Dailydave mailing list archives
Considerations for a "secure" embedded system
From: "Lance M. Havok" <lmh () info-pull com>
Date: Tue, 10 Jul 2007 22:17:48 -0700
After reading and playing in the past with gems like Gentoo Embedded and Gentoo Hardened, I wonder about the current possibilities *today* for developing a portable system deploying grsecurity, PaX and friends (even SELinux since they fixed some memory footprint issues some time ago, but probably still have issues with busybox and shrinking the policy to a simplified variant).

Let's think about x86 first, then ARM. What options are available right now and how feasible is it to use them? The requirements of buildroot for building the customized system, or the usage of Gentoo Embedded.

With all the buzz on virtualization technologies, 'virtual appliances', etc, the point behind installing Unbungu Muslim/Christian Server Edition seems to be moot. There's no sense behind virtualization if you run your imapd on the same machine as the LDAP monster and get one of them compromised right away. Not to mention the default configuration of vmware-server's authd, and the requirement of xinetd.

If you can run a uclibc-based system with a few security enhancements, and take less than 100MB for the whole thing including your target service, using a full-fledged 'distribution' does not make any sense.

The next question would be: How easy is it to update the system images? How about batch building them, including services dynamically from a profile? vmware-server supports scripting even. How complex is the build process itself? Can the toolchain be shared across builds for the same platform, and does the 'framework' support that? How about things like JFFS not supporting (yet) filesystem extended attributes?

Just a few dumb thoughts.

PS: Again, let's base this on an x86 compatible platform. It might sound cool for a geeky audience to run spender's backdoor on an ARM5 fridge and let him steal your tacos, but such a thing is not really useful except for wasting time.