selinux.vger.kernel.org archive mirror
* NSA SELinux on embedded devices: surveillance-oriented applications
@ 2005-11-24 17:35 Lorenzo Hernandez Garcia-Hierro
From: Lorenzo Hernandez Garcia-Hierro @ 2005-11-24 17:35 UTC (permalink / raw)
  To: NSA SELinux Mailing-List; +Cc: Craig Hughes, Russell Coker

[-- Attachment #1: Type: text/plain, Size: 3411 bytes --]

Hi,

Some time ago I started working on SEGumstix, a fork of the Gumstix
distribution based on the uClibc buildroot which provides a reliable and
versatile development environment for embedded device platforms. For
those who don't know about the Gumstix, it's an SBC (Single Board
Computer) ARMv5-based platform (Intel XScale PXA255, future boards with
PXA27X) providing serial output and input, GPIOs, Bluetooth, etc.

SEGumstix would help to deploy low-cost (well, relatively "low" cost)
devices using well known technologies, including SELinux, the IBM
SSP/ProPolice, etc. (see http://wiki.tuxedo-es.org/SEGumstix).

It's not really a project by itself, but more an independent effort
(with support from Craig at Gumstix Inc. who provides SVN and valuable
guidance) to know the possible applications of SELinux in embedded
devices.

I had difficulties deploying it in a real-world application that
could show the benefits of SELinux. Then I started reading about UAVs
(Unmanned Air Vehicle, some variants and their acronyms like URAV, TUAV,
etc.).

After gathering some experience with embedded platforms and electronics
I started to work on a surveillance device, small and low-cost, that
could be attached to an {U,TU,UR}AV for controlling and storing securely
the positioning/tracking information and any other sensor data. Using
polyinstantiation and roles, coupled with ciphered storage,
information could be contained in different levels and depending on its
source.

Right now I have a prototype, but it is not working yet (software not yet
developed, still finishing and assembling hardware). Photos at:

 http://pearls.tuxedo-es.org/photos/sdp-1/

Note that the Gumstix platform is missing, and the GPS unit is a
Motorola Oncore with RS232 interface. It's a prototype, don't expect it
to be as small as the final version nor using anything really
exceptional. Final version will probably make use of a Lassen IQ module
(http://www.trimble.com/lasseniq.html). The Oncore is a power
consumption beast. In any case I'll have to look at industrial usage
rated devices rather than end-user ones. That will come hopefully after
the business. To see what the final version could look like, check photos
41, 42 and 45 (GSM/GPRS CF connected).

I can't give any further details now until I finish it as I'm planning
to patent the design of the whole system and try to find investors for
funding. The main reason is for being able to afford my relocation to the US
in the near future (hopefully next year, that is, 2006). I would prefer to
work on this in non-private-industry, as the main goal of this is to
provide confinement of data gathered by sensor-driven platforms used in
military and intelligence-related operations, rather than end-user and
commercial usage.

Once it gets stable I'll start publishing information about how it
works, etc.

Anyways, SELinux development for this will be open and released to the
community (ie. buildroot integration, etc).

I'm interested in getting in touch with the guy who developed the JFFS2
xattr patch. If you're reading this, please drop me a line.

I'm CC'ing Craig (from Gumstix Inc.) and Russell, as he worked with
iPAQs and SELinux and more concretely the buildroot integration.

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


[-- Attachment #2: This part of the message is digitally signed --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
