immunity: securing untrusted processes

The talk will show the features of immunity, describe the implementation details and elaborate on future plans. The features of the version 0.4 are:

• switching to a shadow user with the name "immunity-$USER" and the home dir "/var/lib/immunity/$USER" to avoid any dangerous interprocess communication, debugging, signals, ...

• switching to group "immunity" that allows easy definition of filesystem ACLs and netfilter rules

• empty the set of supplementary groups

• works with a vanilla Linux kernel and does not need any external modules

• does not need packages not available in Debian or other major distros

• depends on features of the Linux kernel and won't work with other non Linux kernels

• does not need SELinux or any other complex security framework

• employs polyinstantiation of the filesystem

• narrows the filesystem in the container

  o only parts of /etc, /dev, /usr, /var and other parts of the filesystem can be seen in the container

  o no /boot, /home, /media, /mnt, /root, /sbin, /sys, ...

  o /proc will be optional in the future; /proc/bus/usb has already been disabled

• disables all suid and sgid binaries

• reduces number of device files to /dev/null and /dev/snd/* (alsa)

• locks down all capabilities; they can't be regained from user space

• implemented in Python

• transfers X authorization to the shadow user; optional feature in the future

• employs the X11 security extension (no screenshotting, keyboard stealing, copying + pasting); will be made optional in the future

• porting to other Linux distributions should be easy