Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Linux Software

IBM Running Linux On Secure Hardware 143

Schmad writes: "IBM announced at LinuxWorld today that IBM Research and Cryptographic Appliances have Linux running on FIPS 140 Level 4 hardware. Imagine, Linux running in a totally secure environment! Peter Gutmann, father of the crypto toolkit cryptlib, has some things to say about it here."
This discussion has been archived. No new comments can be posted.

IBM Running Linux On Secure Hardware

Comments Filter:
  • I would just like to take this moment to thank IBM for their continued support of free software. :-)
    • The reason they are supporting free software is because they all see the possible marketing opportunities. They are going to milk this cow,err, I mean penguin dry until its dead.

      Although I must admit they are developing some very cool technology.
      • I don't see how this is a bad thing. Sure, they're probably _using_ Linux for marketing, but at the same time they promote and develop for Linux.

        It's a win-win situation for both the Linux community and IBM.
      • IBM is an R&D company, they don't need to produce to make money, they rather rely on the royalties they get on each patent they may "rent" to their customer.
        Actually this is the most secure way to make money as you can still rely on what you already patented.
  • As a key product for secure e-business, its main applications are financial-related solutions, such as electronic coupon dispensers, Internet postage meters, intellectual property protection (web subscription services), signatures for digital documents and certificate authorities.

    So this new hardware will allow for the protection of intellectual property, which in turn will allow for cesorship and government control over the internet. This doesn't sound like good news to me.
    • So this new hardware will allow for the protection of intellectual property, which in turn will allow for cesorship and government control over the internet. This doesn't sound like good news to me.

      Jesus H. Christ on a freakin' popsicle stick, man! I am really tired of people who immediately blow up when they hear the phrase "intellectual property". Yes, there have been some stupid patents approved by the US Patent Office. Yes, companies have been crying "protect intellectual property" whenever someone comes up with a way to view/edit/manipulate "protected" data. Does this mean that intellectual property is bad? No.

      All this means is that some intellectual property laws need overhauling, and the Patent Office needs a swift kick in the ass. I bet that if you invented something that could conceivably make you a lot of money, you wouldn't want every Joe Schmoe making a cheap knock-off of it and selling it for 1/4 the price you could have charged. Someone will always lose; TANSTAAFL. Either the inventors lose, and there's no more innovation, or the consumers pay a bit more and support people who are inventing and making our world better.
  • I guess it finally proves once and for all which operating system is more secure. Windows can go cry in the corner.
    • um, huh? (Score:1, Insightful)

      by Anonymous Coward
      It isn't like these cards and systems were running windows before you know. This doesn't prove anything in that department. What it does prove is that IBM feels the linux kernel is superior to their proprietary one. Still a nice feather in Linux's cap but not a 'wind0ze is sux lol' situation.
  • since when do 'totally secure environments' exist? oh right..

    they don't!
    • 'totally secure environments' exist when a product needs to be sold.
    • by Anonymous Coward
      http://csrc.nist.gov/publications/fips/fips1401.ht m [nist.gov] Check the facts before you mouth off. I quote:
      "Security Level 4 provides the highest level of security. Although most existing products do not meet this level of security, some products are commercially available which meet many of the Level 4 requirements. Level 4 physical security provides an envelope of protection around the cryptographic module. Whereas the tamper detection circuits of lower level modules may be bypassed, the intent of Level 4 protection is to detect a penetration of the device from any direction. For example, if one attempts to cut through the enclosure of the cryptographic module, the attempt should be detected and all critical security parameters should be zeroized. Level 4 devices are particularly useful for operation in a physically unprotected environment where an intruder could possibly tamper with the device."
      These puppies self-destruct (zero out) if they're tampered with. They even had problems sending them by plane - they self-destructed because of the cabin pressure differences! Great for PKI - and that can PROTECT privacy, not harm it. Banks love them - 'cept the cost.

      t00t TooT

    • Single machine, not networked, in a lead lined room, with two marine infantrymen guarding the door = secure enviroment.

      But I guess that *would* be kinda impractical...
    • The basic premise is that everything is housed on a single PCI card.

      The card is "tamper sensitive" i.e. it goes into one enormous sulk if the the case is opened, it feels its electorodes being tweaked etc. etc.

      As hardware this is tried and tested technoligy. What is new is that IBM are dumping there specially written, proprietory (an presumably short of applications and development tools) "CP/OS" for LINUX.

      In the financial information business there is a big demand for this type of device. e.g. you are a company which has at great expense aquired data on every trade from every major stock exchange as it happens, you broadacast this compressed and encrypted via satelite to all your cutomers, but, each customer only pays for a subset of this data, easy, you program one of these cards to decompress and decrypt the data, then, filter out all the data the customer hasn't paid for.

  • Linux running in a
    totally secure environment!

    Hands down linux is better than MS but totally?!? unless the box is in hell, unpluged from anything and protected by lava it aint TOTALLY secure. don't ever forget that. you'll thank me later, trust me

  • By running Linux, it enables much easier migration and porting of applications into the secure environment than with the current CP/Q operating system

    So, um, would CP/Q be the fifth version of CP/M? That would certainly explain why they found it lacking...
    • So, um, would CP/Q be the fifth version of CP/M? That would certainly explain why they found it lacking...

      No the fifth version of CP/M is MS-DOS 5.0.

    • CP/Q is a protected-mode operating system originally developed by IBM research in the mid 1980's. At one point it was under consideration for adoption as IBM's strategic PC OS, but the nod went to OS/2 instead.

      It's been used as an embedded OS in a number of boxes, including high-end printers.

      The desire to move away from CP/Q to Linux is prompted more by "political" considerations than technical ones (e.g., broaden the toolset/developer experience base)
  • One word: COOL.

    No seriously, it's really neat that Linux can be used in an environment designed for maximum security. This kind of thing (despite the IP-hating people's snyde comments) is probably "the future" of e-commerce (if there is going to be any, See Also: Dot Bomb). It takes a lot of entropy to do SSL on a very active secure web server like the E-Commerce places do.

    This shows that Linux can in fact deal with the things that are needed for businesses to succeede on the Internet (along with all the other things being done, clusters, apache, etc). When they are all combined, I think the result will be "kick-ass".

    --MonMotha
    • That's not cool.

      What's COOL is that I dowloaded your IPTables firewall roughly 2 hours ago (unless there are multiple monmothas running around).

      Kick ass... today is MonMotha day. Thanks!!!
  • IBM Research Demonstrates Linux Running on Secure Cryptographic Coprocessor

    IBM Research has demonstrated Linux running on the IBM 4758 secure cryptographic coprocessor, a hardware security module. This is the first general purpose operating system (OS) running on a secure coprocessor. The IBM 4758 cryptographic coprocessor is an advanced, tamper-sensing and responding, programmable PCI card. Its specialized cryptographic electronics, along with a microprocessor, memory and random number generator are housed within a tamper-responding environment to provide a highly secure subsystem in which data processing and cryptography can be performed.

    By running Linux, it enables much easier migration and porting of applications into the secure environment than with the current CP/Q operating system. As a key product for secure e-business, its main applications are financial-related solutions, such as electronic coupon dispensers, Internet postage meters, intellectual property protection (web subscription services), signatures for digital documents and certificate authorities.

    The Linux-based IBM 4758 also offers significantly better performance, including eight times improved communication latency and four times faster throughput, over the current custom OS based product offering. In addition, Linux provides better support for new features, which are not supported by the custom OS such as running multiple potentially hostile applications on the same 4758 coprocessor card and allowing cross card communications that enables load balancing among multiple cards.

    IBM Research developed the 4758 coprocessor hardware, along with its internal operating system, secure configuration and bootstrap software, and custom software development tools that can run on multiple platforms, including all IBM servers and non-IBM servers, about five years ago. By creating the Linux version, IBM hopes to provide Linux developers the opportunity to create high security applications, and to encourage such development and interest in industry. We are working on making this software package available as a free download for existing 4758 coprocessor users. Parts of the Linux port were jointly developed with Cryptographic Appliances, Sacramento, California.

    The 4758 secure coprocessor was the first device ever to earn the highest possible certification for commercial security granted by the U.S. Department of Commerce's National Institute of Standards (NIST) and the Communications Security Establishment (CSE) of the Government of Canada.

    For further information, visit the IBM Research Mycroft Website at
    http://www.research.ibm.com/mycroft

    • Uhm. Not that I understood very much of it. What exactly does this co-processor thing? My assuptions (based more on guesswork than on the article):
      • Generates public/private key using internal random generators
      • exports the public key (no way to know the private key, or the whole thing would be useless)
      • Fast encoding for outgoing data:
        • in: clear data;
        • out : data cripted with private key
      • If somebody tamper with it, destroys the private key (??)

      What else (or something completely different) ?

      Also, how does Linux fit in the picture. It is used to run the co-processor (??) or to run a box including a general-purpose processor and the co-processor?

      • The idea is that it does all of the heavy crypto work to take the load off the main cpu, and be completely tamper proof (not sure what this means, but you wont be able to steal the key by pulling it out of the box or plugging some wires into it). Linux comes into it because it is running on the coprocessor. I did not see it on the list of OSs that you can use with the coprocessor, but it would be a logical step.
    • by Lumpy ( 12016 )
      Sounds like a simple PC locked in a safe surrounded by Plastic explosive would be a cheaper option...

      It's funny, they spend billions to make a "secure" hardware platform while you only have to spend a few million and common knowlege to make a generic platform secure. -- Put the PC where no-one can get to it, inside a faraday cage, and shoot anyone that comes near it.

      pretty darn simple to get a secure computer.
  • It's been said before, and will certainly be said again, but there is no such thing as a "totally secure environment." The best realistic target is "an evironment which will cost more to penetrate than the contents are worth." It's important to maintain feasable security expectations.

    There's a famous quote about the only secure computer being turned off, buried in concrete, protected by nerve gas and armed guards, and still not quite secure enough...
  • As cool as it is, it's hardware like this that will make it impossible to control our own computers - It will make content controll almost unbeatable, and turn personal computers into unfathomable black boxes. Into black boxes that are not beholden to us, the purchasers, but to others who wish to controll the use of our computers. Hardware will increasingly become an inscaleable wall, and we will have lost controll.

    bleah..
    • > As cool as it is, it's hardware like this that will make it impossible to control our own computers - It will make content controll almost unbeatable, and turn personal computers into unfathomable black boxes.

      Depends on the firmware, doesn't it?

      I'd like to see hardware like this with field-programmable parts. Stick in a CD-ROM and a blank hard drive and boot.

      I'd like to see it commoditized. You buy this box just like you'd buy a PC and an unformatted hard drive. The CD-ROM installs the OS and sets up everything through a series of dialogs.

      I'd like to see such a box in every hax0r'z closet, effectively acting as a router with a big-ass cache, and hooked up by wire to another router, the other end of that router hooked up to a wireless link.

      I'd like to see Freenet scale.

  • by doorbot.com ( 184378 ) on Wednesday August 29, 2001 @12:24AM (#2228803) Journal
    Apparently, the PCI card itself detects (physical?) intrusion attempts. What exactly it does when an attempt is made would be nice to know..

    Does it shut down?
    Send a pack of dogs with bees in their mouths for you?
    High amperage electrical shock?
    Immediately, and permanently bond itself to the intruding device/intruder?
    Explode a packet of purple paint?

    So while that sounds good and all, it still is a PCI card. Is this a "Linux as an OS" product or a "Linux Embedded" product?
    • I believe that, upon intrusion detection, the IBM card zeroizes all its RAM in a secure and non-recoverable fashion. The idea is that you can generate your crypto keys and keep them on the card, never exposing them anywhere outside its secure perimeter. This means that if an attacker gains physical access to your server (by breaking into the machine room or somesuch), even that level of access will be insufficient to recover the key material.


      This level of paranoia is appropriate for organizations for whom Crypto is Life (think CAs, credit card companies, banks, big e-commerce houses, etc.)

      • This level of paranoia is appropriate for organizations for whom Crypto is Life (think CAs, credit card companies, banks, big e-commerce houses, etc.)


        The MPAA... The RIAA... Adobe...

    • by Shortwave ( 2793 )
      During the situation with the US Navy EP-3 on Hainan Island, CNN interviewed a gentleman (think he was NSA or some agency, not sure) who demonstrated some of the boxes on board the plane. Just removing a screw causes the box to zap to firmware inside and you're just left with an anchor - useless silicon with nothing on it.

      I like the Superman III scenario personally. For some reason that scared the crud out of me when I saw it in the theater. I was about 7 then. Didn't look at my C64 for a week :-)
    • Where did the bit about "dogs with bees in their mouths" come from? Was it a Monty Python episode? I can't remember now, but I love that line.
      • It's a line from that famous fat-ass sage, Homer Simpson. Read the quote [psu.edu] in all its glory.

        Also quoted here (Homer actually shouts the line, or at least says it frantically, so the CAPS are not out of order..):

        "ARE YOU GOING TO SEND THE DOGS, OR THE BEES, OR THE DOGS WITH BEES IN THEIR MOUTHS, SO WHEN THEY BARK THEY SHOOT BEES?" -Homer Simpson

        Regards,
        Stephen
      • Homer: Bart, you're coming home.

        Bart: I want to stay here with Mr. Burns.

        Burns: I suggest you leave immediately.

        Homer: Or what? You'll release the dogs, or the bees, or the dogs with bees in their mouths and when they bark they shoot bees at you? Well, go ahead -- do your worst! [Burns slams the door and locks it] [disbelieving] He locked the door! I'll show him -- [rings the doorbell and runs away]


        Episode 1F16 -- Burns' Heir [snpp.com]

    • Is this a "Linux as an OS" product or a "Linux Embedded" product?

      According to quantum Linux theory, it's both.
  • Linux running in a totally secure environment

    You mean that Linux runs on a powered-off PC cast in concrete? (That's the only totally secore environment I know)
  • Seems like there has been alot in the news latly about Linux. I for one am happy about it. I know the BSD guys are going to rip me apart. I am a MCSE MCT and I am glade to see a product that is over hyped losing its market share. I work with 2k in the classroom and server room everyday and I am here to tell you it blows. IT is good for running games and that is all. With IBM and others getting behind linux we all have a better brighter tomarrow to look forword to.
  • I can get a mobile version same thing by tying my Agenda VR around the neck of a pit bull.His rate is actually quite competitive with that of a well-trained security specialist.
  • This is simply a continuation of an established progression, i.e. open source the traditionally proprietary internal workings of specialized devices.

    Check out http://www.networkrobots.com/ [networkrobots.com] for a functionally similar development on the router side of things.

    Hopefully this will continue to happen, but the production run of this IBM thing is not large enough to justify a slashdot piece on this. (no offense intended) If the linux-router-thing (above) takes off, that would be big.
  • I'm looking forward to play with such a device.
    How long will it remain secure?
    I think the best thing would be if part of the Linux kernel is embedded in the crypt-hardware. (Don't panic, you can flash for a new kernel image.)
    Anyway, I think that would be a lot more secure.
    Please correct me if I'm wrong here!
  • I sure hope that this isn't running RedHat 6.2.

    Jokes aside, secure hardware is useless when combined with insecure software -- and so far it seems that the software part has been a much bigger problem.
  • Imagine, Linux running in a totally secure environment!



    Ok...no network, no keyboard, no floppy, no CD-ROM, and locked up in a sealed room. Totally secure!

  • by Anonymous Coward
    Perhaps before strings of "it's not this or that in terms of security", you should read the white papers on the IBM 4758 design, so you at least understand the issues before making broad and sweeping comments.

    More importantly, being able to run something like SE Linux inside of a piece of tamper responsive hardware that has isolation mechanisms offers the ability to securely run software in places where it can't be physically assured. Even for things like data center applications, the possibilites are broad.
  • News stories like this one always tend to cloud the real issue. I admit, it's neat that Linux can run on an advanced tamper-resistant co-processor. But honestly, from an overall security perspective that's not really that interesting.

    A processor like this just provides yet another way to do "reliable" digital signatures. Such signatures are getting increasing legal status. The real security threat is the fact that it's not really the user that is doing the signature, i.e. the RSA calculations, it's the device. Regardless of how secure the device is, if a trojan horse fools the user into giving his PIN to the device, the trojan can then make a legally binding "digital signature" using a "totally secure device". On any document of the trojan's choosing.

    If you thought identity theft was bad, think again.
    • Ever so slightly off topic.

      Every time someone metions "digital signitures" I want to scream "digital seals".

      They bear much more similarity to the medieval "royal seal" than an actual signiture. Like the "prince and the pauper" story by Mark Twian where the evil baron steals the royal seal so he can make his own laws.

      Also, the signiture is a very hazy legal device having become accepted over hundreds of years of common law. Depending on the type od contract it is usually only one of many "indications of intent" a signature alone, unwitnessed, is not legally binding on anyone.

      • nope he's actually correct. crpyto is only one piece of a security puzzle. Crpyto provides confidentiality in communications, but there's also intergrity which is something like computing an md5 of the clear-text message and attaching it to the clear text then encrypt it, and authentication which is being able to determine that the public key given to you actually belongs to the person it says it does. Primary way of doing that is digital signitures.
  • For some time I've been thinking about the problem of having REAL computer security. I'm not a crypto expert, but at the end of the day it seems to me that the nub is that you need a good algorithm (these seem to exist) and you need to keep your secret key secret.

    Now, I can run a secure version of Linux behind a decent firewall and keep my secret key on that, but what stops the feds from breaking into my house whilst I am at work a sniffing it straight off the hard drive. I could perhaps keep the key on a PDA or some sort of dongle and lug it around with me, but I could always be "mugged".

    Bottom line. Is this IBM doo-hickey tamper resistant against the average thief or can it keep the feds at bay? As the DMCA (and forthcoming EUCD) makes more and more of us into potential felons this sort of issue is becoming increasingly relevant.

    BTW, how much do they cost?

    • From the article, it appears that the device stores the "private" key in RAM (ROM? Would make more sense for reboots...), and if a physical intrusion is detected, it zeroes all of its memory, thus destroying the key. The whole machine is not "secure", but the part that is performing crypto operations is. It is very doubtful that anyone could ever get your private key from this device.
    • I think they're around $10,000 each.
    • Is this IBM doo-hickey tamper resistant against the average thief or can it keep the feds at bay?


      Probably not, but it's as close as you're going to be able to get.

      BTW, how much do they cost?


      The CP/Q-based version is about USD 2K. I don't think the Linux-based version is for sale yet.


    • The encryption algorithms are secure. You can find more then a few solid encryption schemes available on the net if you look. Others that I trust say the mathmatics behind them are sound, and that by today's standards, breaking them would be difficult, if not impossible, even with the resources the feds have.


      So, if you never keep your key on the hard drive, and instead only keep it in ram, having to manually retype it every time you want something, there is no possibility of anyone rebooting and having easy access to your encrypted data (if you disclude the possibility of unencrypted stuff showing up in swap, and with memory prices the way they are, I'd just throw a gig of ram at the problem and turn swap off.) If I had such a setup (and I don't, I'm a windows luser that is content with E4M), that actual encryption scheme and the way it was carried out would be secure to my heart's content.


      Now, if this data is very important to you, I would only decrypt it when nessessary. That way, if the feds come, the chance of you having the data accessable is small. If you need to remotely access the data and it has to be up all the time, then you are in more trouble. However, it seems that when the feds do seize your equipment, they remove it, with removal, the power is turned off, and the memory is thus cleared. If you are really paranoid, just setup something in the door that as soon as its opened, it resets the power of the computer. Actually, it would be trivial for a skilled person to setup a nice motion sensor hooked up to the computer that can be remotely turned on/off, and if turned on, would reset the computer if it detects motion.


      Just my $.02

    • Try an OpenBSD box with encrypted root and encrypted swap. Turn it off when you aren't using it.
  • First, the stupidity: the article says:
    In addition, Linux provides better support for new features, which are not supported by the custom OS such as running multiple potentially hostile applications on the same 4758 coprocessor card....

    This rather defeats the whole purpose: if you allow a "hostile app" (read: an application you don't control, don't have the source for, and don't trust implicitly (e.g. Windows)) to run on this card, you have just thrown the security of the card out the window. The whole idea is that the crypto functions take place in a secure environment where everything can be trusted. If you want to run Realplayer or something, run it on the host CPU, not the card!

    Second, the nit. I work with secure comms products, and the term "zeroize" has always grated on my ears: You zero the keys, you randomize the keys, but you don't "zeroize" them. This is a typical case of the government type making up a word because it makes him sound more important. Yes, I know full well that "zeroize" is the accepted term in secure comms, but it still sounds stupid!
  • everytime you see the word(s) "OS", substitute with the word "ship" and it's a promotional ad for the Titanic. Think of the possibilities....(we've got a movie in the making)
  • We use these at work (Score:2, Informative)

    by landtuna ( 18187 )
    We use IBM 4758s at work. They're a huge pain to deal with - we've had a bunch spontaneously die. Apparently the earlier boards were more sensitive to pressure and things like that, and they just gave up on life as a result.

    The difficult thing about programming these boards is all the states they go through in the lifecycle of getting code securely loaded. There are a million different utility scripts to change the state of code trust.

    I'm curious to see how linux handles all this secure code loading stuff. Let's hope it's easier.

    (Not that I'm disparaging these boards. What they do is really amazing, as far as they can assure you that your secrets inside will never get out and the code that you have running there is your code.)
    • The difficult thing about programming these boards is all the states they go through in the lifecycle of getting code securely loaded. There are a million different utility scripts to change the state of code trust.

      I'm curious to see how linux handles all this secure code loading stuff. Let's hope it's easier.


      It probably won't be. The segment 0 and segment 1 code (which dictate the lifecycle) presumably won't change much...
    • They're a huge pain to deal with - we've had a bunch spontaneously die. Apparently the earlier boards were more sensitive to pressure and things like that, and they just gave up on life as a result.

      Here is my understanding of the situation. The internals of the 4758 are wrapped in paper that has a grid of conduting ink inside it. If any change in the conductivity of the ink is detected the 4758 is zeroed. So if someone manages to stick a logic probe thorugh the epoxy that seals the box, piercing the paper will zero the memory.

      The supplier of this wrapper intially used ink that was past the expiration date. It degraded after manufacture and the boards detected this as an intrusion attempt. This has been fixed now.

      Shipping the boards is also a pain. I think they are made in Italy and the changes that occur in temperature and pressure while they are in transit used to cause them to zero.

  • Saw the thread, headed out to the machine room with digital cam. Pics of the outside here [dragonwerks.net] Anyone have pics form the inside of a dead one?
  • Among physical and electronic tampering detection and reaction (zeroing out the memory upon detection), and the requirment that data on the device doesn't leave the device (like secret keys, etc), you get detection against enviornmental attacks such as super cooling the device in an attempt to disable or disarm other tamper detection.

    So if your IBM 4578 gets stolen, recovering the data there in will be that much more difficult.

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...