Slashdot Mirror
Trusted Debian v1.0 Released
Peter Busser writes "The Trusted Debian project releases its first official release, v1.0. Its main focus is solving most (but unlikely all) buffer overflow problems. It features PaX, a kernel patch which does several things. It tries to keep code and data apart, it randomizes stack, code, heap and shared libraries, it does strict mprotect() checking and it also protects the kernel. Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code. It also features FreeS/WAN and RSBAC, an extensive access control framework. More information is available from the website. There is also a demonstration available for the special capabilities of this release."
No remote holes in three minutes will be the new slogan of the Secure Debian project.
:P
This must be a new linux record.
Got Extra Money?
which adds overflow checks to C/C++ code
;-)
Overflow check? But I thought C/C++'ers like the amount of CONTROL that comes from being able to shoot themselves in the foot!
At least, that's what they tell me when I tell them I program in Java now.
Guess you'll need to figure a way around these checks, eh?
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
The naming of this subproject is either poorly thought out, or just downright underhanded.
"Trusted Debian" is clearly targetted to compete with "Trusted Solaris" and "Trusted(?name right?) BSD". However, "Trusted Solaris" has been CERTIFIED to meet B2 level security criteria. There is no mention of any such certification, either performed, or in progress, on the project's home page. It is just a collection of security enhancements and tweaks that is "hoped" will merit the system being trusted, but I see no formal proof or audit of that.
Don't all these "overflow checkers" kill the speed of C(++) apps? I'd like to see some comparisons between the two distributions.
Are the packages the same or unique? If the latter, why not merge w/ the original code and help us all out?
Is this better or worse than the NSA's secure kernel? Why is a new distribution required if a kernel is all that's changed?
You can't judge a book by the way it wears its hair.
Does it use NSA's SE Linux kernel patches? Ordinarily, I don't see much use for them, but it seems exactly the sort of thing that you would want for a trusted system.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
It's available on BudgetLinuxCDs.com as an upgrade to woody (recommended installation method)
hint - read the article before responding/modding
Where is it implemented that a trustworthy operating system is required? there should be a standard for printing the word "trusted" on a software program, so that everyone knows what everyone else is talking about. Companies shouldn't just be able to print "trusted", just like i can't print "low fat" on a hamburger if it's not up to some standard of "low fat".
stuff |
Well I don't think this project is trying to push a tightly controlled hardware platform to get better security.
This is added as a GCC option. (-fstack-protector or similar) All the CONTROL and power of C/C++ is still there. It's an optional feature for when you need it. I don't usually use C and/or C++ for the control though. It's all about performance.
The ratio of people to cake is too big
Now that Debian is "Trusted" (like everyone else in the freaking industry picking up the same buzzword), it's time to remember Anti-Trustworthy Computing.
Why do I h8 apple?
It seems like Cyclone is designed explicitly for this -- somewhere where safety guarantees are worth some slight (but not major) performance penalties. It's a low-level language designed to be very compatible with C, but adds a bunch of safety features to the language (with a mind towards optimization; for example, you can declare a pointer "never-NULL" to avoid run-time NULL-pointer checking). And it gets rid of pretty much all buffer-overflow or pointer-dereferencing style errors, rather than just catching some of them as these ad hoc approaches do.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Is the "Trusted ***" namespace only given to operating systems that meet B2 security levels?
I assume a commity or something gives you the stamp and that then allows you to use "Trusted" in the name of your project?
The ratio of people to cake is too big
Now it is more secure than Debain Stable and more out-of-date.
Please note that Gentoo Linux also comes with a propolice enabled GCC and a PaX-enabled kernel.
It's up to you to use them or not.
{{.sig}}
...that i never trust any product that has the word "trust" in it?
pr0n - keeping monitor glass spotless since 1981.
I'm not trolling here, but I can't see the benefit of this over OpenBSD.
Admittedly there are apps that run under Linux that don't run under OpenBSD (namely commercial apps) but in this case, I would expect that running those apps on this system would lose the "Trusted" lack of buffer overflow possiblities etc., which defeats the object of the distribution. And the lack of commerical certification for this product would bely using it for such a reason anyway.
A cursory glance over their website doesn't show me anything which would me want to choose this over OpenBSD. In fact given the maturity of the OpenBSD project, and the man hours that have gone in to that piece of work, that is likely to be my first port of call anyway.
I'm not trying to put down the trusted debian guys, I just fail to see the point of their work (apart from the old - "why not" reason). So, if not for the licensing issue which debian has always held close to, why would anyone pick this over OpenBSD?
The Romans didn't find algebra very challenging, because X was always 10
I'll call an OS trusted after its been deployed for at least a year with no intrusions.
How do you call 1.0 of something 'trusted'? Regression testing and looking good on paper is great, but until you can prove that the damn thing works (i.e. make me trust it) it ain't trusted.
That said, I'm going to grab my copy and play around. We need more security-focused distros. BSD has it right (no remote exploits with a base install), linux needs to do a little catching up in the access control area.
uh... apperantly you haven't been reading the comments on this thread. I read through about 20 comments so far and not one praise, a few informational posts, and several critisisms.
What I'm sick of hearing on slashdot are people who think they'll sound smart by making immediate and unsubstantiated remarks against what is percieved by them to be the consensus. By acting this way, you might seem like you're noticing what everyone else is too dumb/blind to see, but it doesn't make you insightful, just contrary, which is equally as closed minded as being zealotous.
"Question with boldness even the existence of a god." - Thomas Jefferson
Here you go, you "too lazy to read the article" newbie
it randomizes stack, code, heap and shared libraries
PaX randomizes the place a program is loaded into memory. Buffer overflow attacks depend on the exact location of memory locations. Attacks are much harder when that location varies every time a program is executed. Thus making it much harder for attackers to locate the exact locations they need for a succesful attack. Again, PaX is the first to implement this kind of protection. No other UNIX system uses this kind of protection against buffer overflows, except OpenBSD. But their implementation is more restricted. It will randomize only one aspect of the memory (which technical people call the stack) where PaX randomizes four aspects (stack, heap, libraries and the main executable) and their implementation uses 10 bits against 24 bits for PaX
it does strict mprotect() checking
it adds proper checking to how memory is being used, to prevent badly written programs from accidentally opening up certain kinds of security holes
it also protects the kernel.
Third, PaX tries to do its best to keep code and data separate. Many buffer overflow attacks try to write some data and then try to execute it, as if it were code. PaX tries to prevent this. Fourth, PaX enforces the same kind of protection to the core of the system, the Linux kernel itself. Again, this is unique to PaX, there is no other UNIX system which offers the same kind of protection of its kernel
Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code.
The second product used by Trusted Debian to solve the buffer overflow problem is called the stack protector, formerly known as propolice. It is a modified GCC compiler written by Hiroaki Etoh at IBM and it adds a kind of ``booby-traps'' inside programs which are triggered when a buffer overflow occurs. The program is then terminated before the overflow can do any damage.
It also features FreeS/WAN and RSBAC, an extensive access control framework. Trusted Debian adds more than just these buffer overflow protection technology. Version v1.0 also ships with RSBAC, an extensive access control framework which will play an important role in future releases. And FreeS/WAN, which is able to encrypt all TCP/IP communication between two machines and can therefore be used for setting up VPNs or securing wireless LAN communication, among other things.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
Shouldn't we be pushing to get this integrated into other linux distros?
If Redhat, for example integrated in into RH 10 or Mandrake into 9.2.
I can see this as a use for a firewall or in the wild pc.
If you own a PC and you dont have a firewall between it and the internet, you are pretty damned dumb.
This really is of no use to the average user.
I'd love to see a floppy distro for floppy firewall set up from it though. (upgrade the kernel to 2.4 so we can use modern firewall rules.)
Do not look at laser with remaining good eye.
Real security comes by design, not by sticking your thumb in the dike again and again and again.
--sdem
It's harder to compromise the machine and access your data. However, if you are a basic home user, then you probably aren't running any services (web server, email server, DNS server, etc.) that would cause you to be vulnerable to attack. This kind of initiative makes it harder to use a connection to a computer to compromise it. If your computer doesn't have any services that answer connections, then it can't be compromised. Thus, for a home user, this probably doesn't do much for you.
You might want to look at the Debian Desktop project or check out LindowsOS or Xandros. They are more targeted towards home users than this (or than straight Debian for that matter). The stable versions of Debian are primarily aimed at servers. Unstable and testing are geared towards techies and developers.
There are also several other distros that are not based on Debian that are aimed more towards home users. Debian has an advantage here, however, since they have apt-get to manage package dependencies, downloads, and installs.
I run a home gateway box with SSH, IMAP, and Apache on open ports. I check for updates daily, and no one else has an account on my box.
/. users) to use something like this? Can someone sum up the benefits?
Is there any compelling reason for someone like me(and most
I'm not downplaying the importance of this kind of project. I can see its usefulness in a corporate environment. I'm just wondering if there's anything I'm forgetting on my current machine, and if this is a good way to address those problems.
http://www.masturbateforpeace.com/
When MS talks about trusted computing you can pretty much assume it's mostly marketing.
When the people at debian talk about trusted computing you can pretty much assume they are serious about putting together a solid and secure system.
It has the do with the character of the people making the annoucement.
War is necrophilia.
I know this is not an answer to many problems, but I wonder, why there is no biger efford put into binary sandboxing. I would LOVE to limit rights of sub-processes. Possible solution would be a user (group) submask. To explain what I mean:
Suppose you are an ordinary user with 32 bit UID
00 00 00 A7 and mask FF 00 00 00, given by the administrator. This mean you can acces all files (and resources) to which you can "chameleonise" UID to xx 00 00 A7
You can also run a subproces, say, x1 00 00 A7 with rights further restricted. This mean that the parent process will have the acces to all result of the child, but not vice-versa. Now you can run a network browser, email program, downloaded binary-only spyware etc. in their own sandboxes with access to particular resources only (say a directory with ownership 01 00 00 A7). They would not mess-up anything else... You would be able to limit network access etc.
Roman Kantor
PS: The beauty of this hack is that it can work with standard POSIX filesystems, you need to add masks only to processes. I am not sure how difficult would be to hack the linux kernel, but it should be relatively straightforward.
I forgot to mention in my original article, that "Trusted BSD" strives to meet the same security standards that Trusted Solaris does.
"Mandatory Access Controls" and all that fun stuff.
[www.trustedbsd.org]
So, "Trusted Debian" is the odd man out.
when m$ talks about trusted, it is a truly Orwellian example of doublespeak.
"You never want a serious crisis to go to waste." - Rahm Emanuel
All the stuff about buffer overflows, code audits, stack randomization... those are all attempts at plugging security issues.
None of them really have anything to do with "trusted computing".
Trusted computing is normally about 2 things: Making sure that nothing has access to anything it's not supposed to, and making sure that there is an audit trail for who did what.
Example: Normal linux distributed -vs- NT.
Okay... I hate windows.. but....
Ever been frustrated because, in windows, if someone sets permissions on a directory they own, and says administrator can't access it... when administrator tries to access it, he gets denied?
In unix, of course, root just ignores said permissions.. or changes them.
In NT.. administrator has to first take ownership of the object THEN change the permissions... and administrator can't assign ownership back to the other user (though of course, administrator can grant access to the object).
Why? So there is a trail of events. Your file was changed? You say you didn't do it? IF administrator did it, it will show in the file permissions.
Trusted sounds past tense. Almost like Debian was trusted at one point, but not anymore; that doesn't do much to instill confidence does it?. I propose a name change to "Trusting" Debian, as it sounds much nicer. Better still, we should drop the word Debian (how many people know what a Debian is anyhow?) and just go with the generic word "Computer". Now it's "Trusting Computer". See how that works?
Everyone likes a trusting computer.
If you want security, write in Java. You will never get overflow attacks, will be able to restict access of potentially buggy code to files, network and so on and will greatly reduce the chance that your server will crash because of memory corruption. If you want top performance, write raw C code. If you want both, use JNI for tasks other than processing network data or a C++ class library with bound checking.
/etc/passwd. At the very least, the process will be still crashed by bad input.
The overflow checker only makes a difference when compiling buggy code. And in this case it leaves every single bug exploitable in another way, by changing function's local variables rather than return address. Your network deamon might find itself writting log messages to
I don't think "trusted Debian" name is justified, since the method used only gives a slight increase in security.
On a normal Linux system running Slashdot, we see this:
On a Slashdot running one of the Trusted Debian kernels, you will see something like this:
As you can see every value is different.
If all of this stuff is so good and improves security, why isn't it rolled into the main Debian distribution?
Prevent email address forgery. Publish SPF records for y
This is the lesson: assume your OS is insecure and adopt a level of risk acceptance. Don't put all your eggs into one basket unless you really can handle loosing them all. Don't every trust anyone who says they have a "fool proof" or "hacker proof" system or anything to that degree of finality including, "Oh, don't worry... no one will ever break this." If you are running a home server and the worst you have to loose is some of your prized pumpkin pie recipes then I would not worry much at all. If however you store customers' personal information and financial information then yes I would be a bit more concerned.
Two words: marketing buzzword.
1. Create more secure operating system.
2. Give it away for free.
3. ????
4. PROFIT!
Ok, I give, wtf _IS_ the third step that would require a marketing buzzword? I guess you can market for bragging rights, but I am guessing it was more of an afterthought than a business plan.
I bet I can name everyone that has gotten rich on Debian on one hand.............and still have 5 fingers left.
Tequila: It's not just for breakfast anymore!
Microsoft got C2 certification for a specific NT configuration a while back, and only when NOT CONNECTED TO A NETWORK!!
'C' levels are nowhere close to 'B' levels.
I do think we should rewrite the legacy net applications. They are old, bloated, and full of security holes. Cyclone is a cool language that no low-level security nut can ignore, but I also don't think it's necessary to write network apps in low-level languages. That's really tedious.
For instance, I rewrote ftpd in SML because I got sick of buffer overflows. It only took me a few days and the result was much leaner (wu_ftpd is 30,000 lines, mine was about 800) and definitely has fewer buffer overflows / heap overflows / double-frees / integer overflows / printf-exploits (SML, like other safe languages, makes it impossible to write such code). If I was able to rewrite that by myself in such a short amount of time, I don't think it would be so much work to reimplement the standard services with a talented team of programmers. Such services would be optimal for the kind of user who wants, say, a working ssh daemon that he doesn't need to update so often, which has support for all of the standard features but nothing fancy (hardware-based authentication, etc.).
'C' levels are nowhere close to 'B' levels.
For 'B' you have to pull the power out too. 'A' requires metalworking skills.
Yours Sincerely, Michael.