On Saturday 31 December 2011 19:39:23 7v5w7go9ub0o wrote:
> On 12/31/11 08:43, "Tóth Attila" wrote:
> > Isn't it miserable to see, that as time is passing by, more and more
> > important softwares (java, python, libreoffice, firefox) conflict
> > with more and more PAX restrictions? I would expect exactly the
> > opposite. But it seems, that developers become less and less aware
> > (or care less) about security.
> > Nowdays I would rather run libreoffice and firefox in a jail. But I
> > have no time to set up an environment and grsec policy for it.
> Heh...better yet; using VMs - with optional hardware assistance.
> Joanna Rutkowska of <http://theinvisiblethings.blogspot.com/> , who is
> well-known as an effective white-hat cracker, is developing a "secure"
> OS she calls Qubes <http://qubes-os.org/Home.html>
While I agree that there's a lot to be done to make the security of a modern
desktop system better, I'm not convinced that using a disposable VM is the
1) Taking into account the use of resources (hardware), it sounds like a
terrible engineering decision to throw a VM for single process just because we
can, that is - because hardware is there, it's capabale enough and not that
expensive. "Don't use cannon to shoot a sparrow"- as the Polish saying goes
It's using the wrong technology to solve the (wrong) problem.
IMHO, it'd make more sense to invest into a microkernel system, say based on
Minix3, add PaX features to the kernel, at least proper ASLR and W^X, and use
RBAC (grsec RBAC for instance ;] ) to ensure adequate isolation between
processes in the userspace. Simple. Neat. Clean. Proper engineering. ;] Sounds
like a nice PhD project to me...
2) ...And what is there to guarantee the security of Xen hypervisor? or the
guest VMs isolation? ...it's probably worth mentioning that XEN had security
issues before and it was Joanna who pointed out few of them too...
Again, I'd argue that, in general, simplicity = better security and using VMs
for separate processes is an overkill. You could even argue that Qubes uses
virtualisation as a RBAC mechanism - it's an interesting idea but against good
design&engingeering practices, me thinks.
Yes, it somehow addresses the prevalent security issues with the Linux kernel
("fat and ugly" to quote Miss Rutkowska), but at the expense of additional
comlexity (which doesn't help security) and bigger hardware requirements. Not
to mention engineering purity... ;]
> She's presently using fedora as the Linux source distribution, but
> there's been a lot of enthusiastic discussion among some of the beta
> testers about changing to Gentoo
> 3da28c#> and some of these guys seem poised to go for it.
That might be enough to convince me enough to at least try it...
> Should the switch occur, one would painlessly have hardened Gentoo VMs,
> managed by a XEN bare-metal hypervisor.
...but that would still leave the initial issue of hardened firefox, libreoffice,
java unsolved...and what if I only care about security of my browser? Then no
matter how isolated from the rest of the system it is, I simply can't afford
for it to be compromised in the first place...back to the drawing board...