USL dares corporate hackers to try and break new secure UNIX
SUMMIT, N.J. -- JULY 23, 1991 -- UNIX System Laboratories, Inc. (USL), today challenged selected computer system vendors and major corporations to put the enhanced security features of a new version of UNIX(R) System V Release 4 to the test. The challenge gives vendors and customers hands-on experience with next-generation computer security technology. It also exposes participants to the corporate policy and management issues involved in coming to grips with information security threats, USL said.
The new release of the operating system, called UNIX System V Release 4.1 Enhanced Security, replaces traditional add-on approaches to corporate computer security with security built into the operating system itself. In that way it implements what USL calls "the security paradigm shift of the 1990s."
"MIS directors can no longer build firewalls around computer systems and data repositories that are distributed throughout an organization. The security paradigm will shift in the 1990s from predominantly physical approaches to increased reliance on software security," said Roel Pieper, executive vice president, Sales and Marketing at USL. "The foundation of software security is an inherently secure operating system."
"Only by building security into operating system software," Pieper said, "can you be sure that the people, the data and the programs in a distributed information system interact within a disciplined and secure environment. That way you can be confident that the systems and information on the edges of a network are as well protected as the systems and information traditionally kept behind locked doors."
The Enhanced Security version of UNIX System V Release 4 provides enterprise security features that are required to support UNIX International's "Corporate Hub" environment. The Corporate Hub environment, described today by UNIX International, is designed to support open, distributed transaction processing, standards-based networking and other data processing and management capabilities required by corporate MIS organizations.
The USL challenge is open initially to a limited number of beta site vendors and end users, but ultimately will be open to all UNIX System V Release 4 source code customers and corporations that have a special interest in commercial enterprise security.
Those who accept the challenge will be given dial-up logins on an AT&T 3B2 computer running UNIX System V Release 4.1 Enhanced Security. They will be challenged to break security on the system by demonstrating that they have accomplished tasks that map closely to the most common and potentially most costly kinds of security breaches experienced by commercial organizations. Such tasks might include:
These challenges illustrate features of SVR4.1 ES that are critical to corporations whose primary concern is protecting the integrity of data and programs against unauthorized use or change. The challenges also illustrate how SVR4.1 ES answers the government imperative of preventing users from reading files that they are not authorized to read.
The ability to restrict access and manipulation of information by valid computer users is critical since, according to the Data Processing Management Association, 81 percent of computer crime is perpetrated by current employees and 6 percent by former employees. Only 13 percent of computer crime, they say, is perpetrated by outsiders who gain unauthorized access to a system.
SVR4.1 ES source code for the AT&T 3B2 computer is now generally available to industry vendors. Availability of binary product for use by end users depends on the market strategies of individual vendors. Availability of SVR4.1 ES source code for the Intel 386/486 and additional processors will be announced by USL at a later date.
UNIX System V Release 4.1 Enhanced Security Fact Sheet
UNIX System V Release 4.1 Enhanced Security, five years in development, is based on a new security paradigm designed for emerging distributed computing environments. Central to the new security paradigm is the principle that in order to limit threats to information security throughout an enterprise, security technology, as well as security policy and management control, must be integral parts of the total computing environment.
In contrast to existing add-on security products, UNIX System V Release 4.1 Enhanced Security is based on a fundamental modularization of the operating system. This modularization was followed by an exhaustive assurance of the security capabilities of each functional software module within the UNIX System V Release 4.1 ES operating system itself.
Key development activities included:
The functional modularization of each of the software modules that together make up the UNIX System V Release 4.1 ES kernel, and the exhaustive assurance of the security of each of those modules and their interactions, accounted for approximately half the work involved in the development of the system. USL believes that the assurance of security is necessary in order to demonstrate not only that SVR4.1 ES does what it is intended to do, but also that it does not permit undesirable or potentially exploitable side effects to compromise overall corporate computing security.
To make effective use of SVR4.1, companies should first define a Corporate Security Policy that tells everyone in an organization how information is to be handled and stored. In addition, company administrators must also establish Management Controls that define administrative, procedural and technical mechanisms and techniques that will be used to implement Corporate Security Policy. Effective management controls cover all aspects of information security, including physical security, classification of information, and training to instill awareness and acceptance by users. USL is developing a corporate security educational program for end users, aimed at addressing issues involved in establishing security policy and management controls.
Features of UNIX System V Release 4.1 Enhanced Security that enable companies to implement appropriate management controls and Corporate Security Policy include:
Mandatory access control (MAC)
MAC lets an administrator restrict read and/or write access to information in accord with Corporate Security Policy, enabling the administrator to define at a corporate level who has access to what kinds of information. Access can be controlled by a hierarchical structuring (such as Restricted, Proprietary, Private, Public) as well as on a functional or project-related "Need to Know" basis. MAC also enables an administrator to separate system administration functions from user functions; that is, to specify that an administrative login can only be used to do administrative activities, such as file backup or adding new users, assigned to that login. In the same way, users can be prevented from executing any administrative functions.
Discretionary access control (DAC)
DAC enforces default security on all user files and activities. By default, the system restricts access to all user files, compelling users to create and specify Access Control Lists that define who can have access--other individual users, workgroups or sets of groups--to their files.
Identification and authentication facility (IAF)
IAF, part of the login process, ensures that only valid users gain access to a system. Typically, users identify themselves to a system by typing in a login name and then authenticate their login identities with a password. SVR4.1 ES includes a password authentication mechanism, but also provides facilities for implementing non-password authentication controls, such as fingerprint or retina scans, magnetic card readers, or other mechanisms. This enables customers to tailor authentication mechanisms to meet the degree of security they deem necessary.
Trusted facility management/least privilege module (TFM)
TFM provides checks and balances that keep individuals doing administrative tasks from putting corporate information at risk. Administrative permissions to perform tasks can be granted on a "per command" basis, so that an administrator using a "file backup" administrative login would be able to back up files, but not to read the information in those files.
This feature provides a "clean" direct connection between a user and a system during the login process, thereby eliminating deceptive practices such as "spoofing"--the insertion of a program that pretends to take a user through a normal login process but really just captures someone else's login information for later, unethical use.
When files have been corrupted or destroyed, users need a mechanism to restore those files to their previous state. TIE extends system backup/restore capabilities to recover not only files, but also the security level and access controls associated with the files, so that the backup process continues to maintain system security.
SVR4.1 ES networking security features enable both mandatory and discretionary access controls and administrative privileges to be utilized for file sharing services over both RFS and NFS networks and for file transfer and remote command execution, making it a particularly good operating system choice for gateways between a corporate network and outside networks. Ultimately, however, a computer network is only as secure as the least secure system on the network--typically a desktop PC. In addition, information security also depends on controlling access to the physical networking media (that is, wire, optical fiber or radio); for that reason, the most common, and currently most cost-effective way to protect information as it is transported across the physical media in a network is to install dedicated encryption/decryption hardware at network termination points.
Auditing provides a clear trace of all activity on a computer system by recording the actions of all users as to which files were accessed, when, and by whom, and which commands were used. Audit trails help identify where a security break-in took place or if any suspicious activity is in progress, and help assess the amount of damage done after unauthorized access has occurred. SVR4.1 ES provides extensive flexibility in the implementation of audit functions by letting administrators define how much system activity is to be recorded.
SVR4.1 product packaging
SVR4.1 ES performance
A common complaint about existing add-on security packages, or special-purpose secure systems, is degradation of systems performance, sometimes by as much as 30 to 50 percent. The SVR4.1 ES base operating system performs at the same level as SVR4. While system performance will degrade in conjunction with the level of auditing selected for an individual system, SVR4.1 ES performance is exceptional: With all security features enabled, but no auditing, SVR4.1 ES runs within 96 to 97 percent of SVR4. With all security features enabled and default auditing and journaling, SVR4.1 ES runs within 93 to 94 percent of SVR4. With all security and auditing enabled, SVR4.1 ES runs within 85 to 90 percent of SVR4.
UNIX is a registered trademark in the United States and elsewhere, licensed exclusively through X/Open Company Ltd.
D. Scott Belin