Information Security News mailing list archives

Linux looks to pass government standards


From: InfoSec News <isn () c4i org>
Date: Mon, 19 Aug 2002 07:40:44 -0500 (CDT)

http://zdnet.com.com/2100-1104-950083.html

By Robert Lemos 
Special to ZDNet News
August 16, 2002, 4:00 AM PT

SAN FRANCISCO -- A technology think tank is campaigning to win Linux a
greater role in government by offering to act as a central repository
for a federally certified version of the open-source operating system.

The Cyberspace Policy Institute, a decade-old technology policy think
tank established at George Washington University, plans to push for
Linux to be certified under the Common Criteria, an international
standard for evaluating the security of IT products that the United
States and other countries require before products can be sold into
sensitive government applications.

If successful, the initiative would lead to a single, standard version
of Linux acceptable to the government, and hence make it easier for
Linux companies to compete against Microsoft and other large software
makers. Certification costs anywhere from $100,000 to millions of
dollars and takes up to five years--Microsoft is just finishing the
certification of Windows 2000--but the effort could be a boon for
Linux companies.

"The government wants to get open-source certified, but they don't
want to certify for any specific vendor," Tony Stanco, senior policy
analyst for open-source and e-government at the Cyberspace Policy
Institute, said at a panel discussion on promoting Linux to the
government.

A single agency administering the certification process for Linux is a
must, Stanco said. Otherwise, only a few companies will be able to
offer products and the entire community wouldn't benefit from the
effort.

"Only one company (Red Hat) has enough money to get certified," he
said. "I don't think even United Linux has enough money to get Linux
certified."

The initiative would also add the United States to the list of
national governments supporting open-source efforts to give federal
agencies an alternative to Microsoft. On Monday, the British
government confirmed that it would consider open-source software
alternatives to buying Microsoft software. And, in June, the German
government signed a deal with IBM and Linux vendor SuSE to provide an
open-source alternative to Microsoft operating systems. China and
Taiwan, two nations that rarely agree, have also dipped their toes
into Linux.

A better Linux

Strong support for the open-source operating system within the
government came from a surprising quarter in early 2001 with the
release of Security-Enhanced Linux from the National Security Agency,
which for decades stymied researchers' and technology companies'
efforts to create broadly available strong encryption.

SE Linux adds a security architecture developed for high-assurance
military systems to Linux. Its most visible improvement is mandatory
access control (MAC): the kernel enforces a system-wide policy on what
each process may do, regardless of which user it runs as, and neither
the process nor its user can relax that policy. The mechanism is based
on type-enforcement technology developed by Secure Computing Corp. The
Cyberspace Policy Institute plans to also add authentication and key
management features to the operating system.

Such controls do not stop an exploit from firing, but they confine
what a compromised process can do afterward. Mark Westerman, managing
partner with network consultant Westcam, installed the SE Linux access
controls on a critical server for one of his customers after a common
security flaw, known as a buffer overflow, allowed a hacker to take
control of the company's server. Westerman configured the access rules
but deliberately left the buffer overflow unpatched on the server as a
test.

When the hacker came back a second time to the server and attempted to
gain control of the process, the access controls limited what the
attacker could do. Instead of taking control of the computer, the
hacker could only crash the service that had the buffer overflow, but
do no other damage.

"With the access controls, the customer doesn't have to worry about
the next buffer overflow that comes along," said Westerman at a panel
discussion at this week's LinuxWorld Conference and Expo. "SE Linux
gives you military grade security at open-source cost."
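
The confinement Westerman describes is visible, under SE Linux, as
denials logged by the kernel's access vector cache (AVC): the exploit
still fires, but each follow-on action the payload attempts is refused
and recorded. The triage script below is an added example, not code
from the article or from the SE Linux project. It parses constructed
AVC denial records (laid out in the modern Linux audit format rather
than the 2002-era kernel-log format) and flags the ones a
post-exploitation payload running inside a compromised web server
domain would produce. The domain and type names (httpd_t,
shell_exec_t, shadow_t, system_cron_spool_t, unreserved_port_t) are
standard reference-policy types used here for illustration; the log
lines themselves are made up.

```python
"""Triage SELinux AVC denials to spot a confined daemon trying to break out.

Added example, not from the article. Under SE Linux the actions a policy
refuses are logged as AVC records; this script parses such records and
flags the ones a post-exploitation payload typically generates (spawning a
shell, writing to system config, opening a new listening socket). The log
lines below are constructed; the layout follows the modern Linux audit AVC
format, not the 2002-era dmesg format.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: a web server domain (httpd_t) compromised via a buffer
# overflow; the payload tries to exec /bin/sh, drop a cron job, read
# /etc/shadow and bind a backdoor port. One benign denial is mixed in.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1029768044.101:301): avc:  denied  { execute } for  pid=2211 comm="httpd" name="sh" dev="hda1" ino=4097 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1029768044.102:302): avc:  denied  { execute_no_trans } for  pid=2211 comm="httpd" path="/bin/sh" dev="hda1" ino=4097 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=AVC msg=audit(1029768044.150:303): avc:  denied  { write } for  pid=2211 comm="httpd" name="crontab" dev="hda1" ino=9012 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:system_cron_spool_t tclass=file
type=AVC msg=audit(1029768044.151:304): avc:  denied  { read } for  pid=2211 comm="httpd" name="shadow" dev="hda1" ino=7788 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1029768044.160:305): avc:  denied  { name_bind } for  pid=2211 comm="httpd" src=4444 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket
type=AVC msg=audit(1029768100.000:306): avc:  denied  { getattr } for  pid=1313 comm="httpd" path="/var/www/html/.htaccess" dev="hda1" ino=5555 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Break-out indicators: (target type, object class) -> (perms, label).
# A confined daemon has no business doing any of these.
INDICATORS = {
    ("shell_exec_t", "file"): ({"execute", "execute_no_trans"}, "spawn shell"),
    ("bin_t", "file"): ({"execute", "execute_no_trans"}, "run system binary"),
    ("shadow_t", "file"): ({"read", "open"}, "read password hashes"),
    ("system_cron_spool_t", "file"): ({"write", "create", "append"}, "cron persistence"),
    ("etc_t", "file"): ({"write", "create", "append"}, "modify system config"),
    ("unreserved_port_t", "tcp_socket"): ({"name_bind"}, "open backdoor listener"),
}


def parse_avc(line: str) -> Dict[str, object]:
    """Parse one AVC record into a dict; return {} if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    rec: Dict[str, object] = {"perms": set(m.group("perms").split())}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = raw.strip('"')
    # Contexts are user:role:type[:level]; keep the type, drop any MLS level.
    for ctx in ("scontext", "tcontext"):
        parts = str(rec.get(ctx, "")).split(":")
        if len(parts) >= 3:
            rec[ctx + "_type"] = parts[2]
    return rec


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the denials that look like a confined domain trying to break out."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        key = (rec.get("tcontext_type"), rec.get("tclass"))
        if key not in INDICATORS:
            continue  # benign or unrelated denial (e.g. a mislabeled web file)
        wanted, label = INDICATORS[key]
        if rec["perms"] & wanted:
            findings.append({
                "pid": rec.get("pid"),
                "comm": rec.get("comm"),
                "domain": rec.get("scontext_type"),
                "attempt": label,
                "perms": sorted(rec["perms"]),
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Counter:
    """Count break-out attempts per (pid, domain) so a burst from one process stands out."""
    return Counter((f["pid"], f["domain"]) for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_AUDIT_LOG)
    for f in hits:
        print(f"pid {f['pid']} ({f['comm']} in {f['domain']}): {f['attempt']} via {f['perms']}")
    print(summarize(hits))
```

On a real system, feed triage() the output of `ausearch -m avc` or the
contents of /var/log/audit/audit.log. A burst of flagged denials from
one pid in a daemon domain, as in the sample, is the signature of the
scenario in the article: the overflow succeeded, the payload ran, and
the policy refused everything it tried. Note what the script cannot
show: a process that runs unconfined generates no denials at all, so
confinement has to be verified (for instance with `ps -eZ`) rather
than assumed from the absence of alerts.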

Microsoft vs. the NSA

SE Linux may be the NSA's last direct contribution to open-source
security, however. Because of the loud criticism, the NSA will have a
far less direct role in the creation of more secure versions of
open-source software.

"We didn't fully understand the consequences of releasing software
under the GPL (General Public License)," said Dick Schafer, deputy
director of the NSA. "We received a lot of loud complaints regarding
our efforts with SE Linux."

Many complaints criticized the agency for providing the fruits of
research to everyone, not just U.S. companies, and thus hurting
American business.

While stressing that the agency received a loud chorus of support as
well, the chagrined Schafer said that the issue was contentious enough
that "we won't be doing anything like that again."

Sources familiar with events said that aggressive Microsoft lobbying
efforts have contributed to a halt on any further work. "Microsoft was
worried that the NSA's releasing open-source software would compete
with American proprietary software," said a source familiar with the
complaints against the NSA who asked not to be identified.

Microsoft would not comment directly on its lobbying efforts, but did
stress that it wanted to ensure the government continued to fund
commercial ventures. "The federal government plays an important role
in funding basic software research," said a Microsoft representative.  
"Our interest is in helping to ensure that the government licenses its
research in ways that take into account a stated goal of the U.S.  
government: to promote commercialization of public research."

The debate over whether the government should fund open source
projects has been raging for some time. In July, the MITRE Corp., a
defense contractor and think tank, released a much-awaited report
sponsored by the Department of Defense endorsing the use of
open-source software in the government.

"Open source methods and products are well worth considering seriously
in a wide range of government applications," concluded the report.

After news of the favorable report leaked out in May, a second report
appeared in early June from the Alexis de Tocqueville Institution, a
newcomer to the open-source debate, calling such software insecure. A
press release preceding the report breathlessly announced "open-source
software may offer target for terrorists."

Many critics have claimed that Microsoft funded the report, but a
Microsoft representative denied that charge, saying that while the
software giant does fund the institution, it doesn't fund any specific
research.

Despite the intense battle surrounding open source, the NSA will still
fund research on secure operating systems based on Linux as well as
work with U.S. companies to create better security in their own
operating systems.

Both Red Hat's CEO Matthew Szulik and Chief Technology Officer Michael
Tiemann said the company is working with the NSA on security projects,
but neither would give details about the initiatives. On Tuesday
morning, Tiemann and other technologists from companies including
Intel, IBM and Oracle met to discuss the future of Linux in the
government, said a source familiar with the meeting.

Through the Composable High Assurance Trusted Systems (CHATS) fund,
the Defense Advanced Research Projects Agency, an arm of the
Department of Defense, funds open-source initiatives that improve
security. A year ago, Network Associates received $1.2 million from
the CHATS program to create a common set of security features for
open-source operating systems.

Apple also will push its own operating system, Mac OS X, whose core is
based on the open-source Unix variant FreeBSD, for government
certification. Apple and a coalition of 40 government agencies have
formed the Secure Trusted Operating System (STOS) consortium to create
security features for Darwin, the open-source base of Mac OS X.

Welcome to certification

The road to certification will not be easy, however.

For one, the co-developer of SE Linux, Secure Computing, has indicated
that it plans to enforce patent claims on part of the access control
technology based on its research and development.

In addition, the Common Criteria process, run jointly by the NSA and
the National Institute of Standards and Technology under the National
Information Assurance Partnership (NIAP), is better suited to
certifying a fixed release of proprietary software from a single
company. A certificate covers one evaluated version in one evaluated
configuration, so the process copes poorly with the steady stream of
updates that the open-source community produces.

"The big issue is how you fit this wild community into all the little
boxes that the government bureaucracy wants," said CPI's Stanco.

NIAP Common Criteria certifications run from Evaluation Assurance
Level 1 (EAL1), the lowest, to EAL7, the highest. The first four
levels can be obtained through accredited commercial labs, but levels
5 through 7 require evaluation by the NSA itself.

Because it is Linux's first time through the process, the Cyberspace
Policy Institute has modest aims: EAL 2.

"That way we get some validation of open-source security," said
Stanco. "Going straight to EAL 4 would be tough."

Shooting for a modest target gives the open-source community time to
work out some kinks--not in Linux, but in the government's
certification process.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

