As you probably know already, I’m rather zealous in my belief that freedom of expression and privacy are fundamental rights, and they could only be guaranteed with technical safeguards.
Around the same time the Investigatory Powers Act (without opposition from New Labour) granted 40-odd public authorities access to most people’s Web browsing histories, Tory politicians took it upon themselves to submit a bill (also unopposed) to ban online pornographic videos that contain anything that wouldn’t be allowed on a commercial DVD. Meanwhile in the United States, The Powers That Be have given themselves a mandate, in the form of what’s referred to as ‘Rule 41’, to maliciously hack any computer on a Tor circuit.
Given the mainstream media’s campaign against alternative media ‘fake news’ and the associations made between non-mainstream opinion and the ‘far right’, I wonder if tomorrow would see the banning of non-mainstream ideas, and maybe our browsing histories being made available to private sector organisations.
Obviously the solutions must be open source, they must be resilient against adversaries with advanced resources and their designs beyond the control of The Powers That Be. Subgraph OS provides us with an operating system security model needed for the current age, in one installation. As well as being a Linux distribution, I like to think of Subgraph OS as a template or pattern that other Linux installations can be configured to emulate with a little work. This is what I’ve done with my own Linux system over the years.
The first security measure is sandboxing of processes, using Linux namespaces to segregate resource usage. Conventionally a Linux system has a root process, and a single process tree that grows the more programs are running on the system. Linux Namespaces provides a way to logically isolate processes and process trees, so that each uses a separate instance of whatever system resources it needs. Since Linux Namespaces has been a native part of the kernel for a while, anyone could set this up on their own system.
As far as a compromised process is concerned, the first process inside the container is the root of its process tree, but root privileges there do not extend to resources outside the namespace, and the process cannot navigate beyond its virtual root directory; it shouldn’t, for example, be able to spawn a malicious process capable of installing rootkit components in the system directories. The namespace itself might be compromised, but the effects are confined to it.
Based on the older YAZ proxy, Metaproxy creates an independent Tor circuit for each application, and handles the session routing between the applications and Tor proxy.
What protection does this provide? Despite being referred to as an anonymising technology, Tor only masks the IP addresses of the source and destination; other layers of security are needed to strip identifying data from the payloads themselves.
I should point out there are other options (e.g. VPNs and I2P) to fall back on, for anyone who doesn’t trust Tor.
Although the containers and namespaces at the application layer are good for isolating compromised processes and containing the damage, ideally the first line of defence is to prevent exploits executing in the first place, at a low level.
PaX provides three low-level security measures. Fields are added to the ELF as it’s loaded into memory, so the stack can be marked non-executable and the executable section non-writeable; this effectively prevents the functionality of a running program being extended by malicious code. Address Space Layout Randomisation (ASLR) makes it much harder for an exploit creator to predict memory addresses, by assigning a different memory map whenever a process is spawned from an executable file.
Modern operating systems already have similar native components, and existing kernels can be upgraded with versions incorporating the PaX extensions.
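As an added example (not from the original post or from Subgraph), the following script checks the native equivalent of two of those PaX properties in a binary: it parses the ELF64 program headers to report whether the file asks for an executable stack (no PT_GNU_STACK entry, or one carrying PF_X) and whether any loadable segment is mapped both writable and executable. It inspects the mainline kernel’s PT_GNU_STACK marking rather than PaX’s own flag fields, and the two sample images are constructed in the script so it runs offline; pass a path to audit a real binary.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # segment that declares the stack permissions the loader should apply
PF_X, PF_W, PF_R = 1, 2, 4


def program_headers(data: bytes):
    """Parse a little-endian ELF64 program header table into (p_type, p_flags) pairs."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]          # offset of the program header table
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)  # entry size and entry count
    return [struct.unpack_from("<II", data, e_phoff + i * e_phentsize) for i in range(e_phnum)]


def stack_is_executable(data: bytes) -> bool:
    """Executable unless a PT_GNU_STACK entry exists and lacks PF_X (no entry means the legacy executable stack)."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return True


def writable_and_executable_segments(data: bytes):
    """Indexes of PT_LOAD segments mapped both writable and executable, i.e. violating W^X."""
    return [i for i, (t, f) in enumerate(program_headers(data))
            if t == PT_LOAD and (f & PF_W) and (f & PF_X)]


def audit(data: bytes) -> dict:
    return {"exec_stack": stack_is_executable(data),
            "wx_segments": writable_and_executable_segments(data)}


def build_sample_elf(segments):
    """Constructed minimal ELF64 image (header plus program headers only) used as offline sample input."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in segments)
    return header + body


# Constructed samples: a hardened layout, and a legacy one with an executable stack and a W+X segment.
HARDENED = build_sample_elf([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)])
LEGACY = build_sample_elf([(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(audit(fh.read()))
    else:
        print({"hardened": audit(HARDENED), "legacy": audit(LEGACY)})
```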
The full disk encryption included with Subgraph is based on the mature and open source dm-crypt. This is an effective defence against adversaries who gain physical access to the hardware while it’s switched off – for example, if it’s a laptop that’s stolen or mislaid. Mainstream distributions (Linux Mint and openSUSE, for instance) often offer this as an option during the installation process.
Storage volumes using dm-crypt can also be mounted on Windows systems using LibreCrypt Explorer, by the way, so that potentially allows for some portability.
One pretty essential layer of security that appears missing from Subgraph is payload/traffic anonymisation, but it should be possible to install Privoxy or Ghostery for this, and I strongly recommend doing so. During a typical browsing session, the payload of browser traffic contains identifying data, and the browser could potentially fetch malicious code from compromised ad servers, even when using Tor.