CC EAL-7 level COTS OS??

Ok neel, seriously your ignorance is pissing me off.

Name an open development project that utilizes any semblance of repeatable project management... just one. Open development by its very definition is not repeatable, no matter how professional some of your programmers are. As soon as you accept any input from someone outside the scope of project management you are utilizing an ad hoc system... aka Level 1.

Quote:

---

linking hardware design directly to security then is weird... the software design describes how the hardware resources are used and the rest is a mather of choice and opinion.

---

No it isn't.

"The TCB shall maintain process isolation through the provision of distinct address spaces under its control. The TCB shall be internally structured into well-defined largely independent modules. It shall make effective use of available hardware to separate those elements that are protection-critical from those that are not."
- 3.3.3.1.1 System Architecture - DOD-5200.28-STD

Clearly hardware is critical in achieving this level of evaluation.

This is done in different ways, some use the different security rings available in the Pentium architecture (XTS-400). Others use a completely separate processor to handle the security kernel (LOCK) and still others use physically separated RAM chips in conjunction with a hard-coded security kernel (HYDRA).

These have nothing to do with the application of the system... they have to do with meeting the process separation requirements. They would need to be consistent on a satellite or in a bunker.

catch

Hi Catch,

We use PRINCE2 as a structured PM methodology over here..............possibly SSADM as the development methodology...........they are both UK government so seem to fit, but I do see your points on this one...............if you do not have structured specification and analysis, what is the point in having structured design, implementation and project management?

So how can you get very far into CMM?

Please correct me if I am wrong..............this is really rather interesting to me

:)

Good stuff nihil.

I see this alot, the point in having structured design, implementation, and project management has less to do with high assurance software and more to do with profitable software.

However without structured analysis of both the product and the process, CMM-Level 4 will remain a dream.

"Detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled."
- http://www.sei.cmu.edu/pub/documents...df/tr24.93.pdf

I highly recommend that document to anyone looking to learn about the SW-CMM, though it is a bit dated it is still a nice overview before delving into the CMMI.

cheers,

catch

Hmmm,

Quote:

---

I see this alot, the point in having structured design, implementation, and project management has less to do with high assurance software and more to do with profitable software.

---

Yes, I have studied structured methodologies over the years, particularly in house ones used by contractors. They all seem to start with some sort of bid/tender/proposal process, and take it from there.

There seems to be an underlying assumption that the customer (user) has provided full technical and functional requirements specifications and that they have a "business plan"

I know that we have both worked in defence/aerospace, and that in those sectors that assumption is reasonably true, in my experience at least.

The contractor is out to make a profit, and has structured methodologies to support this, the customer is looking for functionality and value for money, and also has structured methodologies to support this.

Provided that they work in unison on common projects they would be capable of achieving CMM level 5, both individually AND collectively? and we have a full life cycle development environment :)

Now, the problem arises when the customer has not completed the initial phases of the project cycle, and will not pay the contractor to do it. The contractor will probably not worry too much about this if it is a time & materials billed project

In this situation, the contractor could still rate CMM5, but combined with the customer the rating would be CMM1 (it probably should be 0 or a negative value? :D )

In case anyone is in doubt, and thinks that this is academic/theoretical bull****; I have actually worked in both those situations :eek:

So, if we apply this to open source, we have many customers with no clearly defined requirements, and many suppliers with variable development standards and cost models?

I cannot see how that can meet any kind of high level certification?


just my £0.02

Quote:

---

Provided that they work in unison on common projects they would be capable of achieving CMM level 5, both individually AND collectively?

---

No one is analyzing... and the developer isn't utilizing knowledge gained from the customer's previous efforts with perhaps different developers. The process is only as mature as it's least developed point.

You are exactly right with the maturity of the open development process.

cheers,

catch

Quote:

---

Originally posted here by catch
Ok neel, seriously your ignorance is pissing me off.

---

Ok catch, seriously your arrogance is pissing me off.

Quote:

---

Name an open development project that utilizes any semblance of repeatable project management... just one. Open development by its very definition is not repeatable, no matter how professional some of your programmers are. As soon as you accept any input from someone outside the scope of project management you are utilizing an ad hoc system... aka Level 1.

---

KID is one example. Altough everyone can download the source code and modify it, only submitted code is (if qualified) added to the project. Modification that are not added technically belong to other software "based on" KID.

Quote:

---

No it isn't.

"The TCB shall maintain process isolation through the provision of distinct address spaces under its control. The TCB shall be internally structured into well-defined largely independent modules. It shall make effective use of available hardware to separate those elements that are protection-critical from those that are not."
- 3.3.3.1.1 System Architecture - DOD-5200.28-STD

Clearly hardware is critical in achieving this level of evaluation.

This is done in different ways, some use the different security rings available in the Pentium architecture (XTS-400). Others use a completely separate processor to handle the security kernel (LOCK) and still others use physically separated RAM chips in conjunction with a hard-coded security kernel (HYDRA).

These have nothing to do with the application of the system... they have to do with meeting the process separation requirements. They would need to be consistent on a satellite or in a bunker.

catch

---

just like I said the seperation of elements can be done in many ways if you specify them on the software level. It's a mather of choice still if you essentially build two computer in one and using some electromagnetics trickbox to seperate the two, or just use two computers, maybe sharing some resources like RAM or whatever. On the hardware design level you sometimes don't have the options you'd use in a bunker, when yer designing a computer in a satelite. For example when chips get some ghz's more then they have now, there's a shitload of components that start to act like crazy antenna's and ****. You can minimize that using different designs, but you can't totally eliminate it. You'd need software to seperate the elements phisically and in time, making it quite irrelevant what hardware you use.

Quote:

---

KID is one example. Altough everyone can download the source code and modify it, only submitted code is (if qualified) added to the project. Modification that are not added technically belong to other software "based on" KID.

---

First, now you see why I made a point to seperate "Open source" from "Open Development", secondly, random user input cannot be predicted! As soon as you accept anything from outside the scope of your project management, you are using an ad hoc system.
Why do I need to keep telling you the same thing over and over?

And on the hardware issue you are not even close to addressing the issue at hand, so no point in my responding to save this point. No one is talking about the future (or exotic applications), right now... today, this very moment... in order to achieve high levels of assurance, process seperation needs to be done at the hardware level.

catch

Quote:

---

Originally posted here by catch
First, now you see why I made a point to seperate "Open source" from "Open Development", secondly, random user input cannot be predicted! As soon as you accept anything from outside the scope of your project management, you are using an ad hoc system.
Why do I need to keep telling you the same thing over and over?

---

It's an open source project I was talking about, not open development. Do I need to keep telling you that over and over again ?

Quote:

---

And on the hardware issue you are not even close to addressing the issue at hand, so no point in my responding to save this point. No one is talking about the future (or exotic applications), right now... today, this very moment... in order to achieve high levels of assurance, process seperation needs to be done at the hardware level.

catch

---

no, the antenna example is already at hand since you have EM interference everywhere... you think current processors are a bunch of transistors placed in a piece of silicium as its suited without any attention to capacities between wires ? process seperation can be done with software today and that aspect won't change in the (near) future as does the need for security... Process seperation just isn't an aspect of computer security that relies on hardware, just something that can be done with hardware. That's a choice.

Quote:

---

KID is one example. Altough everyone can download the source code and modify it, only submitted code is (if qualified) added to the project. Modification that are not added technically belong to other software "based on" KID.

---

I have to agree with Catch on this one. Anytime you cannot predictable plan and repeat when a piece of software will be available and whom will be the one updating it you are not following very basic principles of CMM. Just because you are following a strict submittal process does not make the process repeatable.

One of the very basic parts of project management is resource management. In an open source or open development project the resources that you have available to you are very flexible and not static. This is definitely not what you want if you are trying to achieve higher levels of CMM. While it could be possible for an open development project to reach higher levels, if properly managed, I've never seen it done.

Open source and open development, however you want to look at it, assumes that the user base will find a problem and fix that problem when they have the time and resources to do so. How is this planned development?

Having seen CMM in action at large telecommunication companies, where I work, and at IBM, where we outsource much of our work, the biggest thing to CMM is pre-project planning, and post project analysis. I've never seen an open source project strictly define the number of programmers needed, who those programmers are, their qualifications, when they work, who they work for, how their work is evaulated, who does the evaluation, etc... Which are all very basic parts of planning a project.

I don't really see how this applies to this piece of software though as this is not really open source software as I don't see them publishing the code, and I highly doubt that they will publish any of this "linux"-like OS under GNU.

Hmmm,

Quote:

---

One of the very basic parts of project management is resource management

---

Absolutely, in fact the classical approach/model says that if the PM does not have the identified and committed resources to start with, he should not even start the project?

Quote:

---

and whom will be the one updating it

---

Not quite true? all you need to know is that you will have a technician ABC123 available at a point in time?

Now may we look at the real world, outside of ivy league walls and the ivory towers within?

All these marvellous self-gratification certifications mean jack sh1t in reality............sure, it tells you about an organisation and its ability to document etc.................BUT:

What it does NOT tell you is if the product will work???????!!!!!!!!!!!!!!!!!!!

CMM, ISO, BSI...................all I have to do is demonstrate that I can replicate the same sh1t product 24/7/365, that my processes and supporting procedures are fully documented, and that all my people follow them...............and voila! I am certified................it is a bit like playing Russian Roulette with a Colt .45 auto...........as long as you can squeeze the trigger?.......................

You cannot judge open source with non-open source standards?

Neither can you expect open source to meet closed source standards.............they are DIFFERENT......the real issue should be which is the most appropriate in a particular situation?

Personally, I see the value of both :)