Building a "bulletproof" system - theoretically possible?

Hi,

I've got a rather hypothetical question here, because frankly, everyone knows that it's impossible to do it but...

"How to build a completely bulletproof OS?"

Alright, so I know that this is barely a game of thoughts, but a friend of mine brought that topic up (beer was involved) saying he'd want to build one, I said it wasn't possible and now, I can't stop finding all the problems in the process and thinking of ways to fix them effectively.
Maybe anyone else here thinks this is interesting?

From what I've researched until here, I'd consider this good ideas:
1. TOR for anything, going in or out.
1.1 PGP for all important communication to make eavesdropping even harder.
2. Build everything from previously checked sources. No propietary software, no doubtful sources (should be easy enough with Linux).
3. Of course, a professionally trained admin/user is required.
4. The usual set of security software and high-security configuration.
5. Coffee. Loads of it. So much that half of brazil's production isn't anywhere near "sufficient".
5.1 A cardiac surgeon to fix the consequences of too much coffee.
5.1.1 Penguin shaped casket in case the surgeon can't help anymore...
5.1.1.1 A graveyard allowing people to be burried in penguin shaped caskets.
5.1.1.1.1 Someone who will build a PSC (Penguin shaped casket, sorry, I'm a little exhausted after so many PSC's that I decided to make up a shortcut for it) for me.

So, I found those flaws in the theory - I'm open for more or ways to fix some:
1. Infected internet and mail servers (If they tap into the cable, they don't need to fiddle with the plug, that is). Might be solved with TOR and Encryption (SSL, PGP), but risk remains?
2. Infected Cross GCC. If I go the "LFS" way, I'd have to use a host system and a host cross compiler. If that thing's infected, the whole project's judged to fail from the start.
3. Infected Hardware. If the hardware's been tinkered with... well, see above.

Of course, as I always say: A perfect world isn't human, and a human world isn't perfect - and Windoze is just perfectly safe, unless you want to keep your privacy or have an incomfortable political/ethical view. So I guess it's a minefield for anyone...

Anyways, thanks for helping me with that - I've got some experience with Linux (I'd even say I'm quite good) and already built an LFS system once, but that didn't answer all my questions. Look forward to hearing from you!

I think you need to protect your host against all possible and known (and unknown) dangers. That will cost a lot. But there is another approach: close all the doors and windows and open only what you really need. So put your box into a cellar, make a strong wall around it and plug out every and each cable and you are done.

Quote:

Originally Posted by pan64 I think you need to protect your host against all possible and known (and unknown) dangers. That will cost a lot. But there is another approach: close all the doors and windows and open only what you really need. So put your box into a cellar, make a strong wall around it and plug out every and each cable and you are done.

+1 for this solution.

OP, I know what you're talking about, and it is only EVER going to be a thought-experiment. Unless you TOTALLY disconnect the box from EVERY incoming data source (aside from what you type in), you'll be vulnerable. Somehow, there will be some sort of exploit...for example, TOR can give you a measure of anonymity, but the pages you VISIT may not. Or may contain code that is damaging. Or a file you download will be susceptible to something. And on and on and on.

All you can really do is mitigate the risk.

interesting question. for me, i would have to know what functionality is required of the system, and, to what level can you compile? tcp-80 using custom tcp/ip stack in which the listener app only accepts a single hex char and does a math function using that hex and returns the value. could someone become root on that system remotely? probably not. i dont recall the risk equations for this, but if you add +1 on functionality the probability of exploit goes up say 1.2 times...?

this goes back to basic questions of, why are OS's built feature rich yet only small pieces of the set are actually used. why dont people use monolithic kernels? do we really need to allow mods to load and unload?

Sorry, I forgot to mention that I plan to firewall all incoming things off - but that of course won't help me if a client side script or something else in a web page is "phoning home", cracking through all my security measures.
It's a little like bulletproof glass: it keeps of bullets from a pistol or a rifle, but only until someone goes grazy and comes back with a howitzer.
Linux_Kidd: yep, and that's where LFS comes in. LFS means Linux from Scratch, which means to start off with sources and only building what you really need (In the end, you literally sit there with bash, vim, less, gcc, manpages and little else). If that makes the base, I hit two targets with one shot: All source code can be verified plus I can make sure that the system contains only what I need. Less unneccessary weight and less security holes that way.
I think it is a good approach to try and wall off everything as safe you can. Then, when someone tries, he/she is likely to reach a point where he/she gives up because there are easier targets.
A litte risk always remains - after all, even with the unhackable system we philosophize about, you'd just have to kidnap the owner / his/her wife/husband/kids/dog/cat and get the passwords out of him/her (I doubt someone would do that. I'm not a target of interest to anyone, just a crazy guy with a crazy idea).

What you need ... ... is a good .357 Magnum to use against the people who try to break in ... ... and of couse, a supply of those "penguin-shaped caskets" to bury the suckers in. And a sharp shovel and a nice, quiet hillside. (Or maybe, if you are so inclined, fava beans and a nice chianti ...)

"Chuck Norris does not have break-ins to any of his systems. The computers are too afraid of Chuck Norris to allow them in."

All kidding aside, really the biggest obstacle to "a bulletproof system" is a human one: someone has to know how to get in. Someone has to be able to do it. And, that someone (all such "someones" on the entire team ...) must never make a mistake. Never. And this just doesn't happen in real life. So, you build systems around layers of security, like they used to build castles, with a whole bunch of obstacles that (hopefully) never give the opponent an unlimited amount of time to defeat them without being observed. But even so, Troy was defeated by simple cunning. Furthermore, these days you might succeed in attacking the devices upon which your entire thoughts of security rest. Maybe they defeat them to get past them. Or, maybe they defeat them in order to use them for foul purposes. Your router can become a spam-bot. It has happened.

This came to mind when reading the the title: xkcd: Security

From a practical point of view: 100% secure (or "bulletproof") is an illusion. I think TB0ne's reply hits the nail on the head.

One word: impossible.

I recommend that the thought should never even cross your mind, lest it make you less vigilant in keeping your system patched and up-to-date. There is no such thing as a bulletproof or impenetrable system, just search slashdot or the net for clear examples that it can never be done. Instead, focus on what is possible and remain vigilant.

I've already posted about Tor in this forum. "bulletproof" should not be in the same sentence.

I think both the OP and the other participants stay too close to todays reality. The OP asked "is it theoretically" possible. So you might assume things like practically unlimited resources on [developing] time, developers, money. But not things which are theoretically impossible like unlimited processing power.

So the next statement shows a hole in security in the thought experiment, although some assumptions are made which are unusual:

• He is using a firewall
• The code of the firewall is bug free (can be achieved with practically unlimted resources on time and developers)
• A firewall allows outbound traffic by definition
• Users want to browse the internet, so they need outbound connections
• The browser is perfect and error free
• But any web page can load code which is able to phone home given the current specifications.

Now you are playing by the rules. I just wonder if phoning home is a malware issue, or is part of what the W3C specification allows.

jlinkels

"Bug free", "error free", hehehe ...

That's why I stated it's a theory: It can be in a constructed universe where the user is a godlike being that never makes a mistake, where... let's say... creative interrogation isn't existing, where any software is bug-free - the important thing is to draw a clear line and keep the theory in there - or, as said, a $5 wrench might be enough to circumvent even a perfect security measure. +1 for the comic, btw - hope I won't end up that way.
Of course, updates are one of the key points of security (See Windoze XP that will be a malware paradise in April. And who's gonna take the heat from all those botnets?!?! Us (=(Linux) sysadmins)). Since exploitation actually needs something to exploit (which are bugs/errors in the software), a bulletproof system would need to implement this if it should stay safe for more than a few days - and by bulletproof, I don't mean the admin's gonna sit around thinking "my system is bulletproof". Also, as much as possible should be automated to minimize the human factor.

Also, I think a good strategy for the start is: For every known hole to exploit, there must be a secondary measure to avoid exploitation. I forgot to mention the firewall, and seeing it now, I'm in doubt it would change anything at all (apart from being able to firewall the programs off that might be accessible from outside, but a user downloading malware can trash it all).

By "phoning home", I mean that maybe a script or program loads something from a server, revealing the "real" ip instead of the torified one. It can either be a legit program or a piece of malware - I think both are the same problem if you want to hide your real IP. Beside that, I mainly thought of TOR as "security by obscurity" - if my real IP is known to as little people as possible, it's less likely to be known to someone that actually wants (and is able to) hack the system.

Luckily enough, in reality, a hacker has as limited time, money and skill/information as I do (reducing it to its basics, I'd say someone in my age has still ~ 80 years to live). So it's probably a question of keeping those off who want to go in, and make it uninteresting for those who can go in. (Most criminals are looking for easy prey, and if you aren't easy to catch, they'll leave you alone. Much like bullies at school).

And hey, I want to be the only one with a penguin shaped casket (Hmm... should a 21 year old worry about his funeral already?)!

hm, noone is perfect (but me), therefore there can be no perfect system at all.
That (professionally trained) admin should know not only the OS but all of the installed softwares, like databases, web servers and other pieces - not only the system but those installed apps are exploitable.
(for example see mysql injection here: http://www.tizag.com/mysqlTutorial/m...-injection.php)
An app which is allowed to go outside is an exploit itself and you cannot protect it with firewall or anything else just by that app. That human factor is already installed.
Hackers need not know your ip and your system, they only need a security hole, an exploitable application. And those hackers usually know that specific application much better than the admin.

A perfect system needs no updates at all.

http://www.sewanee.edu/physics/PHYSICS101/murphy.html