The National Security Agency’s Review of Emerging Technologies

Taking the Open Source Road

Raising the Bar in Security

Cryptographic Binding of Metadata

Providing a Secure Foundation with CLIP

Open Source—Setting Software Free

Letter from the Editor

Open source software (OSS) is a growing part of the software market. Although much OSS is low cost, even free, a great deal of its growing popularity is based not on cost but on the ability to see and manipulate the software internals. This ability enables great flexibility, allowing programmers to easily build upon or extend software to meet specific mission needs. Increasing interest in OSS is not limited to commercial markets; the US Department of Defense (DoD) is looking for ways to harness the community development model within internal projects. DoD has even created its own community software site, milforgemil, to mimic the public open source community. In this issue of The Next Wave (TNW), we have a series of articles about important projects that were enabled by open source software.

The article “Raising the Bar in Operating System Security: SELinux and OpenSolaris FMAC,” written by Steve Smalley, presents an update on Security-Enhanced Linux and introduces a project to bring similar security enhancements to Sun’s OpenSolaris operating system. The next article, “Providing a Secure Foundation for Applications with the Certifiable Linux Integration Platform,” by Todd Paisley, Brandon Whalen, and Stephen Lawrence, introduces an NSA project to enable quicker and cheaper deployment of secure system solutions to meet mission needs. The article “Cryptographic Binding of Metadata,” by Calvin Mason, calls attention to the importance of trustworthy metadata and presents a summary of two NSA projects to protect metadata. Finally, our focus article, “Open Source Software—A Growing Trend,” by Russ Sutcliffe and Ray

Tux, the creation of Larry Ewing (lewing@isc.tamu.edu), has represented Linux since […]. The original Tux logo was created with GIMP—the GNU Image Manipulation Program. Custom versions of Tux will serve as the guide through this open source edition of The Next Wave.

The Linux penguin and GIMP are two examples of open source products available free to the public for use and modification.

The Next Wave is published to disseminate technical advancements and research activities in telecommunications and information technologies. Mentions of company names or commercial products do not imply endorsement by the US Government. For more information, please contact us at [email protected]

CONTENTS

FEATURES
Taking the Open Source Road
Raising the Bar in Operating System Security: SELinux and OpenSolaris FMAC
Providing a Secure Foundation for Applications with the Certifiable Linux Integration Platform
Cryptographic Binding of Metadata

FOCUS
Open Source—Setting Software Free

Taking the Open Source Road

The direction is clear. Open-source software is paving a path to the information-centric future envisioned by the U.S. Department of Defense (DoD).

In an address to Department personnel, the Pentagon’s deputy chief information officer (DCIO), David M. Wennergren, explained the reason for taking this new direction.

“In today’s world we have to share information with people we never even dreamed of, using tools and means we never thought of before, [in] non-traditional ways with non-traditional organizations. And that’s the power of the information world.”


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·V 5HVHDUFK SRSXODU :KLWH+RXVHJRY ZHE VLWH VZLWFKHG IURP 'LUHFWRUDWH 5' KDV EHHQ H[SORULQJ WKH UROH 266 DSURSULHWDU\FRQWHQWPDQDJHPHQWV\VWHPWRRSHQ FDQSOD\LQKHOSLQJWKH'R'DFKLHYHLWVPLVVLRQV VRXUFH 'UXSOH LQ 2FWREHU  &LWLQJ WKH SRWHQWLDO (IIRUWV E\ 5' UHVHDUFKHUV OHG WR WKH SXEOLF UHOHDVH IRU HYHU\GD\ FLWL]HQV FRQWULEXWLQJ WR WKH HYROXWLRQ LQ 'HFHPEHU  RI VHFXULW\HQKDQFHG 6( /LQX[ RI WKH ZHE VLWH :KLWH +RXVH PHGLD GLUHFWRU 0DFRQ 6LQFH WKHQ GHYHORSHUV IURP +3 +LWDFKL 6RIWZDUH 3KLOOLSV VDLG ´:H·UH ORRNLQJ IRUZDUG WR JHWWLQJ WKH ,%0 1(& 5HG +DW DQG RWKHU FRPPHUFLDO DV EHQHÀW RI WKHLU HQHUJ\ DQG LQQRYDWLRQµ ZHOO DV SULYDWH LQVWLWXWLRQV KDYH FRQWULEXWHG WR 7KH RSHQVRXUFH URDG DW WLPHV KDV EHHQ D H[WHQGLQJ WKH SURJUDP·V IHDWXUHV DQG PDWXULQJ LWV EXPS\ RQH QRW MXVW IRU WKH 'R' DV ,7 SODQQHUV IXQFWLRQDOLW\ )RU DQ LQGHSWK ORRN DW 6(/LQX[ VHH DWWHPSW WR VWHHU D FRXUVH VWUDGGOLQJ WKH EHQHÀWV ´5DLVLQJWKH%DULQ2SHUDWLQJ6\VWHP6HFXULW\µ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ÀFLDOO\ HQGRUVHG WKH XVH RI ,QIRUPDWLRQ 6\VWHPV $JHQF\ ',6$  ',6$ 266 VWDWLQJ DV PXFK LQ JXLGHOLQHV SXEOLVKHG LQ VSHQW DOPRVW D GHFDGH EXLOGLQJ WKH ZHEEDVHG  $ PHPRUDQGXP UHOHDVHG  2FWREHU  IHGHUDO ZRUNIRUFH PDQDJHPHQW ZRUNÁRZ DQG E\ WKH &,2 WHDP SURYLGHV ´FODULI\LQJ JXLGDQFHµ DGPLQLVWUDWLYH VRIWZDUH VXLWH IRU XVH E\ PRUH WKDQ LQWHQGHG WR RYHUFRPH ´PLVFRQFHSWLRQV DQG  PLOLWDU\ SHUVRQQHO PLVLQWHUSUHWDWLRQV RI WKH H[LVWLQJ ODZV SROLFLHV :KHQ RWKHU JRYHUQPHQW GHSDUWPHQWV DQGUHJXODWLRQVWKDWGHDOZLWKVRIWZDUHDQGDSSO\ ZDQWHG WR DGRSW WKH &0,6 VXLWH RI PRUH WKDQ WR 266µ '&,2 :HQQHUJUHQ VWDWHV LQ WKH PHPR WKDW  DSSOLFDWLRQV ',6$·V GLUHFWRU RI PDQSRZHU WKHVH PLVFRQFHSWLRQV DQG PLVLQWHUSUHWDWLRQV KDYH SHUVRQQHO DQG VHFXULW\ -DFN 3HQNRVNH DVNHG KDPSHUHG 'R' HIIRUWV WR HIIHFWLYHO\ GHYHORS DQG ´:K\ QRW OHW WKHP"µ $QG LI VKDULQJ &0,6 ZLWK XVH266 RWKHU IHGHUDO DJHQFLHV ZDV D JRRG LGHD ZK\ QRW 266 KDV DOUHDG\ EHHQ DGRSWHG E\ VHYHUDO LQFOXGH DFDGHPLD LQGXVWU\ DQG WKH 
HQWLUH 26 'R' DJHQFLHV ZLWK LWV H[WHQVLYH XVH FLWHG DV HDUO\ FRPPXQLW\" DV  ,Q D VWXG\ SUHSDUHG IRU WKH 'R' ´8VH ',6$ GLG MXVW WKDW ,Q 0DUFK  WKH RI)UHHDQG2SHQ6RXUFH6RIWZDUH )266 LQWKH 3HQWDJRQ·V LQIRUPDWLRQ WHFKQRORJ\ XQLW DQQRXQFHG 86 'HSDUWPHQW RI 'HIHQVHµ 0,75( &RUSRUDWLRQ DFRRSHUDWLYHUHVHDUFKDQGGHYHORSPHQWDJUHHPHQW IRXQGWKDW´)266VRIWZDUHSOD\VDIDUPRUHFULWLFDO &5$'$ ZLWK WKH 2SHQ 6RXUFH 6RIWZDUH ,QVWLWXWH UROH LQ WKH 'R' WKDQ KDV EHHQ JHQHUDOO\ UHFRJQL]HGµ WR PDNH DQ 26 YHUVLRQ RI &0,6 DYDLODEOH WR 1RZ WKH  PHPRUDQGXP ZKLFK VXSHUVHGHV RWKHU IHGHUDO DJHQFLHV DFDGHPLD QRQSURÀW 'R' JXLGHOLQHV RI VHYHQ \HDUV DJR RSHQV WKH GRRU RUJDQL]DWLRQV DQG LQGXVWU\ WR UHXVH DQG LPSURYH WRHYHQJUHDWHUSUROLIHUDWLRQRI266SURGXFWVLQWKH ',6$ XVHG $GREH &ROG )XVLRQ DQG 0LFURVRIW 64/ IXWXUH 6HUYHU  WR EXLOG 26&0,6 7KH GHSDUWPHQW·V 2QH IRUFH DFFHOHUDWLQJ WKH 'R'·V DGRSWLRQ RI HIIRUW ZDV UHFRJQL]HG E\ *RYHUQPHQW &RPSXWHU 266 PD\ FRPH IURP WKH PHPR·V DIÀUPDWLRQ WKDW 1HZV *&1 DV RQH RI WKH ´ JUHDW JRYHUQPHQW ,7 ´LQ DOPRVW DOO FDVHV 266 PHHWV WKH GHÀQLWLRQ RI SURMHFWVµ IRU  ¶FRPPHUFLDO FRPSXWHU VRIWZDUH·µ DQG QHHGV WR EH

The Next Wave „ Vol 18 No 2 „ 2009 5 WUHDWHGDVVXFK&ODVVLI\LQJ266DVDFRPPHUFLDO ZRUNVµ ÀQDQFLDO JDLQ %\ DSSO\LQJ WKLV GHÀQLWLRQ LWHP JUDQWV LW VSHFLDO FRQWUDFWXDO FRQVLGHUDWLRQ WR 266 VLPSO\ LPSURYLQJ FRGH³VRPHWKLQJ 86 ODZ  86&  FDOOV IRU JRYHUQPHQW HQFRXUDJHG E\ WKH RSHQVRXUFH FRPPXQLW\ DQG SURFXUHPHQW WR IDYRU FRPPHUFLDO VXSSOLHV DQG H[SUHVVHGLQWKH26'DQGWKH)6'³LVDIRUPRI VHUYLFHV 7KH ODZ UHTXLUHV KHDGV RI DJHQFLHV WR ÀQDQFLDO JDLQ PDNLQJ WKH VRIWZDUH FRPPHUFLDO HQVXUH WKDW SURFXUHPHQW RIÀFLDOV DUH WUDLQHG LQ 0RUH REYLRXV HIIRUWV WR FRPPHUFLDOL]H 266 WKHDFTXLVLWLRQRIFRPPHUFLDOSURGXFWV(YHU\RQH DUH JDLQLQJ PRPHQWXP DV ZHOO 5HVHDUFK ÀUP ,'& LQYROYHG LQ WKH SURFXUHPHQW SURFHVV PXVW E\ IRUHFDVWVDSHUFHQWFRPSRXQGDQQXDOJURZWK ODZ PDNH HYHU\ HIIRUW WR DFTXLUH FRPPHUFLDO UDWH &$*5  IRU 266 UHYHQXH ZRUOGZLGH RYHU SURGXFWV DQG UHTXLUH FRQWUDFWRUV WR LQFRUSRUDWH WKH QH[W ÀYH \HDUV 7KDW JDLQ ZRXOG SXVK UHYHQXH FRPPHUFLDO SURGXFWV ZKHQ SRVVLEOH $GGLWLRQDOO\ IURP 266 SDVW  ELOOLRQ E\  ,Q DGGLWLRQ WR VSHFLÀFDWLRQV IRU FRQWUDFW UHTXLUHPHQWV VKRXOG EH HVWDEOLVKHG 266 YHQGRUV OLNH 5HG +DW DQG 1RYHOO VWDWHG LQ WHUPV WKDW HQFRXUDJH ELGGHUV WR VXSSO\ VHUYLFHEDVHG ,7 EXVLQHVVHV VXFK DV ,%0 DQG FRPPHUFLDO SURGXFWV DQG SURFXUHPHQW SROLFLHV 2UDFOH KDYH EHHQ WDSSLQJ WKH RSHQVRXUFH PDUNHW SUDFWLFHV DQG SURFHGXUHV DUH WR EH ZULWWHQ RU E\ RIIHULQJ 266 VXSSRUW *RRJOH·V 266 VWUDWHJ\ UHYLVHGWRUHGXFHLPSHGLPHQWVWRWKHLUDFTXLVLWLRQ KDV EHHQ WR VKLIW HPSKDVLV DZD\ IURP WKH FRGH LQ 3ROLFLHV VHW RXW LQ )HGHUDO $FTXLVLWLRQ IDYRURIWUDQVSDUHQF\DQGDSSOLFDWLRQSURJUDPPLQJ 5HJXODWLRQ )$5  DQG WKH 'R' VXSSOHPHQW LQWHUIDFHV $3,V  (YHQ 0LFURVRIW LV SURPRWLQJ ')$56  VSHFLÀFDOO\ UHTXLUH HIIRUWV WR VXSSRUW LQWHURSHUDELOLW\ EHWZHHQ WKH H[HFXWLYHDJHQFLHVWRLQFOXGH266ZKHQFRQGXFWLQJ FRPSDQ\·V SURSULHWDU\ OLQH RI SURGXFWV DQG 266 PDUNHW UHVHDUFK IRU VRIWZDUH SURFXUHPHQWV 7KLV ,Q DGGLWLRQ WR DVVXULQJ 'R' DJHQFLHV LW·V REOLJDWLRQ SODFHV 266 SURGXFWV RQ HTXDO IRRWLQJ 2. 
WR XVH 266 DQG UHTXLULQJ WKHP WR LQFOXGH ZLWKDOORWKHUFRPPHUFLDOSURGXFWV 266 VROXWLRQV LQ WKH SURFXUHPHQW SURFHVV '&,2 6WLOO PLVFRQFHSWLRQV DQG PLVLQWHUSUHWDWLRQV :HQQHUJUHQ OLVWHG VHYHQ ´SRVLWLYH DVSHFWVµ RI VWDQGLQWKHZD\RIJRYHUQPHQWDJHQFLHVDGRSWLQJ 266WKDW'R'GHSDUWPHQWVVKRXOGFRQVLGHUZKHQ 266 DFFRUGLQJ WR '&,2 :HQQHUJUHQ $PELJXRXV FRQGXFWLQJPDUNHWUHVHDUFKIRUVHOHFWLQJVRIWZDUH WHUPLQRORJ\ DVVRFLDWHG ZLWK 266 KDV OHG LQ SDUW WR VRPH RI WKHVH PLVFRQFHSWLRQV &RPPRQ XVDJH     RI WKH ZRUG IUHH KDV FRQWULEXWHG WR WKH PLVWDNHQ        XQGHUVWDQGLQJ WKDW IUHHZDUH GRHV QRW TXDOLI\ DV D FRPPHUFLDO SURGXFW 7KH UHIHUHQFH WR ´IUHHµ LQ )266 RU ´OLEUHµ LQ )/266 IUHHOLEUH RSHQ VRXUFHVRIWZDUH DSSOLHVWRIUHHRUOLEUHDFFHVVWR        XVH PRGLI\ DQG H[WHQG D SURGXFW·V XQGHUO\LQJ       FRGH DQG QRW WR WKH FRVW RI WKH VRIWZDUH %RWK       WKH )UHH 6RIWZDUH 'HÀQLWLRQ )6' DQG WKH 2SHQ        6RXUFH 'HÀQLWLRQ 26'  WKH WZR PDLQ GRFXPHQWV     JRYHUQLQJ 266 GHYHORSPHQW DQG XVH VXSSRUW WKLV         LQWHUSUHWDWLRQ %\ 86 *RYHUQPHQW VWDQGDUGV RSHQVRXUFH           VRIWZDUH LV QRW QHFHVVDULO\ IUHH VRIWZDUH HYHQ    ZKHQ LW LV DYDLODEOH IUHH RI FKDUJH :KHQ &RQJUHVV      HQDFWHG WKH 1R (OHFWURQLF 7KHIW $FW 1(7 RI  +5  WR FULPLQDOL]H FRS\ULJKW LQIULQJHPHQW      GRQH ´ZLOOIXOO\ DQG IRU SXUSRVHV RI FRPPHUFLDO DGYDQWDJH RU SULYDWH ÀQDQFLDO JDLQµ WKH GHÀQLWLRQ         IRU ´ÀQDQFLDO JDLQµ ZDV DGGHG WR 6HFWLRQ  RI 86    FRS\ULJKW ODZ 7KH 86 3DWHQW 2IÀFH QRZ FRQVLGHUV     WKH ´UHFHLSW RU H[SHFWDWLRQ RI UHFHLSW RI DQ\WKLQJ RI YDOXH LQFOXGLQJ WKH UHFHLSW RI RWKHU FRS\ULJKWHG


 5HGXFHGFRVWRIRZQHUVKLS$OOXVHUVRI266 6RXUFH 6RIWZDUH )$4 DYDLODEOH WKURXJK WKH 'R' VKDUH WKH UHVSRQVLELOLW\ IRU LWV PDLQWHQDQFH ZHE VLWH DQG ,QWHOLQN VWDWHV ´«GR QRW XVH WKH WHUPV 7KH RYHUDOO FRVW RI VRIWZDUH RZQHUVKLS LV WKHUHIRUHUHGXFHGIRUDOOSDUWLHV ¶IUHHZDUH· RU ¶VKDUHZDUH· DV D V\QRQ\P IRU ¶RSHQ VRXUFH VRIWZDUH·µ  5DSLG SURWRW\SLQJ DQG H[SHULPHQWDWLRQ 266 LV SDUWLFXODUO\ VXLWDEOH IRU VRIWZDUH $QRWKHU FRQFHUQ DERXW 266 LV WKDW D ODFN RI GHYHORSPHQW 7KH DELOLW\ WR ´WHVW GULYHµ DSSURSULDWH PDLQWHQDQFH DQG VXSSRUW SUHVHQWV DQ WKH VRIWZDUH ZLWK PLQLPDO FRVWV DQG LQIRUPDWLRQDVVXUDQFHULVN%XWWKLVLVWUXHIRUDOO DGPLQLVWUDWLYH GHOD\V SURYLGHV DGGHG EHQHÀ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·W EH LQWHUSUHWHG DV RYHUULGLQJ IDFWRUV IRU LQWHJUDWHG RU PRGLÀHG IRU XVH LQ FODVVLÀHG RU RWKHU PDNLQJ SURFXUHPHQW GHFLVLRQV ´8OWLPDWHO\ WKH VHQVLWLYH 'R' V\VWHPV LV DOVR FKDOOHQJHG 7KH VRIWZDUH WKDW EHVW PHHWV WKH QHHGV DQG PLVVLRQ PHPR QRWHV ´«PDQ\ RSHQ VRXUFH OLFHQVHV SHUPLW RI WKH 'HSDUWPHQW VKRXOG EH XVHG UHJDUGOHVV RI WKHXVHUWRPRGLI\266IRULQWHUQDOXVH>HPSKDVLV ZKHWKHUWKHVRIWZDUHLVRSHQVRXUFHµ SURYLGHG@ ZLWKRXW EHLQJ REOLJDWHG WR GLVWULEXWH +RZHYHU D YDULHW\ RI PLVFRQFHSWLRQV VRXUFH FRGH WR WKH SXEOLFµ DERXW 266 DUH LGHQWLÀHG E\ '&,2 :HQQHUJUHQ 6WLOO IHGHUDO DJHQFLHV DUH UHTXLUHG WR DV FRQVWUDLQLQJ WKH DGRSWLRQ RI 266 VROXWLRQV LQ GLVVHPLQDWH QHZ VRIWZDUH DV ZLGHO\ DV SRVVLEOH VRPH 'R' GHSDUWPHQWV 7KHVH PLVFRQFHSWLRQV %HFDXVHVRIWZDUHVRXUFHFRGHDQGDVVRFLDWHGGHVLJQ LQFOXGH FRQFHUQV DERXW UHYLHZLQJ FRGH VXSSRUWLQJ GRFXPHQWV DUH GHÀQHG DV ´GDWDµ E\ 'R' 'LUHFWLYH WKH VRIWZDUH DQG PDNLQJ WKH VRXUFH FRGH SXEOLFO\  WKH\ DUH WR EH VKDUHG DFURVV WKH 'R' WR DYDLODEOH %XW QRQH RI WKHVH FRQFHUQV DUH ZDUUDQWHG VXSSRUWPLVVLRQQHHGV266OLFHQVHVDFWXDOO\PDNH WKHPHPRDVVHUWV LW HDVLHU WR VKDUH WKHVH FRPSRQHQWV SURYLGLQJ HYHQ )RU H[DPSOH 3XEOLF 'RPDLQ 6RIWZDUH EHWWHU VXSSRUW IRU WKH 'R'·V QHWZRUNFHQWULF GDWD &RQWURO '&3' LQ 'R' ,QVWUXFWLRQ  VWUDWHJ\ 7KHUHIRUH LW LV XS WR WKH SURMHFW PDQDJHU 
´,QIRUPDWLRQ $VVXUDQFH ,$ ,PSOHPHQWDWLRQµ LV SURJUDP PDQDJHU RU RWKHU FRPSDUDEOH RIÀFLDO VRPHWLPHVFLWHGDVUHVWULFWLQJWKHXVHRI2667KH WR XQGHUVWDQG KRZ WKH 'HSDUWPHQW LQWHQGV WR XVH FRQWURO VWDWHV DQG UHGLVWULEXWH DQ\ 'R'PRGLÀHG FRGH DQG WKH VSHFLÀF UHTXLUHPHQWV RI WKH JRYHUQLQJ 266 OLFHQVH $FWLQJ $VVLVWDQW 6HFUHWDU\ RI 'HIHQVH IRU             1HWZRUNV DQG ,QIRUPDWLRQ ,QWHJUDWLRQ $6' 1,,        DQG 'R' &,2 &KHU\O 5RE\ FDOOV LQIRUPDWLRQ ´RXU        JUHDWHVWVWUDWHJLFDVVHWµ7RWUDQVIRUPWKH'R'LQWR        D QHWZRUNFHQWULF RUJDQL]DWLRQ URDGEORFNV WR WKDW       LQIRUPDWLRQ PXVW FRPH GRZQ '&,2 :HQQHUJUHQ EHOLHYHV DFKLHYLQJ D QHWFHQWULF IRUFH LV ´PXFK PRUH DERXW FXOWXUH FKDQJH WKDQ WHFKQRORJLFDO FKDQJHµ 7KLVFRQWUROSURWHFWVDJDLQVWWKHSURFXUHPHQW RI VRIWZDUH ZKHQ WKH *RYHUQPHQW GRHV QRW KDYH 3DUW RI WKDW FXOWXUH FKDQJH PHDQV DFFHSWLQJ 266 DFFHVV WR WKH RULJLQDO VRXUFH FRGH PDNLQJ LW DV D YLDEOH VRIWZDUH VROXWLRQ IRU PHHWLQJ PLVVLRQ GLIÀFXOW RU LPSRVVLEOH WR UHYLHZ UHSDLU RU H[WHQG QHHGV7KHDGRSWLRQRIPRUHRSHQVRXUFHVRIWZDUH WKH VRIWZDUH %XW &,2 JXLGDQFH SRLQWV RXW WKDW SURMHFWV E\ IHGHUDO DJHQFLHV FRXOG PDUN DQ LPSRUWDQW EHFDXVH WKH JRYHUQPHQW GRHV KDYH DFFHVV WR WKH VWHSDORQJWKHURDGWRDQLQIRUPDWLRQFHQWULFIXWXUH RULJLQDO VRXUFH FRGH RI RSHQ VRXUFH VRIWZDUH WKHVH IRUWKH'R' WHUPV GR QRW DSSO\ )RU WKLV UHDVRQ WKH 'R' 2SHQ

Raising the Bar in Operating System Security: SELinux and OpenSolaris FMAC

Abstract

Over the past several years, the Security-Enhanced Linux (SELinux) reference implementation of the Flask security architecture has undergone a rapid evolution in its capabilities and maturity thanks to a large and growing developer and user community. SELinux has also influenced a wide range of related work in other operating systems, hypervisors, and applications. In 2008, a new project was started to bring the same Flask security architecture demonstrated in SELinux to the OpenSolaris™ operating system via the OpenSolaris Flexible Mandatory Access Control (FMAC) project. These efforts have fundamentally changed the terms of debate about operating system security and ushered security features previously limited to separate niche products into the mainstream. This article describes the major advances and changes in SELinux that have occurred during the last several years; summarizes other related work that has flowed out of the SELinux project; and introduces the goals, design, and status of the OpenSolaris FMAC project.

Introduction

Security-Enhanced Linux (SELinux) was developed by the National Information Assurance Research Laboratory (NIARL) of the National Security Agency (NSA) starting in 1999 and was first released to the general public via the nsa.gov web site in December 2000. SELinux was created by NSA as a reference implementation of the Flask security architecture for flexible mandatory access control (MAC) in order to show how such controls could be added to a mainstream operating system and to demonstrate the value of MAC [1]. SELinux was intended to serve both as a technology transfer vehicle for encouraging adoption of flexible MAC into mainstream operating systems and as a research platform for advanced security research and development.

Prior to the release of SELinux, MAC was only available in separate "trusted" operating system products and was limited to fixed hierarchical security models that were unable to express many kinds of real security goals. The public release of SELinux drew the interest of both advanced Linux users and the Linux kernel developers, which led to an invitation to present SELinux at the Linux kernel developer


VXPPLW LQ 0DUFK  7KH UHVXOWLQJ &RUH  UHOHDVH LQ 1RYHPEHU  7KLV FRQÀJXUDWLRQ WR GHPRQVWUDWH WKH FRQFHSWV GLVFXVVLRQ DW WKDW VXPPLW OHG WR WKH VHFXULW\ SROLF\ FRQÀJXUDWLRQ ZDV FDOOHG DQG WKH YDOXH RI ÁH[LEOH 0$& (DUO\ FUHDWLRQ RI WKH /LQX[ 6HFXULW\ 0RGXOHV WKH ´WDUJHWHGµ VHFXULW\ SROLF\ EHFDXVH LW DGRSWHUV RI 6(/LQX[ XVHG WKDW H[DPSOH /60 SURMHFWDQRSHQVRXUFHSURMHFWWR DSSOLHG 6(/LQX[ WR SURWHFWLQJ VSHFLÀF SROLF\ DV D EDVH DQG EHJDQ FRQWULEXWLQJ FUHDWHDFRPPRQVHFXULW\IUDPHZRUNLQWKH VHUYLFHV LH WKH ´WDUJHWVµ  WKDW ZHUH FKDQJHV DQG DGGLWLRQV WR LW OHDGLQJ WR /LQX[NHUQHOWKDWFRXOGVXSSRUWDYDULHW\ OLNHO\SRLQWVRIDWWDFNLQWRWKHV\VWHP YHU\ UDSLG JURZWK LQ LWV FRYHUDJH RI RIVHFXULW\PRGHOV'XULQJWKHQH[WFRXSOH 7KH )HGRUD 6(/LQX[ LQWHJUDWLRQ GLIIHUHQW DSSOLFDWLRQV EXW DW D FRVW LQ RI \HDUV WKH 6(/LQX[ GHYHORSHUV VHUYHG ZRUN DQG WKH UHVXOWLQJ FRPPXQLW\ WHVW WHUPV RI XQGHUVWDQGDELOLW\ DQG HDVH RI DV FRUH FRQWULEXWRUV WR WKH GHYHORSPHQW LQJ DQG UHÀQHPHQW RI 6(/LQX[ IRUPHG WKH FXVWRPL]DWLRQ 16$ VSRQVRUHG ZRUN E\ RIWKH/60IUDPHZRUNDQGUHDUFKLWHFWHG EDVLV IRU LQFOXGLQJ 6(/LQX[ LQ WKH FRP 7UHV\V 7HFKQRORJ\ WR XQGHUWDNH D UH 6(/LQX[WRXVHWKH/60IUDPHZRUN7KH PHUFLDOO\VXSSRUWHG5HG+DWŠ(QWHUSULVH GHVLJQRIWKHEDVHSROLF\IRU6(/LQX[ZLWK /60IUDPHZRUNEHJDQWREHPHUJHGLQWR /LQX[ŠSURGXFW5HG+DW(QWHUSULVH/LQX[ D IRFXV RQ PRGXODULW\ XQGHUVWDQGDELOLW\ WKHPDLQOLQH/LQX[NHUQHOLQDQGWKH UHOHDVHGLQ)HEUXDU\VKLSSHGZLWK WRROVXSSRUWDQGFXVWRPL]DWLRQ7KLVZRUN UHPDLQLQJSRUWLRQVRIWKHIUDPHZRUNDQG 6(/LQX[ DV D GHIDXOWHQDEOHG VHFXULW\ KDV\LHOGHGWKH6(/LQX[UHIHUHQFHSROLF\ WKH6(/LQX[VHFXULW\PRGXOHZHUHPHUJHG IHDWXUH SURYLGLQJ RXWRIWKHER[ FRQÀQH ZKLFKKDVVXSSODQWHGWKHRULJLQDOH[DPSOH LQWRWKHPDLQOLQH/LQX[NHUQHOVHULHV PHQWRIRYHUDGR]HQV\VWHPVHUYLFHV7KLV SROLF\DVWKHVWDQGDUGEDVHSROLF\IRUDOO E\WKHHQGRI UHOHDVH UHSUHVHQWHG WKH ÀUVW LQFOXVLRQ DQG PRGHUQ /LQX[ GLVWULEXWLRQ UHOHDVHV WKDW (YHQ SULRU WR LWV LQWHJUDWLRQ LQWR XVHRI0$&LQDPDLQVWUHDPFRPPHUFLDO VXSSRUW6(/LQX[VWDUWLQJZLWKWKH)HGRUD WKH PDLQOLQH /LQX[ NHUQHO DGYDQFHG RSHUDWLQJ V\VWHP 0$& ZDV 
QR ORQJHU &RUHUHOHDVHLQ0DUFK /LQX[ XVHUV KDG EHJXQ SDFNDJLQJ OLPLWHGWRVHSDUDWH´WUXVWHGµRSHUDWLQJV\V 7KH UHIHUHQFH SROLF\ ZDV DOVR 6(/LQX[ NHUQHO SROLF\ GHVLJQHGWRWDNHDGYDQWDJHRI DQG DSSOLFDWLRQ VXSSRUW IRU DQHZIHDWXUHLQWKH6(/LQX[ PXOWLSOH/LQX[GLVWULEXWLRQV “Linux security experts are reporting SROLF\ WRROFKDLQ WKDW ZDV VR WKDW WKH\ FRXOG XVH a growing list of real-world security DOVR EHLQJ GHYHORSHG E\ 6(/LQX[ IRU SURWHFWLQJ 7UHV\V 7HFKQRORJ\ LQ WKH WKHLURZQV\VWHPV6(/LQX[ situations in which the US National VDPH WLPHIUDPH VXSSRUW IRU SDFNDJHV IRU WKH 'HELDQ Security Agency’s SELinux security ORDGDEOH SROLF\ PRGXOHV *18/LQX[ GLVWULEXWLRQ 7KH RULJLQDO 6(/LQX[ SROLF\ ZHUH PDGH DYDLODEOH DV framework contains the damage FRQÀJXUDWLRQ DQG FRPSLOHU HDUO\ DV  DQG WKH resulting from a flaw in other software.” ZHUH ´PRQROLWKLFµ 7KDW +DUGHQHG*HQWRRSURMHFW D LV LQ RUGHU WR PDNH DQ\ VHFXULW\IRFXVHG VXESURMHFW 'RQ0DUWL/LQX[:RUOGFRP VXEVWDQWLYH FKDQJH WR SROLF\ RI WKH *HQWRR /LQX[ EH\RQG D IHZ VSHFLÀF IRUPV GLVWULEXWLRQ  EHJDQ LQFOXGLQJ 6(/LQX[ WHPV DQG KDG EHFRPH D JHQHUDOSXUSRVH RI FXVWRPL]DWLRQ HJ ERROHDQV ORFDO ÀOH VXSSRUW LQ  7KH JURZLQJ GHYHORSHU VHFXULW\IHDWXUH7KHLQFOXVLRQRI0$&LQ FRQWH[WV RQHQHHGHGWRREWDLQDFRPSOHWH DQG XVHU FRPPXQLW\ DURXQG 6(/LQX[ D PDLQVWUHDP FRPPHUFLDO RSHUDWLQJ V\V SROLF\ VRXUFH WUHH PDNH FRUUHVSRQGLQJ DQGWKHHIIRUWVWREULQJ6(/LQX[VXSSRUW WHPVHWWKHVWDJHIRUWKHUDSLGDGYDQFHVLQ FKDQJHV WR WKH VRXUFH ÀOHV DQG UHEXLOG LQWR WKH PDLQOLQH /LQX[ NHUQHO GUHZ WKH 6(/LQX[WKDWKDYHRFFXUUHGVLQFH WKH HQWLUH SROLF\ LQWR WKH ELQDU\ IRUP LQWHUHVW RI 5HG +DW ,QF ZKLFK EHJDQ SELinux: 2005–present UHTXLUHG E\ WKH NHUQHO /RDGDEOH SROLF\ ZRUN WR IXOO\ LQWHJUDWH 6(/LQX[ VXSSRUW PRGXOHVXSSRUWZDVGHYHORSHGWRHQDEOH Policy technology advances LQWR LWV /LQX[ GLVWULEXWLRQV LQ  LQGLYLGXDOSROLF\PRGXOHVWREHEXLOWDQG VWDUWLQJZLWKWKHLUQHZFRPPXQLW\EDVHG 2YHU WKH SDVW VHYHUDO \HDUV D QHZ SDFNDJHG VHSDUDWHO\ IURP RQH DQRWKHU )HGRUD GLVWULEXWLRQ 7KH 6(/LQX[ FRGH 
JHQHUDWLRQRISROLF\WHFKQRORJ\KDVEHHQ 7KLV PHFKDQLVP KDV HQDEOHG XVHUV WR ZDV ÀUVW LQFOXGHG LQ WKH )HGRUD &RUH  GHYHORSHG DQG GHSOR\HG IRU 6(/LQX[ HDVLO\ FUHDWH ORFDO SROLF\ PRGXOHV DV UHOHDVHLQ0D\HOLPLQDWLQJWKHQHHG 7KH DGYDQFHV LQ SROLF\ WHFKQRORJ\ KDYH QHHGHG IRU VLWH FXVWRPL]DWLRQ DQG LW KDV IRU VHSDUDWH SDWFKHV IRU WKH NHUQHO DQG LQFOXGHGWKHLQWURGXFWLRQRIWKHUHIHUHQFH HQDEOHG VRIWZDUH GHYHORSHUV WR HDVLO\ DSSOLFDWLRQV7KHLQWURGXFWLRQRIDVHFXULW\ SROLF\ WKH GHYHORSPHQW RI ORDGDEOH SDFNDJH SROLF\ IRU WKHLU DSSOLFDWLRQV SROLF\ FRQÀJXUDWLRQ IRFXVHG RQ FRQÀQLQJ SROLF\ PRGXOH VXSSRUW WKH FUHDWLRQ RI /RDGDEOHSROLF\PRGXOHVXSSRUWZDVDOVR VSHFLÀF QHWZRUNIDFLQJ VHUYLFHV VXFK SROLF\PDQDJHPHQWLQIUDVWUXFWXUHDQGWKH ÀUVW GHSOR\HG LQ )HGRUD &RUH  DVWKH$SDFKHZHEVHUYHUDQGWKH%,1' FRQYHUJHQFHRIVWULFWDQGWDUJHWHGSROLFLHV :KLOH WKH ORDGDEOH SROLF\ PRGXOH GRPDLQ QDPH VHUYHU PDGH LW SRVVLEOH WR 6(/LQX[ ZDV RULJLQDOO\ UHOHDVHG VXSSRUW ZDV EHLQJ PHUJHG LQWR WKH HQDEOH6(/LQX[E\GHIDXOWLQWKH)HGRUD E\ 16$ ZLWK D VPDOO H[DPSOH SROLF\ XSVWUHDP 6(/LQX[ XVHUODQG D QHZ

software library, libsemanage, was […] files and provides support for a wide range of local customizations to policy. Front-end tools such as semodule and semanage were created to enable users and higher level tools to perform policy management tasks. This library and the initial front-end tools also first appeared in Fedora Core […].

A practical compromise made early in the Fedora SELinux integration was to create a separate “targeted” policy configuration that focused on protecting network-facing services and left ordinary user sessions unrestricted, and use that policy as the default so that SELinux could be enabled by default without disrupting users. The complete example policy, with significantly more coverage of services and applications and support for user roles, became known as the “strict” policy configuration, and this strict policy configuration was not well supported and required significant expertise to successfully install and use. However, this compromise made it possible to incrementally expand the coverage of the targeted policy in each new release through the community testing and feedback process, since SELinux was enabled by default. With the introduction of the reference policy, both the strict and targeted policy variants were built from the reference policy sources based on a single tunable setting.

As a result, the targeted policy has grown from covering over a dozen services in the earliest release to covering over two hundred applications in modern releases. The last significant difference between the targeted and strict policies was eliminated starting with the Fedora […] release in November […], when support for confining users was introduced in targeted policy. The Fedora […] release in May […] used this support to define several user roles available by default and to support a kiosk mode of operation. Administrators can largely obtain the behavior of the strict policy by mapping users to confined roles, and they can optionally remove the unconfined policy module entirely, although this last step can be destructive to running processes and requires some care to do safely.

Figure 1: system-config-selinux screenshot

Figure 2: setroubleshoot screenshot

Improved usability

[…] that they encounter. In particular, the loadable policy module support and the management tools have enabled users to perform local customizations of policy to fit their particular needs and have enabled developers to ship customizations for their applications.
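The local customization workflow that loadable policy modules and semodule make possible usually starts from logged denials. The sketch below is an added example, not code from the article or from the SELinux project: it parses constructed AVC denial records, merges them into allow rules, renders the source of a local policy module, and lists the rules an administrator should review before loading. The module name local_httpd, the sample records and the list of permissions treated as risky are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration; they are not taken from the article.
SAMPLE_LOG = """\
type=AVC msg=audit(1257000000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1257000000.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1257000003.220:415): avc:  denied  { open } for  pid=2101 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1257000010.007:420): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1257000020.500:431): avc:  denied  { write } for  pid=2101 comm="httpd" name="hosts" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1257000030.000:440): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Only "denied" records matter here; "granted" records and other types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\s"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed review list: permissions that change or execute the target object.
RISKY_PERMS = {"write", "append", "create", "unlink", "setattr",
               "execute", "execmod", "execmem"}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]  # the MLS level, if present, may itself contain colons


def parse_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        key = (context_type(match["scontext"]),
               context_type(match["tcontext"]),
               match["tclass"])
        rules[key].update(match["perms"].split())
    return dict(rules)


def needs_review(rules):
    """List rules that would grant a permission from RISKY_PERMS."""
    flagged = []
    for (source, target, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            flagged.append((source, target, tclass, risky))
    return flagged


def render_module(name, rules, version="1.0"):
    """Render policy module source granting exactly the denied accesses."""
    types = sorted({t for source, target, _ in rules for t in (source, target)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (source, target, tclass), perms in sorted(rules.items()):
        lines.append(
            f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print(render_module("local_httpd", denials))
    for source, target, tclass, risky in needs_review(denials):
        print(f"# review before loading: {source} -> {target}:{tclass} {risky}")
```

The rendered source is what an administrator would compile and then load with semodule; the flagged write to etc_t shows why generated rules are reviewed, and often replaced by relabeling or a boolean, rather than loaded as they stand.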

Several graphical tools have also been developed in recent years to assist users with different aspects of SELinux. These tools include system-config-selinux, setroubleshoot, and the SELinux Integrated Development Environment (SLIDE). The first two tools were developed by Red Hat and first included in Fedora Core […] in October […]. The SLIDE tool can be freely downloaded from the Tresys Technology open source server (http://oss.tresys.com) and was included in the Fedora […] release in May […].

A graphical front-end to the semanage functionality, system-config-selinux allows the administrator to easily see and modify the current enforcing status, policy booleans, label assignments for fi[…]

Figure 3: SLIDE screenshot

A service for notifying users of SELinux denials, setroubleshoot helps users to diagnose denials and resolve them. It has increased user awareness of SELinux and enabled users to identify and solve common kinds of configuration errors. The tool can be configured to display alert pop-ups to the user on the desktop, or alerts can be handled via system logs or email notifications. See Figure 2 for a screenshot of setroubleshoot.

SLIDE is an Eclipse plug-in to provide a graphical user interface for policy developers with the conventional features of an integrated development environment, such as policy creation wizards, interface completion and searching, and policy syntax highlighting. Recent versions of SLIDE (see Figure 3) have incorporated support for remote policy debugging and integration with policy analysis tools.

Enhanced security functionality

The core security functionality of SELinux has undergone significant enhancements and improvements since […]. These enhancements have included extended security audit functionality […] to meet the Labeled Security Protection Profile requirements. SELinux was fully integrated with the Linux audit subsystem, enabling audit to include and filter based on security contexts. Likewise, the optional MLS model of the SELinux security server was enhanced and enabled by default, and userspace support for MLS requirements was developed. This work was done with the help of a wide range of contributors from HP, IBM, Red Hat, and Trusted Computer Solutions (TCS).

Red Hat developed a new mechanism for flexible network access controls called SECMARK, which combined the power of the Linux packet filtering framework with SELinux policy. Developers from IBM, TCS, and HP created and integrated two independent implementations of labeled networking mechanisms, labeled IPSEC and NetLabel/CIPSO. These mechanisms enable SELinux protections to be applied across network communications.

Improved performance and scalability

The original SELinux implementation included an Access Vector Cache […] specifically engage in any detailed performance optimizations. The original SELinux implementation also only dealt with ensuring safety on systems using an SMP (symmetric multiprocessing) version of the Linux kernel through the use of coarse-grained locking. This approach did not scale well on large SMP systems. Since the original inclusion of SELinux in Linux distributions, a number of performance and scalability improvements have been developed and integrated.

An engineer from NEC Corporation undertook work to enable SELinux to scale well on large SMP systems. He replaced the coarse-grained lock of the AVC with a scheme known as Read-Copy-Update (RCU), enabling SELinux to achieve near-perfect scalability. This made the deployment of SELinux practical on large systems.

As the default targeted policy grew in its coverage of services, the amount of kernel memory used by the policy was increasingly becoming too high and beginning to cause problems for users. As a result, the SELinux core developers discussed approaches to improve memory

The Next Wave „ Vol 18 No 2 „ 2009 11 XVH DQG D VHW RI PHPRU\ RSWLPL]DWLRQV FRQÀJXUDWLRQ JXLGH IRU /LQX[ LQ  WR H[SDQG WKHLU XVH RI LW DQG WR GLUHFWO\ ZHUHLPSOHPHQWHGE\16$WKDWUDGLFDOO\ WKH *XLGH WR WKH 6HFXUH &RQÀJXUDWLRQ VROYH SUREOHPV 7KH DQHFGRWDO HYLGHQFH UHGXFHGWKHNHUQHOPHPRU\XVHE\DIDFWRU RI 5HG +DW (QWHUSULVH /LQX[  $ORQJ RI LPSURYHG XVHU H[SHULHQFH IURP RI; ZLWK PDQ\ RWKHU WRSLFV WKH JXLGH SXEOLF PDLOLQJ OLVW GLVFXVVLRQV LV IXUWKHU $ QXPEHU RI PHPRU\ DQG SHUIRU GHVFULEHV WKH EHQHÀWV RI 6(/LQX[ IRU UHLQIRUFHGE\VWDWLVWLFVEHLQJFROOHFWHGE\ PDQFHRSWLPL]DWLRQVKDYHEHHQGHYHORSHG VHFXULW\ DQG H[SODLQV KRZ WR SHUIRUP WKH)HGRUDSURMHFWZKLFKEHJDQWRFROOHFW LQ UHFHQW \HDUV E\ FRQWULEXWRUV IURP WKH EDVLF FRQÀJXUDWLRQ DQG WURXEOHVKRRWLQJ LQIRUPDWLRQDERXW6(/LQX[VWDWXVVWDUWLQJ -DSDQHVH 6(/LQX[ FRPPXQLW\ ZRUNLQJ RI 6(/LQX[ 7KLV JXLGH MRLQV WKH RWKHU ZLWKWKH)HGRUDUHOHDVH7KHPDMRULW\RI RQXVLQJ6(/LQX[RQHPEHGGHGV\VWHPV FRQÀJXUDWLRQ JXLGHV SURGXFHG E\ WKH )HGRUDV\VWHPVUHSRUWLQJLQWRWKH)HGRUD LQFOXGLQJ FRQWULEXWLRQV IURP 1(& DQG 61$& RYHU WKH \HDUV IRU D ZLGH YDULHW\ SURMHFW VKRZ WKDW XVHUV NHHS 6(/LQX[ +LWDFKL 6RIWZDUH DPRQJ RWKHUV )XUWKHU RIRSHUDWLQJV\VWHPVDQGLVDYDLODEOHIURP HQDEOHG RSWLPL]DWLRQVWRWKHSROLF\GDWDVWUXFWXUHV KWWSZZZQVDJRYLDJXLGDQFH ,Q DGGLWLRQ WR )HGRUD DQG 5HG +DW KDYH \LHOGHG VLJQLÀFDQW LPSURYHPHQWV LQ 7KH &HUWLÀDEOH /LQX[ ,QWHJUDWLRQ GLVWULEXWLRQV 6(/LQX[ KDV FRQWLQXHG NHUQHO PHPRU\ XVH 7KH UHYDOLGDWLRQ RI 3ODWIRUP &/,3 LV D VSHFLÀF FRQÀJXUDWLRQ WR PDNH DGYDQFHV LQ DGRSWLRQ LQ RWKHU UHDG DQG ZULWH SHUPLVVLRQ RQ LQGLYLGXDO RI/LQX[DQGDVVRFLDWHGHYLGHQFHGHVLJQHG /LQX[GLVWULEXWLRQV7KH+DUGHQHG*HQWRR UHDGDQGZULWHV\VWHPFDOOVZDVRSWLPL]HG WR PHHW VHYHUDO HVWDEOLVKHG VHFXULW\ SURMHFWKDVFRQWLQXHGWRVXSSRUW6(/LQX[ WR GHDO ZLWK VLJQLÀFDQW RYHUKHDGV RQ WKH UHTXLUHPHQWV LQFOXGLQJ WKH 3URWHFWLRQ LQ WKH *HQWRR /LQX[ GLVWULEXWLRQ DQG WR 6XSHU+DUFKLWHFWXUHLPSURYLQJRYHUKHDG /HYHO 3/ UHTXLUHPHQWVIURPWKH'LUHFWRU LQWHJUDWH QHZHU 6(/LQX[ IHDWXUHV 7KH E\DIDFWRURIDURXQG; RI &HQWUDO ,QWHOOLJHQFH 
'LUHFWLYH '&,'  'HELDQ *18/LQX[ GLVWULEXWLRQ EHJDQ LQFOXGLQJ6(/LQX[VXSSRUWLQWKH'HELDQ Meeting security criteria ´3URWHFWLQJ6HQVLWLYH&RPSDUWPHQWHG ,QIRUPDWLRQZLWKLQ,QIRUPDWLRQ6\VWHPVµ UHOHDVH7KH8EXQWXGLVWULEXWLRQEHJDQ ,Q  5HG +DW (QWHUSULVH /LQX[ DQG WKH +LJK ,PSDFW UHTXLUHPHQWV IURP LQFOXGLQJ PLQLPDO 6(/LQX[ VXSSRUW LQ  ZDV YDOLGDWHG DJDLQVW WKH &RQWUROOHG WKH 1DWLRQDO ,QVWLWXWH RI 6WDQGDUGV DQG WKH8EXQWXUHOHDVHZKLFKZDVWKHQ $FFHVV 3URWHFWLRQ 3URÀOH &$33  WKH 7HFKQRORJ\ 1,67  6SHFLDO 3XEOLFDWLRQ IXUWKHU HQKDQFHG LQ WKH 8EXQWX  /DEHOHG 6HFXULW\ 3URWHFWLRQ 3URÀOH ´5HFRPPHQGHG6HFXULW\&RQWUROV UHOHDVH 1RYHOO EHJDQ LQFOXGLQJ EDVLF /633  DQG WKH 5ROH%DVHG $FFHVV IRU )HGHUDO ,QIRUPDWLRQ 6\VWHPVµ 6(/LQX[VXSSRUWDVDQRSWLRQDOIHDWXUHLQ &RQWURO 3URWHFWLRQ 3URÀOH 5%$&33 DW &/,3 GHÀQHV D VSHFLÀF FRQÀJXUDWLRQ RI 686(/LQX[ (YDOXDWLRQ $VVXUDQFH /HYHO  RQ +3 6(/LQX[ WR SURYLGH WKH IRXQGDWLRQ IRU 7KH EHQHÀWV RI 6(/LQX[ IRU DQG ,%0 KDUGZDUH 7KLV ZDV WKH UHVXOW KRVWLQJ VHFXULW\UHOHYDQW DSSOLFDWLRQV E\ PLWLJDWLQJ YXOQHUDELOLWLHV LQ VRIWZDUH DUH RI D FROODERUDWLYH HIIRUW DPRQJ +3 HQVXULQJWKDWWKHXQGHUO\LQJDVVXPSWLRQV LQFUHDVLQJO\EHLQJUHFRJQL]HG$QDUWLFOH ,%0 5HG +DW DQG 7&6 WKDW OHYHUDJHG PDGHE\WKRVHDSSOLFDWLRQVDUHHQIRUFHGE\ E\ 'RQ 0DUWL SXEOLVKHG RQ /LQX[:RUOG 6(/LQX[ WR SURYLGH WKH ODEHOHG VHFXULW\ WKHRSHUDWLQJV\VWHP,QSDUWLFXODU&/,3 FRP LQ )HEUXDU\  VWDWHG ´/LQX[ DQG UROHEDVHG VXSSRUW 7KLV ZRUN OHG OHYHUDJHV6(/LQX[LQRUGHUWRHQIRUFHWKH VHFXULW\ H[SHUWV DUH UHSRUWLQJ D JURZLQJ WR VHYHUDO LPSURYHPHQWV WR 6(/LQX[ VWURQJ VHSDUDWLRQ RI SURFHVVHV DQG GDWD OLVW RI UHDOZRUOG VHFXULW\ VLWXDWLRQV LQ LQFOXGLQJ LPSURYHG DXGLW 0/6 DQG VXSSRUW GLIIHUHQW XVHU UROHV DQG HQVXUH ZKLFKWKH861DWLRQDO6HFXULW\$JHQF\·V ODEHOHGQHWZRUNLQJ6*,KDVDOVRDFKLHYHG WKDW DSSOLFDWLRQ VHFXULW\ PHFKDQLVPV DUH 6(/LQX[ VHFXULW\ IUDPHZRUN FRQWDLQV YDOLGDWLRQRI5HG+DW(QWHUSULVH/LQX[ WDPSHUSURRI DQG FDQQRW EH E\SDVVHG WKH GDPDJH UHVXOWLQJ IURP D ÁDZ LQ RWKHU RQLWVKDUGZDUHLQ7KHVHYDOLGDWLRQV 7KH&/,3SURMHFWLVVSRQVRUHGE\16$·V 
VRIWZDUH>@µ,QGLVFXVVLQJWKHPLJUDWLRQ UHSUHVHQW WKH ÀUVW WLPH WKDW D PDLQVWUHDP &XVWRP 6ROXWLRQV *URXS DQG LV EHLQJ RI WKHLU PLVVLRQFULWLFDO WUDGLQJ SODWIRUP FRPPHUFLDORSHUDWLQJV\VWHPSURGXFWKDV GHYHORSHG E\ 7UHV\V 7HFKQRORJ\ &/,3 WR /LQX[ 6WHYH 5XELQRZ WKH &KLHI EHHQYDOLGDWHGDJDLQVWVXFKFULWHULDZKLFK FDQEHGRZQORDGHGIURPKWWSRVVWUHV\V ,QIRUPDWLRQ 2IÀFHU &,2 RI WKH 1HZ @µ UHVXOWLQJ GRFXPHQWDWLRQ DQG WHVW VXLWHV LQWKH)HGRUDDQGWKH5HG+DW(QWHUSULVH 6(/LQX[ KDV DOVR VHUYHG DV D GHVSLWHEHLQJFRPSHWLWRUV /LQX[ GLVWULEXWLRQV SURYLGLQJ RXWRI VHFXUHIRXQGDWLRQIRUDQXPEHURIVHFXUH 7KH6\VWHPVDQG1HWZRUN$QDO\VLV WKHER[ FRQÀQHPHQW RI DQ LQFUHDVLQJ VROXWLRQV GHYHORSHG IRU WKH JRYHUQPHQW &HQWHU 61$&  RI 16$ GHYHORSHG QXPEHURIV\VWHPVHUYLFHV7KHLPSURYHG 7KHVH V\VWHPV LQFOXGH WKH 1HW7RSŠ DQG UHOHDVHG WKHLU ÀUVWHYHU VHFXULW\ XVDELOLW\ RI 6(/LQX[ KDV HQDEOHG XVHUV V\VWHP RULJLQDOO\ SURWRW\SHG E\ 1,$5/ 12 Raising the Bar in Operating System Security FEATURE

and later productized by HP along with several derivative systems. It also includes the TCS Secure Office® Trusted Thin Client system. A number of Cross Domain Solution (CDS) systems have been developed by NSA and by other organizations that leverage SELinux to enforce separation and to ensure the assured invocation of the CDS application. As mentioned earlier, SELinux is also being leveraged by the CLIP project.

Along with growth in its user community, SELinux has experienced signifi[…] SELinux to advance rapidly in its feature set and maturity.

Platform for advanced R&D

In addition to serving as a technology transfer vehicle for encouraging adoption of flexible MAC by industry, SELinux has also served as a useful platform for advanced research and development. By providing a base system that supports flexible MAC and exports interfaces to support security-aware applications, SELinux enables research to proceed in understanding MAC in a complete system, from the low-level operating system up through infrastructure layers to the end user applications.

Securing the desktop environment experienced by typical users is one area of active research. This area is particularly challenging to secure due to the tight coupling of applications typical in such environments and the lack of consideration to any security boundary between processes within a desktop session. Addressing these challenges is critical in order to be able to protect against exploitation of flaws in commonly used desktop applications such as browsers and mail clients so that a flaw in a single program does not expose all of the user's data to risk. To date, work has been done by NSA to implement the D-BUS message service, the GConf configuration system, and the X Window System server with the necessary support for applying flexible MAC to their objects and operations []. Work is ongoing by NSA to develop library support for these extensions, address other components of the desktop infrastructure, and assist in developing policy for the X server that supports simple security goals. Future work includes addressing performance challenges, refining the controls based on experience with real applications, securing the direct rendering interface, providing […] flexible MAC services to higher layers. This includes the SE-PostgreSQL project, an effort by NEC Corporation to develop flexible MAC for database objects and transactions in the Postgres database management system. Research has also been performed by NSA into enforcing Risk Adaptive Access Control (RAdAC) by leveraging the SELinux operating system functionality to protect and isolate an application policy enforcer and by using the Flask architecture and userspace security server to provide policy decisions and revocation support [].

Enabling secure file sharing among networked or distributed systems is another area of active research, being led by NSA with support from SPARTA, Inc. This effort requires addressing challenges posed by systems with potentially different security policies that need to share data securely, as well as providing the basic mechanisms for conveying security attributes for processes and files across the network. Given the common use of such networked file systems in enterprise environments, enabling flexible MAC to be effectively applied to such file systems is likewise a crucial challenge. Experimental extensions to the NFSv[…] protocol have been proposed and prototyped, and work is ongoing to standardize the protocol changes and to get the implementation into a form acceptable to the Linux developer community. Future work will include dealing with heterogeneous policies.

While flexible MAC provides new capabilities for improved security, it also introduces its own set of challenges, including policy scalability and usability. Hence, research by NSA with support from Tresys Technology is ongoing into how to create an abstract layer for policy and how to more closely link the enforcement, debugging, and development of policy to enable users to more effectively develop […] be an area of active investigation. Early work in this area by Tresys Technology and Red Hat has yielded the current policy management infrastructure and tools such as semanage. Research by Tresys Technology, which was sponsored by NSA, has also yielded experimental prototypes of a policy management server to support fine-grained access control over the policy itself and of policy management infrastructure to support management of collections of systems. Work has recently started at Penn State University to investigate how to manage policy for virtualized environments with different collections of policy enforcing components.

Influencing other systems

The Flask security architecture demonstrated in SELinux has strongly influenced the security of a number of other systems and software components. In the application arena, this has included the D-Bus message bus software, the X Window System, and PostgreSQL, as previously noted, each of which now has a set of flexible MAC controls implemented that can extend the reach of the policy enforcement to their higher level objects and operations. In the virtualization arena, the Flask architecture has been applied to the Xen hypervisor, yielding the Xen Security Modules (XSM) framework

and the Xen Flask security module developed by NSA, enabling enforcement of policy over virtual machines and their interactions. […] FreeBSD® […]

OpenSolaris FMAC: origin and goals

In late […], NSA and Sun Microsystems, Inc. began a dialogue about integrating support for the Flask architecture into the Solaris™ operating system. This dialogue led to the launching of the Flexible Mandatory Access Control (FMAC) project on OpenSolaris.org in March. The project is a joint effort among NSA, Sun, and the OpenSolaris developer community to bring support for flexible MAC to the OpenSolaris operating system environment.

Unlike Linux, where there was no support for MAC at all prior to the integration of SELinux, the Solaris operating system has an existing MAC solution. Prior to Solaris […], this functionality was provided by Sun via a separate product, the Trusted Solaris operating system. Like other trusted operating systems of its genre, Trusted Solaris was limited to a fixed MLS security model and tended to lag behind the latest release of Solaris due to the additional engineering and evaluation requirements. In Solaris […], some of the security functionality of Trusted Solaris, such as support for roles and privileges, was integrated into the main Solaris product and released as part of OpenSolaris. The MLS support was redesigned around the Solaris “zones” […] “zones” and isolating […] support per-process and per-object security labeling. TX is also presently limited to a fixed MLS model like its predecessors.

FMAC aims to address these limitations by supporting per-process and per-object labeling and permission checks and by introducing flexible MAC support to OpenSolaris that can support a wide range of security models. The zone-based mechanism will still be useful as a way of providing coarse-grained isolation and namespace separation, while FMAC will be used in a complementary fashion to provide intra-zone protection, hardening of the global zone, and control over cross-zone channels. In this manner, FMAC and TX should be able to complement one another and ultimately form an integrated solution.

FMAC also aims to complement the existing Solaris privilege and Role-Based Access Control (RBAC) mechanisms. Just as SELinux provides a way to control the use of Linux superuser capabilities based on policy, FMAC will provide a way to control the use of Solaris privileges based on policy. This control will include the ability to bind privileges to specific processes and programs, to limit the use of privileges by a given process to specific objects and to protect privileged processes from untrustworthy inputs, just as in SELinux. Unlike Linux prior to […] While complementing these existing […] APIs will provide the same semantics as the corresponding SELinux APIs so that security-aware applications can be written portably to run on either SELinux or OpenSolaris FMAC.

Ultimately, the OpenSolaris FMAC project will provide a wider set of platforms that support the Flask architecture for flexible MAC and will expand the developer and user community for Flask. It should also help encourage independent software vendors (ISVs) to improve application-level support for flexible MAC and to provide policies for their applications.

FMAC status

The initial FMAC code base was contributed by NSA to OpenSolaris, based on a version of the Flask code that predated any involvement by the Linux community. This code was then integrated into the OpenSolaris code and adapted by John Weeks, a Sun engineer who is the co-lead of the FMAC project. This code was first released publicly as an Alpha release on the FMAC project web site in May. When built, it produced a policy compiler and a kernel capable of loading the resulting policy into the security server.

The Next Wave | Vol 18 No 2 | 2009


Since that first release of FMAC, joint development by NSA and Sun Microsystems has proceeded rapidly. Support for new system calls and utilities and for per-process security labeling was introduced during the summer of […], leading to an Alpha […] release in early September. Shortly thereafter, prototype support for per-file security labeling in the ZFS file system was introduced, which paved the way for supporting security context transitions upon program execution and for performing a basic set of process and file mandatory access control checks. This work produced a basic working example of how flexible mandatory access controls could be applied to an OpenSolaris system. This functionality, along with subsequent enhancements to support labeling in the TMPFS file system and improve the Access Vector Cache (AVC) interfaces and implementation in FMAC, was included in the Alpha release made in late October.

The next two major areas of focus for FMAC integration are privileges and RBAC. Significant work also remains to label and control other objects and operations provided by the Solaris kernel, create a complete example policy configuration, and integrate support for FMAC fully into user space. More advanced development and collaboration with the SELinux project in areas such as securing the desktop, policy usability and management, and labeled NFS will likely follow as FMAC matures.

Conclusion

The SELinux project has brought flexible MAC into the mainstream, achieving success both as a technology transfer vehicle and as a platform for advanced research and development. It has influenced a wide range of systems and software components, as shown most recently in the OpenSolaris FMAC project. The developer and user community that has arisen around the core ideas embodied in SELinux and OpenSolaris FMAC gives confidence that this technology will continue to be preserved and built upon in future computing systems, providing a solid foundation for addressing the threats posed by flawed and malicious applications. The advances in usability, performance, and functionality over the past several years have made these benefits far more accessible to end users.

Resources

NSA SELinux web site, http://www.nsa.gov/research/selinux
SELinux project wiki, http://selinuxproject.org
Tresys Open Source Server, http://oss.tresys.com
OpenSolaris FMAC web site, http://opensolaris.org/os/project/fmac

References

[1] Loscocco P, Smalley S. Integrating Flexible Support for Security Policies into the Linux Operating System. In: Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference; June 2001.

[2] Marti D. A seatbelt for server software: SELinux blocks real-world exploits. Available from: http://www.linuxworld.com/news/2008/022408-selinux.html

[3] Red Hat. NYSE Euronext Chooses Red Hat Solutions for Flexibility and Reliable, Fast-Paced Performance. Available from: http://customers.press.redhat.com/2008/05/12/nyse/

[4] Walsh E. Application of the Flask Architecture to the X Window System Server. In: Proceedings of the 2007 SELinux Symposium; March 2007.

[5] Carter J. Using GConf as an Example of How to Create an Userspace Object Manager. In: Proceedings of the 2007 SELinux Symposium; March 2007.

[6] Gregory M. Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls. In: Proceedings of the 2007 SELinux Symposium; March 2007.

Trademarks

FreeBSD® is a registered trademark of the FreeBSD Foundation.
Linux® is a registered trademark of Linus Torvalds.
Red Hat® Enterprise Linux® is a registered trademark of Red Hat, Inc.
NetTop® is a registered trademark of the National Security Agency.
Secure Office® is a registered trademark of Trusted Computer Systems, Inc.
Solaris™ and OpenSolaris™ are trademarks of Sun Microsystems, Inc.

Providing a Secure Foundation for Applications with the Certifiable Linux Integration Platform

The needs of the national security community frequently require custom computing solutions; however, current development practices result in each solution requiring an individualized secure foundation. Without a common foundation, each computing solution must then be developed and certified separately. The Certifiable Linux Integration Platform (CLIP) provides this common foundation for secure solutions and is targeted to decrease the time and associated cost spent on development and certification. In this article, we describe the CLIP project and highlight what CLIP provides to support custom solution development, particularly solutions that must be certified.


What is CLIP?

CLIP is an effort pioneered by the National Security Agency's Assured Information Sharing Technologies and Products Office with the goal of decreasing the time and cost associated with certifying and deploying trusted solutions. This project helps achieve Net-Centric Security Technologies' mission to provide technical information assurance (IA) guidance and to support the system security engineering process. The CLIP project provides an open source base that multiple projects can easily utilize as a resource. More specifically, CLIP provides:

• Underlying system configuration
• Initial application configuration
• Updated Security-Enhanced Linux (SELinux) policy with the goal of creating a more secure environment
• Updates and additional packages necessary to meet certain requirement sets, and
• Artifacts describing how the system maps to requirement sets that can be used as part of the evidence for certification

Need for a secure foundation

When constructing solutions vital to national security, system developers should ensure compatibility by properly configuring their custom applications with all other applications running on the operating system and with the operating system itself. However, developers frequently have neither the time nor the operating system expertise to properly configure all parts of the system. And even when properly configured, each system is often created and used for a single project and rarely shared among peers. This lack of sharing creates an environment where time, effort, and money must be spent during every development to repeat the procedure of locking down the system and its applications.

Certification and Accreditation

Certification and Accreditation (C&A) is an important and necessary part of the deployment of any security system. Every time a system is accredited, it must go through the certification process to verify that it meets all of its security and functional requirements. This process requires that developers spend time creating system documentation and mapping the documentation to requirement sets. The certification teams must also create tests that are then used to verify the developers' claims. Testing and verification is currently performed for each and every system that goes through the C&A process because no common configuration is used for all systems.

Reliance on proprietary hardware and software

When creating any custom solution, the developer faces the hurdle of obtaining access to the operating system source code. In the past, many solutions were created on closed-source operating systems that limited the developer's access to the source files. The developer was subsequently limited to only the list of documented calls, which may or may not have been the full set of actual calls. In this model, if developers found a problem, they had to rely on the vendor to provide a solution.

The use of proprietary hardware is another limiting factor in today's solutions. Custom solutions use operating systems that must run on proprietary hardware and cannot easily be ported. As the hardware ages, parts that are no longer manufactured must be replaced. This environment forces the developer to purchase duplicate sets of hardware to ensure long-term support.

CLIP explained

CLIP toolkit

The CLIP toolkit can be used by system developers to create a secure starting point when building solutions. Each toolkit is specific to a particular release of a commercially supported operating system. Toolkits have been created for Red Hat Enterprise Linux (RHEL) versions […] and […] through […]. The toolkit for RHEL […] is currently under development.

The toolkits vary in the specific packages they provide, but at minimum, each one provides a kickstart file that controls the initial system

configuration, a CLIP package manager (RPM) that installs CLIP specific utilities, and an updated SELinux policy RPM that hardens the standard reference policy package. The RHEL […] toolkit provides system updates to enable true role separation. The RHEL […] release adds to the previous release with support for labeling packets.

Each piece of the toolkit can be used separately if a developer chooses to do so, allowing CLIP to meet the needs of the dynamic environment in which systems are deployed.

SELinux as a basis

At a minimum, a secure foundation requires security mechanisms enforced by the operating system. SELinux provides the basis for this secure foundation.

SELinux [] is an implementation of Flask [], a flexible and fine-grained mandatory access control (MAC) architecture in the Linux kernel. The architecture separates the policy decision point, provided by the security server, from the policy enforcement point, implemented by the LSM (Linux Security Modules) framework [].

The Flask architecture [] provides flexibility in its support for security policies, thereby providing mechanisms to support a wide variety of real-world security policies. A security context is attached to every object on a system (e.g., files, processes, network packets). The security policy defines allowed access by subject security contexts to object security contexts with sets of permissions stored in access vectors. To minimize the performance impact of consulting the security policy, a security decision caching mechanism called the access vector cache (AVC) is used.

SELinux implements a combination of mandatory access control mechanisms to provide maximum flexibility and usability: type enforcement (TE), role-based access control (RBAC), and multilevel security (MLS). Type enforcement [] has been explored for many years (e.g., Domain and Type Enforcement [] and Distributed Trusted Operating System (DTOS) []) as an effective and flexible MAC mechanism. In type enforcement, all entities on a system are given a type, and every object or subject with the same type is treated identically. Access decisions are made based on the permissions granted to each type. Role-based access control [] provides a complementary mechanism to type enforcement in which access is granted based on roles assigned to users. Multilevel security provides a means to process data with different sensitivities or levels using the Bell-LaPadula (BLP) model [].

SELinux is available in a number of Linux distributions including Fedora, Gentoo, and Debian, as well as the commercially available Labeled Security Protection Profile (LSPP) Evaluation Assurance Level (EAL) […] Red Hat Enterprise Linux (RHEL) […]. It also has been ported to other operating systems including FreeBSD (Security Enhanced BSD []) and Apple's Darwin operating system (Security Enhanced Darwin []). The SELinux Reference Policy [] provides the basis for security policy on most of these systems.

System configuration

The CLIP installation configures the system to meet the Director of Central Intelligence Directive (DCID) […] Protection Level […] requirements and the Defense Information Systems Agency (DISA) Unix Security Technical Implementation Guide (STIG) v[…]r[…]. These configurations fall into three main categories: application and service installation, access control, and auditing.

To increase security and the ease of administration, CLIP installs only the base applications needed to run and administer the system. By default, it excludes many base applications not required for a functioning system, including applications such as web tools, office tools, and desktop environments. Some services are included in the base installation because of their common usage but are not needed for the system to function. These services are disabled, leaving only a handful running by default.

CLIP is also configured to greatly restrict user access to the system. Unneeded default accounts are either removed or disabled. Direct administrative (root) access to the system is disabled, requiring logging in as an unprivileged user before privilege escalation. Additionally, all network access is


denied, and network parameters are modifi[…] only the minimal set required to meet the base requirements. CLIP modifies the DAC permissions of many important system files, such as log files, configuration files, and run control scripts, to ensure only privileged users may access them. Using the SELinux policy for MAC enforcement, CLIP further limits and confines a user's ability to view and edit security-relevant files.

To track all changes to the system, CLIP enables auditing and adds many audit rules to record a complete history of all security-relevant system actions. This history includes user logins and logouts, changes to DAC permissions and SELinux labels, unauthorized file access attempts, use of privileged commands, and modification of important system files. To ensure a full audit history is always maintained, any critical error of the audit subsystem will cause an immediate shutdown to prevent any possible breach of information.

New packages

To provide the foundation that meets multiple requirement sets, the CLIP project includes updated and new packages as part of its toolkit. These packages augment the base system and provide the developer additional security features.

Authentication

The National Security Systems Instruction (NSSI) […] requirement AC[…] calls for enforced limits for users accessing national security systems and information. These limits include a maximum number of consecutive failed logon attempts to access a network during a set period of time and how long the user has to wait before trying to log on after being locked out.

The current default module used by the Linux authentication system does not support all the required functionality. Furthermore, the module

[…] files and directories to the objects on the system []. A mechanism to accomplish this type of backup did not exist for SELinux based systems. The CLIP project created the extended attribute recovery (xar) utility to satisfy this requirement. The xar utility provides an easy way to backup and restore the security labels of objects on an SELinux system.

Networking

RHEL […] has the ability to label network packets using labeled IPSec or CIPSO. When operating in an environment that does not support labeled networking, it is useful for a system to be able to dynamically label packets based upon a set of rules such as the network the packet was received from or the protocol of the packet. Linux uses the security markings (SECMark) feature to label packets using IPTables firewall rules. This support was not included in RHEL […] but was back ported by the CLIP project to enable developers to change the label applied to a packet at runtime on a system.

Future directions

As the landscape of C&A changes, the CLIP project must change with it. The current trend is to provide a mechanism to verify that your current system matches the certified configuration. This verification is done using the Secure Content Automation Protocol (SCAP) and has been deployed on all federal non-national security systems. Future efforts will extend the CLIP project to provide updates to the SELinux policy and the SCAP content necessary to verify that the system configuration matches the requirements.

One long-term goal of the CLIP project is to create a library that will decrease the development and accreditation time by generating the necessary artifacts from a single source. Such a system would allow developers to list the set of requirements that

they must meet for accreditation, and then have the library generate their system's configuration scripts, generate the documentation that shows the scripts meet the stated requirements, and finally generate the SCAP content that could be used for verification of that configuration. The certifiers would have a repeatable set of artifacts allowing them to efficiently determine if a system had met requirements.

References

[1] Mayer F, MacMillan K, Caplan D. SELinux by example. New Jersey: Prentice Hall; 2006.

[2] Loscocco PA, Smalley SD. Meeting critical security objectives with Security-Enhanced Linux. In: Proceedings of the 2001 Ottawa Linux Symposium; 2001.

[3] Loscocco PA, Smalley SD, Muckelbauer PA, Taylor RC, Turner SJ, Farrell JF. The inevitability of failure: the flawed assumption of security in modern computing environments. In: Proceedings of the 21st National Information Systems Security Conference; October 1998.

[4] Smalley S, Vance C, Salamon W. Implementing SELinux as a Linux security module. Rockville (MD): NAI Labs Technical Report; February 2006.

[5] Wright C, Cowan C, Morris J, Smalley S, Kroah-Hartman G. Linux security modules: general security support for the Linux kernel. In: Proceedings of the 11th USENIX Security Symposium; 2002; San Francisco (CA).

[6] Assurance in the Fluke microkernel. Secure Computing Corporation Technical Report; 1999.

[7] Spencer R, Smalley S, Loscocco P, Hibler M, Andersen D, Lepreau J. The Flask security architecture: system support for diverse security policies. In: Proceedings of the 8th USENIX Security Symposium; August 1999; Washington (DC).

[8] Boebert WE, Kain RY. A practical alternative to hierarchical integrity policies. In: Proceedings of the 8th National Computer Security Conference; August 1999; Gaithersburg (MD).

[9] Badger L, Sterne DF, Sherman DL, Walker KM. A domain and type enforcement UNIX prototype. USENIX Computing Systems. Winter 1996;(1).

[10] Badger L, Sterne DF, Sherman DL, Walker KM, Haghighat SA. Practical domain and type

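The split that the "SELinux as a basis" section describes, with a security server making policy decisions and an enforcement point consulting an access vector cache, can be followed in a toy model. This is an added example, not SELinux or CLIP code: the class names and the allow rules are constructed for illustration, and the MLS level of a context is ignored.

```python
# Added example: toy model of Flask type enforcement with an access vector cache.
from collections import namedtuple

Context = namedtuple("Context", "user role type")


def parse_context(text):
    """Split a "user:role:type" security context label (any MLS level is dropped)."""
    user, role, type_ = text.split(":", 3)[:3]
    return Context(user, role, type_)


class SecurityServer:
    """Policy decision point: owns the policy and knows nothing about callers."""

    def __init__(self, allow_rules):
        self.seqno = 0
        self.computations = 0
        self.load_policy(allow_rules)

    def load_policy(self, allow_rules):
        """Install rules {(source type, target type, class): permissions}."""
        self.rules = {k: frozenset(v) for k, v in allow_rules.items()}
        self.seqno += 1  # lets caches notice that earlier decisions are stale

    def compute_av(self, source_type, target_type, tclass):
        """Return the access vector; whatever is not allowed is denied."""
        self.computations += 1
        return self.rules.get((source_type, target_type, tclass), frozenset())


class AccessVectorCache:
    """Decision cache consulted by the policy enforcement point."""

    def __init__(self, server):
        self.server = server
        self.seqno = server.seqno
        self.entries = {}
        self.denials = []  # stands in for the audit records of denied requests

    def has_perm(self, source, target, tclass, perm):
        if self.seqno != self.server.seqno:  # policy changed: drop cached grants
            self.entries.clear()
            self.seqno = self.server.seqno
        key = (source.type, target.type, tclass)  # only the types decide
        if key not in self.entries:
            self.entries[key] = self.server.compute_av(*key)
        allowed = perm in self.entries[key]
        if not allowed:
            self.denials.append((perm, source, target, tclass))
        return allowed


# Constructed allow rules for the demonstration.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "open"},
}


def demo():
    """Run a few access checks, then reload a policy that revokes one grant."""
    server = SecurityServer(POLICY)
    avc = AccessVectorCache(server)
    web = parse_context("system_u:system_r:httpd_t")
    page = parse_context("system_u:object_r:httpd_sys_content_t")
    page2 = parse_context("staff_u:object_r:httpd_sys_content_t")
    shadow = parse_context("system_u:object_r:shadow_t")
    results = {
        "read_page": avc.has_perm(web, page, "file", "read"),
        "read_page_other_user": avc.has_perm(web, page2, "file", "read"),
        "write_page": avc.has_perm(web, page, "file", "write"),
        "read_shadow": avc.has_perm(web, shadow, "file", "read"),
    }
    results["computations"] = server.computations  # cache misses so far
    server.load_policy({("httpd_t", "httpd_log_t", "file"): {"append", "open"}})
    results["read_page_after_reload"] = avc.has_perm(web, page, "file", "read")
    results["denials"] = len(avc.denials)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

Four checks cost only two policy computations because objects with the same type share one cache entry, and the grant cached before the reload is not honoured afterwards.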

Cryptographic Binding of Metadata

As most people know, metadata is “data about data.” It may include security labels and discovery information, as well as user and environmental attributes. Metadata is intended to be used by human consumers or by autonomous processes such as access control mechanisms in the Global Information Grid (GIG), network-centric content discovery services, or automated information dissemination systems. As decisions are made based on metadata content, the assurance provided for the actual metadata must be considered.

In many scenarios, the assurance provided to metadata and to the relationship between metadata and data is essential. Such scenarios range from simple discovery queries to enabling Assured Information Sharing (AIS) through Cross Domain Solutions (CDS).

What is cryptographic binding?

Cryptographic binding provides assurance to the relationship between data and its associated metadata. A binding also ensures that neither the data nor its associated metadata have been maliciously or accidentally modified without detection. The binding does not ensure that the original data or metadata is accurate or correct prior to the binding. As the name implies, cryptographic binding uses cryptography as a technique to assert a verifiable relationship over data and its associated metadata. The relationship established with a cryptographic binding is claimed valid if the bound data has integrity and the identity of the binder is authenticated.

How does cryptographic binding work?

Data formats, metadata standards, and cryptography are continually evolving within the Department of Defense (DoD) GIG and the Intelligence Community (IC). For example, metadata to fulfill the needs of the IC is still being defined in many areas. With cryptographic binding depending on these evolving data standards and formats, it is important to establish a flexible and modular binding as well as a validation model that meets the community’s needs and can cope with this ever-changing operating environment. The design of cryptographic binding centers on several key assumptions:

• Data and metadata may exist in any discrete format (e.g., XML, HTML, .doc, .xls, .txt, .ppt, .pdf)
• Metadata may exist embedded within data or as a separate file
• Cryptographic binding functions must not modify the data or metadata
• Multiple metadata files may exist for data (e.g., discovery metadata, IA metadata, user and environmental attributes)
• Cryptographic binding functions may exist as embedded applications or distributed services

The cryptographic binding model offers two complementary functions, each with a distinct set of inputs and outputs. First, a binding function, often referred to as the binder, has the sole responsibility of creating cryptographic bindings. The binder accepts the data and metadata files and uses a cryptographic technique to create the binding. The binder produces the asserted relationship as a binding information file (.bif). The validation function, often referred to as simply the validator, accepts the data, metadata, and previously generated .bif files and applies the same cryptographic technique to verify the integrity and authenticity of the relationship. The validator produces a “valid” or “not valid” response indicating the validity of the binding. Figure 1 illustrates this model for creating and validating cryptographic bindings.

Figure 1: Cryptographic binding and validation service models

The .bif satisfies the need to create a binding without modifying the data or metadata files. The .bif contains the minimum data required for a validator to verify the integrity and authenticity of the binding. The fields in the .bif file include, but are not limited to:

• Cryptographic value (e.g., digital signature)
• Cryptographic algorithm identifier
• Data hash value, algorithm, and unique identifier
• Metadata hash value, algorithm, and unique identifier
• Binder identity
• Security markings
• Binding method identifier

Cryptographic binding builds upon underlying cryptographic techniques, such as digital signatures, to provide additional services and information. First, although the identity of the binder can be authenticated, the identity of the entity originally claiming that the bound files are indeed related must be captured for traceability and auditing. Second, a cryptographic binding can be thought of as the focal point of data aggregation, possibly bringing an increase of the security level to the binding. For example, imagine a scenario in which a data file contains a list of names and a metadata file contains a corresponding list of departments. Separately, these items are unclassified. However, once the items are cryptographically bound, creating a verifiable relationship, the security level of the information could be increased due to the data aggregation.

This modular architecture separates the functionality from the underlying cryptographic mechanism that provides the integrity and authenticity. Multiple interchangeable binding methods are defined that enable the use of asymmetric cryptography (e.g., digital signatures), symmetric cryptography, and authenticated shared secrets (e.g., secure hashes). Providing these general binding methods enables cryptographic binding to seamlessly incorporate new cryptographic algorithms and techniques.

Figure 2: Conceptual view of cryptographic binding

Proving cryptographic binding concepts

Two cryptographic binding prototypes developed by the Net-Centric Security Technologies Division implement the cryptographic binding model and system architecture. These prototypes made use of existing technologies and services to demonstrate the cryptographic binding capability as a system integrated application and an enterprise service. The following are details of each prototype:

Cryptographic binding using XML digital signatures

• Applies to local and distributed architectures
• Implements XML and XML digital signatures (DSIG)
• Uses web services and message transmission optimization mechanism (MTOM)
• Supports RSA […]-bit encryption and Secure Hash Algorithm (SHA […])
• Developed using Java […]
• Produces a .bif six kilobytes in size

Cryptographic binding using Abstract Syntax Notation 1 (ASN.1) and Cryptographic Message Syntax (CMS)—preferred method

• Applies to local and distributed architectures
• Implements ASN.1 and CMS (studies show ASN.1 is faster to decode than XML)
• Implements elliptic curve cryptography (ECC) offering more bits of security using smaller key size and faster algorithmic processing
• Supports RSA […] and […]-bit encryption

24 Cryptographic Binding of Metadata FEATURE

‡ 6XSSRUWV HOOLSWLF FXUYH GLJLWDO VLJ- tory. Once the binding service generates ence implementation and standards pro- QDWXUH DOJRULWKP (&'6$ XVLQJ the .bif, the service will store the .bif in ¿OH IRU KDQGRII WR LPSOHPHQWHUV &U\SWR-  DQG ELW SULPH PRGXOL a storage repository. Future repositories graphic binding concepts and techniques VXSSRUWLQJ 6XLWH % &U\SWRJUDSK\ may exist for each element—one for data, need to be expanded and further proven RQH IRU PHWDGDWD DQG RQH IRU ELI ¿OHV²RU to address evolving GIG net-centric en- ‡ 'HYHORSHG XVLQJ & RIIHULQJ in combination. vironment needs including methods for more control over memory allot- A validation requestor (shown high assurance bindings and envisioned PHQW WKDQ -DYD DOORZLQJ IRU WKH security domains. binding and validation of larger LQ )LJXUH  PD\ EH DQ DFFHVV FRQWURO mechanism or cross domain solution that ¿OHV is required to make a decision based on ‡ 3URGXFHV D ELI  E\WHV LQ VL]H the contents of the data and metadata. The D  UHGXFWLRQ IURP RULJLQDO validation requestor submits a request to ;0/ '6,* ELI the validation service to verify the in- tegrity and authenticity of the binding. ‡ 2IIHUV DGGLWLRQDO IXQFWLRQDOLW\ LQ Enterprise services will authenticate the QHZ $61 ELI validation requestor. Once authenticated, - 7KH ;0/'6,* FU\SWRJUDSKLF ELQG the request will be submitted to the vali- ing prototype was successfully integrated dation service. The validation service will into several pilot, test, and experiment en- use retrieval services to gather the data, vironments. Community feedback drove PHWDGDWD DQG ELI YHULI\ WKDW WKH ¿OHV WKH GHYHORSPHQW RI WKH $61 DQG &06 have not been maliciously or accidentally prototype to improve performance, size, PRGL¿HG DQG UHWXUQ WKH UHVXOWV LH YDOLG and strength while maintaining core func- or invalid) to the requestor. 
Depending WLRQDOLW\ 7KHUHIRUH &06 ZRXOG SHUIRUP on the implementation environment, the better where the bandwidth is limited and binding and validation services could be the end unit has minimum processing re- deployed locally with all authentication source. and authorization checks occurring with- Cryptographic binding in a single community of interest (COI). in future net-centric Future direction environments Cryptographic binding is an en- In the DoD’s prospective net-centric abling technology for systems that must GIG, policies will be established through- rely on the integrity of data and metadata out the enterprise granting authentica- to make critical mission decisions includ- tion and access to resources. As shown in ing information dissemination and access )LJXUH  FU\SWRJUDSKLF ELQGLQJ ZLOO EH control. The immediate goal is to make initiated by a binding requestor—man or this capability operational by coordinat- machine. In some instances the binding LQJ ZLWK WKH NH\ ¿JXUHV LQ YDULRXV SL- requestor may be the author of the data or lots, experiments, and test environments PHWDGDWD 5HTXHVWRUV ZLOO EH DXWKRUL]HG within DoD, IC, allied/coalition, national, by access control or policy enforcement and international programs. These exer- services. A request is sent by the requestor cises will provide valuable feedback to to the binding service to create a .bif over improve this technology while allowing WKH VSHFL¿HG GDWD DQG PHWDGDWD ¿OH V  the capability to be used in controlled op- The binding service utilizes enterprise erational settings. In the near term, there services to authenticate and authorize are plans to conduct a security assessment the request. Next, the binder will use an RI WKH $61&06 FU\SWRJUDSKLF ELQGLQJ enterprise retrieval service to gather the proof of concept. The next steps are to data and metadata from a storage reposi- complete a full, security-assessed refer-
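The binding and validation flow described in this article, as an added Python example; it is not the NSA prototypes' code and does not reproduce their .bif format. It assumes the shared-secret binding method (HMAC-SHA-256 from the standard library) rather than the prototypes' digital signatures, and the JSON record layout, field names, key, and sample files are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Interchangeable binding methods; only a shared-secret method is shown (assumed name).
METHODS = {"hmac-sha256": hashlib.sha256}

def _digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def _canonical(body: dict) -> bytes:
    # Deterministic encoding so binder and validator MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def create_binding(data, metadata, originator, binder, key, method="hmac-sha256"):
    """Binding service: return a record standing in for a .bif (hypothetical layout)."""
    body = {
        "method": method,
        "originator": originator,  # entity claiming the files are related
        "binder": binder,          # entity that performed the binding
        "data_sha256": _digest(data),
        "metadata_sha256": _digest(metadata),
    }
    tag = hmac.new(key, _canonical(body), METHODS[method]).hexdigest()
    return {"body": body, "tag": tag}

def validate_binding(bif, data, metadata, key):
    """Validation service: return 'valid' or 'invalid'."""
    body = bif.get("body")
    if not isinstance(body, dict):
        return "invalid"
    hash_fn = METHODS.get(body.get("method"))
    if hash_fn is None:
        return "invalid"  # unknown method: fail closed
    expected = hmac.new(key, _canonical(body), hash_fn).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(bif.get("tag")).encode()):
        return "invalid"  # record altered, or produced under a different key
    if body.get("data_sha256") != _digest(data):
        return "invalid"  # data file changed after binding
    if body.get("metadata_sha256") != _digest(metadata):
        return "invalid"  # metadata file changed or swapped after binding
    return "valid"

# Constructed sample inputs, mirroring the article's names/departments scenario.
KEY = b"constructed-demo-key"
DATA = b"Alice\nBob\n"
META = b"Department A\nDepartment B\n"
BIF = create_binding(DATA, META, "author@example.test", "binding-service", KEY)
print(validate_binding(BIF, DATA, META, KEY), validate_binding(BIF, DATA, b"Department Z\n", KEY))
```

Because the originator and binder identities sit inside the authenticated body, changing either one invalidates the record in the same way as changing a file.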


FOCUS

The libre years

[…] late […]s, after IBM unbundled its software for marketing flexibility, code was assumed to be libre—free for modification and redistribution. Government-sponsored research continued to supply libre software long after proprietary products became the norm. The Advanced Research Projects Agency Network (ARPANET) relied on a strategy of offering libre software to foster global participation in the […]s. This strategy eventually gave birth to the Internet, and it continues to fuel countless research efforts.

In […], GNU began supplying users with a free and open version of Unix-like software. The GNU organization promoted the freedom to copy

[…]’s second largest independent open source company, trailing only Red Hat for top honors. Because many open source database products are available at little or no cost, market share is more accurately measured by the number of installations instead of the amount of revenue generated. By this standard, […] percent of the enterprises polled by Gartner Group in […] reported that they had deployed MySQL, compared with […] percent and […] percent deployments of SQL Server and Oracle, respectively. And MySQL was gaining market share at a […] percent annual rate.

New to the open source database arena is a hybrid system unveiled in August […] by computer scientists at

Netbook computers - subnotebook-size portables - have contributed significantly to the adoption of OSS. These low-end computers were designed to be affordable platforms for Internet browsing, Web 2.0 social interaction, and simple tasks like word processing or viewing photos.

Netbooks were thrust into the spotlight by the One Laptop Per Child (OLPC) project. To achieve its goal of providing affordable laptops for children everywhere, the OLPC foundation loaded its XO laptop with open source software for both the operating system and user software.

The 2007 launch of the XO prompted the introduction of several other computer brands that targeted the information technology needs of emerging markets. In addition to gaining a foothold in developing countries, the new netbook class of computers managed to establish a niche in mature markets. The netbook's low price made it a popular choice for entry-level computing, and OSS helped keep the cost down. Early on, nearly 90 percent of netbook computers ran on Linux products, but Microsoft rapidly overwhelmed the netbook market. The company reported boosting its share of netbooks in the US running on Windows from less than 10 percent in the first half of 2008 to 96 percent by February 2009.

Netbook computers bridge the world of computers with a growing market of handheld products, another seemingly ideal environment for OSS. Consumer demand for smaller and smaller hardware has led to the rise in popularity of limited-function devices. The proliferation of mobile gadgets - Kindles, BlackBerries, TomToms, Droids - and the apps to customize their performance has given OSS a boost that could lead to changing how software is developed in the future.

Open source operating systems typically integrate well with web-based services like Gmail, OpenOffice, and YouTube. As more and more services are being hosted online, the limitations of a lightweight open source operating system become irrelevant. Designers might justifiably ask, "Why add processing power to load native applications when all you need is a web browser that can pull more robust services from the cloud?"

Web applications running inside browsers and networked applications (netapps) have increasingly replaced the operating system as the dominant platform for building products and services. As long as web content is viewable with a common browser or netapp, consumers are generally indifferent to what operating system or software tool was used to create it. Users don't even need a computer to access Web 2.0 services. Any device that connects to the Internet - a cell phone, camera, GPS, music player, or even a digital photo frame - will suffice.

People around the globe are probably most familiar with open source software through the Internet. On July 31, 2009, Mozilla's Firefox logged its one-billionth download, less than five years after the open source browser was launched. Over 300 million users now surf the web using Firefox. Although Firefox still trails Microsoft Internet Explorer (IE) for web searches, its loyal and growing user base accounts for 31 percent of the Internet browser market. Mozilla's Asa Dotzler points out that if current trends continue, Firefox will overtake IE as early as January 2013.

Despite the anticipated growth of OSS, it is important to keep its adoption in perspective. While Microsoft's overall market share may be shrinking, most consumers and businesses still rely on Microsoft products - 88 percent of computers in use today run a Microsoft developed operating system, while only one percent run an open source Linux product.

How secure is open source software?

The debate about the relative quality of open-source software over proprietary software has kept bloggers arguing for years. A five-year study by The Standish Group that was released in 2008 found that 70 percent of companies surveyed felt Red Hat Linux was less vulnerable to security attacks than Windows. But some contrarians propose that this perception is due to hackers mainly targeting Windows code, rather than fewer vulnerabilities in Linux. In a security review of open source products, Fortify Security Research Group determined most OSS lacks adequate documentation or even a secure development process. Security best practices were found to be a low priority for OSS developers, resulting in software plagued by numerous application vulnerabilities. A study conducted by computer security firm Secunia concluded the number of security bugs in […] exceeded the number of bugs in comparable Microsoft products. Many of the vulnerabilities in Red Hat were introduced through third-party components. The same study determined Firefox had considerably more security


bugs than Microsoft's Internet Explorer.

Open-source products still earn high marks for their quality. Software analysts at Coverity have been counting bugs in open source software for the Department of Homeland Security. Their findings in 2008 concluded code in 180 widely used open source software projects averaged 0.25 defects per 1,000 lines of code (KLOC) - one error for every 4,000 lines of code. This represents a 25 percent improvement over 2006 tests. One product had improved to the point that Coverity's test uncovered no defects at all. By comparison, Open Source Initiative president Michael Tiemann says proprietary software has consistently averaged 20 to 30 KLOC since the 1960s.

The future of open source

The world relies heavily on software from the United States, but some countries are looking to domestically produced open source solutions as a viable alternative. China has long been a global advocate for open source software. Many leading brands of computers in China are sold without an operating system preinstalled, giving consumers the option to add open source software. The high cost of proprietary software has fueled software piracy there, putting the country at odds with the global community. China's adoption of OSS is partly in response to software piracy, but open source products such as home-grown Red Flag Linux are also getting a boost as an expression of national pride.

Europe, like China, has also strongly embraced OSS. European-coded […] is a user-friendly version of Linux that is gaining market share globally, with Europe providing much of the operating system's support. As of summer 2008, Linux-based products were pre-installed on three percent of new computers in the UK.

The move to OSS can be seen globally through its adoption by various government agencies. In Southeast Asia, for example, the government of Vietnam issued a directive in early 2009 to convert all government servers, networks, and desktop applications to open source. As a hub for IT outsourcing, Vietnam views moving to OSS as a way to develop a local software industry.

Industry leaders worldwide are conceding a growing need to support the OSS community, as well. Intel recently developed Moblin, a Linux-based operating system (OS) designed for the company's Atom x86 chip, to optimize Internet and multimedia performance. The Atom chip is already found in many netbooks, and the anticipated proliferation of mobile Internet devices, or MIDs, should greatly expand its market penetration. Intel turned Moblin over to the Linux Foundation in April 2009. The Moblin.org group has recently rolled out the first beta of Moblin v2.0, which it expects to become the standard software development kit (SDK) for MIDs.

Google has also ventured into the open source domain as the company tries to gain a foothold in the software industry. Linux-based Chrome OS, set for release in late 2010, is designed primarily as a secure platform for Google's recently released Chrome browser. Building on the successful launch of Android, its open source OS and SDK for mobile devices, Google Chrome OS is targeted directly at the Microsoft juggernaut.

Even Microsoft supports a strategy to win over the OSS community in hopes of getting OSS vendors to port their software to Windows. Microsoft's Open Source Software Lab is working to integrate OSS with Microsoft Office, SQL Server database, and other Microsoft products. For customers who want to continue using Linux, Microsoft will offer Hyper-V, its forthcoming virtualization hypervisor.

For most consumers software is judged by what it can do rather than how it works. Such pragmatism will make it harder for closed-source software to compete with OSS solutions in the future. As the personal computer gives way to the mobile handset and services move to the cloud, open source software - whether it is used for the operating system, the web browser, or netapps - stands to gain market share and user acceptance.

[Figure: Open Source Internet browsers are gaining ground on Microsoft's IE. Series shown: Other, Firefox, IE, Netscape. Credit: Asa Dotzler (Data from Net Applications)]
