| 1 |
Hi, |
| 2 |
|
| 3 |
On Saturday 31 December 2011 19:39:23 7v5w7go9ub0o wrote: |
| 4 |
> On 12/31/11 08:43, "Tóth Attila" wrote: |
| 5 |
> > Isn't it miserable to see, that as time is passing by, more and more |
| 6 |
> > important softwares (java, python, libreoffice, firefox) conflict |
| 7 |
> > with more and more PAX restrictions? I would expect exactly the |
| 8 |
> > opposite. But it seems, that developers become less and less aware |
| 9 |
> > (or care less) about security. |
| 10 |
> > |
| 11 |
> > Nowdays I would rather run libreoffice and firefox in a jail. But I |
| 12 |
> > have no time to set up an environment and grsec policy for it. |
| 13 |
> |
| 14 |
> Heh...better yet; using VMs - with optional hardware assistance. |
| 15 |
> |
| 16 |
> Joanna Rutkowska of <http://theinvisiblethings.blogspot.com/> , who is |
| 17 |
> well-known as an effective white-hat cracker, is developing a "secure" |
| 18 |
> OS she calls Qubes <http://qubes-os.org/Home.html> |
| 19 |
|
| 20 |
While I agree that there's a lot to be done to make the security of a modern |
| 21 |
desktop system better, I'm not convinced that using a disposable VM is the |
| 22 |
right approach: |
| 23 |
|
| 24 |
1) Taking into account the use of resources (hardware), it sounds like a |
| 25 |
terrible engineering decision to throw a VM for single process just because we |
| 26 |
can, that is - because hardware is there, it's capabale enough and not that |
| 27 |
expensive. "Don't use cannon to shoot a sparrow"- as the Polish saying goes ;) |
| 28 |
It's using the wrong technology to solve the (wrong) problem. |
| 29 |
|
| 30 |
IMHO, it'd make more sense to invest into a microkernel system, say based on |
| 31 |
Minix3, add PaX features to the kernel, at least proper ASLR and W^X, and use |
| 32 |
RBAC (grsec RBAC for instance ;] ) to ensure adequate isolation between |
| 33 |
processes in the userspace. Simple. Neat. Clean. Proper engineering. ;] Sounds |
| 34 |
like a nice PhD project to me... ;) |
| 35 |
|
| 36 |
2) ...And what is there to guarantee the security of Xen hypervisor? or the |
| 37 |
guest VMs isolation? ...it's probably worth mentioning that XEN had security |
| 38 |
issues before and it was Joanna who pointed out few of them too... :) |
| 39 |
|
| 40 |
Again, I'd argue that, in general, simplicity = better security and using VMs |
| 41 |
for separate processes is an overkill. You could even argue that Qubes uses |
| 42 |
virtualisation as a RBAC mechanism - it's an interesting idea but against good |
| 43 |
design&engingeering practices, me thinks. |
| 44 |
|
| 45 |
Yes, it somehow addresses the prevalent security issues with the Linux kernel |
| 46 |
("fat and ugly" to quote Miss Rutkowska), but at the expense of additional |
| 47 |
comlexity (which doesn't help security) and bigger hardware requirements. Not |
| 48 |
to mention engineering purity... ;] |
| 49 |
|
| 50 |
> |
| 51 |
> She's presently using fedora as the Linux source distribution, but |
| 52 |
> there's been a lot of enthusiastic discussion among some of the beta |
| 53 |
> testers about changing to Gentoo |
| 54 |
> <https://groups.google.com/group/qubes-devel/browse_thread/thread/588399cdd4 |
| 55 |
> 3da28c#> and some of these guys seem poised to go for it. |
| 56 |
|
| 57 |
That might be enough to convince me enough to at least try it... ;) |
| 58 |
|
| 59 |
> |
| 60 |
> Should the switch occur, one would painlessly have hardened Gentoo VMs, |
| 61 |
> managed by a XEN bare-metal hypervisor. |
| 62 |
> |
| 63 |
|
| 64 |
...but that would still leave the initial issue of hardened firefox, libreoffice, |
| 65 |
java unsolved...and what if I only care about security of my browser? Then no |
| 66 |
matter how isolated from the rest of the system it is, I simply can't afford |
| 67 |
for it to be compromised in the first place...back to the drawing board... ;) |
| 68 |
|
| 69 |
Cheers, |
| 70 |
Radek Madej |
Archives