Date: Wed, 15 Oct 1997 12:37:06 +0100 From: Colman Reilly <careilly@monoid.cs.tcd.ie> To: "Christopher G. Petrilli" <petrilli@amber.org> Cc: security@freebsd.org Subject: Re: C2 Trusted FreeBSD? (and what do we want anyway?) Message-ID: <199710151137.MAA20954@monoid.cs.tcd.ie> In-Reply-To: Message from "Christopher G. Petrilli" dated Tuesday at 21:56.
next in thread | raw e-mail | index | archive | help
On Wed, 15 Oct 1997, Mike Smith wrote:
Security is an all-encompassing thing, not electornic, not physical.
And without verified architecture, ther eis no "proof" that the only way
to get access to the storage location is via physical access. Remember,
that's why it costs a lot of money to build verified systems, one has to
build a boolean algebra description of the system that is provable, rather
than just "good enough."
Heh. Note that even A1 requirements for verification (or European E6) fall
far short of verification. They boil down to having a formal model of wht
you're trying to do and a semi-formal demonstratioin that the code matches
the model.
While things like Van Eck devices can be used for real-time access, hence
the TEMPEST and ZONE restrictions on various foreign installations
(TEMPEST is no longer mandetory for US classified, and ZONE is optional in
many cases), these do not deal with residual data. My issue was that
residual data can be read via various methods.
Not from RAM under the conditions we cre about. If they've got your RAM
you're probalby already well screwed.
I believe that it is totally acceptable
to do a single write over RAM, but that disk storage SHOULD be dealth with
seperately with an appropriate pattern.
This is a good idea, but watch the Linux people scream at our performance
then. :-)
The pattern is designed to stabilize the magnetic properties (remmeber, no
single magnetic domain is totally independent of the ones around it) by
exercising them in a specific order. This is hardly paranoia, but a
provable physical property. Why do you think you can recover data off of
an erased disk? :-)
This is assuming some physical organisation of the disk I assume?
Now, this discussion all brings to mind more basic question. Let's pretend,
just for the moment that we thought an assured high-level of security was a
good idea.
Let's also pretend that we don't care about actual certification - we're
unlikely to ever achieve certification if only because we fail the
administrative requirements as far as I can see ... lot's of very anal
non-functional requirements that are appropriate if your source code is
secret, but inapplicable if your source code is widely available.
Now, in that situation, what security claims would we like to make? What
model of security beyond what we have is appropriate?
I like the ideas of projects, security levels and mandatory access control.
My favourite use for it would be to place the web server and all it's minions
in one project and everything sensitive somewhere else. Apply controls as
appropriate, and I'm much happier a compromise of my web server isn't going
to get my password file or anything useful like that.
I also like ACL's, under some suitable model. Incidentially, I'm probably
capable of modelling the behaviours of proposed ACL structure fairly rapidly,
so we can play with policies and models and see what happens without actually
writing any real code. Abstract prototypes are fun.
I'd also like the sort of control's discussed for sockets previously. This
would remove so much of the requirement for root that servers have that it
would be highly worthwhile. Of course, we should apply ACL's to that too.
This would be part of extending explicit controls to all objects rather
than just files as is currently the case.
Of course, we should meet C2 anyway, and hope someone certifies it free of
charge and effort for us. :-)
On a side note, I was suggesting to Mike Smith that it might be worthwhile
including a configuration sanity checker in the juliet configuration server
he's working on. (Mike, my thoughts on that have changed a bit - I'll e-mail
privately later.) This would be a nice selling point for the OS.
Colman
[My second rant this week. Must be the Category Theory that's doing it to me.]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710151137.MAA20954>