Technical Considerations

Compiler Issues:
  • All binaries are statically linked against uClibc, which is better suited for embedded Linux systems than glibc. In particular, the binaries are much smaller, and statically linking busybox and tor doesn't break DNS as it does when statically linking against glibc, which requires NSS support.
  • All binaries were stripped of their symbols for size.

Kernel Issues:
  • A monolithic GRSEC hardened kernel is used to frustrate the insertion of malicious code into kernelspace.
  • PAX hardening is enabled to frustrate buffer overflows against busybox, openntp or tor
  • Kernel support for all 100 MB and 1 GB ethernet cards is enabled, but almost all other features are turned off for size. 10 GB cards are not supported in 20080606 but are in later releases.
  • Minimal logging to dmesg for privacy. dmesg is enabled in 20080606 but disabled in later releases.

Busybox Issues:
  • No console, debian, ext2, linux module, system logging, runit or printing utils. In particular, no system logging utils for privacy.
  • Archives: gunzip to read /proc/config.gz. gzip/gunzip are enabled in 20080606 but disabled in later releases.
  • Coreutils: cat/chmod/chown/df/echo/stty for setup script. Other options enabled in 20080606 are disabled in later releases.
  • Editors: awk/vi for setup
  • Find: grep for setup
  • Init: inittab, poweroff, halt, and reboot support. Controlling tty support for ash shells, which will be removed when ash is removed.
  • Login/Password Management: shadow with internal access, su to start tor under tor UID. Other options enabled in 20080606 are disabled in later releases.
  • Linux System Utils: more/mount. Other options enabled in 20080606 are disabled in later releases.
  • Miscellaneous: bbconfig to get busybox configuration
  • Network Utils: ftpget/ftpput/ifconfig/netstat/nslookup/ping/route for setup. nc is enabled in 20080606 as an alternative way of importing/exporting, but is disabled in later versions.
  • Process Utilities: free/killall/nmeter/ps for setup. sysctl/uptime are enabled in 20080606 but disabled in the later versions.
  • Shells: fully loaded ash, which will be removed in future releases.

Tor Issues:
  • Statically linked against uClibc, stripped.
  • Only the tor binary is included, no tor utilities like tor-resolve are included.

OpenNTP Issues:
  • Time synchronization added to prevent time skews that cause tor to assume established circuits no longer work
  • Statically linked against uClibc, stripped.
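
One way to check an image against the choices listed above, as an added example that is not part of the original page or the project's own tooling: the script audits Kconfig-style text (a kernel config or bbconfig output) against an on/off policy. The symbol names, the reading of "monolithic" as CONFIG_MODULES being off, and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit Kconfig-style text (kernel .config or `busybox bbconfig`
# output) against an on/off policy. Added example, not project code.

# kconfig_state FILE SYMBOL -> prints "on" if SYMBOL=y, otherwise "off".
# A "# CONFIG_X is not set" line and a missing symbol both count as off.
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo on; else echo off; fi
}

# audit_config FILE "SYMBOL=on|off"... -> prints each violation and
# returns the number of violations as its exit status.
audit_config() {
    file=$1; shift
    bad=0
    for rule in "$@"; do
        sym=${rule%%=*}
        want=${rule#*=}
        got=$(kconfig_state "$file" "$sym")
        if [ "$got" != "$want" ]; then
            echo "VIOLATION: $sym is $got, policy wants $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample inputs (not taken from a real image).
SAMPLE_KERNEL=$(mktemp); SAMPLE_BUSYBOX=$(mktemp)
cat > "$SAMPLE_KERNEL" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
# CONFIG_MODULES is not set
EOF
cat > "$SAMPLE_BUSYBOX" <<'EOF'
CONFIG_BBCONFIG=y
CONFIG_SYSLOGD=y
# CONFIG_KLOGD is not set
CONFIG_NC=y
EOF

# Policy for the later releases described above: hardened kernel without
# module loading (assumed meaning of "monolithic"); no logging utils, no nc.
KERNEL_POLICY="CONFIG_GRKERNSEC=on CONFIG_PAX=on CONFIG_MODULES=off"
BUSYBOX_POLICY="CONFIG_SYSLOGD=off CONFIG_KLOGD=off CONFIG_LOGGER=off CONFIG_NC=off"

audit_config "$SAMPLE_KERNEL" $KERNEL_POLICY || true
audit_config "$SAMPLE_BUSYBOX" $BUSYBOX_POLICY || true
```

On a running system the inputs would come from /proc/config.gz (decompressed with gunzip) and from bbconfig, both of which the list above mentions.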