Slashdot Mirror
NSA Releases High Security Version Of Linux
tytso writes: "I recently attended a DARPA workshop which focused on high security open source operating systems. It turns out that parts of the U.S. government are really interested this topic; having an operating system with the necessary high-security features which they need, and for which source code is available, would be a really good thing for them. Among other things, for example, it would mean that they wouldn't have to live in terror about what might happen if Sun, IBM, SGI, et. al decided to pull the plug on Trusted Solaris, Trusted AIX, or Trusted IRIX. And they're serious enough that DARPA's willing to throw money at the problem.
While I was at this workshop, I met some folks from the NSA and they told me about a really neat project that they've been working on, called Security-enhanced Linux. One of the cool things about it is that it separates enforcement and policy. So selinux can easily support many different security policies, from the old (some would say outdated/silly) Multi-Level Secure/Bell-LaPadula model, to Domain-Type enforcement and Rule-Based Access Control models. So if you think that high-security features means the old silly, Secret / Top Secret / CMW bullshit, and needing to make sure that Secret windows don't get expose events from Top Secret windows, think again. A number of folks have found Domain Type Enforcement and Rule-Based Access Control systems very useful for securing Web servers and other real world systems.
The NSA folks just recently got permission to make their stuff available on the Web. It's just a proof of concept, and no doubt a lot of changes will need to made before people will accept integrating it into the kernel, but they have released a working system (both kernel and userspace patches --- RPM's aren't quite ready yet) based on Linux 2.2 and RedHat 6.1. So it's definitely worth a look, and in fact some folks with specialized needs might find it useful, even though it's a prototype.
Of course, the source code is all there, and we're encouraged to look at and audit the code. So paranoiacs who think that the NSA is trying to infiltrate trap doors into the Linux kernels needn't worry. (Besides, it's a different part of the government who's interested in spying on U.S. citizens, and it's much more efficient for them to break into your house, and insert a wiretapping device between your computer and your keyboard as part of a black bag job. :-)
The Web site is http://www.nsa.gov/selinux. I think it's really great that some folks at NSA's Information Assurance Research Office (IARO) have made this contribution to the Linux community. They're really nice folks (even if they can't talk about a lot of what they do at work :-).
P.S. Apparently it's not easy to get stuff published by the NSA, since their entire culture, not surprisingly, is based around not letting stuff out. This Web page went up a few days ago, and then some bureaucrats made the folks in the IARO take it down temporarily, much to their disappointment. At the moment it looks like they've finally crossed all of the bureaucratic t's and dotted all of the bureaucratic i's. But just in case, it might not be a bad idea if someone mirrored the entire tree just in case some flack in some other part of the agency tells them to take it down again....
"
Actually, they CAN'T release it under GPL! Huh? It's worse (better?) than that - It's public domain! We PAID for it.
Yes, to the extent that the work is done by government employees, this is true --- however, since it is based on GPL'ed code, only the changes to the code are in the public domain. The overall piece of work is still covered by the GPL. This is part of the "infectious nature" of the GPL.
Also, there's an absolutely trivial way to get around the "work done by government workers must be in the public domain". You just simply hire government contractors to do the work for you, in which case the rule doesn't apply any more. This is a really nasty loophole, especially since many senior government employees get tired of getting paid sh*t wages, and simply resign, and start working for a government contractors, who (after taking a cut, of course) resells that persons time back to the government at a much higher rate. It's a 100% lose all around for the taxpayer. We end up paying more for the same person's work, with a percentage cut being paid to the a third party as sheer overhead, and the work doesn't get have to get released into the public domain any more (the government contractor can resell code developed at government expense as some propietary, commercial product.) Lovely, eh? All because the idiots in Congress aren't willing to pay government workers --- especially in a hot field like software engineering --- what they're worth.
If you'll note on the NSA SE Linux web page, you'll see that some of the work was indeed done by contractors. Fortunately, thanks to the GPL, the overall work still has to be released under the GPL, if it's going to be released at all.
First sign: Courts finding Microsoft guilty of leveraging a monopoly
Second Sign : NSA releasing information to the public about security
Third sign : Rivers turn to blood
The end is coming just one more sign
As x approaches total apathy I couldn't care less.
Mirror being built Here.
...just be sure to comment out "backdoor.h" before compiling anything...
The OpenBSD SMP branch is probably just waiting for code from NetBSD (where SMP is being worked on.)
Whatever your opinion of the NSA might be, this is going to be a real boost to fighting the argument that "an open source operating system can't be secure."
While I agree with you, it's important to make the distinction between an operating system which is secure, and an operating system which has high-security features. After all, this is based on Red Hat 6.2, and if the version of WU-FTPD they used happens to have some stack overruns, you can still break into the darned thing. Of course, the fact mandatory access controls are in place means that the attacker can't do as much damage, but letting someone have shell access even on a trusted OS is still a bad thing.
Having a high-security operating systems means that you both have to have the right set of features, *and* you still have to worry about fixing all of those little annoying stack overruns and format string bugs. Both parts of the story are very important.
Just go to the bars in Georgetown where the younger NSA members hang out, but them a few brews, and in an hour or two they're giving you their lifestory, and handing out floppies of classified algorithms.
All they really want is a little human warmth.
The only thing I can think of at the moment is how bad this is going to piss off Microsoft. Doesn't Microsoft have a web page someplace dedicated to dissing Linux? Isn't security one of Microsoft's hot buttons?
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
I have noticed several posts which have expressed some concern with the idea of NSA produced/approved code getting into the kernel, and therefore concievably providing a covert insurgence of back doors.
...Uhm, have you ever read the source for the D. Beckers networking drivers [and derived code]?
/usr/src/linux/drivers/net and run
"grep "National Security Agency" *"
Go to
Oh NO! All of those unaudited strcpy's in kernel space! IEEE! And I thought linux was safe! hehe.
Moderators::Note(humor)
---
man sig
---
the pen is mightier then the sword. the sword is mightier then the court. the court is mightier then the pen.
Actually, they CAN'T release it under GPL! Huh? It's worse (better?) than that - It's public domain! We PAID for it.
There are other government groups that talk about this. There is a Linux probram called EMC (Enhanced Machine Controler) that has been let out by the government, and there was a whole discussion of the GPL issue, and they said "We can't GPL it, we MUST Public domain it"
Go to www.linuxcnc.org for more details!
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
The NSA has a mandate to protect the information security of our government. I believe they would interpret that to include protection of the information security of the industrial base that supports our country. I would love to see a group within the NSA charged with working with the open source community to enhance the security of open source software. I would never trust software solely because it comes with a security seal of approval only from an agency which also has other priorities which may be at odds with my privacy. However, I would consider their assurance to be a valuable addition.
I applaud the effort that these people within the NSA who brought this project to light went to. The fact that they have released this work at all is surprising. But they have demonstrated their good faith by honoring the GPL. Bravo.
The net will not be what we demand, but what we make it. Build it well.
If they pull the site again, would that be a violation of the GPL? And could the NSA be sued over it?
IANAL, but my understanding is that:
You only have to release changes that you re-distribute. This does not include changes that you keep entirely within your own organization, company, or whatever.
The GPL would forbid the NSA from releasing a binary-only distribution without making the source code available, but it wouldn't have any effect on whether they can make their own in-house distribution.
Dewey, what part of this looks like authorities should be involved?
According to the package list it includes rsh and WU-FTPd.
Come on, an ultra-secure system with rsh and WU-FTPd?
Okay, so it says WU-FTPd is untested, but there is no excuse for using rsh.
This makes me skeptical of the whole thing.
There's also other simple reasons besides "Linux is the in thing". OpenBSD would probably have been a good place for them to start, except for some serious factors against it. OpenBSD isn't scalable. At all. It's great for small corporate networks, or home firewalls and such, but wiht no plans for SMP in the future, it can't compete as a server environment. OpenBSD is great for IDS sensors, and specific appliance type hardened boxes, but it's not well rounded enough to put into a big multi user production environment. Have you ever heard of any major e-commerce site using OBSD as their primary server software? Then there's the whole problem with Theo not playing well with others. And being Canadian. Because Theo wholly manages the project himself, it would cause issues. I believe the NSA folks are looking to put together something that can go into general release, possibly as an option on any distribution. OBSD can't do this, because a) the NSA would have to pay Theo to audit their code [see how OBSD architecture ports end up getting made.. its interesting], or he wouldn't let them integrate it into his source tree, and B) there's all kinds of weird issues with the project maintainer not being a US national. I'm not knocking OpenBSD. I'm a big supporter. I run it on a lot of appliance type boxes, rnuning security centric tasks. However, don't believe for a second its secure. It requires the same amount of tweaking as any other operating system to get it into shape. I've had OBSD machines get owned before, where there were serious user errors in judgement. Just because there aren't any *remote* exploits, doesn't mean your users aren't going to get drunk and give away their account. Trusted OSes are a little more forgiving when this kind of thing happens. My $.02 . Take it for what its worth. Or ask for change back.
Maybe you missed the part of the article where they will be releasing source code?
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Because Canada is also part of NORAD (NORth American [Air?] Defense). I don't recall all the details of the arrangment, but it goes back to the early cold war days with the setting up of the DEW (Distant Early Warning) line across northern Alaska and Canada, and various other arrangements that had to do mainly with protecting the US from Russian bombers (and later missiles) that might take the direct route over the North Pole and Canada.
There are even a few Canadian officers routinely posted to the NORAD facility in Cheyenne Mountain, although I don't recall seeing any US military in the "Diefenbunker" underground facility north of Ottawa when I was posted there.
All that said, however, there are plenty of US secrets that Canadians don't have access to.
There's also the recognition that the border between the US and Canada is pretty open both to people and information, and that strong encryption can benefit the many companies that do business and have offices in both countries.
-- Alastair
Like it or not, NSA is an organization that really cares about tough and efficient security in computer systems. They also have alot of experts in that domain, and the fact that they make all of their modifications public is great for the open source software.
Even without taking all their modifications directly and integrating them, they might just show developpers innovative ways to secure Linux, which can lead to better security for everyone and alot of other software in which security is critical.
So in short, I think they're contributing to open source as a whole, not only to Linux. I also think their contribution is a BIG one. This sounds great!
"I remember Y1K, every abacus had to get another bead"
Whatever your opinion of the NSA might be, this is going to be a real boost to fighting the argument that "an open source operating system can't be secure." What I am looking forward to, though, is the incorporation of some of the NSA's code into some of the existing major Linux Distributions. Most of us would have a problem running the NSA's software right out of the box because we are so well trained to mistrust authority. Still... very cool.
Wow the government is waking up to the fact that security through obscurity is not security at all.
Plus think of all the money they save with all us crypto geeks hacking at their code testing for bugs, coming up with new additions just because it would be cool to say you helped write part of the NSA's security system
As x approaches total apathy I couldn't care less.
As we saw in the Red Hat pirahna saga, you should not assume that because something is open source, it must be secure. People assumed that because pirahna was open sourced, someone would have noticed the obvious password flaw within hours or just a few days after it was released. But NO, it took longer than that.
Do not rely only on peer review. If you want to be sure about what you are using, especially in environments needing ultimate security, do your own damn auditing and testing or pay someone to do it.
Oh, and Merry Christmas.
This statement is opinion and is fundamentally flawed. Of course it is possible to have a completely secure and completely usable multi-user system. Where did you get the idea that a secure system is less usable than an unsecure one?
It is true that many vulnerabilities are discovered on a daily basis. These vulnerabilities are the result of only ONE thing: programmer error.
Eliminate programmer error and, assuming we're not introducing vendor/admin error into the equation, you have a secure system. The largest causes of programmer error are:
ignorance
carelessness
laziness
Unfortunately, even the best coders in the world are still human, and that leaves the possibility for error. The larger and more complex the project, the larger the chance for error. So what's the answer? Collaboration. Peer review. Open source is the best method for peer review.
You could also set it so you have NO ports open, but then you can't get on most irc networks because of no ident...
This is a moot point. IRC is not something you would be running on a mission-critical must-be-secure box. You must also understand that just because a box has no ports open doesn't mean it's secure.
so just stick with slak 7.1 with a chmod'd suid perl
Are you implying that slackware 7.1 is a secure system? Have you audited the entire distribution yourself? Can you honestly say that you trust your distribution to be 100% secure?
If you do, one of these days, you're going to be in for a rude awakening. Unfortunately, that's a problem with admins these days. They blindly trust their systems. I don't care if a specific OS wasn't vulnerable to ANY bugs disclosed in the last 3 years, that doesn't mean that that OS is secure. You should ALWAYS assume all systems to be insecure and untrusted.
It's not really a question of secure/insecure, because no system is completely secure; it's more a question of faith and trust.
Mike
"I would kill everyone in this room for a drop of sweet beer."
Does anyone want to speculate why the NSA chose linux instead of OpenBSD, or some other BSD?
Actually they aren't forced to make it public, they are only forced to give the source code to who the os is distributed. They could just distribute internally and make it avaliable to anyone who uses their systems. This release is really a decision they made based on the need for security or publicity. Which one doesn't matter, what matters is they were not forced to do this.
As x approaches total apathy I couldn't care less.
I'm not one to read the articles either, but in this case I made a special exception, and yes, there is a download link.
You may also find this note at the bottom of the main site interesting:
--
Sheesh, evil *and* a jerk. -- Jade
The key concept of mandatory access controls is that ordinary users are prevented from leaking information even if they want to. Discretionary access controls, all standard UNIX has, allow any user to change their own file modes to 777 and allow access by anybody.
Once you have mandatory access controls, you have to figure out new ways to do many administration tasks. Logging in as root isn't an option. Getting the Linux community thinking about how that can work is a major step forward.
If Linux system administration and applications get worked around to where they can live with mandatory security, that's a big win. Then a kernel with mandatory security can become widely used.
Just think, soon you'll be hearing "Hi, I'm Bob and I run NSALinux."
Wonder when they're going to have their IPO.
--
Sheesh, evil *and* a jerk. -- Jade