DARPA to Fund Open Source Security Research
divert writes "Just got an email on the SEC-PROG mailing list that DARPA is looking to fund security research for open source operating systems." Maybe someone should just tell them about OpenBSD, save some time and money.
Maybe someone should just tell them about OpenBSD, save some time and money.
This is sooo arrogant, I'm disgusted. Dude, you're talking about DARPA. They funded the development of The Internet. Were it not for them this site wouldn't exist.
And why exactly do you need a full featured Unix system to run a firewall?
There are environments where you need performance and security. This is especially true of supercomputing environments where different people with different security levels all have access to the same physical machine(s).
Just because you have a firewall, doesn't mean you aren't prone to attack. You are certainly less likely to be attacked from the outside world, but who said the attack had to come from the outside world?
If you have a person with physical access to a machine you are trying to secure, it should still be extremely difficult for the person to gain entry into it.
The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
DARPA, like anything else governmental, is inherently political. While they have to frame these proposals as public processes, the fact is, if you weren't working on this proposal months ago, well before it was first published, you don't have a chance. I'll guarantee you that there are already 5-10 different labs working on the problem, who have already extensively discussed the DARPA program manager's expectations (most likely with the program manager or the program manager's close colleagues).
Yes, it's a very inbred, good-ol-boys type of process, but that's life in military research...
Let's try not to let fact interfere with our speculation here, OK?
... it is by standing on the shoulders of Giants." --Newton to Hooke, 5 Feb. 1676
*Real* research is about incremental improvements to the existing base of knowledge.
2) System configuration and administration tools and methods
That'd help.
Sounds like they have some pretty high goals that require a lot of cooperation between various groups. I wonder how they intend to solicit that cooperation.
Who do you think put up the money to develop BSD in the first place? DARPA, of course.
Maybe someone should just tell them about OpenBSD, save some time and money.
I've seen OpenBSD folks make a lot of claims, but I've never before seen one claim that all research into secure OSes should come to a halt now that it exists.
I wouldn't say that's the way they "usually" work. If you are a university or a non-profit, maybe. If not, you work under contract to them. If you are a small business or individual, you can get an SBIR contract.
It's a lot easier if you affiliate yourself with a business or academic institution that already does business w/DARPA.
DARPA does do some interesting stuff. A lot of it has ended up with pretty wide utility. Take, for example, the Internet. That's right. If you didn't know already, DARPA is the organization that funded the development of TCP/IP and the earliest versions of the Internet. So, in a lot of ways, this is right up DARPA's alley. I wouldn't be surprised if there is still DARPA-funded code floating around in things like telnetd, sendmail, bind, etc.
I think the point is to push the state of the art ahead, not fiddle with existing systems. I mean your analogy is similar to "Would you rather take a bicycle or a skateboard to fly to the moon" instead of researching how to make rockets.
-- Remember: Wherever you go, there you are!
Ok.
You seem to have got the userspace/kernelspace split mixed up with the root/normal user split.
The first is a difference in memory mapping. When you are running a normal program, your own memory is mapped appropriately as some of readable, writable, and executable. The kernel is always mapped non readable, non writable, and non executable. When entering the kernel ( eg system call, page fault, interrupt), the kernel memory is changed to be readable, writable, and executable.
The second is how the kernel responds to system calls. When a system call is called, if it is a privileged operation, the kernel will perform a check to see if the program is allowed to do this.
In old unix, this was often just a check to see if the uid in the process control structure was 0. In linux, it is usually a check of a privilege bit (evilly called capabilities by posix and linux). So different processes can have different sets of privileges.
So, in unix, you su to root. This doesn't make you run in kernel mode. You are still running just like a normal user. The only difference is, when you do a system call, the kernel grants you a special privilege to bypass normal security checks.
This is weirdo special casing. Not nice.
In a capability system, a token is passed along with any other arguments to a system call. This token proves to the kernel that you are allowed to do the call you asked for. No weird special cases. No acl systems or even the concept of a "user" in the kernel.
This can and is being implemented on x86. See eros - www.eros-os.org
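As an added example that is not part of the original post: a small C program showing the point above on Linux, that a process with uid 0 is still ordinary user-mode code and that the privilege check happens inside the kernel at each system call. Here the call is bind() to a port below 1024, which the kernel gates on the CAP_NET_BIND_SERVICE bit of the effective capability set; that set is visible on the CapEff: line of /proc/self/status. Everything used is standard Linux; the helper names are my own.

```c
/* Added example (not from the original thread): "root" is enforced per
 * system call by a kernel check, not by running in kernel mode.  On
 * Linux the check for binding a port below 1024 is the
 * CAP_NET_BIND_SERVICE bit in the effective capability set, which the
 * kernel shows on the "CapEff:" line of /proc/self/status. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_BIND_SERVICE_BIT 10   /* value from <linux/capability.h> */

/* Parse a "CapEff:\t0000003fffffffff" line into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a well-formed CapEff line. */
int parse_capeff(const char *line, unsigned long long *mask)
{
    const char *p = line;
    if (strncmp(p, "CapEff:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = v;
    return 0;
}

/* 1 if capability bit `cap` is set in `mask`, else 0. */
int cap_in_mask(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read the effective capability mask of the calling process.
 * Returns -1 if /proc is unavailable (e.g. not Linux). */
int read_own_capeff(unsigned long long *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff(line, mask) == 0) { rc = 0; break; }
    }
    fclose(f);
    return rc;
}

/* Try to bind a TCP socket to a port; returns 0 on success or -errno.
 * For port < 1024 the privilege check happens here, inside the kernel,
 * regardless of how the process came by its uid. */
int try_bind_port(int port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    int rc = bind(s, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : -errno;
    close(s);
    return rc;
}

int main(void)
{
    unsigned long long mask = 0;
    if (read_own_capeff(&mask) == 0)
        printf("CapEff=%016llx, CAP_NET_BIND_SERVICE %s\n", mask,
               cap_in_mask(mask, CAP_NET_BIND_SERVICE_BIT) ? "present" : "absent");
    printf("uid=%u euid=%u (user mode either way)\n",
           (unsigned)getuid(), (unsigned)geteuid());
    int rc = try_bind_port(80);
    printf("bind(*:80) -> %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Run it twice, once as an ordinary user and once under su: the process is in user mode both times, and the only thing that changes is the kernel's answer at the bind() call (EACCES without the bit, success with it). That per-call check is the "special privilege" the post describes.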
OpenBSD is still based on the fallacy that affects unix and all clones. That you trust every program you run as much as you trust yourself. Ie security is done at a per account granularity.
Any program you run can do anything to every file you have write access to, and can also leak information by default to anyone on the internet. Not good. This means a very large trusted code base, which is a bad thing. The set of code which need to be trusted (ie the kernel and very few programs) should be as small as possible.
There are some approaches to improving security. Capability models look like the best hope for the future. This comment is too small to hold a reasonable explanation - take a look at http://www.eros-os.org .
Don't get me wrong, OpenBSD is a good firewall and general unix server platform, but its security model is limited by posix compliance.
Unfortunately, whilst unix does kick ass in many respects, there are a few deficiencies when it comes to security. Here are a few that come to mind:
/tmp can leak a lot of information.
1) All programs you run are trusted with all files you have access to.
2) All programs are also given a default set of actions they can perform, eg open random connections to the internet. This is nice for leaking information. This can be ameliorated via so called posix capabilities. These are more properly called privilege bits as in VMS.
3) Global filesystem. Everyone can see the filesystem.
Chroot may help. Plan 9 style namespaces are better too. Better would be to take the human namespace out of the kernel and only give it to programs that need it.
probably lots of other things. Basically unix was designed when everything you ran on your computer was written by yourself or someone you knew and trusted. And then commercial unix just got featuritis. It would probably not be good to declare it the one true operating system.
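As an added example, not from the original post: the two ways of creating a scratch file that the "/tmp can leak a lot of information" item refers to, in C. The classic pattern (predictable name, O_CREAT without O_EXCL, default umask) produces a file every other user can read, and writes straight through any symlink an attacker planted at that name in the shared directory. The safer pattern uses mkstemp() with a tight umask and then checks with fstat() what it actually opened. Directory and file names below are constructed for the demo.

```c
/* Added example (not from the original thread): two ways of creating a
 * scratch file in a shared temp directory.  The "classic" way uses a
 * predictable name and the process umask, so the file is readable by
 * every user and an attacker who pre-plants a symlink at that name
 * redirects the write.  The safer way uses mkstemp() (O_CREAT|O_EXCL,
 * mode 0600) and then verifies via fstat() what it actually opened. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classic pattern: fixed name, O_CREAT without O_EXCL, default umask.
 * Follows symlinks; mode ends up 0666 & ~umask, usually 0644. Returns fd or -1. */
int unsafe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Safer pattern: unique name, exclusive create, 0600, then verify.
 * `template` must end in XXXXXX and is modified in place. Returns fd or -1. */
int safe_tmp_open(char *template)
{
    mode_t old = umask(077);          /* never wider than 0600, whatever the caller's umask */
    int fd = mkstemp(template);
    umask(old);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);                    /* not the private regular file we asked for */
        return -1;
    }
    return fd;
}

/* Permission bits (low 9) of the file behind fd, or -1. */
int fd_perm_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Demonstration: returns 1 if the unsafe open wrote through a planted
 * symlink into `victim`, 0 if it did not, -1 on error.  `dir` must be a
 * writable directory owned by us; the symlink is planted here to stand
 * in for an attacker who guessed the predictable name. */
int symlink_demo(const char *dir)
{
    char link[4096], target[4096];
    snprintf(link, sizeof link, "%s/scratch.tmp", dir);     /* predictable name */
    snprintf(target, sizeof target, "%s/victim", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (t < 0) return -1;
    close(t);
    unlink(link);
    if (symlink(target, link) != 0) return -1;   /* "attacker" plants the link */
    int fd = unsafe_tmp_open(link);
    if (fd < 0) return -1;
    const char secret[] = "session-token";      /* constructed sample data */
    ssize_t want = (ssize_t)(sizeof secret - 1);
    if (write(fd, secret, (size_t)want) != want) { close(fd); return -1; }
    close(fd);
    struct stat st;
    int rc = stat(target, &st);
    unlink(link);
    unlink(target);
    if (rc != 0) return -1;
    return st.st_size == (off_t)want ? 1 : 0;
}

int main(void)
{
    char dir[] = "/tmp/leakdemo.XXXXXX";
    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }
    char tmpl[4096];
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);
    int fd = safe_tmp_open(tmpl);
    printf("safe file mode: %04o\n", fd >= 0 ? fd_perm_bits(fd) : -1);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    printf("unsafe open wrote through planted symlink: %d\n", symlink_demo(dir));
    rmdir(dir);
    return 0;
}
```

The fstat() checks after mkstemp() are the part people leave out: they confirm the descriptor refers to a regular file with one link, owned by us, with no group/other bits, so a later write cannot be redirected or read by another account on the same box.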
As an ex-contractor at the USPTO, I can tell you, they are much more technologically on the ball than they are given credit for. 100mb to the desktop, oc-12's between buildings, multiple redundant internet connections, and with the exception of some old sun systems, they run hp-ux exclusively for their major systems. They are also doing extensive work on building a PKI system, to enable inventors to file and conduct all related transactions online. I'm not saying they are the most open-source friendly, but they DO have quite a setup.
/. poster #104543567
-stax
The submission deadline was two days ago.
Incidentally, if we want secure OS's, it's long past time to give up on UNIX. EROS is the way to go.
www.eros-os.org.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I agree trustedbsd is probably more up their alley, maybe they will be interested in porting the trustedbsd changes to openbsd, since the method the two took towards being secure is different.
Why don't they just use the NSA's secure Linux?
Claims of Linux stability and scalability fall apart rather quickly when its #1 advocacy site is constantly failing,
What basis do you make THIS claim?
The 'byline' is "news for nerds, stuff that matters". Slashdot has a BSD section.
What reasons do you have for thinking *THIS* site is the #1 advocacy site?
If it was said on slashdot, it MUST be true!
Dunno if they ever pursued the project further.
Read the EFF's Fair Use FAQ
Absolutely true. I didn't mean to impugn the project managers at all. I actually reported directly to a project manager at the ISO, and he was astute at political infighting, but his overwhelming passion was the technology behind his project.
No doubt about it - there are some very smart, very clearheaded people running projects at DARPA.
I also agree with your analysis as to why they'd be delving into Open Source. Many of these program managers are military folks who came in through the military-industrial-govt merry-go-round, but many of them are also essentially hackers who pay attention to things like.. well.. Slashdot.
DARPA is interested not in current technology, or even next-generation technology. Their mandate is to fund and evaluate what they call "high-risk, high-payoff" projects. They fully expect that most of their projects will fail to achieve their goals. However, they also realize that even those projects that fail will stimulate advances in other, sometimes unforseen areas. Of course, those projects that succeed become the wonder-technologies of tomorrow.
Another thing to keep in mind is that DARPA is a government agency, and as such has a mandate to disseminate their findings as far as possible within the federal government. I actually worked on a liaison project with FEMA, where we were trying to help kick-start FEMA's web-based emergency-mitigation effort.
The secondary effect of this mandate to spread the wealth is that it's key for an agency's survival that they be known as the originators of the wealth. That is, when DARPA comes up with something, they sure as hell make sure that every other agency knows it came from DARPA. That way when the budget axe comes along, DARPA isn't first on the chopping block.
So DARPA's desire to fund this project probably has a lot more to do with going beyond what's already been done, and taking the credit for it, than it has to do with acknowledging what's already out there.
The way DARPA usually works is on a grant basis. Those people qualified should get together (or stay separate) and write up a grant. DARPA isn't going to look for grantees. The potential grantees must go to DARPA (with a proposal).
What are you talking about? The bulk of the first-generation open source stuff out there was at least partially funded by DARPA. Get a clue. This is a great opportunity for those with open source experience to put forth a proposal that may fund them for a year or more.
Maybe someone should just tell them about OpenBSD, save some time and money.
The DARPA program is called Composable High Assurance Trusted Systems (CHATS) which implies that they are interested in Trusted Systems not systems that claim to be secure because a bunch of hackers allegedly have fixed all the buffer overflows. Being "secure" and being a trusted system are completely different things.
Maybe michael meant to mention TrustedBSD which is attempting to become certified as a Trusted System?
AtheOS (http://www.atheos.cx for the paranoid) is an open-source OS which seems to fit your requirements. While it is still under heavy development, it already supports preemptive multithreading, symmetric multiprocessing, protected memory, and, most importantly for you, a brand-new, fully integrated GUI with a companion BeOS-like C++ toolkit. It's hardly ready for prime time, but if you've got the skills, check it out and see what you can do to help.
The tools are available! RSRE Malvern now part of DERA (UK DARPA) released them some years ago as an open standard for static testing which is used world wide to verify critical systems. I assume it is on the Net but I can't find the URL.
how much of a difference would it make to assign each executable its own "user" space - ie, executables have access to whatever the user has access to, so implement an interface framework to always run executables as their own user (unless directed otherwise by trusted real user)? this would seem to define another layer of security, with all the security checks already in place for users.
next implement interface for users to run apps...
could then a simple(?) tmp redirect to "user-app" space take care of the global tmp access problem as well?
does any of this make sense?
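One way to implement the "run each executable as its own user" idea in the post above, as an added example that is not part of the original post. The launcher forks, drops to a dedicated uid/gid in the right order (supplementary groups, then gid, then uid, and verify), points TMPDIR at a per-app scratch directory, and execs the program, so the app's file access and its temp files are confined by the ordinary user checks already in the kernel. The /var/tmp/app-<uid> path and any particular app uid are assumptions. Switching to a different uid needs root; an unprivileged user can only "switch" to itself, which is what the stand-alone run does, so the sequence is still exercised.

```c
/* Added example (not from the original thread): a minimal launcher that
 * runs a program as its own dedicated uid/gid with a private TMPDIR.
 * Requires root to change to another uid; unprivileged, it can only
 * drop to its own uid, which is what the stand-alone run does.
 * The /var/tmp/app-<uid> path and any app uid are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid.  Order matters: supplementary groups first
 * (needs privilege), then gid, then uid, because after setuid() we can no
 * longer change groups.  Returns 0 on success, -errno on failure. */
int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* clear supplementary groups */
        return -errno;
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;
    /* The drop must be irreversible: if we gave up root, regaining it must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -EPERM;
    return 0;
}

/* Build the private scratch directory path for an app uid (assumed layout). */
int app_tmpdir(uid_t uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/var/tmp/app-%u", (unsigned)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Fork, drop privileges in the child, point TMPDIR at the private dir, exec.
 * Returns the child's exit status, or -1 if it did not exit normally. */
int run_as(uid_t uid, gid_t gid, const char *tmpdir, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_to(uid, gid) != 0) _exit(126);   /* never exec with extra privilege */
        setenv("TMPDIR", tmpdir, 1);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    /* Stand-alone: run `id` (or the given command) as ourselves with a
     * private TMPDIR.  With root and a real per-app uid/gid, pass those
     * to run_as() instead. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    char tmpdir[64];
    if (app_tmpdir(uid, tmpdir, sizeof tmpdir) != 0) return 1;
    mkdir(tmpdir, 0700);   /* EEXIST is fine here; real code would verify ownership */
    char *cmd[] = {"id", NULL};
    char *const *args = argc > 1 ? (char *const *)&argv[1] : cmd;
    int rc = run_as(uid, gid, tmpdir, args);
    printf("child exit status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The check that setuid(0) fails after the drop is what catches the classic mistake of calling seteuid() instead of setuid(), which leaves the saved uid at 0 and lets the "sandboxed" program climb straight back out.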
Government involvement in an open source development project would certainly do a lot to validate the license as a viable alternative to close source projects. DARPA is a pretty interesting group, though. After all, these are the guys who want to bring enhancing exo-armor to the military in a decade or so. Will other, more banal, branches of the government adopt open source soon? Will we see the IRS running their own financial oriented flavor of BSD or even more ironically, the USPTO running an opened source setup. Or are other sectors of the Federale already using open source?
Pax Digitalia
Sorry to disagree, but I don't think this guy deserves to be modded back up. He is apparently one of these guys that thinks open source means a guy like myself can go change the official linux code, and no one will know. His post should be ignored and everyone should move along.
The problem with OpenBSD is that it takes years to verify the security of new software releases and integrate them into the distro. Consequently, many of the included packages are old versions that have since been replaced. If DARPA could come up with a methodology that accelerated the pace of verification, they would be very useful to OpenBSD and other OS projects.
ByteMyCode.com: A Web 2.0 code sharing community.
So this is exactly the sort of thing Allchin had in mind when he was ranting about how Free software is unAmerican. In fact, he may have even gotten advance wind of this or parts of it. Thankfully he came out looking like a jackass ahead of time.
I do not have a signature
This'll definitely be the wave of the future, I can hear it now:
"Hello ladies and gentlemen and welcome to CounterStrike 2002: Judgement Day. I'm Al Michaels along with my lovely co-host Killcreek, who knows a thing or two about pointy weapons, err, I mean "pointing" weapons at people.
Tonight's matchup will be Iraq, headed by the "Multikill" master Saddam Hussein versus that tenacious Colt wielding mastermind George W. Bush, who currently leads the United States in terrorist headshots. It's gonna be a winner take all brawl of the century!"
Godlike killing spree's: The Linux Pimp
--It's Pimptastic!--
Many people do research on reliability and repair costs before buying a new car and will be reluctant to buy a car from a company with no track record. Even VCs give money preferentially to people with track records (most of them won't even talk to you unless you have been referred--it isn't worth their time). If anything, DARPA seems a bit more open to new ideas and new people.
Perhaps some of this research will be done on top of one of the BSD platforms. Perhaps it will be done on Linux. Perhaps some of it will be completely platform independent. But no matter what it will be done on, there are more interesting research questions to ask about open source, secure operating systems, and heterogeneous environments than whether we can fix a few more bugs in BSD or Linux.
While the various *nix's and BSD's are most likely going to be the major targets of this research, what I'd really love to see come out of this is a new Open Source OS, ala BeOS, that was built on a GUI base and had shell functionality rather than the other way 'round. Not a lot of difference, you say? Sit Granny down in front of BeOS and a shell prompt and see which one she prefers. Gnome and GTK are a little better, but to make any real changes to the OS, you still have to drop down to shell-level controls. As a graphic artist, this is a bit of a dream of mine.... *sigh*... Of course, the problems here are that DARPA is going to be a lot more concerned with things like number-crunching, DB manipulation, and cryptography rather than pixel-pushing or artistic representation. There's also the fact that the vast majority of developers who are even moderately going to be interested in this project are going to be *nix hackers. Artistic skill and coding skill are often found in hackers, but for some reason, you seldom see them combined.
If anything the Open Source development model is more secure... any code to modify the official kernel and tools has to pass many different eyes and can be viewed by even more; almost any backdoor would be easily noticed before it was added to the development tree. In a closed source environment much fewer people need to see the code and, as proven with the "Netscape engineers are Weenies" backdoor for IIS, deliberate backdoors can therefore be placed easily into the code. This response is to what I THINK the poster is talking about, because by speaking about "installing exploits" I'm assuming he means backdoors in the code. The only other issue would be modifications to a system already in use, and since this can only be done as root it's not really a big issue as to whether the system is open or closed. The truth of the matter is you can't trust software unless you can see the code, and even that should not be enough; precautions always must be taken, but DARPA is on the right track... if they want security the only way they will ever truly have it is if they stick to open source software.
Oh Well, Whatever, Nevermind...
Instead of Flaming you, like a certain moderator would like to see, I'm going to give you a fair chance to run a quick logical exercise, kay?
Initial Premise:
I write a firewall that requires you to specify which ports should be open initially and how often to rotate them. It also allows you to block access of information, in-going and out-going, or IPs you don't specify. Then, I allow you to decide the level of access each net-accessing application and external IP may have to your system.*
Concept:
This is all done Raymond style, i.e. open source. Any script-kiddie and his uncle can stare at the source. By your conception, allowing this makes my firewall weak.
Environment:
Now, naturally, only a person with root privileges can make alterations to the entailment of the firewall, unless otherwise specified, right? That's obviously yes if you have ever used any firewall worth its weight in electrons.
On top of that, we'll assume you were smart enough to download from MY site, not some third party site, which would put you at risk. You know that already, like most of us, and that's why you're at MY site.
Nothing mentioned so far is abnormal, or even sufficiently outside the realm of what's expected of a super user, i.e. the ability to think.
Paradox:
The script-kiddie knows of some really stupid flaw that I didn't think of, oy, well, that happens***. He/She will assume you will initialize ICQ/ICU on its normal port****. Why do you do that? Same reason you wrote this post to begin with. Anywho, they create a portal string through ICQ/ICU. You're not tracking the IP movement because of the pre-mentioned reason. Ditto for why you don't cut&rotate for additional IP-links. Now, how's this script-kiddie going to affect the firewall? He doesn't have the localhost IP or root privileges.
You're thinking, "But he got inside, he can do stuff!" NO HE CAN'T!!! Where have you been!? He doesn't have root privileges! He has NO user privileges! THIS IS LINUX!**
Conclusion:
Well written, open-source software is more than secure enough*, especially on the right system**. Even if the software has a flaw***, a capable user can take extra precautions to increase its ability****.
Comment:
Hack your own box, but, whatever happens to you will no longer be my fault:P
I will avoid saying, "Class dismissed," only because it's used AT LEAST once a week on Slashdot.
Besides, I now have lots of time, because I'm on strike due to an anti-Semitic comment in, I think, The Mandrake article. As long as that's up, I have all sorts of extra time to kvetch and jibber. Actually, I'm thinking about making "Dotslash: The Crossfire of the Geeks" text adventure...well, slashdot-facade, but that's all; it'll be like that old commodore 64 game "Portal" but less plot and more "Nonsense", see Jon's Humorix Toys at i-want-a-website.com/about-linux and yes, Jon likes dashes very much.
Hmm, I guess I will now be integrating Nonsense; feh, now Jon will want a copy before I release it.
I hope this was informative to you "Open Source Isn't Secure" types. In fact, just to mention about BSD for a moment: The reason why it seems constantly out of date is because it is constantly being tested for those "flaws" and insecurities. I compliment the effort, but it does cause the appearance of antiquation. Sure, their 3.0 compiler is more stable than your 4.0, but it lacks features and advancement. Their 4.6 firewall is more powerful than your 6.2, but it's not as customizable or as scalable. However, if you would consider OpenBSD, or any for that matter, you would have little in the ways of worries and only the occasional woe. And, every once in awhile...you can get an impressive application that makes us GNU-ists stop and say, "Woah!"
^_^
Now...about that anti-Semitic AnonCow, could someone do something...NOW-ish?
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
..."This program will fundamentally change the existing approach to development and acquisition of high assurance trusted operating systems technology by advancing the security functionality, security services, and the state of assurance in current open-source operating systems and developing a long-term architectural framework for future trusted operating systems."
Can you see it? Someday, all transactions on digital networks will require secure p2p operation such as this would provide. Meaning, that companies would only do business with you if they can be assured you won't take advantage of them.
This would be a very marketable product in the future. Wouldn't the MPAA love it when all television sets in the future run this future OS? It would assure them that your TV is who it says it is, and would make sure those silly kids aren't trying to record TV shows... God forbid.
- Never Underestimate the Power of Stupid People in Large Groups... -
One reason that commercial companies are reluctant to use OSS is that they do not like to relinquish control to unknown elements. We all know the standard rebuttals to this point, but the military could be worse.
The military and security agencies are incompatible in terms of ethos with the OSS atmosphere. Will they give outside developers, like Joe Bloggs from Birmingham, UK, or Pu Kong Yon from Bangkok, the same access to internal information and the same time of day as external developers?
I fear, very much, that there could be difficult times ahead in this project. I am hedging my bets as to the outcome.
You know exactly what to do-
Your kiss, your fingers on my thigh-
You know exactly what to do-
Your kiss, your fingers on my thigh-
I think of little else but you.
Maybe someone should just tell them about OpenBSD, save some time and money.
Maybe someone should just tell Michael about EROS, a GPL'd x86 capabilities OS currently under development.
Read more on capabilities and why they're important to OS security. A capabilities system is relatively resistant to a lot of the big security issues that plague other types of systems. For example, even if buffer overruns do occur, the damage that can be done is very limited. This is a really cool project.
Too bad that DARPA INVENTED the Internet! Back when they were still ARPA (Advanced Research Projects Agency). Now they've become DARPA by throwing a Defense in front of the ARPA.
So as Mr. T would say, "Cut that jibba-jabba, fool! Internet wuzn't no creation of the free-market!"
Billygoat Gruff III - killing trolls DEAD since 1616!
DARPA is trying to advance what's already available - and advances in security would be great. I suspect they will be able to make advances, since they're planning to spend $10 million on the winning proposals. As has been noted, OpenBSD is not a perfect solution - its packages are often quite old and it has many functionality limits (e.g., no support for SMP). It also doesn't meet the principle of "least privilege" - root is still all-powerful, programs can do anything their owners can, etc.
The deadline is soon for those interested in submitting a proposal. The full proposal (all copies) must be submitted in time to reach DARPA by 4:00 PM (U.S. Eastern Time) Monday, March 5, 2001, in order to be considered; it CANNOT be sent by email or fax (they REQUIRE PHYSICAL COPIES).
People interested in submitting a proposal should also read the Proposer Information Pamphlet (PIP), which isn't easy to find unless you know where it is.
- David A. Wheeler (see my Secure Programming HOWTO)