Windows 2000 declared secure

Pete Chown Pete.Chown at skygate.co.uk
Sun Nov 3 10:32:23 EST 2002 

Adam Shostack wrote:

> I don't think that Linux would pass EAL4; as
> you've pointed out, that requires a documented and followed QA
> process.

I agree that the Linux kernel probably couldn't pass because of lack of 
documentation.  This is even more true for "GNU/Linux", the loosely 
defined collection of software that makes up a real Linux system.  If 
wuftpd has a buffer overflow, is that a hole in "GNU/Linux", or a hole 
in wuftpd?  What about the Foo Linux distribution that only comes with 
proftpd?

At the same time, I think a specific distribution probably could be 
evaluated.  Red Hat have a well defined QA process for example.

Another problem might be the granularity of access controls.  IIRC Unix 
systems that were evaluated to C2 had to include some kind of ACL 
system.  The user/group/others split wasn't good enough.  SELinux would 
pass this requirement easily, but vanilla Linux systems might have a 
problem.

On another note, I'd be interested to hear more about how Eros is going 
to get EAL7.  Formal verification of a whole OS sounds horribly 
difficult, but very exciting if it can be done.  One problem I've always 
had with correctness proofs is that they prove the program to satisfy 
some statement of the problem.  They don't prove that the problem stated 
is the one you intended to solve.  How will you avoid this with your 
proofs of Eros' security?

As an example of what I mean, here is a statement of what it means for 
one list to be the concatenation of two others:

concat([], X, X).
concat([H | T], X, [H | U]) :- concat(T, X, U).

In other words, the empty list concatenated with any other list gives 
that list unchanged.  Then, in general, a list X is the concatenation of 
Y and Z iff: (i) X and Y have the same head, and (ii) the tail of X is 
the concatenation of the tail of Y with Z.

Unfortunately, not only is this a statement of the problem, it is also a 
Prolog program which solves the problem. :-) So, it's provably correct, 
because the solution and the statement of the problem are the same 
thing.  Of course it's provably correct in a rather useless way...

-- 
Pete


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list