Re: [Qemu-devel] building a virus-proof PC with Qemu

[Karl Magdsick]

> sorry, but why don't you use/recommend Trusted Solaris (SPARC and i386)
> http://wwws.sun.com/software/solaris/trustedsolaris/   ?
> I hardly doubt that it will be too easy for anyone to clone the security
> mechanisms it provides.

I agree that making the operating system role-aware seems like a much
more tractable solution than trying to externally trace data flows. 
An external system would have to be extremely intelligent in order to
work out the Pi calculus from observing data and low-level CPU
operations. It is even more difficult to determine which information
flows are technically compromising information, but are generally
accepted as "safe". Classified processes will often block on file
descriptors, which will lead to a thread yielding, and a context
switch, perhaps to a non-classified process.  This represents a
leakage of information, but one that is generally considered
acceptable.  On the other extreme, a simple scan through memory will
not detect passwords being sent over an SSL connection.  A simple scan
also will not detect SHA-256 sums of passwords being transferred to
untrusted processes via shared memory.  It's a VERY complicated
problem.

That being said, a system capable of tracking data flows throughout a
system could be useful as a backup to secure operating systems.  For
instance, before Trusted Solaris was realeased a third party made a
hardware firewall product based on x86 Solaris with third-party kernel
modifications very similar to Trusted Solaris.  The Last Stage of
Dementia people were able to leverage a Solaris kernel vulnerability
that allowed arbitrary users to install arbitrary call gates.  Very
skilled coding allowed them to leverage this vulnerability to
completely bypass all OS security measures by modifying kernel data
structures related to tracking permissions (and win a large cash prize
the vendor offered in an attempt to gain publicity for the firewall's
"unbreakable" security).

There are other products that are very similar to Trusted Solaris. 
Security Enhanced Linux (SELinux), developed by the US National
Security Agency.  It also implements role-based mandatory access
security.  There's a neat demo where they run a vulnerable version of 
Apache as root and watch people break in to the machine, but the
attackers aren't able to do anything b/c the role being used doesn't
even allow outgoing TCP connections or reading files outside of the
Apache directory.

TrustedBSD works similarly to SELinux and Trusted Solaris.  I think
TrustedBSD is based on FreeBSD, however my only knowledge of
TrustedBSD comes from the SELinux mailing list.

The Common Criteria certified version of Trusted Solaris used to cost
an arm and a leg.  I'm not sure how much it costs now.  The main
reason to use Trusted Solaris is that you are doing work under a
government contract that requires a given level of Common Criteria
certification.  If you're only looking for role-based mandatory access
controls, you probably want to look at SELinux and TrustedBSD.


-Karl