I agree that chroot isn't the best sandbox out there. I prefer Virtual Machines, although they're a little more resource intensive (& not free).
I've been considering running a machine with two interfaces but not assigning it any IP addresses, at least for the "host" OS. Then, I could run one or more servers within virtual machines. For instance, the firewall VM would have access to both interfaces, and have IP addresses on them both. DNS and DHCP servers would only need a LAN interface.
I'd need a decent processor with lots of RAM to pull this off, but imagine the possibilities. Running snort in the host OS on the WAN port would give me stealth IDS capabilities. Running it on the LAN port listening for packets on port 514 would give me a stealth syslogger. Since there's no IP addresses to access the host OS, there's no target to hack!
Now, let's take it a step further and imagine this scenario: The stealth IDS detects with some certainty that my BIND DNS server was once again compromised and a hax0r l0ser is launching a DDoS attack from it. Since the IDS is running on the host OS, it shuts down the offending VM, restores the VM's disk to a known good one and restarts it. Insta-restore!
One other method I've been contemplating that I consider somewhere between VMs and chroots is running the servers under User-mode Linux. I haven't had a chance to play with that yet, so don't know the security implications. I can't imagine it would be worse than chroot, and it wouldn't tie up resources as much as VMs do.
Actually, since Return to Sender is a task that only the U.S.P.S. can give itself, the proper response is to write Refused on the front by the address, sign and date it. Then, if it is first class mail, or return service is guaranteed, the postmaster will stamp it Return to Sender and ship it back.
IANAPM, but I think that's how it's supposed to work...
And, yes, you can probably get away with signing it "Grand Poobah."
While some may scoff, the ACM has an article on the Windows 95 interface, a little bit aged by now. Though many in this forum dislike Microsoft for its other faults (the constant crashes, draconian business practices, etc.), a big part of their current success comes from the fact that their user interface is simply easy to use. They do their homework when it comes to that.
My mom couldn't spell WWW when I set up my parents' computer for them a couple years ago. She complained that IE wouldn't go to the website after she typed in the address. It took me a while to realize that she wasn't pressing Enter when she finished typing the address in. That's why they have that little "Go" button next to the address box that I always get rid of right away.. Duh!
More GP registers is fine, but without a method to access them, they're useless. The r/m operand within current instructions only has room for the existing 8 registers. Expanding that would break all x86 code. Read that as "you have a new and incompatible architecture."
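As an added illustration of the comment's point about the r/m operand (example code written for this page, not taken from the comment or the article it discusses): decoding and re-encoding the x86 ModRM byte shows that the reg and r/m fields are three bits each, so only eight registers can be named. The 32-bit register names are the standard ones; the article's proposed register-mapping extension is not implemented here.

```python
# Added example, not from the comment or the article it discusses: split and
# rebuild the x86 ModRM byte to show why its reg and r/m fields cannot name
# more than eight registers. Only the register-direct and the simple
# register-indirect forms are decoded; SIB and displacement forms are skipped.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_modrm(byte):
    """Return (mod, reg, rm): 2-bit addressing mode plus two 3-bit fields."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("ModRM is a single byte")
    return byte >> 6, (byte >> 3) & 0b111, byte & 0b111


def encode_modrm(mod, reg, rm):
    """Pack the fields back into a byte; register numbers above 7 do not fit."""
    if not (0 <= mod <= 3 and 0 <= reg <= 7 and 0 <= rm <= 7):
        raise ValueError("reg and r/m are 3-bit fields: only registers 0..7 fit")
    return (mod << 6) | (reg << 3) | rm


def operand_names(byte):
    """Name the reg operand and the r/m operand of a 32-bit instruction.

    mod == 0b11 means r/m is itself a register; mod == 0b00 means r/m is a
    memory operand addressed by that register, except rm 100 (SIB follows)
    and rm 101 (32-bit displacement follows), which need extra bytes.
    """
    mod, reg, rm = decode_modrm(byte)
    if mod == 0b11:
        return REGS32[reg], REGS32[rm]
    if mod == 0b00 and rm not in (0b100, 0b101):
        return REGS32[reg], "[" + REGS32[rm] + "]"
    raise NotImplementedError("SIB and displacement forms are not handled here")


def register_capacity():
    """Distinct registers a 3-bit field can address."""
    return 1 << 3


if __name__ == "__main__":
    # 89 D8 is MOV EAX, EBX: opcode 89 (MOV r/m32, r32), ModRM D8 = 11 011 000.
    print(decode_modrm(0xD8), operand_names(0xD8))  # (3, 3, 0) ('ebx', 'eax')
    try:
        encode_modrm(0b11, 8, 0)  # a hypothetical ninth register
    except ValueError as err:
        print("cannot encode:", err)
```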
I found the article intriguing, but during the entire verbose, self-important sounding read, I was wondering how ISRs would be handled. For example, if the RMC were set to revert to the default mapping in three ops, and an ISR interrupted after the first op, would it revert to the default mapping in the middle of the ISR?
Fortunately, that issue is addressed in his Message Parlor. The full text of his response to BritGeek follows:
Presently the registers are saved automatically by the processor in something called a Task State Segment (TSS) during a task switch. There are currently unused portions of TSS which could be utilized and (sic) for RM and RMC during a task switch.
The PUSHRMC and POPRMC instructions are available for explicit saves/restores of the RM and RMC registers in general code. I don't recommend it, however. The decoders would be physically stalled until the RM/RMC registers are re-populated. It would be better to use explicit MOVRMCs in general code.
I stand corrected. Linking is part of the greater compile cycle, but to say that the kernel must be relinked would be more precise.
I think the version I had to work on was in the 3.x range. We were working with some legacy software that only runs on that version, so we were unable to upgrade. It couldn't even be made 2K compliant, but much to the management's chagrin, didn't explode after all. In fact it's still running like a champ!
How many people here remember the older versions of SCO UNIX? It used to be, when you got drivers for an add-in card, you received only the source or a library file and headers. You'd have to recompile the kernel just to get that old NetCom X.25 card working.
Thankfully, they had an interface to automate that. It was a CUI, of course, because few people had the luxury of enough memory to run X11.. (Ack! I sound like my dad.. "I had to walk to school! Uphill; both ways!") But, all you had to do was run a script. Perhaps more than "./configure; make; make install," but not too involved. An entry-level sys-admin could do it. Of course, they had dead-tree instructions to guide them too; something that's missing all too often today.
Some of you may be thinking there's no need to recompile the kernel if you can just use insmod. Have you heard of the module-based rootkits? My hardened system has loadable modules disabled. If I need to compile something, I do it on another system. A little paranoia pays off in this world.
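A check a defender can run to confirm the hardening described in the comment (added here; not the commenter's own tooling): it reports whether a Linux kernel can still load modules, using CONFIG_MODULES in the kernel build config and the kernel.modules_disabled sysctl. Sample files are constructed inline so it runs offline; the live-host paths are noted in the comments.

```python
# Added example, not from the comment: report whether a Linux host can still
# load kernel modules, the capability a module-based rootkit depends on.
# Two sources are consulted: CONFIG_MODULES in the kernel build config (on a
# typical system /boot/config-<release>) and the runtime sysctl
# kernel.modules_disabled, read from /proc/sys/kernel/modules_disabled.
# Both paths are parameters so the check can run against constructed files.
import tempfile
from pathlib import Path


def module_loading_state(config_path, sysctl_path):
    """Return 'disabled-at-build', 'disabled-at-runtime' or 'enabled'."""
    config = Path(config_path)
    if config.is_file():
        options = config.read_text().splitlines()
        # A monolithic kernel lists the option as "# CONFIG_MODULES is not set".
        if "CONFIG_MODULES=y" not in options:
            return "disabled-at-build"
    sysctl = Path(sysctl_path)
    # modules_disabled=1 is one-way: it cannot be cleared until reboot.
    if sysctl.is_file() and sysctl.read_text().strip() == "1":
        return "disabled-at-runtime"
    return "enabled"


def make_samples():
    """Write constructed config/sysctl files (not copied from any real host)."""
    root = Path(tempfile.mkdtemp(prefix="modcheck-"))
    files = {
        "config-modular": "CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\n",
        "config-monolithic": "# CONFIG_MODULES is not set\n",
        "sysctl-on": "1\n",
        "sysctl-off": "0\n",
    }
    for name, text in files.items():
        (root / name).write_text(text)
    return {name: str(root / name) for name in files}


if __name__ == "__main__":
    s = make_samples()
    print(module_loading_state(s["config-monolithic"], s["sysctl-off"]))
    print(module_loading_state(s["config-modular"], s["sysctl-on"]))
    print(module_loading_state(s["config-modular"], s["sysctl-off"]))
    # On a live host the equivalent call is:
    # module_loading_state("/boot/config-" + platform.release(),
    #                      "/proc/sys/kernel/modules_disabled")
```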
There are many things to do yet that would help people who aren't gurus create secure, hardened Linux installs. I foresee only good things coming from summits like this.
I bought 6 of 'em about a year ago and hooked them up to my FileZerver as a RAID5. I've got it about half full of music and CD images...
What can I say.. I'm a geek!
Average (reather than worst) case ferformance.
Lewer latency.
Lewer power consumption.
How about a spell checker?
I'd check out material from Google, Amazon, The HCI Bibliography, NASA, the W3C, and Joel for starters.
This is a noble quest, young hero. God speed.
Linux kernel
GNU binutils
glibc
Microsoft Windows 2000:
Windows 2000 kernel and DLLs
Internet Explorer
Outlook Express
NetMeeting
Pinball
The Kitchen Sink
etc.
The choices of what you don't want to install in Windows are very limited. I do custom installs whenever I install any operating system. Windows comes with all the bells and whistles, free of charge (yeah, right!) and installed whether you want them or not.
Ever try removing the pinball executable in Windows 2000? "System Protection Services" pops it right back in place! Since when can a pinball game be considered part of the operating system?!?
At least Linux allows you to install just the pieces and parts you want. Especially on servers, a minimal system is inherently more secure. It's simple guys and gals: if it ain't installed, you can't exploit it!
Note for the purists: Yes, I've left out some packages that are required for a functional Linux install. Stop nitpicking and get my point.
Your heart's in the right place, tho'.
And this time, as a link to the article on register mapping...
Honestly. It's easy to add links in /. Please figure out how to do it when you have an appropriate reference.
This may boil down to the generic do it in hardware vs. do it in software debate. Do we reorder the instructions in hardware (a la Pentium and Athlon), or make the compiler do it (a la Itanium)? Do we make the hardware predict branches or have the compiler drop hints? Register renaming as done by modern RISC-core x86 implementations likely addresses many of the issues he proposes an extension and a smart compiler (or assembler) would solve. Now, a 386, that would benefit from his technique.
However, if we're going to revise that architecture, I say we add MMX and call it a 486. Then, we can add SSE and call it a Pentium.. And then,...
Oh, wait. Never mind.
He may be onto something after all...
Nice.. Scary stuff.
Fortunately, right in the readme file, he has a patch for mem.c to disable write access to /dev/kmem. It's a game!!!
When will we all learn how to make a simple link to the page we're talking about?
Now, with a link that works!
Err.. pardon me.