Wilders Security Forums  

  #1  
Old October 16th, 2012, 07:38 AM
cruelsister cruelsister is offline
Frequent Poster
 
Join Date: Nov 2007
Location: Paris
Posts: 604
Default Kaspersky to develop an OS for Industry

The best ideas are those based on simplicity: Prevent malware breach by "the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS".

Looks like Eugene realizes that keeping infrastructure safe is more important than power plant workers updating their BookFace page.

http://eugene.kaspersky.com/2012/10/...e-speculation/
__________________
Whom the Gods would destroy, they first make Proud
  #2  
Old October 17th, 2012, 04:55 AM
PJC PJC is offline
Very Frequent Poster
 
Join Date: Feb 2010
Location: Internet
Posts: 2,962
Thumbs up Re: Kaspersky to develop an OS for Industry

"In your average company, one of the most important things is confidentiality of data, and IT administrators are encouraged to isolate infected systems from non-infected systems to that end, among others. Thus, for example, if on the corporate file server a Trojan is detected, the simplest thing to do is disconnect the infected system from the network and then later start to tackle the problem."

Kaspersky Lab Developing Its Own Operating System?
We Confirm the Rumors, and End the Speculation!


Gr8 News!
  #3  
Old October 18th, 2012, 08:29 AM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Kaspersky to develop an OS for Industry

I read their page about the goals of this OS and it sounds like they are simply reinventing the microkernel. If you are not familiar with microkernels, let me give you a quick low-down:

1) Reliability is better since drivers are put in userspace and not in the kernel. This means "BSODs" will be unheard of. The MINIX microkernel, for example, will silently restart failed drivers without the user's knowledge. This means if you have a driver failure, you probably won't even know it. Compare this to Windows today where if a driver crashes it brings the entire OS down with it.

2) Putting buggy driver code in userspace also increases security. If there's an exploit in a driver, it can't get system-level access because the driver does not have DMA (and thus cannot write to physical memory). Some devices require DMA, however, which might make such memory separation impossible unless the hardware supports something like IOMMUs. So it really depends on the device in question and whether the hardware supports IOMMU.

3) This all means that your TCB (trusted computing base) has a small footprint. That is, the kernel itself (the most trusted part of the OS) is only 5-10,000 lines of code (compared to 15-20 million like we have today). The smaller the kernel is, the more sure programmers can be that it is correct and free of bugs. It's much easier to be sure of 10,000 LOC as opposed to 15,000,000.

The biggest downside to microkernels is that the performance sucks compared to a monolithic kernel (Windows, Linux, etc.). Performance has gotten better with more modern designs, however (L4 for instance).

The idea is not new at all and I doubt it catches on now. There are already several microkernels out there right now (L4, QNX, EROS, etc.) but no one uses them except in embedded systems. Hell, L4 has been formally verified and claims a security level higher than EAL 7 (that's the highest possible rating in the common criteria). Microsoft has its own microkernel called Singularity, but again, it doesn't seem to be anything but a research project. And the "Qubes OS" released a few months back is basically this same design (except it uses the Xen hypervisor which acts almost identical to a microkernel).

Maybe Kaspersky has some magic touch that will make their microkernel catch on. But I doubt it.
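
The driver-restart behaviour from point 1 of the post above, as an added example that is not part of the original thread and is not MINIX code: an ordinary POSIX supervisor process stands in for the microkernel's driver manager. The names `driver_main` and `supervise_driver` and the crash counts are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical userspace "driver": faults on its first `faulty_runs`
 * starts, then services its request and exits cleanly. */
static void driver_main(int attempt, int faulty_runs) {
    if (attempt < faulty_runs) {
        struct rlimit no_core = {0, 0};
        setrlimit(RLIMIT_CORE, &no_core); /* keep the demo from dumping core */
        raise(SIGSEGV);                   /* simulated driver bug: kills only this process */
        _exit(1);                         /* reached only if SIGSEGV was ignored */
    }
    _exit(0);
}

/* Supervisor: runs the driver in its own process (its own address space)
 * and restarts it after a crash. Returns the number of restarts that were
 * needed, or -1 if the driver never came up within `max_restarts`. */
int supervise_driver(int faulty_runs, int max_restarts) {
    for (int attempt = 0; attempt <= max_restarts; attempt++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            driver_main(attempt, faulty_runs); /* never returns */

        int status = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return attempt;                    /* driver is healthy */
        /* WIFSIGNALED(status): the driver died, the supervisor did not.
         * Fall through and start a fresh instance. */
    }
    return -1;
}

int main(void) {
    int restarts = supervise_driver(2, 5);
    printf("driver up after %d restart(s); supervisor still running\n", restarts);
    return restarts < 0;
}
```

The restart budget matters in practice: a driver that faults on every start would otherwise be restarted forever, so the supervisor gives up and reports failure.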
  #4  
Old October 18th, 2012, 01:00 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,712
Default Re: Kaspersky to develop an OS for Industry

It sounds more to me like they have their eye on cashing in on the problem quite honestly. That might not be a fair statement, but I stand behind it. This is the same lab after all that keeps finding "state-sponsored malware" and has broken most of the stories about systems in Iran and other places. Eugene Kaspersky is the head guy after all.
  #5  
Old October 18th, 2012, 01:05 PM
Hungry Man Hungry Man is online now
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: Kaspersky to develop an OS for Industry

This is more than just a microkernel project. The reason this project would work much better than just running Minix is that it's built with very specific systems in mind. The system is designed, from day one, to do only what it needs to do - you can build your security policy around the only thing systems need to do.

This is why it's better than using OpenBSD, which is a core OS that you build off of with libraries etc and hope that the security model is extensible to the degree needed. Or Minix for that matter.
  #6  
Old October 18th, 2012, 07:27 PM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Kaspersky to develop an OS for Industry

Quote:
Originally Posted by Hungry Man
This is more than just a microkernel project. The reason this project would work much better than just running Minix is that it's built with very specific systems in mind. The system is designed, from day one, to do only what it needs to do - you can build your security policy around the only thing systems need to do.

You could do the same with Minix or L4 or pretty much any microkernel. Most microkernels are designed by the Principle of Least Authority (POLA). That is, put as little code as possible into the privileged space and put everything else into userspace. So basically they could use any microkernel that fits these properties and then stack the SCADA software on top of it. It might still be possible to hack userspace stuff, but getting "root" would be near impossible since userspace memory cannot overlap with kernel memory (hardware enforced).

All of the above will apply to Kaspersky's OS as it will still be possible to hack userspace. That is unless they do one of the following:

1) Audit every line of userspace code and proclaim it bug free (no one in human history has ever done it for large complex software).

2) Somehow lock down userspace processes so that a compromise of one process cannot affect anything else (something like a MAC).

Since #1 is simply not possible and since #2 is already widely available, I see no reason for Kaspersky to write an OS from scratch. Microkernels are great for protecting system compromise, but I don't see much security benefit overall since userspace is still open. Where they *do* help is with reliability and stability. Since drivers are in userspace, they can't crash the OS. However, there is a trade-off since putting drivers in user-space hurts performance.

A much cheaper and effective solution is just to air-gap these critical machines. You could run Windows ME on them and it wouldn't matter unless an attacker had physical access.


Quote:
This is why it's better than using OpenBSD, which is a core OS that you build off of with libraries etc and hope that the security model is extensible to the degree needed. Or Minix for that matter.

OpenBSD is just regular run of the mill BSD Unix. It is not a microkernel, but is monolithic just like Linux. The only thing special they do is audit the kernel code more than most other projects. And the reason OpenBSD can claim "no exploits in x number of years" is because it doesn't come with any software. It's pretty bare bones. Once you add userspace stuff to it (X11, Apache web-server, etc) it encounters the same security shortcomings any other *nix does. To make matters worse OpenBSD doesn't offer any Mandatory Access Control system. All it offers is the old traditional Unix DAC.

OpenBSD may have a more secure *kernel* than Linux or FreeBSD or Windows, but that is moot because the kernel by itself is useless.
  #8  
Old October 19th, 2012, 12:28 AM
Hungry Man Hungry Man is online now
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: Kaspersky to develop an OS for Industry

You could do it with a Microkernel but you'd end up having to rewrite code anyways because you're going to be building your security policies into it. This could be just as difficult as starting the project from scratch.

I brought up OpenBSD because I saw another user on another forum say they should just go with it.
  #9  
Old October 21st, 2012, 11:45 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,712
Default Re: Kaspersky to develop an OS for Industry

Security experts are slightly less excited:

http://www.pcworld.com/article/20127...skeptical.html
  #10  
Old October 25th, 2012, 11:05 AM
encus encus is offline
Frequent Poster
 
Join Date: Nov 2009
Posts: 531
Default Re: Kaspersky to develop an OS for Industry

I'm eager to find out more. Thanks for the info!
  #11  
Old October 25th, 2012, 12:39 PM
CogitoTesting CogitoTesting is offline
Frequent Poster
 
Join Date: Jul 2009
Location: Sea of Tranquility, Luna
Posts: 898
Default Re: Kaspersky to develop an OS for Industry

I'm not trying to confirm my paranoia credentials; however, I'm smelling a trojan horse from the FSB.

Thanks.
__________________
Genuine Machine : On Access and On Demand Security Apparatus: Olivia, My Dearest Beloved
Fake Machine (Windows 7): Private Firewall 7, Avast Antivirus 7 (free), and BufferZone 4
  #12  
Old October 25th, 2012, 02:15 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,712
Default Re: Kaspersky to develop an OS for Industry

Quote:
Originally Posted by CogitoTesting
I'm not trying to confirm my paranoia credentials; however, I'm smelling a trojan horse from the FSB.

Thanks.

Well, as I said in a previous post in the thread, Mr. Kaspersky is a rather... controversial... gentleman. However, setting aside whatever his personal intentions, history and beliefs may be, we're still talking about national infrastructure. If the U.S. or any other developed nation cannot protect its own infrastructure with its own technology and effort, then a Russian company cannot either as obviously there is more than just a technical failure going on. In my own opinion, this is a risky move if gone through with... too risky. Though I must admit I don't see this happening for many reasons.
 


All times are GMT -4. The time now is 01:22 AM.

