29

Given the ongoing leaks concerning mass surveillance and the fact that the NSA is the original developer of SELinux, I'm wondering whether that means that backdoors should be expected in there?

As every other obfuscated C contest, not least the Underhanded C Contest, shows, well-written backdoors can elude the reviewer. And just because software is FLOSS doesn't imply people always make use of the opportunity to read the code (not to mention the vast majority that wouldn't be able to comprehend it).

In case of SELinux it's not so much about crypto as the recent NIST RNG debacle, but backdoors in there would certainly provide an inroad into seemingly secure hosts.

Need we be worried? And if not, why not?

0xC0000022L
  • 9
    I disagree with Scott Pack, tylerl, TildalWave, Xander, NULLZ – T-student Apr 02 '14 at 15:47
  • If the question could be quantified, then it would no longer be opinion-based. – schroeder Apr 13 '15 at 02:36
  • 2
    I disagree as well with the decision to close this. This needs a healthy debate. – costa Jan 20 '17 at 19:49
  • 2
    Ignore anyone who still argues with the "many eyes" theory. The fact that the NSA easily put a backdoor inside OpenSSL, of all projects, makes it brutally obvious how delusional that view is. – Evi1M4chine Feb 03 '18 at 13:10

2 Answers

25

Expecting backdoors is a bit strong...

There are several strong arguments against the plausibility of such backdoors:

  • Linux is used by a lot of people, including US corporations. A big part of the mandate of modern security agencies is to protect the interests of their country. In particular, the NSA shall, as much as possible, protect US corporations against spying from foreign competitors. Putting a backdoor in Linux implies the risk of allowing "bad people" (from the NSA point of view) to spy on US corporations through this backdoor.

  • Linux is open-source and the kernel is believed to be under rather thorough scrutiny from competent programmers. This is the "many eyes" theory. SELinux is right in the middle of all this inspection. Whether the "many eyes" theory actually holds is debatable (and debated). However, there are people who do PhD theses on SELinux, so it is not preposterous to assume that this particular piece of code was thoroughly investigated.

  • Any patch committed into the Linux kernel is followed through revision control. SELinux comes from the NSA and is tagged as such. If a backdoor was inserted and then subsequently discovered, it would be easy to track it back to the apparent author. A very basic protection measure is to not do such things in your own name! If I were the NSA, I would first build up a virtual persona who is not associated with the NSA, so that even if he gets caught pushing backdoors, this will not incriminate my organization. Spy agencies know a lot about spy network segmentation. It would be singularly dumb of them to inject backdoors in their own name.

There is also a strong argument for the existence of such backdoors:

  • Spying on a lot of people and organizations is the core business of the NSA.

Honestly, until you find the corpse (i.e. the backdoor itself), your question is unanswerable. It is a matter of many parameters which can only be known through subjective estimates...

(Personally, I still find that backdoors in PRNG, especially hardware PRNG, are much more plausible than backdoors "hidden in plain sight".)

Tom Leek
  • 3
    Good points. And given your arguments I think you may be right about it being unanswerable. Thanks +1 – 0xC0000022L Sep 13 '13 at 19:51
  • Detailed answer, but I have a question. What if you're working for the NSA and avoided some facts and stated the ones that suggest that there is no backdoor? I'm not saying that you are, but if I were the NSA and had a backdoor, I'd make my employees write good things about SELinux. LOL! – Ufoguy Dec 23 '13 at 15:49
  • 4
    You can trust me, I am a stranger on the Internet! – Tom Leek Dec 23 '13 at 22:22
  • 2
    I don't think the NSA's official mission is a good reason to believe it wouldn't add backdoors. The agency [considers American citizens to be adversaries](https://www.techdirt.com/articles/20130905/15531224420/nsa-gchq-admit-that-enemy-is-public.shtml), not beneficiaries of its operations. – augurar Oct 21 '14 at 04:23
  • 4
    **The "many eyes" theory is dead since the NSA backdoor in OpenSSL clearly showed how delusional that belief is.** SELinux has never been audited by any trustworthy truly US-independent entity, making it nearly as untrustworthy as closed source. On top of that, there is always **The Underhanded C Contest**, proving that looking at the source is not enough. You need to be an expert who can detect underhanded backdoors too. – Evi1M4chine Feb 03 '18 at 13:05
0

From the beginning, open source solutions have had this advantage: when in doubt, you can verify it yourself by checking the code. The assumption that open source can have backdoors without anyone noticing is, from my point of view, rather weak. The reason is that if that is indeed the case, then what is the assumption that the Linux kernel doesn't have such a pull request that was merged into the main source tree a long time ago and is providing uninterrupted access to the NSA or any other intelligence agency? Why should I trust the people on Stack Exchange and their advice? They might all be agents of the NSA!

The reason why these arguments don't hold their ground is that Stack Exchange is not a one-man forum. The NSA is not the only place on earth where good C/C++ programmers work. No one can backdoor an open source package for so long just for the reason that there won't be anyone who would bother looking at the code. Kernel or OS is not the only place where you need to hide the backdoor. There are networks on which your backdoor needs to communicate. There are log and network traffic monitors which analyse every action performed at the system or network level. All these devices and systems are developed by people of different countries and backgrounds. If one component is compromised, there are other components that can detect it and report it to the user. Therefore, I believe the argument that popular open source packages can have backdoors for so long because there is no capable programmer in the whole world who can spot the anomaly is fundamentally flawed.

"Every time some [developer] says, 'Nobody will go to the trouble of doing that,' there's some kid in Finland who will go to the trouble."

The above is true not only for software development but for any type of development (including backdoors).

void_in
  • 4
    I'm sorry, but belief is the last thing I want involved in an answer to my question. Thanks for answering, but it tries to invalidate the proposal in my question, and thereby carefully dodges the actual question. If we have learned one thing from the leaks, it's that paranoia can't be classified as paranoia if the subject of the alleged paranoia turns out to be a fact. Extending your argument, it should be equally impossible to hide backdoors in closed source, because it is always theoretically possible to reverse engineer and vet it. The origin of SELinux is suspicious enough to raise concern. – 0xC0000022L Sep 13 '13 at 19:45
  • +1 for "Kernel or OS is not the only place where you need to hide the backdoor. There are networks on which your backdoor needs to communicate. There are log and network traffic monitors which analyse every action performed at the system or network level." – Question Overflow Aug 09 '15 at 04:21
  • 2
    Sorry, the fact that **OpenSSL, of all projects, had an NSA backdoor deliberately put in without anyone noticing**, completely kills the "many eyes" argument dead in the water. Unless an entity outside US control (like a true enemy, not a fake one like Putin or the IS/Saudis/Pakistan/…) who is also an expert at detecting underhanded backdoors, audited all of the code of the used version/patch, the code must be considered no more safe than closed source directly from the NSA. (Aka the worst case scenario possible on this planet.) – Evi1M4chine Feb 03 '18 at 13:08