SELinux Panel at FOSE in Washington

Tony Stanco writes: "Newsforge has an article on what happened at the Security Enhanced Linux panel in Washington about certification under the Common Criteria for Information Technology Security Evaluation standard."

newsforge has been flaky recently...

(lost are some of the links)

The Cyberspace Policy Institute at The George Washington University is launching an effort to get international security ratings for the U.S. National Security Agency-driven Security Enhanced Linux project, a move that organizers hope will make Linux more attractive to cautious technology purchasers, including government agencies.

Martin R. Dean, senior security researcher at the Cyberspace Policy Institute (CPI) and principal engineer at Science Applications International Corp., said SELinux still needs some enhancements, such as becoming a fully integrated operating system instead of a patch to Red Hat Linux, but the institute is starting to look for partners to help guide the ultra-secure Linux distribution through the rigorous EAL4 security certification, known formally as the Common Criteria for Information Technology Security Evaluation standard.

Dean spoke at a panel discussion on SELinux, one of the last events at the FOSE technology-in-government trade show Thursday. Other panelists were Peter Loscocco, the SELinux project leader at the NSA; Tony Stanco, senior policy analyst for Open Source and e-government at CPI and founder of FreeDevelopers.net; and Mark Westerman, senior consultant with network security company Westcam and administrator of the SELinux project at SourceForge.net.

Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating.

CPI will coordinate activities like looking for developers and seeking sponsors to finance the security rating. The plan is to seek security ratings from the United States and at least one other country, possibly Great Britain, because some countries have different security standards, and some non-U.S. users might not trust the U.S. rating, Dean said.

Among Dean's goals is making SELinux easier to install and configure. Loscocco admits SELinux, which NSA released to the public in January 2001, is still hard for non-experts to set up.

NSA's SELinux documentation includes a sample security policy, but configuring the fine-grained controls, down to what programs individual users can run, does take some knowledge, Loscocco said.

Westerman has written a graphical installer that's a first step to pitching SELinux to mainstream users. "What we're looking at is getting the operating system to the point where we can roll it out to an elite IT organization, or where a user can run it on the desktop," Dean said. "What we looking at is getting the SELinux patch and the Linux operating system to the point where it's a robust operating system, so it's not just the small thing that sits on the server, but on everybody's desktop."

Dean expects that gaining the security rating will take a couple of years. "What we're going to have in a couple of years is an operating system that's been evaluated ... and an operating system that's as easy to use as other operating systems," he said.

During the panel discussion at FOSE, Loscocco and Westerman talked about the benefits of SELinux. Westerman described a customer's experience with a cracked DNS server, which was cracked a second time as soon as the customer reloaded the DNS software.

"At that point in time, I grabbed my CDs ... and we loaded the SELinux kernel and left everything else identical on the system -- same DNS server with the same vulnerability," he said. "We were watching that hacker hack into the DNS server to perform his buffer overflow and try to execute all the programs." But with SELinux's mandatory access controls, the hacker couldn't execute a program once inside the box even though he had root access.

"With SELinux, we're not as worried about the next buffer overflow," Westerman said.

Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict they were looking at ways to resolve the potential problems. Among those issues: A security certified operating system that's had outside changes made to it may lose its certification, and a distribution that's downloaded from a site that's not part of the official certification channels loses its certification, Westerman said.

However, Loscocco said his goal would be to release changes back to the GPL, and Dean argued that companies and government agencies looking for the security certification seal of approval may only need to see it once to trust a product.

"You need that check mark," Dean said. "It's important for organizations that have greater security needs than the norm to have this assurance process done."

Re:NSA Enhanced Linux.

are you not aware that the model is one that was developed by non-govie folks that has been verified time after time by researchers?

Re:Windows is secure???

[Yankovic]

It is very very likely that Win2k will be certified as Secure (the capital S is due to the fact that this is a title, and not a state of being). NT was certified as C2 Secure (in the scenarios required for C2 Security) by the NSA, and Win2k will most likely be rated the same.

Here's an out of date link for more info:

http://www.zdnet.com/windows/stories/main/0,4728 ,2 214860,00.html

Here's one from MS's site (NT 4 was also certified):

http://support.microsoft.com/default.aspx?scid=k b; EN-US;q137018

Plenty of other info from google. This is a very exact definition, so if you change one thing, video driver, processor, etc, you no longer have a certified secure installation.

Re:SELinux vs. LIDS

[Crispin+Cowan]

See my post on LSM: the Linux Security Modules project. This is precisely what LSM is about: give Linux a kernel loadable module interface that lets you load SELinux, SubDomain, LIDS (which got its security model from SubDomain), etc. into the kernel.

Stacking modules (loading more than one module at once) is problematic, because security policies are known to not be composable in general. However, if the modules have been designed to be stacked, then LSM will let you stack them.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase

Re:Windows is secure???

[wannabe]

According to the NSA Commercial Product Evaluations for Trusted Systems CD (September 2001), Windows NT service pack 6 with the C2 security patch is the spec on the M$ Product.

According to the documentation, not only does the product have to pass muster, but the company must have the financial viability to support the testing. The financial health of the company must be good enough so that there are no serious doubts about its long term existence. Apparently the NSA doesn't want to certify a product, bring it into deployment and then have the company fold. That I can see being the biggest hold back to a Linux Distro being certified.

All this information is free on the web. Do a search for rainbow series on google and you will find a link to the nsa site. There's also a number you can call and get a copy of the specs sent to you on cd on Uncle Sam's dime.

SE-Linux from long line of Trusted OS's

[AIXadmin]

People may be interested to know that there have been open source trusted operating systems for years. The most notable being Flash from the University of Utah.
SE-Linux, SE-Darwin, and TrustedBSD actually have the same ancestry.

TrustedBSD - http://www.trustedbsd.org
SE-Darwin - http://www.stosdarwin.org/

Cheers,
Thomas Vincent

Re:Windows is secure???

[fw3]

The NT certs under TSEC are not new, 3.5 was evaluated & certified in '95, 4.0 in '99.

see nt 3.5 and nt 4.0

Curiously the 3.5 eval was just weeks after I reported NT's vulnerable management of passwords over network links to CERT. CERT's reply was "well not enough people are using NT on the internet for this to be an issue.

I also forwarded my data to the TSEC evaluators. They indicated that since the evaluated version of the OS(sic) had had all networking capabilities removed (orange-book doen't cover network security), that the evaluation would not be affected by this hole.

As it happened the vulnerability I'd found was further tied to the internal storage of passwords in the NT Reigisty, later examined in L0ptCrack.

Anyhow enough people want to use NT in secure environments that MS will continue to seek these certifications.

Secure vs. secure

[snopes]

As hinted at in another post here, there's a difference between what's certified and what individual practioners would see as accurate. The reason is the individual practioner sees systems applied in real world scenarios and these don't necessarily have anything to do with certification standards. For instance, Cold Fusion and IIS problems are simply not a factor in evaluating the OS even though in the case of IIS it's arguable as to whether this should be.

Additionally, you need to understand just what is being evaluated at the different levels. As mentioned, WinNT was given C2 certification. Understand that this has everything to do with a particular feature set (fine grained ACLs primarily) and little to the with the penetrability of the system. Actual pen testing doesn't become a requirement until B1, IIRC.

The type of security that many are trying to achieve now (secure design, design verification, secure distribution, etc. i.e. security from the start) really doesn't come into play until A1 and that's the highest level of security deemed practicle in the TCSEC.

If you read the Orange book all the way through, what you'll see is that the majority of the security is intended to be achieved via mandatory access controls, subject and object labeling, and the careful application of these concepts. Each level has a new set of requirements for how much of the system is submitted to manadatory access control, whether the TCB (trusted computing base) is a subsystem of a greater insecure system, modularity and seperation of duties, etc. Much higher level system design issues and features, really. Until B2, B3, and really A1 IMHO there's only basic and passing concern with what we're coming to realize as the one true requirement of security engineering: security from the start. Secure design, verification, implementation, and review.

I haven't closely studied the Common Criteria and the handful of protection profiles yet, but I suspect you'd find the same or a similar issue. These are evaluation criteria and they tend to be focused on evaluating a stated set of features and capabilities. In high security environments product certification is not a replacement for careful product evaluation by the end user/customer any more than skills certification (e.g. Cisco, MS certs) is a replacement for careful interviewing and skills assessment by a hiring manager.

EAL4

[karlm]

I breifly worked for a startup that ran a brief stint at getting thier new programming language certified as EAL7... until they realized that it would probably take at least a minimum of $500,000 for each try at certification. This stuff is expensive (and with good reason). On top of that, each attempt at certification comes back with either "yes" or "no, and here's why...". If you try and get your system certified as EAL7 and it meets the criteria for EAL4 but not EAL7, you don't get an EAL4 certicifation, you get a failed EAL7 certification attempt.

A lot of this suff is based on design documentation (and an analysisof the design), demonstration that the design was followed, and solid clear end-user documentation. I can't imagine a design that requires IE to be integrated with the OS will pass EAL4 certification, so they may end up purgering themselves durring the certification process. Too bad the certification documents don't need to be made public. I would strongly hope that nobody will EAL4 certify anything with I.E. integrated. It's track record seems to indicate that the design was not well reflected in the implementation. Keep an eye out, if the certified version of Win2K doesn't have I.E. integrated, maybe the DOJ can slap MS on the wrist one more time.

Solaris 8 has a special EAL4 version, but you (rightly) pay quite a premium for that version, as I understand it. In order to get something certified, you submit an exact copy of the system to be certified. If one bit (other than passwords, usernames, and groups) is different from what is certified (besides allowable changes specified in the certified end-user documentation), it's no longer EAL4 certified.

This is pretty hard-core stuff. THe previooous security record of Win2K doesn't really come into account, becuase the EAL version would be best described as aspecificconfiguration of an OS based on Win2K, not actually Win2K.

Debian is pretty hard core with quality standards. Bastille and Debian probably stand the best chance of beilng able to put together an EAL4 distro, but niether of them is that well off financially. RedHat has some quality issues, but should be able to put something together as good as the certified version of NT. I don't think the costs would be justified for RedHat right now, though. The chances are slim to none that you'll ever be able to serve web pages from an all-microsoft EAL4 system within a decade. I highly doubt that EAL4 version of Solaris 8 has a vebserver, at least one capable of dynamic content.