Slashdot Mirror
Trusted Debian v1.0 Released
Peter Busser writes "The Trusted Debian project releases its first official release, v1.0. Its main focus is solving most (but unlikely all) buffer overflow problems. It features PaX, a kernel patch which does several things. It tries to keep code and data apart, it randomizes stack, code, heap and shared libraries, it does strict mprotect() checking and it also protects the kernel. Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code. It also features FreeS/WAN and RSBAC, an extensive access control framework. More information is available from the website. There is also a demonstration available for the special capabilities of this release."
No remote holes in three minutes will be the new slogan of the Secure Debian project.
:P
This must be a new linux record.
Got Extra Money?
which adds overflow checks to C/C++ code
;-)
Overflow check? But I thought C/C++'ers like the amount of CONTROL that comes from being able to shoot themselves in the foot!
At least, that's what they tell me when I tell them I program in Java now.
Guess you'll need to figure a way around these checks, eh?
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
The naming of this subproject is either poorly thought out, or just downright underhanded.
"Trusted Debian" is clearly targetted to compete with "Trusted Solaris" and "Trusted(?name right?) BSD". However, "Trusted Solaris" has been CERTIFIED to meet B2 level security criteria. There is no mention of any such certification, either performed, or in progress, on the project's home page. It is just a collection of security enhancements and tweaks that is "hoped" will merit the system being trusted, but I see no formal proof or audit of that.
Does it use NSA's SE Linux kernel patches? Ordinarily, I don't see much use for them, but it seems exactly the sort of thing that you would want for a trusted system.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
It's available on BudgetLinuxCDs.com as an upgrade to woody (recommended installation method)
Where is it implemented that a trustworthy operating system is required? there should be a standard for printing the word "trusted" on a software program, so that everyone knows what everyone else is talking about. Companies shouldn't just be able to print "trusted", just like i can't print "low fat" on a hamburger if it's not up to some standard of "low fat".
stuff |
This is added as a GCC option. (-fstack-protector or similar) All the CONTROL and power of C/C++ is still there. It's an optional feature for when you need it. I don't usually use C and/or C++ for the control though. It's all about performance.
The ratio of people to cake is too big
Now that Debian is "Trusted" (like everyone else in the freaking industry picking up the same buzzword), it's time to remember Anti-Trustworthy Computing.
Why do I h8 apple?
Is the "Trusted ***" namespace only given to operating systems that meet B2 security levels?
I assume a commity or something gives you the stamp and that then allows you to use "Trusted" in the name of your project?
The ratio of people to cake is too big
Now it is more secure than Debain Stable and more out-of-date.
Please note that Gentoo Linux also comes with a propolice enabled GCC and a PaX-enabled kernel.
It's up to you to use them or not.
{{.sig}}
...that i never trust any product that has the word "trust" in it?
pr0n - keeping monitor glass spotless since 1981.
I'm not trolling here, but I can't see the benefit of this over OpenBSD.
Admittedly there are apps that run under Linux that don't run under OpenBSD (namely commercial apps) but in this case, I would expect that running those apps on this system would lose the "Trusted" lack of buffer overflow possiblities etc., which defeats the object of the distribution. And the lack of commerical certification for this product would bely using it for such a reason anyway.
A cursory glance over their website doesn't show me anything which would me want to choose this over OpenBSD. In fact given the maturity of the OpenBSD project, and the man hours that have gone in to that piece of work, that is likely to be my first port of call anyway.
I'm not trying to put down the trusted debian guys, I just fail to see the point of their work (apart from the old - "why not" reason). So, if not for the licensing issue which debian has always held close to, why would anyone pick this over OpenBSD?
The Romans didn't find algebra very challenging, because X was always 10
I'll call an OS trusted after its been deployed for at least a year with no intrusions.
How do you call 1.0 of something 'trusted'? Regression testing and looking good on paper is great, but until you can prove that the damn thing works (i.e. make me trust it) it ain't trusted.
That said, I'm going to grab my copy and play around. We need more security-focused distros. BSD has it right (no remote exploits with a base install), linux needs to do a little catching up in the access control area.
uh... apperantly you haven't been reading the comments on this thread. I read through about 20 comments so far and not one praise, a few informational posts, and several critisisms.
What I'm sick of hearing on slashdot are people who think they'll sound smart by making immediate and unsubstantiated remarks against what is percieved by them to be the consensus. By acting this way, you might seem like you're noticing what everyone else is too dumb/blind to see, but it doesn't make you insightful, just contrary, which is equally as closed minded as being zealotous.
"Question with boldness even the existence of a god." - Thomas Jefferson
Here you go, you "too lazy to read the article" newbie
it randomizes stack, code, heap and shared libraries
PaX randomizes the place a program is loaded into memory. Buffer overflow attacks depend on the exact location of memory locations. Attacks are much harder when that location varies every time a program is executed. Thus making it much harder for attackers to locate the exact locations they need for a succesful attack. Again, PaX is the first to implement this kind of protection. No other UNIX system uses this kind of protection against buffer overflows, except OpenBSD. But their implementation is more restricted. It will randomize only one aspect of the memory (which technical people call the stack) where PaX randomizes four aspects (stack, heap, libraries and the main executable) and their implementation uses 10 bits against 24 bits for PaX
it does strict mprotect() checking
it adds proper checking to how memory is being used, to prevent badly written programs from accidentally opening up certain kinds of security holes
it also protects the kernel.
Third, PaX tries to do its best to keep code and data separate. Many buffer overflow attacks try to write some data and then try to execute it, as if it were code. PaX tries to prevent this. Fourth, PaX enforces the same kind of protection to the core of the system, the Linux kernel itself. Again, this is unique to PaX, there is no other UNIX system which offers the same kind of protection of its kernel
Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code.
The second product used by Trusted Debian to solve the buffer overflow problem is called the stack protector, formerly known as propolice. It is a modified GCC compiler written by Hiroaki Etoh at IBM and it adds a kind of ``booby-traps'' inside programs which are triggered when a buffer overflow occurs. The program is then terminated before the overflow can do any damage.
It also features FreeS/WAN and RSBAC, an extensive access control framework. Trusted Debian adds more than just these buffer overflow protection technology. Version v1.0 also ships with RSBAC, an extensive access control framework which will play an important role in future releases. And FreeS/WAN, which is able to encrypt all TCP/IP communication between two machines and can therefore be used for setting up VPNs or securing wireless LAN communication, among other things.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
Shouldn't we be pushing to get this integrated into other linux distros?
If Redhat, for example integrated in into RH 10 or Mandrake into 9.2.
Real security comes by design, not by sticking your thumb in the dike again and again and again.
--sdem
I run a home gateway box with SSH, IMAP, and Apache on open ports. I check for updates daily, and no one else has an account on my box.
/. users) to use something like this? Can someone sum up the benefits?
Is there any compelling reason for someone like me(and most
I'm not downplaying the importance of this kind of project. I can see its usefulness in a corporate environment. I'm just wondering if there's anything I'm forgetting on my current machine, and if this is a good way to address those problems.
http://www.masturbateforpeace.com/
When MS talks about trusted computing you can pretty much assume it's mostly marketing.
When the people at debian talk about trusted computing you can pretty much assume they are serious about putting together a solid and secure system.
It has the do with the character of the people making the annoucement.
War is necrophilia.
I know this is not an answer to many problems, but I wonder, why there is no biger efford put into binary sandboxing. I would LOVE to limit rights of sub-processes. Possible solution would be a user (group) submask. To explain what I mean:
Suppose you are an ordinary user with 32 bit UID
00 00 00 A7 and mask FF 00 00 00, given by the administrator. This mean you can acces all files (and resources) to which you can "chameleonise" UID to xx 00 00 A7
You can also run a subproces, say, x1 00 00 A7 with rights further restricted. This mean that the parent process will have the acces to all result of the child, but not vice-versa. Now you can run a network browser, email program, downloaded binary-only spyware etc. in their own sandboxes with access to particular resources only (say a directory with ownership 01 00 00 A7). They would not mess-up anything else... You would be able to limit network access etc.
Roman Kantor
PS: The beauty of this hack is that it can work with standard POSIX filesystems, you need to add masks only to processes. I am not sure how difficult would be to hack the linux kernel, but it should be relatively straightforward.
I forgot to mention in my original article, that "Trusted BSD" strives to meet the same security standards that Trusted Solaris does.
"Mandatory Access Controls" and all that fun stuff.
[www.trustedbsd.org]
So, "Trusted Debian" is the odd man out.
when m$ talks about trusted, it is a truly Orwellian example of doublespeak.
"You never want a serious crisis to go to waste." - Rahm Emanuel
All the stuff about buffer overflows, code audits, stack randomization... those are all attempts at plugging security issues.
None of them really have anything to do with "trusted computing".
Trusted computing is normally about 2 things: Making sure that nothing has access to anything it's not supposed to, and making sure that there is an audit trail for who did what.
Example: Normal linux distributed -vs- NT.
Okay... I hate windows.. but....
Ever been frustrated because, in windows, if someone sets permissions on a directory they own, and says administrator can't access it... when administrator tries to access it, he gets denied?
In unix, of course, root just ignores said permissions.. or changes them.
In NT.. administrator has to first take ownership of the object THEN change the permissions... and administrator can't assign ownership back to the other user (though of course, administrator can grant access to the object).
Why? So there is a trail of events. Your file was changed? You say you didn't do it? IF administrator did it, it will show in the file permissions.
Trusted sounds past tense. Almost like Debian was trusted at one point, but not anymore; that doesn't do much to instill confidence does it?. I propose a name change to "Trusting" Debian, as it sounds much nicer. Better still, we should drop the word Debian (how many people know what a Debian is anyhow?) and just go with the generic word "Computer". Now it's "Trusting Computer". See how that works?
Everyone likes a trusting computer.
On a normal Linux system running Slashdot, we see this:
On a Slashdot running one of the Trusted Debian kernels, you will see something like this:
As you can see every value is different.
If you own a PC and you dont have a firewall between it and the internet, you are pretty damned dumb.
Everyone always says this, but nobody seems to think about it. Why, exactly do I need a firewall between my PC and the internet at large? I keep up with my patches, I don't execute email attachments (I don't even use Outlook), I'm not "pretty damned dumb" in general... What is a firewall protecting me from, if I'm already being good about security? Anyone want to explain that to me?
If you want security, write in Java.
This kind of naive attitude is why we have so much bloody buggy software. While changing programming languages may reduce a certain class of errors, it will never, ever, ever result in security. It can't. The programming language can't prevent a programmer from being stupid.
If you want security, you'll actually have to do the one thing that few programmers actually take the time for in this industry: don't take shortcuts. Plan your software, plan your security model, code it carefully, have it peer reviewed (carefully, two or three times), etc...
Then you'll have a *hope* of security.
That being said, security in software is all a carefully crafted illusion anyway.
-- sigs cause cancer.
No. OpenBSD 3.3 has 4 different forms of buffer/memory/stack protection, and Theo says that, not only is there NOT a slowdown, but on a couple architectures, it actually speeds things up!
It seems that the Debian organization's main purpose is to emulate OpenBSD... They are dedicated to maintaining older, stable versions of software, they use NetBSD as the core of their Debian BSD distro, and now they almost directly copy OpenBSD's recent security efforts.
Not that there is anything wrong with that. I just find it very interesting.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If all of this stuff is so good and improves security, why isn't it rolled into the main Debian distribution?
Prevent email address forgery. Publish SPF records for y
My mistake... I've read about all this stuff a while ago, so I didn't correctly remember which post talked about which aspects of it.
It can be found in this magicpoint presentation. It's several pages into the presenatiton. it's plain text with some markup, so you can just grep through it (look for "sped") if you don't want to install magicpoint: http://www.openbsd.org/papers/csw03.mgp
I've read it other places before I saw the presentation, but google isn't working very well to find them, I don't have links to everything (I'd have millions of links if I make a link of everything, and kept them for this long), and I'm not going to spend a lot of time tracking down where I read this stuff. Check out deadly.org, or the OpenBSD misc/tech mailing list archives if you want additional confirmation, and discussion on the subject of the speed-up...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Microsoft got C2 certification for a specific NT configuration a while back, and only when NOT CONNECTED TO A NETWORK!!
'C' levels are nowhere close to 'B' levels.