Dailydave mailing list archives

Re: mqsvc fun


From: robert () dyadsecurity com
Date: Tue, 12 Apr 2005 14:31:51 -0700

Dave Aitel(dave () immunitysec com)@Tue, Apr 12, 2005 at 03:35:45PM -0400:
> Once you accept that 0day exists, you need to look into
> secondary layers of defense that actually work. Whining about the
> amount of exploit information available to the public is missing the
> point.

Secondary layers of defense that actually work? Surely you jest :)

"The systems to which security enforcement mechanisms have been added,
rather than built-in as fundamental design objectives, are not readily
amenable to extensive analysis since they lack the requisite conceptual
simplicity of a security kernel.  This is because their TCB extends to
cover much of the entire system.  Hence, their degree of trustworthiness
can best be ascertained only by obtaining test results.  Since no test
procedure for something as complex as a computer system can be truly
exhaustive, there is always the possibility that a subsequent
penetration attempt could succeed.  It is for this reason that such
systems must fall into the lower evaluation classes."

"Layers of Defense" doesn't seem appropriate in a discussion about
choosing technology that can provide the security mechanisms and
assurances you require to process sensitive information.  This is the
mindset that needs to be changed in the industry if we're going to start
providing valid products or services.  Right now the "security industry"
is selling cough medicine as a treatment for cancer.

Simply stated, Windows is performing at the disclosed security level.

First some quick terminology:
TOE - The principal inputs to a CC evaluation are the Security Target,
the set of evidence documentation about the product under evaluation,
and the product itself (referred to as the Target of Evaluation or TOE).

ST - The Security Target (ST) is the basis for the agreement between the
product vendor, evaluators and certification agencies as to what
security functionality the product (TOE) offers and the scope of the
evaluation. The Security Target identifies, and refines as appropriate,
a set of CC IT security and assurance requirements. It provides a
definition of the TOE security functions claimed to meet the functional
requirements and the assurance measures taken to meet the assurance
requirements. The ST also addresses the organizational security policies
with which the TOE must comply and the security aspects for the
environment in which the TOE will be used.

CAPP - Controlled Access Protection Profile -
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf

=-=-=-=-=-=-=-=-=-=-=

Windows 2000 ST document:
http://www.commoncriteriaportal.org/public/files/epfiles/CCEVS_VID402-ST.pdf

The ST and TOE for this are consistent with CAPP.

The Strength of Environment statement is:
The evaluation of Windows 2000 provides a moderate level of
independently assured security in a conventional TOE and is suitable for
the environment specification in this ST. The assurance requirements and
the minimum strength of function were chosen to be consistent with this
goal and to be compliant with the Controlled Access Protection Profile
(CAPP). The TOE assurance level is Evaluation Assurance Level (EAL) 4
augmented with ALC_FLR.3 and the TOE minimum strength of function is
SOF-medium.

Commentary:
CAPP is a low bar to shoot for.  It offers minimal security mechanisms. 
If you are processing sensitive information, it is advisable to choose a
product that has a greater ability to protect your information.

=-=-=-=-=-=-=-=-=-=-=

Mac OSX:
http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID4012-ST.pdf

Strength of Environment:
Mac OS X provides a moderate level of independently assured security in
a conventional TOE and is suitable for a cooperative non-hostile
environment. The assurance requirements and the minimum strength of
function were chosen to be consistent with this goal and to be compliant
with the Controlled Access Protection Profile (CAPP). The TOE assurance
level is Evaluation Assurance Level (EAL) 3 and the TOE minimum strength
of function is SOF-medium.

Commentary:
I like this Strength of Environment statement.  It is honest and
consistent with the CAPP goals they were shooting for.  OSX and Windows
are essentially providing an equivalent level of security mechanisms as
prescribed by the CAPP protection profile.

=-=-=-=-=-=-=-=-=-=-=

Trusted Solaris 8
http://www.commoncriteriaportal.org/public/files/epfiles/TSolaris8_Issue3.1.pdf

The Trusted Solaris protection profiles include:
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf
http://www.commoncriteriaportal.org/public/files/ppfiles/lspp.pdf
http://www.commoncriteriaportal.org/public/files/ppfiles/RBAC_987.pdf

Intended Use:
Trusted Solaris 8 4/01 is intended for use in organisations who need to
safeguard sensitive information (e.g., organisations concerned with
processing commercially sensitive or classified information) and who
require security features unavailable in standard commercial operating
environments.

Commentary:
If you have sensitive information, it would be wise to choose technology
that was designed to be able to protect it.

Robert

-- 
Robert E. Lee
CEO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

