NSA Grants $1.2 Million Contract to Continue Work on Its Security Enhanced Linux

By Michael Hall,
LinuxToday

The work undertaken by the National Security Agency with its
SELinux, a version of the
Linux kernel with a modified access control policy, will be further
extended under a $1.2 million contract the agency has awarded to
NAI Labs, a division of PGP Security.

Under the terms of the deal, NAI will spend the next two years
extending the work the NSA released late last year, with an eye to
demonstrating the usefulness of mandatory access control policies
in an operating system. Though the work will be done on Linux,
NAI’s Mark Feldman, the company’s technical manager, said he hopes
companies specializing in other operating systems will adapt some
of the specification his company’s work will provide.

According to Feldman, mandatory access control schemes provide a
number of advantages over “discretionary access control,” the model
upon which most modern operating systems, including Unix and its
descendants as well as Windows NT, are built. Though discretionary
access control schemes are often adequate, Feldman said Linux and
Unix in general betray their academic origins, where security isn’t
generally as much of a priority during the conception and creation
of operating systems.

Under discretionary access control, typically based on the
concepts of user id’s and file ownership, users are permitted to
change permissions on files they have ownership of regardless of
the potential outcome those changes could entail. Further, under
discretionary access control, programs generally run with the
permissions of their owning users. Experienced Linux and Unix users
are usually familiar with the warnings that come with software
requiring root or super user permissions to function correctly,
something that’s often considered dangerous since the software, if
properly exploited with malicious intent, can be used to cause
serious damage outside the scope normally permitted to an
unprivileged user. Users are often protected from running such
software via special password prompts, but enough dangers still
remain that at least a few Linux distributions provide a means to
audit binaries on a system that operate with super user privileges
and automate the process of stripping such privileges to prevent
malicious exploits.

Mandatory access control, the focus of the NSA’s SELinux kernel,
differs from discretionary access control in that it provides a
layer of management built around the roles files on a system play
as categorized by their relative sensitivity, the role of the user
executing or accessing a file and other factors keyed to an
organization’s specific needs.

Outside the needs of an organization like the NSA, where
security is of critical importance, NAI’s principal investigator on
the SELinux contract, Stephen Smally, says the advantages of
mandatory access control can apply both to businesses with their
own security needs and to programs running on an end user’s desktop
machine. By way of example, Smally pointed out the dangers
presented by allowing web browsers and other end-user clients to
execute content, something Microsoft’s Internet Explorer and
Outlook have repeatedly been criticized for. Smalley said that
under a mandatory access control scheme, a policy can be created
that determines the scope of access to a user’s files the client
can be granted, guaranteeing that it is rendered less capable of
doing harm if content with malicious effects is accessed by the
user.

Despite the advantages of the extensions they hope to add to the
Linux kernel, both Smally and Feldman said operating system
producers have been reluctant to add similar functionality to their
products, which is something they hope will change once Linux has
demonstrated the usefulness of the enhanced security features. The
openness of Linux’s development process, he said, made it an
attractive target to introduce the broader computing world to the
enhancements. Smally said the TrustedBSD Project has already
expressed an interest in the work being done. TrustedBSD provides
operating system extensions to the FreeBSD operating system,
targeting the Common Criteria for Information Technology Security
Evaluation (CC).

Feldman characterized the Linux kernel developer community as
largely interested in contributing to the work NAI Labs will be
continuing. At the Linux
kernel developer’s summit, representatives from the NSA gave a
presentation on SELinux and walked away with a request from Linus
Torvalds to work with other, existing Linux-oriented security
projects to provide a common interface to the new features and to
avoid potential conflicts in kernel code that might require
Torvalds to avoid inclusion of existing work. The end goal of their
work, according to Feldman, will involve inclusion in the mainline
Linux kernel. The work will also extend to the IP security protocol
(IPsec).

In addition, Feldman said he doesn’t expect that all the work
NAI produces will be used in its exact form, providing instead a
reference implementation that he hopes will be widely emulated as a
general specification for mandatory access control security.

NAI won’t be the only organization outside the Linux development
community contributing to the work Feldman said the NSA will
continue to partner with them as well as the MITRE Corporation, a federally funded
research and development center.