Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Silicon Graphics

UPDATED: SGI B1 Linux Patches 103

jd writes, "It's been rumoured for some time, but no code was shown and no announcements were made. Well, they actually did it. The first drop of the necessary code to bring Linux to B1 standards is on their Web site. The code is essentially a rip of their IRIX code, and isn't fully Linuxified, yet, but it's all there and ready." Update: 04/12 05:52 by E : We got mail from Richard, who maintains these pages... He says: "It is true that SGI are working on making Linux C2/B1 as anyone who has been to a SGI Linux University event will attest, and we are working with a number of others to that end. But to say that we have released a patch for Linux is very misleading and is setting expectations way above what is currently available." So, take this with a grain of salt.
This discussion has been archived. No new comments can be posted.

UPDATED: SGI B1 Linux Patches

Comments Filter:
  • by Anonymous Coward
    I'd rather try one of those military food patches
  • by Anonymous Coward
    hehehe [sgi.com]
  • by Anonymous Coward
    you turd, think about it. Linux may get certified, but that will be only one specific distribution. Since all "linuxes" are different, they can't all have the same security rating.

    "Cram it"
  • by Anonymous Coward
    That's IPO syndrome, not the bandwagon hitting a wall. The bandwagon is still there, still plodding forward at the same rate as before the IPOs. Just without the fresh money and IPOs that the idiots out there want, the bandwagon isn't gaining much attendance. Doesn't mean the Linux sector (come on, Linux doesn't deserve a fucking SECTOR of the economy) is dead and buried.
  • True, Linux can never be B1 (or any level) certified itself (neither can NT be C2 certified, contrary to Microsoft's marketing). It can, however be B1 ready, with all the features needed to produce a B1-rated system. Then, VA Linux Systems or Penguin Computing can produce and sell a truly B1 (or C1, for that matter) certified system. That would be a very nice thing to happen.

    As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.

    Orange Book criteria are completely obsolete. Read up on Common Criteria [nist.gov]

  • SGI scsi host adapter has a scsi ID of 0, so make sure the hard disk is jumpered for ID 1.
  • Ok, this is something Redmond hasn't been able to achieve. Heck, WinNT can't be C2 unless its been practically disconnected from a network.

    One more thing to silence the FUD.


  • Back in the 80s I had an (unclassified) summer job for a UK government agency which did a lot of secure stuff. One of their core security policies was the "high water mark" policy, which said that a physical document could only go up in classification, never down (although it might be possible to get permission to make a less classified document with the same contents). For paper documents this is really sensible: it is NEVER acceptable to have a document with SECRET crossed out and CONFIDENTIAL written in, for instance. The problem came when they (a) applied this to magnetic media and (b) treated entire physical (hard) disks as single documents. This meant that if a disk had ever had 1 byte of TOP SECRET information on it, then the whole disk, forever, was TOP SECRET. The inevitable result was that disks slowly migrated up the security levels, and there was always a glut of TOP SECRET disks and a shortage of unclassified ones. The surplus TS disks were eventually taken out, hit with a hammer a bit and chained to the wall at the back of the computer building, as no one had yet approved a method of disposing of them.
  • I'm not sure, but one would expect that the requirements would include availability and accessibility.

    Sorry for taking your joke seriously.. I just don't see understand the value of making a system secure by making it practically useless.

  • You're well out of date. NT 4 got a C2 evaluation (with networking) in Dec 99.
  • by vanye ( 7120 )
    Why wouldn't we want to release the source ?

    Security through obscurity isn't....

  • by vanye ( 7120 )
    You cannot be serious.

    If you don't have source you're gambling that I (as a developer of closed source/proprietory protocols) am smarter than every cracker out there ?

    Even I won't take that risk...
  • Trusted IRIX is standard IRIX with some extensions, many of which are gaurded with:


    ie. An IRIX kernel already has much of the code to do this, its just not executed unless you install some extra stuff on the system.
  • It's the same thing, but B1 is better than C2. IIRC, higher numbers and "lower" letters are better ( A > B > C, 1
  • Well, you're right of cause. But then the human element is always the weak link in any security system. However, it doesn't just apply to text, it could be graphical data, formulas, whatever. And having to manually transfer whatever you're copying could be a long winded process, so slowing things down by eliminating a quick cut'n paste does have value.

    Yesterday I only skipped quickly over the mechanisms a CMW X session and GUI have to implement. It's more involved than I described (I only wanted to give you a taste). In addition to Windows having SL's, the root window has a label with a security level attached to it. So does the keyboard and so does the mouse. There are also another set of labels called IL's (Information Labels) which change according to whatever data is being viewed at the time. Restrictions can be placed on how IL's are manipulated too.

    The point I was trying to make is that working in this kind of environment is a whole new ball game compared to C2 or traditional Unix security, even from a users point of view. GUI's need to be modified so that they are aware of all these mechanism and follow the restrictions they impose. The standards that define how a CMW workstation operates also dictate that SL's and IL's present for different elements of the screen are also displayed (and often colour coded: Red for Top Secret, Green for Unclassified, etc). So the window manager has to display this, not just for the window, but also pull down menus, dialogue widgets, the lot.

    I've not seen this implemented in a GUI file manager yet. That would be quite a challenge I'm sure.

  • Exactly. We use everything from very high-end Origin servers to desktop O2s. For one project, everything is server-side Java (no graphics involved). Even with the 4 processor behemouth like the Origin, Java is still quite slow compared to the same code running on a small Win box.

    As far as graphics goes, SGI still has to make decent devices drivers for their own graphics hardware. We have some applications that require Octanes (very expensive) because the O2 can't handle the power we need. A $10K computer can't handle it! And SGI wants to push us to Linux? Make some damn drivers!

    I can care less about what OS I use. Give me power, hardware support, OpenGL and Inventor and I am golden. We have started to use NT because the graphics support on Windows has really improved.

    --Ivan, weenie NT4 user: bite me!
  • There is nothing holding up XFS. The Source has been released, any leagal disputes have been squashed. Won't matter a little bird turd if they want to buy it to resell it or not.
  • I think this announcment certifies SGI's commitment to linux. They've opensourced many of their key proprietary IRIX features.

    Many of you seem confused by what this announcment means, it gives us the ability to make Linux B1 certified on specific hardware, in a networked environment, etc,etc. Microsoft may tout that WindowsNT4+SP6a+C2patch is C2 Certified, but it's that system in that network configuration that's certified, not all generic systems and configurations, just the ability to achieve C2 certification exists... and that's what SGI wants to provide.. the ability to make Linux B1 certified.

    I don't know much about the certifcation process but this is a great step forward for adoption of linux in government systems (maybe now we'll have a reliable, SECURE Government that has no IT excuses left except their incompetence:)

  • See this [slashdot.org] for the REAL requirements.

    Notice that you have to be able to MATHEMATICALLY PROVE your system specification is secure in order to be certified A1 secure. That's a pain.
  • ... chock-a-block full of TLA (three letter acronyms) makes my head swim. I'm left wondering how scalable would this system be? I can see it working in a tight-dense human network where there are enough closely coordinating and communicating entities to determine access levels and policies, apply classification of information into categories, and a regulatory/punishment system for violations. Does this translate well into the rather hap-hazardous nature of the Internet? Just like military style firms (where do you think chief executive *officer* comes from) are a hangover from the industrial age, perhaps we need to rethink the whole idea?

    Perhaps the underlying model has some fundamental constraints on growth? I'm reminded of the genetic case where bacteria which have complex regulatory gene expressions (think a switched network of proteins activating different stages) have a size limitation of 10 megabase pairs. Beyond that the conflicting signals seem to inhibit any higher level functions. The example that I can think of is that person A can look at kernel code, but not the part with patent X, unless they sign an NDA with company K, which is waived if they are no longer competing with company L, etc ....

    Are there other ways of looking at the problem? Kerberos has a ticketing system which is essentially a time-to-live mechanism. Perhaps a commercial implementation at file level could be based on the half-life of information? How long is it before a piece of information becomes commercially irrelevant? And then check thresholds (refreshed periodically) across a range of keys to see the probability that such access violates a critical temporal mass (ie if viewing too many sensitive documents at once, could be indication of someone faking a download).

    Perhaps then it would shift the paradigm of information control away from fine-grained permissions (human intensive) towards detection of unusual patterns of activitiy (AI intensive).

  • It seems that security is generally the opposite of usability. Sad really, when the most secure computers are behind a damned door, and you can't hit them from your desk outside the media centre. One of your sibling posts was more correct. The situation I refer to would me more akin to A0.

    A1 likely involves a secure processing facility, a optical network diverter, and no doubt some heavy-duty Electromagnetic Airlock trapping. It most likely involves a entry-way lined with 2 lead doors and a right angle somewhere. Tempest hardening is illegal though. I suppose the A1 is for military computers only.

    To me it's how steak is done.

  • A1: a unplugged computer, locked in Fort Knox. Even Windows can achieve that.
  • SGI released the B1 stuff a long time ago. I've had a copy from cvs on my system for months now. It's interesting code. But uh... K&R C? I'll leave you to form your own ideas.
  • Why "troll"? This anonimous coward is absolutely right.

    The B1 certification, other than requiring years to be issued, only certifies a given system with a given hardware and a given configuration.

    This means that even the same distribution on the same hardware with only a slight different configuration is no more B1. Even worse for different distributions, which may offer the same functionalities but using sligthly different way to do so.

    There is really little use for this kind of certfication in real world, other than for throwing marketing hype to clueless customers, and just raises a false sense of security.

    Anyway, SGI's involvement in writing securty patches for Linux deserves gratitude. They are working a lot (and somewhat quietly) to really offer interesting solutions for security, debugging, efficiency. I hope some of their ideas will be incorporated in the main source tree (and not just XFS - when it will be ready for prime time).

    My 0.02 Euro.

  • If the GPLed XFS is from SGI then SGI can relicense it under any terms they want. Anyone stupid enough to buy it though would just be an idiot.
  • Someone trying to sell Linux to a security concious site would need to independantly get certified. You can't certify a particular program or OS or piece of hardware as B1/C2 certified. It requires complete validation of the whole package. Change the ethernet card you have to recertify the whole shebang.
  • Security through obscurity isn't....

    Wish someone would put that phrase to rest. The truth of the matter is that if you don't know where the weaknesses are then you can't exploit them. You suddenly have to do a ton of probes looking for possibilities and thus you ring a lot of alarms to a watchful admin.
  • The sentinel utility i wrote is essentially a tripwire clone with MD5 signatures replaced by the more secure RIPEMD-160 algorithm (and patent free to boot). download at http://zurk.sourceforge.net or http://zurk.netpedia.net...also on freshmeat.
  • You know- Every onece in a while I want to give my computer A0 Certification...
  • Mandrake 7.0 uses postfix by default...
  • WRONG.

    Here's the link:

    http://www.radium.ncsc.mil/tpep/epl/entries/TTAP -CSC-EPL-99-001.html

    SAIC's Center for Information Security Technology, an authorized TTAP Evaluation Facility, has performed the evaluation of Microsoft's claim that the security features and assurances provided by Windows NT 4.0 with Service Pack 6a and the C2 Update with networking meet the C2 requirements of the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) dated December 1985.

    It's a common misconception that networked configurations cannot be C2-compliant. That's incorrect. C2 does not address networking. As long as the introduction of networking components does not break anything else that is required for C2 compatibility, then the system is still certifiable as C2.
  • What'cha smokin' dude? :-)

    From their "Future Goals" page:

    "Some day, if ever: Meet B1 security requirements. Now that MAC categories and secure delete are implemented the way has shortened, but it is not really urgent though, since Orange Book is far out of date. "
  • Sigh...

    SGI already has B1 in 4.0. They are currently in the evaluation process for the current OS, 6.5.x.

  • This is just simply untrue. B1 requirements above the C2 auditing requirement are Mandatory Access (don't even need ACL's or CAPabilities).

    MAC labels can easily added to the task struct and file system checks added at the VFS level. Kernel done. Then add MAC to a file system like ext2 or use SGI's xfs when its done being ported. Instant B1 support.

    Darn nay-sayers!

    If we build it, they will come...:-)

    Actually...it is true: a B1 certification is only good for the exact configuration it is done on. However, getting that cert. does mean that Linux can claim to 'have' B1 security, just not cert'ed. Of course anyone can claim C2 or B1 security features (i.e. Solaris) and never have been certified.
  • Um...IRIX 4.0 was certified B1. It didn't have capabilities (priviledges)-- just root. It met DoD criteria for B1.

    The biggy for B1 is MAC, not capabilities or ACL's.

  • CAPP and LSPP are where it's at! CAPP = Controlled Access Protection Profile LSPP = Labelled Security Protection Profile Both of those are defined under the "Common Criteria". Those 2 protection profiles supercede C2 and B1 (and are supposed to be equivalent). To see the 1999 version of DoD requirements, check out http://www.rad ium.ncsc.mil/tpep/library/protection_profiles/inde x.html [ncsc.mil]
  • Postfix as a drop-in Sendmail

    Can anyone tell me why RH (and most other distros) still ship with only sendmail? I can understand that it's useful on big sites, but it would be nice if something a little smaller and more secure (like qmail) was available in the distro.

    install the re-freed Tripwire (or a clone)

    Are there any free (aka GPL or BSD licensed) Tripwire (or clone) versions out there [I hadn't heard that Tripwire was in any way free...]? I was thinking about doing a BSD licensed version for fun sometime this summer, but if they already exist I'm not sure if I should bother.

    encrypt all but your boot partition using Serpent

    Or if you've got the cash, buy a card that encrypts the stuff in hardware. :) Hmmm... A UW2 SCSI card that encrypted everything going in and out of any particular device(s) (configurable so you could read unencrypted CD-ROMs, etc) with 3DES or Serpent would rock (the onboard BIOS prompts you for a passphrase at boot time, hashes it and uses it as a key). Wonder if you can get something like that... [fires up Google]
  • Wasn't NT 4.0 C2 certified with a network connection just a feq months ago?
  • Hey, I LIKE K&R C.
    Beats C++...

  • With large organizations that require some security certifications on their book (read: governments) this kind of certifications is a crucial plus on our side.

    Eventually, more people will use Linux because of the certification. And it is the ultimate source of improvement I can think of.
  • By circular, I meant that your reason for why FreeBSD was better than OpenBSD was because FreeBSD was written by a guy who writes FreeBSD. :)
  • 1) not quite the same type of security issues.
    2) more importantly, it's from a major contributor to FreeBSD.

    1) What type of security issues?
    2) Circular reasoning isn't valid.

  • I'm not sure about that Celeron part, they are already shipping with Xeon's & PIII's. For MIPS.. well they are starting to move away from them since they are excellent ships but are not increasing performance numbers as fast as others (Intel).

    I do know that there is a port going on right now that works (without X windows that is, way too much proprietery info about graphics required). Check out linux.sgi.com which looks old but get on the mailing list much newer stuff.

    You've got a termination problem there, also if your root drive has not been formatted properly your miniroot will hang.
  • I work for a large federal agency where we're supposed to be C2. We're also mandated to use NT as our *only* OS for anything below certain minis and our mainframes. (Luckily, I work in an excepted function.) Sometime back, when it finally became clear that NT couldn't be certified C2, the powers-that-be simply issued an edict that NT had (and this is a precise quote) "achieved C2 functionality." In non-government language, that roughly translates to "we hafta use it so we're pretending it's OK."

    As another poster has said, ya gotta love the government sometimes. Who else can simply change the rules when they become inconvenient?

    It helps, of course, that our CIO apparently bows and prays to Redmond thrice daily. :-)
  • Well, maybe it won't run but how long before someone takes this up to give linux a real security rating (bet it's quicker than M$ managed).
  • How to go about doing this? Security rating on a system running FTP, Sendmail etc? HAHAHA your kidding right?

    Security rating on a system not running any daemons etc? I dunno that just sounded a wee bit vague. You would have to be VERY specific about what you do and how the system is setup and ONLY when it is setup that certain way does it get that rating etc. etc.

  • SGI is no longer promoting IRIX for anything other then its very high end systems. The school I go has an arangement with SGI, so most of the major servers, including the multiuser login machines are SGIs running IRIX. On the very high end machines, i.e. the R12000s with multiple processors they are still advocating IRIX but for the generic workstations and lower end servers they are promoting Linux. They have basically decided to that all these fractured Unixes are a bad thing and to try and phase one of them out. Now if only the rest of the major manufactuarers would decide to adopt this policy, Linux would really go mainstream.
  • hehe but if you'd left out the the sentence about the sun, I would have found it possible this kind of actions DO take place in the US :))

    a well... perhaps we see too much US movies in europe ;)
  • why do _you_ need B1?

    You don't. However, someone trying to sell Linux to a security concious site does need it. B1 should allow system integrators to start using Linux, thus furthering the march towards World Domination.

  • From what I recall with security B1 is every drive, wether being tape, hard drive, zip, etc requires it's open seperate access with different levels... So if you own a file with 'mandatory' access you can't even touch it?

    I think it would be interesting to see how Linux would handle it. While most of us would have no use for it, I wonder how many Universities and Colleges are going to pick on the SGI B1 release. I think it'd be great to see it popping up and being used. While I love using hte IRIX cluster at PSU, I think it'd be great to have an Alternative Linux (with b1 security of course) running for students to work on projects also...

  • Imagine being able to run all your daemons in protected spaces. So -what- if Sendmail gets cracked? It can't -touch- anything outside of it's private universe.

    Mostly, I agree. What you mention already exists in FreeBSD v.4.0; the jail() process command. Jail() sets up a seperate isolated area of the operating system that is accessed by IP address, not through the normal local methods. Because of that, breaking into a jail()ed process won't get you much.

    (I really want this under Linux. So much so, I'm installing FreeBSD just to try it out!)

    If you add integrity checks to the jail()ed process, when it does get exploited -- and you should always plan that your daemons will get exploited -- you'll know it.

    To clean the system, you can swap in a waiting jail()ed process by changing IP addresses. If you want to monitor the intruder, you can...and they won't know you are tracking thier movements!

  • I care. Working as a sysad for a large DoD contractor, I would love to be able to push for Linux systems on the network. There is a strong push to move UNIX workstations and servers to NT from the powers that be while the actual sysads are coming to favor LINUX systems. But they will never get to voice that option without somekind of security review and approval. (By the way, the NT boxes get to be on the networks by hiding behind VPNs)
  • You can obtain a free Trusted OS that sits on top of Solaris 7 (x86 and sparc) from the Argus Revolution [argusrevolution.com]. ISO CDROM images are available for download as well as an online store to order the media from if you like.

    The Trusted OS is called PitBull and is made by Argus Systems Group. We are currently porting to Linux (IA64 and 32bit kernels), AIX, and UnixWare.

    To address issues of certification. An OS can in fact go through certification and receive a "B1" rating. Argus is currently doing this under the Common Criteria scheme which has replaced both the old US TCSEC and European ITSEC methods of certification. This also includes networking as part of the evaluation.

    There is a lot of misinformation being spread around about what "B1" is and how certifications work. I am more than happy to answer any questions in this regard (and am considering writing a FAQ to cover this often misunderstood issue).

    As to whether you need B1? If you are running a system that is connected to a public network and you don't want an application exploit to lead to system wide penetration, then you should be running B1. B1 is not just for the overly paranoid crazy person, millitary, and banks.

    The whole point of the aforementioned Revolution is to raise awareness in trusted os technology and get people talking about it. If you would like to be involved in these discussions please get involved on the site. I'd love to have people running PitBull, but we are happy to engage everyone that is using trusted os's! The most important thing is to get people to use platforms that actually let them secure their systems. Trusted OS technology lets you do this!



    Jeff Thompson
    Software Evangelist and Visionary
    Argus Systems Group, Inc.
    thompson@argus-systems.com [mailto]

  • I attended the Linux U in seattle a couple of weeks ago and the reps said something about the Linux release will be on the Celeron sometime in July 2000. The kernel will be 2.6 but one dude said it is a version of Irix 6.1. SGI is contracted with Intel on this and it is supposedly highly scaleable.
  • I attended the Linux univ. at Seattle a coupla weeks ago and one of the reps said the SGI/Linux will not be configured for the MIPS. The platform will be Intel Celeron and is a version of IRIX 6.1 that is open source. I also have a few questions about the Indy I have. Can anyone tell this foolish youngster how to configure a Quantum Viking 4.5 HD on an Indy. I had the Seagate take a dump on me and replaced it with the Viking. The Indy is scsi-2 fast and the viking is Uw2. I used a somewhat cheesy adapter and now my Indy sees 5 Hd's instead of one. I think mebbe a termination problem? The websites don't seem to have the info I need and SGI wants megabucks to answer my questions. The Indy now will not take the miniroot and cannot install the OS.IRIX 6.2. Dammit. It did seem to accept fx to config and partition but will not run inst. Please help! My E-Mail is madmaxwilliam@netscape.net
  • Thanx man, That solved the problem in about 5 minuits of fucking around. Y'all were a big help.
  • One of the subtle points about MACs is that they are required to be persistent *in all media*. This means that MACs should be preserved (and enforced) when a file is copied to removable media,...

    Actually, this is only true for multilevel devices. There can be single-level devices that are labelled externally (with paper labels). These require procedural controls to ensure that the labels are proper; the operating system enforces the restriction that only data whose label is dominated (i.e., less-than-or-equal to) may be copied to the device (some systems choose to enforce an "equal" policy, which is stricter).

  • Ian Bicking wrote:

    I get the impression they can't, because the certification includes the installation.

    My understanding is they could produce standalone certified system, and offer a service where they install and have certified a network sytem. It would be expensive though. I could be very wrong, since I've never been involved in such a process.

    What I wonder is, what operating systems do B1-ready systems run at the present?

    That's easy one to answer. According to the TPEP Evaluated Products List [ncsc.mil], the following operating systems have been used in B1-rated systems:

    Amdahl UTS/MTS v2.1.5+
    Computer Associates CA-ACF2 MVS v6.1 with CA-ACF2 MAC
    Digital SEVMS, several versions on VAX and version 6.1 on Alpha
    Digital Ultrix MLS v2.1 on VAXStation (Microvax)
    Harris CX/SX v6.1.1 and v6.2.1
    HP HP-UX BLS v8.04 and v9.0.9+
    SGI Trusted Irix v4.0.5EPL (where this code came from)
    Unisys OS1100SR1 and OS1100/2200, Several releases

    You'll see that rather than making their mainstream operating system ratable, most vendors (eg. Digital, HP and SGI) offer a special version of the OS that is set up to meet the rating criterion.

  • by Gleef ( 86 )
    Irix (and Secure Irix, in this case) has some features that Linux lacks. I don't mind them on the Linux bandwagon if it means that the Free Linux kernel can get more functionality, security and scalability .

  • Just one thing to remember, Linux itself can never be B1, or any other level certified, it's only complete evaluated systems - case, drives, os, etc. I'd not know b1+ cert well if I didn't need to know it.. thou never had to use it, gotta love government sometimes, huh? :)

    bash: ispell: command not found
  • VA Linux Systems or Penguin Computing can produce and sell a truly B1 (or C1, for that matter) certified system.
    I get the impression they can't, because the certification includes the installation.

    What I wonder is, what operating systems do B1-ready systems run at the present?

  • 1) I don't know what they are off the cuff; see the article a day or two ago.

    2) circular? The man doing the Trusted FreeBSD is *already* a major player in FreeBSD, making it the more natural choice for him. Code he knows inside and out, or code that's similar. Not a tough choice.

  • But I never said that. I made no claim as to FreeBSD being better than OpenBSD.

    However, for an individual developer, the operating system he already knows and is involved with is a better *choice* unless the existing advantages to the other operating system are compelling.
  • by jd ( 1658 )
    At this point, that wouldn't matter. There's enough of the core system GPLed, and that can't be revoked for that version.

    Veritas can buy the IRIS version of XFS, without GPL complications, as it's encumbered and under a different licence. But if they buy the GPLed version, sure, they can charge for it, but they MUST supply the source code and they MUST NOT restrict your freedom (such as giving the source for free to everyone).

  • I imgine anyone with @Home, an [A|S|I]DSL line or an ethernet connection at school, college or University would benefit.

    Imagine being able to run all your daemons in protected spaces. So -what- if Sendmail gets cracked? It can't -touch- anything outside of it's private universe.

    The same with the web server. Sure, Apache probably has problems, and many CGI scripts certainly do. But if you can't edit the web pages, grab the password files, compromise the system, or rm -fr /, getting in isn't the difficult bit. Finding anything to do, or even showing that you got there, IS.

    Yeah, desktop PCs with dial-in access aren't so vulnerable. Even there, though, if you use IRC or some other easily-compromised real-time service, there -are- advantages in severely limiting the scope an attacker has. (That's why you should NEVER, EVER use something like IRC as 'root'. Most of us do, even though we know better, but whoever said sanity was a hallmark of an admin?)

  • SGI does all sorts of stuff... like porting XFS to Linux, accelerate Apache (they claim by x10), port Linux to the Irix and the B1 stuff, of course.

    Hmmm.... I see a pattern here...

  • I don't know about you guys, but I'm sick of hearing "NT has C2" from the Windows crowd. If this B1 cert takes place, they'll shut up ( and I might just ask ... "so -- what was that you were saying about C2 ?" )

  • There have been quite a few "secure unix" systems produced and B1 certified. HP, Concurent, Harris, DEC all come to mind. But in all of these cases they started with a secure kernel and then layered Posix on top of it to make it look like Unix

    Sorry, but this is not true at all. DEC MLS+ was based on a modified version of the base Unix kernel. Back in the early days of DEC MLS+ it was a long term goal to have B1/CMW functionality available as an installable subset that could be layered on top of the commercial unix product. It could have achieved that in the end as most of the MLS+ specific source code got merged in with the base OS source code, but just ifdef'd out so it wouldn't build into the base product.

    Last I heard DEC MLS+ was being retired, with MLS+ V4.0D (or V4.0E) to be the last version. Don't take that as gospel though, plans do change.

  • by NYC ( 10100 )

    When is SGI going to do something good for IRIX? I am a developer that uses IRIX. No other OS can give us the graphics power that we require. I use Java on IRIX and it is awful. SGI has only 3 developers working on the Java port, and has dozens working on these little Linux projects. Come on SGI, don't forget IRIX.

    --Ivan, weenie NT4 user: bite me!
  • In case you haven't looked recently, the linux bandwagon seems to have crashed into a brick wall... Look at all the linux stock prices today vs 2 months ago... They've been beaten down far more than any other sector.

    SGI's just doing what they think makes good business sense, no more, no less. They're adopting Linux as their low-end OS because it runs on commodity hardware. Many of their customers will probably buy those machines. Many of their customers also want machines with B1 ratings. They'ed probably have to violate the GPL in order to implement B1 Security into a Linux distro without releasing the source, so they're doing what's required.
  • Well... whether the MAC option made it into the mainline Linus tree would depend on how ugly the code was, and how much #ifdef stuff it took, I suppose.

    I would imagine that it all would have to be distributed as a separate patch, though, like the real time kernel, or the 8086-80286 kernel.
  • But that's the point... nobody's suggesting (that I've seen) that MAC be some option you select in make xconfig. :-)

    Especially since some sort of Trusted Linux would have to have a complete pre-configured installation, with each file given the proper capabilities, ACLs, labels, and such in advance.

    Any MAC-enabled linux would have to be a specialised distribution, with a modified kernel, toolset, X server, window manager, shell, and everything.

    It doesn't mean that the basic outline of the file system, programming interface, utilities, and everything can't be modified versions of the originals.
  • *chuckle*

    "Better than A0 is the ultimate in security: the Heisenburg Security Rating. Here, for example, is a system rated as Heisenburg Secure. This locked box may or may not even contain a computer - and until you open it, it actually contains both! Of course, the network connections and power cables inside the box connect to the non-existent portion of the Heisenburg Secure system..."

  • Yes, we should care! If it's a meaningful certificate, that is. Spending millions to get a proper Unix(tm) appellation put upon Linux is not very meaningful. But getting a security certification is.

    Rephrase your question thusly: "I already know how to drive, so why should I take even one hour out of my day to get a driver's license?"

    If you want to drive on the B1 highway, you need a driver's license.
  • Orange book security don't just consider the hardware. It includes the installation, location, and all physical access and environments of the machine. These Certifications are case by case and cost a LOT.
  • Some time ago I went to the SGI LinuxUniversity in NYC, and they announced at their security track that they would be posting C2 and B1 patches to the kernel soon, and they expect to have 'final' versions integrated before the US goverment requirements for secure OSes kick in. I forget the exact dates, but that is the idea. btw Compaq (DEC) is working on this as well. The reason why they posted the code so soon, is that they don't want to be bashed again as they were last time when they released patches to the kernel... last time they were too late, so there was little time to review the patches, hence large chunks of code were refused (AFAIK). SGI is jumping on the linux bandwagon bigtime, but just on the x86 architecture, and the upcoming IA64. I guess they want to compete with solaris, but not with IRIX.
  • Actually you should always use SSH even if you're not paranoid. And personally I'd be inclined to use the md5 replacement for crypt, allowing a passphrase rather than a password to be used. There's also some PAM niftiness that allows you to use a fingerprint scanner which I should look into one of these days.
  • This security package needs to be part of kernel internals, and will probably need a rework of either the filesystem modules, or at some other higher level

    When will it be ready for use ? Kernel 2.6 or before ? This is not a simple standalone RPM to install.

  • It is nice to SGI supporting linux. I guess they don't have much to do now... after selling off Cray. Besides the OpenGL wave, what does SGI do these days?
  • The sample codes SGI put on their web page is just a microscopic portion of a fully functional military grade OS product. It will require a complete rewrite of the whole operating system; a re-implementation of system api's, principals and concepts.


    Let's just focus on a small but important aspect of military grade systems - PRIVILEGE. We can forget about secure networking, trusted windowing, and etc etc for now (eventually we will need to address those too).

    In a trusted system, each user is held accountable for actions taken by processes being their id, even though those actions may be completely beyond perception. As a consequence, the trusted system must regulate not only user actions, but also the actions of user processes. In Linux (or traditional Unix), all power is vested in the root uid 0. Throughout the kernel of the underlying system there are checks for effective uid 0.

    All of these checks are replaced on a trusted system by a check for privilege. Privileges allows the trusted system to control access to system calls, based on the requested operation and the invoking user account - much more reliable and granular than simply checking identity. No more if uid !=0 then deny access. very action which compromise security is estricted with a named privilege, and a process with appropriate privileges is allowed to invoke a system call REGARDLESS of uid.

    So, on Linux a privileged operation succeeds if the effective uid == 0; on a trusted system the operation succeeds if the process has the appropriate privilege.

    So now, you're probably thinking "EEK! r00t d03sn'7 0wn!'.

    There are other topics such as data labelling, auditing, etc etc that I have not mentioned, but
    are critical to the implementation of a trusted system and secure OS kernel.

    If all those could be implemented in form of a patch, perhaps we should consider Windows 2000 a patch too. :-)

  • I'd love to do an interview on the subject. In honesty, I am new to /. and don't know how to go about doing that. I'll certainly look into it.

    In regards to the change a single thing comment.

    How evaluations work under the common criteria is that you make a set of claims and the evaluator (in our case CSC), verifies those claims. This means that in theory one could certify anything.

    However, just getting evaluated to meet certain requirements does not mean anything unless people know what those requirements mean. This is why under the Common Criteria there are predefined descriptions of claims that vendors can try to meet. B1 under the Common Criteria is known as the "Labeled Protection Profile". This is what we are certifying to. One part of the evaluation is what hardware and configuration you are setting up on.

    This is specified under the TOE or Target of Evaluation. So yes, we are in fact being evaluated on specific equipment (you have to pick something to run your systems on for testing!). In the past you were essentially limited by what you are running on. However, because of this there has been a lot pressure to loosen up this restriction as it really does not make a lot of sense. We are in fact trying to put into our claims, a more flexible hardware claim.

    Now with that said, what you have to understand is how certifications are used. In the government and military they are used as tools to help "accreditors" determine if a specific architecture meets the security requirements of the information it will be handling. B1 helps an accreditor determine that a system is sufficient. Being B1 obviously does not guarantee accreditation.

    So, in reality even if you run a B1 system on different hardware or with modifications you still have a B1 system. For example, if the system you are using was evaluated with networking using a 10BaseT card, and you switch to a 100BaseT, your system is still B1. It is still functionally B1 and would still very likely be accredited by an accreditor.

    If you add a piece of software to the system that is not evaluated to B1, then that software is not considered B1, but your underlying system still is. Now you can certainly do things to create an insecure B1 system, just as you can muck up permission bits on UNIX, the real strength of B1 is not in its name, in its certification, but in its functionality.

    B1 systems (and I'm really referring to ours as this is the one I know the best!, though much of this applies to others) break up root powers into a least privilege system. This allows applications to only run with the specific abilities that they need to run. B1 systems use mandatory access controls that allow applications to be isolated from eachother completely. Administrative tools can be isolated, web pages can be made read-only to web servers (not based on UID, but only on security level). Finally, good B1 systems implement mandatory controls in the networking. A web admin that comes in from an internal network can be marked with a label that allows him to read/write web pages. The same user coming in from a public network (internet) can be marked with another level that will not allow them to access the pages at all.

    To sum this up: Certification tells you that a vendor has created a B1 functional system, and had that fact independently verified by a highly scrutiness team of people. B1 is not about protecting "military secrets" (though it can be), but about providing security functionality that allows secure architectures to be built.

    As always, I'm happy to answer more questions.

    If anyone can give me insite on doing an interview, I'd really like to talk about how people can use B1 systems to solve real security problems (not military problems).



    Jeff Thompson
    Software Evangelist and Visionary
    Argus Systems Group, Inc. [argus-systems.com]

  • by Gleef ( 86 ) on Wednesday April 12, 2000 @07:25AM (#1137535) Homepage
    True, Linux can never be B1 (or any level) certified itself (neither can NT be C2 certified, contrary to Microsoft's marketing). It can, however be B1 ready, with all the features needed to produce a B1-rated system. Then, VA Linux Systems [valinux.com] or Penguin Computing [penguincomputing.com] can produce and sell a truly B1 (or C1, for that matter) certified system. That would be a very nice thing to happen.

    As for A1, I don't think any modern operating system can reach that level. The proof requirements for A1 certification would be prohibitively expensive for anything but the most scaled down system.

  • by hawk ( 1151 ) <hawk@eyry.org> on Wednesday April 12, 2000 @06:59AM (#1137536) Journal
    It's been answered before, too :)

    1) not quite the same type of security issues.
    2) more importantly, it's from a major contributor to FreeBSD.
  • by jd ( 1658 ) <imipak@@@yahoo...com> on Wednesday April 12, 2000 @07:11AM (#1137537) Homepage Journal
    I dunno. Remember, mandatory access controls mean that compromising a daemon does NOT give you access to anything outside the scope of that daemon. Nor does read permission mean write permission or chmod permission. Nor can you chown or otherwise give access to a file to someone who has lower clearance.

    Then, of course, you could use OpenBSD's FTP daemon, and Postfix as a drop-in Sendmail, and you'd have a very tidy setup.

    For the uber-paranoid, pipe -ALL- IPv4 and IPv6 traffic via IPSec or SKIP, use SSH rather than Telnet or RSH, use CBQ/RED and SYN cookies to prevent DoS attacks, use client-side certificates for private web-pages, use the shadow password suite + PAM, install the International Kernel Patches and encrypt all but your boot partition using Serpent, install the re-freed Tripwire (or a clone), and use the Linux Kernel capabilities to disable all non-essential functions.

    Personally, I think using the SGI's B1 patches, plus the above configuration, would give you a setup which would be as close to uncrackable as you could realistically get AND still give access to outside individuals.

  • by coyote-san ( 38515 ) on Wednesday April 12, 2000 @07:36AM (#1137538)
    It's been a while since I looked at the B1 definitions, but let me see if I describe MACs as I understand them.

    The key aspect appears to be a distinction with Discretionary Access Controls (DAC) - owner and group permissions, ACL lists, etc. DACs are controlled by the owner of the file, but MACs are controlled by the "security administrator." The terms "mandatory" and "discretionary" reflect the fact that the owner must always accept MAC access control on his files, but he can discard the DAC checks (e.g., using mode 0777).

    One of the subtle points about MACs is that they are required to be persistent *in all media*. This means that MACs should be preserved (and enforced) when a file is copied to removable media, and somehow indicated on all printed pages. (E.g., printing the "sensitivity level" (confidential, secret, etc) in large type on all printed pages.) Obviously you can't preserve MAC information if the format doesn't support it, so a MAC system may be able to write (enhanced) tar images to tape, but not be able to copy files to a floppy/zip/etc disk using MSDOS or even ext2fs filesystems.

    There may be more to MACs; the specs are deliberately vague. A *very* large part of the certification process is going through the appropriate standard and documenting *what* you did and *why* you did it, with some commentary about the implications of that decision. This provides the implementer the flexibility of using whatever technique fits their needs. E.g., nothing says that DACs must be implemented with ACLs, although most people now use them because they're familiar and proven acceptable to the certification agencies.
  • by LindaAthena ( 73082 ) on Wednesday April 12, 2000 @10:11AM (#1137539) Homepage
    Media can be of 2 types -- multi-level or single-level. A Multi-level media supports inclusion of MAC labels. Single:not. You simply define the Sensitivity and Integrity level of the mounted tape drive (or FAT, FAT32, normal NFS, etc).

    Modeling under the Bell-LaPadula Sensitivity and Biba Integrity models (one type of MAC often used), we have a couple of rules and two groups of items: "Subjects" - things that access or do things and "Objects" things that are accessed or done to. Some things in a system can fall into both contexts depending on the situation. For example, a Subject "Process" (they do things to
    objects like files) could also access another process -- the accessed process would be an 'object' as far as security checks are concerned.

    So Rule 1) Subjects (S) can only write to an Object (O) if the Object is at the same sensitivity level or above (O is said to "dominate" the level of S and dominate implies >-).

    Rule 2) says that Subjects can only read Objects that they dominate (their sensitivity level is >= to the object's).

    Biba Integrity works the same but opposite:

    Rule 3) Subject can only write to Objects if Subject's Integrity >= (dominates) the Object's.

    and Rule 4) Subject can only read Objects that have equivalent or greater Integrity (integ(O)>=integ(S)).

    This can be *way* useful for "normal users".

    Think of this:
    Root is allowed Integrity levels 0-2, default=1. All system files at integrity level 2 (both executables and data). Users and their files are set at integrity level 0. Implications:

    1) Any file root creates has I=1 so normal users can't write to it unless the file is specifically downgraded. A subject can write to or create "downgraded" Integrity files, so root is permitted to write lower level integrity files, but this wouldn't be the default creation value. Even if root downgrades the file's Int., Discretionary Access Control (DAC) (i.e. permission bits) still apply.

    2) Root can't write to /etc/passwd unless they specifically log in with S=2 or su to S=2 (requires password again).

    3) Users could read these 'public' files but couldn't write to them even if the file DAC was 0777.

    3) Root couldn't execute any files not in the 'system file list'. No trojans! Only if root overrides security policy and changes the state of a file to 'trusted' (@ int=1 or 2) can it be executed as root.

    Now for Sensitivity, let's imagine /etc/shadow was set to 2. Say users run at S=0. Root is permitted to run at S=2 (say highest) and S=0 (lowest). Implications:

    In order to modify /etc/shadow, root must relogin or su to get S=2. 'Su' to a different integrity or sensitivity level must recheck password and if the user is allowed to run at the requested levels. After root has S=2 can then read /etc/shadow in order to 'modify' it (they have to also have raised their Integrity to '2' to write to it).

    So normal users can't see /etc/shadow because of MAC policy regardless if someone get's sloppy with DAC bits.

    Just these "simple" applications of MAC would not greatly inconvenience any user, but an attacker gaining root (unless they do so via the password) has limited power. This means most attacks that gain 'root-shell' via a 'bug' are still pretty limited in what they can do.

    Now if you add file based capabilities, root can have even less priviledge and/or ability to do damage.

    Also, remember, as I've mentioned before -- if you set MAC,S=0,I=0 for everything in the system, you get traditional Unix DAC behavior.

  • by slashdot-terminal ( 83882 ) on Wednesday April 12, 2000 @06:47AM (#1137540) Homepage
    I am interested in when for example the various distros will impliment this. I already have taken the first step. Namely not having an internet connection as most humans know it. So exactly what is out there. A while ago Trusted BSD [trustedbsd.org] came out. I would really like to get my machine to a B1 raiting so perhaps I can get bragging rights for something.

    Will this ever happen?
  • by slashdot-terminal ( 83882 ) on Wednesday April 12, 2000 @06:58AM (#1137541) Homepage
    "you turd, think about it. Linux may get certified, but that will be only one specific distribution. Since all "linuxes" are different, they can't all have the same security rating. "

    Actually I think anything about C1 has to get evaluated on a case by case basis by a certified DoD contractor. So even if you think you have a secure OS you may in fact not.
  • by billh ( 85947 ) on Wednesday April 12, 2000 @06:42AM (#1137542)
    Okay, I think I understood the nutrient patch article earlier today. But B1 patches? Does it help them avoid refueling, or just replenish the supply of bombs?
  • by Anonymous Coward on Wednesday April 12, 2000 @10:04AM (#1137543)
    Sorry, but I have to remain an AC on this one, for obvious reasons.

    Take a look at the requirements for B1 listed above. There's no way to support MAC, ACL, etc. with the standard Unix model. You can't just layer these things on top of the kernel without inheriting the flaws of the kernel.

    There have been quite a few "secure unix" systems produced and B1 certified. HP, Concurent, Harris, DEC all come to mind. But in all of these cases they started with a secure kernel and then layered Posix on top of it to make it look like Unix.

    So what? So, you can't PATCH the Linux kernel to make it B1. Unless you call "throwing out the kernel and replaceing it with a totally different beast" a patch.

    BTW, if you really want an A1 operating system to play with, there is a free one - mentioned on /. - at:


    It hasn't been certified yet, but the pieces are there.

  • by Rob Kaper ( 5960 ) on Wednesday April 12, 2000 @07:17AM (#1137544) Homepage
    Having a certification might impress some suits, but do *we* really care?

    Most techs still make a choice based on facts and real-life requirements and experience instead of some certification. We like to do it ourselves, no?

    These improvements *will* improve Linux. That's all that matters. Any certifications that might be the result of it are merely a side effect and not very important, to us.

  • by Macka ( 9388 ) on Wednesday April 12, 2000 @10:32AM (#1137545)

    Beefing up Linux to C2 will be a great thing for commercial interest/acceptance, and only small changes to existing GUI interfaces would be needed to accomodate that (adding ACL options to widgets that display/manipulate file permissions).

    B1 however is a different kettle of fish. GUI's like KDE, GNOME, and others would have to be extensively modified to work properly (if at all) in a B1 environment. The standard for this is called CMW (Compartmented Mode Workstation). Commercial products like DEC MLS+ are implementations of B1/CMW on top of the standard Unix product. I don't know what SUN's is called, but they do the same.

    This also applies to almost anything else that is not part of the kernel, eg:

    * TSIX instead of TCP/IP, which automaticly excludes you from participating in non B1 DNS environments, and allows you to configure networks restricting communication between systems of the same SL (Security Level) or perhaps SL's that yours dominates (with the appropriate kernel privs enabled).

    * A new filesystem, or extensions to an existing filesystem, to make it multilevel aware. That way, when you cd(1) into a directory that contains files that have a higher SL than you have Clearance to access, you don't see them. Not from an ls(1) or by any other C hackery you can conjure up, because they are blocked at the filesystem level.

    * A new multilevel print environment, so that for example files with an SL of "Top Secret" cannot be printed out on printers that don't have the same or higher SL (eg, Secret, Confidential, Unclassified, or whatever they have been called in the environment you're in).

    * Getting back to CMW again. On a B1/CMW workstation where the GUI is multilevel aware, if you have logged in selecting an SL of "Secret" (assuming you have Clearance for this) and you open a terminal window with that SL, then open another terminal window with a lower SL, eg "Unclassified" then you will NOT be able to cut and paste text from the Secret window to the Unclassified window (unless you have privs allowing you to override this AND they are turned on). GUI's that are not multi-level aware (like all the ones that currently exist) would only be able to work as they stand on one SL at a time. If you wanted to work with files (or viewable data) at a higher SL than the one you were logged in on, you'd have to log right out and log in again at the higher SL.

    Working with B1 and CMW can be very complicated. Designing and setting up an environment that has all these features is even worse. Which is probably why B1 has never caught on in the commercial world. Applications not specificly written or modified to run in a multi-level environment, can only operate on one level at a time (ie: the level they are start at) which often defeats the object of having a multilevel enviromnent in the first place.

    Maybe Linux could shine here though. Last I heard (maybe it's changed again :-) DEC MLS+ from Compaq was being wound down. What killed it was the lack of applications that could run on it properly because they needed significant re-engineering to be multilevel aware (read huge cost!). Because the source of most linux apps are open, this would not be such a huge barrier to overcome. It will be interesting to wait and see.

  • TrustedBSD [trustedbsd.org] "provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Orange Book B1 evaluation criteria"

    And they also have a mondo-cool logo.
  • by Shadowlion ( 18254 ) on Wednesday April 12, 2000 @07:25AM (#1137547) Homepage
    Actually, there's an even more secure rating than A1.

    A0, as defined by the military, is an unplugged, completely disassembled computer system where all volatile magnetic memory has been exposed to extremely powerful electromagnets for at least 72 hours. Each piece is then separately taken Cape Canaveral via several different types of transportation (horse, plane, submarine, postal carrier), launch into orbit (using Space Shuttle flights randomly chosen from a calendar) whereupon they are loaded into small, disposable rockets and fired towards the sun along with all documentation.

  • by ianezz ( 31449 ) on Wednesday April 12, 2000 @07:23AM (#1137548) Homepage
    since they have it only if NT is not networked.

    Just to be fair, they recently obtained a C2 on NT4+special service pack+certain hardware, in a networking environment. See here [securiteam.com] for more info.

  • by -brazil- ( 111867 ) on Wednesday April 12, 2000 @06:59AM (#1137549) Homepage
    The scale comes from something known as the "Orange Book", and yes, "C2" also comes from there, and if M$ claims they got C2, they're full of shit (as if that were new...), since they have it only if NT is not networked.

    The scale works like this: there are different security levels, each with stronger requirements. The actual requirements are quite numerous, here's a long article [kernel.org] with details.

  • by Amphigory ( 2375 ) on Wednesday April 12, 2000 @07:42AM (#1137550) Homepage
    Bear in mind what these things mean. From the "TCSSEC" FAQ [ncsc.mil]:
    18. What are the requirements for a D/C1/C2/B1/B2/B3/A1 system?

    The Interpreted Trusted Computer System Evaluation Criteria (ITCSEC) available in postscript at contains the definitive set of requirements for each TCSEC class. In Summary:

    Class D: Minimal Protection

    Class D is reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class.

    Class C1: Discretionary Security Protection

    The Trusted Computing Base (TCB) of a class C1 system nominally satisfies the discretionary security requirements by providing separation of users and data. It incorporates some form of credible controls capable of enforcing access limitations on an individual basis, i.e., ostensibly suitable for allowing users to be able to protect project or private information and to keep other users from accidentally reading or destroying their data. The class C1 environment is expected to be one of cooperating users processing data at the same level of sensitivity.

    Class C2: Controlled Access Protection

    Systems in this class enforce a more finely grained discretionary access control than C1 systems, making users individually accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.

    Class B1: Labeled Security Protection

    Class B1 systems require all the features required for class C2. In addition, an informal statement of the security policy model, data labeling (e.g., secret or proprietary), and mandatory access control over named subjects and objects must be present. The capability must exist for accurately labeling exported information.

    Class B2: Structured Protection

    In class B2 systems, the TCB is based on a clearly defined and documented formal security policy model that requires the discretionary and mandatory access control enforcement found in class B1 systems be extended to all subjects and objects in the automated data processing system. In addition, covert channels are addressed. The TCB must be carefully structured into protection-critical and non- protection-critical elements. The TCB interface is well-defined and the TCB design and implementation enable it to be subjected to more thorough testing and more complete review. Authentication mechanisms are strengthened, trusted facility management is provided in the form of support for system administrator and operator functions, and stringent configuration management controls are imposed. The system is relatively resistant to penetration.

    Class B3: Security Domains

    The class B3 TCB must satisfy the reference monitor requirements that it mediate all accesses of subjects to objects, be tamperproof, and be small enough to be subjected to analysis and tests. To this end, the TCB is structured to exclude code not essential to security policy enforcement, with significant system engineering during TCB design and implementation directed toward minimizing its complexity. A security administrator is supported, audit mechanisms are expanded to signal security-relevant events, and system recovery procedures are required. The system is highly resistant to penetration.

    Class A1: Verified Design

    Systems in class A1 are functionally equivalent to those in class B3 in that no additional architectural features or policy requirements are added. The distinguishing feature of systems in this class is the analysis derived from formal design specification and verification techniques and the resulting high degree of assurance that the TCB is correctly implemented. This assurance is developmental in nature, starting with a formal model of the security policy and a formal top-level specification (FTLS) of the design. An FTLS is a top level specification of the system written in a formal mathematical language to allow theorems (showing the coorespondence of the system specification to its formal requirements) to be hypothesized and formally proven. In keeping with the extensive design and development analysis of the TCB required of systems in class A1, more stringent configuration management is required and procedures are established for securely distributing the system to sites. A system security administrator is supported.



  • by Plutor ( 2994 ) on Wednesday April 12, 2000 @07:38AM (#1137551) Homepage
    B1 Security - "Labelled Security Protection"
    • Object protection can be on a single-user basis, e.g. through an ACL or Trustee database.
    • Authorisation for access may only be assigned by authorised users.
    • Object reuse protection (i.e. to avoid reallocation of secure deleted objects).
    • Mandatory identification and authorisation procedures for users, e.g. Username/Password.
    • Full auditing of security events (i.e. date/time, event, user, success/failure, terminal ID)
    • Protected system mode of operation.
    • Added protection for authorisation and audit data.
    • Mandatory security and access labelling of all objects, e.g. files, processes, devices etc.
    • Label integrity checking (e.g. maintenance of sssensitiy labels when data is exported).
    • Auditing of labelled objects.
    • Mandatory access control for all operations.
    • Ability to specify security level printed on human-readable output (e.g. printers).
    • Ability to specify security level on any machine-readable output.
    • Username and Password protection and secure authorisations database (ADB).
    • Protected operating system and system operations mode.
    • Periodic integrity checking of TCB.
    • Tested security mechanisms with no obvious bypasses.
    • Documentation for User Security, Systems Administration Security, Security Testing, examining audit information, and TCB design.
  • by lar3ry ( 10905 ) on Wednesday April 12, 2000 @07:16AM (#1137552)
    Orange Book certification (C2, B1, etc.) usually requires certification of a total system... not just the operating system. So, even if you could install all their mods in a single package, you would need to certify the OS along with your brand of PC, controllers, etc.

    Be that as it may, it is a great start.

    Security levels C2 and greater (including B1) will be useful for getting Linux into government offices, the same ones where NT is C2 certified (as long as there is no network connection [smile!])... the government already has a large installed base of desktop systems.

    Linux's low cost of entry and now B1 features is just more of the foot in the door for the government and other people that will have to take a look at this system that was once dismissed as a "toy" by others.
  • by Mr. Slippery ( 47854 ) <tms@inf a m ous.net> on Wednesday April 12, 2000 @08:15AM (#1137553) Homepage
    It's a little more complicated than that...

    Here's a whirlwind tour of the Orange Book categories.

    D level systems have no security worth mentioning. Think DOS, Win95, MacOS - no real notion of separate users.

    C level systems have DAC - discretionary access control. Essentially, they have ACLs (access control lists). You can determine who can have access to your stuff. There are two divisions here, C1 and C2, with C2 being more stringent.

    Several Unix-type systems have been certified at C2 (though you have to add ACLs), as has WinNT.

    B level systems add MAC - mandatory access control. Every object (file, device) and subject (process) has a level (often something like unclassified, secret, top_secret) and a set of categories associated with it. If you're cleared for "secret/stealth_bomber, SDI, Area_51", you can't read stuff labeled "top_secret/who_killed_JFK" or "secret/Clintons_little_black_book". And you can't write something "unclassified/Area_51", so you can't spill the beans. (But you can write to objects at a higher level than you are.) There's B1, B2, and B3. I think you can still count the number of certified B-level operating systems on your fingers.

    A1 level systems have been mathematically proven. IIRC there's only one that's ever been certified at this level.

    There's also something called CMW (compartmented mode workstation), which is like the B levels but deals with "information labels" instead of "sensitivity labels" - i.e., it tries to track what's really in the object, so if you paste secret data into a file it gets upgraded.

    It's a bitch to get something certified (I worked on Trusted Mach [tis.com], which was intended to be B3 but never went anywhere); we're talking piles of documentation, many rounds of review, and a pile of money.

"'Tis true, 'tis pity, and pity 'tis 'tis true." -- Poloniouius, in Willie the Shake's _Hamlet, Prince of Darkness_