SELinux Symposium Notes: Session 5

[Editor's note: still more notes taken during the talks at the SELinux Symposium earlier this month. For entertainment use only.]

Keynote Address:UK e-Government: Security Challenges and Solutions for Innovative Service Delivery (Dr. Steve Marsh, UK Cabinet Office)

2000 — put all govt services online by 2005; govt must meet citizens’ needs
requires entire process change to shared services, not just putting up web pages; could save 10%
fun fact: recenue from online crime in US exceeds drug trafficking — suggests risks at play
public sector, man-in-street don’t know how to secure infrastructure, but not just an IT dept problem
must secure govt services and assure public it’s secure — if not used, investment is wasted
testing sees if code behavior matches requirements; doesn’t check for security faults & unexpected behavior
products becoming more complicated, & lifecycle shorter than time need to evaluate their security
locking machine away fails due to networking; air gaps not practical for public services
remote access + secure network = difficult but necessary; esp w/ mobile code; from walls to communities of interest
public sector, public don’t expect to run into barriers day-to-day — have to implement domain separation?
separate networks, VMs to isolate apps; lockdown removes functionality and tends to break apps –> MAC better
crime follows value; can’t let crime erode confidence in govt services — need cost-effective technologies for security
domain separation needed to protect supply chains
[Q: how does compartmentalization hinder operations in emergencies (e.g. Katrina)? A; need to evaluate the risk that a security mechanism blocks business]

Case Study: Open Source and Commercial Applications in a Java-based SELinux Cross Domain Solution (Boyd Fletcher, Joint Forces Command – Joint Experimentation Directorate, USA)

sharing information across networks & classification/information domains
want to securely share as much information with as many people as fast as possible
allow only desired flows and verify only valid, clean data is being moved
TE MAC simplifies the problem; allows assured pipelines to be constructed & reduces burden of software developer (can lock down & isolate parts)
chat tool: operates at ingress & egress of box, though for historical reasons not truly a secure pipeline
in Java, need init scripts & jar files for proper domain assignment; improperly handled exceptions leads to fail-open
commercial apps often ill-behaved but can be constrained by policy; leverages all aspects of SELinux
minimize technical expertise to deploy system

Case Study: Enhancing IBM Websphere with SELinux (Marc Hocking, Technology Cabinet Office, e-Government Unit, UK; Karl MacMillan, Tresys Technology, USA, and Doc Shankar, IBM, USA)

goal: access to data “anytime, anywhere, anyhow” by UK govt user to departmental data in a low-assurance env
federated identity among departments, central authorization w/ permissions decided by depts
desired capability: access to system throughout UK, providing mobility & disaster recovery
support of above UK program & explore SELinux with complicated middleware
sandboxing, enforce n-tier architecture, network security at process level (per-app firewall)
allow Websphere admin to specify security configuraiton, w/o SELinux-specific expertise
and support full Websphere functionality
problem: current SELinux policies are rigid and inflexible, difficult to customize in app-specific, & changes require writing policy
soln: run Websphere-specific tool to take description of app & emit refpol modules, packages for each system

Comments Off

Happy Pi Day

Hey hey
Pi Pi Pi

I’ve got a circle here
How long is it from front to rear
And how far is it clear around the circle
Now take the ratio
It’s a number that we all know
What is it here we go
Yeah, let me tell you
Circumference and diameter, side by side
It’s 22 divided by 7
Pi Pi Pi

Archimedes‘ was a brilliant mind
Thought to be the very first man to find
A theoretical value for
Pi Pi Pi
‘Cause of Lindemann we know today
It doesn’t stop or repeat in any way
Its seven hundredth number’s 5
Pi Pi Pi

In 1999
Dr. Kanada of Japan did fine
While he was figuring the numbers in pi
He did all this you know
While working in Tokyo
Just how far did he go
Yeah let me tell you
206 billion, 158 million,
430 thousand numbers
Pi Pi Pi

It don’t matter how big or small
Pi will be the very same for them all
You do not have to wonder why
Pi Pi Pi
‘Cause of Lindemann we know today
It doesn’t stop or repeat in any way
Its seven hundredth number’s 5
Pi Pi Pi

3.1415926535 8979323846 2643383279 5028841971 6939937510 5820974944

Circumference and diameter, side by side
It’s 22 divided by 7
Pi Pi Pi

Archimedes‘ was a brilliant mind
Thought to be the very first man to find
A theoretical value for
Pi Pi Pi
‘Cause of Lindemann we know today
It doesn’t stop or repeat in any way
Its seven hundredth number’s 5
Pi Pi Pi

Comments Off

Citizen Parker

Scott “Klaus” Parker has his new website up:

You should check it out, if only because I played a role in choosing its name. Namely, my suggestion of got the Most Obscure Reference nod, and I called his bluff on the unavailability of,, and

Comments Off

SELinux Symposium Notes: Session 4

[Editor's note: more notes taken during the SELinux Symposium earlier this month. Insert standard disclaimer of accuracy here. My notes from this session are less detailed than for the others, too.]

Progress of SELinux Policy Editor (Yuichi Nakamura, The George Washington University, Hitachi Software)

[for full effect, read the following with microphone feedback in the background]
editor for simplified SELinux policy — path-name based, reduced set of permissions
18% permissions removed — unused, DAC-related, redundant

SLIDE: An Integrated Policy Development Environment (James Athey, Tresys Technology)

Eclipse plugin for refpolicy development
set of usual IDE features, module browsers, etc.

Integrating Multi-Category Security into Fedora (James Morris et. al., Red Hat)

MCS uses categories, not sensitivities, complements targeted policy (better for commercial users) discretionary/advisory scheme
some discretionary control (mail, labeled printing, etc.)

Protecting the Internet from Zombie Armies with DeSPAC-SE (Eric Freudenthal, University of Texas at El Paso)

end user can’t write policy, wants to download & run code off the internet w/o labeling manually appropriately
idea: automatically determine & install labels for downloaded data
on exec of unknown file, query agent to classify it (but assumes agent knows …)
based on virus scanner model

A User-Space Monitor for High-Assurance Workflows (Jacques Thomas, Purdue University)

use MAC to generate control flow through workflow, a la Clark-Wilson, including SoD
high assurance in demand (e.g. Sarbanes-Oxley) — workflow protection all the way down
flexible framework makes auditing easier
workflow split into separate, individually confined tasks; only valid transitions are allowed

Playing Well With Others: Implementing CIPSO on Linux (Paul Moore, HP)

CIPSO labels IPv4 packets using options (e.g. MLS labels, TE types)
Linux currently lacks interoperable support for labeled networking
original attempt rejected (too invasive); now try using LSM hooks

Setools: Current Status and Future Directions (Kevin Carr, Tresys Technology)

enhancing sediff, seaudit; add sechecker
sediff used to help refpolicy transition; visualization & filtering improved
sechecker checks for common policy errors (e.g. incomplete permissions, lack of domain/type separation)

Comments Off

Quote of the Week #83

Why are you such a bunch of big girls? Why don’t you tell the content owners to just get stuffed? You’re too seduced by the content industry, Hollywood is not even a $10 billion industry. Hollywood is small compared to the telecom industry. Why don’t you take a stronger line? Consumers don’t want DRM at all. You can’t sell DRM.

David Birch

Bliss Diss

Some jugglers can juggle three balls to a Beatles song. Better jugglers can do the same routine with five balls.

(via Penn Radio)

Crash Course in Information Theory

I recently had the idea to write a quick introduction to information theory, but a new blog came along called Good Math, Bad Math and beat me to it. Here’s Part 1 and Part 2.

Even with that introductory background, you are already well equipped to refute the creationist claim that random mutation can’t add information to a genome. The fact that people like William Dembski, promoted as the “Isaac Newton of information theory,” make this claim proves they don’t have a clue how “information” is even defined.

Needless to say, as a computer science, that’s the creationist claim that hurts the most.

Good Math, Bad Math also has a pretty good description of the halting problem. However, mine’s better, because it includes dinosaurs.

Comments Off

More Links

Some more links have been added to the sidebar:

Also, note that there’s now a link to the RSS feed for comments to this blog. The feed’s always been there, but now there’s a way for you to find out about it.


Comments Off

SELinux Symposium Notes: Session 3

[Editor's note: More notes taken during the talks at the 2006 SELinux Symposium. Use at your own risk, etc., etc.]

Reference Policy for Security Enhanced Linux (Chris PeBenito et. al., Tresys Technology)

goal: make policy understandable; close-coupling means developers must understand entire policy
3rd parties need to be able to create policy modules — lack of understanding hurts security
refpolicy reduces complexity & exploits software engineering: documented, modular, configurable
core infrastructure is mature, large # of modules (70%)
security goals: OS self-protection, secure extensability (protect code & modules from each other), assurance, improved role separation (not there yet)
loadable modules, enhanced support for tools, managing complexity, better comprehension, single unified src
design concepts: layering, modularity, encapsulation, abstraction (all “enforced” by convention) [eventually native language support...]
layering only organizational
modules have private code, public interfaces, labeling statements — no global types/attributes

Dynamic Policy Enforcement in a Network Environment (Mark Butler et. al., University of Tulsa)

booleans + expert system to switch security states based on observed state of system (events – IDS/logs)
tools to let admin associate events & booleans to modify
agent collects “facts” (events or static) as system runs, & generates boolean changes
requires a large amount of initial configuration

SELinux Protected Paths Revisited (Trent Jaeger, Pennsylvania State University)

network MAC, client-server MAC forking new procs based on client’s label, location-independent MAC (access control follows objects across networks)
leverages labeled IPSec for secure communications
get label of network peer to make decisions (via getsockopt)
goal: distributed (n-machine) MAC & protected paths & authenticated communication
protected paths between users (even more than app-to-app) — i.e. can we trust the labels we get?
challenges: user-to-app (X server, WM); app-to-OS (labeled IPSec); OS-to-OS (refmon, labels, remote attestation, secure hardware)
secure coalition system — VMs running within a coalition using MAC & between coalitions
distributed, shared reference monitor: VM hypervisor, labeled IPSec to secure inter-VM communications, all w/ common MAC policy
VMs allow coarser-grained policy & simpler reference monitor
build trust from secure hardware up

Comments Off

SELinux Symposium Notes: Session 2

[Editor's note: more notes taken during the talks given at the 2006 SELinux Symposium. There are probably errors and they are definitely incomplete. Use at your own risk, etc.]

Moving FLASK to BSD Systems (Chris Vance, SPARTA, Inc.)

no perfect security model or policy for all applications –> want framework, not direct kernel mods
good design durable — don’t reinvent wheel; get frameworks correct, then use them
split policy from enforcement; port Flask framework to other kernels’ MAC framework
FreeBSD servers, OS X desktop, but shared heritage
Mach IPC – 1000s msgs/sec to secure; BSD, I/O Kit, Mach all have syscall interfaces
Flask, TE stuffed into MAC module; userspace easily ported, no special kernel headaches
LSM less invasive; MAC provides more hooks — different despite similar goals
Darwin: ubiquitous app-level IPC, bleeding b/t BSD & Mach
BSD coverage fairly complete; Mach experiment

Design and Implementation of the SELinux Policy Management Server (Karl MacMillan et. al., Tresys Technology)

incremental deployment & customization of policy; foundation of loadable policy modules
policy access control, not current all-or-nothing model
fine granularity of modifications made to policy — facilitates local mods (e.g. network contexts)
policy controls policy access — class user, class type, etc., & policy components are labeled
metapolicy to specify how domains are allowed to modify the policy
policy hierarchy restricts scope of modifications (e.g. child can’t exceed perms of parent)
policy mgmt server has same libsemanage interface, enforces metapolicy
future: network policy mgmt
(“metapolicy”: small subset of overall policy in most cases)

Towards Automated Authorization Policy Enforcement (Vinod Ganapathy, University of Wisconsin (et. al. from Pennsylvania State University))

i.e., where do we install hooks into a kernel or user app? how to build them?
(security-aware apps need to ask for policy decisions too for app-level objects) e.g. X
common features: multiple clients, shared resources, operations on behalf of clients
building security-aware apps: proactive or retrofit legacy code: add ref mon checks to code
insight: security-sensitive operations have fingerprints; how to find them? how to use them?
use: locate using static analysis, and add hooks at those locations
find: analyze runtime traces & compare them to shorter traces, paring down to the fingerprint (which traces contain the operation must be given)
must know what the security-sensitive operations are conceptually, but not their implementation

Comments Off

Planet SELinux

Apparently this blog is now being syndicated on Planet SELinux.

Thanks to whomever added me, though you’ll probably want the SELinux-specific feed instead of the Coding one that (as of this writing, at least) is currently being syndicated.

Hopefully I’ll get a chance soon to finish posting my notes from the symposium and put up some more SENG-related materials, but right now things like homework and midterms are taking up most of my time.

Comments Off

Missouri Legislature v. Establishment Clause

Behold HCR13, which if passed would move Missouri towards establishing Christianity as the state’s official religion.

Ed Brayton has a good point-by-point analysis, but he misses one important if subtle point:

Whereas, as elected officials we should protect the majority’s right to express their religious beliefs while showing respect for those who object;

Besides fanning the religious right’s martyrdom complex, note how Christians have the “right” to express their beliefs but others merely should be “show[n] respect” for theirs. Clearly, those proclaiming how their religious beliefs are under attack are reluctant to extend the protection they demand to those who might think their beliefs are under attack by, I don’t know, the legislature wanting to establish an official state religion.

But since HCR13 would be such a blatant and egregious violation of the Establishment Clause, why would anybody even propose it in the first place? Joshua Holland has the right idea:

But people who write bills like this aren’t trying to make law. Their intent is to further the right’s narrative that Christians are a persecuted minority under siege. They want to guarantee that the good folks at the Anti-defamation league, the ACLU and Americans United fight to have their silly legislation overturned, proving that those civil rights groups have an anti-Christian agenda (and perhaps even a direct association with Satan). And bills like this — you couldn’t write a piece of legislation that more obviously violates the Establishment Clause –are meant to give those groups a victory in court, thereby proving the existence of out-of-control activist judges dedicated to stymieing the popular will of the Christian majority.

Quote of the Week #82

They laughed at Copernicus. They laughed at the Wright brothers. Yes, well, they also laughed at the Marx Brothers. Being laughed at does not mean you are right.

– Michael Shermer

Comments Off

SELinux Symposium Notes: Session 1

[Editor’s note: these were notes I took during the talks given at the SELinux Symposium. The nodes probably have errors and are definitely incomplete, so don’t go treating them as canonical sources of information or anything. Enjoy the behind-the-scenes peek at how I take notes: a minefield of lousy formatting disjointed grammar.]

Keynote Address: The Road to Practical Mandatory Security in Mainstream Operating Systems – an historical perspective (Steve Walker, Steve Walker & Associates)

research into building security into OSes never got into mainstream systems
world isn’t going to build many more new OSes…
[fun fact: "Al Gore invented Internet" jokes still not funny]
NSA acquiring whatever computer hardware they could purchase (no OSes – none existed yet, largely – just hardware)
on to ARPA, in charge of security stuff
Multics origin of many ideas, but never became mainstream – targetted non-mainstream hardware
UNIX developed –> KSOS effort to make secure kernelized OS – never caught on
as with multi-level VMs, secure XENIX (acquired by TIS), trusted Mach (B3) (died because buzz around NT, not UNIX)
SELinux the exception? (Red Hat backing) – bringing security to mainstream OS
network security:
sending classified data over ARPAnet – encryptors keyed using paper tape, only point-to-point
no control cables around crypto in theory, but did it in practice (covert channels)
limitation: getting multiple copies of paper-tape key – led to developing built-in crypto
DoD using ARPAnet instead of separate network sank funds into Internet’s development
fun fact: TIS hosted originally until White House set up connectivity –> June ’93 + 20 months (messages put on floppies, send to White House for volunteers to answer)

SELinux Year in Review (invited talk) (Stephen D. Smalley, NSA)

year ago: distro support either optional ad-on or with limited scope (eg only server environments)
now: coverage expanded in Fedora, becoming mainstreamed in Debian & elsewhere
MLS, auditing: enhanced & increasingly mainstreamed; RHEL5 undergoing evaluation
monolithic & static policy w/ little, ad-hoc customization –> modules, refpolicy, management APIs (foundational support is now there to build on)
labeling: not for networking, nonatomic file labeling, etc –> new overcome
future: distributed mgmt, IDE, protecting networks, desktop support & protecting app-level objects (SELinux aware apps…), etc

Back from the SELinux Symposium

In case you couldn’t tell from the last post, I’m back from this year’s SELinux Symposium.

The talk I gave went very well. My approach towards improving the policy language seems to have struck a chord with quite a few people there; whereas most other efforts at policy languages are geared either towards policies for individual applications or only provide a subset of SELinux’s power, SENG aims at being suitable for anything without sacrificing power. If the existing policy language is like assembly, SENG is like C whereas other efforts are sort of like Python.

People from Tresys, MITRE, and elsewhere were interested in what I’ve been doing. The downside to that is now I need to get moving making things available for people to look at and play with.

My paper is published in the Proceedings of the Second Annual Security Enhanced Linux Symposium, pages 49 through 53.

Copious notes on the seven sessions I attended (having had to skip the eighth in order to catch my flight back) will be forthcoming. But for now, here’s a grab-bag of random stuff.

The hotel charges guests $10/day for Internet access. The conference organizers tried to negotiate access for the attendees, but the hotel wanted $2000/day for that. At lunch some of us plotted next time for someone to pay for a connection and secretly hook up an access point for everyone else to use.

The PGP/GPG key fingerprint I carry around in my wallet finally got used, when somefrom from the Air Force Research Lab and I traded signatures. He then proceeded to spin a copy of Advanced Programming in the UNIX Environment, 2nd Ed. on one finger above his laptop. When I said that might not be a good idea, he then spun his laptop on one finger.

The desktop background on the computer the MITRE guys used to demo the latest generation of their policy generation tool? Touched By His Noodly Appendage

Stephen Smalley, despite what you’d expect, looks nothing like your stereotypical fat bearded UNIX geek.

… There’s loads more, but that’s all that comes to mind at the moment.