject can write to or create "downgraded" Integrity files, so root is permitted to write lower level integrity files, but this wouldn't be the default creation value. Even if root downgrades the file's Int., Discretionary Access Control (DAC) (i.e. permission bits) still apply.
2) Root can't write to
3) Users could read these 'public' files but couldn't write to them even if the file DAC was 0777.
3) Root couldn't execute any files not in the 'system file list'. No trojans! Only if root overrides security policy and changes the state of a file to 'trusted' (@ int=1 or 2) can it be executed as root.
Now for Sensitivity, let's imagine
In order to modify
So normal users can't see
Just these "simple" applications of MAC would not greatly inconvenience any user, but an attacker gaining root (unless they do so via the password) has limited power. This means most attacks that gain 'root-shell' via a 'bug' are still pretty limited in what they can do.
Now if you add file based capabilities, root can have even less priviledge and/or ability to do damage.
Also, remember, as I've mentioned before -- if you set MAC,S=0,I=0 for everything in the system, you get traditional Unix DAC behavior.
-l
A good security question? (Score:3)
Will this ever happen?
Re:Go SGI (Score:3)
Actually I think anything about C1 has to get evaluated on a case by case basis by a certified DoD contractor. So even if you think you have a secure OS you may in fact not.
More patches? (Score:3)
Unix can't do B1 (Score:4)
Take a look at the requirements for B1 listed above. There's no way to support MAC, ACL, etc. with the standard Unix model. You can't just layer these things on top of the kernel without inheriting the flaws of the kernel.
There have been quite a few "secure unix" systems produced and B1 certified. HP, Concurent, Harris, DEC all come to mind. But in all of these cases they started with a secure kernel and then layered Posix on top of it to make it look like Unix.
So what? So, you can't PATCH the Linux kernel to make it B1. Unless you call "throwing out the kernel and replaceing it with a totally different beast" a patch.
BTW, if you really want an A1 operating system to play with, there is a free one - mentioned on /. - at:
http://www.eros-os.org/
It hasn't been certified yet, but the pieces are there.
Certification? Oh No! (Score:4)
Most techs still make a choice based on facts and real-life requirements and experience instead of some certification. We like to do it ourselves, no?
These improvements *will* improve Linux. That's all that matters. Any certifications that might be the result of it are merely a side effect and not very important, to us.
What about CMW (Score:4)
Beefing up Linux to C2 will be a great thing for commercial interest/acceptance, and only small changes to existing GUI interfaces would be needed to accomodate that (adding ACL options to widgets that display/manipulate file permissions).
B1 however is a different kettle of fish. GUI's like KDE, GNOME, and others would have to be extensively modified to work properly (if at all) in a B1 environment. The standard for this is called CMW (Compartmented Mode Workstation). Commercial products like DEC MLS+ are implementations of B1/CMW on top of the standard Unix product. I don't know what SUN's is called, but they do the same.
This also applies to almost anything else that is not part of the kernel, eg:
* TSIX instead of TCP/IP, which automaticly excludes you from participating in non B1 DNS environments, and allows you to configure networks restricting communication between systems of the same SL (Security Level) or perhaps SL's that yours dominates (with the appropriate kernel privs enabled).
* A new filesystem, or extensions to an existing filesystem, to make it multilevel aware. That way, when you cd(1) into a directory that contains files that have a higher SL than you have Clearance to access, you don't see them. Not from an ls(1) or by any other C hackery you can conjure up, because they are blocked at the filesystem level.
* A new multilevel print environment, so that for example files with an SL of "Top Secret" cannot be printed out on printers that don't have the same or higher SL (eg, Secret, Confidential, Unclassified, or whatever they have been called in the environment you're in).
* Getting back to CMW again. On a B1/CMW workstation where the GUI is multilevel aware, if you have logged in selecting an SL of "Secret" (assuming you have Clearance for this) and you open a terminal window with that SL, then open another terminal window with a lower SL, eg "Unclassified" then you will NOT be able to cut and paste text from the Secret window to the Unclassified window (unless you have privs allowing you to override this AND they are turned on). GUI's that are not multi-level aware (like all the ones that currently exist) would only be able to work as they stand on one SL at a time. If you wanted to work with files (or viewable data) at a higher SL than the one you were logged in on, you'd have to log right out and log in again at the higher SL.
Working with B1 and CMW can be very complicated. Designing and setting up an environment that has all these features is even worse. Which is probably why B1 has never caught on in the commercial world. Applications not specificly written or modified to run in a multi-level environment, can only operate on one level at a time (ie: the level they are start at) which often defeats the object of having a multilevel enviromnent in the first place.
Maybe Linux could shine here though. Last I heard (maybe it's changed again
Macka
FreeBSD to have similar plugins (Score:4)
And they also have a mondo-cool logo.
Re:I prefer A1 (Score:4)
A0, as defined by the military, is an unplugged, completely disassembled computer system where all volatile magnetic memory has been exposed to extremely powerful electromagnets for at least 72 hours. Each piece is then separately taken Cape Canaveral via several different types of transportation (horse, plane, submarine, postal carrier), launch into orbit (using Space Shuttle flights randomly chosen from a calendar) whereupon they are loaded into small, disposable rockets and fired towards the sun along with all documentation.
Re:B1?? (Score:4)
Just to be fair, they recently obtained a C2 on NT4+special service pack+certain hardware, in a networking environment. See here [securiteam.com] for more info.
Re:B1?? (Score:4)
The scale works like this: there are different security levels, each with stronger requirements. The actual requirements are quite numerous, here's a long article [kernel.org] with details.
For a summary... (Score:5)
--
B1 Summary (Score:5)
Of course... (Score:5)
Be that as it may, it is a great start.
Security levels C2 and greater (including B1) will be useful for getting Linux into government offices, the same ones where NT is C2 certified (as long as there is no network connection [smile!])... the government already has a large installed base of desktop systems.
Linux's low cost of entry and now B1 features is just more of the foot in the door for the government and other people that will have to take a look at this system that was once dismissed as a "toy" by others.
--
Re:B1?? (Score:5)
Here's a whirlwind tour of the Orange Book categories.
D level systems have no security worth mentioning. Think DOS, Win95, MacOS - no real notion of separate users.
C level systems have DAC - discretionary access control. Essentially, they have ACLs (access control lists). You can determine who can have access to your stuff. There are two divisions here, C1 and C2, with C2 being more stringent.
Several Unix-type systems have been certified at C2 (though you have to add ACLs), as has WinNT.
B level systems add MAC - mandatory access control. Every object (file, device) and subject (process) has a level (often something like unclassified, secret, top_secret) and a set of categories associated with it. If you're cleared for "secret/stealth_bomber, SDI, Area_51", you can't read stuff labeled "top_secret/who_killed_JFK" or "secret/Clintons_little_black_book". And you can't write something "unclassified/Area_51", so you can't spill the beans. (But you can write to objects at a higher level than you are.) There's B1, B2, and B3. I think you can still count the number of certified B-level operating systems on your fingers.
A1 level systems have been mathematically proven. IIRC there's only one that's ever been certified at this level.
There's also something called CMW (compartmented mode workstation), which is like the B levels but deals with "information labels" instead of "sensitivity labels" - i.e., it tries to track what's really in the object, so if you paste secret data into a file it gets upgraded.
It's a bitch to get something certified (I worked on Trusted Mach [tis.com], which was intended to be B3 but never went anywhere); we're talking piles of documentation, many rounds of review, and a pile of money.