| 1 |
Let me draw your attention to an effort on gcc-4.x based hardened toolchain: |
| 2 |
https://hardened.gentooexperimental.org/secure/ |
| 3 |
|
| 4 |
Any interest from a professional would be greatly appreciated (or a PhD |
| 5 |
student specializing in the internals of the hardened toolchain - |
| 6 |
perhaps...). |
| 7 |
|
| 8 |
Regards, |
| 9 |
Dwokfur |
| 10 |
-- |
| 11 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 12 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 13 |
|
| 14 |
On Ked, Augusztus 5, 2008 14:39, dante wrote: |
| 15 |
> Ned Ludd wrote: |
| 16 |
>> On Fri, 2008-08-01 at 08:24 -0400, dante wrote: |
| 17 |
>> |
| 18 |
>>> Hi everyone, |
| 19 |
>>> |
| 20 |
>>> My students and I have started a new gnome-based desktop linux distro |
| 21 |
>>> derived from hardened Gentoo. It may be of interest to people on this |
| 22 |
>>> list. |
| 23 |
>>> |
| 24 |
>>> Tin Hat is pretty much Gentoo, but it runs purely in RAM. It boots |
| 25 |
>>> from |
| 26 |
>>> CD or pen drive, but is not a liveCD in that it doesn't mount a file |
| 27 |
>>> system from the boot device. Rather it copies its squashfs from CD to |
| 28 |
>>> tmpfs in RAM. Booting is slow, it requres 4 GB of RAM or more, but it |
| 29 |
>>> is lightening fast once up. ("emerge --sync" takes about a minute |
| 30 |
>>> between a Tin Hat system offering portage, and one sync-ing from |
| 31 |
>>> scratch. Firefox starts in about 1 second.) |
| 32 |
>>> |
| 33 |
>>> Tin Hat was started before the recent coldboot attacks. Within the |
| 34 |
>>> limit of such attacks, Tin Hat aims at "zero information loss" if |
| 35 |
>>> physical access is obtained to a system which is powered down. We add |
| 36 |
>>> Ruusu's loop-aes patch to the kernel so that any hard drives are |
| 37 |
>>> mounted |
| 38 |
>>> using one of the best implimentations of block cipher encryptions we |
| 39 |
>>> know of. During power up, Tin Hat uses GRSEC/PaX hardening to hedge |
| 40 |
>>> against all the usual attacks. We are now thinking about our own patch |
| 41 |
>>> to obfuscate data in RAM to protect against coldboot --- but to be |
| 42 |
>>> honest, we think we can only make it harder, not impossible. |
| 43 |
>>> |
| 44 |
>>> Tin Hat is stable. We run 6 systems persistently on clean power and |
| 45 |
>>> have typical up times of a couple of months. |
| 46 |
>>> |
| 47 |
>>> We never intended on releasing Tin Hat, but the students love it so |
| 48 |
>>> much |
| 49 |
>>> (the speed!) we thought of announcing it on freshmeat. I thought I'd |
| 50 |
>>> post to this list because of it is a successful implementation of |
| 51 |
>>> hardened Gentoo. |
| 52 |
>>> |
| 53 |
>>> Home page: http://opensource.dyc.edu/tinhat |
| 54 |
>>> Freshmeat: http://freshmeat.net/projects/tinhat |
| 55 |
>>> |
| 56 |
>> |
| 57 |
>> |
| 58 |
>> I absolutely love seeing others create things with hardened. |
| 59 |
>> |
| 60 |
>> Feel free to keep this list apprised of regular updates. |
| 61 |
>> |
| 62 |
>> |
| 63 |
> Thanks Ned. When there are more updates, I'll post. And, thanks to |
| 64 |
> whoever mentioned the project to Josh Saddler. He says he wants to |
| 65 |
> mention the project in the next Gentoo Monthly Newsletter. |
| 66 |
> |
| 67 |
> I'm very indebted to hardened gentoo. I use it for any project where I |
| 68 |
> need an operating system environment. Eg, another project on that web |
| 69 |
> site (tor-ramdisk) uses a micro hardened gentoo uclibc-based |
| 70 |
> environment. The entire portage system of gentoo let's me build it as I |
| 71 |
> need it, and hardened-gentoo brings in all those extra security |
| 72 |
> features. So, I teach about gentoo in my modern operating systems |
| 73 |
> course and I use hardened gentoo to teach kernel hardening in my |
| 74 |
> security course. The team's work is appreciated. |
| 75 |
> |
| 76 |
> Anthony G. Basile, Ph.D. |
| 77 |
> Chair of Information Technology |
| 78 |
> D'Youville College |
| 79 |
> Buffalo NY 14201 |
| 80 |
> USA |
| 81 |
> |
| 82 |
> (716) 829-8197 |
| 83 |
> |
| 84 |
> |
| 85 |
> |
| 86 |
> |
| 87 |
> |
| 88 |
> |
| 89 |
> |
| 90 |
> |
Archives