Windows 2000 declared secure

Adam Shostack adam at homeport.org
Sat Nov 2 17:48:17 EST 2002


On Sat, Nov 02, 2002 at 03:12:51PM -0500, Jonathan S. Shapiro wrote:
| On Sat, 2002-11-02 at 13:31, Adam Shostack wrote:
| > On Sat, Nov 02, 2002 at 11:54:36AM -0500, Jonathan S. Shapiro wrote:
| > | The effectiveness of
| > | the levels is modestly exaggerated, and the importance of going for
| > | higher levels is grossly understated.
| > | 
| > | One unfortunate consequence is that NSA has seen no need to publish
| > | guidelines on performing higher-level evaluations, because there has
| > | been no demand.
| > 
| > Could you define 'importance' here?  Given a lack of demand, what are
| > you using as criteria?  How can we translate that into something
| > that's important to buyers? Or otherwise convince the buyers of
| > systems to demand better?  (Leading to NSA publishing those higher
| > level eval guidelines, etc.)
| 
| Apologies once again for the length of my reply. The issues are both
| complicated and political. I also need to preface this by saying that I
| am an active participant in the dialog around this issue. My usual role
| is poking sharp sticks into people's eyes, so please read what I have to
| say skeptically.

Certainly, I found your long reply quite interesting, and annoyingly
thought provoking, as I was all set to start flaming you.  ;)

| Context: There are international mutual-recognition treaties covering
| EAL4 and below, so if you get an EAL4 evaluation in Germany, it's
| accepted as binding in the US. Above EAL4 there is no mutual
| recognition. From talking to various assurance evaluators (current and
| former) and also to people within NSA, the alleged rationale behind this
| is in two parts:
| 
| (1) There is a perception that commercial products won't
|     seek higher evaluation, so there has been no real pressure
|     to push the treaties beyond this.
| (2) There is a perception that products seeking assurance
|     above EAL4 are likely to be targeted primarily at military
|     and/or sensitive applications. No country wants to be in the
|     position of being treaty-obligated to accept assurance from
|     another country about militarily sensitive materials.
| 
| Given that an EAL4 certification can fairly be characterized as "nowhere
| near good enough for serious commercial use today", I think it is fair
| to harshly criticize these rationales as rather thin rationalizations.

Here I'd like to disagree.  Unfortunately, EAL4 level stuff is
considered good enough for serious deployment today.  Witness the US
Navy's choice of OS.  Perhaps this is because people haven't learned
to tally up cost of ownership properly.  Perhaps it's because security
is not yet a requirement for commercial use.  But, as you
point out, there is no one agitating in the commercial space to fix
the issues that make EAL4 all we get.

[...]
| There is another subtext. One agenda of the evaluation community is to
| get people in the habit of doing evaluations before they raise the
| stakes. In order for this strategy to work, products have to pass the
| evaluations. The de facto effect is a desire not to set too high a bar.
| I personally disagree with this strategy, but even if I did I would
| argue that EAL4 is not a barrier to any current commodity operating
| system, and the US national interest is not served so long as the best

Actually, I think it is.  I don't think that Linux would pass EAL4; as
you've pointed out, that requires a documented and followed QA
process.  Would any of the BSDs?  (I know NAILabs has done stuff on
FreeBSD, but I'm not sure where it stands.)  How does SELinux stack up
here?

| When pressed, Brian Snow says that until somebody wants to actually do a
| higher level evaluation, NSA cannot justify the expense of doing the
| higher level guidelines, but that they could proceed with a higher
| evaluation today using the older guidelines that were applied under
| TCSEC. This is probably true, but it is not clear whether such an
| evaluation would have any commercial value, because the quality of the
| resulting evaluation is not characterized by a published standard of
| practice. I am publicly on record as saying that EROS will attempt EAL7

Do you think that the buyers of these higher EALs actually know what
they're getting?  My reading of the commentary on Win2k getting
certified is that most people don't know what an assurance level is,
nor do they know that there are other ones.

| So the current state of affairs is that for levels above EAL4 the
| evaluation must be performed with participants from the government of
| the host country, and has no standing outside of the host country. I
| suspect that someone achieving a successful EAL5 evaluation in the US
| could claim EAL4 elsewhere under the treaties, but a US-achieved EAL5
| would not qualify a product to be submitted on, say, a German military
| solicitation requiring an EAL5 certification.
| 
| Note that the current policies have a curious effect. Companies pursue
| evaluation primarily for the marketing benefit of the certification. The
| minute they step from EAL4 to EAL5, they suddenly need to spend millions
| of dollars **per country** and the marketing payoff stops. A consequence

Do you think so?  "Certified Stronger than Windows 2000!"  That the
certification doesn't cut butter with sales to the German government
doesn't change the fact that the system is certified (by someone,
detail, detail, blah, and the commercial customer falls asleep).  So
I think that there is an incentive for someone (Sun?  IBM?) to go get
an EAL5 certification, if only to tweak MSFT's nose.

| Whatever policy NSA thinks is a good idea, the impact on the U.S.
| commercial sector is very clear. Until there is a unified incentive
| structure resulting in the construction of widely available secure
| systems, both U.S. and world businesses will continue to be largely
| bare-ass naked where security is concerned. Further, it follows from
| this that the U.S. civilian sector is vulnerable to attack in the event
| of an extended military action. It has long been recognized that the
| civilian sector is *vital* for provisioning and supply in any extended
| military action (i.e. longer than one week).

Here I strongly agree with you, however, I'm not sure that the CC are
the incentive structure; I think the problem is more fundamental,
which is that costs for insecure software are mis-allocated.  The
benefit of being able to sell a little secure software is pretty low,
and will remain low as long as someone can simply certify that there's
nothing secure that meets the requirement of running win32 code, so
let's just install Windows.

As I said above, I think that the costs of running insecure software
aren't really recognized (and/or there is a belief that all software
is roughly equally insecure and thus expensive.)

| So finally, Adam was really asking "what do we do about it?" The key, I
| think, is to recognize that international treaties don't matter. If a
| reputable group of recognized computer scientists were to publish a well
| thought out set of evaluation criteria for higher level evaluation, NSA
| would have little political choice but to adopt them -- perhaps with
| modification. Similarly, performing a successful evaluation against
| these criteria using publicly contributed resources would disenfranchise
| the people who say "real security is too hard". Both activities would
| have to be done in a way that was very much beyond reproach. In part,
| this means that it needs to be done in an open source way -- that is,
| *all* of the process documentation and such needs to be publicly
| reviewable.
|
| Enough said for now, but I will hopefully have more to say on this
| within the next few months.

I look forward to hearing it.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                   -Hume

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com