1 |
Let me draw your attention to an effort on gcc-4.x based hardened toolchain: |
2 |
https://hardened.gentooexperimental.org/secure/ |
3 |
|
4 |
Any interest from a professional would be greatly appreciated (or a PhD |
5 |
student specializing in the internals of the hardened toolchain - |
6 |
perhaps...). |
7 |
|
8 |
Regards, |
9 |
Dwokfur |
10 |
-- |
11 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
12 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
13 |
|
14 |
On Ked, Augusztus 5, 2008 14:39, dante wrote: |
15 |
> Ned Ludd wrote: |
16 |
>> On Fri, 2008-08-01 at 08:24 -0400, dante wrote: |
17 |
>> |
18 |
>>> Hi everyone, |
19 |
>>> |
20 |
>>> My students and I have started a new gnome-based desktop linux distro |
21 |
>>> derived from hardened Gentoo. It may be of interest to people on this |
22 |
>>> list. |
23 |
>>> |
24 |
>>> Tin Hat is pretty much Gentoo, but it runs purely in RAM. It boots |
25 |
>>> from |
26 |
>>> CD or pen drive, but is not a liveCD in that it doesn't mount a file |
27 |
>>> system from the boot device. Rather it copies its squashfs from CD to |
28 |
>>> tmpfs in RAM. Booting is slow, it requres 4 GB of RAM or more, but it |
29 |
>>> is lightening fast once up. ("emerge --sync" takes about a minute |
30 |
>>> between a Tin Hat system offering portage, and one sync-ing from |
31 |
>>> scratch. Firefox starts in about 1 second.) |
32 |
>>> |
33 |
>>> Tin Hat was started before the recent coldboot attacks. Within the |
34 |
>>> limit of such attacks, Tin Hat aims at "zero information loss" if |
35 |
>>> physical access is obtained to a system which is powered down. We add |
36 |
>>> Ruusu's loop-aes patch to the kernel so that any hard drives are |
37 |
>>> mounted |
38 |
>>> using one of the best implimentations of block cipher encryptions we |
39 |
>>> know of. During power up, Tin Hat uses GRSEC/PaX hardening to hedge |
40 |
>>> against all the usual attacks. We are now thinking about our own patch |
41 |
>>> to obfuscate data in RAM to protect against coldboot --- but to be |
42 |
>>> honest, we think we can only make it harder, not impossible. |
43 |
>>> |
44 |
>>> Tin Hat is stable. We run 6 systems persistently on clean power and |
45 |
>>> have typical up times of a couple of months. |
46 |
>>> |
47 |
>>> We never intended on releasing Tin Hat, but the students love it so |
48 |
>>> much |
49 |
>>> (the speed!) we thought of announcing it on freshmeat. I thought I'd |
50 |
>>> post to this list because of it is a successful implementation of |
51 |
>>> hardened Gentoo. |
52 |
>>> |
53 |
>>> Home page: http://opensource.dyc.edu/tinhat |
54 |
>>> Freshmeat: http://freshmeat.net/projects/tinhat |
55 |
>>> |
56 |
>> |
57 |
>> |
58 |
>> I absolutely love seeing others create things with hardened. |
59 |
>> |
60 |
>> Feel free to keep this list apprised of regular updates. |
61 |
>> |
62 |
>> |
63 |
> Thanks Ned. When there are more updates, I'll post. And, thanks to |
64 |
> whoever mentioned the project to Josh Saddler. He says he wants to |
65 |
> mention the project in the next Gentoo Monthly Newsletter. |
66 |
> |
67 |
> I'm very indebted to hardened gentoo. I use it for any project where I |
68 |
> need an operating system environment. Eg, another project on that web |
69 |
> site (tor-ramdisk) uses a micro hardened gentoo uclibc-based |
70 |
> environment. The entire portage system of gentoo let's me build it as I |
71 |
> need it, and hardened-gentoo brings in all those extra security |
72 |
> features. So, I teach about gentoo in my modern operating systems |
73 |
> course and I use hardened gentoo to teach kernel hardening in my |
74 |
> security course. The team's work is appreciated. |
75 |
> |
76 |
> Anthony G. Basile, Ph.D. |
77 |
> Chair of Information Technology |
78 |
> D'Youville College |
79 |
> Buffalo NY 14201 |
80 |
> USA |
81 |
> |
82 |
> (716) 829-8197 |
83 |
> |
84 |
> |
85 |
> |
86 |
> |
87 |
> |
88 |
> |
89 |
> |
90 |
> |