Do you trust the NSA and SELinux?

Friday, June 1, 2007

The following is an email conversation I had a while ago with a reader of my SELinux material. He raises a common question about SELinux: should I trust this?

G writes:
Hi, I cannot find the needle I am looking for in the haystack of all SELinux info over the Net. Could you advise me where I can look for some security evaluation results of SELinux? Being rather paranoid myself, I believe in the principle "Timeo Danaos et dona ferentes" [I fear the Greeks, even when they bring gifts] and do not know whether something bad hasn't been smuggled in with the otherwise good code - NSA are not the "good guys" in my eyes.


Kerry writes:
It's a good point, and one that has been discussed in mailing lists - I think there was an article on Slashdot a few years ago where the topic was discussed.

Basically you can trust SELinux quite a lot - because all of the code is open source and there are a lot of people looking at it and working on it. A lot of those people aren't in the US, and if they found something they would certainly tell everybody about it.

On the other hand, there is a *lot* of code in SELinux and the policy files and it will probably contain mistakes. There probably hasn't been any exhaustive audit of the code - but since SELinux has been incorporated into the 2.6 kernel you can assume that plenty of people around the world have looked through it. And there are tools (not written by the NSA) that can audit the policy rules.

If the NSA did put something in, it would eventually be found and such a discovery would be extremely damaging to the NSA. I think if they wanted to hide something, they wouldn't have released the source code.


G writes:
Thank you for your kind answer! It is always nice if one (so busy as you are) is paying attention to the public.

That is the tricky part which is bothering me - who, what & when? In the early days it is normal for people to have their concerns and to raise them. However a thorough security evaluation is time-consuming and obviously the result of such evaluation cannot be available during early discussions. Afterwards the dust settles down and people resume their daily activities. As a Bulgarian proverb says "every miracle lasts three days".

Then comes the next problem - *someone* should have done it. But who and to what extent? Should I dig on kernel.org to find who is the maintainer of that portion of the code? Can I identify somehow what was the initially submitted kernel patch? ... etc., etc.

Of course NSA will pretend to deliver if not the greatest achievement of IT mankind at least one of the greatest ;) Similarly Red Hat has to show a shining new shield in order to attract both investors and customers. The problem is for me personally - I am a dirty rat cynically not believing one will do good for nothing.

And the last nail in the coffin is that in order to fight the filth of the society one should understand it. Then (s)he gradually (albeit slowly) starts behaving like the other people around, i.e. the filth. For example as Symantec Antivirus is a rather popular target to be disabled by malware, it is employing some rather virus-like tactics.

Anyway, all of the above are my personal thoughts looking more like an essay ;) The question is how can I trust this code? If it is hard to find whether someone has already evaluated it, how can I identify what is contributed by NSA, and where is it now, in order to try evaluating it myself. The best would be to identify that portion and annihilate it with a flamethrower :-))) And then going back to the stone age to re-invent the wheel.


Kerry writes:
Interesting comments, although I think that the reason you can't find a good answer is that your question is wrong.

You're asking "Can I trust SELinux?" trying to reach an answer of "yes" or "no", when actually you should be asking "How much can I trust SELinux?", with an answer somewhere between "yes" and "no".

The people that build safes figured this out a long time ago - rather than saying "This safe is secure", they give safes a rating. A rating of TL-15 means the safe will probably resist an attack from a burglar with hand tools working on it for 15 minutes. Then there's TL-30 and so on. There is no absolute rating, no secure safe.

I believe Red Hat is putting their Enterprise Linux with SELinux through a Common Criteria rating - which will be an official test of the system, including how it was designed and developed. It will then get a rating which will show us how well it stands up against other products.

But this is all quite worthless - a system administrator who doesn't understand what they are doing could set a bad configuration on a server (like a wide-open policy rule on SELinux, or enabling telnet) and the security would go down to about zero.

Personally I put quite a lot of trust in SELinux because I know there are plenty of people looking through the code - not just the NSA. Against all of the other operating systems in the world I would rate it as "pretty secure" and I'd be happy to put quite valuable data on an SELinux machine - assuming it was being well administered. I would put an SELinux machine on the Internet without a firewall and it would probably survive quite a long time.

Symantec Antivirus on the other hand I would rate as "pretty bad", because only Symantec can see the code and what it really does and they don't offer any guarantees. A Windows machine on the Internet without a firewall, even with Symantec anti-virus - it would probably be dead within hours.