Comments on: Designing a Secure Linux System http://etbe.coker.com.au/2010/03/08/designing-secure-linux/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ary Kokos http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24633 Ary Kokos Wed, 07 Apr 2010 20:22:47 +0000 http://etbe.coker.com.au/?p=1839#comment-24633 It seems that Johanna R made a very interesting proposal for a secure OS : http://qubes-os.org/ A particular effort is put on protecting against some physical attacks and an easier management and conevniant user interface among many other things It seems that Johanna R made a very interesting proposal for a secure OS : http://qubes-os.org/
A particular effort is put on protecting against some physical attacks and an easier management and conevniant user interface among many other things

]]> By: etbe http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24385 etbe Wed, 10 Mar 2010 11:35:42 +0000 http://etbe.coker.com.au/?p=1839#comment-24385 http://www.reddit.com/r/linux/comments/bb21j/designing_a_secure_linux_system/ This article has appeared on Reddit. A Reddit comment make a comparison with "Paranoid Linux". It seems that the Paranoid Linux project is dead. http://ostatic.com/blog/linux-rooted-in-fiction-paranoidlinux The above URL discusses Paranoid Linux and it doesn't seem to have much correlation with what I am proposing. My idea could be implemented by a small distribution for the hypervisor (maybe Debian) and another installation of Linux (it could be Debian or it could be something else like CentOS or Ubuntu LTS) for the virtual machine. As Kristin Shoemaker points out in the above URL it's a lot of work to create a new OS and it's better to add security features to an existing one. To the outside world my proposal might look like two different Linux systems behind a NAT device or it might look like a single Linux system with Squid caching the package updates. http://www.reddit.com/r/linux/comments/bb21j/designing_a_secure_linux_system/

This article has appeared on Reddit. A Reddit comment make a comparison with “Paranoid Linux”. It seems that the Paranoid Linux project is dead.

http://ostatic.com/blog/linux-rooted-in-fiction-paranoidlinux

The above URL discusses Paranoid Linux and it doesn’t seem to have much correlation with what I am proposing. My idea could be implemented by a small distribution for the hypervisor (maybe Debian) and another installation of Linux (it could be Debian or it could be something else like CentOS or Ubuntu LTS) for the virtual machine.

As Kristin Shoemaker points out in the above URL it’s a lot of work to create a new OS and it’s better to add security features to an existing one. To the outside world my proposal might look like two different Linux systems behind a NAT device or it might look like a single Linux system with Squid caching the package updates.

]]> By: Ary Kokos http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24380 Ary Kokos Tue, 09 Mar 2010 13:17:53 +0000 http://etbe.coker.com.au/?p=1839#comment-24380 2 years ago the french National Research Agency launched a similar project, the SEC&SI project The idea was to provide a more secure system for end users which run on a standard computer, and does not rely on specific hardware (like TPM) and based on open source technologies. SAFE-OS is similar to the solution you presented here There are 3 project : - OS^4 by EADS/Supelec: based on Debian + vserver and grsecurity https://os4.wscrp.org/ - SAFE-OS : based on Debian and Xen, 1 VM per environment (1 for email, 1 for web ; 1 for online tax paying system) http://www.lri.fr/~herault/SECSI-SAFEOS/Evaluations/1/lri-slides.pdf (sorry, it is in french but some figure are in english) http://www.lri.fr/~herault/SECSI-SAFEOS/ - SPACLik : Gentoo + SELinux ftp secsi.ensi-bourges.fr The project Website, in French (https://adullact.net/projects/secsi/) 2 years ago the french National Research Agency launched a similar project, the SEC&SI project
The idea was to provide a more secure system for end users which run on a standard computer, and does not rely on specific hardware (like TPM) and based on open source technologies.

SAFE-OS is similar to the solution you presented here

There are 3 project :
- OS^4 by EADS/Supelec: based on Debian + vserver and grsecurity
https://os4.wscrp.org/

- SAFE-OS : based on Debian and Xen, 1 VM per environment (1 for email, 1 for web ; 1 for online tax paying system)

http://www.lri.fr/~herault/SECSI-SAFEOS/Evaluations/1/lri-slides.pdf (sorry, it is in french but some figure are in english)

http://www.lri.fr/~herault/SECSI-SAFEOS/

- SPACLik : Gentoo + SELinux
ftp secsi.ensi-bourges.fr

The project Website, in French (https://adullact.net/projects/secsi/)

]]> By: Robert http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24378 Robert Mon, 08 Mar 2010 23:33:09 +0000 http://etbe.coker.com.au/?p=1839#comment-24378 "Firstly hypervisors have a simpler interface which means less avenues of attack and they have less code." True. But surely this is only because inter-partition communication is currently typically very 'narrowband'. As the need for richer communication between applications/partitions grows (to the point that would be needed in a desktop environment), I bet the same problems will appear. "The extra layer can be significantly stronger than the other layers." Ah, but the abstraction interface is also 100x more inappropriate. Having hosts pretending to their applications to be a rather backwards overextended PC design from the 1980s and pretending to have PCI devices and so on seems absurd to me. And I'm also not totally convinced with the idea of adding more layers of indirection to make a cracker's life more difficult. It reminds me slightly of the reasoning behind security through obscurity. Anyway - I'm sure you have much more real world experience of these things than me - I just don't see virtualization as a security feature, and the current trend to view it as such worries me. “Firstly hypervisors have a simpler interface which means less avenues of attack and they have less code.”

True. But surely this is only because inter-partition communication is currently typically very ‘narrowband’. As the need for richer communication between applications/partitions grows (to the point that would be needed in a desktop environment), I bet the same problems will appear.

“The extra layer can be significantly stronger than the other layers.”

Ah, but the abstraction interface is also 100x more inappropriate. Having hosts pretending to their applications to be a rather backwards overextended PC design from the 1980s and pretending to have PCI devices and so on seems absurd to me. And I’m also not totally convinced with the idea of adding more layers of indirection to make a cracker’s life more difficult. It reminds me slightly of the reasoning behind security through obscurity.

Anyway – I’m sure you have much more real world experience of these things than me – I just don’t see virtualization as a security feature, and the current trend to view it as such worries me.

]]> By: etbe http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24377 etbe Mon, 08 Mar 2010 22:01:20 +0000 http://etbe.coker.com.au/?p=1839#comment-24377 http://etbe.coker.com.au/2007/10/28/xen-and-security/ Stephen: Well NetTop was an attempt to do such things, it wasn't that good. My design above could be considered to be the next generation of NetTop. As for Theo's thoughts on this matter, I've already responded to them at the above URL. http://etbe.coker.com.au/2007/10/28/xen-and-security/

Stephen: Well NetTop was an attempt to do such things, it wasn’t that good. My design above could be considered to be the next generation of NetTop. As for Theo’s thoughts on this matter, I’ve already responded to them at the above URL.

]]> By: Stephen Smoogen http://etbe.coker.com.au/2010/03/08/designing-secure-linux/comment-page-1/#comment-24376 Stephen Smoogen Mon, 08 Mar 2010 21:25:05 +0000 http://etbe.coker.com.au/?p=1839#comment-24376 Oh I wonder how many security considerations about the OpenBSD kernel would go away with a virtual technology embedded in it. It will be interesting if they ever crack that nut. http://kerneltrap.org/OpenBSD/Virtualization_Security Oh I wonder how many security considerations about the OpenBSD kernel would go away with a virtual technology embedded in it. It will be interesting if they ever crack that nut.

http://kerneltrap.org/OpenBSD/Virtualization_Security

]]>