One of the challenges with a general-purpose operating system is that it is general purpose! It is designed to provide the application developer with a tool set to build their application. When building an application used to enforce security, this is a real challenge.
At Nexor, we have invested in the SE Linux platform as a mechanism to enforce a trusted execution path. This means that even if a component of the application were to fail, the ability of an attacker to exploit the failure is significantly reduced. We have used this approach in gaining the required level of security control in the Nexor Sentinel product to gain Common Criteria certification in January 2013.
I note with interest the article: Android 4.2 alpha contains SELinux.
Pretty cool: an alpha image of Android 4.2 from the leaked LG Nexus device includes SELinux. “According to the layout xml, SELinux will have a status readout tacked-on to the current About Phone screen. It will now list SELinux Status at the very bottom, right under Kernel version and Build Number. If you’re wondering why there are 3 options and not just on and off, Permissive is a logging mode, which will tell you when it would have blocked something, but won’t actually block things. The other key piece of information to get from the string file is that this is an optional mode, don’t go around saying that Google is shutting down root functionality or anything. This is for security conscious enterprise and government-types and probably won’t be enabled on consumer phones.”
This complements the NSA announcements about their development of SE Linux for Android, and the GCHQ announcement around a secure configuration of iPhone/iPad being available for UK Government use. This is all good news. As consumerisation takes hold, and users start to demand tablet-style devices in the workplace, security of the devices will become a key issue (if it is not already), so the availability of options to secure these devices becomes increasingly important.
Are secure platforms like SE Linux important for your device environment? Please let me have your comments below.