| 1 |
On 07/07/17 03:53, Martin Vaeth wrote: |
| 2 |
> R0b0t1 <r030t1@×××××.com> wrote: |
| 3 |
>> On Thu, Jul 6, 2017 at 1:33 AM, Martin Vaeth <martin@×××××.de> wrote: |
| 4 |
>>> Peter Humphrey <peter@××××××××××××.uk> wrote: |
| 5 |
>>>> On Tuesday 04 Jul 2017 10:14:23 Martin Vaeth wrote: |
| 6 |
>>>>> |
| 7 |
>>>>> With modern browsers and their complexity, you can expect that any |
| 8 |
>>>>> website (or the one who has hacked it) can do anything which the |
| 9 |
>>>>> user of that browser can do if he is sitting on your seat. |
| 10 |
>>>> |
| 11 |
>>>> Have you seen any reports of that kind of thing? |
| 12 |
>>> |
| 13 |
>>> Are you joking? Every CVE of the browser (or of any of its dependencies) |
| 14 |
>>> which eventually allows an "execution of arbitrary code" exploit is |
| 15 |
>>> such an example. |
| 16 |
>>> |
| 17 |
>>>> but I'd expect Linux to be less vulnerable. |
| 18 |
>>> |
| 19 |
>>> This has nothing to do with linux. It is the complexity of the |
| 20 |
>>> browser which is the problem. |
| 21 |
>> |
| 22 |
>> To be fair it is a bit more circuitous on Linux than it is on Windows. |
| 23 |
>> [...] you can't directly cause another process to start executing |
| 24 |
>> your code directly [...] On Windows there exists CreateRemoteThread. |
| 25 |
> |
| 26 |
> If you get your browser to do what you wish (e.g. calling |
| 27 |
> CreateRemoteThread on windows) you can usually let it directly execute |
| 28 |
> what you wish, anyway. |
| 29 |
> |
| 30 |
> So there is hardly a difference from the system. |
| 31 |
> |
| 32 |
> I agree that the number of possible exploits for the former was slightly |
| 33 |
> decreased if you had a correspondingly configured hardened kernel |
| 34 |
> (and provided, of course, that you have not other gapping security holes |
| 35 |
> like polkit, systemd, nepomuk/baloo, ... which all suffer from the |
| 36 |
> same problem than browsers due to the fact that they provide every user |
| 37 |
> access to a much too complex software stack.) |
| 38 |
|
| 39 |
Hmmm. OK, so I avoid systemd and nepomuk (actually all of KDE) but |
| 40 |
polkit? I try and run a minimized DE environment, but on a workstation, |
| 41 |
I'm constantly evaluating various codes, so how do I avoid polkit? |
| 42 |
|
| 43 |
# equery d polkit |
| 44 |
* These packages depend on polkit: |
| 45 |
app-emulation/libvirt-3.3.0 (policykit ? >=sys-auth/polkit-0.9) |
| 46 |
dev-util/sysprof-3.22.2 (gtk ? sys-auth/polkit) |
| 47 |
(systemd ? sys-auth/polkit) |
| 48 |
gnome-base/gconf-3.2.6-r4 (policykit ? sys-auth/polkit) |
| 49 |
gnome-base/gvfs-1.30.4 (policykit ? sys-auth/polkit) |
| 50 |
lxde-base/lxsession-0.5.2 (sys-auth/polkit) |
| 51 |
net-firewall/ufw-frontends-0.3.2-r5 (policykit ? sys-auth/polkit) |
| 52 |
net-print/hplip-3.16.3 (policykit ? sys-auth/polkit) |
| 53 |
sys-auth/consolekit-1.1.0-r1 (policykit ? >=sys-auth/polkit-0.110) |
| 54 |
sys-block/gparted-0.27.0 (policykit ? sys-auth/polkit) |
| 55 |
sys-fs/udisks-1.0.5-r1 (>=sys-auth/polkit-0.110) |
| 56 |
sys-fs/udisks-2.6.5 (>=sys-auth/polkit-0.110) |
| 57 |
skipper james # equery d udisks |
| 58 |
* These packages depend on udisks: |
| 59 |
gnome-base/gvfs-1.30.4 (udisks ? >=sys-fs/udisks-1.97:2) |
| 60 |
media-tv/kodi-17.3 (udisks ? sys-fs/udisks:0) |
| 61 |
sys-fs/udisks-glue-1.3.5 (>=sys-fs/udisks-1.0.4-r5:0) |
| 62 |
|
| 63 |
|
| 64 |
Take 'sysprof' for example. Sure I can remove it as nothing is dependent |
| 65 |
on it, but installing it does require polkit. So can you explicitly |
| 66 |
educate me on polkit, and some strategies to minimize any attack |
| 67 |
surfaces it may open? |
| 68 |
|
| 69 |
Reading and keyword searches so I can self-educate on such issues? |
| 70 |
|
| 71 |
So how do we (systematically) minimize or 'partition' such complex |
| 72 |
software stacks or follow alternate security strategies? |
| 73 |
|
| 74 |
Then, what is the set of pen_tools we need to run against our networks |
| 75 |
to see that it is indeed 'hardened' ? (workstation only atm, but |
| 76 |
small self-managed, static IP network in followup). |
| 77 |
|
| 78 |
'Tails' revisited might be a solution, or at least a starting point, |
| 79 |
as wikipedia has this to say:: |
| 80 |
|
| 81 |
"Tails[1] was first released on 23 June 2009. It is the next iteration |
| 82 |
of development on Incognito, a Gentoo-based Linux distribution. " |
| 83 |
|
| 84 |
|
| 85 |
You know our current hardened leader, blueness, had a very interesting |
| 86 |
approach to quick hardened installs [2]. 'Tinhat' was a secure gentoo |
| 87 |
that ran completely 'in-ram' but is being scrubbed out of existence. |
| 88 |
|
| 89 |
Or a gentoo centric Whonix [3]? Or a stage-4 [4]? |
| 90 |
A common minimized and secure and minimized install for a gentoo |
| 91 |
(amd64), would be welcomed by many, rather than a thousand adhoc |
| 92 |
threads, imho. |
| 93 |
|
| 94 |
curiously, |
| 95 |
James |
| 96 |
|
| 97 |
|
| 98 |
[1] https://en.wikipedia.org/wiki/Tails_%28operating_system%29 |
| 99 |
|
| 100 |
[2] http://releases.freeharbor.net/ |
| 101 |
|
| 102 |
https://wiki.gentoo.org/wiki/Project:Hardened_musl/Bluedragon |
| 103 |
|
| 104 |
[3] https://www.whonix.org/wiki/HardenedGentooTG |
| 105 |
|
| 106 |
https://www.deepdotweb.com/2014/06/13/simple-whonix-installation-tutorial/ |
| 107 |
|
| 108 |
|
| 109 |
[4] |
| 110 |
https://blogs.gentoo.org/gsoc2016-native-clang/2016/07/24/a-new-gentoo-stage4-musl-clang/ |
Archives