Genode Tails?

Jookia 166291 at ...9...
Mon Jun 15 14:42:48 CEST 2015


On Mon, Jun 15, 2015 at 11:00:54AM +0200, Norman Feske wrote:
> Hi again,
>
> everything you write resonates very well with me. I hope that Genode
> will eventually become a viable technological foundation for Qubes-like
> solutions. There is still a long way to go. But with the Turmvilla
> scenario, we are taking the first baby steps in this direction.

I'm so glad! One thing holding me back from going the Turmvilla route is
actually the window manager not being tiled. Maybe that's just an excuse.

> This is spot-on!
>
> Actually, even when using a full VM on top of Genode, the TCB for
> keeping VMs isolated is much smaller compared to the current state of
> the art. E.g., NOVA is an order of magnitude less complex than Xen.
> Granted, there are resource multiplexers that are shared by different
> domains (like the nitpicker GUI server or the NIC bridge). But in
> contrast to a Linux-based dom0, those components are small enough for a
> thorough evaluation.

That's quite interesting. I have a feeling somewhere down the line someone will
get Qubes running on Genode, whether as just the hypervisor or as the GUI too.

> there is also the noux runtime as a middle-ground, which allows us to
> use command-line-based GNU software (like Vim, GCC, make) directly on
> Genode.

I've heard about that which gives me a lot of hope about some kind of
transition of my standard applications which are mostly terminal-based at this
point. Unfortunately being the GTK+ fan I am, there'll be some pain there.

> In your other email, you asked about the security of the Arora web browser.

I didn't actually ask this, but I'm still interested in the discussion so I
suppose I'll weigh in.

> To be honest, I would not trust the code of Arora + Webkit +
> Qt5 to be secure. It is too complex for a realistic assessment. But
> while not trusting the code, we still know that the web browser cannot
> store any information to disk. It cannot even see any files of the user.
> It can merely observe the user input referring to the browser window. It
> cannot install any spyware. It cannot ptrace other processes. It does
> not even know which other components exist on the system. Hence, even
> though we cannot make any assumption about the security of the web
> browser itself, we know that it can do less harm when executed as a
> sandboxed Genode component. The same idea applies to other applications
> like a media viewer (where a bug in a codec would normally pose a
> security risk) or a PDF reader.

I'd argue browsers are fundamentally broken. I love the web, but we have to keep
in mind that browsers aren't here to empower us. They're basically sandboxed
operating systems whose sole purpose is to run nonfree code downloaded from the
Internet and execute it somewhat safely. You can't modify this code and fix it
or improve it as it's nonfree. You also can't run your own code or verify it to
have nice things like actual end-to-end encryption working securely.

Isolating browsers is a useful tool but we still end up with the problem of them
being black boxes where the user doesn't control the data inside them. This is
quite a bleak situation, I think it boils down to being cautious of monolithic
architectures.

Not all is lost though! I would love to see some hacking on a composable
browser like uzbl or surf to leverage Genode's security features. Perhaps then
the only black box we'd have would be WebKitGTK. Personally I wouldn't mind a
slightly worse engine than WebKit if it meant I could compile a browser in less
than twelve hours on ARM, but I'm quite tolerant of feature loss.

> Cheers
> Norman

Thanks,
Jookia.