Bill Frantz <[EMAIL PROTECTED]> writes:
>At 12:26 PM -0700 7/26/99, Rick Smith wrote:
>>At 10:48 AM 7/26/99 -0700, Tom Perrine wrote:
>>>At that time (1985), every MLS-possible system that had been produced
>>>had been cancelled (or died for other reasons) ....  Sure,
>>>some of these (ours included) had serious performance problems, but
>>>*every* one was cancelled?
>>
>>This is a digression from the legislative issue, but the cancellations were
>>probably for commercial reasons. Many of the early efforts were more or
>>less funded by vendors, and they pulled out when no market developed that
>>could justify the obscene cost and schedule of a government security
>>evaluation. I could go on at length about the cost effectiveness of A1
>>style formal methods at finding significant security flaws, even if you
>>assume a pliant set of evaluators (NOT the government). NSA ended up
>>funding the LOCK program in the late '80s probably because vendors had
>>realized that there was no financial benefit in A1's formal assurance of
>>OSes. NSA still had some True Believers in A1 a decade ago, but they're all
>>gone now as far as I can tell.

>I can support this conclusion from the KeyKOS experience.  KeyKOS could be
>configured to support the B3/A1 requirements.  (The requirements for the two
>levels were the same, only the level of assurance differed.)  Because our
>kernel was written in 370 Assembler, our evaluation team suggested we start
>with a B2 evaluation.  Our cost estimate for that evaluation was $1,000,000.
>Our investors didn't see a market, so we dropped out.

A rule of thumb I've been using is a million dollars (pounds, DM, rubles,
zorkmids, whatever) and a year's work for an E3 certification (one person going
through the process once described progress as "$800K into the certification";
the expectation seems to be that once you've burned up a million dollars,
you're done).  At the moment there are only two justifications for this sort of
extravagance: the prospect of (one would assume fairly lucrative) government
contracts, or the requirement for a certain level of certification to comply
with digital signature laws (only a few European laws have done this, although
Australia may follow suit).

I'm not saying certification is a bad thing; it certainly helps in providing
some level of assurance that the product you're using is OK.  It's just
unfortunate that there's no way to do it in any economically viable way.  For
what I'm working on I'll just claim "designed to meet B3 (until proven
otherwise)" if anyone asks[0]; I don't think anyone will pay several million
dollars and wait several years[1] just to get a bit of paper affirming this.

Peter.

[0] Before I get flamed for this, this is exactly what it is, "designed to
    meet", no more, no less.
[1] There isn't any rule of thumb for the work involved in attaining the higher
    assurance levels because it's done so rarely, although in terms of cost and
    time I've seen an estimate of $40M for an A1 Multics (it never eventuated),
    and DEC's A1 security kernel took nearly a decade to do, with 30-40 people
    working on it at the end (just before it was cancelled).  A lot of this
    overhead was due to the fact that this hadn't been done much and there was
    a lot of research work involved; an estimate I've had for doing a
    commercial-product A1 system now would be about 3-5 years (probably closer
    to 5), ramping up from an initial 10 to 30 people at the end, and costing
    maybe $15-20M.