[e-lang] Re: Windows 2000 declared secure

David Chizmadia vze2729k at verizon.net
Sun Nov 3 20:28:56 EST 2002


> > Is MacOS X EAL4?
> 
> Not so far as I know, but it could probably get there with some amount
> of work if it isn't already.

Mac OS X and Mac OS X Server are currently in NIAP evaluation 
at EAL3 (see http://niap.nist.gov/cc-scheme/InEvaluation.html).
 
> This is sort of what I mean about EAL4 not being good enough. The state
> of affairs at present is that a whole bunch of known-breakable OS's are
> nonetheless certifiable and being touted as secure...

While I agree completely that EAL4 is too low a bar given the 
current threat level against OSes used to connect to the Internet,
I think that the true failure is in the PPs. Most efforts to create
a PP with functional security requirements that are appropriate to
the *known, existing* Internet threat - even at EAL4 - falter due
to either limitations of the CC Functional Component families or
a growing realization among the writers that no commercial OS could
successfully show compliance with the necessary and sufficient set
of requirements for safe Internet and Web computing.

The fundamental security assurance problem is usually not 
with the basic OS features: i.e., scheduling and process, 
memory, and storage management. Instead, the evaluations 
choke on the networking facilities! It would generally be 
necessary to completely redesign the networking stack in 
most OSes to extend the architecture concepts that hold for 
the OS itself. Since the OS stack is normally larger than 
the OS itself and designed using a set of architectural 
principles that are substantially different from those of 
the OS, this is a substantial and costly exercise!

In this sense, the real advantage (which is pragmatically a 
serious problem) of EROS is that its underlying architecture 
will demand the design and implementation of a completely new 
network stack. This is good because the stack can be designed 
according to the same principles as the OS, but is a problem 
because it could delay release of a network-ready, high 
assurance EROS by inhibiting reuse of existing network stack 
implementations.

-DMC

> shap




---------------------------------------------------------------------
The Cryptography Mailing List