L4Linux under Fiasco.oc compared to grsecurity

Discuss and suggest new grsecurity features

Moderators: spender, PaX Team

L4Linux under Fiasco.oc compared to grsecurity

Postby konst » Thu Jan 13, 2011 5:14 am

Although I haven't installed or tried it yet compiling L4Linux/Fiasco.oc microkernel based OS, what do you think of the security of it? Does grsec work on it? I assume it's obviously needed for the l4linux paravirtualized kernel. But beyond thet paravirtualized kernel environment, in the fiasco.oc OS proper is the security comparable to grsec on the linux/environment?

Monolithic kernels are so last century.

Some more info on L4Linux and Fiasco.oc
L4Linux running on top of the Fiasco.oc (L4) microkernel http://os.inf.tu-dresden.de/L4/LinuxOnL4

The Fiasco.oc microkernel http://os.inf.tu-dresden.de/fiasco

And here is a formally verified secure microkernel http://ertos.org/research/sel4
konst
 
Posts: 21
Joined: Fri Jul 10, 2009 8:23 am

Re: L4Linux under Fiasco.oc compared to grsecurity

Postby spender » Thu Jan 13, 2011 10:47 am

Last time it was GNU Hurd ;) Why don't you try it out and report back with a writeup about the experience?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: L4Linux under Fiasco.oc compared to grsecurity

Postby konst » Thu Jan 13, 2011 6:34 pm

spender wrote:Last time it was GNU Hurd ;) Why don't you try it out and report back with a writeup about the experience?

-Brad


I will when I have time. I found that you do need grsecurity within the virtualized L4Linux environment.

Furthermore the NOVA microhypervisor seems to be the way to go for a more secure system (pdf file) http://os.inf.tu-dresden.de/papers_ps/steinberg_eurosys2010.pdf
(from this page with good info on those microkernels and microhypervisors http://www.inf.tu-dresden.de/index.php?node_id=1429&ln=en )

The problem is I'm not a security expert (just a novice) so I was wondering if you have an opinion on how secure that approach is?
Within the virtualized L4Linux with grsecurity it should be the same as normal linux with grsecurity but what about the system outside that, i.e. the system running on top of the microkernel?
konst
 
Posts: 21
Joined: Fri Jul 10, 2009 8:23 am


Return to grsecurity development

cron