EAL4, EAL6: How secure is secure?
Santa Barbara, Calif. – I’m down at the 4th annual Green Hills Software Embedded Software Summit, where GHS CEO Dan O’Dowd is talking about the company’s big push into secure networking. He’s citing that the company’s INTEGRITY operating system is certified as Common Criteria Evaluation Assurance Level 4+ (EAL4+), and is currently under evaluation for EAL6+. O’Dowd insists, as you’d expect, that EAL6+ is better, but further claims that all systems that are anything less can be easily hacked into and should be avoided.
Yes, O’Dowd used the word “easily,” and also hinted at a conspiracy between Microsoft and IBM to “hide” the existence of secure operating systems like Green Hills’ INTEGRITY.
O’Dowd is right in emphasizing security certifications in operating systems, and it is shameful that so few operating systems are certified (though, admittedly, it is a complex multi-year process). From Microsoft, the only certified OS that I know of is Windows 2000 at EAL4+. Windows XP and Windows Server 2003 have not been certified. Solaris 10 is undergoing EAL4+ evaluation. Novell’s NetWare and SUSE Linux Enterprise 9 are EAL4+. I believe that Red Hat Enterprise Linux is also undergoing the EAL4+ evaluation.
How important is this? Answer: It depends. Certainly, we want the OS to be secure, because vulnerabilities in the OS can undermine applications. This is true not only of publicly exposed server operating systems, such as those hosting Web sites, but anything on a LAN or WAN needs to be sure.
However, a secure OS is a baseline; it’s not a goal. Flaws in application servers are potentially just as devastating as those in the underlying operating system. Flaws in runtimes and libraries are devastating. Flaws in applications themselves, including faulty logic and insufficient data checks, are devastating.
Your operating system can be EAL6+, but if the Web application doesn’t perform checks against SQL Injection, you’re just as hosed as if it were EAL4+ or not certified at all.
EAL4+ and EAL6+ don’t promise that the operating system is unhackable, and they don’t imply anything about the quality of the non-OS code running on that system. What they do is show that the operating system can be deployed in a secure manner. Emphasis on can be.
So, yes, it’s important to want an operating system that can be deployed. But that’s only one requirement for a secure system, and pushing for EAL6+ isn’t the end-all and be-all that Green Hills insists it is.
Alan
Interested in your thoughts on EAL6. Your blog from 2006 says that you don’t think it’s the be all and end all. Now in 2008, is that still your opinion?
Andy
Andy – my thoughts haven’t changed. There’s more to security than just asking, “Is it EAL6?”