Firewall Wizards mailing list archives
Re: Trusted Unices Aren't?
From: Jeremy Epstein <jepstein () tis com>
Date: Mon, 19 Oct 1998 10:29:27 -0400
At 08:12 AM 10/19/98 -0500, ark () eltex ru wrote:
/* First, an "offtopic killer": somebody from SCO suggested using TIS fwtk under SCO CMW+ as a very secure firewall solution (fwtk-users () tis com ml) */
It seems that nearly nobody noticed that one of the latest vendor-initiated bulletins for CERT (mscreen) listed SCO CMW+, a claimed-to-be-close-to-B2 upgrade for SCO Unix, in the list of vulnerable systems. Said to be a possible root compromise.
SCO CMW+ isn't anywhere close to B2. At the absolute very best, it's in the neighborhood of B1. And that's impossible to know for sure, since at this point all we have is vendor claims and no evaluation. An earlier guise of CMW+ was evaluated B1 in the late 80s or early 90s (don't remember exactly) on an Apple Mac II, but today's SCO CMW+ is hardly the same system as that was. And even if it were B1 or B2, you'd have to know how it was evaluated (e.g., with what daemons, what hardware) to determine whether the evaluated product is vulnerable. Not to doubt that CMW+ is vulnerable (as you say), just that saying B1 or B2 in the same sentence as CMW+ is like saying "Clinton" and "faithful" in the same sentence :-)
How can this happen? How can "a serial multiscreen utility", a program that should have nothing like root privileges on an MLS system, be vulnerable _that way_?
Just because something is evaluated (which, again, CMW+ is not) doesn't mean it's bug free. Especially lower assurance systems (B1 and below) are very large and complex, and undoubtedly have security flaws. All the evaluation means is that it was looked at closely, not that it's perfect.
Does that just mean that at least _some_ "hardened unix" vendors just allow generic "suid root" programs running in this environment, thus completely trashing the whole MLS model?
B1 and below do not require breaking up root. B2 and above do. It really has nothing to do with the MLS model. I believe that CMW+ *does* break up root, but I'm not sure of that. It may also be a configuration option.
Does that mean that you need, say, VMS, if you need _real_ multilevel security?
There are some trusted UNIX systems that are better than others. If VMS underwent the same degree of scrutiny and attack that UNIX does, I'm sure we'd find an equivalent number of bugs. It's a large complex system...
---------------------------------+-------------------------------------
| Jeremy Epstein                 | E-mail: jepstein () tis com        |
| TIS Labs at Network Associates | Voice: +1 (703) 356-4938           |
| Northern Virginia Office       | Fax: +1 (703) 821-8426             |
---------------------------------+-------------------------------------