
Mandrake shoots for EAL5

September 29, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

A consortium of five companies, including MandrakeSoft, has been awarded a contract from the French Ministry of Defense to deliver a Linux-based OS certified at Common Criteria Evaluation Assurance Level 5 (CC-EAL5). The three-year contract is worth €7 million, with MandrakeSoft's share totaling €1 million. Participating in the contract with MandrakeSoft are Bertin Technologies, Surlog, Jaluna, and Oppida.

We contacted MandrakeSoft co-founder Gaël Duval to ask about the contract and to get a little more information about the process. The EAL5 certification may seem a bit ambitious, particularly since no other Linux vendor has achieved that level of certification for a Linux OS. In fact, none of the competing OSes have reached that level of certification either. At the moment, the Linux distribution with the highest level of EAL certification is Novell's SUSE Linux Enterprise Server (SLES) 8, which achieved EAL3+ with IBM's help.

There are seven levels of CC-EAL certification. In a nutshell, an EAL5 certification indicates that a system's features and security level are certified, and that development follows "formalized or semi-formalized methods."

We asked Duval if MandrakeSoft had any prior experience with this type of project:

Not exactly, but we introduced advanced security features in Mandrakelinux products early (Mandrakelinux 7.0, which was released in early 2000). We also sponsored several Open Source security projects. And we have a line of security products (Single Network Firewall & Multi Network Firewall). So security is a long-time tradition at Mandrakesoft.

Of course, MandrakeSoft is not the only vendor working on this project. Oppida is an officially authorized Common Criteria Information Technologies Security Evaluation Facility (ITSEF), making it an ideal partner for a project of this kind. Surlog's expertise is in providing tools to evaluate software and system dependability. Jaluna provides real-time and high-availability solutions, including solutions based on Linux.

We also asked Duval how MandrakeSoft became involved with this effort, and how the consortium came into being. Duval didn't provide a great deal of detail:

We know these companies and they know us, so it's a natural arrangement because every actor has some technology and expertise to bring.

Unfortunately, it will be some time before the work that the consortium is doing shows up for use by the community. According to Duval, the plan is to keep development separate from Mandrake Linux development:

It will be totally outside of the Mandrakelinux product roadmap. Several actors take part in this project, which will be released in Open Source after completion.

Duval did allow that some of the work might show up "later" in the development process. We also asked what license would be used for any work created for this project. Duval said that he doesn't have any information about licensing details, just that it would be an open source license.

Three years is quite a long time, so it will be interesting to see whether MandrakeSoft is the first Linux vendor to reach EAL5, or if Novell or Red Hat beat them to the punch. Novell has already said that it hopes to gain EAL4 certification in the near future. No doubt, Novell will be setting its sights on EAL5 shortly thereafter.

For the larger picture, of course, it won't matter whether Novell or MandrakeSoft reaches the finish line first. Achieving EAL5 will be yet another feather in Linux's cap, another milestone reached that will allow governments and organizations to move to Linux instead of proprietary offerings.



Mandrake shoots for EAL5

Posted Sep 30, 2004 2:57 UTC (Thu) by stock (guest, #5849)

This is very good news for MandrakeLinux. What a come-back this has been
so far, certainly if one remembers Mandrake was recovering from a possible
bankruptcy!

MandrakeSoft Files for Bankruptcy Protection:
http://slashdot.org/articles/03/01/15/1727240.shtml?tid=147

Robert

Mandrake shoots for EAL5

Posted Sep 30, 2004 10:42 UTC (Thu) by fergal (subscriber, #602)

development follows "formalized or semi-formalized methods."

Doesn't that rule out the Linux kernel (and therefore anything built on top of it) straight away?

Mandrake shoots for EAL5

Posted Sep 30, 2004 13:17 UTC (Thu) by pdc (guest, #1353)

I suppose it depends on what counts as 'semi-formalized'. It might be that part of the job is creating a 200-page SSADM description of the present Linux kernel-development process, thus retroactively making it semi-formalized...?

I don't know how much of the system needs to be in the formal-methods category. Perhaps only the SELinux subsystem needs to have formal proofs, on the grounds that it then has oversight on the rest of the kernel. Maybe it already does (I do not know much about the SELinux internals, and it would depend on what counts as a proof).

True formal methods cannot be used directly on anything with the scope of an operating-system kernel; I think that most research uses formally-verified tools to verify software that is then itself used to verify the rest of the system. Maybe this means the semi-formal methods could include creating new security-auditing code-checkers?

The value of CC EAL[1234567] certification

Posted Sep 30, 2004 13:38 UTC (Thu) by scripter (subscriber, #2654)

The typical scenario with CC certification is that to sell to a government, they want your app or your OS to be CC certified. So you say "We'll get version 2 certified". You sign a contract for the gov to buy version 2 of your product. While you're working on CC certification, the gov starts using the app, even though it's not certified yet because certification takes a long time.

During the certification process, you realize that there are several (perhaps 300) EAL targets that your app, OS or dev process should meet at EAL5 to be considered secure. But you can only meet two targets. So, you produce the documentation to show that you can satisfy those two EAL5 targets, and now your app or OS is EAL5 certified! Maybe another competitive app is certified at EAL5 for fifty EAL targets -- but few people care really, because now that you've completed a lot of red tape, you can sell your app to even more governments and banks, etc.

By the time you've completed EAL5 certification with a lot of hand waving, perhaps you've produced versions 3, 4, 5, and 6 of your application. The government can still use the latest version of the app, even though it wasn't the one that was certified -- as long as some previous version was certified.

So, CC certification is a lot of hand waving. It might give some semblance of assurance, but it's almost meaningless to compare two competing apps that are EAL5 certified without looking at how many targets each actually met. The real reason for CC certification is so that you can sell your app to governments in several countries.

The value of CC EAL[1234567] certification

Posted Sep 30, 2004 19:01 UTC (Thu) by Max.Hyre (subscriber, #1054)

There's a great article on the subject by the security researcher Jonathan S. Shapiro (Johns Hopkins University Information Security Institute). My favorite comment therein is:

As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.

An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.

Mandrake shoots for EAL5

Posted Oct 8, 2004 8:05 UTC (Fri) by job (guest, #670)

Despite all the comments in this thread, I still haven't got a clue how
they are going to do it. They can't possibly force a development process
on the community. Formal development and Linux in the same sentence is
just too much for my little brain. Too bad Mandrakesoft isn't very
outspoken about this.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds