Notes from the Intelpocalypse
Posted Jan 5, 2018 9:38 UTC (Fri) by ortalo (guest, #4654) In reply to: Notes from the Intelpocalypse by mtaht
Parent article: Notes from the Intelpocalypse
I think your summary is too negative. Admittedly, the Orange Book (and academic security requirements in general) have always been high and ambitious; but the primary reason they appear unachievable today is that so many people lowered their own security requirements so far in the meantime that decades-old objectives sound impossible.
B1 (or ITSEC E5+ or CC EAL5+) systems are achievable with networking - of course. Orange Book et al. requirements are too old to be used as-is, but the way they were built and designed should not have been thrown away carelessly, as, IMHO, they were much more pertinent to computer security than many recent useless recipes. E.g. I keep on repeating that vulnerability analysis is only the last ten percent of the security work and that most effort should be spent on protection design, not on breaking things. Yes, I know, I said it once again - it must be senility lurking. (or is it disinformation? :-)
And sometimes the tools are even already here. The main difference between B and C levels is the multilevel mandatory policy. Mandatory policy mechanisms have come back in mainstream Linux systems. Row-level security mechanisms are available in mainstream PostgreSQL, etc. And everyone sees that they are not so easy to use as they are, so more work would be needed to make them usable. But in fact, very logically given the technology improvements, some implementations have already advanced much further than what these decades-old standards were proposing.
What is misleading is the way the general objective of computer security has been twisted. The end user should trust the system. Several lines of defense should be installed. Security kernels (TCBs) and their properties should be well defined (and realistic). Security documentation should be available (including for the vulnerabilities). These objectives were present in the old books. Hopefully they are still present in many works but they do not seem to gather the most valuable effort (typically money). Maybe they were not as well defined as their writers thought - but I also think too few people fought for them.
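The comment above points at PostgreSQL row-level security as one of the "tools already here" for the multilevel mandatory policy that separates the B levels from the C levels. The script below is an added example (not part of ortalo's comment, and not PostgreSQL's own documentation) showing how the two classic multilevel rules, no read up and no write down, can be written as RLS policies. The role names (secadmin, alice, bob), table names (clearances, documents) and the 0-3 level scale are assumptions for the demo, and the sample rows are constructed. It is meant to be run as a superuser in a scratch database.

```sql
-- Added example: a minimal multilevel "no read up / no write down" mandatory
-- policy expressed with PostgreSQL row-level security (RLS).
-- Role and table names below are assumed for the demo, not taken from the page.

-- The security administrator owns the labels; ordinary users may read them
-- but can never change their own clearance (that is what makes it mandatory).
CREATE ROLE secadmin;
CREATE ROLE alice;   -- will be cleared to level 2
CREATE ROLE bob;     -- will be cleared to level 1

CREATE TABLE clearances (
    role_name name PRIMARY KEY,
    level     int  NOT NULL CHECK (level BETWEEN 0 AND 3)
);
ALTER TABLE clearances OWNER TO secadmin;
GRANT SELECT ON clearances TO PUBLIC;
INSERT INTO clearances VALUES ('alice', 2), ('bob', 1);   -- constructed labels

CREATE TABLE documents (
    id             serial PRIMARY KEY,
    classification int  NOT NULL CHECK (classification BETWEEN 0 AND 3),
    body           text NOT NULL
);
ALTER TABLE documents OWNER TO secadmin;
GRANT SELECT, INSERT, UPDATE ON documents TO alice, bob;
GRANT USAGE ON SEQUENCE documents_id_seq TO alice, bob;

-- Constructed sample rows, inserted before RLS is switched on so that the
-- superuser running this script seeds them without a clearance row.
INSERT INTO documents (classification, body) VALUES
    (0, 'public notice'),
    (1, 'confidential memo'),
    (2, 'secret design'),
    (3, 'top secret key schedule');

-- Attach the policy to the table itself. FORCE makes the table owner subject
-- to it as well; only secadmin (or a superuser) can alter the policies.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE  ROW LEVEL SECURITY;

-- Simple security property (no read up): a subject sees only rows whose
-- classification is at or below its clearance. A role with no clearance row
-- gets NULL from the subquery and therefore sees nothing.
CREATE POLICY no_read_up ON documents FOR SELECT
    USING (classification <=
           (SELECT level FROM clearances WHERE role_name = current_user));

-- *-property (no write down): a subject may only create rows at or above
-- its own clearance, so it cannot copy what it read into a lower level.
CREATE POLICY no_write_down ON documents FOR INSERT
    WITH CHECK (classification >=
                (SELECT level FROM clearances WHERE role_name = current_user));

-- Updates must satisfy both rules: the existing row must be readable and the
-- new version must stay at or above the writer's level.
CREATE POLICY no_write_down_update ON documents FOR UPDATE
    USING (classification <=
           (SELECT level FROM clearances WHERE role_name = current_user))
    WITH CHECK (classification >=
                (SELECT level FROM clearances WHERE role_name = current_user));

-- Demo: bob (level 1) sees only the level 0 and 1 rows ...
SET ROLE bob;
SELECT id, classification, body FROM documents ORDER BY id;
-- ... and is refused when he tries to write below his own level:
-- ERROR:  new row violates row-level security policy for table "documents"
INSERT INTO documents (classification, body) VALUES (0, 'copied downwards');
RESET ROLE;
```

Two caveats illustrate the "not so easy to use as they are" remark. First, RLS is a per-table mechanism: every table holding labelled data needs its own policies, and superusers and roles with BYPASSRLS are not subject to them at all, so the TCB boundary has to be drawn around who can hold those roles. Second, the policies above stop direct reads and writes but not every covert channel the old B-level criteria asked you to analyse: a UNIQUE constraint on a user-visible column, for example, would make a low-cleared insert fail with a duplicate-key error whenever a higher-classified row already uses that value, revealing its existence.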