A year after the National Security Agency (NSA) released its Security Enhanced Linux (SELinux), only the hardest-core conspiracy theorists have anything but praise for the project.
Everyone knows the NSA collects and analyzes signals intelligence. Its lesser-known mission is providing infosec services, including computer security research, to government agencies. SELinux, the latest in a series of NSA OS security projects, is a research prototype to demonstrate the value of mandatory access controls (MAC) to the Linux community. Its history goes back to 1992-'93 when NSA and Secure Computing Corp. (www.securecomputing.com) developed DTMach, an experimental OS incorporating security mechanisms in its kernel. This was followed by another Secure Computing Corp. collaboration, DTOS. Finally, NSA, partnering with Network Associates' NAI Labs and MITRE (www.mitre.org), followed up with SELinux.
Choosing Linux both for its openness and popularity, the NSA hoped for -- and got -- feedback and suggestions from the widest possible audience. General acceptance of SELinux technology "is happening more quickly than we expected," says Grant Wagner, technical director of the NSA Secure Systems Research Office.
MAC is the key to SELinux. Most OSes use discretionary access controls (DAC), based on user ID and file ownership. If users are authorized to modify a file, they can do almost anything. SELinux adds two security policy abstractions -- type enforcement (TE) and role-based access control (RBAC) -- for more precision in controlling who can do what.
TE associates every process with a domain and assigns every system object to a type. TE-enabled kernels use the policy configuration to determine which domains may interact, which interactions are permitted, and which objects the domains may access.
Adding policy-defined roles increases security granularity. OSes with RBAC link all processes with defined roles. For example, system processes might be associated with a system role, while processes executed by a sysadmin are associated with a system administrator role. The sysadmin might have enough privilege to access a user's files, but the system administrator role might forbid it.
Though MAC policies permit fine-grained security decisions, programs that access many files and interact with many programs are harder to write policies for. "The difficulty expands exponentially with the complexity of the program," says Linux security expert and developer Shaun Savage, a contributor to the SELinux project.
The NSA never intended SELinux as a complete Linux security solution. Lacking sample configurations, or even support for any major Linux distribution, no one expects SELinux to be widely used -- yet.
After SELinux was presented at the Linux 2.5 Kernel Summit last April, Linux creator and kernel guardian Linus Torvalds said he prefers a generic set of kernel security hooks to foster other kernel security implementations.
To that end, the SELinux team has collaborated with other security projects in the development of a Linux Security Modules (LSM) kernel patch, and SELinux is being implemented using the LSM hooks. The entire SELinux community is optimistic that LSM -- and by extension SELinux -- will be incorporated in the 2.5 kernel.
For now, tools such as the Bastille hardening script are still better at securing production Linux systems. Immunix from WireX Communications supports a feature similar to TE, but lacks the granularity available in SELinux.
For off-the-shelf security, OpenBSD still leads the pack. However, most of these tools protect against poorly configured systems and applications, rather than against attacks on the kernel itself.
Security consultant Larry Loeb, principal of pbc enterprises, believes SELinux will gain market share only when it's adopted by resellers capable of taming the user interface. "This doesn't mean SELinux isn't useful -- it is -- but it currently requires far too much customization to be used off the shelf."
Developers like Savage are already putting SELinux to work. His prototype Firewall Router Micro Server (FRMS) includes a Linux-based firewall, crypto, IPSec VPN, DHCPD, DNS and even CA services with the basic SELinux kernel. Solid state, with 8 Mb of flash memory and no disk drives, FRMS may improve reliability as well as security.
Despite room for improvement in network integration and windowing, NSA's Wagner says, "From one perspective, SELinux is complete now. It's a fully functioning system, incorporating pretty much the entire set of controls we'd envisioned."
Wagner says his organization will continue transferring SELinux technologies into real-world products. There's interest in the open-source community, particularly for FreeBSD and Apple's Darwin, he says, but "it's still premature to be thinking of products based on those systems."
What about a Security Enhanced Windows? Again, it's too soon to speculate, Wagner says. However, several "commercial entities" are interested in SELinux, so, one never knows.