Slashdot Mirror


NSA Backing Secure Linux OS Development

ColPanic writes "Looks like the NSA is gonna have a Linux OS of their very own soon. They have selected Secure Computing to develop a high security version of Linux."

20 of 275 comments

  1. Riiight. by kaniff · · Score: 3

    Not to start a war, but why not OpenBSD?

    Wouldn't it be better to audit OpenBSD for their purposes, since it's already designed for that purpose. Or even FreeBSD?

    I asked the question because I am honestly interested in the answer, not some zealot telling me, "LINUX IS SECURE!" or something inane like that.

    1. Re:Riiight. by Cy+Guy · · Score: 3

      Also, the licensing would be cleaner if they don't want to fully release the source. If they use Linux and then release the source, wouldn't they in effect be providing a very useful tool for U.S. enemies?

      Another thing that kind of blows me away is just the fact that there even was a press release. The NSA used to be so secretive that few even knew it existed. I wouldn't be surprised if this isn't a subtle ploy by them to recruit geeks. They've always been one of the biggest high-tech employers in the DC area, but with the high-tech boom now going on around DC, it is very difficult to hire competent tech staff at government wages (it's not like you can count on the feds having an IPO in the near future.)

    2. Re:Riiight. by nerpdawg · · Score: 3

      I'd say it probably depends on this Type Security thing they talk about. They talk about partitioning the kernel into discrete parts, each one getting specific permissions. That's not what OpenBSD has. OpenBSD has done a very thorough security audit. If OpenBSD doesn't already use their security technique, it'd probably be just as much work to use this on OpenBSD. Linux has the advantage of having more functionality and devices working with it, so if it's going to take just as much work for either kernel, why not go with the one with more toys?

  2. Pre-emptive strike against cluelessness by FascDot+Killed+My+Pr · · Score: 5

    Remember, the GPL only requires you to give source to people you give binaries to. If Secure Computing only gives binaries to the NSA, there is no reason they need to give source to Linus.
    ---

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Pre-emptive strike against cluelessness by nevets · · Score: 5

      Back in March, I talked to RMS himself on this very topic. And the original poster is correct. RMS stated that he is concerned that those that receive software have the same rights to that software (because they bought it or what not) as the one that gave it to them. If I wrote software for you, then you must have the same rights to sell that or give it away as I did. So, my take from this is that you must give (not restrict) the rights to those that you distribute it to. If you only distribute it to one person, or company, and that person/company doesn't want to give it away, then no one has to.

      I mentioned the way I do business with my company to RMS. We sell software to our customer (usually the government) and we give them the source and the rights to modify that source (just like GPL) but they don't in turn give it to anyone else, although we don't restrict them from doing so. He told me that that is custom programming and he has nothing against it. The GPL would not affect that at all, except if the government wanted to impose their own license.

      So, in theory, you can have a little club of people that have some modification of the Linux kernel that no one else can see. But all it takes is one person to give it away to anyone to destroy that. The club cannot (under GPL) restrict anyone from doing so.

      Steven Rostedt

      --
      Steven Rostedt
      -- Nevermind
    2. Re:Pre-emptive strike against cluelessness by Weezul · · Score: 3

      So, in theory, you can have a little club of people that have some modification of the Linux kernel that no one else can see. But all it takes is one person to give it away to anyone to destroy that. The club cannot (under GPL) restrict anyone from doing so.

      Correct..

      Legally the way it would work is: If someone starts selling NSA/Linux then they will be required to give away the source, but the NSA could try and stop them from selling NSA/Linux.. and it would be a big fight. Unfortunately, OSS would probably lose to the NSA in a legal battle over the GPL.. national security and all that crap. On the other hand the NSA knows what kind of contract they are getting into now.

      The real question is further restricted distribution, i.e. the NSA giving the NSA/Linux source to a contractor grants the contractor distribution rights. National security will probably trump this in hindsight, but we might be able to force the NSA not to give it to contractors without distribution rights in the first place.. via the GPL.

      Interpretation: Do not try and use the GPL to trick the NSA into giving away stuff, but do use it to push them into giving it away in the first place.

      Jeff

      --
      The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  3. IPO by horsie · · Score: 4

    Will this pave the way for an NSA-Linux IPO? ;-)

  4. Wow by Foogle · · Score: 4
    I actually just talked to these guys on the phone today, regarding performing a security audit of our company. They're really with-it, especially about Open Source stuff. The NSA has been running their software for years now, and now they're moving towards Linux and OpenBSD.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  5. if you can't beat 'em, join 'em by sethg · · Score: 5
    The latest draft of the US cryptography-export regulations let you post open-source crypto software without any government review or license; all you need to do is send the government the URL where it can be downloaded. These regulations are scheduled to go into effect tomorrow.

    As Michael H. Warfield points out in this linux-kernel message, it's a golden opportunity to get IPSEC into the 2.4 kernel, and US-based Linux distributors can now bundle PGP, SSH, etc., with their next versions.

    Maybe the spooks (or at least, the spook-meisters) are doing a 180 turn on how to deal with cryptography distribution, from "don't let anyone else have it" to "if everyone else has it, we want it, too".
    --
    "But, Mulder, the new millennium doesn't begin until January 2001."

    --
    send all spam to theotherwhitemeat@ropine.com
  6. Re:GPL Considerations by redelm · · Score: 3

    IANAL but yes, contractors working on GPL have to release source code, but only to those to whom they've sent binaries. And they can't encumber the NSA from further copying/publishing it. But NSA might not want to.

    But nothing in the GPL says the contractor has to release it to anyone else. The GPL is privacy-friendly: no-one is obligated to publish modifications. But once they are published, source must accompany it, and copying cannot be restricted.

    -- Robert

  7. Licencing thoughts and issues by jd · · Score: 4
    At first, I couldn't understand why the NSA would want to do this. Linux is GPLed, and they'd have to make any changes public.

    Then I remembered a previous GPL argument, when a company had made -internal- changes and did NOT have to make the changes public, as the GPL does NOT cover these.

    The NSA version would fall into the same category, I suspect, with contractors deemed a part of the same organisation, as far as the GPL is concerned. Always assuming the contractor developed any of the secret stuff. The NSA has more than enough top people to code that part themselves, just to make sure there isn't a GPL conflict.

    Then, I wondered why they didn't branch off from OpenBSD. That's already mostly secure, there's a good base to work from, and its stability is phenomenal. Then I realised. They've probably already GOT ultra-secure versions of OpenBSD for PC-based, single-processor servers, but Linux isn't just for PCs or just for one processor.

    If you want a lightweight system that'll run on embedded devices (such as wiretaps), massive-scale multi-processor devices (such as extreme number-crunchers eg: code-crackers, etc), or obsolete hardware (such as stacks of IBM S/390's) then Linux is the one to go for. It's ideal for such functions and such platforms. OpenBSD, etc, would require too much work to make them both multi-processor and multi-platform -enough- to be useful in a meaningful timeframe.

    This isn't to start any kind of flame-war, but I'm sure OpenBSD is used in its primary environment (because it's GOOD), and Linux is going to be used everywhere else (because it's GOOD -and- THERE.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Patriot by Signal+11 · · Score: 4

    Man, talk about a version conflict...


    =================================
    ERROR 10948:
    Red Flag Linux detected. You did
    not see this error, and troops have
    been dispatched to your location, you
    filthy traitor. Remain seated and your
    death shall be quick and painless.
    =================================
    -- RED, WHITE, AND BLUE FLAG LINUX

    "Yes, we're developing a distribution.. but if we told you anything more we'd have to kill you (and the binaries)."

  9. Actually they don't allow that by tilly · · Score: 4

    Read more closely. They allow you to post the source-code. The binaries appear to be another kettle of fish...

    Take a look at a longer description that I got from Frank Hecker in email.

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
  10. Re:not trying to pick a fight... by sethg · · Score: 3
    In the standard Unix security model, once an attacker is logged in as root, or gets his/her program to run as root, or exploits a weakness in a program that runs as root ... "game over, man, game over".

    According to this summary of Sidewinder's system, the only way you can get this level of access is by booting the "administrative kernel", and when the administrative kernel is running, all network connections are disabled. While running the normal "operational kernel", every process can be restricted to handling certain file types and system calls. This way, for example, your netnews server and FTP server can have administrators who can't access one another's files or processes. If, say, a Belgian spy compromises your netnews administrator's account, the spy still couldn't send out anything over FTP.
    --
    "But, Mulder, the new millennium doesn't begin until January 2001."

    --
    send all spam to theotherwhitemeat@ropine.com
  11. Re:yet the paranoid will say "It's for backdoors" by Big+Jojo · · Score: 3

    Duh. Of course the NSA wants to analyse Linux and know about any backdoors there; how else will it take advantage of them?

    ... no wait, you were talking about adding backdoors? Never mind. ;-)

    By the way ... You may not know that the NSA has a research arm that's distinct from its SIGINT operations (and export control operations, and secure network operations, and ...). One of their ongoing problems has been to get "Commercial, off-the-shelf" (COTS) software to be good enough for use in sensitive systems. Commercial vendors have been unable to meet those requirements, since the market they'd hit is too minuscule. "Trusted Solaris" and so on; always multiple revs behind. And almost always pains in the behind to administer.

    Another possible scenario is that the face value here is the right one: they want to see some standard Linux distributions get hardened, so that some real administrators will identify the problems so they can get fixed. And so the government can use more current technology in those sensitive systems! They've been getting too far behind, and needing training that's too specialized. Linux would seem to have the potential of hosting a great fix!

  12. Experience with "Type Enforcement"... by John+Fulmer · · Score: 5

    A little background.

    I've been consulting, installing, and using Secure Computing's Sidewinder firewall for about 3.5 years now, which includes the "Patented Type Enforcement Technology". Here's the skinny..

    Type enforcement was developed by Secure Computing to be run on a Motorola minicomputer system for the NSA about 10-15 years ago. This was specifically designed to be a system to hold both classified and non-classified information, with both classified and non-classified users.

    What type enforcement does is create a series of domains within the context of the operating system. Each file and user is assigned to a domain, or a series of domains, and cannot pass domain boundaries, unless explicitly allowed. Attempting to cross boundaries will result in the offending application being killed by the system kernel, the attempt logged, and alarms rung.

    The important thing here is that the domain permissions and rules are set in the kernel itself, and changing those rules requires a recompile. I know that Secure Computing was working on a 'type enforcement lite', where the rules were enforced by a userspace daemon, but I hadn't seen anything about that for quite awhile.

    Sidewinder is a damned effective firewall, due to the type enforcement. Even if someone breaks a proxy or service running on the outside of the firewall, you still haven't breached the firewall, since there is no logical path to the inside domains or the internal ethernet card, except through a series of named pipes between dual IP stacks (one for the 'outside' and one for the 'inside'). Breaking through those is extremely non-trivial, since every time you touch the wrong domain, you get kicked and logged.

    Type enforcement is real, and it's been around for a very long time. And works very well.


    jf
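    The domain-boundary rule jf describes above, together with the netnews/FTP administrator example from sethg's comment (#10), as a small Python model added here; it is not Secure Computing's code, and the domain names, type names and policy table are made up for illustration:

```python
from types import MappingProxyType

# Constructed policy for a host running a netnews daemon and an FTP daemon.
# Keys are (domain, type); values are the operations that domain may perform
# on that type.  Nothing lets news_d touch ftp_t or the network type net_t.
_POLICY = {
    ("news_d", "news_t"): frozenset({"read", "write"}),
    ("news_d", "log_t"): frozenset({"append"}),
    ("ftp_d", "ftp_t"): frozenset({"read", "write"}),
    ("ftp_d", "log_t"): frozenset({"append"}),
    ("ftp_d", "net_t"): frozenset({"send"}),
}
# Read-only view: as with rules compiled into the kernel, changing the policy
# means building a new enforcer, not editing the table at run time.
POLICY = MappingProxyType(_POLICY)


class TypeEnforcer:
    def __init__(self, policy=POLICY, administrative=False):
        self.policy = policy
        self.administrative = administrative  # Sidewinder-style admin kernel
        self.killed = set()                   # pids terminated for a violation
        self.audit_log = []
        self.alarms = 0

    def network_enabled(self):
        # While the administrative kernel runs, all network access is off.
        return not self.administrative

    def access(self, pid, domain, target_type, op):
        """Return True if the policy allows op; else kill pid, log and alarm."""
        if pid in self.killed:
            return False  # a killed process gets nothing further
        if target_type == "net_t" and not self.network_enabled():
            allowed = False
        else:
            allowed = op in self.policy.get((domain, target_type), frozenset())
        if not allowed:
            self.killed.add(pid)
            self.audit_log.append(
                f"DENY pid={pid} {domain} {op} {target_type}; process killed")
            self.alarms += 1
        return allowed


def compromised_news_admin_scenario():
    """Someone holding the news admin account tries to reach FTP data and the net."""
    te = TypeEnforcer()
    ok_news = te.access(101, "news_d", "news_t", "write")  # legitimate work
    ftp = te.access(101, "news_d", "ftp_t", "read")        # crosses a boundary
    net = te.access(101, "news_d", "net_t", "send")        # process already dead
    return ok_news, ftp, net, len(te.audit_log), te.alarms
```

    The first boundary violation kills the process, so the later network attempt is never evaluated against the policy at all; the audit log holds exactly one entry for the whole incident.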

  13. DTE for linux - available as a patch! by listen · · Score: 4

    oops - messed it up last time! Doh!

    at this url: http://research-cistw.saic.com/cace/dte.html

    (Hope that someone reads down far enough to moderate this up). The site has a good explanation of what DTE is, but I don't know how active they are.

    They have a patch against 2.2.13, which was created on Dec 13 1999. So it's not too out of date, though it will have to be forward ported to 2.3 I suppose...

    Maybe the NSA should be spending their money elsewhere - or maybe they should clue up to what open source is all about.

    I wonder what is covered by the patent Secure are so proud of?

  14. Other NSA Secure Linux work by LnkStern · · Score: 5

    There is another ongoing NSA Secure Linux project. It is being done by the Computer Security Research Division at NSA. They are attempting to port the Flask Security Architecture to Linux. Flask is a policy-flexible OS security architecture.

    Their Secure Linux project page is available.

  15. Patent issues and the GPL by JoeBuck · · Score: 3

    The press release brags about "Secure Computing's patented Type Enforcement technology". Clearly, to make this work they need to put their type enforcement stuff in the kernel. However, the GPL in Clause 7 specifically states

    7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    This means that Secure Computing must grant a royalty-free license to all direct or indirect recipients to use their patented technologies in Linux kernels. Other clauses of the GPL forbid them from restricting redistribution. So are they giving up hope of making money on their patent? Do they know this?

  16. Some NSA secure system history by Animats · · Score: 5
    NSA has funded a long series of special-purpose secure systems, many of which are on the Evaluated Products List. Unfortunately, many of the more secure systems were developed for unpopular platforms, such as Wang, Unisys, and Data General hardware.

    An A1 rating of a high-rated system is worth reading. This gives you an idea of what it takes to get it right. At the lower levels, it's easier; Microsoft NT 4.0 with service pack 6A plus a "C2 hotfix set" finally got a C2 rating (the lowest offered), after years of failed attempts. Microsoft had to use the new "outside evaluator" system to do it, rather than having NSA itself do the evaluation. The difference is that NSA only gives you two tries to pass. You can pay an outside evaluator to let you try again and again. NSA allows this at the lowest security level to encourage vendors to try to meet the minimal C2 requirements.

    It makes a lot of sense for NSA to fund an effort based on Linux; they'll get something they can run on popular hardware. But some major kernel changes will be needed to get into the B levels. (NSA never had much interest in C-level systems.)

    I've been out of that world for a long time now, but from 1978 to 1982 I worked on KSOS, an early NSA-funded attempt to build a secure UNIX-like OS. The original design was done at SRI International, and we at Ford Aerospace implemented it. It eventually worked, but was too slow. It was for PDP-11 machines (0.5 MIPS, 64K address space per process), and was implemented in Modula I, since C was considered unsafe even back then. The combination of an inefficient Modula compiler and a small address space ruined the thing; we had to cut out speed optimizations to make it fit. This was one of the first systems designed against the Orange Book criteria, which, incidentally, started life as Grace Nibaldi's master's thesis.

    BSD Unix, incidentally, was viewed as hopeless from a DoD security standpoint. The kernel was far too complicated. A rewrite in Ada was considered in the early 1980s, but rejected. The DoD view at the time was that BSD was a dead end, and Mach was the future. They wanted something at least as secure as Multics, which was a system from the late 1960s rated at B2 in 1985. But that's another story.