Information Security News mailing list archives

Uncovering the secrets of SE Linux

From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Mar 2001 22:42:42 -0600

Forwarded by: Elyn Wollensky <elyn () consect com>

http://www-106.ibm.com/developerworks/library/s-selinux/?n-s-381

The first in-depth look at the SE Linux code
Larry Loeb (larryloeb () prodigy net)
Author, Secure Electronic Transactions
March 2001

In an uncharacteristic move, the U.S. National Security Agency
recently released a security-enhanced version of Linux -- code and all
-- to the open source community. This dW-exclusive article takes a
first look at this unexpected development -- what it means and what's
to come -- and delves into the architecture of SE Linux.

Dropping the bomb

It came from out of the blue, without fanfare. The "new" National
Security Agency threw out a security-enhanced version of the Linux 2.2
kernel (called SE Linux ) into the open source community. Not only
that, they gave out background briefing papers on the research
methodology that they used to model whether or not SE Linux was truly
secure.

If you haven't been following the cryptography area lately, let me
assure you that this action by the NSA was the crypto equivalent of
the Pope coming down off the balcony in Rome, working the crowd with a
few loaves of bread and some fishes, and then inviting everyone to
come over to his place to watch the soccer game and have a few beers.
There are some things that one just never expects to see, and the NSA
handing out source code along with details of the security mechanism
behind it was right up there on that list. Up to this point, the NSA
has embodied in itself the classic Cold War paranoia imperative of the
past 50 years ("If you knew what we knew, you'd agree with us"). To
see it spewing source like some long-haired Stanford student was
enough to make for uncontrollable twitching.

But, they seem to mean it. The distribution .tgz file contains no
secret Trojan horse that reads the data on your hard disk and then
sends it all back to Fort Meade. There's no way to hide a trap door in
code that all can comment upon and analyze. It is true that the NSA
does need a secured OS to do that voodoo that they do so well, and
they seem to have plans to actually use SE Linux internally. By
incorporating a commercial product called NetTop, it's been reported
that the NSA will replace several physically separated computers (this
implies the "air gap" method of operational security -- differing
levels of security on physically separated systems) with one box
running SE Linux (see Resources).

[...]

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

Current thread:

Uncovering the secrets of SE Linux InfoSec News (Mar 09)
- <Possible follow-ups>
- Re: Uncovering the secrets of SE Linux James Goldston (Mar 12)
- Re: Uncovering the secrets of SE Linux InfoSec News (Mar 12)
- Re: Uncovering the secrets of SE Linux InfoSec News (Mar 13)