
NSA Security-Enhanced Linux (SELinux)

Grant M. Wagner (gmw@tycho.nsa.gov), Information Assurance Research Group, National Security Agency. http://www.nsa.gov/selinux


Presentation Transcript


  1. NSA Security-Enhanced Linux (SELinux)
     Grant M. Wagner, gmw@tycho.nsa.gov
     Information Assurance Research Group, National Security Agency
     http://www.nsa.gov/selinux

  2. The Need for Secure OS
     • Increasing risk to valuable information
     • Wide variety of application space security solutions
     • Dependence on OS protection mechanisms
     • Inadequacy of mainstream operating systems
     • Discretionary access controls can't do the job
     • Key missing feature: Mandatory Access Control (MAC)
     • Administratively-set security policy
     • Control over all processes and objects
     • Decisions based on all security-relevant information

  3. What can MAC offer?
     • Strong separation of security domains
     • Separate data based on confidentiality/integrity/purpose
     • System, application, and data integrity
     • Protect against unauthorized modifications
     • Prevent ill-formed modifications
     • Ability to limit program privileges
     • Safely run code of uncertain trustworthiness
     • Prevent exploit of flaw in program from escalating privilege
     • Limit each program to only what is required for its purpose

  4. What can MAC offer?
     • Processing pipeline guarantees
     • Ensure that data is processed as required
     • Split processing into small, minimally trusted stages
     • Encryption, sanitization, virus scanning
     • Authorization limits for legitimate users
     • Decompose administrator role
     • Partition users into classes based on position, clearance, etc.

  5. SELinux provides Flexible MAC
     • Flexible comprehensive mandatory access controls for Linux implemented as a Linux security module
     • Building on 12 years of NSA’s OS Security research
     • Application of NSA’s Flask security architecture
     • Cleanly separates policy from enforcement using well-defined policy interfaces
     • Allows users to express policies naturally and supports changes
     • Comprehensive fine-grained controls over kernel services
     • Transparent to applications and users
     • Role-Based Access Control, Type Enforcement, optional Multi-Level Security, easily extensible to other models
     • Highly configurable (example configuration provided)

  6. SELinux Security Impact
     • Limits damage from virus/trojan horse infection
     • Can inhibit virus propagation
     • Eliminates most privilege elevation attacks
     • Constrains damage from undiscovered exploits
     • Servers need not be granted admin privileges
     • Reduces need for immediate security patching
     • Reduces dependence on all-powerful admin
     • Critical services and data can be isolated
     • Allows control over user actions

  7. SELinux Research Success
     • SELinux developed at NSA as research prototype
     • Public release in Dec 2000 w/regular updates since
     • Currently included as security module in 2.6 Kernels
     • Continues to be excellent platform for security research

  8. SELinux Acceptance
     • SELinux was released as a reference implementation
     • Direct benefit to Linux
     • Other OS groups incorporating technology
     • Direct User benefit
     • Meeting real security needs
     • Growing user/developer community is contributing back
     • Open Source can be powerful technology transfer tool

  9. Interest in SELinux
     • Corporate
     • Used or being considered for use in products/solutions
     • Wide variety of industries including OEMs, ISPs, Defense, Telecommunications, SCADA systems, PDAs and other consumer electronics
     • Linux Distributors accepting technology
     • Red Hat/Debian/Gentoo/Others???
     • SELinux deployments
     • Corporate, government, universities

  10. Research Direction
     • Further user space integration
     • Complete integration into networked environment
     • Integrate with 2.6 IPSEC and NFSv4 implementations
     • Security-Enhanced X Windows
     • Policy specification and analysis tools
     • Policy management service
     • Platform for application security mechanisms

  11. Want to learn more?
     • Available at: http://www.nsa.gov/selinux
     • Mailing list: Send 'subscribe selinux' to majordomo@tycho.nsa.gov
     • e-mail: selinux-team@tycho.nsa.gov
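
The policy/enforcement split and the Type Enforcement and role controls named on slide 5 can be sketched as a toy model. This is an added example, not code from the presentation or from SELinux itself; the class names, the type names (`httpd_t`, `shadow_t` and so on) and the rules are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:                      # security context attached to every process/object
    user: str
    role: str
    type: str

class SecurityServer:
    """Policy side: owns the rules and answers access queries, deny by default."""
    def __init__(self, allow_rules, role_types):
        self.allow = {}             # (source type, target type, class) -> permissions
        for src, tgt, cls, perms in allow_rules:
            self.allow.setdefault((src, tgt, cls), set()).update(perms)
        self.role_types = role_types    # RBAC: role -> domains that role may run in

    def compute_av(self, scon, tcon, tclass):
        if scon.type not in self.role_types.get(scon.role, set()):
            return frozenset()      # role is not authorized for this domain
        return frozenset(self.allow.get((scon.type, tcon.type, tclass), ()))

class ObjectManager:
    """Enforcement side: holds no policy logic, only queries and caches decisions."""
    def __init__(self, server):
        self.server, self.avc = server, {}

    def has_perm(self, scon, tcon, tclass, perm):
        key = (scon, tcon, tclass)  # the Unix uid is not part of the decision
        if key not in self.avc:
            self.avc[key] = self.server.compute_av(scon, tcon, tclass)
        return perm in self.avc[key]

    def load_policy(self, server):  # a policy change flushes cached decisions
        self.server, self.avc = server, {}

# Constructed sample policy: a web server domain limited to what it needs.
ALLOW = [("httpd_t", "httpd_content_t", "file", {"read", "getattr"}),
         ("httpd_t", "httpd_log_t", "file", {"append"})]
ROLE_TYPES = {"system_r": {"httpd_t"}, "user_r": {"user_t"}}

def demo():
    om = ObjectManager(SecurityServer(ALLOW, ROLE_TYPES))
    httpd = Context("system_u", "system_r", "httpd_t")
    content = Context("system_u", "object_r", "httpd_content_t")
    shadow = Context("system_u", "object_r", "shadow_t")
    wrong_role = Context("user_u", "user_r", "httpd_t")
    out = {"read content": om.has_perm(httpd, content, "file", "read"),
           "write content": om.has_perm(httpd, content, "file", "write"),
           "read shadow": om.has_perm(httpd, shadow, "file", "read"),
           "wrong role": om.has_perm(wrong_role, content, "file", "read")}
    extra = [("httpd_t", "httpd_content_t", "file", {"write"})]
    om.load_policy(SecurityServer(ALLOW + extra, ROLE_TYPES))  # enforcement code unchanged
    out["write after reload"] = om.has_perm(httpd, content, "file", "write")
    return out

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```
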
