Sun Aug 14 12:11:58 EDT 2016

The Unit Machine

- Platform

Limited to Debian Linux, ideally synchronized to run the same versions
on all hosts to reduce complexity.  This can be relaxed when
interfaces allow it and it is needed for other reasons, e.g. to use
OpenWRT or uC RTOS, or mix Debian stable and testing/experimental for
security and stability reasons.

- Access control / attack surface

The system is split into an inside and an outside.  The idea is that
if one internal node is compromised, all nodes will be compromised.
Local users are trusted.

The external internet attack surface consists of SSH with pubkey
authentication.  This is unlikely to be a problem.

Takeover is most likely to happen through trojan or malicious external
web services, followed by local privilege escalation.  The risk for
this seems acceptable, and similar to single-host operation.

Node interconnect is done over OpenVPN with shared keys.  This allows
to distinguish between possibly malicious IoT devices and the unit

Where access is made to the outside world, care is taken to use "dumb"
protocols, client-originated requests, and high level language
protocol parsers.

- Trusted internal network

The internal network inside the OpenVPN space has relaxed constraints,
and uses NFS for file sharing, Erlang distribution protocol for
connecting host control software, and pubkey ssh access for remote
command execution.

Internal protocols still have security mechanisms that protect against
bugs and unsophisticated malicious users that can not perform a
service takeover followed by a local escalation attack.

Basically, I spent a lot of time being paranoid and trying to
understand the trust structure but the main point is that this seems
reasonable to the point of not needing more attention.