Genode Tails?

Norman Feske norman.feske at ...1...
Mon Jun 15 11:00:54 CEST 2015


Hi again,

everything you write resonates very well with me. I hope that Genode
will eventually become a viable technological foundation for Qubes-like
solutions. There is still a long way to go. But with the Turmvilla
scenario, we are taking the first baby steps in this direction.

On 15.06.2015 04:17, Jookia wrote:
> On Mon, Jun 15, 2015 at 12:48:38AM +0000, Nobody III wrote:
>> Basically, it looks like Genode is about the only way to be NSA-proof. Yes,
>> the NSA will likely be able to tell that you're using Genode, but they
>> won't be as able to hack it as with Tails.
> 
> Let's not assume there's a silver bullet for security. It's all about threat
> modelling, which in turn is all about resources and data. No operating system
> will protect you against hardware implants, not even Genode.
> 
> Tails' threat model is designed to avoid unwillingly giving off distinguishing
> data about the user in communication sessions or to storage. It does this quite
> well I think. I'm not sure how Genode could help here.
> 
> If you haven't read up on Qubes, you should. It's a brilliant system that has a
> design I think Genode is suited for, and perhaps what you're looking for. Using
> that design I'd run a desktop with isolated workspaces, mostly offline. For the
> small amount of applications that I connect online with, I'd give them access to
> Tor as their only network source and a limited file system. If the applications
> are compromised, they wouldn't be able to do much aside from thrash about before
> I force them to quit.
> 
> Qubes OS separates its applications into a number of partitioned domains which
> doesn't really seem that optimal. In the above example with Qubes I'd probably
> have all the net applications running in a single domain meaning if my web
> browser was exploited then my other applications such as my instant messenger
> and email could be compromised too. Luckily it wouldn't compromise my other
> domains containing things like my personal documents and programming projects.
> 
> I think Genode could replace the idea of partitioned domains with some kind of
> per-process resource policies, meaning I wouldn't have to decide what
> applications shouldn't share but instead what they should. In this case they'd
> all have access to the Tor daemon and their own per-process file system but not
> each other, further reducing the TCB. From a user's point of view there's still
> partitioning, but it's at the resource level rather than domain level.

This is spot-on!

Actually, even when using a full VM on top of Genode, the TCB for
keeping VMs isolated is much smaller compared to the current state of
the art. E.g., NOVA is an order of magnitude less complex than Xen.
Granted, there are resource multiplexers that are shared by different
domains (like the nitpicker GUI server or the NIC bridge). But in
contrast to a Linux-based dom0, those components are small enough for a
thorough evaluation.

> Of course if you wanted to run GNU applications you could use virtual machines
> as domains in a similar manner to what Qubes OS actually does, though you lose
> the benefits of reducing the size of your TCB to the necessary parts. This
> would actually be a good stepping stone until Genode has more applications.

there is also the noux runtime as a middle-ground, which allows us to
use command-line-based GNU software (like Vim, GCC, make) directly on
Genode.

In your other email, you asked about the security of the Arora web
browser. To be honest, I would not trust the code of Arora + Webkit +
Qt5 to be secure. It is too complex for a realistic assessment. But
while not trusting the code, we still know that the web browser cannot
store any information to disk. It cannot even see any files of the user.
It can merely observe the user input referring to the browser window. It
cannot install any spyware. It cannot ptrace other processes. It does
not even know which other components exist on the system. Hence, even
though we cannot make any assumption about the security of the web
browser itself, we know that it can do less harm when executed as a
sandboxed Genode component. The same idea applies to other applications like a
media viewer (where a bug in a codec would normally pose a security
risk) or a PDF reader.

Cheers
Norman

-- 
Dr.-Ing. Norman Feske
Genode Labs

http://www.genode-labs.com · http://genode.org

Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
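As an added illustration of the per-process policy Norman describes above (this is not from the thread or from Genode's own run scripts), the following init configuration fragment in the Genode XML syntax of that era routes the browser only to the nitpicker GUI server and the NIC bridge. The "arora" and "nic_drv" start names, the RAM quanta and the parent-provided service list are assumptions; the NIC driver's own start node is omitted. It relies on init's routing rule that a session request matching no route entry is denied.

```xml
<!-- Added example (not from the thread or the Genode repository).
     nitpicker and nic_bridge are the multiplexers named in the mail;
     other names and quanta are assumptions for illustration. -->
<config>
  <!-- Services init itself obtains from core. No File_system here. -->
  <parent-provides>
    <service name="ROM"/>    <service name="RAM"/>  <service name="CAP"/>
    <service name="CPU"/>    <service name="PD"/>   <service name="RM"/>
    <service name="LOG"/>    <service name="SIGNAL"/>
    <service name="Timer"/>
  </parent-provides>

  <!-- Deliberately no <default-route>: every session a child opens must
       match an entry in its own <route>, otherwise init denies it. -->

  <!-- Shared multiplexers, each small enough to be audited. -->
  <start name="nitpicker">
    <resource name="RAM" quantum="4M"/>
    <provides> <service name="Nitpicker"/> </provides>
    <route> <any-service> <parent/> </any-service> </route>
  </start>

  <start name="nic_bridge">
    <resource name="RAM" quantum="4M"/>
    <provides> <service name="Nic"/> </provides>
    <route>
      <!-- assumed: a "nic_drv" start node exists elsewhere in this config -->
      <service name="Nic"> <child name="nic_drv"/> </service>
      <any-service> <parent/> </any-service>
    </route>
  </start>

  <!-- The browser: a window via nitpicker, network via the bridge, core
       services from the parent. No File_system route and no <any-child/>
       fallback, so it cannot reach a disk or discover sibling components. -->
  <start name="arora">
    <resource name="RAM" quantum="128M"/>
    <route>
      <service name="Nitpicker"> <child name="nitpicker"/>  </service>
      <service name="Nic">       <child name="nic_bridge"/> </service>
      <!-- reaches only the core services enumerated in <parent-provides> -->
      <any-service> <parent/> </any-service>
    </route>
  </start>
</config>
```

The security-relevant part is what is absent: because neither a File_system route nor an `<any-child/>` fallback exists for "arora", a compromised browser asking for storage or for another child's service gets a denied session rather than access.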
