Brief items

Security Certification - The Open Source Way

November 12, 2003

This article was contributed by Jake Edge.

An open approach was used in the first ever security certification for Linux, as befits the open source nature of the operating system. IBM and SuSE teamed up to certify SuSE Linux Enterprise Server 8 (SLES 8) on IBM eServer xSeries hardware and achieved Common Criteria Evaluation Assurance Level 2+ (EAL2+) in July. Much of the documentation that was done to accomplish this is available from the SuSE and IBM Linux Technology Center web sites.

"This very open approach is unusual for a certification," according to Klaus Weidner, senior IT security consultant for atsec, the German firm responsible for the evaluation. "The overall effort for another distribution is significantly lower if they re-use the material that has been released to the Open Source community from the evaluation of SLES 8," he said. The material that has been released includes a high-level design, a security guide, the security target, test plans, and the certification report. In addition, bugs found during the process have been fixed and the resulting patches fed back to the developers for inclusion in upcoming releases.

Common Criteria security certification consists of two elements: the "security target" (or "protection profile") that specifies the security features of the product to be evaluated and the "assurance level" which provides a level of confidence that the security functions perform as documented. For the EAL2 certification, the security target was created by IBM and SuSE. The evaluation process looked at SuSE's "configuration management, acceptance procedures and development security," Weidner said, and SuSE was "found to meet and exceed all requirements for this evaluation." A few bugs were found in the testing process, particularly in PAM authentication, and they were fixed and funneled back to the development community.

Looking forward, the evaluation and testing for an EAL3 certification is currently under way using the Controlled Access Protection Profile (CAPP), which is a standardized security target created by the NSA. CAPP is the target that was used by Microsoft to achieve an EAL4 certification for Windows 2000. These certifications are widely seen by companies and government agencies as a seal of approval for the security functions of a product.

The main areas that need work for the EAL3 certification are adding an auditing subsystem and documenting what Weidner called "security-relevant subsystem interfaces". As part of that process, any undocumented Linux system calls need to have man pages written for them; the resulting pages will, of course, be provided back to the Linux community. The audit subsystem has been completed and is undergoing tests; the kernel portion is based on the systrace patch, along with a set of user-space utilities that were developed by IBM and SuSE. These too will be open source.

EAL4 certification (should IBM and SuSE take that step) will require even more documentation, including internal interfaces inside the kernel. "Kernel hackers may be happy with using the source code as a reference, but EAL4 requires a descriptive low-level design document," Weidner said. This effort would be huge and it is not known whether it will be done, but it would obviously serve as a great reference to kernel internals.

One of the bigger questions surrounding these certifications is what they really mean for the security of the system. Unfortunately, the answer seems to be: not much. Professor Jonathan Shapiro of Johns Hopkins University has an analysis of the Windows 2000 EAL4 certification, and much of what he says can be applied to the EAL2 (and presumably upcoming EAL3) certification of SLES 8. In summary, both the CAPP and the target used for EAL2 define away most of the "real world" security problems that operating systems face. From the CAPP document:

The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security.

which Shapiro translates into:

Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast.

While CAPP is the "standard", it really does not provide requirements that would make a system secure from the biggest security threats that exist today. It seems somewhat unlikely that the cracker community is particularly well funded, but they certainly are hostile, clever, and persistent. Given the volume of exploits against the CAPP/EAL4 certified Windows 2000, it seems clear that certification is mostly a marketing bullet point to make purchasers more comfortable without actually providing a secure system.

Comments (5 posted)

Where are the Fedora updates?

Some users of the Fedora Core 1 release have noted that it contains at least one package (ethereal) with a known vulnerability and have asked when security updates will become available. The response from Red Hat is:

With the switch to Fedora, we have to rejigger some of the infrastructure in pushing updates. This has hit a few delay snags, we hope to get things straightened out soon.

The first update (for EPIC) has found its way to the download directory, and the ethereal update is in the testing directory. Announcements will go to the fedora-announce list soon. Fedora Core is a new distribution, and some of the mechanisms are still going into place, but it should all be there before too long.

Comments (none posted)

New vulnerabilities

conquest: buffer overflow

Package(s): conquest    CVE #(s): CAN-2003-0933
Created: November 10, 2003    Updated: November 13, 2003
Description: Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could allow a local attacker to gain unauthorized access to the group conquest.
Debian DSA-398-1 conquest 2003-11-10

Comments (none posted)

epic4: buffer overflow

Package(s): epic4    CVE #(s): CAN-2003-0328
Created: November 10, 2003    Updated: November 25, 2003
Description: Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user.
Red Hat RHSA-2003:342-01 EPIC 2003-11-17
Fedora FEDORA-2003-008 epic 2003-11-12
Debian DSA-399-1 epic4 2003-11-10
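The "negative amount of memory" in the EPIC4 advisory is the general failure mode of trusting a length that the remote side supplies: a signed value, or a subtraction that underflows, becomes a huge size_t when it reaches the allocator. As an added illustration that is not EPIC4 code or anything from the advisory, the following shows that pattern in a comment and a hardened length parser beside it; MAX_REPLY_BYTES, the header-length parameter and the sample fields are all constructed for the example.

```c
/* Added example (not EPIC4 code): validating a payload length that an
 * IRC-style server supplies before it is used for an allocation. */
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REPLY_BYTES 4096   /* hypothetical protocol ceiling */

/* Vulnerable pattern (shown for contrast, never executed here):
 *
 *   int len = atoi(field) - HEADER_LEN;   // may be negative
 *   char *buf = malloc(len);              // negative int -> huge size_t
 *   memcpy(buf, payload, len);            // writes far past buf, or through NULL
 */

/* Hardened form: parse as unsigned, insist the whole field is digits, refuse
 * anything above the protocol ceiling, and do the header subtraction only
 * after proving it cannot underflow. Returns 0 and fills *out on success;
 * returns -1 and leaves *out untouched on any invalid input. */
int parse_payload_len(const char *field, size_t header_len, size_t *out)
{
    if (field == NULL || !isdigit((unsigned char)*field))
        return -1;                  /* rejects "", "-5", " 5", "+5" up front */
    errno = 0;
    char *end;
    unsigned long v = strtoul(field, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;                  /* overflow or trailing garbage */
    if (v > MAX_REPLY_BYTES)
        return -1;                  /* larger than the protocol allows */
    if (v < header_len)
        return -1;                  /* subtraction would underflow */
    *out = (size_t)v - header_len;
    return 0;
}

/* Allocate and copy a payload only after its declared length has been
 * validated and shown not to exceed the bytes actually received.
 * Returns a heap buffer the caller frees, or NULL on rejection. */
char *copy_payload(const char *len_field, size_t header_len,
                   const char *payload, size_t payload_avail)
{
    size_t n;
    if (parse_payload_len(len_field, header_len, &n) != 0)
        return NULL;
    if (n > payload_avail)          /* declared length exceeds what arrived */
        return NULL;
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample length fields, as a server reply might carry them */
    const char *fields[] = { "100", "-5", "5", "12abc", "4097" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        size_t n;
        if (parse_payload_len(fields[i], 10, &n) == 0)
            printf("%-6s -> payload of %zu bytes\n", fields[i], n);
        else
            printf("%-6s -> rejected\n", fields[i]);
    }
    return 0;
}
```

The check order matters: the ceiling comparison happens while the value is still an unsigned integer the parser produced, so no arithmetic is done on untrusted data before it has been bounded.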

Comments (none posted)

ethereal: multiple remote and local vulnerabilities

Package(s): ethereal    CVE #(s): CAN-2003-0925 CAN-2003-0926 CAN-2003-0927
Created: November 10, 2003    Updated: December 17, 2003
Description: Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting in denial of service and remote code execution.
Mandrake MDKSA-2003:114 ethereal 2003-12-10
Fedora FEDORA-2003-022 ethereal 2003-11-25
Gentoo 200311-04 net-analyzer/ethereal 2003-11-22
Red Hat RHSA-2003:323-01 ethereal 2003-11-10
Conectiva CLA-2003:780 ethereal 2003-11-07

Comments (none posted)

hylafax: remote code execution

Package(s): hylafax    CVE #(s): CAN-2003-0886
Created: November 10, 2003    Updated: November 20, 2003
Description: Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients via a protocol similar to FTP. The SuSE Security Team found a format bug condition during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax's default configuration. The "capi4hylafax" packages also need to be updated as a dependency where they are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details.
Gentoo 200311-03 net-misc/hylafax 2003-11-10
Debian DSA-401-1 hylafax 2003-11-17
Conectiva CLA-2003:783 hylafax 2003-11-12
Mandrake MDKSA-2003:105 hylafax 2003-11-11
SuSE SuSE-SA:2003:045 hylafax 2003-11-10
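A "format bug" of the kind the hylafax advisory describes arises when a daemon hands client-supplied text to a printf-family function as the format argument rather than as data. As an added illustration that is not hfaxd code, the following shows the bad pattern in a comment, the one-line hardened form, and a small review helper for spotting strings that would carry directives; the function names and the sample client message are constructed.

```c
/* Added example (not hfaxd code): the format-string bug class, its fix, and
 * a helper for code review or fuzz triage. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown for contrast, never executed here):
 *
 *   void log_client(const char *client_msg) {
 *       char line[256];
 *       snprintf(line, sizeof line, client_msg);   // client text IS the format
 *   }
 *
 * Any '%' directive in the client's text is interpreted against the caller's
 * stack, so the client controls memory reads and, through "%n", memory writes.
 * In a daemon running as root that is how the class reaches code execution.
 */

/* Hardened form: the format is a literal and the untrusted text is an
 * argument, so it is copied byte for byte. Returns 0 on success, -1 if the
 * message did not fit (callers should treat truncation as an error too). */
int log_client_safe(char *line, size_t linesz, const char *client_msg)
{
    int n = snprintf(line, linesz, "client: %s", client_msg);
    return (n >= 0 && (size_t)n < linesz) ? 0 : -1;
}

/* Review/fuzz helper: count conversion directives a string would carry if it
 * were ever used as a format. "%%" is a literal percent and is not counted.
 * A non-zero count on client-controlled data that reaches a *printf format
 * slot is exactly the bug above. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* escaped percent: skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed client message carrying directives */
    const char *msg = "USER %s%s%n";
    char line[128];
    if (log_client_safe(line, sizeof line, msg) == 0)
        printf("logged literally: %s\n", line);
    printf("directives a format slot would interpret: %d\n",
           count_directives(msg));
    return 0;
}
```

Compilers can flag the vulnerable pattern at build time (gcc's -Wformat-security warns when a non-literal format has no arguments), which is a cheap check to turn on for any network-facing daemon.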

Comments (none posted)

mpg123: heap overflow

Package(s): mpg123    CVE #(s): CAN-2003-0865
Created: November 12, 2003    Updated: February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
SCO Group CSSA-2004-002.0 mpg123 2004-02-19
Debian DSA-435-1 mpg123 2004-02-06
Conectiva CLA-2003:781 mpg123 2003-11-12

Comments (none posted)

omega-rpg: buffer overflow

Package(s): omega-rpg    CVE #(s): CAN-2003-0932
Created: November 11, 2003    Updated: November 13, 2003
Description: Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could allow a local attacker to gain unauthorized access to the group games.
Debian DSA-400-1 omega-rpg 2003-11-11
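The conquest and omega-rpg entries above describe the same class of bug: a setgid game copies an environment variable or command-line argument, whose length the invoking user chooses, into a fixed-size buffer. As an added illustration that is not code from either game, the following shows the unbounded copy in a comment and a bounded replacement that reports failure rather than silently truncating; PLAYER, NAME_MAX_LEN and the default name are hypothetical.

```c
/* Added example (not conquest or omega-rpg code): handling a user-controlled
 * environment string in a setgid program. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* hypothetical limit for a player name */

/* Vulnerable pattern (shown for contrast, never executed here):
 *
 *   char name[NAME_MAX_LEN];
 *   strcpy(name, getenv("PLAYER"));   // PLAYER's length is chosen by the caller
 *
 * A long value overwrites whatever follows `name` on the stack, in a process
 * that carries the game's group privileges; an unset PLAYER dereferences NULL.
 */

/* Length of s, but never scanning more than max bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: copy only if the whole string plus its NUL fits in dst.
 * Returns 1 on success; on failure dst is set to "" and 0 is returned so the
 * caller can fall back to a default instead of using a half-copied value. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return 0;
    dst[0] = '\0';
    if (src == NULL)                        /* variable not set */
        return 0;
    size_t len = bounded_len(src, dstsz);   /* stops early on long input */
    if (len >= dstsz)                       /* no room for the terminator */
        return 0;
    memcpy(dst, src, len + 1);              /* includes the NUL */
    return 1;
}

/* Load the player name from an environment value (pass getenv("PLAYER") in
 * real use). Returns 1 if the supplied value was accepted, 0 if the default
 * had to be substituted because it was missing or over the limit. */
int load_player_name(const char *env_value, char *out, size_t outsz)
{
    if (copy_bounded(out, outsz, env_value))
        return 1;
    copy_bounded(out, outsz, "anonymous");  /* hypothetical default */
    return 0;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char oversized[300];            /* constructed: what a hostile caller sets */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    int used = load_player_name("zork", name, sizeof name);
    printf("normal:    used=%d name=%s\n", used, name);
    used = load_player_name(oversized, name, sizeof name);
    printf("oversized: used=%d name=%s\n", used, name);
    used = load_player_name(NULL, name, sizeof name);
    printf("unset:     used=%d name=%s\n", used, name);
    return 0;
}
```

Reporting the rejection, rather than truncating as strncpy would, keeps the program's behaviour explicit: a name that did not fit is not silently turned into a different name.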

Comments (none posted)
Secure programmer: Validating input (IBM developerWorks)

David A. Wheeler writes about validating input in this installment of the Secure Programmer, on IBM developerWorks. "One of the biggest mistakes developers of secure programs make is to try to check for 'illegal' data values. It's a mistake because attackers are quite clever; they can often think of yet another dangerous data value. Instead, determine what is legal, check if the data matches that definition, and reject anything that doesn't match that definition. For security it's best to be extremely conservative to start with, and allow just the data that you know is legal. After all, if you're too restrictive, users will quickly report that the program won't allow legitimate data to be entered. On the other hand, if you're too permissive, you may not find that out until after your program has been subverted."
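Wheeler's point, that a program should define what is legal and reject the rest, is easiest to see beside the approach he warns against. The following is an added illustration, not code from his article: a denylist check that rejects a handful of characters the developer thought of, next to an allowlist check for the same hypothetical username field. The field name, the length limit and the permitted character set are assumptions chosen for the example.

```c
/* Added example (not from Wheeler's article): denylist versus allowlist
 * validation of a hypothetical username field. */
#include <stddef.h>
#include <string.h>

#define USERNAME_MIN 1
#define USERNAME_MAX 32

/* Denylist: reject the characters the developer thought of. Everything the
 * developer did not think of (control characters, '%', '$', high bytes, an
 * empty string) passes, which is the weakness the article describes. */
int denylist_accepts(const char *s)
{
    if (s == NULL)
        return 0;
    return strpbrk(s, ";|&<>`'\"") == NULL;
}

/* Allowlist: accept only 1..32 bytes from [a-z0-9_-], starting with a letter.
 * Byte comparisons are used deliberately so the result does not depend on the
 * current locale the way isalpha() would. Anything else is rejected without
 * the program needing to know why it might be dangerous. */
int allowlist_accepts(const char *s)
{
    if (s == NULL)
        return 0;
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        if (n >= USERNAME_MAX)              /* too long: stop scanning now */
            return 0;
        unsigned char c = (unsigned char)s[n];
        int lower = (c >= 'a' && c <= 'z');
        int digit = (c >= '0' && c <= '9');
        if (n == 0 && !lower)               /* must start with a letter */
            return 0;
        if (!(lower || digit || c == '_' || c == '-'))
            return 0;
    }
    return n >= USERNAME_MIN;
}
```

Running both checks over the same inputs shows the difference in practice: a value such as "bob%n" or a name with an embedded newline is rejected by the allowlist but accepted by the denylist, because nobody put '%' or '\n' on the list.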

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds