Trustifier™ over SE Linux—Technical Case

snottysurfsideServers

Dec 9, 2013


GOOGGUN COMPARATIVES

Why Trustifier Over SE Linux



This document discusses the business and technological advantages of GOOGGUN's Trustifier™ over NSA SE Linux as an access control, auditing and privilege management system for Linux environments.

Securing an operating environment from internal threats is complex; this does not mean, however, that the security solution ought to be difficult for end users to use.

Trustifier over SE Linux: Technical Case

SE Linux is an implementation of labeled security as defined by the Orange Book B1 class. B1 labeled security, by its own admission and by what the NSA itself declares about SE Linux, is not enough to meet corporate needs.

Implicit Object Labeling over Explicit Object Labeling

SE Linux's explicit labeling: The B1 labeled security specification does not outline the nature of the labeling implementation. SE Linux relies on a generic explicit (manual) labeling implementation; that is to say, the onus of actually labeling objects, processes, users, devices, files and data lands squarely on the shoulders of the security administrator, with little or no programmatic or automation help. While this is acceptable in tightly controlled defense environments, or for experimental or research systems with few users, it is impractical for any production system running business applications, because a typical business information system can have several tens of users (both real users and pseudo-users need security policies), several input and output paths (devices, network accesses etc.), thousands of programs and hundreds of thousands of files. Explicitly labeling all these objects is daunting in itself; the technical quality assurance and auditing of those labels is practically impossible.

Trustifier's implicit (automatic) labeling algorithm: Trustifier achieves labeled security by employing labeling algorithms that automatically label all objects to the lowest access security needed by them to do their work, giving all of the protection of labeled security with a maintenance load that is two orders of magnitude (a hundred times) less than that needed to properly maintain SE Linux with the same level of care and quality.

System, Security and Administration Auditing

SE Linux lacks secure auditing functionality. A security system without traceability is like a boat without a rudder: going nowhere fast.

Trustifier has an extensive and extensible audit system that provides verified auditing of all operations, accesses, permissions, grants and attempted security breaches.

CPU, RAM and Computer Resource impact

SE Linux's security engine is five times larger in source code size (>25,000 lines of code) than Trustifier (<5,000 lines). The memory footprint of the SE Linux policies on RedHat Fedora 3 and RedHat ES, out of the box, is 7 MB for the 290,000 rules in the default rule set. Roughly eight to ten percent (23,000 to 29,000) of the rules are checked for violation for each process on the system. There are no algorithmic guarantees of how much time a rule check may take, because a good chunk of the rules are bound to extended parameters stored on file systems.

Unlike SE Linux, Trustifier is not an ad-hoc system. It is a carefully crafted security engine that uses smart optimization techniques. For instance, on the Intel platform the access lookup is an O(1) algorithm that uses exactly 48 CPU instructions, and the control code uses exactly 237 CPU instructions when working in full control mode. File system access is only performed when enforcing rules on or about file objects.
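As an added illustration of the point above (this is not Trustifier's or SE Linux's code), the following Python sketch contrasts scanning a rule list on every access decision with compiling the rules once into a dense table indexed by subject label, object label and object class, so that each decision costs a fixed handful of operations however many rules the policy holds. The labels, classes, permission bits and rules are constructed for the example.

```python
"""Illustrative example (added here; not Trustifier's or SE Linux's code):
compile an access-control rule list into a dense table so that each
access decision costs a fixed number of operations, independent of how
many rules the policy holds.  Labels, classes and rules are constructed
sample data, not any real policy."""

from itertools import product

# Permission bits (assumed for the example).
READ, WRITE, EXEC = 1, 2, 4

# Constructed label and class spaces; the integers index the dense table.
LABELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLASSES = {"file": 0, "socket": 1, "process": 2}

# Constructed rule list: (subject label, object label, class, permissions).
# "*" is a wildcard.  A rule-scanning engine must test every rule in turn.
RULES = [
    ("*", "public", "file", READ),
    ("internal", "internal", "file", READ | WRITE),
    ("confidential", "*", "file", READ),
    ("secret", "secret", "file", READ | WRITE | EXEC),
    ("internal", "*", "socket", READ | WRITE),
    ("*", "*", "process", EXEC),
]


def scan_rules(rules, subject, obj, cls):
    """Linear scan: cost grows with the rule count.

    Returns (permission bits, number of rules examined)."""
    perms, checked = 0, 0
    for s, o, c, p in rules:
        checked += 1
        if s in ("*", subject) and o in ("*", obj) and c in ("*", cls):
            perms |= p
    return perms, checked


def compile_table(rules):
    """One-time compilation: expand wildcards into a dense [subj][obj][cls] table."""
    n_l, n_c = len(LABELS), len(CLASSES)
    table = [[[0] * n_c for _ in range(n_l)] for _ in range(n_l)]
    for s, o, c, p in rules:
        subs = list(LABELS.values()) if s == "*" else [LABELS[s]]
        objs = list(LABELS.values()) if o == "*" else [LABELS[o]]
        clss = list(CLASSES.values()) if c == "*" else [CLASSES[c]]
        for si, oi, ci in product(subs, objs, clss):
            table[si][oi][ci] |= p
    return table


def lookup(table, subject, obj, cls):
    """O(1) decision: three index operations, whatever the policy size."""
    return table[LABELS[subject]][LABELS[obj]][CLASSES[cls]]


def permitted(table, subject, obj, cls, want):
    """Deny by default: every requested permission bit must be present."""
    return lookup(table, subject, obj, cls) & want == want


def cross_check(rules=RULES):
    """Confirm the compiled table agrees with the rule scan for every triple."""
    table = compile_table(rules)
    for s, o, c in product(LABELS, LABELS, CLASSES):
        if lookup(table, s, o, c) != scan_rules(rules, s, o, c)[0]:
            return False
    return True


if __name__ == "__main__":
    t = compile_table(RULES)
    print("internal->internal file RW:", permitted(t, "internal", "internal", "file", READ | WRITE))
    print("public->internal file R  :", permitted(t, "public", "internal", "file", READ))
    print("rules examined by the scan:", scan_rules(RULES, "public", "secret", "process")[1])
    print("table matches scan:", cross_check())
```

The compile step pays the wildcard expansion once; the table then costs memory proportional to labels squared times classes, and must be rebuilt whenever the policy changes. That is the trade a constant-time decision path makes: memory and a compilation step in exchange for a decision cost that does not depend on how many rules the policy carries.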

User-land dependencies

SE Linux requires the user to install special file systems that support extended file attributes, special versions of system libraries, and heavily modified system services and programs.

Trustifier is completely user-land independent and is therefore able to work with any settings, programs and software on the system.

Trustifier Business Case

SE Linux lacks auditing: The lack of formal auditing components in SE Linux makes it impractical for business use.


Figure: System usability, the percentage of a system that remains usable versus locked by the security system, as read from the chart:

  Product            Locked   Usable
  SE Linux (min)      20%      80%
  SE Linux (max)      40%      60%
  Trustifier (min)     2%      98%
  Trustifier (max)     5%      95%

Trustifier has formal auditing: Trustifier's formal auditing capability, including the ability to create kernel-signed audit trails, gives a large, tamper-proof audit system.
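As an added illustration of what a tamper-evident audit trail involves (this is not Trustifier's implementation), the Python sketch below chains each audit record to its predecessor with a keyed HMAC, so that editing, deleting or reordering a record breaks verification. The signing key is assumed to be held where user-land code cannot read it, standing in for the kernel-held key the text refers to; the events are constructed samples.

```python
"""Illustrative example (added here; not Trustifier's audit code): an
append-only audit trail in which every record carries an HMAC over its
own fields and the previous record's tag.  Editing, deleting or
reordering a record breaks the chain.  The key stands in for one held
only by the kernel (an assumption of this sketch); the events are
constructed sample data."""

import copy
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # chain anchor for the first record


def _tag(key: bytes, seq: int, event: dict, prev_tag: str) -> str:
    # Canonical JSON so the same record always yields the same bytes.
    body = json.dumps({"seq": seq, "event": event, "prev": prev_tag},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditTrail:
    """Records are appended with a chained keyed tag; verify() walks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # each: {"seq", "event", "prev", "tag"}

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS_TAG
        seq = len(self.records)
        rec = {"seq": seq, "event": event, "prev": prev,
               "tag": _tag(self._key, seq, event, prev)}
        self.records.append(rec)
        return rec


def verify(key: bytes, records: list, last_tag: str = None) -> tuple:
    """Return (ok, index of the first bad record, or None).

    Checks sequence numbers, the previous-tag link and the keyed tag of each
    record.  Truncation from the end is only caught when the expected final
    tag (published out of band) is supplied as last_tag."""
    prev = GENESIS_TAG
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        expected = _tag(key, rec["seq"], rec["event"], rec["prev"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if last_tag is not None and prev != last_tag:
        return False, len(records)
    return True, None


def demo() -> dict:
    """Build a trail from constructed events and show which tampering is caught."""
    key = b"kernel-held-signing-key"  # assumption: never readable from user land
    trail = AuditTrail(key)
    trail.append({"op": "open", "subject": "uid:1001", "object": "/etc/shadow", "result": "deny"})
    trail.append({"op": "grant", "subject": "admin", "perm": "read", "object": "/var/log"})
    trail.append({"op": "exec", "subject": "uid:1001", "object": "/usr/bin/su", "result": "deny"})
    final_tag = trail.records[-1]["tag"]

    edited = copy.deepcopy(trail.records)
    edited[0]["event"]["result"] = "allow"          # rewrite a recorded denial
    deleted = trail.records[:1] + trail.records[2:]  # drop the middle record
    truncated = trail.records[:2]                    # drop the newest record

    return {
        "intact": verify(key, trail.records),
        "edited": verify(key, edited),
        "deleted": verify(key, deleted),
        "truncated_unanchored": verify(key, truncated),
        "truncated_anchored": verify(key, truncated, last_tag=final_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Note the one case the chain alone cannot catch: dropping records from the end of the trail leaves a perfectly valid shorter chain. That is why verify accepts the last tag published out of band (to a remote collector, a printer or a write-once store), and why any kernel-signed trail still needs that external anchor to be tamper-proof against truncation as well as modification.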



SE Linux carries an incalculable cost of ownership: SE Linux relies on too many components working in tandem, and its total impact on a server (let alone the whole network) cannot be determined. Even assuming that the impact remains at its lowest (20%) of a system's computing resources, a system that costs $100,000 per year to maintain is using up $20,000 to maintain just the security system. Since the total resource impact is really difficult to determine, the cost of maintenance may be as high as $40,000 for such a system. This is unacceptable TCO.

Trustifier gives more security with a feasible cost of ownership: Thanks to the effort GOOGGUN has spent optimizing and reducing the code to a predictable algorithm, the percentage cost of maintaining Trustifier on a system hardly varies. Moreover, Trustifier's impact is an order of magnitude lower than that of SE Linux, which decreases the total cost of ownership of Trustifier ten-fold. For a system that costs $100,000/year to maintain, Trustifier only nibbles at one to two thousand dollars, just on the basis of its optimized design. The auditing functions give added information about what specifically to control and can potentially lower the Trustifier impact further, which in turn would further lower the TCO.


SE Linux causes unacceptable strain on corporate resources: Due to its complexity and steep learning curve, SE Linux is no child's play to maintain, and it requires higher education of the security operators and administrators. Admittedly, that would be feasible by itself; however, the expenditure doesn't stop there: because SE Linux requires explicit interaction with users and other system software, the general users of the system have to be trained, supported and kept up to date. This is an enormous, unnecessary and, to an extent, unpleasant burden on corporate wealth, resources and culture.


Trustifier helps alleviate stress on corporate resources: By virtue of being as unobtrusive as possible, Trustifier not only helps enforce security policies with relative ease, it delivers real return on investment by lowering the cost of overall system maintenance. Using its ability to isolate rogue and faulty components, Trustifier keeps the rest of the environment chugging along without modification, thus eliminating the need for ad-hoc maintenance operations, which lowers the total cost of ownership. Smooth-running and non-obtrusive security operations lead to more effective use of corporate resources, turning expense into investment.