From owner-freebsd-security Tue Oct 14 08:17:43 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA22947 for security-outgoing; Tue, 14 Oct 1997 08:17:43 -0700 (PDT) (envelope-from owner-freebsd-security) Received: from stt3.com (root@stt3.com [198.107.49.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA22940 for ; Tue, 14 Oct 1997 08:17:39 -0700 (PDT) (envelope-from beattie@stt3.com) Received: from durin(really [192.168.0.88]) by stt3.com via sendmail with smtp id for ; Tue, 14 Oct 1997 08:16:42 -0700 (PDT) (Smail-3.2 1996-Jul-4 #1 built 1997-Mar-5) Date: Tue, 14 Oct 1997 08:16:41 -0700 (PDT) From: Brian Beattie X-Sender: beattie@durin To: Colman Reilly cc: Douglas Carmichael , freebsd-security@FreeBSD.ORG Subject: Re: C2 Trusted FreeBSD? In-Reply-To: <199710131041.LAA08912@monoid.cs.tcd.ie> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk I have worked on several "Orange Book" UNIX systems. Not everybody in the INFOSEC community will agree with me on all points. On Mon, 13 Oct 1997, Colman Reilly wrote: > [cc'ed to security, where it possibly really belongs. On the other hand > raises a few issues relevant to hackers. Sorry if you get it twice.] > > [Disclaimer: I haven't had any coffee yet. This could all be wrong.] > > Could FreeBSD be made to comply with B1 or C2 trusted system standards FOR > REAL (unlike NT that can only comply when not hooked up to a network)? > > Well, certainly it could achieve C2, though we would need to do a *lot* of > documentation and testing work, and we may need to include an ACL list based > filesystem, that depends on your reading of the Orange Book. I'm not ACL's are not required at C2, not until B3 (maybe B2 it's been a while. Also I think I could make the case that UNIX already has ACL's, small ones but the spec does not, as I recall, say how big they need to be. Most of the people involved in INFOSEC are absolutely "head over heals" in love with ACL's, big ACL's. I am not convinced of their utility in the real world, especially with suplementary groups. If I were designing a B1 UNIX system I would not change the current access control design. > experienced enough to tell what the "normal" interpretation of the > requirement that access should be controllable down to the granularity of a > single user is. In principle one can deny access to an object by creating a > group with everyone except that user in it and set that to be the object's group > but I'm not sure a certification group would consider that adequate. The UNIX design as understood by most UNIX hackers meets C2 except for auditing. > > Code to handle the C2 auditing requirements is being worked on by someone > whose name I don't have handy on this machine, (sorry). The main problem > after that is adding the appropriate code to all the syscalls and the > relevant programs. > > I think it's mostly admin and verification work after that. And a LOT of documentation. > > As for B1: well, that is an interesting problem. Could we hack FreeBSD to > include labels? Yes. Can we do it without breaking existing software? I > don't know. UNIX could be made to meet B1 and, running at a single level should not break existing software, unless it has intimate knowledge of the filesystem and/or kernel data structures. fsck, mkfs whould need work, ps might. > > The problem is that B1 is the first level at which Mandatory Access Control > is introduced, which requires that you associate with each object (process, > file, whatever) attributes, to include a sensitivity label (top secret, > confidential, etc.) and what is essentially a project label. Essentially, > information is only allowed to move from an object with a lower or equal > sensitivity to one of a higher or equal sensitivity label and not vice > versa. (Not exactly correct, but good enough for this discussion.) > > Now, if we introduce such things we get a somewhat different view of the > world than the traditional UNIX-like security model. I do not know if it > possible to maintain a good enough match to enable us to continue to easily > port UNIX based software to FreeBSD. > > There are also some formal engineering requirements to be statisfied if I > remember rightly. (I don't have the Orange Book to hand, just the equivalent > European ITSEC document, which seperates assurance and security claims.) > > I know there are several UNIX-like B-Class OSes out there, but I'm not sure > whether they break the standard UNIX security semantics. Our more > experienced brethren would have a better idea and will no doubt express > their views in their normal reserved manner. > I just built the things, you don't expect me to use them do you? :-) I do think that as long as you run at a single level you will not notice it. With carefull design, it should still be useable running at multiple levels. > > >From a practical point of view I wonder how pleased developers would be to > have heavy security review requirements hanging over them? I suspect > not very. And the requirements for both C2 and B-Class would probably > impact performance. If one wanted to produce either a C2 or > B-Class system I think it would probably need to be done as a sort > of sub-project using a restricted driver set and a restricted ports > set and with a different distribution produced which would lag a > bit behind the released system. On the other hand any sort of work > towards that level of security would greatly increase both the > security of the base system and our confidence in it. To actually get a system evaluated you would need to specify, exactly what hardware it will run on, mother-board, peripherals, etc. Every option would add significant work, in documentation and evaluation. If somebody actually wanted to get a version of FreeBSD on the Evaluated Products List, they would need to find a sponser to convince NSA (or whoever the evaluating agency is these days) to do the evaluation. There would also need to be a full-time staff member to interface with the agency. It might be possible to find somebody in DoD who would be willing to sponser this and foot the bill, but I would not know where to look. > > On the other hand, wouldn't a free A1-class operating system just be so > funny? > "Mr Gates, please explain why your operating system can't make C2 > yet that pack of wasters manage to maintain a free system at A1 > certification" > > The problem with that is the money that the certifaction process would > require, of course. > > Colman > Just replacing A1 with B1 would be a real "kick in the head".