Slashdot Mirror
Trusted Debian v1.0 Released
Peter Busser writes "The Trusted Debian project releases its first official release, v1.0. Its main focus is solving most (but unlikely all) buffer overflow problems. It features PaX, a kernel patch which does several things. It tries to keep code and data apart, it randomizes stack, code, heap and shared libraries, it does strict mprotect() checking and it also protects the kernel. Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code. It also features FreeS/WAN and RSBAC, an extensive access control framework. More information is available from the website. There is also a demonstration available for the special capabilities of this release."
No remote holes in three minutes will be the new slogan of the Secure Debian project.
:P
This must be a new linux record.
Got Extra Money?
which adds overflow checks to C/C++ code
;-)
Overflow check? But I thought C/C++'ers like the amount of CONTROL that comes from being able to shoot themselves in the foot!
At least, that's what they tell me when I tell them I program in Java now.
Guess you'll need to figure a way around these checks, eh?
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
The naming of this subproject is either poorly thought out, or just downright underhanded.
"Trusted Debian" is clearly targetted to compete with "Trusted Solaris" and "Trusted(?name right?) BSD". However, "Trusted Solaris" has been CERTIFIED to meet B2 level security criteria. There is no mention of any such certification, either performed, or in progress, on the project's home page. It is just a collection of security enhancements and tweaks that is "hoped" will merit the system being trusted, but I see no formal proof or audit of that.
For those of us who are simply novice linux users, can someone who understands the technical jargon explain why a home linux user would want to use this?
Thanks.
Don't all these "overflow checkers" kill the speed of C(++) apps? I'd like to see some comparisons between the two distributions.
Are the packages the same or unique? If the latter, why not merge w/ the original code and help us all out?
Is this better or worse than the NSA's secure kernel? Why is a new distribution required if a kernel is all that's changed?
You can't judge a book by the way it wears its hair.
Does it use NSA's SE Linux kernel patches? Ordinarily, I don't see much use for them, but it seems exactly the sort of thing that you would want for a trusted system.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
It's available on BudgetLinuxCDs.com as an upgrade to woody (recommended installation method)
hint - read the article before responding/modding
Where is it implemented that a trustworthy operating system is required? there should be a standard for printing the word "trusted" on a software program, so that everyone knows what everyone else is talking about. Companies shouldn't just be able to print "trusted", just like i can't print "low fat" on a hamburger if it's not up to some standard of "low fat".
stuff |
Well I don't think this project is trying to push a tightly controlled hardware platform to get better security.
This is added as a GCC option. (-fstack-protector or similar) All the CONTROL and power of C/C++ is still there. It's an optional feature for when you need it. I don't usually use C and/or C++ for the control though. It's all about performance.
The ratio of people to cake is too big
Now that Debian is "Trusted" (like everyone else in the freaking industry picking up the same buzzword), it's time to remember Anti-Trustworthy Computing.
Why do I h8 apple?
It seems like Cyclone is designed explicitly for this -- somewhere where safety guarantees are worth some slight (but not major) performance penalties. It's a low-level language designed to be very compatible with C, but adds a bunch of safety features to the language (with a mind towards optimization; for example, you can declare a pointer "never-NULL" to avoid run-time NULL-pointer checking). And it gets rid of pretty much all buffer-overflow or pointer-dereferencing style errors, rather than just catching some of them as these ad hoc approaches do.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Is the "Trusted ***" namespace only given to operating systems that meet B2 security levels?
I assume a commity or something gives you the stamp and that then allows you to use "Trusted" in the name of your project?
The ratio of people to cake is too big
Now it is more secure than Debain Stable and more out-of-date.
Please note that Gentoo Linux also comes with a propolice enabled GCC and a PaX-enabled kernel.
It's up to you to use them or not.
{{.sig}}
...that i never trust any product that has the word "trust" in it?
pr0n - keeping monitor glass spotless since 1981.
You suggest reading the article, yet the article says explicitly that this is the only distro other than OpenBSD (or, in one case, FreeBSD, and at the beginning, "encumbered" unices. So I guess I wonder, what would you know if somebody from the Trusted Debian project said, "The answer is seven."
It seems to me that your question is poorly phrased. What is it that you really wonder?
Oh, go on, check out my job.
I'm not trolling here, but I can't see the benefit of this over OpenBSD.
Admittedly there are apps that run under Linux that don't run under OpenBSD (namely commercial apps) but in this case, I would expect that running those apps on this system would lose the "Trusted" lack of buffer overflow possiblities etc., which defeats the object of the distribution. And the lack of commerical certification for this product would bely using it for such a reason anyway.
A cursory glance over their website doesn't show me anything which would me want to choose this over OpenBSD. In fact given the maturity of the OpenBSD project, and the man hours that have gone in to that piece of work, that is likely to be my first port of call anyway.
I'm not trying to put down the trusted debian guys, I just fail to see the point of their work (apart from the old - "why not" reason). So, if not for the licensing issue which debian has always held close to, why would anyone pick this over OpenBSD?
The Romans didn't find algebra very challenging, because X was always 10
I'll call an OS trusted after its been deployed for at least a year with no intrusions.
How do you call 1.0 of something 'trusted'? Regression testing and looking good on paper is great, but until you can prove that the damn thing works (i.e. make me trust it) it ain't trusted.
That said, I'm going to grab my copy and play around. We need more security-focused distros. BSD has it right (no remote exploits with a base install), linux needs to do a little catching up in the access control area.
Some might say there is a bit of a cause/effect relationship there. You are able to get better performance because you have greater control over your code, etc.
But I do take your point about the insight of making the protector an option.
uh... apperantly you haven't been reading the comments on this thread. I read through about 20 comments so far and not one praise, a few informational posts, and several critisisms.
What I'm sick of hearing on slashdot are people who think they'll sound smart by making immediate and unsubstantiated remarks against what is percieved by them to be the consensus. By acting this way, you might seem like you're noticing what everyone else is too dumb/blind to see, but it doesn't make you insightful, just contrary, which is equally as closed minded as being zealotous.
"Question with boldness even the existence of a god." - Thomas Jefferson
Shouldn't we be pushing to get this integrated into other linux distros?
If Redhat, for example integrated in into RH 10 or Mandrake into 9.2.
I can see this as a use for a firewall or in the wild pc.
If you own a PC and you dont have a firewall between it and the internet, you are pretty damned dumb.
This really is of no use to the average user.
I'd love to see a floppy distro for floppy firewall set up from it though. (upgrade the kernel to 2.4 so we can use modern firewall rules.)
Do not look at laser with remaining good eye.
Real security comes by design, not by sticking your thumb in the dike again and again and again.
--sdem
I think OpenBSD has been at it with such efforts for a while. Why is FreeBSD shifting its niche, or nudgeing OpenBSD out of the ring?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I run a home gateway box with SSH, IMAP, and Apache on open ports. I check for updates daily, and no one else has an account on my box.
/. users) to use something like this? Can someone sum up the benefits?
Is there any compelling reason for someone like me(and most
I'm not downplaying the importance of this kind of project. I can see its usefulness in a corporate environment. I'm just wondering if there's anything I'm forgetting on my current machine, and if this is a good way to address those problems.
http://www.masturbateforpeace.com/
When MS talks about trusted computing you can pretty much assume it's mostly marketing.
When the people at debian talk about trusted computing you can pretty much assume they are serious about putting together a solid and secure system.
It has the do with the character of the people making the annoucement.
War is necrophilia.
Well, in this case the security they're trying to achieve is that of your system, as opposed to certain tightly controlled platforms that simply "secure" data from pirates :). Or your own copies of media that you should be able to fairly use, for that matter (but that's a different discussion entirely).
The main gripes about Microsoft's 'trusted' computing were about:
Disclaimer: I am not in the security business, and all these are based on stuff I heard on Slashdot etc.
Thank you
GrimReality
2003-04-21 20:21:22 UTC (2003-04-21 16:21:22 EDT)
I know this is not an answer to many problems, but I wonder, why there is no biger efford put into binary sandboxing. I would LOVE to limit rights of sub-processes. Possible solution would be a user (group) submask. To explain what I mean:
Suppose you are an ordinary user with 32 bit UID
00 00 00 A7 and mask FF 00 00 00, given by the administrator. This mean you can acces all files (and resources) to which you can "chameleonise" UID to xx 00 00 A7
You can also run a subproces, say, x1 00 00 A7 with rights further restricted. This mean that the parent process will have the acces to all result of the child, but not vice-versa. Now you can run a network browser, email program, downloaded binary-only spyware etc. in their own sandboxes with access to particular resources only (say a directory with ownership 01 00 00 A7). They would not mess-up anything else... You would be able to limit network access etc.
Roman Kantor
PS: The beauty of this hack is that it can work with standard POSIX filesystems, you need to add masks only to processes. I am not sure how difficult would be to hack the linux kernel, but it should be relatively straightforward.
I forgot to mention in my original article, that "Trusted BSD" strives to meet the same security standards that Trusted Solaris does.
"Mandatory Access Controls" and all that fun stuff.
[www.trustedbsd.org]
So, "Trusted Debian" is the odd man out.
when m$ talks about trusted, it is a truly Orwellian example of doublespeak.
"You never want a serious crisis to go to waste." - Rahm Emanuel
All the stuff about buffer overflows, code audits, stack randomization... those are all attempts at plugging security issues.
None of them really have anything to do with "trusted computing".
Trusted computing is normally about 2 things: Making sure that nothing has access to anything it's not supposed to, and making sure that there is an audit trail for who did what.
Example: Normal linux distributed -vs- NT.
Okay... I hate windows.. but....
Ever been frustrated because, in windows, if someone sets permissions on a directory they own, and says administrator can't access it... when administrator tries to access it, he gets denied?
In unix, of course, root just ignores said permissions.. or changes them.
In NT.. administrator has to first take ownership of the object THEN change the permissions... and administrator can't assign ownership back to the other user (though of course, administrator can grant access to the object).
Why? So there is a trail of events. Your file was changed? You say you didn't do it? IF administrator did it, it will show in the file permissions.
About a dozen years ago, I worked on an OS called Trusted Xenix. It was put out by
Trusted Information Systems.
It ran quite nicely on about 15 MB of hard drive space on a 386.
But searching the web today, I don't think it is alive anymore.
It was no where near as nice to work with as Linux is, though.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Especially when you can get Linux emulation in OpenBSD.
Trusted sounds past tense. Almost like Debian was trusted at one point, but not anymore; that doesn't do much to instill confidence does it?. I propose a name change to "Trusting" Debian, as it sounds much nicer. Better still, we should drop the word Debian (how many people know what a Debian is anyhow?) and just go with the generic word "Computer". Now it's "Trusting Computer". See how that works?
Everyone likes a trusting computer.
If you want security, write in Java. You will never get overflow attacks, will be able to restict access of potentially buggy code to files, network and so on and will greatly reduce the chance that your server will crash because of memory corruption. If you want top performance, write raw C code. If you want both, use JNI for tasks other than processing network data or a C++ class library with bound checking.
/etc/passwd. At the very least, the process will be still crashed by bad input.
The overflow checker only makes a difference when compiling buggy code. And in this case it leaves every single bug exploitable in another way, by changing function's local variables rather than return address. Your network deamon might find itself writting log messages to
I don't think "trusted Debian" name is justified, since the method used only gives a slight increase in security.
No really. Imagine if someone told you of this über-super-deluxe secure system, and told you to "trust me" on that. I'd be a lot more sceptic than if they just gave me a demo and said "have a go at it, see what you think". Why? Because any college drop-out can say "trust me". But actually having something that looks secure and robust is in fact far more complex, even that too might be just good snakeoil.
Kjella
Live today, because you never know what tomorrow brings
On a normal Linux system running Slashdot, we see this:
On a Slashdot running one of the Trusted Debian kernels, you will see something like this:
As you can see every value is different.
No, but Scott got to choose...
Trusted according to some B2 level security criteria? Microsoft just got some kind of certification similar to that. This is bullshit. Getting these kind of certifications -- like getting the POSIX-compliant certification -- also costs millions of dollars, which FS and OSS developers can't afford and don't need.
Putting some fucking label on a product like B2 level security is NOT going to make it any more or less secure. It is bullshit to assist the mindless masses, and it in fact hinders theme, because it can lie. Does anyone really think that Slowlaris is more than OpenBSD, for example?
Quite frankly, we don't need some security certification to tell us whether or not a FS or OSS software is secure or not. Most of these projects have honesty policies, requiring that they disclose any problems, and we can always look at the code, if we're developers; furthermore, the community is highly organized in the OSS and FS worlds -- much more so than will ever be possible in the proprietary world -- we we can evaluate these things by user-rating and comment.
Formal proof will come with time, as people realize that these "tweaks" and "security enhancements" prevent buffer overflow attacks. We're not going to waste millions of dollars, however, to get a certification that doesn't mean shit. Real-world testing means something. See the F117 Stealth Fighter. Lab-based testing in a narrowly confined environment, however, doesn't mean shit.
social sciences can never use experience to verify their statemen
What are the benefits of implementing this versus an OpenSBD box? I would think that OPENBSD has the highest level of security fanaticism needed but maybe Debian can top that :)
Guess the whole OSS community benefits.
This guy is way out there
If all of this stuff is so good and improves security, why isn't it rolled into the main Debian distribution?
Prevent email address forgery. Publish SPF records for y
Well isnt this the target that palladium is supposed to achieve(or at least the claimed target by M$).
So is this like a palladium competitior, and if it is, why didnt M$ use this approach?
Why is there a penguin on my screen?
The lunatic is in my head
look at the top 2 items of this link
propolice is the same gcc stack protection that trusted debian uses, written by the same author whose email address is etoh@openbsd.org.
w^x is similar in concept to pax, but it is faster and doesn't break applications.
this has produced a hilarious 'debate' on the openbsd misc mailing list, as evidenced in threads like this and this
News update: Kurt Cobain is dead. The White House and Congress are both under Republican control. The Dallas Cowboys suck.
Yggdrasil?!?!?!
dinner: it's what's for beer
This is the lesson: assume your OS is insecure and adopt a level of risk acceptance. Don't put all your eggs into one basket unless you really can handle loosing them all. Don't every trust anyone who says they have a "fool proof" or "hacker proof" system or anything to that degree of finality including, "Oh, don't worry... no one will ever break this." If you are running a home server and the worst you have to loose is some of your prized pumpkin pie recipes then I would not worry much at all. If however you store customers' personal information and financial information then yes I would be a bit more concerned.
Two words: marketing buzzword.
1. Create more secure operating system.
2. Give it away for free.
3. ????
4. PROFIT!
Ok, I give, wtf _IS_ the third step that would require a marketing buzzword? I guess you can market for bragging rights, but I am guessing it was more of an afterthought than a business plan.
I bet I can name everyone that has gotten rich on Debian on one hand.............and still have 5 fingers left.
Tequila: It's not just for breakfast anymore!
There seem to be more zealot zealot-haters than any other kind of zealots..
See Jason1729 for version updates:
his likely response will be:
"Well its just, like, Trusted Debian, renamed to Secure Debian....the GNU license lets me do that..and stuff."
I do think we should rewrite the legacy net applications. They are old, bloated, and full of security holes. Cyclone is a cool language that no low-level security nut can ignore, but I also don't think it's necessary to write network apps in low-level languages. That's really tedious.
For instance, I rewrote ftpd in SML because I got sick of buffer overflows. It only took me a few days and the result was much leaner (wu_ftpd is 30,000 lines, mine was about 800) and definitely has fewer buffer overflows / heap overflows / double-frees / integer overflows / printf-exploits (SML, like other safe languages, makes it impossible to write such code). If I was able to rewrite that by myself in such a short amount of time, I don't think it would be so much work to reimplement the standard services with a talented team of programmers. Such services would be optimal for the kind of user who wants, say, a working ssh daemon that he doesn't need to update so often, which has support for all of the standard features but nothing fancy (hardware-based authentication, etc.).
If this is how you feel. Send a check to RH and MDK with a letter explaining what you'd like it to be used for. If you provide enough, I'm sure it will happen.
Really important stuff, like say SSHd, should be written in something safe. Just compiling in bounds-checking in an ad hoc manner is both slower and less safe than writing it safely to begin with.
Though as the other poster mentioned, if people just abandoned C in the first place, we'd solve a lot of the problems. Cyclone is nice in that it's a way for people who still want C's low-level control to abandon C's security holes without using a high-level language like SML.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
" So you are personally acquainted with employees of the respective organizations? I thought not... "
Although I have met several MS developers and have interacted with several Debian developers via email I would not say that I am "personally aquanted" with any of them.
I am simply judging the intent of these two organizations based on their past behavior.
War is necrophilia.
No offense to you, but I keep hearing people parrot "regression testing" and I wonder if its not just because it sounds cool.
Note that I didn't say anything about having just one machine. What about risk assesment, I think the 30 minutes spent on installing shorewall are worth if they avoid a full reinstall of the OS. With Windows just getting it installed, then installing drivers, programs, updates and configuring can take about 6 hours. Things like retinal scanners wouldn't help since that'd be definitely more trouble than it's worth.
Anyway, what I meant is that a firewall can be an useful addition, especially when you have computers with a narrow function. This is pretty much the setup I have here, btw, firewall, DMZ, and 3 computers in the private network. The firewall protects things pretty well, and also does some bandwidth limiting.
Were all three used equal amount of times doing similar tasks?
I'm not trying to debunk your claim, the whole idea of it wouldn't hold a whole lot of water if the linux box was your NAT box or the like, and you used the Windows machines as your workstations fulltime. What did the roles of the three machines play?
DrPascal: Not the language, the mathematician.
hey, good post! Actually informative in e-z to understand english for non-programmers.
Hope the other distros jump all over these innovations!
sorry, no mod points,, give ya a virtual +1 though.
They should drop the word "Debian" because it isn't an official Debian project. Those people have never contacting the Debian developers at all.
Who made this distribution? This isn't an official Debian project at all, in fact the Debian developers knew nothing about it until today. On the whole site there isn't a single email or name given, and the mailing list archives are password protected. I wouldn't trust this project at all, if the developers don't even say their names.
I certainly think binary sandboxing would be a good idea, though implementing it has a lot of various tricky issues I'd imagine. It wouldn't solve all problems though; for example, the recent OpenSSH root exploit would've been prevented if it had been written in Cyclone, but would not have been prevented by binary sandboxing, since OpenSSH has to run as root (or some other priviliged user) to be useful.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
A couple of Alexa links... OpenBSD http://www.alexa.com/data/details/traffic_details? &range=3m&size=medium&compare_sites=&url=http://ww w.OpenBSD.org/#top
FreeBSD
http://www.alexa.com/data/details/traffic_details? q=&url=http://www.freebsd.org/
Both pages are trending up.
I agree, the project I am working on "talks the talk" but can't "walk the walk" on security. They base their level of security on a scan and the DISA USTIG, do not care about SSH and allow telnet! And God forbid we don't audit everything, despite the lack of tools to exploit the information. It's just another box to check off saying it's done! What needs to happen is for Government agencies to get slammed in a "real" security audit conducted by "outside" personnel. After a few senior managers get canned the rest will fall in line. I have personally never worked with a "Trusted" OS, despite working on systems up to and including Top Secret. In too many cases security takes a back seat to cost. I like the idea of Trusted operating systems, and I hope Debian gets there.
That should set expectations straight....
It seems that when the OS/distribution is hard to install it's usually more secure.
Windows - easy install, crappy security
Linux - medium installation, somewhat secure
OpenBSD - You can install it?
So, will Trusted Debian include even poorer and harder installation than normal Debian?
Yes, well, I think we can all rejoice in the knowledge that the DoD doesn't dictate proper uses of words outside their own backyard. There is absolutely no reason why any distribution of any operating system whatsoever (especially ones not stemming from the United States, like Trusted Debian) should have to conform in its naming to the definitions set by the Pentagon.
So what you are saying is that it's impossible to build a trusted system?
I don't follow, sorry. THe point is the system is designed to enforce a certain issue; the fact that there may be a way around it by going outside that system is irrelevant.