Genode Tails?

Jookia 166291 at ...9...
Mon Jun 15 04:17:39 CEST 2015


On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
> Basically, it looks like Genode is about the only way to be NSA-proof. Yes,
> the NSA will likely be able to tell that you're using Genode, but they
> won't be as able to hack it as with Tails.

Let's not assume there's a silver bullet for security. It's all about threat
modelling, which in turn is all about resources and data. No operating system
will protect you against hardware implants, not even Genode.

Tails' threat model is designed to avoid unwillingly giving off distinguishing
data about the user in communication sessions or to storage. It does this quite
well I think. I'm not sure how Genode could help here.

If you haven't read up on Qubes, you should. It's a brilliant system that has a
design I think Genode is suited for, and perhaps what you're looking for. Using
that design I'd run a desktop with isolated workspaces, mostly offline. For the
small number of applications that I connect online with, I'd give them access to
Tor as their only network source and a limited file system. If the applications
are compromised, they wouldn't be able to do much aside from thrash about before
I force them to quit.

Qubes OS separates its applications into a number of partitioned domains, which
doesn't really seem that optimal. In the above example with Qubes I'd probably
have all the net applications running in a single domain meaning if my web
browser was exploited then my other applications such as my instant messenger
and email could be compromised too. Luckily it wouldn't compromise my other
domains containing things like my personal documents and programming projects.

I think Genode could replace the idea of partitioned domains with some kind of
per-process resource policies, meaning I wouldn't have to decide what
applications shouldn't share but instead what they should. In this case they'd
all have access to the Tor daemon and their own per-process file system but not
each other, further reducing the TCB. From a user's point of view there's still
partitioning, but it's at the resource level rather than domain level.

Of course if you wanted to run GNU applications you could use virtual machines
as domains in a similar manner to what Qubes OS actually does, though you lose
the benefits of reducing the size of your TCB to the necessary parts.  This
would actually be a good stepping stone until Genode has more applications.
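To make the "per-process resource policy" idea above concrete, here is an added example of what such a policy looks like as a Genode init configuration; it is not part of the original mail and not from the Genode project. The component names `tor`, `browser` and `messenger` are hypothetical placeholders; `ram_fs` is Genode's RAM-backed file-system server, and the `<parent-provides>` list is abridged.

```xml
<config>
  <!-- Services init itself obtains from its parent (list abridged). -->
  <parent-provides>
    <service name="ROM"/> <service name="RAM"/> <service name="CPU"/>
    <service name="PD"/>  <service name="LOG"/> <service name="Nic"/>
  </parent-provides>

  <!-- Deliberately no <default-route>: a component can only open the
       sessions listed in its own <route>, so no child reaches another
       child unless a rule below says so. -->

  <!-- Hypothetical Tor component: the only one routed to the real NIC. -->
  <start name="tor">
    <resource name="RAM" quantum="64M"/>
    <provides> <service name="Nic"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- One private file system per application (RAM-backed). -->
  <start name="browser_fs">
    <binary name="ram_fs"/>
    <resource name="RAM" quantum="32M"/>
    <provides> <service name="File_system"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>
  <start name="messenger_fs">
    <binary name="ram_fs"/>
    <resource name="RAM" quantum="16M"/>
    <provides> <service name="File_system"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <!-- Network applications: network only via tor, files only from
       their own server; no rule lets browser and messenger see each other. -->
  <start name="browser">
    <resource name="RAM" quantum="256M"/>
    <route>
      <service name="Nic">         <child name="tor"/>        </service>
      <service name="File_system"> <child name="browser_fs"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
  <start name="messenger">
    <resource name="RAM" quantum="64M"/>
    <route>
      <service name="Nic">         <child name="tor"/>          </service>
      <service name="File_system"> <child name="messenger_fs"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

A compromised `browser` can still only reach `tor` and `browser_fs`, which is the "decide what they should share, not what they shouldn't" policy the mail describes.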
