Ned Ludd wrote:
> On Fri, 2008-08-01 at 08:24 -0400, dante wrote:
>
>> Hi everyone,
>>
>> My students and I have started a new gnome-based desktop linux distro
>> derived from hardened Gentoo. It may be of interest to people on this
>> list.
>>
>> Tin Hat is pretty much Gentoo, but it runs purely in RAM. It boots from
>> CD or pen drive, but is not a liveCD in that it doesn't mount a file
>> system from the boot device. Rather it copies its squashfs from CD to
>> tmpfs in RAM. Booting is slow, it requires 4 GB of RAM or more, but it
>> is lightning fast once up. ("emerge --sync" takes about a minute
>> between a Tin Hat system offering portage, and one sync-ing from
>> scratch. Firefox starts in about 1 second.)
>>
>> Tin Hat was started before the recent coldboot attacks. Within the
>> limit of such attacks, Tin Hat aims at "zero information loss" if
>> physical access is obtained to a system which is powered down. We add
>> Ruusu's loop-aes patch to the kernel so that any hard drives are mounted
>> using one of the best implementations of block cipher encryption we
>> know of. During power up, Tin Hat uses GRSEC/PaX hardening to hedge
>> against all the usual attacks. We are now thinking about our own patch
>> to obfuscate data in RAM to protect against coldboot --- but to be
>> honest, we think we can only make it harder, not impossible.
>>
>> Tin Hat is stable. We run 6 systems persistently on clean power and
>> have typical uptimes of a couple of months.
>>
>> We never intended on releasing Tin Hat, but the students love it so much
>> (the speed!) we thought of announcing it on freshmeat. I thought I'd
>> post to this list because it is a successful implementation of
>> hardened Gentoo.
>>
>> Home page: http://opensource.dyc.edu/tinhat
>> Freshmeat: http://freshmeat.net/projects/tinhat
>>
>
>
> I absolutely love seeing others create things with hardened.
>
> Feel free to keep this list apprised of regular updates.
>
>

Thanks Ned. When there are more updates, I'll post. And, thanks to
whoever mentioned the project to Josh Saddler. He says he wants to
mention the project in the next Gentoo Monthly Newsletter.

I'm very indebted to hardened gentoo. I use it for any project where I
need an operating system environment. E.g., another project on that web
site (tor-ramdisk) uses a micro hardened gentoo uclibc-based
environment. The entire portage system of gentoo lets me build it as I
need it, and hardened-gentoo brings in all those extra security
features. So, I teach about gentoo in my modern operating systems
course and I use hardened gentoo to teach kernel hardening in my
security course. The team's work is appreciated.

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo NY 14201
USA

(716) 829-8197