I tried to use Qubes OS, it was bit overwhelming. I mean its a great os but I spent last 2 days to upgrade Fedora 29 to 31. I am currently using Debian based distro. Could the idea of isolation be achieved in other OS with some tweaks (Docker may be).
I’d look into Docker.
Docker should not be treated as a security boundary unless you do a lot of prep work and upkeep in terms of orchestration and planning.
Honestly, most people I know looking for defensive isolation of that magnitude just use a lightweight VM (something like Arch with a tiling window system to reduce footprint if it’s just for a few apps).
In reality, what’s the threat model here? Chrome, for example, has pretty good sandboxing natively for each tab process. Until you start hitting a certain severity of threat model it’s going to probably cause more headaches than the benefits, and with headaches comes complacency and with complacency loss of true isolation for whatever was being done.
-Jim
@srini under all POSIX systems one has chroot jails which segment off files and processes. Yes docker/LXC being the latest in that line of tooling of that which includes the use of cgroups, union filesystems, selinux, acl, and several other methods and layers of isolation mechanisms for both processes, syscalls, resource space (cpu, network, memory, filesystem usage), access control, and file system storage segmentation.
For “other OS” I’m assuming one is meaning Windows? If that’s the case good luck. There has been efforts since Windows 7 to do something internally but the average user would just see it as the usual user account control. But usually that’s just to hide away select system calls deemed “insecure” to prevent older malware attacks.
However Docker desktop/windows subsystem for linux is the more modern version for Windows pro but those are just hyper-v hacks. Doing the XP days I use to use Sandboxie to jail system calls and segment the filesystem while testing new software. So in a way sandboxie could be what one is looking for on windows.
However just by your thread’s title, I’d suggest getting away from ‘x over used’ linux distro and use a Docker or LXC base one like CoreOS then build one’s own container images from there following proper guidelines on security as outline below.
Also don’t forget to read the NIST Container security Guidelines:
https://coreos.com/blog/coreos-welcomes-nist-container-security-guidelines
After that have a damn good IDS, edge security, and transport layer encryption.
Thing to keep in mind though; one’s never going to have 100% security but one can mitigate the risk of improper security.
Thanks @hon1nbo, @denzuko, @motopilot for your replies.
Don’t we have anything like Anaconda or firejail to spin up an environment/app with configurable jailing (based on threat model). My attack surfaces are
- Flash Drive
- Browsing
- Mails (IMAP/POP3)
Attack surfaces are different from a threat model; I’d start with a threat model to see what level of defense is actually reasonable.
The average Joe doesn’t have a threat model worth going beyond using a browser with sandboxing and basic execution controls (like the Linux defaults when using a browser such as chromium), or windows with an adequate AV (run of the mill malware will get caught by most of them assuming you are running an up to date version of 10).
When you start getting into targeted attacks things get interesting. When evasive tactics are in play AV/EDR is basically useless and isolation becomes important. However you won’t see that on random drive by downloads etc. Targeted attacks will generally only be seen used by a motivated attacker, when you have something worth the time. For example in my consulting work we have assets worth the manual investment, so we have tons of serious controls. The average home user doesn’t have to worry about that.
In terms of USB, if you don’t know the source of the USB it’s always an issue but you can place it in a controlled context like a VM.
Anaconda? really?! why not use packer to build a trusted ISO or as pointed out CoreOS then run 99.98% of your software stack inside containers.
Also, Firejail is doing the same damn thing that SELinux, AppArmor, and docker/lxc is using. Cgroups and process namespaces(ie selinux). SELinux has been around for longer and been proven to work. Plus its not another muther f’ng root SUID binary.
Look into how Containers actually work instead of some sexy remake from x blog.
Now…
- Flash Drive
- Browsing
- Mails (IMAP/POP3)
-
flash drive, as in a badusb/rubber ducky? Run linux and make sure all trusted users has to enter a password for sudo, also lock down sudo to only select commands (
sudo sushould not be allowed ever). Keyloggers are a completely different matter. One plugged into the computer can be physically detected and if someone has physical access its game over for trusting the environment anyways. But anything software based needs root anyways so that’s another game over situation. -
Browsing. DON’T RUN JAVASCRIPT. Don’t run binaries one cannot trust. Done. Anything else is edge security. (pi-hole, anti-virus, [hn]ids, etc.)
-
Email. Same as 2. In fact just use fetchmail, procmail, and mutt. email is just text files anyways and even if they’re with html/js/images if the email client doesn’t ever parses html/js then it’s never going to be an attack vector unless one executes untrusted javascript and binaries.
-
IM. including this as a bonus freebie; it’s the same as 2 and 3.
This isn’t a feasible answer with the current state of the web; in practice browser exploitation isn’t very common nowadays, and most are using drive by downloads to try and convince users to open things, clickjacking, and phishing. None of those are JS dependent.
This is still assuming no privesc exists, however we still don’t know the threat model here. Besides sudo password there isn’t much USB wise one can do on Linux due to execution handling, though on windows there are controls that can be used but mostly for limiting HID or disabling unknown block storage devices
RCEs for mail are very rare, but the way I would rephrase this is to put the client in text mode or just use the Webmail interfaces (again, chromium already has fairly good native sandboxing). Saying to use some very convoluted method of pulling mail doesn’t help provide meaningful defense, just additional attack surface area and complication.
This is incredibly misleading, as most of the major IM protocols don’t actually have a meaningful way to exploit things Against an individual user remotely via the protocol itself; the attack vectors that have been exploited in recent years are in client side parsing of text itself. Things like JavaScript settings etc basically don’t even exist in common IM systems.
This is flat out not accurate; namespaces aren’t what selinux is using. They can be used together, but selinux is a Mandatory Access Control (MAC) implementation where each process/application/inode/etc has a context which defines what it is allowed to do. This applies across the entirety of the host, and all namespaces would inherit it since they are bound by the host machine. Context setup is critical in deploying selinux with any reasonable impact as it’s policies are not universal for all programs and machine usage.
AppArmor works at the file level, rather than the inode level, which means it actually is bypassed by all hard linking and other means.
Cgroups and namespaces still require seccomp to be effective due to inherent problems with user-level namespaces, and seccomp basically precludes most container orchestration frameworks and management suites unless you want a lot of headaches.
I’m going to reiterate most of this is moot of you don’t have an actual threat model that makes these things a realistic concern. I for example just have a dirty VM for when I’m on things I know will cause trouble, but in reality security for most people starts with the user and no level of isolation will make a difference if the user just runs anything wherever anyway. Binaries don’t execute themselves in drive by downloads.
As a red teamer, want to know what currently is the biggest killer in our success rates? It’s a fully up to date version of Windows 10, running credential guard+device guard+windows defender
(and App Guard makes it basically God tier if you can stomach that). The only way we get around that is users not being aware and tricking them into executing things.
As a red teamer, want to know what currently is the biggest killer in our success rates? It’s a fully up to date version of Windows 10, running credential guard+device guard+windows defender
(and App Guard makes it basically God tier if you can stomach that).
And for the casual reader of this thread: