Indian Military Organization To Develop Its Own OS 466
An anonymous reader writes "Several newspapers have reported that DRDO (the defence R&D organization of the Indian military) is planning to create an OS. The need for this arose due to the cyber security concerns facing India and that all [conventional] operating systems are made outside India. About 50 professionals in Bangalore and New Delhi are expected to start work on this operating system." At least one of the linked articles says the new OS, though home-grown, would run Windows software.
Re:Confusion (Score:5, Insightful)
Mod parent insightful.
If you are going to run windows software you can bet they will start with with a Virtual Machine approach or Wine, and neither one buys them much security without diligence.
he idea that a government funded military lab would develop from the ground up and achieve something that would run windows but wasn't as vulnerable seems highly unlikely.
Budgets lapse. People Come and Go. It would be a mess.
Why not do *BSD or Linux code review and use it? (Score:5, Insightful)
Seriously, why not take a *BSD or Linux OS release and do a full source code review on it? It will take a lot less effort than creating anything from scratch, plus they can submit bug reports and code fixes back to the corresponding opensource projects. (Everybody wins!!!) Any mature OS would not be plagued by bugs that commonly occur in large new code bases. After reviewing and approving the OS, they can simply track changes of future releases in order to maintain trust.
Re:Who can be trusted? (Score:5, Insightful)
Don't use Binary Blobs, I agree, absolutely, if you care at all about your Sovereignty. Get the source tree for an already very well secured OS like, say, OpenBSD, or perhaps Linux (though OBSD is, I believe, generally developed with practices that encourage better security - less focus on feature, more on audits and exploit finding/fixing). Have your 'trusted' developers from your nation go over every line of code, to make sure no trojans/backdoors/intentional exploits were added, then build it all yourself.
Of course, there is still always the possibility you have a hacked C compiler. Man, I can't remember the name of it now, but sometime in, I think it was the 80's, someone made a pretty famous presentation/paper about putting a self-perpetuating trojan into a compiler. You could give the compiler source code, and the binary of the compiler to the 'mark', but you could completely remove the exploit from the source code, as long as the exploit was coded to compile itself into subsequent builds of the compiler; that is, the binary was infected, but the source was not, but it didn't matter since the infected binary could build a copy of itself into the next build of the compiler. The exploit could then additionally do something like whenever it built other binaries or libraries, add some exploit code to them as well.
I suppose you need your own people to do a dis-assembly of the compiler to verify that. Or, build your own assembler in machine language, then build your own compiler with your assembler. Once you've done that, if you have a trusted compiler, and verified source code, you don't really lose security by using Open Source. If anything, it'll *probably* be more secure, if it's popular enough to have a lot of devs analyzing it and fixing problems.
Re:Why not do *BSD or Linux code review and use it (Score:5, Insightful)
Re:The Wheel (Score:2, Insightful)
If it weren't for repeated reinvention of the wheel, they would still be hexagonal rocks. Reinvention is what drives technology forward. Invention is a rare treat.
Re:The Wheel (Score:5, Insightful)
HAH! 'Tired' -- good pun!
Re:Who can be trusted? (Score:5, Insightful)
Of course, there is still always the possibility you have a hacked C compiler. Man, I can't remember the name of it now, but sometime in, I think it was the 80's, someone made a pretty famous presentation/paper about putting a self-perpetuating trojan into a compiler. You could give the compiler source code, and the binary of the compiler to the 'mark', but you could completely remove the exploit from the source code, as long as the exploit was coded to compile itself into subsequent builds of the compiler; that is, the binary was infected, but the source was not, but it didn't matter since the infected binary could build a copy of itself into the next build of the compiler. The exploit could then additionally do something like whenever it built other binaries or libraries, add some exploit code to them as well.
That would be Ken Thompson. [bell-labs.com]
Re:Who can be trusted? (Score:5, Insightful)
What the fuck? A government checking the code it runs on computers with sensitive data is "national socialist"? You think the United States government doesn't do this on CIA and DOD computers? Or are you a nut against building roads?
We're talking about doing this only for government computers used for sensitive government data.
Re:Oh For Chrissakes (Score:3, Insightful)
Trusting Trust (Score:3, Insightful)
Re:Mod parent up. (Score:3, Insightful)
Security needs to be designed in from the ground up. Take a look at Windows, Linux, and MacOS. New exploits are constantly being discovered in those systems because security was not a key part of the development process when they were written.
Windows, Linux, and MacOS were all written in C which burdens the developer with safeguarding against all manner of possible security holes. In C a security hole is as likely as a bug with the exception that a bug is likely to be discovered and fixed by the developer while a security hole will go unnoticed until an attacker discovers it. If you want to build a secure OS today you should start with tools that eliminate the most common security holes. That would include automatic bounds checking which none of the aforementioned systems were built with.
If you want a secure system you make sure every action and every module of code is authenticated before it runs. The system will work a lot better if it is designed that way from the ground up. Existing operating systems would at minimum have to be modified to do this.
A secure system would be developed with best-practices that reduce the likelihood of exposing a vulnerability. For example, the potential attack vectors for shell injection attacks would go through a centralized library that safeguards against it.
All of these things are best done by writing a new system from scratch with more secure tools and practices. At the same time, the developers can look to Linux or BSD for example algorithms on how to solve common problems but make sure the actual implementation uses the aforementioned best practices.
Less Secure (Score:5, Insightful)
It seems to me that an OS developed by an org that's never made an OS before, by 50 people, that isn't examined by many people around the world in many different contexts and from many different approaches, is going to be less tested and less secure than other OS'es. Not to mention the lack of applications, and the burden of creating all the applications from scratch, and a developer community for them, and again the smallness and isolation of that community and its apps leaving security to a very few very busy people.
If I were responsible for protecting India's IT infrastructure, I might start an Indian state project to create an OS. But I'd just start with Android or Linux, and assign the people I have to investigating its open code for security holes and starting applications needed by essential Indian users. A lot less work, a lot more global partners to use (and many to omit from trust without losing everyone). Leveraging the English speaking skills of educated Indians to partner with people around the world to secure India.
Reading the press, it seems they're really talking about a component in their new line of spy and military satellites. They mention they've got orders from other countries. So probably this venture is not at all calculated on security rissk, but rather on a perceived market opportunity. In which case it is even more likely to totally fail, but not after wasting a lot of time and money better spent on actual Indian security risks.
Probably some general's nephew thinks he can sell some Linux clone to the government, and so the rest of the state and media apparatus starts talking it up.
Re:Who can be trusted? (Score:1, Insightful)
In reality, you don't need to have the whole OS trusted. You need some things trusted:
The boot path. You want a TPM-like chip that can take you from power on to login screen with a chain of custody ensuring that nothing can be tampered with without being detected. With encryption that mounts the data volumes only after the system volumes and the kernel are vetted, tampering can only deny access, nothing else.
Signed executables for stuff that matters. The signing system would require each signature actually be multiple signings, but with different algorithms. This way, if someone TWIRLS RSA into linear time for factoring, DSS will allow validation or not.
The hypervisor or jailer. You can have nontrusted stuff happily running its little malicious heart in a VM, especially if there is protection from the OS to the hardware.
Cut and paste functionality. You have levels of trust (nontrusted, classified, secret, top secret), and when you copy from one layer, you can only paste into that layer or higher security. This way, someone can copy a quote from /. and post it on an internal document while the reverse can't happen.
User presentation. You want to make sure programs cannot masquerade as system stuff. For example, Windows requiring control-alt-delete before logging in makes sure that no process can fake the login dialog.
Re:Why not do *BSD or Linux code review and use it (Score:3, Insightful)
With some 100% home grown OS, then we can be pretty sure that some large military contractor wins, at 250% of the quoted cost. Whether that results in something that's usable in war is an open question.
Re:Who can be trusted? (Score:1, Insightful)
What the fuck? A government checking the code it runs on computers with sensitive data is "national socialist"? You think the United States government doesn't do this on CIA and DOD computers? Or are you a nut against building roads?
We're talking about doing this only for government computers used for sensitive government data.
Nice conflation of multiple unrelated tangents. The shortcomings of American law enforcement and Intelligence agencies at modernizing systems is legendary. There were numerous news items out as few as five years ago about the FBI being unable to perform compound queries and unable to complete an upgrade process that had been underway for like a decade.
It absolutely would require national socialist style dedication from a populace to keep the government anywhere near up to common best practices.
Is the DoD still trying to get the Navy to sign on to MS on subs and battleships via D2? Isn't the CIA still notorious for the deals they cut with private enterprises to get what they need outside of normal acquisition and review channels?
You are overrated and seem to think that just because you are paying taxes something is being done to secure your infrastructure.
There are not bigger failures in the world of IT than the failures of the U.S. I.R.S., air traffic control, law enforcement, and intelligence attempts at deploying and maintaining tech infrastructure.
If you have a problem with that last statement please post links, I am with conventional wisdom here as ten minutes with a search engine will reveal and I can cite billions spent on completely abandoned projects for each agency listed above.
It would take a country of Nazis to even attempt a general technological segregation from the rest of the world.
Comment removed (Score:5, Insightful)
I'm in awe. (Score:5, Insightful)
Obviously, they're not going to develop any such thing. Ever. This is one of the most brilliant job security moves I've ever seen in the computer industry. Kudos!
Re:Have you ever met? (Score:5, Insightful)
Yes I have met some amazing Indian developers out there. There are also many H1B visa programmers who may be lacking in experience and are desperate to succeed in a foreign country which, lets be honest, considers them outsiders. They make half the pay in many situations and can be fired and sent home in the span of a week for any petty job disagreement.
True innovation requires the ability to make mistakes, learn from them, and try something new - which is contrary and alien to the H1B "cog developer" system. I doubt many Americans could be as disciplined and work under such pressures and situations.
Back home, India is building a truly amazing scientific pool of talent. Expect to see major challenges to American engineering & science - the population numbers game almost guarantees 3x the genius-level talent waiting to be discovered and educated.
WTF (Score:2, Insightful)
They want to develop a secure system, yet they base it on the least secure system in existence? The API was never designed with security in mind, and you cannot ever safely attach a bare Windows system to the net without it getting owned in less than a minute. Do they really believe they can wave a magic wand over the massive amount of Windows code, and make it suddenly secure? The security problems don't sit entirely in the Windows code, it also exists in the innumerable poorly written applications. If you run these apps, then you don't have any change at securing your code.
Re:Mod parent up. (Score:1, Insightful)
I'm sure a lot of people said that "metric" and honestly believed that the code they were maintaining was that bad. But how many of those rewrites actually succeeded at all -- let alone in less time then was needed to work out the old code?
It's not just about bureaucracies, it's about people seriously underestimating development effort: When you're looking at a working product, all the details and hacks and complexities are visible so it looks idiotic, but when you've only designed (but not implemented) "the new system" it's all elegant and clean and simple... That's not surprising.
Re:Why not do *BSD or Linux code review and use it (Score:3, Insightful)
But bearing in mind that a number of the participating countries introduced conscription, being a civilian at the start didn't guarantee that you wouldn't be forced to be a soldier and end up dying of chlorine poisoning.
Re:Mod parent up. (Score:3, Insightful)
And the people who came after them probably said the same...
Re:Have you ever met? (Score:3, Insightful)
The model in place now encourages people with *no* talent for software or systems development to choose that as a career path, and it shows. That doesn't mean that there are no talented people there -- just that the outsourcing craze (and corresponding promise of significantly improved lifestyle for self and family) lures a lot of people who wouldn't otherwise even consider this career. To a lesser extent, the dot-com craze caused the same problem here in the US: a lot of people who had no skill or talent for software development jumping into the business as a way to make money.
The unfortunate truth is that they get away with it - I've seen first-hand how we've evolved our expectations of offshore outsourcing companies to be little more than monkeys behind keyboards. Innovation, troubleshooting skill, and general analysis ability are not requirements at most outsourcing shops. I've even gotten in trouble at work for being 'too stringent' in my requirements. This was because I expected a senior software developer to be able to describe how a hashtable works internally; why you might want to use a hashtable. I also expect them to be able to sketch out an object model for an everyday concept like a house. And when they couldn't , I rejected them. I was told that if they can churn out code to spec we want them.
At least one of the vendors we worked with (TCS) had a habit of listening in on the phone to our interviews (even recording on a couple of occasions, though they haven't admitted it - I know what a beep every five seconds means ;), and amazingly the successive candidates got better and better at answering our basic technical questions. Now I can't say for *sure* that they were getting fed a questions list ahead of time, but I *do* know that the answer I receive from different candidates are remarkably close to identical on non-conceptual subjects. (On conceptual subjects, almost all bomb completely. Unfortunately, I'm not permitted to consider that in most cases.)
Anyway - the net result is that we have a lot of people who would function much better flipping burgers instead writing our code for us. And if our specs don't contain very very precise details (sadly some of our leads have taken to embedding code itself in the tech specs - which can then be copy-pasted, because it's just faster than getting them to fix it when they screw up), they flounder hopelessly. Similarly, they struggle mightily when trying to troubleshoot problems that I consider simple. (Hint: If you can't at least *start* to debug a problem without a log file and/or walking through a debugger, you have chosen the wrong career path.)
The most important thing here is that this isn't some deficiency or inability of any one group of people. I strongly suspect that the same ratio of talented:untalented exists in India as anywhere else in the world -- it's just obscured by the economics which makes being a poor or mediocre programmer a way to become relatively wealthy.
Re:Who can be trusted? (Score:3, Insightful)
Some secury enhancements like in se linux (or trustedbsd) would (could) be nice.
However, there is a strange effect that is "too much security". Examples: Create an password policy that is too complicated an people start to write down password on a note next to(taped under) their keyboard.
Lock down a system too much and people will find workarounds not to use that system.
Have a too complicated security policy and you need too many administrators (With god mode access) that configure the security.
Having a secure OS is one thing, designing secure way of work is a different way of thinking.
Re:Mod parent up. (Score:3, Insightful)
If you want a secure system you make sure every action and every module of code is authenticated before it runs
Absolutely not. In a secure system, none of the modules trusts that the others are bug free.
Re:Already an open source alternative to windows (Score:4, Insightful)
They don't want open source, they want their own proprietary OS. Code that they control, and isn't available for scrutiny by those that would attack them.
And I expect the comment about running Windows software in one of the articles was a mistake on the part of the journalist or the politician. Possibly a language based misunderstanding. I expect they mean windowing software. A desktop gui rather than a cli.
It just doesn't make sense to make it Windows compatible. It's a monumentally hard thing to do, as demonstrated by the timescales of WINE. And the result would be a system with many of the same vulnerabilities as Windows, and thus it would break the primary objective.
Comment removed (Score:3, Insightful)
Re:Already an open source alternative to windows (Score:3, Insightful)
So, the new Indian OS can make itself 10 times more secure than Windows with the simple expedient of not allowing users to install random shit off the internet.
Your post actually demonstrates that there IS something fundamentally wrong with Windows.
Seems like a prize worth having. And given that the existing Windows and Unix OSs were not designed with that in mind, the Indians will be off to a good start when they do have it in mind. Good luck to them I say.
Re:Already an open source alternative to windows (Score:3, Insightful)
A Unix based OS with the facilities in place to assimilate Microsoft's shoddy product isn't safe. That's rather the whole point. Microsoft didn't leave their poor design and engineering choices behind with DOS. The legacy of DOS is laziness and incompetence. The fact that it is not quite as obvious any more doesn't mean that Microsoft still isn't doing incredibly stupid things and doing them haphazardly.
Blaming the user simply doesn't cut it. Microsoft makes crap that's inherently dangerous to operate due to engineering sloppiness can't be tolerated anymore.
Re:Already an open source alternative to windows (Score:5, Insightful)
At least one of the linked articles says the new OS, though home-grown, would run Windows software.
Brilliant. If you're into security, there's one rule of thumb you can always count on. Don't develop your own. Invariably you'll overlook something obscure and subtle and will create a weakness big enough to fly a 747 through. Stick with time-proven methods that have been under the microscope for years and have withstood the test of time and had all the bugs, shortfalls, and subtle problems worked out of them. Basically, you're not smarter than all the people that have contributed to making the currently available selections as secure as they presently are.
If they're going to create an entirely new os themselves, in-house, for the sake of security, they're about to re-learn the above lesson.
And sorry, but runs Windows? The whole security problem there to begin with is its never-ending craving to run old software that just wasn't bothered to be written securely. Look at the giant headache that was the breaking of windows software when XP came out. Then when Vista came out. Then when 7 came out. This is going to be a whole new level worse. They may say it can run Windows software, but either it won't run MOST of it, or they're just going to be defeating one of the primary purposes of writing their own secure OS to jimmy it to run any sizeable portion. If they're insisting on making their own OS, they may as well expect to have to write their own software too. In for a penny, in for a pound.
Re:Already an open source alternative to windows (Score:3, Insightful)
Linux has a "keep user from doing dumb shit" button. It's called non-root access. And it works.
It's not security by obscurity, it is real security.