Hi,
I would like some help understanding the below described scenario.
An L4Linux/Genode/Fiasco.OC is used as the secure environment. If malware is executed on a process thread on the L4Linux layer, say to scrape the L4Linux system for memory dumps or to access the filesystem for crypto key files, how will the above setup protect against a malicious process thread? An example being a PGP email crypto program running on one process thread with another process thread infected by malware.
Thanks & Regards, Thoth.
For security purposes, you should keep L4Linux from being able to access sensitive data or otherwise cause problems. The sensitive stuff (e.g. crypto) should be running on Genode instead of in L4Linux, or at least in a separate L4Linux system. For security purposes, think of L4Linux as a fast virtual machine.
On Sun, Jul 26, 2015 at 4:44 AM, Thotheolh Tay <twzgerald@...9...> wrote:
genode-main mailing list genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main
Hi, If both processes (malware and secured process) are running in the same Linux instance there will be no additional protection. If you have different, totally separated (*) instances, the attack room is smaller. If the attack vector of the malware is independent of processes it still can do harm.

Let's construct an example. 2013 Shamir showed a side channel where a smartphone listening to CPU sounds could reconstruct a GnuPG key by noises. Take a computer with attached microphone (or integrated like tablet, laptop, ...) and let the malware be running in an environment accessing the microphone; a similar scenario can be used directly in the device.

As a thought: you can also use a timer to see how active the generic scheduler of Genode is. With a high accuracy timer you can see how much time your process takes and therefore recompute how the CPU is utilized.
Best regards Wolfgang
* you will never have totally separated processes as you will always have some Genode components which can be seen as a shared resource. You will also not have a bug free system.
----- Original Message ----- From: "Thotheolh Tay" <twzgerald@...9...> Sent: 26.07.2015 06:44 To: "genode-main@lists.sourceforge.net" genode-main@lists.sourceforge.net Subject: Security compartmentalisation
Hi,
Thanks for the detailed replies. From the inputs you guys gave, the instances must be sandboxed via calling different instances.
I have successfully compiled L4Linux/Fiasco.OC and got the ISO running on bare metal. If I want to achieve the isolation of programs in multiple L4Linux instances, are there any options to execute from the bare metal L4Linux/Fiasco.OC to spawn multiple instances at the same time and switch between them?
An example is to run a crypto server on one L4Linux instance that has access to sensitive key material while exposing e.g. port 11111 on the loopback network, so that instance #2 will only be able to call instance #1 for crypto, to protect against malware accessing memory spaces and sensitive files within a particular instance?
Thanks & Regards, Thoth. On 26 Jul 2015 14:30, "Wolfgang Schmidt" <w_schmidt@...181...> wrote:
From: Thotheolh Tay <twzgerald@...9...> Sent: 26.07.2015 06:44 To: genode-main@lists.sourceforge.net Subject: Security compartmentalisation
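The two-instance layout Thoth asks about above, expressed as a Genode init configuration. This is an added example, not a run script from the thread or from the Genode project: the start names (key_blk, crypto_linux, untrusted_linux), the ROM and initrd file names, the use of rom_blk to serve the key image, and the assumption that a parent already provides Timer and an uplink Nic are all assumptions. The point it shows is that isolation is enforced by routing: the untrusted guest has no route to the Block session holding the keys, so the only path to them is the network service offered by the crypto guest (the same discipline applies if the crypto service is a native Genode component rather than a second L4Linux).

```xml
<!-- Added example, not from the thread.  Start names (key_blk, crypto_linux,
     untrusted_linux) and ROM/initrd file names are hypothetical; this init is
     assumed to run under a parent that already provides Timer and an uplink Nic. -->
<config>
  <parent-provides>
    <service name="ROM"/> <service name="RAM"/> <service name="CAP"/> <service name="PD"/>
    <service name="RM"/>  <service name="CPU"/> <service name="LOG"/> <service name="SIGNAL"/>
    <service name="Timer"/> <service name="Nic"/>
  </parent-provides>

  <!-- Key material as a block device; assumed rom_blk serving ROM "keys.img". -->
  <start name="key_blk">
    <binary name="rom_blk"/>
    <resource name="RAM" quantum="4M"/>
    <provides> <service name="Block"/> </provides>
    <config file="keys.img" block_size="512"/>
    <route> <any-service> <parent/> </any-service> </route>
  </start>
  <!-- One uplink Nic session multiplexed into a virtual LAN for both guests. -->
  <start name="nic_bridge">
    <resource name="RAM" quantum="4M"/>
    <provides> <service name="Nic"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- Instance #1: holds the keys, runs the crypto service on port 11111. -->
  <start name="crypto_linux">
    <binary name="l4linux"/>
    <resource name="RAM" quantum="128M"/>
    <config args="mem=120M l4x_rd=initrd_crypto.gz"/>
    <route>
      <service name="Block"> <child name="key_blk"/> </service>
      <service name="Nic">   <child name="nic_bridge"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>

  <!-- Instance #2: no Block route.  Its Block session request matches nothing,
       so init denies it; the keys are reachable only via instance #1's service. -->
  <start name="untrusted_linux">
    <binary name="l4linux"/>
    <resource name="RAM" quantum="128M"/>
    <config args="mem=120M l4x_rd=initrd_user.gz"/>
    <route>
      <service name="Nic"> <child name="nic_bridge"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

Routes are matched in order, so the explicit Nic route takes precedence over the catch-all parent route for both guests; what this configuration does not address is the shared-resource and timing side channels Wolfgang describes, which remain even with fully separated instances.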