> From: Yiorgos Adamopoulos <Y .
> Date: Thu, 24 Jul 1997 15:32:01 +0300 (EET DST)
> > Could you please explain why a C2 certification on NT requires not
> > having a floppy.
> > If the logic dictating is one of "Well there are too many ways to
> > read the data off the NTFS hard drive if booting from a floppy..", how
> > about a system that is capable of booting from the CD-ROM? I know a
> > great many folks who 'burn their own' on Kodak disks.
> It is my understanding that the evaluation is *not* on the OS only. The
> evaluation procedure includes the whole system (HW + SW). I suppose that C2
> U*X like systems do not boot from anything else than the hard disk...
> Those of you who have participated in C2 evaluations, please clarify.

Yes and no. For both the TCSEC and the ITSEC, an OS evaluation requires
looking at both the HW and the software. For example, if you can contact
the disk controller during the boot sequence and give it some commands
from the keyboard, then your OS security might be meaningless. If cutting
down the memory causes more swapping, and the swapping code can fail when
stressed, then the amount of memory may be security relevant. There are
many things like this relating to HW that have to be considered as part
of the evaluation, so the HW/OS combination is what is evaluated.

BTW, there has been a lot of talk for many years about a "configuration
independent" evaluation, where the vendor's evaluation documentation
analyzes the effect of various platforms and configurations and then
gives a list of many optional configurations. For example, it may be
possible to have a list of processors, memory sizes, disk controllers,
network cards, hard disks (size and manufacturers), video cards, etc.
and the vendor could claim that any combination is OK. This idea has
been approved by the U.K. ITSEC group, but we haven't done it yet. I
don't know of anyone else who has done it yet either.

UNIX isn't exempt from this at all -- this is really a HW/BIOS type
issue. Any UNIX box going through evaluation is going to have to
address the booting issue, and all have done so to my knowledge. I
know of only 3 x86 UNIX evaluations in the US, and all 3 had floppy
drive restrictions or hardware to limit booting from anything other
than the standard device, partition, and file. If you take a SCO,
Linux, or any other UNIX system running on x86, you can boot the
machine off of most old DOS disks. Then you could use DEBUG to poke
around on the hard drive and make changes to the Linux binaries, etc.

The fact that NT can't have a network card is more damning. Is it
that there can't be a card in the machine or just that networking
can't be enabled? There was a Unix box that got a B1 rating but it
could not have networking enabled, and only processes from a single
user could run at a time (multitasking but not multiuser). This
applied to cron jobs as well -- they couldn't run if another user's
process existed. It all goes to show you that just because something
is evaluated, it doesn't mean it is necessarily useful. If you are
willing to cut enough functionality out of a program or OS, you can
get almost anything evaluated to almost any level.

Paul McNabb
Vice President and CTO
Argus Systems Group, Inc.
1809 Woodfield Drive
Savoy, IL 61874 USA
FAX 217-355-1433
"Securing the Future"