NSA attempting to design crack-proof computer

[InfoSec News <isn () C4I ORG>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2681205,00.html

By Robert Lemos
ZDNet News
February 1, 2001 11:57 AM PT


Software emulation firm VMware announced it has teamed up with
researchers at the National Security Agency to create a nearly
crack-proof computer that can place sensitive data in virtual vaults
inside the PC.

The concept, assuming it works, would streamline the methods
intelligence agencies use to manage data. At present, the NSA--the
military surveillance arm of the United States intelligence
community--physically separates networks carrying data of a particular
classification. For example, top-secret data might be kept on a
different computer than data classified merely as sensitive material.
Sometimes, in order for a worker to have access to the information
they need, up to six different computers can be on a single desk.

That type of security is called--in typical intelligence community
jargon--an "air gap." It works, but its days could be numbered, said
Ed Bugnion, founder and manager of research and development for Palo
Alto, Calif.-based VMware.

"I believe we have a solution out there that provides security
comparable to having multiple computers," he said.

Called "NetTop," VMware's answer would turn each computer into a
number of virtual PCs running on a Linux computer that would sit on
each worker's desk. The security system would erect supposedly
impenetrable, but virtual, walls between public data and more
sensitive information on the same computer.

If successful, the project could mean huge cost savings and
convenience for the NSA and other security-conscious government
agencies by eliminating one or more computers--and a variety of
network components--cluttering desktops at the agency.

Saving money through software

Paul Pittelli, director of information assurance research at the NSA,
said the move is part of the agency's new emphasis on saving money
through the use of commercial software.

"Users in the national security community have an increasing need for
commercial off-the-shelf software," he said in a statement. "We
currently require them to use different computers for different
applications." That, Pittelli said, will stop if efforts like NetTop
succeed.

VMware's plan is to use an offshoot of the company's current virtual
machine technology that allows Linux users to install and run Windows
or any other PC-based operating system on top of Linux.

The reason the company believes it can succeed is because it doesn't
emulate the software but the hardware underneath.

"Java needs a proprietary environment to run," said VMware's Bugnion.
"We can run arbitrary operating systems within the PC." Last year, the
company also released a version of its software that runs on Windows
NT and 2000, enabling users to run Linux (or any other operating
system) in a virtual machine on top of Windows.

Makes sense

NetTop will run on top of a more secure distribution of Linux that the
NSA has developed and an initial version of which it released in
December 2000.

While nothing is certain in security, University of New Haven's
Professor of Digital Forensics Investigation Fred Cohen said VMware's
idea seems to be a good one.

"It makes sense," he said, adding that "the current VMware technology
is not up to a level of assurance necessary for this."

To make Linux secure, Cohen said, better handling of various access
levels--essentially, the ability to classify data for various secrecy
ratings--needs to be added.

But Cohen agreed the decision to run the VMware technology on top of
Linux, not Windows, is key to a government agency like the NSA.

In a nod to the open-source community, he said that--for the NSA's
purposes--seeing the source code and testing its security is extremely
important. "You wouldn't want to do it on Windows NT, because you know
nothing about what is going on inside NT," he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".