MADFW IaaS Program Review
A presentation at Xyratex NSA Event in in Columbia, MD, USA by Shawn Wells
Secure Foundations: An SELinux Primer Shawn Wells Director, Innovation Programs & Lead Developer, SCAP
20 MINUTES, 2 QUESTIONS
- How do we label data? 2. How do we verify security compliance?
FIRST: An SELinux History Lesson • Originated from NSA R&D • First release in December 2010 • Integrated into mainline Linux in 2003
FIRST: An SELinux History Lesson Exploit Exploit
What An Attacker Can’t Do • Read/manipulate user data • Read/manipulate system files • Attack data/processes owned by other compartments (via polyinstantiation) • Attack other machines on the network, unless authorized to pass traffic on specific port • Evade audit subsystem
Role Based Access Control
SCAP Security Guide
SCAP OpenSCAP HTML Firefox
Red Hat Enterprise Linux 6 with KVM Red Hat Enterprise Linux 5.6 with KVM CAPP: Users control who access’ their data RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…) LSPP: Compartmentalizes users and applications from each other. Enables MLS. Certification Date IBM z/VM Version 5 Release 3 (for IBM System z VMWare Mainframes) vSphere 5.0 VMWare ESXi 4.1 Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050 2012-10-08 2012-04-20 2008-08-06 2012-05-18 2010-12-1 5 2009-07-24 EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ CAPP YES YES YES NO NO NO RBAC YES YES NO NO NO NO LSPP YES YES YES NO NO NO EAL Level
Co-presented with Terry Seibel, the MSD SETA, on the system purpose and capabilities of the MSD Application Development Framework (MADFW).
