Quarantining an account from the Internet, or from all networking?
Bill Sconce
sconce at in-spec-inc.com
Tue Aug 17 14:31:38 EDT 2010
On 17 Aug 2010 08:43:35 -0400
kevin_d_clark at comcast.net (Kevin D. Clark) wrote:
> Suggestion: suppose you have setup your system with a uid that is
> protected by some iptables rules (call this UNTRUSTED), and furthermore
> also suppose that the binary that you really want to protect against
> is called "DOCREADER".
Exactly! You've got it! This much is already done. I just didn't put
details in the original post; I won't do *all* the details here either,
but here's a synopsis. (Like everything I write, it starts out as
only a few lines, but grows. Sorry; I hope you find it's worth it.)
_____________
Over the past couple of years, I've been, gradually, developing my
personal machine as a kind of feasibility proof that it's possible
to visit the Internet without submitting to Moglen's "spying, all
the time, for free".
http://www.isoc-ny.org/?p=1338
^ highly recommended
It's most of the way there. Essentially, the rubric is to provide
a Linux account for each of several classes of activity, e.g.,
o General browsing (no scripts, no Flash)
o Special browsing (e.g., each site where I post data [e.g.,
subscription sites], or single-site browsers [e.g.,
a single-purpose account to inspect charge-card history])
o Poisoned browsing
o Browsing where cookies are required
o Browsing where Javascript is required
o Browsing where [gack] Flash is required
[BTW, it's surprising how much of the Internet works just
fine without having to turn on any of the poisoned stuff.]
o PDF viewing (to be implemented; the reason for this thread)
o Mail-client quarantining (to be implemented)
o and more
Each of the browsing classes above is handled by running it
under a discrete Linux account(*). Each such account is nonprivileged
(duh!) and the standard Linux permissions mechanisms are indispensable
in preventing, say, your browser account from knowing anything about
your e-mail account. I've set up each browsing account to typically
run on a specific X desktop(*), to help me remember where things are,
and to enable having more than one kind of browsing go on at a time.
I often have three or four kinds of browsing going on.
For the poisonous accounts: once you allow Javascript to run
you pretty much have to assume that you've run arbitrary/malicious
binary code from the 'net. You should assume that "you" has done the
worst things that the current account has permissions to do. Writing
cookies, "resurrecting" zombie cookies, writing Flash cookies,
writing and reading arbitrary files to and from disk (oh, wait,
I already mentioned Flash cookies), doing whatever else Flash
does (no one knows!). Even doing installs, etc. OK, accept it:
any place on your machine that was writable by "you" while "you"
was browsing must now be treated as poisoned.
After any poisonous account has been used I erase its home
directory; a clean home directory is reloaded for the next use.
Each poisonous account can write stuff to the disk (Flash will
certainly do so), but I can make it go away, and prove that
it's gone away. And sleep at night. It's my computer(*).
All of that's working and has been working for some time. (Although
of course it was something of a pain to get it working. :) It was only
a question of pulling together tools that are already there(*).
But it's certainly not a technique which helps anyone else (yet?);
this is just a feasibility proof(**). Nor is it a technique for
grandma's use case. Ever. :(
My original post in this thread came from observing that programs
*other than browsers* can be, and are, designed to phone home.
Adobe Reader(tm), for instance. But not just Adobe, nor just
proprietary blobs. Any program whose source code you don't see,
especially any program which offers "services" such as displaying
hyperlinks. But any program can be exploitable, whether or not it's
complicit by design in spying. To put it another way, I'd like
for any program I run to be subject to proof by me that it hasn't
been able to spy.
For instance, thinking beyond PDF readers, my e-mail client. It
displays hyperlinks. It offers to display HTML. (HTML is turned off,
of course, but it bothers me that an e-mail client contains code
which knows anything about HTML.) It would be nice if the account in
which my e-mail client runs were restricted so that it could open
sockets only to my POP/IMAP provider. That's a more exquisite
granularity than I was asking for (the ability to drop all packets).
Sounds good - a bonus! Thanks, guys.
Stay tuned for the paper. :)
In_2013_or_so'ly yrs,
Bill
__________________________________________________________
(*) Sorry, Windows users. The tools you need just aren't
available on Windows.
(**) "Feasibility proof".
Few computer owners are likely to want to go to this much
trouble. Heck, *I* don't want to go to this much trouble.
But I'm damned if I have to accept "Javascript is
required for a rich experience". It isn't.
I'm damned if I have to accept "only click on links
you trust".
I'm damned if I have to give up a little freedom for
a little convenience.
I'm a curmudgeon, OK. But there's more. My personal laptop has
to perform a number of functions, not just "my" browsing. Among
other things, my laptop has access to client data, some of
which are sensitive, some of which are protected by Federal law.
In any case, some data on my machine belong to others, and I'm
responsible for them. Those data are protected on disk by strong
encryption (of course!), but when those partitions have been
opened and made readable (by "me") I mustn't run a browser
(or any program!):
o which is capable of running arbitrary/unknown code
(always the case for a browser! Also a PDF viewer, or...)
o running as "me"
o or running as any user having read permissions to that data.
(The same goes for data of lesser sensitivity. For instance,
I don't want unknown code reading my e-mail, or siphoning my
address book -- not that anyone would do *that*...)
It should be IMPOSSIBLE for ANY browser to read data which
"me" has accepted responsibility for.
It should be not just improbable, but IMPOSSIBLE, for "me"
to leak confidential information back to the Web. (I should
say: I need to be able to DEMONSTRATE that it's impossible
to leak confidential data to the Web--even if I've been tricked
into running the most poisonous binary code imaginable. With
Javascript you never know/you can't know; the best anyone can
do is argue over levels of improbability, and keep patching.)
Because I run Linux I can indeed demonstrate that(*), even if
it has proven to be a little trouble.
So I guess this hasn't been just a feasibility proof. It's
what anyone *must* do who needs to tell clients "I accept
my responsibility for your data".
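The two controls the post describes, per-uid iptables rules (Kevin's UNTRUSTED account that can send no packets, or an e-mail account allowed to reach only its POP/IMAP provider) and a "poisoned" home directory that is erased and reloaded from a clean copy after each use, as an added example that is not code from Bill's post or from the gnhlug list. The account names, the template directory and the address 192.0.2.10 in the usage note are assumed placeholders; the rules are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example; not code from Bill's post or from the gnhlug list. It sketches
# the two controls described above: per-uid egress rules built on iptables'
# owner match (drop everything, or permit only the POP/IMAP provider), and a
# home directory that is wiped and reloaded from a clean template after each
# use of a "poisoned" account. Account names, template paths and the address
# 192.0.2.10 used in the usage note are assumed placeholders.
#
# Rules are only printed unless APPLY=1 is set and the script runs as root.

emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# quarantine_rules USER
# Drop every packet the account originates. The owner match is valid only in
# the OUTPUT chain (the owning uid is known for locally generated packets),
# which is exactly the traffic this rule is meant to stop.
quarantine_rules() {
    emit iptables -A OUTPUT -m owner --uid-owner "$1" -j DROP
}

# restrict_rules USER HOST:PORT [HOST:PORT ...]
# Permit TCP from the account to the listed endpoints and drop everything
# else it sends. Replies come in on INPUT, which the owner match does not
# inspect, so no companion rule is needed for them.
restrict_rules() {
    user="$1"; shift
    for endpoint in "$@"; do
        host="${endpoint%:*}"; port="${endpoint##*:}"
        emit iptables -A OUTPUT -m owner --uid-owner "$user" \
            -p tcp -d "$host" --dport "$port" -j ACCEPT
    done
    emit iptables -A OUTPUT -m owner --uid-owner "$user" -j DROP
}

# reset_home HOME TEMPLATE
# Erase everything in HOME, dotfiles included, and reload it from TEMPLATE.
# Refuses obviously wrong targets so a typo cannot become "rm -rf /". When run
# as root, cp -a keeps the template's ownership, so the template should already
# be owned by the account.
reset_home() {
    home="$1"; template="$2"
    case "$home" in
        ""|/|/home|/root) echo "refusing to wipe '$home'" >&2; return 1 ;;
    esac
    [ -d "$home" ] && [ -d "$template" ] || return 1
    find "$home" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
    cp -a "$template"/. "$home"/
}

# verify_home HOME TEMPLATE
# Succeeds only when HOME is identical to TEMPLATE: the proof that whatever
# the poisoned session wrote (Flash cookies and all) is gone.
verify_home() {
    diff -rq "$2" "$1" >/dev/null
}
```

Usage: `quarantine_rules untrusted` prints the single DROP rule; `restrict_rules mail 192.0.2.10:993` prints an ACCEPT for the provider followed by the catch-all DROP, and either installs them when run as root with APPLY=1. After a browsing session, `reset_home /home/poisoned /srv/templates/poisoned && verify_home /home/poisoned /srv/templates/poisoned` wipes the account and confirms, by a full directory comparison, that nothing it wrote survived. One caveat for the e-mail account: if the client reaches the provider by hostname it also needs a rule permitting its DNS resolver (or a static /etc/hosts entry), otherwise the lookup itself is dropped.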