SELinux Symposium Notes: Session 5

[Editor's note: still more notes taken during the talks at the SELinux Symposium earlier this month. For entertainment use only.]

Keynote Address: UK e-Government: Security Challenges and Solutions for Innovative Service Delivery (Dr. Steve Marsh, UK Cabinet Office)

2000 — put all govt services online by 2005; govt must meet citizens’ needs
requires entire process change to shared services, not just putting up web pages; could save 10%
fun fact: revenue from online crime in US exceeds drug trafficking — suggests risks at play
public sector, man-in-street don’t know how to secure infrastructure, but not just an IT dept problem
must secure govt services and assure public it’s secure — if not used, investment is wasted
testing sees if code behavior matches requirements; doesn’t check for security faults & unexpected behavior
products becoming more complicated, & lifecycle shorter than time need to evaluate their security
locking machine away fails due to networking; air gaps not practical for public services
remote access + secure network = difficult but necessary; esp w/ mobile code; from walls to communities of interest
public sector, public don’t expect to run into barriers day-to-day — have to implement domain separation?
separate networks, VMs to isolate apps; lockdown removes functionality and tends to break apps -> MAC better
crime follows value; can’t let crime erode confidence in govt services — need cost-effective technologies for security
domain separation needed to protect supply chains
[Q: how does compartmentalization hinder operations in emergencies (e.g. Katrina)? A: need to evaluate the risk that a security mechanism blocks business]

Case Study: Open Source and Commercial Applications in a Java-based SELinux Cross Domain Solution (Boyd Fletcher, Joint Forces Command – Joint Experimentation Directorate, USA)

sharing information across networks & classification/information domains
want to securely share as much information with as many people as fast as possible
allow only desired flows and verify only valid, clean data is being moved
TE MAC simplifies the problem; allows assured pipelines to be constructed & reduces burden of software developer (can lock down & isolate parts)
chat tool: operates at ingress & egress of box, though for historical reasons not truly a secure pipeline
in Java, need init scripts & jar files for proper domain assignment; improperly handled exceptions lead to fail-open
commercial apps often ill-behaved but can be constrained by policy; leverages all aspects of SELinux
minimize technical expertise to deploy system
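The fail-open point above is easy to reproduce. The following is an added illustration, not code from the talk or from the JFCOM chat tool: a minimal egress guard with three content checks, written once with a broad catch-and-log around the check loop and once with a default-deny structure. The message format, size limit and checks are constructed for the example; the binary payload is what triggers the unexpected exception.

```python
"""Fail-open vs fail-closed handling of an unexpected exception in a guard.

Added example; the Message format, MAX_PAYLOAD and the checks are constructed
and do not come from the talk or the tool it described.
"""
import re
from dataclasses import dataclass
from typing import Callable, List

MAX_PAYLOAD = 4096                                  # assumed per-message limit
SENDER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")     # assumed sender id shape


@dataclass
class Message:
    sender: str
    payload: bytes          # raw bytes as received on the ingress side


def check_size(msg: Message) -> bool:
    return len(msg.payload) <= MAX_PAYLOAD


def check_sender(msg: Message) -> bool:
    return SENDER_RE.fullmatch(msg.sender) is not None


def check_text(msg: Message) -> bool:
    # Only printable text may cross. decode() raises UnicodeDecodeError on
    # binary input: that is the unexpected behaviour both guards must survive.
    text = msg.payload.decode("utf-8")
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


CHECKS: List[Callable[[Message], bool]] = [check_size, check_sender, check_text]


def guard_fail_open(msg: Message, log: List[str]) -> bool:
    """The bug: an exception ends the loop with `rejected` still False, so the
    message is released even though not every check ran to a verdict."""
    rejected = False
    try:
        for check in CHECKS:
            if not check(msg):
                rejected = True
    except Exception as exc:            # deliberately too broad
        log.append(f"{type(exc).__name__}: {exc}")
    return not rejected


def guard_fail_closed(msg: Message, log: List[str]) -> bool:
    """Default deny: released only after every check returned True; a check
    that raises is a rejection, not a skipped check."""
    for check in CHECKS:
        try:
            if not check(msg):
                log.append(f"rejected by {check.__name__}")
                return False
        except Exception as exc:
            log.append(f"rejected: {check.__name__} raised {type(exc).__name__}")
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a clean line, a binary blob, and a line with a BEL.
    for label, m in [("clean", Message("alice", b"hello, world")),
                     ("binary", Message("alice", b"\xff\xfe\x00\x01")),
                     ("bell", Message("alice", b"hello\x07"))]:
        log: List[str] = []
        print(label, "open:", guard_fail_open(m, log),
              "closed:", guard_fail_closed(m, log), log)
```

The binary blob is the interesting case: both guards log the same `UnicodeDecodeError`, but only the default-deny version refuses to release the message. Under SELinux the same idea applies one layer down: if the Java process that performs the check is not confined to a domain that can only write to the egress side after the check, the policy cannot compensate for the exception either.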

Case Study: Enhancing IBM Websphere with SELinux (Marc Hocking, Technology Cabinet Office, e-Government Unit, UK; Karl MacMillan, Tresys Technology, USA, and Doc Shankar, IBM, USA)

goal: access to data “anytime, anywhere, anyhow” by UK govt user to departmental data in a low-assurance env
federated identity among departments, central authorization w/ permissions decided by depts
desired capability: access to system throughout UK, providing mobility & disaster recovery
support of above UK program & explore SELinux with complicated middleware
sandboxing, enforce n-tier architecture, network security at process level (per-app firewall)
allow Websphere admin to specify security configuration, w/o SELinux-specific expertise
and support full Websphere functionality
problem: current SELinux policies are rigid and inflexible, difficult to customize for a specific app, & changes require writing policy
soln: run Websphere-specific tool to take description of app & emit refpol modules, packages for each system
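What "take a description of the app and emit refpol modules" amounts to, and how it gives the per-app firewall mentioned above, can be shown with a small generator. This is an added example, not the Tresys/IBM Websphere tool: it turns a constructed app description into a reference-policy style `.te` and `.fc` module, where the only network permissions are the refpolicy port interfaces named in the description (an app tier that may connect to the database port but never bind it). Interface names follow the SELinux reference policy; the exact baseline set an app needs varies by refpolicy version, and the identifier and path checks are this example's own.

```python
"""Emit a refpolicy-style SELinux module from a small app description.

Added example, not the tool from the talk. Interface names are from the SELinux
reference policy (refpolicy); the baseline set is assumed. Paths and port names
in the example run are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

IDENT_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")   # refpolicy identifier shape
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")       # absolute, no regex metachars


@dataclass
class AppDescription:
    name: str                  # module prefix; the domain becomes <name>_t
    exec_path: str             # launcher binary, labelled <name>_exec_t
    data_dirs: List[str]       # trees the app owns, labelled <name>_data_t
    listen_ports: List[str] = field(default_factory=list)   # refpolicy port names to bind
    connect_ports: List[str] = field(default_factory=list)  # refpolicy port names to reach


def _ident(value: str, what: str) -> str:
    # The description is admin input that ends up inside policy source;
    # refuse anything that is not a plain identifier.
    if not IDENT_RE.fullmatch(value):
        raise ValueError(f"{what} {value!r} is not a valid policy identifier")
    return value


def _path(value: str) -> str:
    if not PATH_RE.fullmatch(value):
        raise ValueError(f"path {value!r} must be absolute and free of regex metacharacters")
    return value


def generate_te(app: AppDescription, version: str = "1.0") -> str:
    name = _ident(app.name, "module name")
    dom = f"{name}_t"
    lines = [
        f"policy_module({name}, {version})",
        "",
        "# Declarations",
        f"type {dom};",
        f"type {name}_exec_t;",
        f"init_daemon_domain({dom}, {name}_exec_t)",
        f"type {name}_data_t;",
        f"files_type({name}_data_t)",
        "",
        "# Local policy: the app may manage only its own data tree",
        f"manage_dirs_pattern({dom}, {name}_data_t, {name}_data_t)",
        f"manage_files_pattern({dom}, {name}_data_t, {name}_data_t)",
        "",
        "# Per-process firewall: sockets, then only the named ports",
        f"allow {dom} self:tcp_socket create_stream_socket_perms;",
        f"corenet_tcp_sendrecv_generic_if({dom})",
        f"corenet_tcp_sendrecv_generic_node({dom})",
    ]
    if app.listen_ports:
        lines.append(f"corenet_tcp_bind_generic_node({dom})")
    for port in app.listen_ports:
        lines.append(f"corenet_tcp_bind_{_ident(port, 'port')}_port({dom})")
    for port in app.connect_ports:
        lines.append(f"corenet_tcp_connect_{_ident(port, 'port')}_port({dom})")
    lines += [
        "",
        "# Assumed baseline for a daemon, independent of the app",
        f"files_read_etc_files({dom})",
        f"miscfiles_read_localization({dom})",
        f"logging_send_syslog_msg({dom})",
    ]
    return "\n".join(lines) + "\n"


def generate_fc(app: AppDescription) -> str:
    name = _ident(app.name, "module name")
    rows = [f"{_path(app.exec_path)}\t--\tgen_context(system_u:object_r:{name}_exec_t,s0)"]
    for d in app.data_dirs:
        rows.append(f"{_path(d)}(/.*)?\tgen_context(system_u:object_r:{name}_data_t,s0)")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    # Constructed description of an application-tier server.
    app = AppDescription(name="wasapp", exec_path="/opt/wasapp/bin/launcher",
                         data_dirs=["/var/lib/wasapp"],
                         listen_ports=["http"], connect_ports=["postgresql"])
    print(generate_te(app))
    print(generate_fc(app))
```

The generated pair is built and loaded the usual refpolicy way (`make -f /usr/share/selinux/devel/Makefile wasapp.pp`, then `semodule -i wasapp.pp` and `restorecon -R` on the listed paths). The n-tier enforcement comes from writing one description per tier: the app tier above can connect to the database port but has no bind rule for it, and a database-tier description would get the bind and no connect, so a compromised process in either domain cannot open connections the architecture did not intend.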