HP-LX 1.0 Secure Linux 182
kengreenebaum writes: "Webtechniques has a short but interesting article on HP's approach to a secure but expensive LINUX distro. Basically they started with RedHat 7.1 and added compartments; an extension to the age-old chroot jail concept where the processes representing major services run. Kernel extensions allow HP (or the administrator) to specify which compartments can access which kernel resources including individual files, network stacks, and each other.
HP has
Technical Product Brief as well as other material online. Interesting to compare HP's approach to that of the
NSA's Secure Linux
projects. These concepts sound like a solid way to prevent buffer overflow type security holes in individual services from compromising the entire machine. At $3000 HP-LX is too expensive for many to experiment with but the NSA's code seems to be more readily available. Anybody have experience with these distributions or with similar approaches to Linux security?"
NSA SELinux (Score:4, Interesting)
It is certainly more accessible, and I've prompted my company to look into it. Considering the current political environment, I believe this is a good way for small consulting companies to distinguish themselves.
"Why, yes, Mr. Customer, we are very familiar with computer security and specialize in using products developed by the National Security Agency. If it's good enough for the NSA, don't you think it is good enough for your business?
Re:NSA SELinux (Score:1)
Somewhat like Magic Lantern? Or was that some other USGov organization?
I'm not so sure I want to trust "government-level" security these days...
Re:NSA SELinux (Score:1)
Re:NSA SELinux (Score:2)
What about GPL, GNU, etc? (Score:2, Insightful)
Re:What about GPL, GNU, etc? (Score:5, Insightful)
I expect, however, that HP has some proprietary stuff that's included in non-GPLd binaries.
Re:General GPL Question (Score:2)
If party A just modified someone else's code, a-la the linux kernel, then gave out the software with a special contract not allowing distribution, then they would be violating the GPL. Which would mean that by distributing the code that they modified they would be breaking copyright law, and Linus or anyone who contributed to the Kernal could "DMCA" their ass, so to speak.
Re:What about GPL, GNU, etc? (Score:1)
Grteg
Re:What about GPL, GNU, etc? (Score:2, Insightful)
Re:What about GPL, GNU, etc? (Score:1)
NSA Linux distribution (Score:5, Funny)
Re:NSA Linux distribution (Score:1)
root@wiretap029114.nsa.gov:/ > hostname localhost.localdomain
Get your source code... (Score:5, Informative)
...here [hp.com].
b&
kerberos anyone? (Score:2)
Re:kerberos anyone? (Score:1)
You think it'll take any more or less time to learn the HP stuff?
Eh? How can they get away with selling that? (Score:1, Interesting)
Secondly, I'd like to know exactly how they can get away with this and not violate the GPL? They are clearly writing software that interacts with the components of a GPL'ed piece of software (the Linix kernel), and according to the GPL, that means that their extensions ought to be under the GPL as well. So where are the source code downloads, HP? Hmmm? Maybe you'll be getting a letter from the FSF's legal team sometime soon.
Re:Eh? How can they get away with selling that? (Score:2)
Re:Eh? How can they get away with selling that? (Score:4, Funny)
Re:Eh? How can they get away with selling that? (Score:4, Insightful)
However.. You are not going to get the closed source administration tools without which the kernel mod's are almost worthless. You also don't get a fully set up distribution with all the configuration and will have to duplicate all the effort that went into creating it.
If you want to be reasonably sure that your version is secure you'd have to perform extensive testing on it and have a lot of really smart people take a look at it. This is actually the easiest part as it follows normal linux development method. Still, whose ass is on the line if things are not as secure as they should be?
And you can bet your ass that anything that doesn't need to be GPLed is not and it comes with a very strict HP license that specifically forbids any disassembly, resale, etc.. Support contracts probably also include a clause that you have to have purchased the official hp distribution..
Re:Eh? How can they get away with selling that? (Score:1)
Why not? They've paid for it, sure... but once that's been done it's no money out of their pockets to give it away to other people. And since the GPL allows it, I don't see any reason why they wouldn't other than the rather irrational view that if they had to pay so much for it, then so should everyone else. But giving it away in that case would only be injurious to their pride, not their actual financial situation.
This raises what in my mind is an interesting question: is it possible to pirate GPL code? That is, say a school buys this and then some student who has access copies it and then gives it away. Since the student hasn't personally forked over the $3K, he's not going to be motivated by pride to not give it away. Further, keeping in mind that all he would have copied is stuff that was GPL'd anyways, would the student have actually done anything wrong? If not, then it's as good as certain that HP-LX will be freely available in a relatively short time. Apologies for digressing from the topic somewhat, but I believe that such a scenario illustrates the can of worms that might be opened by charging for a GPL project.
There are major problems with compartmentalization (Score:5, Interesting)
- Buffer overflows and improper argument checking plague every modern
UNIX kernel. Think about the recent sysctl() input validation hole in
Linux. Or the recent
/proc bugs in FreeBSD. Or the LDT handling bugs in
NetBSD, Solaris, and many others.
- Most kernels were not designed with least privilege in mind. For
instance, the mount() syscall allows ordinary users to mount and umount
filesystems. Access checks are performed (to make sure it is mounted
nosuid, and such) but there are undoubtedly holes waiting to be discovered.
- Until only recently, Linux had several bugs allowing users to
commandeer each others' shared memory segments. This could be used to
corrupt memory used by init(1) and several other critical programs, causing
a major security breach.
- Because the X server needs low level hardware access, most OS kernels
allow access to iopl(2) and ioperm(2). This means that attackers can talk
directly with the hardware, bypassing the OS security. The alternative, of
course, is to ban the use of graphical interfaces on that system; but
usually that is unacceptable.
Although these issues can all be addressed, the problem of proper kernel security is at best a "whack a mole" situation in which a new hole will arise shortly after an existing hole is patched. Thus, the HP-LX software probably isn't worth the CD it is pressed onto.vw
Re:There are major problems with compartmentalizat (Score:2)
On a server? I never install X, too many performance and security trade offs.
Re:There are major problems with compartmentalizat (Score:3, Insightful)
Re:There are major problems with compartmentalizat (Score:1)
Re:There are major problems with compartmentalizat (Score:1)
...with compartmentalization? (Score:1)
Re:There are major problems with compartmentalizat (Score:2, Insightful)
Kernel bugs aren't the big problem though. Look thru bugtraq and see what the kernel/user-app ratio of security problems is.
Now look at how many of the kernel level bugs that are remotely exploitable. (Ummm, I mean exploitable from remote, not that they're unlikely.) Not to say that local problems aren't problems too, but they're a lot easier to manage.
You're right about the bug whack a mole, but this time you'll be playing on a table with most of the moleholes plugged.
The X thing is a bit of a red herring. The problem is that it has hardware access (disregarding fbdev and stuff like that), and hence (from a security POV) could almost just as well be part of the kernel. Solutions:
- Don't run it. And don't allow other processes the priviliges it would/could have had. (This is easy with any MAC and even DAC system, X is always a bit of a special case.)
The Selinux system is very fine grained and you can grant a subject a capability or not depending on its' type.
- Compartmentalize X itself. To some extent this is getting worked at, but not (mostly at least) for that reason.
(X apps are a little different from other apps, since they have other IO options (Atoms, cut+paste buffer etc.) Look up CMW (Compartmented Mode Workstation) if you want to get into that.)But even if you can't do a thing about X, this is still worthwhile. Think about someting like xntpd. It's root because it needs to open a low port and because it needs to be able to update the system time. But there's no reason that it needs to be able to, say, mount filesystems, read protected files, or load kernel modules. with traditional unix security we can't do that, but with this stuff we can. The attutude that "because it only fixes 99% of the problem, it's not worthwhile" has been a problem long enough.
Re:There are major problems with compartmentalizat (Score:1, Insightful)
Yes, kernel holes are implementation or design bugs that should be fixed. Ideally, compartmentalization would be a decent security solution for userland, although if the kernel is secure then finer-grained access controls are just as good (and IMO nicer).
Re:There are major problems with compartmentalizat (Score:4, Informative)
The real way of doing this is putting the hardware drivers into the kernel (frame buffer devices).
No user process is supposed to access hardware directly, and if that meant we have no graphics, it would also mean no keyboard, text, or sound.
Although these issues can all be addressed, the problem of proper kernel security is at best a "whack a mole" situation in which a new hole will arise shortly after an existing hole is patched. Thus, the HP-LX software probably isn't worth the CD it is pressed onto.
That may be true, but it is only because of the nature of UNIX kernels. Kernels built with the principle of least privelege in mind (such as EROS [eros-os.org]) are definitely worth the fix, as it is quite unlikely to present new holes (and such a design is quite unlikely to have many holes in the first place)
Re:There are major problems with compartmentalizat (Score:1)
Isn't this what M$ did between NT 3.x and 4.0? And didn't this cause some stability problems, in that a required video driver for a server could crash the system? And didn't the UN*X crowd curse and swear when they did this? ;-)
Low confidence in anything from HP (Score:4, Informative)
Over the next couple of years I saw high level managment with no comprehension of the Unix/Linux/GNU world whatsoever do some very strange things. The HP environment is rife with strange little tribes that lie and steal from one another with no real reason. Their Linux community is no different.
And as far as HP contributing to the open source world - don't count on it. They will happily steal code, re-write it, and release it binary-only if they think they can get away with it. I've seen them do it. The whole damn company has a prima-donna attitude and will do pretty much whatever they think they can get away with.
And as far as HP and security go - take a look at their own damn HP-UX OS for a security model and ask yourself why they think they can release a unique and decent secure linux product if they can't even release their own OS with any semblence of security?
Re:Low confidence in anything from HP (Score:5, Insightful)
Bruce
Re:Low confidence in anything from HP (Score:1)
The SecureWare code is decent (I've once worked on it), but what I really would like is to get Data General to release their code (which is supposed to come from Adamax, now defunct I believe). THAT code I really respect and I believe it would be advantageous to get a real audit sub-system into Linux. I'll even settle for the AIX 4.x code for the audit sub-system, as it is already SMP-ready (I was the architect, so it would be extremely easy to retrofit it into Linux).
Off-topic, I know....
Roland B.
Re:Low confidence in anything from HP (Score:2)
Re:Low confidence in anything from HP (Score:1)
As a current HP employee I would tell you that the quality of it's products all depends on the origin from within HP. HP is highly comparmentalized, and many of the things this poster comments about can be characterized as semi-accurate in certain circumstances. However, HP-LX comes out of the Virtual Vault Group, the guys who have been making the security software that is used by a number of major Banks for online banking and the like. It uses much of the same mindset and the same technology, so if it's crap...then I would suggest you abandone your online banking. It might very well be powered by HP.
As far as HP contributing to the Open Source community. Like any other company, HP is driven by the all-mighty dollar (many times without a conscience), so they're going to do what they think will make them a decent buck. Right now, upper management thinks that Linux products and services will make them a decent buck, which is deffinately beneficial to the open source community whether their motives are pure or not.
HP was committed to Debian... (Score:4, Interesting)
Re:HP was committed to Debian... (Score:3, Informative)
Thanks
Bruce
Re:HP was committed to Debian... (Score:2)
Does HP commitment to Debian does not translate into Debian being used as a development, reference and first release platform? Or this has happened for some technical reason? Or for historical ones, like the effort being started before HP's Debian commitment?
Re:HP was committed to Debian... (Score:2)
This product is just begging for someone to take the GPL component and run with it. It could be on Debian tomorrow, without the $3000 fee. Consider that a challenge.
Bruce
Re:HP was committed to Debian... (Score:2)
Doesn't that mean a lot of different distributions? Or is the development focus really aimed at various components in the kernel and on the outside that can be "dropped in" onto most distributions (e.g. the LSB-compliant ones)? I'm sure the target customer, being one who is swayed by the RH popularity, wasn't capable of just dropping in the individual components onto a RH (despite the "ease" of RPM) box, hence a whole distribution is needed. While as a geek, a whole distribition isn't of interest to be, I can certainly see how it gives PHBs that warm and cuddly feeling.
Maybe you can clarify. I've read LSB and it certainly comes across to me as vague in this area, and I've heard conflicting interpretations that say yes and say no. Does LSB require the multiple runlevel separated directories of symlinks pointing to the init.d directory? As a security-conscious sysadmin, I do not want packages to touch my system initialization whatsoever (and some have). So I moved things around (and eliminated the symlinks altogether). The old directories are still there as a sort of "honeypot" but changes to them have no effect. Of course, for more security, I'm moving to doing more of the installs from source instead of packages.
BTW, it is chapter 13, in section VII (LSB's weird two parallel section numbering scheme that isn't really hierarchical is certainly confusing), that by itself makes me want to avoid LSB. Why can't they accept other packaging systems? Why do they have to mandate the bloated and goofy one?
Re:HP was committed to Debian... (Score:1)
What is "bloated and goofy"?
Re:HP was committed to Debian... (Score:2)
Perhaps. But my question is exactly, which would be such a reason?
Re:HP was committed to Debian... (Score:2)
As I have said before... (Score:3, Interesting)
ttyl
Farrell
Re:As I have said before... (Score:4, Troll)
And I especially don't care for users who think they've got clout [slashdot.org] just because they have a low UID. Remember, if you win a race in the special olympics you may have first place, but you're still retarded.
NSA selinux (Score:2, Interesting)
More than just kernel modifications! (Score:4, Informative)
This is much more than just a few kernel modifications but rather a full distribution that comes on 4 cd's. Instead of just having some hacks that improve security the whole distribution is build from ground up with security in mind.
For example: You can't access shell unless you're on a console or use ssh. You can't access the configuration tools unless you are in posession of administrators private ssh key. Also, the installer forces you to set the system up with security in mind instead of installing everything and the kitchen sink..
Best part of this is that it comes with support from a highly reputable vendor. Sure it has it's price tag but imagine the amount of work required to make a full distribution that's security conscious and backing it up with hp's name!
And yes, you can download the source code that goes into kernel..
I'm not sure it helps enough (Score:3, Interesting)
As a practical matter, it may help a lot because it makes the machine different from other Linux machines. It may be not too hard conceptually to work out how to break through this kind of security, it will likely protect systems from common exploits of common bugs.
However, in the long term, the only solution I see to security problems is to build on foundations that have support for guarding against common bugs and analyzing security-related program properties. That means, among other things, using languages with built-in default checks for buffer overruns and using languages with type systems that can be used to verify that data doesn't get where it isn't supposed to get (Perl's notion of "tainted" is a simple runtime example; similar static type checking is also possible in some cases). Decades of UNIX, Windows, and Linux software development and bug tracking have shown that without such support, even skilled programmers simply cannot write software containing very serious security problems in actual releases. In different words, the Linux and Windows kernels and daemons will have to be rewritten in something other than C or C++. Sorry.
Re:I'm not sure it helps enough (Score:1)
May I suggest Cyclone [cornell.edu]?
Re:I'm not sure it helps enough (Score:2)
Re:I'm not sure it helps enough (Score:1)
Simply providing security minded functions in a library, e.g. snprintf() and vsnprintf(), and employing them is all that is really needed.
Kernel and daemon developers commonly use C and C++ because they are time tested tools that produce efficient and maintainable code for those applications. This isn't likely to change any time soon.
Re:I'm not sure it helps enough (Score:2)
Why do we need safety belts and airbags? Can't people just drive carefully?
Kernel and daemon developers commonly use C and C++ because they are time tested tools that produce efficient and maintainable code for those applications.
Yes, indeed, we know exactly what kind of code real programmers produce in C and C++: systems full of security holes and buffer overruns. The fact that these bugs keep occurring even though programmers know better is exactly what demonstrates that C/C++ are not up to the task.
Re:I'm not sure it helps enough (Score:1)
Of course it's a tradeoff, all information security is a tradeoff. What you're trading is ease of use, simplicity, and convenience for accountability, verifiability, and access control. Having these tools for security is less like dominos and more like roadblocks. The more you throw up, the more you slow down attackers, and the more that are going to give up before they do any damage. Your whole post indicates a desire for bandaids to hide real bugs.
Linux implements traditional Unix security with some twists in its own unique way. We still have all the traditional tools. If you want to design a program to utilize things like chroot jails and capabilities you can do that today. HP's tools are just a nice addition to this. Linux having poor subsystem isolation is not the same as having no security at all. Now that I think about it, until we're all running Security Enhanced HURD, we won't have the overdesigned hyper-secure OS you're describing.
However, in the long term, the only solution I see to security problems is to build on foundations that have support for guarding against common bugs and analyzing security-related program properties. That means, among other things, using languages with built-in default checks for buffer overruns and using languages with type systems that can be used to verify that data doesn't get where it isn't supposed to get...
Oh you mean like this [avayalabs.com].
In different words, the Linux and Windows kernels and daemons will have to be rewritten in something other than C or C++. Sorry.
Oops, sorry, I guess SE HURD won't be enough then. I'll just have to go back and see if I have my OS/360 tapes handy ;-)
Regards,
Reid
Re:I'm not sure it helps enough (Score:1)
The point is that for any real world task, the problem-specific requirements dwarf all other considerations. The hard part is not some abstract "checking your input" -- the hard part is knowing what to check for.
Programming is just hard. It's a complete fallacy to suggest that you can make it easier by shielding programmers from the implementation detail. Because it's exactly the implementation detail that we are being paid to get right.
Re:I'm not sure it helps enough (Score:2)
Instinctively I've never trusted jail based solutions Linux or otherwise. If you want to compartmentalise build a small reasonably verifyable core and run Linux unpriviledged on it - its one of the uses for real microkernels (not Mach but something thats actually -micro-).
Re:I'm not sure it helps enough (Score:1)
Alan Cox wrote:
I Am Not A Kernel Hacker (IANAKH) but..
Jonathan Shapiro's Ph.D. thesis work impressed me in this regard - a "nanokernel"-based OS that attempts to better support low-level security:
It would be nice to implement a linux-like system on top of this, or perhaps use such a system to provide virtual machines on top of the hardware (like IBM mainframes or VMWare GSX Server).
Remember the 432 (Score:2)
Bruce
Re:I'm not sure it helps enough (Score:2)
Lisp dammit!
What this world needs is a free Lisp OS (with the low-level stuff written in Modula or something if necesssary.)
Too bad all the free Lisp OS projects deteriorate into arguments about implementation details...
Re:I'm not sure it helps enough (Score:2)
There are many systems programming languages that are as fast as C/C++ and have similar memory footprints. Examples are Ada, Modula, and various Pascal derivatives. These languages allow you to do everything you can do in C/C++, they simply are safe by default.
Re:I'm not sure it helps enough (Score:1)
Re:I'm not sure it helps enough (Score:2)
C++ is a little better than C in that it at least lets you define a reasonably safe framework, but the Linux kernel developers have been strenuously opposed even to C++.
Prior to the rise of UNIX and Windows, most kernels were written in other languages, so it's not hard to do.
GC experience from GCC 3.0 (Score:2)
Missed Point: HP all about business (Score:3, Insightful)
Practically speaking, it's safe to assume that nobody is going to run out and nuke HP-UX 11 off their servers in favor of this - HP-UX is still very far ahead of Linux (and some of its competition) in several important areas. However, for IT managers interested in considering a partial migration to Linux, this gives them a stable and secure path on which to begin to venture down, and undoubtedly one that's also covered by their existing support contracts with HP.
$3000 if you're the Kernel fearing type (Score:2)
That is only if you're afraid to do a little kernel hacking. Unless it's a binary only module (I doubt it, the're not hiding info about hardware) kernel patches should be available for Free. And really, $3000 beans isn't a whole lot for what sounds like a dreamy setup for internet boxen serving holy DNS and FTP. This is how internet services really should be ran by default. Unlike IIS that runs as user profile SYSTEM so that it can do impersonation (sorry for the M$ dig, but it's a really good example of how not to run internet services).
Re:$3000 if you're the Kernel fearing type (Score:2)
We'll it depends. This article [microsoft.com] explains it all but at one point the author says:
Where does the ASP
The article is from Nov 2001. This is WRT web services with authentication options on.
HP's kernel component is GPL-ed. (Score:4, Informative)
The user-mode component is not GPL, but given the kernel API, it's pretty easy to make up the user part.
Bruce
NSA's distribution (Score:4, Informative)
The fact that SELinux (NSA's system) now uses the LSM framework means that it can be extended easily. You can either extend the SELinux modules or add further LSM modules of your own.
It should be extremely trivial to provide a complete, and more flexible, clone of the entire HP security framework inside LSM, as all you're really doing is providing a set of capabilities to each thread, with pre-set defaults.
In fact, you'd probably want to exploit SELinux' existing framework for this, so that you could create pre-set defaults on a per-user/per-login-type/per-thread basis.
All in all, HP's setup doesn't sound novel enough to be worth 3K, but does sound intriguing enough to copy. Which, really, is something the LSM guys seem to already be doing. They've ported a decent portion of the OpenWall framework, which does a lot of this kind of stuff already.
Value added (Score:1)
The NSA's work has only been to patch the kernel, patch many of the common utilities, and create a few specialized utilities. It must be installed over a previous distro, which might discourage some less confident admins from using it.
A 3 grand price tag might not be so bad, if HP is providing a turn key solution. For $3000, new admins can avoid the pain of patcing and manipulating their systems, and they also recieve support from HP. The NSA does provide any kind of support.
Also, 3K is that much if the license permits unlimited implementation. If companies don't need to buy an additional license for each box, that is. Compared to licensing costs for Microsoft products, this would be fantastic. (I don't know if the license permits this. Like most slash readers, I didn't actually look at the article.:)
While I don't see myself using this product, I see how other situations might warrant it.
Security concerns with HP-LX (Score:2, Interesting)
If you are (or were) a network admin, would you host an Internet server without a firewall just because you used one OS and not another? I don't think so. Total security involves additional layers on top of the OS - firewalls, requiring passwords for many or all access points, and so on - as well as an admin that keeps up to date on security holes and works to plug them.
That's not to excuse OS developers who leave their products ripe for abuse, but so long as reasonable steps are taken as part of the OS I wouldn't be slandering its maker - that is, unless they're promising something they know they can't deliver.
Looks like "Secure Linux for Retards" (Score:4, Insightful)
Re:Looks like "Secure Linux for Retards" (Score:2)
Re:Looks like "Secure Linux for Retards" (Score:2)
Re:Looks like "Secure Linux for Retards" (Score:2)
Re:Looks like "Secure Linux for Retards" (Score:1)
The Confused Deputy (Score:2)
The only real approach to security is a pure capability system [eros-os.org], and ofcourse the combination of pure capbility systems with safe languages [sourceforge.net].
Re:The Confused Deputy -- Red Herring example. (Score:1)
uhm.. on UNIX, directories and uids exist.
They should be used properly.
Why "must" billing information be stored in
the same place the compiler stores debug stats?
UNIX accounting runs under a particular user
(typically adm) and the information is written
by kernel calls to the pacct file on process termination.
There are very sound reasons for this separation
of concern, like making it impossible for the
compiler (or any other arbitrary program) to
overwrite system accounting data.
There is no reason for a compiler to have to have
any ability to write to the accounting files.
If that is considered a design requirement,
then the design was wrong.
In terms of debug/frequency stats, create a
directory, make the compiler setuid or gid
to be able to write there, and put the stats
and ONLY the stats in that directory (
you do the set(ug)id, at the very end,
just to write the stats file as the last
hurrah.) Or even just leave it public write,
if someone wants to futz with your stats
they really have time on their hands.
I have nothing to say on the merits of capabilities,
but the given example is quite weak, in that it
Fixes a design error by creating an elaborate security
mechanism. The simpler solution would be to
fix the design.
Re:The Confused Deputy -- Red Herring example. (Score:2)
any ability to write to the accounting files.
If that is considered a design requirement,
then the design was wrong.
But the compiler IS outputting accounting information here.
Its easy to claim that any design requiring a certain feature *nix cannot provide is wrong, but it sounds quite an absurd claim to me. You're trying to adjust the world to your OS, rather than write an OS that fits your needs.
In terms of debug/frequency stats, create a
directory, make the compiler setuid or gid
to be able to write there, and put the stats
and ONLY the stats in that directory (
you do the set(ug)id, at the very end,
just to write the stats file as the last
hurrah.) Or even just leave it public write,
if someone wants to futz with your stats
they really have time on their hands.
Problems:
How is your solution preventing the original problem of a malicious user naming a billing filename as an output file?
As long as the compiler 'changes hats' (Setuid/gid), the privelege-checking is quite complex and will probably result in VERY complex ACL's to achieve the goal.
These stats are used for billing information, and people would thus be VERY willing to mess with them.
All these security settings require root to set up, meaning that only a system administrator is capable of setting up any system involving security checks.
Alternative approach:
The mechanism used to identify (name) objects is that of unforgable, OS-implemented keys called "capabilities". These capabilities are much like *nix file descriptors, but they are never open()'d or close()'d. Having the capability is a necessary and sufficient condition to access the named object, the object does not care who access it.
The above example, is very simply solved by capabilities:
In order to name the billing file to the compiler, the user must have a capability to that billing file. In that case, the user is fully authorized to access this file. Obviously, the user does not have a capability to this file, only the compiler does, and since there is no way to forge a capability (just like file descriptors), the user cannot name the file he must not access, and may not confuse the deputy.
Advantages:
Users (code) can only express requests by access to a capability, meaning that code is only capable of expressing authorized requests. This means that there is no ACL test failure that may give false access to this user, as the mere ability to express a request is an indication of authority to do it.
The only security test required at runtime is that the capability is valid, which is equivalent to the validity test of a file descriptor, nearing 0 time.
Capability systems are in fact simpler systems, and many security properties of such can be mathematically proven, as demonstrated by Shapiro, in his proof of part of his EROS [eros-os.org] system.
Capabilities have per-process granulity, rather than per-user granulity, and very fine-grained control of which objects every process has access to, thus the principle of least privelege is implemented.
No need for a 'super user' that bypasses ACL's, because that would destroy the principle of least privelege. Every user can create objects and spawn capabilities to use those objects, and distribute them through every channel he has a capability to.
This means any process with some minimal set of capabilities can set up a security system, not requiring any super user to bother, and killing the vast majority of threats involving a superuser.
Re:The Confused Deputy (Score:1)
Safe languages (Score:2)
Re:Safe languages (Score:2)
I suppose you meant that programmers do not bound-check properly. Obviously this is the cause of the failures. However, safe languages solve this problem by guaranteeing this can't happen.
We see a lot of buffer overruns occur however, because the only languages truly suitable for most problem domains are the languages that allow these things to happen.
Tell me, how are the unsafe languages such as C or C++ more suitable for daemon coding than Python, Lisp, Scheme, etc?
Python, along with Twisted Matrix, for example, allows for easy, safe, and very fast network daemons. Medusa is an example of a very fast Python webserver, written in much less code than equivalent C\C++, and executing at least as fast.
If Python allows performance, ease of development, reliability and guarantee of security (from such volunerabilities), how is it less suitable than C or C++ for the development of network daemons?
Completeness has nothing to do with that by the way. Reliability, memory usage, speed and portability issues have.
Reliability, and portability issues are both voting against C and C++.
As for speed, safe languages prove to be at least fast enough for I/O-bound applications. Some safe languages (Common Lisp, OCaml) even prove to compile to much more efficient code than C\C++ in many cases.
Besides, if programmers can't get something simple like array indexing right, then how are they going to get the much, much, much more complicated domain-specific safety issues right?
That's bull. All programmers make mistakes. What you are talking about here is the ability to make 0 mistakes as far as array indexing, pointer management, and other low-level issues are concerned. Firstly, there are always potential mistakes in any part of a program. Secondly, pointer management (killing dangling pointers correctly, managing complex pointing graphs, etc) is not trivial at all.
Therefore, a language that makes you a guarantee of safety in those regards, and handles all those low-level issues automatically and correctly, is a huge benefit.
And how are you going to prove that your favorite Common LISP implementation actually does not violate any of the requirements? Look at how "safe" a language like Javascript is. Or Visual Basic.
You're not going to prove it, but debugging a single, finite code base (A compiler) is a hell of a lot easier than debugging and correcting infinite amounts of code written all the time. To claim it is as hard to maintain correctness of the compiler as it is of EVERY program out there is absurd.
As for Visual Basic and Javascript, my experience is that they are safe in those regards. They are obviously (at least Visual Basic) not examples of stable well-tested platforms, as many of the Lisp, Python, and other compilers/VM's are (especially when considering the reputation of the creators).
You see where I am coming from, when your C code malfunctions, that is not a flaw with C -- it's a flaw in your code.
Assuming the goals of your language are to ease development and provide the best platform for developing software, a language that does not provide a guarantee of safety is far inferior to one that does, in terms of fulfilling those goals.
Re:Safe languages (Score:2)
Your claims sum up to:
Popularity is a measure of quality:
Should I really have to discredit this one? What has NetBSD or FreeBSD done to make Windows less popular? Nothing. Are they better than Windows for many many useful purposes? Most people think so.
Python webservers, and Python code is often used in server-side, but maybe you haven't done your homework.
Major sites like Google, NASA, Yahoo, FourEleven, Nortel... use it in the core of their products.
There is a huge list of Lisp users, not to mention Java server-side code.
C and C++'s popularity is dying down, and now that Microsoft Marketing will be pushing C# down everyone's throats, it'll probably remain only in the *nix domain, and as hardware improves, eventually die down.
Safe languages are slow:
Much research and comparison of different languages, such as Lisp and C++ seem to contradict this. Many show that most Common Lisp code using a good compiler will in fact execute faster than most C++ code.
Already C compilers try to analyze the low-level code, making out high-level details of it in order to optimize it. Higher-level languages are in fact becoming more optimizable than C as compilers are getting more advanced.
C is more portable:
This is sort of a paradox as Python, Java, etc have C implementations, and require only high-level access, allowing portable implementations anywhere.
Java VM can run both Java and Python code. Java VM's are implemented on more platforms than proper POSIX-compliant C compilers, last I checked.
C is conceptually less portable. High-level languages will easily/natively make use of the new technologies like VLIW, whereas C compilers will have a VERY hard time using that technology in such low-level code.
Programming is hard - therefore lack of safety (note: safety, not security) is acceptable:
Note that not all, but most security problems result from this lack of safety. Unlike your claim, this safety really exists in languages like Python and Lisp.
When was the last time pure Python or Lisp (without C modules) crashed? I've writtens dozens to hundreds of thousands of Python lines, and never experienced crashes in pure Python code. Some C extension modules crashed, as C code often tends to.
The guarantee of safety is not worth the performance hit:
Maybe running a pure Python-code webserver on a 586 100 with 16 megs of RAM is a bad idea.
However, Common Lisp, OCaml, Python code to 'glue' optimized C modules, etc executes fast enough even on the older hardware, and the memory requirements are generally not that bad. Usually something like a factor of 2 or 3, with some constant size addition to C code.
Today's hardware makes the language of your choice irrelevant, as the differences become more and more unnoticable.
This almost-unnoticable 'hit' on performance is definitely worth the guarantee of safety, that eliminates almost all security problems.
Outlook security holes were not solved by safe languages:
True, but VBS *is* safe (not secure, SAFE). This means it does not crash.
Most security problems are already eliminated. As for complete access to the machine, that's a security problem that has nothing to do with the use of safe languages.
RSBAC & *plug* (Score:2, Interesting)
Castle [altlinux.ru] from ALT Linux Team is a Linux distribution that uses RSBAC and chroot jails. Also, recently, the tcb scheme has been adopted for secure access to system passwords without need for setuid root.
The Prize Tag Is A Good Thing[tm] (Score:2)
You know how PHBs think: If it's free, then you can't make money off of it. If HP is able to sell this at $3000 a piece, maybe they will get their eyes opened for the possibility that there is money in Free Software.
Name collision with HP LX Palmtop series (Score:2, Interesting)
For more information on the LX palmtops, see the FAQ at http://www.hplx.net/faq.faq.html [hplx.net]. Attached below is a short excerpt from the FAQ that provides some background.
---
Q. What is the HP100LX?
Depending on your point of view, it's either an IBM PC-XT stuffed into a very tiny case with some Personal Information Management (PIM) software and Lotus 1-2-3 built into ROM, or it's a high-end electronic organizer that also runs MS-DOS software.
Q. What is the HP200LX?
It's the successor to the 100LX. It's essentially a 100LX with cosmetic changes and the addition of Pocket Quicken, LapLink Remote, and some feature enhancements for the PIM applications in the ROM.
Q. What is the HP Omnigo 700LX?
It's basically a somewhat faster 200LX with a docking cradle for a Nokia GSM cellular phone, some LEDs on the front, and some extra built-in communications software. It is only available in Europe and Asia/Pacific, where the GSM standard is, well, standardized. This product has been discontinued by HP and is no longer sold. If you can get a used one, it's possible to use it in the US if you live in an area where GSM coverage is offered (i.e. California, Nevada, etc.) if you get a compatible phone. The Nokia 2190 fits the OmniGo 700LX's cradle and works in the US, for example.
Q. Why would I want an outdated DOS palmtop when I could get a modern Windows CE machine?
The 200LX may be a few years old, but it is a far better computing device than any Windows CE machine. A few of its strengths:
- Battery life (up to 2 months on a single pair of batteries)
- DOS compatibility (can run millions of programs written for desktop computers)
- High-resolution screen (fully CGA compatible, 640x200 [33% wider than most WinCE units])
- Better keyboard (separate numeric keypad; nice solid feel with good tactile feedback)
- Better PIM apps (built-in apps are unsurpassed for quality and ease of use)
- Pocket Quicken built in (keep track of your finances without spending any extra money for the financial software)
- Better expansion support (see flash cards and other memory expansions as a drive, not just a folder)
Q. Why would I want an outdated DOS palmtop when I can get a sleek PalmPilot or Palm III?
The PalmPilot series is made for a completely different purpose than the 200LX. The 200LX is essentially a full-blown computer that fits in your pocket, and doubles as an organizer. The PalmPilot series are meant to be organizers and to help connect with desktop computers. Both platforms have their strengths and weaknesses, but for real computing in the palm of your hand, the 200LX is the only choice.
---
Re:Name collision with HP LX Palmtop series (Score:1)
Secure Linuxes (Score:2, Informative)
The two OSs are fairly similar in what they hope to accomplish -- isolate the risky software and users from the rest of the system so if something bad happens it doesn't take everything down. From the sound of the HP presentation, this is all HP Secure Linux does. You create compartments and then specify what the compartment can do. You can do the same thing with the NSA's SE Linux and much much more. I was really impressed with the flexibility offered by SE Linux. You can setup your system with about any security policy you like. The biggest problem is the great complexity. You need to do a good deal of research before even thinking about modifying the sample security rules that come with SE Linux. There are thousands of rules in the included security policy. This is where HP Secure Linux probably has an advantage--it's a bit simpler to user. Though I haven't had a chance to try it out yet.
You don't really need to pay $3000 for it either. The kernel patches are GPLed and part of the kernel security interface used by SE Linux also (NSA and HP have cooperated here). You are really paying for the tools, but those are just programs that make certain sys calls. It shouldn't be a problem to write your own open source versions. Though there might be a nice gui that would take more work to create.
If you are interested in secure linuxes also take a look at Immunix [immunix.org] and EnGarde [engardelinux.org]. Both also have kernel level security controls, but not to the level of NSA Linux. Immunix has a comparment system like HP Secure Linux called SubDomain. EnGarde uses the Linux Intrusion Detection Project.
A paper doing a detailed comparison of the four would be welcome!
Another couple to look at (Score:1)
At one time I looked into SE Linux but noted there was some problem with using LVM with it due to attributes that were used on files, But maybe this has changed? I suppose I could go look again.
I like the idea of setting things up my way (LFS) anyways and using it as the base server and having other virtual servers.
Re:Another couple to look at (Score:2)
The latest versions use the Linux Security Module (lsm), like LIDS, that hooks in at the VFS layer. so far, ext2 and ReiserFS have been confirmed to work. The only requirement the fs is persistent inode labelling(?-my terminology is off-?), but (IIRC) ext3 and xfs have also been tested.
Check the mailing list for details.
Immunix (Score:2, Informative)
- Complexity and Flexibility: The more complex a product is, the more flexible it can be. SubDomain is less complex to manage than SELinux, but offers more flexibility than HP-LX.
- Price: SELinux is free, Immunix Systems are $90 each [elinux.com], and HP-LX is $3000 each.
Immunix also features other security protections:- StackGuard: resists most buffer overflow attacks.
- FormatGuard: resists most printf format bug attacks.
Crispin----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. [wirex.com]
Immunix: [immunix.org] Security Hardened Linux Distribution
Available for purchase [wirex.com]
What the price tag really means. (Score:2, Insightful)
It's not really that expensive. In fact, I'll probably recommend it to the company I work for. If your company is security conscious, and you don't want to have to maintain something, then this seems like a great option.
This is probably one of the first really good business plans I've seen with Linux. The greatest part is that HP didn't try to mess around and not release the kernel stuff. So, they've helped out the community by adding a cool concept (I always hated that Linux does have jails) and they also are delivering a good, reasonably price, product.
I am of course assuming that this software works
If you do the math though for a server running Windows NT plus an email server, web server, and remote admin package that would be as robust as what Linux has, then it's a no brainer which one is cheaper.
Especially since alot of software is based on the number of users (especially email suites). So you kind of end up getting screwed when you hire more people.
More to the point... FTP & most mail services (Score:1)
Why yet another CWM/B1 effort? (Score:2, Interesting)
Audit trails that can be (semi-) trusted is what most of us security people demand, and which Linux doesn't deliver (don't tell me about syslog, as it is designed for IT administrators, not security administrators).
These seems to be present in the HP-LX (can't access HP's website right now, but I assume it is based on the old SecureWare code HP purchased a while back and been using the last couple of years). Unfortunately, what Bruce (Perens) says about that it would be easy to reconstruct the user space parts of the auditing subsystem I disagree with, as this is the majority of the code and also the most complex part.
With Best Regards
Roland B.
Re:Why yet another CWM/B1 effort? (Score:1)
None of the code for the audit subsystem in HP-LX is from SecureWare. But the lessons learned from SecureWare/VirtualVault is what motivated this audit subsystem.
The audit kernel driver and the audit daemon are all open sourced. The reduction program is not open sourced. (I hope to change that in the future
The goal of the audit subsystem was to get the audit data out in any format that the user wanted. You could view this audit data in a format that you wanted or you could pipe your audit data into an IDS system of your choice.
HP-LX audit is 1.0 software. It is missing many things. But, after some evaniglizing (sp??), it was a 6 month effort from the "go" word to out the door. So, somethings needed to be cut back on.
Surprised nobody's mentioned TrustedBSD Project (Score:2, Informative)
Much of the work is to be rolled into a future FreeBSD distro. And that's released under the BSD license -- than which you can't get much less restrictive.
How to build secure applications (Score:2)
For example, a mail handler should be composed of several components in separate security compartments:
That's what NSA Secure Linux is intended to support. DoD secure systems have been built like this for at least two decades.
Again, and I cannot overemphasize this, the key is that the trusted components must be small. All other architectural considerations, including performance, must yield to this if you want security.
Re: (Score:1)
The mythical idiot-proof distro/OS (Score:2, Interesting)
Look, I'm sure someone else has said this already a million times here, and I know Bruce Schneier makes it his mantra, but I'll repeat it for those of us who came late: Most of security has nothing to do with software, and everything to do with poor procedure. All the chroot jails in the world cannot restrain the sheer magnitude of people's apathy toward secure practice and process.
And yes, sometimes even the best security is broken. Let's face it, if you want your data secure, you are already outnumbered millions to one. Yet, this is a default condition - the majority of security vulnerabilites are relative to the actions of script kiddies, who use network flooding and other lame attacks to force people off the net and crash systems. Adding another security layer will make it harder to brute-force your way in, certainly, but what's the point of sealing the door with concrete if lazy administration practice leaves the windows wide open?
And, how does this differ from OpenBSD? I'm not a BSD zealot, but way too much of this sounds like the exact practice taken toward OpenBSD development. Does this software deserve extra creds because it costs more? Are people more likely to take security seriously if they spend $3000 on an operating system than if they get it for free? How much of this code is audited? All the default packages? Did they audit anything, or did they just implement chroot jails and assume they have found a "workaround" for a malignent problem in UNIX security?
I'm not saying that this is a bad idea. I'm sure this distro will provide for a more secure environment by default, for those of us who don't have the time to audit our production boxes. But I just don't see reason to presume that this distro is any more secure than a properly configured SELinux or OpenBSD box. And please, if you think I'm wrong, enlighten me, because I'm no expert. I just think that building a better mouse trap is pointless when the trap operators don't know how to operate it.
Hardening is VERY expensive (Score:2)
Trusted Solaris (Score:1)
some clarification (Score:2, Informative)
HP-LX has no VirtualVault code. There is nothing in HP-LX code that is derived from VV.
A trusted/secure OS should not be your ONLY security mechanism. It is just a part of the overall architecture.
So, what were the goals of this product:
VirtualVault covered the ultra security needs. But at a cost. You needed to intergrate your applications on a VV. You had to teach your sysadmins about VirtualVault. Many smaller shops could not justify the cost of these. So an alternative was created by HP.
Some form os security is better than no security at all. So, what HP wanted to do is lower the complexity of the security mechanism and raise the ease of use. This would allow people to get applications up and running quick on their machine and not have to retrain their systems on a new os.
So, the product had to be:
1. Help protect services on the network boundry. So, this is not designed as a multi-user system. It is designed to protect any type of service that is made available on a public network.
2. Easy to use. Without this, it would be an interesting product, but acceptence by the non-security folks would be hard.
3. Security should not be intrusive. So, as little code change as possible. By this I mean, try not to make changes to user space programs. The admin should be familiar with the environment that he is running in. Only 2 programs are changed, init and xinetd.
4. Sometimes security had to be relaxed in order to keep it easy to use.
These were the four high level drivers for this product.
From a feature set, there are three major components:
1. Containment. Protecting agains ALL buffer overflow attacks is difficult. So, lets contain the damage. Compartments helps us issolate the application from other applications/subsystems on the system.
2. An audit subsystem to be able to watch what is going on on the system. Collection audit does not help if you can't do anything with it. So, it had to be flexible. It is in it's early stages.
3. Lockdown. This mean, locking down most of the permissions on the system. Use tripwire to monitor what is going on on the system. Turn off most of the service that are needed. Generally, do whatever you would do to lockdown a system that is put on a public network.
This should give a little insight into the motivation for the product. This should help shed some light why some decisions where made. The goal of this product to to find a right balance between "ease of use and security". You can be the most secure product, but if it is difficut to use, it will be cast aside. HP-LX is an attempt to achive this balance. More work is needed, but it is the first step...