Security Certification - Does It really mean not much?
Posted Nov 13, 2003 16:51 UTC (Thu) by kweidner
In reply to: Security Certification - Does It really mean not much?
Parent article: Security Certification - The Open Source Way
I know, you're not supposed to feed the trolls...
Chapter four (PDF) in Peter Gutman's book is about software verification techniques and criticizes the Orange Book (the CC predecessor) formal system verification methodology, suggesting a cryptography-based approach instead.
That is rather beside the point here, because formal design specifications and verification are only done at high assurance levels (>= EAL6), involving a complexity and amount of work that are far beyond what would be reasonable for a general-purpose operating system.
If you disagree, please let me know where I can get an operating system that is based on a cryptographic security architecture that could replace a Linux server in real-world use. Similarly, Shapiro claims in his article that the capability-based EROS-OS will be secure enough for EAL7 verification. It's an intriguing concept, but then again EROS-OS also looked very intriguing when I first heard of it a couple of years ago, and I'm not holding my breath waiting for it to be useful. If you want a working capability-based OS, take a look at OS/400, which is an elegant system but not famous for being user-friendly.
I'm not saying that the research Shapiro and Gutman are doing isn't interesting and potentially valuable, but in the meantime there are people who need to get real work done and want to use what is actually available and works.