DebConf9

Speakers
Torsten Werner
Schedule
Day DebConf day 3 (2009-07-26)
Room Lower talkroom
Start time 18:00
Duration 01:00
Info
ID 371
Event type lecture
Track DebConf
Language en
immunity: securing untrusted processes

execute your internet browser in a secure container

Debian ships several tools like sudo and some UI frontends to grant subprocesses more privileges, but as yet no tool to effectively reduce such privileges. The immunity tool provides a secure container that locks down any application that processes untrusted data, such as web browsers, their plugins and handler apps, and other multimedia apps. A ready-to-install Debian package is available as a proof of concept; it should work on any Debian or Ubuntu version or any other Debian derivative.

The talk will present the features of immunity, describe the implementation details and elaborate on future plans. The features of version 0.4 are:

  • switches to a shadow user named "immunity-$USER" with the home dir "/var/lib/immunity/$USER" to prevent any dangerous interprocess communication, debugging, signals, ...

  • switches to the group "immunity", which allows easy definition of filesystem ACLs and netfilter rules

  • empties the set of supplementary groups

  • works with a vanilla Linux kernel and does not need any external modules

  • does not need packages not available in Debian or other major distros

  • depends on features of the Linux kernel and won't work with other, non-Linux kernels

  • does not need SELinux or any other complex security framework

  • employs polyinstantiation of the filesystem

  • narrows the filesystem in the container

    o only parts of /etc, /dev, /usr, /var and other parts of the filesystem can be seen in the container

    o no /boot, /home, /media, /mnt, /root, /sbin, /sys, ...

    o /proc will be optional in the future; /proc/bus/usb has already been disabled

  • disables all suid and sgid binaries

  • reduces the number of device files to /dev/null and /dev/snd/* (ALSA)

  • locks down all capabilities; they can't be regained from user space

  • implemented in Python

  • transfers X authorization to the shadow user; optional feature in the future

  • employs the X11 security extension (no screenshotting, keyboard stealing, or copying and pasting); will be made optional in the future

  • porting to other Linux distributions should be easy
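As an added illustration (not code from the talk or the immunity package), the Python audit below checks a running process for the properties listed above: shadow user and home directory, empty supplementary groups, an all-zero capability bounding set in /proc/self/status, a /dev holding only null and snd, and no setuid/setgid files in the visible /usr/bin. The check names and the choice of /usr/bin as the sample tree are assumptions of this example.

```python
import os
import pwd
import stat


def parse_capbnd(status_text):
    """Return the capability bounding set mask from /proc/<pid>/status text.

    Locked-down capabilities that cannot be regained from user space show
    up as an all-zero CapBnd line.
    """
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapBnd line not found")


def find_setid_files(root):
    """List regular files under root that carry the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # unreadable entry: skip, the container hides most of /
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return hits


def audit(user, home, groups, capbnd, dev_entries, setid_files):
    """Map each lockdown property to True when the given process state satisfies it."""
    shadow = user.startswith("immunity-")
    expected_home = "/var/lib/immunity/" + user[len("immunity-"):] if shadow else None
    return {
        "shadow_user": shadow,
        "shadow_home": home == expected_home,
        "no_supplementary_groups": groups == [],   # setgroups([]) leaves getgroups() empty
        "capabilities_locked": capbnd == 0,
        "devices_minimal": all(d in ("null", "snd") for d in dev_entries),
        "no_setid_binaries": setid_files == [],
    }


def self_audit():
    """Run the audit against the calling process (intended to run inside the container)."""
    pw = pwd.getpwuid(os.getuid())
    with open("/proc/self/status") as fh:
        capbnd = parse_capbnd(fh.read())
    return audit(pw.pw_name, pw.pw_dir, os.getgroups(), capbnd,
                 os.listdir("/dev"), find_setid_files("/usr/bin"))


if __name__ == "__main__":
    for check, ok in self_audit().items():
        print("%-25s %s" % (check, "ok" if ok else "FAIL"))
```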