Okay, I'm sorry for the dark projection, but I will tell you everything that I have written down, so even if you cannot read it very well, I will tell you.

The idea of my talk, or of the tool I have written, is to make a typical Linux desktop more secure without making it difficult to use. Security is always a thing that makes other things difficult, and I try to avoid that.

The motivation is that we have some programs on our desktop that have to process untrusted data, or data from untrusted sources, and every piece of software has bugs, and that gives some attack vector to your desktop. The program I am concentrating on is the browser, the internet browser or web browser, and its helper applications. Not every helper application is in danger: for instance, if you have a PDF viewer and use it to view your own PDFs, it's not a problem, but if you use it as a helper application in the internet browser, it will start to process data from such untrusted sources, and if there is a bug in the PDF viewer it becomes dangerous. The same is valid for the email client and its helper applications and similar software, but I'm concentrating here on the Firefox browser, or the Iceweasel browser.

We already have some easy-to-use tools to get more privileges, like sudo. It's nice and easy to use, but we don't have any anti-sudo, a tool that just decreases privileges on our system, and that's what immunity is good for: it just decreases the privileges.

I will start with a small demonstration. First I will show how immunity looks to the usual user: an entry in the start menu, and it just starts another instance of Iceweasel. Please ignore the error message.
It's something that's new on this laptop, and I haven't found the error yet; it's probably fixed in the next release. So it's just a web browser. It can do everything that you expect from a web browser, like opening the DebConf page. All the plugins and helper applications will work, at least the kind of helper applications that I have tested so far, but there are some differences. If you're trying to open a file, you see the home directory is empty, and the reason for that is that it's a different home directory, in /var/lib. And if you just look around a little bit in our file system from the browser, you will see that you have a narrow file system. Oh, it's difficult to see. You don't even have the /home directory or /sbin and such things, and if you look at the device files you see that you have definitely fewer devices.

So that's how it looks for the normal user. If you look at it in more detail, I'm afraid it will become a little bit more difficult to read. The command is just immunity, and, like in sudo, you can just add any command that you want to execute, like ls, or you can even add options. So it's quite easy to use. If you don't add any command line arguments, it will just start a shell. What you can see is that you have a new user ID: it's not the normal user but another user and another group, and you don't have any supplementary groups anymore. That's what you see first.
If you have a look at our file system, you see that we have only a few top-level directories, and some of them belong to our shadow user and to the group. We have our own temp directory, so any temp file vulnerabilities won't be a big problem here. I already showed some device files; it's difficult to read when there are some of them, and what's interesting is that all the devices belong to the user, so we don't need any supplementary groups to access all the devices. It's just a little bit easier.

There are some other interesting things that don't work anymore, like ping, and there are two reasons why it does not work anymore. The first reason is that ping needs a certain capability to work, but all capabilities are locked down in the new process, so you cannot reacquire such capabilities. There's no way. That's why ping does not work. But it would still be a set-user-ID-root binary, and if ping has a bug we could get access to any files that belong to root only. That's why the file system gets remounted with the no-suid and no-sgid option, so even the set-user-ID-root binaries won't change the user ID anymore. Those are the two reasons why ping doesn't work: it's no set-user-ID-root binary anymore, and capabilities are locked down.

What's interesting: we can check our mounts. It's quite a long list. What we can see in the third line is that a tmpfs file system is mounted at the root file system, and all the several files and directories get bind mounted from our normal system. Okay, so if I do the same outside the container, I see only a few file systems, and in our container I have even fewer file systems but a lot of bind mounts. And there's another difference: the proc file system is mounted read-only. Strictly speaking, Firefox does not need the proc file system.
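The mount setup just demonstrated (a tmpfs as the root, bind mounts from the host, nosuid and nodev everywhere, a read-only /proc, chroot as one step rather than the whole story) can be reproduced with the raw mount(2) interface. The following is an added example written for this page, not code from the immunity tool; the root path /tmp/sbx, the list of bind-mounted directories and device nodes, and the tmpfs sizes are assumptions. It must be started as root (via sudo) and stops short of switching users and dropping capabilities. The detail worth taking from it is that ro/nosuid/nodev are silently ignored on the initial MS_BIND call and only take effect on a second MS_REMOUNT|MS_BIND pass; mount_options_hardened() is the check to run inside the container afterwards against the options field of /proc/self/mountinfo or the output of mount(8).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

#define ROOT "/tmp/sbx"   /* assumed scratch location for the new root */

/* Host directories the browser needs, bind-mounted read-only.  /home, /root
 * and /sbin are deliberately absent, as in the demo.  Assumed list. */
static const char *const ro_binds[] = { "/bin", "/lib", "/usr", "/etc", NULL };
/* The few device nodes that are exposed; everything else stays invisible. */
static const char *const dev_nodes[] = { "/dev/null", "/dev/zero", "/dev/urandom", NULL };

/* Flags for the second step of a bind mount.  The kernel ignores
 * ro/nosuid/nodev on the initial MS_BIND call; they only take effect on a
 * remount of the bind, which is why bind_dir() below calls mount() twice. */
unsigned long hardened_bind_flags(int read_only)
{
    unsigned long f = MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NODEV;
    return read_only ? (f | MS_RDONLY) : f;
}

/* Check an options string as printed by mount(8) or found in the 6th field of
 * /proc/self/mountinfo: 1 if nosuid and nodev are set (and ro when needed). */
int mount_options_hardened(const char *opts, int need_ro)
{
    char buf[256];
    int ro = 0, nosuid = 0, nodev = 0;
    snprintf(buf, sizeof buf, "%s", opts);
    for (char *t = strtok(buf, ","); t; t = strtok(NULL, ",")) {
        if (strcmp(t, "ro") == 0) ro = 1;
        else if (strcmp(t, "nosuid") == 0) nosuid = 1;
        else if (strcmp(t, "nodev") == 0) nodev = 1;
    }
    return nosuid && nodev && (!need_ro || ro);
}

static int bind_dir(const char *src, int read_only)
{
    char dst[256];
    snprintf(dst, sizeof dst, ROOT "%s", src);
    if (mkdir(dst, 0755) && errno != EEXIST) return -1;
    if (mount(src, dst, NULL, MS_BIND, NULL)) return -1;                /* step 1 */
    return mount(NULL, dst, NULL, hardened_bind_flags(read_only), NULL); /* step 2 */
}

int main(int argc, char **argv)
{
    /* 1. Own mount namespace, and stop our changes propagating back to the
     *    host ("/" is a shared mount on systemd hosts, so without MS_PRIVATE
     *    the umounts below would be visible outside). */
    if (unshare(CLONE_NEWNS) || mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
        perror("unshare/private"); return 1;
    }
    /* 2. An empty tmpfs becomes the root; only what we bind in will exist. */
    mkdir(ROOT, 0755);
    if (mount("tmpfs", ROOT, "tmpfs", MS_NOSUID | MS_NODEV, "size=64m,mode=755")) {
        perror("tmpfs"); return 1;
    }
    for (int i = 0; ro_binds[i]; i++)
        if (bind_dir(ro_binds[i], 1)) { perror(ro_binds[i]); return 1; }
    /* 3. Private writable /tmp: temp-file races with other users are moot. */
    mkdir(ROOT "/tmp", 01777);
    mount("tmpfs", ROOT "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "mode=1777");
    /* 4. A small /dev with bind-mounted nodes only (a bind needs a target file). */
    mkdir(ROOT "/dev", 0755);
    mount("tmpfs", ROOT "/dev", "tmpfs", MS_NOSUID | MS_NOEXEC, "mode=755,size=1m");
    for (int i = 0; dev_nodes[i]; i++) {
        char dst[256];
        snprintf(dst, sizeof dst, ROOT "%s", dev_nodes[i]);
        close(open(dst, O_WRONLY | O_CREAT, 0600));
        mount(dev_nodes[i], dst, NULL, MS_BIND, NULL);
    }
    /* 5. Read-only /proc: Firefox does not need it, the Flash plugin does. */
    mkdir(ROOT "/proc", 0555);
    mount("proc", ROOT "/proc", "proc", MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);
    /* 6. chroot is one step of the setup; the isolation comes from the
     *    mount namespace, not from chroot itself. */
    if (chroot(ROOT) || chdir("/")) { perror("chroot"); return 1; }
    /* Hand over to the browser or a shell; uid and capability dropping would go here. */
    char *sh[] = { "/bin/sh", NULL };
    char **cmd = argc > 1 ? argv + 1 : sh;
    execv(cmd[0], cmd);
    perror("execv");
    return 1;
}
```

Build with `cc -o sbx sbx.c` and start it as `sudo ./sbx /bin/sh`; inside, `cat /proc/self/mountinfo` shows the tmpfs root and the bind mounts with ro,nosuid,nodev, and `ls /` shows no /home or /sbin. Skip the second mount() in bind_dir() and the same listing shows the binds as rw without nosuid, which is the mistake the two-step helper exists to prevent.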
So we could just unmount it, but some other tools, like the non-free Flash plugin, just crash without the proc file system, so we need it, at least as a read-only mount, if you want to support such programs and plugins.

Okay, so that was a short demonstration. Yeah, we have a narrowed file system. It's not a chroot environment, that's important. We call chroot in the process of setting up the container, but it's not a chroot environment, so I wanted a more normal environment: if you keep your system up to date with security fixes, the container is secure too, so you don't have a second system. Almost every file system that is still available is mounted read-only, with no set-user-ID-root binaries, no set-user-ID and set-group-ID, and nodev, and the capabilities are locked down; you cannot get any capabilities anymore. It is still in a very early stage, I would call it a research tool, but it can be used for real work, or in real life. So we can use it for using a browser; that works. There might be some bugs, of course, but it's already usable. Yeah, you can download it from Google Code; the link should be available in the schedule.

Some features I already mentioned: a shadow user and its own group. The name of the shadow user is the name of the normal user prefixed by "immunity-". Yes. The advantage is that no inter-process communication to your trusted processes is possible anymore, so you cannot kill or send signals to your trusted processes. The communication via the X11 protocol is still possible, of course. I don't use X11 security. I have tried that, but the advantage of X11 security is that keyloggers wouldn't work anymore and screenshotting wouldn't work anymore, but copy and paste does not work between trusted and untrusted processes, and that's difficult.
It's not easy to use if you cannot copy and paste between trusted and untrusted processes. Maybe one could write a helper tool; like in KDE there is a clipboard tool that can copy and paste even in an X11 security environment, but currently such a tool does not exist.

You can set up some network restrictions if you want, using the iptables/netfilter module that matches either the user or the group. So what would be possible: say your browser can access the internet but maybe not your local network, if you have such things, and vice versa, any trusted process should not access the internet but maybe your local network. So you can even set up a network separation in your environment.

How does it work? It employs the kernel namespaces feature that comes from the Linux Containers project, which is available from SourceForge. It does not need any kernel patches, at least with the Lenny kernel; it's not necessary anymore, and thanks to the kernel team the necessary configuration options are set in Debian, so you can use it directly without any different kernel, and you don't need any unusual tools except for the immunity tool itself and Python.

Some more details: you can create other access restrictions via POSIX access control lists. For instance, you can set up your shadow home directory in a way that the normal trusted user can access the home directory read-write, if you want such a feature; for instance, to upload files somewhere you need write access to the home directory. As I already told you, we have only a few device files, so the path to the kernel is smaller, and set-user-ID and set-group-ID binaries don't work anymore, and the proc file system is read-only. It is a bit difficult to find out which file system or network access is done by your programs.
I have debugged such access using the audit daemon, which is a bit awkward to use, but it works, so you can find out which file system access happens in your browser, and you can find out which files in the proc file system are accessed by the Flash plugin.

It's implemented in Python with a C extension, which is quite small, just to use things like umount directly in Python. It uses capabilities a lot, so it starts with a certain capability set, I think of four or five capabilities, and it drops capabilities until the full container is set up, and it executes your browser or your shell after every capability has been dropped. It's not a mandatory access control system like the Security Enhanced Linux system [unclear]; it's just a usual Linux system without any special modification.

Now I want to talk a little bit about alternatives we could think of to separate trusted and untrusted processes. One alternative would be using a separate computer for untrusted processes; of course, I have just two computers, one for the trusted stuff and one for the internet. That's okay, but more hardware and setup costs: you have to maintain more systems, especially if you think about having hundreds or thousands of users and you have to take care of twice as many computers. It's more work, and you can still exchange media via some external storage medium. A second alternative would be using a terminal server for your internet access, or for your untrusted processes. That's quite a nice idea, but secure configuration is not as easy, and it would be an extra talk to explain what you have to do to set up a secure terminal server, and it has several limitations in practice, like multimedia streaming, file uploads and such things, which are either not possible or the whole thing is not really secure. So you can choose between security and functionality. The third alternative would be a chroot environment.
The security is quite limited, because you can still make inter-process communications; you can send signals to your trusted processes. It's not as useful as it might sound. It's difficult to configure, too; you have to do it manually, and you still have twice as many systems to maintain, because you have to maintain your chroot environment: you have a second system installed.

So the next two alternatives are mandatory access control systems, like RSBAC. It's quite a good technology, but it's not integrated in the Linux kernel; we need a separate patch, and it's not integrated into Debian, and the documentation is almost non-existent, so it becomes difficult to use if you don't have any experience with it. A second alternative for MAC is Security Enhanced Linux. Unfortunately, there's no usable policy for such a scenario, and setting up your own policy is quite difficult, so it's not an option either.

Now I come back to Linux audit. I've already told you it's a little bit awkward to use, but you need it if you make a narrow file system view; you need some way to debug what your programs or processes are accessing, which network ports they are opening and such things. I found that Linux audit is usable, but not as easy as you wish. You'll use the typical tools, like auditctl, ausearch and aureport, to look at what your processes are doing. I just skipped the demonstration, because it's not that interesting.

Yeah, I've already told you that I'm using a lot of POSIX capabilities to set up the container. New Linux kernels provide a feature called POSIX file capabilities. This is an interesting feature, because you can give some binaries certain capabilities during startup. Unfortunately, the whole feature does not work for any scripts, and especially not for Python scripts, so it's unusable for any Python script.
So I couldn't use that feature. Interestingly, it did work in the 2.6.24 kernel, which was, I think, the first kernel that introduced POSIX file capabilities, but it definitely does not work anymore in the Lenny kernel or in newer kernels. That is why the immunity tool needs another way to get capabilities, and it needs a sudo helper for that. So I found it's the easiest way to get capabilities to mount or remount stuff, to change the namespace and such things. Now, it really uses a sudo helper: with a little help it gets all capabilities, then it changes the user and the group and drops the capabilities that are not needed, so it's quite a safe way to use sudo in that case.

One problem is that the process capabilities do not survive the exec system call. That means we cannot execute another binary like mount or iptables or other things, because we would just lose the process capabilities that are necessary for any privileged operations. Everything we have to do, we have to do in Python directly, or in the C extension that gets loaded into the Python interpreter. That's a bit tricky, but it's doable. The advantage is that we only have one process setting up the whole container, and at the end of the process it executes your browser or the shell or whatever you want to execute.

What plans do I have for the future? One is to make it more usable for the end user, and less a research tool only. One thing is providing a configuration file; currently everything is done programmatically in the Python script, so if you want to bind mount more files or directories you have to change the Python script. It is not very practical for the end user. I'll probably introduce some command line parameters, like using secure X11 or not using secure X11, so you can decide for yourself if you want it or not. It might be useful to make the shadow user optional and not switch to a
different user. Maybe a helper tool for easier usage of the audit daemon would be quite good, so you can easily debug all processes. Uploading it to Debian, if there's enough interest in the tool, would be a plan, and I have two ideas that could be useful: adding two other namespaces, its own network namespace and its own process namespace (process table). I will show that in a small demonstration, so I hope... I'll start with the network namespace. It's currently not really implemented; I only have two C files for testing purposes, but it's already interesting.

The network namespace: I've tried to explain in the source code what it does. It just calls the unshare system call with a new net namespace. unshare is a quite new system call; it does almost the same as clone, except it does not clone anything. It just uses the flags in the current process; in this case, it just creates a new namespace in the current process, and after that it just executes a shell. So I'll show it. Okay. The unshare system call sometimes needs capabilities, like in this case: if you create new namespaces, you need certain capabilities.
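The capability handling described earlier (start with a handful of capabilities via a sudo helper, use them for the setup, switch to the shadow user, then lock everything down so that nothing can be reacquired) can be done with the raw capset(2) and prctl(2) interface, which is what a small C extension would expose to Python when file capabilities on a script are not available. The following is an added example for this page, not the immunity tool's code; the shadow uid/gid 61000 and the exact capability list are assumptions. It must be started as root. The securebits are set first so that the later setuid() neither strips the capabilities still needed nor lets uid 0 ever grant them back; the bounding set is trimmed so that no setuid-root or file-capability binary reached later can restore more than the listed ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>

#define SHADOW_UID 61000   /* assumed id of the "immunity-<user>" shadow user */
#define SHADOW_GID 61000

/* Build the two 32-bit words of a v3 capability set from CAP_* numbers.
 * Capabilities >= 32 (CAP_MAC_ADMIN, CAP_SYSLOG, ...) live in the second
 * word; a single 32-bit mask silently drops them. */
void cap_words(const int *caps, int n, uint32_t *lo, uint32_t *hi)
{
    *lo = *hi = 0;
    for (int i = 0; i < n; i++) {
        if (caps[i] < 32) *lo |= 1u << caps[i];
        else              *hi |= 1u << (caps[i] - 32);
    }
}

/* Make permitted = effective = exactly `caps`, inheritable = nothing.
 * capset(2) can only shrink permitted, so each call here is one-way. */
static int set_caps(const int *caps, int n)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    uint32_t lo, hi;
    memset(data, 0, sizeof data);
    cap_words(caps, n, &lo, &hi);
    data[0].effective = data[0].permitted = lo;
    data[1].effective = data[1].permitted = hi;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Parse one "CapXxx:\t<hex>" line of /proc/self/status; 0 on success. */
int parse_cap_line(const char *line, const char *name, uint64_t *mask)
{
    size_t n = strlen(name);
    char *end;
    if (strncmp(line, name, n) != 0 || line[n] != ':') return -1;
    *mask = strtoull(line + n + 1, &end, 16);
    return end == line + n + 1 ? -1 : 0;
}

static uint64_t current_cap(const char *name)
{
    char line[128];
    uint64_t m = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, name, &m) == 0) break;
    fclose(f);
    return m;
}

/* Drop every capability from the bounding set except those in `keep`. */
static int trim_bounding(const int *keep, int n)
{
    for (int c = 0; c <= CAP_LAST_CAP; c++) {
        int k = 0;
        for (int i = 0; i < n; i++) if (keep[i] == c) k = 1;
        /* EINVAL: cap number newer than the running kernel, nothing to drop */
        if (!k && prctl(PR_CAPBSET_DROP, c, 0, 0, 0) && errno != EINVAL) return -1;
    }
    return 0;
}

int main(void)
{
    /* What the setup phase needs: mounts and namespaces, chroot, the uid/gid
     * switch, and CAP_SETPCAP for the bounding set and securebits. */
    const int setup[] = { CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID, CAP_SETPCAP };
    const int n = sizeof setup / sizeof *setup;

    /* 1. While still root: uid 0 no longer implies capabilities (locked), and
     *    setuid() away from 0 must not strip the ones the setup still needs. */
    if (prctl(PR_SET_SECUREBITS, SECBIT_NOROOT | SECBIT_NOROOT_LOCKED |
              SECBIT_NO_SETUID_FIXUP | SECBIT_NO_SETUID_FIXUP_LOCKED, 0, 0, 0)) {
        perror("securebits"); return 1;
    }
    /* 2. Shrink the bounding set, then permitted/effective, to the setup list. */
    if (trim_bounding(setup, n) || set_caps(setup, n)) { perror("drop"); return 1; }
    printf("setup phase: CapEff=%016llx\n", (unsigned long long)current_cap("CapEff"));

    /* ... mount / unshare / chroot work would happen here ... */

    /* 3. Become the shadow user, with no supplementary groups. */
    if (setgroups(0, NULL) || setgid(SHADOW_GID) || setuid(SHADOW_UID)) {
        perror("setuid"); return 1;
    }
    /* 4. Lock down: empty bounding set, then empty permitted/effective.
     *    Nothing can be reacquired from here, and the exec below would clear
     *    the sets of an unprivileged process anyway. */
    if (trim_bounding(NULL, 0) || set_caps(NULL, 0)) { perror("lockdown"); return 1; }
    printf("uid=%d CapEff=%016llx CapBnd=%016llx\n", (int)getuid(),
           (unsigned long long)current_cap("CapEff"),
           (unsigned long long)current_cap("CapBnd"));
    execl("/bin/sh", "sh", (char *)0);   /* or the browser */
    perror("execl");
    return 1;
}
```

The order matters: the securebits need CAP_SETPCAP and are set before anything is dropped; the final trim_bounding() also needs CAP_SETPCAP, so it runs before the last set_caps(). Inside the resulting shell, `ping` fails with "operation not permitted" and `grep Cap /proc/self/status` shows all-zero sets, which is the state the talk describes.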
That is why I just use sudo in this case to execute this program. So we just have a shell now, with a new namespace, and if I call ifconfig I see that I only have one network device: the loopback device, which is not even configured. If I compare it to my system here, I have three or four network devices, and loopback is configured, of course. So I effectively now have a container which is offline; it does not have network access, it has its own network devices, its own routing tables, its own netfilter rules. Currently it's offline, which is not very useful to run a browser in, but the idea is to create a proxy, like a SOCKS proxy, like ssh -D; that would enable some network access to the container, but this is left to be implemented. But I think it's quite a nice idea to have a separate network namespace.

Another interesting idea is a separate process namespace. I tried to explain it in the C code. In this case we cannot use unshare anymore, because it's not possible to create a new process namespace in the same process. You always have to create a new process and attach a new namespace to it. That's why we need to call clone in this case: we have to set up a stack, call clone with the new process ID option and the new namespace option, and we print, in this case just for debugging purposes, the process ID of the child as seen in the parent process, and the function that's executed in the child prints its own process ID as seen from the child. In our case we are unmounting the proc file system; because it's in use we have to use the mount detach option, and we mount it again, so we get a new proc file system mount in the child, and in the end we are executing the X terminal emulator.
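The two experiments side by side, as an added example written for this page rather than the speaker's two C test files: unshare(CLONE_NEWNET) moves the calling process itself into a fresh network namespace, while a pid namespace can only be given to a child, so clone() with CLONE_NEWPID is used and the child detaches and remounts /proc before it execs. Run as root: `./ns net` for the first experiment (it drops you into a shell where `ifconfig` or `ip link` shows only a down lo), `./ns` for the second. The interface counting uses getifaddrs(3); the NSpid: line of /proc/PID/status (Linux 4.1 and later) lets the parent read both pids of the child, the 2784-versus-1 pair from the demo, without the child having to print them. The ps invocation in the child is a stand-in for the x-terminal-emulator; the MS_PRIVATE step is an addition the demo did not mention but which keeps the lazy umount of /proc from propagating to the host.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ifaddrs.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Number of network interfaces visible to the caller.  Link-level (AF_PACKET)
 * entries are counted so that a down, address-less lo is still seen.
 * Returns -1 if the lookup itself fails. */
int count_interfaces(void)
{
    struct ifaddrs *ifa, *p;
    int n = 0;
    if (getifaddrs(&ifa)) return -1;
    for (p = ifa; p; p = p->ifa_next)
        if (p->ifa_addr && p->ifa_addr->sa_family == AF_PACKET) n++;
    freeifaddrs(ifa);
    return n;
}

/* Parse "NSpid:\t2784\t1" from /proc/PID/status: the first value is the pid
 * in the reader's namespace, the last one the pid inside the deepest
 * namespace.  Returns how many pids were present, 0 if not an NSpid line. */
int parse_nspid(const char *line, pid_t *outer, pid_t *inner)
{
    const char *p = line + 6;
    char *end;
    int n = 0;
    if (strncmp(line, "NSpid:", 6) != 0) return 0;
    for (;;) {
        long v = strtol(p, &end, 10);
        if (end == p) break;
        if (n == 0) *outer = (pid_t)v;
        *inner = (pid_t)v;
        n++;
        p = end;
    }
    return n;
}

/* Experiment 1: unshare() acts on the calling process itself. */
static int demo_netns(void)
{
    printf("interfaces before unshare: %d\n", count_interfaces());
    if (unshare(CLONE_NEWNET)) { perror("unshare(CLONE_NEWNET)"); return -1; }
    printf("interfaces after  unshare: %d (an unconfigured lo)\n", count_interfaces());
    return 0;
}

/* Experiment 2: a pid namespace only applies to children, so clone() it is.
 * The child also gets its own mount namespace, makes it private (otherwise the
 * umount would propagate to the host), replaces /proc and execs. */
static int child(void *arg)
{
    (void)arg;
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
    umount2("/proc", MNT_DETACH);  /* the old /proc is busy: lazy detach */
    if (mount("proc", "/proc", "proc", MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL))
        perror("mount /proc");
    printf("child sees itself as pid %d\n", (int)getpid());
    execlp("ps", "ps", "-ef", (char *)0);  /* stand-in for x-terminal-emulator */
    perror("execlp");
    return 127;
}

static int demo_pidns(void)
{
    static char stack[64 * 1024];          /* clone() wants the stack top */
    char path[64], line[128];
    pid_t outer = 0, inner = 0, p;
    int status;
    FILE *f;
    p = clone(child, stack + sizeof stack, CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL);
    if (p < 0) { perror("clone"); return -1; }
    snprintf(path, sizeof path, "/proc/%d/status", (int)p);
    if ((f = fopen(path, "r"))) {
        while (fgets(line, sizeof line, f))
            if (parse_nspid(line, &outer, &inner)) break;
        fclose(f);
    }
    printf("parent sees child as pid %d; NSpid: outer=%d inner=%d\n",
           (int)p, (int)outer, (int)inner);
    waitpid(p, &status, 0);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "net") == 0) {
        if (demo_netns()) return 1;
        execl("/bin/sh", "sh", (char *)0);   /* try ifconfig or ip link in here */
        perror("execl");
        return 1;
    }
    return demo_pidns() ? 1 : 0;
}
```

Running `./ns` as root prints the child's pid twice, once as the parent sees it and once as 1 from inside, and the ps listing from the child shows only the processes of the new table; a `kill` of a host pid from inside fails with "no such process", which is the signal separation the talk points out.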
We cannot execute a bash in this case, but it's difficult to explain; we're just executing the X terminal emulator. Let's try that. We need sudo for this test, too. So first we see the process ID as seen from the parent is 2784, and the process ID in the child is one, so we have a new process table with a new process one. I will just, sorry, make it easier to see. Okay, so that's the child process, and we look at our processes here. We see we have only three processes. Process number one is our X terminal emulator, which has a process ID of more than 2000 in the usual system. Our shell is process number three, and interestingly our first interactive program is process number 31, so we need more than 30 processes just to execute ps, and this is a normal, usually installed Lenny system. So we have quite a number of forks during startup of a bash in Debian.

The advantage is that from this child process you cannot kill or send signals to any process outside the container, so you already have a separation of the processes, and this might make it possible to skip the creation of a shadow user, because we already have a separate process table. But it's currently not usable in immunity itself. It's probably not very difficult to implement, but it's not implemented yet. Yeah, as I told, it would make the shadow user probably optional.

Okay, I'm at the end of my talk. Do you have any questions?

Yes, as long as X11 security is switched off, it would be possible to install a keylogger via any bug in the browser. Yeah. Online banking would be a disaster, because it's still in the [unclear] or whatever, but definitely this information and these ideas shouldn't be mixed up with information entered on some other YouTube website or whatever.

Yeah, can that work, or can I set up more than one user? Yeah, currently not. It's probably a good idea to set up multiple users or multiple home directories; it's currently not implemented.
Yes, but that would probably be one of the command line arguments: to specify another user, and just use a default user if you don't specify anything. Yes, that's a good idea. Okay.

Well, just a very quick comment: in your list of alternative approaches you didn't mention using a virtual machine, and so, you know, I mean KVM might be useful. Yeah. Yes, that's another idea. Yeah, I have skipped that here, but you still have to maintain another system. But it's quite easy to set up, that's true. So it has advantages and disadvantages, but it's not as easy to set up as just calling "immunity browser". The idea was to create a tool that is really easy to use for the end user and is more secure than not using it, right?

I've got a lot of questions. I'll try to keep it short. The first thing that comes to mind for me is: you also have problems with X, not only if you close the keyboard snooping type of holes, but you can also spoof things that look like authentication dialogues on the trusted side of the system, and that's gonna be really hard to block unless you put it in something like Xnest or something like that, which I guess would slow down YouTube videos, so I don't know. Yeah. Another thing that came to mind is: with this system, if a user downloads a file from the web and then wants to edit it in a word processor on their trusted side, they're going to have to go dig around to find the file, and they probably won't be able to write to it once they find it. So have you thought about how to deal with that, and also how to get files back in, and make it easy for, say, my mom to do? Yeah. In that case, either you skip the shadow user entirely and use the normal user process and find the file in your home directory, or use some helper applications, maybe. Yeah, I don't know. Or just create a symlink in your home directory to the home directory of the shadow user. Yeah.

Well, if you've got personal groups, like you have in Debian, you
could put your real user in the immunity user's personal group, and then your real user couldn't read/write all their files and [unclear] by sending exploits and everything. Yeah. And one more thing: I saw that you gave the browser access to the audio device, so the browser will also be able to listen to your mic, right? Yeah, sure. Okay, I don't think it's such a big security bug. Okay, thank you for your interest.