Agencies beta-test hardened open-source Unix OS

In new SecureBSD, 2Cactus Development says it gives users a locked-down version of FreeBSD

By William Jackson, Staff
GCN

May 22, 2000

Government users of the FreeBSD Unix operating system now have some security reassurance from 2Cactus Development Inc., which this month released an initial version of SecureBSD.

“We have locked it down,” said Dave Roberts, acting chief operating officer of the Phoenix company, a subsidiary of Inforum Communications Inc. of Denver.

SecureBSD 1.0 applies kernel-level enhancements to correct 133 vulnerabilities in the open-source Unix OS, which runs on more than 2 million servers in the United States.

The first release is for versions 3.4 and 4.0 of FreeBSD, the Berkley Software Distribution of Unix. It is downloadable free from the Web at www.securebsd.com.

Secret beta tests

Beta testers of the product are unidentified so as “not to give any potential hackers a leg up,” 2Cactus president Jeffery Mathias said. He confirmed, however, that some government sites are among those testing SecureBSD.

Michael Dunn, 2Cactus general manager, said the company probably would pursue the government’s trusted certification for the OS when it stabilizes.

Secure Unix systems are nothing new. Trusted Solaris from Sun Microsystems Inc. has been around for years, and a number of proprietary products are hardened Unix in various flavors. But Dave Jarrell, director of the Federal Computer Incident Response Capability Center, said he is a particular fan of the open-source OpenBSD and FreeBSD.

“The source code is available for anyone to see,” making weaknesses easier to spot and correct, he said.

Jarrell said many administrators feel more comfortable loading software on their networks when they can see the code.

FreeBSD, however, is a niche OS for federal users, Jarrell said. “I wouldn’t say it was widely used in the government. There are isolated places that use it. Something like this has been a long time coming, and the more options we have, the better off we’re going to be.”

He said it is difficult to configure services and ports to improve security in many OSes, and even open source code can be hard to fine-tune when users do not know what services are available and which ones they really need.

Rather than create an application that runs under the OS and looks for intrusions, “we added code to the BSD kernel,” Mathias said. The initial release is not an OS itself but a patch that is compiled into SecureBSD.

“When Version 1.1 comes out, it will be a complete operating system,” Roberts said.

Among the security features is a Message Digest Algorithm, which detects changes in files via a cyclic redundancy check before a program is executed to spot and block altered code.

Cyclic redundancy checking is common for detection of transmission errors, and some applications also use file integrity checking to look for malicious code.

Copyright 2000