When it comes to operating systems, its a matter of trust—or mistrust, as the case may be.
Its often suggested that Microsoft Corp.s security woes stem in part from the companys tardiness in updating the security assumptions it had developed when solitary, disconnected desktop PCs had little reason to fear network-borne attacks.
However, the problem of operating systems that are too trusting for anyones good in todays wide-open, tightly connected environment extends beyond Microsoft—although Unix and Linux systems derive certain security benefits from their networked, multiuser roots, these systems are also much more permissive than they should be.
Perimeter-focused security elements such as firewalls play an important role in securing an enterprise infrastructure, but with many services, such as Web servers, its necessary for companies to expose portions of their infrastructure to the Internet.
Enter the trusted operating system, which can make an enterprise infrastructure significantly more secure by bringing servers an access control scheme thats more fine-grained than the DAC (discretionary access control) of most operating systems.
Trusted operating systems provide for and enforce mandatory access control policies, which limit user and application privileges to the minimum required to do whatever job needs to be done. With the DAC schemes of most operating systems, in contrast, a process has access to everything available to the user who launched it.
Many applications, including potentially vulnerable Internet-facing services, require superuser privileges to do things such as bind to low-numbered ports. This means that a compromised name server or Web server can give potential attackers the keys to all the data and processes on a breached machine. By limiting processes to the resources they require, trusted operating systems let companies limit the damage that a compromise can cause.
Trusted-operating-system products arent new, and there is a variety of options available. These include Sun Microsystems Inc.s Trusted Solaris and the National Security Agency-developed Security-Enhanced Linux, as well as PitBull LX from Argus Systems Group, a division of Innovative Security Systems Inc.
However, since the early 1980s, when trusted operating systems began to be used in government and security-sensitive private deployments, these products have typically occupied a niche position. This is because of how the systems have been marketed and, as with other computing systems, because security is inversely related to convenience—trusted operating systems typically are trickier to configure and work with than are their more trusting counterparts.
But with increasing attention being paid to security on both the vendor and consumer sides of the enterprise IT market, trusted-operating-system features are beginning to make their way into mainstream operating systems.
Sun, for example, has announced that Solaris 10, due early next year, will leverage some of the process rights management functionality present in the companys Trusted Solaris, which limits privileges for users and tasks.
In addition, Microsoft has launched a major project called NGSCB (Next Generation Secure Computing Base) for improving the security of “Longhorn,” the next major Windows revision. NGSCB is designed to tighten the control that users and administrators have over their systems. However, responding to developer and user pushback, Microsoft is re-evaluating what role NGSCB will play in Longhorn when that operating system ships. (Longhorn is expected to ship sometime in 2006.)
Linux serves as a base platform for trusted-operating-system products such as PitBull LX and Immunix Inc.s Secured OS, and SELinux provides a common option for bringing trusted-operating-system features to various Linux distributions.
Red Hat Inc. officials have said that SELinux will be included in Red Hat Enterprise Linux 4, which is expected to ship in the first quarter of next year. SELinux also integrates well with the Debian and Gentoo distributions of Linux.
Senior Analyst Jason Brooks can be reached at [email protected]