I have to admit that I had never before heard of a certification called EAL6+ High Robustness until the folks at Green Hills Software reached out to tell me that they were about to get it for their operating system, formally called INTEGRITY-178B.
EAL6+ High Robustness, I've since learned, means that the government has put INTEGRITY through the most rigorous hacking and security tests to determine whether it's strong enough to meet the needs of the most sophisticated and critical computer systems, such as those that support electrical grids, power plants and banking systems. EAL is an acronym for Evaluation Assurance Level - basically a national and international standard for IT security - and Green Hills execs say that INTEGRITY is the first OS to earn the EAL 6+ rating. In a statement, David Chandler, CEO of the new Green Hills subsidiary INTEGRITY Global Security, said:
This certification is the first time the (government's National Information Assurance Partnership) has certified that an operating system is capable of defeating intentional, hostile attacks - the types of threats we now face from sophisticated criminals, corporate espionage spies, international terrorists, and foreign defense and intelligence agencies.
It's been a long time coming, though. For years, government geeks put the technology through test after test after test. They attack it and hack it. They dig deep into the source code and try to find its vulnerabilities. It's not a quick process, for sure. But now that Green Hills has earned the certification, they've also earned some IT bragging rights - sort of.
I was kind of surprised to hear how vulnerable we all are, seeing that important computer networks are running on systems like Windows or Unix, which only have EAL4 ratings. I also couldn't help but wonder: If EAL6+ is so critical to the security of things like power plants and electrical grids, why has it taken so long for the government to approve Green Hills' INTEGRITY operating system?
In search of an answer, I stumbled upon Z Trek: The Alan Zeichick Weblog, which has had a couple of different postings about the EAL certifications, including a December 2006 entry titled, "EAL4, EAL6: How Secure is Secure?" In it, Zeichick - blogging from Green Hills' Embedded Software Summit - explains why EAL6+ certification is important but doesn't necessarily mean that computer systems will be more secure:
Certainly, we want the OS to be secure, because vulnerabilities in the OS can undermine applications. This is true not only of publicly exposed server operating systems, such as those hosting Web sites, but anything on a LAN or WAN needs to be secure. However, a secure OS is a baseline; it's not a goal. Flaws in application servers are potentially just as devastating as those in the underlying operating system. Flaws in runtimes and libraries are devastating. Flaws in applications themselves, including faulty logic and insufficient data checks, are devastating.
Your operating system can be EAL6+, but if the Web application doesn’t perform checks against SQL Injection, you’re just as hosed as if it were EAL4+ or not certified at all. EAL4+ and EAL6+ don’t promise that the operating system is unhackable, and they don’t imply anything about the quality of the non-OS code running on that system. What they do is show that the operating system can be deployed in a secure manner. Emphasis on can be.
So, yes, it’s important to want an operating system that can be deployed. But that’s only one requirement for a secure system, and pushing for EAL6+ isn't the end-all and be-all that Green Hills insists it is.
At least one other company, Wind River, is also waiting for EAL6+ certification. In June, the company announced that its VxWorks MILS 2 was being evaluated for the certification as well.