NSA Backing Secure Linux OS Development

ColPanic writes "Looks like the NSA is gonna have a Linux OS of their very own soon. They have selected Secure Computing to develop a high security version of Linux."

Riiight.

Not to start a war, but why not OpenBSD?

Wouldn't it be better to audit OpenBSD for their purposes, since it's already designed for that purpose. Or even FreeBSD?

I asked the question because I am honestly interested in the answer, not some zealot telling me, "LINUX IS SECURE!" or something inane like that.

Pre-emptive strike against cluelessness

Remember, the GPL only requires you to give source to people you give binaries to. If Secure Computing only gives binaries to the NSA, there is no reason they need to give source to Linus.
---

IPO

Will this pave the way for an NSA-Linux IPO? ;-)

Wow

I actually just talked to these guys on the phone today, regarding performing a security audit of our company. They're really with-it, especially about Open Source stuff. The NSA has been running their software for years now, and now they're moving towards Linux and OpenBSD.

-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Riiight.

Also, the licensing would be cleaner if they don't want to fully release the source. If they use Linux and then release the source, wouldn't they in effect be providing a a very useful tool for U.S. enemies?

Another thing that kind of blows me away is just the fact that there even was a press release. The NSA used to be so secretive, that few even knew it existed. I wouldn't be surprised if this isn't a subtle ploy by them to recruit geeks. They've always been one of the biggest high-tech employers in the DC area, but with the high-tech boom now going on around DC, it is very dificult to hire competent tech staff at government wages (its not like you can count on the feds having an IPO in the near future.)

if you can't beat 'em, join 'em

The latest draft of the US cryptography-export regulations let you post open-source crypto software without any government review or license; all you need to do is send the government the URL where it can be downloaded. These regulations are scheduled to go into effect tomorrow.

As Michael H. Warfield points out in this linux-kernel message [lwn.net], it's a golden opportunity to get IPSEC into the 2.4 kernel, and US-based Linux distributors can now bundle PGP, SSH, etc., with their next versions.

Maybe the spooks (or at least, the spook-meisters) are doing a 180 turn on how to deal with cryptography distribution, from "don't let anyone else have it" to "if everyone else has it, we want it, too".
--
"But, Mulder, the new millennium doesn't begin until January 2001."

Re:GPL Considerations

IANAL but yes, contractors working on GPL have to release source code, but only to those to whom they've sent binaries. And they can't encumber the NSA from further copying/publishing it. But NSA might not want to.

But nothing in the GPL says the contractor has to release it to anyone else. The GPL is privacy-friendly: no-one is obligated to publish modifications. But once they are published, source must accompany it, and copying cannot be restricted.

-- Robert

Licencing thoughts and issues

At first, I couldn't understand why the NSA would want to do this. Linux is GPLed, and they'd have to make any changes public.

Then I remembered a previous GPL argument, when a company had made -internal- changes and did NOT have to make the changes public, as the GPL does NOT cover these.

The NSA version would fall into the same category, I suspect, with contractors deemed a part of the same organisation, as far as the GPL is concerned. Always assuming the contractor developed any of the secret stuff. The NSA has more than enough top people to code that part themselves, just to make sure there isn't a GPL conflict.

Then, I wondered why they didn't branch off from OpenBSD. That's already mostly secure, there's a good base to work from, and it's stabilty is phenominal. Then I realised. They've probably already GOT ultra-secure versions of OpenBSD for PC-based, single-processor servers, but Linux isn't just for PC's or just for one processor.

If you want a lightweight system that'll run on embedded devices (such as wiretaps), massive-scale multi-processor devices (such as extreme number-crunchers eg: code-crackers, etc), or obsolete hardware (such as stacks of IBM S/390's) then Linux is the one to go for. It's ideal for such functions and such platforms. OpenBSD, etc, would require too much work to make them both multi-processor and multi-platform -enough- to be useful in a meaningful timeframe.

This isn't to start any kind of flame-war, but I'm sure OpenBSD is used in it's primary environment (because it's GOOD), and Linux is going to be used everywhere else (because it's GOOD -and- THERE.)

Patriot

Man, talk about a version conflict...

=================================
ERROR 10948:
Red Flag Linux detected. You did
not see this error, and troops have
been dispatched to your location, you
filthy traitor. Remain seated and your
death shall be quick and painless.
=================================
-- RED, WHITE, AND BLUE FLAG LINUX

"Yes, we're developing a distribution.. but if we told you anything more we'd have to kill you (and the binaries)."

Actually they don't allow that

Read more closely. They allow you to post the source-code. The binaries appear to be another kettle of fish...

Take a look at a longer description [slashdot.org] that I got from Frank Hecker in email.

Cheers,
Ben

Re:not trying to pick a fight...

In the standard Unix security model, once an attacker is logged in as root, or gets his/her program to run as root, or exploits a weakness in a program that runs as root ... "game over, man, game over".

According to this summary [securecomputing.com] of Sidewinder's system, the only way you can get this level of access is by booting the "administrative kernel", and when the administrative kernel is running, all network connections are disabled. While running the normal "operational kernel", every process can be restricted to handling certain file types and system calls. This way, for example, your netnews server and FTP server can have administrators who can't access one another files or processes. If, say, a Belgian spy compromises your netnews administrator's account, the spy still couldn't send out anything over FTP.
--
"But, Mulder, the new millennium doesn't begin until January 2001."

Re:yet the paranoid will say "It's for backdoors"

Duh. Of course the NSA wants to analyse Linux and know about any backdoors there; how else will it take advantage of them?

... no wait, you were talking about adding backdoors? Never mind. ;-)

By the way ... You may not know that the NSA has a research arm that's distinct from its SIGINT operations (and export control operations, and secure network operations, and ...). One of their ongoing problems has been to get "Commercial, off-the-shelf" (COTS) software to be good enough for use in sensitive systems. Commercial vendors have been unable to meet those requirements, since the market they'd hit is too miniscule. "Trusted Solaris" and so on; always multiple revs behind. And almost always pains in the behind to administer.

Another possible scenario is that the face value here is the right one: they want to see some standard Linux distributions get hardened, so that some real administrators will identify the problems so they can get fixed. And so the government can use more current technology in those sensitive systems ! They've been getting too far behind, and needing training that's too specialized. Linux would seem to have the potential of hosting a great fix!

Re:Riiight.

I'd say it probably depends on this Type Security thing they talk about. They talk about partitioning the kernel into discrete parts, each one getting specific permissions. That's not what openbsd has. Openbsd has done a very thorough security audit. If openbsd doesn't already use their security technique, it'd probably be just as much work to use this on openbsd. Linux has the advantage of having more functionality and devices working with it, so if it's going to take just as much work for either kernel, why not go with the one with more toys?

Re:Pre-emptive strike against cluelessness

Back in March, I talked to RMS himself on this very topic. And the original poster is correct. RMS stated that he is concerned that those that receive software have the same rights to that software (because they bought it or what not) as the one that gave it to them. If I wrote software for you, then you must have the same rights to sell that or give it away as I did. So, my take from this, is that you must give (not restrict) the rights to those that you distribute it to. If you only distribute it to one person, or company, than that person/company doesn't want to give it away, then noone has to.

I mentioned the way I do business with my company, to RMS. We sell software to our customer (usually the government) and we give them the source and the rights to modify that source (just like GPL) but they don't in turn give it to anyone else, although we don't restrict them from doing so. He told me that, that is custom programming and he has nothing against it. The GPL would not affect that at all, except if the government wanted to imposed their own license.

So, in theory, you can have a little club of people that have some modification of the Linux kernel that no one else can see. But all it takes is one person to give it away to anyone to destroy that. The club cannot (under GPL) restrict anyone from doing so.

Steven Rostedt

Experience with "Type Enforcement"...

A little background.

I've been consulting, installing, and using Secure Computing's Sidewinder firewall for about 3.5 years now, which includes the "Patented Type Enforcement Technology". Here's the skinny..

Type enforcement was developed by Secure Computing to be run on a Motorola mini computer system for the NSA about 10-15 years ago. This was specificly designed to be a system to hold both classified and non-classified information, with both classified and non-classified users.

What type enforcement does is create a series of domains within the context of the operating system. Each file and user is assigned to a domain, or a series of domains, and cannot pass domain boundaries, unless explicitly allowed. Attempting to cross boundaries will result in the offending application being killed by the system kernel, the attempted logged, and alarms rung.

The important thing here is that the domain permissions and rules are set in the kernel itself, and changing those rules requires a recompile. I know that Secure Computing was working on a 'type enforcement lite', where the rules were enforced by a userspace daemon, but I hadn't seen anything about that for quite awhile.

Sidewinder is a damned effective firewall, due to the type enforcement. Even if someone breaks a proxy or service running on the outside of the firewall, you still haven't breached the firewall, since there is no logical path to the inside domains or the internal ethernet card, except through a series of named pipes between dual IP stacks (one for the 'outside' and one for the 'inside'). Breaking through those is extremely non-trivial, since every time you touch the wrong domain, you get kicked and logged.

Type enforcement is real, and it's been around for a very long time. And works very well.


jf

Re:Pre-emptive strike against cluelessness

So, in theory, you can have a little club of people that have some modification of the Linux kernel that no one else can see. But all it takes is one person to give it away to anyone to destroy that. The club cannot (under GPL) restrict anyone from doing so.

Correct..

Legally the way it would work is: If someone starts selling NSA/Linux then they will be required to give away the source, but the NSA could try and stop them from selling NSA/Linux.. and it would be a big fight. Unfortunatly, OSS would probable loose to the NSA in a legal battle over the GPL.. national security and all that crap. On the other hand the NSA knows what kind of contract they are getting into now.

The real question is further restricted distribution, i.e. the NSA giving the NSA/Linux source to a contractor grants the contractor distribution rights. National security can will probable trump this in hind sight, but we might be able to force the NSA not to give it to contractors without distribution rights in the first place.. via the GPL.

Interpretation: Do not try and use the GPL to trck the NSA into giving away stuff, but do use it to push them into giving it away in the first place.

Jeff

DTE for linux - available as a patch!

oops - messed it up last time! Doh!

at this url: http://research-cistw.saic.com/cace/dte.html [saic.com]

(Hope that someone reads down far enough to moderate this up). The site has a good explanation of what DTE is, but I don't know how active they are.

They have a patch against 2.2.13, which was created on Dec 13 1999. So its not too out of date, though it will have to be forward ported to 2.3 I suppose...

Maybe the NSA should be spending their money elsewhere - or maybe they should clue up to what open source is all about.

I wonder what is covered by the patent Secure are so proud of?

Other NSA Secure Linux work

There is another ongoing NSA Secure Linux project. It is being done by the Computer Security Research Division at NSA. They are attempting to port the Flask Security Architecture [utah.edu] to Linux. Flask is a policy-flexible OS security architecture.

Their Secure Linux project page is available [utah.edu].

Patent issues and the GPL

The press release brags about "Secure Computing's patented Type Enforcement technology". Clearly, to make this work they need to put their type enforcement stuff in the kernel. However, the GPL in Clause 7 specifically states

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

This means that Secure Computing must grant a royalty-free license to all direct or indirect recipients to use their patented technologies in Linux kernels. Other clauses of the GPL forbid them from restricting redistribution. So are they giving up hope of making money on their patent? Do they know this?

Some NSA secure system history

NSA has funded a long series of special-purpose secure systems, many of which are on the Evaluated Products List. [ncsc.mil] Unfortunately, many of the more secure systems were developed for unpopular platforms, such as Wang, Unisys, and Data General hardware.

An A1 rating [ncsc.mil] of a high-rated system is worth reading. This gives you an idea of what it takes to get it right. At the lower levels, it's easier; Microsoft NT 4.0 with service pack 6A plus a "C2 hotfix set" [ncsc.mil] finally got a C2 rating (the lowest offered), after years of failed attempts. Microsoft had to use the new "outside evaluator" system to do it, rather than having NSA itself do the evaluation. The difference is that NSA only gives you two tries to pass. You can pay an outside evaluator to let you try again and again. NSA allows this at the lowest security level to encourage vendors to try to meet the minimal C2 requirements.

It makes a lot of sense for NSA to fund an effort based on Linux; they'll get something they can run on popular hardware. But some major kernel changes will be needed to get into the B levels. (NSA never had much interest in C-level systems.)

I've been out of that world for a long time now, but from 1978 to 1982 I worked on KSOS [nist.gov], an early NSA-funded attempt to build a secure UNIX-like OS. The original design was done at SRI International, and we at Ford Aerospace implemented it. It eventually worked, but was too slow. It was for PDP-11 machines (0.5 MIPS, 64K address space per process), and was implemented in Modula I, since C was considered unsafe even back then. The combination of an inefficient Modula compiler and a small address space ruined the thing; we had to cut out speed optimizations to make it fit. This was one of the first systems designed against the Orange Book [ncsc.mil] criteria, which, incidentally, started life as Grace Nibaldi's master's thesis. [nist.gov]

BSD Unix, incidentally, was viewed as hopeless from a DoD security standpoint. The kernel was far too complicated. A rewrite in Ada was considered in the early 1980s, but rejected. The DoD view at the time was that BSD was a dead end, and Mach was the future. They wanted something at least as secure as Multics, which was a system from the late 1960s rated at B2 in 1985. [ncsc.mil] But that's another story.