Transcript of "SELinux business and community in Japan"
Source: selinuxsymposium.org/2005/presentations/session8/8-1-nakamura.pdf
Slide 1: SELinux business and community in Japan
2005 SELinux Symposium
Yuichi Nakamura ([email protected]), Japan Open Source Advocacy Organization
Slide 2: Contents
1. Introduction
2. Promotion
3. Business
4. R&D
5. Problems
Slide 3: 1. Introduction
Slide 4: Activities in Japan
• Promotion: companies, communities and the government are promoting SELinux
  • Promotion was already successful before kernel 2.6
  • Many people are interested in SELinux in Japan
• Business: system construction, products, education
• R&D
Slide 5: 2. Promotion
Slide 6: Promotion of SELinux
• With secure operating systems
• Publishing companies
• Government
• Community
Slide 7: Promotion of SELinux with secure operating systems (1)
• SELinux is promoted together with commercial secure operating systems
• Many commercial secure OSes are in use:
  • Pitbull (Argus Systems, USA)
  • Hizard (Secubrain, South Korea)
  • Secuve TOS (Secuve, South Korea)
  • Compartment Guard (HP Japan)
• SELinux is a good "entry point" to secure OS for the business scene: free, many documents, included in Linux distributions
Slide 8: Promotion of SELinux with secure operating systems (2)
• SELinux is promoted in cooperation with other secure OSes, to develop the secure OS market together
• Cooperation in conferences and exhibitions, writing articles together, discussion
  • Example: "Secure OS Conference" 2004/4 and 2004/12, more than 200 people
• As a result: SELinux is better known
• Side effect: SELinux is often compared with other secure OSes, and many people think SELinux is much more difficult than the other secure OSes
Slide 9: Promotion with publishing companies (1)
• Publishing companies have been interested in SELinux since the kernel 2.4 SELinux
• Articles in magazines: more than 15 articles in 2004, 6 articles in 2003, many others in web magazines
• First(?) SELinux book (2004/3): http://www.amazon.co.jp/exec/obidos/ASIN/4822221113
• Exhibitions: net&com 2004, Linux World Japan
Slide 10: Promotion with publishing companies (2)
• As a result: many people know SELinux, and there is a lot of Japanese documentation
• Side effect: they think SELinux is difficult
  • No targeted policy in 2003
  • Some concepts are difficult: RBAC, security context, domain transition
• As an entry point to SELinux, LIDS (http://www.lids.org/) is being promoted: an easy MAC system with no type labels
Slide 11: Government
• Ministry of Internal Affairs and Communications: research committee on secure OS
• IPA (Information Technology Promotion Agency)
  • 2001-2002: research on OS security and SELinux
    http://www.ipa.go.jp/security/fy13/report/secure_os/secure_os.html (Japanese)
  • 2003: development of a SELinux tool (SELinux/Aid)
    http://www.ipa.go.jp/security/fy15/development/selaid/documents/selaid-abst.pdf (only the abstract is in English; most of it is Japanese)
  • 2004: research on secure operating systems (in progress)
• Other ministries: closed committees on secure OS
Slide 12: Promotion by community
• Japan SELinux Users Group
• JOSAO
• Other groups
Slide 13: Japan SELinux Users Group
• Provides a place for engineers to communicate
  • Homepage: http://www.selinux.gr.jp/
  • Mailing list: about 750 people, 1-2 mails per day
  • Events for discussion: Workshop 2004/7/16, SELinux BOF 2004/11/30
    • 5 presentations: trend of SELinux, performance improvement of SELinux, commercial secure OS vs SELinux, tutorial, usage of SELinux
• Place for development
  • 2.4 install package (now stopped)
  • Maintenance of SELinux Policy Editor
  • Documentation
• Never involved in business
Slide 14: JOSAO SELinux committee
• Japan Open Source Advocacy Organization (JOSAO): http://www.josao.jp/
• Members from various companies: software companies, data centers, Linux distributors
• Promotes business usage of SELinux
  • For more promotion, "case studies" are necessary; trying to find case studies of business usage
  • SELinux trial campaign (in progress)
  • SELinux hacking demo at LinuxWorld Japan
Slide 15: Other communities
• Linux Consortium (http://www.linuxcons.gr.jp/): comparison of secure OSes
• Secure OS research group in the Information Network Law Association (http://in-law.jp/index-eng.htm): discussion of secure OS
• Secure OS research group in the Japan Society of Security Management (http://www.jssm.net/): developing criteria for secure OS
Slide 16: 3. Business
Slide 17: Business
• System construction and support using SELinux: this will be the main business; currently not so big, but there are some examples, in combination with other products
• Education, publishing
• Products using SELinux: SELinux is used to enhance the security of products (examples: a distribution, a single sign-on server)
• Tools: the available tools are free, however
Slide 18: System construction: advantage of SELinux for the customer (1)
Diagram: typical system for a DMZ without SELinux: Internet, firewall, then separate WWW, DNS and mail machines
• One application per machine
• Must apply security patches immediately
19
System Construction: Advantage of SELinux for customer(2)
DMZ system using SELinux : Simple SystemWWW+Mail+DNS
FireWall
Internet
SELinux
• Multiple applications in one machine • Need not apply patch immediately
• time to evaluate patch
SELinux can reduce costs of machine and maintenance
![Page 20: SELinux business and community in Japanselinuxsymposium.org/2005/presentations/session8/8-1-nakamura.pdf · Workshop 2004/7/16 SELinux BOF 2004/11/30 5 presentations Trend of SELinux,](https://reader035.fdocuments.net/reader035/viewer/2022081617/6057a9e87bf11b4f9c40fe2c/html5/thumbnails/20.jpg)
20
System construction:Customer Example
Single-sign on systemDeveloped by Hitachi SoftwareSold as “SRGate” with SELinux
Customer: a manufacture company
SELinux based on SUSE Linux 9
Customer chose SELinux because:1)Within one machine three applications
Proxy, LDAP, PostgreSQL2) Security level is enhanced
SELinux
Proxy (SRGate by Hitachi Software)
LDAP PostgreSQL
Single Sign on Machine
authenticate information
![Page 21: SELinux business and community in Japanselinuxsymposium.org/2005/presentations/session8/8-1-nakamura.pdf · Workshop 2004/7/16 SELinux BOF 2004/11/30 5 presentations Trend of SELinux,](https://reader035.fdocuments.net/reader035/viewer/2022081617/6057a9e87bf11b4f9c40fe2c/html5/thumbnails/21.jpg)
21
Education
MotivationFew engineers can construct SELinux system
SELinux Training course by Japan Trusted System(www.jtsl.co.jp)1day, 2day courses 7 companies are selling Total about 170 students
StudentsMarketing dept, R&D dept, Education Dept etc.Some of them become teacher in their company
SELinux spread from teacher!
Future:Qualifying examination with Turbo Linux
Slide 22: Product example: Turbo Linux
• Turbo Linux (http://www.turbolinux.com/): Japanese distributor; main markets are Japan and China
  • Server: No. 2 in Japan, No. 1 in China
• Turbo Linux 10 Server: latest server distribution (2004/11)
  • SELinux support, based on the strict policy; not for general use
  • Apache, BIND, postfix, etc. are supported
  • SELinux/Aid: tool developed by Hitachi Software
• Education: SELinux training course with Japan Trusted System; SELinux qualifying examination (2005/5)
Slide 23: 4. R&D
Slide 24: R&D
• NEC: performance improvement
• NTT Data: dynamic state change extension
• Japan Research Institute: LBSM
• Hitachi Software: tools (SELinux Policy Editor, SELinux/Aid), available at http://www.selinux.hitachi-sk.co.jp/
• IPTelecom: develops and maintains an original security-enhanced distribution, "Nature's Linux"
  • Currently runs with some part of the grsecurity code, based on kernel 2.4
  • Now developing with SELinux, based on kernel 2.6, for the next version
Slide 25: Performance improvement
• By NEC; included in the mainline kernel
• Improved scalability of SELinux: the AVC (access vector cache) was rewritten using RCU
• Before using RCU, SELinux was not scalable
  • Example: performance of the write() call: 2 CPUs: 58%, 4 CPUs: 10%, 32 CPUs: 0.1%!
• After RCU, SELinux is scalable: performance of the write() call is almost the same up to 32 CPUs!
Slide 26: Kernel based IDS
• Developed by NTT Data (http://www.nttdata.co.jp/en/)
• For details: Adaptive Access Policy for the Linux Kernel, Horie et al., The 2005 International Symposium on Applications and the Internet
  http://ieeexplore.ieee.org/xpl/tocresult.jsp?isNumber=30170&page=1
• Extension of the SELinux policy:
  1) Register "trigger" accesses by a policy extension
  2) Change the policy state dynamically when a trigger fires
• Like the conditional policy extension
• Example:
  strict ftpd_t shell_exec_t:file { execute }; …             # watch execute access of /bin/sh
  allow ftpd_t user_home_t:file rw_create_file_perms 1;      # state 1: ftpd can upload files
  allow ftpd_t user_home_t:file r_file_perms 3;              # state 3: ftpd cannot upload files
• When shell execution is detected, the policy changes from state 1 (ftp can upload) to state 3 (ftp cannot upload)
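The state-change mechanism of this slide, simulated as an added example (this is not NTT Data's code, and the rule syntax is not their policy extension): allow rules carry the state in which they apply, a trigger on ftpd_t executing shell_exec_t moves the policy from state 1 to state 3, and the same upload access is then refused while reads still succeed. The Allow and Trigger classes, the simplified permission macros and the access sequence are constructed here; that a trigger fires on the attempt even when the access itself is denied is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Allow:
    """An allow rule tagged with the policy state in which it is active (0 = every state)."""
    source: str
    target: str
    tclass: str
    perms: frozenset
    state: int = 0

@dataclass(frozen=True)
class Trigger:
    """A watched access: when attempted in from_state, the policy moves to to_state."""
    source: str
    target: str
    tclass: str
    perms: frozenset
    from_state: int
    to_state: int

class AdaptivePolicy:
    def __init__(self, allows: List[Allow], triggers: List[Trigger], state: int = 1):
        self.allows, self.triggers, self.state = allows, triggers, state
        self.events: List[str] = []  # audit trail of state transitions

    def check(self, source: str, target: str, tclass: str, perm: str) -> bool:
        """Decide one access and apply any trigger it matches (assumption: a trigger
        fires on the attempt, whether or not the access itself is allowed)."""
        for t in self.triggers:
            if ((source, target, tclass) == (t.source, t.target, t.tclass)
                    and perm in t.perms and self.state == t.from_state):
                self.events.append(f"{source} {target}:{tclass} {{ {perm} }} -> state {t.to_state}")
                self.state = t.to_state
        return any((source, target, tclass) == (a.source, a.target, a.tclass)
                   and perm in a.perms and a.state in (0, self.state)
                   for a in self.allows)

def run_ftpd_scenario() -> Tuple[List[bool], int, List[str]]:
    """Replay the slide's ftpd example against a constructed access sequence."""
    rw_create_file_perms = frozenset({"read", "write", "create", "getattr"})  # simplified macro
    r_file_perms = frozenset({"read", "getattr"})                             # simplified macro
    policy = AdaptivePolicy(
        allows=[Allow("ftpd_t", "user_home_t", "file", rw_create_file_perms, state=1),  # 1: can upload
                Allow("ftpd_t", "user_home_t", "file", r_file_perms, state=3)],         # 3: cannot upload
        # watch execute access of /bin/sh (shell_exec_t) by ftpd: state 1 -> state 3
        triggers=[Trigger("ftpd_t", "shell_exec_t", "file", frozenset({"execute"}), 1, 3)],
        state=1)
    accesses = [  # constructed sequence of accesses by ftpd_t
        ("ftpd_t", "user_home_t", "file", "write"),     # upload while in state 1
        ("ftpd_t", "shell_exec_t", "file", "execute"),  # shell execution attempt: the trigger
        ("ftpd_t", "user_home_t", "file", "write"),     # upload again, now in state 3
        ("ftpd_t", "user_home_t", "file", "read"),      # download still permitted in state 3
    ]
    decisions = [policy.check(*a) for a in accesses]
    return decisions, policy.state, policy.events

if __name__ == "__main__":
    print(run_ftpd_scenario())  # ([True, False, False, True], 3, [...one transition...])
```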
Slide 27: Linux Basic Security Modules (LBSM)
• Developed by Japan Research Institute (http://www.jri.co.jp/english/)
• Log gathering function
• Works on SELinux
• MAC by the LOMAC model
• Prevention of buffer overflows by libsafe
• Available at http://sourceforge.jp/projects/lbsm/
Slide 28: SELinux/Aid
• Available under the GPL: http://www.selinux.hitachi-sk.co.jp/tool/selaid/selaid-top.html
• Developed by Hitachi Software, sponsored by IPA (Information-technology Promotion Agency, Japan)
• Included in Turbo Linux 10 Server; English is supported
• Composed of 3 tools:
  • SELinux Policy Editing and Configuration (selpec): policy view/edit tool with X, web browser and console interfaces
  • SELinux LOG analyzer (sellog): SELinux log analysis tool
  • SELinux CHecKer (selchk): policy and file context check tool
Slide 29: Screenshot of selpec (1)
Screenshot: to allow a permission, only a check is needed
Slide 30: Screenshot of selpec (2)
Three interfaces: GUI, WUI, CUI (screenshots of the GUI, CUI and WUI)
Slide 31: Sellog
• sellog: analyzes the SELinux audit log
  • Shows statistics
  • Searches for suspicious log entries
Slide 32: sellog screenshot
• Search for suspicious log entries by pattern match
• Explanation of log entries
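As an added example of the two kinds of analysis sellog is described as performing on slides 31 and 32 (this is not Hitachi Software's code): a small analyzer over kernel 2.6-era AVC messages as they appear in syslog, producing denial statistics per source type, target type, class and permission, and flagging entries that match operator-defined patterns, each with a short explanation. The sample log, the pattern list and the explanation strings are constructed here.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of kernel 2.6-era AVC messages as they appear in syslog
SAMPLE_LOG = """\
Feb 10 12:00:01 dmz kernel: audit(1108000001.123:45): avc:  denied  { read } for  pid=1001 exe=/usr/sbin/httpd name=shadow dev=hda2 ino=4111 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
Feb 10 12:00:02 dmz kernel: audit(1108000002.456:46): avc:  denied  { write } for  pid=1001 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=5120 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Feb 10 12:00:03 dmz kernel: audit(1108000003.789:47): avc:  denied  { execute } for  pid=1002 exe=/usr/sbin/vsftpd name=sh dev=hda2 ino=2048 scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Feb 10 12:00:04 dmz kernel: audit(1108000004.012:48): avc:  denied  { write } for  pid=1001 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=5120 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Feb 10 12:00:05 dmz kernel: some unrelated message
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the result, permissions and key=value fields of an AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").strip()}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec

def type_of(ctx: str) -> str:
    """Type field of a user:role:type security context."""
    return ctx.split(":")[2]

def statistics(log: str) -> Counter:
    """Denials per (source type, target type, class, permission): the statistics view."""
    stats: Counter = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"].split():
                stats[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return stats

# Constructed patterns over "<source type> <permission> <target type>", each with an explanation
SUSPICIOUS = [
    (r"^\S+ execute shell_exec_t$", "a confined daemon tried to execute a shell"),
    (r"^\S+ \S+ shadow_t$", "access to the shadow password file"),
]

def search_suspicious(log: str) -> List[Tuple[str, str, str]]:
    """Pattern-match search over parsed AVC records: (pid, matched access, explanation)."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        for perm in rec["perms"].split():
            access = f"{type_of(rec['scontext'])} {perm} {type_of(rec['tcontext'])}"
            for pattern, why in SUSPICIOUS:
                if re.search(pattern, access):
                    hits.append((rec["pid"], access, why))
    return hits
```

statistics(SAMPLE_LOG).most_common() gives the denial counts and search_suspicious(SAMPLE_LOG) the flagged entries.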
Slide 33: 5. Problems
Slide 34: Problems
• Many think SELinux is difficult: a side effect of the early promotion
• R&D: after development, little maintenance
• Budget: promotion is only within Japan
• Japanese culture? Language, paperwork
• Need more case studies and solutions: solutions understandable to customers
Slide 35: New law enforcement
We have to focus on security in 2005. The new law, the "Personal Information Protection Act", will be enforced from April 1st. Network service vendors, software vendors, system integrators and any vendors working on services that treat private information have to build strong defensive systems and take measures to cope with this new law. Because usual Unix security systems and open source systems have been cracked, new security systems based on LSM now attract end users' attention. We still do not have enough experience and skills with security systems like SELinux, and are now trying to research and make good case studies. For these reasons there is going to be a huge market for security services in Japan. We would like to ask foreign security specialists to take notice of our security market this year.
Slide 36: Acknowledgements
• Dr. Jonathan Stanton @ The George Washington University: advice and review of the abstract and bio
• Mr. Hideaki Saisho @ Hitachi Software: information about SRGate
• Mr. Hiroyuki Kojima @ JOSAO: discussion about business usage, information about Nature's Linux
• Mr. Kohei Kaigai @ NEC: information about his work on performance improvement
• Mr. Naoki Yoshida @ Turbo Linux: information about Turbo Linux 10 Server
• Mr. Takashi Horie @ NTT DATA: information about the kernel based IDS
• Mr. Takefumi Onabuta @ Japan Research Institute: information about promotion by the government and LBSM
• Mr. Yuya Taguchi @ Japan Trusted System: information about SELinux education
• And, SELinux developers!