Domain: trustedbsd.org
Stories and comments across the archive that link to trustedbsd.org.
Comments · 54
-
Link to non-slashdotted pdf (until now anyway)
-
Re:It doesnt matter...
Where can we learn more about this Bitfrost-like security model?
It isn't exactly like Bitfrost. It's actually a port of the mandatory access control system in TrustedBSD. They introduced it in 10.5, applied to select services (like Bonjour) and have expanded it in 10.6. They also provided a way for developers to implement it for end user apps. Here's a decent overview. Another good reference is the original TrustedBSD stuff: http://www.trustedbsd.org/docs.html. There is also a GUI program called "sandbox" that can be used to edit ACLs more easily.
-
This is not a nerd joke guys
As Linux and FreeBSD in that point today, someone needs to investigate who or which board had the genius idea of putting Windows in space. It smells really, really dirty.
I like OS X and Apple but if I had something to put in space, it would be SE Linux ( http://www.nsa.gov/selinux/ ) or Trusted BSD http://www.trustedbsd.org/ and nothing else. It is not like they will play God damn DirectX games there. If scientists require Windows, again, they need to get investigated too. GNU doesn't put millions of hours of free work on Fortran support etc. for nothing. If a scientist can't code plain Fortran/Java or C code, he is not a scientist.
This is not a regular "Oh look how stupid they are" thing. If one digs into it enough, there could be some sort of Space-Watergate scandal out of it.
Putting Windows in space is something like an amazing joke. As nobody would joke with billion dollar equipment, it must have some background.
-
Re:TrustedBSD
Yeah, that must be why TrustedBSD is copying SELinux
There is no "copying". They all implement the same features and ideas designed by the same people for the same purpose. From NSA's, DARPA's et al. perspective, this is simply "dual sourcing" — what customers with huge budgets and strict requirements are supposed to do for redundancy.
They need them all for their multitude of servers. But since FreeBSD is better to begin with, you want it for your smaller establishment, unless already "married" to Linux for some other reason — just as I said before
;-) The page you sent me to describes SEBSD as a port, not a "copy". Guess what? Firefox is a port too. Does it make it somehow inferior?.. Mozilla's primary target-platform is Windows — what you have on Linux is also what you'd call "a copy".
-
Re:TrustedBSD
Yeah, that must be why TrustedBSD is copying SELinux (just like opensolaris)...
People claim SELinux is difficult, but they often don't understand how insanely powerful it is....
-
TrustedBSD
Unless you are married to Linux already for some reason, you'll want TrustedBSD. Built on top of/as extension to FreeBSD, it had a substantial head-start...
-
Re:Security
Well, Apple contributes to and makes use of the TrustedBSD project; e.g. OpenBSM is derived from code Apple released, and the MAC framework is found on both FreeBSD and OS X.
-
Re:For people who don't grok EAL4 and ALC_FLR.3
Sorry for the naive question in advance, but I was under the impression that some flavors of BSD (OpenBSD?) were extremely secure as well.
The confusion here is that this certification has nothing to do with exploits or kernel bugs (the form of security most people talk about on a regular basis). We're talking about CIA/NSA levels security. It's based largely on how finely-grained the system permissions are, so that an exploited application can't access any other files, open any other ports, etc., etc., as well as ensuring that a system can have multiple administrators, each with very limited scope of privileges (no single root account) and overlapping authority. It is known as MAC (Mandatory Access Controls).
RedHat Linux has MACs mainly because it took the mechanisms from the NSA's SELinux and rolled it into their own OS.
FreeBSD has a spin-off project called TrustedBSD which has actually been around longer than SELinux, and has had much more impact, with some of its features having been integrated into other systems such as NetBSD and OS X. See: http://www.trustedbsd.org/ and http://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/mac.html
The difference, though, is that RedHat is a company, which wants to pay for certification so they can use it to market their product. FreeBSD/TrustedBSD isn't run by any large company with a deep financial interest in marketing the OS, so it's unlikely to go through the evaluation and certification process.
OpenBSD doesn't have any of those security mechanisms, but you can accomplish the application security part of it through extensive use of systrace. Both methods are difficult to use effectively in practice, and require a skilled and dedicated admin... not really cost-effective for 99% of companies.
-
Re:Unix-style permissions are not enough.
What I propose is that we shift from permissions by user to permissions by application.
If you're in a hurry to add this functionality, it is freely available from the port of TrustedBSD to OS X which you can get here. It is still pretty difficult for everyday use, however, because applications are not designed to accommodate it very well. In other news, Apple had posted mention of an application signing framework and a mandatory access control framework on their public facing developer pages for Leopard, but it was pulled with no explanation at the end of 2006. Keep your fingers crossed, as this may be coming to OS X a lot sooner than you had anticipated.
-
Re:Helping Microsoft or helping users?
It would be nice if that were true, but given the secrecy and lack of information about exactly what the NSA did we have no idea how "helped" any of us are.
Given the fact, that nobody is pushing NSA to say anything on the subject, it is unlikely, that they are lying. The kind of "help" you suspect NSA of providing needs no press-releases...
In any event, if the government wanted to help "the users" it would make it very clear as to what security criteria [...]
Those are very strict requirements you are placing there, actually. Making anything "very clear", coming up with reliable estimates of saving/loss from using a particular product, making recommendations — hairy stuff, which NSA is rightly steering clear from...
[...] helping hand to a private monopoly, because the roll out of their latest software abortion is looking like a flop.
And why does NSA help BSD and Linux? Sorry, your conspiracy theory is less convincing, than NSA's stated reasoning — 90% of personal computers run Windows, thus we all benefit from the OS being more secure. Microsoft is, of course, going to milk this for all they can, but it is no less plausible an explanation because of that...
-
Helping Microsoft or helping users?
I certainly understand and share the frustration of tax-dollars helping a healthy and profitable corporation, but another way to look at this is NSA is helping the users. The proper long-term solution would, probably, be to make software vendors liable for flaws in their products — as is the case with most other industries. Short-term, however, National Security Agency making personal computers harder to hijack does, indeed, contribute to, uhmm, national security...
Microsoft is not the only entity to benefit either, BTW. For example, FreeBSD cvs-commit messages have plenty of acknowledgments of government's help (fgrep for TrustedBSD). The NSA-funded SELinux is another example...
NSA is, supposedly, full of very smart, technically adept people, who, no doubt, strongly prefer Unix-like OSes (on average) to Microsoft's offerings. However, with Microsoft's market-dominance, it gives a lot more bang for the NSA's buck to help them, rather than the OSS projects...
Granted, there is a danger of this solution perpetuating the problem, but that's a distant and lesser danger, than the present and grave one of millions of zombies arraigned into bot-nets and immediately usable (and up for hire) against businesses and government institutions alike.
-
BSD
NetBSD has verified exec option, it doesn't prevent you from being exploited if the kernel is compromised though.
But NetBSD's kernel is extremely well written and as far as I've seen is the one with the best track record of all open source kernels.
Together with the Systrace (by NetBSD developer Niels Provos) you can build extremely secure systems that are super portable.
FreeBSD has similar functionality with its TrustedBSD framework.
I would say NetBSD or FreeBSD is your best bet.
Maybe you can make a Linux install with a subset of the same functionality through SELinux, but I doubt it will be as nice as the NetBSD route.
-
Wrong - Apple contributed code to FreeBSD
Yeah, modded "insightful" by GPL fanboys. Look, factually speaking, you're wrong. Apple has contributed code to FreeBSD.
Read this:
Since Mac OS X v10.0 was released in 2001, Apple has been filtering BSD code in and out of their kernel, userland, and libraries. This code then makes its way back to FreeBSD. (...) By the time Apple released Panther, their contributions back into FreeBSD had amassed into a new FreeBSD milestone, the 5.x branch. http://osviews.com/modules.php?op=modload&name=News&file=article&sid=938&mode=&order=&thold=
OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, which upon request, Apple relicensed under a BSD licence (wikipedia citation) OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation http://www.trustedbsd.org/openbsm.html
-
MAC for the Mac
One big step Apple should take in securing OS-X is using Mandatory Access Controls, ala SELinux. SEDarwin is a step in the right direction, and hopefully Apple is taking notice.
I'd love to see the next iteration of OS-X deliver:
1. A standard framework for Mandatory Access Controls
2. A firewall configurable to prompt the user to whitelist the behavior of new applications
3. Clearer encouragement to run as a non-administrator account
4. A virus-scanning framework, without necessarily committing to providing the signatures
5. Use of the virtualization technology built into the CPUs of the Intel Macs to more strongly isolate applications
I'd rather see Apple, not McAfee, add this value to the platform. The above features are what an Operating System should provide, in my opinion ... not what a third-party vendor should tack on.
-
Re:OpenBSD
OpenBSD, from what I've heard, is good, but most of its security is based upon correct implementation. This is good, but the OpenBSD team can only audit and control the base system, meaning that applications and libraries added to the system can often degrade the security of the system as a whole.
Judging from the technologies and companies mentioned in the summary, this attempt at Linux security is based on providing better access controls and privilege models in the Linux kernel. By better, I mean that these mechanisms can:
1) Provide finer grain privileges so that fewer programs can be exploited to escalate privilege, and
2) Isolate unrelated programs and users from each other (e.g. an exploit in a DNS server is restricted to only accessing DNS files but is not able to manipulate web server pages).
These two techniques basically reduce the number of avenues an attacker can use to exploit a system. It is less likely that a piece of exploitable software will have sufficient access to whatever it is the attacker wants to get to. Granted, it is not a complete solution, but it's a handy thing to have in one's security toolbox.
I believe that the OpenBSD/OpenSSH teams are beginning to do similar things (e.g. OpenSSH privilege separation), but I don't think they've taken the leap to providing more sophisticated access controls in the kernel.
If you're interested, examples of trusted operating systems/access controls can be found at the following places:
Linux Capabilities:
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
Trusted BSD:
http://www.trustedbsd.org/docs.html
Argus Systems Group (go to the Support section and take a look at the docs for PitBull LX and Foundation; they give a rather complete description of the mechanisms):
http://www.argus-systems.com/
Trusted Computer Solutions (mentioned in the article):
http://www.trustedcs.com/index.html
Disclaimer: I used to work for Argus Systems Group, and I know a few of the TCS employees (as they are also ex-Argus employees).
-
Re:Yeah, what's wrong with Beastie?
Like this?
-
Re:Most Secure OS?
Could you provide examples of "real operating systems designed to be secure from the ground up"? I'd like to know.
Trusted Solaris from Sun and SecureOS from Secure Computing used in their Sidewinder firewall are just two off the top of my head.
It doesn't necessarily need to be commercial either since there's TrustedBSD for instance. I guess I shouldn't say "designed from scratch" since many of them build on original BSD or System V code as a starting point, but there are certainly MAC based systems built from scratch out there.. probably custom jobs unavailable to us outside the government, but they're out there.
Again, I'm not saying OpenBSD is insecure, far from it. OpenBSD is probably the most secure operating system you'll get without introducing complicated mandatory access controls (type enforcement, RBAC, whatever you want to call it), but we shouldn't kid ourselves by saying that it's as secure as other operating systems available.
-
Re:Firefox Too?
It would be nice if operating systems could protect applications from each other.... Are there any operating systems that do that?
My prayers have been answered, yes there are, and discussing them on Slashdot should have happened eons ago... With computers taking more sick days than people, you would think people would be asking for a secure OS when they buy a new PC at CompUSA.
It's called capability-based access control (first implemented in the '70s). It's just a fancy way of saying that rather than having a program get rights because of whoever executes it, it gets all sorts of rights all by itself.... Yes, that's an improvement security-wise, because this way a process can get only the rights it needs.
Of course you could go and build an all-new operating system for this principle. However, many operating systems have been hacked to do tiny bits of this already. In fact many personal firewalls do it for Windows (I never thought I would be advocating something called a firewall, considering I tend to call firewalls "stupid packet filters" and claim they do little for security). Of course open operating systems have plenty of implementations of this idea. Now if only people were to ask Microsoft for stuff like this. Windows is full of crazy features that are there because big customers needed them. With Microsoft giving up on their "(backwards) compatibility before anything else" idea (XP SP2), structural changes might someday make it into Windows. Of course, that's only if paying customers want them.
-
"This being 2004..."
"This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.
How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6.
The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.
---------
WAP news -
Typical...
Most of the opponents of this war, who, I suspect, are otherwise capable of reason, tend to lose their reasoning abilities rapidly and go into a passionate rage, when talking about it.
Just listen to this guy:
"I just don't think it had to cost maybe 20K Iraqi lives and how many Americans' so far."
Well, how many would you approve of, sir? 20K would still be very little -- Saddam himself has killed and would've killed much more.
"I don't think that Linux should be used for killing"
Oh, "killing is wrong", is it not? I'm sure, if Saddam's army was marching on Los Angeles, he would've approved of killing as many of them as possible. So, killing (and using Linux for it) is only wrong when it is done against his beliefs -- well, say so... (My bodyguards carry weapons, but everyone else who does should be locked up, says Rosie O'Donnell -- the passionate lightning rod of the pro-gun lobby.)
"I don't really trust the Pentagon to abide by the GPL"
I wonder which violation of GPL does he suspect? Not providing source to code modifications? But that is not required, as long as the modifications are not distributed by Pentagon. And they are not -- by the nature of the organization. They are not in the software business at all... Their laboratories, that are in that business and do distribute modifications, distribute the source too -- the already mentioned SELinux, TrustedBSD...
"Everybody won on that one, and it's a great use of our tax dollars. In the first Gulf War, even the Iraqis used American GPS to guide their missiles. Talk about your equal-opportunity technologies."
Now he is cheering for Iraq? The Iraq of 1991? Talk about loss of reasoning... It is a flaw of the GPS that it can be used by our enemies (even if they can't get full precision of it). This is not a sport match, where equal opportunity is desired -- people are dying there, and the higher the advantage of your side, the less of it dies, the better.
"You know I am in favor of an army and a national defense"
Oh, see, he is not against killing at all... Nothing wrong with passion per se. It is great in art, in bed (the very special art), etc. But the less of it in politics and computers (what a weird pairing of fields!) the better.
Good riddance, LULA!
-
We must not accept this
For as long as I can remember, everyone has been saying that computer security flaws are inevitable. Somehow they are part of the "laws of physics" of the computer world and we must learn to live with them. This thought pattern is out of date and is holding us back from having secure systems. We have accepted this idea of inevitability of security problems just like we used to accept the inevitability of cars leaking oil or that certain medical conditions were incurable.
Computer security problems almost always fall into a few well-known (beaten to death is more accurate) patterns. One such pattern is the "buffer overflow attack". Why does anyone accept this? There is absolutely no reason for modern software to be subject to buffer overflows. We have languages like Java which run everything within a protected virtual machine and don't use buffers. We can design CPUs which allow sections of memory to be marked "execute only, don't write". We can use safe string libraries instead of creaky old standard lib. And yet I still hear people saying that buffer overflows are a given.
Same with root escalations. For years we have had ideas of how to have systems that are compartmented and don't have root. In the Unix world, we have the idiocy of "trusted ports" (ports I could go on and on. The only reason why computers are so insecure is because we have accepted that they are and decided to live with it. This is just wrong.
--------
Create your own WAP site, or become a Wireless-Enabled Hosting(tm) provider -
Is it optional?
Are they talking about NGTCB as a replacement for all current Windows systems, or as an optional replacement if you desire the added security features?
The article states: "But the other part...called the 'Nexus mode'
... is entirely optional for the user, is the 'trusted computing' model..."
It sounds like the difference between a mandatory access control system and a discretionary access control system. How is this different from what MAC extensions like TrustedBSD are to FreeBSD?
-
Re:One recommendation
In addition to the mechanisms mentioned before like securelevels, jails and fs flags, FreeBSD 5 has the MAC framework from the TrustedBSD project that can do some funky stuff, similar to what LIDS or SELinux do (in fact, some MAC modules are derived from SELinux code). It's an extensible modular framework with default modules that implement the usual Mandatory Access Control policies, like being able to specify which processes may do what with which files etc. It is documented in the Handbook and on the TrustedBSD site. FBSD 5 also has extended filesystem ACLs (POSIX.1e style), like LIDS.
One thing still missing are full POSIX.1e capabilities, but they are being worked on.
-
Re:GPG is also a disaster and other rants
Check out the work that is being done on trustedbsd.org, which is based on (and being backported into) FreeBSD 5.X. Also, although not as well documented, FreeBSD 5.X has a storage abstraction layer called GEOM, upon which is built GBDE, "GEOM-Based Disk Encryption". A status report is located here but the FreeBSD email archives are currently the best place to find this information.
-
Re:Advertising shmadvertising...
I wish FreeBSD had something that cool
I understand filesystem ACLs are coming in fbsd-5.
I'm not sure how they compare to LIDS but if you have fbsd 5.0 you can read about them in /usr/src/sys/ufs/ufs/README.acls.
This page describes the OpenBSD port so might be useful.
And of course there's always TrustedBSD.
-
Trite bullshit
I can't believe somebody modded you up for that. This doesn't even begin to approach the level of security that the likes of Trusted Solaris and high end IBM software is at. It's just a collection of security fixes and patches. It's not even introduction of an ACL system like TrustedBSD has. It's just a half-assed attempt at a security audit to remove the existing bugs.
Real security comes by design, not by sticking your thumb in the dike again and again and again.
-
Re:BSD is concerning itself with kernel security
One nice project is TrustedBSD, parts of which will appear in FreeBSD 5.0.
-
Re:Complacence will get us nowhere
The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC).
About TrustedBSD
The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). This project is still under development, and much of the code is destined to make its way back into the base FreeBSD operating system.
This Web site will provide access to documentation, code relating to features that are still under development, and code that has its fingers in too many places to justify integrating into the base operating system. Targeted features include:
- Extensible and audited authorization framework to support access control modules. This framework provides general-purpose labeling of kernel subjects/objects, centralized policy management, and access to a variety of run-time security events. This will allow the compile-time, boot-time, and run-time extension of the operating system security model based in both TrustedBSD access control modules, and third-party modules that employ the extension framework.
- Mandatory access control modules based on the framework supporting a variety of access control models, including fixed and floating label Biba integrity policies, the MLS confidentiality policy, Type Enforcement, and other customized policies designed for common FreeBSD deployment scenarios. In addition, the SELinux FLASK and Type Enforcement implementations will be provided via an SEBSD module, providing access to the higher level FLASK service abstraction, and mature TE implementation.
- Improvements in system privilege to reduce the level of risk associated with common system management functions.
- Access control lists for the file system and other kernel resources allowing fine-grained and manageable discretionary access control.
- Event auditing support, and single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.
The TrustedBSD Project is made possible through the generous sponsorship and donations of a variety of organizations, including DARPA, NAI Labs, Safeport Network Services, the University of Pennsylvania, Yahoo!, and others. Contributions to support the TrustedBSD Project are welcome; please consider making donations through the FreeBSD Foundation.
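A toy model of the label-based policies the feature list above names (fixed and floating-label Biba integrity, and MLS confidentiality) composed through a minimal module framework, which also plays out the "exploited DNS server cannot touch the web pages" isolation case raised earlier in the thread. It is an added illustration, not TrustedBSD code: every class and function name here is the example's own assumption, not a FreeBSD API.

```python
"""Toy label-based MAC: Biba integrity and MLS confidentiality policies composed
by a small module framework.  Added example, not TrustedBSD code; the names are
this example's own and mirror only the shape of the real mac_biba/mac_mls
labels (a grade/level plus a set of compartments)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Label:
    """A MAC label: numeric grade/level plus a set of compartments."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order: at least the other's level and a superset of its compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound; used by the floating-label (low-watermark) Biba variant."""
        return Label(min(self.level, other.level), self.compartments & other.compartments)


READ, WRITE = "read", "write"


def mls_check(subject: Label, obj: Label, op: str) -> bool:
    """MLS confidentiality (Bell-LaPadula): no read up, no write down."""
    if op == READ:
        return subject.dominates(obj)
    if op == WRITE:
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_check(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: no read down, no write up (the dual of MLS)."""
    if op == READ:
        return obj.dominates(subject)       # object must be at least as trustworthy
    if op == WRITE:
        return subject.dominates(obj)       # subject must be at least as trustworthy
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Entity:
    """A kernel subject (process) or object (file) carrying one label per policy."""
    name: str
    mls: Label
    biba: Label


Policy = Callable[[Entity, Entity, str], bool]


def mls_policy(s: Entity, o: Entity, op: str) -> bool:
    return mls_check(s.mls, o.mls, op)


def biba_policy(s: Entity, o: Entity, op: str) -> bool:
    return biba_check(s.biba, o.biba, op)


class MacFramework:
    """Minimal stand-in for a modular authorization framework: loaded policy
    modules are consulted in turn and any single denial is final."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def register(self, policy: Policy) -> None:
        self.policies.append(policy)

    def check(self, subject: Entity, obj: Entity, op: str) -> bool:
        return all(policy(subject, obj, op) for policy in self.policies)


def biba_lowwatermark_read(subject: Entity, obj: Entity) -> Entity:
    """Floating-label Biba: reading a lower-integrity object is permitted, but the
    reader's integrity label floats down to the meet of the two labels, so it can
    no longer write to objects it could previously modify."""
    return replace(subject, biba=subject.biba.meet(obj.biba))


def demo() -> Dict[str, bool]:
    """Constructed scenario: a DNS server, its zone file, the web root, and a
    compartmented secret handled by an analyst.  Labels are made up for the demo."""
    fw = MacFramework()
    fw.register(mls_policy)
    fw.register(biba_policy)
    named = Entity("named", mls=Label(0), biba=Label(1))
    zone = Entity("zone file", mls=Label(0), biba=Label(1))
    htdocs = Entity("htdocs", mls=Label(0), biba=Label(2))
    crypto = frozenset({"crypto"})
    secret = Entity("secret report", mls=Label(2, crypto), biba=Label(1))
    analyst = Entity("analyst", mls=Label(2, crypto), biba=Label(1))
    return {
        "named reads zone": fw.check(named, zone, READ),         # allowed
        "named writes htdocs": fw.check(named, htdocs, WRITE),   # denied: Biba no write up
        "named reads secret": fw.check(named, secret, READ),     # denied: MLS no read up
        "analyst reads secret": fw.check(analyst, secret, READ), # allowed
        "analyst writes zone": fw.check(analyst, zone, WRITE),   # denied: MLS no write down
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {'allow' if verdict else 'deny'}")
```

Composition here is the strict "all modules must agree" rule; a real framework also has to define what happens when a module has no opinion about an object it never labelled.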
-
Re:5.0 is a pretty big change.
Does anybody know something about the planned integration of TrustedBSD features?
I remember that 5.0 was meant to use some of their stuff. Will this be done? If so, which features?
-
FreeBSD security
Since the NetBSD/OpenBSD split became final several years back, the FreeBSD developers have been in constant competition with the OpenBSD developers with regard to providing a secure, yet usable system. Appointing Mr. Vidrine, a personable yet strict taskmaster, is the latest of many steps that have been taken to continue to improve the security of FreeBSD users' systems. Here is a short list of other security-related projects:
- TrustedBSD. Though it has taken some time (and who could write a B1 system overnight?), it now supports MLS extensions, ACLs on files, SAE privilege isolation, and process segmentation spacing to provide a system on which users at different levels cannot interfere with more privileged users.
- Improvements in the -CURRENT branch. Many security improvements, some independent and some from TrustedBSD, are destined to be included in FreeBSD 5.0.
- jail(2). Jail provides process isolation superior to anything found in another UNIX or in Linux. We like to call it "chroot with teeth," and continue to wonder why existing chroot(5) implementations are so hopelessly broken in other lesser Unices.
- Protocol support. FreeBSD currently ships without a telnet daemon installed, to keep people from using daemons that have known weaknesses (such as the environment variable handling design flaw) and that allow plaintext passwords to leak onto the network.
- Strong NIS authentication. We've combined the versatility of NIS and the simplicity of Kerberos, and produced an armoured version of NIS that withstands network and host based attacks.
--rwatson
-
Mac OS X and metadata
I wonder if Apple is planning on making the default file system in Mac OS X be UFS. This could help reduce costs on FS development. This does not mean the death of metadata. TrustedBSD is working on giving UFS extended attributes and ACLs. So maybe Apple could use those for metadata.
-
Surprised nobody's mentioned TrustedBSD Project
More info here.
Much of the work is to be rolled into a future FreeBSD distro. And that's released under the BSD license -- than which you can't get much less restrictive.
-
Re:BSD?
I believe the NSA has provided some funding for TrustedBSD.
-
The future of root
In the introduction white paper section II.b (Fine-grained System Capabilities), they describe the root account as being a significant source of risk (if you're rooted, you're owned). The solution under TrustedBSD is to delegate the root responsibilities to various executables. I'm not sure what this solves if root still has access to these new executables. Any ideas on how this will be accomplished?
-
Re:crazy curveballs
Not to mention the fact that FreeBSD's POSIX ACL support has been worked on for a while now, TrustedBSD, the work is largely being done by FreeBSD core team member Robert Watson.
While audits are important, these features will go a long way, and we'll have them very soon in FreeBSD 5.0
-
Re:Before everyone else says it...
SecureBSD and TrustedBSD are really just extensions to FreeBSD. Similarly, RTMX is a set of extensions to OpenBSD. I didn't think it would be good to include them in this. Additionally, with BSD/OS effectively merging with FreeBSD, I didn't include it either. However, it gives me an idea for a new article...
:) -
NSA (Never Saw Anything)
One of the things concerning the NSA's release of SE Linux is, in some instances, they complain that terrorists, and criminals are hindering their (the US Government) efforts to investigate, and or monitor crimes, and they go and release this distribution of Linux.
Think about that for a quick second with an open mind if you will, and look at exactly what was said in this article:
CIA director George Tenet said individuals such as Osama bin Laden - the man alleged to have been behind the 1998 bombings of US embassies in East Africa - are using the internet to cloak communications within their organisations. "You recruit people on internet sites and you use encryption," Tenet said. "You move your operational planning and judgements over internet sites' use of encryption. You raise money."
If things are so bad for NSA officials to keep tabs on terrorists and the way they commit digital crimes in association with their acts, then why would they release an OS that could further help these terrorists hide/secure their data? Sure, you can look at this post and claim it's a conspiracy of some sort to point out these findings, but let's take a look at how many 1k bytes of code could be inserted throughout the SE Linux OS to have them somewhere down the line be combined in order for the NSA to open a backdoor of some sort.
Bin Laden inspires particular alarm in the US. National Security Agency chief Mike Hayden says his own organisation is "behind the curve in keeping up with the global telecommunications revolution", which bin Laden is able to exploit. Hayden blamed this gap for the US's failure to prevent the 1998 embassy attacks, which killed 224 people.
We all know about the OpenSource arguments and whether or not OpenSource solidifies security; the fact remains, no one has gone line for line on the NSA's code for SE Linux to determine whether or not they've done something shady to hide their underlying actions for creating this OS.
Now back to the OS in general, I would like to see a comparison between say SE Linux vs. OpenBSD, or SE Linux vs. TrustedBSD. Personally I would opt for OpenBSD, as Trusted is an overlay for FreeBSD.
Again, one should wonder about the facts: the NSA claims people like Usama bin Laden and Fidel Castro are giving them headaches with technology, and yet they release something which could help them? Typical politics, wouldn't you say. Hey, here's some thoughts to consider for NSA naming conventions this millennium.
Newer Stealth Arrangements
Never See Anything
Next Superpower Agency
New Snooping Applications
Nothing's Secret Anymore
while($information =~ /[a-z]['")]*[.!?]+['")]*\s/g) {
$conspiracy++;
}
print "Your $information is filled with $conspiracy theories\n";
Where in the world is SpeedyGrl -
NSA (Never Saw Anything)
One of the things concerning the NSA's release of SE Linux is, in some instances, they complain that terrorists, and criminals are hindering their (the US Government) efforts to investigate, and or monitor crimes, and they go and release this distribution of Linux.
Think about that for a quick second with an open mind if you will, and look at exactly what was said in this article: CIA director George Tenet said individuals such as Osama bin Laden - the man alleged to have been behind the 1998 bombings of US embassies in East Africa - are using the internet to cloak communications within their organisations. "You recruit people on internet sites and you use encryption," Tenet said. "You move your operational planning and judgements over internet sites' use of encryption. You raise money."
If things are so bad for NSA officials to keep tabs on terrorists and the way they commit digital crimes in association with their acts, then why would they release an OS that could further help these terrorists hide/secure their data? Sure you can look at this post and claim it's a conspiracy of some sort to point out these findings, but let's take a look at how many 1k bytes of code could be inserted throughout the SE Linux OS to have them somewhere down the line be combined in order for the NSA to open a backdoor of some sort.
Bin Laden inspires particular alarm in the US. National Security Agency chief Mike Hayden says his own organisation is "behind the curve in keeping up with the global telecommunications revolution", which bin Laden is able to exploit. Hayden blamed this gap for the US's failure to prevent the 1998 embassy attacks, which killed 224 people.
We all know about the OpenSource arguments and whether or not OpenSource solidifies security, the fact remains, no one has gone line for line on the NSA's code for SE Linux to determine whether or not they've done something shady to hide their underlying actions for creating this OS.
Now back to the OS in general, I would like to see a comparison between say SE Linux vs. OpenBSD, or SE Linux vs. TrustedBSD. Personally I would opt for OpenBSD, as Trusted is an overlay for FreeBSD.
Again, one should wonder about the facts, the NSA claims people like Usama bin Laden and Fidel Castro are giving them headaches with technology, and yet they release something which could help them? Typical politics, wouldn't you say? Hey, here's some thoughts to consider for NSA naming conventions this millennium.
Newer Stealth Arrangements
Never See Anything
Next Superpower Agency
New Snooping Applications
Nothing's Secret Anymore
my $information = do { local $/; <STDIN> };   # assumed: the text to scan is read from stdin
my $conspiracy = 0;
while ($information =~ /[a-z]['")]*[.!?]+['")]*\s/g) {
    $conspiracy++;   # one more sentence-ending punctuation run found
}
print "Your $information is filled with $conspiracy theories\n";
Where in the world is SpeedyGrl -
Re:unix badness
Problem 1:
We can always change the permissions of eth0 to allow it to be put into promiscuous mode by another user if we want.
Letting any user put the NIC into promisc mode isn't a security hazard?
Problem 2:
The statement that there are only two levels of security is completely untrue. You can have as many levels of security as you have users and groups.
This is just wrong. Read up on ACLs, Capabilities, Mandatory Access Control, Auditing.
Traditional UNIX environments have provided extremely limited expressiveness in file system permissions, limited to a single user (owner), a system administrator-defined group, and a set of rights defined for the remainder of users on the system. Access control lists allow for the fine-grained expression of discretionary rights associated with files and other system objects.
(From trustedbsd.org).
Here is a good intro to capabilities.
---
In a hundred-mile march, -
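The trustedbsd.org quote above contrasts owner/group/other mode bits with access control lists. As an added example (not code from the poster, from trustedbsd.org, or from the FreeBSD or Linux implementations), here is a small Python model of the POSIX.1e access-check algorithm those implementations follow, run over a constructed getfacl-style listing. The users alice, bob, carol and dave, the groups staff and eng, and the file report.txt are made up for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

R, W, X = 4, 2, 1   # permission bits, the same values as one rwx triplet of a mode


@dataclass
class Entry:
    tag: str                   # "user", "group", "mask" or "other"
    qualifier: Optional[str]   # name for user:NAME / group:NAME entries, None otherwise
    perms: int


@dataclass
class Obj:
    owner: str
    group: str
    acl: List[Entry]


@dataclass
class Subject:
    name: str
    groups: frozenset          # every group the subject belongs to


def parse_perms(s):
    """getfacl's 'rw-' notation -> bits (so 'rw-' -> 6, '---' -> 0)."""
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


def parse_getfacl(text):
    """Build an Obj from getfacl(1)-style text; '# file:' and other comment lines are skipped."""
    owner = group = None
    acl = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            acl.append(Entry(tag, qual or None, parse_perms(perms)))
    return Obj(owner, group, acl)


def mode_check(owner, group, mode, subject, wanted):
    """Classic UNIX: exactly one triplet applies, chosen by owner, then group, then other."""
    if subject.name == owner:
        bits = (mode >> 6) & 7
    elif group in subject.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (wanted & ~bits) == 0


def acl_check(obj, subject, wanted):
    """POSIX.1e access check: owner entry, then a named user entry, then every matching
    group entry (any one that grants the request wins), then other.  Named-user and
    group entries are limited by the mask entry; the owner and other entries are not."""
    mask = next((e.perms for e in obj.acl if e.tag == "mask"), R | W | X)

    def grants(entry, masked=True):
        perms = entry.perms & mask if masked else entry.perms
        return (wanted & ~perms) == 0

    if subject.name == obj.owner:
        return grants(next(e for e in obj.acl if e.tag == "user" and e.qualifier is None), masked=False)
    for e in obj.acl:
        if e.tag == "user" and e.qualifier == subject.name:
            return grants(e)
    matching_groups = [e for e in obj.acl if e.tag == "group"
                       and (obj.group if e.qualifier is None else e.qualifier) in subject.groups]
    if matching_groups:
        return any(grants(e) for e in matching_groups)
    return grants(next(e for e in obj.acl if e.tag == "other"), masked=False)


# Constructed sample: what `getfacl report.txt` might print after
# `setfacl -m u:bob:rw-,m::r-- report.txt` on a 0640 file owned by alice:staff.
SAMPLE_ACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
mask::r--
other::---
"""


def demo():
    obj = parse_getfacl(SAMPLE_ACL)
    alice = Subject("alice", frozenset({"staff"}))
    bob = Subject("bob", frozenset({"eng"}))      # not in staff
    carol = Subject("carol", frozenset({"staff"}))
    dave = Subject("dave", frozenset({"eng"}))
    return {
        # mode 0640: bob is neither owner nor in staff, so the 'other' triplet (---) applies
        "mode_bob_read": mode_check("alice", "staff", 0o640, bob, R),
        # ACL: the user:bob entry grants read without touching staff or other
        "acl_bob_read": acl_check(obj, bob, R),
        # ... but mask::r-- trims user:bob:rw- to r--, so write is refused
        "acl_bob_write": acl_check(obj, bob, W),
        "acl_owner_write": acl_check(obj, alice, W),   # owner entry is never masked
        "acl_carol_read": acl_check(obj, carol, R),    # owning group: r-- & mask r--
        "acl_dave_read": acl_check(obj, dave, R),      # no entry matches: other::---
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The point the quote makes shows up in the first two results: with mode 0640 the only ways to give bob read access are to add him to staff (which also opens every other staff-readable file to him) or to open the file to everyone, whereas user:bob:r-- does exactly that one thing. The mask entry is the part people trip over: it caps every named-user and group entry, so user:bob:rw- still yields read-only here, and it is also why chmod on an ACL-bearing file rewrites the mask rather than the owning-group entry.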
Re:Why another BSD?
If you actually read what TrustedBSD is about, you would see that it is an extension to FreeBSD and should be integrated into FreeBSD-proper before 5.0 is released.
-
Why did they have to use Linux?
This seems counterproductive, in my opinion. They could have just as easily contributed to the TrustedBSD project. If they had done that, then their code could have actually been used in more than just one operating system, instead of just Linux, due to the incompatibilities between the GPL and the BSD license.
-
FreeBSD
Nothing in the world like a minimal install of FreeBSD. Nice and slim with only the base essentials. After the install is done I go to the /usr/ports collection and install all the extra software that I need. It's also nice to be able to upgrade the entire core of the OS in one shot with make world etc. Plus with mergemaster merging the config files, it's almost impossible to hose up an upgrade. You also get an OS that performs better and is more stable than Linux. Plus once the Mandatory Access Control TrustedBSD patches get merged into the CURRENT source tree, we'll have quite good security on an OS that is already quite secure. -
TrustedBSD
What's your opinion of the TrustedBSD project? I know it's relatively green and AFAIK not much has been shipped off the assembly line other than some rough beginnings. But, that aside, do you think it's too ambitious (or not ambitious enough?) And if it ever does complete its goals do you think OpenBSD will utilize any code from it?
-
Licensing?
So what kind of license is this released under? The legal page doesn't really say much other than that the original authors keep the copyright to the code. And then it says it's released under a "liberal" license. -
Re:What is security, anyway?
Now the DoD model was created back in the early to mid '80s. Everything, if not 99%, is obsolete standards by now. If you still want to bother with what the US government considers secure, then check out TrustedBSD.
-
Most Secure Well Known OS perhaps...
OpenBSD does an amazing job of presenting an extremely secure distribution, I will stipulate that right at the get go. I think it's a bit premature to say that it's the Most Secure OS though. There are a number of implementations of the DoD B1 security standard (as applies to operating systems, specifically) in the world - these include Trusted Solaris from Sun and PitBull from Argus Systems Group.
Granted, these operating systems take a quite different approach to security (rather than requiring strict application audits as in OpenBSD they instead try to eliminate the need for such audits through strict kernel control manifested in a number of sneaky ways). These systems have been, and are currently widely used by military, intelligence, financial, and, increasingly, high end e-commerce systems. In an attempt to increase public awareness and popularity of PitBull Argus Systems Group has begun giving it away for non-commercial use. Anyone interested in high security servers is highly recommended to check it out. It's no holy grail, and by no means the right solution for every problem, but it is a very interesting take on the problem, and quite a different way of looking at system architecture and administration than most of us get exposed to on a regular basis.
None of this is intended to steal OpenBSD's thunder - it's a great accomplishment, and far closer to existing operating environments than its B1 counterparts (which makes it more accessible, and more flexible). Often, a B1 system will be severe overkill (or just too much of a pain to configure and manage), where OpenBSD will just work. So I'm not saying that OpenBSD is no good, I'm just saying that choosing the "Most Secure OS" isn't quite so clear cut...
Oh, BTW, there is a Trusted BSD project, but it's fairly young and as I understand it building a trusted OS is quite time consuming. When it's ready I think it will likely kick ass, but it may yet be a long way off.
-- -
Use a Trusted OS.
Script kiddies don't have enough bandwidth to DoS a major provider, so they use rootkits to crack systems and then use the cracked system as a launchpad for their DDoS attacks, right? Well, maybe a solution is for companies to use a Trusted OS like Argus PitBull, Trusted BSD, (admittedly incomplete) OB1, Trusted Solaris, HP's virtual vault, or find a better match for yourself.
Why people use WinNT as a server platform is beyond me. Something like 65% of web-site defacements listed at Attrition.org are WinNT based. That's insane. Linux is something like 20%. I was very surprised at HOW MANY sites are hacked. The internet's infrastructure needs to be improved, sure. But how about securing your system properly?! Argus has even announced a Linux port for their products; it's the only TOS that I've seen even mention Linux. And, maybe someone should push the Linux Kernel developers to finish implementing the Capabilities and ACL stuff that at least partially exists in the kernel (or in patches); this would allow application coders to write non-suid programs that would still have some of the root capabilities (just the ones they need).
I'm not saying that the sys admins are to blame. These decisions are generally not simple technical ones. However, everyone needs to be educated about the products that are available to protect themselves and others (in the case of DDoS's). If you're a sys admin, educate yourself and pass it on to your boss. They may not get it, but you should at least try.
Just my $0.02.
$ flames > /dev/null 2>&1 -
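The second paragraph above asks for capabilities so that a program need not be setuid root to hold the few root powers it needs. Linux has since shipped exactly that, so here, as an added example (not the poster's code and not from any of the products named in the post), is a small Python decoder for the CapEff field of /proc/<pid>/status, run over two constructed status excerpts: an httpd given cap_net_bind_service through file capabilities, and the same daemon started as root. The capability names and bit numbers are the kernel's (include/uapi/linux/capability.h, as of kernel 5.9); the ROOT_EQUIVALENT set is a triage list chosen for this example, not a kernel definition.

```python
from typing import Dict, List

# Kernel capability numbers; the list index is the bit position in the Cap* masks.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Triage list for this example: capabilities from which full root is reachable,
# so a "least privilege" service should carry none of them.
ROOT_EQUIVALENT = frozenset({
    "sys_admin", "sys_module", "sys_ptrace", "sys_rawio", "dac_override",
    "dac_read_search", "setuid", "setgid", "setfcap", "bpf",
})


def decode_caps(hexmask: str) -> List[str]:
    """'0000000000000400' -> ['cap_net_bind_service'], i.e. what capsh --decode prints."""
    bits = int(hexmask, 16)
    return [f"cap_{CAP_NAMES[n]}" if n < len(CAP_NAMES) else f"cap_{n}"
            for n in range(bits.bit_length()) if (bits >> n) & 1]


def parse_status(text: str) -> Dict[str, str]:
    """Pick the Cap* lines out of /proc/<pid>/status ('Key:<tab>value' per line)."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            caps[key.strip()] = value.strip()
    return caps


def assess(status_text: str) -> dict:
    """What the process can actually do: its effective caps and which are root-equivalent."""
    effective = decode_caps(parse_status(status_text)["CapEff"])
    return {
        "effective": effective,
        "count": len(effective),
        "root_equivalent": sorted(ROOT_EQUIVALENT & {c[4:] for c in effective}),
    }


# Constructed sample: an httpd running as uid 33 that was given
# `setcap cap_net_bind_service=ep` instead of being installed setuid root.
HTTPD_STATUS = """\
Name:\thttpd
Uid:\t33\t33\t33\t33
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: the same daemon started as root, holding the whole bounding set.
ROOT_STATUS = """\
Name:\thttpd
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, status in (("least-privilege httpd", HTTPD_STATUS), ("root httpd", ROOT_STATUS)):
        r = assess(status)
        print(f"{label}: {r['count']} effective caps, "
              f"root-equivalent: {r['root_equivalent'] or 'none'}")
```

On a live system the same fields come from `grep Cap /proc/<pid>/status`, and `capsh --decode=<hex>` from libcap prints the same names; `setcap cap_net_bind_service=ep /path/to/httpd` is how the first sample's process would have been set up. The defender's check is the root_equivalent list: a process that is "not root" but still holds cap_sys_admin or cap_dac_override has not actually been confined.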
Re:Definition of trusted
Check out Trusted BSD.
They are targeting Orange Book specs. If I am not mistaken Orange Book is the government's definition of Trusted.