Comments

Clive RobinsonDecember 14, 2012 8:05 AM

"The History..."

It only seams like the other day when Ross started talkiing about it.

Daniel FaiginDecember 14, 2012 9:30 AM

The link to the page with Ross's presentation can be found here. Here's the Presentation and the Paper.

I was at ACSAC last week (I'm in charge of the training program), and it was a great conference. I particularly enjoyed Ross' talk -- made me want to be 20 years younger to I could explore the field.

Nick PDecember 14, 2012 12:26 PM

@ Daniel Faigin

" I particularly enjoyed Ross' talk -- made me want to be 20 years younger to I could explore the field."

You're never too old to expand your mind. ;)

I noticed on your About page that you worked on BLACKER and SD-DBMS. That's neat. I'm rather known for promoting Orange Book era tech or designs to solve modern problems, as I've noticed people keep reinventing the wheel. Anyway, I've often wanted to get a hold of the old B3/A1 class software for general curiosity and expanding my security engineering capability. (Also, I could probably put them to use in certain projects with a little modernization. Probably still more secure than many things available today.)

Do you know how to get a copy of BLACKER, DTMach, LOCK, KeyKOS, SAT or any of the old projects code? Who else might know? (I didn't get a response from "cryptosmith".) Thanks ahead of time for any help.

Side note: GEMSOS still exists and they're the only A1 vendor that returns calls. ;) You've worked with GEMSOS before. In your opinion, is it a good platform to use in a modern (simple) secure appliance? Or would you recommend a different option? And for what reason?

Daniel FaiginDecember 14, 2012 12:41 PM

Nick - I doubt the code for BLACKER is available, given the nature of the product. I can't answer for the others. SDC, alas, is long-gone, although lots of us ex-SDCers are still in the 'biz. I will note that there is one legacy of BLACKER in use every day -- Perl was written to meet the A1 CM requirements for BLACKER (for details, see the history section in the Camel book, which I wrote -- Larry Wall, Mark Biggar, and I shared an office when the first version of Perl was developed)

As for GEMSOS -- although Gemini is gone, Roger's company Aesec is still around and has the product.

As for using GEMSOS -- I can't really answer the question for today. Last time I used the product, it was on the 286 and 386 platforms. If the capabilities of the product meet your specific need, it is certainly work exploring.

As for A1 and B3... I'll note that another Ross -- Ron Ross, of NIST -- is working to bring back aspects of A1 and B3 in the improved assurance controls in NIST SP 800-53 Rev 4. You can get an idea of what is coming by looking at the initial public draft of earlier this year (available from NIST). Look particularly at Appx E. I believe the next draft should be out in early 2013.

Nick PDecember 14, 2012 7:54 PM

@ Daniel Faigin

I didn't have my hopes up re BLACKER and other exemplar designs of the past. I figure someone has them somewhere on floppies collecting dust. Maybe one of the original researchers. If I ever find one, the idea is to use FOIA to get it released for historical and educational purposes as I can't imagine anyone is using pre-TCSEC software in production. (Although, I might be able to squeeze some use out of it.)

"I will note that there is one legacy of BLACKER in use every day -- Perl was written to meet the A1 CM requirements for BLACKER (for details, see the history section in the Camel book, which I wrote -- Larry Wall, Mark Biggar, and I shared an office when the first version of Perl was developed)"

Wow! I didn't know that at all. I didn't even know it was that old: I discovered it in the very late 90's. Thanks for that tidbit!

It's funny you mentioned CM b/c it was one of the first EAL5-7 products I intended to build (if funded) to bootstrap security in further high assurance products. Hard to put plenty of faith in a binary whereby A1-class source was translated by EAL4 black box tools likely running on EAL1-4 OS.

"As for using GEMSOS -- I can't really answer the question for today. Last time I used the product, it was on the 286 and 386 platforms. If the capabilities of the product meet your specific need, it is certainly work exploring."

They did send me some marketing material. From what I see, they haven't really changed it much at all. They spent most of their modern effort on software that runs on top of it or integrates it with other modern stuff.

"As for A1 and B3... I'll note that another Ross -- Ron Ross, of NIST -- is working to bring back aspects of A1 and B3 in the improved assurance controls in NIST SP 800-53 Rev 4. You can get an idea of what is coming by looking at the initial public draft of earlier this year (available from NIST). Look particularly at Appx E. I believe the next draft should be out in early 2013."

It's about time they consider that! Again, thanks for the info. I'll surely look into it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..