~Toughbooktalk~ Rob - 630-300-8877

The largest Toughbook discussion site on the net!
It is currently Sun Dec 10, 2017 10:07 pm

All times are UTC-06:00




Post new topic  Reply to topic  [ 23 posts ]  Go to page Previous 1 2 3 Next
Author Message
PostPosted: Tue Nov 29, 2016 3:00 am 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Contents
This is a long one, containing detailed ramblings regarding
- my Qubes experience
- - bugs and maturity issues
- - my preliminary opinion
- security philosophies
- - "capabilities" and RedHat
- - "just add another operating system" security
- - security-vs-reliability-vs-performance
- - on merging security philosophies
- - - Attack surface
- - - Outlook (Qubes and Genode on seL4)


bugs and maturity issues
I didn't try 3.1 yet, but played around some more with 3.2 yesterday.

I have to correct my wifi statement:
WiFi was only available as wlp0s0 within NET vm for the first two bootups.
I was able to manage the wifi card via Dom0 XFCE toolbar after the third reboot (the icon didn't appear before that).
The XFCE Network settings dialog within the menu continiued to provide no functionality at all.

Disposable VM Shortcuts did not work for me.
I was able to start firefox via "untrusted" domain shortcut, but was not able to play any sounds.
Shutdown untrusted vm, attached audio hardware, restartet untrusted vm ... networking somehow broke down during that process... as in firefox couldnt resolve/reach any sites.

These experiences reinforce my initial "wait till version number doubles" impression.



my preliminary opinion
I conclude (for me) that Qubes' virtualization approach is rather novel
and might evolve into quite the game changer for endpoint security, which currently is in a very sad state.

I hope that this Qubes project continiues to soar, integrate additional security layers (defense in depth),
and maybe someday also tackle design issues like code bloat and software selection
(which have been summarized in the capabilities/redhat section below).

I'm looking forward to see what Qubes v6.4 will be like - see last topic "Outlook (Qubes and Genode on seL4)".



security philosophies
droppointalpha wrote:
Karl Klammer wrote:
2-3) systemd and fedora
okay, methodology seems rather odd from my minimalistic "every line of code has a potential bug" point of view,
but I can understand that one uses the path of least resistance when trying to get a project off the ground
Just to clarify: Fedora with Systemd and X11 runs as Dom0 - correct?

I certainly understand the approach of less complexity, less vulnerability.
Perhaps we are taking a side trail to theory land but I believe we are hitting a point where complexity-related bug/exploit issues are unavoidable and system strategies should focus more on mitigation, rather than employing only solid, thoroughly debugged software. Of course, debugging and patching carries on but solid software build simply advances too slowly, with (it seems) only Red Hat putting up the money and manpower to significantly advance Linux capabilities. I suppose it is telling that many of the security-conscious gov't agencies are dealing with RH more and more rather than Microsoft for secure systems (and cheaper I hear to boot).

Any technical security evaluation between a non-braindead open-source Unix and a Windows is bound to favor the Unix,
as long as the required applications (e.g. oracle, java) run on both systems.
The only exceptions - that I am currently aware of - revolve around centralized organisational security demands aka Active Directory.
(group policies, password policies, antivirus/endpoint settings, software/patch rollout)

BTW: Fedora+SystemD+X11 run indeed in Dom0, just checked.



"capabilities" and RedHat
Yes, it is mostly Redhat who designs and pushes "capabilities" like systemd, pulseaudio, avahi, dbus and gnome down our throats.
I am not sure if this is really such a good thing, considering these two Linus quotes from https://igurublog.wordpress.com/2014/04 ... t-systemd/
Linus Torvalds wrote:
…a lot of the fear and uncertainty over systemd may not be so much about systemd, but the fear and loathing over radical changes that have been coming down the pike over the past few years, many of which have been not well documented, and worse, had some truly catastrophic design flaws that were extremely hard to fix.

Linus Torvalds wrote:
…Kay Sievers and Lennart Poettering often have the same response style to criticisms as the GNOME developers [read other Red Hat developers] — go away, you’re clueless, we know better than you, and besides, we have commit privs and you don’t, so go away.




"just add another operating system" security
This is kinda tongue-in-cheek, as I just can't resist trolling the "just add another operating system" approach with a famous Theo quote from 2007.
Theo de Raadt wrote:
x86 virtualization is about basically placing another nearly full kernel, full of new bugs,
on top of a nasty x86 architecture which barely has correct page protection.
Then running your operating system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers
who can't write operating systems or applications without security holes,
can then turn around and suddenly write virtualization layers without security holes.

There was a Xen exploit in June 2016 that allowed an untrusted VM to takeover Qubes, which demonstrates why defense in depth is a good idea,
as opposed to the current "just trust Xen" approach of "vanilla" kernel without grsecurity, passwordless sudo and huge fedora userland in dom0.
https://tech.slashdot.org/story/16/07/3 ... n-the-host

To soften the blow: OpenBSD is currently working on their own x86 virtualization software (vmm), so .... yeah.



security-vs-reliability-vs-performance
droppointalpha wrote:
The only real chance there is to double down and truly hone anything to a razor edge of reliability and security is for performance demand to flat-line, redirecting monetary drivers away from increasing features/capabilities/power and towards resolving issues of stability and security.

1) security and reliability go hand-in-hand (can't be reliable if its easily hacked)
2) most real-world performance issues I have encountered are caused by stupid application design,
which no operating system can fix, e.g. sizeOfArray(select * from table) to display a counter
3) security will allways impact performance, but the penality is often less than one might assume
Virtual Machine penality is 10-20%; L4 micro kernels penality is 5-20%; OpenBSD runs on 30+ years old hardware like VAX
4) Moores law seems to hold up for processor and memory (but not disks).
Thus the easiest way to get that 10-20% performance penality back is to just magically wait for 3 to 6 months. (12-25%)
Maybe write some more testcases during that time...


on merging security philosophies
The design principles of Qubes (container,endpoint,end user) and OpenBSD (small,audit,privsep) will eventually integrate and we can shift focus to the hardware side ... one can dream, right?

Example: vs-top
The "vs-top" and "cyber-top" government laptops sold by GeNUA are promising attempts of such a combined design.
https://www.genua.de/fileadmin/download ... atures.pdf
They basically use a L4 microkernel (Fiasco.OC) to
- run three operating systems (e.g. l4-"secure windows", l4-"insecure windows", l4-"fw/vpn openbsd")
- and also to pass messages between the systems and hardware (e.g. mouse-l4-win-l4-bsd-l4-wlan).
2011 bachelor thesis on porting openbsd to l4 fiasco.oc: https://www.isti.tu-berlin.de/fileadmin ... Fiasco.pdf
2011 correspoinding codebase of openbsd l4 port: https://github.com/chrissicool/l4openbsd



Attack surface
Fiasco.OC has 30-40k LOC (lines of code), which is
one order of magnitude (x15) smaller than systemd(550k LOC as of May 2014),
two orders of magnitude (x500) smaller than Linux kernel (20,000k LOC) and thus most likely about
three to four orders of magnitude smaller than all the Fedora stuff running inside Qubes' "trusted" dom0.
I am not really sure about Xen, as I have found different numbers ranging from 60k to 300k LOC.
Translation: There are thousands of Qubes bugs for each Fiasco.OC bug, when also accounting for Fedora/dom0, which may or may not be fair.

The seL4 microkernel for ARM and x86 is even more interesting than Fiasco.OC, as it only measures 10k LOC (x2,000 smaller than Linux kernel)
AND is mathematically proofen to be correct. (meet spec, be realtime, no side effects, no buffer overflows, ...)
The mathematical proof contains 180k LOC, that is 18 lines "badass Unit Test" for each line of code.
seL4 was open-sourced late in 2014 and is currently only fully verified/proofen on ARM;
as x86 code/proof for SMP and 64bit is marked as experimental.

See also: L4 Microkernels: The Lessons from 20 Years of Research and Deployment (2016-04), focusing on Fiasco.OC and seL4.



Outlook (Qubes and Genode on seL4)
Joanna of Qubes and Gerwin of L4.verified had an interesting discussion on utilizing Xen vs seL4 back in May 2010:
http://theinvisiblethings.blogspot.de/2 ... s-and.html

Some academic efforts for porting Qubes to seL4 are already underway:
https://my.cse.unsw.edu.au/thesis/thesi ... hp?ID=3289
https://www.mail-archive.com/devel@sel4 ... 00752.html
http://sel4.systems/pipermail/devel/201 ... 00312.html

Genode seems to be the more purer/smaller/fine-graineder/securer attempt at seL4 enduser compartmentalisation, and thus might take more time to market than Qubes+seL4.


Cheers,
Karl

FYI: Edited multiple times from Monday till Saturday, as I continued to follow down the MicroKernel rabbit hole.


Last edited by Karl Klammer on Sun Dec 04, 2016 5:32 am, edited 17 times in total.

Top
   
PostPosted: Sat Dec 03, 2016 5:34 pm 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Please continue to post, I am currently feeling a bit like I'm just talking to myself via a web browser ;-)


Top
   
PostPosted: Sat Dec 03, 2016 8:42 pm 
Offline
User avatar

Joined: Fri Jan 18, 2013 11:35 am
Posts: 2866
hello Karl.

Don't want you to feel lonely.

_________________
Life will beat you into submission.


Top
   
PostPosted: Sun Dec 04, 2016 4:15 am 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Hi Shawn, thanks for the empathy, I appreciate it :3some:
Do you have any opinions regarding the topics of the previous 10 posts? :read:


Top
   
PostPosted: Sun Dec 04, 2016 7:18 am 
Offline
User avatar

Joined: Fri Jan 18, 2013 11:35 am
Posts: 2866
Most of this is above me as I am a hardware guy. But here is my 2 cents worth.
Remember that I really like the idea of Linux. The real world Linux leaves a lot to be desired for me.
I WANT to like and use Linux, but I just can't. It's for the most part unfinished and unsupported for the average Joe.
After my stroke anxiety is a real issue for me. Linux does not go well with that.
Generally Linux does not have very high points in the ease of use category.
Until they get it so I don't NEED terminal every time I want to install software or hardware, Linux will be "also ran"
---------------------------------------------
security-vs-reliability-vs-performance

That's what it is all about in the end. Well throw ease of use in there somewhere.
-------------------------------------------------------------------------
This sounds very interesting

The "vs-top" and "cyber-top" government laptops sold by GeNUA are promising attempts of such a combined design.
https://www.genua.de/fileadmin/download ... atures.pdf
They basically use a L4 microkernel (Fiasco.OC) to
- run three operating systems (e.g. l4-"secure windows", l4-"insecure windows", l4-"fw/vpn openbsd")
- and also to pass messages between the systems and hardware (e.g. mouse-l4-win-l4-bsd-l4-wlan)
------------------------------------------------------
RE: WTF were they drinking....Ha Ha Ha

Sadly this sums up my thoughts and experiences with 80% of Linux based stuff. (percentage made up on the spot)
It seems to be all developed and supported by Attention Deficit Disordered genius's.
They get a portion 3/4 of the way done and then "Oh look a squirrel" They are off to something else.
The interested "outsiders" lurk about and ask for help and are treated with arrogance such as "If you don't understand, it must be above your abilities"

I mean really..in today's day and age to release an OS that all the networking is not finished and easily accessible? 20 minutes for WLAN? I will pass on that. That is an OS that is not ready for prime time or release in my opinion..

_________________
Life will beat you into submission.


Top
   
PostPosted: Mon Dec 05, 2016 1:57 am 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
Shawn wrote:
Generally Linux does not have very high points in the ease of use category.
Until they get it so I don't NEED terminal every time I want to install software or hardware, Linux will be "also ran".
Ubuntu, SuSE, Redhat score quite well in this category.
They all have some GUI for managing software (synaptic, yast2, pirut respectively)
Hardware mostly just works straight out of the box, especially on those three.
Compare that to all the hoops you have to jump through in order to install panasonic drivers on windows...

Shawn wrote:
It seems to be all developed and supported by Attention Deficit Disordered genius's.
They get a portion 3/4 of the way done and then "Oh look a squirrel" They are off to something else.
hilarious, love it :pbjt:

Shawn wrote:
20 minutes for WLAN? I will pass on that.That is an OS that is not ready for prime time or release in my opinion..
Yes, I also feel that Qubes is not yet ready for prime time.
To be fair: It doesn't have to take 20 minutes for wlan ... just took me three reboots till the wlan toolbar icon appeared (guess nm-applet), which then worked quite well.


Top
   
PostPosted: Mon Dec 05, 2016 5:34 am 
Offline
User avatar

Joined: Fri Jan 18, 2013 11:35 am
Posts: 2866
Very true with Panasonic on Windows. The driver bundles make it easier "MOST" of the time.
I do feel the driver problems are caused by Panasonic and not Windows.

_________________
Life will beat you into submission.


Top
   
PostPosted: Mon Dec 05, 2016 9:10 am 
Offline
User avatar

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
From what I can tell from the sidelines of this conversation, Qubes seems like an entirely different beast. I wouldn't put it on the same level as mainstream distros.

Anyway, I haven't looked at it myself. I might be tempted whenever the "version number doubles" but I generally don't have the time to play around with everything that comes out on distrowatch.com

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Top
   
PostPosted: Tue Dec 06, 2016 1:33 am 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
kode-niner wrote:
From what I can tell from the sidelines of this conversation, Qubes seems like an entirely different beast. I wouldn't put it on the same level as mainstream distros.
You are spot on. :salute: I see Qubes as a compartmentalization framework for applications with message passing and an admin interface.
It's probably just a "pragmatic coincidence" that most VMs incl. the dom0 admin VM make use of Linux distributions.

It's currently based on Xen / Qubes-messaging / Fedora-based admin VM,
but might one day evolve into the first (afaik) free open-source general-purpose high-assurance (EAL5+ and beyond) environment,
once it learns to leverage seL4 / Qubes-messaging / Genode-based admin VM.
I'm excited :blob: to see that work on integrating both seL4 and Genode has started. (see links in the long post at top of page)

*humming https://ftp.openbsd.org/pub/OpenBSD/songs/song60a.mp3 while typing* :D


Top
   
PostPosted: Mon Dec 12, 2016 1:33 am 
Offline
User avatar

Joined: Tue Oct 13, 2015 3:19 am
Posts: 193
Location: Old Europe
see also Guide to Qubes 3.2 on Toughbook 19 mk6


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 23 posts ]  Go to page Previous 1 2 3 Next

All times are UTC-06:00


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Limited