@alcinnz@floss.social

alcinnz

A browser developer posting mostly about how free software projects work, and occasionally about climate change.

Though I do enjoy German board games given an opponent.

Pronouns: he/him


alcinnz, to random

Some data available in our hypothetical hardware-Internet Communicator is very sensitive with privacy concerns far outweighing any desire to reprogram its use. So how'd I keep a close eye on who uses this raw data?

This would necessarily involve a close eye on any password managers, & unnecessarily any instant messengers.

I'm talking about data like the framebuffer, open windows, password vault, status LEDs/buzzer output, notifications (UX reasons), fingerprint scanner, etc.

1/4?

alcinnz,

On the clientside we can have the Filesystem & Linker components validate those signatures, by comparing the file's hash (computed by our Arithmetic Core) against the asymmetrically-decrypted (by our FPMA) signature.

To ensure no one has nullified this check we'd need to validate these components (first things to boot past the firmware!): we'd need to check that they're signed too. If we ensure not even we (the vendor) can overwrite the firmware undermining its security guarantees, no more to do!

3/4

alcinnz,

Except... I'm a bit queasy about limiting the control others have over their devices, so how does this differ from Microsoft's, Apple's, or Nintendo's "Secure Boot"?

1st off I'd minimize how much I'd rely on these defences, minimize the constraints it puts upon you to a level most everyone should be comfortable with. Instead I'm mainly relying on hardware/firmware-level sandboxing!

2nd if you configure authenticated boot I'd let you use those creds to loosen (or tighten) these checks.

4/4.5!

alcinnz,

The authenticators used to bypass our Secure Boot would have to be ones we (the vendor) approve of, if this check is to be meaningful at all. But it'd let you overwrite all the other software on your device!

With asymmetric cryptography these credentials don't even need to live on the device itself, which could be useful for work machines. Though I'd want to use our control over the authenticators to inform their employees that this is a work machine!

5/5 Fin!

alcinnz,

To indicate that we approve of a certain component accessing sensitive I/O & data we'd cryptographically sign (encrypt a hash of the program) it before offering it for download. Ideally (especially as our userbase grows) we'd do this on a machine disconnected from the internet running a bare-bones OS, since any viruses here could infect all our users!

This would make the process for publishing updates to certain components a bit more cumbersome, but that should be rarely needed.

2/4?

alcinnz, to random

Resuming my study of Elf Utils' commands...

After initializing internationalization & parsing commandline flags elflint iterates over each arg transiently & carefully opening each given file, branching upon its subtype. Whilst aggregating errors.

For proper ELF files it retrieves the E header, outputs the filename, initializes LibEBL, validates the ELF headers, validates its P headers, validates its S headers, validates exception handlers if present are non-NULL, & cleans up.

1/5?

alcinnz,

Throughout elflint outputs any validation errors.

For ELF archives it instead finalizes a prefix/suffix for error lines, iterates over each file in this archive, & recurses into each of those.


After initializing internationalization & parsing commandline flags findtextrel iterates over remaining commandline flags (handling a singular arg specially) aggregating error codes.

For each it opens the ELF file, gets its header validating its dynamic, & iterates over sections.

2/5?

alcinnz,

For each section findtextrel retrieves the header & branches over whether it's dynamic. If it is it iterates over each entry there-in to flag whether we've found a TEXTREL one. If it's a symtable it saves the index of the last one.

After which it errors out having not found a textrel. Or it allocates a segments array (initially 10 slots) & iterates over the P headers: for each actually-existing P header of type PT_LOAD & not flagged PF_W it appends to the array.

3/5?

alcinnz,

If we've gathered any segments we initialize the DWARF iterator, possibly open a debug info file, & iterate over the sections a final time. For each findtextrel double checks we actually have section data, & iterates over its entries (handled according to REL/RELA subtype) to exhaustively check against expected values.

Regardless we clean up.

3.5/3.5 Fin for today!
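
The text-relocation check walked through in the thread above, as an added Python example (not code from elfutils or from the posts). It assumes little-endian ELF64 only, finds the dynamic table through PT_DYNAMIC rather than by walking section headers, and `build_sample` is a hypothetical helper that constructs the test image.

```python
import struct

PT_LOAD, PT_DYNAMIC, PF_W = 1, 2, 0x2
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4
PHDR, DYN = "<IIQQQQQQ", "<qQ"  # Elf64_Phdr and Elf64_Dyn layouts

def program_headers(data):
    """Return Elf64_Phdr tuples (type, flags, offset, vaddr, paddr, filesz, memsz, align)."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (phoff,) = struct.unpack_from("<Q", data, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    return [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]

def has_textrel(data):
    """True if the dynamic table carries DT_TEXTREL or DT_FLAGS with DF_TEXTREL."""
    for p_type, _, off, _, _, filesz, _, _ in program_headers(data):
        if p_type != PT_DYNAMIC:
            continue
        if off + filesz > len(data):
            raise ValueError("PT_DYNAMIC extends past end of file")
        for pos in range(off, off + filesz - 15, 16):
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == DT_NULL:  # terminator: ignore anything after it
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def readonly_load_segments(data):
    """Address ranges of PT_LOAD segments without PF_W, where a relocation is a problem."""
    return [(vaddr, vaddr + memsz)
            for p_type, flags, _, vaddr, _, _, memsz, _ in program_headers(data)
            if p_type == PT_LOAD and not flags & PF_W]

def build_sample(dyn_entries):
    """Hypothetical helper: constructed image with an R+X PT_LOAD and a PT_DYNAMIC."""
    dyn = b"".join(struct.pack(DYN, tag, val) for tag, val in dyn_entries)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 0x5, 0, 0, 0, 176, 0x1000, 0x1000)
    dynp = struct.pack(PHDR, PT_DYNAMIC, 0x6, 176, 0x2000, 0x2000, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + dyn

if __name__ == "__main__":
    image = build_sample([(DT_FLAGS, DF_TEXTREL), (DT_NULL, 0)])
    print("TEXTREL:", has_textrel(image), "read-only segments:", readonly_load_segments(image))
```

A binary that reports a text relocation needs its non-writable PT_LOAD ranges patched at load time, which is why the read-only segment list is gathered alongside the flag.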

alcinnz, to random

I've now finished my metathread on hypothetical developer tools for self-hosted maintenance of my hypothetical hardware-Internet Communicator! And with it I believe I've described practically all the software & hardware comprising an inclusive decolonial browser & operating system! Following existing web (no JS), internet, Unicode, Xiph, USB, AutoMerge, etc standards.

It's not simple, but I think the hypothetical hardware made it much simpler!

1/2

alcinnz, (edited)

So my question: Once I've published these threads, what do I tackle next? Whether I choose to extend this hardware/OS to new usecases or design new hardware?

I've heard interest in expanding my XMPP discussion beyond the basics.

I haven't said much about authentication & multi-user devices.

Mapping could be a useful feature!

So far I've leaned towards serving audiences in my design, I'd love to explore creative tools more!

Anything else? Specifics?

Please vote, please please discuss!

annika, to random

💩 "We are approaching the use of AI in Firefox -- which many, many of you have been asking about -- in the same way. We’re focused on giving you AI features that solve tangible problems, respect your privacy, and give you real choice." https://connect.mozilla.org/t5/discussions/here-s-what-we-re-working-on-in-firefox/td-p/57694

alcinnz,

@annika Hmmmm, if they're dedicated to solving tangible problems I wouldn't complain...

But as long as the focus is on the tool not the problem, I can't trust such statements!

alcinnz, to random

3 Layers of UI Interaction - Drew Powers:
https://pow.rs/blog/3-layers-of-ui-interaction/

Boosted by Robin Rendle "The Cascade":
https://csscade.com/three-layers-of-ui-interaction/

lanodan, to random

tfw I'm really feeling the 3rd one…
The 3 stages of Tech Literacy.jpg

alcinnz,

@lanodan Stage 4: Here's how I'd build my own hardware for my own OS!

I'm aware I'm not the only one...

alcinnz,

@lanodan I don't think anyone has yet managed to turn Stage 4 into practice...

alcinnz, to random

Yesterday I discussed how I'd build a codeforge for & upon our string-centric hardware (as well as clientside feedreader, crash reporter, & fallback crash reporter) comprising a repo viewer & issue tracker. What else would we want to include in it?

We'd want to let you download the AutoMerge documents to fork them & attach them to issues to request they be merged. We may add a minor integration between the 2 components to merge with a click of a button, but that might not be worth it.

1/5?

alcinnz,

If our project gets big enough we may define a variant of the AutoMerge format which supports Git-style branches, & if it gets even bigger we may store everything on the server behind-the-scenes (wouldn't be presented this way) inside a giant singular repo. All to cut down on storing duplicate data!

We may offer mailing lists (already discussed as they're part of the earliest email standards), possibly with a web UI (rendered via logging) presenting it as a forum. As well as an XMPP chatroom.

2/5

alcinnz,

We could offer to host static websites out of an AutoMerge document, with format autoconversion as requested by the clients. Maybe we'd offer a full static-site generator, since we'd have already (trivially) implemented a templating language for the sake of these other webservices!

As well as offering some compute (for any testrunners, profilers, & fuzzers) upon every uploaded AutoMerge document, heavily firmware/hardware sandboxed to avoid abuse & exploits.

3/6?

alcinnz,

Only providing these scripts the read-only repo & any of its dependencies as input, with only a couple bytes as output (the code can be rerun locally where desired) should prevent it from exploiting vulnerabilities or being used for however next we'll monetise computation! These would be run both before & after merging any changes, implemented as part of the repo viewer.

Finally we'd want to build a catalog of all these subprojects!

4/6?

alcinnz,

This catalog would list all repos, issue tracker(s), mailing lists, chatrooms, websites, etc for each subproject. Though I wouldn't want to mandate that subprojects use our services. The repos may be processed to extract the permissions each component requires.

This catalogue would be useful for performing analysis over the entire project!

We can index the input formats each program supports, so our devices can download it & offer to install software for new file formats it encounters.

5/6?

alcinnz,

That index would operate upon a (more) curated subset(s) of the catalogue, probably organized into "tools" & "viewers".

Another analysis pass can keep an eye on who's using particularly sensitive privileges, storing exceptions we've made & their justifications.

5.5/5.5 Fin for today! Tomorrow: Tighten the security a bit more...

alcinnz, to random

Continuing my study of Elf Utils' commands...

After parsing commandline flags (I see internationalization but not its initialization) & validating (in some cases, single) args remain, elfcompress parses each remaining arg aggregating error codes, before tidying up!

For each it opens the given ELF file validating its kind & fstat(), retrieves the E, S, & P headers, considers calculating a last-offset based on that, & iterates over the ELF sections.

1/5?

alcinnz,

For each section it retrieves an index & header & name, compares name against expected pattern followed if successful by section type outputting a status message, if the name matches but types don't it also tweaks names as appropriate, validates there aren't duplicately-named symboltables, & considers updating some indices with what it found.

After a bit more validation & adjustments it restarts the ELF file copying over the E header then P header, & iterates over sections again!

2/5?

alcinnz,

For each section (round 2) it retrieves various properties upon successfully retrieving the section whilst applying any requested compression, creates a new section in the output ELF file, & copies the various data over to it with minor tweaks (and more compression!).

It finishes by possibly finalizing various global names possibly adding compression, retrieves the updated E header, retrieves S header string index, possibly iterates over those names, updates layout info & tidies up!

3/5?

alcinnz,

For each section name elfcompress retrieves the index & S header, possibly computes some layout info, writes the S header, & checks if we're at the desired entry. If we have it retrieves various layout info & possibly adds compression!

There's a handful of helper wrapper functions dealing with additional details of how ELF files are laid out.

3.5/3.5! Fin for today! I don't want to get started on another command at this point...
