Tor, an anonymity network, is used to get around NSA spying and the like. Unfortunately, the NSA has been using a workaround: hack the computers that try using Tor by exploiting vulnerabilities in Tor Browser, a slightly modified version of Firefox. Tails is a Linux distribution that uses Tor for all its network communications. It seems like Genode would be better-suited for protecting anonymity than Tails. A Tails equivalent seems like a very useful, relatively simple yet incredibly practical use of Genode. Anyone else want to pursue this? Also, how secure is the current Arora browser on Genode?
Hi!
I use Tor as part of my threat model on my machine, and I think Genode could certainly help me manage things like this. I'm very interested in working towards a Genode parallel of Qubes which could be used for such a thing like Whonix where routing is transparent to an extent.
However, I would hesitate to say we could make a Tails equivalent. Like with Tor, everyone needs to be using the same tools to avoid fingerprinting. No matter what you do, it's going to be obvious you're running Genode instead of Tails. Perhaps sitting a Tails virtual machine inside Genode would be a better idea given that if it's compromised it'd appear to just be Tails.
For better integration, perhaps a block of memory could be established to share a shell and X11 windows, and have the virtual machine read to this. Such a block of memory could be enabled by default meaning there'd be no way to know it was actually used. Of course this would also be useful for hardware exploits, but I don't think that's part of Tails' threat model.
Cheers, Jookia.
Basically, it looks like Genode is about the only way to be NSA-proof. Yes, the NSA will likely be able to tell that you're using Genode, but they won't be as able to hack it as with Tails. On Jun 14, 2015 6:01 PM, "Jookia" <166291@...9...> wrote:
genode-main mailing list genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main
On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
Basically, it looks like Genode is about the only way to be NSA-proof. Yes, the NSA will likely be able to tell that you're using Genode, but they won't be as able to hack it as with Tails.
Let's not assume there's a silver bullet for security. It's all about threat modelling, which in turn is all about resources and data. No operating system will protect you against hardware implants, not even Genode.
Tails' threat model is designed to avoid unwillingly giving off distinguishing data about the user in communication sessions or to storage. It does this quite well I think. I'm not sure how Genode could help here.
If you haven't read up on Qubes, you should. It's a brilliant system that has a design I think Genode is suited for, and perhaps what you're looking for. Using that design I'd run a desktop with isolated workspaces, mostly offline. For the small amount of applications that I connect online with, I'd give them access to Tor as their only network source and a limited file system. If the applications are compromised, they wouldn't be able to do much aside from thrash about before I force them to quit.
Qubes OS separates its applications into a number of partitioned domains which doesn't really seem that optimal. In the above example with Qubes I'd probably have all the net applications running in a single domain meaning if my web browser was exploited then my other applications such as my instant messenger and email could be compromised too. Luckily it wouldn't compromise my other domains containing things like my personal documents and programming projects.
I think Genode could replace the idea of partitioned domains with some kind of per-process resource policies, meaning I wouldn't have to decide what applications shouldn't share but instead what they should. In this case they'd all have access to the Tor daemon and their own per-process file system but not each other, further reducing the TCB. From a user's point of view there's still partitioning, but it's at the resource level rather than domain level.
Of course if you wanted to run GNU applications you could use virtual machines as domains in a similar manner to what Qubes OS actually does, though you lose the benefits of reducing the size of your TCB to the necessary parts. This would actually be a good stepping stone until Genode has more applications.
Well, as far as I can tell, I shouldn't have any hardware implants, but my computer may very well be compromised by the NSA. Basically, if the Tor browser is compromised and sending data to the NSA, it isn't protecting your privacy. On Jun 14, 2015 8:19 PM, "Jookia" <166291@...9...> wrote:
On Mon, Jun 15, 2015 at 02:59:12AM +0000, Nobody III wrote:
Well, as far as I can tell, I shouldn't have any hardware implants, but my computer may very well be compromised by the NSA. Basically, if the Tor browser is compromised and sending data to the NSA, it isn't protecting your privacy.
I'm not seeing exactly what benefits Genode would bring in this scenario, maybe I'm misunderstanding. Could you elaborate please?
Genode eliminates attack surface by making the operating system itself hard to target, and the web browser would follow Genode security principles to protect itself from attacks. Arora may not do this yet, but I expect that this will be fixed by writing a new web browser, modifying Arora, or porting and modifying Chromium. On Jun 14, 2015 9:58 PM, "Jookia" <166291@...9...> wrote:
Hi again,
everything you write resonates very well with me. I hope that Genode will eventually become a viable technological foundation for Qubes-like solutions. There is still a long way to go. But with the Turmvilla scenario, we are taking the first baby steps in this direction.
On 15.06.2015 04:17, Jookia wrote:
On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
Basically, it looks like Genode is about the only way to be NSA-proof. Yes, the NSA will likely be able to tell that you're using Genode, but they won't be as able to hack it as with Tails.
Let's not assume there's a silver bullet for security. It's all about threat modelling, which in turn is all about resources and data. No operating system will protect you against hardware implants, not even Genode.
Tails' threat model is designed to avoid unwillingly giving off distinguishing data about the user in communication sessions or to storage. It does this quite well I think. I'm not sure how Genode could help here.
If you haven't read up on Qubes, you should. It's a brilliant system that has a design I think Genode is suited for, and perhaps what you're looking for. Using that design I'd run a desktop with isolated workspaces, mostly offline. For the small amount of applications that I connect online with, I'd give them access to Tor as their only network source and a limited file system. If the applications are compromised, they wouldn't be able to do much aside from thrash about before I force them to quit.
Qubes OS separates its applications in to a number of partitioned domains which doesn't really seem that optimal. In the above example with Qubes I'd probably have all the net applications running in a single domain meaning if my web browser was exploited then my other applications such as my instant messenger and email could be compromised too. Luckily it wouldn't compromise my other domains containing things like my personal documents and programming projects.
I think Genode could replace the idea of partitioned domains with some kind of per-process resource policies, meaning I wouldn't have to decide what applications shouldn't share but instead what they should. In this case they'd all have access to the Tor daemon and their own per-process file system but not each other, further reducing the TCB. From a user's point of view there's still partitioning, but it's at the resource level rather than domain level.
This is spot-on!
Actually, even when using a full VM on top of Genode, the TCB for keeping VMs isolated is much smaller compared to the current state of the art. E.g., NOVA is an order of magnitude less complex than Xen. Granted, there are resource multiplexers that are shared by different domains (like the nitpicker GUI server or the NIC bridge). But in contrast to a Linux-based dom0, those components are small enough for a thorough evaluation.
Of course if you wanted to run GNU applications you could use virtual machines as domains in a similar manner to what Qubes OS actually does, though you lose the benefits of reducing the size of your TCB to the necessary parts. This would actually be a good stepping stone until Genode has more applications.
There is also the noux runtime as a middle-ground, which allows us to use command-line-based GNU software (like Vim, GCC, make) directly on Genode.
In your other email, you asked about the security of the Arora web browser. To be honest, I would not trust the code of Arora + Webkit + Qt5 to be secure. It is too complex for a realistic assessment. But while not trusting the code, we still know that the web browser cannot store any information to disk. It cannot even see any files of the user. It can merely observe the user input referring to the browser window. It cannot install any spyware. It cannot ptrace other processes. It does not even know which other components exist on the system. Hence, even though we cannot make any assumption about the security of the web browser itself, we know that it can do less harm when executed as a sandboxed Genode component. The same idea applies to other applications like a media viewer (where a bug in a codec would normally pose a security risk) or a PDF reader.
Cheers Norman
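As an added illustration of the per-component resource policies discussed in this thread (the browser and messenger sharing only the Tor daemon and each getting a private file system, and the sandboxed-browser argument above), here is a hypothetical Genode init configuration. It is not code from the thread or from the Genode project; the component names, the list of services the parent provides, the assumption that the parent's Nic session is already confined to Tor, and the ram_fs policy attribute (the 2015-era "label"; later releases match on "label_prefix") are all assumptions.

```xml
<config>
  <!-- Added example, not from the thread. The only services this subsystem
       can ever obtain from its parent are the ones listed here. Assumption:
       the parent hands out a Nic session that is already confined to the
       Tor daemon (e.g. behind a nic_bridge), so "Nic" means "Tor-only". -->
  <parent-provides>
    <service name="ROM"/>   <service name="RAM"/>   <service name="CAP"/>
    <service name="RM"/>    <service name="CPU"/>   <service name="PD"/>
    <service name="SIGNAL"/> <service name="LOG"/>  <service name="Timer"/>
    <service name="Nic"/>   <service name="Nitpicker"/>
  </parent-provides>

  <!-- Deliberately no <default-route>: a session request that matches no
       explicit <route> entry is denied. The policy is "decide what they
       should share", not "decide what they shouldn't". -->

  <!-- Private, RAM-backed file system for the browser. Nothing persists,
       and no other component is granted a policy on this instance.
       Assumption: 2015-era ram_fs policy attribute "label". -->
  <start name="browser_fs">
    <binary name="ram_fs"/>
    <resource name="RAM" quantum="32M"/>
    <provides><service name="File_system"/></provides>
    <config><policy label="browser" root="/" writeable="yes"/></config>
    <route><any-service><parent/></any-service></route>
  </start>

  <!-- A second ram_fs instance for the messenger, rather than a second
       policy on the same instance, so the two data sets never share a
       server that could be tricked into crossing them over. -->
  <start name="messenger_fs">
    <binary name="ram_fs"/>
    <resource name="RAM" quantum="16M"/>
    <provides><service name="File_system"/></provides>
    <config><policy label="messenger" root="/" writeable="yes"/></config>
    <route><any-service><parent/></any-service></route>
  </start>

  <!-- Hypothetical browser component: network only via the Tor-confined
       Nic session, files only via its own ram_fs, GUI via nitpicker.
       There is no route to "messenger_fs" and no <any-child/>, so it
       cannot even name the messenger's services. -->
  <start name="browser">
    <resource name="RAM" quantum="256M"/>
    <route>
      <service name="Nic">         <parent/>                  </service>
      <service name="File_system"> <child name="browser_fs"/> </service>
      <service name="Nitpicker">   <parent/>                  </service>
      <service name="Timer">       <parent/>                  </service>
      <!-- Remaining (core) services come from the parent only. -->
      <any-service> <parent/> </any-service>
    </route>
  </start>

  <!-- Same shape for the messenger; the only thing it shares with the
       browser is the parent's Tor-confined Nic service. -->
  <start name="messenger">
    <resource name="RAM" quantum="64M"/>
    <route>
      <service name="Nic">         <parent/>                    </service>
      <service name="File_system"> <child name="messenger_fs"/> </service>
      <service name="Nitpicker">   <parent/>                    </service>
      <service name="Timer">       <parent/>                    </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

The point to check when reviewing such a configuration is the absence of `<any-child/>` in the application routes: with it, a compromised browser could open sessions at any sibling server that accepts its label.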
On Mon, Jun 15, 2015 at 11:00:54AM +0200, Norman Feske wrote:
Hi again,
everything you write resonates very well with me. I hope that Genode will eventually become a viable technological foundation for Qubes-like solutions. There is still a long way to go. But with the Turmvilla scenario, we are taking the first baby steps in this direction.
I'm so glad! One thing holding me back from going the Turmvilla route is actually the window manager not being tiled. Maybe that's just an excuse.
This is spot-on!
Actually, even when using a full VM on top of Genode, the TCB for keeping VMs isolated is much smaller compared to the current state of the art. E.g., NOVA is an order of magnitude less complex than Xen. Granted, there are resource multiplexers that are shared by different domains (like the nitpicker GUI server or the NIC bridge). But in contrast to a Linux-based dom0, those components are small enough for a thorough evaluation.
That's quite interesting. I have a feeling somewhere down the line someone will get Qubes running on Genode, whether as just the hypervisor or as the GUI too.
There is also the noux runtime as a middle-ground, which allows us to use command-line-based GNU software (like Vim, GCC, make) directly on Genode.
I've heard about that, which gives me a lot of hope about some kind of transition of my standard applications, which are mostly terminal-based at this point. Unfortunately, being the GTK+ fan I am, there'll be some pain there.
In your other email, you asked about the security of the Arora web browser.
I didn't actually ask this, but I'm still interested in the discussion so I suppose I'll weigh in.
To be honest, I would not trust the code of Arora + Webkit + Qt5 to be secure. It is too complex for a realistic assessment. But while not trusting the code, we still know that the web browser cannot store any information to disk. It cannot even see any files of the user. It can merely observe the user input referring to the browser window. It cannot install any spyware. It cannot ptrace other processes. It does not even know which other components exist on the system. Hence, even though we cannot make any assumption about the security of the web browser itself, we know that it can do less harm when executed as a sandboxed Genode component. The same idea applies to other applications like a media viewer (where a bug in a codec would normally pose a security risk) or a PDF reader.
I'd argue browsers are fundamentally broken. I love the web, but we have to keep in mind that browsers aren't here to empower us. They're basically sandboxed operating systems whose sole purpose is to run nonfree code downloaded from the Internet and execute it somewhat safely. You can't modify this code and fix it or improve it as it's nonfree. You also can't run your own code or verify it to have nice things like actual end-to-end encryption working securely.
Isolating browsers is a useful tool, but we still end up with the problem of them being black boxes where the user doesn't control the data inside them. This is quite a bleak situation; I think it boils down to being cautious of monolithic architectures.
Not all is lost though! I would love to see some hacking on a composable browser like uzbl or surf to leverage Genode's security features. Perhaps then the only black box we'd have would be WebKitGTK. Personally I wouldn't mind a slightly worse engine than WebKit if it meant I could compile a browser in less than twelve hours on ARM, but I'm quite tolerant of feature loss.
Cheers Norman
Thanks, Jookia.
I would love to see a web browser that uses Genode's security features and is much more feasible to audit than Chrome, Firefox, etc.
On Mon, Jun 15, 2015 at 12:42 PM, Jookia <166291@...9...> wrote:
Hi Ben,
On 15.06.2015 18:15, Nobody III wrote:
I would love to see a web browser that uses Genode's security features and is much more feasible to audit than Chrome, Firefox, etc.
Don't hold yourself back. Sounds like a cool project and I think others would appreciate your work as well.
Cheers, Martin
I've started looking into it—I just don't feel like I know enough to ensure great security. Maybe I could get it started and others could contribute. On Jun 15, 2015 2:17 PM, "Martin Stein" <martin.stein@...1...> wrote:
I've been thinking about this more, and I'm wondering how much I should fragment the browser into different processes. I'm thinking about using one main process, plus two processes per tab that are restarted each time the user navigates to a new page--one for the rendering, and one for the HTTP requests. Is this good, or is it going to be too slow? How much overhead is there per process and per thread on Genode?
Tor is not secure. Neither is Genode. If you want security, disconnect all devices from the network and only use them in rooms without windows.
If you have enough nodes you can easily deanonymize users. This was done for most of last year, as the Tor team announced that nodes were removed. Also, you cannot say whether other nodes are contaminated.
In Genode you can use the fact that there are a sort of shared components to send messages between programs without really having any token for a communication between them.
Tor could just be another piece of software that creates an additional security hole.
Where there is software, there are bugs, workarounds, etc.
----- Original message ----- From: "Nobody III" <hungryninja101@...9...> Sent: 15.06.2015 00:41 To: "Genode OS Framework Mailing List" genode-main@lists.sourceforge.net Subject: Genode Tails?