1.1. The Inevitability of Software Failure

Appropriately enough, we derive the title of this first section of a book on SELinux from a paper [1] that the principal creators of SELinux coauthored before the SELinux project was even started. The authors of that paper pointed out that software is flawed, and that too much of the software being developed assumes that applications can enforce security without the support of the underlying operating systems. As they note:

[1] P. Loscocco, S. Smalley, P. Muckelbauer, R. Taylor, S. Turner, J. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pp. 303-314, October 1998, available at www.nsa.gov/selinux/papers/inevit-abs.cfm.

The necessity of operating system security to overall system security is undeniable … If it fails to meet this responsibility, system-wide vulnerabilities will result.

A design that tries to create security without the support of the underlying operating system is a "fortress built upon sand" [2] with no secure foundation upon which to sit.

[2] D. Baker. Fortresses Built Upon Sand. In Proceedings of the New Security Paradigms Workshop, pp. 148-153, 1996.

In the years since that paper was published in 1998, the problem of flawed application software has become practically an everyday news headline. Rarely does a week go by that some new virus, computer theft, or system vulnerability is not announced. The fact of life in the computer era is that application software is flawed and will remain flawed. We certainly applaud the efforts to make software better and more reliable, but flaws will undoubtedly remain an ongoing problem for the foreseeable future. Some people will always try to exploit these flaws. Our challenge as a community is to find ways to have secure systems knowing that flawed application software will always exist. We cannot meet this challenge successfully without first finding firm ground upon which to build (that is, the operating system).

Thus we find the goal of SELinux: specifically, to promulgate a better form of operating system security. As we discuss in this book, the state of the art in operating system security is inadequate. We as a computer security community have known this for nearly 40 years. We have conducted much research but have had limited success improving this situation for mainstream operating systems. Finally, with SELinux, we believe real progress has been made in a way that will prove lasting. SELinux is indeed a security enhancement to the Linux operating system. This enhancement can effectively mitigate the problem of flawed application software, including those flaws not yet discovered or created. This same enhancement can also enforce many security goals, ranging from data confidentiality to application integrity to improved robustness.

With SELinux, we have made a great stride toward moving our "fortress" off the shifting sands on which it currently sits.




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154
