Commack, NY Green Hills Software announced today that its Integrity-178B operating system has achieved EAL6+ certification, the highest level of proven security for any OS to date, and that it would be launching a new company, Integrity Global Security, LLC, a wholly owned subsidiary, to market the OS to the enterprise.
The certification was awarded by the National Information Assurance Partnership (NIAP), a U.S. government initiative operated by the National Security Agency (NSA), to Common Criteria Evaluation Assurance Level (EAL) 6+, High Robustness. This protects against well-funded, sophisticated, hostile attackers. To date, the highest certification awarded to any OS has been EAL4, which is a little more than basic protection against inadvertent or casual attacks.
"EAL 4 means essentially you've documented the system, but no-one has looked at your source code and has not undergone any attempts to break into it," said Dan O'Dowd, founder and chief executive officer of Green Hills Software. "But when you go to EAL6+, it requires formal mathematical proof that the system is secure." In this case, the government hired,"a bunch of Ph.Ds" to write formal proofs and evaluate the code and check code for correctness. "This is the first time anyone has proven that an operating system is secure," he said.
The implications for the military and government are many. Today, various levels of security are achieved using multiple computers on a desk -- one for regular Internet access and others for security levels ranging from confidential to top secret. This results in up to four systems on a single desk, causing system cost, IT support costs, power consumption and desk space issues. Similarly, humvees in the field need multiple systems.
"The NSA [National Security Agency] asked us four years ago to solve that problem, they said, 'this is killing ushow can we put them all on one computer? What standard do you have to meet in order to be able to do that?'". According to O'Dowd, that's where SKPP, shorthand for Separation Kernel Protection Profile, came from, and that's the standard to which GHS reached EAL6+. While there are seven levels, O'Dowd said that the government felt level six was sufficient.
According to O'Dowd, it would take at least four years for OSes such as Windows, Linux, Solaris or VxWorks to catch up. "None of these have even begun the process," he said. Integrity was designed from the ground up to be secure and incorporates many features these OSes do not.
"Security is always about not making mistakes," said O'Dowd. "The people who designed Windows, Linux or VxWorks didn't know anything about security when they wrote it. It was big huge and complicated with thousands of bugs in it before they decided they wanted to use it for security."
Security depends a great deal on minimizing the number of lines of code running in the security kernel and that are thus susceptible to an attack, and testing fully the remaining lines. According to O'Dowd, both Linux and Windows have millions of lines that are susceptible, while VxWorks has 100,000 lines. "In Integrity it's about 10,000," he said, and GHS hired mathematicians to fully test each line.
Figuring out how to avoid running drivers in the security kernel is only part of the story, other aspects include guaranteeing response time in user mode, not granting full privileges to new processes and not letting new processes rank their own priority or get access to full system resources.
While Windows and other OSes may not be EAL6+ certified, they can run on top of Integrity using the OSes binary virtualization layer.
New company launch
Given GHS's history in embedded applications, the company decided it was best to launch Integrity Global Security LLC as a wholly owned subsidiary to market the operating system to the enterprise to protect government and corporate cyber assets. David Chandler, GHS's senior vice president of sales will take the helm of the new company as chief executive officer. A key member of the company's advisory board is General Gene Habiger (retired), a 35-year veteran who, among other roles, served as commander in chief of all nuclear forces' command and control.
Habiger acquired a healthy skepticism of so-called secure systems when he was told that the SatCom system had a back door that could've potentially compromised email traffic. However, he said he was honored to be part of the Integrity Global Services team. "I've been very selective with putting my name with any initiative," but that the new company was something he was particularly excited about. Habiger has had ties to many government initiatives since his retirement, having been asked by Gov. Richardson himself to serve as 'security czar' for nuclear and cyber attacks.