Monday Dec 18, 2006

I have it on good authority (from Sun Federal COO Bill Vass) that Solaris 10 03/05 has completed its Common Criteria evaluation. It will take us a while to issue a formal press release, but the evaluation is complete. This evaluation was at EAL 4+ using the Controlled Access Protection Profile (CAPP) and the Role Based Access Control PP. The process has taken over a year and cost a significant bundle of cash. Solaris 10 with Solaris Trusted Extensions (found in the 11/06 update) is currently under evaluation with the addition of the Labeled Security PP and should complete next year.

Congratulations and thanks to Sun's evaluation team including Jane Medefesser, Vanessa Kong, and Linda Gallops.

A little history.....

A long, long time ago (back in the 1980s) the NSA created a program known as the Trusted Computer System Evaluation Criteria (TCSEC). As an employee of Gould Computer Systems (RIP!) at that time, I know that Gould's UTX-32 OS was the first commercial Unix to receive a TCSEC C2 evaluation by the NSA.  Gould sold about 5 copies of that OS after spending millions of dollars to complete the process.  The UK had an equivalent program known as ITSEC. The TCSEC labeled OSes using a letter/number scheme still referred to by some today:

  • C2 is roughly equivalent to today's CAPP
  • B1 is roughly equivalent to today's LSPP

There were two major problems with the NSA system.

  1. The process took so long and cost so much that an evaluated product was no longer competitive and didn't run on the latest hardware.
  2. An evaluation completed by the NSA meant nothing to the UK, Germany, or other countries who had their own evaluation schemes.

As a result, the Common Criteria process was established and a number of countries agreed to abide by it.

What is a CC Evaluation?

The Common Criteria is an international set of standards for evaluating software products against a set of requirements. There are two parts to a CC designation: Evaluation Assurance Level and Protection Profile.

 Evaluation Assurance Level

The EAL designates the level of rigor that was applied to an evaluation.  Levels range from 1-7 and are defined as:

  • EAL1 - functionally tested
  • EAL2 - structurally tested
  • EAL3 - methodically tested and checked
  • EAL4 - methodically designed, tested and reviewed
  • EAL5 - semiformally designed and tested
  • EAL6 - semiformally verified design and tested
  • EAL7 - formally verified design and tested

At this time, EAL4 is the highest level that can be transferred from one country to another. 

Protection Profile

A protection profile defines the technical functions required to be evaluated. For example, the Controlled Access Protection Profile includes requirements for (among others):

  • User authentication  (you have to login)
  • Access control (Unix-style permissions)
  • Auditing (know what has happened on the system)
  • Prevention of object re-use (clear memory and disk before giving it to another user) 

There are a variety of protection profiles for product classes including OS, Database, Firewall, Encryption etc.  It is also possible to get a CC Evaluation without a protection profile although the usefulness of such a thing is debatable.

Other protection profiles that apply to Solaris include:

  • RBAC - Role Based Access Control
  • LSPP - Labeled Security PP for multi-level data 

Who cares about Common Criteria?

The US Federal Government and Department of Defense have a variety of policies (FISMA and DoD Directive 8500.2) dictating that CC evaluated products should be used where they exist and are preferred over non-evaluated products. As a result, nearly all purchases by the US government require that an OS be evaluated or at least in the evaluation process. Sun has a long history of evaluated Solaris OS versions over the last 10 years.

As an engineer at Sun with many years of DoD customer experience, I'm frequently asked a number of questions about the interpretation of the CC requirements in the DoD (see the questions in the comments section):

Can I use a Solaris update that's different than the certified version?

Strictly speaking, any change that you make to the certified baseline (platform, version, patches) means you are running an "uncertified configuration." This doesn't make you less secure. Strict conformance to this policy would seriously prevent you from running the latest Solaris version or taking advantage of the latest hardware.

What is the US DoD policy on using later Solaris updates?

While I can't speak for the government, I can relate my direct conversations with officials at the Defense Information Systems Agency (DISA) who create and enforce these policies. I have been told that a CC evaluation is a "Checkbox" activity that is NOT the most important item in a security accreditation. The fact that a more recent update of Solaris has not been certified directly should not prevent you from using it. However, if the update has a new security feature that has not been evaluated and you are planning to use that feature, it may be more difficult to get your system accredited. DoD customers should work directly with DISA in this area. There is a help desk available at the DISA Field Security Office.

What about commercial customers?

Each customer has their own policy.  Some simply require that a product be "in evaluation."  Others require that some version of the product has been certified.  Work with your customer's security office to determine their policy.

What does DoD Directive 8500.2 say about CC?

Feel free to read it; however, to paraphrase section E3.2.5: If there is a certified product, you must use it. If there is no product that's certified, it should be "in evaluation." If there is no product in evaluation, a commitment from the vendor to evaluate should be made before you buy. If there is no defined protection profile for a product class (e.g. VMware), the vendor should create a security target and have it evaluated.

If the process was not designed to actually detect software bugs or vulnerabilities in an OS, then what does it check?

This question emphasizes the current disappointment that DoD officials have with the process.  They are paying extra money for evaluated products but not necessarily getting better products because of the evaluation process.  The process is designed to ensure that a product behaves as documented but it is NOT a source code scrub for buffer overflows, coding errors or other issues (The fact that MS Windows products are evaluated at EAL4 should make this point painfully obvious!).

Does every product need to be CC  evaluated?

The DoD directive refers only to "IA products, and IA-enabled IT products." They define IA-enabled product as "Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems." By this definition a product like StarOffice is NOT IA-enabled; however, a web portal or identity management system is IA-enabled in my opinion. Some would say, "If it asks for a username and password, it's IA-enabled."

What is NIAP and who does the evaluations?

NIAP is the National Information Assurance Partnership between NIST and NSA.  They control the CC program in the U.S.  An evaluation is done by an independent commercial laboratory known as a commercial licensed evaluation facility or CLEF.  Sun's evaluation was done by a Canadian CLEF.

What's wrong with the current Common Criteria process?

Although the current process is somewhat better than the old NSA process, it still leaves something to be desired. I have heard it stated in public forums by DoD employees that the CC process does not meet all of the Government's goals. Current problems include:

  • It still takes a long time (about 1 1/2 years), resulting in delays in purchasing state of the art products.
  • The process is not designed to actually detect software bugs or vulnerabilities in an OS
  • The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
  • It is not flexible in handling OS updates and patches

What is the difference between a CC evaluation and a site accreditation?

Products are CC evaluated, sites and solutions are accredited.  For example, a particular site may take a number of CC evaluated products, install them on computers, connect to different classifications of network and put the whole solution in a particular building.  An accreditation ensures that all these steps were followed with security in mind and that the products, policies, people and procedures meet the security requirements of  the mission.  An accounting system has different requirements than a warfighting or intelligence gathering system and the accreditations will vary for each even if they use the same products.

Why should you  care?

CC evaluations provide an assurance that a product has been documented properly and behaves in accordance with its documentation.  It is an external, third party audit of a product that provides a higher level of assurance on the capabilities of the delivered product. Sun takes our responsibility for security very seriously and our goal is to ensure that Solaris is the preferred platform for Federal mission critical systems.

Sun has a long history of evaluated versions of Solaris including 2.5.1, 2.6, 8, 9, 10 and various Trusted Solaris versions.

CC evaluated products are preferred by most US Federal and DoD procurements.


 

Comments:

Great news, and a very well-considered article - particularly when discussing some of the shortcomings associated with Common Criteria :-).

However, I thought that a Protection Profile was absolutely required in order to gain certification - while a PP could be written by the product vendor rather than the NSA (authors of CAPP, RBACPP and LSPP), and the CC certification would probably lose some authoritative weight as a result, a certification must always be a tuple of at least one PP and EAL...

Posted by Dave Walker on December 18, 2006 at 09:47 AM EST #

In theory that's true, but if a vendor simply makes up his own protection profile, he can be as loose as he likes. An example is VMware's EAL2 evaluation as an OS. According to the page: http://niap.bahialab.com/cc-scheme/st/ST_VID10056.cfm "VMware meets all of the security functional requirements stated in the VMware ESX Server 2.5.0 and Virtual Center 1.2.0 Security Target, version 1.6.7" They can write whatever they want in the security target. I'm not sure what value this provides to an end user. It's the moral equivalent of "I paid my friend to evaluate that this does what I say it does." This is in contrast to, "I paid my friend to evaluate that this meets a set of standards agreed to by a wide array of customers."

Posted by Jim Laurent on December 18, 2006 at 12:56 PM EST #

Thanks for the good introduction to CC history and process. I have a question: if the process was not designed to actually detect software bugs or vulnerabilities in an OS, then what does it check? How does it evaluate an OS is safe or not?

People in SUN like to claim Solaris as "the most advanced OS in the world". That is arguable among open source communities, because different people have different interpretations (and even bad, different religions :( ) on what "the most advanced" means. Just curious why we don't call it "the most secure commercial OS in the world" also? (I read some reports on this, but I am not really sure if that is true, and if the "commercial" prefix is necessary or not).

Posted by rayx on December 19, 2006 at 12:09 AM EST #

To quote the "Introduction to CC" document: "An evaluation is an assessment of an IT product or system against defined criteria." Therefore it is not a complete code scrub for vulnerabilities, it only intends to check whether the product (Solaris) conforms to the rules (Protection Profiles) set forth. We refer to Solaris as "the most advanced" because of the award winning innovations that are going on in Solaris. Innovations like Zones, dtrace, network virtualization put Solaris in the lead when it comes to advanced features.

Posted by Jim Laurent on December 19, 2006 at 06:53 AM EST #

Does CC cover updates to Solaris? IE. Does update 3 inherit the CC status? I want update 3.

Posted by Jim H on December 20, 2006 at 08:01 AM EST #

Strictly speaking, an evaluation only applies to the OS, patches and platforms that are specified in the security target and evaluation report. I work closely with the US DoD, however, and have spoken to high level officials at Defense Information Systems Agency (DISA) about this topic. They have told me that updates are fine to use as well and that too many DoD users get hung up on the strict interpretation. Perhaps if an update introduces a new security feature, then the customer might want to evaluate or not use that security related feature. Keep in mind that Solaris 10 updates consist of patches and occasionally new packages (such as ZFS). The same logic applies to MS Windows and their service packs. Only a single version of WinXP was evaluated but that doesn't stop customers from adding additional service packs. The bottom line is that each customer has their own policy on how they use a CC evaluation. For US DoD customers, you should go to the help desk at iase.disa.mil to get official guidance. Finally, "Update 3" that you are interested in (officially known as Solaris 10 11/06) is in the CC evaluation as described above. Thanks for the comment.

Posted by Jim Laurent on December 20, 2006 at 09:08 AM EST #

Note to Dave Walker regarding Protection Profiles:

NIAP's web page ( http://www.niap-ccevs.org/pp/ ) defines the Protection Profile as follows:

"A Protection Profile (PP) is an implementation-independent specification of information assurance security requirements. Protection profiles are a complete combination of security objectives, security related functional requirements, information assurance requirements, assumptions, and rationale."

The page then goes on to say:

"The purpose of a PP is to state a security problem rigorously for a given collection of system or products - known as the Target of Evaluation (TOE) - and to specify security requirements to address that problem without dictating how these requirements will be implemented."

Jane Medefesser's paraphrase:

Protection Profiles give us a convenient way of showing the customer that we have met a pre-defined business objective when we meet these claims in our Security Target. Key customers (Military, smart card, firewall, etc) often require that certain PP's be met within a given evaluation as entry criteria to their purchasing decisions. However, this does not mean a PP is required in order to pass through a CC evaluation. The requirements of the CC evaluation are outlined in the Common Evaluation Method, which is detailed in documentation found on the Common Criteria Website at http://www.commoncriteriaportal.org/public/consumer/index.php?menu=2

Hope this helps -

Jane Medefesser

Posted by Jane Medefesser on January 23, 2008 at 05:49 PM EST #
