Mandatory Access Control: Silver Bullet or Kafkaesque Nightmare?, Part 2

Enter SELinux

A couple of months ago, the NSA released an updated version of its Security Enhanced Linux (SELinux) -- a joint effort between the NSA, Network Associates, and Secure Computing. Unfortunately, the NSA did not fix or publish any new vulnerabilities or the new class of vulnerabilities they had been sitting on. When I heard the NSA was publishing a Linux distribution, my first instinct was to run diffs against the sources to see what they had "fixed". Alas, it's not that kind of distribution.

SELinux (http://www.nsa.gov/selinux) was developed as an example to the Linux community of how a MAC-based system would operate. The fully functional and freely distributed SE module seems to be an NSA attempt to harness the strength of the open source communities and direct it towards developing more secure systems. SELinux's documentation states that it protects raw data on the system and the integrity of the kernel and system software, confines the potential damage if a process is compromised, and prevents malicious code from being run, especially at a privileged level. It enforces the separation of duties necessary to ensure the containment of a compromise.

SELinux is a series of modified system utilities and system calls that currently only run under Red Hat. The developers make no guarantees as to the system's actual security with the security modules installed, as it is meant to serve more as an example of how a system like this should work. Also, the security of the system is only as strong as the policy it enforces, so SELinux is by no means a turnkey security solution.
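To make the point that the system is only as strong as its policy concrete, here is an added fragment in SELinux's type-enforcement policy language (it is illustrative, not code from the article or from the SELinux distribution); the domain, type and attribute names (init_t, httpd_t, httpd_exec_t, httpd_content_t, httpd_log_t, shadow_t, file_type) are assumed for the example.

```text
# Added illustrative fragment in SELinux type-enforcement syntax;
# the type and attribute names are assumed, not taken from the article.
attribute file_type;

type init_t;                       # domain that starts the daemon
type httpd_t;                      # confined domain for the web server
type httpd_exec_t, file_type;      # label on the server binary
type httpd_content_t, file_type;   # label on the files it is meant to serve
type httpd_log_t, file_type;       # label on its log files
type shadow_t, file_type;          # label on /etc/shadow

# Entering the confined domain: when init_t executes a file labelled
# httpd_exec_t, the new process runs as httpd_t rather than inheriting
# its parent's domain.
allow init_t httpd_exec_t:file { read execute };
allow init_t httpd_t:process transition;
allow httpd_t httpd_exec_t:file entrypoint;
type_transition init_t httpd_exec_t:process httpd_t;

# Tight policy: the server may only read its content and append to its
# logs. No rule grants httpd_t anything on shadow_t, so even if the server
# is compromised while running as uid 0, the kernel denies it /etc/shadow;
# the decision is made per object label, not by who "root" is.
allow httpd_t httpd_content_t:file { read getattr };
allow httpd_t httpd_log_t:file { append getattr };

# Weak policy (shown for contrast, do not ship): one broad rule hands the
# domain every file permission on every labelled file, shadow_t included,
# and the confinement above is gone. The kernel enforces exactly what it
# is given, no more and no less.
# allow httpd_t file_type:file *;
```

A real policy for such a daemon also needs directory search, network and library-loading rules; the fragment shows only the file-access decisions that the confinement rests on.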

Is business ready for MAC? Is MAC ready for business?

MAC enforces a "separation of duties", which places less emphasis on a single point of authority or all-powerful 'root' account. Because the access control information is relative to each file or object on the system, the authority to do things on the system is significantly decentralized.

Though a product of a radically different culture than that of the business world, this methodology could benefit businesses by incorporating some of the MAC principles that were developed in an environment where the secrecy and integrity of the data was as important as its availability, if not more so. The data's value was in its secrecy, so if information was exposed you couldn't just make it secret again by restoring it from a backup.

Information's value in the business world is geared more towards the availability end of the spectrum. Web sites must get served, reports must be delivered, and news must be distributed. If confidentiality is compromised, then recourse moves to the courts.

From a confidentiality and integrity perspective, MAC is an excellent model. However, it may require multiple sign-offs, which requires more resources, making it cumbersome from an availability perspective. This is not just about computational resources, but business processes. Imagine having to get multiple sign-offs for access to a single, and seemingly insignificant, piece of information.

Think of it as a dictator vs. a bureaucracy. The dictator will get things done quickly and efficiently, with a higher probability of failure due to the lack of checks and balances in the decision-making process; whereas the bureaucracy can pretty much guarantee it will get done, with the paper trail to prove it, just don't ask when.
