DARPA to Fund Open Source Security Research

divert writes "Just got an email on the SEC-PROG mailing list that DARPA is looking to fund security research for open source operating systems." Maybe someone should just tell them about OpenBSD, save some time and money.
  • by Anonymous Coward
    Maybe someone should just tell them about OpenBSD, save some time and money.

    This is sooo arrogant, I'm disgusted. Dude, you're talking about DARPA. They funded the development of The Internet. Were it not for them this site wouldn't exist.

  • And why exactly do you need a full featured Unix system to run a firewall?

    There are environments where you need performance and security. This is especially true of supercomputing environments where different people with different security levels all have access to the same physical machine(s).

    Just because you have a firewall, doesn't mean you aren't prone to attack. You are certainly less likely to be attacked from the outside world, but who said the attack had to come from the outside world?

    If you have a person with physical access to a machine you are trying to secure, it should still be extremely difficult for the person to gain entry into it.
  • DARPA, like anything else governmental, is inherently political. While they have to frame these proposals as public processes, the fact is, if you weren't working on this proposal months ago, well before it was first published, you don't have a chance. I'll guarantee you that there are already 5-10 different labs working on the problem, who have already extensively discussed the DARPA program manager's expectations (most likely with the program manager or the program manager's close colleagues).

    Yes, it's a very inbred, good-ol-boys type of process, but that's life in military research...
  • ... it is by standing on the shoulders of Giants." --Newton to Hooke, 5 Feb. 1676

    *Real* research is about incremental improvements to the existing base of knowledge.
  • by Sabalon ( 1684 ) on Wednesday February 28, 2001 @12:57PM (#394483)
    2) System configuration and administration tools and methods

    That'd help.

    Sounds like they have some pretty high goals that require a lot of cooperation between various groups. I wonder how they intend to solicit that cooperation.

  • Namely, StackGuard [immunix.org] and several of the other Immunix [immunix.org] technologies were developed under DARPA grants.

  • "Who do you think put up the money to develop BSD in the first place? DARPA, of course."

    And let's also not forget a little startup that got its start from DARPA: Sun Microsystems.

  • Check out:

    www.lids.org [lids.org]

    I am running it on a test system and I am extremely impressed. It implements capabilities allowing you to assign least privilege so if someone gets root on the box they still can't do anything. No longer do you need to open yourself up to attack just because a program needs to bind to a low number port, for example. It's a huge boost to the security of any Linux system. This plus the standard techniques used to secure a box can really lock things down.

  • If DARPA could come up with a methodology that accelerated the pace of verification, they would be very useful to OpenBSD and other OS projects.

    I know just the methodology they need: get more people to do the code audit.

  • FYI: All the USPTO OCR stuff runs on Linux. There was a write-up a while ago in Linux Journal.
  • Actually, they can have bugs, but not in the security section (all code has bugs - 1st law of programming). However, Trusted Systems are designed to be trusted DESPITE errors / bugs.
  • At last someone who understands the difference between security and trust.

    I was at the last CHATS workshop and both OpenBSD and TrustedBSD were present, along with representatives from the Linux community and other open source projects as well as commercial vendors.

    While OpenBSD may be secure, it is not trusted and will never meet the requirements for a highly trusted system (LSPP/the old B1). This is because Theo's customers don't want it (as I recall it).

  • It has no SMP support for one thing.

    Why does this matter? Sure doesn't matter if you're running a firewall.

  • by JoeBuck ( 7947 ) on Wednesday February 28, 2001 @01:36PM (#394493) Homepage

    Who do you think put up the money to develop BSD in the first place? DARPA, of course.

  • Maybe someone should just tell them about OpenBSD, save some time and money.

    I've seen OpenBSD folks make a lot of claims, but I've never before seen one claim that all research into secure OSes should come to a halt now that it exists.

  • Not to mention if you read the farkin' BAA, you'd realize they were talking about something a little more sophisticated than TCP wrappers...!

    OBTW, DARPA funded the development of BSD as well.
  • by xyzzy ( 10685 ) on Wednesday February 28, 2001 @01:07PM (#394496) Homepage
    I wouldn't say that's the way they "usually" work. If you are a university or a non-profit, maybe. If not, you work under contract to them. If you are a small business or individual, you can get an SBIR contract.

    It's a lot easier if you affiliate yourself with a business or academic institution that already does business w/DARPA.
  • Right, please give the correct file permissions to do this:
    a) Accessing the net is fine, but setting up a server is not allowed (helps defeat trojans).
    b) Just for safety, my Napster client may only access MP3's on my harddisk. MP3's on my harddisk and the NFS share are accessible to everybody. The Napster client may not access any other file except for its configuration, etc.
    c) user joe may not run X, only console.
  • DARPA does do some interesting stuff. A lot of it has ended up with pretty wide utility. Take, for example, the Internet. That's right. If you didn't know already, DARPA is the organization that funded the development of TCP/IP and the earliest versions of the Internet. So, in a lot of ways, this is right up DARPA's alley. I wouldn't be surprised if there is still DARPA-funded code floating around in things like telnetd, sendmail, bind, etc.
  • I think the point is to push the state of the art ahead, not fiddle with existing systems. I mean your analogy is similar to "Would you rather take a bicycle or a skateboard to fly to the moon" instead of researching how to make rockets.

  • Well clearly unix.
    But that's not the choice.
    It's unix vs. writing a new os.
    New OS wins for me.
  • Yes, that's a real nice hack. I am talking about a practical approach, not a nasty add on hack.
  • Hm, you are quite silly.
    Read it again. Stop worshipping at the altar of unix.
    It is not perfect.

    Typing from a unix system... damn, still no IE beating browsers yet!
  • Well, this is another nice hack.
    Hacks to the unix security model are nothing new,
    and are also nothing interesting.
    Posix ACLs, privilege bits, online
    tripwire style things, ptrace abusers,
    are all pretty damn skanky.
    And I would prefer an elegant unix with
    lax security that I know the limits of,
    to a clunky add on laden unix with no
    real coherent security model.

    Of course, an OS that used a capability model
    would be better...
  • Yep, this is possible - look at qmail,
    to be secure, there are lots of user accounts.
    Each bit runs under a different one.

    Unfortunately, it's just a hack. To add users
    you need root access, ie ultimate boredom for root.
    Or package management nightmares with coordinating uids. Maybe this could be solved with a better PAM plugin.
    However, if you make a new user for
    every app automatic, kernel checks go
    like this:

    user = current_program->user;

    this could be:
    looking through a set of acls on a file.
    checking a privilege bit.
    checking if the uid is 0.

    in a cap based os:

    call(cap, arg1, arg2, ....)

    kernelspace call handler:

    dest = get_dest(cap);

    (dest can be kernel or user task)

    So in a cap based os the possession of a cap means you are allowed to do something. No funky checks.
    The checks are done in userspace (no kernel policy)
    when you are given the caps.

    so doing this in a unixy os would be drastically inefficient if it was done system wide.
  • Well, this is ok if all you are interested in
    is system security. Ie you don't want to get rooted.
    But to be honest, I don't trust most programs I run with my own files. I don't want the huge unaudited mozilla to be able to write to my thesis.
    That's where unix can not be fixed in an efficient way. You need to fundamentally break posix, unfortunately.
  • Ok.

    You seem to have got the userspace/kernelspace split mixed up with the root/normal user split.

    The first is a difference in memory mapping. When you are running a normal program, your own memory is mapped appropriately as some of readable, writable, and executable. The kernel is always mapped non readable, non writable, and non executable. When entering the kernel (e.g. system call, page fault, interrupt), the kernel memory is changed to be readable, writable, and executable.

    The second is how the kernel responds to system calls. When a system call is called, if it is a privileged operation, the kernel will perform a check to see if the program is allowed to do this.

    In old unix, this was often just a check to see if the uid in the process control structure was 0. In linux, it is usually a check of a privilege bit (evilly called capabilities by posix and linux). So different processes can have different sets of privileges.

    So, in unix, you su to root. This doesn't make you run in kernel mode. You are still running just like a normal user. The only difference is, when you do a system call, the kernel grants you a special privilege to bypass normal security checks.

    This is weirdo special casing. Not nice.

    In a capability system, a token is passed along with any other arguments to a system call. This token proves to the kernel that you are allowed to do the call you asked for. No weird special cases. No acl systems or even the concept of a "user" in the kernel.

    This can and is being implemented on x86. See eros - www.eros-os.org
  • by listen ( 20464 ) on Wednesday February 28, 2001 @01:06PM (#394507)
    OpenBSD is still based on the fallacy that affects unix and all clones. That you trust every program you run as much as you trust yourself. Ie security is done at a per account granularity.
    Any program you run can do anything to every file you have write access to, and can also leak information by default to anyone on the internet. Not good. This means a very large trusted code base, which is a bad thing. The set of code which need to be trusted (ie the kernel and very few programs) should be as small as possible.

    There are some approaches to improving security. Capability models look like the best hope for the future. This comment is too small to hold a reasonable explanation - take a look at http://www.eros-os.org [eros-os.org].

    Don't get me wrong, OpenBSD is a good firewall and general unix server platform, but its security model is limited by posix compliance.
  • by listen ( 20464 ) on Wednesday February 28, 2001 @01:25PM (#394508)
    Unfortunately, whilst unix does kick ass in many respects, there are a few deficiencies when it comes to security. Here are a few that come to mind:

    1) All programs you run are trusted with all files you have access to.

    2) All programs are also given a default set of actions they can perform, eg open random connections to the internet. This is nice for leaking information. This can be ameliorated via so called posix capabilities. These are more properly called privilege bits as in VMS.

    3) Global filesystem. Everyone can see the filesystem. /tmp can leak a lot of information.
    Chroot may help. Plan 9 style namespaces are better too. Better would be to take the human namespace out of the kernel and only give it to programs that need it.

    probably lots of other things. Basically unix was designed when everything you ran on your computer was written by yourself or someone you knew and trusted. And then commercial unix just got featuritis. It would probably not be good to declare it the one true operating system.
  • As an ex-contractor at the USPTO, I can tell you, they are much more technologically on the ball than they are given credit for. 100mb to the desktop, oc-12's between buildings, multiple redundant internet connections, and with the exception of some old sun systems, they run hp-ux exclusively for their major systems. They are also doing extensive work on building a PKI system, to enable inventors to file and conduct all related transactions online. I'm not saying they are the most open-source friendly, but they DO have quite a setup.
    /. poster #104543567
  • by jcr ( 53032 )
    The submission deadline was two days ago.

    Incidentally, if we want secure OS's, it's long past time to give up on UNIX. EROS is the way to go.


  • I think that's a slightly inappropriate application of Brooks' assertion, as auditing code is a bit different from working on a team programming project.

    The former is a task easily done in parallel with little or no intra-personnel communication. The latter is something which, as Brooks points out, requires more intra-personnel communication as more personnel are added, until the marginal gain in productivity turns into a loss.

  • At what point do you open that bag of bad weed?

    You sound like a Windows user who just does not have a clue about what a real operating system should be like, and YES I do realize that you are little troll who just learned just what the Internet is!!!!

    One part of trusted is that a system _MUST NOT_ have any underlying bugs. Don't forget that and just go away.
  • I'd love to know what interest DARPA had in BSD with the exception of funding a network stack for 4.2BSD.

    They wanted a UNIX. They wanted TCP/IP. They happened to use Berkeley- that's quite different from generally "funding BSD development"


  • For those of you suggesting that EROS may be the way for DARPA to go, you may be on to something.

    Note this statement on the EROS website [eros-os.org]:

    This research was
    supported by DARPA under Contracts #N66001-96-C-852, #MDA972-95-1-0013, and #DABT63-95-C-0073. Additional support was provided by the AT&T Foundation, and the Hewlett-Packard, Tandem Computer, and Intel Corporations.

    Guess that either means that DARPA's gonna funnel more money into EROS, or that EROS wasn't up to some standard, and they're looking for a replacement.

  • Yes and no. The yes part is this: if you haven't been working on your proposal for a few weeks now, you don't stand a chance in hell of getting funded. Also, DARPA is indeed something of a clique.

    The no part is that you don't have to have a months-long lead. In fact, the CHATS BAA came out only a few weeks ago. I could tell you the exact date if I weren't too lazy to check my mail logs.

    DARPA projects tend to be big, on the order of $500K per year. That means that they expect an effort that involves several people. It also means that they expect fully thought out stuff.

    (How do I know? I've participated in lots of DARPA submissions and research projects. I was involved in two potential responses to CHATS, one of which we dropped because we didn't like our own idea. I withdrew from the other because of reasons mildly related to the issue under discussion, mainly that if you get more than $50K per year from DARPA, you have to file a lot of paperwork that my college isn't set up to produce.)

  • i agree trustedbsd is probably more up their alley, maybe they will be interested in porting the trustedbsd changes to openbsd, since the method the two took towards being secure is different.
  • I love Linux just as much as anybody else (Hell, I'm the admin of more than 20 boxes where I work) but this kind of thing is just a no-brainer. Open Source software has the most vulnerable system model available.

    Hold on, don't flame me yet. Open Source has the most vulnerable model available, yes. Anybody who knows how to code can put anything they want into the code. Exploits should be abundant, right?

    Of course, we all know that there are no exploits for Linux, and dozens of them for Windoze. But what does this mean? I believe that it means Linux has such a great backing in the community that people are watching over each other.

    But what happens when some malicious person decides to screw with the code? That's right. Disaster. It's on the horizon. Linux has only been around a few years, and it's long overdue for hackers to install some exploits. I admire DARPA for putting money into this boiling pot, and hope that they can defuse the problem before it gets out of hand. Because once Linux has been shown to be unstable and vulnerable (security wise) then Slashdot is no more...

    That's just the way it is

  • Why don't they just use the NSA's secure Linux?
  • Some of these things have been looked at. One reference of particular interest is McIlroy and Reeds' Ix Multilevel Secure Operating System. The papers are at Bell Labs (bottom of page).
  • Claims of Linux stability and scalability fall apart rather quickly when its #1 advocacy site is constantly failing,

    What basis do you make THIS claim?

    The 'byline' is "news for nerds, stuff that matters". Slashdot has a BSD section.

    What reasons do you have for thinking *THIS* site is the #1 advocacy site?
  • Actually, the FEMA project had more to do with using space imaging and other technology to locate areas of potential natural disasters and help people in those areas plan to avoid undue effects (ex: effect of Northridge quake in SoCal vs. effect of recent India quake).

    Dunno if they ever pursued the project further.

  • I'm sure that there are some people in DARPA who are at least as interested in developing cool new technologies as covering their asses.

    Absolutely true. I didn't mean to impugn the project managers at all. I actually reported directly to a project manager at the ISO, and he was astute at political infighting, but his overwhelming passion was the technology behind his project.

    No doubt about it - there are some very smart, very clearheaded people running projects at DARPA.

    I also agree with your analysis as to why they'd be delving into Open Source. Many of these program managers are military folks who came in through the military-industrial-govt merry-go-round, but many of them are also essentially hackers who pay attention to things like.. well.. Slashdot.

  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Wednesday February 28, 2001 @02:05PM (#394523) Homepage Journal
    I used to work as a technical consultant at DARPA. No, I'm not trying to say I was some kind of wizard, I was a lowly Technical Analyst assigned to a project in the ISO (Information Systems Office).

    DARPA is interested not in current technology, or even next-generation technology. Their mandate is to fund and evaluate what they call "high-risk, high-payoff" projects. They fully expect that most of their projects will fail to achieve their goals. However, they also realize that even those projects that fail will stimulate advances in other, sometimes unforeseen areas. Of course, those projects that succeed become the wonder-technologies of tomorrow.

    Another thing to keep in mind is that DARPA is a government agency, and as such has a mandate to disseminate their findings as far as possible within the federal government. I actually worked on a liaison project with FEMA, where we were trying to help kick-start FEMA's web-based emergency-mitigation effort.

    The secondary effect of this mandate to spread the wealth is that it's key for an agency's survival that they be known as the originators of the wealth. That is, when DARPA comes up with something, they sure as hell make sure that every other agency knows it came from DARPA. That way when the budget axe comes along, DARPA isn't first on the chopping block.

    So DARPA's desire to fund this project probably has a lot more to do with going beyond what's already been done, and taking the credit for it, than it has to do with acknowledging what's already out there.

  • The OpenBSD fellas can then write a proposal to modify OpenBSD so that it is a trusted system. This is what DARPA projects are all about.
  • The way DARPA usually works is on a grant basis. Those people qualified should get together (or stay separate) and write up a grant. DARPA isn't going to look for grantees. The potential grantees must go to DARPA (with a proposal).
  • What are you talking about. A bulk of the first-generation open source stuff out there was at least partially funded by DARPA. Get a clue. This is a great opportunity for those with open source experience to put forth a proposal that may fund them for a year or more.
  • by Carnage4Life ( 106069 ) on Wednesday February 28, 2001 @01:01PM (#394527) Homepage Journal
    Maybe someone should just tell them about OpenBSD, save some time and money.

    The DARPA program is called Composable High Assurance Trusted Systems (CHATS) which implies that they are interested in Trusted Systems [ncsc.mil] not systems that claim to be secure because a bunch of hackers allegedly have fixed all the buffer overflows. Being "secure" and being a trusted system are completely different things.

    Maybe michael meant to mention TrustedBSD [boardwatch.com] which is attempting to become certified as a Trusted System?

  • Uh, actually none of these statements are true.

    Next time you actually use a *nix system please type "man chmod"

  • You should know then that UNIX systems allow you to change the read/write/execute permissions on any file on the system, and since everything is a file you can use this to control who can use what devices. You can also manipulate the user whose permissions an executable will use to run.

    Granted, systems often come with stupid default permissions, but that's hardly a reason to write a new OS.

  • I have never seen a program that needs root privileges to run. There are many that default that way however. Take for example tcpdump: Typically it is run as root, but, this is only because it needs to be able to set the ethernet adapter to promiscuous mode (which by default can only be done by root). We can always change the permissions of eth0 to allow it to be put into promiscuous mode by another user if we want.

    The statement that there are only two levels of security is completely untrue. You can have as many levels of security as you have users and groups.

  • AtheOS [atheos.cx] (http://www.atheos.cx for the paranoid) is an open-source OS which seems to fit your requirements. While it is still under heavy development, it already supports preemptive multithreading, symmetric multiprocessing, protected memory, and, most importantly for you, a brand-new, fully integrated GUI with a companion BeOS-like C++ toolkit. It's hardly ready for prime time, but if you've got the skills, check it out and see what you can do to help.
  • The tools are available! RSRE Malvern now part of DERA (UK DARPA) released them some years ago as an open standard for static testing which is used world wide to verify critical systems. I assume it is on the Net but I can't find the URL.
  • You remark:
    Maybe someone should just tell them about OpenBSD, save some time and money.

    Remember that DARPA resources can promote development and improvements in operating systems. After all that is in part how BSD came into existence in the first place!

    Much of the OpenBSD code came about as a direct or indirect result of DARPA efforts (via CSRG and friends). A fair amount of BSD code DARPA helped fund found its way into the GNU and Linux efforts as well. If DARPA wants to fund more research and development let them!

  • If the research was Open Source, then the final product will not end up in the public domain.
    This is dead wrong. There is not, nor has there ever been, a conflict between public domain and open source. You are probably confusing it with the GNU (Lesser) Public License, which places the additional requirement of passing on source along with any binaries (or ensuring the availability and knowledge of the source).
  • I know this would be a hack, and not quite (understatement) as secure as a ground-up reimplementation, but:

    how much of a difference would it make to assign each executable its own "user" space - ie, executables have access to whatever the user has access to, so implement an interface framework to always run executables as their own user (unless directed otherwise by trusted real user)? this would seem to define another layer of security, with all the security checks already in place for users.

    next implement interface for users to run apps...

    could then a simple(?) tmp redirect to "user-app" space take care of the global tmp access problem as well?

    does any of this make sense?

  • Hah, I'd say it's pretty far from "Microsoft Works".

    Regards, Tommy
  • Government involvement in an open source development project would certainly do a lot to validate the license as a viable alternative to close source projects. DARPA is a pretty interesting group, though. After all, these are the guys who want to bring enhancing exo-armor to the military in a decade or so. Will other, more banal, branches of the government adopt open source soon? Will we see the IRS running their own financial oriented flavor of BSD or even more ironically, the USPTO running an opened source setup. Or are other sectors of the Federale already using open source?
  • You've got some good (but cynical) points about the overall structure of the agency, but you've left out one major piece. The program managers themselves have a responsibility to find new and interesting projects in their expertise that fulfill this "high-risk, high-payoff" goal. The desire to take credit is quite possibly the motivation of the political appointees at the top of the agency, and the reason why the program was approved and given funds. The proposal for the program itself probably came from some technically competent program manager who has interest in and knowledge of open source, and a desire to see what defense applications can come out of it.

    I'm sure that there are some people in DARPA who are at least as interested in developing cool new technologies as covering their asses.

    In the document itself, they even say that the primary goal of the program is to achieve "Revolutionary advances in the state-of-the-art [...] improving the security functionality, services, and assurance of existing open source operating systems." The question is whether the tens of millions of dollars that DARPA is going to spend will do as much good as the millions they spent trying to realize "distributed networking" did for what is now the internet. It probably won't, but it can't be a bad thing for the community, because it's not like they can buy open source and control the means of production of Free Software.

    One other thing that might be motivating this study is the increased worrying in the Pentagon about information warfare. They look around and realize that they don't have a fraction of the best hackers. If it comes down to a real war where the existence of the US is threatened, what are they going to do? They can't draft them and expect them to work, and they probably don't have the resources (human or legal -- as a government agency, the DoD is somewhat limited in what they can pay people) to go on an all-out recruiting binge. So how do you use some of the talent that is out there? Maybe you can get some help from what the best are doing for themselves.

    Care for a Spin?
  • That's a fault with the underlying hardware, not Unix itself.

    No, it's a problem with Unix. In Unix, root is god; he has complete control over the system. If root wants to read Joe Shmoe's files, bcc: all incoming and outgoing email to a computer in China, or rm -rf /, then that's what's going to happen. Any exploitable bug- not just buffer overruns but any other kind of problem like a tempfile that depends on user provided information- in a program that's running SUID will let an attacker turn himself into root (and then do anything he wants). This is a problem with the Unix security model, not with the processor architecture.

    With a more sophisticated privilege model- one that gave privileged programs only enough power to do what they need to do- a broken program would only allow the user to do the same kinds of things that the broken program did. A broken mail program would only let a user do things relevant to moving mail, and not read all the files in /home/jshmoe/private. A broken PPP program would only let you do things about ppp, not rewrite /etc/shadow. There would still be a few programs (like login authentication) truly critical to system security, and a bad program could still cause problems, but the situation wouldn't be as critical.
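
    The two check styles listen sketches earlier in the thread (a uid or privilege-bit lookup on the caller versus `call(cap, ...)` with `dest = get_dest(cap)`) and the least-privilege mail-program scenario in the comment above, as an added toy model in Python. This is illustrative code written for this discussion, not EROS or any real kernel; the `File`, `UnixKernel` and `CapKernel` names, the jshmoe paths and the token format are all invented for the example.

```python
"""Toy model of two kernel authorization styles: ambient authority (the
kernel inspects who the caller is: root, privilege bits, file mode) versus
capabilities (the caller presents an unforgeable token and the kernel only
resolves target and rights from it).  Illustrative, not a real kernel."""
from dataclasses import dataclass
import secrets


@dataclass
class File:
    owner: str
    mode: int          # Unix-style permission bits, e.g. 0o600
    data: str = ""

    # object methods reachable through a capability
    def read(self):
        return self.data

    def write(self, data):
        self.data = data
        return True


@dataclass
class UnixTask:
    uid: str           # every program the user runs carries the user's identity
    is_root: bool = False


class UnixKernel:
    """Authority is ambient: each syscall checks the caller's identity."""

    def __init__(self):
        self.files = {}

    def write(self, task, path, data):
        f = self.files[path]
        owner_ok = f.owner == task.uid and bool(f.mode & 0o200)
        world_ok = bool(f.mode & 0o002)
        if task.is_root or owner_ok or world_ok:   # the identity checks
            return f.write(data)
        return False


class CapKernel:
    """Authority is the token: the kernel has no notion of a 'user'."""

    def __init__(self):
        self._caps = {}    # token -> (object, rights); tokens are unguessable

    def mint(self, obj, rights):
        token = secrets.token_hex(16)
        self._caps[token] = (obj, frozenset(rights))
        return token

    def call(self, cap, op, *args):
        try:
            obj, rights = self._caps[cap]      # dest = get_dest(cap)
        except KeyError:
            raise PermissionError("invalid capability") from None
        if op not in rights:
            raise PermissionError(f"capability lacks {op}")
        return getattr(obj, op)(*args)


def unix_demo():
    """A compromised mail program running as jshmoe can blank the thesis."""
    k = UnixKernel()
    k.files["/home/jshmoe/thesis.tex"] = File("jshmoe", 0o600, "chapter 1")
    k.files["/var/mail/jshmoe"] = File("jshmoe", 0o600)
    mailer = UnixTask("jshmoe")    # same identity as the user who launched it
    k.write(mailer, "/var/mail/jshmoe", "new mail")
    trashed = k.write(mailer, "/home/jshmoe/thesis.tex", "")
    return {"thesis": k.files["/home/jshmoe/thesis.tex"].data, "trashed": trashed}


def cap_demo():
    """The same mail program, handed only a capability to the spool."""
    k = CapKernel()
    thesis = File("jshmoe", 0o600, "chapter 1")
    spool = File("jshmoe", 0o600)
    spool_rw = k.mint(spool, {"read", "write"})
    thesis_ro = k.mint(thesis, {"read"})
    # Policy lives in userspace: the user decides which tokens the mailer gets.
    k.call(spool_rw, "write", "new mail")
    outcome = {"spool": spool.read(), "thesis": thesis.read()}
    # Without a token the mailer cannot even name the thesis; guessing fails.
    try:
        k.call(secrets.token_hex(16), "write", "")
        outcome["forged"] = True
    except PermissionError:
        outcome["forged"] = False
    # A read-only token confers exactly read, nothing more.
    try:
        k.call(thesis_ro, "write", "")
        outcome["ro_write"] = True
    except PermissionError:
        outcome["ro_write"] = False
    return outcome
```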

  • The set of code which need to be trusted (ie the kernel and very few programs) should be as small as possible.

    There are some approaches to improving security. Capabilty models look like the best hope for the future.

    I'm not sure that I'd agree that capabilities are necessarily the best hope for the future. At the very least they have to overcome the obstacle that they require a substantial reorientation of people's views toward the way that operating systems behave. I'm not saying that we don't ultimately need to do so, just that it's a substantial obstacle.

    The real problem with the Unix model is that it utterly fails to implement any real least privilege system. Every program that needs any privileges not available to an ordinary user gets full root privilege, so that a single security crack in any SUID root program opens up the whole system. That's worse than just account level granularity. There's literally only two levels of operation, peon and god. It's a terrible security model, and only an outrageous level of code auditing has any hope of preserving anything like real world data security. That people have been willing to go as far as they have in auditing the code is commendable (and, of course, any system can benefit from the level of auditing that OBSD has instituted) but it's not a reliable route to high grade security.

  • Yes, I've often wondered what would make the perfect OS. Anyone have experiences with other non-Unix/non-ms OS's which have good features or concepts? For instance, there are many neat features in OS/400 (IBM's OS for AS/400 systems). Many people have a love/hate relationship with OS/400, but it has some nice ideas, like everything is an object, which can have permissions, properties, etc. And the interface is actually quite good despite being text-only -- you enter a command, and if you can't remember the switches and options, just hit F4 and they are all listed for you, and you can tab through them and change the ones you want. This would be a cool feature in Bash!!


  • Well, saying that DARPA "invented the Internet" is a bit like saying that Thomas Edison invented the Las Vegas strip. Sure, they funded the techies who built the first part of the network that was to become the Internet, but that's now a minuscule fraction of what people today call "The Net". They had nothing at all to do with the web, for example.
  • The article, to me, isn't very clear on what they're doing. It says they're "developing operating system technologies". Does this mean they're working on security modifications to Linux/BSD, or coming up with an entirely new OS?

    Personally, I think it would be ridiculous for them to write their own OS, since Linux/BSD, while they have their flaws, are already pretty well suited to what they're trying to do... the only reason I can see them writing their own is if they don't want anyone to have the code.

  • It's obviously not THE operating system, but given a choice between say Win2k and BSD for our own DoD, what would you pick?

  • This is what caught my eye in the solicitation:
    Proposers must submit an original and 4 copies of the full proposal and 8 electronic copies (i.e., 8 separate disks) of the full proposal (in Microsoft Word ?97 for IBM-compatible, PDF, Postscript, or ASCII format on one 3.5-inch floppy disk or one 100 MB Iomega Zip disk).
    I guess I now understand why these people talk about "removing information" when somebody copies it. I suppose the only way to get some information is by taking the physical media.

    Also notice the Microsoft character [fourmilab.ch] for apostrophe (looks like a question mark on my screen).

    Slashdot won't let me post that char literally (nice job), so I replaced it with a literal question mark.

  • BSD's not nearly as snappy an acronym as "CHATS," and the government loooooooooooooves snappy acronyms for their toys. ;)
  • They obviously didn't NAME it... ;)
  • Open Source has the most vulnerable model available, yes. Anybody who knows how to code can put anything they want into the code. Exploits should be abundant, right?

    Sorry to disagree, but I don't think this guy deserves to be modded back up. He is apparently one of these guys that thinks open source means a guy like myself can go change the official linux code, and no one will know. His post should be ignored and everyone should move along.

  • by LaNMaN2000 ( 173615 ) on Wednesday February 28, 2001 @12:57PM (#394549) Homepage
    The problem with OpenBSD is that it takes years to verify the security of new software releases and integrate them into the distro. Consequently, many of the included packages are old versions that have since been replaced. If DARPA could come up with a methodology that accelerated the pace of verification, they would be very useful to OpenBSD and other OS projects.
  • Problem 1:

    We can always change the permissions of eth0 to allow it to be put into promiscuous mode by another user if we want.

    Letting any user put the NIC into promisc mode isn't a security hazard?

    Problem 2:

    The statement that there are only two levels of security is completely untrue. You can have as many levels of security as you have users and groups.

    This is just wrong. Read up on ACLs, Capabilities, Mandatory Access Control, Auditing.

    Traditional UNIX environments have provided extremely limited expressiveness in file system permissions, limited to a single user (owner), a system administrator-defined group, and a set of rights defined for the remainder of users on the system. Access control lists allow for the fine-grained expression of discretionary rights associated with files and other system objects.

    (From trustedbsd.org [trustedbsd.org]).

    Here is a good intro to capabilities [eros-os.org].

    In a hundred-mile march,
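The trustedbsd.org paragraph quoted above says what ACLs add but not how the two checks differ mechanically. The following is an added example, not code from the thread, from TrustedBSD or from any OS: the classic owner/group/other decision and the POSIX.1e ACL decision (the acl(5) algorithm, mask included) written out in C and run against a constructed file. The uids 1000/1001/1002, the groups 100/200 and the ACL entries are all invented for the demonstration.

```c
/* Added example (not from the thread or trustedbsd.org): the access-check
 * rules behind the quoted paragraph, written out so the difference between
 * owner/group/other mode bits and a POSIX.1e-style ACL is concrete. The
 * file, users and groups below are constructed for the demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

/* The requesting process: effective uid/gid plus supplementary groups. */
struct subject { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

static bool in_groups(const struct subject *s, gid_t g)
{
    if (s->gid == g) return true;
    for (size_t i = 0; i < s->ngroups; i++)
        if (s->groups[i] == g) return true;
    return false;
}

/* Classic Unix: the first matching class decides. An owner is judged by the
 * owner bits alone, and everyone else shares one group entry and "other". */
bool mode_allows(uid_t owner, gid_t group, unsigned mode,
                 const struct subject *s, unsigned want)
{
    unsigned bits;
    if (s->uid == owner)          bits = (mode >> 6) & 7;
    else if (in_groups(s, group)) bits = (mode >> 3) & 7;
    else                          bits = mode & 7;
    return (bits & want) == want;
}

enum acl_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
struct acl_entry { enum acl_tag tag; unsigned id; unsigned perms; };

/* POSIX.1e ACL check (the acl(5) algorithm): owner entry, then a named-user
 * entry, then every matching group entry (any one that grants suffices),
 * then "other". Named-user and all group entries are capped by the mask. */
bool acl_allows(const struct acl_entry *acl, size_t n, uid_t owner, gid_t group,
                const struct subject *s, unsigned want)
{
    unsigned mask = 7, other = 0;
    bool in_a_group = false;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == ACL_MASK)  mask  = acl[i].perms;
        if (acl[i].tag == ACL_OTHER) other = acl[i].perms;
    }
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == ACL_USER_OBJ && s->uid == owner)
            return (acl[i].perms & want) == want;        /* owner: no mask */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == ACL_USER && acl[i].id == s->uid)
            return (acl[i].perms & mask & want) == want;
    for (size_t i = 0; i < n; i++) {
        bool match = (acl[i].tag == ACL_GROUP_OBJ && in_groups(s, group)) ||
                     (acl[i].tag == ACL_GROUP && in_groups(s, acl[i].id));
        if (!match) continue;
        in_a_group = true;
        if ((acl[i].perms & mask & want) == want) return true;
    }
    if (in_a_group) return false;      /* a group matched but did not grant */
    return (other & want) == want;
}

/* Constructed file: owner uid 1000, group 100, mode 0640, plus an ACL that
 * lets user 1001 read and group 200 do rwx, with a mask of rw-. */
#define OWNER    1000
#define GROUP_ID 100
#define MODE     0640
static const struct acl_entry report_acl[] = {
    { ACL_USER_OBJ, 0, PERM_R | PERM_W }, { ACL_USER, 1001, PERM_R },
    { ACL_GROUP_OBJ, 0, PERM_R },         { ACL_GROUP, 200, PERM_R | PERM_W | PERM_X },
    { ACL_MASK, 0, PERM_R | PERM_W },     { ACL_OTHER, 0, 0 },
};
#define N_ACL (sizeof report_acl / sizeof report_acl[0])

/* uid 1001, not in group 100: the mode bits fall through to "other" (nothing),
 * while the named-user entry grants read. Returns 1 when both hold. */
int scenario_named_user(void)
{
    struct subject s = { 1001, 500, NULL, 0 };
    return !mode_allows(OWNER, GROUP_ID, MODE, &s, PERM_R) &&
            acl_allows(report_acl, N_ACL, OWNER, GROUP_ID, &s, PERM_R);
}

/* uid 1002 via supplementary group 200: write is granted through the named
 * group, but execute is cut off by the mask even though the entry says rwx. */
int scenario_named_group(void)
{
    gid_t extra[] = { 200 };
    struct subject s = { 1002, 500, extra, 1 };
    return !mode_allows(OWNER, GROUP_ID, MODE, &s, PERM_W) &&
            acl_allows(report_acl, N_ACL, OWNER, GROUP_ID, &s, PERM_W) &&
           !acl_allows(report_acl, N_ACL, OWNER, GROUP_ID, &s, PERM_X);
}

int main(void)
{
    printf("named user gets read only via the ACL: %s\n", scenario_named_user() ? "yes" : "no");
    printf("named group gets write but not exec:   %s\n", scenario_named_group() ? "yes" : "no");
    return 0;
}
```

The point the two scenarios make is the one in the quote: with mode bits alone, anyone who is neither the owner nor in the one owning group is lumped into "other", so granting a second person read access means either widening "other" or reshuffling group membership; the ACL names that person directly, and the mask gives the administrator one knob that caps every named entry at once.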

  • by cheshire_cqx ( 175259 ) on Thursday March 01, 2001 @12:29AM (#394551) Homepage

    This is not the point. You basically have two permissions on Unix systems--users and root. In order to get certain things done, programs often need root privileges, which means they can do *anything*. It also means you can't have an 'audit' user who can monitor the system reliably. A bad admin who is root can cover her tracks because root can do anything. (I don't think a tripwire-type solution will work here.)

    All the files for one user are the same permission-wise. That means you can't jail certain progs to protect things. Groups don't help too much with this, and don't scale well.

    Bottom line--Unix has some great applications, especially with its network services. But it was *never* designed as a secure OS. Basically, some guys in a lab and some guys at universities built an OS to do things they wanted to do, working with other guys they trusted. Later some rudimentary security got added in, but this was not a basic element.

    Maybe, in fact, this is *why* Unix was/is popular--OS's with massive security models tend to suck to use because all that security has a usability tradeoff. Basically, you could get stuff done on Unix, and from time to time you'd figure out how to keep people from messing with the stuff you were working on after something bad happened.

    In a hundred-mile march,
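The "peon and god" complaint earlier in the thread and this post's point that root can do anything both come down to how long a program holds root. As an added example, not code from the thread, from OpenBSD or from any other project, this is the drop-and-verify pattern a setuid-root program can follow so that the privileged window is one operation wide. It assumes Linux/BSD setuid() semantics; the function name drop_privileges is mine.

```c
/* Added example (not from the thread): the least-privilege pattern a
 * setuid-root program should follow. Hold root only for the one step that
 * needs it, then drop to the invoking user permanently and prove the drop
 * took. Assumes Linux/BSD setuid() semantics. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to (uid, gid) irreversibly. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and the gid must go before the uid,
 * because once the uid is unprivileged those calls are no longer allowed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)                 /* "dropping" to root is a caller bug */
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                /* only root may clear supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)         /* from root this also resets the saved uid */
        return -1;
    /* Verify: regaining root must now fail, and every id must match. */
    if (setuid(0) != -1)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Stand-alone use: in a setuid-root binary getuid() is the invoking user,
 * so this drops back to whoever ran the program. Run unprivileged it is a
 * no-op that still exercises the verification. */
int main(void)
{
    /* ... the single privileged operation (e.g. opening a root-only
     * file or binding a low port) would be performed here, before the drop ... */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return EXIT_FAILURE;
    }
    printf("running as uid %u; root is gone for good\n", (unsigned)getuid());
    return EXIT_SUCCESS;
}
```

The verification step is the part most programs skip: a setuid() that silently fails leaves the process as root, which is exactly the "single crack opens the whole system" case. Refusing to run when the drop cannot be confirmed turns that into a visible failure instead.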

  • Maybe someone should just tell them about OpenBSD, save some time and money.

    There's never too much research.

  • Darpa has been funding OS research since the early 1970s. That's not the point of the article. The point, the interesting new thing, is that now some of the money might go to Open Source projects. Earlier funding led to technology that ended up in the public domain and was available for companies to take and incorporate into proprietary products (a process that Jim Allchin of Microsoft hopes will continue). If the research was Open Source, then the final product will not end up in the public domain. (This seems likely to provoke a court battle. Why should taxpayer funded research not end up in the public domain? What right does the government have to keep the copyright?)

    Ted Goranson, who has done research under Darpa grants, often laments that there has been amazingly little development in operating systems since the 1970s. The file systems of most of today's operating systems remain primitive and little changed from 30 years ago.

    Much research has been done and it has led to many good experimental technologies (file systems that work as databases, instead of being flat). However, these technologies are slow to be incorporated into commercial products, partly because those products labor under the need for backwards compatibility.

    Goranson remarked that some of the Darpa funded research on OSs was incorporated into the latest OS from Apple, but I'm not sure of the details.

  • If something is in the public domain then it's not Open Source. Open Source operates under some license, either GPL or GNU or any of a hundred other Open Source licenses that are floating around. Open Source software is copyrighted. Public domain is the opposite, it means no one owns the copyright. Open Source is the exact opposite of the public domain. To say otherwise is to render the phrase meaningless. Think about it. The phrase "Open Source" means the source remains open. If something is in the public domain and I take it and change it then my new version can be proprietary, I can charge money for it. It is not open, nor am I under any obligation to make it open. If Linux was in the public domain, rather than Open Source, then Microsoft could take it and sell their own version of it. They can't do that to Linux because Linux is not in the public domain, rather, someone owns the copyright.
  • So this is exactly the sort of thing Allchin had in mind when he was ranting about how Free software is un-American. In fact, he may have even gotten advance wind of this or parts of it. Thankfully he came out looking like a jackass ahead of time.
  • Good points. If this bothers you, you may find SUBTERFUGUE [subterfugue.org] interesting. It provides a means for you not to have to totally trust every program you run.

    (It runs under vanilla Linux 2.4 and a Debian package is available, but it is kind of slow and alpha.)


  • Didn't you ever read The Mythical Man Month? Adding more people to a project does not necessarily speed it up. Sometimes it even slows it down. Yes, more people doing code audits could audit more packages separately, but you have to take the time to train them all too.
  • "The DoD needs to develop focused technologies that support continued system operation in the presence of successful attacks, particularly addressing vulnerabilities and issues, which might arise in DoD's emerging network-centric warfare vision."

    This'll definitely be the wave of the future, I can hear it now:

    "Hello ladies and gentlemen and welcome to CounterStrike 2002: Judgement Day. I'm Al Michaels along with my lovely co-host Killcreek, who knows a thing or two about pointy weapons, err, I mean "pointing" weapons at people.
    Tonight's matchup will be Iraq, headed by the "Multikill" master Saddam Hussein versus that tenacious Colt wielding mastermind George W. Bush, who currently leads the United States in terrorist headshots. It's gonna be a winner take all brawl of the century!"

    Godlike killing sprees: The Linux Pimp [thelinuxpimp.com]

  • I want the sources of your Open Source OS. URL please!
  • AFAIK, most supercomputing environments have user accounts and they just execute the programs that they make, it's not like there is much data stored on one, it's usually just data to run whatever application that is slotted at the time. Plus most don't have internet access so even if you could gain root access you could fuck stuff up, and that would be easily traceable to you.
  • Nice try clown. DARPA invented the internet (it used to be ARPAnet).

  • If you have a credible record of publications and talks in security, cryptography, OS design, or related fields and you write a good proposal, I think there is a good chance that you will get funded. Of course, if you have any of that, you probably know the people funding and/or reviewing the DARPA proposals already, since DARPA tries to stay in touch with researchers in the fields they are interested in.

    Many people do research on reliability and repair costs before buying a new car and will be reluctant to buy a car from a company with no track record. Even VCs give money preferentially to people with track records (most of them won't even talk to you unless you have been referred--it isn't worth their time). If anything, DARPA seems a bit more open to new ideas and new people.

  • by q000921 ( 235076 ) on Wednesday February 28, 2001 @01:22PM (#394563)
    Incrementally improving an existing system that, one way or another, is perhaps more secure than the rest of the open source systems, isn't "research". Research is about inventing new principles and finding better ways of doing things.

    Perhaps some of this research will be done on top of one of the BSD platforms. Perhaps it will be done on Linux. Perhaps some of it will be completely platform independent. But no matter what it will be done on, there are more interesting research questions to ask about open source, secure operating systems, and heterogeneous environments than whether we can fix a few more bugs in BSD or Linux.

  • Of course, we all know that there are no exploits for Linux,

    I think that this is a bit of exaggeration.

  • Someone should most definitely inform them about openbsd, linux, beos, macintosh, plan 9, TRS-80, anything is better than what they have now...

    According to Netcraft [netcraft.com] that site is running IIS [netcraft.com]

  • Hmmm... I was not aware of this guy!

    This is neat stuff, and he looks like he is really onto something. The real trick is going to be getting enough 'market saturation' so that drivers and apps are ported to this.

    Star Office and Mozilla, being OS, are givens. The real trick, far down the line, is getting Adobe to do ports for their 'industry standard' (*sigh*) software to AtheOS. They *almost* committed for BeOS.
  • by Bonker ( 243350 ) on Wednesday February 28, 2001 @01:13PM (#394567)
    While the various *nix's and BSD's are most likely going to be the major targets of this research, what I'd really love to see come out of this is a new Open Source OS, ala BeOS, that was built on a GUI base and had shell functionality rather than the other way 'round. Not a lot of difference, you say? Sit Granny down in front of BeOS and a shell prompt and see which one she prefers. Gnome and GTK are a little better, but to make any real changes to the OS, you still have to drop down to shell-level controls. As a graphic artist, this is a bit of a dream of mine.... *sigh*... Of course, the problems here are that DARPA is going to be a lot more concerned with things like number-crunching, DB manipulation, and cryptography rather than pixel-pushing or artistic representation. There's also the fact that the vast majority of developers who are even moderately going to be interested in this project are going to be *nix hackers. Artistic skill and coding skill are often found in hackers, but for some reason, you seldom see them combined.
  • If anything the Open Source development model is more secure... any code to modify the official kernel and tools has to pass many different eyes and can be viewed by even more, almost any backdoor would be easily noticed before it was added to the development tree. In a closed source environment much fewer people need to see the code and, as proven with the "Netscape engineers are Weenies" backdoor for IIS, therefore deliberate backdoors can be placed easily into the code. This response is to what I THINK the poster is talking about, because by speaking about "installing exploits" I'm assuming he means backdoors in the code. The only other issue would be modifications to a system already in use and since this can only be done as root it's not really a big issue as to whether the system is open or closed. The truth of the matter is you can't trust software unless you can see the code, and even that should not be enough, precautions always must be taken but DARPA is on the right track... if they want security the only way they will ever truly have it is if they stick to open source software.
  • EVERYONE knows that security through obscurity is the best way to go... Hopefully if Microsoft gets its way, this silly waste of taxpayers' money will soon be illegal, so that they can, err, waste money on XP...
  • "U.S. Department of Defense (DoD) computer systems and networks are constantly under attack. Such attacks might potentially make systems unusable, degrade performance, lead commanders to make poor decisions due to faulty data, leak valuable secrets, or even leave behind code that could provide continuing back-door access or be activated on a predetermined event to take obstructive action."

    I'm sure on some level this is pretty obvious. However, I guess I've always considered script kiddies as pranksters rather than a threat to national security. Does this scare anyone else?

    "Sir, I'm scared."

  • Anyone that's played Metal Gear Solid knows that DARPA is in the leadership of someone evil... hehe
  • Instead of Flaming you, like a certain moderator would like to see, I'm going to give you a fair chance to run a quick logical exercise, kay?

    Initial Premise:
    I write a firewall that requires you to specify which ports should be open initially and how often to rotate them. It also allows you to block access of information, in-going and out-going, or IP's you don't specify. Then, I allow you to decide the level of access each net-accessing application and external IP may have to your system.*
    This is all done Raymond style, i.e. open source. Any script-kiddie and his uncle can stare at the source. By your conception, allowing this makes my firewall weak.
    Now, naturally, only a person with root privileges can make alterations to the entailment of the firewall, unless otherwise specified, right? That's obviously yes if you have ever used any firewall worth its weight in electrons.
    On top of that, we'll assume you were smart enough to download from MY site, not some third party site, which would put you at risk. You know that already, like most of us, and that's why you're at MY site.
    Nothing mentioned so far is abnormal, or even sufficiently outside the realm of what's expected of a super user, i.e. the ability to think.
    The script-kiddie knows of some really stupid flaw that I didn't think of, oy, well, that happens***. He/She will assume you will initialize ICQ/ICU on its normal port****. Why do you do that? Same reason you wrote this post to begin with. Anywho, they create a portal string through ICQ/ICU. You're not tracking the IP movement because of the pre-mentioned reason. Ditto for why you don't cut&rotate for additional IP-links. Now, how's this script-kiddie going to affect the firewall? He doesn't have the localhost IP or root privileges.
    You're thinking, "But he got inside, he can do stuff!" NO HE CAN'T!!! Where have you been!? He doesn't have root privileges! He has NO user privileges! THIS IS LINUX!**
    Well written, open-source software is more than secure enough*, especially on the right system**. Even if the software has a flaw***, a capable user can take extra precautions to increase its ability****.
    Hack your own box, but, whatever happens to you will no longer be my fault:P

    I will avoid saying, "Class dismissed," only because it's used AT LEAST once a week on Slashdot.

    Besides, I now have lots of time, because I'm on strike due to an anti-Semitic comment in, I think, The Mandrake article. As long as that's up, I have all sorts of extra time to kvetch and jibber. Actually, I'm thinking about making "Dotslash: The Crossfire of the Geeks" text adventure...well, slashdot-facade, but that's all; it'll be like that old Commodore 64 game "Portal" but less plot and more "Nonsense", see Jon's Humorix Toys at i-want-a-website.com/about-linux and yes, Jon likes dashes very much.

    Hmm, I guess I will now be integrating Nonsense; feh, now Jon will want a copy before I release it.

    I hope this was informative to you "Open Source Isn't Secure" types. In fact, just to mention about BSD for a moment: The reason why it seems constantly out of date is because it is constantly being tested for those "flaws" and insecurities. I compliment the effort, but it does cause the appearance of antiquation. Sure, their 3.0 compiler is more stable than your 4.0, but it lacks features and advancement. Their 4.6 firewall is more powerful than your 6.2, but it's not as customizable or as scalable. However, if you would consider OpenBSD, or any for that matter, you would have little in the ways of worries and only the occasional woe. And, every once in a while...you can get an impressive application that makes us GNU-ists stop and say, "Woah!"


    Now...about that anti-Semitic AnonCow, could someone do something...NOW-ish?
  • ..."This program will fundamentally change the existing approach to development and acquisition of high assurance trusted operating systems technology by advancing the security functionality, security services, and the state of assurance in current open-source operating systems and developing a long-term architectural framework for future trusted operating systems."

    Can you see it? Someday, all transactions on digital networks will require secure p2p operation such as this would provide. Meaning, that companies would only do business with you if they can be assured you won't take advantage of them.
    This would be a very marketable product in the future. Wouldn't the MPAA love it when all television sets in the future run this future OS? It would assure them that your TV is who it says it is, and would make sure those silly kids aren't trying to record TV shows... God forbid.
  • Much as we should all be grateful to DARPA for inventing the internet and funding it through the early years, I am not sure if having the government involved in open source development will work in the real world. The issue is one of control.

    One reason that commercial companies are reluctant to use OSS is that they do not like to relinquish control to unknown elements. We all know the standard rebuttals to this point, but the military could be worse.

    The military and security agencies are incompatible in terms of ethos with the OSS atmosphere. Will they give outside developers, like Joe Bloggs from Birmingham, UK, or Pu Kong Yon from Bangkok, the same access to internal information and the same time of day as external developers?

    I fear, very much, that there could be difficult times ahead in this project. I am hedging my bets as to the outcome.

    You know exactly what to do-
    Your kiss, your fingers on my thigh-

  • by ChrisCampbell1 ( 309018 ) on Wednesday February 28, 2001 @01:35PM (#394577)

    Maybe someone should just tell them about OpenBSD, save some time and money.

    Maybe someone should just tell Michael about EROS [eros-os.org], a GPL'd x86 capabilities OS currently under development.

    Read more on capabilities [eros-os.org] and why they're important to OS security. A capabilities system is relatively resistant to a lot of the big security issues that plague other types of systems. For example, even if buffer overruns do occur, the damage that can be done is very limited. This is a really cool project.

  • Sounds like they have some pretty high goals that require a lot of cooperation between various groups. I wonder how they intend to solicit that cooperation.

    Dare to dream... :-)

  • by Billygoat Gruff ( 321042 ) on Wednesday February 28, 2001 @01:29PM (#394584)
    Darpa should keep its nose out of the internet business. The internet is a creation of the free market and they are trying to coopt it for the gumint.

    Too bad that DARPA INVENTED the Internet! Back when they were still ARPA (Advanced Research Projects Agency). Now they've become DARPA by throwing a Defense in front of the ARPA.

    So as Mr. T would say, "Cut that jibba-jabba, fool! Internet wuzn't no creation of the free-market!"

  • Don't beat up the good guys. DARPA funded all of the early Internet work and a good chunk of BSD work as well. So, indirectly, DARPA has already provided funding to OpenBSD. And it's nonsense that the U.S. government is actively opposed to open source - for example, NSA just released a Security Enhanced version of Linux [nsa.gov].

    DARPA is trying to advance what's already available - and advances in security would be great. I suspect they will be able to make advances, since they're planning to spend $10 million on the winning proposals. As has been noted, OpenBSD is not a perfect solution - its packages are often quite old and it has many functionality limits (e.g., no support for SMP). It also doesn't meet the principle of "least privilege" - root is still all-powerful, programs can do anything their owners can, etc.

    The deadline is soon for those interested in submitting a proposal. The full proposal (all copies) must be submitted in time to reach DARPA by 4:00 PM (U.S. Eastern Time) Monday, March 5, 2001, in order to be considered; it CANNOT be sent by email or fax (they REQUIRE PHYSICAL COPIES).

    People interested in submitting a proposal should also read the Proposer Information Pamphlet (PIP) [darpa.mil], which isn't easy to find unless you know where it is.
