
Security-focused operating system
This is an alphabetical list of operating systems with a sharp security focus. Their order does not imply rank.
In our context, "security-focused" means that the project treats increasing security as a major goal. As such, a system can be secure without being "security-focused." For example, almost all of the operating systems mentioned here have needed security bug fixes in their lifetime; however, they all strive to consistently approach the generic security flaws inherent in their design with new ideas, in an attempt to create a secure computing environment. Note that this does not mean a security-evaluated operating system, which is an operating system that has achieved certification from an external security-auditing organization. An operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements is instead called a trusted operating system.
BSD
BSD is a family of Unix variants derived from a code base originating at the University of California, Berkeley. All derived BSD operating systems are released under the terms of a BSD-style license. There are several BSD variants, with only one being heavily focused on security.
OpenBSD
OpenBSD is an open source BSD operating system known for its heavy focus on security. The project has completed rigorous manual reviews of the code and addressed issues most systems have not. OpenBSD also supplies an executable space protection scheme known as W^X (memory is writable xor executable: a page may be writable or executable, but never both at once), as well as a ProPolice-compiled executable base.
TrustedBSD
TrustedBSD is a sub-project of FreeBSD designed to add trusted operating system extensions, targeting the Common Criteria for Information Technology Security Evaluation (see also Orange Book). Its main focuses are access control lists, event auditing, extended attributes, mandatory access controls, and fine-grained capabilities. Since access control lists are known to be confronted with the confused deputy problem, capabilities are offered as a different way to avoid this issue. As part of the TrustedBSD project, there is also a port of the NSA's FLASK/TE implementation to run on FreeBSD. Many of these trusted extensions have been integrated into the main FreeBSD branch starting at 5.x.
Linux
Linux itself is inherently security-focused; however, many distributions and projects attempt to make Linux more secure.
Annvix
Annvix was originally forked from Mandriva to provide a security-focused server distribution that employs ProPolice protection, hardened configuration, and a small footprint. There have been plans to include full support for the RSBAC mandatory access control system. However, Annvix appears to be dormant, with the last version released on December 30, 2007.
EnGarde Secure Linux
EnGarde Secure Linux is a secure platform designed for servers. It has offered a browser-based tool for mandatory access control using SELinux since 2003. Additionally, it can be accompanied by Web, DNS, and email enterprise applications, specifically focusing on security without any unnecessary software. The community platform of EnGarde Secure Linux is the bleeding-edge version, freely available for download.
Fedora
Fedora is a free, Red Hat sponsored, community-developed Linux distribution. It is one of the mainstream Linux distributions with a concentrated effort to improve system security; as a consequence it boasts a fully integrated SELinux MAC, a fine-grained executable memory permission system (Exec Shield), and all binaries compiled with GCC's standard stack-smashing protection, as well as a focus on getting security updates into the system in a timely manner.
Hardened Gentoo
Hardened Gentoo is a subproject of the Gentoo Linux project. Hardened Gentoo offers a ProPolice-protected and Position Independent Executable base using exactly the same package tree as Gentoo. Executable space protection in Hardened Gentoo is handled by PaX. The Hardened Gentoo project is extremely modular, and also provides subprojects to integrate other intrusion-detection and mandatory access control systems into Gentoo. All of these can be optionally installed in any combination, with or without PaX and a ProPolice base.
Hardened Linux
Hardened Linux is a small distribution for firewalls, intrusion detection systems, VPN gateways and authentication jobs that is still under heavy development. It includes grsecurity, PaX and GCC stack-smashing protection.
Immunix
Immunix is a commercial distribution of Linux focused heavily on security. They supply many systems of their own making, including StackGuard, cryptographic signing of executables, race condition patches, and format string exploit guarding code. Immunix traditionally releases older versions of their distribution free for non-commercial use. Note that the Immunix distribution itself is licensed under two licenses: the Immunix commercial and non-commercial licenses. Many tools within are GPL, however, as is the kernel.
Openwall Project
Owl, by a developer known as Solar Designer, was the first distribution to have a non-executable userspace stack, /tmp race condition protection and access control restrictions on /proc data, by way of a kernel patch. It also features a per-user tmp directory via the pam_mktemp PAM module, and supports Blowfish password encryption.
Red Hat Enterprise Linux
Red Hat Enterprise Linux offers the same security benefits as Fedora, with the additional support of back-porting security fixes to the released versions of packages (particularly the kernel), so the sysadmin does not have to perform a significant (and risky) upgrade to get a security fix.
Ubuntu
Like Fedora and Red Hat Enterprise Linux, Ubuntu provides security fixes for stable releases. It also has AppArmor installed by default and supports SELinux. Ubuntu locks the root account by default and instead uses the user's own password for root tasks (see https://help.ubuntu.com/community/RootSudo).
Solaris
Solaris is a Unix variant created by Sun Microsystems. Solaris itself is not inherently security-focused. The majority of the Solaris source code has been released via the OpenSolaris project, mostly under the Common Development and Distribution License. Enhancements to OpenSolaris, both security-related and otherwise, are backported to the official Solaris when Sun certifies their quality.
Trusted Solaris
Trusted Solaris is a security-focused version of the Solaris Unix operating system. Aimed primarily at the government computing sector, Trusted Solaris adds detailed auditing of all tasks, pluggable authentication, mandatory access control, additional physical authentication devices, and fine-grained access control. Trusted Solaris is Common Criteria certified. (See http://web.archive.org/web/20041013000439/http://wwws.sun.com/software/security/securitycert/trustedsolaris.html and http://web.archive.org/web/20070312070621/http://www.sun.com/software/security/securitycert/images/TSol8_7-03CMS.jpg)
The most recent version, Trusted Solaris 8 (released 2000), received the EAL4 certification level augmented by a number of protection profiles. Telnet was vulnerable for 11 years until patched in January 2011.
Solaris 10 and trusted functionality
Trusted Solaris functionality has now been added to the mainstream version of Solaris. In the 11/06 update to Solaris 10, the Solaris Trusted Extensions feature adds mandatory access control and labelled security. Introduced in the same update, the Secure by Default Networking feature leaves fewer services enabled by default compared to most previous releases, which had most services enabled. RBAC, found in both mainstream Solaris and Trusted Solaris, dramatically lessens the need for using root directly by providing fine-grained control over various administrative tasks.
Object-Capability systems
These operating systems are all engineered around a different paradigm of security, object-capabilities, where instead of having the system decide whether an access request should be granted (usually through one or several access control lists), the bundling of authority and designation makes it impossible to request anything not legitimate.
- KeyKOS
- EROS
- CapROS
- seL4
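The confused deputy problem mentioned under TrustedBSD and the object-capability paradigm described above, as an added illustration in Python (written for this page; it is not code from any of the systems listed, and the principals "alice" and "compiler", the paths and the in-memory store are constructed for the demo). The ACL deputy is checked on its own identity, so it can be talked into writing a file its caller may not touch; the capability deputy can only write where a capability it was handed points.

```python
"""Confused deputy under ACLs versus object-capabilities (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory file store guarded by a per-path ACL of allowed writers (constructed)."""
    files: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)   # path -> set of principals allowed to write

    def write(self, principal: str, path: str, data: str) -> None:
        """ACL check: decided by *who* the caller is, not by what it was given."""
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data


def acl_compiler(store: Store, source: str, output_path: str) -> None:
    """Deputy with ambient authority: whatever path it is handed, the store checks
    the compiler's own identity, so the requester's (lesser) rights are lost."""
    store.write("compiler", output_path, f"compiled({source})")


def acl_scenario() -> dict:
    """Classic confused deputy: the compiler may write the billing log, alice may not."""
    store = Store(
        files={"/var/billing.log": "usage records"},
        acl={"/var/billing.log": {"compiler"},                 # compiler legitimately records usage
             "/home/alice/a.out": {"alice", "compiler"}},
    )
    try:                                    # alice cannot write the billing log directly ...
        store.write("alice", "/var/billing.log", "x")
        direct_denied = False
    except PermissionError:
        direct_denied = True
    # ... but she can name it as the compiler's output file, and the deputy obliges.
    acl_compiler(store, "main.c", "/var/billing.log")
    return {"direct_write_denied": direct_denied,
            "billing_clobbered": store.files["/var/billing.log"] != "usage records"}


class WriteCap:
    """Capability: designation (the path) and authority (the right to write it) travel
    together. A capability OS keeps these in the kernel so user code cannot forge
    them; here only grant_write() creates them, which stands in for that property."""
    __slots__ = ("_write",)

    def __init__(self, write_fn):
        self._write = write_fn

    def write(self, data: str) -> None:
        self._write(data)


def grant_write(store: Store, path: str) -> WriteCap:
    """Owner-side minting of a capability that can write exactly one path."""
    def _write(data: str) -> None:
        store.files[path] = data
    return WriteCap(_write)


def cap_compiler(source: str, output: WriteCap) -> None:
    """Deputy with no ambient authority: it writes only through the capability it
    was handed, so there is no separate path argument to be confused about."""
    output.write(f"compiled({source})")


def capability_scenario() -> dict:
    """Same request under capabilities: alice holds no capability for the billing log."""
    store = Store(files={"/var/billing.log": "usage records"})
    alice_caps = {"/home/alice/a.out": grant_write(store, "/home/alice/a.out")}
    cap_compiler("main.c", alice_caps["/home/alice/a.out"])      # legitimate use works
    try:                                    # naming the billing log is useless: a bare
        cap_compiler("main.c", "/var/billing.log")  # path is not a capability
        bare_path_accepted = True
    except AttributeError:
        bare_path_accepted = False
    return {"alice_output_written": store.files.get("/home/alice/a.out") == "compiled(main.c)",
            "billing_intact": store.files["/var/billing.log"] == "usage records",
            "bare_path_accepted": bare_path_accepted}


if __name__ == "__main__":
    print("ACL deputy:       ", acl_scenario())
    print("capability deputy:", capability_scenario())
```

The point of the second half is that the compiler never needs to ask "is the caller allowed to write here?": the only way to designate an output file is to hand over the authority to write it, so a request for anything the caller does not legitimately hold cannot be expressed at all.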
See also
- Common Criteria
- Orange Book (Trusted Computer System Evaluation Criteria)
- Comparison of operating systems
- Capability (computers)
- Capabilities vs. ACLs
- Computer security
- IX (operating system)
- OpenBSM
- Security-evaluated operating system
- Security engineering
- Trusted operating system