Security achievement at Green Hills
In terms of security, the big news Green Hills Software keeps talking about at its Technology Summit 2008 in Santa Barbara, Calif., is achieving Common Criteria Evaluation Assurance Level (EAL)6 + certification by the National Information Assurance Partnership (NIAP), a U.S. government initiative operated by the National Security Agency (NSA).
The system, which gained the certification in November, is the Integrity -178B operating system.
EAL6+ High Robustness operating system can protect classified information and other high value resources at risk of attack from hostile and well-funded attackers. This is secure by anyone’s definition.
The next level protection below EAL 6+ protects against “inadvertent or casual attempts to breach the system security.”
“Hackers are learning about the vulnerabilities every day,” said Dan O’Dowd, founder and chief executive at Green Hills Software at the company’s Technology Summit 2008 in Santa Barbara, Calif. “That is the bad news. The good news is it is now easy to determine if a computer system is secure.”
Common Criteria states that “EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.” INTEGRITY was designed for EAL7 – the highest level of security – and thus was able to meet the NSA’s High Robustness requirements.
INTEGRITY-178B was certified against the Common Criteria’s Separation Kernel Protection Profile (SKPP), requires security services and mechanisms to provide the most stringent protection and rigorous security countermeasures.
The gap between EAL4+-certified products and SKPP-certified products is quite large. While EAL4+ does not require examination of the product source code, SKPP requirements include the use of formal methods to mathematically prove the security policies, formal specifications, formal correspondence between design and implementation, complete test coverage of all functional requirements, and penetration testing by the NSA, which has complete access to the source code.
The system, which gained the certification in November, is the Integrity -178B operating system.
EAL6+ High Robustness operating system can protect classified information and other high value resources at risk of attack from hostile and well-funded attackers. This is secure by anyone’s definition.
The next level protection below EAL 6+ protects against “inadvertent or casual attempts to breach the system security.”
“Hackers are learning about the vulnerabilities every day,” said Dan O’Dowd, founder and chief executive at Green Hills Software at the company’s Technology Summit 2008 in Santa Barbara, Calif. “That is the bad news. The good news is it is now easy to determine if a computer system is secure.”
Common Criteria states that “EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line.” INTEGRITY was designed for EAL7 – the highest level of security – and thus was able to meet the NSA’s High Robustness requirements.
INTEGRITY-178B was certified against the Common Criteria’s Separation Kernel Protection Profile (SKPP), requires security services and mechanisms to provide the most stringent protection and rigorous security countermeasures.
The gap between EAL4+-certified products and SKPP-certified products is quite large. While EAL4+ does not require examination of the product source code, SKPP requirements include the use of formal methods to mathematically prove the security policies, formal specifications, formal correspondence between design and implementation, complete test coverage of all functional requirements, and penetration testing by the NSA, which has complete access to the source code.
posted by ISA at 2:02 PM
<< Home