Apple pushes feds toward broader open-source use

Apple Computer Inc. is seeking Common Criteria evaluation of Mac OS X, which could open government doors wider to open-source software.

Apple wants a Common Criteria Evaluated Assurance Level 3, which 'costs big bucks,' said John Hurley, Apple's security policy architect. 'It's a pain in the neck to spend that money.'

But, Hurley told an audience at the recent Secure Trusted Operating System symposium in Washington, the entire open-source community could benefit from the effort. The OS X kernel is based on the Darwin open-source operating system.

'OS X wouldn't be here without open-source,' Hurley said. 'Everything that isn't graphical is open-source.'

That means other open-source developers could incorporate the evaluated elements in their software.

'Sure, you'll still have to spend the bucks getting it through evaluation,' he said, 'but you won't have to spend the time doing the implementation.'

The Secure Trusted OS Consortium, established in 2000, in part aimed to develop a security-enhanced version of Darwin.

The international Common Criteria standards, recognized by 14 nations, evaluate security software against vendor claims or user re-quirements, based on work by ap-proved private laboratories. In the United States, the overseer is the National Information Assurance Partnership, a collaboration between the National Institute of Standards and Technology and the National Security Agency.

The Defense Department requires Common Criteria certification for security products, and it is a prerequisite for national security systems elsewhere in government.

The evaluation requirements have hindered open-source software in wide government use, said W. Douglas Maughan, a former program manager for the Defense Advanced Research Projects Agency.

'This has been to date probably the largest stumbling block for open-source,' said Maughan, now a senior Potomac Institute for Policy Studies fellow doing work for the Homeland Defense Department. 'Nobody owns open-source, so it's difficult to find people to put up the money for certification.'

That has limited government's software choices and possibly hurt government systems security.

'It's still a debate whether open-source development produces more security than the proprietary method,' Maughan said. But a diverse environment with multiple operating systems could make an organization less vulnerable to exploits, but diversity is limited today.

Steve Cooper, CIO of the Homeland Security Department, has drawn criticism for standardizing the department's systems on Microsoft Windows'a continuing target for hacker exploits.

'I maintain Cooper made the choice he had to make,' Maughan said. 'Government is looking for higher assurance than it has today' from open-source software.

A 2000 report by the President's IT Advisory Committee recommended that because the usual federal funding models don't work for grassroots development, the government should pursue nontraditional methods to get improved open-source software.

Raise the bar

At DARPA, Maughan managed the Composable High Assurance Trusted Systems program, a 2.5-year effort to fund research in Linux, OpenBSD and FreeBSD OSes.

'We were trying to raise the bar on some existing products so they could start to get into the Defense procurement pipeline,' he said. 'I think this is just the beginning of an incubator environment for open-source research.'

The most recent releases of the OS include DARPA-funded security enhancements. But certification requirements still keep open-source software out of government.

Maughan called Apple's Common Criteria effort a 'right first step' toward correcting this but said other open-source software vendors would have to follow suit.

The DHS Advanced Research Projects Agency should continue DARPA's work, he said, and 'I certainly plan to do CHATS Phase 2 at DHS.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above