DARPA Open Source Security Helped FreeBSD, Junos, Mac OS X, iOS
An anonymous reader writes "In a February 2013 ACM Queue / Communications of the ACM article, A decade of OS access-control extensibility, Robert Watson at the University of Cambridge credits 2000s-era DARPA security research, distributed via FreeBSD, for the success of sandboxing in desktop, mobile, and embedded systems such as Mac OS X, iOS, and Juniper's Junos router OS. His blog post about the article argues that OS security extensibility is just as important as more traditional file system (VFS) and device driver extensibility features in kernels — especially in embedded environments where UNIX multi-user security makes little sense, and where tradeoffs between performance, power use, functionality, and security are very different. This seems to fly in the face of NSA's recent argument that one-size-fits-all SELinux-style Type Enforcement is the solution for Android security problems. He also suggests that military and academic security researchers overlooked the importance of app-store style security models, in which signed application identity is just as important as 'end users' in access control."
Re:Unix Windows NT security? (Score:3, Interesting)
"To discuss operating system security is to marvel at the diversity of deployed access-control models: Unix and Windows NT multiuser security [acm.org] .. This diversity is the result of a stunning transition from the narrow 1990s Unix and NT status quo to security localization"
To mention Unix and Windows NT security in the one sentence, just begs credulity ...
"Windows NT [wikipedia.org] and its successors .. were not initially designed with Internet security in mind"
I think you're confusing Windows NT the operating system (NT3, NT4, 2000, XP, etc.) with NT the kernel and security model, which was designed to be POSIX compliant, which implies lining up with "unix multi-user security" and is also done in such a way as to be tweakable to mimic many of the SELinux advancements. The OS I could do without; the security model as originally baked in (and then ignored in preference of interoperability with DOS/9x -- but it's still there) is actually pretty network-savvy. It's not the architecture team's fault that the OS team dumped a sieve on top of their nicely designed core and taped over some of the main security features on which the architecture hinges.
Not meant to sound like an apologist; it's just that I'm really impressed with a lot of the work that early team did. They did it well enough that you can, even now, modify the commercial OSes that Microsoft releases to run in a manner that reflects the original network-savvy security architecture, without resorting to Active Directory etc. Of course, a lot of "Made for Windows" software won't run on it in that configuration, but we've learned to expect that with every MS OS after XP anyway.
Re:SELinux != UNIX multi-user security (Score:1, Interesting)
Except that the essentially randomized configurations of SELinux are so complex that no one, and I mean *no one*, uses it in production. Out of roughly 30,000 Linux systems I've helped deploy, it's been left active in "Strict" mode in about 3, and those had to turn it off pretty quickly as projects found it hampered actual work.