Brief items

SLES 8 earned Common Criteria Evaluation Assurance Level 2+ (EAL2+) certification in July. Much of the documentation produced for the evaluation is available from the SuSE and IBM Linux Technology Center web sites.
"This very open approach is unusual for a certification," according to Klaus Weidner, senior IT security consultant for atsec, the German firm responsible for the evaluation. "The overall effort for another distribution is significantly lower if they re-use the material that has been released to the Open Source community from the evaluation of SLES 8," he said. The material that has been released includes a high-level design, a security guide, the security target, test plans, and the certification report. In addition, bugs found during the process have been fixed and the resulting patches fed back to the developers for inclusion in upcoming releases.
Common Criteria security certification has two elements: the "security target", which specifies the security functions of the product to be evaluated (a security target may claim conformance to a standardized "protection profile", a product-independent statement of requirements), and the "evaluation assurance level", which expresses how much confidence the evaluation provides that those functions behave as documented. For the EAL2 certification, the security target was written by IBM and SuSE. The evaluation process looked at SuSE's "configuration management, acceptance procedures and development security," Weidner said, and SuSE was "found to meet and exceed all requirements for this evaluation." A few bugs were found during testing, particularly in PAM authentication; they were fixed and the fixes funneled back to the development community.
Looking forward, evaluation and testing for an EAL3 certification is under way using the Controlled Access Protection Profile (CAPP), a standardized protection profile published by the NSA. CAPP is the profile against which Microsoft obtained an EAL4 certification for Windows 2000. Companies and government agencies widely regard these certifications as a seal of approval for the security functions of a product.
The main areas that need work for the EAL3 certification are adding an auditing subsystem and documenting what Weidner called "security-relevant subsystem interfaces". As part of that process, any undocumented Linux system calls need man pages written for them; the resulting pages will, of course, be contributed back to the Linux community. The audit subsystem has been completed and is undergoing tests; its kernel portion is based on the systrace patch, and a set of user-space utilities was developed by IBM and SuSE. These too will be open source.
EAL4 certification (should IBM and SuSE take that step) will require still more documentation, including descriptions of internal kernel interfaces. "Kernel hackers may be happy with using the source code as a reference, but EAL4 requires a descriptive low-level design document," Weidner said. The effort would be huge and it is not known whether it will be undertaken, but the result would serve as a great reference to kernel internals.
One of the bigger questions surrounding these certifications is what they really mean for the security of the system. Unfortunately, the answer seems to be: not much. Professor Jonathan Shapiro of Johns Hopkins University has an analysis of the Windows 2000 EAL4 certification, and much of what he says applies equally to the EAL2 (and presumably the upcoming EAL3) certification of SLES 8. In summary, CAPP (and the target used for EAL2) define away most of the "real world" security problems that operating systems face. From the CAPP document:
which Shapiro translates into:
While CAPP is the "standard", it does not provide requirements that would make a system secure against the biggest threats that exist today. It seems somewhat unlikely that the cracker community is particularly well funded, but it is certainly hostile, clever, and persistent. Given the volume of exploits against the CAPP/EAL4 certified Windows 2000, it seems clear that certification is mostly a marketing bullet point that makes purchasers more comfortable without actually providing a secure system.

The response from Red Hat is:
The first update (for EPIC) has found its way to the download directory, and the ethereal update is in the testing directory. Announcements will go to the fedora-announce list soon. Fedora Core is a new distribution, and some of the mechanisms are still going into place, but it should all be there before too long.
Created: November 10, 2003    Updated: November 13, 2003
Description: Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could allow a local attacker to gain unauthorized access to the group conquest.

Created: November 10, 2003    Updated: November 25, 2003
Description: Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user.

Package(s): ethereal    CVE #(s): CAN-2003-0925 CAN-2003-0926 CAN-2003-0927
Created: November 10, 2003    Updated: December 17, 2003
Description: Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting in denial of service and remote code execution.

Created: November 10, 2003    Updated: November 20, 2003
Description: Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients via a protocol similar to FTP. The SuSE Security Team found a format string vulnerability during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax's default configuration. The "capi4hylafax" packages also need to be updated as a dependency where they are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details.

Created: November 12, 2003    Updated: February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.

Created: November 11, 2003    Updated: November 13, 2003
Description: Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could allow a local attacker to gain unauthorized access to the group games.
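The EPIC4 entry above describes a client that lets a server-supplied length drive a memory allocation. The following is an added example of that bug class and its fix, written for this page; it is not EPIC4's code, and the reply format, the 4096-byte limit and the function names are assumptions. The point it makes runnable is that a negative signed length does not fail loudly: converted to size_t for malloc() it wraps, so a length of -1 yields malloc(0), which succeeds, and the subsequent copy of (size_t)-1 bytes runs off the end of the buffer.

```c
/* Added example (not EPIC4's code): trusting a peer-supplied length, and
 * the checks that turn a hostile length into a clean rejection. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REPLY 4096   /* assumed upper bound on one reply's payload */

/* The unsafe arithmetic a careless client performs before malloc(). For
 * len == -1 the result is 0: malloc(0) succeeds, and a later memcpy() of
 * (size_t)len bytes writes far past the buffer. Returned here, not used,
 * so the wrap-around can be observed without undefined behaviour. */
size_t unchecked_alloc_size(int len)
{
    return (size_t)len + 1;
}

/* Parse a decimal length field from a reply. Returns -1 unless the field
 * is a complete, unsigned decimal number no larger than MAX_REPLY; signs,
 * leading whitespace, trailing garbage and overflow are all rejected. */
long parse_reply_len(const char *field)
{
    char *end;
    long v;

    if (field == NULL || *field < '0' || *field > '9')
        return -1;
    errno = 0;
    v = strtol(field, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    if (v < 0 || v > MAX_REPLY)
        return -1;
    return v;
}

/* Copy a reply payload into a new NUL-terminated buffer. The peer's length
 * claim is used only after it has been checked against what was actually
 * received; on any inconsistency nothing is allocated and NULL is returned. */
char *copy_reply(const char *len_field, const char *payload, size_t payload_len)
{
    long len = parse_reply_len(len_field);
    char *buf;

    if (len < 0 || (size_t)len > payload_len)
        return NULL;                  /* negative, bogus or overlong claim */
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, (size_t)len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample replies: a sane one and a hostile one. */
    char *ok = copy_reply("5", "hello world", 11);
    char *bad = copy_reply("-1", "hello", 5);

    printf("good reply    -> %s\n", ok ? ok : "(rejected)");
    printf("hostile reply -> %s\n", bad ? bad : "(rejected)");
    printf("malloc size for len=-1 without the check: %zu\n",
           unchecked_alloc_size(-1));
    free(ok);
    free(bad);
    return 0;
}
```

The check that matters most is the comparison against payload_len: a length field that merely passes range checks can still claim more bytes than the client has read, and the copy must be bounded by what is actually in hand, not by what the peer asserts.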
Resources

The latest installment of the Secure Programmer column on IBM developerWorks covers validating input. "One of the biggest mistakes developers of secure programs make is to try to check for 'illegal' data values. It's a mistake because attackers are quite clever; they can often think of yet another dangerous data value. Instead, determine what is legal, check if the data matches that definition, and reject anything that doesn't match that definition. For security it's best to be extremely conservative to start with, and allow just the data that you know is legal. After all, if you're too restrictive, users will quickly report that the program won't allow legitimate data to be entered. On the other hand, if you're too permissive, you may not find that out until after your program has been subverted."
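An added example of the advice quoted above, written for this page rather than taken from the column: a denylist check that strips a few "known bad" characters beside an allowlist check that spells out exactly what a field may contain. The field names, the 32-character nickname limit and the character set are assumptions chosen for illustration.

```c
/* Added example: denylist versus allowlist validation of two input fields.
 * Not code from the Secure Programmer column; limits are assumptions. */
#include <stdio.h>
#include <string.h>

#define NICK_MAX 32   /* assumed maximum length of an IRC-style nickname */

/* Denylist approach: reject a handful of characters the author thought of.
 * Anything else ('$', '(', ')', '`', a tab, an empty string...) gets through. */
int denylist_nick_ok(const char *s)
{
    return strpbrk(s, ";|&<>") == NULL && strlen(s) <= NICK_MAX;
}

/* Allowlist approach: enumerate the only characters permitted, using explicit
 * ranges rather than isalnum() so the answer does not depend on the locale. */
static int nick_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-';
}

int allowlist_nick_ok(const char *s)
{
    size_t n = strlen(s);
    size_t i;

    if (n == 0 || n > NICK_MAX)
        return 0;
    if (s[0] == '-' || (s[0] >= '0' && s[0] <= '9'))
        return 0;                     /* must start with a letter or '_' */
    for (i = 0; i < n; i++)
        if (!nick_char_ok((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Same idea for a numeric field: a port is a complete decimal number in
 * 1..65535, so "80 " or "8080;id" are rejected outright, not "cleaned up".
 * The range check inside the loop also stops long digit strings overflowing. */
int allowlist_port(const char *s, int *port)
{
    long v = 0;
    const char *p;

    if (*s == '\0')
        return 0;
    for (p = s; *p; p++) {
        if (*p < '0' || *p > '9')
            return 0;
        v = v * 10 + (*p - '0');
        if (v > 65535)
            return 0;
    }
    if (v < 1)
        return 0;
    *port = (int)v;
    return 1;
}

int main(void)
{
    /* Constructed inputs; "bob$(id)" and "" pass the denylist, not the allowlist. */
    const char *samples[] = { "alice", "bob$(id)", "x\ty", "" };
    size_t i;
    int port;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s denylist=%d allowlist=%d\n", samples[i],
               denylist_nick_ok(samples[i]), allowlist_nick_ok(samples[i]));
    printf("port \"8080\" ok=%d  port \"80;id\" ok=%d\n",
           allowlist_port("8080", &port), allowlist_port("80;id", &port));
    return 0;
}
```

The denylist version is the one that quietly accepts a shell substitution and an empty name; the allowlist version rejects both, and when it is too strict the complaint arrives as a bug report from a user rather than as a compromise.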
Page editor: Jonathan Corbet
Next page: Kernel development>>
Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds