Recent threads about Windows and UN*X/Linux security have really crystallized something for me... very few people have any idea what exactly constitutes an operating system's security. Needless to say, this situation demands a tutorial. ;)

First let me discuss for a moment what the perceived idea of operating system security is, and why it is incorrect. Many arguments revolve around themes like: “Windows has way more viruses and exploits all the time!” “Apache.org got rooted, twice! Linux sucks.” “My professor said…” “Oh yeah? Hack my computer!” None of these really focus on operating system security at all. The Windows viruses and exploits, like the Apache.org roots only deal with specific systems, be they highly configured or completely default. The operating system itself isn’t discussed. (I have no desire to go into the default configuration subject here as it is a marketing choice and in no way affects they operating systems security.) This is also why the argument “It is only as secure as the person running it” is also flawed. Yes any given system is only as secure as it was configured to be, but again this is no statement on the operating system’s security.

Why then do people constantly dance around and around this subject? Answers about specific configurations are of no use to someone wishing to know which to use or simply just curious. Answers about each only being as good as the admin merely raise further questions, because wouldn’t that mean that all systems can be exactly as secure? Obviously this isn’t true… answers are never reached and the issue gets reopened time and time again.

I wish to close this topic by educating members on exactly what operating system security is and how it is quantified.

Security, as many of you know revolves around the appropriate protection of three elements:

Confidentiality
Integrity
Availability

or "CIA" as someone who is studying for their CISSP will invariably spout. Confidentiality is of course keeping information secret, integrity is preventing the information from being altered incorrectly, and availability is ensuring that the system can perform its function. Now availability is a whole different animal than the other two, and in this day and age essentially moot to discuss without the context of a network, as such it extends beyond the scope of this paper, sorry. Operating system security then consists of six (nine including availability) parts:

Confidentiality: Protection Model
Confidentiality: Capabilities
Confidentiality: Assurances
Integrity: Protection Model
Integrity: Capabilities
Integrity: Assurances

Each of the protection models should be proven (typically against a safety analysis model such as the Harrison, Ruzzo, and Ullman model) to ensure that they are free (or as close as possible) of theoretical exceptions, that is instances where no matter how well it is implemented the model can be circumvented. Well known protection models include the Bell-LaPadula hierarchical mandatory access confidentiality model and the Biba hierarchical integrity model. The model is the most important aspect of security, even if everything else in the system is perfect, it will still be exploitable if a weak model is used. Systems tend to use several protection models for each of the three roles, mostly because the more complicated they get, they harder they are to prove so it is simpler to use a collection of simple models rather than a single comprehensive one.

Capabilities are the tools and functionality the operating system uses to implement a given model and may include things like the specific access controls or what privileges are available and how they are defined. Examples include groups, how setting the system time is controlled, or having the system crash when it is unable to audit particular events.

Assurances are a way of determining that the models are implemented correctly and cannot be bypassed and that the capabilities actually do what they are supposed to. Additionally assurances can cover nearly all aspects of the operating system, from the maturity level of the development team to the quality and comprehensiveness of the documentation to the architecture of the operating system itself (though this also falls under the security model, however I’ve listed it here because it is a function of a higher assurance system rather than a specific protection model.) For example, using a microkernel architecture allows for much higher assurances as all aspects of the protection models may be implemented at a single point known as a reference monitor (“An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects” - Federal Standard 1037C) concept.

Now, rather than making vague accusations about (random OS) sucking because you read some report in “(competing OS) Weekly” about how (random OS) has more reported defacements in the last three months, you could say something along the lines of: “I feel (competing OS) makes for a better web server because it uses the X integrity protection model and (random OS) uses the Y integrity protection model, and that has been proven flawed, so it doesn’t matter how much money/programmers they throw at it, the problem is too deep to fix without additionally functionality.” Doesn’t that look much better? Only problem… if you know what the models, capabilities, and assurances were, you wouldn’t be reading this document, right? So odds are you don’t actually know details about any of these.

Real world operating system protection models fall basically into one of two types: Mandatory and Discretionary. Mandatory access controls tend to be found in higher security systems like those frequently used in the American (imagine my surprise in Australia at the ANZ and NAB… “Trusted operating system, what’s that?”) Financial and aerospace (this includes a lot more companies than you might think, eg. GE) sectors and US military/government (also a growing number of technology companies including IBM, HDS, and HP.) Mandatory access controls can follow any number of models, but they essentially say the same thing: subjects cannot change an object’s permissions. Discretionary access controls are essentially the opposite: subjects (having the required permissions to do so) can change an object’s permissions. Effectively, this means that in mandatory controls the subject’s permissions are defined by the subject’s level/label/compartment/network flag/whatever whereas with discretionary controls the subject’s user ID defines the subject’s permissions. This means both models have different traps; a common one for mandatory controls is that the system becomes unusable and with discretionary controls subjects may attain more rights then they should.

Like I said before, know your models, they define everything on top of them and knowing the model will help you in knowing the potential hot spots of a given system… as any good hacker or admin will tell you, this is essential when dealing with either side of the 0-day question.

Capabilities tend to revolve around not only the specifics of the security model’s access control implementation, but also other supporting elements. An example would be trusted subjects (subjects which are allowed to violate the security model in some predefined way) within a mandatory access control system. These allow the admin to intervene and prevent the system from migrating toward entropy. Other examples of supporting elements include Windows’ crash on audit failure feature and Windows’ (among other operating systems) segregation of administrators and operators. Perhaps a better-known example would be discretionary access controls, which are found in more common operating systems like Windows and Linux. These need to be finely grained. Various rights (read, write, execute, delete, give/take ownership, read/write attributes, email, and print are good ones) should be defined for both allow and deny with granularity to a single subject (subjects, groups, services, and systems ideally). Systems with more anaemic controls then this are likely to have a number of problems including the aforementioned organic propagation of permissions and will be more complicated to maintain in instances with non-related subjects needing similar access to the same or a wide set of different objects.

Just because a system utilizes a good model doesn’t mean it is secure, if the model is badly or incompletely implemented the system will not only have grave security issues, but in the case of supporting capabilities attackers will actually know what exact weaknesses as most supporting capabilities are exist to fix specific theoretical flaws in the applied model.

Finally, to everyone’s favourite part… assurances. Yes, this includes code bugs and to a lesser extent configuration errors. Which are responsible for at least 99% of the exploits discussed here and unfortunately, most systems don’t segregate confidentiality and integrity much, so these code bugs effect both typically. Now comes the more complicated part, and this is considering how the system handles security related checks, and what level of assurance this process has. Clearly having a single, very simple (ideally a finite state machine) security monitor that checks every process is the way to go. Unfortunately systems with this type of assurance tend to be out of yours or my price ranges, but the principal applies to lower assurances systems as well… the closer you are to the theoretical ideal, the better. Obviously a systems that requires every application to be responsible for its own security has lower assurances (countless security checks) than a system which handles security at the kernel level and effectively segregates applications from the rest of the system. The next major aspect of assurance deals with configuration. Does the vendor provide adequate documentation? Note, I did not say “does documentation exist?” because different authors are likely to have different ideas about doing the same things, frequently with more and different types of shortcuts. The vendor should make available some sort of trusted facilities manual and the better this is, the more comprehensive it’ll be. In a perfect world the vendor would provide you with the exact configuration for the most secure stance in any/any combination of roles. Sadly, commercial systems are a loooong way from this ideal. In the meantime however guidelines for specific roles should be made available be the vender and be clear to implement by even a jr. admin.

Hopefully this will give you a better idea of what to compare when comparing the security of various operating systems. If you still are having trouble weighing the relative strengths and weaknesses of different models, capabilities, or assurances, I suggest you check out DOD-5200.28-STD or ISO-15408. Many people will argue that these are dated or just not applicable to real life, the reality is… this couldn’t be further from the truth. It is still possible to evaluate every aspect of the most modern operating system’s security against with these documents. Meaning, they have not been outgrown and why is that? Because they are fairly vague, merely roadmaps, basically they say: “What type of model does the system use? Can this model be proven? If not does the system utilize supporting capabilities to adequately shore up any inadequacies in the model? Has the model been implemented correctly? Is it bypassable through poor assurances or flawed capabilities? Do you have documentation on how to use the system correctly?” So you can see how this is a more or less timeless yardstick and reading a few evaluations will be very helpful in understanding further specifics.

Follow the same approach and you’ll be able to compare the security of any operating systems, organizational systems, applications, networks, anything. :)

Now I realize this makes for threads a little less fun than: “(random OS) sucks because it has too many holes”, but perhaps they might be a little more useful as well.

cheers,

catch

PS. I apologize about the length, my girlfriend is on night shift this week and I was bored outta my mind. ;)

Nice.

Shows that some OSes are better for different applications and enviroments without going on with the constant MS\*nix battle.

Also the importance of the initial setup and documentation.

and finally the administration and support.

And not just on the OS level...but the apps that run on them and the people who will be supporting them are all factors.

I have always believed each OS has it faults and attributes depending on the enviroment and applications it will be used in.

One thing...do you have a link for those docs

I suggest you check out DOD-5200.28-STD or ISO-15408.

I would be interested in reading those.

MLF

Not exactly... it is possible for one system to be more secure than another across the board. The problem is, much of compter security theory is beyond the understanding of the majority it its customers... try explaining why something like the non-interference model is needed to deal with the low water mark problem found in hierarchical labeled systems to someone that can't get past thinking that the real answer to security is to ship a product with basically no services running. It ain't gonna happen... the end result, many very insecure products stay on the market.

As I've said initial setup is a non-issue, the trusted facilities manual should tell the system implementer how to configure it from the default status to the most correct for its current role via a series of guidelines and procedures. Consequently it mustn't be considered when comparing operating systems security as that again falls onto specific systems.

The applications running on the systems and the supporting staff are not relevant to this thread.

DOD-5200.28-STD:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

ISO-15408 (Common Criteria/ITSEC):
http://niap.nist.gov/cc-scheme/index.html

catch

I guess I must of misunderstood...


Thanks for the links

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797508) by catch
“Apache.org got rooted, twice!

PS. I apologize about the length, my girlfriend is on night shift this week and I was bored outta my mind. ;)

Heh, if you think THIS is "long" then I can see why she works nights. ;) Buahahaha

Anyway, I never new Apache.org was rooted. That's not too much of a shock though. Debian.org was, Gentoo.org was and they even got it so bad that some of the ISO files could have been tampered with.

Catch, I know you're not to big on Linux, but have you ever tried SUSE? or Slackware? SUSE has a lot of security tools, and is very nice, and maybe you could try it out?

You know what would REALLY make this a good dicussion? If I started an argument on why you think UNIX will never be secure as long as root exists ;) What do you say man?

http://www.wbglinks.net/pages/reads/hacksexplained/index.html

go there gore and read all about apache.org being owned :)

Apache.org has actually been owned twice... a real interesting document on the subject that I suggest everyone who reads this thread should read can be found here:

http://www.ints.ru/~ilmar/trustedos/trustedos.txt

SUSE is no more or less secure than any other linux, it uses the same protection models, it has the same capabilities, and the same assurances. The fact that it ships with more security tools makes no difference. (in fact you'll note my document had no section on security tools. ;) )

UN*X will never be secure for a number of reasons, root is but one. However, when I speak of "never secure" I mean that it could never be considered a "secure OS" not that it is too insecure for anything. UN*X has other advantages and is secure enough to be cost effective in many commercial and even more research environments.

cheers,

catch

what would you name as the most secure OS in the World?

By default

And Most secureable.

The "by default" question is garbage, which is part of the point I am trying to make. It is garbage for a number of reasons:

The default configuration is the measure of a give system, not the OS.
There is no baseline for default configurations, different systems are defaultly configured to do different things.

As for the most secure OS, any featuring a verified protection model and formalized and verified reference monitor (in the case of KSOS based on a finite state machine) will be equally secure. Why? This means you have a theoretically secure protection model, all the capabilities required to implement it and proven complete assurance. The system as a result is theoretically secure.

cheers,

catch

For the comment on Linux and UNIX having a problem because of root, wouldn't that mean Windows has one because of Admin/System? Root can use sudo and help keep power down, but too me, every OS in existence right now was based on UNIX. In one way or another anyway. Even Windows has borrowed from it.

Kind of makes you wonder though. Is Open BSD actually secure, or is it just a configuration ;)

Catch, what do you use on your home machines?

I have Windows XP Home on my laptop dual booting with SUSE 8.2 Professional, this box is SUSE 8.1 Professional, the box next too me playing my MP3s is SUSE 9.1 Professional, and the box next too it is Slackware 10 / Windows XP.

Admin/System accounts are not the same as the root account. The Admin/System accounts can be resricted by the security policy, root cannot be. Admin/System accounts are just powerful in the context of the policy, not outside of it.

Sudo, doesn't keep the power down in any real way, so long as the account exists, it will be a problem.

Very few systems are based on UN*X actually, Windows is not, nor is MacOS, (any version, OS X is more based on MACH, but for publicity it sounds better to say BSD, though the BSD influences are more slight) nor is MVS, or any TOS (even Trusted Solaris, Trusted IRIX, and HP-VV are just just made to look like UN*X but are not UN*X based), QNX isn't UN*X based either.

OpenBSD is no more secure an OS than Mandrake Linux is. In fact it might even be less secure. This about it for a moment... it uses the same protection model for confidentiality and integrity as Mandrake does. It has the same capabilities (same access control scheme, same lack of non-permission based privileges). The only difference is in assurance, and according to the good people at Stanford Labs, the Linux kernel actually has fewer source bugs than the OpenBSD kernel. So why is OpenBSD more secure? True a given OpenBSD system may be more secure than a given mandrake system, but this fact alone (even in default configuration) in no way makes it a more secure operating system.

I pretty much use Windows 2000 exclusively, I used to have a few more exotic systems, but I didn't want to risk any customs or export issues so those are still back home in California.

catch

"Very few systems are based on UN*X actually, Windows is not, nor is MacOS, (any version, OS X is more based on MACH, but for publicity it sounds better to say BSD, though the BSD influences are more slight) nor is MVS, or any TOS (even Trusted Solaris, Trusted IRIX, and HP-VV are just just made to look like UN*X but are not UN*X based), QNX isn't UN*X based either."

Just curious, but what do you consider a OS ACTUALLY based on UN*X, if none of these qualify.

Windows is not


Do you not consider XENIX an UNIX then?

Cheers,
cgkanchi

Too me, I consider anything POSIX, or with a UNIX style shell, that can handle UNIX based commands to be UNIX like, or maybe UNIX based. Microsoft said in DOS 2.0 they wanted it to be more UNIX like. Catch, you need to come visit sometime. I'll sit you down and give you an accoutnon my SUSE box, well one fo them.

I think you'd like it, regaurdless of security. SUSE is one of the OSs in the World that cares about security.

I've been thinking of setting up a SUSE box, popping it in my DMZ, and letting some of you take a crack at it, literally. Would make a good discussion.

Too me, I consider anything POSIX, or with a UNIX style shell, that can handle UNIX based commands to be UNIX like, or maybe UNIX based.

Not to throw a one-liner in here, but UNIX-like and UNIX-based have completely different meanings. Something written to look like UNIX obviously doesn't mean it was based on UNIX architecture.

Hrmm.. I am curious as to what Catch considers a "true unix". I suppose the AT&T Unix would be it but aren't OSes like BSD (Free, Open, BSD itself), Solaris, HP, etc. evolutions of true Unix???

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797690) by gore
every OS in existence right now was based on UNIX. In one way or another anyway

Hum. Z/OS), Z/VSE, Z/VM arent based on Unix. In fact, for those O.S., Unix is a child. OS/400. OS/2 is not unix based either. Just staying on IBM platform.

IMHO any system that was based on ATT Unix is a "unix like". Even those that was rewritten from scratch, but had used most routines of the "original one", like kernel model, thread model basic config, etc...

However, have a "unix Interface" doesnt means that its a unix flavor. just means "hey, i can use ls and cp here".

I said in one way or another, because all OSs have borrowed from UNIX. Linux is UNIX like, and I know there is a difference, because Linux wasn't a "version of UNIX" although now, is there really a true UNIX still in use? UNIX could pretty much just be called a standard for UNIX like OSs, as said on the Open Group's page, as they make things like that. UNIX 98 for example.

I'm trying to think of the words to actually say this correct, but anyway, Linux isn't something so you can use "ls". Linux doesn't allow you to do that, the Bash shell does. And so do a lot of other shells. If you say Linux isn't UNIX, you might as well say Windows NT isn't Windows because it wasn't based on Windows 95. Linux and BSD are OSs that are UNIX like, and in the case of BSD, it is considered to be UNIX.

Windows 95 and Windows NT and Windows XP are all a version of something that everyone calls "Windows" but the code base for 95, 98, ME, and 3.11 are not the same, or based on anything from the NT line. So why say Linux isn't UNIX? The inspiration for Linux was there because Linus wanted something like SunOS to use on his computer and Minix wasn't cutting it.

UNIX has like 500 different versions, and every company has made their own version.

OS/2 isn't even an OS, it's a bastard child that IBM gave birth too with Microsoft because no one had the balls to hand them a coat hangor.

I doubt anyone in this thread could sit down at a Linux box, a BSD box, and a UNIXWARE box, and be able to actually point out differences if the Kernel names were covered up at log in time. Well, that and not being able to use uname.

I doubt anyone in this thread could sit down at a Linux box, a BSD box, and a UNIXWARE box, and be able to actually point out differences if the Kernel names were covered up at log in time. Well, that and not being able to use uname.

I might be able to ;). The layouts and certain files are vastly different (I see that in Solaris, FreeBSD and Slack). In addition, Unix boxes (or those more closely related to that derivative) tend to view the operator as having a clue (that is, if you type in rm it doesn't ask if you want to remove files, it just does what you tell it to) whereas Linux has been "user-fied" (for lack of a better description).

LOL, in RedHat and Fedora it does that, on my Slackware machines and SUSE boxes though, it doesn't ask unless you tell it too.

I didn't want to sound like no one could tell, just trying to find a way too make my point that just because UNIX code from AT&T isn't in the OS, doesn't mean it's not something like UNIX.

Windows has a command line FTP client, well that was from UNIX, heh, so technically, you could say the same, in one way. OF course I'm just starting shit to keep this somewhat good discussion going. Catch is a buddy of mine so I don't have too worry about him flaming.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797841) by gore
OS/2 isn't even an OS, it's a bastard child that IBM gave birth too with Microsoft because no one had the balls to hand them a coat hangor.

Man, you should go out (of linux) more frequently. :P
OS/2 is an amazing O.S. In fact some HSM still use it instead a Unix flavor.
IT world didnt start when Unix was born. It started far earlier. And some of that T-Rex O.S. are still present nowadays.

However i agree with you about Linux. Its just another "flavor". It was written (copied) from scratch, but it stills use Unix ideas and concept about kernel construction. So, Linux is a *nix.

Although i've read those considerations about xenix (as far i know xenix WAS a Unix flavor), I cant see those structures on Windows NT (and beyond). Can someone list that "similarities" from Windows to *nix? I would like to have those references...

Xenix was yet another UNIX Os that Microsoft sold that SCO made for them, and when IBM came out with the PC, they said the hell with this and went after DOS, which they bought from Tim Patterson from Seattle Computer Products, named Q-DOS. Which stands for "Quick - Dirty - OS".

they bought it, changed the name to MS-DOS and PC-DOS, and renamed it in the OS code, even though if you look hard enough, the original version of DOS still had QDOS written in it somewhere, as they forgot to change it I guess.

Windows now has to have a GUI to run, UNIX does not. There are quite a few differences from UNIX and Windows, and for looking at them... Well, I've never seen much of a comparison like what you're asking for though.

Now, being a BOFH, you're not making me think OS/2 is good in any way shape or form. I wouldn't even whipe my ass with an OS/2 manual. The staples hurt.

I use Linux all the time, but not just Linux. I also use BSD, Windows, DOS (Real DOS, no pussy Windows NT CMD shell) and BeOS. I also play with OSs no one has ever heard of because the only people using it are people writing it and a few who know about it. Heh, I should make a list one day.

so you use alot of operating systems, and play with ones that most people wouldn't have heard about. but by play there, do you mean use ... or are you ripping them appart in hopes of say fashioning your own operating system from pieces of the ones you play with?

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797820) by MsMittens
Hrmm.. I am curious as to what Catch considers a "true unix". I suppose the AT&T Unix would be it but aren't OSes like BSD (Free, Open, BSD itself), Solaris, HP, etc. evolutions of true Unix???
Me too, given the BSDs are (or at least were in the not too distant past) genetic unixes. Solaris is a true Unix operating system, as are HP-UX, AIX, AT&T's Unix, etc...

It's all well and good to be vague when labeling "Operating Systems" like linux, but the truth of the matter is Linux is just the kernel, and is highly configurable at that. Combine this fact with the possibility of obtaining supported patches from government organizations whose sole aim is providing security models from government specifications, and you end up with even more vaguely worded half-truth. It is about as correct as saying "IIS is vulnerable to Code Red". It would be nice to see specifics about what is being discussed. As catch says at a number of points, the default install is not relevant because "the default configuration is the measure of a [given] system, not the OS." In turn, default kernel configuration is irrelevant.

Catch, you are however incorrect when you state:
The Admin/System accounts can be resricted by the security policy, root cannot be.
It is incorrect since the root account CAN be restricted, whether it's through something like User Mode Linux, the NSA SELinux patches, or some other means -- the point being the potential to restrict the account is there.

Anyway, SELinux and UserMode Linux are both projects that exist that bring certain types of the functionality being discussed here into the kernel. NSA's SELinux doesn't make linux into a "trusted" operating system, however it does take a large step in the direction of what catch is discussing.
http://www.nsa.gov/selinux/
http://user-mode-linux.sourceforge.net/

I consider any system with a UN*X style architecture that came after UN*X to be UN*X based.

DOS is not UN*X based because it isn't multi-user/multiprocessing.
Windows NT isn't UN*X based because it uses a microkernel architecture.
QNX isn't UN*X based because it too uses a microkernel architecture.
Trusted Solaris/IRIX/HP-VV are not UN*X based because they use labeled protection models and don't have superuser accounts, among other reasons.
etc...

XENIX is UN*X based, Secure (and later Trusted XENIX after being sold to TIS) XENIX is what NT is based on, with influences form VMS of course. Neither Secure XENIX or VMS are UN*X based.

While many of these systems may function similarly from the user's vantage, they are not the same and this is done for simplicity of acceptance. It is easier to introduce a system that seems to work like a system people are already familiar with.

It is incorrect since the root account CAN be restricted, whether it's through something like User Mode Linux, the NSA SELinux patches, or some other means -- the point being the potential to restrict the account is there.
Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.). It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.

There is also a Trusted Linux project that HP is running (last I checked anyhow) and a trusted PS2 Linux as well that the guys from Argus Systems were working on, as well as Pitbull and Pitbull LX also from Argus Systems. Again, these systems are changed in fundemental ways and would no longer be refered to as "Linux."

cheers,

catch

IBM beat you too that multi user DOS thing ;) DOS-2000 is a Multi User OS and is DOS. I have bit more about it in my OS paper I've been working on.

Catch, do you like Linux at all? Or don't use it? Just wondering about that. I knwo you like AIX, I still have the PM from last year where you and me talked about this. Overall I think this has been a very good discussion, and no one has flamed anyone. Some difference in opinion and so on, but no flaming.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797943) by catch
Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.).
So according to your arbitrary decision on what Linux is, all the information in the tutorial is accurate. If you take a differing viewpoint, it is wholly inaccurate. How can you factually state something that varies based on a matter of opinion? Even if I agreed with your statements, you are still incorrect since many of the distribution companies that distribute linux also modify the kernel to suit their needs -- well beyond backporting. Windows XP Home, Windows XP Pro, Windows Mobile, etc., are all variants of Windows, and they offer different security mechanisms, does that mean XP Home is not Windows? No, it means it is simply a variant offered by the vendor. If your contention is that variants should only come with the vendor to be valid it still makes no sense, since the vendor in this instance is whoever distributes the packages. In reality, kernel features in Linux are as interchangable as application software on Windows. You can't restrict Linux's capabilities with your paid Operating System mindset and still offer a constructive discussion IMO, and that is pretty much what I see going on here. Please feel free to explain to me how this isn't the case.


It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.
They don't really complicate the issue when you admit that it can be done. The only thing it complicates is the validity of your argument. The point I am making is not that Linux does this by default, which you yourself say is irrelevant, it is that Linux is CAPABLE of the actions you say it isn't, but it requires a bit of extra work/patches.

There is also a Trusted Linux project that HP is running (last I checked anyhow) and a trusted PS2 Linux as well that the guys from Argus Systems were working on, as well as Pitbull and Pitbull LX also from Argus Systems. Again, these systems are changed in fundemental ways and would no longer be refered to as "Linux."
The changes are not as fundamental as you seem to believe. The kernel is designed in a modular fashion allowing simple modification of various parts while still maintaining the functionality of the rest. It might surprise you to know that there are already a number of built in ACL options, and if I recall correctly, they have either added or will be adding soon experimental support for the NSA's alternate ownership schemas.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797851) by gore
Xenix was yet another UNIX Os that Microsoft sold that SCO made for them
Xenix was straight up 7th Edition Unix licensed to MS from AT&T. MS then modiified it with some BSD code and let other companies distribute in for various 16-bit arches. SCO released the version for the 8086 and later ported it to the 80386(32bit) and renamed it SCO Unix.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797943) by catch
I consider any system with a UN*X style architecture that came after UN*X to be UN*X based.

DOS is not UN*X based because it isn't multi-user/multiprocessing.

There are alot better reasons than that, but fair enough. :)

Windows NT isn't UN*X based because it uses a microkernel architecture.

Windows NT 3.51 was built on modified microkernel architecture but every revision of NT since then has taken it further away from that arch. Of course it depends who you ask but as you have said yourself you do not code, I can tell you as someone who does, that Windows includes device drivers, portions of the Windows subsytem, registry functions, power management , and more which is not what a microkernel is all aobut, and I believe its VERY contestable that it remains a microkernel.


QNX isn't UN*X based because it too uses a microkernel architecture.

True enough, QNX is a true microkernel, you can also get the whole OS on 1.44MB floppy which I think you may be hard pressed to with Windows XP.

Trusted Solaris/IRIX/HP-VV are not UN*X based because they use labeled protection models and don't have superuser accounts, among other reasons.
etc...

Ok, thats just silly. A secure or "trusted" UNIX system (including all the ones above) just means they are on the NSA's EPL (Evaluated Product List) and have been given a indexed rating of the "assurance" level you can expect. This does not make them any less UNIX based or UNIX like. If you are so sure they are not UNIX maybe you can explain to me why all the afore mentioned companies have been paying for their UNIX IP for the last 20 years.

XENIX is UN*X based, Secure (and later Trusted XENIX after being sold to TIS) XENIX is what NT is based on, with influences form VMS of course. Neither Secure XENIX or VMS are UN*X based.

Ugh. VMS was created by Digital and is not UNIX - true. One of the engineers Dave Cutler (also RSX-11) was later hired by MS to design NT - right. However. NT is not based on Xenix (aka UNIX) it was orignally intented to be an extension of the OS/2 api, hence why it was originally named OS/2 3, but after the release of Windows 3.0 they decided to hell with that and to extend the Windows api instead.


Once these changes are made, the system is no longer considered Linux, as the kernel is not the same as the one distributed from kernel.org (This i what I refer to as Linux, anything else would be a variant and no longer Linux by my terms, as I beleve is standard to not do so. I note aditional variants below.). It is true these changes can be made, but I wanted to leave them out because they complicate the issue which so many people are already having trouble with. If I wanted to, I could have a multiuser patch developed for DOS, but I wouldn't say DOS is a multiuser system, same principal applies here.

I understand your point here but for the sake of discussion, is it productive? Lets say they are linux based or linux like. :) I mean is my Windows NT with SP6 still Windows NT? How about SP4? What about the kernel hooks Norton Anti-Virus puts in, still Windows? Yes I realize all these kernel patches (aka Service Packs) come from MS but Windows is a comercial operating system, and Linux is well,er.... Linux. Just keep in mind that all your EPL stuff and government auditing and such, takes time and a shitload of money. Who is going to pay for all this for Linux? Honestly, probably IBM,Novell,or SGI will, heh-heh :), but I digress - SELinux can be used to introduce Mandatory Access Controls as well as some other security models in Linux and is a good application of some of the subject matter you covered in your tutorial.



-Maestr0

For Xenix, well, I guess I read it wrong (Heh, go a week doing what I do and you'd make mistakes too) but I thought it said SCO made XENIX for Microsoft. Guess they only did a port then?

NT being a Micro Kernel... Heh, I had only heard of it but never believed it. NT is actually a Micro Kernel? Or was?

Windows Kernels is a weak point for me, I couldn't tell you a damned thnig about them. Is 2000 Micro? XP?

If they are not, are they mixed in a way at all?

Not that I like Micro Kernels. too much a pain in the ass from the looks of it. Too me a Micro Kernel is like a Network. Well, a poorly designed one. All those cables that seem to forma big ball, all somehow hooked into a router, and none of them marked or color coded. Heh, at that point a lawn mower or an axe are your only hopes.

Does EPL honestly mean anything to any of you other than the fact that a company has money and wants new marketing? I don't pay attention to those ratings. Seems like a load of shit too me. NT had a C2 rating where I read. Special / Ideal conditions, registry edit, no Network Cable... I'm not sure exactly how much all of that is true, and I tend not to believe all of it.

VMS is an Os I've never used, and I didn't think it was really based on UNIX, but it seems to be used for very similar purposes. Does anyone have any images of VMS?

I'm asking questions not because I'm JUST wondering, but too keep this going.

Yes we can dance around what an exact definition of Linux is... the system Torvalds invented did not have the functionality of which you speak. If you say that root can be removed from the security policy and your average person reading this gose out and gets any of the major flavors of Linux, will they be able to do that? Of course not... Linux being open source can be completely modified... so what then is the functional definition of Linux? I used the one I'd heard most frequently (the kernel as provided by kernel.org), you disagree with this, and I recognized your points as valid exceptions... I still contented that systems like SE Linux are the exception to Linux and not the rule, and therefore constitute individual systems and not Linux as a whole.

How about you tell me what, in your expert opinion defines the Linux operating systems and we can continue the conversation from there?

I believe its VERY contestable that it remains a microkernel.
As I replied to chsh, I am going with accepted definitions... the NCSC and NIST both say Windows NT is a microkernel. This was a paper on the abstracts of operating system security, not on arguing semantics of specific systems, variants of these systems, or anything else of that nature.

Ok, thats just silly. A secure or "trusted" UNIX system (including all the ones above) just means they are on the NSA's EPL (Evaluated Product List) and have been given a indexed rating of the "assurance" level you can expect. This does not make them any less UNIX based or UNIX like. If you are so sure they are not UNIX maybe you can explain to me why all the afore mentioned companies have been paying for their UNIX IP for the last 20 years.
I am sorry here Maestr0, but this is incorrect. Trusted Solaris, Trusted IRIX, and HP-VV are completely different operating systems than their untrusted counterparts. They are merely work alikes (that is they can be used for the same tasks, not that they function exactly the same). These systems have modified the architecture to allow for a reference monitor concept, they have their discretionary access policies extended, mandatory access controls added, in fact one of the aspects that is unchanged from their untrusted counterparts is the assurances. Systems like Trusted Solaris are rated at B1, which means no additional assurances over their untrusted counterparts.
The aforementioned companies still pay for UN*X rights with regard to their standard operating systems (Solaris, IRIX, HP-UX) and for specific technologies in these other systems.

The trusted operating system arena has been an interesting one, frequent attempts to make a security kernel, and then run UN*X on top of that have left many people confused about what exactly the definitions of everything is... again I opted to use what I felt to be the most common and widely accepted definitions as I was in no way wishing to enter a debate based on terminology.

Ugh. VMS was created by Digital and is not UNIX - true. One of the engineers Dave Cutler (also RSX-11) was later hired by MS to design NT - right. However. NT is not based on Xenix (aka UNIX) it was orignally intented to be an extension of the OS/2 api, hence why it was originally named OS/2 3, but after the release of Windows 3.0 they decided to hell with that and to extend the Windows api instead.
I didn't say it was based on XENIX, I said Secure XENIX, which is a totally different animal, again that is a functional replacement, but very different on the inside. In fact nearly NT's entire security policy (excluding mandatory access controls) is lifted directly from Secure Xenix.

I understand your point here but for the sake of discussion, is it productive? Lets say they are linux based or linux like.
No, it isn't productive, nor is it the path I wanted this to take. It was supposed to be an abtract about quantifying operating system security... not comparing and complaining about specific definitions of operating systems. I attempted to use the most widely accepted definitions and I hope the fact that I have clairified this will put an end to such debated points here... otherwise the original subject will be left behind over irrelevant semantics.

I mean is my Windows NT with SP6 still Windows NT? How about SP4? What about the kernel hooks Norton Anti-Virus puts in, still Windows?
Again, these matters would need to be resolved by those talking about the systems in which they are comparing, I merely wished to provide the format in simpler terms, which is used to measure OS security. (The norton system, would be a specific system and not the OS as a whole, and NTSP6 vs SP4 offer the same models, and capabilities, the only difference would be assurances.

Just keep in mind that all your EPL stuff and government auditing and such, takes time and a shitload of money. Who is going to pay for all this for Linux?
You are the one that brought up the EPL's, not me. ;) Besides, redhat and I think suse have already been evaluated against ISO-15408.

SELinux can be used to introduce Mandatory Access Controls as well as some other security models in Linux and is a good application of some of the subject matter you covered in your tutorial.
Yes it can, but this article wasn't about specific operating systems or their non-production level, extensions. The operating systems I mentioned were simply to clarify a point with something people might be more famialir with and to make some elements a little less abstract by showing their context.

cheers,

catch

Just had news that I need to be traveling the next two weeks, back after that.

Please keep questions and comments to the subject at hand, that is a way to measure OS security and not specific operating systems questions, as until the original subject matter is understood, specific OS conversations will be dead and go in circles. ;)

cheers

rob

As to what is or is not unix, the question gets even more complicated
when you consider hardware differences. Much of the os is "portable"
in the sense that it can be compiled and run on different processors,
but since so much of the character of an os is in the kernel, there's much
that can't be the same. The kernel runs on the hardware.

A processor that lacks in sophistication really can't support an os the same way
as one with better native capabilities. Now any "unix" kernel regardless of
hardware, is going to try to present the same interface to the higher level
components of the os, and users will never notice the low level stuff,
but os designers obviously know the difference.

So maybe security is also dependent on the processor type. I would bet that those
truly secure os types such as run at nuclear weapons labs only work on special hardware
and prolly no absolutely secure type exists for x86 machines.

One related question. Can an installable os ever be secure? If I have the authority to install the os, doesn't this mean that ultimately I must be totally trusted and own
the system? Or can it have a mind of its own and decide what permissions to allow
me, after I have installed it?
:cool:

Don't take me the wrong way Catch, I wasn't criticizing your tutorial, in fact I think it was quite good and will help many people understand some of the more abstract security priciples. I just thought that some of the finer points were being discussed by people who already had an idea of what you were speaking about. That said I will gently implore you to examine your "Trusted" operating systems a little deeper, I think you will find they are in fact UNIX. In my mind, an OS belongs to the family where its source code orginates. Now the truth is that the the code between the major branches has been swapped llike spit from horny teenagers but I think its fair to go with where the majority of the source code orginates, eg. If you use the AT&T code (owned by SCO now) and are being sued/and or having your license pulled by SCO :), you are in fact a true UNIX (Solaris,AIX,IRIX,Xenix,HP-UX,etc), by the same token if you use BSD code(*This was once alot of AT&T code but was almost completely rewritten) you are a BSD (FreeBSD,OpenBSD,NetBSD,FlavoroftheWeekBSD), if your OS consists mainly of Linus Torvalds an Co.'s code, you are in fact a Linux (Debian,Gentoo,RedHat,SuSE) OS X is in interesiting one because it is MACH as well as BSD, but this actually makes sense in light of the fact that the MACH kernel is a true microkernel and is OS neutral and that this was actually used in developing the MACH, by running BSD as a process of the MACH kernel. This was of course hideously slow due to message passing but as time went by this has been solved (mostly) in various ways. and OS X is the product of this old family reunion. Now, in my view if you are running a kernel/OS based on one of these source trees, altering the code to change the memory manager or improve the security model of it, does not suddenly make an apple an orange (like say turning IRIX into Trusted IRIX, Xenix into Trusted Xenix,or Linux into SELinux) Yes, you may have added/altered 3,000 lines of your 100,000 line kernel. You did not just invent a new OS. If you think you did and try to sell it, you will probably find yourself in court if you are not already there with SCO (see above. :))


-Maestr0


Design and implementation of Secure Xenix (http://portal.acm.org/citation.cfm?id=22861) "This research paper describes the modifications made to Xenix to provide a more secure operating system."
Trusted IRIX/B EPL (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-001.html) "Trusted IRIX/B is a security-enhanced version of IRIX 4.0"
Trusted Solaris 8 (http://wwws.sun.com/software/solaris/trustedsolaris/ds-ts8/index.html) "Based on the leading UNIX[r] operating environment"

That is why they pay SCO. :)

Shit, that's what I forgot too do today: Send SCO my money for using Linux. Ah well.

PS. Gore, VMS is really boring and un-exciting looking like the OS/400. But if you have to know..... :)




-Maestr0

Dude, you have access to it? It seems too have almost the same commands as this OS I was messing with last year. I can't think of what it was though. All I had was a shell account.

If I could get DOS 360, man,... Well I wouldn't be able to use it, it won't run on a PC, but I'd love too try. Thanks for the shot.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post797508) by catch
Recent threads about Windows and UN*X/Linux security have really crystallized something for me... very few people have any idea what exactly constitutes an operating system's security. Needless to say, this situation demands a tutorial. ;)

Why assume very few people have any idea what exactly constitutes an operating systems security? The term "security"is used to refer to all aspects of protecting a computer system from all hazards, e.g physical damage, loss and/ or corruption of data, loss of confidentiality, etc. Integrity is used in a similar context to refer specifically to maintaining the correctness of the data stored. Security pervades all aspects of computing, fom hardware design to system analysis and programming.

Hehehehehehe, that's the joy of it. You can have that thing patched and firewalled to shit, but it won't stop me from walking in with my outfit on that allows me access just about anywhere, and shoving in a BSDeviant, or Slackware bootable CD, opening parted, and either copying all the partitions so I can read them later, or, getting pissed that they won't copy, and just deleting them all.

A lot of companies here think removing the CD-Drive and the Floppy will stop this. RIGHT lol. Then I pop something in the USB drive and use ZIP Slack, or if all of that was thought of, I can pop the case off, grab the RAM, HDs, and fans, and if it's a good processor that too... Hell, I'll pop a couple rocks inside the case so the weight is similar, and gut the thing and take it with me. Not that I ever do that, but if I got hired as a consultent I would.

I have actually walked around a Hospital's IT area, and gotten all over. I never stole anything or tried looking at things. I just wanted too see if I could. Social Engineering over the phone is very easy, but it's a real challenge when they look right at you. And the best part is, if you think they are on to you, you can buy spray cans on the internet that you can use on your Truck's plates, that will make then not show up on camera.

The fact that I'm 6'1 280 pounds and have a mohawk, you'd think it would make it hard, it doesn't. I remember like a year ago, I was walking around this Hospital, and walked through the X-Ray department, and I had access to all the machines that were left logged on...Running Windows.

copy C:WINDOWS/*.PWL A:

Yea, needless to say if I ever get broke I'll just tell the guy who runs that place I need a job.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post798229) by gore
I have actually walked around a Hospital's IT area, and gotten all over. I never stole anything or tried looking at things.
Assume that was during the six months you spent in the physciatric unit pretending to be a patient. I do not know how many times you've been told about this. Please stop it, you are going to get arrested someday and end up in jail, and they might not have computers there :D

They have computers in jail. In my county, all the workstations are running NT4 (as of December). They don't like you touching them unless you work there tho...


Alright... Catch, I like the tutorial. You are one of the few people who doesn't just go off on system services and firewalls. Damn good job.


I'm going to agree with you on the patch issue for the most part. I just want some clarification on one aspect.

Linux is a gray area, do you consider anything coming from kernel.org to be Linux, and patches from other sources to be "Linux-like"?

If so, what is your exact classification of UNIX? I know this has been touched upon, but I want a clear and concise definition on what constitutes the UNIX operating system, as you define it/them.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post798109) by catch
Yes we can dance around what an exact definition of Linux is... the system Torvalds invented did not have the functionality of which you speak.
It didn't support USB, Firewire, or as far as I can recall, PS2, does that somehow make linux today no longer linux? Of course not. Why are you further detracting from the point by talking about history when the discussion is about NOW?

If you say that root can be removed from the security policy and your average person reading this gose out and gets any of the major flavors of Linux, will they be able to do that? Of course not...
No, you're right, they might have to LEARN. Again you are detracting from your very own point about security being an abstract. What can the operating system be MADE to do, not what can it do out of the box? The important point I have brought up is that Linux can be MADE to use the ACL and permissions systems of Trusted operating systems.

Linux being open source can be completely modified... so what then is the functional definition of Linux? I used the one I'd heard most frequently (the kernel as provided by kernel.org), you disagree with this, and I recognized your points as valid exceptions... I still contented that systems like SE Linux are the exception to Linux and not the rule, and therefore constitute individual systems and not Linux as a whole.
See, now you're defeating your own argument because your original point (which I agree with in spirit, if not in your implementation of) was about how secure an operating system can be MADE, not what its capabilities out of the box are. In that sense, with enough time and investment Linux could adhere to every DoD accepted security standard out there, because the source is freely available. Think of linux as more of the modeller's clay, rather than the pottery that is the end result, and maybe my point of view will come across clearer.
As far as I see it, Linux can be made to suit your needs, and a lot of distributors have gone out of their way to do so. If you are looking for "trusted"-style ACLs/permissions schemas, look to SELinux. You cannot define Linux as explicitly as you like since it is easily and readily changed, thus I would put forth that the security models of its various distributions might have to be tested individually and disparate from the "official" kernel from kernel.org.

No, it isn't productive, nor is it the path I wanted this to take. It was supposed to be an abtract about quantifying operating system security... not comparing and complaining about specific definitions of operating systems.
Then why argue non-abstract ideas in an abstract context? Presenting some to reinforce a point is a good idea, however if you are incorrect the original idea can be lost in the ensuing discussion of where and why you were incorrect in your initial statements.

(replying for/from catch)

chsh, by that argument anything could be anything.

With enough investment, you could turn anything into anything else. Does this really contribute to the conversation at hand? It seems to be more in the spirit of arguing and less in the spirit of a conversation about OS security.

The topic of when does Linux cease to be Linux should eb discussed elsewhere and would make a good conversation. This thread is not about the technical intricies of the Linux OS. Linux was used as a sample that members would be familiar with. To this end catch used what he believed to be the most commonly known and accepted definition of Linux. What is more, it is his belief that the changes Linux requires to add such capabilities make the whole subject a very gray area and that these systems, most of which are not considered to be commercial level products must be considered seperately from traditional Linux.

As said above, anything can be made into anything with enough resources. You can add mandatory access controls to Windows 95 if you really wanted to, the fact that it is closed source makes no difference. There are even patches to add mandatory access controls to Windows 2000, should this be part of Windows 2000's working definition? With enough time and effort you could turn "Hello World" into an A1 OS, but is that really useful to keep on the table when discussing OS security?

If the most you have to contribute is nitpicking over the desire for catch to have used far more nebulous definitions, and the inclusing of every obscure research project ever into those definitions, please just stop. It does no one any favors.

Peace.

int main()
{

cout << "Hello World" << Hello << end1;


return 0;
}

This is the start of my AI highly secured OS, and I'm going to Open Source it. Catch, you can have it ready for me in 2 weeks right? I mean I already started it, you just have to finish it up for me ;) Heh, just woke up.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=262757#post798655) by catch
chsh, by that argument anything could be anything.
My argument means no such thing. I said that Linux is versatile and modular and people have already done the work required, and that it EASES the ability to continue to expand on its capabilities. Thank you for detracting from it FURTHER by continuing to ignore the actual points and instead doing exactly what you are accusing me of.

With enough investment, you could turn anything into anything else. Does this really contribute to the conversation at hand? It seems to be more in the spirit of arguing and less in the spirit of a conversation about OS security.
Even assuming I had said something which I didn't (as you seem to believe), the fact remains that security is entirely about taking one thing and, using available tools, turning it into another.

Linux was used as a sample that members would be familiar with. To this end catch used what he believed to be the most commonly known and accepted definition of Linux. What is more, it is his belief that the changes Linux requires to add such capabilities make the whole subject a very gray area and that these systems, most of which are not considered to be commercial level products must be considered seperately from traditional Linux.
You mean changes that are actually present in "shipping official kernels" are somehow not considered linux, even though that is what he earlier stated?

As said above, anything can be made into anything with enough resources. You can add mandatory access controls to Windows 95 if you really wanted to, the fact that it is closed source makes no difference. There are even patches to add mandatory access controls to Windows 2000, should this be part of Windows 2000's working definition? With enough time and effort you could turn "Hello World" into an A1 OS, but is that really useful to keep on the table when discussing OS security?
If it was included in Windows 2000 SP3 or something along those lines it would. Catch's argument (and yours, whomever you may be, and whyever you feel the need to discuss in his stead) is extremely flawed because the work is already done. If it was something that "someone could write" I'm inclined to agree, but again I must reiterate it was catch who broached the topic of "abstract" security -- that it taking a box and making it as secure as possible, default configurations ignored. I don't see what's so hard about saying "I didn't know the SELinux mandatory ACL stuff had been contributed to kernel.org" and just being done with it, which is really what it boils down to in this instance.

If the most you have to contribute is nitpicking over the desire for catch to have used far more nebulous definitions, and the inclusing of every obscure research project ever into those definitions, please just stop. It does no one any favors.
You say nebulous, I say "correct". Scary word, yes, however I don't think it's too much to ask to do a bit of research before posting a tutorial like this and proceeding to litter it with incorrect examples that are apparently based on assumption and lack of research. This isn't really a flame, and I encourage you to re-read the history of this thread and make a genuine effort to come to an understanding of what I'm saying.

It was brought to my attention earlier that catch had been linked several bits of relevant information from another member who refrained from participating in this thread, and catch seems to have summarily dismissed it or felt it better to simply act ignorant. I guess he really wasn't that interested in constructive discussion, and was more just up for a good trolling. Oh well, he hasn't changed a bit I see.