On Mon, 28 Dec 1998, Bennett Todd wrote:
> Well --- sure. Those don't strike me as hard to solve well enough, without a
> trusted OS.
Securelevel and ACLs start to solve them, but don't do the whole job.
"Well enough" depends on your situation; I happen to believe that
building secure infrastructure scales "well enough" quite a bit beyond
semi-secure infrastructure, YMMV.
> The Hard problem is assuring that the CGI doesn't damage the most valuable
> data on the same machine, which is to say the data it must be able to
> manipulate to do its job. That requires auditing, no way around it.
Of course, that depends, not all CGI access needs to be "change"-type.
Write-only is also a good thing. Also, the CGI data *isn't* the most
valuable data on the machine, the administrator's access is, everything
scales down from there.
> What I hear you saying is that trusted OSes are good for sandboxing. Sure. So
> is separate hardware, and at the level of security-critical CGIs it's an easy
> fix --- and one I'm more likely to trust than an OS used by a few people here
> and there, who don't have access to its source.
That's only a good thing if you can sandbox developers, administrators,
or if your trust model dictates extending trust to them. For things like
SEC-controlled data that may not be the best option, your lawyers may vary.
>
> As for the trustworthiness of the evaluation process, for whatever its worth,
> military machines attached to the internet are routinely burgled, and the
Most "military machines" are general purpose OS based systems. Having run
and been a user of quite a few "military machines" in a past life I think
I can speak with at least some insight...
> standard "oh this is no problem" response from the press flacks is that
> _important_ machines cannot be attached to the internet; I am inclined to read
This, at least during my time in, was true, and I'd hope it's still true:
compromise of a single administrator shouldn't compromise the computing
system or its information, and on GP OS' that's pretty much a given [it is as
well on some trusted OS', something I'd like to see changed]...
> here that the evaluation process is expected to produce OSes that cannot be
> configured to withstand the grade of attack that will be mounted from the
> internet.
Well, I can set that straight I think. The model we used followed the
rainbow series, mostly TNI (The Red Book). Classified systems weren't
attached to *any* public network without so many hoops it's not funny,
*including* the PTN, or even a private point-to-point circuit and that
required strong crypto at both ends with hand-couriered encryption
keys. It's really got nothing to do with grade of attack, and everything to
do with security model.
Systems and networks are traditionally rated for the level of classification
they can process; a particular installation has an accreditation based on the
implementation of its evaluated systems. You don't traditionally connect a
system rated for [value] to one rated for less than [value], or even put users
whose classification level is less than [value] on a system that isn't MLS
capable. The goal being that only someone with legitimate access to some
particular information can compromise it, same with accounts and machines
and facilities. The problem we're left with is limiting the scope of
legitimate access and auditing that access. MLS systems are a design which
seeks to take care of the scope problem (as are compartments in the user
space). All trusted systems are designed to ensure the audit mechanism and
role is at least somewhat strong, MLS systems provide a great solution there
too.
Most of the systems I've seen that handled classified data weren't
B-level systems either, hence a large part of the physical separation
issue. Trust extended to an untested system is less than that extended
to a C-level system, is less than that extended to a B-level system...
Just like everyone else, our government can't afford to put strong
systems everywhere, and has a large number of managers who don't have
INFOSEC clue 1. Hopefully things like RSBAC will help to raise the bar
of what's possible, and drive GP OS' to include more tools and mechanisms
for building real security.
> In other words, the boys setting gov't security practices seem to count on
> separate-hardware for their sandboxing.
There's an initiative underway for Dockmaster II to hold both
unclassified and classified data and be on the Internet. AFAIK it's
waiting for the OS to pass B2 before they add anything beyond unclassified.
http://www.nsa.gov:8080/isso/brochure/hiassur.htm
So, it would appear that NSA seems to think a B2 (red book B2) system has
enough of what it takes to sit on both red and black networks at the same
time, including the Internet. They don't seem to think the same thing of any
general purpose OS. alt.conspiracy theories aside, I happen to think they're
right.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
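The MLS rules Paul describes above (a system or user rated for one level is never connected to, or given reads from, something rated higher; write-only access upward is fine; compartments narrow the scope of legitimate access) are the Bell-LaPadula lattice. The following is an added illustration written for this page, not code from Paul's message or from any of the systems discussed. The level names, compartment names and the "one-way flow" function are constructed assumptions for the example; real accreditation involves far more than a label comparison.

```python
"""Toy MLS label lattice, Bell-LaPadula style (added example, not from the thread).

A label is (level, compartments). Label A dominates B when A's level is at
least B's level and B's compartments are a subset of A's. Subjects may read
objects they dominate (no read up) and write objects that dominate them
(no write down), which is exactly why a low-clearance CGI can be given
write-only access to a higher-labelled store but never read access.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed ordering of levels for the example; the names are assumptions.
LEVELS: Dict[str, int] = {
    "UNCLASSIFIED": 0,
    "CONFIDENTIAL": 1,
    "SECRET": 2,
    "TOP SECRET": 3,
}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")


def dominates(a: Label, b: Label) -> bool:
    """True when a is at least as high as b on both axes of the lattice."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (append-only access upward is allowed)."""
    return dominates(obj, subject)


def link_allowed(system_a: Label, system_b: Label) -> bool:
    """A two-way network link between two single-level systems is only
    acceptable when both are rated identically; anything else lets data
    flow from a higher rating to a lower one in at least one direction."""
    return dominates(system_a, system_b) and dominates(system_b, system_a)


def one_way_flow_allowed(src: Label, dst: Label) -> bool:
    """Assumed generalisation: a strictly one-directional channel (think
    guard or data diode) is acceptable when the destination dominates the
    source, because information only ever moves up the lattice."""
    return dominates(dst, src)


def cgi_access_matrix(cgi: Label, stores: Dict[str, Label]) -> Dict[str, str]:
    """Summarise what a CGI running at label `cgi` may do to each data store:
    'rw', 'read-only', 'write-only' or 'none'."""
    result = {}
    for name, store in stores.items():
        r, w = can_read(cgi, store), can_write(cgi, store)
        result[name] = {(True, True): "rw", (True, False): "read-only",
                        (False, True): "write-only", (False, False): "none"}[(r, w)]
    return result


if __name__ == "__main__":
    # Constructed sample: an unclassified web CGI and three data stores.
    cgi = Label("UNCLASSIFIED")
    stores = {
        "public_pages": Label("UNCLASSIFIED"),
        "audit_log": Label("SECRET"),
        "crypto_keys": Label("SECRET", frozenset({"CRYPTO"})),
    }
    print(cgi_access_matrix(cgi, stores))
    print("two-way link SECRET<->UNCLASSIFIED allowed:",
          link_allowed(Label("SECRET"), Label("UNCLASSIFIED")))
```

The interesting row is `audit_log`: the CGI can append to it but never read it back, which is the "write-only is also a good thing" point in the message. Compartments behave the same way as levels: a SECRET subject without the constructed `CRYPTO` compartment does not dominate `crypto_keys` and gets no read access, even though the level alone would permit it.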
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]