
Re: nsa code ?



Andreas Jellinghaus wrote:

> what do people here think about the nsa secure linux ?
> is anyone integrating this into a linux distribution ?
> why not ?

SELinux uses Type Enforcement, a form of Mandatory Access Control
(MAC) that is more flexible than the hierarchical access control
concepts suggested by the Orange Book.  Type Enforcement employs a 2-way
"domains & types" approach of (roughly) mapping subjects to Domains and
objects to Types and then specifying which Domains can access which
Types.  This powerful abstraction allows the administrator a lot of
expressiveness in specifying what users may do to each other's files.

Immunix is not going to adopt SELinux.  It's not that we don't like the
work (it's fine), it's that it is redundant with respect to our SubDomain
technology http://immunix.org/subdomain.html

In particular, SubDomain is a simplification of Type Enforcement,
intended to facilitate hardening of server appliances.  SubDomain
dispenses with one of those levels of indirection, and associates a
Domain of access (list of files & mode bits) directly with programs.
So, e.g. the BIND program can only read DNS files, and can only execute
the libraries it needs to run.

This makes SubDomain unsuitable for protecting users from one another on
a time share system.  On the other hand, it makes SubDomain efficient at
configuring and securing server appliances, which have a fixed set of
purposes, and "security" means "no unexpected functionality" :-)

While Type Enforcement is generally more powerful & expressive than
SubDomain, there is one possible exception.  SubDomain includes a
facility to contain a sub-process element, e.g. a script executed by an
Apache module.  I don't know if TE, DTE, or SELinux have this
capability.  The only other sub-process security confinement
implementation that I am aware of is JDK 2, but there quite possibly may
be more.  Go back far enough, and the notion of "process" starts to get
muddy.

SubDomain is (we think) more efficient.  We've used it to wrap a large
number of programs, most without any changes at all to the applications
themselves. For performance testing, we wrapped a CGI/Perl script,
executed it with mod_perl (a pathologically bad case for SubDomain) and
measured it with Webstone.  The observed overhead was between 1% and 2%.

SubDomain was first published at the December USENIX LISA conference
http://www.usenix.org/events/lisa2000/ and you can read the paper here
http://immunix.org/subdomain.pdf

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:                http://immunix.org

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
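An added toy model of the two policy shapes contrasted in the message above: Type Enforcement (subject to domain, object to type, then (domain, type) to modes) versus SubDomain-style confinement (program bound directly to a list of files and mode bits). This is illustration code written for this page, not SELinux, SubDomain or Immunix code, and it uses none of their real policy syntax; the file paths, the BIND profile and the "r/w/x" mode letters are constructed for the example. It shows the BIND case from the message, why a program-keyed profile cannot tell two users apart, and how a literal-path SubDomain profile is just a degenerate TE policy.

```python
"""Toy comparison of Type Enforcement and SubDomain-style policy shapes.

Added illustration only: not SELinux, SubDomain or Immunix code or syntax.
Paths, profiles and mode letters below are constructed for the example.
"""
import fnmatch

READ, WRITE, EXEC = "r", "w", "x"   # mode vocabulary is an assumption of this toy


class TypeEnforcementPolicy:
    """Two levels of indirection: subjects are labelled with domains, objects
    with types, and access is granted per (domain, type) pair."""

    def __init__(self, subject_domain, object_type, allow):
        self.subject_domain = subject_domain   # subject -> domain
        self.object_type = object_type         # path -> type
        self.allow = allow                     # (domain, type) -> set of modes

    def permitted(self, subject, path, mode):
        domain = self.subject_domain.get(subject)
        otype = self.object_type.get(path)
        if domain is None or otype is None:
            return False                       # unlabelled: default deny
        return mode in self.allow.get((domain, otype), set())


class SubDomainPolicy:
    """One level of indirection: a program is bound directly to the files
    (here: glob patterns) and modes it may use. The subject is the program,
    never the user who happens to run it."""

    def __init__(self, profiles):
        self.profiles = profiles               # program -> {pattern: set of modes}

    def permitted(self, program, path, mode):
        profile = self.profiles.get(program)
        if profile is None:
            return True    # unconfined program: only ordinary DAC applies (assumption)
        return any(fnmatch.fnmatchcase(path, pat) and mode in modes
                   for pat, modes in profile.items())


# Constructed profile in the spirit of "BIND can only read DNS files and can
# only execute the libraries it needs"; not Immunix's actual profile.
BIND_PROFILE = {
    "/usr/sbin/named": {
        "/etc/named.conf": {READ},
        "/var/named/*": {READ},
        "/lib/*.so*": {READ, EXEC},
        "/usr/lib/*.so*": {READ, EXEC},
    }
}


def bind_checks():
    """Confined named: DNS data and libraries work, everything else is denied."""
    sd = SubDomainPolicy(BIND_PROFILE)
    named = "/usr/sbin/named"
    return {
        "read zone": sd.permitted(named, "/var/named/example.com.zone", READ),
        "exec libc": sd.permitted(named, "/lib/libc.so.6", EXEC),
        "write zone": sd.permitted(named, "/var/named/example.com.zone", WRITE),
        "read passwd": sd.permitted(named, "/etc/passwd", READ),
        "exec shell": sd.permitted(named, "/bin/sh", EXEC),
    }


def user_separation():
    """Why a program-keyed profile cannot protect users from one another: the
    same editor runs under the same profile whoever invokes it, while TE can
    key the decision on the invoking user's domain."""
    te = TypeEnforcementPolicy(
        subject_domain={"alice": "alice_t", "bob": "bob_t"},
        object_type={"/home/alice/notes": "alice_home_t",
                     "/home/bob/notes": "bob_home_t"},
        allow={("alice_t", "alice_home_t"): {READ, WRITE},
               ("bob_t", "bob_home_t"): {READ, WRITE}},
    )
    sd = SubDomainPolicy({"/usr/bin/vi": {"/home/*": {READ, WRITE}}})
    return {
        "te: alice reads bob": te.permitted("alice", "/home/bob/notes", READ),
        "sd: vi (run by anyone) reads bob": sd.permitted("/usr/bin/vi", "/home/bob/notes", READ),
    }


def as_type_enforcement(sd):
    """A SubDomain profile made of literal paths is a TE policy in which each
    program is its own domain and each file is its own type (glob patterns
    are not expanded here, so only literal entries round-trip)."""
    subject_domain, object_type, allow = {}, {}, {}
    for program, rules in sd.profiles.items():
        subject_domain[program] = program
        for path, modes in rules.items():
            object_type[path] = path
            allow[(program, path)] = set(modes)
    return TypeEnforcementPolicy(subject_domain, object_type, allow)


if __name__ == "__main__":
    for name, ok in {**bind_checks(), **user_separation()}.items():
        print(f"{name:36s} {'allow' if ok else 'deny'}")
```

The `user_separation()` result is the concrete form of the message's caveat: the SubDomain check takes a program, not a user, so it has nowhere to say "alice may not read bob's files", whereas the TE policy denies it outright. `as_type_enforcement()` is the "SubDomain is a simplification of Type Enforcement" sentence as code: drop the two labelling maps to the identity and TE collapses to a per-program file list.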