The CLIP OS project is an open source project maintained by the National Cybersecurity Agency of France (ANSSI) that aims to build a hardened, multi-level operating system, based on the Linux kernel and a lot of free and open source software.

History

Initially developed to answer the security requirements of French administrations, the previous versions of CLIP OS were not publicly available.

Since September 2018, the project sources are published and the project is open to contributions. Here is the list of the elements published:

The source code and documentation (in French) of CLIP OS version 4. This source archive is made available as a reference for upstream patches contribution and future developments. For more information, see the page for the version 4.

The source code and documentation (in English) of CLIP OS version 5. This is the current and actively developed version of the project which is considered to be in beta status. For more information, see the page for the version 5.

CLIP OS version 4

We are publishing the version 4 of the project as a non-working reference source archive. This version is the result of more than ten years of internal development at ANSSI and includes the implementation of various security features to harden a Linux based operating system.

Along with the source code archive, we have declassified the project documentation (in French) with the description of security features implemented in CLIP OS version 4.

For more information, see the page for the version 4.

CLIP OS version 5

The version 5 is the currently developed version of the CLIP OS project. This version is still in the beta stage, but already includes interesting security properties:

system-wide enforced filesystem integrity protections;

system-wide enforced distinction between applications binaries and system data;

UEFI Secure Boot support.

The development is now realized publicly and the project is open to discussions, contributions and suggestions from the community.

For more information, see the page for the version 5.

Contributing

Please refer the instructions on the page for the version 5.

Why is ANSSI opening up the source code of CLIP OS?

The public release of the CLIP OS project is part of the “plan for a transparent and collaborative public action” (in French), driven by the French DINSIC.

Opening up the CLIP OS project source code is also a way for ANSSI to share its work and to enable everybody to benefit from it and reuse it to build hardened Linux systems based on CLIP OS.

Will the CLIP OS project be maintained by ANSSI?

Yes. The project is currently in beta status and is under active development. The CLIP OS development team at ANSSI will progressively add missing functionalities and security features. The first stable version will be released once the project is considered mature enough for production and end-user handling.

Is this a “government made” operating system?

No. The CLIP OS project is lead and maintained by developers from ANSSI but most of the source code resulting in the final CLIP OS system image comes from popular open source projects (the Linux kernel, the GNU Compiler Collection, etc.).

The project is based on Gentoo Hardened and has many similarities with Chromium OS or the Yocto project.

Licenses used for the published source code

This project is based on a lot of publicly developed open source software. The parts of the code that are specific to the project are available under an open source license (mainly LGPL 2.1+).

Expected security features and major differences from other operating systems

The CLIP OS project is based on more than ten years of internal development at ANSSI to build a hardened operating system.

Here is a list of security properties that are not easy to obtain in currently available operating systems:

Multi-level support to handle information at multiple confidentiality levels.

Restricted administrator access in production: an administrator should not be able to compromise a system deployed in production nor access user data.

Fully automated and unattended builds from source of the system images.

Deep environment integration opportunities.

The complete list of available features is included in the documentation for each version (see links on the page for the version 4 and version 5).

What are the differences with Qubes OS?

Even though the CLIP OS and Qubes OS projects have a lot of similar objectives, they differ in practice on several topics:

The main mechanism for environment isolation is different: CLIP OS leverages Linux kernel primitives to create containers with the help of additional features brought by Vserver, Linux kernel hardening (grsecurity for version 4) and a tailored Linux Security Module (LSM). This approach enables a fine-grained control on the data exchanges between isolated environments (e.g., handling a notion of files, processes and sockets) and permissions (e.g., restriction to ring 3 features for malicious code, limitation on the allowed system calls). Qubes OS leverages hardware based virtualization with a hypervisor (Xen), and a main virtual machine (dom0) which is a GNU/Linux system with services handling data exchange between virtual machines.

Administrators have different roles and powers: Administrators on a CLIP OS system are not able to compromise system integrity or access user data. They can only access a restricted set of configuration options. On Qubes OS systems, the main user of each virtual machine is also the administrator of its own environment. The system administrator of the main domain (dom0) can change all the configuration options and may access all user data without any restriction.



Just like the Gentoo project, CLIP OS is mostly available as source code that you need to process to create a system image. For now, there are no pre-packaged version of CLIP OS 5 made available. The documentation contains all the instructions to enable you to build your own version of CLIP OS 5.

Is this project related to CLIP (Certifiable Linux Integration Platform)?

No. This is a different project with no relation with the CLIP OS project. The name similarity is a coincidence.

There are a lot of reference to the shorter name “CLIP” in the source code of the CLIP OS version 4 as it was the historic name of the project.

The current official and only name of the project is “CLIP OS”.

About ANSSI

The National Cybersecurity Agency of France (ANSSI) is the French authority in the area of cyberdefence and network and information security (NIS). To fulfill its missions, ANSSI deploys a broad range of regulatory and operational activities, from issuing regulations and verifying their application, to monitoring, alert and rapid response – particularly on government networks.

What we seek to promote

ANSSI provides its expertise and technical assistance to government departments and businesses and plays an enhanced role in supporting operators of vital importance.

It is responsible for promoting technologies, trustworthy products and services, systems and know-how both to experts and to the general public. It therefore plays a role in developing trust in the use of digital technologies.

If you would like to know more, please read: Our audiences and our activities.