NSA Releases High Security Version Of Linux

We had an extremely interesting submission from Ted T'so,, Linux kernel developer, who also has an obvious interest in security, given his work with Kerberos ^[?] . He wrote in concerning the release by the NSA (Yes, that NSA) of a high security version of Linux. I've included his comments below.

tytso writes: "I recently attended a DARPA workshop which focused on high security open source operating systems. It turns out that parts of the U.S. government are really interested this topic; having an operating system with the necessary high-security features which they need, and for which source code is available, would be a really good thing for them. Among other things, for example, it would mean that they wouldn't have to live in terror about what might happen if Sun, IBM, SGI, et. al decided to pull the plug on Trusted Solaris, Trusted AIX, or Trusted IRIX. And they're serious enough that DARPA's willing to throw money at the problem.

While I was at this workshop, I met some folks from the NSA and they told me about a really neat project that they've been working on, called Security-enhanced Linux. One of the cool things about it is that it separates enforcement and policy. So selinux can easily support many different security policies, from the old (some would say outdated/silly) Multi-Level Secure/Bell-LaPadula model, to Domain-Type enforcement and Rule-Based Access Control models. So if you think that high-security features means the old silly, Secret / Top Secret / CMW bullshit, and needing to make sure that Secret windows don't get expose events from Top Secret windows, think again. A number of folks have found Domain Type Enforcement and Rule-Based Access Control systems very useful for securing Web servers and other real world systems.

The NSA folks just recently got permission to make their stuff available on the Web. It's just a proof of concept, and no doubt a lot of changes will need to made before people will accept integrating it into the kernel, but they have released a working system (both kernel and userspace patches --- RPM's aren't quite ready yet) based on Linux 2.2 and RedHat 6.1. So it's definitely worth a look, and in fact some folks with specialized needs might find it useful, even though it's a prototype.

Of course, the source code is all there, and we're encouraged to look at and audit the code. So paranoiacs who think that the NSA is trying to infiltrate trap doors into the Linux kernels needn't worry. (Besides, it's a different part of the government who's interested in spying on U.S. citizens, and it's much more efficient for them to break into your house, and insert a wiretapping device between your computer and your keyboard as part of a black bag job. :-)

The Web site is http://www.nsa.gov/selinux. I think it's really great that some folks at NSA's Information Assurance Research Office (IARO) have made this contribution to the Linux community. They're really nice folks (even if they can't talk about a lot of what they do at work :-).

P.S. Apparently it's not easy to get stuff published by the NSA, since their entire culture, not surprisingly, is based around not letting stuff out. This Web page went up a few days ago, and then some bureaucrats made the folks in the IARO take it down temporarily, much to their disappointment. At the moment it looks like they've finally crossed all of the bureaucratic t's and dotted all of the bureaucratic i's. But just in case, it might not be a bad idea if someone mirrored the entire tree just in case some flack in some other part of the agency tells them to take it down again....

"

No problem...

[G-Man]

...just be sure to comment out "backdoor.h" before compiling anything...

What potential!

[dsplat]

The NSA has a mandate to protect the information security of our government. I believe they would interpret that to include protection of the information security of the industrial base that supports our country. I would love to see a group within the NSA charged with working with the open source community to enhance the security of open source software. I would never trust software solely because it comes with a security seal of approval only from an agency which also has other priorities which may be at odds with my privacy. However, I would consider their assurance to be a valuable addition.

I applaud the effort that these people within the NSA who brought this project to light went to. The fact that they have released this work at all is surprising. But they have demonstrated their good faith by honoring the GPL. Bravo.

rsh and WU-FTPd

[pete-classic]

According to the package list it includes rsh and WU-FTPd.

Come on, an ultra-secure system with rsh and WU-FTPd?

Okay, so it says WU-FTPd is untested, but there is no excuse for using rsh.

This makes me skeptical of the whole thing.

Nice step forward

[CaptJay]

Like it or not, NSA is an organization that really cares about tough and efficient security in computer systems. They also have alot of experts in that domain, and the fact that they make all of their modifications public is great for the open source software.

Even without taking all their modifications directly and integrating them, they might just show developpers innovative ways to secure Linux, which can lead to better security for everyone and alot of other software in which security is critical.

So in short, I think they're contributing to open source as a whole, not only to Linux. I also think their contribution is a BIG one. This sounds great!

Re:Nice step forward

[Ranten_N_Raven]

If you check the "background" page, you'll see the work is actually done by Secure Computing Corporation (SCC). SCC (http://www.securecomputing.com/) has a STRONG background in making "Trusted Systems." They invented Type Enforcement for the "LoCK" program, which is the basis of the LOCK Secure Server. They really know the business. LOCK is designed to be used to connect classified networks to the internet. You gotta really trust the OS to make the right decisions for the right reasons. It's now old and slow, but it remains trustworthy.

An offshoot of LOCK is the Sidewinder firewall, which the AF picked as the standard firewall to protect all AF bases. (I don't, and haven't worked for SCC, but I did spend a year installing Sidewinders at AF bases.) While some hate it for its relatively slow throughput, I've *never* heard anyone say it was insecure. "Type Domain" security is a series of serious brick walls for an attacker to breach.

Yes, NSA is usually reticent about most things, but not about Computer Security. When I worked at the National Computer Security Center (part of NSA), other NSA entities shunned us because we were so open. Ever heard of the old "Orange Book" and the rest of the "Rainbow Series?" All NSA stuff!

History: NSA had an earlier project to secure Tannebaum's Minix in a similar way. It was targeted at the C2 level. I was saddened when they abandoned that effort.

Now, I look eagerly forward to checking out SCC/NSA's "Secure Linux!"

Dont just assume. Audit it yourself

[simpleguy]

As we saw in the Red Hat pirahna saga, you should not assume that because something is open source, it must be secure. People assumed that because pirahna was open sourced, someone would have noticed the obvious password flaw within hours or just a few days after it was released. But NO, it took longer than that.

Do not rely only on peer review. If you want to be sure about what you are using, especially in environments needing ultimate security, do your own damn auditing and testing or pay someone to do it.

Oh, and Merry Christmas.

Re:Dont just assume. Audit it yourself

[John+Sullivan]

People assumed that because pirahna was open sourced, someone would have noticed the obvious password flaw within hours or just a few days after it was released. But NO, it took longer than that.

Of course it did, that's the point. Security isn't something you achieve overnight, the status of any particular system is very much the result of consensus building which takes time. It's down to how many eyeballs have looked at the system, how deep they've looked at it, and how long they've looked at it.

Opening up the source results, eventually, in a more secure system because those people who do so can look deeper, and also because the skills to analyse source code are more widespread than the skills required to analyse a running binary, so hopefully more people will do so. But anyone who takes a newly released system and immediately relies on it for security has to be insane.

Do not rely only on peer review. If you want to be sure about what you are using, especially in environments needing ultimate security, do your own damn auditing and testing or pay someone to do it.

And while doing your own audit is good advice, the most valuable result will be a new data point to add to the global consensus. Relying on your own analysis isn't much better than relying on no analysis at all, but if 100 people have looked at the system over 5 years or so and not found it wanting, then we start to feel some level of confidence in it.

Of course this is if you want to do security properly, but for most people, for most applications, this level of care is just not necessary.

I have to disagree

[dizee]

The more secure a computer is, the less useable it is.

This statement is opinion and is fundamentally flawed. Of course it is possible to have a completely secure and completely usable multi-user system. Where did you get the idea that a secure system is less usable than an unsecure one?

It is true that many vulnerabilities are discovered on a daily basis. These vulnerabilities are the result of only ONE thing: programmer error.

Eliminate programmer error and, assuming we're not introducing vendor/admin error into the equation, you have a secure system. The largest causes of programmer error are:

ignorance

carelessness

laziness

Unfortunately, even the best coders in the world are still human, and that leaves the possibility for error. The larger and more complex the project, the larger the chance for error. So what's the answer? Collaboration. Peer review. Open source is the best method for peer review.

You could also set it so you have NO ports open, but then you can't get on most irc networks because of no ident...

This is a moot point. IRC is not something you would be running on a mission-critical must-be-secure box. You must also understand that just because a box has no ports open doesn't mean it's secure.

so just stick with slak 7.1 with a chmod'd suid perl

Are you implying that slackware 7.1 is a secure system? Have you audited the entire distribution yourself? Can you honestly say that you trust your distribution to be 100% secure?

If you do, one of these days, you're going to be in for a rude awakening. Unfortunately, that's a problem with admins these days. They blindly trust their systems. I don't care if a specific OS wasn't vulnerable to ANY bugs disclosed in the last 3 years, that doesn't mean that that OS is secure. You should ALWAYS assume all systems to be insecure and untrusted.

It's not really a question of secure/insecure, because no system is completely secure; it's more a question of faith and trust.

Mike

"I would kill everyone in this room for a drop of sweet beer."

Re:As long as they release the code...

[Black+Parrot]

> Considering their history, they will have to show us the code.

I'm not one to read the articles either, but in this case I made a special exception, and yes, there is a download link.

You may also find this note at the bottom of the main site interesting:

Security-enhanced Linux is being released under the conditions of the GNU General Public License (GPL). The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.

--