Dailydave mailing list archives
Re: Considerations for a "secure" embedded system
From: "Andre Gironda" <andre () operations net>
Date: Wed, 11 Jul 2007 23:07:11 -0500
Only ARM v6 supports XN. Programmers don't like using it though because they can spend their memory on more important things. Memory is expensive for embedded devices still. Basically, you could get it to work but then you couldn't get it to run anything interesting. Are there any other good grsecurity distro's besides Gentoo Hardened? Devil-linux and the others listed on distrowatch are lacking, but might be interesting for your project. dre On 7/11/07, Lance M. Havok <lmh () info-pull com> wrote:
After reading and playing in the past with gems like Gentoo Embedded and Gentoo Hardened, I wonder about the current possibilities *today* for developing a portable system deploying grsecurity, PaX and friends (even SELinux since they fixed some memory footprint issues time ago, but probably still have issues with busybox and shrinking the policy to a simplified variant). Let's think about x86 first, then ARM. What options are available right now and how feasible is to use them? The requirements of buildroot for building the customized system, or the usage of Gentoo Embedded. With all the buzz on virtualization technologies, 'virtual appliances', etc, the point behind installing Unbungu Muslim/Christian Server Edition seems to be moot. There's no sense behind virtualization if you run your imapd on the same machine as the LDAP monster and get one of them compromised right away. No mention to the default configuration of vmware-server's authd, and requirement of xinetd. If you can run a uclibc-based system with a few security enhancements, and take less than 100MB for the whole thing including your target service, using a full-fledged 'distribution' does not make any sense. The next question would be: How easy is to update the system images? How about batch building them, including services dynamically from a profile. vmware-server supports scripting even. How complex is the build process itself. Can the toolchain be shared across builds for the same platform, and does the 'framework' support that? How about things like JFFS not supporting (yet) filesystem extended attributes? Just a few dumb thoughts. PS: Again, let's base this on a x86 compatible platform. It might sound cool for a geeky audience to run spender's backdoor on a ARM5 fridge and let him steal your tacos, but such a thing is not really useful except for wasting time. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Considerations for a "secure" embedded system Lance M. Havok (Jul 11)
- Re: Considerations for a "secure" embedded system Andre Gironda (Jul 12)