Security is hard, let’s go shopping

I’ll be giving a talk on the SELinux project at the next Linux Foundation Symposium in Japan, to be held 9th and 10th of July. Details of the symposium are here in Japanese, while a PDF schedule in English lives here.

From the abstract for my talk:

This talk will provide an overview of the project, covering its rationale, design goals, and milestones. Recent significant developments and ongoing work will be discussed. The aim of the talk is to help the audience better understand SELinux and how it might be utilized to implement a diverse range of security goals.

A specific topic I’d like to cover at some level is expectations. There’s no silver bullet for security, and likely never will be, unless perhaps the OS is redesigned from scratch with all applications coded in a security-aware language, and people totally change the way they use computers.

The concept—endlessly proposed by snake-oil merchants—that security can be dramatically improved without any disruption to the user experience, is unrealistic. A practical approach will involve attempting to avoid disruption as much as possible, and to find optimal ways of handling difficult cases. It will not pretend there is no complexity.

As an analogy, consider network firewalling, where you are able to obtain an increased level of protection against several common threats by configuring a packet filter to only allow expected traffic. This may break some previously common use-cases, such as ad-hoc deployment of new network services, unless the user learns how to reconfigure the packet filter. Even with a high-level GUI tool, some fundamental understanding of networking and security is still required for the user to be able to make informed use of the tool.

There is very little history of significant adoption of improved security without a change to the user experience. Even in what may be the most successful case—the migration from telnet and R commands to SSH—people had to gain new knowledge, master new skills, and change their behaviour. Even with the relative simplicity of SSH and ubiquitous availability of implementations, there are still mission critical systems using telnet over unprotected networks, which should surprise nobody working in the real world. Before sighing wearily, consider how so many smart people can still get it so wrong.

Security is hard. Real improvements only come with continuous effort and innovation, where innovation is not just “inventing” but also transforming the practice of a community. It does not happen overnight, nor even overyear. Recall the various iterations of packet filtering in Linux prior to the integration of Netfilter in the 2.4 kernel, along with the R&D effort around firewalls before Linux even existed. It seems to me that it takes around a decade for substantial change to occur, including the changes to both the technology and the culture.

There may not be the time to dive too deeply into this topic during the talk itself, although I’m sure there’ll be plenty of opportunities for conversations during the always important hallway and after-hours sake tracks.

Also speaking:

  • Thomas Gleixner on the Completely Fair Scheduler
  • Paul Moore on Labeled Networking
  • Toshiharu Harada on the experience of trying to get TOMOYO upstreamed
  • Andrew Morton (tentatively) on kernel stuff

There are BoF sessions on the second day covering security, the kernel scheduler and general kernel discussion.

After that, I’ll be back in Sydney for a few days before flying to Ottawa for OLS and the SELinux developer summit.