A note from Carl Landwehr
December 20, 2000
For CIPHER:
I had the opportunity to participate in
a DARPA-sponsored invitational
workshop on open source operating systems and security last
month that I thought might be of interest to CIPHER readers.
The workshop was convened by Dr. Doug
Maughan of DARPA ITO, as the first
step in a new program called Composable High Assurance Trusted Systems
(CHATS), aimed at developing technologies for high assurance open-source
operating systems. This workshop followed one held about
a year earlier on a similar topic.
Goals of the workshop were to:
1) Identify and describe key technical
research areas to improve the
assurance and security of existing open-source operating systems.
2) Begin discussions toward the
development of a long-term architectural
framework for composable, high-assurance open-source operating
systems.
3) Provide a forum for interchange and
community building among participants
from the open source and operating system security communities.
Participants were an interesting mix of
prominent contributors to open
source systems, including FreeBSD, OpenBSD, Linux, and Apache,
vendors,
including Apple, Silicon Graphics, IBM, and Microsoft, and members
of the security research community from Penn, Berkeley, Maryland,
Utah, NSA, NRL, SRI, NAI Labs, Wirex, Argus (apologies to any
group I have omitted!).
I was personally pleased to see a great
deal of interest on the part of the
open source community members on improving the security of
their systems in practical ways. While I don't buy the
"millions
of eyes" argument that simply opening the source to a system
will assure that it gets reviewed thoroughly for security flaws,
it seems to me that having the source available at least makes
it possible for anyone who wishes to invest in reviewing the
source to do so.
Cipher readers interested in this topic
should be alert for announcements
from DARPA expected to issue early in 2001. Program
information and workshop results (both from the 1999 workshop
and the 2000 workshop will be placed at
http://schafercorp-ballston.com/CHATS/
as they are released; some information is
there already.
--Carl Landwehr
--Mitretek Systems