[cryptography] Quick review of US Air Force (!) "Lightweight Portable *Security*" Linux Distribution

Solar Designer solar at openwall.com
Sat Jun 11 22:02:50 EDT 2011


On Fri, Jun 10, 2011 at 11:55:10AM -0400, Thierry Moreau wrote:
> - Anybody has examples of source code distribution practical 
> arrangements for other specialized Linux distributions?

I don't quite see a problem with distributing source code for a
specialized Linux distribution.  For example, we do it for Owl:

http://www.openwall.com/Owl/

In fact, our live CDs include the full source code and build environment.
(It is even possible to rebuild the system from source while CD-booted.)

As to integrity checking, we distribute *.mtree files and detached GPG
signatures for those.  These cover both the ISOs and source code trees
available separately.  mtree and gpg are part of Owl, so it is possible
to verify downloads of updates, both binary and source.

> - Anyone else sees the relevance of the LPS basic ideas? If not, how do 
> I make sure my SSH connection to my secure server is not hacked locally 
> on my laptop given that my children could have had root access to it at 
> least on one occasion? (OK, I could trust them more than the Air Force, 
> but you should see the point.)

It is definitely useful to be able to use a trusted copy of the OS,
although at least in theory you need to consider firmware backdoors as
well:

http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf
http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-CANSEC10-Project-Maux-III.pdf

Alexander



More information about the cryptography mailing list