Green Hills Software strikes again

Green Hills Software continues its FUD campaign with a "white paper" entitled "Linux Security: Unfit for Retrofit." It's a piece of work. "Publishing the source code for the operating systems used in our most critical defense systems is analogous to publishing the wiring diagrams for our military base security systems. Our enemies will be able to study the vulnerabilites [sic] of the software controlling our defense systems at their leisure.... Many people argue that open source programs are inherently more secure than 'proprietary' programs because publishing the source code for the program enables many people to look at the source code and find any vulnerabilities in it. This is based on the misconception that looking at the source code is an effective means of finding vulnerabilities, which it is not."

Green Hills Software strikes again

Posted May 4, 2004 14:22 UTC (Tue) by freethinker (guest, #4397) [Link]

Security was not a focus of the original design of Linux, Unix, or Windows. They were all originally single user systems with no network access and therefore no need for security.

Um, well, technically true of Unix. For the first couple of years or so, I'd guess, before universities all over the world started using it.

Linus said SCO was smoking crack. Not sure what these guys are smoking...

Green Hills Software strikes again

Posted May 4, 2004 18:42 UTC (Tue) by iabervon (subscriber, #722) [Link]

Possibly the original design of UNIX was a single user system (since it ran on an otherwise little-used computer), but version 2 was a time-sharing system. Back then, you didn't expect a single user to have a computer.

It's true that UNIX wasn't designed for a public network. On the other hand, the public network was designed for UNIX, which is just as good.

Green Hills Software strikes again

Posted May 4, 2004 14:36 UTC (Tue) by libra (guest, #2515) [Link]

When dealing seriously with security one shall always assume that the enemy has the information about weak spots and vulnerabilities. It is the only way to come up with designs that are resistant even under well targeted attacks (be there so by luck or by knowledge).

Assuming that you can hide information from the enemy is wrong, and is in itself a mistake that alone can cause your doom. That does not mean you shall not try to make the information hard to get, but you shall always assume the worst case scenario.

With that in mind, and dealing more precisely with OSS, the fact that the code is available is bad only if you have not taken the steps to assume it may be so and that your enemy may know about it. If you take that step you will check your code and always be aware of what you do, thus lowering risks more dramatically than with any other method.

Of course you can not take that step if you do not have access to code, and that is a mistake because in those conditions you certainly open weak spots in your defense that you can not even be aware of.

By the way, the last quoted sentence is just wrong: looking at source code is an effective way of spotting vulnerabilities. Otherwise neither good nor bad guys would ever find them, and computers would be completely unpredictable. And I shall also mention that there are automated tools that can do that too.

Green Hills Software strikes again

Posted May 4, 2004 14:36 UTC (Tue) by maney (subscriber, #12630) [Link]

Our enemies will be able to study the vulnerabilites [sic] [in open source code]...

This is based on the misconception that looking at the source code is an effective means of finding vulnerabilities, which it is not.

I've lost count. Is this non sequitur two for Green Hills, or have they gone down swinging already?

Green Hills Software strikes again

Posted May 4, 2004 16:36 UTC (Tue) by rickfdd (guest, #4519) [Link]

Never mind that when Microsoft started their government shared source program the first three entities to sign up were...
  • NATO
  • China
  • Soviet KGB

Green Hills Software strikes again

Posted May 5, 2004 1:31 UTC (Wed) by fLameDogg (guest, #11305) [Link]

LOL. That's precious. I'd call that a very foul tip indeed.

Green Hills Software strikes again

Posted May 6, 2004 8:57 UTC (Thu) by ekj (subscriber, #1524) [Link]

The logic is clear: Posting the source allows the enemy to find vulnerabilities in it, and exploit those. It does not, however allow your own people, or your friends to do the same thing.

Furthermore, this raises the question: if it's inefficient to fix bugs by looking at, and making changes to, the source code, then how exactly are you supposed to do it?

Green Hills Software strikes again

Posted May 4, 2004 14:43 UTC (Tue) by phands (guest, #8691) [Link]

Is it just a coincidence that this guy is trashing Linux, just when a $10B DoD contract (win-t) is coming up for award? I don't think Green Hills can compete with Linux, and so are attempting to discredit it. Look how far that's got SCOX!

Paul

Green Hills Software strikes again

Posted May 4, 2004 14:49 UTC (Tue) by dcoutts (subscriber, #5387) [Link]

In their second paragraph, "Open Source Doesn’t Makes Linux More Secure than Windows", am I confused or are they confusing the number of severe vulnerabilities reported with crackers' preference of OS in systems that they attack?

They say:
"In fact, in every year for the last ten years the number of vulnerabilities reported against Linux exceeds Windows!"

Then list a bunch of 'facts', then conclude:

"It seems that the only reason that hackers would prefer to attack Linux over Windows is because Linux is easier to attack."

Green Hills Software strikes again

Posted May 4, 2004 15:11 UTC (Tue) by dcoutts (subscriber, #5387) [Link]

Another giveaway: they laugh that Linux has only achieved EAL2 rating (which is not true - SUSE & IBM paid for EAL3) and could only ever achieve EAL4, but then fail to mention what level their own 'designed-for-security' OS has achieved or is ever likely to achieve.

In fact, I'm rather inclined to agree with them that "EAL 7 certification should be required for operating systems that run critical defense systems" but I'd put money on Green Hills never producing such an OS. The size of systems that can feasibly be produced with current state-of-the-art formal methods (required for EAL7) is a couple orders of magnitude smaller than that required to build an OS kernel. Even when it becomes possible to build a system of the required size, it will still not be economically feasible for a company to build and sell - unless it first gets a contract from a government.

Green Hills Software strikes again

Posted May 4, 2004 15:20 UTC (Tue) by Baylink (subscriber, #755) [Link]

I'm not sure how true that is.

IIRC, the communications processor that was the only box/OS ever certified A1 was based on a stripped and tuned Interactive Unix kernel.

(It's been a long time; that might have been one of the B2 boxes.)

I assume EAL7 ~= A1?

Green Hills Software strikes again

Posted May 4, 2004 15:27 UTC (Tue) by jpb105 (guest, #21364) [Link]

They list their security features here and say it has Do-178B Level A Certification.

I'm not sure if Real-Time Linux offers any more features than they give Linux credit for. All their Linux 'information' is here. (I only know about Green Hills Software from what I read on the Web)

Green Hills Software strikes again

Posted May 5, 2004 20:29 UTC (Wed) by obobo (guest, #684) [Link]

When talking to a Green Hills rep a few months ago, I was told that they were in the process of getting Integrity (on a certain hardware platform) EAL 7 certified. Which is a pretty impressive achievement. Their FUD campaigns do make me less likely to buy their OS though (Linux is not an option for a very small RTOS, but Nucleus/ThreadX are, and they don't act as obnoxious as Green Hills).

Green Hills Software strikes again

Posted May 4, 2004 14:58 UTC (Tue) by jpb105 (guest, #21364) [Link]

A full security certification must be performed by someone who is a formal methods mathematician, a software engineer, and an experienced evaluator. That is a rare and expensive breed of individual.

This is in my (limited) view the key point: to get high level security certification, formal methods are required. As far as I know Linux was not developed with formal methods, and a system as large and complex as Linux (or Windows or OS X or SCO/Novell UNIXWARE...) would be very costly to verify. This doesn't mean that a FOSS solution is not possible, just that Linux is probably not it.

As I see it this doesn't mean that Linux is not 'secure', only that it won't be used in jet fighters.

Green Hills Software strikes again

Posted May 4, 2004 18:59 UTC (Tue) by rriggs (subscriber, #11598) [Link]

I read that quote to mean that these formal methods must be used in the certification process, not necessarily in the development process. Isn't that really the case here?

Formal Methods

Posted May 4, 2004 23:26 UTC (Tue) by jpb105 (guest, #21364) [Link]

All I know about Formal Methods is based on two undergraduate courses, but yes I think it is required for certification and optional for development, however if a system has not been developed with formal methods it is often harder to certify.

This is an interesting article linked to from Green Hills' site; it states "[Green Hills' CEO] O'Dowd cited Green Hills' Integrity real-time operating system, along with LynuxWorks' LynxOS-178 and Wind River Systems' VxWorks AE653 RTOSes, as secure solutions."

LynuxWorks produces GPL Real-Time Linux Distributions for use in defence and aviation systems. So one of my past posts was wrong (too limited vision and too much FUD) - You can have 'Fly by Linux' systems! They have a response to anti-Linux claims Here. I guess LynuxWorks must drastically simplify the standard Linux kernel.

LynuxWorks is a member of the Embedded Linux Consortium and Wind River Systems has supported it!

Formal Methods

Posted Sep 5, 2005 18:27 UTC (Mon) by speedplane (guest, #32280) [Link]

The formal methods you are talking about basically mean documenting every single line of source code. Every single loop, if statement, and function call has to be checked and rechecked. I've heard that the certification process costs about $1000 per line of source!

The result is software that is rock solid. Linux may be a good operating system for the desktop, but it's in a different category altogether when it comes to defence and extremely critical situations.

There are other benefits to their operating system too. It's a real-time operating system, which means that the interrupt latency is small and bounded. (Interrupt latency is the time it takes for the computer to respond to something from the outside, i.e. sensors, networks, and human input devices.) Linux can't provide that and changing the code to lower interrupt latency would be an extremely difficult endeavor. Real-time is a commendable effort but it is still an order of magnitude different from a true real-time operating system.

Finally there's security. A process running in Integrity cannot affect any other process unless it is specifically allowed. That goes for hardware too. That means that if there is one 'bad' process running on the OS, that process can only do damage to itself and nothing else on the system. Linux has some protections like this but nothing near the detail of Integrity.

FUD, FUD, FUD, let's see some facts

Posted May 4, 2004 15:56 UTC (Tue) by jfs (subscriber, #7140) [Link]

The article fails to acknowledge the fact that, if people believe in "security by obscurity" (I don't, YMMV), the GPL introduces provisions for code modifications that do not need to be leaked (if used internally). From the FSF's GPL FAQ:

Does the GPL require that source code of modified versions be posted to the public?

The GPL does not require you to release your modified version. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you."

And that's for the most restrictive free software license out there; for BSD-licensed software, for example, you could even redistribute your changes without ever releasing your changes to it.

It's funny that after saying this the article goes on and bashes "Security through Obscurity", just after saying it should be enforced in software!

I still see a lot of FUD: "The Common Criteria Says Linux Security Problems Can’t be Fixed " when there has not been such a statement. Linux companies just are "behind" regarding Common Criteria certification, SuSE and RedHat are pushing for EAL 4 and they have not failed to obtain it (yet)

Also, he compares apples to oranges when he sums up the vulnerabilities in the ICAT database (in "Open Source Doesn’t Makes Linux More Secure than Windows") and says that "Linux" has had more high-severity vulnerabilities than "Windows". Let's see...

[downloading a new copy of the database, my latest version was from december] .... [opening the database, preparing to do a search ...]

  • Search with "Microsoft" in vulnerability references and "High" rating: 221
  • Search with "RedHat" in vulnerability references and "High" rating: 110

    [ ... hey! less! maybe he meant another distro ...]

  • Search with "Debian" in vulnerability references and "High" rating: 199

    [ ... hmm understandable ... Debian does provide more software than Red Hat and it does include much more than Microsoft does... ]

    [ ... oh, but that includes also applications in the user space. The proponent said Linux, not GNU/Linux, maybe we get more vulnerabilities if ... ]

  • Search with "Linux kernel" in vulnerable software and "High" rating: 14

    [ .. yeah right ... ]

    [... hmm ... but what if we look up for the highest risk: i.e. High severity and remote? .. maybe the proponent meant those ...]

  • Search with "Microsoft" in vulnerability references, "High" rating and "Remote" in attacker requirements: 192
  • Search with "RedHat" in vulnerability references, "High" rating and "Remote" in attacker requirements: 115
  • Search with "Debian" in vulnerability references, "High" rating and "Remote" in attacker requirements: 139

    [ ... hmmm .. well this count again includes user space in the Linux distributions, maybe he meant the linux kernel... ]

  • Search with "Linux Kernel" in vulnerable software, "High" rating and "Remote" in attacker requirements: 5

Now, if we do this again but limiting it to "remote code execution", which are the vulnerabilities that worms use (remember Blaster? Sasser sounds familiar?), we get 146 for Microsoft, 112 for Red Hat, 138 for Debian (kernel+user space) and 4 if we only look at the kernel (and those are related to the firewalling code which might be bypassed in some circumstances to pierce a firewall, but not get access to it)

The only way you get a higher count is if you search for "Linux" in the Vulnerable Software references which is plain wrong since that will include software that is _written_ for Linux (such as RealOne player). That's why you have to make the search in "vulnerability references" to locate advisories (granted, that will not include vulnerabilities which have not been fixed, but the ICAT mapping is not fully up-to-date with CVE, the data from May 2004 only gets up to CAN-2003-1565, which is dated 01/12/2003)

Surprisingly, however you count it, Microsoft has more (reported) security vulnerabilities in ICAT database. Notice those are CVE references, that's the reason I've selected Red Hat and Debian because they are the only distributions that are CVE-compatible (since March 3 2004). Funny that Microsoft isn't because that can only mean that the CVE references are missing vulnerabilities which might have been fixed by Microsoft and the count would only be higher.
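As an added illustration of the search distinction jfs draws above (this is not code from the thread, and it runs over a constructed eight-row table rather than the real ICAT database), the script below counts entries by advisory source in the "vulnerability references" column versus by a substring match on the "vulnerable software" column, showing how the latter sweeps in third-party products that merely run on Linux:

```python
# Added example, not from the LWN thread. The table below is constructed;
# the CAN-TEST-* identifiers are placeholders, not real CVE/CAN entries.
from dataclasses import dataclass


@dataclass
class Entry:
    cve: str          # placeholder identifier
    software: list    # ICAT "vulnerable software" column
    references: list  # advisory sources (distribution / vendor bulletins)
    severity: str     # "High" / "Medium" / "Low"
    access: str       # attacker requirement: "Remote" / "Local"
    impact: str       # "code execution", "dos", "privilege escalation", ...


ENTRIES = [  # constructed sample data
    Entry("CAN-TEST-0001", ["Linux kernel 2.4"], ["RedHat", "Debian"], "High", "Local", "privilege escalation"),
    Entry("CAN-TEST-0002", ["Linux kernel 2.4 netfilter"], ["RedHat", "Debian"], "High", "Remote", "code execution"),
    Entry("CAN-TEST-0003", ["RealOne Player for Linux"], ["RealNetworks"], "High", "Remote", "code execution"),
    Entry("CAN-TEST-0004", ["OpenSSL 0.9.7"], ["RedHat", "Debian"], "High", "Remote", "code execution"),
    Entry("CAN-TEST-0005", ["Microsoft Windows 2000 RPC"], ["Microsoft"], "High", "Remote", "code execution"),
    Entry("CAN-TEST-0006", ["Microsoft IIS 5.0"], ["Microsoft"], "Medium", "Remote", "dos"),
    Entry("CAN-TEST-0007", ["Linux kernel 2.4 mremap"], ["RedHat", "Debian"], "High", "Local", "privilege escalation"),
    Entry("CAN-TEST-0008", ["Apache 1.3"], ["Debian"], "High", "Remote", "code execution"),
]


def count(entries, reference=None, software=None, severity=None, access=None, impact=None):
    """Count entries matching every given criterion (None means don't care).

    `reference` must appear exactly in the advisory-source list, the way a
    distribution name appears in ICAT's vulnerability references; `software`
    is a case-insensitive substring match on the vulnerable-software column.
    """
    n = 0
    for e in entries:
        if reference is not None and reference not in e.references:
            continue
        if software is not None and not any(software.lower() in s.lower() for s in e.software):
            continue
        if severity is not None and e.severity != severity:
            continue
        if access is not None and e.access != access:
            continue
        if impact is not None and e.impact != impact:
            continue
        n += 1
    return n


def comparison(entries=ENTRIES):
    """The kinds of count the post contrasts, on the constructed data."""
    return {
        # distribution advisories with High severity and Remote access: the query the post argues for
        "redhat_high_remote": count(entries, reference="RedHat", severity="High", access="Remote"),
        "microsoft_high_remote": count(entries, reference="Microsoft", severity="High", access="Remote"),
        # kernel-only subset
        "kernel_high_remote": count(entries, software="Linux kernel", severity="High", access="Remote"),
        # the misleading query: anything whose product name mentions Linux, RealOne Player included
        "anything_linux_high": count(entries, software="Linux", severity="High"),
    }


if __name__ == "__main__":
    for name, value in comparison().items():
        print(f"{name}: {value}")
```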

FUD, FUD, FUD, let's see some facts

Posted May 4, 2004 16:08 UTC (Tue) by LogicG8 (guest, #11076) [Link]

The linux kernel has already been used in an OS that has been given EAL4.

SuSe did it and RH isn't far behind
http://lwn.net/Articles/42766/

Green Hills Software strikes again

Posted May 4, 2004 16:06 UTC (Tue) by arcticwolf (guest, #8341) [Link]

If looking at the source code is not an effective way to find (exploitable) bugs, then why is publishing the source code a bad thing? :)

Self-contradiction

Posted May 4, 2004 19:41 UTC (Tue) by AnswerGuy (subscriber, #1256) [Link]

I noticed the self-contradiction, too.

Publishing the source is bad because the bad guys will find the vulnerabilities *and* it offers no benefit because the good guys can't find the vulnerabilities in the published sources.

Huh?

So the bad guys can see things that the good guys can't. Thus we should strive to keep source code secret from the "good guys" (and all those "nobodies" of neutral or uncertain provenance).

Keeping the sources secret from the prying eyes of international espionage specialists is predicated on the notion that none of them will ever plant agents in U.S. software firms (perhaps via H1-B visas or as JANITORIAL STAFF), none of them will ever manage to pull a black bag job on any software firm with the sources (that would be a "B&E" --- breaking and entry, preferably a stealthy entrance and undetected escape after copying files or planting bugs), and none of them will ever manage to bribe, blackmail, or extort any of the staff who have access to the source code.

We know the bad guys wouldn't resort to deception, trespass, bribery, blackmail, extortion, wiretapping, or thievery in order to access our vital source code secrets. They are far too unsophisticated for that! They need us to coddle their espionage efforts by publishing our sources on the web!

Somebody laced their crack with PCP!

JimD

Self-contradiction

Posted May 5, 2004 2:22 UTC (Wed) by hs (guest, #15495) [Link]

Publishing the source is bad because the bad guys will find the vulnerabilities *and* it offers no benefit because the good guys can't find the vulnerabilities in the published sources.

does that mean that the bad guys are good and the good guys are bad?

Green Hills Software strikes again

Posted May 4, 2004 16:13 UTC (Tue) by miah (guest, #639) [Link]

Their OS is so secure that they don't even run it!

(netcraft)
NetBSD/OpenBSD Apache/1.3.29 (Unix) PHP/4.3.3 7-Nov-2003 63.102.70.69 Green Hills software
NetBSD/OpenBSD Apache/1.3.14 (Unix) PHP/4.0.2 13-Dec-2000 63.102.70.69 Green Hills software

Green Hills Software strikes again

Posted May 4, 2004 18:06 UTC (Tue) by markhb (guest, #1003) [Link]

Of course they aren't running their OS on their web servers; it isn't designed for that at all. Look at their product pages; it's an embedded, real-time OS designed for things like running the onboard systems in Sikorsky helicopters. That's what makes this whole series of articles (and the responses to it on Slashdot, Groklaw, and now here on LWN) so ludicrous; Linux is a general-purpose OS, while Green Hills' product is designed for a narrow niche market. The military is not going to be buying an embedded OS and trying to port OpenOffice to it.

Of course, the converse would be interesting; I'd like to see RMS' face when he was told that the USAF was going to use the HURD as the onboard control OS for the Minuteman III.

Then why do they run linux?

Posted May 4, 2004 16:27 UTC (Tue) by mikesalib (subscriber, #17162) [Link]

If linux is such a security nightmare, then I'd love to know why they use it internally so much. After all, if linux allows "bad" people to compromise critical systems, then bad people could easily compromise Green Hills and then compromise their proprietary RTOS.

Granted, they don't use linux for everything, but they do use it a fair bit. Their debugger and compiler tools all run on linux, some of their developers run linux on their desktops, and they've done a lot of work adding gcc-compatibility to their compiler so they can compile the linux kernel. If linux is such a threat to national security, none of that work seems very patriotic...

These observations are based on what I saw when I interviewed there about 2 months ago.

Green Hills Software strikes again

Posted May 4, 2004 17:39 UTC (Tue) by coolian (guest, #14818) [Link]

I already terminated GHS involvement in my last search for software to use for a major project coming up. This kind of bull is the last thing I need from a company.

Single user systems my ass

Posted May 4, 2004 22:30 UTC (Tue) by jae (guest, #2369) [Link]

"They [Linux, Unix, Windows] were all originally single user systems".

'nuff said.

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.