HP-LX 1.0 Secure Linux
kengreenebaum writes: "Webtechniques has a short but interesting article on HP's approach to a secure but expensive LINUX distro. Basically they started with RedHat 7.1 and added compartments, an extension of the age-old chroot jail concept, in which the processes representing major services run. Kernel extensions allow HP (or the administrator) to specify which compartments can access which kernel resources, including individual files, network stacks, and each other.
HP has a Technical Product Brief as well as other material online. Interesting to compare HP's approach to that of the NSA's Secure Linux projects. These concepts sound like a solid way to prevent buffer overflow type security holes in individual services from compromising the entire machine. At $3000 HP-LX is too expensive for many to experiment with, but the NSA's code seems to be more readily available. Anybody have experience with these distributions or with similar approaches to Linux security?"
I'd just like to comment upon the NSA's Security-Enhanced Linux project.
It is certainly more accessible, and I've prompted my company to look into it. Considering the current political environment, I believe this is a good way for small consulting companies to distinguish themselves.
"Why, yes, Mr. Customer, we are very familiar with computer security and specialize in using products developed by the National Security Agency. If it's good enough for the NSA, don't you think it is good enough for your business?"
I installed their distribution and it works fine, except for the GUI login which says "Welcome to wiretap029114.nsa.gov". How do I change it back to "localhost.localdomain"?
...here.
Yes and no. They have to release the source to the people to whom the product is distributed. However, they don't have to make it publicly available. The catch is that the people who receive the source can also redistribute it at will. As someone else pointed out, the source is available here.
I expect, however, that HP has some proprietary stuff that's included in non-GPLd binaries.
- Buffer overflows and improper argument checking plague every modern UNIX kernel. Think about the recent sysctl() input validation hole in Linux. Or the recent /proc bugs in FreeBSD. Or the LDT handling bugs in NetBSD, Solaris, and many others.
- Most kernels were not designed with least privilege in mind. For instance, the mount() syscall allows ordinary users to mount and umount filesystems. Access checks are performed (to make sure it is mounted nosuid, and such) but there are undoubtedly holes waiting to be discovered.
- Until only recently, Linux had several bugs allowing users to commandeer each others' shared memory segments. This could be used to corrupt memory used by init(1) and several other critical programs, causing a major security breach.
- Because the X server needs low level hardware access, most OS kernels allow access to iopl(2) and ioperm(2). This means that attackers can talk directly with the hardware, bypassing the OS security. The alternative, of course, is to ban the use of graphical interfaces on that system; but usually that is unacceptable.
Although these issues can all be addressed, the problem of proper kernel security is at best a "whack a mole" situation in which a new hole will arise shortly after an existing hole is patched. Thus, the HP-LX software probably isn't worth the CD it is pressed onto.
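The "improper argument checking" failure mode the list above opens with is worth seeing concretely. The following is an added example, not code from the article, from HP-LX, or from the Linux sysctl() bug the poster mentions: it models a kernel-style string setting (a fixed-size value slot with a metadata field directly after it) and shows a write handler that trusts the caller's length beside one that validates it first. The struct, field names and the -1 return code are constructed for illustration.

```c
/*
 * Constructed example of a kernel-style value handler written from a
 * caller-supplied buffer. Not HP-LX or Linux code; the slot layout and
 * names are assumptions made for illustration.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

struct sysctl_slot {
    char value[16];          /* nul-terminated string setting */
    unsigned int owner_uid;  /* metadata that happens to sit right after it */
};

/* Constructed attacker input: 16 filler bytes followed by 4 zero bytes.
 * Bytes 16..19 land exactly on owner_uid when the length is not checked. */
static const char oversized_payload[20] = "AAAAAAAAAAAAAAAA";

/* Vulnerable handler: trusts user_len. Anything larger than sizeof(value)
 * writes past the buffer into owner_uid (and, in a real kernel, beyond). */
int slot_write_unchecked(struct sysctl_slot *s, const char *user, size_t user_len)
{
    memcpy(s->value, user, user_len);    /* no range check at all */
    return 0;
}

/* Hardened handler: validate before touching kernel memory. One byte is
 * reserved for the terminator, and an oversized value is rejected rather
 * than silently truncated so the caller learns it was not accepted. */
int slot_write_checked(struct sysctl_slot *s, const char *user, size_t user_len)
{
    if (user == NULL || user_len >= sizeof s->value)
        return -1;                        /* stands in for -EINVAL */
    memcpy(s->value, user, user_len);
    s->value[user_len] = '\0';
    return 0;
}

/* Runs one handler against a freshly initialised slot (owner_uid = 1000)
 * and reports the return code and what owner_uid looks like afterwards. */
struct outcome { int rc; unsigned int owner_uid_after; };

struct outcome try_write(int (*handler)(struct sysctl_slot *, const char *, size_t),
                         const char *user, size_t user_len)
{
    struct sysctl_slot s = { "", 1000 };
    struct outcome o;
    o.rc = handler(&s, user, user_len);
    o.owner_uid_after = s.owner_uid;
    return o;
}

int main(void)
{
    struct outcome a = try_write(slot_write_unchecked, oversized_payload, sizeof oversized_payload);
    struct outcome b = try_write(slot_write_checked, oversized_payload, sizeof oversized_payload);
    struct outcome c = try_write(slot_write_checked, "hello", 5);

    printf("unchecked, 20 bytes: rc=%d owner_uid=%u (was 1000)\n", a.rc, a.owner_uid_after);
    printf("checked,   20 bytes: rc=%d owner_uid=%u\n", b.rc, b.owner_uid_after);
    printf("checked,    5 bytes: rc=%d owner_uid=%u\n", c.rc, c.owner_uid_after);
    return 0;
}
```

The unchecked path silently zeroes the adjacent field; in a real kernel the bytes that follow a buffer are rarely that harmless. Note also that the check is `>=` rather than `>`: reserving the terminator byte is exactly the kind of off-by-one that "validated" handlers still get wrong.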
Over the next couple of years I saw high level management with no comprehension of the Unix/Linux/GNU world whatsoever do some very strange things. The HP environment is rife with strange little tribes that lie and steal from one another with no real reason. Their Linux community is no different.
And as far as HP contributing to the open source world - don't count on it. They will happily steal code, re-write it, and release it binary-only if they think they can get away with it. I've seen them do it. The whole damn company has a prima-donna attitude and will do pretty much whatever they think they can get away with.
And as far as HP and security go - take a look at their own damn HP-UX OS for a security model and ask yourself why they think they can release a unique and decent secure Linux product if they can't even release their own OS with any semblance of security?
...whatever happened to that commitment? I mean, were there any technical or (and) historical reasons for choosing Red Hat, or is that yet another instance of choice by misinformation or herd instinct?
Leandro Guimarães Faria Corcete DUTRA
DA, DBA, SysAdmin, Data Modeller
GNU Project, Debian GNU/Lin
HP is dumping HP-UX, and will be moving people to Linux...no one ever listens...
ttyl
Farrell
Typical Slashdot ranting about GPL violations and how this is nothing new etc. I wonder if anyone even read the article.
This is much more than just a few kernel modifications but rather a full distribution that comes on 4 CDs. Instead of just having some hacks that improve security, the whole distribution is built from the ground up with security in mind.
For example: You can't access a shell unless you're on a console or use ssh. You can't access the configuration tools unless you are in possession of the administrator's private ssh key. Also, the installer forces you to set the system up with security in mind instead of installing everything and the kitchen sink.
Best part of this is that it comes with support from a highly reputable vendor. Sure it has its price tag, but imagine the amount of work required to make a full distribution that's security conscious and backing it up with HP's name!
And yes, you can download the source code that goes into the kernel.
As a practical matter, it may help a lot because it makes the machine different from other Linux machines. While it may not be too hard conceptually to work out how to break through this kind of security, it will likely protect systems from common exploits of common bugs.
However, in the long term, the only solution I see to security problems is to build on foundations that have support for guarding against common bugs and analyzing security-related program properties. That means, among other things, using languages with built-in default checks for buffer overruns and using languages with type systems that can be used to verify that data doesn't get where it isn't supposed to get (Perl's notion of "tainted" is a simple runtime example; similar static type checking is also possible in some cases). Decades of UNIX, Windows, and Linux software development and bug tracking have shown that without such support, even skilled programmers simply cannot write software containing very serious security problems in actual releases. In different words, the Linux and Windows kernels and daemons will have to be rewritten in something other than C or C++. Sorry.
There's a missed point in discussing whether or not HP-LX is practical or whether or not it's worth $3000. HP's target market is and always has been big businesses. What they've done in providing a secure, robust Linux implementation is to take away IT managers' number one fear about Linux: that it's somehow "insecure."
Practically speaking, it's safe to assume that nobody is going to run out and nuke HP-UX 11 off their servers in favor of this - HP-UX is still very far ahead of Linux (and some of its competition) in several important areas. However, for IT managers interested in considering a partial migration to Linux, this gives them a stable and secure path down which to begin to venture, and undoubtedly one that's also covered by their existing support contracts with HP.
Charging $3000 for the CD set means that 99% of the jackasses who would use the GPL in order to buy something and then turn around and release it for free can't afford it, while the 1% that can have to pay a pretty penny to be jackasses. I can pretty much assure you some jackass Linux zealot with no understanding of the GPL is sitting in his bedroom right now trying to figure out how he can raise 3k so he can be a folk hero by releasing the code an evil company is keeping secret. At the very least HP is giving some idiot something to do.
The user-mode component is not GPL, but given the kernel API, it's pretty easy to make up the user part.
Bruce
Bruce Perens.
Uh... How about you go download the GPLed code from HP's site right now instead of speculating about what people could do.
However, you are not going to get the closed source administration tools, without which the kernel mods are almost worthless. You also don't get a fully set up distribution with all the configuration and will have to duplicate all the effort that went into creating it.
If you want to be reasonably sure that your version is secure you'd have to perform extensive testing on it and have a lot of really smart people take a look at it. This is actually the easiest part as it follows normal linux development method. Still, whose ass is on the line if things are not as secure as they should be?
And you can bet your ass that anything that doesn't need to be GPLed is not, and it comes with a very strict HP license that specifically forbids any disassembly, resale, etc. Support contracts probably also include a clause that you have to have purchased the official HP distribution.
The fact that SELinux (NSA's system) now uses the LSM framework means that it can be extended easily. You can either extend the SELinux modules or add further LSM modules of your own.
It should be extremely trivial to provide a complete, and more flexible, clone of the entire HP security framework inside LSM, as all you're really doing is providing a set of capabilities to each thread, with pre-set defaults.
In fact, you'd probably want to exploit SELinux' existing framework for this, so that you could create pre-set defaults on a per-user/per-login-type/per-thread basis.
All in all, HP's setup doesn't sound novel enough to be worth 3K, but does sound intriguing enough to copy. Which, really, is something the LSM guys seem to already be doing. They've ported a decent portion of the OpenWall framework, which does a lot of this kind of stuff already.
Not installing X doesn't cause the kernel to take note and alter how it treats the system calls in question.
The alternative, of course, is to ban the use of graphical interfaces on that system; but usually that is unacceptable.
The real way of doing this is putting the hardware drivers into the kernel (frame buffer devices).
No user process is supposed to access hardware directly, and if that meant we have no graphics, it would also mean no keyboard, text, or sound.
Although these issues can all be addressed, the problem of proper kernel security is at best a "whack a mole" situation in which a new hole will arise shortly after an existing hole is patched. Thus, the HP-LX software probably isn't worth the CD it is pressed onto.
That may be true, but it is only because of the nature of UNIX kernels. Kernels built with the principle of least privilege in mind (such as EROS) are definitely worth the fix, as a fix is quite unlikely to present new holes (and such a design is quite unlikely to have many holes in the first place).