Secure Linux

Question 1: Why did you enter into this Contract?

The National Security Agency (NSA) awarded this contract to develop a secure application system for potential NSA use that required Linux with Type Enforcement ^TM (TE) as a component. Secure Computing Corporation (SCC) saw that such a component would also be able to play a valuable role in its commercial business strategy.

As Linux continues its rapid acceptance, it is critical to provide security capabilities to the Linux community. This contract serves as a vehicle to provide such a capability, that leverages the best of technologies developed by both organizations.

Question 2: Why is this program / technology important? Who needs these solutions?

For some time now Industry analysts, including Michael Zboray at the Gartner Group and Jeffrey Zammas at the Meta Group, have identified the need for trusted operating systems that provide mandatory access control, confinement, and least privilege as a prerequisite for secure e-commerce. This is precisely the sort of protection that Type Enforcement provides. It is a crucial component of Secure Computing's Sidewinder firewall. Once it is available on Linux, vendors can use TE to protect a wide variety of servers that are critical to the enterprise, including web, directory, and database servers. The need for new security mechanisms, including Type Enforcement ^TM, is explained in "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments" [Loscocco, Peter; Smalley, Stephen; et al., Proceedings of the 21^st National Information Systems Security Conference, October 1998] http://www.cs.utah.edu/flux/fluke/html/inevit-abs.html

Question 3: Describe the partnership between SCC and NSA?

The NSA has been involved with TE from the beginning, having sponsored a number of TE related projects at SCC, including LOCK, DTMach, and DTOS. The technical team in NSA's Information Security Computer Science Division worked very closely with the SCC DTOS technical team. Over the past six months, the team at NSA has been developing a version of Secure Linux. Both NSA and SCC believe that combining the collective knowledge and experience of the two teams will result in a very solid security solution for us to submit to the Linux community.

As the two teams work together, SCC and NSA will leverage each other’s expertise to develop a code base. Once the code is published, we hope a number of other people and organizations will choose to propose extensions and improvements to it. We are excited about this opportunity to contribute what we believe is a solid security solution to the Linux community, and we look forward to fruitful, stimulating technical discussions on how to make it better.

Question 4: How widely do you expect this type of system to be accepted or deployed?

We see broad applicability for such a system. Recent traffic on the Internet in response to SCC’s press release appears to confirm this belief. At this point, it is impossible to quantify the number of security enhanced Linux systems that will be deployed.

Question 5: What is the project’s position with respect to the GPL and open source requirements for Linux?

We plan to provide the security enhancements made to Linux under this project to the community without restriction in full compliance with the letter and spirit of the GPL.

Question 6: Will SCC use its patent on Type Enforcement ^TM to restrict use, future development, derivative work, or release of the source code of the system?

There will be no restrictions on the use of TE by the Linux open source community. We believe that leveraging the resources of the Linux community is the best way to develop robust security for Linux. Our modifications to Linux will consist of:

• strong policy enforcement code which is integrated into the kernel itself and
• a flexible policy engine which is structured as a separate kernel component.

We will release source code for all the modifications to the existing kernel and for a general-purpose security policy engine under the GPL. We are still defining the exact functionality of this engine, but it will support a broad set of basic applications, it will be functional, and it will be complete enough to enable the Linux community to develop other policy engines. We expect that others will choose to enhance this code and return their enhancements to the community.

Question 7: What is the timeline for completing this development activity?

We recognize that this development activity is only the first step in providing security mechanism into the Linux kernel. We are aiming for an initial release of the kernel and key operating system utilities in June 2000. Subsequent updates to the initial release will be made available through the life of the contract and beyond as this technology gains acceptance and we receive feedback and comments from the Linux community.

Question 8: Where can one learn more about this technology?

SCC and the NSA have both spent years investigating and developing operating system security. Both organizations have published numerous papers on these technologies. A good summary of the most recent NSA project, FLASK, and pointers to details are available at http://www.cs.utah.edu/flux/fluke/html/flask.htmlSCC will have a library of security technology documents available on their web page, http://www.securecomputing.com available in March. The library section will provide technical white papers describing TE as well as reports on previous SCC secure operating system development.

Question 9: How can I learn more your security enhancements for Linux, and how can I contribute?

The mail alias strong-linux@securecomputing.com has been established for these purposes.