Red Hat, Sun aim for security certification
But experts say Common Criteria evaluation is too limited to assure security in general-purpose situations
In 2006, network administrators in high-security environments will have two new general-purpose operating systems to choose from. Both Sun Microsystems Solaris 10 and Red Hat Enterprise Linux 5 are undergoing Level 4 Common Criteria Evaluation Assurance. With those certifications in hand, vendors are planning to offer desktop OSes that operate across many security levels, eliminating the need to put multiple computers'one for each security level'on analysts' desks.
But defense and intelligence organizations aren't the only ones with an eye on the Solaris and Red Hat proceedings. Even in less sensitive areas, Common Criteria can be a handy guide to how secure an operating system is.
Or can it? Experts caution that Common Criteria evaluates OSes only for trusted environments.
'We're assuming that you are not in an environment such as the Internet where you are exposed to millions of hackers,' said Helmut Kurth, chief scientist and lab director for Atsec Information Security of Austin, Texas. Atsec is evaluating RHEL on behalf of IBM Corp. 'If you want that, you would want to look for a higher assurance level.'Common Criteria: the details
The Common Criteria Evaluation and Validation Scheme, managed by the National Information Assurance Partnership, contains a collection of Protection Profiles, or a list of specifications of what a system should do in a given situation.
Solaris 10 is currently being evaluated against two profiles'the Controlled Access Protection Profile and the Role-Based Access Control Protection Profile.
The Controlled Access Protection Profile assures that OS access controls enforce limitations on the actions that users and data objects can perform on a system. It also evaluates the audit capabilities of security-relevant events.
The Role-Based Access Control Protection Profile describes how the software handles the roles or rights applied to a group of users, such as database administrators.
Sun submitted Solaris 10 for Common Criteria testing in part because it plans to phase out its Trusted Solaris secure operating system, said Mark Thacker, product line manager of Solaris security. Long used by agencies with classified and sensitive data networks, the current version of Trusted Solaris, Version 8, has been certified to Common Criteria Evaluation Assurance Level 4 for the two profiles Solaris 10 is being tested for. Trusted Solaris is also certified against a third profile, the Labeled Security Protection Profile.
Labeled security applies a tag to each data file identifying an appropriate security level. The labels allow the operating system to handle data with appropriate controls, eliminating the need for the multiple computers of varying security levels.
To cover the functionality in the third profile, Sun plans to introduce a software add-on called Solaris Trusted Extensions, which will also undergo Common Criteria evaluation. Solaris Trusted Extensions will offer a set of labels that map directly to sensitivity levels in organizations such as the National Security Agency and the Central Intelligence Agency.
Pending the results of Sun's evaluations, customers who would have bought Trusted Solaris in the past will now purchase the current version of Solaris along with the Solaris Trusted Extensions, Thacker said.
The evaluation of Red Hat Enterprise Linux 5 is also part of a plan to replace Trusted Solaris in classified and sensitive environments, said Ed Hammersla, chief operating officer of Trusted Computer Solutions Inc. of Herndon, Va. Trusted Computer has developed some of the security extensions that were incorporated into RHEL 5.
'This allows our traditional customer base to look at Linux as a viable alternative,' Hammersla said.
Although earlier this year Red Hat submitted its Enterprise Linux for EAL 3, an EAL 4 certification would enable the company to offer the OS to secure environments, Hammersla said. RHEL includes Security-Enhanced Linux, a set of software controls to confine the actions of any process to a predetermined set of options.Agency use
Agencies in general are increasingly relying on Common Criteria evaluations to judge the security of product purchases. The National Security Telecommunications and Information Systems Security Policy No. 11, for instance, mandates that agencies use Common Criteria-evaluated equipment and software for networks carrying sensitive information.
Still, experts say administrators should not assume a Common Criteria rating means an OS is bulletproof. The Common Criteria Evaluation Assurance Level specifies a degree of confidence between 1 and 7, with 7 being the highest.
EAL 4 ensures that the vendor has methodically designed, tested and reviewed the software, and that a party reviewing that software, such as Atsec, has done a basic review of the system itself. It does not, however, guarantee a full source code review.
'An evaluation at Level 4 is not a guarantee that there won't be vulnerabilities,' Kurth said.
One concern voiced about Common Criteria evaluation is that it does not take into consideration the networked environments most software operates in. Johns Hopkins as-sociate professor Jonathan Shapiro laid out this case in a paper he wrote about Microsoft Windows 2000's EAL 4 certification [read it at www.gcn.com
Shapiro pointed out that the protection profiles were designed to judge software in nonhostile environments, or environments where no malicious software could infect the system. The criteria checklist assumes that hundreds of operating system services are shut off from day-to-day use. This is an unrealistic expectation, Shapiro said.
To fully enjoy the secure features of a Common Criteria-related product, 'You can't hook it to the Internet, you can't run shrink-wrap software, and you will spend days turning off 'features' in the shipped product that break the security of the base system,' Shapiro told GCN in an e-mail exchange.
'With a lot of different services open, it would be an extreme amount of work to guarantee that none of those would be misused,' Kurth said. Higher evaluation levels would cover all the possible combinations of services, though assessing software as complex as an operating system would be a truly arduous job.
Kurth estimates that EAL 6 certification would indicate an operating system that was ready for direct contact with the Internet. No commercial OS has achieved EAL 6 yet. An EAL 4 certification itself can take a year or longer.
Nonetheless, Kurth says that a Common Criteria evaluation can be a good guide for agencies purchasing an OS.