The ability to enhance security in information systems and networks is limited by the operating systems that underpin them. Recognizing this, the Institute of Electrical and Electronics Engineers (IEEE) has begun work on a standard to formulate consistent baseline security requirements for general-purpose (GP), commercial, off-the-shelf (COTS) operating systems.
I’m hopeful this puts an end to insecure-by-design operating systems, such as Unix (having a “super user” that can do anything? wtf?).
This can only be a good thing for most of the OSs out there.
Having a root user is insecure?
Being able to do what you want on YOUR computer is a bad thing?
I can't figure out if you're ignorant or a troll.
Hmmm….well, you sound like someone that would be interested in Phoenix's DRM BIOS. Check it out. 😉
I’m glad there are others out there that agree that Windows 2003 is superior in every respect. I’m really hopeful that some laws get passed making DRM mandatory, that way everyone can enjoy Windows without Linux zealots forcing them to learn an inferior command-line based system.
Diluting the control of the system would probably lead to more problems than it would fix. Furthermore, many systems suffer from this. Novell for years and by design has always needed to install an administrator for the root of any tree. Microsoft has it hard coded that the administrative account is able to take ownership of any file, and since the filesystem really becomes the root of your entire system's security (delete a necessary file, system is wiped out…. change a file which contains user authentication info and you can gain access).
The key isn't diluting the ability of the single account, but making that single account 1) more inaccessible than other accounts 2) Not the default name 3) and giving it a good password.
Don’t forget that these standards are completely voluntary. They are just guidelines. They can be completely ignored or people can take from it what they will. I buy lots of non-ISO9000 products.
Isn’t “Administrator” on a Windows system exactly the same as “super user” in Unix in the sense that you point out?
The only problem with role-based security management is that users (especially admins) hate to be constantly changing their logins to do different tasks and like having one login that does everything for convenience. Maybe if an “su” type login could only be custom created on a case-by-case basis and was not a given standard on every system…
BTW, nice troll on that last post. That kind of moral ambiguity shows class…
Please, stop feeding the troll.
Unix is secure, idiot. It would be your fault if you had your network connected while you logged in as root.
I do run a rootless box, but not really.
I run some special stuff, so, I’m sorta talking down at ya.
It ain’t microslop, though.
why, after more than 30 years of operating system research, hasn’t anybody been able to come up with a totally secure os? i know we keep hearing building a secure operating system that is constantly connected to the internet is impossible — but is it really? is it really so difficult to implement a secure, unbreakable firewall and add d.o.s (buffer overflow) protection to the kernel? wouldn’t it be possible to create an operating system to be totally secure with one open port – say 80 – be constantly open?
it will be interesting to follow how and if the standard will be accepted… especially in ms case, since it’s well known, they just love to implement standards ;>
I'm thinking these standards are useless. Just a useless stamp for an OS. I haven't seen the rules/standards or whatever, but how the hell do you test for all of the vulnerabilities in an OS so you could say "hey it's secure, now gimme that stamp".
IMHO all of the work is in the actual implementation of the spec, and the spec behind the implementation means next to nothing if the implementation itself is not ‘perfect’. So I agree that I don’t really understand what all the fuss is about either. Sun’s Trusted Solaris OS would probably be the best bet in practical terms.
I’m glad there are others out there that agree that Windows 2003 is superior in every respect. I’m really hopeful that some laws get passed making DRM mandatory, that way everyone can enjoy Windows without Linux zealots forcing them to learn an inferior command-line based system.
What DRM has to do with secure OS? Regarding your comment of CLI’s usability:
# apt-get update
# apt-get dist-upgrade
VOILA!
“I’m glad there are others out there that agree that Windows 2003 is superior in every respect. I’m really hopeful that some laws get passed making DRM mandatory, that way everyone can enjoy Windows without Linux zealots forcing them to learn an inferior command-line based system.”
I think that you read a little too much into my statement. I meant that it would be good for mainstream OSs, including Windows as well as Unix, BSD and Linux. None do security particularly well right now.
You can’t write a standard and make a system secure by that.
People shouldn’t write software in type-unsafe C-dialects and use shoddy string/buffer functions in their programs.
Other than these problems today’s systems _are_ fairly secure.
Did I miss something here… If you didn't have a root, super-user, administrator, etc…how the heck would you configure the darn system in the first place, regardless of OS!!?? Problem is most users running with admin rights, or 'power' users that still allows executable installs, etc…
“I’m hopeful this puts an end to insecure-by-design operating systems, such as Unix (having a “super user” that can do anything? wtf?).”
“super user” doesn’t have a free-for-all on the OS. I think what you meant is root and they do make OS with the root account disabled.
“I’m glad there are others out there that agree that Windows 2003 is superior in every respect. I’m really hopeful that some laws get passed making DRM mandatory, that way everyone can enjoy Windows without Linux zealots forcing them to learn an inferior command-line based system.”
Considering that you can’t make the distinction between root, admin and super-user, you really shouldn’t be taking cheap shots at Linux.
Try reading this:
http://slashdot.org/article.pl?sid=02/11/17/2343231&mode=thread&tid…
http://www.eros-os.org/
http://eros.cs.jhu.edu/~shap/NT-EAL4.html
The most secure commercial operating systems are "trusted" such as Trusted Solaris and AIX. All of these operating systems have passed Common Criteria evaluations at EAL4 and in the case of Trusted Solaris, passed more rigorous standards than Windows 2000.
I really don't think we need more standards, we just need a commitment to writing quality code and not to let marketing decide when something should be released. The tools and documentation for writing secure code have been around for years, people just have to start using them.
The most secure commercial operating systems are "trusted" such as Trusted Solaris and AIX. All of these operating systems have passed Common Criteria evaluations at EAL4 and in the case of Trusted Solaris, passed more rigorous standards than Windows 2000.
Negative. Windows 2000 is also an EAL4 OS, and, in fact, Sun shipped the evaluation overseas to be performed by a company that is not as strict with its requirements. Win2k’s eval was done right here in the states by SAIC, who is regarded as the top Common Criteria evaluation lab out there. They’re also doing the WinXP/Win2k3 eval.
Negative. Windows 2000 is also an EAL4 OS, and, in fact, Sun shipped the evaluation overseas to be performed by a company that is not as strict with its requirements. Win2k’s eval was done right here in the states by SAIC, who is regarded as the top Common Criteria evaluation lab out there. They’re also doing the WinXP/Win2k3 eval.
Another anti-MSer busted spreading lies, who’d a thunk it?
Having a root user is insecure?
Having a UID that bypasses all the security features of the OS and that can’t be restricted is.
Being able to do what you want on YOUR computer is a bad thing?
No, someone else being able to bypass all the OSes security on YOUR computer because (UID == 0) is.
There are vastly better ways of managing access and permissions than the Unix “root/everyone else” paradigm, which has resulted in developers having to come up with horrible kludges like “privilege separation”, SUID binaries and enormous group files to work around the inherent primitiveness of the system.
Remember, when you are root on a Unix box, all that multiuser stuff and the security it offers may as well not exist. That’s why lines like “God, Root, what is difference ?” are coined.
The key isn’t diluting the ability of the single account, […]
Yes, yes it is.
but making that single account 1) more inaccessible than other accounts 2) Not the default name 3) and giving it a good password.
These are just workarounds and kludges trying to hide the design flaw. They don’t take away the underlying weaknesses and they suffer from the same problem as any other “security by obscurity” scheme – once an attacker gets past the obscurity, there’s nothing else to slow them down.
Incidentally, it’s not the username that matters in Unix, it’s the UID. You can make root’s username equal to whatever you want, the code just looks for (UID == 0).
Isn’t “Administrator” on a Windows system exactly the same as “super user” in Unix in the sense that you point out?
No. The things “Administrator” can do can be restricted. The things root can do cannot.
The only problem with role-based security management is that users (especially admins) hate to be constantly changing their logins to do different tasks and like having one login that does everything for convenience.
There’s a marked difference between a user able to do everything necessary to manage the system and a user who can do anything at all to the system.
Maybe if an “su” type login could only be custom created on a case-by-case basis and was not a given standard on every system…
A reasonable solution would be an efficient way to temporarily grant the managing user the necessary rights to do whatever they want to do. No need to change logins, just change the user’s permissions on the fly.
I'm thinking these standards are useless. Just a useless stamp for an OS. I haven't seen the rules/standards or whatever, but how the hell do you test for all of the vulnerabilities in an OS so you could say "hey it's secure, now gimme that stamp".
The objective is to check for and certify a secure *design* (which, say, DOS and MacOS don’t have) rather than a source code audit looking for things like buffer overflows.
It’s a lot easier to secure an OS that has a fundamentally good design, where all the vulnerabilities are (theoretically) going to just be configuration or coding errors than it is to secure one whose design is fundamentally flawed.
why, after more than 30 years of operating system research, hasn’t anybody been able to come up with a totally secure os?
Because a “totally secure” system would be too intrusive for most people to use.
i know we keep hearing building a secure operating system that is constantly connected to the internet is impossible — but is it really?
As long as end users are going to run files from unknown sources promising them porn, yes.
Remember, a computer has no way of telling if the things the users are *telling* it to do are really the things the users *want* it to do.
is it really so difficult to implement a secure, unbreakable firewall and add d.o.s (buffer overflow) protection to the kernel?
A secure firewall is relatively easy.
Protecting from DDOS attacks is practically impossible though. Again, the upstream router has no way of telling whether or not any arbitrary piece of data is legit or not.
wouldn’t it be possible to create an operating system to be totally secure with one open port – say 80 – be constantly open?
You could kludge most of that together today with something like a FreeBSD jail and a firewall.
However, your condition of “totally secure” implies there are no software bugs anywhere in a fairly complex system. While that’s certainly possible, I don’t think there’s enough incentive to implement it in current systems. It’d cost too much (in terms of either time or money, take your pick).
For as long as I’ve known about them, I’ve liked both the NSA’s Security Enhanced Linux and FreeBSD’s TrustedBSD MAC framework. Like anything, they are not perfect, but when used can certainly eliminate many of the issues some of you folks have with the generic Unix security architecture.
To Bubbajo Mophoe and Maser,
First, Common Criteria is an International standard, so the tests can be conducted in any country and be recognized, as opposed to individual nation standards. I am sure if we were talking about Linux, nobody would object that the tests giving Suse Linux EAL2 were conducted in Germany.
Second, I am both Sun and Microsoft certified (Solaris 8 SCSA and Windows NT MCSE), so it is not just “anti-Microsoft” whining. And considering Microsoft’s recent security problems that stretch into Windows Server 2003, I am not impressed!
Third, did you actually read the articles or just post? Sun's EAL4 is based on much tougher criteria than Microsoft's (Role Based Access Control PP, Labeled Security PP, and Controlled Access PP) as opposed to Microsoft's Controlled Access PP alone. Go to http://www.commoncriteria.org and read the reports.
If I was building servers for the most demanding security requirements, it would be either Trusted Solaris, or Gentoo Linux with Security Enhanced Linux.
…is that one only has to gain access to a single account (or compromise a single privileged process) in order to effectively perform any privileged task on the system.
Mainframe operating systems such as OS2200 and miniframe OSes like VMS have used the concept of a “permissions bitmap” for decades, with one or more of those bitmaps assigned to each user, and with each bit indicating a specific privilege or class of privileges, or in some cases the use of a privileged machine instruction. Some platforms even go so far as to enforce many of those permissions in hardware.
That way, something like a buffer overflow in a given process would only grant an intruder access to those things that are explicitly associated with that process’ privilege mask; all other privileged functions remain inaccessible.
POSIX “capabilities” are based on this concept, I think, but they are not yet in mainstream use, at least in Linux.
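The "permissions bitmap" idea in this post, and the earlier point that Unix only checks UID == 0, as an added example that is not from any commenter: it decodes the per-process capability mask Linux reports in /proc/<pid>/status, so a reader can see the difference between a process whose every privilege bit is set and one that holds a single bit. The capability numbers follow the Linux kernel's capability.h; the status snippets and all function names are constructed for the example.

```python
"""Decode the per-process privilege bitmap Linux exposes in /proc/<pid>/status."""

# Linux capability numbers (kernel capability.h); only the bits decoded in
# this example are named, any other set bit is reported by number.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}
LAST_CAP = 40                          # CAP_CHECKPOINT_RESTORE on recent kernels
ALL_CAPS = (1 << (LAST_CAP + 1)) - 1   # 0x1ffffffffff: every privilege bit set

def parse_status(text):
    """Return (real UID, effective capability mask) from status-file text."""
    uid = cap = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Uid":
            uid = int(value.split()[0])     # fields: real, effective, saved, fs
        elif key == "CapEff":
            cap = int(value, 16)
    if uid is None or cap is None:
        raise ValueError("status text lacks Uid or CapEff")
    return uid, cap

def decode_caps(mask):
    """Name each capability whose bit is set in mask, lowest bit first."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}")
            for bit in range(LAST_CAP + 1) if (mask >> bit) & 1]

def classify(uid, mask):
    """Describe what a compromise of this process would hand an intruder."""
    if mask == ALL_CAPS:
        return "unrestricted: every privilege bit is set (classic UID 0)"
    if mask == 0:
        return "unprivileged: no privilege bits, regardless of UID"
    return "restricted: " + ", ".join(decode_caps(mask))

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
ROOT_SHELL = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
WEB_DAEMON = "Name:\thttpd\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000400\n"
# UID 0 whose effective set was dropped: the UID alone no longer buys anything.
DROPPED_ROOT = "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for snippet in (ROOT_SHELL, WEB_DAEMON, DROPPED_ROOT):
        uid, mask = parse_status(snippet)
        print(f"uid={uid} -> {classify(uid, mask)}")
```

On a real system the same three lines can be read from /proc/self/status to check what a service actually runs with, which is the audit a least-privilege deployment needs.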
To all those who speak of spreading the superuser’s powers over several users as needed, how exactly does one go about doing this? Wouldn’t you still need an account with the power to grant permissions to other users, and couldn’t this account give itself any permissions a user desired?
It certainly seems like another step, but I (with my very minute understanding of the idea) don’t really see how that ends up being any more secure, except in adding a trivial step that an attacker would have to overcome.
The key is…
simplicity
Keep it simple. Don't add unnecessary crap that the user doesn't really need (ActiveX, RPC etc etc). Microsoft keep adding more and more crap to their operating systems then spend years fixing security holes in that crap.
If you must have extra stuff in your OS-HAVE IT SWITCHED OFF BY DEFAULT. You don't need to be a friggin rocket scientist to realise this.
The same goes for many Linux distros and other flavours of UNIX-too much crap running by default that isn't really needed.
There are secure OSs. See DigitalNet’s STOP. But there is no such thing as a free lunch and to get a secure OS you have to abandon all existing design and code and start from a security perspective, be willing to place security over speed (checking everything every time takes cycles) or functionality (can’t make it too complex or you can’t test/evaluate it) in every design decision, be willing to spend many many millions on process/documentation/testing/independent evaluation knowing that the market for highly secure systems is in the very low thousands, not per year, but total installed.
I should add it takes about 10 years.
Why aren't there more? Because we as consumers haven't demanded that level of security, we valued the latest glitz instead. And you can't have both.
It can be done, one company did it. But it took a sustained commitment to the possibility through many business cycles.
> To all those who speak of spreading the superuser’s powers
> over several users as needed, how exactly does one go about
> doing this?
I don’t think you understand. It isn’t about subdividing all existing privileges amongst several user accounts, but rather about only giving each user account precisely what it needs in order to perform its assigned tasks. Nothing more.
It is quite possible that some types of privileges will not be granted *at all* on a given system…
> Wouldn’t you still need an account with the power to grant
> permissions to other users, and couldn’t this account give
> itself any permissions a user desired?
That depends on whether or not you allow an existing account to be modified. Some OSes do not — a change of privileges requires the creation of a new account, and old account names may not be re-used.
In any case, I would limit such an account to being used only by a specially-keyed hard-wired system console (no users on other hard-wired consoles and no remote users could sign into that account), and I would strictly limit the account to that subset of privileges required to perform account maintenance.
SU is Substitute User
hmmm… i _suspect_ the reason why Ackman’s trollish comments weren’t modded down is that he paid some subscription fees.