Security is No Secret

Author: Joab Jackson
Original article published on GCN.com July 21, 2008. Reprinted with permission.

NSA takes its Flask architecture to the open-source community to offer an inexpensive route to trusted systems.

Architecture created by the National Security Agency and expanded with help from the open-source community will save the Defense Department and intelligence agencies millions in hardware costs.

Analysts used to need multiple computers because they worked on separate machines for each classification level of data they accessed. Soon, users will be able to access data from a single console that could cost $500 or less, thanks to the NSA security architecture dubbed Flask.

With Flask, “we can guarantee that high-integrity data can’t be corrupted by untrustworthy entities or that sensitive data doesn’t leak to untrustworthy entities,” said Stephen Smalley, one of the chief developers of Flask at NSA. The best part is that the technology requires no specialized hardware or operating system.

And that is only one of the potential security benefits. NSA officials said they hope software vendors will adopt the technology to better secure their products.

The Linux community was one of the first groups to embrace Flask. With the help of open-source developers, NSA created a Linux security module based on Flask, called Security-Enhanced Linux (SELinux). It is now one of the core features in the widely used Red Hat Enterprise Linux.

“What it really helps out with is something called zero-day exploits,” said Daniel Walsh, a principal software engineer at Red Hat and leader of the company’s SELinux team. “If you have a bug in your software that allows a machine to be taken over, SELinux [provides] another layer of controls to make sure that application only does what it was designed to do. SELinux is your last line of defense.”

Flask is not limited to Linux. Earlier this year, one of the heavyweights in multilevel security — Sun Microsystems — embarked on its own implementation of Flask for the Open-Solaris operating system. Sun officials hope the open-source community will help it tweak its implementation.

Flask is “what they are advocating as a future security model,” said Bill Vass, president and chief operating officer at Sun Federal. “They would very much like to have Flask in every operating system.”

And with the help of the most open development community, the most secretive agency could make it happen.

Flask’s Origins

NSA’s National Information Assurance Research Laboratory has long grappled with the problem of how to secure computer networks and operating systems. The thinking goes that finding better ways to secure the nation’s computers will make the populace safer from attacks.

It is a tough task. NSA researcher Peter Loscocco said any design he and his colleagues came up with would invariably have flaws because of the insecure nature of the end systems the software relied on. As a result, they started a research group to investigate ways to make operating systems more secure. Researchers from the University of Utah and Secure Computing Corp. also participated.

Loscocco said most operating systems follow the principle of discretionary security, in which access rights are assigned on a per-user basis. Users typically receive a set of permissions indicating what files and folders they can access and what applications they can run. And the root account usually has full control over the entire machine.

The problem with that approach is that any program a user executes inherits all the access rights of the user, Loscocco said.

“Any program you execute runs with your full set of permissions, irrespective of its function or trustworthiness,” Smalley said. “As a consequence, any flaw in a program you may run or any actively malicious software is free to abuse your permissions.”

Flask controls the ability of processes to invoke operations. For example, it determines whether a process can read or write to a given file, send a signal to a given process, connect to a remote process or execute another program. It makes those determinations in accordance with a policy based on the security labels of the relevant processes and objects. If no explicit permission has been established, the action does not take place. That approach to security is called mandatory access control.

“MAC can confine flawed or malicious software because the access-control rules are defined by a security policy that gets enforced across the system,” Smalley said. “That access-control policy is based on security labels that allow us to define system properties in terms of confidentiality and integrity for the whole system.”

Administrators can set security policies whenever they add a new program to a computer. Vendors can supply their own policies, though few have done so. Agencies can also craft policies to meet their specific needs, such as providing Multi-Level Security (MLS) access on a single machine.

With Flask, even the root account would not necessarily have total control over a machine. “Because it is a centralized policy for the entire system, even though multiple users are on the system, none of them can change the security posture of the whole box,” Loscocco said.

“SELinux is all about labeling,” Walsh said. “There are labels on the processes and labels on the files and objects. If any of the labels are wrong [when a process is started], then SELinux will cause denials.”

Although MAC is nothing new in the world of trusted systems, Flask is unique in that the policy-enforcement function has been separated from the decision-making function.

That separation might seem trivial, but it is important. Previous schemes for building trusted systems were hardwired for specific policies, such as those for secret government networks. That approach had the unfortunate effect of keeping agencies from enjoying the cost savings that come from using less expensive commercial systems for trusted tasks.

By making policy definition a stand-alone component, Flask allows industries with specialized security needs, such as the government, to easily harness a general MAC framework.
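The label-based, default-deny decision described above and the split between enforcement and decision-making can be seen in a small simulation. This is an added example, not code from NSA, Red Hat or the SELinux project: the object manager only enforces, a security server decides, and the decision component is swapped from a rule-table policy to an MLS (no read up, no write down) policy without touching the enforcement code. All label names, rules and paths are constructed for the example and are not real SELinux policy.

```python
# Added simulation of the Flask split described above: an object manager enforces,
# a separate security server decides, and the decision component can be swapped.
# Labels, rules and paths are constructed for this example, not real SELinux policy.
from collections import namedtuple

Query = namedtuple("Query", "source target cls perm")  # one access-check request

class TypeEnforcementServer:
    """Decision component: only an explicit allow rule grants access."""
    def __init__(self, allow_rules):
        self.rules = {Query(*r) for r in allow_rules}
    def decide(self, q):
        return q in self.rules

class MlsServer:
    """Decision component for an MLS policy: no read up, no write down."""
    def __init__(self, levels):
        self.levels = levels  # label -> clearance or classification level
    def decide(self, q):
        s, t = self.levels[q.source], self.levels[q.target]
        if q.perm == "read":
            return t <= s
        return q.perm == "write" and t >= s  # anything else: default deny

class ObjectManager:
    """Enforcement component: labels its objects, asks the server, caches answers."""
    def __init__(self, server, labels):
        self.server, self.labels, self.avc, self.denials = server, labels, {}, []
    def check(self, proc_label, obj, cls, perm):
        q = Query(proc_label, self.labels[obj], cls, perm)
        if q not in self.avc:  # access vector cache, as SELinux keeps
            self.avc[q] = self.server.decide(q)
        if not self.avc[q]:
            self.denials.append(q)  # a wrong or unlisted label produces a denial
        return self.avc[q]

def te_demo():
    """A hijacked web server and a root shell both stay inside the policy."""
    server = TypeEnforcementServer([("web_t", "web_content_t", "file", "read")])
    fs = ObjectManager(server, {"/var/www/index.html": "web_content_t",
                                "/home/alice/notes": "user_home_t"})
    return (fs.check("web_t", "/var/www/index.html", "file", "read"),
            fs.check("web_t", "/home/alice/notes", "file", "read"),
            fs.check("root_shell_t", "/home/alice/notes", "file", "write"), len(fs.denials))

def mls_demo():
    fs = ObjectManager(MlsServer({"analyst_s": 2, "doc_u": 0, "doc_ts": 3}),
                       {"/brief": "doc_u", "/ts": "doc_ts"})
    return tuple(fs.check("analyst_s", obj, "file", perm)
                 for obj, perm in [("/brief", "read"), ("/ts", "read"),
                                   ("/brief", "write"), ("/ts", "write")])
```

Note that the root shell is denied like any other process: with no allow rule for its label, the policy, not the user identity, settles the outcome.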

Flask for Linux and Solaris

The original Flask implementation took place in an experimental microkernel operating system called Fluke. It proved that Flask could work, but the operating system was too specialized for everyday use. So the NSA team decided to write a module that could be loaded into the Linux kernel; they introduced it in 2000.

Over time, engineers at other companies — including Red Hat, IBM, Hewlett-Packard, Tresys and Trusted Computer Solutions (TCS) — helped with development, which was good news given the complexities involved. “There was no way any OS company could do this technology without an open-source type of environment,” Walsh said. “It’s very complex, and it takes a full community to work on it.”

The effort paid off. Within a few years, Red Hat incorporated SELinux in Version 4 of Red Hat Enterprise Linux, where it was used to safeguard 15 applications. It is even more of an essential security feature in Version 5, which protects more than 200 applications, including essential programs such as Apache and Samba.

Red Hat is offering SELinux as a general-purpose security tool. “We would love it if all our customers used SELinux,” Walsh said. However, its complexities could hinder widespread adoption for some time (GCN.com, Quickfind 1158). Still, the government market was one of the first to use SELinux for MLS or multidomain systems.

In the past, when agencies needed to combine network nodes of varying security levels on a single machine, they would buy specialized hardware or software. But all they needed was a set of processing rules to ensure that any movement of information across domains happened in a manner that adhered to policy rules.

“SELinux is a system that meets those needs very well,” Smalley said.

“Flask was innovative in the sense that it allowed for MLS to be one implementation of a security policy,” said Ed Hammersla, TCS’ chief operating officer.

“You can take [Red Hat Enterprise Linux] 5 right off the shelf and configure it to run your local desktop, and you can crank that up all the way to the highest level of security required for cross-domain operations at multiple classified levels,” Hammersla added. “To do all that from a mainstream OS is truly an innovation in the history of OSes.”

TCS uses Red Hat Enterprise Linux 5 and a set of MLS policies in its cross-domain systems for classified use.

Linux is not the only operating system to benefit from Flask. Earlier this year, Sun and NSA began augmenting the kernel that will outfit Sun’s Solaris operating system with MAC, with the help of the OpenSolaris developer community. OpenSolaris is an open-source implementation of the operating system to which outside developers contribute changes.

Sun’s latest implementation, called flexible MAC, is already available on the OpenSolaris site, although more work is needed to integrate it into the Solaris kernel. Eventually, “it will come bundled with Solaris,” Vass said, and organizations can choose whether to deploy it.

Flask Everywhere

SELinux and OpenSolaris’ flexible MAC are the most well-known implementations of Flask, but other deployments have cropped up. The Defense Advanced Research Projects Agency and NSA have supported development of the TrustedBSD operating system, which has a MAC plug-in module called Security Enhanced BSD. It has been adapted for the Apple Macintosh operating system, under the name Security Enhanced Darwin. According to the project’s Web site, the work is in the experimental stages.

Furthermore, Flask technology is not limited to operating systems.

“The architecture can be applied to any software component that enforces security goals,” Smalley said.

Indeed, developers have created Flask modules for the PostgreSQL database; Xen virtualization software; X Window System for Unix; GConf software, which is used for storing Linux application preferences; and the D-Bus message bus system.

Developers have also extended Flask into the arena of network file storage. David Quigley, of NSA’s National Information Assurance Research Laboratory, presented the latest work on the project, called Labeled NFS, at a meeting of the Internet Engineering Task Force held earlier this year in Philadelphia. The effort involves integrating Flask into the Network File System protocol, which is widely used for network-attached storage devices.

Onward and Outward

Although the process is complex, applying Flask to a new set of software code is worth the effort.

“The job of actually instrumenting the kernel is a relatively small one, even for a big operating system,” Loscocco said. “The more complex part is making sure the controls are in place [to] meet a particular set of security objectives. And that is a much bigger task.”

So could Flask be integrated into the most widely used operating system — Microsoft Windows? “Sure,” Loscocco said. “It would just take the will to do it.”

“One of the things we were hoping early on when we were developing Flask was to build a general-purpose security architecture,” Loscocco said.

“The fact that it has been applied to all these OSes and different applications shows it to be tried-and-true. So there would be nothing stopping Microsoft, or anyone with the source code of Microsoft, from doing a similar kind of thing.”