By Jake Edge
December 15, 2010
There are any number of organizations that have a need for a security-oriented OS that can be freely used on computers at coffee shops, hotels, and the like. The US Department of Defense (DoD) is one such organization and it has put together Lightweight Portable Security (LPS), a live CD (or USB stick) Linux distribution, for use by its employees to access the web—or their desktop remotely. While the technology behind LPS is not particularly noteworthy, though it does have some interesting features, it is noteworthy that DoD chose Linux to deliver this kind of solution. Perhaps that shouldn't be surprising either, though, as the proprietary OS vendors don't really offer any way to customize their systems to anywhere near the extent that Linux does.
LPS was developed as part of the DoD's Software Protection Initiative (SPI),
which is run by the Air Force Research Laboratory (AFRL). SPI's mission is to
"marginalize a nation-state class threat's ability to steal and
exploit critical DoD intellectual property found in application software
(executables, source, and associated data)." While LPS will
certainly help with that mission, it doesn't seem anywhere near hardened
enough to fend off nation-state class threats.
The distribution is available as ISO files in either of two "public"
editions: standard or deluxe. The deluxe edition simply adds OpenOffice.org
and roughly doubles the size of the release. The existence of a public
version would seem to imply that there are less-public versions of
LPS—one of those may be the LPS Remote Access
Edition, which doesn't come with download links and instead has a way
to request custom versions.
Version 1.1.1 of LPS was released on November 15 and can be burned onto a
CD directly. In addition, bootable USB sticks can be created, but only (easily)
under Windows.
When booting into LPS, one is greeted by a screen with badges for the three
organizations responsible and a progress bar. After that, a window pops up
that gives three choices: read the user agreement, agree to it and
continue, or reject it and reboot. The agreement itself notes that the
software is governed by the GPL and disclaims any
warranty. While it is not unheard of for Linux distributions to have a
click-through license, it is a bit strange.
Once the agreement has been accepted, LPS loads an IceWM desktop,
which prominently features those three badges again, along with icons for a
number of applications (e.g. Firefox, OpenOffice.org, Documentation,
Xterm). The layout is fairly Windows-like, presumably so that it doesn't
scare off the target users. There are also menu entries for things like
SSH, Citrix, and Microsoft remote desktop clients.
Once you start poking around in LPS, though, some questionable things jump
out. Starting the Xterm gives a root BusyBox shell for example, and a
simple ps shows that everything runs as root. That includes
Firefox, IceWM, the wicd network manager, and so on. One of the features
of LPS is that it doesn't mount the local disks of the system, but that is
trivial to work around with mount.
If LPS is started from CD, making persistent changes to it is not possible, but part of the idea is to isolate the data on the local disks from internet-based attacks. For public computers in hotels or elsewhere, there may not be anything of interest on the local disks, but if users are booting LPS on their home systems or laptops, that assumption may not have much merit. Given that everything runs as root, and the local disks are accessible, whatever OS is installed locally could be subverted.
For USB-based LPS systems, the situation is even worse. Though the USB
stick isn't mounted by default after LPS boots, it certainly can be. The
LPS user's guide [PDF]
notes that removing and re-inserting the USB stick will mount it, though
malware could also mount it directly. That would allow LPS itself
to be persistently modified.
There are some warnings that might alleviate some of these problems. It is recommended that a separate USB stick be used for data, for example. In addition, there are suggestions that LPS be rebooted before making any "sensitive" transactions—and after visiting dodgy web sites. It seems a little unlikely that users will actually follow those instructions, either because they forget or due to the annoyance of a fairly lengthy boot time.
It is a fairly old kernel that LPS uses (2.6.27), but it has been updated to one of the more recent—but not the most recent as of November 15—stable versions (2.6.27.53) based on the uname string. Whether there have been any patches applied on top of that kernel is difficult to determine as there is no source code provided—at least in any obvious location.
A query about the source location was answered by Rich Kutter of the AFRL
who said that LPS is based on Thinstation 2.2.2 with only minimal
modifications. A change to the OpenSC smart card
libraries/utilities to better support the DoD
Common Access Card (CAC) is the only substantive change. He said
that the code for that change will be placed in the ISO image for the
next release due later in December. But that doesn't satisfy the GPL
requirements, as the full source needs to be made available, which is
something they are planning to do, he said.
It would seem that SELinux has not been enabled for LPS, which may not be a huge surprise for a, supposedly, read-only system. It is, however, another US government security solution for Linux, and could have been used to sandbox Firefox and its Flash plugin for example (though just running them as non-root would be a good start). Overall, one gets the feeling that the folks behind LPS may be working in something of a vacuum, and not fully considering all of the threats that LPS might face. Perhaps part of the reason there is a public version is to get that kind of feedback.
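As an added illustration (example code written for this review, not part of LPS or of the article), here is a short audit script that checks a running live session for the three points raised above: which processes run as root, whether any local disk has been mounted, and whether SELinux is enforcing. The /proc and /proc/mounts samples embedded in it are constructed so the checks can be exercised offline.

```python
# Added example, not from the article or LPS: audit a live session for the issues
# raised above (everything running as root, local disks mounted, SELinux absent).
import glob
import os

# Constructed samples: abridged /proc/<pid>/status by pid, and a /proc/mounts
# listing in which a local disk has been mounted.
SAMPLE_STATUS = {
    1: "Name:\tinit\nUid:\t0\t0\t0\t0\n",
    412: "Name:\tfirefox\nUid:\t0\t0\t0\t0\n",
    413: "Name:\ticewm\nUid:\t0\t0\t0\t0\n",
    500: "Name:\tdbus-daemon\nUid:\t81\t81\t81\t81\n",
}
SAMPLE_MOUNTS = ("rootfs / rootfs rw 0 0\nproc /proc proc rw 0 0\n"
                 "/dev/sda1 /mnt/sda1 ext3 rw 0 0\ntmpfs /tmp tmpfs rw 0 0\n")

def root_processes(status_by_pid):
    """Names of processes whose real UID is 0, parsed from status text."""
    names = []
    for pid, text in status_by_pid.items():
        fields = dict(ln.split(":\t", 1) for ln in text.splitlines() if ":\t" in ln)
        if fields.get("Uid", "").split()[:1] == ["0"]:
            names.append(fields.get("Name", str(pid)).strip())
    return sorted(names)

def mounted_local_disks(mounts_text):
    """Mount sources that are local block devices (disks, USB sticks)."""
    prefixes = ("/dev/sd", "/dev/hd", "/dev/mmcblk", "/dev/nvme")
    sources = [line.split()[0] for line in mounts_text.splitlines() if line.strip()]
    return sorted({s for s in sources if s.startswith(prefixes)})

def selinux_mode(enforce_contents):
    """Map /sys/fs/selinux/enforce contents (None when absent) to a mode name."""
    if enforce_contents is None:
        return "disabled"
    return "enforcing" if enforce_contents.strip() == "1" else "permissive"

def read_live_status():
    # Collect /proc/<pid>/status for every process; skip ones that exit meanwhile.
    result = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            result[int(path.split("/")[2])] = open(path).read()
        except OSError:
            pass
    return result

if __name__ == "__main__":
    print("root processes:", root_processes(read_live_status()))
    print("local disks mounted:", mounted_local_disks(open("/proc/mounts").read()))
    enforce = "/sys/fs/selinux/enforce"
    print("selinux:", selinux_mode(open(enforce).read() if os.path.exists(enforce) else None))
```

On a stock LPS session as described above, the expected findings are a long root list, an empty disk list until something runs mount, and "disabled" for SELinux.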
There are some specific additions to LPS for DoD users, including support
for CAC and Personal
Identity Verification smart cards. Evidently, there are some web sites
that are only available to folks that have those cards and an available USB
smart card reader, so Firefox has been configured to do that kind of
verification.
There is also an Encryption
Wizard that allows for Advanced Encryption Standard (AES) encryption
and decryption of files. The Java-based wizard has also been turned into a
Firefox plugin so that web-based email (e.g. Yahoo, Gmail, Outlook Web
Access) can be encrypted.
Overall, LPS is perfectly usable—if painfully slow for unknown
reasons on a not underpowered laptop—for web surfing and document
creation. It has a very limited set of applications, presumably by design,
and no way to add any new ones. If you need GIMP or Thunderbird, it would
seem that you are simply out of luck. Once the source code for building
the distribution is available, one could presumably build their own
derivative with additional applications, but that is difficult to do at the
moment.
While it seems dubious that LPS would thwart a targeted attack from a
nation-state-sized attacker, that is probably also true of most or all Linux
distributions. But there is clearly more that could be done to harden LPS
against less targeted, or less deep-pocketed, attackers. LPS may give the
impression of being more secure than it actually is because of where it
comes from, and that is a bit worrisome. Given that there are entities
actively trying to access classified information—either for espionage
or posting on Wikileaks—LPS only provides a partial solution to
those problems.