Learn From Robert Watson Of FreeBSD And TrustedBSD

Robert Watson is a core developer for FreeBSD, and a member of the TrustedBSD project. He is one of the best people in the world to ask about FreeBSD security, and about FreeBSD development in general. Please post your questions below. We'll send 10 of the highest-moderated ones to Watson by email, and post his responses verbatim as soon as we get them back.

TrustedBSD and OpenBSD

What similarities and differences do you see between the TrustedBSD project and the type of security work undertaken by the OpenBSD team? How do their goals and philosophies differ?

TrustedBSD With VMS Features?

I was reading some documentation on VMS the other day (don't ask), and found out something really interesting. VMS has per-thread security. Thus, a multi-threaded database application could still have ridged security even though it is one process.

I'm a UNIX admin, and don't wish to admin VMS, but this blew me away. Are there any other VMS you are or are considering adding to make TrustedBSD a more solid and extendable OS?

OS X based on FreeBSD

OS X's Darwin is based on FreeBSD. How good a member of the Open Source movement has Apple been? Have they contributed anything back to the FreeBSD project (code/money/t-shirts/etc...)?

Why would you... ?

FreeBSD development is obviously a big part of your life. I have noticed that peoples reasons for using a free OS are often not simply because its better, but because of some view or stance on freedom that they have.

I am a Windows guy, only because my job says so.

What I want to know is, how would you go about convincing me, a Win2k user, to consider using a *BSD. I am interested in learning a new OS... always. But, what makes it stand out from Linux/Win2k/MacOS?

FreeBSD Distribution

Do you think FreeBSD is hurting in its distribution in comparison with Linux and commercial OSes? Not only are they available from numerous online stores, one can usually find them at simple retail outlets like Best Buy. On the contrary, FreeBSD distribution seems much more limited, with less retail and shrink-wrap options.

I have noticed, however, that linuxmall.com sells FreeBSD CDs, has the FreeBSD community recieved much support from the Linux community over distribution (such as mirrored FTP from mostly Linux servers)?

The future?

What do you see in the future for *BSD, with the huge amount of popularity that linux keeps on receiving, not to mention attention, esp. from our buddy Bill Gate$...
Do you think it will remain the strong, viable but simply less popular free OS it is now, hiding behind the limelight of linux, or will it come up in popularity, esp with the codebase for Apple's Darwin, which is all BSD based?

decent literature

instead of asking you a few questions directly, i would like to solve them on my own with the best set of tools. what publications or literature would you recommend for:

• the *bsd newbie or learner
• the *bsd uber-know-it-all-i-dont-need-any-docs

i am trying to cut the signal/noise ratio out of understanding bsd. specifically, what security documentation have you found useful day-in/out?

Question Please!

Can you explain, in some detail, the overall goals of the BSDs you particpate in?
Please try and direct your answer to people who continue to proclaim that *BSD is dying, and point at some made up marketing numbers.

Biggest problem / Best advice

Everybody knows there's no such thing as a perfect system. As such, what do you think is the most, and least perfect points regarding security in FreeBSD.

Also, in terms of security, what do you think the most common dangerous behaviours are by FreeBSD users and admins? What would you change about the FreeBSD userbase if you could?

--
"Don't trolls get tired?"

Mandatory Access controls

There seem to be a proliferating number of proposed extensions to
*NIXes with ruleset-based mandatory access controls. Is
standardisation important? What influence do you see of NSA's
recently released `security enhanced linux' having on other systems
(like that in TrustedBSD)?

what do you do for *money*??

While perusing the mailing lists for -hackers, -stable, -current, etc. etc., I often wonder what people like yourself, Mike Smith, Greg Lehey, and the other core members do to pay the bills. Unless something has changed recently with the BSDi takeover, I can't imagine that the FreeBSD project keeps the food on the table. So how about a little insight into your and the other core members "real" jobs. (As if there is such a thing as a "real" job). But anyways, thanks for all the hard work for little pay!

TrustedBSD and NSA secure linux

How does TrustedBSD compare with NSA secured linux (http://www.nsa.gov/selinux) in terms of new and or improved security features? And are there any plans to eventually integrate the rest of the TrustedBSD features back into the shared BSD source tree (the extended attributes already have been committed)? How would using TrustedBSD instead of FreeBSD impact clustering applications?

And just for my information, where did all the packages for clustering BSD go? All I can seem to find anymore is the linux stuff. And personally I don't like redhat and their rpm distribution method, all anyone wants to distribute anymore is rpms which is not near enough to standard and compatable accross the board as tar-gzip for my purposes. (One primary difference being that I can open a tar-gzip on a windows box at work during break to browse through source, and to my knowledge no one has bothered to create a "winrpm")

Openpackages?

What's your opinion on the Open Packages project? [openpackages.org] Even though I'm not currently a *BSD user, it sounds great on the surface--there's even been interest expressed in patches for Linux!--but I've got to wonder what sort of complexities need to be worked out to maintain a set of packages for FreeBSD, NetBSD, OpenBSD, Darwin...

More OS X

What is the exact relationship between the Darwin Kernel and the FreeBSD kernel? How much FreeBSD code is in Darwin and how much Darwin code is in FreeBSD?

Unified Ports Tree?

A while ago there was some hubbub in our community regarding the concept unifying the ports trees of the the different BSD flavors. It seems to me that this would be a mostly good thing, reducing duplication of work and making the ports both more plentiful and of a generally higher quality. Has there been any discussion of this in core? If so, does it look like this will ever happen?

--
SecretAsianMan (54.5% Slashdot pure)

Cross-pollination with Linux security efforts?

There's been quite a bit on Slashdot about Linux (and BSD) security. Bastille Linux is about "hardening" standard Linux installations, the NSA has their own version that they've been mucking about with internally. So, questions:

Is there a need for something like Bastille for FreeBSD? There shouldn't be a need for it with TrustedBSD, should there?

Have you looked at what the NSA did to Linux and attempted to extract from it? Are there modifications they made that apply to TrustedBSD, either in source code or in spirit?

What is next:

I've got a FreeBSD box that i want to bolt down and harden. It's a Dual PIII 800, and i want to use it for development and testing of a server program i'm writing. The server runs as nobody, so i'm not worried about that.
I've closed stuff off such that an nmap from localhost, tcp, syn, and udp shows only sshd, dhcpc, and syslog. I'm currently running the verson of openssh that comes with FreeBSD 4.2.
I'm planning on installing tripwire on the machine at some point as well. I also plan to write something that will mail me a diff of the setuid log between the current day and the previous day, as well as a similar thing for the password file. Any other suggestions?

Process?

Hi,

I'd like to thank you for all the work and effort you and your fellow developers are putting into this project. I currently use FreeBSD and have plans to try out your work on my next server configuration.

Could you give us a short overview of the process you're taking to make FreeBSD more secure? In particular, how does the TrustedBSD project compare with OpenBSD, which has been undergoing a line-by-line security audit for years? Most importantly, what are the advantages of choosing TrustedBSD over OpenBSD (besides the obvious project-loyalty factors)?

Kindest regards,
NGH

FreeBSD and X-Windows

Given that X is an inherently insecure system (though great strides have been made to rectify this), how do you see the relationship between X and FreeBSD going forward? xfree86 v3.x is nice, v4.x is nicer (though it hasn't made it to the "default" windowing system for FreeBSD, presumably because of some gaping security holes). Surely, for the mindless masses, X (or some derivative) is a necessary part of the complete OS distribution. What does the core feel is a reasonable tradeoff between security and functionality, WRT this issue, and to what extent will the core move to "correct" any serious problems (non-platform specific) with future releases of X?

How does TrustedBSD compare to Eros?

Eros [eros-os.org], unfortunately, doesn't look like it's actually going to arrive (at least not in a timely manner), but I've read several of the papers on capability-based security and they were all very interesting.

What do you think about Eros? What's your opinion (and your perception of the security community's opinion) about capability based security?

Thanks, Jeremy

What is part of FreeBSD and what is not ?

I run FreeBSD on 3 machines here. I felt in love with it.

One thing I was wondering about is how decision are taken about what goes in the real system (/usr/src) and what does not. For instance, rcp is in the base system, while rsync is in the port tree. When I started, less was not in the distribution, but now is. Why ? Will FreeBSD grow and accumulate more and more tools in /usr/src ?

Something somewhat related that bother me is that as soon as I get away of the base system, things are much less clean. Even if the port tree is wonderfull, there is no simple command that will enable me to stay in sync with non-standard stuff. I would love beeing able to do something analogous to cvsup + make world to keep an up-to-date X / gnome / mozilla installation, with a defaut window manager and configuration that make sense. Is there any work in that direction ?

Cheers,

--fred

A few important questions:

1) Do you ever plan on moving away from the slow and resource intensive method of VMS style paging for memory address resolution

2) Are there plans to rewrite the TCP/IP stack to be multi threaded

3) Will BSD ever migrate away from UFS to a more modern file system?

4) With serious POSIX compatablity issues are there plans to use code from POSIX compliant OS's to become more commercially attractive to major corporations

Changing face of security

Do you think there is ever a time when you can declare a system "secure"? Assuming you dont, do you think it is even possible to objectively rate the security of a system?

BSD hackers vs GPL hackers

I've heard it said numerous times that "Linux is more successful than BSD because of the license". The argument is that hackers prefer the GPL because their code can't be "stolen", whereas nothing stops Microsoft from using the BSD licensed code. I've even seen some Linux advocates point to Darwin as the ultimate example of exploitation.

What are your views on this from a perspective as a BSD hacker? Can free software really be stolen? Is BSD open for exploitation (in the negative sense)?

Re:Why will people continue to use FreeBSD?

Mac users still get uncontrollable giggle fits when people talk about the "User friendly Windows interface". If you need a seemless, integrated UI for total control over the presentation and creation of complex data (Graphics, sound effects, bad screenplays, etc.) you need BeOS or a Mac.

Unix in all its many splendored flavors is good for when you need stability and performance. This is why it's usually paired with the =really= sexxxy hardware you need a government grant to buy. Unix boxes are at their finest as tools, accessories. Big, expensive shared peripherals that serve a specific, tailored purpose.

In my case, I've got a Sparcstation LX running OpenBSD for a purpose: I need to host a private web forum. It has to be robust, able to cope with large loads, and dirt cheap. Including the OpenBSD CD(with stickers!), the setup cost me $50. I don't need a windowing environment...I have my MacOS Powerbook on a network with it. After the initial install, I can administrate it better sitting on my couch than I can sitting on the terminal...the Mac's tools for editing bits of text from a usercentric standpoint are second to none. Perfect for tweaking configuration files.

And you will need to tweak configuration files. By hand. Might as well start off that way rather than continually correcting what the GUI administration applications assume is what you want. This is where BSD's shine. Their systems are simple and unsophisticated, well documented with clearly written manpages and FAQs, thus shallowing the learning curve if you need to get into the nitty-gritty of networking, soft-raid, security auditing, etc. You know...the stuff Unix is =good= at.

Linux is too chaotic, the distros vary too wildly from one to the other to make low level administration and automation easy. They cram everything but the kitchen sink into your system, none of it documented very well. This is fine if your hobby is computer science and you need a toy to play with, or you need a robust workstation environment, or you want to compete with Windows to be the hottest Mac rip-off arround. Not so good if you're trying to track BBS users by IP to filter out the trolls and bots.

There just isn't a GUI front end for that sort of stuff. Fancy windowing environments soak up valuable processor cycles and RAM. If you need a robust and fast server tailored to meet a specific utility, you need *BSD.

SoupIsGood Food

Re:USB support and the future

FreeBSD has had USB support since 3.3 iirc. Go check LINT, search FreeBSD.org [freebsd.org], look at FreeBSD Diary [freebsddiary.org] and the FreeBSD Handbook [freebsd.org] for further information about setting up your FreeBSD box. I'm sure you'll see just how solid it is.

Ports Unification

A unified "Ports" tree would almost certainly be helpful to FreeBSD and NetBSD in diminishing duplicated efforts.

On the other hand, for OpenBSD and TrustedBSD, the "fuzzyness" of sharing the code base may make it more difficult to "warrant" the security of packages.

Would it be sensible/preferable to have a "fork" whereby there might be a set of Trusted Ports that would represent a (perhaps limited) set of software that undergoes more comprehensive code auditing, as well as the Unified Ports containing software that hasn't undergone such testing?

Re: A few important questions:

Only important questions if you are trolling...

1) Do you ever plan on moving away from the slow and resource intensive method of VMS style paging for memory address resolution

FreeBSD's paging code is extremely fast, which is why FreeBSD performs so well under load. It is fairly resource intensive, but the requirements for page tables etc are proportional to your RAM size, so FreeBSD will still run in low memory configurations.

2) Are there plans to rewrite the TCP/IP stack to be multi threaded

Once again, this is a buzz word issue - the TCP/IP stack performance is very good (ie can staturate whatever network you happen to plug in). But the entire kernel is being multi-threaded for 5.0, to provide fine grained SMP support.

3) Will BSD ever migrate away from UFS to a more modern file system?

The UFS file system is being continously upgraded. It has features which Linux and most other commercial FSs would love - like softupdates, and new utilities to grow filesystems (and shink them too hopefully soon). Just because Linux has had to rewrite it's FS because of poor reliability doesn't mean that the BSDs have a bad file system.

4) With serious POSIX compatablity issues are there plans to use code from POSIX compliant OS's to become more commercially attractive to major corporations

POSIX compatibility is also something which is always being improved. But I think that you're wrong about POSIX compatibility being an issue for major corporations. They are far more concerned with stable APIs, and at the moment they want stable APIs for things like windowing services. This is why people code for Windows, not POSIX compliance.

Regards,
-Jeremy

A very long, complete answer

You can find an exceptionally detailed answer at http://people.freebsd.org/~alex/libh/ [freebsd.org] which should give you a very good idea of where the FreeBSD distribution is headed, in the manner of granular, custimizable upgrades. JKH wrote a wonderful paper that covers this.

--
"Don't trolls get tired?"

Info on SMP status in FreeBSD 5.0

http://people.freebsd.org/~jasone/smp/ [freebsd.org]

Common criteria and TrustedBSD

Robert,

The common criteria [nist.gov] are far more than the old orange book [ncsc.mil] controls (B1, B2, C1, ...). Part two of ISO 15408 has many things that I'd really like to see (and I'm prepared to help, too).

Why even bother with the old style Orange book stuff, which barely work in a networked environment, when the new style CC definitions are available for free?

Also will you be providing a framework such that deployed TrustedBSD systems are ready for CC evaluation?

Lastly, any plans for a NetBSD version? Want some help?

Basis for Trusted BSD

To what extent did you borrow from the Common Criteria for your project? Which protection profiles did you use? Have you found any of the Orange Book series to be useful as well?

A biger question - to what extent are these formal, committee-design secure systems criteria relevant to securing an open source product? What is good about them? What specifically do you find flawed or totally useless? What did you have to improvise because the methodology didn't cover it?