Windows 2000 declared secure

Jonathan S. Shapiro shap at eros-os.org
Mon Nov 4 06:38:25 EST 2002


I'm answering this publicly, because there is a surprise in the answer.


On Sun, 2002-11-03 at 13:12, Arnold G. Reinhold wrote:
> "Jonathan S. Shapiro" <shap at eros-os.org> wrote:
> >... If a
> >reputable group of recognized computer scientists were to publish a well
> >thought out set of evaluation criteria...
> 
> If I may ask a naive question, couldn't such a set of evaluation 
> criteria be abstracted from the design goals of Eros?

Funny you should ask that. First, I need to correct my original
statement: one needs both evaluation criteria and an effective
requirement set for a secure OS. The Common Criteria evaluation process
needs to be augmented with quantitative tests on the actual software
artifact, but it's actually pretty good.

Requirements, on the other hand, is a tough problem. David Chizmadia and
I started pulling together a draft higher-assurance OS protection
profile for a class we taught at Hopkins. It was drafted in tremendous
haste, and we focused selectively on the portions of CC we would cover
in class, but it may provide some sense of how hard this is to actually
do:

	http://www.eros-os.org/assurance/PP/ASP-OS.pdf

Sorry about the formatting errors - it's an automatically generated
document that needs cleanup.

The difficulty in drafting a PP like this is avoiding specifying solutions.
A PP is supposed to be a requirements document. Unfortunately, you get
into quandaries. Some of the requirements we think are important can be
done in capability systems but not in non-capability systems (at least
based on published verifications to date). It becomes tempting at that
point to introduce requirements that can *only* be done by capability
systems.

Also, much is present only by reading between the lines. An annotated
document is needed in order to really make any headway on understanding
what is implied by some of the requirements.

> Also there is no reason such a document need be as voluminous as 
> existing criteria.  It is high time we departed from the quality 
> industry's practice of focusing on tangential issues, ignoring 
> substance and generating mountains of paper as a proxy for 
> accomplishment.

Having read a number of existing protection profiles, I have to say that
people have done quite well on this. There *is* some unneeded bulk, but
this is primarily due to conventions that yield consistently styled
documents. Once you understand how to read one PP you can read pretty
much any PP. A modest amount of size expansion is a reasonable price to
pay.


shap


---------------------------------------------------------------------
The Cryptography Mailing List