
Hi,

On Saturday 31 December 2011 19:39:23 7v5w7go9ub0o wrote:
> On 12/31/11 08:43, "Tóth Attila" wrote:
> > Isn't it miserable to see that, as time passes by, more and more
> > important software (java, python, libreoffice, firefox) conflicts
> > with more and more PaX restrictions? I would expect exactly the
> > opposite. But it seems that developers become less and less aware
> > (or care less) about security.
> >
> > Nowadays I would rather run libreoffice and firefox in a jail. But I
> > have no time to set up an environment and grsec policy for it.
>
> Heh...better yet; using VMs - with optional hardware assistance.
>
> Joanna Rutkowska of <http://theinvisiblethings.blogspot.com/>, who is
> well-known as an effective white-hat cracker, is developing a "secure"
> OS she calls Qubes <http://qubes-os.org/Home.html>
|
20 |
While I agree that there's a lot to be done to make the security of a modern |
21 |
desktop system better, I'm not convinced that using a disposable VM is the |
22 |
right approach: |
23 |
|
24 |
1) Taking into account the use of resources (hardware), it sounds like a |
25 |
terrible engineering decision to throw a VM for single process just because we |
26 |
can, that is - because hardware is there, it's capabale enough and not that |
27 |
expensive. "Don't use cannon to shoot a sparrow"- as the Polish saying goes ;) |
28 |
It's using the wrong technology to solve the (wrong) problem. |
29 |
|
30 |
IMHO, it'd make more sense to invest into a microkernel system, say based on |
31 |
Minix3, add PaX features to the kernel, at least proper ASLR and W^X, and use |
32 |
RBAC (grsec RBAC for instance ;] ) to ensure adequate isolation between |
33 |
processes in the userspace. Simple. Neat. Clean. Proper engineering. ;] Sounds |
34 |
like a nice PhD project to me... ;) |
35 |
|
36 |
2) ...And what is there to guarantee the security of Xen hypervisor? or the |
37 |
guest VMs isolation? ...it's probably worth mentioning that XEN had security |
38 |
issues before and it was Joanna who pointed out few of them too... :) |
39 |
|
40 |
Again, I'd argue that, in general, simplicity = better security and using VMs |
41 |
for separate processes is an overkill. You could even argue that Qubes uses |
42 |
virtualisation as a RBAC mechanism - it's an interesting idea but against good |
43 |
design&engingeering practices, me thinks. |
44 |
|
45 |
Yes, it somehow addresses the prevalent security issues with the Linux kernel |
46 |
("fat and ugly" to quote Miss Rutkowska), but at the expense of additional |
47 |
comlexity (which doesn't help security) and bigger hardware requirements. Not |
48 |
to mention engineering purity... ;] |
49 |
|

>
> She's presently using fedora as the Linux source distribution, but
> there's been a lot of enthusiastic discussion among some of the beta
> testers about changing to Gentoo
> <https://groups.google.com/group/qubes-devel/browse_thread/thread/588399cdd43da28c#>
> and some of these guys seem poised to go for it.

That might be enough to convince me to at least try it... ;)

>
> Should the switch occur, one would painlessly have hardened Gentoo VMs,
> managed by a XEN bare-metal hypervisor.
>

...but that would still leave the initial issue of hardened firefox, libreoffice,
java unsolved...and what if I only care about the security of my browser? Then no
matter how isolated from the rest of the system it is, I simply can't afford
for it to be compromised in the first place...back to the drawing board... ;)

Cheers,
Radek Madej
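
Added example (not part of the original thread, and not a policy shipped by grsecurity or Gentoo): the kind of grsec RBAC subject that would put firefox in the jail Tóth Attila says he has no time to write, and that Radek proposes as the process-level alternative to a VM per application. It is written in gradm's policy language as documented by grsecurity; the user name "attila", the file paths and the permitted ports are assumptions for a hypothetical desktop, not values taken from the thread.

```text
# Added illustration, not from the thread: a grsec RBAC user role that lets
# "attila" work normally but confines /usr/bin/firefox to a small jail.
# User name, paths and ports are assumptions for a hypothetical box.

role attila u

# Default subject for everything the user runs: ordinary desktop access,
# no capabilities, no listening sockets.
subject / {
	/			r
	/bin			rx
	/lib			rx
	/usr			rx
	/dev			rw
	/proc			r
	/tmp			rwcd
	/home/attila		rwxcd
	-CAP_ALL
	bind	disabled
	connect	0.0.0.0/0:1-65535 stream tcp
	connect	0.0.0.0/0:53 dgram udp
}

# Override subject ("o") for the browser. "/ h" hides the whole filesystem,
# so only the objects listed below exist from firefox's point of view.
subject /usr/bin/firefox o {
	/			h
	/etc			r
	/etc/shadow		h
	/lib			rx
	/usr/lib		rx
	/usr/lib/firefox	rx
	/usr/share		r
	/dev/null		rw
	/dev/urandom		r
	/dev/shm		rwcd
	/tmp			rwcd
	/proc			r
	/proc/kcore		h
	/proc/sys		h
	/home/attila		h
	/home/attila/.mozilla	rwcd
	/home/attila/Downloads	rwcd

	# no capabilities, no listening sockets, only outbound HTTP(S) and DNS
	-CAP_ALL
	bind	disabled
	connect	0.0.0.0/0:80 stream tcp
	connect	0.0.0.0/0:443 stream tcp
	connect	0.0.0.0/0:53 dgram udp
}
```

gradm -C checks a policy for errors before gradm -E enables it. The point of "/ h" is that the browser subject becomes an allow list: a compromised firefox cannot read ~/.ssh or /etc/shadow, cannot bind a port, and cannot talk to anything but 80, 443 and 53, even though it runs as the same uid as the rest of the session. Access to the X socket under /tmp is the kind of decision the policy forces you to make explicitly. In practice one would not write this list by hand but start from gradm's full learning mode (gradm -F -L <logfile>, then -O to emit the learned policy) and trim it down, which is exactly the work Tóth says there is no time for.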