[vox-tech] Security in Space!! [was digest post reply]

Brian Lavender brian at brie.com
Mon Dec 20 09:32:49 PST 2010


On Mon, Dec 20, 2010 at 09:02:01AM -0800, Nicole Carlson wrote:
> On Fri, Dec 17, 2010 at 12:00 PM,  <vox-tech-request at lists.lugod.org> wrote:
> > Message: 2
> > Date: Fri, 17 Dec 2010 11:28:04 -0800
> > From: Bill Broadley <bill at broadley.org>
> > Subject: Re: [vox-tech] Secure kernel panic
> > To: vox-tech at lists.lugod.org
> > Message-ID: <4D0BB9C4.7090209 at broadley.org>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > On 12/17/2010 09:39 AM, Nicole Carlson wrote:
> >> Hello, beautiful people!  How I have missed you.
> >>
> >> A question for your enormous brains.  Suppose that the kernel panics.
> >> Further suppose that I do NOT want it to dump core.
> >
> > I don't believe it's the default.  Are you worried about it dumping core
> > without you asking?  Or are you worried that someone with physical access to
> > the machine could force it to dump core?
> 
> Not physical access--it's hanging out 25,000 miles up in the air--so
> much as information leakage.  The threat has to do with possibly
> classified information leaking out.  Suppose that our hypothetical
> Linux-running satellite processes classified information.  Now suppose
> that something makes its kernel panic.  My understanding is that when
> the core is dumped, including whatever possibly sensitive information
> is in memory at the time, it becomes readable to anyone who can snarf
> the coredump file and apply kernel debugging tools to it.  This would
> be bad.  The easiest way I can think of to stop this would be to stop
> the kernel from dumping core.

Uhm, you have to have a key in memory to read the data or in some register
and a decryption device. Say your device kernel panics. The network
stack will go away, correct? And then you won't have to worry? I assume
that the issue of physical security is not a big issue, correct? Not
too many people doing space walks, or are there? ;-) Or, is there
an adversary with a robotic arm somewhere?

Perhaps you could use SPARK/ADA and develop a fully verified correct
system that has a full a <-> b relationship, where b is always a secure
state and a is your functionality set, and not a -> b, as you
implied. SPARK has a full system verification process and a built-in
prover using Prolog to aid in verification, based upon annotations and
architectural limitations that you provide.

http://libre.adacore.com/libre/tools/spark-gpl-edition/

The Lego Mindstorm looks like an interesting project that could
provide the foundation you need.
http://libre.adacore.com/libre/tools/mindstorms/

Or, you can use TPM with Linux, where security is built into the hardware,
still be secure, and still take advantage of the versatility GNU/Linux
tools have to offer, which I believe will encrypt all data. Now, all
you have to worry about is managing your key. I haven't used TPM,
but as I understand it, encryption is built into the bus, or somewhere
in the underlying hardware, giving you security at the base level.

https://www.grounation.org/index.php?post/2008/07/04/8-how-to-use-a-tpm-with-linux

brian
-- 
Brian Lavender
http://www.brie.com/brian/

"Program testing can be used to show the presence of bugs, but never to
show their absence!"

Professor Edsger Dijkstra
1972 Turing award recipient

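Added example, not part of the original thread: a POSIX sh audit of the two dump paths the thread is worried about, written against the kernel interfaces that exist today (kernel.kexec_load_disabled arrived in Linux 3.15, after this 2010 post). The point it makes is that a panicking kernel writes nothing by itself: the memory image is written by a second, kdump crash kernel that was loaded beforehand with kexec into memory reserved by crashkernel=, so that is the path to check and close; kernel.core_pattern and fs.suid_dumpable only govern user-space process cores. The ROOT prefix and the file name dumpaudit.sh are assumptions made so the functions can be exercised offline on a constructed directory tree as well as on a live host.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post): audit the
# two ways a Linux host can write memory to disk after a failure, and lock
# both down. Relies only on documented kernel interfaces:
#   /proc/cmdline                          crashkernel= reserves memory for kdump
#   /sys/kernel/kexec_crash_loaded         1 when a kexec crash kernel is loaded
#   /proc/sys/kernel/kexec_load_disabled   1 blocks further kexec loads (one-way)
#   /proc/sys/fs/suid_dumpable             0 = no cores from privileged processes
#   /proc/sys/kernel/core_pattern          where process cores go; "|prog" pipes them
# A panicking kernel writes nothing on its own; the dump is written by the crash
# kernel, so the first three entries are what matter for the panic case.
#
# ROOT is an assumed prefix so the same functions run on a constructed tree
# (for offline testing) and on the live host (ROOT unset, run as root).
ROOT="${ROOT:-}"

# read_or_default FILE DEFAULT: first line of FILE, or DEFAULT if unreadable.
read_or_default() {
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

# crash_kernel_reserved: returns 0 if crashkernel= is on the boot command line.
crash_kernel_reserved() {
    cmdline=$(read_or_default "$ROOT/proc/cmdline" "")
    case " $cmdline " in
        *" crashkernel="*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# crash_kernel_loaded: returns 0 if a kexec crash kernel is loaded right now.
crash_kernel_loaded() {
    [ "$(read_or_default "$ROOT/sys/kernel/kexec_crash_loaded" 0)" = "1" ]
}

# audit_dump_paths: print one line per way a dump could still be produced.
# Pipe to `wc -l` for a count; an empty report means no dump path was found.
audit_dump_paths() {
    if crash_kernel_reserved; then
        echo "crashkernel= memory reserved on the boot command line"
    fi
    if crash_kernel_loaded; then
        echo "kexec crash kernel loaded: a panic will hand memory to kdump"
    fi
    if [ "$(read_or_default "$ROOT/proc/sys/kernel/kexec_load_disabled" 0)" != "1" ]; then
        echo "kexec_load_disabled=0: a crash kernel can still be loaded later"
    fi
    if [ "$(read_or_default "$ROOT/proc/sys/fs/suid_dumpable" 0)" != "0" ]; then
        echo "fs.suid_dumpable != 0: privileged processes may dump core"
    fi
    pattern=$(read_or_default "$ROOT/proc/sys/kernel/core_pattern" core)
    case "$pattern" in
        "|/bin/false"*|/dev/null) ;;   # cores are discarded
        *) echo "core_pattern=$pattern: process cores can be written" ;;
    esac
}

# lock_down_dump_paths: close the paths that can be closed at run time.
# An already-loaded crash kernel must be unloaded first (kexec -p -u on the
# live host); kexec_load_disabled then keeps it from being reloaded until reboot.
lock_down_dump_paths() {
    printf '1\n' > "$ROOT/proc/sys/kernel/kexec_load_disabled"
    printf '0\n' > "$ROOT/proc/sys/fs/suid_dumpable"
    printf '|/bin/false\n' > "$ROOT/proc/sys/kernel/core_pattern"
}

# Usage on a live host, as root (dumpaudit.sh is an assumed file name):
#   sh dumpaudit.sh audit        report every remaining dump path
#   sh dumpaudit.sh lockdown     close what can be closed, then re-audit
case "${1:-}" in
    audit)    audit_dump_paths ;;
    lockdown) lock_down_dump_paths && audit_dump_paths ;;
esac
```

On a live host run the audit as root with ROOT unset. If it reports a loaded crash kernel, unload it with `kexec -p -u` before calling lock_down_dump_paths, because kexec_load_disabled only refuses new loads. Disabling the distribution's kdump service (kdump on RHEL-derived systems, kdump-tools on Debian) and removing crashkernel= from the boot command line make the change survive a reboot; a hard `core 0` entry in /etc/security/limits.conf covers RLIMIT_CORE, which no /proc file exposes.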
