The US Common Criteria Evaluation and Validation Scheme, the body that grants Evaluation Assurance Level (EAL) ratings in the US, has granted an EAL5 Augmented rating to BAE Systems' XTS-400 and its STOP Unix operating system. This is the first OS to be granted an EAL5 or better, and the first public EAL5 granted in the US.
The “Augmented” means that there were elements of the evaluation that exceeded the requirements for EAL5, specifically in the areas of flaw remediation and vulnerability testing.
Further information about the XTS-400 can be found at BAE's XTS-400 web site. Information about the evaluation can be found at NIAP's Evaluated Products List.
STOP is a proprietary OS whose API and ABI match Linux's, so many GNU/Linux applications can be copied to the XTS and executed there, receiving the XTS's security protection, without recompilation or recoding. The XTS-400 and its predecessors have a 20-year history of use (in the three-letter agencies of the US government and by friendly foreign governments) as guards that impose security rules on information flowing from one security domain to another, and as application hosts where connections to networks of different classifications or sensitivities are required.
… or multiple BSDs.
BSDs are completely useless for any kind of Government certification. Linux fares better in that aspect.
Or it could be based on actual Unix (TM) code, there are still several different versions out there that ye rarely hear of, for example the version NEC have that they run on their vector computers.
Now using Unix in their press release is dodgy unless they go and get it certified by the Open Group.
the version NEC have that they run on their vector computers.
“NEC SuperUX”
Now using Unix in their press release is dodgy unless they go and get it certified by the Open Group.
Apple does it all the time, without even anything close to POSIX conformance required by the SUS. Open Group threatened to sue Apple, but nothing happened thereafter. It seems that the enforcement of the trademark is extremely poor, especially/even against Open Group members.
I'm sure saying “unix-like” or “based on unix” will be fine. Most Linux companies say that.
It was Wang Federal, Inc. http://appserv.gcn.com/14_28/news/31543-1.html
http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-92-003-C.html
and trace it further back to HFS, Inc (XTS-200)
http://chacs.nrl.navy.mil/xtp1/epl.html
and further back to Honeywell SCOMP which ran on DPS6plus hardware, which was a Level 6 box, that also ran GCOS 6 (all the way back to the old Multics stuff).
http://www.multicians.org/history.html
So, it now has Linux ABI on new hardware.
As BAE Systems' own documentation says, it isn't just the assurance level of EAL5 that is important but also the protection profiles. What is most interesting is that LSPP is one of them.
However, unlike Trusted Solaris 8, which has LSPP, CAPP and RBAC at EAL4+, the BAE STOP system doesn't do multilevel cut and paste, and trusted path is outside of the window system, so it isn't a true multilevel desktop in that sense. Both BAE STOP and Trusted Solaris implement the same MAC labeling model for their LSPP claims.
However, a great effort nonetheless. Congratulations to BAE Systems on the EAL5 for CAPP and LSPP.
The original solution was developed from scratch back in the early ’80s and was called SCOMP (Secure Communications Processor), which ran on a Honeywell Level 6 minicomputer. SCOMP received NSA A1 validation (back when the A, B, C Orange Book evaluation levels were used), which is the highest validation that NSA ever granted. The OS had to be written from scratch because it had to stand up to formal proofs of its security architecture in order to be validated at the A1 level. The successor to SCOMP was the XTS-200, which ran on the DPS6plus minicomputer from Honeywell, which was still a proprietary hardware platform. The XTS-200 first introduced a *nix-like user environment and API for developing applications designed to run within ring 3, but the core OS was still (and still is today) based on the original SCOMP. The XTS-200 was validated at B3 by NSA. Both the XTS-300 and XTS-400 were/are based on Intel microprocessor technology and the “Wintel” hardware architecture. The *nix-like user/developer environment was further refined on these platforms. The XTS-400, like its predecessors, was designed to be a multilevel secure communications guard platform, allowing the controlled connection of multiple networks, each operating in a different security domain. It was never intended as a desktop multilevel secure platform, which is the space that Trusted Solaris occupies. Honeywell actually worked with Sun, DEC and others to help them develop multilevel secure desktop solutions, but SCOMP/XTS was never intended for that role. As a final note, while Honeywell developed the famous MULTICS OS, this OS was not used as the base for XTS.
EAL sounds nice and all. But the qualification is only valid for an ideally configured system. We have seen and heard from the guy who cracked more than 50 supposed-to-be highly secure government systems. Like a fighter plane that can do more than its pilot. Is there an EAL for admins?
Security in the context of a multi-level secure OS means more of: even if you can 0wn the box, it won’t matter — you’ll be sandboxed in a (potentially dynamic) container based on the sensitivity of the information you’re allowed to access. Such a system is intended to prevent disclosure of SecretStuff. An attack is going to have to exploit a vulnerability in the enforcement mechanism, or is going to have to be unconventional (covert channel, DDoS, etc).
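The MAC labeling model behind the LSPP claims mentioned a few comments up, and the "sandboxed by sensitivity even if you own the box" argument in the comment just above, as an added illustration that is not from the article, BAE, or Sun: a lattice-based label dominance check in the Bell-LaPadula style that LSPP-type systems enforce. The level ordering, compartment names and the access attempts are constructed for the example.

```python
# Added illustration (not BAE's STOP, Trusted Solaris, or any code from the
# article): the lattice-based MAC dominance rules that LSPP-style MLS systems
# enforce. Levels, compartment names and attempts are constructed for the example.
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a >= b in the lattice: higher-or-equal level AND superset of compartments.
        # Labels with disjoint compartments are incomparable: neither dominates.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def check_access(subject: Label, obj: Label, mode: str) -> tuple:
    """Return (allowed, reason) for a subject at label `subject` touching an
    object at label `obj`. The rules are Bell-LaPadula, which the LSPP MAC
    model is built on: no read up (simple security), no write down (*-property)."""
    if mode == "read":
        if subject.dominates(obj):
            return True, "read allowed: subject dominates object"
        return False, "read denied: subject does not dominate object (no read up)"
    if mode == "write":
        if obj.dominates(subject):
            return True, "write allowed: object dominates subject"
        return False, "write denied: would move data to a lower label (no write down)"
    raise ValueError(f"unknown mode {mode!r}")


def denied_accesses(subject: Label, attempts: list) -> list:
    """Simulate a compromised process running at `subject` trying every
    (object_label, mode) in `attempts`; return the ones the reference monitor
    rejects. The attacker inherits the process's label and cannot escape it."""
    return [(obj, mode) for obj, mode in attempts
            if not check_access(subject, obj, mode)[0]]


if __name__ == "__main__":
    conf = Label("CONFIDENTIAL")
    attempts = [(Label("SECRET", frozenset({"NATO"})), "read"),
                (Label("UNCLASSIFIED"), "write"),
                (Label("TOP SECRET"), "write"),
                (Label("UNCLASSIFIED"), "read")]
    for obj, mode in attempts:
        print(mode, obj, check_access(conf, obj, mode)[1])
```

The two denied attempts (reading SECRET/NATO data and writing to an UNCLASSIFIED object) are exactly the disclosure paths the MLS enforcement closes off regardless of who controls the process.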
A high EAL level does not (necessarily) a secure system make: EAL refers to how much assurance there is that the system does what it is described to do (and nothing more). That description is the Security Target (http://niap.nist.gov/cc-scheme/st/ST_VID3012-ST.pdf) and the associated protection profiles (in this case LSPP http://niap.nist.gov/cc-scheme/pp/PP_LSPP_V1.b.html and CAPP http://niap.nist.gov/cc-scheme/pp/PP_CAPP_V1.d.html). This is why Jon Shapiro of EROS/CoyoteOS (http://eros.cs.jhu.edu/~shap/NT-EAL4.html) said that Windows received an EAL 4: it rigorously proved that it did things just as it was intended. Tell that to anyone who was hit by Sasser or whose IIS web server blue-screens regularly (or *cough* is that red-screens, softie aficionados?). So in deciding how secure the system is, you'd have to contrast, say, the MS Security Target, which we can assume is total fluff, against whichever other product's ST; in addition, you'd have to consider which PPs are necessary to meet your needs. If the ST sounds good, you use the EAL level to assess the degree to which the product can be trusted to meet those needs. Part of the problem with the CC is that it's hard to map the arguably more stringent TCSEC requirements (http://www.radium.ncsc.mil/tpep/library/rainbow/) against protection profiles (MRPP http://niap.nist.gov/cc-scheme/pp/PP_MLOSPP-MR_V1.22.html comes closer to this, but targets EAL4) and an appropriate EAL level.
I expect the short of it is that if you are trying to market your product to a customer that requires a specific EAL level evaluation, and can't get a waiver for it, then having such a high EAL level is an important (and costly) rubber stamp.
The XTS folks have been doing this for some time, up to 20 or so years ago when they were SCOMP folks (the highest A1 TCSEC rating).