LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Press page

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Linux Backers To Put OS Through Security Certification (TechWeb)

[Posted February 14, 2003 by ris]

TechWeb looks at security certification plans. "Oracle, Red Hat, and IBM have all announced plans to put Linux through its security paces -- specifically through the Common Criteria certification process -- in an effort to win approval for using Linux among both government and private-sector clients." Here is IBM's press release.
(Log in to post comments)

There are already Linux-based products certified but: what good is certification anyway?

Posted Feb 18, 2003 9:31 UTC (Tue) by jfs (subscriber, #7140) [Link]

Taking a look at the list already under evaluation by the Common Criteria you can see that there are already a number of products based on Linux which are in the certification track (Stonegate) and there are also some Linux-based products which have been certified already (such as Watchguard's Firebox).

Quite sincerely, I've been reading through all the CC documents and what does Linux need to get certified? Just one thing: money. If you take a look at other operating systems' documentation (the Security Target) you will not find that many differences with Linux.

In any case, what good is certification is really? Jonathan Shapiro, shed some light with his article just after Windows achieved CC certification. Despite all the fuzz, CC certification is no guarantee for secure code, secure configuration or secure development. Just take a look at CERT's advisory CA-2002-08 which points the finger at Oracle 9i security issues (promptly after it was released). However, Oracle did achieve certification for Oracle 7.2, Oracle 8.0.5 and Oracle 8.1.7. What's wrong with this?

It's not only the fact that only a given product, in a given version, with a given configuration (all this is the security target IIRC) gets certified. It's also the fact that certification laboratories do not "look inside the hood" of products. They just certify that the document the manufacturer produces complies with a given set of documents and thus is awarded a given assurance level. As with any certification, the manufacturer can blatantly lie in the provided documentation, it's not the job of certification lab to confirm their assertions testing the product. Heck, they don't even need to install it.

Certification in security is IMHO just a (probably smart) market move. Yes, it might make sense to make this move for Linux too, I'm afraid we're not going to see all Linux (stable) kernels certified or all Linux distributions certified. We are just going to see "RedHat Linux v. X with kernel Y.Z with products A, B and C" has been certified EAL[1-4]. The value you give to that assertion is up to you (IMHO the less one knows the more value he gives it to those words).

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds