OpenBSD's security rating in the Orange Book classification system.


Post by RobRPM22 » Mon, 31 Jan 2000 04:00:00



Most Unices have around a C.2 rating in the Orange/Rainbow Books series on
computer security.

( The Orange Book is also known as - "Trusted Computer System Evaluation
Criteria, DOD standard 5200.28-STD, December, 1985" )

What security rating would a well-configured and security-patched copy of
OpenBSD have under that rating system?

--

Student, Assassin, Nice Guy |       " Witty quotes mean nothing. "
North Avenue Trade School |        

 
 
 


Post by Theo de Raad » Mon, 31 Jan 2000 04:00:00



> Most Unices have around a C.2 rating in the Orange/Rainbow Books series on
> computer security.

> ( The Orange Book is also known as - "Trusted Computer System Evaluation
> Criteria, DOD standard 5200.28-STD, December, 1985" )

> What security rating would a well-configured and security-patched copy of
> OpenBSD have under that rating system?

None.  Unlike what you say, Unix systems do not have such ratings by
default.

Some vendors make C2 additions which typically amount to adding
logging features to the system (and leaving all the insecure parts of
the system intact).

Many of us feel that C2 has nothing to do with security.  Regarding at
least this level, the DOD appears to live on a different planet, where
security has to do with accountability and activity logging.

To us, security means people can't manipulate the system into doing
something it was not configured for.  We think that is what most
people really want, when they say "security".

And do they have a security classification for that?  No, they don't.

--

Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions.  OpenBSD is Free Software.

 
 
 


Post by RobRPM22 » Tue, 01 Feb 2000 04:00:00


>None.  Unlike what you say, Unix systems do not have such ratings by
>default.

>Some vendors make C2 additions which typically amount to adding
>logging features to the system (and leaving all the insecure parts of
>the system intact).

>Many of us feel that C2 has nothing to do with security.  Regarding at
>least this level, the DOD appears to live on a different planet, where
>security has to do with accountability and activity logging.

>To us, security means people can't manipulate the system into doing
>something it was not configured for.  We think that is what most
>people really want, when they say "security".

>And do they have a security classification for that?  No, they don't.

Sorry, I've never read the Orange Book, but I assumed it was the standard
rating system in the field. I also assumed it required more in the way of
general security to earn high ratings.

Thank you for an interesting and informative answer.

--

Student, Assassin, Nice Guy |       " Witty quotes mean nothing. "
North Avenue Trade School |        

 
 
 


Post by James J. Lippa » Tue, 01 Feb 2000 04:00:00



>>None.  Unlike what you say, Unix systems do not have such ratings by
>>default.

>>Some vendors make C2 additions which typically amount to adding
>>logging features to the system (and leaving all the insecure parts of
>>the system intact).

>>Many of us feel that C2 has nothing to do with security.  Regarding at
>>least this level, the DOD appears to live on a different planet, where
>>security has to do with accountability and activity logging.

>>To us, security means people can't manipulate the system into doing
>>something it was not configured for.  We think that is what most
>>people really want, when they say "security".

>>And do they have a security classification for that?  No, they don't.

>Sorry, I've never read the Orange Book, but I assumed it was the standard
>rating system in the field. I also assumed it required more in the way of
>general security to earn high ratings.

It does, but real security doesn't really appear until you get to B.

The exhaustive test suite we had to do for the Multics Trusted Computing
Base (approximately analogous to a Unix kernel) to get the first B2
rating awarded really did help demonstrate Multics security (and find
a few bugs in the process).  Basically, we had to feed all kinds of
data to each and every entry point into the TCB.

(BTW, Multics was distributed with full source code, mostly in PL/I,
starting back in the 1970's.  All development work was documented,
peer reviewed and tested prior to even submission for production
release.  See http://www.best.com/~thvv/multics.html)

--

Unsolicited bulk email charge:   $500/message.   Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8  43C8 7AD2 B485 DE75 841C

 
 
 


Post by Theo de Raad » Tue, 01 Feb 2000 04:00:00



> >>And do they have a security classification for that?  No, they don't.

> >Sorry, I've never read the Orange Book, but I assumed it was the standard
> >rating system in the field. I also assumed it required more in the way of
> >general security to earn high ratings.

> It does, but real security doesn't really appear until you get to B.

To some degree I could agree.  When you get to B, you get security as
a trade-off against convenience.  The typical unix semantics you are
used to change significantly.  As a system administrator, you can
expect to do a fair chunk of re-learning.

Now, the OpenBSD goal is to not impact convenience.  We try to keep
the expected semantics and behaviour of the machine the same, but just
fix all the bugs.  It's basically ... security as a side effect of
quality control.

--

Open Source means some restrictions apply, limits are placed, often quite
severe. Free Software has _no_ serious restrictions.  OpenBSD is Free Software.