Maybe What We Need Here is Some Common (Criteria) Sense
A Q&A with Green Hills Software and VDC’s Analysis
What Happened?
Military Embedded Systems Magazine published an article in Q&A format that was conducted with
Green Hills Software was quick to forcefully respond to the article with a press release to address what they described as false and misleading statements made by
After covering both of these companies for over nine (9) years, my first reaction after reading the original interview was “oh my”. My second reaction was “get ready for the shock and awe to follow”.
On Monday of this week VDC conducted a Q&A with Green Hills Software CTO, Dave Kleidermacher, to give the company an opportunity to address, from its perspective, the EAL6+ / High Robustness validation issue. After this interview we did reach out to speak with
VDC’s Interview
VDC: The NIAP Validated Products listing shows “High Robustness” for INTEGRITY-178B. In addition, the SKPP (Separation Kernel Protection Profile) has a “High Robustness” conformance claim. Does this mean that INTEGRITY-178B is not EAL6+ certified?
Kleidermacher: No. While it is true that the SKPP’s conformance claim is “High Robustness”, INTEGRITY-178B is certified to both EAL6+ and High Robustness, as is evident on the certificate, signed by Directors of NSA and NIAP.
VDC: What is the difference between EAL6+ and High Robustness?
Kleidermacher: EAL6+ indicates a combination of assurance requirements leveled at EAL6 and requirements leveled at EAL7. These requirements are selected from a menu of assurance requirements defined by the Common Criteria standard. “High Robustness” is a
VDC: If INTEGRITY-178B was certified to EAL6+ and High Robustness why not EAL7?
Kleidermacher: INTEGRITY-178B was designed for and is compliant to EAL7 requirements. However, our project sponsors required certification against the SKPP, a
VDC: Is it true that designing from the ground up to meet high assurance (e.g. SKPP) is a better approach than retrofitting to a product that wasn’t necessarily designed for that?
Kleidermacher: Yes. SKPP assurance cannot be retrofitted. For example, the SKPP’s formal methods requirements are only practical for software that was originally designed for formal security evaluation.
VDC:
Kleidermacher: No. Green Hills Software’s INTEGRITY-178B was originally designed and developed for formal security evaluation at EAL7 and based on a deep understanding of the mathematical basis of operating system security and hence was successfully certified against SKPP.
VDC: Does INTEGRITY 178B use a Type 1 or Type 2 hypervisor? Please explain.
Kleidermacher: With modern virtualization hardware such as Intel® VT technology, the distinction between Type 1 and Type 2 is becoming blurred and of questionable relevance. However, the best way to describe INTEGRITY-178B is that it provides an “Enhanced Type 1” hypervisor. INTEGRITY runs on the bare metal, providing the high performance and reliable resource management expected from a Type 1 hypervisor. INTEGRITY takes this a step further, providing a level of secure partitioning and access control between virtual machines that is not possible with commercial Type 1 hypervisors. However, INTEGRITY-178B is first and foremost an RTOS, with a native applications interface (something which has – until now – only been available with Type 2 hypervisors), enabling critical software – such as real-time components – to safely and securely co-exist on the same processor with fully virtualized guest environments. A traditional Type 1 hypervisor requires guest operating systems for sophisticated functionality and lacks a deep ecosystem of device drivers, middleware, and applications already available with the enhanced Type 1 approach.
VDC’s View
For those intrigued by this topic, numerous documents are available for your reading, including:
Green Hills Validated Product reports including:
· Green Hills Software INTEGRITY-178B Separation Kernel Security Target Version 1.0 Dated May 30, 2008
· Common Criteria Evaluation and Validation Scheme Validation Report, Green Hills Software INTEGRITY-178B Separation Kernel, Report Number: CCEVS-VR-10119-2008, Version 1.0 Dated September 1, 2008
· Common Criteria Certificate awarded to Green Hills Software
One last web-link you should check out is from the Common Criteria Portal.org.
If you read all of these documents (not quite as many pages as the various health care bills passing through the U.S. Congress) you might find yourself confused by some statements that seem contradictory to an EAL6+ validation for SKPP High Robustness such as:
From the SKPP document: “Assurance requirements contained in this PP reflect techniques, activities, and evidence, appropriate for the establishment of trustworthiness in a compliant TOE for application in U.S. Government high robustness environments. The assurance requirements are comprised of both CC-defined assurance components from EAL6 and EAL7 and explicitly stated assurance components which are either new (i.e., not contained in the CC) or modifications of existing CC assurance components. Hence, this PP makes no EAL claim.” and “This protection profile has been developed for
Or
From the Security Target Report: “The Separation Kernels PP claims that the combination of assurance components is equivalent to an Evaluation Assurance Level 6 with augmentation (EAL6+). This ST does not claim conformance to EAL6+, because of the large number of explicitly stated assurance requirements specified in the Separation Kernels PP. The ST author leaves it to the Separation Kernels PP to justify any claims for EAL conformance. This ST claims conformance to the Separation Kernels PP.”
Or
From the Validation Report: “Science Applications International Corporation (SAIC) determined that while the product doesn’t technically satisfy any evaluation assurance level (EAL) as defined within the Common Criteria (CC), it does satisfy the requirements for “High Robustness” as defined within the SKPP.”
Confused? Well, maybe we should be, but here is the bottom line: both the National Security Agency (NSA) and the National Information Assurance Partnership (NIAP, a U.S. government initiative) signed the certificate for the INTEGRITY-178B Separation Kernel at assurance level EAL6+, High Robustness. One can only assume that both of these U.S. government organizations determined from the various supporting validation documentation that the INTEGRITY-178B product met the Common Criteria EAL6+ assurance level in addition to High Robustness as specified within the SKPP for separation kernels, and awarded the certificate as such.
This case is further supported by the fact that the Common Criteria Recognition Agreement (CCRA – see link above) lists INTEGRITY-178B at the EAL6+ assurance level only, since the Common Criteria does not recognize the U.S. Government SKPP High Robustness claim, which includes explicitly stated assurance components that are either new or not contained in the Common Criteria.
One last thought as I close out this very long blog post (and I apologize for the length): the Wind River VxWorks MILS 2.0 product is in evaluation with a conformance claim of EAL6 Augmented under PP_SKPP_HR_V1.03, which is the same protection profile and version against which the Green Hills INTEGRITY product was validated. If this is the case, should they both then meet the High Robustness and EAL6+ conformance claim?
This all brings me back to my original thought: maybe what we need here is some common (criteria) sense. The good news for the industry is that there are multiple RTOS suppliers in the market investing in supporting the needs of government and commercial industry for products that will offer highly secure environments for military, critical infrastructure, and other systems connected to cyberspace, to protect personal, corporate, medical and other types of information from cyber attacks.