Wrap Tails inside a VM, where the outer VM runs Tor and handles the network

Bryan Ford's research group has been working on "Winon", a bootable usb ubuntu system that runs another VM inside itself, such that the inner VM has the sketchy applications (including Flash), and the outside has the iptables rules, anonymizing proxies, Tor controller interface, etc. The goal is to limit what the inside VM can reach.

I'm encouraging them to redo it as a fork of Tails, since like most research groups I expect they'll lose interest when it comes to maintaining their image over time. Maybe if they do it well enough, it will become a feature that Tails adopts.

(I'm putting this as a trac ticket in Tor's trac because it's a child of #7680 (moved). Feel free to reference us to tickets in other bugtrackers, e.g. if this ticket overlaps with something Tails is already working on.)

added component::applications/tor bundles/installation needs-triage parent::7680 priority::medium resolution::invalid severity::normal status::closed type::defect labels

Trac:
Owner: erinn to N/A
Status: new to assigned

Trac:
Status: assigned to new

For the record, Tails has had "Two-layered virtualized system" as a wishlist item for some years now. Stuff on our wishlist are, according to our nomenclature, essentially todo items that have very little hope of being implemented by us Tails developers for various reasons. Hence your plan seems very fitting to us.

An additional complexity for the team compared to their project (links, btw?) is that we would want this as an optional feature. There must exist a fallback mode where Tails would operate as it does now, without any virtualization involed, so Tails still can be run on weak hardware. There are also various tricky things needed to be solved to make our persistence system work with this smoothly. Etc. I think the team should be aware of this so they can make an informed decision.

See also http://sourceforge.net/projects/whonix/

Sorry to take so long to follow up on this. BTW, David Wolinsky isaac.wolinsky@gmail.com, the primary author of Winon, should probably be added to the CC list above but I can't see a way to do it myself (presumably because I'm not the owner of this trac item).

anonym, I agree that USB-bootability and the VM-based structure are conceptually orthogonal though potentially complementary design features. Ideally we would like to be able to have either without the other: e.g., a USB-bootable Tails or similar distribution that can be run with the VM-based features on more powerful hardware or without on weaker hardware. Similarly, while running the VM-based browsing setup off a Tails USB stick might be the most secure in extreme situations, many users may also wish to run the anonymous-browser-in-a-VM config directly on top of their usual hard-disk-installed Linux (or other OS) distro, assuming they trust it's uncompromised. We're working on incorporating some additional experimental features into the VM construction, such as a way to transfer files between anonymous and non-anonymous contexts via a "quarantine box" designed to help the user avoid giving away his/her anonymity, e.g., by detecting and optionally stripping EXIF data from JPEGs the user might want to post anonymously.

So with these considerations in mind, perhaps the right kind of packaging model to work toward here would be for the browser-in-a-VM WiNon architecture to become (say) a more generic set of software and scripts that could be worked into both Tails and other more conventional distributions (e.g., Ubuntu) as appropriate package sets. In the Tails case, there might eventually be some point during the startup process where the user has the opportunity to choose one of several "browsing modes/options", one of which could be a choice between the more powerful but expensive VM-based mode and the cheaper and more basic non-VM mode. I understand it's likely that Tails will have to evolve to offer users other similar choices on startup as well, such as whether to try to connect to the Tor network "automagically" while risking giving away the fact that you're using Tor, or to hold off any attempt to connect until the user has a chance to choose a stego-bridge mode or something like that.

In any case, WiNon is still a very early experimental research prototype, but we'll certainly keep in touch as it develops, and let's continue to explore the right way to transition whatever useful stuff comes out of it into a form that can be maintained in the long term.

Trac:
Username: ford

Replying to ford:

We're working on incorporating some additional experimental features into the VM construction, such as a way to transfer files between anonymous and non-anonymous contexts via a "quarantine box" designed to help the user avoid giving away his/her anonymity, e.g., by detecting and optionally stripping EXIF data from JPEGs the user might want to post anonymously.

Interesting idea. You may want to look at the MAT to deal with this specific problem: https://mat.boum.org/.

In any case, WiNon is still a very early experimental research prototype, but we'll certainly keep in touch as it develops, and let's continue to explore the right way to transition whatever useful stuff comes out of it into a form that can be maintained in the long term.

I'm glad to read this.

Replying to ford:

BTW, David Wolinsky isaac.wolinsky@gmail.com, the primary author of Winon, should probably be added to the CC list above but I can't see a way to do it myself (presumably because I'm not the owner of this trac item).

Only trac admins can add other people than themselves to cc.

Trac:
Cc: bryan.ford@yale.edu, anonym, intrigeri to bryan.ford@yale.edu, anonym, intrigeri, adrelanos@riseup.net

Replying to arma:

See also http://sourceforge.net/projects/whonix/

Speaking as am maintainer of Whonix. As a two VM system (can also run without any VMs), it can already run Flash without leaking IP. See Screenshot 1 or alternatively Screenshot 2. It works overall very reliable.

I am not sure, of what you are aiming for in this ticket, but I think Whonix might already do a big part of it and for any other "confine flash inside a VM" or "build anonymous VM" questions, I can help out as well.

Is this "boot USB, run some Linux as host, run something as VM to let it run unsafe applications" approach really what you want? It may also not be the solution for the frequently requested "Flash over Tor" feature. If most users were willing to leave their main operating system, they could use Tails on CD or Tails on USB. In that case you would tell them, "use Tails" and deprecate TBB, but you didn't and as far I know, don't plan on doing so. - If you want this or not, I plan to create an USB installer for Whonix and help is welcome.

Maybe what you want from user perspective is rather "some magic box, which runs Tor Browser and Flash, which can be started on any major operating system"? Whonix could be tweaked to do that as well. (Take Whonix virtual machine images; enable automatic apt updates; Visually hide the Gateway; use portable Virtual Box or other portable virtualizer; Reduce Virtual Box user interface to one big start and stop button) - Whonix would be also a good platform to start with. I am certainly interested.

As for the Winon, I'd appreciate more information, source code etc. Since Whonix and Winon share concepts and goals, it would be a good to avoid duplicate effort.

Trac:
Keywords: N/A deleted, needs-triage added

What should we do with this ticket? Leave it here? Assign to Tor VM (what is that?)?

Tails ticket are tracked elsewhere: https://labs.riseup.net/code/projects/tails/issues => closing.

Trac:
Severity: N/A to Normal
Status: new to closed
Reviewer: N/A to N/A
Sponsor: N/A to N/A
Resolution: N/A to invalid

closed

mentioned in issue tpo/applications/tor-browser#7680 (closed)