Hi,

On Saturday 31 December 2011 19:39:23 7v5w7go9ub0o wrote:
> On 12/31/11 08:43, "Tóth Attila" wrote:
> > Isn't it miserable to see, that as time is passing by, more and more
> > important softwares (java, python, libreoffice, firefox) conflict
> > with more and more PAX restrictions? I would expect exactly the
> > opposite. But it seems, that developers become less and less aware
> > (or care less) about security.
> >
> > Nowdays I would rather run libreoffice and firefox in a jail. But I
> > have no time to set up an environment and grsec policy for it.
>
> Heh...better yet; using VMs - with optional hardware assistance.
>
> Joanna Rutkowska of <http://theinvisiblethings.blogspot.com/> , who is
> well-known as an effective white-hat cracker, is developing a "secure"
> OS she calls Qubes <http://qubes-os.org/Home.html>

While I agree that there's a lot to be done to make the security of a modern
desktop system better, I'm not convinced that using a disposable VM is the
right approach:

1) Taking into account the use of resources (hardware), it sounds like a
terrible engineering decision to throw a VM for single process just because we
can, that is - because hardware is there, it's capabale enough and not that
expensive. "Don't use cannon to shoot a sparrow"- as the Polish saying goes
It's using the wrong technology to solve the (wrong) problem.

IMHO, it'd make more sense to invest into a microkernel system, say based on
Minix3, add PaX features to the kernel, at least proper ASLR and W^X, and use
RBAC (grsec RBAC for instance ;] ) to ensure adequate isolation between
processes in the userspace. Simple. Neat. Clean. Proper engineering. ;] Sounds
like a nice PhD project to me...

2) ...And what is there to guarantee the security of Xen hypervisor? or the
guest VMs isolation? ...it's probably worth mentioning that XEN had security
issues before and it was Joanna who pointed out few of them too...

Again, I'd argue that, in general, simplicity = better security and using VMs
for separate processes is an overkill. You could even argue that Qubes uses
virtualisation as a RBAC mechanism - it's an interesting idea but against good
design&engingeering practices, me thinks.

Yes, it somehow addresses the prevalent security issues with the Linux kernel
("fat and ugly" to quote Miss Rutkowska), but at the expense of additional
comlexity (which doesn't help security) and bigger hardware requirements. Not
to mention engineering purity... ;]

>
> She's presently using fedora as the Linux source distribution, but
> there's been a lot of enthusiastic discussion among some of the beta
> testers about changing to Gentoo
> <https://groups.google.com/group/qubes-devel/browse_thread/thread/588399cdd4
> 3da28c#> and some of these guys seem poised to go for it.

That might be enough to convince me enough to at least try it...

>
> Should the switch occur, one would painlessly have hardened Gentoo VMs,
> managed by a XEN bare-metal hypervisor.
>

...but that would still leave the initial issue of hardened firefox, libreoffice,
java unsolved...and what if I only care about security of my browser? Then no
matter how isolated from the rest of the system it is, I simply can't afford
for it to be compromised in the first place...back to the drawing board...

Cheers,
Radek Madej

On 01/12/2012 06:26 AM, Radek Madej wrote:

> IMHO, it'd make more sense to invest into a microkernel system, say based on
> Minix3, add PaX features to the kernel, at least proper ASLR and W^X, and use
> RBAC (grsec RBAC for instance ;] ) to ensure adequate isolation between
> processes in the userspace. Simple. Neat. Clean. Proper engineering. ;] Sounds
> like a nice PhD project to me...
>

Oh dear god, Minix! While I respect what Tanenbaum is up to with Minix
and I hope he keeps developing it, the current situation is that it has
a very tiny base and it will probably stay that way. I loved the
original Minix for teaching (although I've moved on to James Molloy's
kernel), but usability is inversely proportional to complexity. If
Minix were to span the usability spectrum of a kernel like Linux or BSD,
I've got a gut feeling it would hit many of the same insecurity issues
despite the theory of separation of subsystems.

As to the broader question of important software abusing memory, when
you have so many developers, coding in so many different ways and with
so many different philosophies, I'm amazed we can even get something
like PaX off the ground. My own approach is to keep pressure on
upstream to change their coding practice. It seems like the only
practical approach for the near future.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

On Tuesday 10 January 2012 13:32:26 Christian Apeltauer wrote:
>
> Hello hardened-list,
> I would like to point out that I am still able to run icecat-9.0.1
> without any pax feature disabled by patching the ebuild as shown by the
> attached patch. Basically I applied the patch from Bug #396275 and
> disabled both methodjit and tracejit. And now icecat (including
> addons like noscript) runs without being pax-marked.
> I am well aware of the warnings that the Javascript engine runs slower
> without methodjit (by the way, why was that USE flag dropped?). I use
> Javascript only when absolutely necessary, so I might not be the best
> judge, but I don't see any noticeable impact on performance. Neither do
> I use flash plugin or something like that, so neither can I say whether
> flash will work without pax-marking.
> May solution may not be workable for everybody. But I don't see a
> reason why not to give it a try for ones like me who want a browser with
> reasonable JS management (as provided by the noscript addon) but do not
> need all the flashy extras. It should be up to the user to decide which
> features to enable.
> Best regards
> Christian Apeltauer

Hi,

I can confirm that it does work indeed, with either firefox-9.0 or icecat-9.0.1
from portage tree - thanks for sharing!

Plugins are an issue, disabling mprotect on the 'plugin-container' binary
let's java & flash run (I've only done some a simple test though). Due to easy
JS and content-policy management in firefox I also use it as a 'secure' browser
so don't care much about the plugins which run fine for instance in chrome
which needs to be paxmarked anyway...

Wouldn't it make sense to disable jit on pax_kernels and let users decide if
they want to further pax-mark the plugin-container binary, via ebuild message
for example?

I've removed all the paxmarking from ebuild and added sth like:

if use pax_kernel; then
mozconfig_annotate ' --disable-methodjit
mozconfig_annotate ' --disable-tracejit
fi

...and now I'm a happy firefox user

Cheers,
Radek

On Mon, 23 Jan 2012 22:19:59 +0000
Radek Madej wrote:

> I've removed all the paxmarking from ebuild and added sth like:
>
> if use pax_kernel; then
> mozconfig_annotate ' --disable-methodjit
> mozconfig_annotate ' --disable-tracejit
> fi
>
> ...and now I'm a happy firefox user

I know a bug on bugzilla has been incorrectly closed ages ago so I've
tried a mail to the mozilla sec list which you can see here.

"http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/7bf8def6b73bf0e5#"


--
Kc

On Tue, 24 Jan 2012 23:05:12 +0000
Kevin Chadwick wrote:

> I know a bug on bugzilla has been incorrectly closed ages ago so I've
> tried a mail to the mozilla sec list which you can see here.
>
> "http://groups.google.com/group/mozilla.dev.security/browse_thread/thread/7bf8def6b73bf0e5#"


It would be good if people could provide any bugzilla numbers that they have to hand.

I'll try to hunt down the one that I refered to as closed ages ago.



----- Responses from Mozilla Sec Dev Mailing list -----


On Tue, 24 Jan 2012 15:33:37 -0800 (PST)
Ian Melven wrote:

>
> Hi Kevin,
>
> in a current FF 9 release I see the following prefs :
>
> javascript.options.jitprofiling.chrome;true
> javascript.options.jitprofiling.content;true
> javascript.options.methodjit.chrome;true
> javascript.options.methodjit.content;true
> javascript.options.methodjit_always;false
> javascript.options.tracejit.chrome;true
> javascript.options.tracejit.content;true
>
> does setting these options to false let Firefox run under PAX
> with RWX disabled ?
>
> (also please note that there is no more tracejit in Firefox 10 and later)
>
> thanks !
> ian
_________________________

Hi, thanks for responding.

Unfortunately not.

____________________



Hi,

sorry to hear that.

do you have the bug # for the bug that was closed ? alternately i can open
up a new bug and try to make sure it stays on track (and stays open)

thanks
ian

On Thu, 12 Jan 2012 18:55:02 -0500
"Anthony G. Basile" wrote:

> Oh dear god, Minix! While I respect what Tanenbaum is up to with Minix
> and I hope he keeps developing it, the current situation is that it has
> a very tiny base and it will probably stay that way. I loved the
> original Minix for teaching (although I've moved on to James Molloy's
> kernel), but usability is inversely proportional to complexity. If
> Minix were to span the usability spectrum of a kernel like Linux or BSD,
> I've got a gut feeling it would hit many of the same insecurity issues
> despite the theory of separation of subsystems.

Me and my brother won a playbook, out of interest, what do you think of QNX?

Everything that is interesting for the boss is interesting for us (except the "howto torture university students mechanisms teaching them microkernel based OS" :P).

Which is not of interest is asking about opinions of closed source microkernel based OS and the opinions of Theo de Raadt about if accessing the RAM memory where his passwords reside by not get cleaned are security relevant or not, since he is not a referency about security questions (well he is the only one to say that MAC and memory not cleaned/overwritten readings are not security relevant).


I will not start other discussion with you, but please stop acting as a troll.

2012/1/26 Kevin Chadwick <ma1l1ists@yahoo.co.uk>

On Thu, 12 Jan 2012 18:55:02 -0500

"Anthony G. Basile" wrote:



> Oh dear god, Minix! *While I respect what Tanenbaum is up to with Minix

> and I hope he keeps developing it, the current situation is that it has

> a very tiny base and it will probably stay that way. *I loved the

> original Minix for teaching (although I've moved on to James Molloy's

> kernel), but usability is inversely proportional to complexity. *If

> Minix were to span the usability spectrum of a kernel like Linux or BSD,

> I've got a gut feeling it would hit many of the same insecurity issues

> despite the theory of separation of subsystems.



Me and my brother won a playbook, out of interest, what do you think of QNX?

Errata: (except the "howto torture university students mechanisms teaching them microkernel based OS" :P).

is "howto torture university students teaching them microkernel based OS :P"

I think is better teach them DOS based OS, is faster, cleaner with less sufferment and with a bit of luck they will finish working to Apple. Microsoft or to... OpenBSD.... :-)




El 27 de enero de 2012 19:04, Javier Juan Martínez Cabezón <tazok.id0@gmail.com> escribió:

Everything that is interesting for the boss is interesting for us (except the "howto torture university students mechanisms teaching them microkernel based OS" :P).

Which is not of interest is asking about opinions of closed source microkernel based OS and the opinions of Theo de Raadt about if accessing the RAM memory where his passwords reside by not get cleaned are security relevant or not, since he is not a referency about security questions (well he is the only one to say that MAC and memory not cleaned/overwritten readings are not security relevant).



I will not start other discussion with you, but please stop acting as a troll.

2012/1/26 Kevin Chadwick <ma1l1ists@yahoo.co.uk>


On Thu, 12 Jan 2012 18:55:02 -0500

"Anthony G. Basile" wrote:



> Oh dear god, Minix! *While I respect what Tanenbaum is up to with Minix

> and I hope he keeps developing it, the current situation is that it has

> a very tiny base and it will probably stay that way. *I loved the

> original Minix for teaching (although I've moved on to James Molloy's

> kernel), but usability is inversely proportional to complexity. *If

> Minix were to span the usability spectrum of a kernel like Linux or BSD,

> I've got a gut feeling it would hit many of the same insecurity issues

> despite the theory of separation of subsystems.



Me and my brother won a playbook, out of interest, what do you think of QNX?