From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Don A. Bailey" <don.bailey@gmail.com>
Content-Type: multipart/alternative;
	boundary=Apple-Mail-A0D0F983-318F-449C-BC7B-889673196E1E
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Tue, 20 Aug 2019 09:28:20 -0400
Message-Id: <02669859-3065-478A-AC9E-2C921976A745@gmail.com>
References: <CALj3Nd01anO_ixbZd1JBm0qTLw4xH9UusgJY7A1grLszFpsrow@mail.gmail.com>
	<CAOw7k5h5SE1XweOp4naQzswek4oHXy9JK-oRkyQLLg2zEigZkw@mail.gmail.com>
	<40745EA5-3815-4E4F-9FE0-8F83697E74BA@bitblocks.com>
	<CAOw7k5icSZpFGnHqsU8P5Q5t6XEEV-ZZ9rPNoaqKiab7O_cceQ@mail.gmail.com>
	<CAOw7k5jc29g4K3H16NR7S4_LMsRKSM46P+vhCdZt3SxqsAsG8Q@mail.gmail.com>
	<CAOw7k5i10arTZr3ovMvk8v1i5zodiPOKSHwS0CYNtY7R4jm35A@mail.gmail.com>
	<CAJSxfmLunMNTa55t_Ouv-08z+PV=FXNxxbAbdg42HWAqGLsMQA@mail.gmail.com>
	<CALj3Nd2ZFPvSZREhfj7yZa-_eA6cfBH2Dw4EvqpRAoyspThe=w@mail.gmail.com>
	<CAOw7k5jzNpyhKy9g1MnHDxT7ovX_y-Wyg=rbdwOekhgjRdVnCg@mail.gmail.com>
	<CAOw7k5heq-9=ZXw8Xde1k4mHq2a6H2GMe0WBjEc9no5PQvuvhA@mail.gmail.com>
	<CALj3Nd3E5YOupxRXi3YMNkV4n-RXRgGVakremXWSj8cvvqbebw@mail.gmail.com>
	<1e801ae2-0d18-4df9-a9a7-ec6480b9b6aa@www.fastmail.com>
	<CALj3Nd0nauMxLiUpioOB=7+j_Jt_u0Sn+_WTfBC=fzyHwBogAw@mail.gmail.com>
In-Reply-To: <CALj3Nd0nauMxLiUpioOB=7+j_Jt_u0Sn+_WTfBC=fzyHwBogAw@mail.gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Plan 9 security
Topicbox-Message-UUID: 059109be-eada-11e9-9d60-3106f5b1d025


--Apple-Mail-A0D0F983-318F-449C-BC7B-889673196E1E
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Fwiw Plan 9=E2=80=99s code vase has indeed been audited. By me. Several expl=
oitable bugs were found including a kernel exploit due to the env driver. I w=
rote a working PoC for it which is somewhere on the internet, but it=E2=80=99=
s quite old.

Much of the code hasn=E2=80=99t changed, and, I would suspect, is largely se=
cure.

But you=E2=80=99re talking implementation security versus architectural secu=
rity. In the case of IoT, Plan 9 does exceptional things to close the gaps t=
hat embedded systems supply its users, but it is nowhere near complete.

Notably, a trusted root environment needs to be added - which Plan 9 only sl=
ightly addresses.=20

Best,
D

> On Aug 20, 2019, at 9:13 AM, Cyber Fonic <cyberfonic@gmail.com> wrote:
>=20
> I don't think OpenBSD will run on an ESP-32.  That is part of the problem w=
ith IoT, the nodes are made on the cheap and thus use the cheapest viable ne=
twork capable device.
>=20
>> On Tue, 20 Aug 2019 at 00:54, Ethan Gardener <eekee57@fastmail.fm> wrote:=

>> On Mon, Aug 19, 2019, at 12:53 PM, Cyber Fonic wrote:
>> >=20
>> > It has been said : "The 'S' in IoT stands for security". If Plan9 can a=
ddress that deficiency of the current state of the art for IoT devices, then=
 it would be a worthwhile exercise.
>>=20
>> Plan 9 may have a decent security model, but it's never been audited.  Au=
diting a codebase, even one as small as Plan 9's, is a lot of work.  Are you=
 willing to make a start on it?
>>=20
>> If you want something free and already audited, with more security featur=
es, (but perhaps not quite the same convenience,) look into OpenBSD.
>>=20
>> --=20
>> I love that *Open*BSD is so *security*-focused!
>>=20

--Apple-Mail-A0D0F983-318F-449C-BC7B-889673196E1E
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div dir=3D"ltr"></div><div dir=3D"ltr">Fwi=
w Plan 9=E2=80=99s code vase has indeed been audited. By me. Several exploit=
able bugs were found including a kernel exploit due to the env driver. I wro=
te a working PoC for it which is somewhere on the internet, but it=E2=80=99s=
 quite old.</div><div dir=3D"ltr"><br></div><div dir=3D"ltr">Much of the cod=
e hasn=E2=80=99t changed, and, I would suspect, is largely secure.</div><div=
 dir=3D"ltr"><br></div><div dir=3D"ltr">But you=E2=80=99re talking implement=
ation security versus architectural security. In the case of IoT, Plan 9 doe=
s exceptional things to close the gaps that embedded systems supply its user=
s, but it is nowhere near complete.</div><div dir=3D"ltr"><br></div><div dir=
=3D"ltr">Notably, a trusted root environment needs to be added - which Plan 9=
 only slightly addresses.&nbsp;</div><div dir=3D"ltr"><br></div><div dir=3D"=
ltr">Best,</div><div dir=3D"ltr">D</div><div dir=3D"ltr"><br>On Aug 20, 2019=
, at 9:13 AM, Cyber Fonic &lt;<a href=3D"mailto:cyberfonic@gmail.com">cyberf=
onic@gmail.com</a>&gt; wrote:<br><br></div><blockquote type=3D"cite"><div di=
r=3D"ltr"><div dir=3D"ltr">I don't think OpenBSD will run on an ESP-32.&nbsp=
; That is part of the problem with IoT, the nodes are made on the cheap and t=
hus use the cheapest viable network capable device.</div><br><div class=3D"g=
mail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, 20 Aug 2019 at 00:=
54, Ethan Gardener &lt;<a href=3D"mailto:eekee57@fastmail.fm">eekee57@fastma=
il.fm</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1e=
x">On Mon, Aug 19, 2019, at 12:53 PM, Cyber Fonic wrote:<br>
&gt; <br>
&gt; It has been said : "The 'S' in IoT stands for security". If Plan9 can a=
ddress that deficiency of the current state of the art for IoT devices, then=
 it would be a worthwhile exercise.<br>
<br>
Plan 9 may have a decent security model, but it's never been audited.&nbsp; A=
uditing a codebase, even one as small as Plan 9's, is a lot of work.&nbsp; A=
re you willing to make a start on it?<br>
<br>
If you want something free and already audited, with more security features,=
 (but perhaps not quite the same convenience,) look into OpenBSD.<br>
<br>
-- <br>
I love that *Open*BSD is so *security*-focused!<br>
<br>
</blockquote></div>
</div></blockquote></body></html>=

--Apple-Mail-A0D0F983-318F-449C-BC7B-889673196E1E--