HYDRA Server

[catch]

I was very surprised to see that my post in the bookmarks thread was the only to show under a search for "Bodacion."

http://www.bodacion.com/

This web appliance is likely the most secure single level server on the market. It is immune from all remote server level attacks including cracker, viruses, and worms.

The system runs Java web applications, utilizes domain based access controls or "compartments", effectively has a read only operating system with no command interface.

Its encryption technology is interesting, but my knowledge on such things is limited to the bare minimum to not bomb that CBK on the CISSP.

The site makes a lot of bold claims, but the majority of them are completely true, a few of the claims have a smidge of spin. For example the server cannot effectively protect objects from subjects in the same compartment even if the subject does not have explicit rights over the object. (multi-user web hosting for a simple example)

The true benefits of this system is the fact that it has essentially no administration requirements. Essentially no security configuration, no patching, no unusual access controls, no complicated rules files... I would guess that anyone who was familiar enough with computers to use MS Office could effectively run a secure and stable HYDRA server.

Anyhow I figured this would be of interest to some of you perhaps.

catch

[j3r]

This looks a lot like a planted ad to me. No patching? So I assume the code is all perfect, then? A fully-integrated solution! Yay, that looks like its defenses have a lot of depth. Granted, I'm not saying it's horrible, but I have difficulty believing that it lives up to its claims.

Oh, and it's "FIPS-approved" crypto is either 3DES or AES. Nothing exotic (that's a good thing, BTW). But, you know, they're totally abusing the term "biomorphic."

Most of the crap in the "reliability" section is just them using different words so as to appear more reliable. They say no OS failures, as they don't have an OS. I say *every* failure is an OS failure, as their entire codebase is the OS.

[catch]

Yeah, a planted ad... that would make sense for me to complain about it being single leveled.

No patching? So I assume the code is all perfect, then?

This is just daft.

1. Perfect systems do exist.
2. the system doesn't need to be perfect to have no patching required. It merely needs to be designed so that bugs cannot effect security related functionality. (it would not be the first system like this, not by a long shot.)

This system doesn't need depth of security, all it needs to do is isolate the web service from the rest of the system, which it does. The system lacks depth in functionality so depth in security would be anti-thematic at best.

The system has an OS obviously (nano-kernel their marketing deptmant has apparently dubbed it), it doesn't have a command interface and the OS may not be reached from the web service compartment. The reliability is very good as you'd expect with a system this simple.

"so reliable it has earned FAA and Department of Defense certifications to operate in flight control systems and other life-sustaining and critical environments."

It is by no means a perfect solution, but i wonder if we won't be seeing more of this type of least privilege extended to the entire box in the future.

The encryption system uses 3DES and their use of biomorphic is proper. the use it too seed data and in internal/transfer integrity checks. (but all of this information is on the site.)

Your entire post is argumentative, any reason for that?

catch

[IchNiSan]

Looks interesting, however....

If they are hosting their website on their own device(perhaps???) it doesn't like opera very much. Loads fine in EI 6, but opera takes for ever to load the page(some images don't load).

Netcraft doesnt seem to have a very good idea what they are running, so, maybe they are running their own appliance.

Edit:

I take it back, their site just doesnt seem to like me for some reason. Now it is having trouble from both IE, and opera. But when I browse to it while terminaled into an office in another location, it is fine.

[j3r]

Your entire post is argumentative, any reason for that?

Because it was a rebuttal to your breathless adoration.

You claim that perfect systems do exist. I can accept that. You offer no evidence that their system is perfect. Isolation and least privilege are great. I like them. But they don't mean jack if there's a bug in their TCP code. Anyone can ramble on and on about Java this and least privilege that, but they're just blowing smoke if the low-level implementation is flawed. Take a look at Marc Schoenefeld's recent post to bugtraq. Ohh, a way to work around one of Java's compartmentalization systems. Perhaps Bodacion's system is not subject to this type of attack, but perhaps it is.

I am not saying that they do not have good technology. I am saying that their marketing is completely wrong-headed. If you really do not patch the system, and there is ever a serious bug, you have a very expensive dorrstop/wAr3z server/DDOS zombie. If patching is automatic, and someone compromises their patch server, then you have a very expensive dorrstop/wAr3z server/DDOS zombie. If you have to manually patch, then they're lying.

Looking over their web site, they have implemented lots of other people's good ideas. That is a good thing. However, good ideas are not a magic bullet. They present their system as being a magic bullet. I do not believe them.

What they are offering is a system that is largely different from > 99.9% of the web servers out there, and is clearly not designed by idiots. This assures you a lot of obscurity and a non-stupid implementation. This protects you effectively from all the script kiddies out there. This is nothing to sneeze at. That is a long way from a perfect system, though.

[Maestr0]

Perfect systems do exist.

Gödel is rolling in his grave over that one.


-Maestr0

[j3r]

Gödel is rolling in his grave over that one.

:-) Yeah, I think s/he meant that perfect subsystems do exist.

[catch]

Because it was a rebuttal to your breathless adoration.

Maybe this is a language issue, because you could not have possibly been reading my post. The only place I say anything nice about it's security is that it is _likely_ the most secure system of a very insecure set of systems. (single level)
Then I went on to focus on a one of the system's theoretical issues. The only real plus I focused on was the lack of administration needed as you have effectively taken what would be a subsystem on a general purpose operating system and made it stand alone.

But they don't mean jack if there's a bug in their TCP code. Anyone can ramble on and on about Java this and least privilege that, but they're just blowing smoke if the low-level implementation is flawed.

You clearly have no understanding of how this system works. You keep needing to place it in the context of a normal operating system. Even if the TCP implementation is flawed... what are you gonna do with it? You've got no access to syscalls that can violate system confidentiality or integrity, so what have you got? A fat goose egg.
Perhaps you should go back and read the documentation more carefully (or perhaps at all) and you will see that the only effective way to compromise data on the system would be via user supplied web applications, but even those cannot effect the system, only other objects within the same compartment. And even then it gets kinda iffy as to what exact access would be allocated to such a rouge process.

That is a long way from a perfect system, though.

I never said it was a perfect system, I said it offered high security for a low security type system and that it was easy to administer. In fact, not only did I not say it was perfect:

It is by no means a perfect solution

Learn to read before you try and show everyone how clever you are.

Yeah, I think s/he meant that perfect subsystems do exist.

No, I meant perfect systems. They are merely the result of extensive formal methods and of course tremendous costs. Is this system in question perfect? Read above. It falls under #2 in that it is possible to design the system in a manner that it needn't be perfect to be immune security wise.
The benefits of high level trusted systems (to which this has taken a few aspects to extreme) is that you don't need to worry about patching because the model and security kernel are verified and user level software like the web server or like the IP stack CANNOT effect the overall system security. This concept has been around since the mid 70's, I am amazed you are not familiar.

They have done this in a rather standard way, that is to minimize the system so much that there is essentially nothing for an attacker to leverage. Nothing new, nothing creative... just the first time I'd seen it offered at the commercial level. Cobalt systems for example still have a general purpose OS on them.

catch

[Lansing_Banda]

That is a very smart move. In fact that is the best security I have ever heard of. Instead of pumping out this huge arse firewall/killem all app, just give them nothing to work with. Funny. *Skript kiddie sit dumb founded*

[xmaddness]

We actually have discussed this before here. When the system was introduced they were offering to give the person who could predict the next "bodacion" in a series and brand new ferari. Or was it a million dollars? One of the two.

They gave you a file that contained 99 sequential "bodacions", and you were to predict the next one.

Many of us here worked on it, some seriously, some not (like me). It seems to me though that eventually their pattern will be found. Its only a matter of time.