NSA Grants $1.2 Million Contract to Continue Work on Its Security Enhanced Linux
Apr 9, 2001, 19:50 UTC (16 Talkback[s]) (8657 reads)


By Michael Hall, LinuxToday

The work undertaken by the National Security Agency with its SELinux, a version of the Linux kernel with a modified access control policy, will be further extended under a $1.2 million contract the agency has awarded to NAI Labs, a division of PGP Security.

Under the terms of the deal, NAI will spend the next two years extending the work the NSA released late last year, with an eye to demonstrating the usefulness of mandatory access control policies in an operating system. Though the work will be done on Linux, NAI's Mark Feldman, the company's technical manager, said he hopes companies specializing in other operating systems will adapt some of the specification his company's work will provide.

According to Feldman, mandatory access control schemes provide a number of advantages over "discretionary access control," the model upon which most modern operating systems, including Unix and its descendants as well as Windows NT, are built. Though discretionary access control schemes are often adequate, Feldman said Linux and Unix in general betray their academic origins, where security isn't generally as much of a priority during the conception and creation of operating systems.

Under discretionary access control, typically based on the concepts of user IDs and file ownership, users are permitted to change permissions on files they own regardless of the potential consequences of those changes. Further, under discretionary access control, programs generally run with the permissions of the user who started them. Experienced Linux and Unix users are usually familiar with the warnings that come with software requiring root or super user permissions to function correctly, something that's often considered dangerous since the software, if exploited with malicious intent, can be used to cause serious damage outside the scope normally permitted to an unprivileged user. Users are often protected from running such software by special password prompts, but enough dangers still remain that at least a few Linux distributions provide a means to audit binaries on a system that operate with super user privileges and automate the process of stripping such privileges to prevent malicious exploits.

Mandatory access control, the focus of the NSA's SELinux kernel, differs from discretionary access control in that it provides a layer of management built around the roles files on a system play as categorized by their relative sensitivity, the role of the user executing or accessing a file and other factors keyed to an organization's specific needs.

Outside the needs of an organization like the NSA, where security is of critical importance, NAI's principal investigator on the SELinux contract, Stephen Smalley, says the advantages of mandatory access control can apply both to businesses with their own security needs and to programs running on an end user's desktop machine. By way of example, Smalley pointed out the dangers presented by allowing web browsers and other end-user clients to execute content, something Microsoft's Internet Explorer and Outlook have repeatedly been criticized for. Smalley said that under a mandatory access control scheme, a policy can be created that determines how much of a user's files the client can be granted access to, guaranteeing that it is rendered less capable of doing harm if the user accesses content with malicious effects.
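To make the DAC-versus-MAC distinction concrete, here is an added illustration (not code from the article, NAI Labs or SELinux) modelled as a tiny reference monitor: the file owner's mode bits decide the discretionary check, while a constructed type-enforcement rule set (the `user_t`, `browser_t`, `ssh_key_t` and `downloads_t` names are hypothetical) decides the mandatory check that a browser running under the user's own ID cannot widen.

```python
from dataclasses import dataclass, replace

@dataclass
class File:
    path: str
    owner: str   # DAC owner
    mode: int    # Unix permission bits; group bits ignored for brevity
    type_: str   # MAC type label attached to the file

@dataclass
class Process:
    user: str    # DAC identity the process runs as
    domain: str  # MAC domain the process is confined to

# Hypothetical type-enforcement rules: (domain, type) -> permitted operations.
# Only these rules grant access; a file's owner cannot widen them with chmod.
POLICY = {
    ("user_t", "ssh_key_t"): {"read", "write"},
    ("browser_t", "downloads_t"): {"read", "write"},
}
READ_BIT, WRITE_BIT = 4, 2

def dac_allows(proc: Process, f: File, perm: str) -> bool:
    """Discretionary check: owner bits if the process runs as the owner, else 'other' bits."""
    bit = READ_BIT if perm == "read" else WRITE_BIT
    shift = 6 if proc.user == f.owner else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(proc: Process, f: File, perm: str) -> bool:
    """Mandatory check: access exists only if policy has an explicit rule for it."""
    return perm in POLICY.get((proc.domain, f.type_), set())

def access(proc: Process, f: File, perm: str) -> bool:
    """With MAC enforced, a request must pass both checks."""
    return dac_allows(proc, f, perm) and mac_allows(proc, f, perm)

# Constructed sample: alice's SSH key, a download, her shell and her browser.
KEY = File("/home/alice/.ssh/id_rsa", "alice", 0o600, "ssh_key_t")
DOWNLOAD = File("/home/alice/downloads/page.html", "alice", 0o644, "downloads_t")
SHELL = Process("alice", "user_t")
BROWSER = Process("alice", "browser_t")

def browser_confinement() -> dict:
    """What the browser could reach under DAC alone versus with MAC applied."""
    loosened = replace(KEY, mode=0o666)  # owner opens the DAC bits; MAC rules unchanged
    return {
        "dac_only_browser_reads_key": dac_allows(BROWSER, KEY, "read"),
        "mac_browser_reads_key": access(BROWSER, KEY, "read"),
        "mac_browser_reads_key_after_chmod": access(BROWSER, loosened, "read"),
        "shell_reads_key": access(SHELL, KEY, "read"),
        "browser_writes_download": access(BROWSER, DOWNLOAD, "write"),
    }
```

The browser passes the DAC check on the key because it runs as its owner, yet MAC denies it, and loosening the mode bits changes nothing; the user's shell, confined to a domain with a matching rule, still reads the key.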

Despite the advantages of the extensions they hope to add to the Linux kernel, both Smalley and Feldman said operating system producers have been reluctant to add similar functionality to their products, which is something they hope will change once Linux has demonstrated the usefulness of the enhanced security features. The openness of Linux's development process, he said, made it an attractive vehicle for introducing the broader computing world to the enhancements. Smalley said the TrustedBSD Project has already expressed an interest in the work being done. TrustedBSD provides operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC).

Feldman characterized the Linux kernel developer community as largely interested in contributing to the work NAI Labs will be continuing. At the Linux kernel developers' summit, representatives from the NSA gave a presentation on SELinux and walked away with a request from Linus Torvalds to work with other, existing Linux-oriented security projects to provide a common interface to the new features and to avoid potential conflicts in kernel code that might force Torvalds to leave existing work out. The end goal of their work, according to Feldman, will be inclusion in the mainline Linux kernel. The work will also extend to the IP security protocol (IPsec).

In addition, Feldman said he doesn't expect that all the work NAI produces will be used in its exact form, providing instead a reference implementation that he hopes will be widely emulated as a general specification for mandatory access control security.

NAI won't be the only organization outside the Linux development community contributing to the work: Feldman said the NSA will continue to partner with NAI as well as with the MITRE Corporation, a federally funded research and development center.
