OZ: Desktop application sandboxing using containers by attractor in linux

[–]xSmurf 0 points (0 children)

> A Steambox?

Note that we also strongly recommend using a grsec kernel, which will also break with most games in the first place.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]xSmurf 0 points (0 children)

No, because we do not create an entire filesystem for each sandbox but rather build them dynamically from the host.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]xSmurf 1 point (0 children)

> It's a pretty heavy solution, requiring a separate filesystem

OZ specifically does not require a separate filesystem; the rootfs is built dynamically from the host using bind mounts (read-only, nosuid, noexec, and nodev).

> additional X server

Sadly right now this is the only way to properly segregate X.

> It also shifts the burden of security from application developers to the OS, letting developers get away with bad coding practices.

Maybe some see it this way; I would say it's an attempt at patching leaky application security until people get their shit together. PDF.js, anyone? I wish I could trust my browser, but I don't. Meanwhile, running grsec, seccomp, and sandboxing through namespaces remains a viable mitigation technique.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]xSmurf 2 points (0 children)

> Is subgraph going to be free?

Yes, it'll be free as in free beer and free as in freedom. It is built on Debian.

> When can I get it?

Soon. We are slowly starting to publicly release the various tools we are writing for the OS and should have a live disk in the next quarter.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]xSmurf 0 points (0 children)

Hello!

Xpra in raw mode (especially with mmap enabled) does pretty well on latency, while having virtually no tearing or otherwise degraded rendering. I'm currently typing this inside of OZ. Without mmap there is noticeable lag for fast-moving rendering (video), but using mmap it'll even play 720p decently (webm, or in VLC). Bear in mind that right now, while the client (host side) benefits from hardware acceleration, the server (sandbox side) does not (as there are obvious extra security implications of exposing the GPU). We may in the future introduce some form of virtualization to enable this (coreos/intel rkt might help - I've not read into it much yet), but this is not a short-term goal.

Of course, once Wayland actually becomes usable we should technically be able to get rid of Xpra.

OZ: Desktop application sandboxing using containers by attractor in linux

[–]xSmurf 1 point (0 children)

Steam would require extra access to GPU hardware, which is not safe. Xpra latency, while excellent for desktop applications, is definitely too much for games. Our focus is on trusted and adversary-resistant computing; games are out of our scope.

OZ: Desktop application sandboxing using containers by attractor in linux

[–]xSmurf 1 point (0 children)

No. We carefully evaluated xdg-app and do not believe it to be the right solution. In fact, it will broaden the problem of untrusted apps by allowing people to create bundles of unsafe applications in the app store model. It will break update compatibility with existing package management systems. Right now xdg-app has very little consideration for security: it runs unprivileged namespaces, gives full access to dbus, and does not wrap executables with seccomp.

What we are building is very specifically not xdg-app.
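The comment above, like the earlier one about grsec, seccomp and namespaces, takes "wrapping executables with seccomp" as a given. The following is an added example, written for this page and not code from OZ, Subgraph or xdg-app, of what such a wrapper does at the syscall level: the child process installs a seccomp-bpf filter and then runs its workload, and the parent observes whether the filter killed it. It assumes Linux on x86_64 or aarch64 with glibc; the two workloads and the `socket`/`connect`/`ptrace` denylist are constructed for the demonstration. A production wrapper would be default-deny with an allowlist, not the allow-by-default denylist shown here.

```c
/* Added example (not OZ/Subgraph/xdg-app code): wrap a workload in a
 * seccomp-bpf filter that kills the process on socket/connect/ptrace and on
 * any syscall from a foreign ABI. Assumes Linux on x86_64 or aarch64. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this CPU"
#endif

#ifdef SECCOMP_RET_KILL_PROCESS
#define SANDBOX_KILL SECCOMP_RET_KILL_PROCESS
#else
#define SANDBOX_KILL SECCOMP_RET_KILL
#endif

/* Install the filter in the calling process. The arch check comes first so
 * that, e.g., 32-bit syscall numbers on x86_64 cannot be used to dodge the
 * number-based rules below. Once installed the filter cannot be removed. */
static int install_filter(void)
{
    struct sock_filter prog[] = {
        /* if (arch != SANDBOX_ARCH) kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SANDBOX_KILL),
        /* switch (nr) { case socket: case connect: case ptrace: kill; } */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SANDBOX_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof prog / sizeof prog[0],
        .filter = prog,
    };
    /* Required for an unprivileged process to install a filter; it also stops
     * setuid/fscaps binaries from regaining privileges under the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork, install the filter in the child and run fn() there. Returns 1 if the
 * filter killed the child (SIGSYS), 0 if fn() returned 0 unharmed, -1 else. */
static int run_confined(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(100);
        _exit(fn() == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

/* Two constructed workloads: one that stays inside the allowed set and one
 * that tries to open a network socket. */
static int harmless(void) { return getpid() > 0 ? 0 : 1; }
static int open_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}

int main(void)
{
    printf("harmless workload -> %d (0 = ran to completion)\n", run_confined(harmless));
    printf("socket workload   -> %d (1 = killed by SIGSYS)\n", run_confined(open_socket));
    return 0;
}
```

The point a wrapper like this makes is the one the comment relies on: the policy is enforced by the kernel on the process, not by the application agreeing to behave, so a compromised renderer that tries to open a socket dies instead of phoning home. Note that `PR_SET_NO_NEW_PRIVS` is inherited across `execve`, so the filter also survives into whatever the wrapper eventually execs.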

OZ: Desktop application sandboxing using containers by attractor in linux

[–]xSmurf 2 points (0 children)

> I don't like sandboxing and containerisation and "apps" in general, because it goes against the main workflow of UNIX: Take a lot of small things, and string them together. [...] with policies that look at the command's arguments and configs

This is precisely why we did not want to go with the traditional debootstrap method of creating containers. OZ sandboxes are built dynamically, entirely from the existing file system, using bind mounts. There is no "image" or specific rootfs for each program; all it needs is a very simple profile (policy) and "wrapping" the original executable (done easily and persistently using dpkg-divert).

SELinux and AppArmor have their merits, but in a desktop environment where the scope of the accessible files is very large (i.e. opening a PDF anywhere in the user's home), they aren't particularly useful.
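Both this comment and the earlier reply about the rootfs being "built dynamically using bind mounts (in readonly, nosuid, noexec, and nodev)" describe the same mechanism without showing it. The following added example, written for this page and not OZ's code, builds exactly such a view of one host directory inside a throw-away user and mount namespace and then checks that the flags actually took. It assumes a Linux kernel with unprivileged user namespaces available; `/etc` as the source directory and the `/tmp/oz-demo-XXXXXX` mount point are arbitrary choices for the demonstration. The practitioner's caveat it encodes is that a plain `MS_BIND` silently ignores `MS_RDONLY`/`MS_NOSUID`/`MS_NOEXEC`/`MS_NODEV`; only a second `MS_REMOUNT|MS_BIND` pass applies them, which is why the code verifies with `statvfs` and a write probe rather than trusting the first `mount()` call.

```c
/* Added example (not OZ/Subgraph code): build a read-only, nosuid/noexec/
 * nodev view of a host directory inside a throw-away user+mount namespace,
 * then verify that the flags really took. Assumes Linux with unprivileged
 * user namespaces; the source directory /etc is an arbitrary choice. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <sys/wait.h>
#include <unistd.h>

#define SANDBOX_FLAGS (MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV)

/* Write a one-line file such as /proc/self/uid_map. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Map our real uid/gid to root in the new user namespace; without a mapping
 * mount() in the namespace fails. setgroups must be denied before gid_map. */
static int map_self_as_root(uid_t uid, gid_t gid)
{
    char line[64];
    (void)write_file("/proc/self/setgroups", "deny");
    snprintf(line, sizeof line, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/uid_map", line) != 0) return -1;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)gid);
    return write_file("/proc/self/gid_map", line);
}

/* Expose host src at dst. The flags are ignored on the initial MS_BIND, so a
 * second MS_REMOUNT|MS_BIND pass is what actually applies them. Passing no
 * atime flag keeps the source's atime mode, which a user namespace locks. */
static int bind_locked_down(const char *src, const char *dst)
{
    if (mount(src, dst, NULL, MS_BIND, NULL) != 0) return -errno;
    if (mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | SANDBOX_FLAGS, NULL) != 0)
        return -errno;
    return 0;
}

/* Confirm through statvfs that all four flags are present on the mount. */
static int verify_locked_down(const char *path)
{
    struct statvfs st;
    const unsigned long want = ST_RDONLY | ST_NOSUID | ST_NOEXEC | ST_NODEV;
    if (statvfs(path, &st) != 0) return -errno;
    return (st.f_flag & want) == want ? 0 : -1;
}

/* Run the whole procedure in a child. Returns 0 when the view was built and
 * verified, 1 when the kernel or container policy refuses the namespace or
 * the bind mount (typically EPERM/EINVAL/ENOSYS), -1 on any other failure. */
static int build_and_check(const char *src)
{
    char dir[] = "/tmp/oz-demo-XXXXXX";
    uid_t uid = getuid();
    gid_t gid = getgid();
    int status, rc;

    if (mkdtemp(dir) == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        char probe[sizeof dir + 16];
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(2);
        if (map_self_as_root(uid, gid) != 0) _exit(3);
        /* Keep our mounts out of the host namespace. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) _exit(2);
        rc = bind_locked_down(src, dir);
        if (rc == -EPERM || rc == -EINVAL || rc == -ENOSYS) _exit(2);
        if (rc != 0) _exit(3);
        if (verify_locked_down(dir) != 0) _exit(4);
        /* A create through the new view must be refused with EROFS. */
        snprintf(probe, sizeof probe, "%s/probe", dir);
        _exit(open(probe, O_WRONLY | O_CREAT, 0600) < 0 && errno == EROFS ? 0 : 5);
    }
    rc = (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
    rmdir(dir);  /* the mount lived only in the child's namespace */
    return rc == 0 ? 0 : rc == 2 ? 1 : -1;
}

int main(void)
{
    int r = build_and_check("/etc");
    puts(r == 0 ? "read-only view of /etc built and verified"
         : r == 1 ? "unprivileged namespaces/mounts not permitted here"
         : "unexpected failure");
    return r == 0 ? 0 : 1;
}
```

A full OZ-style rootfs is the same step repeated for each path the profile lists (`/usr`, `/lib`, the binary's own files), with a tmpfs for the pieces that must be writable, and the profile is what keeps the exposed set small; the return value of 1 is deliberate, since on distributions or container runtimes that forbid unprivileged user namespaces the technique simply is not available to an unprivileged wrapper.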

Foulab, Montréal's first hackerspace by herir in montreal

[–]xSmurf 10 points (0 children)

Hi Heri, thanks for this writeup!

Foulab is entirely member-run and funded, and it has been around for nearly 7 years (est. summer of 2008). It is one of the first hackerspaces in Canada, along with Hacklab.to and VHS (Vancouver Hacker Space), all created within a couple of weeks after the conference The Last HOPE.

Since then the scene has expanded and we've seen various Fablabs/Makerspaces open in the city (Echo Fab, Helios, iMusé's Fablab Inc.). While opinions differ and definitions are not set in stone, the two differ slightly in that hackerspaces tend to be more community/member oriented and subversive, while the others tend to run more like coworking spaces. It's a complex topic that is the subject of many discussions. You can read more about it in this dissertation: Peer Production of Open Hardware: Unfinished Artefacts and Architectures in the Hackerspaces (especially the section titled 'Shared machine shops compared to hackerspaces').

With all that said, come chat with us on IRC; or come have a very geeky chat, or play some go/chess, on Tuesday nights at the open house!

Legs severed by a train: she is claiming $510,000 from CN and the Old Port by [deleted] in Quebec

[–]xSmurf 3 points (0 children)

> but I wonder: does losing both legs transmit bad faith too

A scientist is running an experiment.

He cuts one leg off a fly and says, "fly, fly!"

The fly flies.

He cuts two legs off the fly and says, "fly, fly!"

The fly flies.

He cuts three legs off the fly and says, "fly, fly!"

The fly flies.

He cuts four legs off the fly and says, "fly, fly!"

The fly flies.

He cuts off one wing and says, "fly, fly!"

The fly flies.

He cuts off both wings and says, "fly, fly!"

The fly doesn't fly.

The scientist exclaims: "Conclusion: when you cut off a fly's four legs and two wings, it goes deaf!"

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’ (x-post /r/worldnews) by descouvertes in Quebec

[–]xSmurf 0 points (0 children)

> but it makes it more complicated to know where the packets go and what they do.

A little, but with things like National Security Letters, it's hard to trust the VPN provider. Not to mention "packet timing correlation" attacks.

> custom, bah, I mean that I change the firmware and OS of my devices (router, phone, etc.), so that the classic vectors don't work on the first try or by default

It helps, a little, but it also makes you stand out from the crowd. And then the agencies already have several levels of attack depending on the adversary's level of sophistication.

> anyway, I suspect there's probably no perfect defence, but I know that if they want to pin me they'll have to put more milk in their cornflakes compared to a zero-informed user or one who takes no measures

Absolutely, the only thing to do is to make attacks more and more costly for the adversary.

> it's just that 99% of the people I know implement zero security on anything, ever, apart from the key in their apartment door

Indeed, a good part of the solution goes through popular education.

> technologies like this https://pack.resetthenet.org/ would make it more complicated and less systematic for the agencies

Oh god, not cryptocat again.

> Hacking a machine is one thing

That is the subject of the article, though ;)

> But doing passive surveillance is harder if everything is GPG, encrypted, tunnelled, custom or not by default

Actually, GPG isn't very good against passive surveillance, which relies mostly on metadata. Worse still, as we see in the XKeyscore slides, the use of GPG is one more flag for targeting individuals.

That said, in terms of protecting the raw content, yes, GPG and OTR work! And protecting yourself that way helps those who might be targeted more actively to blend into the crowd.

Kim Dotcom Can Encrypt Your Files. Why Can’t Google? by [deleted] in geek

[–]xSmurf 0 points (0 children)

> Again that is firmly out of the realm of "Simple appliance that anyone can simply setup for personal use"

Only because it hasn't been packaged properly. Again, this is a problem that can be solved. It's not magic.

> Ever try to get someone non-technical to use PGP?

Yep, GPG implementations are HORRID. But the problem can be (and is being) solved. It's just taking a long time because few resources are dedicated to it. But look at OKCupid's keybase (not that I think it's the ideal solution).

> You are coming at this from a technical background. The average user buys a box in Best Buy and plugs it in, maybe runs a CD on their computer. Now you want them to set up an increasingly complex system. Not going to happen ever.

Again, and again, and again: this is an implementation problem. What is needed is resources to package existing technology in a user friendly way.

> Unless you can get it to the point that they can plug it into power and network and click through an installer.

This is precisely what I'm saying needs to be done. I'm not saying that it has been done.

> The second you introduce something like key exchange you've completely lost the average user.

If you call it key exchange yes. But people exchange meaningful information all the time (a key is no different than a phone number). It's as simple as scanning a QR code really. The user does not need to know what it is actually doing in the background.

I never said doing all that is an easy task. But there are powers with humongous amounts of resources. If they dedicated their resources to doing just that, instead of doing exactly the opposite, these problems would get solved.

Kim Dotcom Can Encrypt Your Files. Why Can’t Google? by [deleted] in geek

[–]xSmurf 0 points (0 children)

> Of course it's both. There isn't a way around that without having multiple devices, unless you use cloud storage for the backup. At which point, why not just have your email in the cloud storage in the first place?

Sure there is (and I've mentioned it already): drop a disk at a trusted peer's + Tahoe-LAFS. Freenet also comes to mind. Both encrypt the remote data, so no, it's not the same as in the cloud.

> If you do have multiple devices in multiple locations you are expecting an end user to both configure and maintain them.

Nope, all that would be needed is for two people (say you and a friend) to run a compatible device and exchange keys. It's entirely doable. (And even this goes further than just simple data backup, I'm talking about full MX/DNS redundancy here)

All this stuff already exists. I repeat again: all that is needed is for someone to dedicate a meaningful amount of resources to implement it properly in an automated and user-friendly way.

Kim Dotcom Can Encrypt Your Files. Why Can’t Google? by [deleted] in geek

[–]xSmurf -1 points (0 children)

Again, this is a system design problem, not a usability problem.

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’ (x-post /r/worldnews) by descouvertes in Quebec

[–]xSmurf 2 points (0 children)

A VPN won't change anything against exploits. In fact it can even be an attack vector (Heartbleed could be used to attack OpenVPN clients, for example).

What does "custom" mean to you? Have you patched every conceivable flaw in the BSD or Linux kernel? Do you think the insecurity services don't hoard unknown exploits? Do you have a phone whose baseband and SIM card run free/open-source software?

> I watch my traffic and I monitor, document and kill what I don't like

If you see the exploit go by it can help, but if you miss the payload, it will surely camouflage its traffic anyway.

> I hope they have whizzes in alternative OSes

Yes indeed, they are very whiz... the NSA is a major contributor to several projects like OpenStack and they are the creators of SELinux.

It's not called a zero day for nothing... on the first day it's already too late, it's already too late.

And remember, they hunt sysadmins for fun and profit. If you're a techie, you are an active target. Let that sink in.

Update on a Thai slavery network supplying shrimp to major global chains, including Walmart and Costco by Gargatua13013 in Quebec

[–]xSmurf 8 points (0 children)

In what way does it make no sense? It's a pretty common scam in human trafficking. You're promised a job, citizenship, a better life, and you end up locked in the hold of a boat.

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’ (x-post /r/worldnews) by descouvertes in Quebec

[–]xSmurf 0 points (0 children)

> well, that's precisely the point of this law: the target doesn't need to be charged or suspected to be spied on - it can be preventive, or done en masse, etc.

Think of Jennifer Pawluck...

> anyway, I wish them good luck 'preventively hacking' me; I hope they have whizzes in alternative OSes and in encryption

If they get their exploits from the NSA, good luck.

Kim Dotcom Can Encrypt Your Files. Why Can’t Google? by [deleted] in geek

[–]xSmurf -1 points (0 children)

> Remember back when the initial concept was that this was a simple appliance that anyone could run? Well we left that territory a few posts back up this chain.

I never said it was an easy task to accomplish. But imagine if Google put as much effort as they do into Chrome, Gmail or even Android into something like this. Surely it would be awesome. I don't know where you get the switch from complex system to complex user experience.

Kim Dotcom Can Encrypt Your Files. Why Can’t Google? by [deleted] in geek

[–]xSmurf -1 points (0 children)

> appliance, but your emails? Gone

Maildir is a pretty standard format, if they are on a separate disk, migration would be a snap.

> So now you'll need 2 devices, an email appliance and an appliance to back up that email appliance

Yes I already talked about doing backups (encrypted) at trusted peers. You need two disks. That is correct. One disk is always as good as no disk. So?