Firewall Wizards mailing list archives

RE: Re: Trusted OS...

From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 11 Apr 2000 11:06:23 -0500

At 10:41 AM 03/31/2000 -0800, Starkey, Kyle wrote:

Todd...
I am with you on the fact that the TOS certification is a little much for
the corporate standard, but I can not accept the fact that there is any
other way to certify that the OS is truly tursted.  The OS and ALL of it
subcomponents must be broken down and mathematically proven to adhere to the
security structure that the OS was designed for.  Most of us have no time to
read through 4000 pages of mathematical proofs, but to be a TOS you must be
able to provide this document before I will accept that certification.


4000 pages is a good guess. Todd Fine, a colleague, had roughly a dozen 2"
binders that held the LOCK machine-checked proofs, and they only addressed
the TCB interface. They did not include proofs of the underlying
instruction sequences.

As far as I know, there are no "operating systems" in the commercial sense
of a "platform used by unrelated third parties to develop applications"
that have up to date formal proofs consistent with the Orange Book
expectations. There are perhaps a handful of products (like the LOCK guard)
with the canonical bucket of proofs, but I don't know of any that are
really "state of the art."

Tha being said, a TOS like that would be a PIA to work with in the corporate
environment and is a little too restrictive for everyday business, but may
be better suited for the NSA and other such agencies with 3 letter acronyms
for names.


Not even NSA has much interest in Orange Book-style formal proofs any more,
at least, not for use in "practical" applications.

The most promising thing I've seen is the use of formal proofs to identify
crucial security features of an architecture. We leaned more towards that
as the LOCK effort wound down, and applied such lessons to Sidewinder,
though of course we never came close to doing a formal analysis of it. A
better and more recent example is the way that Jonathan Shapiro analyzed
the EROS security mechanism. It's not a full-interface proof like
traditional Orange Book proofs, so it's smaller, more accessible, and
therefore more convincing in a lot of ways.

Rick.
smith () securecomputing com

Current thread:

Re: Re: Trusted OS... Paul D. Robertson (Apr 04)
- <Possible follow-ups>
- Re: Re: Trusted OS... Civ David R. Sears (Apr 04)
- Re: Re: Trusted OS... Pere Camps (Apr 10)
- RE: Re: Trusted OS... Michael . Owen (Apr 10)
- Re: Re: Trusted OS... Iván Arce (Apr 10)
- RE: Re: Trusted OS... Starkey, Kyle (Apr 10)
  - Re: Re: Trusted OS... Bennett Todd (Apr 10)
- Re: Re: Trusted OS... Rick Smith (Apr 10)
- RE: Re: Trusted OS... Rick Smith (Apr 13)
- RE: Re: Trusted OS... Matthew . Hannigan (Apr 17)