 I didn't intend to make any slides at all because I intended to have some small brain storming session. With a few interesting people, I want to talk about how secure is our Damian desktop. This means for users who are using day-to-day applications on their, for example, the desktop issue. I want to outline my security budget for what I'm intending to solve, or what's the problem that we're being conflicted. I see that we're conflicted. First of all, from time to time, we all have to, or in the past, have incomes to occasion where you have to run 100% software like, do you really just activate this Adobe reader? You are perhaps aware that it is, by default, able to run JavaScript and connect other websites to the internet, but there are use cases where you really have to use that, for example, like filling out formulas, and you can imagine various other applications where you really need to run proprietary applications where you don't know the source code, you don't know exactly what it is, and you run it anyway in one environment or the other one. Or even if you restrict us to use just free software, I think we all have used ICWISL or Firefox at some point, and if you look at the security history, it's not really a secure software, but we still use it. We know that there are malicious websites doing all kinds of weird things with JavaScript, so many people prefer to just turn off JavaScript, but seriously, does it work for day-to-day use? I think not. Or think about buffer overflows in, for example, media players. You still want to watch video from somewhere, and you still run unsecured media players. Of course they are unsecured, but you live with that. What are the problems with running unsecured? Well, malicious code running on your desktop can, for example, delete or manipulate your files, or think about confidential data like you store bank accounts in your own directory or a credential for bank accounts or your GPG key. If you run Firefox on your laptop, you essentially grant Firefox the right to access, transmit, delete, whatever the GPG key. Think about that. I think that's a serious problem. Generally, nothing happens because Firefox generally won't open your GPG key, but potentially it has the right to do this. And I think this is potentials dangerous. Now I want to move your view to other operating systems which are more popular, which are quite popular. There we have softwares used of all various kinds. They call it personal firewalls, where you can restrict the software to, where you can intercept the software when it calls to the Internet, then you get some sort of pop-up or other notification. In application called Microsoft Internet Explorer is trying to access the Internet to this or that website. Do you want to disallow this? There are other kinds of sandboxes softwares used available on Windows. There are various kinds of virus and trojan scanners and other auditing tools for Windows. Now let's shift back to Debian. What do we have here? There are some commercial products like this Panda Antivirus on firewall. Have you seen that before? Well, that works. That's quite similar to the personal firewall which I explained to you. So if you get notifications like I do, you'll be really trying to call home to this appearance, but it's commercial. There are really various all kinds of other virus scanners available for Windows and Debian. Therefore, I think I don't need to count them. There is some free software in this area of interest which I'm talking about, like a ClamAV. I think there are other virus scanners besides the most popular ones. I'm not sure if there's any software for sandboxing or free software for this personal firewall. Does anyone know here some software which can be used for sandboxes? Well, I think that the most common way to sandbox application is to virtualize. So if you install a Debian in a human environment and run only entrusted software there, then I think you can reach some kind of... You can be quite confident that nothing bad will happen to you for some new GBGQ or something. You can also run V-Service. Sorry? You can run V-Service. V-Service? That's another kind. That's not virtualization, that's isolation, but it comes to the same point, right? It depends on the home. You also just basically run your potentially malicious software in a user account. Yes, you can separate with different user accounts. Yes, but that's also a pain in the ass. You can't really say that to users. It could be, it could be difficult to have a separate user account and it's kind of so... You just find it easy to do, but I don't think it will work. It's nice to stay home. I think that's an approach Microsoft is doing with this, running Internet Explorer in an alpha less privileged security context. Are you trying to remove all the... Everyone having to be administrators and do everything? Yes. For example, yes. Right, so virtualization could be one approach, but I think we all agree that's not really what we want here. What... And you mentioned Sea Linux before. Yes, there are a couple of security frameworks in the... You already mentioned Sea Linux. It's a very intensive and broad approach. It requires you to label your complete file system to have this time rule enforcement depending on the role you are and depending on which label, the binary you have to execute. The policy itself in Sea Linux is implemented by the reference policy and... Well, it's too much to explain Sea Linux in detail in this talk. I just want to mention Sea Linux exists there. We have heard a talk with Manoj at the beginning of this week. I hope you will hear that. And alternative or another way approach to do this is Armour. Armour wants to compete with Sea Linux without having to relabel your complete file system because they rely on file system locations. So they say, okay, you want to run the binary user bin Firefox, so it has this set of rules applied to them. I just looked up before the comparison of Sea Linux and Armour on novel.com. Obviously, by us. And I just copied all these signs with usability in mind. Well, sure, they make different constraints and assumptions more easy so they can have easier rules. What you cannot do with Armour, for example, is to have the same binary running in different security contexts so you can't have a Firefox which is able to access your more secure cookies than another one. It's not possible with Armour. There are also some other less known security frameworks. Who of you knows SysTrace? And everyone on that? It's very common in open BST because it has been properly integrated in the system. You can think about it like a fireball for system calls. You start an application in a SysTrace environment where you apply a set of rules which system calls are allowed with which parameters. For example, you can apply a policy to the open system call and then match a regular expression to see what kinds of files the application is able to open with which mode and whatever. This is SysTrace. It's VAR but I think it matches a bit with SysTrace, right? Yeah. It seems like a Kluge system to me. So it always seems like kind of a Kluge system to me when we're trying to do a secure case of filing, matching and bargaining, matching. Well, it's not only a file name. It's just that you can also apply security policies towards them to the connect system call which allows you to implement... Right. Or if you apply it to everything, you can have something like a personal fireball. If applied correctly. And has anyone heard before of RSVAC? Anyone? Interesting because from what I've seen from the virtual, it seems to be an impressive project but it's rather just a framework and not a relative solution. They provide you to install your system, modules they call ADF, get the proper decision for the team and access control enforcement facilities. You can install several of these decision fallacies in various places of the Linux panel which end things, all kinds of things like ACC, file access, network access, whatever. And with this you can also implement different security policies. And I wanted this to be a brainstorming both. These are four security frameworks which we would be able to use. I explained to you the problems, what we currently have and I think we all agree that they are real problems which we really should find some way to deal with them. And I'm open for suggestions on how one of these four or maybe someone gets up with another idea I think a public can see perhaps a road mesh to approach how to solve this problem. That was my last slide for you. I think what we were thinking about, Stefan, you and me, we are currently developing some top-down approach by thinking what we understand with a security policy and the next steps to map our understanding of a security policy to one or more of these frameworks. Currently it looks like it was down to sisterage people for a reason that are not so interesting here. But we wanted to hear your opinions. Do you think these security facilities are, or which of these security facilities are usable to solve the problems that we currently have on the desktop at all? I can't think that in five years' time, or maybe two, we could leave without something like, I have ACNUs in mind or anybody which enforce security based in the context of what the application is doing. I guess everybody is more or less aware of ACNUs and also have to learn some stuff that also can detect some kind of malware or call it virus or whatever, because it really works. No, not to the same, it's as an extra, I don't like the engineer's work, it's not meaningful, but some stuff that can detect that you have done it in something which is not, it's probably going to have a strange behavior. ACNUs, to me, are probably one of the best in the world. This trace is, ACNUs, cheaper way to implement ACNUs stuff, it may be easier to improve our system and we can modify it. I'll say ACNUs, don't really use them much. We're the ones here. We need to use it and so we can improve the policies. Probably ACNUs is, of course, it is very complex to get an ACNU that works for the new one. So, would you think that it's feasible to just leave most things running and not just the web browser and some serious special applications that we can strengthen by ACNUs? This is a valid approach for the beginning part. This is just a slightly harder process. In fact, this is the approach the reference policy is doing and the reference policy is basically the only really usable, in fact, usable policy for CELINOS, which, that's why the reference policy is targeted, that's the full name. Yeah, but it's only for the system services and not for the process. But different users put different violence for web browser and ACNU, which have different policies for the different users. So, I think that's a quite complex task to consider. There's no easy way currently to switch between things. I don't think there's no other problems, but it's also, obviously, a security issue. If it's easy to switch between them, then they're not secure. Switch between what you say? What you're allowing it to do. Applying new policies. Applying new policies to and running or to a new process. Yeah, basically, currently, you have to be big. With CELINOS, you can install new policy modules, the reference policies module, and you can load and unload security modules, which are part of the policy you're implementing at runtime, just like you can do with parameter modules. The problem with this is that with CELINOS, this is a privileged operation, so you have to be moved to install a new security and policy in the current. What could be really slick was if the user would be able to constrain himself from saying, I'm starting actuary now, and I want this particular instance of actuary to be not able to contact any network, because for UNO PDF installation, you're able to contact some network. Yeah, so when you're about to start programming, you can expect that you want to make it, say, more enforced than normal. It's probably an interesting way to do it, rather than you go, I want this to be in the open, because then that would be whatever project virus, et cetera, would do, if it managed to get onto the machine to be able to talk back or install things. This is an interesting thing I've made around, just get it restricted in some way. Right. You can also have it checked. And this is in fact doable with CIS3s. Surprisingly, yes, it is, because a user can... No, you cannot run CIS3s with an CIS3s. That was a limitation, right? So if you have to compute this, don't run it with an CIS3s, you cannot run... You have to compare them. You need to have a worker. Yes, you. Which then would apply some constraints. Right. You can perhaps track the CIS3 system, compare the new rules with the older rules, define some metric which is more... Which defines, is this rule more or less strict? And if it is less strict, then I know it. Otherwise, deny it. Yeah, I will. And I did some research on CIS3s on them, and they used to be a package called Carbon Patch CIS3s along with the CIS3 tools. It has been removed since some time from there, because the old maintain a lost interest in it, and just often it had it removed from the labian archive. There is one upstream guy who still parts it to Linux, so it's waiting to be packaged by someone who actually uses it, so it could be really an auction, but we need to package it. There are packages ready to use, packages for sale drawings, but made by Linux. I think there are more packages for Debian, and I know that a lot of guys are working one-up armor, so that should be easy to get this into Debian, if it isn't already. CIS3 needs to be packaged. There is a C in the upstream guys of providing some Debian packages, but it seems nobody has used it so far. And I really hope that we had someone who could tell me about that, but it seems to be no one here. I think it is the desktop, and I think it's possible. I think we're going to be really reckless and stuff like this. I think we can play the game, it's like the same thing, but worse, I think it's interesting, it's like web browser, like E-mail and streaming, it's just good defaults to not let the web browser go to GPG and stuff like that. Yes, we're doing the same things, and yes, this is basically what we are trying to solve for the power. It should be default, it should be a choice, or we should have to opt out of it. It's quite a problem we should do. Because it's a problem that people would want to turn it off. I think, to answer your question, I think we can't expect to have a serious strict policy in the next few years. So we must get through what we call targeted, as we do today, this statement can do this, and this section, and maybe extend this to user... Which is the same section, but you would want... What would the user want to do? And so, firefox, just don't go to password file and do this one, it would be better to say it can go into this, rather than you having to divide it into... Yeah, you're right. But the idea of targeted is to have a transition and say, we can't do strict today, so we'll just firefox. It's better, and just gradually out. Because people are going to get upset, they can't say a formal anywhere they want. So it's better to be patient. But some of that compromises that you just get used to. As long as you can see that there's this benefit and so, you move the file afterwards, but you're much more secure. So the basic idea is to start with a small set of rules, which are supposed to not break too much, and then gradually improve the rules. I get it. Is that works? You had in mind before? Yeah. There's only one question, and it's only working to get somebody to restrict a police enforcement. I think the best thing is if people run it and then they can see what actions they're not going to want to do and allow it, hopefully all normal things people want to do will be allowed. Then one of the problems with things like SELX is everyone's half thinking, well this is really complicated and there are major problems at the moment, I can live with evidence. So there's partly a PR science to think of this. And going look, it's easy to install, it doesn't cause you any problems, just do this. In fact security frameworks are designed to cause problems because you want to restrict. So this is... That's part of the problem. It's not necessary people do what they don't want to do anyway. It's not a problem. Many applications have access to SELX and they don't really need or it will always be positive points or real problems. I'm just an adult and I'm studying migration to Linux or my company. And then security has actually been one of the issues we've looked at obviously. And then we were a little, I won't say surprised, but most people will know the windows style group of stuff. We've built an active directory environment. Does anybody know some sort of equivalent for Linux or Linux systems? For Linux or Linux systems? I mean some central management because I completely agree that something you want to have on a desktop should be as easy as possible for the end user. However you may come across some situations in which management should be done centrally. And basically that was one of the things you didn't really find stuff like that. I think you have a very good point here. Can you please elaborate on the requirements you have. Are you centralized now? What other requirements are there? What do you want to restrict? What do you understand here on security policy? I think between those you've got very fine-grained control of things on your desktop. Absolutely. It's slightly different. It's not entirely there's two things about those group policy things. One part is more configuration based than switch of items and stuff. Some other parts is also security related and it's actually for the security related bits. Okay. Like running programs or you need to do that. What we're doing now is giving through such policies access to particular all of the workstations. Which has changed from historical what they were doing, you can run it. It's basically you have to get away from the single machine where you can administrate the social. So these policy you said we're not going to restrict programs from doing certain actions but they restrict the user from doing any applications. So we could do something with groups. That's a difference. Basically we would like to go in much more detail. Like some central simply managed AC Linux which we can really go more fainter say like this program can access this file in this situation. So basically you would like to see Linux but have it managed centrally. Did you have to write it yourself? Did you have to write it yourself? You could do it without that. Have you heard about CFMG? Yes. Some people use FAI or Puppet, I don't know this one. Which allow you to centrally manage your and push whatever you want to all your distributed computers. And the certain ones as well. You don't have to apply it. Yeah, you've got to have some questions. So that would be a way to go. One, CFMG is a tool to distribute a configuration policy whatever that means. You still have to decide on the policy and ways of actually implementing the policy. And it's basically system configuration. It again doesn't allow you to restrict programs from doing certain things. You could have, if you used ACLs, you could do it for user's or likes to running the programs. But that's maybe a bit complicated. This goes to this window's approach that you have one centralized service which sets basic unix file permissions to restrict users or groups to things. To see a engine allow you to use ACLs or just basic file permissions. So, you could presumably use it to deploy an ACL with policy as well. That would continue. Yes. Since you are allowed to execute check commands and your parse files and edit files, you're basically allowed to do anything including it. So you need a special policy for the engine to only have some rules. I know there is a security framework or being in place or being hacked on can you give me a small overview what this is useful for today? Of course, it's not usable for anything because it's just a framework. The basic architecture is structured based on the ACLs where you have high policy and you respect access to resources within the X-server. The default access control in the X-server is what you need to get at everything in order to know inter-process restrictions whatsoever. The X-ACE security framework allows you to implement ACLs by policies inside the X-server to restrict access to various properties so you can restrict the ability to cut between applications and restrict the visibility of other applications from what you know. Essentially, the partition works in your work environment so you can see the logical sets. A set of applications that have created additional privileges like the window manager has really immediately all of the windows on the screen. This grows out of the ST Linux work and the historical X-security framework which I have fairly sophisticated policy and fairly sophisticated access control of other policies. And how does it relate to the ST Linux? Does it use the same syntax and the same mechanisms or is it completely different? It uses the same semantics. I'm not exactly because the objects are different it can't really show the different types of the same files or anything but the basic concepts are very similar. I'm not exactly sure how the where the policy is stored but it's only visible to me in terms of access restrictions that are actually quite easy to use. And it's being done by Amy Wall she said at NSA. What stage is this? I don't know. He worked on it before he got his security clearance at NSA quite heavily for a year and a half or so and he went off and disappeared for a couple of years right back doing more work on it. I don't know what the stage is. I don't know if it's a usable work that's very, very useful for intellectual work. I don't think that's the way to see where it is stored. So it's mainly developed by the industry? Yeah. There is a public see-away framework but no policy like the reference policy? Yeah, I don't think he has a policy. Yeah, it provides some level of security. Very interesting to try to try to answer that. But I'm not sure at this point because a lot of inter-process communication happened outside of the X environment. I'm not sure what the added security to the X issue at this point. A lot of the communication has to do with security. And so that certainly knows. Unfortunately, because these frameworks don't talk about D-Bus security, how do we integrate these? D-Bus has its own security framework. We have particular processes that users are allowed to access different resources in the system. So how does all these different services which now have this wide variety of different security frameworks in place, how do we manage them and provide unified information about what your current security policy is? A bunch of disparate mechanisms. None of this stuff talks about what we do with X or D-Bus or how information will access to devices. All this kind of stuff. It's a few months ago now, but I remember reading a scientific paper from the NSA talking about how to lie sediments to something as weird as the GCon database. I think you've read the paper as well? No, I've read it. He is explaining and describing how to design and implement user space object manager, I think he calls it. Great. And he's applying the concepts with the type and role and subject to object to GCon. And he's labeling the GCon keys by duplicating the complete GCon tree to sub-tree prefix by Cliners and then the he stores the security labels. Yep. And then each time an application in order to access the GCon you have to use a well-defined interface. But there's not a database ending behind the enforcement policy. Right. And the paper therefore proposes because currently GCon is commonly used with orbit with a corba interface. And in the paper he proposes to drop that and just switch to D-Bus because from the D-Bus side he can implement this user space object manager more easily to enforce Cliners' rules on access to the database. And that's what the paper is basically about. So it seems to be at least in theory solved somehow. Well, I mean the database seems to be focusing on getting to being able to use SClinics file access control for all these different databases. It seems like good. It sounds like you will be able to give us this information. But it seems like it's pushing the way for these other alternative frameworks. Because it seems more the concepts in SClinics seem more generally applicable across a wide domain of different databases. But we had an old access control mechanism in X that was just to do that here. So it was actually compartmented both workstations. We had basically two domains. We had the secure trusted application and the trusted applications. The trusted applications could do anything. The untrusted applications wouldn't really be there. If you remember the invention at this age could they turn that on? What? Put it yourself? Yeah. This sounds quite similar to what we're using currently in Unix which is operating a root account which can do anything and use our account which can do a certain set of actions. Yeah, except because everybody had run a root for so long there was a bunch of extensions and the system wouldn't be engaged in the security framework. And so all of a sudden half of your extensions no longer worked for the sysh access applications because it made anything coming in over as sysh was later untrusted. So the render extensions stopped working. Pre-booking. Does the audience or how do you feel now what can we do from the Damian side or which approach should be most feasible to have a secure desktop as I defined it in my talk before. Which framework or which way would you suggest to be the most popular? I think the other distributions are already showing that sysh access is the direction we're pushing things in because it does provide enough semantics and flexibility to encode a really wide range of systems. It doesn't seem like there just isn't any community support about these other mechanisms they have shown themselves to be significantly more confident in what we see in the configuring. Other opinions? Okay. I wanted to hear. Because Jaxon seems to object quite strongly to as you know for being a framework which introduces a very complex set of rules on something which should be simple. But if it's too simple then I don't think it's perfect. I don't agree with them, I just say I don't think his argument is wrong though. SC limits is for all intents and purposes today possible for the user every year. And to say that we should policy frameworks SC limits and that just seems crazy. But we haven't come up with a better mechanism yet. The United States is simpler. Either simpler or just perlating it so it works. Well, if the user can't understand how it's configured then they're going to know that it's secure. And they'll act like accident configuration changes will be gain and secure again. And how the SC limits community is addressing a particular issue. It makes some sense in the server environment where you can expect there to be a confident in knowledge versus in the desktop. It seems like we have a long way to go for SC limits to be understood and configured by a younger user. Well, there's the two parts there. There's the desktop and then there's all these sorts of things. There are very good desktops. They're very difficult to separate. There's a corporate desktop at this point that's mutated randomly by the corporate user. As much as corporations would like to watch out for desktops, users can manage to work around these restrictions on a regular basis. It obviously depends as they've got the rest of the machine which can install effects off. But if you can physically touch the machine that's the key. Yeah, pitch. What? Essentially. But then if someone's actually putting off a removable media and stuff and pulling the bias battery out you can then take policy but workplace policy depends rather than future policy against them at that point. They're obviously violating things that could mean that. Right. In the computer pool it's needed the users have physically access to the machines but they are told to not switch it off, to not remove it because it has a password and what effect users could just take it offline into various things about it but we have cameras and we stick with people doing that. Yeah, or if you have security cables through the machines meaning that you have to actually use enough deterrent, I would say, for most things. Yeah, well I've been in a cop in a student department that works quite well in any case if the user doesn't understand the policy independently whether they're intentionally they don't know what they are secure against them so they don't know what the system is violating. In the worst case you just frustrate them. But even in that case they're just frustrated with the system to survive and we want to encourage them to deal. What problems I see with SD-Linux is at this point I don't see how SD-Linux is able to help me with implementing some sort of person firewall. This means to supervise implications of what they are actually doing and asking me what they are also doing. What does SD-Linux not provide a mechanism for redirecting requests to get a connect request to it? If you have an application trying to make a network access SD-Linux doesn't really seem to provide any ways to say either you can either say yes or no it doesn't seem to provide a mechanism for saying wait let me check. I haven't seen that before but that would be very helpful in this case. Yeah I think that's although then again we have the endless pop-ups of windows. Yeah I think I heard that we got into an effort of such kind of some guy who actually made which works with IP tables and with GUI we just asked what pandas pandas providing this? Nooo Ah there's also I think phytosol is equal to GPL yes I think there's another GPL implementation not what you say but How does that allow you to pause the connection? Maybe to answer I think there's an IP tables user space project where you can redirect a packet to user space and then let a user space privilege even contact the user session debuffs and make it pop-ups and things I think there is a GPL application for that but in there it's really restricted to network connections which is a good thing but I was rather looking for more I think there are the two distinct things there's network and there's phytos I'm not sure if there's anything, there's an easy way of actually tying those two together apart from just having a program that does two different things What I would like to do is if really in long term if we want to secure the desktop I don't think we can rely on any user interaction to enforce security because we know how users are the first time they're being asked what's the problem as soon as they understand they might give a sensible answer the fifth time they just don't give up and say what's the key point yes and the problem is really that they don't probably it's very difficult to get them to really understand what's about someone going to this application wants to get to the network and why should I why shouldn't it and if you can answer whether this application if you can document why this application should go on the network you probably actually can build a policy to enforce you shouldn't be tasked with that point well I think there are two distinct use cases the one is yes, a half time one thing is to secure a general to work workflow day-to-day applications that you probably don't need these interactive pop-ups to ask you what to do but I think there is also another use case where you are running a potentially untrusted application you want to supervise it and therefore these pop-ups can be very useful if you actively want to supervise them sort of training programs you are running for studies maybe and you are seeing what it's doing but whether you have any user really wants to be doing that end user might end user might they get into the conference maybe not at conf but sometimes they have a very interesting conference and they are being given some stuff on it and of course it's something they have to learn because that's how it's done in windows world and so they plug in the software and if they have been sensed how is it going to be done they might want to say I want to okay I have to run the software but I want to run it as being unsecure and then having those kind of pop-ups you can do that and this would be interesting and that would probably more apply to software that you are downloading yourself rather than the system in software but generally that should be tested yes maybe but not always not always but it's a more likely situation and you have to admit that's a common use case more idea, more inputs time is up but thanks you for attending the session I think we have written down some interesting points are we allowed to say what we are doing making choices to get past all the stuff no, the website is supposed to be go online so we are working we work on such a project to get some environment to design place we are currently evaluating different security frameworks and we want to hear from just requirements common use cases which I think we have written down some interesting points here to make a centralized approach like you are demanding I think we can call the name it would be the Nubius project website is going to be on as soon as possible well, we actually want to work in that direction was this kind of interesting application thank you thanks for coming thank you thank you thank you for operating the camera you are welcome