My OS Security Path: From Pit to Entry

Author | Zhang Tianjia

Planning | Ling Min

Looking back on my programming experience, it has taken more than a decade to get from the initial blind tinkering to being able to participate in and contribute to the basic software community. Unfortunately, most of that experience went in the wrong direction, at least as it looks now. There is really no wonderful story here. I am taking this opportunity to share it with friends in the Dragon Lizard community; readers can treat it as a lesson, learning from other people's setbacks to grow their own wisdom.

Programming from scratch

When I was in school, my major was not software engineering or computer science, nor did I work on any research topics. It was electronic science, which felt very unpromising at the time. Now I only vaguely remember the names of those courses, and their specific content has blurred. This left me a lot of time to play games. It was still very popular to team up to play StarCraft and Warcraft, many tools and programs had to be found online as cracked versions, and the computer had to be kept healthy through constant full antivirus scans, but at that time I didn't know what Linux was used for.

At that time I really envied the hackers who could crack software and write tools. Perhaps out of interest, intentionally or not, I noticed on the Internet and forums that they often used a strange language, which I later learned was assembly language. Without a computer science foundation or any guidance, I embarked on this path, which now seems obviously wrong, and I am glad that I did not give up.

Later, I found some books and materials and imitated them to write some window programs using the Win32 API under Windows, and it felt good at the time. In the school's C language course, the teacher only covered some syntax and the exam content, and apart from the Level 2 exam I did not know what else the language could be used for. By comparison, a window program obviously looked more like a real program; although simple, it kept people interested and was closer to engineering practice.

In this way, over several years, on and off, I basically mastered x86 assembly and the main Win32 APIs, and gained a certain understanding of system fundamentals. Because of my own cognitive blind spots, I chose the wrong introductory language and development environment, which led to many years of detours.

Fortunately, after graduation I was not unemployed, nor did I work in my own major. With the rich programming experience I had taught myself, I finally got into the host security industry, which now seems as traditional as it gets. My main work was developing the real-time monitoring required by antivirus software, along with some malware analysis.

It was 2010, the heyday of the PC, and there was no mobile Internet. Antivirus software was still a must-have and a popular track, with many companies competing in it, no less than in today's community group buying. How popular was it? At that time 360 could still compete with Tencent and could also win general support on the Internet, which can be compared with the situation ten years later.

Back to the main topic: because the work involved system development, I very reluctantly started using C. Perhaps because of my assembly foundation, learning C went much more smoothly, and pointers, which many people criticize, did not seem so complicated. In fact, the industry mainstream at that time was C++, but I never learned it, and to this day I only half understand it.

In more than six years of muddling along like this, I analyzed CVEs, wrote PoCs, and worked on kernel monitoring and various hooks, with development mainly in C, Lua and assembly. However, I basically never did a decent project. As operating systems have in recent years improved their own security and their control over software distribution, installing dedicated host security software on the operating system is becoming less and less necessary.

Security issues in the field of basic software

Perhaps because of my security background, two years ago I got into operating system (OS) security by chance. The security direction of basic software is still quite different from traditional host security.

Traditional security is keen on attack and defense: each time the defense rises a foot, the attack rises higher. Such an infinite cycle never seems to reach an end point of safety, nor can it ever be 100% safe.

Take ransomware, which is now very popular: it is simple, crude malware born along with cryptocurrencies. Bitcoin was born in 2009, when Nokia phones were still universal, Alibaba Cloud had only just started and the iPhone had just debuted. The changes that cloud computing and the mobile Internet have brought to people's lives in this decade, and their social value, are obvious to all.

However, cryptocurrency, more than a decade after its birth, does not seem to have brought any change to society except for the emergence of some industries that cannot live in the sunlight (blockchain, of course, is another matter), so much so that many people still feel that cryptocurrencies are a new thing. Ransomware still has no good solution on the host side at the moment; we can only try to avoid such situations, and perhaps it will really take the natural demise of cryptocurrencies to solve ransomware.

Another problem with this kind of attack and defense is that it cannot be standardized: when your spear is upgraded, my shield must be updated; the attacker hides its attack methods as much as possible, and the defender must likewise keep its defensive details secret. The marginal value of such a security scheme diminishes over time.

Considering security at the basic software level is very different. Digital signatures, encryption algorithms, the TLS protocol and HTTPS are currently the security cornerstones of computers and the Internet. They solve security problems fundamentally, are a more thorough solution, and more easily become internationally common solutions. In addition, because the specifications are public, design defects are fully exposed, which helps gradually improve security capabilities.

After that, I was just in time for the establishment of the Dragon Lizard operating system community. At a time when the country was facing external trade conflicts and technical blockades, as well as domestic data security issues, we decided to make national cryptography (Guomi) across the whole software stack bigger and stronger, relying on the operating system to support it. For our work in the Dragon Lizard community, see the "Shangmi (commercial cryptography) Software Stack SIG", which records our weekly reports, monthly reports and some best-practice cases in more detail.

The Dragon Lizard community is a more open platform. With a platform that can reach the outside world, my work can be run in a community manner and progress faster; I can work with partners in the community who share the same interests, and also bring our results to community users and developers at the earliest opportunity.

I love the saying inside our company: "get things right all at once." Take national cryptography: more than ten years have passed since the algorithm standards first appeared, and there are reasons why it is still not widely used; the fragmentation of projects is a very important one. This is also the principle we insisted on from the beginning: the national cryptography work in Dragon Lizard is not to produce yet another fragmented implementation, but to bring national cryptography together into the basic software that is used every day, avoiding repeated investment of large amounts of domestic resources and manpower in the future, and getting this done well in one go.

With the successful experience of the kernel SM2 algorithm, we became more motivated, and have successively added support for domestic commercial cryptographic algorithms to basic software and cryptographic scenarios such as libgcrypt, OpenSSL, coreutils, IMA, and even RustCrypto in the Rust ecosystem, along with instruction-set optimizations of the SM3/4 algorithms on x86 and Arm64 platforms, and KTLS support for the national cryptographic algorithms.

At present, the development work we have done over the years in the Shangmi ecosystem has been fully given back to the community, most of it contributed upstream to mainstream open source projects, with a total code volume of more than 10,000 lines. For example, we have optimized for the NEON and Crypto Extensions instruction sets under the Arm64 architecture, and performance has taken a qualitative leap.

Many thanks for the support of the community partners and the hard work of the community staff. After more than a year of hard work, we have basically built the basic software infrastructure for Shangmi, not only solving the from-scratch problem but also improving Shangmi performance to the point where it can be industrialized, and, relying on the Dragon Lizard Operating System (Anolis OS), have released the Anolis OS Shangmi edition, which supports full-stack commercial cryptography. Of course, this ecosystem still has a lot of work to do, both horizontally and vertically. More internal and external developers are needed to build it together, and we welcome you to work with us.

(Developer Summit Presentation)

The world of programming languages has always had its disputes between factions, and this text inevitably involves personal subjective judgments; they represent only my personal ideas and opinions and are for reference only.

The following is our team's Shangmi software stack SIG in the Dragon Lizard community. Interested developers are welcome to participate and contribute to China's basic software security.

SIG Address: https://openanolis.cn/sig/crypto

Code base: https://codeup.openanolis.cn/codeup/crypto

About the Author:

Zhang Tianjia, SIG Maintainer, works in security technology development and focuses on the technology development and promotion of domestic commercial cryptography.