WASHINGTON -- Super-secure additions to the Linux operating system are inching closer to the mainstream.
Developers have turned Security-Enhanced Linux (SELinux), a prototype created in part by the National Security Agency, into a module that operates almost seamlessly on the Linux operating system.
"Even though SELinux wasn't intended as a complete secure system, we knew that as released it could make a substantial impact to the security of systems that incorporated it," says Grant Wagner, technical director for NSA's Secure Systems Research Office.
It might seem a little unusual for the NSA to be working hand-in-hand with free-software aficionados. After all, this is the agency depicted as a clutch of inveterate snoops in the movie Enemy of the State, not to mention a top contender for the highest number of "Big Brother" awards.
But to the NSA, there's no disconnect. In addition to codebreaking, the NSA is responsible for keeping the U.S. government's secrets secure -- in other words, codemaking.
In the finest military-ese, that task is handled by the NSA Information Assurance Directorate, which also works on such mundane tasks as sounding an unclassified warning in April about macro viruses, e-mail worms and other problems infesting Microsoft applications.
When the NSA announced SELinux last year, its goal was to show it was possible to bolster a mainstream operating system with extra security features like "mandatory access controls."
Such controls verify information that the user generally cannot control, such as an IP address. Most operating systems use the more conventional "discretionary access controls" method, which validates only credentials supplied at the discretion of the user -- such as the typical user name and password.
Translation: It becomes more difficult to impersonate someone.
NSA's Wagner says that SELinux's adoption rate "has exceeded our original expectations. This release has also caused developers of non-Linux systems to consider incorporating similar controls based upon our earlier prototypes."
The decision to make SELinux into an add-on for Linux was motivated by the Linux Security Modules Project. This project attempted to invent a general way to add security modules.
"We have had reports of successful deployments in both the public and private sectors," Wagner said. "These reports indicate that SELinux is very effective and has countered actual attacks mounted against systems."
Wagner refused to answer questions about specific government agencies that were using SELinux.
Much of the work on SELinux is being done by volunteer programmers, such as those on the SELinux mailing list, a small but growing community of enthusiasts.
Mark Westerman, a senior consultant at Westcam and a member of the list, said his company uses SELinux for work it does for NASA through a contract with Lockheed Martin.
"I use SELinux primarily for its security aspects. SELinux gave us proper security to thwart hackers," Westerman said. "The major advantage is mandatory access control. As a platform, specifically for Internet services, I see it will be used for Web servers and DNS servers. You're not as worried about the latest vulnerability."