Hi everyone, I'm very new to Genode (discovered last week with seL4), so please forgive my lack of experience.
I just wanted to bring you some information that might interest you, may be not today but soon (I hope). I stumble accross CHAINIAC <https://eprint.iacr.org/2017/648.pdf> (Usenix presentation video <https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/nikitin>), a system to distribute software with many nice properties, that might be used for Debian packages one day. I copy-past Bryan Ford (co-author) description emailed at IEFT <https://www.ietf.org/mail-archive/web/suit/current/msg00154.html> : Abstract: Software-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of integrity and authenticity for software-release processes. Independent witness servers collectively verify conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release is accepted by clients before being widely disclosed and validated. The release log embodies a skipchain, a novel data structure, enabling arbitrarily out-of-date clients to efficiently validate updates and signing keys. Evaluation of our CHAINIAC prototype on reproducible Debian packages shows that the automated update process takes the average of 5 minutes per release for individual packages, and only 20 seconds for the aggregate timeline. We further evaluate the framework using real-world data from the PyPI package repository and show that it offers clients security comparable to verifying every single update themselves while consuming only one-fifth of the bandwidth and having a minimal computational overhead. It uses blockchain, but it is an optional feature (as discussed in the Q&A at the end of the Usenix Conference <https://youtu.be/xpT6L8htINU?t=24m18s>) as long as you can check servers of the Cothority (if I have understood it well). It is written in Go (github repo <https://github.com/dedis/paper_chainiac>). On the subject of application portability/deployment, I know there is a lot of initiatives trying to normalize application packaging in a Linux kernel context, like OCI <https://www.opencontainers.org/>, Habitat <https://www.habitat.sh/>, Flatpak <https://flatpak.org/>, each targetting a different audience (cloud/desktop). It might be an interesting combination with Chainiac... I don't know. That was my $2 contribution. Hope it was not spam for you. I really want to help. I can start a wiki page if you want? But I will not be able to maintain it. Disclaimer : I'm absolutely not an expert neither about kernel/OS development, software distribution/package management, cyber security or any technology of this topic. But, until recently I've tryed to develop a generic desktop secure OS that isolate every process into a sandbox (using a Linux kernel, tools like firejail/bubblewrap/minijail providing linux-namespace and secomp-bpf, and inspiration from OpenWall for least priviledge policy. I've a prototype runing and working well but really too hacky. I've stopped because of not enought time and resources. Genode is an obviously much better approach! Congrats :-) I cannot wait to see my workstation runing a port of Qubes/SubGraph on Genode+seL4... Best wishes and happy new year. Michael Bideau, from France.
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ genode-main mailing list genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main
