The quest for secure computing has come to a crossroads. On one hand the most popular computing platform in the land, Microsoft Windows, is being significantly upgraded with many security enhancements, but the biggest IT advisory firm in the land says wait until 2008 to use it with confidence.
On the other hand, the U.S. government's pursuit of general standards for secure computing, capped under the umbrella of the Common Criteria Evaluation and Validation Scheme, is now being publicly embraced by scores of IT vendors as they rush to show how their products meet or exceed these latest dictates of military- and national security-level best practices for IT security.
One nice thing about the new Common Criteria 3.0 (CC) is that you don't have to wait for some third-party research firm to give the thumbs-up on whether it is safe to use software. Once a software product, or any controlled code distribution, has gained CC-level accreditation, you should feel pretty darn good about using it. If it's good enough for the National Security Agency and the Pentagon, it should be good enough for my address book.
Indeed, if Microsoft could attain CC validation when it brings Vista to market in about a year, then there would be no need to wait to use it. In fact, you'd be a damned fool not to rip out any of your older Windows, Linux, Netware, or Solaris right then and there and replace it all with CC-grade Vista. And you wouldn't have to wait for Gartner to say it's okay to use it. You'd know: Bada-bing, bada-boom.
But don't hold your breath waiting for military-grade Windows. The validation process for those many millions of lines of code -- even if the stuff was secure enough -- would take hundreds of man-years of labor and testing. Seeking such accreditation wouldn't make market or financial sense; Windows 2011 would be out by then.
It's really hard to get CC-type security clearance. Even Sun's Trusted Solaris is operating on waivers from some of the strictest military certifications. The certifiers reckon that Trusted Solaris has been so good for so long that it should be "trusted," but that still does not mean it has actually attained the highest levels of security clearance. It has simply gained an a priori clearance of sorts. You have to imagine that Sun would call it "Totally Certain Solaris" if it weren't for those pesky waivers.
Indeed, one of the biggest hurdles for vendors to gain the CC-level clearance and Pentagon's MILS/MLS-level benefits is size. When there is so much code, all the ins and outs need to be checked and cleared. So a general rule of thumb is the smaller the code base, the easier it is to certify. It's no coincidence that smaller code usually means more secure code, too. Also, each part of the code needs to be independently secure from all the other parts, hence the Multiple Independent Levels of Security (MILS) part. The key is independent levels of security, initially proposed brilliantly more than 20 years ago by J.M. Rushby. Thanks, doc.
So why are we at a crossroads for computer security? Because as more vendors gain CC-clearance, it makes sense to swap out non-CC stuff, or at least to put the CC stuff around the non-CC stuff as a wrapper, or at least build your firewalls and defenses with CC-grade solutions. Windows in a CC-grade container is better than just plain old Windows (POW).
Here's an example. At a Green Hills Software conference last week I saw an awesome demonstration of a standard x86 PC running a military-grade certified embedded real-time operating system, Green Hills' INTEGRITY, that itself acted as the security blanket for Windows and Linux, themselves running their applications natively. They call it running the commercial OSes in a padded cell, but I like calling it a security blanket better.
They say that many of the vulnerabilities of Windows or Linux still exist in such a mode, but at least the OSes are fully isolated. And you can manage the apps' access by giving them different levels of security, with no way to allow contact between apps not cleared for access.
That means those needing real security -- you people with my credit card number online, that means you -- no longer need a separate PC on a separate network for multiple applications. They can run them in an INTEGRITY PC or server and gain beautiful and certified isolation. This is good news for military (or financial) controllers who sit at a desk with a half-dozen PCs, each running one or two applications, only to properly isolate them from potential security lapses between them and from the OSes.
The notion of a small, tight, highly certified OS -- one good enough to fly a fighter jet -- offering a powerful security benefit and full partitioning on an off-the-shelf PC has major ramifications. Sun has been chatting up the benefits of the partitioning in Solaris 10 and its Janus Project for delivering a similar security-blanket benefit, but INTEGRITY is small enough to run on an electric razor, and has some of the highest security clearance of any software anywhere.
Green Hills is being coy about how and when it will come to market with its security blanket PC solution. CEO Dan O'Dowd says they have an initial happy customer using the Padded Cell approach, but he won't say who. Probably some agency with three letters.
Perhaps an OEM deal might make sense with some other vendors. HP, are you listening? Red Hat? How about Microsoft? Why not make Vista market-ready when it ships by getting it a security blanket?