On Sun, Nov 23, 2014 at 02:41:10PM -0500, Jonathan Thornburg wrote:
> > I can see several possible forms of exploit-mitigation:
> > (a) use the noscript firefox extension to block javascript
> > (b) use capsicum to sandbox firefox and any plugin processes
> > (c) run firefox in a chroot jail
> > (d) have firefox talk to an Xephyr(1) instance
> >     so it's semi-isolated from the main X server
> > (e) maybe have firefox go through an ssh tunnel to localhost
> > (f) run firefox as an unprivileged user _firefox, group _firefox, and
> >     use Unix file permissions to deny that user access to $HOME/

Well, another way could be to use Qubes OS as a "hypervisor" (yeah, x86
virtualization) and run OpenBSD as VMs. Although OpenBSD is not
paravirtualized for Xen, Qubes OS supports Windows, and they just need
to support the vmchannel inter-VM communication interface.

Qubes OS exploits this interface and wrote a lightweight GUI protocol
on top of that, and other lightweight communication messaging.

See https://wiki.qubes-os.org/

IIUC even NetBSD doesn't have a vmchannel driver ready :(

j.
