Linux Scores Highest in UK Government Security Assessment

As we discuss in Learning Tree’s Cloud Security Essentials course, the cloud is based on open-source technology including Linux, and cloud customers use Linux more than any other operating system. Now a major report makes that look like a good trend for security reasons.

The Communications-Electronics Security Group, or CESG, is a group within GCHQ (the Government Communications Headquarters), the U.K. organization corresponding to the NSA in the U.S. I suppose that DISA in the U.S. would be quite similar to CESG in purpose and activity.

Anyway, CESG recently published its findings for operating systems for laptop computers and mobile devices. A report is available here from Ubuntu, but to be honest it’s a little awkward to read unless you can view multiple pages of the same PDF file simultaneously. Or see the CESG report itself.

Let me summarize it.

CESG assessed 11 operating systems:

  • Android 4.2
  • Android 4.2 on Samsung devices
  • Apple iOS 6
  • Apple OS X 10.8
  • Blackberry 10.1 Corporate
  • Blackberry 10.1 Regulated
  • Google Chrome OS
  • Ubuntu Linux 12.04
  • Windows 7 and 8
  • Windows 8 RT
  • Windows Phone 8.

Of those, Linux got the best overall score! They selected Ubuntu Linux 12.04 for their test, but if you think about what the distinction between Linux distributions really means (and doesn’t), the same or at least very similar assessment should result for other distributions with similar profiles of kernel and service versions.

CESG analyzed these operating systems for their support of twelve security features:

  • VPN
  • Disk encryption
  • Authentication
  • Secure boot
  • Platform integrity and application sandboxing
  • Application whitelisting
  • Malicious code detection and prevention
  • Security policy enforcement
  • External interface protection
  • Device update policy
  • Event collection for enterprise analysis
  • Incident response

Ubuntu Linux’s score was 9 passed, 3 “with some notes about risks to be aware of”, and zero “significant risks”.

The three categories with notes about some risks were VPN, disk encryption, and support for Secure Boot. For both VPN and disk encryption, CESG commented that the implementations had not been “independently assured to Foundation Grade”. So, they’re saying that they can’t conclusively say that they’re exactly right.

The two tied for second place were Android (also Linux based) on Samsung and Blackberry Regulated. They lacked event collection for enterprise analysis, basically a lack of Rsyslog from mobile devices.

My best interpretation of the notes about Linux is that the VPN and disk encryption implementations (the second using LUKS and dm-crypt, exactly what we use in an exercise in Learning Tree’s Cloud Security Essentials course) meet the technical requirements but the cryptographic libraries have not been formally vetted.

As for Secure Boot, that has its serious detractors. For example, the German government has criticized it for preventing the installation of specially hardened operating systems. And of course, if you’re considering what to select for your IaaS server running out in the cloud, hardware issues like Secure Boot are irrelevant.

Ubuntu points out that starting with version 12.10 they use Grub2 as the default bootloader, which supports Secure Boot but also supports disabling Secure Boot in order to replace the operating system with a hardened variant.

Congratulations to the Linux community, keep up the good work!

Bob Cromwell
