GNU bug report logs - #43770
Geeks think securely: VM per Package (trustless state to devs and their apps)

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 43770 in the body.
You can then email your comments to 43770 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: bo0od <bo0od <at> riseup.net>
To: bug-guix <at> gnu.org
Subject: Geeks think securely: VM per Package (trustless state to devs and
 their apps)
Date: Fri, 2 Oct 2020 18:01:18 +0000

Hi There,

If we look at current state of packages running inside GNU distros they 
are in very insecure shape which is either they are installed without 
sandboxing because the distro doesnt even provide that or no profiles 
exist for the sandboxing feature and has issues e.g:

- Sandboxing can be made through MAC (apparmor,selinux) or Using 
Namespaces (firejail,bubblewrap) But the problem with using these 
features it needs a defined/preconfigured profile for each package in 
order to use them thus making almost impossible case to be applied on 
every package in real bases. (unless a policy which saying no package is 
allowed without coming with its own MAC profile, but thats as well has 
another issue when using third party packages...)

- Containers are like OS, and to use it within another OS is like OS in 
OS i find it crazy and not just that the way that the package gets 
upgraded is not reliable to be secure so this wont solve our issue as well.

To solve this mess, is to use virtualization method and to make that 
happen is to put each package in a VM by itself means the package gonna 
use the system resources without being able maliciously gain 
anything.This provide less trust to developers and their code running 
within the system.

one of the greatest design made in our time towards security is 
GNU/Linux Qubes OS, it uses OS per VM and has VM to VM 
communication...etc i highly recommend reading their design to take some 
ideas from it:

https://www.qubes-os.org/doc/

Useful refer:

https://wiki.debian.org/UntrustedDebs
https://blog.invisiblethings.org/papers/2015/state_harmful.pdf

ThX!

Message #8 received at 43770 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: bo0od <bo0od <at> riseup.net>
Cc: 43770 <at> debbugs.gnu.org
Subject: Re: bug#43770: Geeks think securely: VM per Package (trustless
 state to devs and their apps)
Date: Fri, 02 Oct 2020 21:44:58 +0200

Hi,

this does not look like an actionable bug report.  What is it exactly
that ought to be done in your opinion?

-- 
Ricardo

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: raingloom <raingloom <at> riseup.net>
To: bug-guix <at> gnu.org
Subject: Re: bug#43770: Geeks think securely: VM per Package (trustless
 state to devs and their apps)
Date: Fri, 2 Oct 2020 21:45:14 +0200

On Fri, 2 Oct 2020 18:01:18 +0000
bo0od <bo0od <at> riseup.net> wrote:

> Hi There,
> 
> If we look at current state of packages running inside GNU distros
> they are in very insecure shape which is either they are installed
> without sandboxing because the distro doesnt even provide that or no
> profiles exist for the sandboxing feature and has issues e.g:
> 
> - Sandboxing can be made through MAC (apparmor,selinux) or Using 
> Namespaces (firejail,bubblewrap) But the problem with using these 
> features it needs a defined/preconfigured profile for each package in 
> order to use them thus making almost impossible case to be applied on 
> every package in real bases. (unless a policy which saying no package
> is allowed without coming with its own MAC profile, but thats as well
> has another issue when using third party packages...)
> 
> - Containers are like OS, and to use it within another OS is like OS
> in OS i find it crazy and not just that the way that the package gets 
> upgraded is not reliable to be secure so this wont solve our issue as
> well.
> 
> To solve this mess, is to use virtualization method and to make that 
> happen is to put each package in a VM by itself means the package
> gonna use the system resources without being able maliciously gain 
> anything.This provide less trust to developers and their code running 
> within the system.
> 
> one of the greatest design made in our time towards security is 
> GNU/Linux Qubes OS, it uses OS per VM and has VM to VM 
> communication...etc i highly recommend reading their design to take
> some ideas from it:
> 
> https://www.qubes-os.org/doc/

There is an even more relevant project being developed in NixOS, but I
can't remember its name off the top of my head.

My 2 cents is that I'd rather have the option to use packages that are
closer to Alpine than having to pay the performance penalty of Qubes.
Fewer lines of code => fewer bugs => fewer security holes.

> Useful refer:
> 
> https://wiki.debian.org/UntrustedDebs
> https://blog.invisiblethings.org/papers/2015/state_harmful.pdf
> 
> ThX!
> 
> 
> 

Message #14 received at 43770 <at> debbugs.gnu.org (full text, mbox):

From: bo0od <bo0od <at> riseup.net>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 43770 <at> debbugs.gnu.org
Subject: Re: bug#43770: Geeks think securely: VM per Package (trustless state
 to devs and their apps)
Date: Fri, 2 Oct 2020 22:18:24 +0000

Hey,

Actually what i wanted to say but seems i missed it, This security 
design can be engineered and implemented when Guixsd released based on 
GNU-Hurd Kernel. Because its going to be totally new kernel and having 
this feature is without question the best security feature for the 
future of security within operating systems.

Otherwise we gonna fall into the same cycle of trust to outside package 
developers and their codes without preventive mechanism against if its 
malicious one.

If you mean the bug report is not the place for this request, then i 
dont know where because i already discussed it in the IRC channel.(if 
there is somewhere else i can report this just tell me)

ThX!

Ricardo Wurmus:
> 
> Hi,
> 
> this does not look like an actionable bug report.  What is it exactly
> that ought to be done in your opinion?
> 

Message #19 received at 43770-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: bo0od <bo0od <at> riseup.net>
Cc: Ricardo Wurmus <rekado <at> elephly.net>, 43770-done <at> debbugs.gnu.org
Subject: Re: bug#43770: Geeks think securely: VM per Package (trustless
 state to devs and their apps)
Date: Mon, 05 Oct 2020 16:00:55 +0200

Hi,

bo0od <bo0od <at> riseup.net> skribis:

> Actually what i wanted to say but seems i missed it, This security
> design can be engineered and implemented when Guixsd released based on 
> GNU-Hurd Kernel. Because its going to be totally new kernel and having
> this feature is without question the best security feature for the 
> future of security within operating systems.
>
> Otherwise we gonna fall into the same cycle of trust to outside
> package developers and their codes without preventive mechanism
> against if its malicious one.
>
> If you mean the bug report is not the place for this request, then i
> dont know where because i already discussed it in the IRC channel.(if 
> there is somewhere else i can report this just tell me)

It’s great to share your views of what you think should be done from a
security standpoint.  There’s little more we contributors can say other
than: yes, we agree, we’re working in this direction, and it’s going to
be a long journey.

What could help though is if people like you come and join us on that
journey.  I very much encourage you to play with Guix System and in
particular with the “childhurd” service that has recently landed and
should be of interest to you.

For now I’m closing the bug because as Ricardo wrote, it’s not a bug
report per se.

Thank you,
Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.