
CLIP OS – France’s cybersecurity agency’s open source, secured operating system - brmgb
https://www.ssi.gouv.fr/en/actualite/clip-os-open-source-secured-operating-system/
======
comboy
> It also provides partitioning mechanisms that make it possible to
> simultaneously process public and sensitive information on the same
> computer, within two completely isolated software environments, in order to
> avoid the risk of sensitive information leaking onto the public network.

Just don't. Please don't. You can have the most sane architecture, but there's
a whole pile of s..tack underneath. You can't even trust a modern CPU.

~~~
michrassena
I don't understand why it's deemed necessary to work with both public and
sensitive information on the same device. This might have made sense when
computers were much more expensive. Today, why not buy two computers and keep
them physically isolated?

~~~
duxup
Yeah physical separation... seems like a large and ultimately good step. All
the other efforts to logically separate things often have some sort of
downside.

I posted a while ago that there was a customer (tied to the military) that
forbade ANY outside electronics of any type to enter their facility (the main
gate where you parked was ok, but you still turned everything over) without
approval, and no electronics could ever leave. They went so far as to keep and
presumably destroy anything that entered... bring a laptop, it's gone, be
stupid and carry a phone, gone (nobody actually did the phone thing as you
were warned plenty of times).

Granted they paid a ton for it (for a laptop many times sometimes (other times
they gave you one)) and it is mostly a policy only the military can be strict
about.

But having said that, this was before smartphones and so on, and honestly
nowadays what was an extreme policy actually seems like a good policy for
many such places. We're already at the point where we know we can't be sure
about declaring any equipment "clean".

I was a little shocked to hear the White House was talking about banning smart
phones in some places.... like how the hell haven't they done that already? A
mic and camera on each person that wanders all over the world connecting to
random cell towers and wi-fi and OMG, what a great attack vector!

~~~
mavhc
What happens now people have wireless devices keeping them alive, heart
controllers etc?

~~~
duxup
I don't recall anything in the policy that spoke to that. That's not a good
answer, but it is all that I got. This wasn't a situation where you asked
questions / got to.

------
lawnchair_larry
There is no point in debating whether or not this is secure. The inclusion of
that word in the title is going to derail all of the comments here. They are
using secure from the point of a layman. We know nothing is secure, the folks
working on the project know nothing is secure. The government folks and media
outlets don’t understand security and their use of the word “secure” should be
disregarded.

It would be better (and create more interesting discussion) to pretend that
one is reading a title that says “security enhanced” operating system, and
evaluate the merits of incremental improvements offered, and not debate
whether or not anything can be truly secure.

~~~
renaudg
This is actually a mistranslation.

The original French text ([https://clip-os.org/fr/](https://clip-os.org/fr/))
says "système d’exploitation durci" ( _hardened_ operating system) and this
has been translated as "secure" in the English version of that same page.

------
KenanSulayman
Fascinating! It seems like a cross-over concept of CoreOS and FreeBSD jails.

It seems as if it is just the base system for now (and a bit complex), but I
think this kind of architecture is great for “IoT” use-cases when the source
of the sensor data should be protected from the containers who are processing
the data (i.e. in sealed environments). Can't wait to try this.

~~~
chupasaurus
That's based on just Linux namespaces.

------
transpute
_> Hardware-based mechanisms and isolation are assumed trusted, properly
functional and configured. Here is a non-exhaustive list of hardware-based
security and isolation mechanisms: UEFI firmware, Secure Boot ..._

Is firmware a "hardware-based mechanism" with comparable isolation claims to a
TPM, MMU or IOMMU?

See the talk "Firmware is the new Software", on attack/defense of UEFI
firmware vs auditable open-source firmware like LinuxBoot,
[https://www.platformsecuritysummit.com/2018/speaker/hudson/](https://www.platformsecuritysummit.com/2018/speaker/hudson/)

------
Yoric
If someone has already looked at the source, would it be possible to get a
high-level overview of what's special to this OS? Apparently, authorizations
and isolation are not vanilla Linux, but that's all I manage to gather from
the description.

 _edit_ Oh, I hadn't seen that document:
[https://docs.clip-os.org/clipos/architecture.html](https://docs.clip-os.org/clipos/architecture.html)

So, container-based isolation between applications & users. I don't see
anything about authorizations, though.

~~~
chrisper
I am surprised that document isn't in French only...

~~~
kwhitefoot
French academics, researchers, and software developers publish a lot in
English. You might be exhibiting an out of date stereotype. :-)

~~~
Tehnix
It is most definitely not an out of date stereotype that (a looot of) French
people are not particularly fond of English. Go to any university and you'd be
surprised about the number of students that don't speak English, or can just
muster a couple of words. It's ingrained in the culture, from dubbing movies and
series, having previously been the lingua franca of academics, culture etc,
having a large part of the country in rural places, and (in some places) being
seen as arrogant if you speak English or say English phrases.

Source: French girlfriend, French friends and having been there a lot.

~~~
marmaduke
Hi, source: I'm a uni engineer in France, everyone in my 100+ lab speaks
English.

What's more is there's a funny reversal occurring where people insert English
phrases to be hip, e.g. in the middle of a French sentence you hear a "yes" or
a "let's go" or an "in z pocket" (I never understood that last one).

~~~
etiennemarcel
"in the pocket"? as in the literal translation of "c'est dans la poche"
(meaning "I got this, it's easy")

------
bcaa7f3a8bbc
It seems that ANSSI has sponsored many open-source research and development
efforts. One day I was surprised that the most complete free and open source
implementation of OpenPGP Card firmware on JavaCard was published by ANSSI on
GitHub.

------
djsumdog
Hmm, they say it's Linux based. I was kinda expecting/hoping for something
more similar to BAE's STOP, which is a non-open/proprietary OS that originally
sacrificed performance/speed for security.

------
close04
The concept also feels similar to Qubes OS.

~~~
niutech
According to [https://clip-os.org/en/](https://clip-os.org/en/) the
differences with Qubes OS are:

1. The main mechanism for environment isolation is different:

a) CLIP OS leverages Linux kernel primitives to create containers with the
help of additional features brought by Vserver, Linux kernel hardening
(grsecurity for version 4) and a tailored Linux Security Module (LSM). This
approach allows a fine-grained control on the data exchanges between isolated
environments (e.g., handling a notion of files, processes and sockets) and
permissions (e.g., restriction to ring 3 features for malicious code,
limitation on the allowed system calls).

b) Qubes OS leverages hardware based virtualization with a hypervisor (Xen),
and a main virtual machine (dom0) which is a GNU/Linux system with services
handling data exchange between virtual machines.

2. Administrators have different roles and power:

a) Administrators on a CLIP OS system are not able to compromise system
integrity nor access user data. They can only access a restricted set of
configuration options.

b) On Qubes OS systems, the main user of each virtual machine is also the
administrator of its own environment. The system administrator of the main
domain (dom0) can change all the configuration options and may access all user
data without any restriction.

~~~
mtgx
So it seems closer to Subgraph OS (except for the Tor usage):

[https://subgraph.com/sgos/](https://subgraph.com/sgos/)

------
ankka
The most unexpected part was seeing "Gentoo Hardened" as a part of state-level
official documentation.

~~~
snaky
France is rather open-minded recently. "Matrix and Riot Confirmed as the Basis
for France’s Secure Instant Messenger App"
[https://news.ycombinator.com/item?id=16933736](https://news.ycombinator.com/item?id=16933736)

------
snvzz
>Based on a Linux kernel

Way to disappoint me. I was expecting some cool pure microkernel goodness,
perhaps based on seL4.

~~~
msla
Hypervisors are both older than microkernels and more secure.

(The people who insist hypervisors _are_ microkernels are ignorant of both
technology and history.)

~~~
wahern
Common hypervisors like ESX and Xen definitely aren't like microkernels,
though they'd be more secure _if_ they actually were.

ESX and Xen are more like monolithic kernels. The problem is that in
_practice_ they've become mini-kernels with their own driver systems and
increasingly large code surfaces, recapitulating the mistake of monolithic
kernels.

seL4 actually can act as a hypervisor, and their build framework comes with
support for building Linux guests into the bootable system image. I don't know
if there are proofs of security with respect to the hypervisor, nor what the
worth would be considering how complex the CPUs are these days, but I'd have
much more trust in seL4 as a hypervisor and driver framework than in something
using FreeBSD or Linux as the critical guarantor of system security.

If you're stuck with commodity x86 or ARM hardware and really want a strong
architecture, seL4 is the best option unless you want to build from scratch.
Apple uses another L4 derivative as the OS for its security chips; an in-house
derivative that predates the seL4 project.[1][2]

[1] [https://microkerneldude.wordpress.com/2016/04/14/so-the-fbi-cracked-the-iphone-with-a-zero-day-and-hardware/](https://microkerneldude.wordpress.com/2016/04/14/so-the-fbi-cracked-the-iphone-with-a-zero-day-and-hardware/)

[2] [https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf)

------
rofo1
GitHub link: [https://github.com/CLIPOS](https://github.com/CLIPOS)

------
baybal2
It is a Linux distro, not a new OS.

~~~
AnIdiotOnTheNet
The terminology is confusing because for a lot of purposes every Linux distro
can be considered a separate platform, so it may as well be a separate OS even
though it uses the same kernel (and often the same everything, just arranged
and configured differently enough to cause headaches).

That said, I am also disappointed that everyone who cobbles together a Linux
distro these days insists on referring to it as a new OS, because I remember
the days when people actually announced new OSs like Syllable, AROS, SkyOS,
and Haiku.

Lately I've seen the term "Operating Environment" emerging as a way to further
delineate an actual "new OS" from something that just sits on top of an
existing kernel but is more different than just a new Linux distribution.

------
jcwayne
Trusting an OS from any government seems, to me, a foolish thing to do.

~~~
icc97
You don't have to, it's for French government employees who have no other
choice. However it's easier to trust an open source government OS than a
closed source one.

------
nwmcsween
It uses Gentoo Hardened? Get ready for tons of breakage.

~~~
snaky
Google uses Gentoo as a base for ChromeOS IIRC.

------
presscast
Is there a design whitepaper somewhere? (Or similar)

