[ISN] SELinux aims for security certification and credibility among cautious IT purchasers

From: InfoSec News (isnat_private)
Date: Sun Mar 31 2002 - 23:53:43 PST

  • Next message: InfoSec News: "[ISN] Re: Hoax or hoard? Mystery code holds out promise of millions to some"

    Friday March 22, 2002 
    [06:12 PM GMT]
    By Grant Gross 
    The Cyberspace Policy Institute at The George Washington University is
    launching an effort to get international security ratings for the U.S.  
    National Security Agency-driven Security Enhanced Linux project, a
    move that organizers hope will make Linux more attractive to cautious
    technology purchasers, including government agencies.
    Martin R. Dean, senior security researcher at the Cyberspace Policy
    Institute (CPI) and principal engineer at Science Applications
    International Corp., said SELinux still needs some enhancements, such
    as becoming a fully integrated operating system instead of a patch to
    Red Hat Linux, but the institute is starting to look for partners to
    help guide the ultra-secure Linux distribution through the rigorous
    EAL4 security certification, known formally as the Common Criteria for
    Information Technology Security Evaluation standard.
    Dean spoke at a panel discussion on SELinux, one of the last events at
    the FOSE technology-in-government trade show Thursday. Other panelists
    were Peter Loscocco, the SELinux project leader at the NSA; Tony
    Stanco, senior policy analyst for Open Source and e-government at CPI
    and founder of FreeDevelopers.net; and Mark Westerman, senior
    consultant with network security company Westcam and administrator of
    the SELinux project at SourceForge.net.
    Microsoft is currently trying to get the EAL4 for its Windows 2000 OS,
    and Dean argues that for Linux to be competitive at places like
    government agencies, where security ratings are used as a big
    evaluation tool for buying technology products, SELinux also needs the
    EAL4 rating.
    CPI will coordinate activities like looking for developers and seeking
    sponsors to finance the security rating. The plan is to seek security
    ratings from the United States and at least one other country,
    possibly Great Britain, because some countries have different security
    standards, and some non-U.S. users might not trust the U.S. rating,
    Dean said.
    Among Dean's goals is making SELinux easier to install and configure.  
    Loscocco admits SELinux, which NSA released to the public in January
    2001, is still hard for non-experts to set up.
    NSA's SELinux documentation includes a sample security policy, but
    configuring the fine-grained controls, down to what programs
    individual users can run, does take some knowledge, Loscocco said.
    Westerman has written a graphical installer that's a first step to
    pitching SELinux to mainstream users. "What we're looking at is
    getting the operating system to the point where we can roll it out to
    an elite IT organization, or where a user can run it on the desktop,"  
    Dean said. "What we looking at is getting the SELinux patch and the
    Linux operating system to the point where it's a robust operating
    system, so it's not just the small thing that sits on the server, but
    on everybody's desktop."
    Dean expects that gaining the security rating will take a couple of
    years. "What we're going to have in a couple of years is an operating
    system that's been evaluated ... and an operating system that's as
    easy to use as other operating systems," he said.
    During the panel discussion at FOSE, Loscocco and Westerman talked
    about the benefits of SELinux. Westerman described a customer's
    experience with a cracked DNS server, which was cracked a second time
    as soon as the customer reloaded the DNS software.
    "At that point in time, I grabbed my CDs ... and we loaded the SELinux
    kernel and left everything else identical on the system -- same DNS
    server with the same vulnerability," he said. "We were watching that
    hacker hack into the DNS server to perform his buffer overflow and try
    to execute all the programs." But with SELinux's mandatory access
    controls, the hacker couldn't execute a program once inside the box
    even though he had root access.
    "With SELinux, we're not as worried about the next buffer overflow,"  
    Westerman said.
    Among the 30 audience members were several Microsoft booth workers.  
    One asked a couple of questions about the SELinux project, including,
    ironically, whether changes made to ready it for the security
    certification would be released back to the community under the GNU
    General Public License. Panelists said that although the rules of
    security certification and the GPL sometimes conflict they were
    looking at ways to resolve the potential problems. Among those issues:  
    A security certified operating system that's had outside changes made
    to it may lose its certification, and a distribution that's downloaded
    from a site that's not part of the official certification channels
    loses its certification, Westerman said.
    However, Loscocco said his goal would be to release changes back to
    the GPL, and Dean argued that companies and government agencies
    looking for the security certification seal of approval may only need
    to see it once to trust a product.
    "You need that check mark," Dean said. "It's important for
    organizations that have greater security needs than the norm to have
    this assurance process done."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 02:44:57 PST