Playing in the Sandbox
Improve Security and Privacy with Userspace Compartmentation
Toby Betts
SeaGL, 2019-11-16
Disclaimer
- This presentation is for educational purposes only and does not contain any professional advice or recommendations and is not endorsed by SeaGL
- Use at your own risk, yes this means you
- Your actual mileage may vary
- Make verified backups before implementing any system or workflow changes
Difficulty Level
Technical: 2/5 multitools: you should be comfortable administering your own box; chmod should not scare you
Difficulty Level
Paranoia: 3/5 tin foil cats: some Big Brother conspiracy paranoia, negligible Illuminati mentions
https://twitter.com/OphirHarpaz/status/1083701070126301184
https://twitter.com/jeanqasaur/status/1082367319957880832
https://twitter.com/k8em0/status/1083242702865498112
https://twitter.com/briankrebs/status/1094081981103583234
Problem Statement
- Adware and trackers monitor your online activities
- Cookies can both track and manipulate behavior
- Different sites can share your data with each other to identify you
We need a way to:
- Maintain a clean browser state
- Split browsing activities into separate logical groups
Goals
- Avoid leaking data between websites or browsing sessions
- Limit data collection from cookies, ad networks, & trackers
- Every site should only see activity and history pertinent to itself
- Assume data breaches will happen, plan to limit scope of impact
In other words we want this:
Outside of Scope:
- Hiding your IP address (use Tor)
- Hiding your activities from the NSA
- Hiding your activities from your employer and/or spouse
Incognito Mode
It's the last word in online safety! ...Right?
Incognito Mode
https://www.fastcompany.com/90311396/incognito-mode-wont-keep-you-private-try-browser-compartmentalization
https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8
@thegrugq says:
- High value targets should be separated and kept clear of low value targets
- E-mail accounts should not be used for anything other than their purpose and kept separate from your personal account
- Proper compartmentation limits damage of any one compromise
- Without proper compartmentation attackers leverage information from one compromised account to access another related account
- At a bare minimum — keep your business and personal life (and accounts) separate
This means:
- Don't use the same browser for your bank and your MMORPG
- Don't reuse passwords
- Don't reuse usernames
- Don't reuse e-mail addresses
Use a Password Manager
https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/
Lots of good choices, some support 2FA / extensibility plugins
Gmail Address Extensions
Allows one Gmail account to accept messages for multiple unique addresses
name@gmail.com can expand to:
- name+alaskaairlines@gmail.com
- name+reddit@gmail.com
- name+8675309+paypal@gmail.com (secret token obfuscates phishing)
Feature added to Postfix v2.11 in 2014
https://gizmodo.com/how-to-use-the-infinite-number-of-email-addresses-gmail-1609458192
Securing the Browser
Q: How do you secure software you didn't write?
A: The same way you secure everything else.
Securing the Browser Container
Containers:
- Are NOT just Docker images
- Are a general term for methods of providing resource isolation
- Come in many shapes and sizes: can describe a chroot, a jail, a VM, or something else entirely
- Put one or more processes into a unique environment with its own rules
- Ultimate guide to FreeBSD jails: https://www.tiltedwindmillpress.com/product/fmjail
Securing the Container, TL;DR Version
Linux containers make extensive use of two related technologies:
- Namespaces
- Control groups
TL;DR: Namespaces give a process a private view of the environment and dictate what the process sees on its host machine, cgroups restrict what that process can do within that environment
Namespace: "Our hotel only has a lobby, an elevator, and the 6th floor."
cgroups: "You can only use the elevator between 8 AM and 11 PM and you can't order room service."
Losing Privileges
seccomp(2) and pledge(2) are two mechanisms developers can use to restrict what a process can do: the program explicitly declares the resources it expects to use and asks the kernel to deny it access to everything else.
If the process later requests something it pledged not to need, the kernel kills it.
Securing the Browser System Calls
A developer has a number of process-restricting tools available:
- Linux: cgroups(7), namespaces(7), seccomp(2), user_namespaces(7)
- POSIX: chroot(2), getrlimit(2)
- OpenBSD: pledge(2), unveil(2)
All of these help isolate program resources in some way... but I'm not a developer!
Virtual Machines
- Multiple platforms: VMWare, VirtualBox, Hyper-V, bhyve...
- Emulates entire hardware stack in software
- Virtual processor, virtual memory, virtual storage, virtual network interface...
- Separate operating system, patch process
- Resource intensive, CPU emulating CPU, the machine is imagining itself
VMs define clear security boundaries, but with high overhead. What if I just want to read Slashdot and HN at the same time?
firejail
User-configurable Linux utility - https://firejail.wordpress.com
- Restricts the running environment of untrusted applications
- Gives every program a "jail-like" sandbox where it thinks it's PID 1
- Built with browsers in mind
- Quick start:
firejail /usr/bin/firefox
- Runs setuid (Be careful!)
- Allows complex namespace configurations to be user-defined
https://firejail.wordpress.com/
firejail (Example 1)
Create a new namespace for a program and disable network access for it:
firejail --net=none /path/to/program
The only network interface the program will see is its own dedicated lo0.
firejail (Incognito Mode *= 10)
Run Firefox in a completely new temporary directory:
firejail --private /usr/bin/firefox
This is incognito/private browsing mode on steroids.
Securing the Browser, DragonFly BSD-style
Matthew Dillon, DragonFly BSD founder, had had enough.
No, not this Matt Dillon.
https://marc.info/?l=dragonfly-users&m=143931438715045&w=2
Matthew Dillon says:
"What I have done is segregate my browser use into user accounts separate from my main account. I created three accounts (one for my 'secure' firefox use, such as accessing bank account, one for general 'unsecure' browsing, including most of my social media browsing, and one for my chrome instance which I use for other things."
—Matthew Dillon
First make sure your main account(s) are fully protected. For example:
chmod 700 /home/yourmainaccount
Create three new accounts (I used UIDs 30000, 30001, and 30002 and called them dfw1, dfw2, and dfw3). For each one of dfw1, dfw2, and dfw3 (using dfw1 as an example), set it up so you can ssh into it from your main account.
mkdir /home/dfw1
mkdir /home/dfw1/.ssh
cp ~/.ssh/id_rsa.pub \
/home/dfw1/.ssh/authorized_keys
chown -R dfw1 /home/dfw1
Then from your main account, do a
ssh dfw1@localhost -n ls -la
to test that you've set it up and it works. I'm assuming you are also:
- Running sshd on your system, and
- Set up the ssh-agent for your main account / X session so you don't need to enter your local ssh key unlocking password every time you use ssh
Now you can create scripts that run firefox and/or chrome in these accounts, separate from your main account.
#!/bin/csh
# script for ~/bin/firefox (assumes ~/bin is in your path)
scp ~/.Xauthority dfw1@localhost:
ssh dfw1@localhost -n "setenv DISPLAY :0.0; firefox"
You can then tie these scripts into your GUI as buttons or whatever. You can have a script for each compartment. I have a script for 'Sfirefox' (my 'secure' firefox), 'Ufirefox', and 'chrome'.
Thanks Matt!
- Matthew Dillon's method uses X11 and SSH
- It's platform-agnostic and works under Linux and BSD
- Gives the side-account full access to the X session
- Has very low overhead (uses X shared memory, not an SSH tunnel)
- Relies on the security boundaries that define user permissions in your OS
- PulseAudio needs network access (load-module module-native-protocol-tcp)
- And it's compatible with firejail
Securing the Browser, DragonFly BSD-style
ssh-keygen -t ed25519 -N '' -q -f ~/.ssh/firefox
sudo groupadd firefox
# sshd runs the remote command through the account's login shell, so it must be a real shell
sudo useradd --system --gid firefox --create-home \
--shell /bin/sh --home-dir /home/firefox firefox
sudo mkdir ~firefox/.ssh
sudo mv ~/.ssh/firefox.pub \
~firefox/.ssh/authorized_keys
# the account must be able to read its own authorized_keys
sudo chown -R firefox:firefox ~firefox/.ssh
sudo chmod 0700 ~firefox/.ssh
sudo chmod 0600 ~firefox/.ssh/authorized_keys
Run ~/bin/firefox.sh
#!/bin/sh
USER=firefox
KEY=~/.ssh/${USER}
IP=127.0.0.1
# copy the X cookie so the compartment can open the local display directly
scp -i ${KEY} -q ~/.Xauthority ${USER}@${IP}:
# one quoted remote command: every continued line needs a trailing backslash
ssh -i ${KEY} -l ${USER} ${IP} -X -n "DISPLAY=:0.0 \
dbus-launch --exit-with-session \
/usr/bin/firejail \
--private-home=.mozilla \
--profile=/etc/firejail/firefox.profile \
/usr/bin/firefox"
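An added audit script, not from the slides or Matt Dillon's post, for the permission preconditions this setup depends on: the chmod 700 on the main and compartment homes, and the 0700/0600 on the compartment's ~/.ssh files. The home paths in the usage line are assumptions.

```shell
# Added example (not from the slides): audit the permissions the compartment
# setup relies on. Every compartment home, and the main account's home, must
# be 0700 so no browser account can read another's profile; ~/.ssh and
# authorized_keys are held to the slides' 0700/0600 (stricter than sshd's
# StrictModes, which only rejects group/world-writable files).
# Usage: audit_compartments /home/main /home/firefox /home/dfw1

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Succeed when the group and other bits of the path's mode are both zero.
closed_to_others() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check one home directory; print one line per finding; return 1 on any.
audit_home() {
    home=$1; rc=0
    if [ ! -d "$home" ]; then
        echo "MISSING  $home"; return 1
    fi
    if closed_to_others "$home"; then
        echo "OK       $home ($(mode_of "$home"))"
    else
        echo "OPEN     $home ($(mode_of "$home")): chmod 700 $home"; rc=1
    fi
    # ssh files are optional (the main account has none) but must be closed.
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        if ! closed_to_others "$f"; then
            echo "OPEN     $f ($(mode_of "$f")): chmod go-rwx $f"; rc=1
        fi
    done
    return $rc
}

# Audit every home given on the command line; return 1 if any failed.
audit_compartments() {
    failed=0
    for h in "$@"; do audit_home "$h" || failed=1; done
    return $failed
}
```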
But What About Windows?
- Windows Sandbox
- Found in Windows 10 Pro/Enterprise build 18305 and up (1903 & newer)
- Creates lightweight OS instance using Hyper-V "hybrid" virtualization
- Not a full VM: reuses hardware, core system files
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
But What About Windows?
Sandboxie - https://www.sandboxie.com
- Historically not free and not open source, with a 30-day free trial
- Unrestricted version free to use as of Sept 2019, will transition to open source
- Runs apps in user-defined sandboxes
- Segregates new files & downloads, manual recovery
- Works well with portable browsers - https://portableapps.com
https://community.sophos.com/products/sandboxie/f/forum/115109/major-sandboxie-news-sandboxie-is-now-a-free-tool-with-plans-to-transition-it-to-an-open-source-tool
App Sandboxing...to the EXTREME!!eleven!
Qubes OS - https://www.qubes-os.org
- Linux distro built on top of Xen hypervisor
- Everything is put into a security domain
- AppVMs: Applications are isolated by domain, the app "is" the VM
- Desktop: a single GUI showing windows from separate VMs
https://www.qubes-os.org
Compartmentation Beyond Software
- 2015: Experian breach results in $22 million class action settlement
- 2017: Equifax breach impacts 143 million consumers
Buying things online is risky. Anonymizing money and financial transactions is hard.
https://creditliftoff.com/experian-data-breach-settlement-com/
https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
Use Gift Cards, Not Debit Cards
- Widely available, anonymous fiat currency
- Visa & American Express are good general purpose options
- Each card has low maximum value, minimizes damage
- Fair Credit Billing Act of 1974 helps, but only if you use it
In Conclusion
- Separate your high value and low value activities
- Limit the potential damage of a compromise with compartmentation
- Diversity makes lateral movement difficult or impossible for attackers
- Software can help but real compartmentation is an attitude