On Mon, Jun 15, 2015 at 11:00:54AM +0200, Norman Feske wrote:
> Hi again,
> everything you write resonates very well with me. I hope that Genode will eventually become a viable technological foundation for Qubes-like solutions. There is still a long way to go. But with the Turmvilla scenario, we are taking the first baby steps in this direction.
I'm so glad! One thing holding me back from going the Turmvilla route is actually the window manager not being tiled. Maybe that's just an excuse.
> This is spot-on!
> Actually, even when using a full VM on top of Genode, the TCB for keeping VMs isolated is much smaller compared to the current state of the art. E.g., NOVA is an order of magnitude less complex than Xen. Granted, there are resource multiplexers that are shared by different domains (like the nitpicker GUI server or the NIC bridge). But in contrast to a Linux-based dom0, those components are small enough for a thorough evaluation.
That's quite interesting. I have a feeling somewhere down the line someone will get Qubes running on Genode, whether as just the hypervisor or as the GUI too.
> There is also the noux runtime as a middle-ground, which allows us to use command-line-based GNU software (like Vim, GCC, make) directly on Genode.
I've heard about that which gives me a lot of hope about some kind of transition of my standard applications which are mostly terminal-based at this point. Unfortunately being the GTK+ fan I am, there'll be some pain there.
> In your other email, you asked about the security of the Arora web browser.
I didn't actually ask this, but I'm still interested in the discussion so I suppose I'll weigh in.
> To be honest, I would not trust the code of Arora + Webkit + Qt5 to be secure. It is too complex for a realistic assessment. But while not trusting the code, we still know that the web browser cannot store any information to disk. It cannot even see any files of the user. It can merely observe the user input referring to the browser window. It cannot install any spyware. It cannot ptrace other processes. It does not even know which other components exist on the system. Hence, even though we cannot make any assumption about the security of the web browser itself, we know that it can do less harm when executed as a sandboxed Genode component. The same idea applies to other applications like a media viewer (where a bug in a codec would normally pose a security risk) or a PDF reader.
I'd argue browsers are fundamentally broken. I love the web, but we have to keep in mind that browsers aren't here to empower us. They're basically sandboxed operating systems whose sole purpose is to run nonfree code downloaded from the Internet and execute it somewhat safely. You can't modify this code and fix it or improve it as it's nonfree. You also can't run your own code or verify it to have nice things like actual end-to-end encryption working securely.
Isolating browsers is a useful tool but we still end up with the problem of them being black boxes where the user doesn't control the data inside them. This is quite a bleak situation, I think it boils down to being cautious of monolithic architectures.
Not all is lost though! I would love to see some hacking on a composable browser like uzbl or surf to leverage Genode's security features. Perhaps then the only black box we'd have would be WebKitGTK. Personally I wouldn't mind a slightly worse engine than WebKit if it meant I could compile a browser in less than twelve hours on ARM, but I'm quite tolerant of feature loss.
> Cheers,
> Norman
Thanks,
Jookia