SELinux aims for security certification and credibility among cautious IT purchasers

[InfoSec News <isn () c4i org>]

http://newsforge.com/article.pl?sid=02/03/22/1716241&tid=23

Friday March 22, 2002 
[06:12 PM GMT]
By Grant Gross 

The Cyberspace Policy Institute at The George Washington University is
launching an effort to get international security ratings for the U.S.  
National Security Agency-driven Security Enhanced Linux project, a
move that organizers hope will make Linux more attractive to cautious
technology purchasers, including government agencies.

Martin R. Dean, senior security researcher at the Cyberspace Policy
Institute (CPI) and principal engineer at Science Applications
International Corp., said SELinux still needs some enhancements, such
as becoming a fully integrated operating system instead of a patch to
Red Hat Linux, but the institute is starting to look for partners to
help guide the ultra-secure Linux distribution through the rigorous
EAL4 security certification, known formally as the Common Criteria for
Information Technology Security Evaluation standard.

Dean spoke at a panel discussion on SELinux, one of the last events at
the FOSE technology-in-government trade show Thursday. Other panelists
were Peter Loscocco, the SELinux project leader at the NSA; Tony
Stanco, senior policy analyst for Open Source and e-government at CPI
and founder of FreeDevelopers.net; and Mark Westerman, senior
consultant with network security company Westcam and administrator of
the SELinux project at SourceForge.net.

Microsoft is currently trying to get the EAL4 for its Windows 2000 OS,
and Dean argues that for Linux to be competitive at places like
government agencies, where security ratings are used as a big
evaluation tool for buying technology products, SELinux also needs the
EAL4 rating.

CPI will coordinate activities like looking for developers and seeking
sponsors to finance the security rating. The plan is to seek security
ratings from the United States and at least one other country,
possibly Great Britain, because some countries have different security
standards, and some non-U.S. users might not trust the U.S. rating,
Dean said.

Among Dean's goals is making SELinux easier to install and configure.  
Loscocco admits SELinux, which NSA released to the public in January
2001, is still hard for non-experts to set up.

NSA's SELinux documentation includes a sample security policy, but
configuring the fine-grained controls, down to what programs
individual users can run, does take some knowledge, Loscocco said.

Westerman has written a graphical installer that's a first step to
pitching SELinux to mainstream users. "What we're looking at is
getting the operating system to the point where we can roll it out to
an elite IT organization, or where a user can run it on the desktop,"  
Dean said. "What we looking at is getting the SELinux patch and the
Linux operating system to the point where it's a robust operating
system, so it's not just the small thing that sits on the server, but
on everybody's desktop."

Dean expects that gaining the security rating will take a couple of
years. "What we're going to have in a couple of years is an operating
system that's been evaluated ... and an operating system that's as
easy to use as other operating systems," he said.

During the panel discussion at FOSE, Loscocco and Westerman talked
about the benefits of SELinux. Westerman described a customer's
experience with a cracked DNS server, which was cracked a second time
as soon as the customer reloaded the DNS software.

"At that point in time, I grabbed my CDs ... and we loaded the SELinux
kernel and left everything else identical on the system -- same DNS
server with the same vulnerability," he said. "We were watching that
hacker hack into the DNS server to perform his buffer overflow and try
to execute all the programs." But with SELinux's mandatory access
controls, the hacker couldn't execute a program once inside the box
even though he had root access.

"With SELinux, we're not as worried about the next buffer overflow,"  
Westerman said.

Among the 30 audience members were several Microsoft booth workers.  
One asked a couple of questions about the SELinux project, including,
ironically, whether changes made to ready it for the security
certification would be released back to the community under the GNU
General Public License. Panelists said that although the rules of
security certification and the GPL sometimes conflict they were
looking at ways to resolve the potential problems. Among those issues:  
A security certified operating system that's had outside changes made
to it may lose its certification, and a distribution that's downloaded
from a site that's not part of the official certification channels
loses its certification, Westerman said.

However, Loscocco said his goal would be to release changes back to
the GPL, and Dean argued that companies and government agencies
looking for the security certification seal of approval may only need
to see it once to trust a product.

"You need that check mark," Dean said. "It's important for
organizations that have greater security needs than the norm to have
this assurance process done."




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.