general improvements for Sculpt

Edoardo Mantovani mantovani.edoardo18 at gmail.com
Fri Jan 22 12:26:52 CET 2021


Hello everyone,

Some days ago I used your OS (Sculpt v.20.08) from a bootable USB and
I was genuinely impressed by its style and its security
base idea. After having read some information on it, I was able to
develop some tips which I would like to share with the community:

=======================
Language Compatibility
=======================

*) There is no support for the Italian keyboard; I was able to find only
German, French and English .chargen files. For a next update it
would be great to add other chargen files.

*) I can give my full support for translating document pages into
Italian; this could (apparently)
be great for increasing the possible audience, but honestly I doubt
that an Italian community could be created
(we are quite far in the security-technological field, no comment on
that, please).

=======================
BEGINNER FRIENDLY OS?
=======================

*) I know that this operating system is not developed to be user
friendly, but it could be great to add some help for beginners, like
a graphical instruction box when clicking on certain things in
Leitzentrale. A graphical example could be the following:

|---------|                                                  |-------|
|  depot  | (when clicking on it appears an info box) -->    | info  |
|_________|                                                  |-------|

(sorry for the bad ASCII image)

=======================
GRAPHICS
=======================

*) Probably the best point of your OS is its graph graphics;
the idea of Leitzentrale is
innovative if we compare it to the Windows OS or similar. A small hint
could be to create the same style for the "file" part, so something
which could be similar to graphviz2 output instead of
"block representation".

{

direct link to my idea: https://graphviz-perl.github.io/

see the graph under the "Input file # 17 - t/gen.parse.stt.t" example,

s/other_names/folder_names/g

}

*) Small consideration: I found a graphical glitch in the "motif
decoration" node in Leitzentrale (it flew up and down without any
input) [Still studying this..]

========================
DOCUMENTATIONS
========================

*) Your site is pretty cool and interesting, and the documentation is great, but
I haven't seen anything on
Sculpt; it could be great to add something like UNIX's manpage system.

=========================
WIRELESS SUBSYSTEM
=========================

*) I asked for the documentation on it before speaking (Thanks
Alexander). It is extremely similar to the Linux wireless subsystem,
except for a modified libnl support for user space. Could I have the
source code for it? I would like to study the modifications you've
made to libnl.
I am pretty fascinated by those modified subsystems.

*) It would be great to extend the range to other devices. I saw you
implemented only the iwlwifi driver; it would be great to implement also
brcmf (both HardMac and SoftMac) and even Qualcomm's wireless cards. I
can give my full support for that.

/*
*) I have some ideas for controlling the iwlwifi blob, for now I would
like to test it on my own, in general it would be great to
""customize"" the "blob loading".
*/

========================
Custom Patching system
========================

*) I've seen the potential of the software-based hardware management;
my biggest hint would be to implement a security patching system with
an interface similar to Depot
(something like: choose customization part, insert code patch [like
the Linux kernel's system] and process it)
 |
 V
could be a dangerous door for local cyber-attacks

========================
TERMINAL DOWNSIDE
========================

*) Using the inspect shell I wasn't able to scroll up. Do you know if
it's implemented?
It would be better to have a scroll bar.

=======================
DEPOT SYSTEM
=======================

As I understood, depot is like a package manager and the various
repositories contain various applications. Here I'll insert my ideas
on it:

*) Many of those repos are inaccessible even if I am connected to the
wireless network:

{
  I am not able to download/fetch the following repos:
  [-] ehmry
  [-] blarson
  [-] rite
 }

*) In general there isn't much variety in the repos; many packages are
the same. It would be great to extend the "candidates" list; I can
contribute to the development of several CLI apps.

*) I can work on adding some scripting language interpreter
packages to Genode

{
    [-] Minised
    [-] lightweight Perl languages (microperl, miniperl or my
customized languages)
}
and maybe adapt them for the OS needs and tasks.

*) A quite interesting idea would be to add local depots. In general:

  -->) We have 2 devices (feature phones or similar)
  -->) The first is the client, the second is the depot server
  -->) Through Bluetooth, BLE or even other standards (NFC??) it could be
cool to use the repository stored on the second phone from the first.

[
Obviously this is extremely complex to do: we should set up a correct
cryptographic key exchange and set an authentication rule; this could
lead to an ∞ of problems:

*) Hijacking or other Bluetooth attacks are possible; the worst case
scenario is that an untrusted depot server can inject the device,
bypassing the security authentication restriction.
If this is implemented, it MUST be well structured.

*) Not every device has the same Bluetooth version; with some work a
workaround could be implemented which acts like a switch statement:

{
example:
switch(bluetooth_version){
  case (version == 5.0 ) {do this}
  case (version == 4.1 ) {do that}
}
}

*) Obviously a tiny Bluetooth subsystem must be implemented; I
suggest using Linux's one.
(I also have the 2008-2009 documentation on it).


*) This idea could be a great topic for your blog; I can help with the
formal verification
(pi calculus?) exposition and with other implementation details.

]

I have many other ideas.
These are some "fast" considerations for improving the OS quality;
my "knowledge CV" is here: (https://github.com/Baseband-processor)

Let me know if you have any doubts,
Regards and thanks for your work,

Edoardo Mantovani, 2021
-- 

Edoardo Mantovani
Independent security researcher
email: Baseband at cpan.org
Urbino, Italy