Security Design Principles
Matt Bishop’s text Computer Security: Art and Science is an excellent introduction to the field of computer security. Chapter 13 covers the computer security design principles originally laid out in a 1975 paper by Saltzer and Schroeder, "The Protection of Information in Computer Systems". This is the foundational lore of computer security. The design principles are:
- Principle of Least Privilege – the best known security principle: allow the user to do what she needs to do and nothing more. The trick is knowing a priori what the user needs to do and expressing it concisely.
- Principle of Fail-Safe Defaults – if it is not explicitly allowed, deny it.
- Principle of Economy of Mechanism – security should be as simple as possible and no simpler.
- Principle of Complete Mediation – all security decisions (object accesses) should be checked.
- Principle of Open Design – security cannot rely on obscurity.
- Principle of Separation of Privilege – This principle is defined as “a system should not grant permission based on a single condition.”
- Principle of Least Common Mechanism – This principle is defined as “mechanisms used to access resources should not be shared”. Bishop additionally says, “This principle is restrictive because it limits sharing.”
- Principle of Psychological Acceptability – This principle is defined as “security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.”
SELinux’s main strength and the source of its weakness is in its elevation of the Principle of Complete Mediation above all other principles. The requirement for complete mediation and, more importantly, the requirement that the complete set of in-kernel access control decisions be exported and controlled by policy is the source of the great complexity of the policy language and the extremely high level of knowledge needed to write SELinux policy.
Least Privilege is almost impossible to express succinctly for any system of any complexity. The original strict policy tried to define Least Privilege for a default Linux system and was the source of much frustration, because users don’t do what you expect them to do and user space programs have not been written with least privilege in mind. The targeted policy focused on a subset of programs on a typical system and didn’t attempt to get to least privilege. Still, common actions were denied by the policy. The policy has continued to improve, but on a default install the user will still be presented with inexplicable AVC deny errors for things that standard cron jobs are doing in the background.
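As an added illustration (not code from the original post), here is a toy reference monitor in the shape of SELinux type-enforcement allow rules: it parses a few constructed rules, checks every access against them with a fail-safe default, and shows how a legitimate cron job hits a denial the moment it does something the policy author did not anticipate. The rule syntax is a simplified subset of the real language and the denial message format is abbreviated; both are assumptions of the example.

```python
import re

# Constructed toy policy in the shape of SELinux allow rules. Assumption:
# a tiny subset of the real policy language with made-up rules, not the
# reference policy.
POLICY = """
allow crond_t user_home_t:file { read getattr };
allow crond_t tmp_t:file { read write create };
allow httpd_t httpd_content_t:file { read getattr };
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([\w\s]+)\}\s*;")


def parse_policy(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


class ReferenceMonitor:
    """Complete mediation: every access goes through check().
    Fail-safe default: no matching allow rule means deny."""

    def __init__(self, rules):
        self.rules = rules
        self.audit = []  # simplified AVC-style denial messages

    def check(self, scontext, tcontext, tclass, perms):
        allowed = self.rules.get((scontext, tcontext, tclass), set())
        denied = sorted(set(perms) - allowed)
        if denied:
            self.audit.append(
                f"avc: denied {{ {' '.join(denied)} }} "
                f"scontext={scontext} tcontext={tcontext} tclass={tclass}")
            return False
        return True


def cron_job_demo():
    """A cron job reads a user's file (allowed), then tries to write a log
    next to it. Nobody put that in the policy, so the legitimate write is
    denied: the 'inexplicable' AVC denial a user sees after install."""
    monitor = ReferenceMonitor(parse_policy(POLICY))
    read_ok = monitor.check("crond_t", "user_home_t", "file", ["read", "getattr"])
    write_ok = monitor.check("crond_t", "user_home_t", "file", ["write"])
    return read_ok, write_ok, monitor.audit
```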
The real problem that SELinux faces is that the Principle of Psychological Acceptability was almost completely ignored during the design of the system. Or maybe it wasn’t ignored; the designers just didn’t consider the psychological acceptability level of the “typical” Linux user to be different from that of the “typical” NSA employee. Who knows? Almost every criticism that you read about SELinux is based on its lack of adherence to this principle.
Almost all attacks on LSM and alternative security modules are based on the fact that many of them fulfill the Principle of Psychological Acceptability (they are easy to use and unobtrusive), but they fall short on one of the other principles, typically the Principle of Complete Mediation and the Principle of Economy of Mechanism (they are simpler than is needed to provide true security). Most of the other modules are designed to address tactical issues, to add another layer to the defense in depth so that attackers go off and pester someone else who is easier to attack. For the NSA and other organizations who require SELinux, there is no one else their attackers are going to go pester. Their attackers are going after the NSA for a reason. The gulf between the requirements of the NSA and those of the typical user is exactly why there is such vitriol in the debate between SELinux and AppArmor and every other LSM. For the NSA, there really is no alternative.
The SELinux community is making strides towards making SELinux easier to use – setroubleshootd is a great start. But ordinary people, when faced with even the simplified messages supplied by setroubleshootd, will apply the Principle of Psychological Acceptability and just turn SELinux off. It would be nice if, even when they choose incomplete mediation over complete mediation, they were not deprived of the additional security that some of the other LSMs provide.
That is why I am so happy that Linus re-stated his adamant support for the LSM framework. Thank you Linus.