The NSA’s ultra-secure Linux technology evolves for the enterprise

Apr 05, 2006, 5 mins
Enterprise Applications, Linux, Open Source

LinuxWorld panel discusses the evolution and challenges of Security Enhanced Linux

Boston – Linux and open-source developers are working to make Linux security tools developed by the National Security Agency more accessible and usable by regular system administrators and application developers.

Software developers and users discussed how Security Enhanced Linux (SE Linux) is evolving, and the benefits – and potential pitfalls – it could introduce when deployed in an enterprise data center. This discussion took place in a panel on SE Linux at the LinuxWorld Expo this week.

SE Linux is not a Linux distribution, such as SuSE or Red Hat, but is instead a set of modifications to the Linux kernel that limit the access that applications have to memory, processors, operating system configuration files and other critical components of a server or PC operating system. SE Linux uses mandatory access controls to limit applications’ access only to the minimal amount of resources they need to run. The idea is to prevent hackers from taking over or breaking into a server by exploiting openings in poorly designed code, or by squeezing through small holes in well-designed software.

Introduced in 2000 by the NSA, SE Linux “only covered a small subset of the overall [Linux] system,” said Stephen Smalley, a research scientist for the NSA. “SE Linux policy has since been expanded to cover more of the system. A year ago we had fairly immature support and a monolithic policy. Today we have support for modular policy, enabling third-party application developers to create policies [for SE Linux] and package them with their applications.”

A major step in making SE Linux easier to use has been the development of the SE Linux Reference Policy, an open-source project for creating tools that make it easier to create and apply SE Linux policies to software.

Smalley says other developments the NSA is working on for SE Linux are ways to apply the technology to desktop Linux systems, as well as to multiple virtualized Linux systems running on top of a single hardware platform.

The U.K. Central Government is testing SE Linux with its infrastructure of Linux and IBM WebSphere servers. The goal is to secure the Web services architecture for its municipal-service Web sites and public-facing applications.

“We wanted to enforce policies which say that application servers can only talk to the end points that they’re authorized to talk to,” said Mark Hocking, technical architect for the U.K. Cabinet Office’s e-Government Unit. Such mandatory access controls have been used for a long time in government operating systems and highly customized systems, he said.

The U.K.’s e-Government Unit wanted to apply SE Linux protection to a range of Java 2 Enterprise Edition (J2EE) applications it uses with minimal changes to the WebSphere servers it has up and running. So far, the group’s beta tests have been successful, Hocking says.

“We’re not saying it will have 100% [security] assurance, but it seems to be working quite well. We believe we can apply SE Linux to commercial off-the-shelf products to give us a higher level of assurance than what we would have had without it.”

SE Linux has been included in Red Hat Enterprise Linux 4, as well as Red Hat’s Fedora Core version 4 and the recently released version 5. However, it has been turned off by default, since the policies can disrupt some commonly used system processes and applications, according to Red Hat developers. And turning on SE Linux can frustrate administrators because the severe limitations to resources it puts on applications can cause applications to fail or act erratically.

“SE Linux breaks everything,” or so goes the perception of SE Linux, said Daniel Walsh, principal software engineer at Red Hat. “So what we have to figure out is, if SE Linux causes a problem, what are the actions an administrator can take to fix it. Right now an admin has the ability to turn SE Linux on and off; maybe there’s another solution.”

Walsh says Red Hat is working on tools that will allow for modular implementations of SE Linux, and that can give administrators easier feedback on how SE Linux policies are affecting a server. These tools will be included in the upcoming Red Hat Enterprise Linux version 5, which is expected to be released at the end of this year, Walsh said.

“The problem with [turning on SE Linux] is that all of the sudden, access that was there before isn’t there, and [a system administrator] might not know how to fix it,” Walsh said. “Or worse, they may make a change or take an action in order to just get the system up and running that may make security worse on the system overall.”

In spite of the difficulties that the NSA, Red Hat and other open-source developers are working to overcome with SE Linux, the technology itself can be a powerful tool for securing an infrastructure based on open-source software – code which is sometimes, and sometimes not, written with security in mind.

“The problem is there’s so much [sloppy] code out there,” Walsh said. “Allowing this crappy code to be out there is a major security problem. What we want to do is lock the memory to make sure that someone does not get into memory to run random code.”