The CEO of Green Hills Software Inc continues to write about the supposed security flaws of Linux. This annoys me, but I'm not going to dwell on it - it's pretty much FUD, but concentrating on military applications. They don't seem to be competing for the desktop, and all of this is just to draw attention to their products.
This week I had to clean a friend's computer of viruses, and install a firewall before the Sasser worm gets near our university network. She uses... yes, WindowsXP, of course. (I use Debian, btw.) It seems to my inexpert eyes that Linux is more secure than Windows, and yet Windows has a security rating of EAL 4, whereas Linux has EAL 2.
My point is that these ratings mean very little - you basically pay for them to be done, which is why an open-source project stands little chance of having this happen. From the article: "A full security certification must be performed by someone who is a formal methods mathematician, a software engineer, and an experienced evaluator. That is a rare and expensive breed of individual. A thorough evaluation of Linux for subversions would cost billions of dollars." (Their emphasis.)
As a mathematician, this got me thinking. Could a program be written to formally test the security of another program (i.e. the Linux kernel, or a whole distribution)? Could it be an open-source program? After all, talented programmers are a rare and expensive breed as well, and yet Linux happened.
But then how could the security of a test program be guaranteed? I suppose firstly by making it simple enough that any flaws in the source code would be obvious. That might be difficult, but perhaps not as difficult as certifying the whole kernel by hand. Ken Thompson's subversion idea is fascinating as well - I'd wondered about this myself. One option might be writing one in assembler (on a machine without microcode!)... or could you use the untrusted C compiler to write a trusted compiler for a different language, and then use this other language to compile a trusted C compiler? :-) Fun.