Firewall Wizards mailing list archives

Re: Trusted Unices Aren't?


From: Gordon Greene <Gordon.Greene () netsec net>
Date: Thu, 29 Oct 1998 10:42:23 -0500

VMS started its life in the mid '70s, well before the Orange Book, so it's
unlikely the role of MLS was well understood by VMS developers. They put a
heap of effort into trying to do an A1 VMS about 10 years later, but the
effort died from escalating costs and evaluation requirements, combined
with anticipated problems with export approval (there's a lesson here).

MLS doesn't seem to be well understood by many developers even now.  Just
because VMS didn't start out as an MLS system doesn't mean it couldn't be
adjusted.  Look at Argus.  They make an add-on to Solaris (called Pitbull)
which makes it MLS.

Admittedly, A1 is a big job, and the only A1 box I've heard of was from
Wang, called the SCOMP.  Actually, Wang Federal was called Honeywell at
that point.  Or something like that.


It's my impression, from both experience and observation, that it's a pain
to get something evaluated no matter how carefully you engineer the system
for evaluation.

It seems like as tough as it is to get the OS evaluated, you have to go
through at least as much to get a system that incorporates it through
accreditation.


I'd anticipate a very serious case of software rot, brought on by changes
in available hardware and I/O devices. It's a real pain to keep a custom OS
up to date and compatible with evolving combinations of off the shelf
hardware. I remember Trusted Xenix was reputed to be "slow" several years
ago, but given modern processor speeds and the state of competing
bloatware, it would probably run fast in comparison, if it can be gotten to
run at all.

This is the perennial problem of MLS systems, though.  There is always a
cost in performance and convenience.  And it gets worse, the higher up the
evaluation scale you go.  Up around B3 it gets hard to accomplish anything.
Sure, no one can cause any mischief, but no one can do anything useful
either.  Imagine having to do formal proofs of such a thing.  Just sitting
down in front of the box should give a good feel of how restricted a user is.


I was mildly surprised that TIS never used it to field some sort of
firewall in the mid '90s. (cue to Marcus for Orange Book flame :-> ).

Actually, having done some firewall stuff on MLS systems, I was kind of
surprised, too.  At the time I noticed that it existed, I was informed (by
a not very reliable source) that it was extinct.  Don't believe everything
you hear!



