French Government Open Sources Secure Operating System
The French government’s national cybersecurity agency has released an operating system built using open source components internally over the course of more than 10 years for use by the French administration.
Dubbed CLIP OS, the operating system is based on the open source Linux kernel, but focuses on security hardening and provides partitioning mechanisms that allow the processing of both public and sensitive information in isolation on the same computer.
As expected, the project uses code from a lot of open source projects including the Linux kernel and the GNU Compiler Collection. In fact, the Gentoo Hardened Linux project serves as the base of the OS and, similar to Gentoo, there are no pre-packaged CLIP OS images. At least for now, users will have to build their own images from the source code.
CLIP OS was developed and will continue to be maintained by the National Cybersecurity Agency of France, or Agence nationale de la sécurité des systèmes d’information (ANSSI), which is also tasked with protecting the French government’s networks, systems and data.
The OS was originally created to the meet the information security needs of the French administration, but ANSSI now believes it is ready to face public scrutiny and to receive contributions from the larger open source community. That said, the agency considers the latest version of the project to be in an alpha state, so it shouldn’t be considered ready for use on production systems.
CLIP OS provides filesystem integrity protections, a system-enforced distinction between application binaries and system data and UEFI Secure Boot support. The goal is to be able to handle information at multiple confidentiality levels and to restrict administrator access on production systems so that compromised administrator accounts cannot take over systems or access user data.
According to ANSSI, CLIP OS has similarities to Google’s Chromium OS and Yocto, a project that helps developers create custom Linux-based firmware for embedded products on multiple architectures. The OS can be deployed on security gateways, as well as on workstations and laptops.
CLIP also shares some security goals with Qubes OS, an operating system that uses hardware-based virtualization to compartmentalize workflows and isolate applications and tasks. However, CLIP OS takes a different implementation route by using virtualized containers that share the same kernel (kernel-based virtualization). The kernel is hardened using a tailored Linux Security Module (LSM).
ANSSI open-sourced two versions of CLIP OS: version 4, which has documentation in French, is no longer developed and is provided as a reference for patch submission; and version 5, which has documentation in English and is actively developed.
“The public release of the CLIP OS project is part of the ‘plan for a transparent and collaborative public action‘ (in French), driven by the French DINSIC,” the project’s page reads. “Opening up the CLIP OS project source code is also a way for the ANSSI to share its work and to allow everybody to benefit from it and reuse it to build hardened Linux systems based on CLIP OS.”
WD to Finally Patch Year-Old Auth Bypass Flaw in My Cloud NAS Boxes
Western Digital confirmed that it is working on a patch for a serious vulnerability that could allow attackers to take over My Cloud NAS devices.
Researchers from Dutch security firm Securify disclosed details about the vulnerability this week, almost 1.5 years after originally reporting it to Western Digital without any response. However, it turns out that researchers from another outfit called Exploitee.rs also found it last year and even wrote a Metasploit module for it.
The flaw is located in the web-based management interface of multiple Western Digital My Cloud NAS devices and can be exploited to bypass authentication to gain administrative access. Devices with their interfaces exposed to the internet, which is not the default configuration, are at higher risk. However, the flaw can also be exploited over the local network—for example, by malware running on other devices.
Following Securify’s report, Western Digital acknowledged the vulnerability and published a security advisory that lists the affected models. The My Cloud Home drive is not impacted and the company is in the process of finalizing firmware updates for the rest of the devices, WD said on Twitter.