Another later joiner's comments

Spencer Minear minear at securecomputing.com
Fri Apr 21 15:07:45 GMT 2000


As a relative newcomer to this mail list I know I'm not up to date
on the details of the ongoing work.  But several items have caught my
attention and led me to join into the discussion and share a few
views and opinions.  I hope to have some fun in the details in the
future.

I was pleased to see the references to the work by Boebert and Kain,
"A Practical Alternative to Hierarchical Integrity Policies", and the
comments by one individual indicating that that paper was a personal
favorite.  Earl Boebert was "Da Man" at Secure Computing from its
earliest days until he went into semi-retirement in '95.  The concepts
defined in that paper have provided a major influence on the
technical work that I have been involved with at Secure Computing for
the past 14 years.

During that time we have had the opportunity to build and experiment
with something like 6 or more different secure OS's.  Some dealt with
classical MLS policies, but all provided facilities at the OS level to
support the Type Enforcement security policy concepts as they have
grown from the concepts laid down by Earl and the others that he
worked with.  Two of these efforts led to fielded systems, one
military only and one commercial (based on BSD).  The others were R&D
efforts, some externally funded, some internally funded, all of which
have had an influence in one way or another on the current state of
our commercial firewall product, Sidewinder.  The firewall includes
SecureOS, which is a variant of BSD that enforces a Type Enforcement
security policy.

Due to the influence of Earl's work, and the realization over the years
that there is no silver bullet when it comes to security, I have to
admit that I am not a fan of measuring a system against the likes of
the Orange Book.  Please don't take me out of context on that point.
That does not mean that I think nothing in the Orange Book is any
good.  It describes many necessary features, but too often it becomes
some form of legal-based measuring stick that does not address the
inherent issues of what it might take to have a usable secure system.

For me there are a few basic truisms that the modern world of computing
systems must deal with.

 1. All systems are large and complex.
 2. No modern software product will be fielded without errors.
 3. Security models used in nearly all operating systems supporting
    large computing systems lack facilities to confine the impact of
    a successful attack on some element of the system.

A really nice example to support my claims was the information
associated with the successful attack on the hackpcweek Linux
challenge site last year.  For those that did not see it, the
hacker paints a beautiful picture of poking around a system looking
for a tiny crack in a minor element of the web site.  Once through
that crack he could not be confined and was able to take over the
complete system.

If one accepts these facts and uses them to assess the security of a
system I believe one can see that as a society we have taken 3
different approaches to dealing with the problem.

 1 Throw your arms in the air and say it is too complex and ignore
   it.

    - One might argue that that is what the commercial computing world
      has been doing for way too long.

 2 Embark on an effort to build the most secure, totally perfect,
   completely bullet-proof computer system.

    - One might argue that is what the government funded research
      (that much of my career has benefited from) has been about for
      the past 20+ years.

 3 Take a pragmatic approach: take good sound security mechanisms,
   integrate them into existing OS's and go solve problems.

Not that I'm biased or might suffer from wearing rose-colored
glasses, but I think that is what we at SCC have done in building the
SecureOS for Sidewinder.  I am aware of the DTE work started by TIS
some years back that was mentioned earlier; it shares some of that same
spirit.  I know of other companies that are successfully doing similar
things with systems derived from the early CMW work.

I am happy to see the emerging efforts to add more security mechanisms
into Linux, and now FreeBSD.  It means that a larger body of people
are realizing that the lack of security in our current computing
infrastructure is a problem that will get really serious if something
isn't done.

The fact that lots of people have worked on this for a long time,
however, suggests that it is not as easy as just adding facilities.  In my
opinion the measures of a good usable secure OS are quite simple.

 A) Writing a policy must be easy to do and understand.  If it takes
    an on-site Ph.D. in formal methods it will not be accepted.  If it
    takes a month to set up a basic policy for one application it will
    not be accepted.

 B) Obviously it must solve the problems caused by what I call global
    privileges.  The "root can do all" model is the absolute worst
    approach possible.  The IEEE capabilities model is much better, but
    still has too many global privileges.

 C) One must be able to use the security mechanism of the OS to
    confine an application that was designed with no knowledge of the
    mechanisms.  Application developers will come along later and
    build their systems better once they see the value.  But until
    then the secure OS must be binary compatible with the existing
    version of the comparable OS.

Spence Minear
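The confinement argument in the post (truism 3, the hackpcweek example, and point B on global privileges) can be shown concretely with a minimal Type Enforcement model. The code below is an added illustration, not Sidewinder's or SecureOS's policy engine; the domain and type names and the sample policy are constructed for the example.

```python
"""Minimal Type Enforcement (TE) access-control model.

Domains are subjects (the context a process runs in); types label objects.
The Domain Definition Table (DDT) lists, per domain, the permissions it
holds on each type.  Anything not listed is denied.  Constructed sample
policy, not taken from any real product.
"""
from typing import Dict, Set, Tuple

Perm = str
DDT = Dict[str, Dict[str, Set[Perm]]]

# Constructed policy: the web daemon may only serve its own content and
# append to its log; only the admin domain may touch system configuration.
POLICY: DDT = {
    "webd_d": {
        "web_content_t": {"read", "execute"},
        "web_log_t": {"append"},
    },
    "admin_d": {
        "web_content_t": {"read", "write"},
        "web_log_t": {"read"},
        "system_config_t": {"read", "write"},
    },
}

def te_allowed(policy: DDT, domain: str, obj_type: str, perm: Perm) -> bool:
    """Default-deny DDT lookup: an unknown domain, type or permission is denied."""
    return perm in policy.get(domain, {}).get(obj_type, set())

def root_allowed(uid: int, obj_type: str, perm: Perm) -> bool:
    """The 'root can do all' model: uid 0 is never denied, whatever the object."""
    return uid == 0

def blast_radius(policy: DDT, domain: str) -> Set[str]:
    """Every type a domain can touch at all: the most an attacker who takes
    over a process in that domain can reach under TE."""
    return {t for t, perms in policy.get(domain, {}).items() if perms}

def simulate_compromised_web_server() -> Dict[str, Tuple[bool, bool]]:
    """Compare what an attacker owning the web daemon gets under each model.
    Returns {"type:perm": (allowed under TE, allowed under root-can-do-all)};
    the root model assumes the daemon runs as uid 0, as was common in 2000."""
    attempts = [("system_config_t", "write"), ("web_content_t", "read"),
                ("web_log_t", "read")]
    return {f"{t}:{p}": (te_allowed(POLICY, "webd_d", t, p), root_allowed(0, t, p))
            for t, p in attempts}
```

Under TE the compromised daemon stays inside `blast_radius(POLICY, "webd_d")`, while the root model grants every request, which is the uncontained takeover the post describes.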