LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Tin Hat: secured by running from RAM

March 18, 2009

This article was contributed by Bruce Byfield

Security measures generally fall into one of two categories. Either they are reactive like anti-virus software and respond to intrusions as they arise, or they are architectural like file permissions, and built to prevent intrusions in the first place. Tin Hat Linux, a project undertaken by D'Youville College in Buffalo, New York, falls firmly into the architectural category. By running a security-hardened operating system entirely in RAM — preferably while using encrypted drives for storage — Tin Hat attempts to deter attackers even if they have physical access to the system. The result is a distribution that trades off a challenging install and a slow system boot in favor of high security and fast applications, a mixture of weaknesses and strengths that may put off as many users as it attracts.

Anthony G. Basile, Chair of Information Technology at D'Youville College, says, "Tin Hat was started during a modern operating system course I taught. We started looking at security issues regarding the kernel and then worked outward. Eventually we came up with the idea of building our own distro to include these ideas."

Basile explains, "This is how we picture someone using Tin Hat. They boot off the CD (or pen drive). Then use a key file from a pen drive, plus passphrase, to unencrypt their drives. They do their work and then shutdown."

Preparing to use Tin Hat

Before you use Tin Hat, ideally you should have a working familiarity with Gentoo Linux — or, more specifically, with the Hardened Gentoo project, which Tin Hat is specifically based upon. Without this background knowledge, you may find yourself scrambling to understand some aspects of Tin Hat, particularly the instructions for encrypting drives. You also need a machine with at least four gigabytes of RAM, and preferably eight, since 3GB will be taken up by the operating system.

Understand, too, that the x86 and AMD64 images on the site are not live CDs; instead they are what the project refers to as "prebuild images." That is, they are not usable versions of the distribution in themselves, but the tools that you use to create the ISO image you will boot.

This installation process is very hands-on, and has little similarity to that of any modern major distribution. For this reason, you should also read the project's thorough but slightly chatty Quick Start documentation. Much, if not all of the documentation, is available after a prebuild image loads, but you should understand what you are undertaking before you start, and possibly research any concepts with which you are unfamiliar.

In fact, you may want to print out the Quick Start, or display it on another computer to assist you while you work, particularly if you are not at least vaguely familiar with basic administrative commands like ifconfig or common configuration files like xorg.conf. Some familiarity with filesystem encryption won't hurt, either.

Building and installing an image

The purpose of the prebuild CDs is to create a workable image customized for a specific machine. To use a prebuild, burn a CD from an image downloaded from the project site, then use it to start the system on which you plan to use Tin Hat. Either the CD will open a GNOME desktop or else you will have to enable video from the shell prompt, an option that seems most likely if you are using a large widescreen monitor.

Assuming you have some knowledge of GNU/Linux systems, you should have few problems building a custom image if you follow the steps in the Quick Start. The process consists of ten steps, the first five of which are basic configuration: Changing the default passwords that come with the prebuild CDs, and setting up video, networking, sound, and printing. Much of this hardware should be detected by default, but, if any is not, the Quick Start gives you detailed instructions on the steps you should take, as well as some basic suggestions for troubleshooting.

With the sixth step, the process becomes more esoteric. Since RAM is in short supply, you need to be sure that the amount of memory allotted to tmpfs, the RAM-based filesystem, still leaves you with at least a gigabyte or so to run programs. More, of course, is desirable.

In the next two steps, you have the option of installing and upgrading applications, and configuring a new kernel. These steps ensure that the image is current, but, between the two of them, can take well over an hour — likely more — to complete.

These steps are followed by the optional preparation of an encrypted filesystem on either a hard drive or a flash drive that you can use to store your personal files when using Tin Hat. As the Quick Start explains, because the entire operating system is loaded into RAM, you can encrypt an entire device, and have no need for an unencrypted /boot partition. "Encrypting the entire block device this way," the Quick Start suggests, "makes it difficult for an attacker to know whether he is looking at encrypted data or random noise" — although in practice, a competent cracker would probably assume encryption.

Tin Hat favors the use of loop-aes, but also supports the use of dm-crypt, although, presumably because of dm-crypt's emphasis on external drives, its use is not recommended for hard drives. The Quick Start, however, does suggest using dm-crypt's cryptsetup to prepare a flash drive before encrypting it. Fortunately, the detailed instructions are enough to guide even relative newcomers to cryptography through the necessary steps.

The final step is to build the ISO. In this step, you use shell scripts stored in /home/thuser/SAVE to remove entries from system logs, and build the image so that you can either burn it or install it on a flash drive.

Booting into Tin Hat

Because Tin Hat does not run from a hard drive, its boot time is about twice that of most distributions if you are booting from a flash drive. If you are booting from CD, the time can be up to four times slower than a distribution on a hard drive, depending on the speed of your CD drive. Most of this boot time is required to uncompress the squashfs filesystem of the image and copy it into RAM memory.

However, when Tin Hat finally loads, you are compensated for the slow boot time. True, Tin Hat's lightly branded GNOME desktop is unremarkable, and there is little to say about the software except that the selection and the currency is what you chose to make it when you created the image you are using. But, because applications run from RAM rather than the hard drive, they open and close at fractions of the usual speeds. For some, this speed may be almost as important a reason for running Tin Hat as security.

Running in RAM also has the advantage of reducing the inconvenience of at least one security feature. Although Tin Hat includes almost twenty services, only a third are started at boot time, in keeping with the basic security premise of minimizing them. On a system running from a hard drive, starting each additional service would generally involve a small but noticeable delay. However, because Tin Hat runs from RAM, the delay is no longer noticeable — even though you do still have to manually start most services.

But running in RAM also creates other problems. If you find that you neglected to include essential software in the image, you must either create and burn another image or install the extra software each time you boot into Tin Hat. You must remember, too, to save your work to a hard drive or removable device, or else you lose it. For full security, you should save to an encrypted filesystem, although the choice is yours

Even more significantly, if you are running the minimum 4 gigabytes, you are more or less confined to basic productivity and Internet use; Tin Hat itself uses three of those gigabytes, and does not use a swap file, simply killing programs when it runs out of memory. While for many people, this functionality is probably enough, some might find these limitations too high a price to pay for a system that disappears when you turn it off. But, if the system gets infected, you can do a completely clean reboot.

The limits of Tin Hat

Tin Hat is unquestionably more secure than the average distribution, although its installation is rough and ready by modern standards. However, as the project itself admits, Tin Hat is only a "baby step" towards a completely secure system. In fact, the project site suggests that a completely secure system is likely impossible.

For one thing, some compromises in security are necessary just to allow the X Windows System and GNOME to run. More importantly, Tin Hat has yet to provide protection against cold boot attacks, in which data in RAM is recovered even after rebooting, or msramdmp, an application that can recover the tmpfs root file system. Nor can any security measures, no matter how ingenious, protect against social engineering attacks or simple human carelessness, such as leaving a system unattended.

Still, within these limitations, Tin Hat remains an intriguing possibility for the security-conscious. For others, the usefulness of Tin Hat depends on whether they are willing to endure the assorted inconveniences in return for greater peace of mind. Many, I suspect, are not.

Comments (1 posted)

New vulnerabilities

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2009-0758
Created:March 16, 2009 Updated:September 29, 2010
Description:

From the Mandriva advisory:

A security vulnerability has been identified and fixed in avahi which could allow remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet (CVE-2009-0758).

Alerts:
Ubuntu USN-992-1 2010-09-29
Debian DSA-2086-1 2010-08-04
CentOS CESA-2010:0528 2010-07-14
Red Hat RHSA-2010:0528-01 2010-07-13
SuSE SUSE-SR:2010:002 2010-02-01
Gentoo 200904-10 2009-04-08
Mandriva MDVSA-2009:076 2009-03-13

Comments (none posted)

evolution-data-server: multiple vulnerabilities

Package(s):evolution-data-server CVE #(s):CVE-2009-0547 CVE-2009-0582 CVE-2009-0587
Created:March 16, 2009 Updated:May 25, 2010
Description:

From the Red Hat advisory:

Evolution Data Server did not properly check the Secure/Multipurpose Internet Mail Extensions (S/MIME) signatures used for public key encryption and signing of e-mail messages. An attacker could use this flaw to spoof a signature by modifying the text of the e-mail message displayed to the user. (CVE-2009-0547)

It was discovered that Evolution Data Server did not properly validate NTLM (NT LAN Manager) authentication challenge packets. A malicious server using NTLM authentication could cause an application using Evolution Data Server to disclose portions of its memory or crash during user authentication. (CVE-2009-0582)

Multiple integer overflow flaws which could cause heap-based buffer overflows were found in the Base64 encoding routines used by Evolution Data Server. This could cause an application using Evolution Data Server to crash, or, possibly, execute an arbitrary code when large untrusted data blocks were Base64-encoded. (CVE-2009-0587)

Alerts:
SuSE SUSE-SR:2010:012 2010-05-25
SuSE SUSE-SR:2010:011 2010-05-10
SuSE SUSE-SR:2010:006 2010-03-15
Debian DSA-1813-1 2009-06-08
SuSE SUSE-SR:2009:010 2009-05-12
Mandriva MDVSA-2009:078 2009-03-23
Fedora FEDORA-2009-2784 2009-03-18
Fedora FEDORA-2009-2792 2009-03-18
CentOS CESA-2009:0355 2009-03-18
CentOS CESA-2009:0354 2009-03-18
Ubuntu USN-733-1 2009-03-16
CentOS CESA-2009:0358 2009-03-17
Red Hat RHSA-2009:0358-01 2009-03-16
Red Hat RHSA-2009:0355-01 2009-03-16
Red Hat RHSA-2009:0354-01 2009-03-16

Comments (none posted)

ffmpeg: several vulnerabilities

Package(s):ffmpeg, ffmpeg-debian CVE #(s):CVE-2008-4610 CVE-2009-0385
Created:March 17, 2009 Updated:December 17, 2009
Description: From the Ubuntu advisory:

It was discovered that FFmpeg did not correctly handle certain malformed Ogg Media (OGM) files. If a user were tricked into opening a crafted Ogg Media file, an attacker could cause the application using FFmpeg to crash, leading to a denial of service.

It was discovered that FFmpeg did not correctly handle certain malformed 4X movie (4xm) files. If a user were tricked into opening a crafted 4xm file, an attacker could execute arbitrary code with the privileges of the user invoking the program.

Alerts:
Mandriva MDVSA-2009:335 2009-12-17
Mandriva MDVSA-2009:319 2009-12-05
Mandriva MDVSA-2009:297-1 2009-12-05
Mandriva MDVSA-2009:297 2009-11-13
Mandriva MDVSA-2009:298 2009-11-13
Mandriva MDVSA-2009:299 2009-11-13
Debian DSA-1782-1 2009-04-29
Debian DSA-1781-1 2009-04-29
Fedora FEDORA-2009-3433 2009-04-09
Fedora FEDORA-2009-3428 2009-04-09
Slackware SSA:2009-098-03 2009-04-08
Gentoo 200903-33 2009-03-19
Ubuntu USN-734-1 2009-03-16

Comments (none posted)

glib: attacker-supplied code execution

Package(s):glib CVE #(s):CVE-2008-4316
Created:March 13, 2009 Updated:April 24, 2009
Description: From the rPath advisory: Previous versions of glib contain a vulnerability in the base64 encode and decode functions which may result in executing attacker-supplied code when processing large strings. This vulnerability is present only through applications that accept user-supplied strings and process them with the base64 encode or decode functionality of glib.
Alerts:
Gentoo 200904-02 2009-04-03
Mandriva MDVSA-2009:085 2009-04-02
Fedora FEDORA-2009-2688 2009-03-13
Slackware SSA:2009-086-02 2009-03-30
Mandriva MDVSA-2009:080 2009-03-26
Red Hat RHSA-2009:0336-01 2009-03-24
Debian DSA-1747-1 2009-03-20
Ubuntu USN-738-1 2009-03-16
rPath rPSA-2009-0045-1 2009-03-12
Fedora FEDORA-2009-2657 2009-03-13
SuSE SUSE-SA:2009:026 2009-04-24

Comments (none posted)

gst-plugins-base: arbitrary code execution

Package(s):gst-plugins-base0.10 CVE #(s):CVE-2009-0586
Created:March 17, 2009 Updated:July 13, 2009
Description: From the Ubuntu advisory: It was discovered that the Base64 decoding functions in GStreamer Base Plugins did not properly handle large images in Vorbis file tags. If a user were tricked into opening a specially crafted Vorbis file, an attacker could possibly execute arbitrary code with user privileges.
Alerts:
Gentoo 200907-11 2009-07-12
SuSE SUSE-SR:2009:009 2009-04-21
CentOS CESA-2009:0352 2009-04-08
Red Hat RHSA-2009:0352-01 2009-04-06
Mandriva MDVSA-2009:085 2009-04-02
Ubuntu USN-735-1 2009-03-16

Comments (none posted)

icu: content protection mechanism bypass

Package(s):icu CVE #(s):CVE-2008-1036
Created:March 12, 2009 Updated:April 17, 2009
Description: ICU has a content protection mechanism bypass vulnerability. From the Red Hat alert:

A flaw was found in the way ICU processed certain, invalid, encoded data. If an application used ICU to decode malformed, multibyte, character data, it may have been possible to bypass certain content protection mechanisms, or display information in a manner misleading to the user. (CVE-2008-1036)

Alerts:
Debian DSA-1762-1 2009-04-02
Ubuntu USN-747-1 2009-03-26
Red Hat RHSA-2009:0296-01 2009-03-12
rPath rPSA-2009-0064-1 2009-04-17

Comments (none posted)

libpng: memory leak

Package(s):libpng CVE #(s):CVE-2008-6218
Created:March 13, 2009 Updated:August 17, 2011
Description: From the CVE entry: Memory leak in the png_handle_tEXt function in pngrutil.c in libpng before 1.2.33 rc02 and 1.4.0 beta36 allows context-dependent attackers to cause a denial of service (memory exhaustion) via a crafted PNG file.
Alerts:
openSUSE openSUSE-SU-2011:0915-1 2011-08-17
Mandriva MDVSA-2010:133 2010-07-15
Debian DSA-1750-1 2009-03-22
Gentoo 200903-28 2009-03-15
rPath rPSA-2009-0046-1 2009-03-12

Comments (none posted)

libsoup: arbitrary code execution

Package(s):libsoup CVE #(s):CVE-2009-0585
Created:March 16, 2009 Updated:May 13, 2009
Description:

From the Red Hat advisory:

An integer overflow flaw which caused a heap-based buffer overflow was discovered in libsoup's Base64 encoding routine. An attacker could use this flaw to crash, or, possibly, execute arbitrary code. This arbitrary code would execute with the privileges of the application using libsoup's Base64 routine to encode large, untrusted inputs. (CVE-2009-0585)

Alerts:
SuSE SUSE-SR:2009:010 2009-05-12
Mandriva MDVSA-2009:081 2009-03-27
Debian DSA-1748-1 2009-03-20
CentOS CESA-2009:0344 2009-03-17
Ubuntu USN-737-1 2009-03-16
Red Hat RHSA-2009:0344-01 2009-03-16

Comments (none posted)

mldonkey: path traversal

Package(s):mldonkey CVE #(s):CVE-2009-0753
Created:March 13, 2009 Updated:March 24, 2009
Description: From the Debian advisory: It has been discovered that mldonkey, a client for several P2P networks, allows attackers to download arbitrary files using crafted requests to the HTTP console.
Alerts:
Gentoo 200903-36 2009-03-23
Fedora FEDORA-2009-2758 2009-03-16
Fedora FEDORA-2009-2703 2009-03-16
Debian DSA-1739-1 2009-03-13

Comments (none posted)

mod_security: denial of service

Package(s):mod_security CVE #(s):
Created:March 13, 2009 Updated:March 18, 2009
Description: From the Fedora advisory: Security fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. See the release announcement for more details.
Alerts:
Fedora FEDORA-2009-2654 2009-03-13
Fedora FEDORA-2009-2686 2009-03-13

Comments (none posted)

Opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2008-5178 CVE-2008-5679 CVE-2008-5680 CVE-2008-5681 CVE-2008-5682 CVE-2008-5683
Created:March 17, 2009 Updated:March 18, 2009
Description: From the Gentoo advisory: Multiple vulnerabilities were discovered in Opera:

* Vitaly McLain reported a heap-based buffer overflow when processing host names in file:// URLs (CVE-2008-5178).

* Alexios Fakos reported a vulnerability in the HTML parsing engine when processing web pages that trigger an invalid pointer calculation and heap corruption (CVE-2008-5679).

* Red XIII reported that certain text-area contents can be manipulated to cause a buffer overflow (CVE-2008-5680).

* David Bloom discovered that unspecified "scripted URLs" are not blocked during the feed preview (CVE-2008-5681).

* Robert Swiecki of the Google Security Team reported a Cross-site scripting vulnerability (CVE-2008-5682).

* An unspecified vulnerability reveals random data (CVE-2008-5683).

* Tavis Ormandy of the Google Security Team reported a vulnerability when processing JPEG images that may corrupt memory (CVE pending).

Alerts:
Gentoo 200903-30 2009-03-16

Comments (none posted)

perl-MDK-Common: privilege escalation

Package(s):perl-MDK-Common CVE #(s):
Created:March 13, 2009 Updated:March 18, 2009
Description: perl-MDK-Common has a privilege escalation vulnerability. From the Mandriva alert:

The functions used to write strings into shell like configuration files by Mandriva tools were not taking care of some special characters. This could lead to some bugs (like wireless keys containing certain characters not working), and privilege escalation. This update fixes that issue by ensuring proper protection of strings.

Alerts:
Mandriva MDVSA-2009:072 2009-03-10

Comments (none posted)

TMSNC: arbitrary code execution

Package(s):TMSNC CVE #(s):CVE-2008-2828
Created:March 12, 2009 Updated:March 18, 2009
Description: TMSNC, a Text-based client for the MSN instant messaging protocol, has a buffer overflow vulnerability that can possibly used for the execution of arbitrary code when processing an instant message.
Alerts:
Gentoo 200903-26 2009-03-12

Comments (none posted)

weechat: denial of service

Package(s):weechat CVE #(s):CVE-2009-0661
Created:March 18, 2009 Updated:April 6, 2009
Description: The weechat IRC client has a bug in its color-handling code which can cause an out-of-bounds read and subsequent crash.
Alerts:
Gentoo 200904-04 2009-04-04
Fedora FEDORA-2009-2859 2009-03-20
Fedora FEDORA-2009-2861 2009-03-20
Debian DSA-1744-1 2009-03-18

Comments (none posted)

wesnoth: multiple vulnerabilities

Package(s):wesnoth CVE #(s):CVE-2009-0366 CVE-2009-0367
Created:March 12, 2009 Updated:March 18, 2009
Description: The game wesnoth has multiple vulnerabilities. From the Debian alert:

CVE-2009-0366 Daniel Franke discovered that the wesnoth server is prone to a denial of service attack when receiving special crafted compressed data.

CVE-2009-0367 Daniel Franke discovered that the sandbox implementation for the python AIs can be used to execute arbitrary python code on wesnoth clients. In order to prevent this issue, the python support has been disabled. A compatibility patch was included, so that the affected campagne is still working properly.

Alerts:
Debian DSA-1737-1 2009-03-11

Comments (none posted)

yaws: denial of service

Package(s):yaws CVE #(s):CVE-2009-0751
Created:March 16, 2009 Updated:March 18, 2009
Description:

From the Debian advisory:

It was discovered that yaws, a high performance HTTP 1.1 webserver, is prone to a denial of service attack via a request with a large HTTP header.

Alerts:
Debian DSA-1740-1 2009-03-14

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds