Linux in Government: Open Source Innovation within the DoD

When a National Security directive became effective, this DoD team took the initiative with open-source software.

Prior to implementing an integrated software solution for its hospitals in 1993, the military experienced bottlenecks in its computer services. Each branch of the armed services used different legacy systems and manual procedures to control the flow of medical supplies and equipment, facilities, contractors and record keeping. Then, the Department of Defense (DoD) automated the processes with a common standard platform to conduct medical logistics for every branch of service. When you manage as many hospitals and health-care facilities as the military does, standards-based solutions and coordinated automation are essential.

The Assistant Secretary of Defense for Health Affairs embraced what is referred to as the DoD information superiority initiative. Simply stated, as service members are deployed into various theaters of operations, new and better standards became essential. That's where the Defense Medical Logistics Standard Support (DMLSS) program comes into play. The DMLSS System is an automated information system used by the four major branches of the service to provide medical logistics support to military hospitals and other medical facilities.

DMLSS provides the four services with a common, standard platform for conducting medical logistics. It provides end-to-end information technology that enables the services to order and receive products and services electronically as well as to create and release invoices for payment. DMLSS also provides record keeping services, such as inventory control. The system complies with the accounting standards of the DoD, allowing the Comptroller's office to more efficiently compile its financial records. Finally, DMLSS serves as a source of record for DoD medical assets.

Open-Source Components

The Program Management Office (PMO) for DMLSS is located in Falls Church, Virginia. Continuing development and support facilities exist at Ft. Detrick, Maryland, at the Joint Medical Logistics Functional Development Center. At Ft. Detrick, programmers support open-source components in applications that require cryptography. They open-source components include Stunnel, Apache, ModSSL and OpenSSL.

Although Stunnel does not contain any cryptographic code itself, it relies on external SSL libraries, such as OpenSSL. ModSSL provides strong cryptography for the Apache 1.3 WebServer by way of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, with some help from the open-source SSL/TLS toolkit, OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured and open-source toolkit that implements the SSL v2/v3 and TLS v1 protocols, as well as a full-strength general purpose cryptography library.

The PMO supported the use of open source and saw it as an enabling technology. As DMLSS became the standard throughout the military, the department heads enjoyed the success of their program. It has won 17 awards, beginning with the 1997 Government Information Technology Leadership Award and most recently winning the E-Business Transformation Award in 2003.

The Other Shoe Falls

Some of us may find it hard to imagine, but in January 2000 members of the National Security Agency promulgated a policy that required any military program using information assurance to have its products validated by National Institute of Standards and Technology (NIST). The open-source components of DMLSS lacked such validation, called a FIPS 140-2 validation.

That led Steve Marquess, the technical manager of DMLSS, to the job of finding replacements for the OpenSSL libraries so prominently used in DMLSS. It also led him on a journey that blended serendipity with the realities of DoD chains of command. After months of research, Steve says he "discovered two things: not much commercial software was available and what existed was very expensive. Secondly, OpenSSL had already been validated multiple times."

Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."

Steve took the idea to his superiors: Debbie Bonner, Director of Operations in the PMO, and Colonel Dan Magee, the DMLSS Program Manager at the time. Both actively encouraged Steve to go forward. Steve said, "The path of least resistance [for Debbie Bonner and Col. Magee] would have been to fork over a pile of taxpayer dollars for proprietary software, but they backed this out of the box move instead. That took guts, I think, especially when we were being told by nearly everyone that it couldn't be done."

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Validating binary integrity with untrusted compilers?

Anonymous's picture

Validating the source's behavior when compiled with a relatively trustworthy compiler makes sense, and you should also be able to validate the binaries you get. But just because you compile from trusted source doesn't mean somebody hasn't tricked out your compiler, as Ken Thompson once did...

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

"The trick here, then, was to produce a mechanism by which cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable."

Any more details of how this was done ? It would be a useful technique for auditing voting machines.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

Trent signs a tar ball.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

It might also be interesting for some security-enhanced software distros(openbsd, trustix?, etc..) to be able to validate updates, wouldn't it? Anyone have comments on this? My first reflex was to think it might also help TCPA but I just remembered that was a bit off-topic.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

I dont think TCPA is so much out of topic here. TCPA is based on validated integrity metrics. The more Open SOurce software is validated in the way it was done here the better ! The Trusted Platform will become more "trusted" with this kind of validations.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

not that the TCPA is trustable, period ..... but that really is off-topic.

GNU TLS

Anonymous's picture

It's a pity they spent the time on OpenSSL, which isn't quite Free Software, instead of the more modern, and by report more structurally sound, GNU TLS.

I wonder how the procedures deal with bug fixes and security fixes. It would ironic if security certification requirements prevented them from incorporating security patches.

Re: GNU TLS

Anonymous's picture

GNU TLS does not include the AES, SHA, DSA, DES, or 3DES encryption primitives that they have validated so far. It uses another library (libgcrypt) to provide those. Libgcrypt has a much smaller user base than OpenSSL, and until quite recently the only release was officially "alpha-quality" and not intended to be used for production software (not that that prevented GNUTLS from using it as the crypto back-end).

It's a shame that OpenSSL has a crummy license, and yet has so much more support...

Re: GNU TLS

Anonymous's picture

Ah ha ... so that's why broken security software doesn't seem to get fixed as often as it should.

Re: GNU TLS

Anonymous's picture

Is GNU TLS a drop-in replacement for openSSL? Doesn't seem to be looking at the GNU TLS web page, and even then, wouldn't help since its license is incompatible with Apache. So them paying to get GNU TLS certified doesn't really help them out, does it?

Maybe FSF (or you, for that matter) should solicit donations of time and money so GNU TLS can get certified, but that would be much harder than whining. As the movie Megaforce so eloquently put it, "Deeds Not Words."

And since this is the first time I've even heard of GNU TLS, they might want to think about pushing it a bit more.

What about the small stuff...

Anonymous's picture

This is a great achivement for OpenSSL and I applaud everyone's effort.

However, what about the smaller opensource projects that don't have the resources or the clout to get management support? Or what about a set of libraries that one programmer finds useful?

What happens then?

Re: What about the small stuff...

Anonymous's picture

That seems like a rhetorical question.

It's like voting. Most people that don't vote say that their vote doesn't make a difference. Maybe it doesn't.

I vote because I think it does make a difference.

It's up to every individual to take action according to his/her own personal commitment. Everyone has to start somewhere. Who knows if the field will open up and you'll get to the big time? You should always be prepared and believe that at any moment your personal miracle can occur.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

I'd like to see this sort of thing happen in Canada. Our governments could use a reality check in the way they spend our dollars.

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

Last time I heard about Canadian government it was rated #1 e-Government position by Accenture. US was #3 (or #4).

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

hummmm. Accenture who is winning large contracts with Canadian government to move it to MS is rated #1. Surprise. I am willing to bet that US moves to #1 once the contract with Accenture goes through

Re: Linux in Government: Open Source Innovation within the DoD

Anonymous's picture

If you want to help the situation in Canada, join with the folks in GOSLING (Getting Open Source Logic INto Governments). We have active chapters in Ottawa and Toronto, and could use your help!

We also worked with the Canadian Internet Policy and Public Interest Clinic (CIPPIC) to ask candidates and parties questions during the election campaign about their knowledge of and position on Open Source.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix