Lightweight Portable Security
There are any number of organizations that have a need for a security-oriented OS that can be freely used on computers at coffee shops, hotels, and the like. The US Department of Defense (DoD) is one such organization and it has put together Lightweight Portable Security (LPS), a live CD (or USB stick) Linux distribution, for use by its employees to access the web—or their desktop remotely. While the technology behind LPS is not particularly noteworthy, though it does have some interesting features, it is noteworthy that DoD chose Linux to deliver this kind of solution. Perhaps that shouldn't be surprising either, though, as the proprietary OS vendors don't really offer any way to customize their systems to anywhere near the extent that Linux does.
LPS was developed as part of the DoD's Software Protection Initiative (SPI), which is run by the Air Force Research Laboratory (AFRL). SPI's mission is to "marginalize a nation-state class threat's ability to steal and exploit critical DoD intellectual property found in application software (executables, source, and associated data)." While LPS will certainly help with that mission, it doesn't seem anywhere near hardened enough to fend off nation-state class threats.
The distribution is available as ISO files in either of two "public" editions: standard or deluxe. The deluxe edition simply adds OpenOffice.org and roughly doubles the size of the release. The existence of a public version would seem to imply that there are less-public versions of LPS—one of those may be the LPS Remote Access Edition, which doesn't come with download links and instead has a way to request custom versions.
Version 1.1.1 of LPS was released on November 15 and can be burned onto a CD directly. In addition, bootable USB sticks can be created, but only (easily) under Windows.
When booting into LPS, one is greeted by a screen with badges for the three organizations responsible and a progress bar. After that, a window pops up that gives three choices: read the user agreement, agree to it and continue, or reject it and reboot. The agreement itself notes that the software is governed by the GPL and disclaims any warranty. While it is not unheard of for Linux distributions to have a click-through license, it is a bit strange.
Once the agreement has been accepted, LPS loads an IceWM desktop, which prominently features those three badges again, along with icons for a number of applications (e.g. Firefox, OpenOffice.org, Documentation, Xterm). The layout is fairly Windows-like, presumably so that it doesn't scare off the target users. There are also menu entries for things like SSH, Citrix, and Microsoft remote desktop clients.
Once you start poking around in LPS, though, some questionable things jump out. Starting the Xterm gives a root BusyBox shell for example, and a simple ps shows that everything runs as root. That includes Firefox, IceWM, the wicd network manager, and so on. One of the features of LPS is that it doesn't mount the local disks of the system, but that is trivial to work around with mount.
If LPS is started from CD, making persistent changes to it is not possible, but part of the idea is to isolate the data on the local disks from internet-based attacks. For public computers in hotels or elsewhere, there may not be anything of interest on the local disks, but if users are booting LPS on their home systems or laptops, that assumption may not have much merit. Given that everything runs as root, and the local disks are accessible, whatever OS is installed locally could be subverted.
For USB-based LPS systems, the situation is even worse. Though the USB stick isn't mounted by default after LPS boots, it certainly can be. The LPS user's guide [PDF] notes that removing and re-inserting the USB stick will mount it, though malware could also mount it directly. That would allow LPS itself to be persistently modified.
There are some warnings that might alleviate some of these problems. It is recommended that a separate USB stick be used for data, for example. In addition, there are suggestions that LPS be rebooted before making any "sensitive" transactions—and after visiting dodgy web sites. It seems a little unlikely that users will actually follow those instructions, either because they forget or due to the annoyance of a fairly lengthy boot time.
It is a fairly old kernel that LPS uses (2.6.27), but it has been updated to one of the more recent—but not the most recent as of November 15—stable versions (2.6.27.53) based on the uname string. Whether there have been any patches applied on top of that kernel is difficult to determine as there is no source code provided—at least in any obvious location.
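The two observations above (everything in the process table owned by root, and a kernel whose patch level has to be read off the uname string) are easy to turn into a repeatable check when evaluating a live distribution. The script below is an added example, not part of LPS or the article; the ps samples are constructed to mimic what the article reports, and the reference kernel version is a placeholder you would replace with whatever stable release you consider current.

```shell
#!/bin/sh
# Added audit helpers for a live-CD session: flag an all-root process table
# and an out-of-date kernel. Functions read from stdin or take arguments so
# they work on real `ps -o user=,comm=` / `uname -r` output as well as on the
# constructed samples below.

# Constructed sample imitating the article's observation: every process is root.
LPS_PS='root init
root icewm
root wicd-daemon
root firefox
root sh'

# Constructed sample of a session where the browser runs under its own account.
HARDENED_PS='root init
root icewm
root wicd-daemon
browser firefox
root sh'

# Placeholder reference version; replace with the stable release you consider current.
REFERENCE_KERNEL=2.6.27.54

# Print how many listed processes are NOT owned by root (0 means "all root").
non_root_procs() {
  awk '$1 != "root" { n++ } END { print n+0 }'
}

# Print the distinct users that own listed processes, one per line, sorted.
proc_users() {
  awk '{ print $1 }' | sort -u
}

# Succeed (exit 0) when dotted kernel version $1 is strictly older than $2.
kernel_older_than() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" \
      | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)" = "$1" ]
}

# Summarise one session: $1 = ps output, $2 = uname -r, $3 = reference version.
audit_session() {
  nr=$(printf '%s\n' "$1" | non_root_procs)
  [ "$nr" -eq 0 ] && echo "WARN: every process runs as root"
  kernel_older_than "$2" "$3" && echo "WARN: kernel $2 is older than $3"
  echo "users owning processes: $(printf '%s\n' "$1" | proc_users | tr '\n' ' ')"
}

audit_session "$LPS_PS" 2.6.27.53 "$REFERENCE_KERNEL"
```

On a real session, pipe `ps -o user=,comm=` into `non_root_procs` and pass `$(uname -r)` as the second argument to `audit_session`.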
A query about the source location was answered by Rich Kutter of the AFRL who said that LPS is based on Thinstation 2.2.2 with only minimal modifications. A change to the OpenSC smart card libraries/utilities to better support the DoD Common Access Card (CAC) is the only substantive change. He said that the code for that change will be placed in the ISO image for the next release due later in December. But that doesn't satisfy the GPL requirements, as the full source needs to be made available, which is something they are planning to do, he said.
It would seem that SELinux has not been enabled for LPS, which may not be a huge surprise for a, supposedly, read-only system. It is, however, another US government security solution for Linux, and could have been used to sandbox Firefox and its Flash plugin for example (though just running them as non-root would be a good start). Overall, one gets the feeling that the folks behind LPS may be working in something of a vacuum, and not fully considering all of the threats that LPS might face. Perhaps part of the reason there is a public version is to get that kind of feedback.
There are some specific additions to LPS for DoD users, including support for CAC and Personal Identity Verification smart cards. Evidently, there are some web sites that are only available to folks that have those cards and an available USB smart card reader, so Firefox has been configured to do that kind of verification.
There is also an Encryption Wizard that allows for Advanced Encryption Standard (AES) encryption and decryption of files. The Java-based wizard has also been turned into a Firefox plugin so that web-based email (e.g. Yahoo, Gmail, Outlook Web Access) can be encrypted.
Overall, LPS is perfectly usable—if painfully slow for unknown reasons on a not underpowered laptop—for web surfing and document creation. It has a very limited set of applications, presumably by design, and no way to add any new ones. If you need GIMP or Thunderbird, it would seem that you are simply out of luck. Once the source code for building the distribution is available, one could presumably build their own derivative with additional applications, but that is difficult to do at the moment.
While it seems dubious that LPS would thwart a targeted attack from a nation-state-sized attacker, that is probably also true of most or all Linux distributions. But there is clearly more that could be done to harden LPS against less targeted, or less deep-pocketed, attackers. LPS may give the impression of being more secure than it actually is because of where it comes from, and that is a bit worrisome. Given that there are entities actively trying to access classified information—either for espionage or posting on Wikileaks—LPS only provides a partial solution to those problems.