On 07/07/17 03:53, Martin Vaeth wrote:
> R0b0t1 <r030t1@×××××.com> wrote:
>> On Thu, Jul 6, 2017 at 1:33 AM, Martin Vaeth <martin@×××××.de> wrote:
>>> Peter Humphrey <peter@××××××××××××.uk> wrote:
>>>> On Tuesday 04 Jul 2017 10:14:23 Martin Vaeth wrote:
>>>>>
>>>>> With modern browsers and their complexity, you can expect that any
>>>>> website (or the one who has hacked it) can do anything which the
>>>>> user of that browser can do if he is sitting on your seat.
>>>>
>>>> Have you seen any reports of that kind of thing?
>>>
>>> Are you joking? Every CVE of the browser (or of any of its dependencies)
>>> which eventually allows an "execution of arbitrary code" exploit is
>>> such an example.
>>>
>>>> but I'd expect Linux to be less vulnerable.
>>>
>>> This has nothing to do with Linux. It is the complexity of the
>>> browser which is the problem.
>>
>> To be fair it is a bit more circuitous on Linux than it is on Windows.
>> [...] you can't directly cause another process to start executing
>> your code directly [...] On Windows there exists CreateRemoteThread.
>
> If you get your browser to do what you wish (e.g. calling
> CreateRemoteThread on Windows) you can usually let it directly execute
> what you wish, anyway.
>
> So there is hardly a difference from the system.
>
> I agree that the number of possible exploits for the former was slightly
> decreased if you had a correspondingly configured hardened kernel
> (and provided, of course, that you have no other gaping security holes
> like polkit, systemd, nepomuk/baloo, ... which all suffer from the
> same problem as browsers due to the fact that they provide every user
> access to a much too complex software stack.)

Hmmm. OK, so I avoid systemd and nepomuk (actually all of KDE) but
polkit? I try and run a minimized DE environment, but on a workstation,
I'm constantly evaluating various codes, so how do I avoid polkit?

# equery d polkit
 * These packages depend on polkit:
app-emulation/libvirt-3.3.0 (policykit ? >=sys-auth/polkit-0.9)
dev-util/sysprof-3.22.2 (gtk ? sys-auth/polkit)
(systemd ? sys-auth/polkit)
gnome-base/gconf-3.2.6-r4 (policykit ? sys-auth/polkit)
gnome-base/gvfs-1.30.4 (policykit ? sys-auth/polkit)
lxde-base/lxsession-0.5.2 (sys-auth/polkit)
net-firewall/ufw-frontends-0.3.2-r5 (policykit ? sys-auth/polkit)
net-print/hplip-3.16.3 (policykit ? sys-auth/polkit)
sys-auth/consolekit-1.1.0-r1 (policykit ? >=sys-auth/polkit-0.110)
sys-block/gparted-0.27.0 (policykit ? sys-auth/polkit)
sys-fs/udisks-1.0.5-r1 (>=sys-auth/polkit-0.110)
sys-fs/udisks-2.6.5 (>=sys-auth/polkit-0.110)
skipper james # equery d udisks
 * These packages depend on udisks:
gnome-base/gvfs-1.30.4 (udisks ? >=sys-fs/udisks-1.97:2)
media-tv/kodi-17.3 (udisks ? sys-fs/udisks:0)
sys-fs/udisks-glue-1.3.5 (>=sys-fs/udisks-1.0.4-r5:0)


Take 'sysprof' for example. Sure I can remove it as nothing is dependent
on it, but installing it does require polkit. So can you explicitly
educate me on polkit, and some strategies to minimize any attack
surfaces it may open?

Reading and keyword searches so I can self-educate on such issues?

So how do we (systematically) minimize or 'partition' such complex
software stacks or follow alternate security strategies?

Then, what is the set of pen_tools we need to run against our networks
to see that it is indeed 'hardened'? (workstation only atm, but
small self-managed, static IP network in followup).

'Tails' revisited might be a solution, or at least a starting point,
as Wikipedia has this to say:

"Tails[1] was first released on 23 June 2009. It is the next iteration
of development on Incognito, a Gentoo-based Linux distribution."


You know our current hardened leader, blueness, had a very interesting
approach to quick hardened installs [2]. 'Tinhat' was a secure Gentoo
that ran completely 'in-ram' but is being scrubbed out of existence.

Or a Gentoo-centric Whonix [3]? Or a stage-4 [4]?
A common minimized and secure install for a Gentoo
(amd64), would be welcomed by many, rather than a thousand ad hoc
threads, imho.

curiously,
James


[1] https://en.wikipedia.org/wiki/Tails_%28operating_system%29

[2] http://releases.freeharbor.net/

https://wiki.gentoo.org/wiki/Project:Hardened_musl/Bluedragon

[3] https://www.whonix.org/wiki/HardenedGentooTG

https://www.deepdotweb.com/2014/06/13/simple-whonix-installation-tutorial/


[4]
https://blogs.gentoo.org/gsoc2016-native-clang/2016/07/24/a-new-gentoo-stage4-musl-clang/
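An added example, not part of this thread, that turns the equery d polkit listing above into an answer to the "how do I avoid polkit" question: it parses the listing and separates packages that pull polkit unconditionally from those that pull it only through a USE flag, so one can see what a USE=-policykit change would actually remove. The listing is embedded as constructed input copied from the message, and the line layout the parser assumes (one "package (flag ? atom)" per line, extra conditions on continuation lines) is taken from that output.

```python
"""Split the reverse dependencies listed by `equery d` into packages that pull
the dependency unconditionally and those that do so only under a USE flag."""
import re

# Constructed input: the `equery d polkit` listing quoted in the message
# (added example; the parsing rules below assume this layout).
EQUERY_OUTPUT = """\
app-emulation/libvirt-3.3.0 (policykit ? >=sys-auth/polkit-0.9)
dev-util/sysprof-3.22.2 (gtk ? sys-auth/polkit)
                        (systemd ? sys-auth/polkit)
gnome-base/gconf-3.2.6-r4 (policykit ? sys-auth/polkit)
gnome-base/gvfs-1.30.4 (policykit ? sys-auth/polkit)
lxde-base/lxsession-0.5.2 (sys-auth/polkit)
net-firewall/ufw-frontends-0.3.2-r5 (policykit ? sys-auth/polkit)
net-print/hplip-3.16.3 (policykit ? sys-auth/polkit)
sys-auth/consolekit-1.1.0-r1 (policykit ? >=sys-auth/polkit-0.110)
sys-block/gparted-0.27.0 (policykit ? sys-auth/polkit)
sys-fs/udisks-1.0.5-r1 (>=sys-auth/polkit-0.110)
sys-fs/udisks-2.6.5 (>=sys-auth/polkit-0.110)
"""

PKG_RE = re.compile(r"^(?P<pkg>[a-z0-9-]+/[A-Za-z0-9._+-]+)\s+(?P<conds>\(.*\))$")
# "(flag ? atom)" or plain "(atom)"; a negated "!flag" is kept verbatim.
COND_RE = re.compile(r"\((?:(?P<flag>!?[A-Za-z0-9_+-]+)\s+\?\s+)?[^)]+\)")

def parse_equery_d(text):
    """Map each reverse dependency to its USE flags; None means unconditional."""
    deps, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = PKG_RE.match(stripped)
        if m:                                        # new package line
            current = m.group("pkg")
            deps[current], conds = [], m.group("conds")
        elif current and stripped.startswith("("):  # continuation condition
            conds = stripped
        else:                                        # header, prompt or blank
            continue
        deps[current].extend(c.group("flag") for c in COND_RE.finditer(conds))
    return deps

def classify(deps):
    """(packages that always pull it, {package: flags} for USE-conditional ones)."""
    hard = sorted(p for p, f in deps.items() if None in f)
    return hard, {p: f for p, f in deps.items() if None not in f}

def pulls_without_flags(deps, disabled):
    """Packages still pulling the dependency once every flag in `disabled` is off."""
    return sorted(p for p, flags in deps.items()
                  if any(f is None or f not in disabled for f in flags))
```

On this listing, USE=-policykit alone releases seven of the eleven packages, while lxsession and both udisks slots need polkit regardless and sysprof keeps it via gtk or systemd.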