TrustedBSD Announced 100
Kaufmann writes "It seems the BSD family has a new member: TrustedBSD. From its site: 'TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Orange Book B1 evaluation criteria. This project is still under development, and much of the code is destined to make its way back into the base FreeBSD operating system; however, this site will provide access to documentation, code relating to features that are still under development, and code that has its fingers in too many places to justify integrating into the base OS.' Sweet!"
Re:Xenix lives! (Score:1)
Re:BSD vs. WWF (Score:1)
FreeBSD also ships with IPsec, SSH, and OpenSSL. For patent reasons (not export reasons), RSA is not installed unless the user specifically asks that it be installed (and confirms they are out of the US, or agree to the RSAref license). In the long term, all of the BSDs will be using the KAME stack; OpenBSD is currently migrating towards it.
FreeBSD does not currently include an IKE daemon, such as the KAME racoon or OpenBSD isakmpd.
It's not clear you know what you're talking about. Please try again.
Re:Revolution =! Prostitution (Score:1)
OpenBSD = great BUT (Score:1)
Xenix lives! (Score:1)
Interesting, no?
Re:ACL's (Score:1)
traditional Unix security model. Fortunately,
ACL support seems to be much more common in
Unixes now, and with any luck all the free
Unixes will have support for them soon. It's
a useful enough feature that I concievably could
change the operating system on my systems to
whoever gets there first (well... unless it's
FreeBSD, as I have diverse hardware)
Re:ACL's using file permissions - a BAD idea. (Score:1)
While ACLs could be implemented using generic UNIX-style groups, it would be painful at best.
For example, under Digital UNIX (I think solaris has similar syntax supplied by setfacl), to set an acl so joe, mary, and all members of the project1 and project2 groups can access file foobie read/write, all I would need to do is:
setacl -u user:joe:rw- foobie
setacl -u user:mary:rw- foobie
setacl -u group:project1:rw- foobie
setacl -u group:project2:rw- foobie
Now, clearly, this can be done using standard UNIX groups - but given the essentially limitless potential combinations - this is NOT a good plan.
-Jeff
Re:They've bitten off a lot, here.. (Score:1)
As for reading the site, yeah, I read the entire thing, and, like I said, it's mostly links that point to each other.
In pointing out that the web site is immature, I was more taking a stab at
So there.
--
blue
Re:They've bitten off a lot, here.. (Score:1)
Shrug, then write something on the web page explaining that. Especially given today's atmosphere wrt BSDs, it's prolly a nice idea to spell out on which side of what fence you stand ahead of time. If it's open code and you welcome all comers and would like to see it pointed to all OSs, say so. If you're using FBSD for some technical superiority, say that.
If ya don't tell us who you are, what you do, and why, then ya can't complain when we make shit up at random.
--
blue
Re:Stop the FUD! (Score:1)
The way I see it the GNU-license is about making the free programs as good as possible, but the BSD-type is about making the programs, free and proprietarry, as good as possible.
just my opinions.
Looks good (Score:1)
If this thing were to ever become a full-blown BSD distribution, think of all the fun possibilities for the CD cover art. If you thought the OpenBSD one was good, wait till they show big bad crackers who think they're "The One" };-)
but what's the point of it ? (Score:1)
If you can (and I cannot see any way to stop it, barring mind control), then there is no real security in it, just making a little bit more annoying to do "unsecure" stuff. And if your point is to annoy users to gain some pseudo-security, there are even better ways to do it (ask any BOFH
Re:Current holders of big brother's seal (Score:1)
There is no such thing as getting (A|B|C)(1|2|3) certification. Products are evaluated to the certain criteria, but certification implies there is some certification body.
Re:BSD License (Score:1)
Four letters. (Score:1)
-russ
Re:Stop the FUD! (Score:1)
My point was that while it's true that the BSD developers could close their source, it's equally true that the FSF could close its source. Because the FSF alone holds the copyrights, a great deal of GPL'ed software is in just as much jeopardy of being closed as FreeBSD. The copyrights essentially negate the differences in the licenses because neither offers any protection.
However, in neither case would software available now be affected, as you so thoughtfully (that is, needlessly) pointed out. The issue is moot, though, because neither will ever happen. The BSD developers have more than proven their allegiance to the ideals of Open Source, as has the FSF. If anything, I credit BSD teams for resisting a temptation that doesn't exist for so many Linux developers.
© 2000 James Lanfear. All rights reserved.
Re:Stop the FUD! (Score:1)
© 2000 James Lanfear. All rights reserved.
Re:Four letters. (Score:1)
And who says they won't grab the OpenBSD source and give it a looksee? After all this *IS* Open Source, right?
Re:creating another BSD could be bad (Score:1)
Re:and come to think of it (Score:1)
In a more formal sense, mandatory access control is implemented by assigning every object (file, socket, device, fifo) a sensitivity label, and every subject(process/user) a clearence label. A subject with clearence label X may only write to an object with a sensitivity level of X or higher, and may only read from objects with a sensitivity level of X or lower. Thus, any data flow path within the system is restricted to only flowing from less sensitive to more sensitive. There a few twists (sensitivity labels are only partially ordered -- there may be levels which are incomprable, and no access paths exist between them).
Re:Fair enough (Score:1)
As a requirement for security, physical access control is also necessary, so for instance, a highly sensitive level might have only a single terminal associated with it, which was physically secure, so that it was possible to verify that you did not take any written data out. You can still memorize it, but the scope of possible causes for information leaks is greatly diminished. Hell, just preventing a buggy program from crashing and putting sensitive data in
Finally all of these trusted systems also implement extensive auditing capabilites, so in the event of a security comprimize, accesses to any particular object can be traced and examined.
When you get right down to it, DAC is really designed from the perspective of preventing people from writing data they shouldn't. MAC primarily focuses on preventing people from reading data they shouldn't.
Re:and come to think of it (Score:1)
As long as you stay on one machine, the actual implementation of MAC isn't too difficult, the hard part is all the integration work to assign labels and privs to everything, and ending up with a working system. However unless you inadvertantly give a program privs. it shouldn't have, none of that has particular system securtity implications, it is all more along the lines of "if you didn't do it right, it will fail".
Re:first again? (Score:1)
Now, as to the article...
It will be nice if this project sticks with us for a while. I remember when the documentation for the os's were multi-chaptered books that usually weighed as much as the system the os was being installed on. Remember DOS 3? Almost every command had a page (if not more) dedicated to its use.
Some of those extentions will most likely make it to my toy system. It will be good times for all.
Re:Stop the FUD! (Score:1)
(sarcasm on)If Microsoft has taught us anything, it's the importance of getting a product out ASAP, rather than fixing any of those naughty security bugs and holes which can be fixed in v n.1 and n.2. (sarcasm off)
---
Re:I'm confused -- isn't this just Capabilities + (Score:1)
levels cannot read anything above their level even if it's mode bits were set 0777.
Say we have los alamos lab doing "Secret" government work. All the scientists using the computer there would do all of their work at the 'secret' level. This way, 'secret chinese operative' can't leak the information to a
lower level. Even printouts are to be labeled, so theoretically they couldn't walk out of the secret facility w/a secret document (in practice physical security may be harder to enforce). Things like the camera in your watch might escape detection.
I'm not sure how you would implement such a scheme in any straightforward way using ACLS and CAP lists.
Re:Current holders of big brother's seal (Score:1)
as well.
Does this have anything to do with TIS? (Score:1)
This was put out by a company called Trusted Information Systems.
Does anyone know if they have anything to do with this?
Re:Source is free, but NSA evaluation process IS N (Score:1)
Re:Stop the FUD! (Score:1)
Re:I choose OpenBSD (Score:1)
Re:@freebsd.org email? (Score:1)
@freebsd.org email addresses are only available to FreeBSD committers - you generally have to prove yourself by doing something really worthwhile (e.g. submitting lots of ports, writing documentation, writing or maintaining nifty code, etc) before you're offered committer status.
Re:Stop the FUD! (Score:1)
Personalites and problems, + other BSD news. (Score:1)
Looks like FreeBSD is going to branch out!
FreeBSD-i18n Dedicated to internationalizing FreeBSD (hopefully the disable will be better addressed in this release...code for the blind, the deaf, etc.)
FreeBSD-PPC Dedicated to making FreeBSD run on PPC platforms.
The web pages don't show it yet...but go for instructions [freebsd.org] on how to get on a list.
>This kinda attitude seems prevalent across among the posts to this article and I find it somewhat annoying.
Hate to break this to ya, but the big reason there WAS a split in OpenBSD's case is it *WAS* personality.
There was a big thread about this on daily.daemonnews.org, but it got deleted by the people who run the site.
The thread went into acusations involving the FBI, malicious code deletion, etc la.
It all reminds me of what the head of EE told me in college. Most technical staffers are never fired/let go because of their lack of technical skills, but because of personality/personal issues. This thread has the 'annoying' comments about personal loyalities because there is much truth to them.
Re:and come to think of it (Score:1)
If what you mean is, "both UNIX and NT possess the features needed to get a C1 rating," you're right. What you said is wrong, though. UNIX can't get a C1 because there isn't any single "UNIX". NT 3.51 with no networking was granted a C-something rating. This has nothing to do with reality, but doesn't prevent marketing using the rating.
There is a lot of extra overhead to do MAC checks and MAC intentionally sort of puts people in a prison.
It is true there is additional work necessary to check additional policies. Traditional DOD-style MAC checks are fast -- one comparison and a few ands and equality checks. This doesn't have to be significant. As for "putting people in a prison," you're actually more interested in putting Trojan Horse programs in prison--and if you don't need the feature, just give everything the same sensitivity label.
Free BSD with trusted base without OpenBSD audit (Score:1)
Interesting choice.
Re:@freebsd.org email? (Score:1)
In case you couldn't take the hint from my last post, I'm as gay as Nik. I may be low brow, but I'm no pizza boy. I've been called many things in my time: slut, tramp, two-timing hussy, but NEVER "pizza boy".
I'm afraid I'm going to have to demand satisfaction. En guarde!
"What's my point?" Wouldn't you like to know, missy... drop by Francis' next time you're in New York and you can see my point as much as you want.
Bitch.
@freebsd.org email? (Score:1)
I'd be willing to help you guys out, if I could get an @freebsd.org email address, so I can be as cool as you and Gay Nik.
Re:@freebsd.org email? (Score:1)
Thank you for the response to my question, Kris. I'd like to talk about your attitude towards Nik, though.
Ignoring the insult to Nik...
It wasn't an insult! Seriously, Nik is gay. And he's proud of it, as well he should be. He shouldn't be forced to hide in the closet just because you think it's "weird". You think that Nik shouldn't be allowed his human rights?
For God's sake, it wasn't an insult. I know his ex-boyfriend. Nik knows who I am. He's not offended. You've obviously never spent time in the gay community. We queer nancies have to stick together, and brotherly ribbing is looked at ironically, rather than patronizingly.
We should all be supporting Nik in his decision to be forthright about his homosexuality. I think he'd appreciate your support too, Kris. It's not easy. Even geeks, traditionlly shunned, are surprisingly homophobic. I find it disgusting.
Nik, if you're reading this, I apologise for Kris.
I don't need the lecture. I know Nik a lot better than you probably do, Kris.
Re:Source is free, but NSA evaluation process ISNT (Score:1)
I really feel stupid now. I thought those folks were attempting to promote open source to government agencies as an alternative to commmercial solutions...
Now if you are talking about the main effort of this is to bring BLS to desktop systems that your average Joe runs because that would be 1337, then I rest my case here.
Mmmm.
Yours,
--Albert
Re:Don't worry... (Score:1)
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com [npsis.com]
Re:Stop the FUD! (Score:1)
Does this mean the code for each *BSD will eventually merge? It's always bothered me that 4.4BSD-Lite forked in the first place.
---
TrustedBSD vs OpenBSD (Score:1)
Re:Current holders of big brother's seal (Score:1)
Security ratings are assigned based on the various components of the OS, and the kernel is just one of those.
You may see "Red Hat Trusted Linux 17.23" there, or [Free|Open|somenew]BSD, but not "Linux".
You could see "MumbleBSD x.x" listed because they each have a single distribution. If they felt like coughing up the dough for testing, that is...
Re:They've bitten off a lot, here.. (Score:1)
This kinda attitude seems prevalent across among the posts to this article and I find it somewhat annoying. I have no issues to the OpenBSD project, I support what they do, but they aren't the only OS attempting to be "secure by default". FreeBSD is taking measures towards that also, by incorporating ssh and ssl libraries in the base distribution and is also working towards a code audit similar to what OpenBSD does.
Re:Do you think... (Score:1)
While there are way too many flavors of Linux floating around, this TrustedBSD may serve a good purpose. It's aiming at B1 level security, so it'll be much more secure that normal x86 unix clones. What's Linux secutiry at? c2? Never reached c1 yet I believe.
Is there anyway to standardize it all?
POSIX does a great job. A lot of source code just needs a minor tweak or fix to compile on other platforms, which there are a few utiliteis at aid in doing that itself... If we standardize it all, we'd be stuck in the same rut... Options are great. I do think it's silly to have a specific linux distribution for a piece of hardware, but to have choice likes this BSD is good... to have Slackware vs Almost_slackware_but_changed_the_opening_installat ion_ascii 9.42b is quite silly :)
I'm confused -- isn't this just Capabilities + ACL (Score:1)
I'm a little confused. While I've looked for details on how to verify that a system is B1 compliant, I only seem to find vauge references.
I don't see the practical difference between a system that's B1 compliant and one where ACLs are added (1) [uni-bremen.de] (2) [bestbits.at] and all accounts including root are severly restricted [lids.org] -- and both of these security measures avaiable under Linux.
I realize that verification testing is done on a per-installation basis, so many of the details will be specific to that installation. ...yet, all security is specific to the tasks and installation, so this doesn't clear up anything.
The general goals including many specific "the system shall" type directives, should be readily available...but where?
Tools like LIDS under Linux [lids.org] and other kernel patches to handle ACLs seem to do the job...so what's missing?
Re:Current holders of big brother's seal (Score:1)
No, but that's not the fault of the OS. They never even evaluated it, nor OpenBSD, nor FreeBSD, none. They've stuck with big name crap. Here's [ncsc.mil] the list of products that have been evaluated. Interesting that NT, the OS of choice when it comes to r00ting servers, is high on the list of secure solutions. Blame the operator I guess..
Re:Shut up bitch (Score:1)
Do you think... (Score:1)
Is there anyway to standardize it all?
OpenBSD? (Score:1)
Are there some features of FreeBSD they wish to preserve? And why not merely attempt to integrate these into OpenBSD?
Re:Stop the FUD! (Score:1)
Its not about money, its about progress. Open Source isn't about true open source, its about progress.
Re:They've bitten off a lot, here.. (Score:2)
Re:and come to think of it (Score:2)
Nope. DG/UX has offered a B2 security option [dg.com] for many years now. Trusted Solaris and Trusted IRIX have both been certified at B1, along with several others. Even Trusted Xenix (!) of all things managed to get a B1 rating in the early 1990s. Personally, I wouldn't trust Xenix with anything. It ranks right up there with Interactive Unix as one of those OSes I'm glad I'll never have to use again :-)
Fair enough (Score:2)
So you eliminate any way of creating a lower security file than the highest level of security you currently are. You can read anything you're cleared to, but can't possibly create a lower security file. The system could then have two paths
a) I can't log in at a lower security level
so I can't under any circumstances share that information; you've removed all discretion from the process. Note that I could still walk down the hall and tell the uncleared janitor, verbally, anything I had learned.
b) I can log back in at a lower security level
In which case I'll just memorize what I read before and write it into a new file at lower security.
You could argue that it's more secure since I can't do that algorithmically; I would have to literally memorize every character I wanted to commit. Certainly a gigabyte of nuclear research data would be hard to compromise that way.
But that doesn't sound like a Secure (in the OpenBSD or BugTRAQ "strongest-possible" sense) solution at all. Just because a secret file happens to be short and in English doesn't mean it should be easier to compromise, since "short and in English" is not part of the security description of the file. I would much rather have a traditional POSIX with well-planned access groups and discretionary security, and assume that anyone I show a file to can share it at lower security. In other words, since the leak is there, I would argue you should make it a flood (so it's unmistakable) rather than claiming it doesn't exist (since it obviously always does).
I note this is equally true of the "military-style" hardcopy document security system in the analogy in the post below. Which is probably why that's a dumb system.
Again, just my opinion. But I don't think MAC does anything more than obfuscate a truly insecure (in the sense that every human is insecure) system.
Re:and come to think of it (Score:2)
Re:and come to think of it (Score:2)
Re:Stop the FUD! (Score:2)
they could release new versions of the code under a binary license, but not change the old copyrights. in a sense it's a contract and needs the consent of both parties.
the fsf owns the copyrights on several projects (not linux though), and it does so in order to help fight violations. only the copyright holder can sue for copyright violations - and i'm sure joe developer isn't interested in hiring lawyers...
Re:BSD License (Score:2)
as for your rather nasty comments i was merely replying to a comment that the bsd license was designed to help share code. it isn't. it's designed to share software. the audience of developers that can use bsd software is theoretically larger since ones that want to release binary only software can do so. bsd proponents will surely feel this is true. obviously some developers who are keen on the gpl won't want that, but since the s/w development industry has been largely binary driven i would guess that the bsd license is more attractive.
Re:They've bitten off a lot, here.. (Score:2)
Aren't you glad nobody made this obversation about Open-Source in the early '90s?
Where would the world be without forward thinking?
For those who've been criticizing why it's just another spliter faction from {Free|Open|Net}BSD, Did you even bother to read their annoucement?
Here's an Excerpt from the Announcement:
Furthermore, there is some POSIX-1E ACL support in FreeBSD 4.0-RELEASE. So your "18 months" of hard work is well underway.
Robert Watson, from the TrustedBSD project wrote them.
sigh.
Re:and come to think of it (Score:2)
WinNT4 never even came close. Yet MS often billed NT as 'secure' to Orange Book "C" level.
As far as I know (and per the Multics home page when I last looked -- a few weeks ago) Multics was the only OS ever certified at the "B" level. That may be the only 'multi-user OS' however.
I haven't used Multics since I was 16, in the late 70's, so I'm not really a partisan of it. Still I did learn my first three programming languages on it (Fortran G/WATFOR/WATFIV, APL, and LISP).
I wouldn't go bcak (to Multics, age 16, or Fortran) for anything!
__________
Re:and come to think of it (Score:2)
That claim was removed from the Multicians [multicians.org] website (possibly as the result of a
Indeed, I wasn't actually prepared to submit the entire article. I was running Mozilla M14 on my beta machine, and it hung while I was fact-checking. I guess I hit the wrong key sequence and the article got submitted by mistake.
__________
Re:and come to think of it (Score:2)
MAC control on the other hand stops this.
Whoa. That's tight. But is that really possible? You could stop someone from doing 'cat A >> B', but what if I, say, load up a text editor, import A, and write to B? Or if anything, write a small program that does open(A); open(B); fread(A); fwrite(B);? Or just looked at A, switched to another virtual terminal, and typed the text verbatim into B?
I see how you could make changing the security level of particular data (not just the file) inconvenient, but how can you make it impossible?
Re:BSD License (Score:2)
The typical free software project has only one copyright holder. There are very few exceptions. Simply being a contributor does not make one an owner.
Re:BSD License (Score:2)
Not only is it possible under the BSD license, IT IS ALSO POSSIBLE UNDER THE GPL or any other license. Licenses do not grant permissions and conditions upon the author, only upon the user.
Re:ACL's using file permissions - a BAD idea. (Score:2)
-russ
ACL's (Score:2)
-russ
Re:Do you think... (Score:2)
Re:and come to think of it (Score:2)
All of MAC stuff is in the core of the IRIX OS. It's just that it is only turned on when booting from specially labeled (has MAC) disk.
It doesn't get in the way but should be in the core OS so people aren't as likely to break it.
MAC also doesn't have to even be turned off for a Unix system to operate 'normally' -- not even that expensive. You set all Sensitivity labels on all users and objects at 0 and Integrity at 0, and have no divisions or categories. That's a 32+32+16 bit compare which is negligible compared to file access times. In that instance,
only discretionary access would actually be checked. Of course then you *could* decide to protect system files from tampering by making root run at an Integrity level of 1 and all system files also having Integrity level 1. Then MAC would prohibit lower level processes writing anything in the "System File Group" (Trusted Computing Base or TCB) and root couldn't execute anything that wasn't in the system group (no trojans). Add file based capabilities for executables and have root having no special privs (or few), and getting root access does you no good. But if you wanted to run as 'normal',
just have Sens=0 for everything.
Re:and come to think of it (Score:2)
Secondly, I have a question: When the system drops your security to a less secure setting, that is only per-session, right ? So if you log out, log back in then you're top secret again, no ? Sooo, there's still the possibility of the user doing what the original poster said, i.e. opening vim in one login session, opening the file in another, and copying it. Or even print out / scan in, if the user had privileges to do both...
Right... ?
Re:openbsd v. the world (Score:2)
Re:Stop the FUD! (Score:2)
> always bothered me that 4.4BSD-Lite forked in the first place.
I don't know about merging - the personality differences between certain
of the project leaders, not to mention so much code divergence (lots of
minor changes) may prevent that from ever becoming a reality -
but the three projects are certainly converging. FreeBSD is being ported
to new platforms, NetBSD and FreeBSD are both gaining new "integrated crypto"
features and increasing the attention to security, OpenBSD and NetBSD
are working on SMP support, etc.
There's a fair bit of parallel effort going on, but on the other hand
there's an awful lot of code sharing. e.g. the USB stack is shared between
at least NetBSD and FreeBSD, with fixes and enhancements going in both
directions, OpenBSD and NetBSD regularly port drivers from FreeBSD, etc.
Re:Current holders of big brother's seal (Score:2)
2. As soon as the NSA opens up their modifications to Linux. They are actually working on it now, but most likely, they won't release it. The NSA isn't in the habit of releasing anything back to the outside world. They think *everyone* is a potential enemy. Look at the history of DES, and there's strong evidence that the NSA had differential cryptanalysis 10-15 years before the private sector.
But it's pretty irrelvant. The "security" implied by these certifications isn't the type of security that is usually of interest to people outside the military. The only case where I can see it being needed would be with medical records or financial records, but in those cases, you also have a whole bunch of data validity and availability issues that the Orange Book doesn't address.
--Kevin
Re:Free BSD with trusted base without OpenBSD audi (Score:2)
*yawn*
If this kind of comment was made about RedHat vs Mandrake vs (anyone but) LinuxOne, it would have been labeled as flamebait/troll.
Audit issues found in OpenBSD that were appropriate to Net and FreeBSD were applied to the release. And, I'd bet some of these issues were then applied to the package they came from, in addition to Linux.
That is the beauty of OpenSource. Unless you can prove that no patches from OpenBSD were applied to Net/FreeBSD then you are either ignorant or spreading FUD.
Now, you seem to be expressing these 2 ideas:
1) lets all work together so we move faster/better
2) OpenBSD has the 'best security'
Lets all work together...each project has different goals. And now a group want to improve FreeBSD. Good for them. If working together is #1, why 150 different Linux distros? And, what about 'many eyes make bugs shallow', does this not apply to design ideas? Many minds working in different directions provide the different lines of thinks that will find a better path.
Best security....Charles Hannum (root@ihack.net) pointed out at a BSD dinner that OpenBSD security isn't, FreeBSD memory management isn't, and NetBSD portability isn't. OpenBSD is as secure as a sysadmin makes it, FreeBSD's VM doesn't work quite right (this statement was made months ago...), and unless you have the toaster that NetBSD runs on and WANT to turn it from a toaster to a NEtBSD Box...it is kind of pointless. Security/VM/Portability is nothing more than examples of successful marketing...taking a small difference and making the biggest possible deal about it. Is the ability to run the OS on Dreamcast worth a better VM? Or, is good security worth giving up a 2500+ ports collection? Or is it worth giving up the ability to run voice recognition software? OS choice is about choice. And when one makes a choice, one gives up something in favor of something else.
Re:Pointless Moaning... (Score:2)
It seems some people take it WAY to seriously. I used to moderate my points I got down all the trolls/flames. But, given there is no reward for beating down the noise, there is no incentive.
If a moderation change is needed, it should be to allow for some people (oh how to choose!) to have massive points to beat down the trolls. If the trolls can't be seen, they will eventually go away. Perhaps 'congratz! U have 20 trol beat'n points. Thump away!'
Right now, as they admit...they only exist to burn moderation points.
Re:and come to think of it (Score:2)
The latest evolutions of HP, based off HP-UX 10.xx tree, are no longer certified, since this auditing must be done every time the source changes, but there
The question at hand is, will the open source movement be able to halt its endless updates and improvements to sit down and do a full audit of FreeBSD, with these extensions. Even HP is loathe to do it, and VV/HP-UX's march of progress is considerably slower in tempo.
Pooh-pooh'ing aside, I am very eagerly awaiting a BSD with finely grained privileges, and I wish the implementors the best of luck!
Pointless Moaning... (Score:2)
Browsing at -1 is a real pain. I'm looking for abuses of moderation, but all I see are hundreds of trolls, flamebaits and idiots posting gibberish. What is it about Slashdot that has attracted these people here? Do they really have nothing better to do?
I really want to moderate positively, I'd love to find a load of articles that are really worth my ticking them as interesting, insightful or funny. But what are the chances that I'm going to come across one of those before I come across five posts that are so full of swearwords (and no content) that I do the slashdot community a greater service by sending them below the surface? Every so often I come across a good post, and it's with a sense of achievement that I can actually moderate it up, but the sheer volume of junk that I have to wade through in order to find the gems means that I tend to run out of points before I get there.
Not moderating down the trolls is not an option. When I'm not moderating I browse at 0 because ACs sometimes post interesting articles, and at that time I tend to thank the moderators that got rid of the trolls for me, so I do the same. The solution isn't about content, nor is this constant moaning about the quality of moderation going to get Slashdot anywhere - you have no real data on who moderated what, and how much they knew about it, and what proportion of moderators do a good or a bad job. The problem is accountability for posts, and this whole veil of anonymity thing is not helping in many cases (please note that I implicitly acknowledge that in other cases it is essential).
All this bitching at moderators is really pissing me off - it demotivates me from making an effort, since there will always be a hundred posters out there to criticise moderators no matter how much time and effort I personally put into it.
A big problem with slashdot is that regardless of the subject topic, people prefer to discuss the value of slashdot, the quality of moderation and the lack of quality articles. This problem is about users, not management.
Re:What "mandatory security" really means. (Score:2)
Source is free, but NSA evaluation process IS NOT! (Score:2)
Yes. The source is free, but the NSA evaluation process IS NOT!
I remain skeptical about this one (and other opensourced BLS projects we came across previously). I mean, where are they going to get the fundings and needed financial support? NSA is, obviously, not going to entertain a bunch of coders with "opensource" bandanas wrapped around their foreheads; On the other hand, if the OS has not formally passed the BLS evaluation (which is going to cost an arm and a leg), they couldn't even use the term BLS (B Level Security) OS.
I remember when Hewlett Packard rolled out its BLS HP-UX 10.24 a couple of years ago (based on earlier version of HP-UX BLS 8.04/9.09, they were B1 at that point I believe), the marketing folks claimed that 10.24 achieved the B2 evaluation standards with MAC/DAC enforcement on system, network level as well as secure windowing systems. Those secure dtterms got this funky colour frame on them showing you which system compartment you are in, etc etc. It's pretty neat.
HOWEVER, the marketing folks also added that the B2 evaluation process could take them several years and LOTS AND LOTS of $$, so they ended up selling HP-UX BLS 10.24 as a B1 system, aka. Virtual Vault.
This is going to be a long journey, but I am still optimistic about it. What do you think?
Yours,
--Albert
creating another BSD could be bad (Score:2)
Don't call it another BSD, just fix what is there. Get your changes committed to the codebase. There are definitely times to fork and this is not one. I know they said that a lot of the code is going back into FreeBSD, but why should it ever be a separate thing, except maybe as patches until it gets committed?
Re:and come to think of it (Score:3)
I cut data from file A, and paste it into file B. I can then control who has access to the information in file A by allowing them access to file B (which contains all the information from file A). This would be the case for ACL's, and all unix style permissions.
MAC control on the other hand stops this. I can cut from file A (confidential A), and paste into file B(Secret A). I can only paste into file B if its label is the same or higher (this case higher). Now only be users cleared to see Secret A files can look at file B. I am not allowed to change the Security Label of the file. Further on most Trusted Operating systems almost all users are even allowed to change their effective Security Labels while logging in (that way you can't open a sensitive file, copy, and then paste into a file with a lower Security Label).
What does MAC give you? Well combine this with breaking up of super user privilege (root) and you can setup a system where if Bind is compromised it does not matter. At the worst the Bind process is currupted, or sends out bad data. From where Bind is running no other part of the machine can be likewise compromised.
(I would login, but I don't like cokies... except chocolate chip ones)
Current holders of big brother's seal (Score:3)
href="http://www.radium.ncsc. mil/tpep/epl/epl-by-class.html [ncsc.mil]
Orange Book (Score:3)
Fair warning, it's ~250K and definitely not light reading.
© 2000 James Lanfear. All rights reserved.
ACL's are dead (Score:3)
I sure hope not. Capabilities address secuity in a MUCH cleaner way then ACL's do.
See:
http://www.eros-os.org/essays/capintro. html [eros-os.org]
Re:and come to think of it (Score:3)
Let's take your simple program that opens a "secret" classification file and opens a "confidential" (lower rated file), then copies the secret file to the classified file.
The program starts life with a default classification inherited from the shell that started it (let's say this shell is top secret rated, just to make it interesting). When it opens the secret rated file for read, the system says "OK, you can read secret since your currently top secret" and the open succeeds. Then you try to open the other file as classified for write. The system says "well, you could do this, but I'd have to drop you to classified level. Oops, you have a file descriptor open at secret. Sorry Charlie, but no. E_BUTIWOULDHAVETOKILLYOU".
Alternatively, let's say you do the classified file first, then the secret file. When you open the classified file for write, your process security goes to "classified", and then the open to the secret file fails.
Now, think about all the various file descriptors a process has open, and think about making them all match in security. Now you see why getting a B rating takes a lot of work.
Re:and come to think of it (Score:3)
Actually, it's only per process. In other words, if you edit a "classified" file with vi, only vi gets knocked down to "classified". However, this is what makes it fun: what if you are running X, and you cut and paste from a secure document? Now you have to track the security level of the X cut&paste buffer. Again, this is why getting to a B2 security level is so hard: every time you think you've got it covered, another issue pops up.
BSD -> Star Trek (Score:3)
What "mandatory security" really means. (Score:3)
The classic DoD security policy is very simple: there are levels (UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET) and compartments (NOFORN, NATO, etc.) Associated with each file is one level and a set of compartments. Information is not allowed to flow downward in level or out of any of its compartments.
You can easily decide whether any information flow is allowed, which is why this model can be enforced reliably. But it's not that useful to most people. For one thing, it's not about protecting systems; when military data is threatened, the military usually prefers it be destroyed rather than revealed. The military assumption is that if it is important, you have copies in multiple locations; after all, the enemy might bomb you. And few civilian organizations have an internal security policy that clear.
Ken Biba tried to extend this security model to include what he called integrity. Integrity is the formal dual of security; data is not allowed to flow upward in integrity or into new integrity compartments. An integrity model might have levels such as (UNTRUSTED DATA, USER, ADMINISTRATOR, PERMANENT FIXED DATA). This is a tough model. For example, if you're running as administrator, you can't read anything except administrator-level data, and you can't run anything except administrator-level programs.. For example, running at administrator level cuts you completely off from any untrusted network. This is exactly what you want for security, but people hate this.
The great thing about mandatory security is that it works. Anything you can't do directly, you can't do at all. It's the brutal simplicity of the system that makes it enforceable.
But imposing this model on the mess of untrusted code that comes with any variant of UNIX is a very painful process. Most of that code will be usable only for non-secure work.
Re:OpenBSD? (Score:3)
I don't feel like being informative, so I will just flame you.
Score: 2 (Informative)
Trolls have nothing on this moderator. I salute you..
Re:creating another BSD could be bad (Score:3)
The reason this work isn't being done to an existing BSD release is that B1 security brings a lot of hassle that isn't appropriate for many (or most) sites.
The different BSDs exist for different goals, and until now B1 security hasn't been one of them.
This is a perfect place to fork, since if you need B1 security, you can't do without it. If you aren't sure you need it, you probably don't want it.
Re:Stop the FUD! (Score:4)
After all, that's what the BSD license is all about :-)
actually, it's quite possible (under the bsd license) for the trustedbsd developers to offer binary only versions - thereby making sure that openbsd would not be able to incorporate those changes.
the bsd license is not all about allowing other people to share your code since at some point someone can hide it away with their changes.
SGI doing this for Linux... (Score:4)
The greatest strength of open source - fast development time - is a burden on secure systems. Everytime something is changed, the whole needs to be reanalyzed so that no security breaches are created by the change. This is why pro-security distributions like OpenBSD are still using BIND 4.X and such - they don't have the time to reverify all the new packages and revisions.
That said, certification means little until tested in the real world, but it can definitely help - look at OpenBSD's record!
Re:an open letter to Taco (Score:4)
But it's worse than that. The problems arise from plain human incompetence:
Clueless, uninformed moderators who don't bother reading the article in question before moderating ("moderate first, read later!"), moderate up posts that are plain wrong, or let their human biases show.
Add to that boring editors who on top of not being able to spell or write, pointlessly editorialize in article postings, using
Don't forget the boring posters. You know, the people who keep posting on Slashdot. The regular posters are really boring (myself included). It was interesting at first, but the same old boring viewpoints just seem to get rehashed over and over.
/. is getting very stale.
====
This isn't a new *BSD... (Score:4)
Stop the FUD! (Score:5)
appear here. Firstly and most importantly, this is NOT a new version of
BSD. Robert Watson is a FreeBSD developer who is building a set of
extensions to FreeBSD which he is calling TrustedBSD. Some of this code
is already in FreeBSD and other parts will follow. Perhaps all of it
won't be for technical or other reasons, but this is only a set of
patches to the code, not a separately developed OS.
It's much the same as the situation with PicoBSD, which is a framework
for building a one-floppy/embedded version of FreeBSD suitable for using
as a dialup modem server, router, go-anywhere terminal, etc (PicoBSD
is distributed within the main FreeBSD source tree).
So why not use OpenBSD? Well, aside from the fact that Robert is a FreeBSD
user and developer, not an OpenBSD one, the fact is that there's not
much of a reason to choose OpenBSD - it's not inherently better suited to
having usage auditing/capabilities/trusted system features. These features
fit well with their philosophy policy, but they're just as appropriate for
either OS. Put another way, there's nothing within the OpenBSD code at
this point in time which would make the job easier/better than implementing
it on FreeBSD.
I should also point out for the record that FreeBSD is undergoing a similar
code audit to the OpenBSD effort of a few years back, and is in the
process of merging most of the OpenBSD code security fixes (it's
been stalled for a little while due to release engineering efforts for
FreeBSD 4.0, but I expect it to pick up steam again now that the
developers can refocus their sights).
Aside from default settings and kernel behaviour, there's becoming less
of a difference between OpenBSD and FreeBSD (and in fact NetBSD as well)
and I expect that trend to continue as time goes on. Everyone agrees that
the often-cited "goals" of the three projects are all worthy things to
pursue, the difference has just been in which order to pursue them, and so
as time goes by the projects are expanding in the directions of the others.
Finally, since the TrustedBSD code is being released under a 2-clause BSD
license, the OpenBSD folks are quite free to incorporate the code, and in fact I
expect them to do so.
After all, that's what the BSD license is all about
So I was wondering (Score:5)
labeled security protection
The B1 system class. B1 (and higher) systems support mandatory access controls. The system architecture must more rigorously separate the security-related portions of the system from those that are not security-related. Documentation must include a model of the security policy supported by the system. It need not be a mathematical one, but it must be a clear statement of the rules enforced by the system's security features. Testing is more stringent.
and come to think of it (Score:5)
the specs say you must rigorously separate the security-related portions of the system from those that are not security-related and Documentation must include a model of the security policy
Which really makes it sound like it's a very formal thing. But actually, [the security model] need not be a mathematical one, but it must be a clear statement of the rules
So
The Mandatory Access Controls (MAC) really sounds like a carefully documented ACL-set; it restricts access to system objects (eg. files, directories, devices) based on the sensitivity of the information in the object (represented by the object's label) and the authorization of the subject. Additionally, the system enforces the policy; users do not have the discretion to share their files. Slightly more compulsive than typical ACL rules, but nothing unreasonable.
It seems like you'd actually want to start with OpenBSD and use a very traditional POSIX style to approach this. The real work is in the documentation.
That said, save from the "rigourous testing" there's no hard guarantee this system is any safer. I'm not particularly impressed by this spec over the state of any reasonably secure UNIX. The real issue is not compliance with the spec itself, but how good your (documented) security policy is (and of course how well you've actually implemented it!). This whole spec really sounds like (imnsho) a way for you to bring in overpaid worthless consultants to read your policy/procedures, do some meaningless tests, and issue you a silly certification.
Shades of ISO9000, anyone?
This "Orange Book" sounds like a good idea at the beginning. But every definition in that glossary is at the level I would use to talk to my mother about computers: leave out all the subtleties or technical considerations. I think a system like WinNT could pass those specs with flying colours (if indeed it hasn't already) and still (duh) suck.
My $0.02.
Re:and come to think of it (Score:5)
Documentation is required to confirm correctness and to specify how requirements were met. There's a lot of modification to the code.
In truth, I'd be surprised if FreeBSD wanted this in the core OS. A B1 level of security can get quite annoying in situations where security is not your paramount goal. There is a lot of extra overhead to do MAC checks and MAC intentionally sort of puts people in a prison.
The Orange Book is not simple either, and reading the glossary is not a substitute for reading the book (which I have not). It's very thick and extremely detailed.
They've bitten off a lot, here.. (Score:5)
Also, it doesn't really matter if they use FreeBSD or OBSD as a base - these are all extenstions. In other words, for B1, you're not going to be running sendmail anyways, so having your daemon code audited aint gonna matter that much.
I do wish they had started with OBSD, tho. They prolly chose FBSD because of personal loyalties to someone(s) on the FBSD project - or because of the opposite on the OBSD project.
I'm sure Theo will re-write everything they do, anyways.
Their web site sucks, it's just a bunch of links pointing to the same non-existant docs. This looks like something that someone started like, last thursday.
--
blue
AT&T System V/MLS was First B1 Unix System (Score:5)
System V/MLS implemented Mandatory Access Controls, but didn't split root into least-privilege. The MAC stuff was wedged into the group permissions, with some bits stolen for security level (I think 0-7) and some for security groups, but a few bits left for Unix groups. This left most of the Unix data structures unscathed, but it was enough, and you could buid ACLs by creating groups that had the right people in them. There were a few modified tools for building groups with, and the rules that control what GID a file has when it's created were seriously hacked. (It looked sort of like the BSD feature that gives files the GID of the directory they're in.)
Mandatory Access Controls were designed for the military's SECRET/TOPSECRET/UNCLASSIFIED worldview, which doesn't match most non-military applications, but they turn out to be quite useful tools for making the system more secure for regular applications. You create a "System Low" classification group and put most of the standard software and critical configuration at that level, and nobody can write to it because MAC protects against higher-classification processes writing information that could be a security leak. And you create a "System High" group for logfiles and such, which nobody can read but loggers can append to.
Networking was very limited - this was in the days before anybody had a good solution for any of the Red Book requirements - trusting messages from other machines and trusting other machines to protect your messages require common administration (which didn't fit the Orange Book certification models well), or else require doing the right things with cryptography (which the NSA had a fairly heavy lock on, plus they didn't want to trust military secrets to civilian cryptography, so it wasn't politically usable even when the technology was good enough.) So we didn't have TCP/IP built into the kernel, but you could do things like UUCP over hardwired lines, as long as you ran different UUCP processes and directories for different security levels and dedicated RS232 ports to specific security levels.
Least privilege is one of the controversial areas, but it was possible to do B1 without it. It's a bit easier in a System V environment, where mail runs as Group Mail and uses setgid programs instead of needing to run as root, and of course if you don't have TCP/IP running you don't need as many privileged daemons (many of which run as root simply because low TCP/UDP port numbers are required to be root in BSD environments.)
Covert channel analysis was a B2 feature. It wasn't very possible back then - there are just too many ways to leak information, like high-classification processes grabbing and releasing disk space in Morse Code or whatever. PCs are 2-3 orders of magnitude faster - it's much harder to limit the speed of those channels today.
There were a few other magic things - a Secure Attention Key is a B3 requirement that gives you a secure, unforgeable communication with the login system; this basically used Ctrl-Alt-Delete on PCs, and I think Break on dumb terminals, which weren't able to be stolen by user processes. And there were some shadow directory things, so a low-classification user couldn't see higher-classification files or directories, but a higher-classification process could see high and low files.
openbsd v. the world (Score:5)
actually, the encryption mechanisms are built right into the operating system, in such a way which would make it illegal to export, if the project were based in the us (which it obviously isn't).
this cryto-integration is what makes openbsd unique.
so yes, you could make freebsd or linux "as secure" as openbsd*, but you won't get crytography on the same level. that's why cypherpunks like myself find openbsd to be such a worthy project.
*(if you can really measure security in such an immature way. security is as much a function of proper administration as it is software. "security is a process, not a product" (paraphrased))
the orange book (and most of the other books in the rainbow series) provide standards for trusted (ie secure) operating systems in different levels of government and military facilities. "trusted" means just that -- a system of trusts, to guarantee that you can trust data to be valid.
trust systems and crytography are two different things.
for instance kerberos [mit.edu] (my favorite trust/authentication system) is NOT a type of encryption, as many here seem to think, but a trust system which USES encryption as part of its processes. kerberos in particular is interesting because it authenicates (gains trust) with multiple methods, including passwords, box address, et cetera. you can put the authenication on one server, the password database on another, and do all sorts of devious little things to make it *very* difficult for interlopers. read some of the MIT material and you'll probably be as impressed as i was when i first began studying it.
the best introduction you can possibly find is this one [mit.edu], which explains kerberos' theories of authentication in the form of a short play, where two developers are designing an authenication system. it shows exactly why kerberos has to be as complex as it is, to establish true trust between hosts.
kerberos can use any type of encryption to do its work. the system isn't tied to one method, even though it usually seems to be implemented with a DES-derived algorithm. if you need maximum data integrity, go with 3DES. if you need speed, use blowfish. do whatever you want.
i seem to have gotten quite a ways off-topic. oh well. just remember that openbsd is NOT just freebsd with the evil daemons turned off.
openbsd users can back me up on this. theo really is a paranoid son a a bitch, and i congratulate him for it. the point is, openbsd probably ALREADY qualifies for most of the rainbow book certifications. plus, theo and crew have a track record of finding and fixing security bugs long before the "competition".
probably the biggest thing holding it back is the lack of smp support, which should be changing in the next year. i'd like one of the openbsd core team members to comment on this, if possible. can you guys use any of the freebsd 4.0 code for the smp kernel? freebsd 4.0 really has some decent locking mechanisms, among other things. if you could take advantage of their work, openbsd-smp could really hit the ground running. god bless the bsd license!