Hi again,
everything you write resonates very well with me. I hope that Genode will eventually become a viable technological foundation for Qubes-like solutions. There is still a long way to go. But with the Turmvilla scenario, we are taking the first baby steps in this direction.
On 15.06.2015 04:17, Jookia wrote:
On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
Basically, it looks like Genode is about the only way to be NSA-proof. Yes, the NSA will likely be able to tell that you're using Genode, but they won't be as able to hack it as with Tails.
Let's not assume there's a silver bullet for security. It's all about threat modelling, which in turn is all about resources and data. No operating system will protect you against hardware implants, not even Genode.
Tails' threat model is designed to avoid unwillingly giving off distinguishing data about the user in communication sessions or to storage. It does this quite well I think. I'm not sure how Genode could help here.
If you haven't read up on Qubes, you should. It's a brilliant system that has a design I think Genode is suited for, and perhaps what you're looking for. Using that design I'd run a desktop with isolated workspaces, mostly offline. For the small amount of applications that I connect online with, I'd give them access to Tor as their only network source and a limited file system. If the applications are compromised, they wouldn't be able to do much aside from thrash about before I force them to quit.
Qubes OS separates its applications into a number of partitioned domains which doesn't really seem that optimal. In the above example with Qubes I'd probably have all the net applications running in a single domain meaning if my web browser was exploited then my other applications such as my instant messenger and email could be compromised too. Luckily it wouldn't compromise my other domains containing things like my personal documents and programming projects.
I think Genode could replace the idea of partitioned domains with some kind of per-process resource policies, meaning I wouldn't have to decide what applications shouldn't share but instead what they should. In this case they'd all have access to the Tor daemon and their own per-process file system but not each other, further reducing the TCB. From a user's point of view there's still partitioning, but it's at the resource level rather than domain level.
This is spot-on!
Actually, even when using a full VM on top of Genode, the TCB for keeping VMs isolated is much smaller compared to the current state of the art. E.g., NOVA is an order of magnitude less complex than Xen. Granted, there are resource multiplexers that are shared by different domains (like the nitpicker GUI server or the NIC bridge). But in contrast to a Linux-based dom0, those components are small enough for a thorough evaluation.
Of course if you wanted to run GNU applications you could use virtual machines as domains in a similar manner to what Qubes OS actually does, though you lose the benefits of reducing the size of your TCB to the necessary parts. This would actually be a good stepping stone until Genode has more applications.
There is also the Noux runtime as a middle-ground, which allows us to use command-line-based GNU software (like Vim, GCC, make) directly on Genode.
In your other email, you asked about the security of the Arora web browser. To be honest, I would not trust the code of Arora + WebKit + Qt5 to be secure. It is too complex for a realistic assessment. But while not trusting the code, we still know that the web browser cannot store any information to disk. It cannot even see any files of the user. It can merely observe the user input referring to the browser window. It cannot install any spyware. It cannot ptrace other processes. It does not even know which other components exist on the system. Hence, even though we cannot make any assumption about the security of the web browser itself, we know that it can do less harm when executed as a sandboxed Genode component. The same idea applies to other applications like a media viewer (where a bug in a codec would normally pose a security risk) or a PDF reader.
Cheers,
Norman
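The per-process resource policy Jookia describes ("decide what applications should share, not what they shouldn't") and the sandboxed browser Norman describes (no disk, no view of the user's files, no knowledge of other components) can be sketched as a Genode init configuration. The following is an added example written for this page, not code from the thread or from the Genode project. The component names tor, browser, messenger, browser_fs and messenger_fs are hypothetical (there is no Genode Tor component in the thread; here it is assumed to offer a Nic service), the RAM quotas are arbitrary, and the service names follow the Genode naming of the time (the core services ROM, RAM, CAP, PD, RM, CPU, LOG and SIGNAL, plus Nic, File_system, Nitpicker and Timer). ram_fs and nic_bridge are real components mentioned in or implied by the thread; the ram_fs policy attributes shown are those of that era.

```xml
<!-- Added illustrative init configuration (not from the thread or Genode). -->
<config>
	<!-- Services init may request from its parent. A service not listed
	     here can never be obtained from outside this subsystem. -->
	<parent-provides>
		<service name="ROM"/>  <service name="RAM"/>  <service name="CAP"/>
		<service name="PD"/>   <service name="RM"/>   <service name="CPU"/>
		<service name="LOG"/>  <service name="SIGNAL"/>
		<service name="Timer"/>
		<service name="Nitpicker"/>   <!-- the shared GUI server -->
		<service name="Nic"/>         <!-- e.g. a nic_bridge one level up -->
	</parent-provides>

	<!-- Deliberately no <default-route>: a session request that matches
	     none of the explicit routes below is denied by init. -->

	<!-- Hypothetical Tor component: the only child routed to the real
	     network; it offers a Nic service to the applications. -->
	<start name="tor">
		<resource name="RAM" quantum="32M"/>
		<provides> <service name="Nic"/> </provides>
		<route>
			<service name="Nic"> <parent/> </service>   <!-- real network -->
			<any-service> <parent/> </any-service>      <!-- core services -->
		</route>
	</start>

	<!-- One private, volatile file system per application. Nothing
	     written here ever reaches a disk, and neither instance is
	     routed to the other application. -->
	<start name="browser_fs">
		<binary name="ram_fs"/>
		<resource name="RAM" quantum="16M"/>
		<provides> <service name="File_system"/> </provides>
		<config> <policy label="browser" root="/" writeable="yes"/> </config>
		<route> <any-service> <parent/> </any-service> </route>
	</start>
	<start name="messenger_fs">
		<binary name="ram_fs"/>
		<resource name="RAM" quantum="16M"/>
		<provides> <service name="File_system"/> </provides>
		<config> <policy label="messenger" root="/" writeable="yes"/> </config>
		<route> <any-service> <parent/> </any-service> </route>
	</start>

	<!-- The applications. Each route lists what the component may share
	     (tor, its own file system, the GUI server, a timer) and nothing
	     else; init matches routes in order, so "Nic" resolves to tor
	     before the parent fallback is ever considered, and "File_system"
	     can only reach the application's own ram_fs instance. -->
	<start name="browser">
		<resource name="RAM" quantum="256M"/>
		<route>
			<service name="Nic">         <child name="tor"/>        </service>
			<service name="File_system"> <child name="browser_fs"/> </service>
			<service name="Nitpicker">   <parent/>                  </service>
			<service name="Timer">       <parent/>                  </service>
			<!-- remaining core services (ROM, CPU, PD, ...); bounded by
			     <parent-provides> above -->
			<any-service> <parent/> </any-service>
		</route>
	</start>
	<start name="messenger">
		<resource name="RAM" quantum="64M"/>
		<route>
			<service name="Nic">         <child name="tor"/>          </service>
			<service name="File_system"> <child name="messenger_fs"/> </service>
			<service name="Nitpicker">   <parent/>                    </service>
			<service name="Timer">       <parent/>                    </service>
			<any-service> <parent/> </any-service>
		</route>
	</start>
</config>
```

The check a practitioner would make against such a configuration is to walk each application's `<route>` and ask what a compromised component could reach: here the browser can open sessions only to tor, browser_fs, the GUI server, a timer and core services, so it has no route to the messenger, to messenger_fs, or to the real Nic at all. Dropping the browser's File_system route entirely is the strictest reading of "cannot store any information to disk"; keeping a per-application ram_fs gives the application a scratch space that is still invisible to every other component.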