Trusted Debian v1.0 Released
Peter Busser writes "The Trusted Debian project releases its first official release, v1.0. Its main focus is solving most (but unlikely all) buffer overflow problems. It features PaX, a kernel patch which does several things. It tries to keep code and data apart, it randomizes stack, code, heap and shared libraries, it does strict mprotect() checking and it also protects the kernel. Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code. It also features FreeS/WAN and RSBAC, an extensive access control framework. More information is available from the website. There is also a demonstration available for the special capabilities of this release."
No Remote... (Score:5, Funny)
This must be a new linux record.
Re:No Remote... (Score:5, Insightful)
Jason
ProfQuotes [profquotes.com]
Re:No Remote... (Score:2)
Jason
ProfQuotes [profquotes.com]
AHA! (Score:4, Insightful)
Overflow check? But I thought C/C++'ers like the amount of CONTROL that comes from being able to shoot themselves in the foot!
At least, that's what they tell me when I tell them I program in Java now.
Guess you'll need to figure a way around these checks, eh?
Oh, come ON (Score:5, Informative)
Re:Oh, come ON (Score:2)
Re:Oh, come ON (Score:2)
Overflow protection!? WTF do you need that for, it's only one or two lines per buffer to do it! Keep it out of the compiler! Occasionally, ouch my foot ensues!
I mean a lot of C programmers I know (no idea what percentage of the total, anecdotal, blah, blah) dislike C++ because of inheritance!
Definitely a funny AND an insightful comment for that particular type of programmer.
bad/evil marketing by debian (Score:5, Interesting)
"Trusted Debian" is clearly targeted to compete with "Trusted Solaris" and "Trusted(?name right?) BSD". However, "Trusted Solaris" has been CERTIFIED to meet B2 level security criteria. There is no mention of any such certification, either performed, or in progress, on the project's home page. It is just a collection of security enhancements and tweaks that it is "hoped" will merit the system being trusted, but I see no formal proof or audit of that.
Eh? (Score:4, Interesting)
I assume a committee or something gives you the stamp and that then allows you to use "Trusted" in the name of your project?
Re:Eh? (Score:5, Insightful)
Profit?!? (Score:3, Insightful)
1. Create more secure operating system.
2. Give it away for free.
3. ????
4. PROFIT!
Ok, I give, wtf _IS_ the third step that would require a marketing buzzword? I guess you can market for bragging rights, but I am guessing it was more of an afterthought than a business plan.
I bet I can name everyone that has gotten rich on Debian on one hand.............and still have 5 fingers left.
Re:Profit?!? (Score:2)
Money is not the only reason for doing such things, you know.
I've been in marketing in one form or another for 20 years. Funny thing, the only reason _I_ have been in marketing is to make money. Silly me.
I'm still betting it was less marketing and more simply naming it "trusted" as a goal. I mean, you have to call it SOMETHING to differentiate it from their regular distro. I usually a
Re:Profit?!? (Score:2)
The irony is I have a few boxes running redhat 7.2 (with a newer 2.4 kernel), and a few I am testing with redhat 9, and formerly with rh8. I miss 7.2 and now they no longer support it, even though I am paying them to (rhn). Although I love RH9 on the desktop, it leaves me
Re:Eh? (Score:2, Informative)
trusted BSD (Score:4, Insightful)
"Mandatory Access Controls" and all that fun stuff.
[www.trustedbsd.org]
So, "Trusted Debian" is the odd man out.
trusted according to WHO? (Score:2, Interesting)
Putting some fucking label on a product like B2 level security is NOT going to make it any more or less secure. It is bullshit to assist the mindless masses, and it in fact hinders them, because it
Re:trusted according to WHO? (Score:5, Interesting)
Microsoft got C2 certification for a specific NT configuration a while back, and only when NOT CONNECTED TO A NETWORK!!
'C' levels are nowhere close to 'B' levels.
Re:trusted according to WHO? (Score:3, Funny)
For 'B' you have to pull the power out too. 'A' requires metalworking skills.
Re:bad/evil marketing by debian (Score:2)
Re:bad/evil marketing by debian (Score:3)
So, it's equivalent to the B1 level. Don't have an Orange Book hand
Re:bad/evil marketing by debian (Score:2, Informative)
This project is based on debian, but not by debian. It is an independent project. Hence it cannot be bad/evil marketing by debian.
Re:bad/evil marketing by debian (Score:2)
speed? (Score:3, Interesting)
Are the packages the same or unique? If the latter, why not merge w/ the original code and help us all out?
Is this better or worse than the NSA's secure kernel? Why is a new distribution required if a kernel is all that's changed?
Re:speed? (Score:2, Insightful)
Speed and security are two completely different objectives. If you are going to use something like Trusted Debian, it's because the security is much more important than the speed. I mean, what good does speed do you after your web site is hacked?
Re:speed? (Score:2)
It also uses a different access mechanism (calls it RSBAC) as do most "Trusted" (i.e. security enhanced) distributions. Based on ACLs, it allows the Sys Admin more granularity in determining who can access what.
Halfway measures (Score:3)
The overflow checker only makes a difference when compiling buggy code. And in this case it leaves
Re:Halfway measures (Score:3, Insightful)
This kind of naive attitude is why we have so much bloody buggy software. While changing programming languages may reduce a certain class of errors, it will never, ever, ever result in security. It can't. The programming language can't prevent a programmer from being stupid.
If you want security, you'll actually have to do the one thing that few programmers actually take the time for in this industry: don't take shortcuts. Plan your software, plan your security m
Re:speed? (Score:5, Interesting)
No. OpenBSD 3.3 has 4 different forms of buffer/memory/stack protection, and Theo says that, not only is there NOT a slowdown, but on a couple architectures, it actually speeds things up! [theaimsgroup.com]
It seems that the Debian organization's main purpose is to emulate OpenBSD... They are dedicated to maintaining older, stable versions of software, they use NetBSD as the core of their Debian BSD distro, and now they almost directly copy OpenBSD's recent security efforts. [deadly.org]
Not that there is anything wrong with that. I just find it very interesting.
Re:speed? (Score:3, Informative)
In Theo's post on theaimsgroup.com web site, I don't see anything supporting your assertion that OpenBSD's new memory protection "actually speeds things up".
Re:speed? (Score:5, Informative)
My mistake... I've read about all this stuff a while ago, so I didn't correctly remember which post talked about which aspects of it.
It can be found in this magicpoint presentation. It's several pages into the presentation. It's plain text with some markup, so you can just grep through it (look for "sped") if you don't want to install magicpoint: http://www.openbsd.org/papers/csw03.mgp
I've read it other places before I saw the presentation, but google isn't working very well to find them, I don't have links to everything (I'd have millions of links if I make a link of everything, and kept them for this long), and I'm not going to spend a lot of time tracking down where I read this stuff. Check out deadly.org, or the OpenBSD misc/tech mailing list archives if you want additional confirmation, and discussion on the subject of the speed-up...
SE Linux (Score:5, Interesting)
-Erwos
Re:SE Linux (Score:5, Informative)
Available on BudgetLinuxCDs (Score:4, Informative)
compared to other systems (Score:3, Insightful)
hint - read the article before responding/modding
Hmmm, offtopic or troll... (Score:2)
It seems to me that your question is poorly phrased. What is it that you really wonder?
Re:Hmmm, offtopic or troll... (Score:2)
trusted for what? (Score:4, Insightful)
Re:trusted for what? (Score:5, Informative)
Re:trusted for what? (Score:2)
But then that does depend on your goals. Debian is the least corporate of all the Linux distros. They have always been end user based and not corporation based. Indeed the goal of this project is "to create a secure Linux platform and make it available to everyone". They probably aren't concerned with the majority of criticisms in this thread because they aren't looking to create a product
Re:trusted for what? (Score:2, Informative)
You mostly do two tasks on that computer:
- Managing your money in a spreadsheet.
- Browse the web.
In a trusted RSBAC system you can create different levels of information protection: for example your spreadsheets will be marked "My Own Important Data" and you can have access to them only if you switch your security level to "Manage Important Data". In this case browsing will be disabled and only trusted programs will be allowed to run.
No web data or malicious programs can then
anti-trustworthy (Score:3, Funny)
why not use Cyclone? (Score:2, Informative)
Re:why not use Cyclone? (Score:2)
Yes, let's reimplement (Score:3, Interesting)
For instance, I rewrote ftpd in SML because I got sick of buffer overflows. It only took me a few days and the result was much leaner (wu_ftpd is 30,000 lines, mine was about 800) and definitely has fewer buffer overflows / he
well, at least the security-critical stuff (Score:2)
Though as the other poster mentioned, if people just abandoned C in the first place, we'd solve a lot of the problems. Cyclone is nice in that it's a way for people who still want C's low-level control to abandon C's security holes without using a high-level language like SML.
Binary sandboxing instead of safe languages? (Score:4, Interesting)
Suppose you are an ordinary user with 32 bit UID 00 00 00 A7 and mask FF 00 00 00, given by the administrator. This means you can access all files (and resources) to which you can "chameleonise" UID to xx 00 00 A7
You can also run a subprocess, say, x1 00 00 A7 with rights further restricted. This means that the parent process will have access to all results of the child, but not vice-versa. Now you can run a network browser, email program, downloaded binary-only spyware etc. in their own sandboxes with access to particular resources only (say a directory with ownership 01 00 00 A7). They would not mess up anything else... You would be able to limit network access etc.
Roman Kantor
PS: The beauty of this hack is that it can work with standard POSIX filesystems, you need to add masks only to processes. I am not sure how difficult it would be to hack the linux kernel, but it should be relatively straightforward.
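The access rule in the post above, written out as an added example so the parent/child asymmetry can be checked; this is my own model, not code from the poster or from Trusted Debian, and the struct and function names, the browser's UID x1 00 00 A7 with a free top nibble, and the file owners are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the "chameleon UID" sandbox: a process carries a 32-bit UID plus
 * a mask whose set bits are the free bits it may chameleonise; the remaining
 * bits are fixed by the administrator. Names here are my own. */
struct sandbox {
    uint32_t uid;
    uint32_t mask;
};

/* Constructed values from the post: the user gets UID 00 00 00 A7 with mask
 * FF 00 00 00; the browser is a child at x1 00 00 A7 (only the top nibble free). */
static const struct sandbox USER    = { 0x000000A7u, 0xFF000000u };
static const struct sandbox BROWSER = { 0x010000A7u, 0xF0000000u };

/* A file owned by file_uid is reachable when the process could chameleonise
 * to that UID by changing only its free bits: every fixed bit must agree. */
int can_access(const struct sandbox *p, uint32_t file_uid)
{
    return ((p->uid ^ file_uid) & ~p->mask) == 0;
}

/* Derive a child with rights further restricted. The child's UID must be one
 * the parent could already chameleonise to, and the child's free bits must be
 * a subset of the parent's, so a child can never widen its own reach.
 * Returns 0 and fills *child on success, -1 if the request is rejected. */
int restrict_child(const struct sandbox *parent, uint32_t uid, uint32_t mask,
                   struct sandbox *child)
{
    if (!can_access(parent, uid))
        return -1;                      /* UID outside the parent's range */
    if ((mask & ~parent->mask) != 0)
        return -1;                      /* mask would add free bits */
    child->uid  = uid;
    child->mask = mask;
    return 0;
}

/* Check a spawn request against USER without keeping the resulting child. */
int user_may_spawn(uint32_t uid, uint32_t mask)
{
    struct sandbox child;
    return restrict_child(&USER, uid, mask, &child) == 0;
}

int main(void)
{
    const uint32_t browser_dir = 0x010000A7u;   /* directory handed to the browser */
    const uint32_t user_file   = 0x000000A7u;   /* the user's own files */

    printf("user -> browser dir:  %d\n", can_access(&USER, browser_dir));    /* 1 */
    printf("browser -> own dir:   %d\n", can_access(&BROWSER, browser_dir)); /* 1 */
    printf("browser -> user file: %d\n", can_access(&BROWSER, user_file));   /* 0 */
    printf("spawn x1 00 00 A8:    %d\n", user_may_spawn(0x010000A8u, 0xF0000000u)); /* 0 */
    return 0;
}
```

The parent reaches everything the child owns, while the child cannot reach the parent's files or spawn a sibling whose fixed bits differ.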
More out of date (Score:5, Funny)
Trusted Gentoo (Score:5, Informative)
It's up to you to use them or not.
Re:Trusted Gentoo (Score:3, Informative)
Why is it... (Score:5, Funny)
Re:Why is it... (Score:2)
It's probably an immune reaction to all the fud that flew around Slashdot during the Microsoft anti-trust suit.
Because it's too easy? (Score:2)
Kjella
Why not OpenBSD? (Score:5, Interesting)
Admittedly there are apps that run under Linux that don't run under OpenBSD (namely commercial apps) but in this case, I would expect that running those apps on this system would lose the "Trusted" lack of buffer overflow possibilities etc., which defeats the object of the distribution. And the lack of commercial certification for this product would belie using it for such a reason anyway.
A cursory glance over their website doesn't show me anything which would make me want to choose this over OpenBSD. In fact given the maturity of the OpenBSD project, and the man hours that have gone in to that piece of work, that is likely to be my first port of call anyway.
I'm not trying to put down the trusted debian guys, I just fail to see the point of their work (apart from the old - "why not" reason). So, if not for the licensing issue which debian has always held close to, why would anyone pick this over OpenBSD?
Yo unixbob... (Score:2)
Re:Yo unixbob... (Score:2)
to quote [trusteddebian.org]
There is no other UNIX system which adds the same kind of protection against buffer overflows and at the same time protects against some less well-known or even some unknown problems. Except for OpenBSD
OK, the next line does say that the trusted debian developers think that OpenBSD falls short on these things. Having seen the maturity of the trusted debian project, it seems to me that whilst this may or may not be true, certainly trusted debian has a long way to go before it can accomp
yes (Score:2)
propolice is the same gcc stack protection that trusted debian uses, written by the same author whose email address is etoh@openbsd.org.
w^x is similar in concept to pax, but it is faster and doesn't break applications.
this has produced a hilarious 'debate' on the openbsd misc mailing list, as evidenced in threads like this [theaimsgroup.com] and this [theaimsgroup.com]
Don't forget this (Score:2)
Re:Why not OpenBSD? (Score:2, Informative)
Re:Why not OpenBSD? (Score:2)
I can understand how it may be easier to do that with a Linux distribution than a BSD based distro due to familiarity. However my Linux expe
Re:Why not OpenBSD? (Score:2)
My take on this is that we should have Linux distro's for newbies such
Re:Why not OpenBSD? (Score:2)
Re:Why not OpenBSD? (Score:2)
Does each of these *really* have some unique features that just couldn't be added to one of the main distributions?!
Let's see... we have OpenBSD, NetBSD, BSDI, FreeBSD, Solaris, HP-UX, AIX, Tru64, IRIX, UnixWare, SCO, Mac OSX,
Of course just for Linux we have: RedHat, Mandrake, Debian, Slackware, SuSe, Caldera, Gentoo, Antartica, Lycoris, Yggdrasil, Conectiva, Corel, Elfstone, RockLinux, SharkLinux, Sisyphus,
Yggdrasil????? (Score:2)
News update: Kurt Cobain is dead. The White House and Congress are both under Republican control. The Dallas Cowboys suck.
Yggdrasil?!?!?!
Re:Why not OpenBSD? (Score:2)
name recognition among the suits (they have heard about linux, but probably not OpenBSD (as opposed to nerds)).
prepackaged binaries? (not sure if OpenBSD has that).
I can see a market for commercial apps that is targeted for a "trusted OS". It would probably be easier to use Trusted Debian for this for a "desktop" rather than OpenBSD, even though both are possible.
True OpenBSD does have an impressive record, but that doesn't mean that there can't be space for more "trust
Re:Why not OpenBSD? (Score:2)
And in terms of industry support? Well if it was Trusted SUSE, or Trusted RedHat, you may have a point. Debian in the corporate environment? Give me a break.
Re:Why not OpenBSD? (Score:2)
Why not? From a TCO perspective it's much better than other distros. Administration is slick. If you want a piece of software, there it is, already packaged. Upgrades don't require hours of sweat and reboots. If I see a bug, I discuss with the maintainer.
The only missing part of the equation is support. But that's just a niche waiting to be filled by people like me (i.e. I'm already supporting Debian in the corporate environment).
Granted, most commerci
Re:Why not OpenBSD? (Score:4, Informative)
From the Article:
Hmm, well that sounds exactly like the memory protection that has already been implemented in OpenBSD 3.3. Interestingly enough, all this software was available long before this article was written, it just wasn't put into the base system at the time.
It's rather hypocritical if you ask me. He ran down all the protection mechanisms available for Linux (none of which come together in a single distro), but completely and entirely neglected similar software that WAS available for OpenBSD.
TCP port ACLs are still not in OpenBSD, BUT there is a patch that is available to do this, it's just not in the OpenBSD base as of yet. Of course, TCP port ACLs don't come with the base Linux kernel either.
Also worth a footnote is that Systrace can be used to enforce TCP/UDP port ACLs on any software run under systrace. In other words, you run bind under systrace, and there is no way for it to open any ports other than 53, which you specify. It's not what people typically think of when they consider TCP/UDP port ACLs, but it does the same job. Systrace is in the OpenBSD base system.
Well Systrace easily accomplishes the above. You can impose arbitrary restrictions on binary programs, whether they are native OpenBSD binaries, or Linux binaries under emulation.
Re:Why not OpenBSD? (Score:2)
A trusted 1.0... (Score:5, Insightful)
How do you call 1.0 of something 'trusted'? Regression testing and looking good on paper is great, but until you can prove that the damn thing works (i.e. make me trust it) it ain't trusted.
That said, I'm going to grab my copy and play around. We need more security-focused distros. BSD has it right (no remote exploits with a base install), linux needs to do a little catching up in the access control area.
Other distros? (Score:3, Insightful)
If Redhat, for example, integrated it into RH 10 or Mandrake into 9.2.
Firewall anyone? (Score:3, Interesting)
If you own a PC and you don't have a firewall between it and the internet, you are pretty damned dumb.
This really is of no use to the average user.
I'd love to see a floppy distro for floppy firewall set up from it though. (upgrade the kernel to 2.4 so we can use modern firewall rules.)
Re:Firewall anyone? (Score:3, Interesting)
Everyone always says this, but nobody seems to think about it. Why, exactly do I need a firewall between my PC and the internet at large? I keep up with my patches, I don't execute email attachments (I don't even use Outlook), I'm not "pretty damned dumb" in general... What is a firewall protecting me from, if I'm already being good about security? Anyone want to explain that to me?
Re:Firewall anyone? (Score:2)
Are you sure webmin is configured to not accept remote connections? And xfs? And {x,d,g}dm? And mysql?
And so on.
Much easier to explicitly say what you _do_ want to be allowed access to from the internet, than to try to make sure everything is always configured correctly. Of course you want to make sure it is also configured correctly, but a firewall will help you when you do make a mistake. Not to mention when you automatically upgrade a piece of software and
Re:Firewall anyone? (Score:2)
Why copy OpenBSD (Score:2, Insightful)
I think OpenBSD has been at it with such efforts for a while. Why is FreeBSD shifting its niche, or nudging OpenBSD out of the ring?
Whats in it for me? (Score:5, Interesting)
Is there any compelling reason for someone like me(and most
I'm not downplaying the importance of this kind of project. I can see its usefulness in a corporate environment. I'm just wondering if there's anything I'm forgetting on my current machine, and if this is a good way to address those problems.
Re:Whats in it for me? (Score:2, Insightful)
Re:Whats in it for me? (Score:2)
You are probably the kind of person who will get the most benefit from a project like this because you are aware of security issues and are proactive about it. I'm guessing you've spent time locking down your email, ssh and www services so that they can't be abused. So you are going
Trusted Computing. (Score:4, Insightful)
None of them really have anything to do with "trusted computing".
Trusted computing is normally about 2 things: Making sure that nothing has access to anything it's not supposed to, and making sure that there is an audit trail for who did what.
Example: Normal linux distributed -vs- NT.
Okay... I hate windows.. but....
Ever been frustrated because, in windows, if someone sets permissions on a directory they own, and says administrator can't access it... when administrator tries to access it, he gets denied?
In unix, of course, root just ignores said permissions.. or changes them.
In NT.. administrator has to first take ownership of the object THEN change the permissions... and administrator can't assign ownership back to the other user (though of course, administrator can grant access to the object).
Why? So there is a trail of events. Your file was changed? You say you didn't do it? IF administrator did it, it will show in the file permissions.
Re:Trusted Computing. (Score:3, Informative)
does that and more.
Re:Trusted Computing. (Score:2)
Presumably the administrator can run programs to defrag the disk and repair the disk, and these require direct (and often online) access to the raw data -- they could probably play with the data while the machine is up bypassing the entire permissions model.
And where does this leave you? With the administrator saying in a court of law "It couldn't be me! You wo
Re:Trusted Computing. (Score:2)
The usual way this works is that if you do need to make changes that root isn't allowed, then you need to have physical access to the machine. Then you switch to a particular console (not an xterm, and not all consoles - just one or two of them would be valid) log in as root, and then you sort of su
Re:Trusted Computing. (Score:2)
Ah, I get it! Trusted computing is about not trusting anyone!
Re:Trusted Computing. (Score:2)
To be more precise that depends on the filesystem; one of the strong points of AFS [openafs.org] is that not only can't root access the files but it also can't change the permissions of the shared AFS namespace. Since it uses Kerberos only users with the pr
Trusted? (Score:4, Funny)
Everyone likes a trusting computer.
Will this help prevent duplicates at Slashdot? (Score:5, Funny)
On a normal Linux system running Slashdot, we see this:
On a Slashdot running one of the Trusted Debian kernels, you will see something like this:
As you can see every value is different.
Benefits (Score:2)
Guess the whole OSS community benefits.
Why not roll this into Debian? (Score:5, Interesting)
Re:Yet when MS talks about "trusted" computing... (Score:3, Informative)
Re:Yet when MS talks about "trusted" computing... (Score:2)
Re:Yet when MS talks about "trusted" computing... (Score:4, Interesting)
uh... apparently you haven't been reading the comments on this thread. I read through about 20 comments so far and not one praise, a few informational posts, and several criticisms.
What I'm sick of hearing on slashdot are people who think they'll sound smart by making immediate and unsubstantiated remarks against what is perceived by them to be the consensus. By acting this way, you might seem like you're noticing what everyone else is too dumb/blind to see, but it doesn't make you insightful, just contrary, which is equally as closed minded as being zealous.
Re:Yet when MS talks about "trusted" computing... (Score:2)
Re:Yet when MS talks about "trusted" computing... (Score:4, Interesting)
When the people at debian talk about trusted computing you can pretty much assume they are serious about putting together a solid and secure system.
It has to do with the character of the people making the announcement.
Re:Yet when MS talks about "trusted" computing... (Score:2)
Although I have met several MS developers and have interacted with several Debian developers via email I would not say that I am "personally acquainted" with any of them.
I am simply judging the intent of these two organizations based on their past behavior.
Re:Yet when MS talks about "trusted" computing... (Score:4, Funny)
when m$ talks about trusted, it is a truly Orwellian example of doublespeak.
Re:Can someone explain this? (Score:5, Informative)
it randomizes stack, code, heap and shared libraries
PaX randomizes the place a program is loaded into memory. Buffer overflow attacks depend on the exact location of memory locations. Attacks are much harder when that location varies every time a program is executed, making it much harder for attackers to locate the exact locations they need for a successful attack. Again, PaX is the first to implement this kind of protection. No other UNIX system uses this kind of protection against buffer overflows, except OpenBSD. But their implementation is more restricted. It will randomize only one aspect of the memory (which technical people call the stack) where PaX randomizes four aspects (stack, heap, libraries and the main executable) and their implementation uses 10 bits against 24 bits for PaX.
it does strict mprotect() checking
it adds proper checking to how memory is being used, to prevent badly written programs from accidentally opening up certain kinds of security holes
it also protects the kernel.
Third, PaX tries to do its best to keep code and data separate. Many buffer overflow attacks try to write some data and then try to execute it, as if it were code. PaX tries to prevent this. Fourth, PaX enforces the same kind of protection to the core of the system, the Linux kernel itself. Again, this is unique to PaX, there is no other UNIX system which offers the same kind of protection of its kernel.
Trusted Debian also uses the stack protector patch for GCC developed by Hiroaki Etoh at IBM, which adds overflow checks to C/C++ code.
The second product used by Trusted Debian to solve the buffer overflow problem is called the stack protector, formerly known as propolice. It is a modified GCC compiler written by Hiroaki Etoh at IBM and it adds a kind of ``booby-traps'' inside programs which are triggered when a buffer overflow occurs. The program is then terminated before the overflow can do any damage.
It also features FreeS/WAN and RSBAC, an extensive access control framework. Trusted Debian adds more than just these buffer overflow protection technologies. Version v1.0 also ships with RSBAC, an extensive access control framework which will play an important role in future releases. And FreeS/WAN, which is able to encrypt all TCP/IP communication between two machines and can therefore be used for setting up VPNs or securing wireless LAN communication, among other things.
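The "booby-trap" described for the stack protector, as an added simulation that is not code from the post, from propolice or from Trusted Debian: a frame is modelled as a struct whose guard word sits between the local buffer and the saved return address, so an over-long copy has to trample the guard before it can reach the return address, and the epilogue check catches it. The layout, the guard constant and the inputs are constructed for the demonstration; a real compiler lays frames out differently and draws the guard from a random source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a propolice-protected frame. Layout is constructed
 * for illustration, not the compiler's real one: the local buffer sits
 * below a guard word, which sits below the saved return address, so a
 * linear overrun of buf must hit the guard before it reaches ret. */
struct frame {
    char      buf[16];
    uintptr_t guard;
    uintptr_t ret;      /* stands in for the saved return address */
};

/* propolice chooses the guard once at program start; this is a constructed
 * constant, a real implementation uses a random value. */
static const uintptr_t GUARD = 0x5a3c9e1fu;

/* Prologue: plant the guard between the locals and the return address. */
static void frame_enter(struct frame *f, uintptr_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->guard = GUARD;
    f->ret   = ret;
}

/* Epilogue check: 1 if the guard is intact, 0 if the frame was smashed
 * (propolice then terminates the program before ret is ever used). */
static int frame_check(const struct frame *f)
{
    return f->guard == GUARD;
}

/* Copy input the way a missing length check would. The copy is clamped to
 * the struct object so the simulation itself is well-defined C, but it is
 * free to run past buf into guard and ret. */
static void copy_unchecked(struct frame *f, const char *input, size_t len)
{
    char  *dst  = (char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (len > room)
        len = room;
    memcpy(dst, input, len);
}

/* One simulated call. Returns 1 if the function would return normally and
 * 0 if the guard check fires; *ret_after receives the return-address slot
 * as it stands at the epilogue, intact or not. */
int protected_call(const char *input, size_t len, uintptr_t ret,
                   uintptr_t *ret_after)
{
    struct frame f;
    frame_enter(&f, ret);
    copy_unchecked(&f, input, len);
    *ret_after = f.ret;
    return frame_check(&f);
}

/* Two ready-made cases: a well-behaved input and a constructed over-long one. */
int short_input_passes(void)
{
    uintptr_t r;
    return protected_call("hello", 5, 0x1234u, &r) == 1 && r == 0x1234u;
}

int long_input_is_caught(void)
{
    char big[64];
    uintptr_t r;
    memset(big, 'A', sizeof big);
    return protected_call(big, sizeof big, 0x1234u, &r) == 0 && r != 0x1234u;
}

int main(void)
{
    printf("short input passes:   %d\n", short_input_passes());    /* 1 */
    printf("long input is caught: %d\n", long_input_is_caught());  /* 1 */
    return 0;
}
```

In the second case the return-address slot has already been overwritten when the epilogue runs, which is exactly why the check has to happen before the function returns.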
Re:Can someone explain this? (Score:2, Interesting)
You might want to
Trite bullshit (Score:5, Insightful)
Real security comes by design, not by sticking your thumb in the dike again and again and again.
Re:Trite bullshit (Score:4, Insightful)
Well, I think it's better to see someone starting to walk that path, rather than just sitting there complaining that Linux doesn't even begin to approach the level of security of some other OS.
From what I saw, after a cursory look at their page, they are using the RSBAC patch, which allows for quite a lot of security models (it is even extensible, like PAM on steroids, it seems). ACLs are just one of the supported models. The capabilities and resource models look quite useful, and I am very interested in learning more about their "functional control", "privacy" and "role compatibility" models. Also note the "malware scan" model, which scans for viruses and the likes on execution. Also, they state that models can be combined, and, furthermore, it seems that this can be applied to network accesses, not just files, which sounds like something I really, really want.
(Read the list of models with brief descriptions at their overview page [rsbac.org].)
Note that I'm not familiar with this software (yet), so I can't say if it really is as good as it seems. But it looks very interesting --and a far cry from a "half-assed attempt at a security audit". I intend to try it as soon as I can.
don't mod this down (Score:2, Insightful)
This is the lesson: assume your OS is insecure and adopt a level of risk acceptance.