Security is no secret
NSA takes its Flask architecture to the open-source community to offer an inexpensive route to trusted systems
Sidebar: Flask resources
Web extra: Policies or containers? Another approach to trusted security
- By Joab Jackson
- Jul 18, 2008
Architecture created by the National Security Agency and expanded with help from the open-source community will save the Defense Department and intelligence agencies millions in hardware costs.
Analysts used to need multiple computers because they worked on separate machines for each classification level of data they accessed. Soon, users will be able to access data from a single console that could cost $500 or less, thanks to the NSA security architecture dubbed Flask.
With Flask, 'we can guarantee that high-integrity data can't be corrupted by untrustworthy entities or that sensitive data doesn't leak to untrustworthy entities,' said Stephen Smalley, one of the chief developers of Flask at NSA. The best part is that the technology requires no specialized hardware or operating system.
And that is only one of the potential security benefits. NSA officials said they hope software vendors will adopt the technology to better secure their products.
The Linux community was one of the first groups to embrace Flask. With the help of open-source developers, NSA created a Linux security module based on Flask, called Security-Enhanced Linux (SELinux). It is now one of the core features in the widely used Red Hat Enterprise Linux.
'What it really helps out with is something called zero-day exploits,' said Daniel Walsh, a principal software engineer at Red Hat and leader of the company's SELinux team. 'If you have a bug in your software that allows a machine to be taken over, SELinux [provides] another layer of controls to make sure that application only does what it was designed to do. SELinux is your last line of defense.'
Flask is not limited to Linux. Earlier this year, one of the heavyweights in multilevel security, Sun Microsystems, embarked on its own implementation of Flask for the OpenSolaris operating system. Sun officials hope the open-source community will help it tweak its implementation.
Flask is 'what they are advocating as a future security model,' said Bill Vass, president and chief operating officer at Sun Federal. 'They would very much like to have Flask in every operating system.'
And with the help of the most open development community, the most secretive agency could make it happen.

Flask's origins
NSA's National Information Assurance Research Laboratory has long grappled with the problem of how to secure computer networks and operating systems. The thinking goes that finding better ways to secure the nation's computers will make the populace safer from attacks.
It is a tough task. NSA researcher Peter Loscocco said any design he and his colleagues came up with would invariably have flaws because of the insecure nature of the end systems the software relied on. As a result, they started a research group to investigate ways to make operating systems more secure. Researchers from the University of Utah and Secure Computing Corp. also participated.
Loscocco said most operating systems follow the principle of discretionary security, in which access rights are assigned on a per-user basis. Users typically receive a set of permissions indicating what files and folders they can access and what applications they can run. And the root account usually has full control over the entire machine.
The problem with that approach is that any program a user executes inherits all the access rights of the user, Loscocco said.
'Any program you execute runs with your full set of permissions, irrespective of its function or trustworthiness,' Smalley said. 'As a consequence, any flaw in a program you may run or any actively malicious software is free to abuse your permissions.'
Flask controls the ability of processes to invoke operations. For example, it determines whether a process can read or write to a given file, send a signal to a given process, connect to a remote process or execute another program. It makes those determinations in accordance with a policy based on the security labels of the relevant processes and objects. If no explicit permission has been established, the action does not take place. That approach to security is called mandatory access control.
'MAC can confine flawed or malicious software because the access-control rules are defined by a security policy that gets enforced across the system,' Smalley said. 'That access-control policy is based on security labels that allow us to define system properties in terms of confidentiality and integrity for the whole system.'
Administrators can set security policies whenever they add a new program to a computer. Vendors can supply their own policies, though few have done so. Agencies can also craft policies to meet their specific needs, such as providing Multi-Level Security (MLS) access on a single machine.
With Flask, even the root account would not necessarily have total control over a machine. 'Because it is a centralized policy for the entire system, even though multiple users are on the system, none of them can change the security posture of the whole box,' Loscocco said.
'SELinux is all about labeling,' Walsh said. 'There are labels on the processes and labels on the files and objects. If any of the labels are wrong [when a process is started], then SELinux will cause denials.'
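To make the label-based decision described above concrete, here is an added toy model of the Flask arrangement. It is not NSA or SELinux code: a security server answers access questions from nothing but the labels on the subject and the object, and a file object manager owns the files and enforces the answer. The types, contexts and allow rules are invented for the example; in the real kernel the policy is compiled and the access-vector lookup is cached, neither of which is modelled here.

```python
"""Toy model of the Flask architecture: a security server that decides
purely from labels, and an object manager that enforces those decisions.
Added illustration, not NSA or SELinux code; the types, contexts and allow
rules below are invented for the example."""
from collections import namedtuple

# A security context in SELinux's user:role:type form (MLS level omitted).
Context = namedtuple("Context", "user role type")


def parse_context(text):
    user, role, type_ = text.split(":")[:3]
    return Context(user, role, type_)


class SecurityServer:
    """Decision point. Knows only labels, object classes and permissions;
    it never touches a file or socket itself."""

    def __init__(self, allow_rules):
        # {(source_type, target_type, object_class): {permission, ...}}
        self.allow = allow_rules

    def compute_av(self, scontext, tcontext, tclass):
        # Decisions key on types, not Unix uids: an httpd_t process running
        # as root gets exactly the same answer as one running as apache.
        return frozenset(self.allow.get((scontext.type, tcontext.type, tclass), ()))

    def has_perm(self, scontext, tcontext, tclass, perm):
        # Default deny: anything not explicitly allowed is refused.
        return perm in self.compute_av(scontext, tcontext, tclass)


class FileObjectManager:
    """Enforcement point. Owns the objects (a dict standing in for a file
    system), keeps their labels, and asks the server before every access."""

    def __init__(self, server):
        self.server = server
        self.files = {}    # path -> (Context, content)
        self.denials = []  # AVC-style audit trail of refused requests

    def create(self, path, label, content=""):
        self.files[path] = (parse_context(label), content)

    def _check(self, proc_label, path, perm):
        scontext = parse_context(proc_label)
        tcontext, _ = self.files[path]
        if self.server.has_perm(scontext, tcontext, "file", perm):
            return True
        self.denials.append(
            f"avc: denied {{ {perm} }} scontext={proc_label} "
            f"tcontext={':'.join(tcontext)} tclass=file")
        return False

    def read(self, proc_label, path):
        if not self._check(proc_label, path, "read"):
            return None
        return self.files[path][1]

    def write(self, proc_label, path, data):
        if not self._check(proc_label, path, "write"):
            return False
        ctx, _ = self.files[path]
        self.files[path] = (ctx, data)
        return True


# Invented policy fragment: the web server may read its content and append
# to its logs; nothing grants it access to shadow_t.
POLICY = {
    ("httpd_t", "httpd_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "create", "getattr"},
    ("sshd_t", "shadow_t", "file"): {"read", "getattr", "open"},
}


def demo():
    """A web server taken over through a zero-day tries to step outside its
    policy. Returns the outcome of each request and the denials logged."""
    om = FileObjectManager(SecurityServer(POLICY))
    om.create("/var/www/html/index.html", "system_u:object_r:httpd_content_t", "<html>")
    om.create("/etc/shadow", "system_u:object_r:shadow_t", "root:!!:17000:0:99999:7:::")
    web = "system_u:system_r:httpd_t"
    results = {
        "web_reads_content": om.read(web, "/var/www/html/index.html"),
        "web_reads_shadow": om.read(web, "/etc/shadow"),                       # no rule: denied
        "web_defaces_content": om.write(web, "/var/www/html/index.html", "pwned"),  # read-only: denied
    }
    return results, om.denials


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point to notice is what the server is not given: no uid, no file mode bits, no notion of root. The compromised httpd_t process is refused /etc/shadow simply because no allow rule names that pair of types, and it cannot deface its own content because the rule grants read but not write. That is the sense in which, as Loscocco says next, root does not get total control.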
Although MAC is nothing new in the world of trusted systems, Flask is unique in that it separates the policy-enforcement function from the decision-making function.
That separation might seem trivial, but it is important. Previous schemes for building trusted systems were hardwired for specific policies, such as those for secret government networks. That approach had the unfortunate effect of keeping agencies from enjoying the cost savings that come from using less expensive commercial systems for trusted tasks.
By making policy definition a stand-alone component, Flask allows industries with specialized security needs, such as the government, to easily harness a general MAC framework.

Flask for Linux and Solaris
The original Flask implementation took place in an experimental microkernel operating system called Fluke. It proved that Flask could work, but the operating system was too specialized for everyday use. So the NSA team decided to write a module that could be loaded into the Linux kernel; they introduced it in 2000.
Over time, engineers at other companies, including Red Hat, IBM, Hewlett-Packard, Tresys and Trusted Computer Solutions (TCS), helped with development, which was good news given the complexities involved. 'There was no way any OS company could do this technology without an open-source type of environment,' Walsh said. 'It's very complex, and it takes a full community to work on it.'
The effort paid off. Within a few years, Red Hat incorporated SELinux in Version 4 of Red Hat Enterprise Linux, where it was used to safeguard 15 applications. It is even more of an essential security feature in Version 5, which protects more than 200 applications, including essential programs such as Apache and Samba.
Red Hat is offering SELinux as a general-purpose security tool. 'We would love it if all our customers used SELinux,' Walsh said. However, its complexities could hinder widespread adoption for some time (GCN.com/1158). Still, the government market was one of the first to use SELinux for MLS or multidomain systems.
In the past, when agencies needed to combine network nodes of varying security levels on a single machine, they would buy specialized hardware or software. But all they needed was a set of processing rules to ensure that any movement of information across domains happened in a manner that adhered to policy rules.
'SELinux is a system that meets those needs very well,' Smalley said.
'Flask was innovative in the sense that it allowed for MLS to be one implementation of a security policy,' said Ed Hammersla, TCS' chief operating officer.
'You can take [Red Hat Enterprise Linux] 5 right off the shelf and configure it to run your local desktop, and you can crank that up all the way to the highest level of security required for cross-domain operations at multiple classified levels,' Hammersla added. 'To do all that from a mainstream OS is truly an innovation in the history of OSes.'
TCS uses Red Hat Enterprise Linux 5 and a set of MLS policies in its cross-domain systems for classified use.
Linux is not the only operating system to benefit from Flask. Earlier this year, Sun and NSA, with the help of the OpenSolaris developer community, began adding MAC to the kernel that will go into Sun's Solaris operating system. OpenSolaris is an open-source implementation of the operating system to which outside developers contribute changes.
Sun's latest implementation, called flexible MAC, is already available on the OpenSolaris site, although more work is needed to integrate it into the Solaris kernel. Eventually, 'it will come bundled with Solaris,' Vass said, and organizations can choose whether to deploy it.

Flask everywhere
SELinux and OpenSolaris' flexible MAC are the most well-known implementations of Flask, but other deployments have cropped up. The Defense Advanced Research Projects Agency and NSA have supported development of the TrustedBSD operating system, which has a MAC plug-in module called Security Enhanced BSD. It has been adapted for the Apple Macintosh operating system under the name Security Enhanced Darwin. According to the project's Web site, the work is in the experimental stages.
Furthermore, Flask technology is not limited to operating systems.
'The architecture can be applied to any software component that enforces security goals,' Smalley said.
Indeed, developers have created Flask modules for the PostgreSQL database; Xen virtualization software; X Window System for Unix; GConf software, which is used for storing Linux application preferences; and the D-Bus message bus system.
Developers have also extended Flask into the arena of network file storage. David Quigley, of NSA's National Information Assurance Research Laboratory, presented the latest work on the project, called Labeled NFS, at a meeting of the Internet Engineering Task Force held earlier this year in Philadelphia. The effort involves integrating Flask into the Network File System protocol, which is widely used for network-attached storage devices.

Onward and outward
Although the process is complex, applying Flask to a new set of software code is worth the effort.
'The job of actually instrumenting the kernel is a relatively small one, even for a big operating system,' Loscocco said. 'The more complex part is making sure the controls are in place [to] meet a particular set of security objectives. And that is a much bigger task.'
So could Flask be integrated into the most widely used operating system, Microsoft Windows? 'Sure,' Loscocco said. 'It would just take the will to do it.'
'One of the things we were hoping early on when we were developing Flask was to build a general-purpose security architecture,' Loscocco said.
'The fact that it has been applied to all these OSes and different applications shows it to be tried-and-true. So there would be nothing stopping Microsoft, or anyone with the source code of Microsoft, from doing a similar kind of thing.'
Sidebar: Flask resources

Flux Advanced Security Kernel: This Web site holds a number of the pivotal papers that first explained the concept of the Flask architecture.
National Security Agency's SELinux Page: Offers an introduction to SELinux.
NSA's SELinux documentation Page: Features papers, technical reports and
SELinux mailing list: Much of the communication about development of SELinux takes place via this mailing list.
SELinux Project Wiki: This site tracks current work on SELinux.
"Writing policy for confined SELinux users": An article in Red Hat Magazine that serves as a good introduction to using SELinux within Red Hat
Dan Walsh's SELinux blog: Red Hat SELinux engineer Dan Walsh offers tips for new users on figuring out SELinux.
"SELinux: NSA's Open Source Security Enhanced Linux" by Bill McCarty: This book provides both a high-level overview of how SELinux works and details on how to implement it on Linux.
"SELinux by Example: Using Security Enhanced Linux" by Frank Mayer, Karl MacMillan and David Caplan: A hands-on guide to deploying SELinux on Linux.
SELinux demonstration site: Australian developer Russell Coker has set up a server running Fedora Linux with SELinux for visitors to test how SELinux works in a live setting.

Other FLASK implementations:

SEDarwin: This page presents an overview of the work on SEDarwin, a project to bring Flask protection to the Apple Macintosh operating system.
Security Enhanced BSD: This home page provides details on the project to bring Flask security to the TrustedBSD operating system.
OpenSolaris Flexible Mandatory Access Control: This project will outfit the Solaris operating system with Flask controls.
SE-PostgreSQL: This project will outfit the open-source PostgreSQL database with Flask controls.
Labeled NFS: This project is enabling the Network File System with Flask controls. The site includes documentation and links to the mailing list.

Web extra: Policies or containers? Another approach to trusted security

Flask is not the only approach for using a mainstream operating system to create a trusted computer environment. At least one other approach, called containers, has long been championed by Sun Microsystems. "They both create a strong security model to secure against about anything," explained Bill Vass, president at Sun's federal subsidiary.
Yet debating the merits of each has led to some lively disagreements. "This is really a religious discussion among security experts," Vass added.
The Trusted Extensions module Sun offers for its Solaris OS uses the container approach. "With Trusted Extensions, you can create a container that is labeled as classified or unclassified, and any application you run within that container is protected and runs within that classification level," Vass said.
The advantage of the container-based approach over Flask's per-process, per-file approach is that it is much simpler to administer, Vass said. With Flask, you need to create a policy for each version of a program being run; if a new version of the program is used, the policy must be updated. "A new version could open up new application programming interfaces. You have to maintain the policy," Vass said.
Indeed, putting a Flask implementation such as SELinux into action can be a chore for the administrator. About half of the Red Hat Enterprise Linux deployments have deactivated SELinux, admitted Daniel Walsh, principal software engineer, and software lead for SELinux. "SELinux has a reputation for being difficult to work with," Walsh said.
Administering policy is "not rocket science, but it's not something you can fall out of bed and do right away," agreed Ed Hammersla, chief operating officer of Trusted Computer Solutions.
Each time a program is added to an SELinux environment, the administrator must record all the actions that program can take when it runs, as well as all the files it consults, and then express each of them as rules in the SELinux policy for that program, a task not unlike writing a new program.
The good news is that tools are being developed to help with this work. Red Hat ships semanage, a command for adjusting the installed policy's settings, such as booleans, port labels and file contexts, without writing new policy, and setroubleshoot, which deciphers AVC denial messages and suggests a fix. audit2allow, part of the standard SELinux policy tools on any distribution, reads the denials an application has generated and produces the allow rules a policy for that application would need. Tresys also offers graphical user interface-based tools for creating and editing policies.
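The record-the-denials, then-write-the-rules cycle just described is what audit2allow automates. The following is an added example, not audit2allow's own code: it parses denial records in the audit.log format, merges them into allow rules the way the tool does, and then performs the step the tool leaves to the administrator, separating rules that fill in a legitimately missing permission from ones that would simply grant the access SELinux just stopped. The audit lines, the module name and the list of sensitive types are constructed for the example.

```python
"""Turn AVC denial records into candidate allow rules, the way audit2allow
does, and review them instead of loading them blindly. Added illustration,
not audit2allow itself; the audit lines and the sensitive-type list are
constructed for the example."""
import re
from collections import defaultdict

# Constructed sample in the format of /var/log/audit/audit.log: a web
# application that needs a config file and a database port, plus one
# denial that is the policy doing its job.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1216384800.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="app.conf" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1216384800.456:46): avc:  denied  { open } for  pid=1234 comm="httpd" name="app.conf" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1216384801.001:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1216384802.777:48): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev=sda1 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1216384802.777:48): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

# Invented review rule: denials against these target types are the policy
# working as intended and must never be converted into allow rules.
SENSITIVE_TYPES = {"shadow_t", "security_t"}


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, {perms}) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no AVC fields
            yield (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"],
                   set(m["perms"].split()))


def merge_denials(text):
    """Collapse repeated denials into one permission set per
    (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def format_rule(key, perms):
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def review(merged):
    """Split candidate rules into ones that look like a missing legitimate
    permission and ones that would punch a hole through the policy."""
    keep, reject = [], []
    for key, perms in sorted(merged.items()):
        (reject if key[1] in SENSITIVE_TYPES else keep).append((key, perms))
    return keep, reject


def build_module(name, accepted):
    """Emit policy module source (.te) for the accepted rules, in the shape
    'audit2allow -M' produces for checkmodule and semodule_package."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in accepted:
        types.update((src, tgt))
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [format_rule(k, p) for k, p in accepted]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    keep, reject = review(merge_denials(SAMPLE_AUDIT))
    print(build_module("httpd_local", keep))
    for key, perms in reject:
        print("# REJECTED, investigate instead:", format_rule(key, perms))
```

The review step is the part that matters. Of the four denials, three describe the application doing its job (reading its config, connecting to PostgreSQL) and one describes httpd reading /etc/shadow; a rule generated from the fourth would be exactly the hole Walsh's "last line of defense" exists to close. In practice the accepted module is built and loaded with `audit2allow -M name` followed by `semodule -i name.pp`, and the rejected denial is a reason to look at the application, not at the policy.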
While label-based security can be a chore, shortcomings exist with the container-based approach as well. Stephen Smalley, one of the chief NSA developers behind Flask, noted that although a container isolates an instance of an OS, so that any harm a malicious or flawed program causes is limited to that container, containers don't necessarily ensure that the data within them is protected, something Flask can do. A malicious program inside the container could still corrupt the data. Also, high-security environments still need a way to pass data back and forth, or a way to enact some form of "controlled sharing," as Smalley puts it.
Ultimately, containers versus labels is not an either-or proposition. Vass noted that both can work together for greater security. With Sun ramping up a project to bring Flask to Solaris, called Flexible Mandatory Access Control, users can get both containers and labeled policy on a single box. He gave a hypothetical example.
"You could have an unclassified container and a classified container, and then within the classified label, you could run Apache at three different layers of classification. Say you had one level that is classified for the U.S. military. One is classified for NATO and one is classified for a coalition partner. And through a policy, you can constrain what each one does," he suggested.