Last month's unveiling of the US National Security Agency's attempt to create a truly secure Linux was the first good security news of the year. On Jan. 2 the NSA announced that it had been figuring out how to harden the popular open-source OS, and that it was sharing its prototype, dubbed Security-Enhanced Linux, and source code with the public.
(Attention marketing types: I propose abbreviating this mouthful to SEL, pronounced "seal," with a cute little mascot, a la Tux the Penguin.) After all, this is coming from a federal agency whose penchant for secrecy is so notorious that its initials were once reputed to stand for "No Such Agency." A friend of mine from college completed a summer internship at the NSA -- and as I recall, that was all she was allowed to say about her work. (We got more interesting stories from the guy who spent his summer on a ballistic missile submarine, and he couldn't say much either.) So why is Fort Meade, Maryland, suddenly a hot spot for Linux security enhancements? Well, Linux is no longer strictly an OS for longhaired, ponytailed types; the Feds use it too. Some of the Linux gurus and security experts quoted in press reports were skeptical of the agency's intentions, although the NSA is making its enhancements available under the GNU Public License (GPL), and the source code is, as noted, available for inspection. That's a better deal than we're getting with Carnivore, in case one is concerned with bona fides.
Linux tough to secure
One of my beefs about Linux is that it's a bear to secure. Few distributions (Red Hat Inc. being a notable exception) offer any tools for automating the process of downloading and installing system patches that affect security. In most cases, you're running a command-line tool, which is tolerable when you have to install one or two patches. But when you're setting up a new Linux machine, you may have dozens of these to add before the system is safe to connect to a public network.
The bad news is that the NSA's Security-Enhanced Linux prototype doesn't do anything to address that problem, nor should it; that's a vendor's responsibility, and it's a shame that few have recognized their obligation to make this process easier. The good news is that the agency is using its decades of experience in securing its own machines to help with the greater chore of fortifying the OS itself and making the system architecture less vulnerable to assault.
The focus of the NSA's enhancements is on mandatory access controls, and the foundation for these is built into the kernel's major subsystems. The hope is that when the controls are properly applied, attackers can no longer expect to be able to subvert application-based security mechanisms, and victims can be assured that the damage caused by flawed or malicious applications can be contained. This can even be applied to processes running as "superuser," which ordinarily would have unlimited access to the system.
The two security policy abstractions that the NSA's enhancements currently embrace are type enforcement and role-based access. Under type enforcement, each system process is associated with a domain, and each object is assigned a type. The system configuration files determine how domains interact with each other and with object types. You can define how program types can access process domains, how transitions from one domain to another take place, and when they're allowed. With role-based access, each process has an associated role. This helps segregate ordinary processes from privileged ones. Again, the system configuration determines how roles access domains and transition from one security domain to another.
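To make the type-enforcement and role rules concrete, here is a small policy fragment in SELinux's policy language showing a domain transition into a privileged domain; it is an added illustration, not code from the NSA release or from this column, and every type, domain and role name in it is a constructed placeholder.

```selinux
# Object types: files the domains may touch (constructed names).
type user_home_t;          # a user's own files
type shadow_t;             # the password database
type passwd_exec_t;        # the password-changing program on disk

# Process domains.
type user_t;               # ordinary, unprivileged user processes
type passwd_t;             # the domain the password program runs in

# Roles: which domains a process holding a given role may occupy.
role user_r types { user_t passwd_t };

# What an ordinary user process may do: read and write its own files
# and run the password program, but not touch the password database.
allow user_t user_home_t : file { read write getattr };
allow user_t passwd_exec_t : file { read getattr execute };

# Domain transition: executing a passwd_exec_t file from user_t moves
# the new process into passwd_t, and that file is the only entry point.
allow user_t passwd_t : process transition;
allow passwd_t passwd_exec_t : file entrypoint;
type_transition user_t passwd_exec_t : process passwd_t;

# The privileged domain may update the password database, but no rule
# grants it the user's home files, so a flaw in the program is confined
# to what passwd_t is explicitly allowed.
allow passwd_t shadow_t : file { read write getattr };
```

Because the policy is default-deny, anything not listed (here, passwd_t reading user_home_t, or user_t writing shadow_t) is refused; a complete policy also needs the class, permission and user declarations this fragment omits.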
Of course, because this is a prototype, there's a lot of work to be done before we can call Linux truly securable. According to the NSA's Web site, Red Hat 6.1 on Intel is the only system the agency has used for testing, and the development was done using the older 2.2.12 kernel. In addition, the agency hasn't done any performance testing on the enhancements, so heaven knows how this software behaves in reality. Other key elements of a secure system, such as security auditing and system assurance, are beyond this project's scope.
As you might have noticed, I'm not buying into the paranoiac arguments that nobody wants the NSA's help and that this represents a way for the government's mail-opening service to subvert Linux the way it allegedly subverted Microsoft. Balderdash, I say. The NSA (for once) is serving the public interest by making it harder to subvert private as well as public systems and thus is preserving the foundations of our economy: the systems that run banking, communications, and other key services. Although the NSA's Security-Enhanced Linux prototype has several limitations, it still represents a huge step in the right direction. Now if only the agency's people would spend some time thinking about securing Windows, I might sleep easier.
Senior analyst P.J. Connolly (firstname.lastname@example.org) doesn't believe that any system is secure until it's powered down. He rarely trusts the government, but will occasionally make an exception.