A couple of months ago, the NSA released an updated version of its
Security Enhanced Linux (SELinux) -- a joint effort between the NSA,
Network Associates, and Secure Computing. Unfortunately, the NSA did
not fix or publish any new vulnerabilities or the new class of
vulnerabilities they had been sitting on. When I heard the NSA was
publishing a Linux distribution, my first instinct was to run diffs
against the sources to see what they had "fixed". Alas, it's not that
kind of distribution.
SELinux (http://www.nsa.gov/selinux) was developed as an example to the
Linux community of how a MAC-based system would operate. The fully
functional and freely distributed SE module seems to be an NSA attempt
to harness the strength of the open source communities and direct it
towards developing more secure systems. SELinux's documentation states
that it protects raw data on the system and the integrity of the kernel
and system software, confines the potential damage if a process is
compromised, and prevents malicious code from being run, specifically
at a privileged level. It enforces the
separation of duties necessary to ensure the containment of a
SELinux is a series of modified system utilities and system calls that
currently only run under Red Hat. The developers make no guarantees as
to the system's actual security with the security modules installed, as
it is meant to serve more as an example of how a system like this should
work. Also, the security of the system is only as strong as the policy
it enforces, so SELinux is by no means a turnkey security solution.
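To make the two points above concrete (a compromised process is confined regardless of its uid, and the protection is only as good as the policy), here is an added toy model of SELinux-style type enforcement. It is not SELinux code and not from the NSA release; the domains (httpd_t, passwd_t), types (shadow_t, httpd_content_t), file paths and uids are constructed for illustration. Every access must pass both the classic owner/uid check and a per-object policy lookup, which is also the "access control information is relative to each object" idea discussed further down.

```python
"""Toy type-enforcement model of SELinux-style MAC sitting beside Unix DAC.

Constructed example: the domains, types, rules and files below are invented
for illustration and do not come from the SELinux policy.  An access is
granted only if BOTH the traditional uid/mode check (DAC) and the policy
lookup keyed on (subject domain, object type) (MAC) say yes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Process:
    pid: int
    uid: int          # 0 is root under DAC
    domain: str       # subject label, e.g. "httpd_t" (hypothetical)


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int         # permission bits, octal
    type_: str        # object label, e.g. "shadow_t" (hypothetical)


@dataclass
class Policy:
    # (source domain, target type) -> set of permissions such as {"read"}
    rules: dict = field(default_factory=dict)

    def allow(self, domain, type_, *perms):
        self.rules.setdefault((domain, type_), set()).update(perms)

    def permits(self, domain, type_, perm):
        # No matching rule means deny: MAC is default-deny per object.
        return perm in self.rules.get((domain, type_), set())


def dac_permits(proc, f, perm):
    """Classic Unix check: root bypasses everything, otherwise mode bits."""
    if proc.uid == 0:
        return True
    bits = {"read": 0o4, "write": 0o2, "execute": 0o1}[perm]
    if proc.uid == f.owner_uid:
        return bool((f.mode >> 6) & bits)   # owner triplet
    return bool(f.mode & bits)              # "other" triplet; groups omitted


def access(policy, proc, f, perm):
    """Return (decision, reason); DAC is consulted first, then MAC."""
    if not dac_permits(proc, f, perm):
        return False, "dac"
    if not policy.permits(proc.domain, f.type_, perm):
        return False, "mac"
    return True, "ok"


# Constructed objects: a web document and the password shadow file.
SHADOW = File("/etc/shadow", owner_uid=0, mode=0o600, type_="shadow_t")
HTDOCS = File("/var/www/index.html", owner_uid=48, mode=0o644,
              type_="httpd_content_t")


def strict_policy():
    """Least-privilege rules: each domain reaches only the types it needs."""
    p = Policy()
    p.allow("httpd_t", "httpd_content_t", "read")
    p.allow("passwd_t", "shadow_t", "read", "write")
    return p


def permissive_policy():
    """Same model, but the web server domain is granted the shadow type too.
    The mechanism is unchanged; the policy alone makes confinement vanish."""
    p = strict_policy()
    p.allow("httpd_t", "shadow_t", "read", "write")
    return p


def demo(policy):
    """Evaluate the accesses discussed in the text under one policy."""
    web = Process(100, uid=48, domain="httpd_t")
    # Same process after a compromise that escalated it to uid 0: the
    # domain label does not change just because the uid did.
    web_as_root = Process(100, uid=0, domain="httpd_t")
    passwd = Process(200, uid=0, domain="passwd_t")
    return {
        "web_reads_htdocs": access(policy, web, HTDOCS, "read"),
        "web_reads_shadow": access(policy, web, SHADOW, "read"),
        "root_web_reads_shadow": access(policy, web_as_root, SHADOW, "read"),
        "passwd_reads_shadow": access(policy, passwd, SHADOW, "read"),
    }


if __name__ == "__main__":
    for name, pol in (("strict", strict_policy()), ("permissive", permissive_policy())):
        for case, result in demo(pol).items():
            print(f"{name:10} {case:24} {result}")
```

Under the strict policy the root-level web process is stopped by the "mac" check even though DAC would have let it through; under the permissive policy the very same code path returns ok, which is the whole of the "only as strong as the policy it enforces" caveat.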
Is business ready for MAC? Is MAC ready for business?
MAC enforces a "separation of duties", which places less emphasis on a
single point of authority or an all-powerful 'root' account. Because the
access control information is relative to each file or object on the
system, the authority to do things on the system is significantly
Though MAC is a product of a radically different culture from that of
the business world, businesses could benefit by incorporating some of
its principles, which were developed in an environment where the secrecy
and integrity of the data was as important as its availability, if not
more so. The data's value lay in its secrecy, so if information was
exposed you couldn't simply make it secret again by restoring it from a
backup.
Information's value in the business world is geared more towards the
availability end of the spectrum. Web sites must get served, reports
must be delivered, and news must be distributed. If confidentiality is
compromised, then recourse moves to the courts.
From a confidentiality and integrity perspective, MAC is an excellent
model. However, it may require multiple sign-offs, which requires more
resources, making it cumbersome from an availability perspective. This
is not just about computational resources, but business processes.
Imagine having to get multiple sign-offs for access to a single, and
seemingly insignificant, piece of information.
Think of it as a dictator vs. a bureaucracy. The dictator will get
things done quickly and efficiently, with a higher probability of
failure due to the lack of checks and balances in the decision-making
process, whereas the bureaucracy can pretty much guarantee it will get
done, with the paper trail to prove it; just don't ask when.