Open Source Security
Welcome at » 2007 » December

The Trusted Computing Group has launched a new group blog. The actual bloggers haven’t yet been announced, but presuming that they will include some people who are already actively writing about Trusted Computing (say Steve Hanna, Marion Weber, Dave Challener, perhaps) it will be a blog worthy of attention.

When my daughter saw the OLPC, her face lit up. “What is that?” She immediately wanted to play with it. At 3.25 years old, she is well below the targeted age range, but she still loved the look and feel of it. She enjoyed the paint program although it is a little challenging still. She really got into the picture books at the OLPC library. And she was totally thrilled by the Recorder. I got a great clip of her singing her ABCs. She also really got into TamTamMini and had great fun making noise. She is a great stress tester because her approach is to hit all of the buttons and see what happens. This has caused some interesting desktop configurations under KDE and Gnome. For the most part, Sugar took everything she threw at it and shrugged it off, but she was able to crash TamTamMini by typing random characters in the Activity name field. It didn’t actually crash, it just stopped making music (noise).

It looks like there are enough activities to sustain her interest for quite some time to come.

Yay! The OLPC XO laptop arrived today. My husband called me at work to let me know that it is here. It is awesome, of course.

OLPC XO Laptop

I added a page with more pictures of it than anyone could possibly want to see: OLPC pics.

Initial impressions – very small box that FedEx somehow managed to poke a hole in. Inside, very little extra packaging. It come in 3 pieces – the laptop itself, the battery and the power cord. There are 2 plastic bags and 2 stabilizers that look like they are made out of recycled paper/cardboard. It seems very rugged, but not rubbery as I was expecting. Under normal use by kids, I expect that the white will very quickly become dirty, but the thing looks awesome out of the box. As I’ve heard is common in adults, I didn’t initially get how to open it. As soon as I got it, it seems obvious. The display’s ability to completely swivel is cool. The fact that the USB, microphone, and headphone ports are covered by the antenna ears when closed is a sweet design point. It seems odd that the power port isn’t similarly protected. The keyboard is small and rubbery. People who like the old IBM clackety keyboards are destined to be disappointed – it is much like a normal laptop keyboard, only smaller, solid (protected from spills), rubbery, and green.

The software is neat. The extra keys on the keyboard really improve the software experience over trying the live ISO image or using a virtual machine image. They make switching between programs much easier and faster. The links back into the OLPC library allow the kids to listen to a couple of music samples, read nine picture books online (in English, Spanish, Portuguese, Farsi, and Croatian), and browse Wikipedia. The picture book interface is top notch and I hope they are able to populate the library with a few more books (initially you only see two, but once you start reading one, you can access another seven). I could really envision children as young as mine delving into this activity. I would have liked to see a link to Project Gutenberg. The science section starts off with only biology listings. I expect the OLPC library will grow dramatically over time.

The browser doesn’t automatically start Flash animations, but rather shows an outline with the designation: “Flash [[Click to play]]”. I tried a few of the Flash games on Noggin and gnash seems to not be able to really deal with most of them. For some, the screen gets so cluttered that the game becomes unplayable (which is a problem with Noggin’s site design rather than with the laptop) and others render but very slowly and seem to get stuck unable to accept input.

Pippy is a neat, small IDE preloaded with code snippets interesting enough to get older children motivated to try it. It takes me back to my early days of Basic programs generating annoying beeps. There is a cool distance measuring program (Acoustic Tape Measure) that requires two laptops to share the activity and then reports the distance between them.

OLPC XO Laptop Terminal

On the security side, the SELinux tools and libraries are installed, but getenforce says that SELinux is disabled. I was prompted for my name when the machine booted for the first time and I selected an XO image with custom colors, but the second time I booted, neither were required. I haven’t quite figured out yet how to turn the microphone off and the microphone indicator has been lit for quite a while.

I’ve played with it for a couple of hours and barely scratched the surface. It is very fun. It will be interesting to see what my children make of it.

If you have read all the way to this point, you are an OLPC fanatic, so I highly recommend that you read the following two reviews. The first is by a 12 year old and is very well written. It talks about some of the more interesting activities that I haven’t had a chance to try yet, like Etoys and TamTamJam: http://www.freedom-to-tinker.com/?p=1206
The second review is by the father of a 9 year old: http://news.bbc.co.uk/2/hi/technology/7140443.stm

Also extremely cool, is the interview with the guy (Don Hopkins) who ported the original SimCity to the OLPC and is now releasing it under the GPL as Micropolis. I can still remember staying up all night in college playing SimCity in the 24 hour lab when I should have been sleeping (or working): http://www.linuxworld.com/news/2007/121107-simcity.html Head’s up – he says that there are cheat codes documented in the source. 😉 What a great way to get kids to read the source code. This will definitely be one of the first things that I load.

There is still a little time left to get one. I highly recommend it, it is a sweet little machine. But even more, as the letter confirming the expected arrival date of the laptop said: “You are part of something big. As a participant in Give One Get One, you have become a member of an international educational movement.” And that alone is worth every penny. http://www.laptopgiving.org/en/index.php

Current and former co-workers, Kent Yoder, Dave Challener, Ryan Catherman, Dave Safford, and Leedert van Doorn have written a book called A Practical Guide to Trusted Computing. It’s now available for pre-order on Amazon and will available on Jan. 7, 2008. The authors have been instrumental in the creation of the TCG specs and key open source software, for example, Dave led the TSS Working Group for years and Leendert was on the Board of Directors. I reviewed an early copy of the book almost exactly a year ago. My favorite parts of the version that I read were the chapters on TSS along with the sample code for how to use the TSS API and the chapter on use cases for Trusted Computing (for the sheer fun of it). I think that it definitely lives up to its billing as a practical guide and it provides a complete grounding in the concepts of trust, attestation, measurement, etc. that are foundational to Trusted Computing. It is very readable and is a faster read and shorter than it seems because of the reference information included. I haven’t yet seen the ultimate version of the book, but I’m eagerly awaiting my copy from Amazon. Congratulations to the authors for sticking through the long haul and providing such a useful book!

My co-worker, Serge Hallyn was in town the other day, so he popped by to tell us about file capabilities. I think that file capabilities are the missing link for making capabilities useful and I’m tremendously excited that they will soon be generally available. File capabilities are a feature that allow a system administrator to add specific capabilities to an executable (stored in extended attributes, set using setfcaps or setcap). This in turn means that if the necessary capabilities exist then executables no longer have to be setuid root. Rather than having daemons start as root and drop privileges, if the proper file capabilities are set, they can just start as their regular user. The canonical example is ping. It is currently setuid root but it only needs the cap_net_raw capability. Using file capabilities, you can remove the setuid bit, add the cap_net_raw bit and you decrease the chance that ping can be used to subvert your system. Chris Friedhoff has an excellent page[1] which describes how to use file capabilities in more interesting ways, for example on X and Samba.

Here are the notes that I took from Serge’s discussion:

3 sets of capabilities
I – inheritable (have after exec)
P – permitted set
E – effective set (right now)

capset()
can remove from inherited set but can only put them in if you have CAP_SETPCAP
can remove from effective set and can put them back in if in permitted set
can remove from permitted set but can’t put them back in

pI’ = pI
pP’ = union(intersection(pI,fI), fP)
pE’ = fE ? pP’ : empty set

The capabilities in the file’s permitted set (fP) are known as the ‘forced set’ because the process will wind up with the capability regardless.
64 bit capability set now in -mm. This will make it easier to add new capabilities to hopefully further reduce the need for setuid programs.

Capabilities stack with SELinux and AppArmor implements capabilities directly in their LSM (hopefully they will pick up file capabilities), so you are not faced with an either/or decision about using capabilities. Capabilities allow you to grant additional privilege where LSMs can only further restrict privilege.

So if you want to experiment with it, grab the latest 2.6.24 release candidate. If you are a Fedora user, you can enable the rawhide repository and install the rawhide kernel. You will still have to install your chosen user space package manually, either from kernel.org[2] or from KaiGai Kohei who has updated libcap[3] to add setfscaps. He is now pointing off to a Google site which is inaccessible to me but his old packages still seem to work.

If you are interested in this topic, I highly recommend Serge’s excellent article on developerWorks: POSIX file capabilities: Parceling the power of root[4]

UPDATE: libcap2 supports the 64 bit capabilities that are now in the -mm tree. For the vanilla 2.6.24-* tree, use libcap1 from http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap1/

UPDATE 2: libcap 2.03 supports both 32 and 64 bit capabilities.

[1] http://friedhoff.org/fscaps.html
[2] http://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
[3] http://www.kaigai.gr.jp/
[4] http://www.ibm.com/developerworks/linux/library/l-posixcap.html

If you want to try out some of the Trusted Computing features but don’t want to add them to your running system, check out this version of Knoppix that Japan’s National Institute of Advanced Industrial Science and Technology (AIST) produced with IBM Tokyo Research Lab. It includes Grub-IMA, Linux-IMA, TrouSerS, tpm-tools and TPM Manager(by rub.de). More features are still being developed. Thanks to Seiji Munetoh for pointing this out to me. I downloaded it and tried it on my T42p and it is very clean and slick.

It’s available from http://unit.aist.go.jp/itri/knoppix/index-en.html

The NSA has published their Guide to the Secure Configuration of Red Hat Enterprise Linux 5[1]. This is an excellent document that describes best practices for securing a Linux system – tailored to Red Hat Enterprise Linux 5. It starts with best practices, such as, encrypt transmitted data and minimize installed software. It then follows up with exact configuration recommendations, for example, the exact configuration option to prevent root from logging in directly via ssh (Section 3.5.2.6). They do a pretty good job describing the rationale for making the changes that they recommend (“The root user should never be allowed to login directly over a network, as this both reduces auditable information about who ran privileged commands on the system and allows direct attack attempts on root’s password.”). If you are responsible for the security of any Linux system (whether as a developer or an administrator), I highly recommend taking a look at this document and thinking twice about any decision that you make that runs counter to these recommendations.

[1] http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1

EDIT 4/21/2009: updated a corruption that rendered the ‘ in the word root’s incorrect
The new location for the guide is http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Steve Hanna has written an excellent introductory article[1] on Network Access Control (NAC) discussing the motivations for implementing NAC and how Trusted Computing can help further secure NAC. Trusted Computing works well here because while the endpoint can still lie, it gets noticed that the endpoint is lying even if the exact lie is not known. The lie is detected because the measurement log no longer matches the signed quote of the PCR values. IBM Research wrote an excellent paper in 2004 describing attestation in detail as implemented on a Linux system: The Role of TPM in Enterprise Security[2].

[1] http://www.esj.com/news/print.aspx?editorialsId=2904
[2] https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf