
Kaspersky OS - itiman
https://eugene.kaspersky.com/2016/11/15/finally-our-own-os-oh-yes/
======
kriro
No word on if this is FLOSS or not in the article so I'm assuming it'll be
something closed. Which essentially renders the entire exercise moot from my
POV. I also don't like how they mentioned Linux. They make it sound as if

(a) Linux is very insecure...I'm no expert but I'd like to see them prove
their system is more secure than a Linux distro dedicated to security.

(b) Linux is the only viable option. There are plenty of other operating
systems, some even focused on security (starting with the list of existing
microkernels).

~~~
IshKebab
Linux _is_ very insecure. Maybe you have not been following the news lately.

~~~
at-fates-hands
But comparatively speaking, it is still _more_ secure than Windows or OS X?

~~~
Aldo_MX
Depends on who you ask. For example, taking the top 50 products with new
vulnerabilities discovered in 2016[1], Windows 10 got fewer vulnerabilities
than the Linux kernel and OS X.

This could either mean that Windows 10 has become more secure than its most
popular competitors, or that researchers hadn't invested enough resources to
audit Windows 10 properly.

Taking into account the results from previous years and previous versions
(like 8.1), my personal conclusion is that Windows has actually become more
secure.

[1] [https://www.cvedetails.com/top-50-products.php?year=2016](https://www.cvedetails.com/top-50-products.php?year=2016)

~~~
Vendan
Well, there's also how serious the vulnerabilities are. The Linux kernel had 4
code execution vulns, Windows 10 had 44. Linux had 44 gain privilege vulns,
Windows 10 had 79. Linux seemed to have mostly DoS vulns, which is admittedly
not great, but I'd rather a server go down than get compromised and used to
take over the rest of the network. Then there's the fun stuff, like mimikatz,
that's been around since Windows XP and still can pull passwords from Windows
10...

~~~
Aldo_MX
It is expected that the smallest attack surface will have fewer critical
vulnerabilities; comparing an entire distro gives you a different picture,
since categories like code execution get similar results.

The stark contrast is in the privilege escalation vulnerabilities from the
Windows side vs the other categories on the Linux side.

I would assume that many persons prefer a server to go down, corrupt its data
and leak it, rather than get compromised. The fine print is that the leaked
data may contain information to compromise the server[1].

[1] [https://en.wikipedia.org/wiki/Heartbleed](https://en.wikipedia.org/wiki/Heartbleed)

~~~
Vendan
Yeah, but now you swung in the opposite direction. Look at Debian Linux's 2016
code exec vulns and you'll see it's got things like Firefox and Chrome and Drupal
and Mercurial... not exactly OS components... whereas the Windows 10 vulns
are Windows OS components. I'd personally be curious if any of those "Debian
vulns" would be equally applicable to the same software installed on Windows.

------
krylon
It sounds very interesting, for sure, but the announcement is a little thin on
details. The OS is apparently based around a microkernel. Which sounds good,
but AFAIK, microkernels are comparatively popular in the embedded space (think
QNX, L4) - so that choice is not in itself revolutionary.

They mention signatures, and it kind of sounds as if the OS will refuse to
execute any non-signed code. Again, sounds like a good idea in principle, but
remember how Stuxnet came with - IIRC - _two_ valid signatures created with
stolen keys. It might be better than nothing, but to an attacker with
sufficiently deep pockets, no quantum computers are needed.

Of course, those are just random thoughts popping into my head. I should wait
for more details before passing judgment. A (verifiably?) secure OS for
embedded and "IoT" devices would be very desirable, that much is certain.

~~~
pawadu
L4 is popular in embedded space? Can you provide some examples?

~~~
qznc
[https://en.wikipedia.org/wiki/L4_microkernel_family#Commerci...](https://en.wikipedia.org/wiki/L4_microkernel_family#Commercial_deployment)

> OKL4 shipments exceeded 1.5 billion in early 2012, mostly on Qualcomm
> wireless modem chips. Other deployments include automotive infotainment
> systems.

> Apple mobile application processors beginning with the A7 contain a Secure
> Enclave coprocessor running an L4 operating system. This implies that L4 is
> now shipping on all iOS devices, the total shipment of which is estimated at
> 310 million for the year 2015.

~~~
pawadu
So we have 2-3 very niche deployments. Does it really make L4 popular in
embedded systems?

Also, OKL4, especially the version claimed to run on Qualcomm, is very different
from the original L4 (I say claimed since multiple attempts to reverse
engineer Qualcomm baseband firmware showed no traces of OKL4).

 _edit: if you think this is incorrect please provide a valid counterpoint.
Downvoting a post this way to hide its presence is not a valid response._

~~~
justin66
It runs on billions of baseband processors. It's popular by any sane
definition of the word.

~~~
monocasa
Following that logic, iOS is also popular in the embedded space.

~~~
PeCaN
That's not the embedded space; an iPhone is a full (small) computer.

iOS _is_ quite popular, but embedded ≠ “runs on ARM”.

~~~
qznc
Things like a cash register or a media player are also considered "embedded
systems", even if they use x86 CPUs. Embedded ≠ incomplete computer.

------
ramblenode
Just a few days ago I became aware of CertiKOS, which is apparently a formally
verified kernel [0] [1]. I think these two aspects--formal verifiability and
being open source--are key for a truly secure OS of the future.

[0] [http://news.yale.edu/2016/11/14/certikos-breakthrough-toward...](http://news.yale.edu/2016/11/14/certikos-breakthrough-toward-hacker-resistant-operating-systems)

[1] [https://www.usenix.org/conference/osdi16/technical-sessions/...](https://www.usenix.org/conference/osdi16/technical-sessions/presentation/gu)

------
sjellis
My suspicion is that most attempts to create a better OS for IoT will fail for
political reasons. AFAICT, one really important characteristic of Linux (and
JavaScript also) for large tech companies is that they can control their own
stacks, without having to license tech from another corporation, but still
have the benefit of network effects. Samsung have Tizen, Google have ChromeOS
etc. etc.

At the component level, Linux also empowers the chip vendors to build what
they want on their own timescales and then address a large market. Even open
Linux drivers are sometimes loaders for proprietary firmware, so they aren't
really giving up the ability to ship code in a black box.

I don't see any of them willingly cooperating with a company that wants to
manage and deliver the whole OS from the kernel up. TLDR: The industry
probably does not want a Microsoft for IoT.

~~~
mmalone
Linux doesn't scale down very well though. I really don't need the full Linux
API for a lightbulb. Most embedded OSs are microkernels for this reason. If
any mega-trend has a chance of unseating Linux and generally disrupting the OS
space it's IoT.

~~~
bonzini
A lightbulb will have an RTOS, not a microkernel. While microkernels provide
utmost isolation between processes and well-defined primitives for
communications, a lightbulb might not even have separate supervisor and user
modes.

~~~
nickpsecurity
A lightbulb won't even have an RTOS. It will be a state machine or series of
them in C on the cheapest MCU imaginable. Probably 8- or 16-bit. That
keeps the cost at nickels or dimes.

------
metafex
> All the popular operating systems aren’t designed with security in mind

Kaspy OS runs on a switch, and they're talking about popular operating
systems, so in the same vein, OpenBSD wouldn't be a popular secure OS for e.g.
routers?

But hey, I'd be really happy if they based it on seL4 and formally verified
their security concepts. That would be a real game-changer. OTOH I'm really
sceptical until they provide any relevant details.

~~~
krylon
Also, in a microkernel-based system, verifying the kernel itself is but a
start.

To make a verifiably secure system for network infrastructure and IoT-devices,
you need, at the very least, a provably correct IP stack. Want a nice web
interface? Now you need to verify the HTTP server, too. Want to talk to other
devices? You probably want a DNS resolver. And so forth...

Simply signing code and having the OS refuse to execute code without valid
signatures is not going to be sufficient to convince a lot of people that it's
a significant improvement security-wise.

(If, on the other hand, they make it open source _and_ provide proofs of
correctness for all these components, that would indeed be a significant step
forward.)

~~~
petra
But doesn't an isolation kernel enable you to limit the spread of malware between
modules and to detect when a module was compromised and reset it? Isn't that
a big improvement?

~~~
krylon
It certainly is an improvement.

But my point was that it still leaves a whole lot of attack surface. If you
want a provably secure system, you basically need to verify much more than
"just" the kernel.

On the upside, if one did so, it would have benefits beyond security.

------
EugeneOZ
Only use it if you want to send all of your information to the FSB (modern KGB).
Evgeniy Kasperskiy has friends in government, police and the FSB. He is also an
apologist for state surveillance.

~~~
Dolores12
I'd rather the FSB have access to my files than the NSA. What can the FSB do to me?
Send me to Guantanamo?

~~~
SEJeff
May I present you with exhibit a)
[https://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvine...](https://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko)

~~~
Dolores12
How does it relate to my porn collection?

~~~
roywiggins
Blackmail?

------
f_allwein
Will this be open source, or will we have to trust Kaspersky that it is secure?

~~~
yug
I guess you'll have to trust him and his friends from the FSB (former KGB) :)

~~~
antocv
Do you make the same remarks when Google, Microsoft, Apple or Palantir
releases software?

~~~
yoz-y
I have the impression that ever since Snowden happened, yes. Any mention of a
non open source OS gets accompanied by remarks about NSA, FBI and co.

~~~
erikbye
Open source projects are not shielded from this either. Plenty of paranoia,
justified or not, going around these days.

[https://igurublog.wordpress.com/2014/04/08/julian-assange-de...](https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/)

[http://www.theverge.com/2013/12/20/5231006/nsa-paid-10-milli...](http://www.theverge.com/2013/12/20/5231006/nsa-paid-10-million-for-a-back-door-into-rsa-encryption-according-to)

[https://www.quora.com/Is-there-any-backdoor-left-in-Unix-or-...](https://www.quora.com/Is-there-any-backdoor-left-in-Unix-or-Linux-intentionally)

[https://blog.cloudflare.com/how-the-nsa-may-have-put-a-backd...](https://blog.cloudflare.com/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/)

On one hand, we've been privy to some of NSA's operations, on the other, there
is still a lot left to be disclosed, most will of course, never be out in the
open.

~~~
this-dang-guy
Let's not forget the great OpenBSD code audit caused when someone from the FBI
claimed to have planted a backdoor.
[http://arstechnica.com/information-technology/2010/12/openbs...](http://arstechnica.com/information-technology/2010/12/openbsd-code-audit-uncovers-bugs-but-no-evidence-of-backdoor/)

------
lifeisstillgood
This is _interesting_, yes, but secure is not secure because we had a nice
architectural idea. It's a long-term process of review and improvement.

If they release this as open source I would be interested in looking and
learning more, and in a year or two, if the community develops, maybe it's
something worth deploying to production.

But a completely new OS? Not on day one, I think.

------
mablap
There are no real details about the OS in the article. Did anybody here work
on the project?

~~~
alexandr451
From what I heard from people that work there, this company mistreats
employees and has huge problems with management. I could provide a proof link,
but it's in Russian.

~~~
minipci1321
It is preferable to outright include the link in the original post when
making that sort of statement.

Without specific details, it sounds pretty much like any random Glassdoor
report from an unhappy employee.

~~~
alexandr451
And one more [http://pravda-sotrudnikov.ru/company/laboratoriya-kasperskog...](http://pravda-sotrudnikov.ru/company/laboratoriya-kasperskogo)

------
ungzd
One of their developers said they're using C code generators in Haskell in
this OS:

[https://youtu.be/f6TmB6Zw8MQ?t=1860](https://youtu.be/f6TmB6Zw8MQ?t=1860)

------
allendoerfer
> Meanwhile, all around this alchemy folks were fairly astonished: just what
> were we thinking? We’d decided to make an unhackable platform and ruin our
> other security business model?!

If a business wants to survive in the long term, it should always answer this
question with: Would it be better if we built it, or if others did?
Because someone will eventually do it.

------
ktamiola
Haha! I am curious how long it will take to have it completely cracked.

~~~
setq
On the basis that the grander the announcement, the greater the motivation to
break it, I reckon about 20 minutes.

~~~
ktamiola
Correct! Kaspersky has just placed a MASSIVE TARGET on his back.

Understandably, investors do want catchy stories and media buzz... :)

------
frandroid
I want to highlight how their "sign up to our newsletter" pop-up only popped
up when I scrolled to the bottom of the article, and how it had a prominent
"No thanks" button. So much better UI than all those
pop-on-load-before-I've-read-anything ones out there.

------
Animats
Somebody finally did this. Good for them. Unbreakable boxes for DNS, BGP, and
routers will be a good start. Those boxes don't need to do anything else, and
contain no user data.

Looking forward to hearing more about their OS.

~~~
woof
Unbreakable?

From a company based in Russia?

Really?

~~~
antocv
Does Russia make backdoored hardware and software? Do you have proof of that?

But we do have proof USA does that. See Snowden leaks.

~~~
jpatokal
Recent Russian legislation mandates backdoors:

[http://arstechnica.com/tech-policy/2016/06/russias-new-spy-l...](http://arstechnica.com/tech-policy/2016/06/russias-new-spy-law-calls-for-metadata-and-content-to-be-stored-plus-crypto-backdoors/)

------
quinndupont
Quite literally the opposite of any reasonable definition of security.
"Security" isn't magic fairy dust, or a tagline, it is a social property that
arises only _after_ many years of use and adaptation.

> "everything has been built from scratch... it’s simpler and safer to start
> from the ground up and do everything correctly. Which is just what we did."

------
madshiva
"In order to hack this platform a cyber-baddie would need to break the digital
signature, which – any time before the introduction of quantum computers –
would be exorbitantly expensive." I loled

~~~
this-dang-guy
Very "Secrets from the future" of him :D

------
floatboth
A lot of OpenBSD mentions here, but what about MINIX 3? It's so underrated and
ignored :( They made a nice microkernel-based UNIX-like system with a NetBSD
userspace.

Also, Redox is switching to a microkernel architecture...

~~~
nickpsecurity
re MINIX 3: It's not made for high security. It's about high reliability.
Safety is usually a precursor to security, but security can take a lot more.
The core has to be designed for it, like Genode is doing.

re Redox: It's a nice project I've praised before. It's an alpha
work-in-progress, changing rapidly, and it's unclear how much of its design is
truly for security. A trimmed OpenBSD is probably a safer bet than it so far,
given the staggering amount of review that went into it. Rust's features and a
microkernel only prevent so many kinds of problems.

~~~
Recoveringhobo
For the uninformed, what problems would Rust's features and microkernel not
protect against?

~~~
nickpsecurity
I can't even remember for Rust. I just know the Rust team here admitted there was
a cut-off point in terms of the safety features it provides, like any other
language. For microkernels, all they do is memory isolation plus limit
kernel-mode damage. Past that, you have to design extra capabilities into the
microkernel, trusted code, or apps. You can even have concurrency errors in
your apps with those if there's a shared-memory space allowed.

------
n3mes1s
Some interesting findings:

- [https://twitter.com/gN3mes1s/status/798992790436933632](https://twitter.com/gN3mes1s/status/798992790436933632)

- RU slides
[http://osday.ru/presentations/duhvalov/9jun.rifinnopolis16-1...](http://osday.ru/presentations/duhvalov/9jun.rifinnopolis16-17-30-19-00--dyhvalov.pdf)

- RU presentation
[https://www.youtube.com/watch?v=_iEaY_CGcy8](https://www.youtube.com/watch?v=_iEaY_CGcy8)

------
jeffcox
How is this more secure than any other L3 switch with an out of band (or
otherwise hardened) management interface?

I'm not going to say no one is attacking switches, but that's definitely not
where I'd start.

------
JetSpiegel
> Third, everything has been built from scratch. Anticipating your questions:
> not even the slightest smell of Linux.

Built from scratch and secure, no Linux input. It's the Holy grail, move over
Theo.

------
mda
Closed source OS from an anti virus company with a dodgy history? I will pass.

~~~
agopaul
Could you expand on the "dodgy history"? I always thought that Kaspersky was
one of the "good guys"

~~~
golergka
Kaspersky has a history of working with Russian security agencies, has a lot
of buddies there, and a lot of people have throughout their careers moved from
Kaspersky to these agencies and vice versa. If Russia needs something from
Kaspersky, the government won't even need a warrant - he'll be happy to help.

~~~
linkregister
Are there any news articles to substantiate the claim that Kaspersky readily
gives information to the Russian government?

~~~
golergka
Don't have links at hand because for me personally it's firsthand knowledge
from friends and classmates working there. It's not a big secret though.

------
qznc
No mention of verification like seL4 or CertiKOS?

~~~
minipci1321
I understand CertiKOS used Coq, so the verification was at least
half-automated? How was L4 certified -- what were the tools available at the
time? Verification still remains huge work but sounds less heroic nowadays.

Now that we have tools and methodologies for verification, the announcement of
yet another secure OS suddenly sounds much less impressive.

~~~
sanxiyn
Here is seL4 proof: [https://github.com/seL4/l4v](https://github.com/seL4/l4v)

To quote, "Most proofs in this repository are conducted in the interactive
proof assistant Isabelle/HOL".

------
jwildeboer
Security through obscurity. I thought we all have learned that it doesn't
work. Well, good riddance, KasperskyOS!

"And then there are some details that will remain for certain customers’ eyes
only forever, to ward off cyber-terrorist abuses."

[https://eugene.kaspersky.com/2012/10/16/kl-developing-its-ow...](https://eugene.kaspersky.com/2012/10/16/kl-developing-its-own-operating-system-we-confirm-the-rumors-and-end-the-speculation/)

~~~
wjnc
I agree. What I find interesting is that real-world security is also a
function of popularity. You won't get many outside hackers to attack a
platform if it's hardly used.

So any new platform would first need broad adoption, then a few years of
maturity, in order for the outside world to assess if it's more secure than
current systems.

Obviously, security-centric design helps a lot, but on the other hand
Kaspersky is a relatively small player in comparison with the other OS
movements (whether capitalist or FOSS).

~~~
bigato
Popularity is not exactly what attracts most hackers nowadays; it's profit.

Yes, in the common case, the more popular the system, the more profit can be
made by hacking it. But if a system is running on a few, but very strategic
places, it will be an interesting target and thus attract a lot of effort.

------
amazing_jose
What about Firebrick? The company that manufactures it says that it has an
in-house TCP/IP stack (I don't know if they run their own OS).
[http://www.firebrick.co.uk/](http://www.firebrick.co.uk/)

------
mrmondo
My thoughts went as follows - Interesting..., Hmmm, not much real
information..., hope it's open source..., is this for network appliances or for
general use..., again, if it isn't open source I really don't care.

------
nateguchi
> not even the slightest smell of Linux

Interesting to see if this catches on in the embedded / IoT space, I guess
it's a bit of a leap writing drivers / software for a different OS

------
thiagowfx
Since this is an OS designed with security in mind, and since they even
mentioned Linux (albeit not too nicely), I missed a comparison with or mention
of OpenBSD.

------
minipci1321
"not even the slightest smell of Linux."

So me too, I have a dream. In my dream, every shop that needs two threads
running and one semaphore synchronizing will cease porting Linux and instead
will roll up the sleeves, write their own kernel 100% matching their need,
prove its validity via formal verification and then use it.

In the world where this is possible, why would one go for a non-generic OS
from a third party? It does look to me like Kaspersky might have that same
vision for the future and tries to leverage their assets while it is not too
late.

But security-by-brand-name is not really better than security-by-verification,
is it?

~~~
pjc50
> writes their own kernel 100% matching their need, prove its validity via
> formal verification

It's hard enough for _one_ organisation to do this, given the fairly
specialised set of skills it requires. Let alone every IoT vendor. There's no
reason to massively replicate this kind of work. People would be better off
building an ecosystem around sel4.

~~~
minipci1321
Agree, I'd like exactly to look closer inside "hard enough".

First, it depends on each specification -- what if the hardware is much, much
smaller (IoT) and the task to perform is well defined? It is hard today
primarily because the required skill set becomes less and less current, but it
is all demand-driven; it was not so some time ago.

Secondly, it could be replicated to some extent only -- for example, verified
libraries for each device could come from each HW IP provider, instead of
coming from the SoC vendor who integrated them. Say, Synopsys would provide a
verified lib for the GbE controller -- to use with all SoCs that integrate it,
etc. And the final integrator would take care of verifying the final
integration, including his very small, fast, low-power-consuming,
maintainable and 100%-dedicated kernel.

But my main argument is that the alternative is not so good-looking either.
Porting and validation of the Linux kernel is performed mostly by engineers
who don't have the required skillset (managerial decision to spare on hires
since "we have Linux") -- this is also something that I wish wasn't replicated
among product makers but is, unfortunately.

~~~
pjc50
> what if the hardware is much-much smaller (IoT) and task to perform is well
> defined?

Anything IoT needs a full network stack at least, and usually a set of radio
drivers for WiFi, 6lowpan, Zigbee, Bluetooth or whatever. That usually amounts
to quite a lot of software, which in the case of the radio stuff is often
proprietary and patent-encumbered.

Asking the hardware vendors is a dead end. You might as well ask for a pony
while you're at it, you're not going to get it either.

"Verified libraries" would necessarily be written against a particular OS
interface and its guarantees. I'm not even sure how this process would work in
terms of formal verification; even sel4 is forced to make assumptions about
hardware.

The reason why you get bad Linux ports with no source and universal default
passwords is simply cost. Customers do not incorporate security into their
purchasing decisions - or they wouldn't buy these things - so this is what we
get.

~~~
minipci1321
In other words, you believe that Kaspersky OS has its place and future market?

> Anything IoT needs a full network stack at least ...

My point really is, every IoT device would need only its part of the full
network stack, not all the protocols currently implemented in, say, Linux, and
chances are, some devices will require an extremely reduced subset of the
network stack, especially at the lower layers and with respect to kernel
interaction.

I am not a verification expert, but verifying a very reduced subset of a
well-defined spec seems at least feasible -- how would we verify something
open-ended? Those pesky little theorems would become much more general and
would come in even greater numbers?

Verifying a generic OS, good for all devices and all applications, if at all
doable from a theoretical standpoint, looks like too much work for no
particular profit for the verifier (very similar to the validation of the Linux
kernel, which is relayed on to the distro builders).

I wouldn't be as pessimistic either about the hardware vendors. After all,
(some of them) already use formal verification in (some of) the silicon
design, and verifying closer to the silicon seems simpler -- the closer to the
metal, the less genericity (assuming the verified silicon underneath).

------
johndoe90
Given that there's not only software bugs, but the hardware ones, I wonder how
secure it would be. I personally hate their software, but still, it would be
nice to know.

P.S. Security without open-sourcing is impossible. Although, dunno how for
other countries, but here in Russia some people have a different point of
view.

Some people believe that “opensource is insecure by design, because everyone
can see the code”. Probably Kaspersky has the same point.

~~~
mfukar
> Security without open-sourcing is impossible

is just as documented an assertion as

> opensource is insecure by design

The two are completely orthogonal.

~~~
johndoe90
Those were two different opinions. First is mine, the second is my
interviewer's.

------
anta40
Somehow this reminds me of John Draper's CrunchBox. Of course, it ran OpenBSD,
an open source OS.

------
dewiz
>"All the popular operating systems aren’t designed with security in mind"

I really disagree.

------
andrewmine
Anybody know which microkernel they are using? I was not able to find it

------
wildchild
I would stay away from every snake oil product this KGB agent sells.

------
akourman
I think after Microsoft is part of the Linux Foundation now, and now you're
telling us that you have a powerful and secure CLOSED source OS !!! .. I think
Open Source already won the war!! and you're somewhat 14 years late...

------
known
I think [https://en.wikipedia.org/wiki/OpenBSD_security_features](https://en.wikipedia.org/wiki/OpenBSD_security_features) has good security features

------
deavmi
Russia. Ha. No my friend. Kaspersky. Ha. No my friend. Closed source. Ha no,
and you ain't ma friend.

~~~
dang
Please stop posting unsubstantive comments.

------
itazula
Happy Pocky Day! (11-11)

~~~
itazula
Alas, the allusion was lost on some.

------
seesomesense
The marketing makes it sound a bit like SeL4.
[https://sel4.systems/](https://sel4.systems/)

------
partycoder
Should probably be named "Unbreakable Linux"... oh wait, that name is already
taken by Oracle.

