Friday, January 20, 2006

Project Eva

I've begun work on "Project Eva," a personal project to design a new, secure Linux distribution. This is not a typical distribution: it will be based on neither Red Hat, Gentoo, nor Debian GNU/Linux. Instead, I will be building from the ground up, using a package manager I'm designing and coding myself in a project called "Project Coon Fox."

Project Eva will not be a simple hack-up job of packaging up the Hardened Gentoo or Adamantix efforts in another form and shipping them out. Instead, Project Eva will use a kernel designed and built specifically for Project Eva.

New kernel modifications will be designed from scratch based on the documentation, code, and conceptual efforts that manifest as PaX, GrSecurity, OpenBSD, and Red Hat. The most useful, most secure designs possible will be implemented based on the existing efforts. These new implementations will tightly integrate with the kernel, and will target mainline inclusion.

Our integration scheme is to treat program execution without enhancements such as address space layout randomization or data/code separation as privileged, and grant that privilege system-wide. Various systems to restrict or decline these "privileges" will be put in place, including robust LSM hooks and SELinux policy enhancements. Further, various levels of restriction will be allowed, giving fine-grained control over things some programs are temperamental about, such as the amount of entropy in, and the general layout of, a randomized address space.

Project Eva will be based around the output of Project Coon Fox, my packager project. Project Coon Fox uses its own install scripts on an extensible scripting engine, allowing a complete audit of all actions to be generated before any system changes are made. Simple heuristics can then flag dangerous operations, such as changes to file associations; SUID and SGID bits; SELinux policies that grant permissions outside the default system policy; or changes to start-up scripts.

The heuristics in Project Coon Fox can also be designed to hard-deny certain operations, such as granting modification access to /bin or allowing alteration of security policies, things only the package manager should control. By properly utilizing these types of controls, installed trojan programs (viruses, spyware) can be easily uninstalled without potential to replicate across the system; infections can only affect users who ran the installed trojans.

Project Coon Fox also drops package-for-package dependency and conflict schemes in favour of a more robust system, similar to autopackage, allowing easier download-and-install options from foreign sources. With proper security policies, this becomes somewhat safe; with basic use of the simplified auditing interfaces, this becomes mostly safe. Installation of spyware becomes easily recognizable, e.g. unexpected added security-policy privileges and SUID bits; and stripping of these privileges can be undone if the program fails to work properly and can be confirmed safe (by a quick Google).
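As an added illustration of the pre-install audit described in the three paragraphs above (flagging privilege-bearing changes, hard-denying changes only the packager should control, and stripping flagged privileges in a way that can be undone), here is a small Python model. It is not Project Coon Fox code: the `Action` shape, the rule tables, the verdict names and the sample plan are all assumptions constructed for this example, since the real install-script format is not described here.

```python
import stat
from dataclasses import dataclass, replace

# One planned action from an install script. The field layout is an
# assumption for this example, not Coon Fox's real script format.
@dataclass(frozen=True)
class Action:
    op: str           # install | chmod | remove | assoc | policy_add | policy_modify
    path: str = ""    # filesystem path the action touches, if any
    mode: int = 0     # permission bits for install/chmod
    detail: str = ""  # free text: MIME mapping, policy rule, ...

# Directories only the package manager itself should control.
PROTECTED_DIRS = ("/bin", "/sbin", "/lib")
# Places where a change buys persistence at boot or login.
STARTUP_DIRS = ("/etc/init.d", "/etc/rc.d", "/etc/profile.d", "/etc/cron.d")
SETID_BITS = stat.S_ISUID | stat.S_ISGID
SHARED_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _under(path: str, roots) -> bool:
    return any(path == r or path.startswith(r + "/") for r in roots)


def classify(a: Action):
    """Return ('deny' | 'flag' | 'allow', reason) for one planned action."""
    # Hard-deny: handing out write access to the core system tree, or
    # altering an existing security policy.
    if a.op == "chmod" and _under(a.path, PROTECTED_DIRS) and a.mode & SHARED_WRITE:
        return "deny", "grants write access under a protected directory"
    if a.op == "policy_modify":
        return "deny", "alters an existing security policy"
    # Flag for review: privilege-bearing or persistence-related changes.
    if a.op in ("install", "chmod") and a.mode & SETID_BITS:
        return "flag", "sets SUID/SGID bit"
    if a.op == "policy_add":
        return "flag", "adds permissions beyond the default system policy"
    if a.op == "assoc":
        return "flag", "changes a file association"
    if a.op in ("install", "chmod", "remove") and _under(a.path, STARTUP_DIRS):
        return "flag", "touches a start-up script"
    return "allow", ""


def audit(actions):
    """Full audit report, produced before any change is made."""
    return [(a, *classify(a)) for a in actions]


def installable(report) -> bool:
    return not any(verdict == "deny" for _, verdict, _ in report)


def strip_privileges(actions):
    """Remove flagged privileges so the package installs without them.

    Returns (sanitized, removed); `removed` holds the original actions so
    the privileges can be restored later if the program is confirmed safe.
    Refuses plans containing a hard-denied action.
    """
    sanitized, removed = [], []
    for a in actions:
        verdict, reason = classify(a)
        if verdict == "deny":
            raise ValueError(f"plan contains a denied action: {a} ({reason})")
        if verdict == "allow":
            sanitized.append(a)
        elif a.op in ("install", "chmod") and a.mode & SETID_BITS:
            # Keep the file, but drop the set-id bits.
            sanitized.append(replace(a, mode=a.mode & ~SETID_BITS))
            removed.append(a)
        else:
            removed.append(a)
    return sanitized, removed


# Constructed sample plan for a fictional package "foo"; not a real package.
SAMPLE_PLAN = [
    Action("install", "/usr/bin/foo", 0o755),
    Action("install", "/usr/bin/foo-helper", 0o4755),           # SUID root helper
    Action("install", "/etc/init.d/foo", 0o755),                # boot persistence
    Action("assoc", detail="application/x-foo -> /usr/bin/foo"),
    Action("policy_add", detail="allow foo_t shadow_t:file read"),
    Action("chmod", "/bin", 0o777),                             # world-writable /bin
]

if __name__ == "__main__":
    report = audit(SAMPLE_PLAN)
    for action, verdict, reason in report:
        print(f"{verdict:5} {action.op:13} {action.path or action.detail}  {reason}")
    print("installable:", installable(report))
```

Run as a script it prints one verdict line per action and reports the plan as not installable because of the `chmod /bin` entry; dropping that entry and calling `strip_privileges` yields a plan with the SUID bit cleared and the start-up script, association and policy additions held back for later review.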

The founding principles of Project Eva are as follows: Security increases productivity; C is secure; and security is cheap to implement. Today's so-called security experts will immediately choke on any of these and begin a long and pointless speech about how every one of these conflicts with everything we know; I have to do this, because nobody else can.

See you in a few years, with the finished product.