SEO

Does anyone know of any evaluation work - underway or planned - to
certify one of the BSD's for EAL Common Criteria approval?

For background, a customer's project is _mandated_ to use an OS which
has passed Common Criteria evaluation - see www.commoncriteriaportal.org

Some OSes with EAL certification include:
- MS Windows 2000, XP, 2003;
- Apple Mac OS X 10.3.6;
- SUSE Linux Enterprise Server 9 (text mode only);
- RedHat Enterprise Linux 4 Update 1 (text mode only).

BSD would be a great fit for this project, but sponsoring an EAL
Evaluation would be prohibitively expensive for the customer, unless
there is previous work to base it on. The Mac OS X approval is
interesting, but unlikely to help very much.

www.trustedbsd.org has some info, but doesn't mention any EAL approval
applications.

Thanks for any pointers.

- Martin.

Martin wrote:
> Does anyone know of any evaluation work - underway or planned - to
> certify one of the BSD's for EAL Common Criteria approval?
>
> For background, a customer's project is _mandated_ to use an OS which
> has passed Common Criteria evaluation - see www.commoncriteriaportal.org
>
> Some OSes with EAL certification include:
> - MS Windows 2000, XP, 2003;
> - Apple Mac OS X 10.3.6;
> - SUSE Linux Enterprise Server 9 (text mode only);
> - RedHat Enterprise Linux 4 Update 1 (text mode only).
>
> BSD would be a great fit for this project, but sponsoring an EAL
> Evaluation would be prohibitively expensive for the customer, unless
> there is previous work to base it on. The Mac OS X approval is
> interesting, but unlikely to help very much.
>
> www.trustedbsd.org has some info, but doesn't mention any EAL approval
> applications.
>
> Thanks for any pointers.
>
> - Martin.

I'm a fan for standards. I'd love to hear any update as it happens. I
check newsgroups often, but don't prefer to subscribe to email lists.

If you don't mind, keep us posted here. You have crossposted, and I
think that's the best way to do it.

Let us know, thank you very much for the link!

In comp.unix.bsd.netbsd.misc Martin <not-for-mail@example.com> wrote:
>
> For background, a customer's project is _mandated_ to use an OS which
> has passed Common Criteria evaluation - see www.commoncriteriaportal.org
>
> Some OSes with EAL certification include:
> - MS Windows 2000, XP, 2003;
> - Apple Mac OS X 10.3.6;
> - SUSE Linux Enterprise Server 9 (text mode only);
> - RedHat Enterprise Linux 4 Update 1 (text mode only).

I agree about the advantages of being certified, but I see certification
laboratories as a business instead of quality assurance organizations.
If you want additional information about the Common Criteria project
you can look at http://www.commoncriteriaportal.org/
(I guess that you already know this URL.)

Even if not certified I really trust on BSDs (mainly NetBSD and OpenBSD)
on security matters. I will not care about Microsoft or Linux-based
products certified for security compliance. Even if not certified,
I will certainly choose a BSD for both performance, reliability and
security to any other operating system. Just take a look at security
reports for these operating systems. I will not care about security
certifications obtained by per-release payments to a laboratory for a
software product. That is a business and these certification authorities
are in business for earn money. Instead of that, I prefer looking at
facts (e.g., the United States Department of Justice is using OpenBSD)

> BSD would be a great fit for this project, but sponsoring an EAL
> Evaluation would be prohibitively expensive for the customer, unless
> there is previous work to base it on. The Mac OS X approval is
> interesting, but unlikely to help very much.
>
> www.trustedbsd.org has some info, but doesn't mention any EAL approval
> applications.

BSD is great for security even if not certified. I will certainly not
trust on someone that classifies operating system security based on its
certification level. Ok, try to explain a black hat that "he cannot
break into a computer because its operating system has EAL certification."

Of course, certification would be great just for the fun to see how
a BSD performs on this matter when compared to other operating systems.

Cheers,
Igor.

In comp.unix.bsd.netbsd.misc Igor Sobrado <igor@nospam.invalid> wrote:
> In comp.unix.bsd.netbsd.misc Martin <not-for-mail@example.com> wrote:
>>
>> For background, a customer's project is _mandated_ to use an OS which
>> has passed Common Criteria evaluation - see www.commoncriteriaportal.org
[...]
> If you want additional information about the Common Criteria project
> you can look at http://www.commoncriteriaportal.org/
> (I guess that you already know this URL.)

D'oh! Indeed, I should have read more carefully your post. Obviously
you were aware of that URL.

Best regards,
Igor.

Igor Sobrado wrote:

> BSD is great for security even if not certified.

Yes, of course, that's why I like to use BSD! Good security, plus
stability, performance, easy maintenance...

The problem is that some customer projects have regulatory constraints
that *mandate* the use of Common Criteria certification. So not only
must the OS be secure, but also the project must show the regulator that
all required security functionality has been tested by a certified
external assessor. The problem here is cost, especially if no previous
BSD release has been evaluated in this way before.

For those interested, here is another URL for Common Criteria info:
http://niap.bahialab.com/cc-scheme/index.cfm
This page contains details of products which are currently undergoing
evaluation, but BSD is not listed.


- Martin.

Martin <not-for-mail@example.com> wrote:
> The problem is that some customer projects have regulatory constraints that
> *mandate* the use of Common Criteria certification.

Which regulatory constraints are they? I've worked on a number of products
that have been CE and FCC (among the other usual suspects) approved, but I
can't say I ever encountered ``Common Criteria'' in the relevant bibles.

> So not only must the OS be secure, but also the project must show the
> regulator that all required security functionality has been tested by a
> certified external assessor. The problem here is cost, especially if no
> previous BSD release has been evaluated in this way before.

Approval is expensive... BSD is a Unix-style operating system. Many of the
operating systems you mention that have been approved derive more or less
substantial portions of their code from BSD. Since BSD has not been standing
still since those derivations happened, I would be quite confident that BSD
would be pass approval provided some details are checked.

- Philip

--
Philip Paeps Please don't email any replies
philip@paeps.cx I follow the newsgroup.

Mynd you, m00se bites Kan be pretty nasti ...
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

In comp.unix.bsd.freebsd.misc Martin <not-for-mail@example.com> wrote:
> Does anyone know of any evaluation work - underway or planned - to
> certify one of the BSD's for EAL Common Criteria approval?
....
>
> www.trustedbsd.org has some info, but doesn't mention any EAL approval
> applications.

best ask this question on trustedbsd-discuss@ [1]. There are the people
who will probably be able to tell you all the details.


References:
[1] http://lists.freebsd.org/mailman/lis...tedbsd-discuss

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT

In comp.unix.bsd.netbsd.misc Martin <not-for-mail@example.com> wrote:
> Igor Sobrado wrote:
>
>> BSD is great for security even if not certified.
>
> Yes, of course, that's why I like to use BSD! Good security, plus
> stability, performance, easy maintenance...

Hi Martin.

Agreed. I usually prefer a BSD to other Unix OSes (Solaris, HP-UX,
IRIX...) I am running here because they are cleaner, very easy to
maintain, and preemptive secure [1]. Hopefully, most Unices are
comparable in stability these days.

> The problem is that some customer projects have regulatory constraints
> that *mandate* the use of Common Criteria certification. So not only
> must the OS be secure, but also the project must show the regulator that
> all required security functionality has been tested by a certified
> external assessor. The problem here is cost, especially if no previous
> BSD release has been evaluated in this way before.
>
> For those interested, here is another URL for Common Criteria info:
> http://niap.bahialab.com/cc-scheme/index.cfm
> This page contains details of products which are currently undergoing
> evaluation, but BSD is not listed.

I see the point. Indeed, there are no BSD products in evaluation on
that list. On the other hand, HP is certifying its LaserJet printers.
How funny, these printers come open by default. Just sending a
PostScript file with a firmware upgrade is allowed by default to
any user with access to that printer, either local or remotely,
and it can only be closed by using SNMP. Not very secure, in my
humble opinion.

Well, I am sorry. I can only point to this article [2] where we can
read that OpenBSD is used by the U.S. Department of Justice to track
and catch cyber-terrorists. In fact, I guess that the only open
source operating systems that will join that list are these supported
by corporations for business purposes (i.e., some Linux flavours).

Of course, certifying a BSD operating system (or all of them) would
be easy. As I said in a previous post, it is just a matter of
money. Perhaps your customer would be glad to pay for certification
(and donate it to a BSD development team or Foundation) if this
customer really cares about true security and not only being officially
listed as secure.

Cheers,
Igor.

------------------------
[1] Hal Berghel, David Hoelzer. Pernicious Ports. Communications
of the ACM 48(12), December 2005.

[2] http://www.landfield.com/isn/mail-ar.../Apr/0025.html

In comp.unix.bsd.netbsd.misc Philip Paeps <philip+usenet@paeps.cx> wrote:
>
> Which regulatory constraints are they? I've worked on a number of products
> that have been CE and FCC (among the other usual suspects) approved, but I
> can't say I ever encountered ``Common Criteria'' in the relevant bibles.

Common Criteria is a new buzzword for security officially released
in 2005, but unofficially available in drafts since 1999. Nothing
we must seriously consider, though, only another way to make money
using approval seals.

>> So not only must the OS be secure, but also the project must show the
>> regulator that all required security functionality has been tested by a
>> certified external assessor. The problem here is cost, especially if no
>> previous BSD release has been evaluated in this way before.
>
> Approval is expensive... BSD is a Unix-style operating system. Many of the
> operating systems you mention that have been approved derive more or less
> substantial portions of their code from BSD. Since BSD has not been standing
> still since those derivations happened, I would be quite confident that BSD
> would be pass approval provided some details are checked.

Indeed, most BSDs are secure, highly secure. Small and closed by
default. On the other hand, on that list we can find operating
systems (what an oxymoron!) as Windows 2000, 2003 or XP with
selected sets of patches. Nothing wrong, just to note that this
list is in no way related with the security level of the products.
Something is not better just for being on that list; it is just
approved.

On certain environments (e.g., military, banks, hospitals, data
management centers...) certifications are required. The real problem
is that the existence of these security certifications instead of
providing lists of secure software/hardware tools usually mean that
good and well-known secure products cannot be used. A customer that
blindly chooses following these certification authorities usually
drops excellent tools in favour of tools of financially wealthy
corporations without real caring on quality.

Best regards,
Igor.