Compartmentalized computing with CLIP OS

The design of CLIP OS 5 includes three elements: a bootloader, a core system, and the cages. The system uses secure boot with signed binaries. Previous versions supported only the x86 architecture, and no other architectures are planned for now. The core system is based on Hardened Gentoo. Finally, the cages provide user sessions, with applications and documents.

Processes running in separate cages cannot communicate directly. Instead, they must pass messages using special services on the core system; these services are unprivileged and confined on the cage system, but privileged on the core. These communication paths are shown in this architecture diagram from the documentation. Cages are also isolated from the core system itself — all interactions (system calls, for example) are checked and go through mediation services. Isolation between applications will rely on containers, and the team plans to use the Flatpak format. The details of the CLIP OS 5 implementation are not available yet, as this feature is planned for the stable release.

A specific Linux security module (LSM) inspired by Linux-VServer will be used to add further isolation between the cages, and between the cages and the core system. Linux-VServer is a virtual private server implementation designed for web hosting. It partitions a computer system's CPU time, memory, filesystem, and network addressing into security contexts. Starting and stopping a new virtual server corresponds to setting up and tearing down a security context.
