OSNews interviews Alexander Tsolkas, security consultant,
Director Sales & Marketing at IÏ€sec Ltd. Germany, and creator of HSS, or High Security Server, a highly secure Linux kernel and a proprietary management Control Panel. We ask him about his product and about the state of ultra high security computing.Q: What is HSS?
A: HSS or High Security Server is the first Unix OS based on a completely new developed Linux kernel (started with Debian) with integrity protection, like a standard iPhone. It runs as well on Red Hat and Suse Linux. It has been developed by our German company called IÏ€sec Ltd., operating in Frankfurt, Hamburg and the UK. IÏ€sec has also developed the fastest file transfer protocol called RHIPP – Robust High Performance Protocol. RHIPP is seven times faster than anything else IP-based on the planet and works especially well in Cloud Computing environments, where a lot of data has to be transferred very fast from an IPC to the customer desktop, including integrity protection. IÏ€sec’s Vision is innovation and real security, specialized on Integrity protection.
Q: What is so special about the HSS? Is it something like SELinux from the NSA?
A: True, there are tons of other systems like the HSS. Here come the major ones. Apparmor e.g., has a good security, but is a bit outdated and difficult in handling. GRSecurity has a low level security and remains in the middle in terms of ease of handling. RSBAC offers the same security and handling features like GRSecurity. Systrace offers bad security and bad handling. Lids as well.
The only two competitors of the HSS are Apparmor and SELinux. The HSS follows the same principles in terms of the LSM concept in development like its two competitors, and remains on the official ethical path on how security should be implemented into Linux kernels.
Q: And what is the major difference to SELinux and Apparmor?
A: The security protection of SELinux and Apparmor only work if the system is configured appropriately. A breach or short cut of the administrator violates the whole security of these OS systems, meaning confidentiality, integrity and availability of the system. HSS offers a hardening of its kernel from the operating system start and remains compatible to its applications. SELinux and Apparmor do not offer a basic protection against vulnerabilities of the Linux kernel. Everything has to be set up manually and by tons of scripts.
One of the major tricks is that the HSS re-assigns the Unix Capabilities. They are assigned in a different way to root, other users and to a new account called the Security Officer, or SecOff, depending on the security levels chosen before booting. Root has only read (allow) on the SecOff account and its rights. A sudo or su does not work just because an admin owns root rights. Security is mandatory and a four eyes principle has been implemented.
Q: But that means in terms of operations that if a system stands due to a problem, it stands?
A: Yes, it will stop processing, but security goes on, and that is the major point. Some business processes have to be adopted when playing with the thought to implement HSS. We did not care about environments where people need to have SOX-related security compliance for executive reports and compliance reports, when we had the idea. We were focusing on high security areas, where people really have to rely on security, where reliability for security is 100%. We have implemented three security levels in the HSS.
These 3 levels can be seen as different profiles, while the HSS continues its principles in all three security levels, but will allow for some flexibility which can be customized in all three security levels. Well of course in level three, which is the highest security protection, we do not offer a lot of customization. Customers which need level three will not start to argue about it. We can e.g. configure, that in level one, where root cannot submit a “suâ€, it would be allowed. In level three the graphical user interface e.g. X11 will not work. Only the command line is to be used. Level three is the most restrictive security protection.
Q: Can’t SELinux can do the same job?
A: Yes nearly, though not everything what we have implemented in the HSS can be fulfilled as well by SELinux. But let us say for the ease of understanding, they are close in relation to security to each other when both system are customized to their highest security protection.
There is still a major difference between SELinux and the HSS. HSS is up and running and configured in 20 minutes. For customizations in levels one and two please add 40 minutes, for customizations in level three please add 15 min. For training on how to use its ControlPanel (license ware) and its special error messages please add one hour. Now you can see that it takes only 2 hours to have it up and running. And the funny thing in addition is, that it does not matter, for which type of server system you would like to use it? Fileserver, Webserver, Apps-Server? Security works for all of them out of the box. We also have a proof of concept for an Apache Webserver Integrity module.
The major difference to SELinux is time. And time is money,I have seen EDS (now HP) Gurus which required 12 man days to configure SELinux, when I was in Plano, TX while working for the security department of EDS in Germany on different projects overseas.
Q: So you’re saying that HSS has a major advantage over SELinux in setup time.
A: Yes, that is our advantage.. But we have also a lot of other facts which may convince you to choose HSS.
Q: And they are,?
A: HSS offers a Buffer Overflow Protection, including for insecure applications. Drivers cannot be loaded if the system is operated in sealed mode. Time changes are impossible. Access to process information can be restricted. Direct writing on block devices can be forbidden. Executing file without a hash can be forbidden. Loading of libraries with LD_PRELOAD can be forbidden. Setting of SUID/SGID Flags can be forbidden. PTRACE can be forbidden. It can be switched on, that only the Security Officer can modify hashes of programs and files. The kernel-internal integrity protection checks programs and libraries and directly executed scripts before execution against a whitelist (a reserved hash in the Meta directory). HSS offers a library, which can check the integrity of all kind of data before opening for processing occurs. Last but not least, this library can check the Keyed-Hash Message Authentication Codes (HMAC). During calculation of the hash a private key will be added. A program or file will only be successfully checked, if the hash is valid and the signee knows the private key. HSS avoids a persistent contamination with viruses and Trojans. Security is mandatory.
If you need speed and security, you need HSS.
Q: So you have a hybrid licensing model, with proprietary software on top of the open source base.
A: We started selling a single license for the ControlPanel, which can only control the kernel built-in security features for $6000 US. We thought that is still much cheaper and safer, than using SELinux. And we have a license model, which makes HSS very attractive up from more than 50 licenses. Support is a yearly fee of 8% of the license price.
Q: When did you launch your product?
A: End of 2007 it worked with some smaller errors and a one major error with the hashes. Since end of 2008 it is in production and in sales.
Q: Has any outside entity confirmed your security claims?
A: The star under the German security penetration companies called n.runs AG in Oberursel tested it.
Q: So why hasn’t there been more publicity about your product?
A: We wrote in 2008 in IDG Computerwoche (Computerweek) about it and three days later somebody broke into our Hamburg offices and tried to steal the source code. Fact is, we never had the source in our offices. Funny was, that there were two brand new load balancers for 40.000 Euro and 4 laptops on the tables, but the burglars left them there. That was strange. So we think, that one of the existing three-letter-code agencies on earth tried their luck. Since that time, we’ve been keeping a low profile. We have sold more than 1000 licenses, however.
Q: What comes next?
A: Scheduled is an EAL-4 certification. The problem is, that economic espionage is everywhere. If you find the wrong certification authority, it could be that somebody raises patents in countries, and you cannot even sell your little modified own products on these markets. That is why we proceed very carefully, we screen our certification company and its people very well with modern technology, before we select one. If you choose “too†German certification companies like TÃœV-it or T-Systems, it could be that the source goes at least to the German Ministry of Internal Affairs — and from there in deals, maybe also to Bad Aibling (Military Intelligence). We do not want either or both. We would like to offer Integrity. We want that people choosing and paying for high security will not be disappointed. And just because not being EAL-certified, does not necessarily mean, that it is not secure. But we are heading for this. Modern fuzzing technologies can also be used to certify a system soon without the need of having the source code. And we have that time. Also in the pipe is an army model. But before both, we are working at the moment on a new version which supports newer server hardware better. This is already running and will end in total of 70 man days.
HSS Whitepaper (German Language).
hyperbole sales pitch or technical interview, you be the judge.
What does this even mean? The star? Is that a department of n.runs or an employee or…what?
If you’re good enough to build this HSS system why would you buy load balancers for 40k? It’s not like these guys have the traffic volume of youtube for their site.
Suuuuuuure, and the pope is protestant.
It doesn’t surprise me. Unless you’ve got a decent clued up sysadmin, buying an appliance seems like a good deal.
For everyone playing along at home, HAProxy can do software load balancing at 10GbE line speed on a fairly cheap low end box, and it can do it for a hell of a lot less than €40,000
Yeah, this guy sounds like some 1337 kid that wants to sell his snake oil.
Creepy stuff … if the HSS patches for the kernel are so great that a proprietary front end can generate millions in revenue than maybe someone should take a look at the source (or tell Harald Welte if the source isn’t published)
Man, I have never seen somebody having eaten the wisdom with spoons, like you. Really. I am so impressed of all your technical knowledge you have given to your best here in this whole discussion. You did not had one real technical interest instead of blowing farts into this blog. I am sure that was developpping already, when you were still running around the Christmas Tree with a drum around your neck.
The culture I come from, works differently from your’s. I have learned during my 52 stays in the US, to keep my tongue under control, and not to talk around like it has grown, and behave differently to Americans, you know, there are these dos and donts, but “hey”, with a buddy like you, I feel like at home and probably tomorrow, all the things we wrote about affect me like a pee in the Mississippi.
God bless you, Soul(bit)bender
Actually, I feel for your frustration. It’s extremely difficult to have a positive conversation about what you are doing when there are so many cynics waiting to knock you down. Now, instead of understanding the product better, everyone will get caught up in an unproductive flame war about tangential details. Sometimes people resort to obnoxious reasoning in order to control the discussion – it is all hugely distracting.
Yes, I know, this post is ironically guilty too.
This attitude appears to be the norm everywhere as far as I know, is german culture any different?
I am interested in what you’ve done to make linux more secure (not as a customer, since I’m poor, but as a computer scientist).
Edited 2011-07-01 00:35 UTC
Normally, I’d agree with you. But that positive conversation can’t take place here. If there are kernel security experts here, they don’t have access to their product and can’t evaluate their claims. If there are not kernel security experts here, their product hasn’t earned the respect of the experts elsewhere. Its not really worth discussing the potential security benefits of an untrusted, untestable system. So, people end up focusing on the crazy claims of espionage and international three letter acronym intrigue that make this seem as shady as a back alley kidney transplant.
I’ve read white papers of products I already use and pay for that I know are full of sh*t and don’t do half the things as well as they claim. The real important information about a product comes from independent third parties that test and use the systems.
Bill Shooter of Bul,
“If there are kernel security experts here, they don’t have access to their product and can’t evaluate their claims. If there are not kernel security experts here, their product hasn’t earned the respect of the experts elsewhere.”
Sure, those are valid concerns for people interested in buying the product.
“Its not really worth discussing the potential security benefits of an untrusted, untestable system.”
I disagree, Alex may very well have some valuable insight to contribute to a discussion on linux security. I am interested in the mechanisms used to control access in the kernel and it is worth discussing regardless of whether the product is proprietary or not, IMHO.
“So, people end up focusing on the crazy claims of espionage and international three letter acronym intrigue that make this seem as shady as a back alley kidney transplant.”
Yes, I don’t think Alex was expecting this. He got off on the wrong foot.
Technical questions for Alex:
1. What kind of context does HSS consider when deciding whether to permit or deny a request?
2. When a process executes “su”, does the kernel invoke a userspace permission check through IPC? Is this somehow cached in the kernel, or repeated for every security check?
3. You indicated fewer scripts were required to use HSS, are events scriptable under HSS or do they have to follow a strict pattern engine?
4. How does HSS deal with concurrency? In particular, can the userspace portion handle parallel IPC requests (assuming there is a userspace portion) or are they serialized?
5. What is the impact to performance when the permission checks are enabled?
6. Does HSS do anything special to help debug app problems caused by restrictive permissions? How do I determine why my app is failing?
7. Does HSS work with a customized kernel?
8. Are the configuration files human read/writable or are they binary?
And I might as well ask, are you hiring english speaking devs?
Well, It was a sales pitch with minimal technical info. If they wanted to discuss the technology behind it, thats great they should have tried that instead of the sales pitch.
But for what its worth Google translate does a fair job on their whitepaper. it doesn’t make me feel any more comfortable about the product, but you might find some good discussion points
http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http~*~…
I will have translated the white paper at 10th. of July.
Cheerio
Alex
In addition to the white paper, you should also provide the source code to the modified linux kernel. Code matters more than white papers. In your zeal to sell your products you overreach with your claims ( just looking at the claims for RHiPP: Hint, its not the only file transfer protocol to ensure that the file is copied correctly). You might have a great product, but there is nothing any one can really look at to verify those high claims.
It would also be a sign of good faith to divulge your plans for the linux kernel. Are you going to try and intigrate it into the official kernel? Are you going to try and keep your patches up to date? The whitepaper refers to kernel 6.17 which is old as dirt (2006). Even RHEL 5 used a newer kernel (2.6.18) upon release.
Hi Alfman,
I will come up with the answers after the weekend.
Thank you
Alexander
Hi Alfman,
I will send you a license. Where to please?
BRegs
Alex
Nice job insulting my technical knowledge (of which you know nothing). Nowhere in my post did I insult the technical skills of you or your team. Maybe you have a great product, maybe not. There’s now way for me to tell because you provided so very little technical information and there are no sources of information.
There was little technical info provided. You mostly provided hyperbole and a sensationalist conspiracy theory as to why someone broke into your office. As I said, an interview with technical details provided by the designer would have resulted in a more technical and interesting discussion.
You don’t even know what my culture is. Hint: not american.
I wouldn’t bet on it.
You started insulting, I don’t care for your culture. And I will not anwer any replies to you anymore, nor will I send you a copy of the product.
I think I will give Dave Adams a copy, he can eval the tool then with his people of trust and write about it.
Cheerio and bye forever.
Well, while I can agree that Soulbender took a very negative tone (TypeOnegative, I lol’ed!), I’d say that generally people here on OSNews have very little patience with what they percieve as marketing fluff so you shouldn’t take it as something personal.
As for the whole culture thing, I’ve never really bought into that. AFAIK Soulbender is (like me) from Sweden and certainly don’t feel any ‘cultural bond’ with him or his views and I certainly doubt that he does towards me. Let’s leave generalizations concerning nationality out of this discussion please.
Hyperbole?
Take a look at the claims for their file transfer protocol.
http://ipisec.de/index.php?option=com_content&task=view&id=17&Itemi…
This is interesting, but it also feels like Tsolkas is pushing his product. Not that he doesn’t have a right to do that; but the whole thing looks just a little odd to me. And HSS doesn’t seem to have much of a following; Googling it turns up this article and little else.
Also, I don’t know Systrace from Adam, but considering the OpenBSD people consider it okay, I’m a bit confused by Tsolkas’ dismissal of it as providing “bad security.”
I’ll admit I’m no security guru. But doesn’t this smack a bit of scare marketing and FUD?
Edit: “Director Sales & Marketing…” Oh yeah. Duh.
Edited 2011-06-30 16:14 UTC
Didn’t you hear the man? They’re keeping a low profile because everyone wants to steal the code for their open source product. Uhm..no wait…wtf.
It’s not, as long as you use it right. It certainly has some flaws but as long as you’re aware of them and use the tool as intended it can be useful. Used wrong anything can be made to be “bad security”.
Scare mongering = sales.
Hi Soulbender, it is me, Alex.
So let me give you some answers.n.runs AG is one of the best pentesting companies here in Germany and tested it. Call them, one of the two directors is American. http://www.nruns.com/_en/impressum.php. It is DOnald Lee.
You forgot the 4 Laptops in addition to the 2 LBs.
It first has been published in IDG Computerwoche in the online blog “Security Expert Council – called Security Expertenrat”, but IDG closed that blog in 2010. Look it up in Google Cache please.
We are not afraid that somebody steels the code for the Unix OS, but for the control panel software (licenseware) which controls the security functions we have implemented. We have no intention of making people scary, we are just selling a secure OS.
Why do you argue so agressive? Be happy. Somebody invented something for good. By the way, Chief Developer was Marc Delling. Laugh, we are going to make our money with it anyhow, we already do. But just in case, that somebody spends 10 mandays in front of an SE-Linux to get it secure, we have a quicker, and well, of course a more expensive solution.
We send David a copy of the license soon, so maybe you got a chance to look at it too.
Bye for now, Alex
I figured that much but the sentence in the article is confusing.
Uh, ok? Is that fact supposed to impress me?
And why would the 3 letter agencies been interested in the control panel? It’s just a front-end to the actual functions. I’m sure any shadow agency worth it’s salt could put together a frontend of their own, if they even need one.
The answers in the interview has a pretty scare-mongering tone, especially with the “the shadow agencies of the world are out to get our stuff” spiel.
Good for you. Maybe you have a good product, maybe not, but either way you’re not doing it any favors with the hyperbole and scare-mongering tone in the interview.
Yes, we would like to sell the server more. So to bring the discussion on a levels of facts, I suppose, you may wait until I will have translated our whitepaper into English. At the moment we only have the manual in English.
Cheerio
Alex
I hope you will apply more quality to the english version of the whitepaper (really, not uninteresting!) than to the german version witch iss ful of speling erors annd, a typogreffical kattastrofe. 🙂
Really, I find your project interesting, and it deserves higher-quality representation text material. You really should invest into a person that knows German sufficiently well (and also can use proper professional typesetting tools for optimal presentation) and can also provide a well written english version. Low quality documentation should not be the reason why a good project is being laughed at.
Pages 5 and 7 are “good” examples full of spelling errors and typographical no-gos. To a professional reader, the missing quality might very well be a reason to stop reading after page 2, which would be sad as the document is quite informative, but very hard to read.
You should also pay more attention at using correct terminology; e. g. page 5 footnote 1 mentiones the IMMUTABLE flag which definitely is not limited to Linux operating systems (only).
As security experts, being precise and correct is mandatory. You see, I’m not insulting you; please see my comment as a friendly advice without any belitteling of you as a person or HSS as a project – see it as constructive criticism including stated reasons.
I have not find typos on pages 5 to 7 but some format problems in deed. Thanks, yes, will consider it. We are just in the start-up phase for marketing now, and I like contructive criticism. I will go through it again, when writing the English version.
Bye and a good weekend
Alex
Example on page 5: 1.1 item 2 missing comma after “werden”; item 4 “d.h.” missing non-variable space; item 5 supoerflous comma before “etc”; item 12 “dass” (conjunction daß) instead of “das” (article) required; footnote 1 exact opposite error.
Same page, 1.2 “sogenannten” unword according to newspeak, has to be “so genannten” now.
Superflous and missing commas, also missing hyphen in compound nouns. Also the typesetting is very bad on this page.
Those are of course not all errors on this page, there are more. I just picked those as an example to illustrate that they are definitely there. Proper proofreading will bring up many others.
Examples on page 7 contain typesetting again, there are massive “holes” in the text because of missing hyphenation. Also watch the commas.
Good idea, and honestly good luck, as properly reviewing and correcting the errors in content and form (which have to match each other if one wants a document to be taken seriously) are very important. And the project is worth it.
“Why do you argue so agressive? Be happy.”
Because it’s Soulbender’s MO
TypeOnegative
That made me laugh but I’m not entirely sure why.
Not that I think I was that negative. If you seriously suggest that CIA/GRU/MI-whatever would try to steal the source for your control panel app than you get what you deserve.
Edited 2011-07-01 15:37 UTC
Yes, unfortunately it does create some sales, but it also scares away more informed customers. The article has me curious, but highly suspicious and dubious due to scaremongering tone. There have been a lot of snake oil security companies. Without wider distribution and use, it won’t get the linux security community excited. If they get excited, then I’m excited and might consider it.
The security is obviously implemented in the closed-source administration tool!
…
yes! thanks. Control Panel = Licenseware
Hi Gullible Jones,
yes of course I do marketing for our new product, why not? IBM is doing marketing, HP does, Tesla does, and we do too. We have invested a lot of money and time in it.
Cheerio
Alex
An interview for a tech news site is the wrong venue for marketing your product. You’ll just end up alienating your audience.
I”m sure many of the people here would have been more interested in an interview with Mark Dellinger.
If you have questions related to the server, I am pleased to answer them to you. Tomorrow. But now, I am going to have a big beer and will look the rest of the game of women’s championship in soccer.
Cheerio Soulbender
Have a nice rest of the day.
Although it was obviously a sales pitch, I think he’s right that linux security is in a bit of disarray. Like he said, apparmor will do the job, but it has a lot of room for improvement.
“We wrote in 2008 in IDG Computerwoche (Computerweek) about it and three days later somebody broke into our Hamburg offices and tried to steal the source code. Fact is, we never had the source in our offices…So we think, that one of the existing three-letter-code agencies on earth tried their luck. Since that time, we’ve been keeping a low profile.”
I don’t understand this at all, isn’t the code running in the kernel open source? Is it just the control panel which is closed source? If so, then why would any agencies really care about it?
I certainly hope he’s not implying that keeping the source code secret is crucial to the security of the system. A source code leak shouldn’t compromise security in the first place.
Edit: I’m probably reading into it to much, but I just don’t understand why he’d bother to bring it up.
Edited 2011-06-30 16:55 UTC
Hi Alfman,
thank you for this objective comment.Apparmor was good, but…it is exactly how you write.
Agencies care about it, because we already sell it world wide, and there is no backdoor, there is no weak point in the server, except the one sitting in front of it.
No, I will ask where the source resides and let you all know. We do not bother to bring it up. We sold it silently the whole time. But we said, we can have more success if we make some “Rambazamba” as we say here in Germanistan.
Best Regards
Alexander
Let’s try once more:
why would agencies be interested in the configuration front-end, when it’s the GPL’ed code running in the kernel that’s interesting security-wise?
If you use the Linux kernel, doesn’t GPL require you to post sources? Am I missing something?
Hi AndrewZ,
I have to ask Marc Delling, the Chief Developer and come back with an answer soon. I am sure he did.
Bye for now
Alex
See, this is an issue for me. This site is populated with engineers and developers that understand technology to absurd levels. Your chief developer should be the one who wrote the article for this site. You sent the wrong message to the wrong audience.
Well,
I am not a marketing guy, I studied information technology, but no worries, I understand the server quite well.
GPL compliance is pretty basic, IMHO. If you can’t meet the obligations of the license, you can’t distribute your product. That’s sort of important to your business model, I would think.
Hi Bill,
yes we know and considered it. Thanks.
Alex
So what’s your conclusion after you have considered them ?
Hi, what do you mean please?
And…? If you’re selling a product based on GPL code, then you should re-distribute the same code under the same license. If you’re selling it _without_ the source code, then you’re violating the GPL.
It takes less than 5 minutes to submit a request to http://gpl-violations.org/, and afaik Germany is already a proven country for the validity of the GPL.
Where can we find the source code?
Cheers
To be fair, only those who have been given the binary are entitled to ask for the source. Any recipient of the source is welcome to release it for wider distribution for whatever cost they would like. Its not required to be provided to the general public, unless you are also distributing the binary to them.
But trying to keep GPL’d code secret is crazy. It is not a good sign that it is not generally available.
Actually, no you are not. You don’t have to provide the source code unless someone specifically asks you for it. Then you are required to provide it. And of course, nothing is stopping you from taking the source once they give it to you and publishing it for all the rest of the world to see. That would be perfectly legal.
Bill, how old are you please?
I do not divulge more personal information than is necessary on the web in unsecured channels. Its like asking me what my mothers maiden name is or the city I was born in. You shouldn’t ask those questions, and people shouldn’t answer them.
I can’t find the source of the modified kernel, does anybdy else know where to find it?
“A Highly proprietary … secure kernel.”
So its proprietary and nobody has the source to review it to confirm its “security”.
Mmmmm…..OK.
As a rule, anything that is a binary I don’t trust.
Source code I do trust as it can be peer reviewed.
That is the best security you can get, next to running a NULL kernel. (Which is what every machine runs when it is powered off.)
-Hack
Would be interesting to see if someone who makes the request receives the source code for the secured kernel. Please let us know.
Honestly I barely understood the “interview”, it is bad enough that English is not my primary language. But if you write in broken English that makes it harder to understand.
The CIA/ KGB conspiracy theory was funny though. Don’t know if that was the intention.