Coyotos, A New Security-focused OS & Language

← Back to Stories (view on slashdot.org)

Coyotos, A New Security-focused OS & Language

Posted by Hemos on Tuesday January 25, 2005 @05:36AM from the locking-things-down dept.

wap writes "For those who haven't been following the EROS project, it has now migrated to the Coyotos project. EROS, the Extremely Reliable Operating System, was a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root. Capabilities allow a rigorous verification of the security of a system, something which is not possible in Unix-style and MS Windows systems. Coyotos is to be a real-world usable implementation of the ideas from EROS, complete with a Linux emulator layer. It also specifies a new language, called BitC which allows the programmer to prove that the code implements certain semantics, thus providing another layer of verifiable security. Could this be the most leet OS and language of 2005?" Another submittor asks how this stacks up against using Systems Management and "standard" OSes.

9 of 296 comments (clear)

Min score:

Reason:

Sort:

Need for a superuser? by PornMaster · 2005-01-25 05:42 · Score: 3, Interesting

One of the problems I see with high levels of security without a superuser-style account is the possibility of someone leaving, dying, or forgetting his password, and not being able to get to critical business data.

How is this resolved without a superuser?

--
500GB of disk, 5TB of transfer, $5.95/mo
1. Re:Need for a superuser? by Coryoth · 2005-01-25 05:50 · Score: 5, Interesting
  
  One of the problems I see with high levels of security without a superuser-style account is the possibility of someone leaving, dying, or forgetting his password, and not being able to get to critical business data.
  
  In SELinux, which I am more familiar with, and which also gets rid of the "superuser" account, everything is handled by context or role. That means you can isolate a process that wants "root" access to certain files by restricting its role to one that has access to only those files. Thus there is no "root" account that has access to everything. At the same time, it's possible to create a role that allows suitable access to make changes and/or recover lost data if necessary.
  
  I presume Coyotos, with its "capabilities" will work similarly - ie. there is no "root" account that has access to everything, but instead various capabilities that bound access to various resources.
  
  Jedidiah
  
  --
  Craft Beer Programming T-shirts
2. Re:Need for a superuser? by GeckoX · 2005-01-25 06:01 · Score: 3, Interesting
  
  And who has the rights to create that new user that has sufficient rights to get at all of that critical data that the guy who just died left behind?
  
  I see a bit of a chicken or an egg thing here.
  
  There will always have to be either the concept of a superuser, or there must be a way to create an account with any rights possible, otherwise it would be a very easy system to lose data to.
  
  So, no superuser. This means there must be some way to create an account with sufficient rights to recover lost data, which kinda undermines the security in the first place.
  
  Hope I'm missing something ;)
  
  --
  No Comment.
3. Re:Need for a superuser? by m50d · 2005-01-25 07:18 · Score: 2, Interesting
  
  So a determined malicious insider can do everything they can do under traditional unix, yes. But there's defense in depth here. For example, you can probably eliminate all your setuid binaries, just give them the capabilities they need. Cdrecord gets the "set own niceness very high" capability, but a cdrecord vulnerability doesn't make a local root one. Mplayer gets the "direct access to video card" capability. People who just need to be able to mount iso images don't need the root password. It's not a panacea, but it's another layer of protection.
  
  --
  I am trolling
4. Re:Need for a superuser? by 3TimeLoser · 2005-01-25 07:49 · Score: 2, Interesting
  
  It helps separate responsibility.
  
  I'm thinking out loud here, but let's assume there is an account or role (lets call it Auditor) that is used to create admin accounts and can recover password/encryption keys. Ideally, this account would be separate from the admin accounts used to manage the system and be the only one with access to certain audit logs/resources/encryption keys.
  
  This way, the Auditor account cannot manage the system or have root access to the file system, but it can recover encrypted data or create/delete admin accounts. On the other hand, the admin accounts cannot administer the Auditor account or delete audit logs, but can do just about anything else on the system.
  
  Granted, there is nothing that prevents the Auditor from resetting an admin password or creating a new admin, but that can be tightly controlled and monitored by manual process. For example, the Auditor credentials are only known by the CIO and only used when needed with direct supervision. These credentials can also be sealed and locked up in case the CIO dies or something. Any other use of those credentials should immediately throw up red flags and launch black helicopters.
  
  It would be nice if the OS enforced these roles, and I think that's what this discussion is all about.
  
  I'll shut up now.
Capabilities by Tet · 2005-01-25 05:49 · Score: 4, Interesting

a project to create an operating system whose security relied on capabilities rather than the traditional Unix model of root or non-root.
This has been possible in Linux (and some proprietary Unices) for some time now. Why the need for a separate OS? But mechanism alone won't solve your problems. You need to have suitable policies that make use of those mechanisms. And as the Fedora guys have found out with their SELinux adventures, getting the policies right for any non-trivial system is a bitch.

--
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Hmmm... by noblesse+oblige · 2005-01-25 06:19 · Score: 4, Interesting

While that was nice, my favorite feature of EROS (besides the name) was the idea that instead of a filesystem a disk was simply non-volitile memory cache. That facilitated my next favorite idea, orthogonal persistance, the somewhat like a persistant software suspend. I'd be interested in finding out (while the home page does not say) if these were the shortcomings of EROS it was alluding to.

--
Some will always be above others. Destroy the equality today, and it will appear again tomorrow. --Ralph Waldo Emerson
Re:Comparison with Multics? by Elwood+P+Dowd · 2005-01-25 06:32 · Score: 4, Interesting

Dunno about this Coyotos thing, but a major point of EROS was its checkpointing system & memory architecture. In my completely uninformed understanding, the idea was that there was no filesystem, and the persistent disk was only used to provide virtual memory and checkpoint the memory state.

So if you turn off the computer, and turn it back on again, it loads the last checkpoint, and your processes are all running and in the same state. That's what they mean by "Extremely reliable". There are supposedly processes running in KeyKOS, a similar OS, that have been running since before the computer's current hardware had been built. If that makes sense.

Dunno if Multics did that.

--

There are no trails. There are no trees out here.
Re:That's not the right question by Doctor+Memory · 2005-01-25 09:08 · Score: 2, Interesting

It would probably be simpler to encrypt person A's encryption key with trusted person B's public key and escrow it. Then, if something happens to A, B can retrieve the key from escrow and decrypt it. You could cascade this to produce a "chain-of-command"-style process, whereby the key must be sequentially decrypted by a string of people before the original is recovered.

--
Just junk food for thought...