Green Hills spins off Integrity operating system
Green Hills Software announced this week that it is spinning off a new company to bring its military-grade Integrity operating system to the enterprise market.
Integrity, which sits on top of the processor controlling access to hardware and devices, has received the EAL6+ (Evaluation Assurance Level), the highest rating for an operating system.
It's already being used in the B1 bomber, the F35 joint strike fighter, the Airbus 380, Boeing 767, and NASA's next-generation shuttle, and now will be available for use on computers running Windows, Linux, and other desktop operating systems.
The operating system's virtualization features can protect corporate networks by isolating viruses and other malware from other parts of the computer system, said David Chandler, chief executive of Integrity Global Security.
The software can be particularly beneficial for critical infrastructure and call centers, which are often outsourced and staffed by contractors, he said. "We can provide a secure environment and only show the information necessary for someone to do their job," he said.
"What Integrity has is much better than what's currently available on the market," said Neil MacDonald, a vice president of analyst firm Gartner.
"The challenge will be convincing people that they need this; that they have to be doing something different from what they're doing now with commercial software like VMware or Microsoft's Hyper-V technology," he said. "In the commercial world there is the challenge of 'good enough' security and do they really need military-grade or gold-plated security versions of what commercial companies have to offer."
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
A Common Criteria evaluation gives an assurance that the "process" a product was developed with was sound (with adequate design, review, change management, testing, etc), and an assurance that the product can meet its intended specification. But EAL does *not* assure that the product is secure.
In short, EAL validates the process, not the product. So an EAL6 rating does NOT mean Integrity is actually any more secure than VMware or Hyper-V. In fact, Integrity is generally used in "closed" systems (such as avionics,) and hasn't been "battle tested" in the open Internet, so I would take Integrity's security claims with a dose of skepticism.
Some other factors to consider:
1) The version of Integrity 178B available to enterprises in the future must have numerous added hypervisor management features not evaluated as part of the EAL6 certification. Therefore the EAL6 certification is meaningless in this context.
2) Features that make Integrity a great RTOS for safety-critical systems may also make it a poor general-purpose hypervisor, such as lack of support for diverse hardware, no dynamic memory, a restrictive scheduler, etc.
3) In a commercial setting (with layered defense), the security of the hypervisor hasn't been such a huge concern, in comparison to other security problems an enterprise typically faces (internal fraud, compliance drivers, etc.). Companies might be reluctant to pay for Integrity's unproved security claims, given its marginal benefit in this context.
No doubt having Integrity pass EAL6 is a big achievement for Green Hills (they should be congratulated) and will have an impact for the government / military markets. But in the commercial world EAL doesn't mean much (aside from being a marketing talking point). Nevertheless I'm looking forward to reading Integrity's validation report when it becomes available.
<quote>In short, EAL validates the process, not the product. So an EAL6 rating does NOT mean Integrity is actually any more secure than VMware or Hyper-V. In fact, Integrity is generally used in "closed" systems (such as avionics,) and hasn't been "battle tested" in the open Internet, so I would take Integrity's security claims with a dose of skepticism.</quote>
EAL actually validates the product (as well as the process). 100% code coverage testing, formal mathematical proof and design validation are part of the process. Additionally, full penetration testing by full-time security experts with access to source code is also required. It's not theoretical; the testing is done against a specific Target Of Evaluation (TOE), which is a combination of hardware and software.
Basically, if the core infrastructure of the system isn't secure then there's not much point worrying about anything else. It's like building a skyscraper on quicksand.
You may be interested in the following excerpts from GCN, which explain why (in the commercial world) few have confidence in EAL evaluations.
[link http://qwix.com/31]
"Common Criteria evaluations are assigned one of seven assurance levels reflecting the requirements met for the development process of the product. Evaluation Assurance Levels reflect the degree of confidence a user can have in the results of the evaluation and the performance of the product. The lower assurance levels, EAL 1 through 4, where the vast majority of products are evaluated (see chart), do not require evaluation of the software, only of the development process and documentation.
Because of this, critics say evaluation does nothing to prove or improve the security of a product.
"You are not testing the product at all," Paller said. "You are testing the paperwork."
Shapiro says that even the higher assurance levels do not provide assurance of security because they do not require a code review for bugs, but only a rigorous correspondence between the code and the specifications."