
New Debian-based Projects: Adamantix and Bonzai Linux

[This article was contributed by Ladislav Bodnar]

Adamantix and Bonzai Linux are two recently announced Debian-based projects. Both have changed their names since launch; Adamantix used to be known as Trusted Debian, while Bonzai Linux was originally called miniwoody. Let's take a brief look at these projects to see what they are about.

Adamantix http://www.adamantix.org/

The Adamantix project has set itself the goal of creating a highly secure extension of Debian's stable branch. Because it lacks an installer, it is not a distribution which one can download and install independently; instead the project provides a small subset of Debian packages together with a set of Adamantix-specific security software that makes the default Debian installation more secure and more resilient to malicious exploits. Peter Busser, the project's initiator and maintainer, argues that while Linux security patches and features are actively being developed by several projects, the mainstream Linux distributions seem reluctant to incorporate them into their own products. Adamantix is an attempt to remedy this situation for Debian users.

Which security features can we find in Adamantix? One of the more important ones is its protection against buffer overflows. The term "buffer overflow" refers to a software bug where a program either fails to allocate enough memory for an input string, or fails to check whether the length of the string lies within its valid range. A hacker can exploit such a weakness by submitting an extra-long input to the program, designed to overflow its allocated input buffer and modify the values of the variables stored next to it. This can cause the program to jump to unintended places, or even replace the program's instructions with arbitrary code. Buffer overflows are possibly the most common bugs found in software written in the C language and the subject of many security advisories.

One method to prevent buffer overflow bugs from being exploited is to patch the Linux kernel with PaX. PaX has too many features to list here, but the most important one lies in its ability to separate data from code. This prevents an attacker from writing data through an overflowed buffer and then executing that data as code. Another important feature is the ability of PaX to randomize the layout of a process's address space, as illustrated here by a stack randomization example. Linux systems not patched with PaX will place the stack at the same address every time the program is executed. A malicious attacker exploiting a buffer overflow knows the address of the stack and knows exactly what gets overwritten by the malicious input. A PaX-enabled kernel places the stack at a random address every time the program is executed, so the attacker can never be sure what part of the stack gets overwritten. Besides the stack, PaX applies the same randomization to the heap, shared libraries and executable programs. As long as the attacker cannot figure out the randomization scheme, exploiting a known overflow becomes a hit-and-miss affair, with the odds stacked heavily against the attacker's intent.
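The overflow and the randomization described in the two paragraphs above, as an added C example (constructed for this article; it is not Adamantix, PaX or Debian code). The first function copies input without a length check into a modelled stack frame in which an 8-byte buffer (an assumed size) is immediately followed by a 4-byte flag, so the corruption of a neighbouring variable is observable; the second is the bounds-checked replacement; the third samples one address from each region PaX randomizes so that running the binary twice shows whether the addresses repeat. The frame model, sizes and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Adamantix or PaX code. */

enum { BUF_LEN = 8 };           /* assumed size of the input buffer */

/*
 * Vulnerable pattern: copy until the NUL terminator with no length check.
 * The stack frame is modelled as one byte array in which an 8-byte input
 * buffer is immediately followed by a 4-byte flag, so the corruption the
 * article describes is observable without relying on compiler layout.
 * Returns the flag value that later code would act on.
 */
uint32_t unchecked_copy_then_read_flag(const char *input)
{
    unsigned char frame[64];
    uint32_t flag = 0;

    /* Keeps the model itself in bounds; the missing check this function
     * demonstrates is the one against BUF_LEN, not this one. */
    if (strlen(input) >= sizeof frame)
        return UINT32_MAX;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &flag, sizeof flag);   /* flag sits right after buf */

    /* strcpy-style loop: nothing stops it at BUF_LEN, so any input of
     * BUF_LEN characters or more spills into the flag bytes. */
    unsigned char *dst = frame;
    for (const char *src = input; *src; ++src)
        *dst++ = (unsigned char)*src;
    *dst = 0;

    memcpy(&flag, frame + BUF_LEN, sizeof flag);
    return flag;
}

/*
 * Hardened form: the copy is bounded by the destination size, and input
 * that does not fit (terminator included) is rejected rather than silently
 * truncated. Returns 0 on success, -1 if the input is too long.
 */
int checked_copy(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (n >= dst_len)
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/*
 * For the randomization paragraph: one address from each region PaX
 * randomizes (stack, heap, program code, shared library). Run the program
 * twice: with address-space randomization active the values differ between
 * runs; without it they repeat exactly, which is what an attacker relies on.
 */
struct layout { uintptr_t stack, heap, code, library; };

struct layout sample_layout(void)
{
    int local = 0;                      /* stack */
    void *h = malloc(16);               /* heap */
    struct layout l;
    l.stack   = (uintptr_t)&local;
    l.heap    = (uintptr_t)h;
    l.code    = (uintptr_t)&sample_layout;   /* program text */
    l.library = (uintptr_t)&puts;            /* libc, a shared library */
    free(h);
    return l;
}

int main(void)
{
    char buf[BUF_LEN];
    printf("unchecked, 5 chars : flag = 0x%08x\n", unchecked_copy_then_read_flag("alice"));
    printf("unchecked, 11 chars: flag = 0x%08x\n", unchecked_copy_then_read_flag("AAAAAAAAAAA"));
    printf("checked,   5 chars : %d\n", checked_copy(buf, sizeof buf, "alice"));
    printf("checked,   11 chars: %d\n", checked_copy(buf, sizeof buf, "AAAAAAAAAAA"));

    struct layout l = sample_layout();
    printf("stack %#lx heap %#lx code %#lx lib %#lx\n",
           (unsigned long)l.stack, (unsigned long)l.heap,
           (unsigned long)l.code, (unsigned long)l.library);
    return 0;
}
```

Note that an input of exactly BUF_LEN characters is already an overflow in the unchecked version: its terminating NUL lands on the first byte of the flag. The checked version refuses such input because it needs room for the terminator as well.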

Another important kernel patch used by Adamantix is RSBAC. RSBAC stands for Rule Set Based Access Control and, as the name implies, it is an access control framework designed for use with current Linux kernels. Again, its features are too numerous to detail here, but in essence, the RSBAC patch implements a detailed control mechanism for access to files, pipes, network sockets, system control data, devices, users and processes. It provides users with pre-made rules (conceptually similar to iptables rules), as well as methods for creating custom rules, some of which can go as far as eliminating the concept of a superuser - and associated risks. RSBAC also includes a powerful logging system which makes intrusion attempts easily detectable. RSBAC is an open source project, currently free of any patent issues, which sometimes plague other similar efforts.

Installing Adamantix on an existing Debian system (only the current stable version is supported) is done by modifying the sources.list file and pointing its sources to one of the mirrors; in fact many Debian mirrors now carry the complete Adamantix tree. As is the case with most new projects, the documentation on the site leaves a lot to be desired, but Adamantix provides mailing lists with active discussion and information about current development. The project certainly deserves the attention of security conscious system administrators and developers.

Bonzai Linux http://developer.berlios.de/projects/bonzai/

Developed by Marcus Moeller, Bonzai Linux is a modified version of the Debian "netinst" boot CD. The "netinst" CD was introduced shortly before the release of Debian GNU/Linux 3.0 (Woody) and was meant to replace the traditional Debian boot floppies, thus making the installation process less cumbersome. After loading the necessary network kernel modules, a user could initiate a network installation and get all the components from a local network or, more commonly, from a remote FTP or HTTP source.

Bonzai Linux expands on the idea by providing a basic Debian system, including the latest stable kernel and KDE packages, on the CD. It is no longer necessary to load kernel modules at the beginning; in fact, it is no longer necessary to have intimate knowledge of the hardware at hand - the "discover" utility is able to auto-detect all common hardware. This, together with a much simplified package selection menu (as opposed to the archaic and unintuitive "dselect"), greatly simplifies the installation procedure. Bonzai Linux can be used both as a stand-alone distribution based on Debian Woody (but with the latest KDE) and as a more user-friendly Debian installer.

Adamantix and Bonzai Linux are specialist distributions, each suitable for a particular task or solving a particular problem. If some day you require a security solution for your Debian installation, take a close look at Adamantix, and if you need an easy-to-install Debian system, Bonzai Linux might be just the right tool for the job.




Copyright © 2003, Eklektix, Inc.