wiki:org/meetings/2016SummerDevMeeting/Notes/SecureOSOverview

Topic: Qubes! secure operating systems!

Qubes, TAILS, Subgraph, Whonix

All are different, work in different ways, have different use cases.


Tails

live distribution, you don't (typically?) install it. Boot from USB instead. You can have a persistent volume too (folder of persistent data, encrypted, etc).

Aims for anonymity. Secondary operating system for when you want as much anonymity as possible. Try to not leave any traces on computer.

Based on Debian. All users named "amnesia".

All stuff transparently torified (!)

AppArmor rules for everything.

Limit impact of remote exploits. If somebody gets an RCE in TB (Tor Browser), they still have to break through AppArmor, get root, etc.

Built into the SecureDrop process.

(Discussion on wisdom of TAILS-on-vm. Virtualization support so-so.)


Subgraph

Main OS you run, designed to be installed on computer

Hardened Debian. Uses a hardened kernel with grsecurity patches.

Ideally, the kernel notices and prevents RCE attempts in processes. Extra sandboxing over a set of applications that the Subgraph devs manage (Thunderbird, LibreOffice, Evince, Tor Browser, etc.). Even if an RCE gets through, the sandbox limits the impact of the hack.

All traffic goes over Tor. (Tails-like in that sense)

Subgraph and Tails have untrusted browsers to handle captive portals. But not so much support for separating network contexts.

(What do Tails and Subgraph use for torifying?)


Whonix

Distributed two ways: as part of Qubes, or as VirtualBox images.

As VirtualBox images: a workstation image and a net (gateway) image. The workstation VM only sees the network through the net image.


Qubes

everyday OS, you install it on your computer

Use proxy "NetVMs" to relay user traffic through VPN/Tor/etc. The VMs where apps run don't even know the real IP. Only one NetVM is allowed to see the network.

No host OS. Host OS is VM-management environment. More protection against evil USB stacks, evil wireless cards, etc.

Dom0 is Qubes host. Not network connected.

Exploit impact limited to one VM (unless they can attack the hypervisor).

An AppVM can write to /home, but not to the root FS. Not every AppVM needs network.

A Template VM is the base that gets cloned to make AppVMs etc.

Qubes-gpg-wrapper: call out to a gpg in a separate VM.

Good GUI integration.

Dev environment -- one VM. Treat it as a computer. But when doing other stuff, use other VM. etc etc.

Disposable VMs to use for untrusted pdfs, etc.

Fresh RW homedir for each new VM.

Yubikeys do work.

What can you just not do:

  • No gaming. No 3D acceleration.
  • No sound on Windows
  • No MacOS
  • Poor support for USB devices

Who can figure it out and use it?

  • Claim: not so much harder than, say, Ubuntu.
  • Just so long as they're not trying to use external devices much or set up a printer or whatever.

File explorer in each VM has a "copy this file to another VM" thing. Then Dom0 asks you for permission.
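Added example (not part of the meeting notes, and not Qubes' own shipped policy files) of how the two call-outs above are controlled in Dom0: the "copy this file to another VM" prompt and the split-GPG call into a separate VM are both Qubes RPC services, and Dom0 decides per (source VM, destination VM) pair whether to allow, deny or ask. The VM names `work` and `gpg-vault` are made up; the file paths and the `$anyvm` wildcard syntax assume the Qubes 3.x policy format.

```conf
# /etc/qubes-rpc/policy/qubes.Filecopy   (lives in dom0; path assumed, Qubes 3.x format)
# Format: <source VM>  <destination VM>  allow|deny|ask
# Dom0 uses the first matching line. "ask" is the permission dialog the notes mention:
# the user sees it in dom0 when running, inside a VM:  qvm-copy-to-vm gpg-vault pubkey.asc
$anyvm      $anyvm      ask

# /etc/qubes-rpc/policy/qubes.Gpg   (lives in dom0; path assumed, Qubes 3.x format)
# Split GPG: only the "work" AppVM may drive the gpg that holds the private key in
# "gpg-vault"; every other pair is refused, so a compromised AppVM cannot reach the keys.
# In the "work" VM the call-out looks like:
#   export QUBES_GPG_DOMAIN=gpg-vault
#   qubes-gpg-client-wrapper --clearsign message.txt
work        gpg-vault   allow
$anyvm      $anyvm      deny
```

The key property is that the private key never leaves `gpg-vault` and `gpg-vault` itself needs no NetVM at all; the AppVM only ever sees signatures and decrypted output coming back over the RPC channel.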

Copy-and-paste across VMs is possible.

Backups actually work! AND YOU CAN RESTORE!!!!!!!!!!

Last modified on Sep 30, 2016, 10:25:51 PM