Dailydave mailing list archives

Considerations for a "secure" embedded system


From: "Lance M. Havok" <lmh () info-pull com>
Date: Tue, 10 Jul 2007 22:17:48 -0700

After reading and playing in the past with gems like Gentoo Embedded
and Gentoo Hardened, I wonder about the current possibilities *today*
for developing a portable system deploying grsecurity, PaX and friends
(even SELinux since they fixed some memory footprint issues some time ago,
but probably still have issues with busybox and shrinking the policy
to a simplified variant).

Let's think about x86 first, then ARM. What options are available
right now and how feasible is it to use them?

The requirements of buildroot for building the customized system, or
the usage of Gentoo Embedded. With all the buzz on virtualization
technologies, 'virtual appliances', etc, the point behind installing
Unbungu Muslim/Christian Server Edition seems to be moot. There's no
sense behind virtualization if you run your imapd on the same machine
as the LDAP monster and get one of them compromised right away. Not
to mention the default configuration of vmware-server's authd, and
the requirement of xinetd.

If you can run a uclibc-based system with a few security enhancements,
and take less than 100MB for the whole thing including your target
service, using a full-fledged 'distribution' does not make any sense.

The next question would be: How easy is it to update the system images?
How about batch building them, including services dynamically from a
profile? vmware-server supports scripting even. How complex is the
build process itself? Can the toolchain be shared across builds for
the same platform, and does the 'framework' support that? How about
things like JFFS not supporting (yet) filesystem extended attributes?

Just a few dumb thoughts.
PS: Again, let's base this on an x86 compatible platform. It might
sound cool for a geeky audience to run spender's backdoor on an ARM5
fridge and let him steal your tacos, but such a thing is not really
useful except for wasting time.