NSA shows the way to develop secure systems
-{ Quote: "The development of highly secure, low defect software will be dramatically helped by the release of the Tokeneer research project to the open source community by the US National Security Agency (NSA).

The Tokeneer project was commissioned by the NSA from Praxis High Integrity Systems as a demonstrator of high-assurance software engineering. Developed using Praxis’ Correctness by Construction (CbyC) methodology it uses the SPARK Ada language and AdaCore’s GNAT Pro environment. The project has demonstrated how to meet or exceed Evaluation Assurance Level (EAL) 5 in the Common Criteria thus demonstrating a path towards the highest levels of security assurance." }-
http://www.net-security.org/secworld.php?id=6619

Hi,

Such projects for secure OS already exist in many government security agencies, and most of them are Unix/Linux based OS.

There is some secure Linux distributions which take advantage of the NSA work with SeLinux like Engarde (http://www.engardelinux.org/).
For commercial OS, Secure64 has build,SourceT MicroOS (http://www.secure64.com/technology.shtml), a secure OS designed for critical infrastructures.
It has been audited as immune of malwares, rootkits and vulnerabilities by Matasano.
And the team provides an interesting paper aout the how to of a secure OS.
But of course, absence of flaws does not mean non-existence of flaws.


An OS can be considered as statistically secure, without beeing technically secure.
The end user just need to get a confidential OS like those (http://www.osfiles.com/os_other/ospg_other_others.htm) ones, instead of an OS for the mass like Windows.
The Insecurity/Security world focus for the most part on Microsoft products which represent a kind of heresy from a business point of view (in which industry could we find such monopole ?).


So finally can we build secure systems without the need of the NSA ?

YES WE CAN

regards

Hello,

The NSA herself seems to have already found and certified (http://www.integrityglobalsecurity.com/pages/learnCommon.html) this secure (http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212100421) OS wih Integrity.
But like any commercial real-time (http://www.lynuxworks.com/rtos/rtos.php) or embedded OS, it is not designed and accessible for the mass.

Microsoft is not sleeping, and must not if we consider the latest (http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-11/msg00130.html) official TCP/IP BO which affects Vista...
Midori (http://www.sdtimes.com/MICROSOFT_S_PLANS_FOR_POST_WINDOWS_OS_REVEALED/About_CLOUDCOMPUTING_and_MOBILEDEVELOPMENT_and_NET_and_SOASAAS_and_SOFTWAREDEVELOPMENT_and_WINDOWS_and_MICROSOFT/32627), based on the Syngularity (http://research.microsoft.com/os/singularity/) research OS (http://www.codeplex.com/singularity/Release/ProjectReleases.aspx?ReleaseId=19428#ReleaseFiles), might be the future (http://www.osnews.com/story/20145/Is_Midori_Really_the_Next_Windows_) of Windows...

so wait and see...

regards

Interesting, thank you kareldjag.