Linux gains embedded security framework
Aug. 15, 2008

LWN.net has published an article on a new Linux access control mechanism called the Simplified Mandatory Access Control Kernel (Smack). Part of the mainline kernel since version 2.6.25, Smack is simpler and less resource-intensive than SELinux, which, according to the story, makes it particularly attractive to embedded developers.

"OLS: Smack for embedded devices," written by Jake Edge, reviews a presentation about Smack given at the recent Ottawa Linux Symposium (OLS) by Smack developer Casey Schaufler. (His logo for Smack is pictured at top.)

Like SELinux, Smack is designed to harden Linux systems via mandatory access control (MAC) policies. SELinux, an open source project originally developed by the U.S. National Security Agency (NSA), uses MAC to confine the actions of any process, including a superuser process. Linux distributions such as Red Hat Enterprise Linux and MontaVista Carrier Grade Edition ship with SELinux extensions configured.

So far, SELinux has ruled supreme, yet Smack appears to be gaining adherents among embedded developers. "Smack has the distinction of being the second user of the Linux Security Module (LSM) kernel interface to be merged into the mainline," writes Edge. "This finally put to rest the idea that the LSM might some day be removed from the kernel, requiring all security solutions to be implemented in terms of SELinux."

Smack differs from SELinux in that its MAC rules are stated explicitly, rather than implied by a larger policy, explains Edge. Smack labels entities as either active "subjects" or passive "objects," with a subject -- typically a task -- acting on an object, such as a file. Smack first compares the subject's label with the object's; if they match, access is granted. If they do not, it consults the list of explicit access rules to see whether the requested access is permitted.

Furthermore, unlike with SELinux, objects "inherit the label of the subject that creates them," so that an executable's label "is only relevant to determine whether the subject process is allowed to execute it," he explains. "The process that gets created has the label of the subject that executed it, not the label associated with the executable file." In his OLS presentation, Schaufler argued that this simplicity makes sense for single-purpose embedded devices that need only implement a limited set of functions. In such cases, it reduces development time as well as the amount of RAM and flash required.
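To make the two preceding paragraphs concrete, the following Python model walks through the access decision, the label inheritance on file creation and the unchanged label across exec as described above. It is an added illustration written for this page, not Smack's kernel code or anything from Schaufler's or LWN's material: the labels ("Media", "Net", "Sys"), the policy, the file names and the use of the letters r/w/x/a as access modes are all assumptions of the model.

```python
"""Toy model of the Smack access decision described above.  Added
illustration, not Smack's kernel code: labels are plain strings, rules
are explicit (subject, object, access) triples, and the access-mode
letters r/w/x/a are an assumption of this model."""

from dataclasses import dataclass, field

MODES = frozenset("rwxa")


@dataclass(frozen=True)
class Task:
    name: str
    label: str


@dataclass(frozen=True)
class File:
    path: str
    label: str


@dataclass
class Policy:
    # (subject label, object label) -> modes an explicit rule grants
    rules: dict = field(default_factory=dict)

    def add_rule(self, subject: str, obj: str, access: str) -> None:
        modes = frozenset(access)
        if not modes <= MODES:
            raise ValueError(f"bad access string {access!r}")
        self.rules[(subject, obj)] = modes

    def allowed(self, subject: str, obj: str, mode: str) -> bool:
        """Equal labels grant access; otherwise only an explicit rule does."""
        if mode not in MODES:
            raise ValueError(f"bad mode {mode!r}")
        if subject == obj:
            return True
        return mode in self.rules.get((subject, obj), frozenset())


class AccessDenied(PermissionError):
    pass


def create_file(policy: Policy, creator: Task, parent: File, path: str) -> File:
    """Creating an entry is a write to the directory; the new object
    inherits the creator's label, not the directory's."""
    if not policy.allowed(creator.label, parent.label, "w"):
        raise AccessDenied(f"{creator.label} cannot write {parent.path}")
    return File(path, creator.label)


def execve(policy: Policy, caller: Task, exe: File) -> Task:
    """The executable's label only decides whether exec is allowed; the
    resulting task keeps the caller's label."""
    if not policy.allowed(caller.label, exe.label, "x"):
        raise AccessDenied(f"{caller.label} cannot execute {exe.path}")
    return Task(exe.path, caller.label)


def scenario() -> dict:
    """Constructed single-purpose device: a media player task labelled
    'Media', a network daemon labelled 'Net', system binaries 'Sys'."""
    p = Policy()
    p.add_rule("Media", "Sys", "rx")   # player may read/execute system binaries
    p.add_rule("Net", "Sys", "rx")
    p.add_rule("Net", "Media", "w")    # downloader may write into media storage
    player = Task("player", "Media")
    netd = Task("netd", "Net")
    bin_sh = File("/bin/sh", "Sys")
    media_dir = File("/media", "Media")

    shell = execve(p, player, bin_sh)                          # Media->Sys has x
    song = create_file(p, netd, media_dir, "/media/song.ogg")  # Net->Media has w
    results = {
        "shell_label": shell.label,        # stays 'Media', not 'Sys'
        "song_label": song.label,          # inherits 'Net' from its creator
        "player_reads_song": p.allowed(player.label, song.label, "r"),  # no rule
        "netd_reads_song": p.allowed(netd.label, song.label, "r"),      # same label
    }
    try:
        execve(p, netd, File("/media/dropped.sh", "Media"))    # Net->Media lacks x
        results["netd_exec_media"] = True
    except AccessDenied:
        results["netd_exec_media"] = False
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the consequence a practitioner has to plan for: because the downloaded file takes the downloader's "Net" label rather than the "Media" label of the directory it lands in, the player cannot read it until a rule for that label pair is added, and the daemon that wrote the file still cannot execute it.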

Developers are also working on trimming down SELinux "and its enormous policy file" for embedded development, explains Edge, but he argues that Smack is still likely to be far simpler and more resource-efficient. "Clearly Smack is vastly simpler," concludes Edge. "Whether it has enough capabilities to provide the protection that embedded developers require remains to be seen."

Availability

The LWN.net article by Edge should be available here. A previous LWN.net article on Smack written last October by Jonathan Corbet may be found here. Schaufler's OLS paper on Smack may be found on this OLS proceedings page, hosted by the Fedora Project. Schaufler's Smack site may be found here.

Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.