Secure?

Secure?

[Kurth Bemis]

isn't the point of NSA ESL to be secure?  If so why are you using something 
that is buggier than netscape code??  I referring to wu-FTP.  why not put 
efforts toward something that is already secure (like OpenBSD)?  Is there 
some reason that i'm missing as to why you choosing this route?

~kurth


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Secure?

[Ben Breuninger]

I believe linux to be great challenge when it comes to making a secure distribution. However, i think the reason the NSA is chosing to make a secure linux model is due to compatibility with pretty much every hardware and software package (ie, wine for non-linux software even). Keep in mind tho, it is the compatibility and speed at which the army of linux coders code is what keeps linux from achieving security. Should they chose to forgo compatibility for security, linux could make a turning point. But, it would be a toss up.
Now, i must note that i administrate both Linux (GNU/Debian) servers and OpenBSD servers. I use the linux for compatibility issues, and openbsd for security issues. This is why I question why the NSA chose linux over openbsd, but i believe the overlying feature is compatibility.

am i wrong on the compatibility + non_secure vs. non_compatible + secure issue?

(forgive me if this sounds like random babble, i havent had my coffee yet)

Ben Breuninger
DIGI International

-----Original Message-----
From: Kurth Bemis [mailto:kurth@usaexpress.net] 
Sent: Thursday, March 15, 2001 7:52 AM
To: selinux@tycho.nsa.gov
Subject: Secure?


isn't the point of NSA ESL to be secure?  If so why are you using something 
that is buggier than netscape code??  I referring to wu-FTP.  why not put 
efforts toward something that is already secure (like OpenBSD)?  Is there 
some reason that i'm missing as to why you choosing this route?

~kurth

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Secure?

[Pedro Rosa]

Kurth Bemis wrote:

> isn't the point of NSA ESL to be secure?  If so why are you using 
> something that is buggier than netscape code??  I referring to 
> wu-FTP.  why not put efforts toward something that is already secure 
> (like OpenBSD)?  Is there some reason that i'm missing as to why you 
> choosing this route?
> 
> ~kurth
> 
> 
> -- 
> You have received this message because you are subscribed to the 
> selinux list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 

Apart of that stupid OS-war call (I have nothing against OpenBSD and 
even use it in some servers btw), the question has some base... WuFTP 
has been plagued by bugs and security holes for quite long. And on the 
NSA's site this program has also the mark "untested". Frankly why to set 
efforts in a program that seems conceptually flawed? Or is there a 
"light in the end of the tunnel" for WuFTP's troubles? Shouldn't we 
consider other ftp daemons?  Or if we realise that FTP protocol is 
flawed from start, to choose other protocols?

Frankly I would like to see a more clear position about this question as 
the presence of WuFTP is probably the most questionable program in 
selinux. Not only in technical terms but also it arises questions in the 
concept itself.


Ektanoor


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Secure?

[Stephen Smalley]

Security-Enhanced Linux is not a secure Linux distribution.
It is a reference implementation of a flexible mandatory access 
control architecture in the Linux kernel, and an example security policy
configuration that shows how to use those controls.  The mandatory
access controls can confine the actions of any process, so the 
potential damage that can be done by exploiting a flaw in an
application can be strictly limited.  The modified applications
merely serve to help demonstrate some of the kernel features,
but they are not integral to the system.  The ftpd modifications
were an example of how to allow the ftp daemon to transition to a new
security context after authenticating the user.  But even these
transitions are controlled by the kernel in accordance with the security
policy configuration, so a vulnerability in the ftp daemon is still
confined to a limited set of accesses.  We simply used the ftpd sources
that came with our RedHat 6.1 systems, which happened to be wu-ftpd.

As has been mentioned earlier, Linux was simply viewed as the best
platform for transferring the Flask flexible mandatory access control
architecture to a larger developer and user community.  Since the 
SELinux development team is small, it was not practical to create
both a Linux-based and a BSD-based implementation simultaneously.
The TrustedBSD project has expressed the intention of drawing ideas from
the SELinux mandatory access control architecture, so a similar
architecture will hopefully become available for BSD systems as well.
The security portion of the OpenBSD project is really orthogonal to the
SELinux or TrustedBSD projects - OpenBSD is focused on a BSD distribution
that is free from known security problems and that incorporates
cryptographic mechanisms.  The mandatory access controls of SELinux
or TrustedBSD can provide strong security guarantees even in the
presence of security flaws in applications.  Ideally, some of the
TrustedBSD work will filter over to the OpenBSD project as well.

--
Stephen D. Smalley, NAI Labs
sds@tislabs.com


On Thu, 15 Mar 2001, Kurth Bemis wrote:

> isn't the point of NSA ESL to be secure?  If so why are you using something 
> that is buggier than netscape code??  I referring to wu-FTP.  why not put 
> efforts toward something that is already secure (like OpenBSD)?  Is there 
> some reason that i'm missing as to why you choosing this route?
> 
> ~kurth
> 
> 
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Secure?

[Bennett Todd]

[-- Attachment #1: Type: text/plain, Size: 1690 bytes --]

2001-03-16-06:25:27 Pedro Rosa:
> [...] the presence of WuFTP is probably the most questionable
> program in selinux. Not only in technical terms but also it arises
> questions in the concept itself.

I don't see that at all.

The concept of selinux, as it stands today, is (I believe --- if
people think I'm wrong please straighten me out:-) to experiment
with a novel model of mandatory access control, on a system which is
exceedingly wide-spread and getting more so rapidly, one which
stands a chance, in the reasonable future, of being usable in many,
perhaps most settings.

Today it's an early research project, and the specific focus is
on experimenting with the policy definition mechanism, and trying
to evolve a comfortable to manage, flexible, suitably high-level
setup for expressing policy decisions, while letting people get
comfortable with the performance, the stability, and the way the
resulting system behaves. The reasonable decision is to try to
integrate it into the most widely-used distribution, and to confine
the focus of this project to just the MAC features, patching other
components only as necessary to make them work.

Meanwhile, in unrelated developments, it's fair to hope that the
popular distributions may get more secure as time goes by; certainly
they're showing some interest in that area. I believe RH7.1 may be
the best Red Hat to date.

I'm expecting it'll be a year or two before this selinux thing will
be in a state of maturity and stability to become part of a major
distribution outright. Perhaps by then Red Hat will be shipping a
better-founded ftpd. I've rpmmed a port of the OpenBSD ftpd, it's
not particularly tricky to do so.

-Bennett

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: Secure?

[Albert D. Cahalan]

Bennett Todd writes:
> 2001-03-16-06:25:27 Pedro Rosa:

>> [...] the presence of WuFTP is probably the most questionable
>> program in selinux. Not only in technical terms but also it arises
>> questions in the concept itself.
>
> I don't see that at all.

Just the opposite is true in fact. The real test of selinux is
running buggy servers. When a major new WuFTP hole is found,
will you be able to ignore it? Will you be safe, in spite of the
hole, because selinux prevents the attackers from doing anything?


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.