NSA Grants $1.2 Million Contract to Continue Work on Its Security Enhanced Linux
Apr 09, 2001, 19:50
By Michael Hall, LinuxToday
The work undertaken by the National Security Agency with its SELinux, a version of the Linux kernel with a modified access control policy, will be further extended under a $1.2 million contract the agency has awarded to NAI Labs, a division of PGP Security.
Under the terms of the deal, NAI will spend the next two years extending the work the NSA released late last year, with an eye to demonstrating the usefulness of mandatory access control policies in an operating system. Though the work will be done on Linux, NAI's Mark Feldman, the company's technical manager, said he hopes companies specializing in other operating systems will adapt some of the specification his company's work will provide.
According to Feldman, mandatory access control schemes provide a number of advantages over "discretionary access control," the model upon which most modern operating systems, including Unix and its descendants as well as Windows NT, are built. Though discretionary access control schemes are often adequate, Feldman said Linux and Unix in general betray their academic origins, where security isn't generally as much of a priority during the conception and creation of operating systems.
Under discretionary access control, typically based on the concepts of user IDs and file ownership, users are permitted to change permissions on files they own regardless of the potential outcome those changes could entail. Further, under discretionary access control, programs generally run with the permissions of the users who invoke them. Experienced Linux and Unix users are usually familiar with the warnings that come with software requiring root (superuser) permissions to function correctly, something that's often considered dangerous since such software, if successfully exploited with malicious intent, can be used to cause serious damage outside the scope normally permitted to an unprivileged user. Users are often protected from running such software by special password prompts, but enough dangers still remain that at least a few Linux distributions provide a means to audit binaries on a system that operate with superuser privileges and to automate the process of stripping such privileges to prevent malicious exploits.
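The kind of audit the paragraph describes, as an added example that is not code from any distribution the article mentions: walk a directory tree, report regular files carrying the set-user-ID bit, and strip the bit from one of them. The sample tree, its file names and modes are constructed in a temporary directory so the script runs offline; on a real system the same walk would start at `/`.

```python
"""Audit a directory tree for set-user-ID executables and strip the bit.

Added illustration, not code from any Linux distribution or from NAI Labs.
The sample tree below is constructed in a temporary directory; real audits
would start at the filesystem root (the shell equivalent is
`find / -perm -4000 -type f`).
"""
import os
import shutil
import stat
import tempfile


def find_setuid(root):
    """Return the sorted paths of regular files under root with S_ISUID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks during an audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def strip_setuid(path):
    """Clear the set-user-ID bit and return the resulting permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.lstat(path).st_mode)


def build_sample_tree():
    """Constructed tree: one setuid program, one plain program, one data file."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    os.makedirs(os.path.join(root, "bin"))
    suid = os.path.join(root, "bin", "tool_needs_root")   # hypothetical name
    plain = os.path.join(root, "bin", "tool_plain")       # hypothetical name
    data = os.path.join(root, "readme.txt")
    for p in (suid, plain, data):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
    os.chmod(suid, 0o4755)   # rwsr-xr-x: runs as the file owner
    os.chmod(plain, 0o755)   # rwxr-xr-x: ordinary executable
    os.chmod(data, 0o644)
    return root, suid


def audit_demo():
    """Report setuid files, strip the bit from the one found, re-audit."""
    root, suid = build_sample_tree()
    try:
        before = [os.path.relpath(p, root) for p in find_setuid(root)]
        mode_after = strip_setuid(suid)
        after = [os.path.relpath(p, root) for p in find_setuid(root)]
    finally:
        shutil.rmtree(root)
    return before, oct(mode_after), after


if __name__ == "__main__":
    print(audit_demo())
```

The audit uses `lstat` rather than `stat` so a symlink pointing at a privileged binary elsewhere is not reported twice and a dangling link does not abort the walk; stripping the bit changes only the mode, so the program still runs, just as the invoking user.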
Mandatory access control, the focus of the NSA's SELinux kernel, differs from discretionary access control in that it provides a layer of management built around the roles files on a system play as categorized by their relative sensitivity, the role of the user executing or accessing a file and other factors keyed to an organization's specific needs.
Outside the needs of an organization like the NSA, where security is of critical importance, NAI's principal investigator on the SELinux contract, Stephen Smalley, says the advantages of mandatory access control can apply both to businesses with their own security needs and to programs running on an end user's desktop machine. By way of example, Smalley pointed out the dangers presented by allowing web browsers and other end-user clients to execute content, something Microsoft's Internet Explorer and Outlook have repeatedly been criticized for. Smalley said that under a mandatory access control scheme, a policy can be created that determines the scope of access to a user's files the client can be granted, so that it is less capable of doing harm if the user accesses content with malicious effects.
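A small model of the two schemes described above, added here as an illustration and not NSA, NAI Labs or SELinux code. The type names (`browser_t`, `user_home_t` and so on), the file paths, the users and the policy table are all constructed for the example; the decision order follows the idea in the article that a mandatory policy is consulted in addition to the ordinary ownership check and cannot be relaxed by the program it confines.

```python
"""Toy reference monitor contrasting discretionary (DAC) and mandatory (MAC)
access control.  Added illustration, not SELinux code: every label, path,
user and policy entry below is constructed for the example."""
from dataclasses import dataclass

READ, WRITE = "read", "write"


@dataclass
class File:
    path: str
    owner: str    # DAC: owning user
    mode: dict    # DAC: {"owner": {ops}, "other": {ops}}
    label: str    # MAC: type label on the object (constructed names)


@dataclass
class Process:
    user: str     # DAC identity: the program runs as the invoking user
    domain: str   # MAC domain the program was started in


def dac_allows(proc, f, op):
    """Discretionary check: keyed only to ownership and the mode bits."""
    cls = "owner" if proc.user == f.owner else "other"
    return op in f.mode[cls]


def dac_chmod(proc, f, cls, ops):
    """Under DAC the owner, or any program running as the owner, may widen
    permissions on a file regardless of the consequences."""
    if proc.user != f.owner:
        return False
    f.mode[cls] = set(ops)
    return True


# Constructed type-enforcement policy: (domain, label) -> permitted operations.
# Anything not listed is denied; the browser domain is never given user_home_t.
MAC_POLICY = {
    ("user_t", "user_home_t"): {READ, WRITE},
    ("user_t", "user_download_t"): {READ, WRITE},
    ("browser_t", "user_download_t"): {READ, WRITE},
    ("browser_t", "browser_cache_t"): {READ, WRITE},
}


def mac_allows(proc, f, op, policy=MAC_POLICY):
    """Mandatory check: the policy, not the file owner, decides."""
    return op in policy.get((proc.domain, f.label), set())


def access(proc, f, op, mac_enabled=True):
    """DAC is consulted first; with MAC enabled the policy must also allow it."""
    if not dac_allows(proc, f, op):
        return False
    return mac_allows(proc, f, op) if mac_enabled else True


def alice_files():
    """Constructed sample objects: a private key and a downloaded document."""
    key = File("/home/alice/.ssh/id_rsa", "alice",
               {"owner": {READ, WRITE}, "other": set()}, "user_home_t")
    doc = File("/home/alice/downloads/report.pdf", "alice",
               {"owner": {READ, WRITE}, "other": {READ}}, "user_download_t")
    return key, doc


def browser_reads(mac_enabled):
    """Which of alice's files can a browser she launched read?"""
    browser = Process(user="alice", domain="browser_t")
    return {f.path: access(browser, f, READ, mac_enabled) for f in alice_files()}


def widening_demo():
    """A browser running as alice uses her DAC rights to make the key
    world-readable (constructed user 'mallory' can then read it under DAC),
    yet the browser itself is still denied by the MAC policy."""
    key, _ = alice_files()
    browser = Process(user="alice", domain="browser_t")
    mallory = Process(user="mallory", domain="user_t")
    changed = dac_chmod(browser, key, "other", {READ})
    return (changed,
            access(mallory, key, READ, mac_enabled=False),
            access(browser, key, READ, mac_enabled=True))


if __name__ == "__main__":
    print(browser_reads(mac_enabled=False))
    print(browser_reads(mac_enabled=True))
    print(widening_demo())
```

With MAC disabled the browser reads everything alice owns, because under DAC it simply is alice; with the policy enabled it reads only the download directory, and even a DAC change it makes on her behalf does not widen what its own domain is allowed.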
Despite the advantages of the extensions they hope to add to the Linux kernel, both Smalley and Feldman said operating system producers have been reluctant to add similar functionality to their products, which is something they hope will change once Linux has demonstrated the usefulness of the enhanced security features. The openness of Linux's development process, he said, made it an attractive vehicle for introducing the broader computing world to the enhancements. Smalley said the TrustedBSD Project has already expressed an interest in the work being done. TrustedBSD provides operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC).
Feldman characterized the Linux kernel developer community as largely interested in contributing to the work NAI Labs will be continuing. At the Linux kernel developers' summit, representatives from the NSA gave a presentation on SELinux and walked away with a request from Linus Torvalds to work with other, existing Linux-oriented security projects to provide a common interface to the new features and to avoid potential conflicts in kernel code that might otherwise keep Torvalds from including existing work. The end goal of their work, according to Feldman, will involve inclusion in the mainline Linux kernel. The work will also extend to the IP security protocol (IPsec).
In addition, Feldman said he doesn't expect that all the work NAI produces will be used in its exact form, providing instead a reference implementation that he hopes will be widely emulated as a general specification for mandatory access control security.
NAI won't be the only organization outside the Linux development community contributing to the work: Feldman said the NSA will continue to partner with NAI Labs as well as with the MITRE Corporation, a federally funded research and development center.