On 07/07/17 03:53, Martin Vaeth wrote:
> R0b0t1 <r03...@gmail.com> wrote:
>> On Thu, Jul 6, 2017 at 1:33 AM, Martin Vaeth <mar...@mvath.de> wrote:
>>> Peter Humphrey <pe...@prh.myzen.co.uk> wrote:
>>>> On Tuesday 04 Jul 2017 10:14:23 Martin Vaeth wrote:
>>>>>
>>>>> With modern browsers and their complexity, you can expect that any
>>>>> website (or the one who has hacked it) can do anything which the
>>>>> user of that browser can do if he is sitting on your seat.
>>>>
>>>> Have you seen any reports of that kind of thing?
>>>
>>> Are you joking? Every CVE of the browser (or of any of its dependencies)
>>> which eventually allows an "execution of arbitrary code" exploit is
>>> such an example.
>>>
>>>> but I'd expect Linux to be less vulnerable.
>>>
>>> This has nothing to do with linux. It is the complexity of the
>>> browser which is the problem.
>>
>> To be fair it is a bit more circuitous on Linux than it is on Windows.
>> [...] you can't directly cause another process to start executing
>> your code directly [...] On Windows there exists CreateRemoteThread.
> 
> If you get your browser to do what you wish (e.g. calling
> CreateRemoteThread on windows) you can usually let it directly execute
> what you wish, anyway.
> 
> So there is hardly a difference from the system.
> 
> I agree that the number of possible exploits for the former was slightly
> decreased if you had a correspondingly configured hardened kernel
> (and provided, of course, that you have no other gaping security holes
> like polkit, systemd, nepomuk/baloo, ... which all suffer from the
> same problem as browsers due to the fact that they provide every user
> access to a much too complex software stack.)

Hmmm. OK, so I avoid systemd and nepomuk (actually all of KDE) but
polkit?  I try and run a minimized DE environment, but on a workstation,
I'm constantly evaluating various codes, so how do I avoid polkit?

# equery d polkit
 * These packages depend on polkit:
app-emulation/libvirt-3.3.0 (policykit ? >=sys-auth/polkit-0.9)
dev-util/sysprof-3.22.2 (gtk ? sys-auth/polkit)
                        (systemd ? sys-auth/polkit)
gnome-base/gconf-3.2.6-r4 (policykit ? sys-auth/polkit)
gnome-base/gvfs-1.30.4 (policykit ? sys-auth/polkit)
lxde-base/lxsession-0.5.2 (sys-auth/polkit)
net-firewall/ufw-frontends-0.3.2-r5 (policykit ? sys-auth/polkit)
net-print/hplip-3.16.3 (policykit ? sys-auth/polkit)
sys-auth/consolekit-1.1.0-r1 (policykit ? >=sys-auth/polkit-0.110)
sys-block/gparted-0.27.0 (policykit ? sys-auth/polkit)
sys-fs/udisks-1.0.5-r1 (>=sys-auth/polkit-0.110)
sys-fs/udisks-2.6.5 (>=sys-auth/polkit-0.110)
skipper james # equery d udisks
 * These packages depend on udisks:
gnome-base/gvfs-1.30.4 (udisks ? >=sys-fs/udisks-1.97:2)
media-tv/kodi-17.3 (udisks ? sys-fs/udisks:0)
sys-fs/udisks-glue-1.3.5 (>=sys-fs/udisks-1.0.4-r5:0)


Take 'sysprof' for example. Sure I can remove it as nothing is dependent
on it, but installing it does require polkit. So can you explicitly
educate me on polkit, and some strategies to minimize any attack
surfaces it may open?

Reading and keyword searches so I can self-educate on such issues?

So how do we (systematically) minimize or 'partition' such complex
software stacks or follow alternate security strategies?

Then, what is the set of pen_tools we need to run against our networks
to see that it is indeed 'hardened' ? (workstation only atm, but
small self-managed, static IP network in followup).

'Tails' revisited might be a solution, or at least a starting point,
as wikipedia has this to say:

"Tails[1] was first released on 23 June 2009. It is the next iteration
of development on Incognito, a Gentoo-based Linux distribution. "


You know our current hardened leader, blueness, had a very interesting
approach to quick hardened installs [2]. 'Tinhat' was a secure gentoo
that ran completely 'in-ram' but is being scrubbed out of existence.

Or a gentoo centric Whonix [3]? Or a stage-4 [4]?
A common minimized and secure install for a gentoo
(amd64), would be welcomed by many, rather than a thousand ad hoc
threads, imho.

curiously,
James


[1] https://en.wikipedia.org/wiki/Tails_%28operating_system%29

[2] http://releases.freeharbor.net/
    https://wiki.gentoo.org/wiki/Project:Hardened_musl/Bluedragon

[3] https://www.whonix.org/wiki/HardenedGentooTG
    https://www.deepdotweb.com/2014/06/13/simple-whonix-installation-tutorial/

[4] https://blogs.gentoo.org/gsoc2016-native-clang/2016/07/24/a-new-gentoo-stage4-musl-clang/
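The `equery d polkit` listing in the post already contains the answer to "which of these pulls can I drop": most entries are USE-conditional (`policykit ? ...`, `gtk ? ...`), and only a few are hard dependencies. The script below, an added example that is neither James's nor Gentoo's own tooling, separates the two so the USE flags worth disabling and the packages that need replacing stand out. It assumes the `equery d` output format shown above (`category/pkg-version (flag ? atom)`, with indented continuation lines for further atoms) and embeds a constructed sample taken from the post's own lines; on a real box you would pipe `equery d polkit` into `classify_deps` instead.

```shell
#!/bin/sh
# Constructed sample: lines copied from the `equery d polkit` output in the post.
SAMPLE_EQUERY=' * These packages depend on polkit:
app-emulation/libvirt-3.3.0 (policykit ? >=sys-auth/polkit-0.9)
dev-util/sysprof-3.22.2 (gtk ? sys-auth/polkit)
                        (systemd ? sys-auth/polkit)
gnome-base/gconf-3.2.6-r4 (policykit ? sys-auth/polkit)
lxde-base/lxsession-0.5.2 (sys-auth/polkit)
sys-fs/udisks-2.6.5 (>=sys-auth/polkit-0.110)'

# classify_deps: read equery-style lines on stdin and print one record per atom:
#   "use  <package> <USE flag>"  for a dependency that only exists with that flag on
#   "hard <package>"             for an unconditional dependency
classify_deps() {
    awk '
    /^ \* /   { next }            # skip the "These packages depend on" header
    /^[^ (]/  { pkg = $1 }        # a line starting with a name opens a new package;
                                  # indented continuation lines keep the previous one
    {
        line = $0
        # every "(...)" group on the line is one dependency atom
        while (match(line, /\([^)]*\)/)) {
            grp  = substr(line, RSTART + 1, RLENGTH - 2)
            line = substr(line, RSTART + RLENGTH)
            i = index(grp, " ? ")               # "flag ? atom" marks a USE-conditional atom
            if (i > 0)
                print "use " pkg " " substr(grp, 1, i - 1)
            else
                print "hard " pkg
        }
    }'
}

# hard_deps: packages that pull the library in no matter how USE is set
hard_deps() {
    printf '%s\n' "$SAMPLE_EQUERY" | classify_deps | awk '$1 == "hard" { print $2 }' | sort -u
}

# use_flags: USE flags that, when disabled, remove the dependency for at least one package
use_flags() {
    printf '%s\n' "$SAMPLE_EQUERY" | classify_deps | awk '$1 == "use" { print $3 }' | sort -u
}

echo "USE flags that pull in polkit (candidates for USE=\"-flag\"):"
use_flags
echo "Packages with a hard polkit dependency (replace or remove):"
hard_deps
```

Disabling a flag from the first list (for example `USE="-policykit"` in `make.conf` or in `package.use`) and re-emerging the package removes that edge from the dependency graph; the packages in the second list keep polkit regardless, so reducing that surface means finding an alternative for them.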