RE: Trusted Unices Aren't?

["Gregory Perry" <Gregory.Perry () netsec net>]

SCO CMW is hardly secure.  Because of design flaws from the early days of MLS technology, many of the bugs included in 
the traditional variant OS is replicated on the MLS platform.  There are many examples of this on most MLS platforms;  
for example SoftWindows for Trusted Solaris _completely_ breaks the "trusted network" subset of TS 2.5.  SCO CMW is no 
different.

--greg


> -----Original Message-----
> From: owner-firewall-wizards () nfr net
> [mailto:owner-firewall-wizards () nfr net]On Behalf Of Jeremy Epstein
> Sent: Monday, October 19, 1998 10:29 AM
> To: firewall-wizards () nfr net; firewall-wizards-digest () nfr net
> Cc: ark () eltex ru
> Subject: Re: Trusted Unices Aren't?
>
>
> At 08:12 AM 10/19/98 -0500, ark () eltex ru wrote:
> > /* 
> > First, an "offtopic killer": somebody from SCO suggested using TIS fwtk
> > under SCO CMW+ as very secure firewall solution (fwtk-users () tis com ml)
> > */
> >
> > It seems that nearly nobody noticed that one of latest vendor-initiated 
> > bulletin for CERT (mscreen) listed SCO CMW+, a-claimed-to-be-close-to-B2
> > upgrade for SCO Unix, in the list of vulnerable systems. Said to be
> > possible root compromise.
>
> SCO CMW+ isn't anywhere close to B2.  At the absolute very best, it's in
> the neighborhood of B1.  And that's impossible to know for sure, since at
> this point all we have is vendor claims and no evaluation.  An earlier
> guise of CMW+ was evaluated B1 in the late 80s or early 90s 
> (don't remember
> exactly) on an Apple Mac II, but today's SCO CMW+ is hardly the 
> same system
> as that was.
>
> And even if it were B1 or B2, you'd have to know how it was evaluated
> (e.g., with what daemons, what hardware) to determine whether the 
> evaluated
> product is vulnerable.
>
> Not to doubt that CMW+ is vulnerable (as you say), just that saying B1 or
> B2 in the same sentence as CMW+ is like saying "Clinton" and "faithful" in
> the same sentence :-)
>
> > How can this happen? How can "a serial multiscreen utility", a program
> > that should have nothing like root privileges on an MLS system, be
> > vulnerable _that way_?
>
> Just because something is evaluated (which, again, CMW+ is not) doesn't
> mean it's bug free.  Especially lower assurance systems (B1 and below) are
> very large and complex, and undoubtedly have security flaws.  All the
> evaluation means is that it was looked at closely, not that it's perfect.
>
> > Does that just mean that at least _some_ "hardened unix" vendors just
> > allow generic "suid root" programs running in this environment, thus
> completely trashing the whole MLS model?
>
> B1 and below do not require breaking up root.  B2 and above do.  It really
> has nothing to do with the MLS model.  I believe that CMW+ *does* break up
> root, but I'm not sure of that.  It may also be a configuration option.
>
> > Does that mean that you need, say, VMS, if you need _real_ multilevel
> > security?
>
> There are some trusted UNIX systems that are better than others.  If VMS
> underwent the same degree of scrutiny and attack that UNIX does, I'm sure
> we'd find an equivalent number of bugs.  It's a large complex system...
>
> ---------------------------------+-------------------------------------
> | Jeremy Epstein                 |  E-mail: jepstein () tis com          |
> | TIS Labs at Network Associates |  Voice:  +1 (703) 356-4938         |
> | Northern Virginia Office       |  Fax:    +1 (703) 821-8426         |
> ---------------------------------+-------------------------------------