Security Certification - Does It really mean not much?

Posted Nov 13, 2003 9:33 UTC (Thu) by noxxi (subscriber, #4994)
Parent article: Security Certification - The Open Source Way

Working for a company that did ITSec certification (German security
certification) a few years ago and is doing it again, I must say that
the certification process itself can make a product a lot more secure.

For ITSec Level 3 you have (among other things) to:
- document all tools and interfaces
- document the design and not only document it, but
also explain all the security relevant decisions and
show potential weaknesses
- provide a lot of tests for *fully* testing the certified functionality

If you've done this you
- rethought a lot of design decisions (because you need to
explain it to someone who knows, not some marketing guy)
- have a test suite which you can rerun again and again while
you continue to develop the product, thus making sure that none
of the important stuff breaks

This way you don't get a 100% secure product, but the product is
way better than before.


Security Certification - Does It really mean not much?

Posted Nov 13, 2003 10:53 UTC (Thu) by dd9jn (subscriber, #4459)

We could start a long thread on certification but well, I have to do other things. So just one hint: Get Peter Gutmann's book and read the relevant chapters to see how useless certification of software is. A few of the other chapters are online.

  Werner

Security Certification - Does It really mean not much?

Posted Nov 13, 2003 16:51 UTC (Thu) by kweidner (subscriber, #6483)

I know, you're not supposed to feed the trolls...

Chapter four (PDF) in Peter Gutmann's book is about software verification techniques and criticizes the Orange Book (the CC predecessor) formal system verification methodology, suggesting a cryptography-based approach instead.

That is rather beside the point here, because formal design specifications and verification are only done at high assurance levels (>= EAL6), involving a complexity and amount of work that are far beyond what would be reasonable for a general-purpose operating system.

If you disagree, please let me know where I can get an operating system that is based on a cryptographic security architecture that could replace a Linux server in real-world use. Similarly, Shapiro claims in his article that the capability-based EROS-OS will be secure enough for EAL7 verification. It's an intriguing concept, but then again EROS-OS also looked very intriguing when I first heard of it a couple of years ago, and I'm not holding my breath waiting for it to be useful. If you want a working capability-based OS, take a look at OS/400, which is an elegant system but not famous for being user-friendly.

I'm not saying that the research Shapiro and Gutmann are doing isn't interesting and potentially valuable, but in the meantime there are people who need to get real work done and want to use what is actually available and works.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds