DaemonForums  

  #1   (View Single Post)  
Old 12th April 2010
guitarscn guitarscn is offline
Package Pilot
 
Join Date: Oct 2008
Posts: 166
Thanked 1 Time in 1 Post
Qubes?

http://threatpost.com/en_us/blogs/re...ened-os-040710

What do you all think of this? (Especially OBSD users...)
  #2   (View Single Post)  
Old 12th April 2010
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

Complete isolation via virtualization is not possible, even on systems where hardware components of the underlying guests are dedicated. DoS is the most common problem, where one guest impacts another. I've had many systems where a reboot of the hypervisor is required to fix a problem with one guest, affecting all. Including systems with dedicated processors and memory boards.

There are, and continue to be, bugs in virtualization software/firmware.

In addition, the solution described in the link uses X -- X requires userland code to have direct access to memory (the aperture sysctl that is disabled by default in OBSD), which is another vector where one guest may possibly find a way to scribble in another guest's RAM.
  #3   (View Single Post)  
Old 12th April 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,154
Thanked 182 Times in 149 Posts

Nothing new, just a copy of the design principles of the VM/CMS operating system for IBM mainframes. From http://en.wikipedia.org/wiki/VM_%28operating_system%29
Quote:
The heart of the VM architecture is a control program or hypervisor called VM-CP (usually: CP; sometimes, ambiguously: VM). It runs on the physical hardware, and creates the virtual machine environment. VM-CP provides full virtualization of the physical machine – including all I/O and other privileged operations. It performs the system's resource-sharing, including device management, dispatching, virtual storage management, and other traditional operating system tasks. Each VM user is provided with a separate virtual machine having its own address space, virtual devices, etc., and which is capable of running any software that could be run on a stand-alone machine.
......
Running within each virtual machine is another, "guest" operating system. This might be:
  • CMS ("Conversational Monitor System", renamed from the "Cambridge Monitor System" of CP/CMS). Its official name is VM-CMS (confusing, since VM is commonly called VM/CMS). Most virtual machines run CMS, a lightweight, single-user operating system. Its interactive environment is comparable to that of a single-user PC, including a file system, programming services, device access, and command-line processing. (While an earlier version of CMS was uncharitably described as "CP/M on a mainframe", the comparison is an anachronism; the author of CP/M, Gary Kildall, was an experienced CMS user.)
  • A mainstream operating system. IBM's mainstream operating systems (i.e. the OS or DOS families) can be loaded and run without modification. The VM hypervisor treats guest operating systems as application programs with exceptional privileges - it prevents them from using privileged instructions (those which would let applications take over the whole system or significant parts of it), but simulates privileged instructions on their behalf. Most mainframe operating systems terminate a normal application which tries to usurp the operating system's privileges.

  • Another copy of VM. A "second level" instance of VM can be fully-virtualized inside a virtual machine. This is how VM development and testing is done. (A "second-level" VM can potentially implement a different virtualization of the hardware. This technique was used to develop S/370 software before S/370 hardware was available, and it has continued to play a role in new hardware development at IBM. The literature cites practical examples of virtualization five levels deep.) Levels of VM below the top are also treated as applications but with exceptional privileges.
  • A copy of the mainframe version of AIX or Linux. In the mainframe environment, these operating systems often run under VM, and are handled like other guest operating systems. (They can also run as 'native' operating systems on the bare hardware.)
RE: OBSD
Theo de Raadt has expressed the view that he does not understand how people can believe that whole armies of programmers, who have been struggling to write secure operating systems and applications for decades, suddenly are capable of writing secure virtualization software.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
  #4   (View Single Post)  
Old 12th April 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts

Quote:
Originally Posted by guitarscn
What do you all think of this?
As another perspective, not much.

All software has bugs, & all bugs are not equal. Easy bugs can be identified & resolved relatively quickly. Harder & more subtle bugs take more time to surface, identify, & fix irregardless of how astute the development team. One of the reasons the *BSD family is reasonably stable is due to so many people having put the software into real-world situations where hard problems have been found & ultimately resolved.

The paint hasn't even dried on the codebase questioned, & it certainly hasn't undergone the test of real-world production environments.

Not that this project doesn't have merit, but it appears to be yet another virtualization flavor of the week. Writing virtualization software is difficult & even harder to test. Complicated projects simply take time to settle into some level of stability, & most virtualization implementations available today are still in their infancy irregardless of what their marketing departments want you to believe.
  #5   (View Single Post)  
Old 12th April 2010
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts

I think this announcement is perfectly timely: http://www.daemonforums.org/showthread.php?t=4605
  #6   (View Single Post)  
Old 13th April 2010
Oko Oko is offline
Fsck Surgeon
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 776
Thanked 36 Times in 32 Posts

Quote:
Originally Posted by guitarscn
http://threatpost.com/en_us/blogs/re...ened-os-040710

What do you all think of this? (Especially OBSD users...)
You cannot have a secure operating system running on insecure hardware, i.e. 386 crap. Computer code can never compensate for deficiencies of hardware. It is as simple as that. That is about the spot at which you can stop reading. Since I had some time I actually read the whole article. Looks like another nonsense from the church of MAC (mandatory access control), this time brilliantly applied to another hit ultra-secure product called virtual machine.