Lobbying for Insecurity
2002-08-28
The NSA's Linux security project was so good it almost made up for that whole Echelon thing. Then politics entered the picture.
Just as important as playing government-level politics is the ability to play Sand Hill politics.
As you mention, Linux security is inferior to some BSD offerings. Some large part of this, as you hint, is due to politics within the Linux developer group.
A paradigm in secure OS implementation is that security must be designed in from the start. It must be a mindset and framework that people program to and within. Efforts to completely restructure Linux security were rejected because of the magnitude of changes required. Instead, the latest Linux security offering currently being integrated into 2.5 was hobbled to be another patchwork layer on top of existing security features.
One of the requirements for certification is the ability to create a selective audit log of all security-relevant events. Meeting this requirement is tedious but fundamental to even the lowest level of security certification (currently CAPP (http://www.commoncriteria.org), used to be C2). It was decided that this base requirement wasn't really 'security' and would not be supported.
Certification of a unix-class system can take 12-24 months and includes documentation of the OS's handling of each publicly accessible object in the system as well as a test suite to verify proper functioning of OS features. The NSA's security project was years away from certification.
Most people do not understand the difference between secure algorithms and "proven" (as evaluated by an authorized third party) levels of security. There isn't a binary state of 'secure/non-secure' in modern, complex systems. While a theoretical, mathematically proven level of security (old A1 security) exists on paper, no multi-purpose, general OS (like unix, nt, etc) achieved this.
Another possible minor glitch in a certified security implementation might be _classification_ of a certified Mandatory Access control system.
It used to be the case that B1 (next step above C2) certified systems couldn't be sold overseas (munitions). I don't know if the US government relaxations on crypto export also applied to certified security technology.
While it is convenient to blame Microsoft and politics for the apparent failure of SELinux, SELinux does not a certified-secure system make. It's considered much more fun to go off and implement new security algorithms than to implement (port) existing, certified (1995: http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-001.html, 2002: http://www.serverworldmagazine.com/newsflash2/2002/05/24_irix.shtml), security paradigms (1999: http://oss.sgi.com/projects/ob1/).
As long as Linux is considered a playground, it won't be considered a serious security offering. Note: as of July 1st the DoD theoretically began requiring certified systems on new systems (http://www.fcw.com/fcw/articles/2002/0610/cov-lock-06-10-02.asp).
Link to this comment: http://www.securityfocus.com/comments/columns/106/16420#16420