DebConf9
| Speakers |
|---|
| Torsten Werner |

| Schedule | |
|---|---|
| Day | DebConf day 3 (2009-07-26) |
| Room | Lower talkroom |
| Start time | 18:00 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 371 |
| Event type | lecture |
| Track | DebConf |
| Language | en |
immunity: securing untrusted processes
execute your internet browser in a secure container
Debian ships several tools like sudo, and some UI frontends for them, to obtain more privileges for subprocesses, but so far no tool that effectively reduces such privileges. The immunity tool provides a secure container to lock down any application that processes untrusted data: web browsers, their plugins and handler applications, and other multimedia apps. A ready-to-install Debian package is available as a proof of concept; it should work on any Debian or Ubuntu version or any other Debian derivative.
The talk will show the features of immunity, describe the implementation details and elaborate on future plans. The features of version 0.4 are:
- switches to a shadow user named "immunity-$USER" with the home directory "/var/lib/immunity/$USER", to rule out dangerous interprocess communication, debugging, signals, ...
- switches to the group "immunity", which makes it easy to define filesystem ACLs and netfilter rules
- empties the set of supplementary groups
- works with a vanilla Linux kernel and needs no external modules
- needs no packages that are unavailable in Debian or the other major distributions
- depends on features of the Linux kernel and will not work with non-Linux kernels
- does not need SELinux or any other complex security framework
- employs polyinstantiation of the filesystem
- narrows the filesystem in the container:
  - only parts of /etc, /dev, /usr, /var and a few other directories are visible in the container
  - no /boot, /home, /media, /mnt, /root, /sbin, /sys, ...
  - /proc will become optional in the future; /proc/bus/usb has already been disabled
- disables all suid and sgid binaries
- reduces the device files to /dev/null and /dev/snd/* (ALSA)
- locks down all capabilities; they cannot be regained from user space
- implemented in Python
- transfers X authorization to the shadow user; will become an optional feature in the future
- employs the X11 security extension (no screenshotting, keyboard stealing, or copying and pasting); will be made optional in the future
- porting to other Linux distributions should be easy
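As an added example (not the immunity project's own code), the privilege-reduction steps from the list above written as a Python launcher: the shadow-user scheme, the group "immunity" and the visible filesystem roots come from the abstract; the prctl constants, the lookup of the shadow account (assumed to exist already) and the requirement that the launcher starts as root are assumptions of this example.

```python
import ctypes, errno, grp, os, pwd, sys

PR_CAPBSET_DROP = 24       # prctl(2) options, Linux >= 2.6.26
PR_SET_SECUREBITS = 28
SECBITS_LOCKED = (1 << 0) | (1 << 1) | (1 << 5)  # NOROOT | NOROOT_LOCKED | KEEP_CAPS_LOCKED

# Filesystem roots that remain (partly) visible inside the container, per the abstract.
VISIBLE = ("/etc", "/dev", "/usr", "/var")


def shadow_identity(user):
    """Shadow account and home directory the abstract assigns to a real user."""
    return "immunity-" + user, "/var/lib/immunity/" + user


def visible_in_container(path):
    """True if the normalised path lies under one of the whitelisted roots."""
    p = os.path.normpath(path)
    return any(p == root or p.startswith(root + "/") for root in VISIBLE)


def lock_down(user):
    """Irreversibly become the shadow user with no capabilities. Must run as root."""
    shadow, home = shadow_identity(user)
    uid = pwd.getpwnam(shadow).pw_uid               # assumed: account created at install time
    gid = grp.getgrnam("immunity").gr_gid           # group used for ACLs and netfilter rules
    libc = ctypes.CDLL(None, use_errno=True)
    # 1. Empty the capability bounding set: a capability outside it can never be
    #    regained by executing a setuid or file-capability binary.
    for cap in range(64):
        if libc.prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0:
            if ctypes.get_errno() == errno.EINVAL:   # past the kernel's last capability
                break
            raise OSError(ctypes.get_errno(), "PR_CAPBSET_DROP %d" % cap)
    # 2. Lock securebits so setuid-root binaries grant nothing and KEEP_CAPS stays off.
    if libc.prctl(PR_SET_SECUREBITS, SECBITS_LOCKED, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECUREBITS")
    # 3. Supplementary groups first, then gid, then uid; once uid is non-root, setgid fails.
    os.setgroups([])
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    if os.getresuid() != (uid,) * 3 or os.getresgid() != (gid,) * 3:
        raise RuntimeError("privilege drop incomplete")
    os.environ.update(HOME=home, USER=shadow, LOGNAME=shadow)
    os.chdir(home)


if __name__ == "__main__":
    # Usage (as root, e.g. via sudo): python3 launcher.py alice /usr/bin/firefox
    lock_down(sys.argv[1])
    os.execvp(sys.argv[2], sys.argv[2:])
```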