Linux wants to earn your trust

Trusted Computer Solutions (TCS) Inc. officials are developing Trusted Linux, a highly secure version of Linux that will rival Unix in environments in which security is the highest priority. The operating system will provide a platform for TCS applications.

Defense and intelligence agencies, banks and other financial firms, which all insist on tight security, are the company's main customers, said Ed Hammersla, TCS' chief operating officer.

The concept of trusted computer systems started in the Defense Department during the 1980s. The term refers to systems that have met particular specifications and certifications. Some evaluation criteria that DOD officials established have since been eclipsed by the Common Criteria Evaluation and Validation Scheme, an international set of security standards for technology products, but much of the original work and the concept itself remain vital.

TCS officials expect Trusted Linux to be certified under Common Criteria at Evaluation Assurance Level 4, Hammersla said. The EAL scale runs from 1 to 7, and 7 is the highest score.

TCS officials plan to begin beta testing Trusted Linux this fall, Hammersla said. The operating system will form the foundation of a trusted computing base, a system of software, hardware and firmware that enforces a unified security policy.

"This is a huge improvement over manual and unaudited methods of sharing information or, [in the] worst case, not sharing information at all," he said.

The only other commercially available trusted operating system is Sun Microsystems Inc.'s Solaris version of Unix, he said. "That dictates, then, that if someone wants to use our [trusted] applications, they can only do so if they're on the Sun platform," Hammersla said.

TCS customers began asking for a Linux alternative about two years ago, he said. After TCS officials determined that other Linux distributors were not likely to produce a trusted version, they decided to tackle the job.

To ensure that the system qualifies as trusted, TCS officials sought input from the relevant accrediting bodies early in the development process, Hammersla said.

"We have taken the time and the care to go talk to the various accrediting bodies, to let them know what we're doing and to verify their requirements," he said. "Although I wouldn't say government agencies have had an active role in the actual development, they've been participatory in their desire" for a trusted operating system.

The company based the system on a version of Linux, called SELinux, which National Security Agency officials had already developed, he said. TCS' development team has been enhancing SELinux to make it meet Common Criteria EAL 4 requirements.

Once the operating system is available, it will take a place alongside other versions, such as Red Hat Inc. Linux and SuSE Inc. Linux, as a retail product, he said. "Whether we do that directly or through partners is to be determined," he added.

Tony Stanco, associate director of the Cyber Security Policy Research Institute at the George Washington University, said that the operating system is both the first line of defense against malicious code or hackers and also the source of most vulnerabilities.

Companies are "all trying to get a more secure system around what they're trying to do," he said. "The operating system is one of the big vulnerabilities [on] the whole. It's like the first level. Once you get that secure, where people can't compromise that, you can build some secure applications on top of that."

Trojan horse programs and viruses usually can't penetrate trusted systems, Stanco said. When they do, they usually are not able to affect software, rendering them impotent.

Linux is generally considered more secure than Microsoft Corp.'s Windows operating system, but it still has vulnerabilities, Stanco said.

Retired Army Lt. Gen. Keith Kellogg, who serves as an adviser to TCS, said information sharing is increasingly critical in government, and a trusted Linux system will be an important tool to have.

"The requirement to have secure information, the government knew the importance behind it," said Kellogg, former director of command, control, communications and computers for the chairman of the Joint Chiefs of Staff.

"They put out guidelines and regulations to do it, but so few came to the party that there was always a waiver policy," he said. "One of the reasons [companies] didn't do it was because it costs money. To get yourself certified costs about a million dollars a pop to get just one certification. A lot of corporations didn't see the value proposition. If there was [a] waiver so you didn't need to do it, they didn't see a reason."

Waivers are harder to come by now, and vendors are more likely to be held to the requirements, Kellogg said.

Microsoft officials, however, are not likely to adopt the trusted label, said Quazi Zaman, technology specialist manager for platforms at Microsoft's federal division. They consider the need for trusted systems to be a niche market, he said.

"Microsoft has been focused on solving customer problems," he said. "We have picked up the bigger headaches rather than unique headaches. If it's a unique situation, we will let third-party vendors develop [something]. If we see that it's widespread and they want a trusted version of the OS, then yeah, we will look at it and come out with a trusted version of the OS. But that's speculation. We're not seeing that."

Creating a trusted version means company officials also would have to modify all the applications that run on the operating system to maintain the security continuity, Zaman said.

Microsoft officials have been taking security seriously, however, and are increasing security levels in their products, he said.

To take a familiar example, Windows XP users have to hit the control-alt-delete key combination and enter a password to boot up and log in to their computers, he said. In earlier versions of Windows, "that was an afterthought," he said. "You could work around any password log-on."

***

Ensuring security

The Trusted Linux operating system that Trusted Computer Solutions Inc. officials are developing will be rated at Evaluation Assurance Level (EAL) 4 on the Common Criteria evaluation. EAL 4 is a midlevel rank on a scale of 1 to 7. It means that the developer uses positive security engineering based on good commercial practices, which do not require substantial specialized knowledge. According to National Institute of Standards and Technology officials, "EAL 4 is the highest level at which it is likely to be economically feasible to retrofit an existing product line."

Specifically, EAL 4 includes:

Partial configuration management automation.

Modification detection.

Administrator and user guidance documents.

Well-defined development tools.

Independent vulnerability analysis.
