Confused about Sandboxing in OpenBSD

[paranoidone]

Full disclosure: I have not installed OpenBSD yet but am very impressed with the security measures, small, clean code and the philosphy of the programmers. This is my first post.

I have read a lot, can use terminal commands and do not have any concerns with actually installing the OS. Consequently, I want to install OpenBSD and have some questions about sandboxing that confuse me.

Other forums mention the threat model. The threat model is unwanted survelliance from Google, Microsoft, Apple, the NSA, MI5, the Russians and the Chinese. The only way in is metaphorically peeking through the wireless window. I'm not doing anything that would warrant a visit...

I want to sandbox all of the internet applications, browser, flash viewer, pdf viewer, etc. I use my laptop only for surfing the internet and using word to write my resumes. I believe Libreoffice is supported but wine is not.

From what I've read on sandboxing and OpenBSD is that there are developers working on a special sandboxed version of Chromium, then there is plege() and pledge(2) which offer sandboxing, VMM ports and finally OpenBSD now supports ZenHypervisor, just like Qubes OS.

So, of all of these options, which ones do I actually install to get the kind of protection I'm looking for?

Thank you in advance for your answers.

[jggimi]

Hello and welcome.

First, clearly define "sandbox." Because if you mean "prevent any application I want to run from being able to discover anything about any other running process, its memory contents,, or any storage not dedicated to the application" you will spend a great deal of time attempting this level of isolation. OpenBSD does not provide this directly, except through pledge(2) and unveil(2), system calls which must be integrated into each application.

You mentioned chromium. This application has been ported to use pledge() and unveil(). So this particular browser is prevented from performance system calls outside of a restricted set, and it is storage-isolated.

Most third party packages do not have these two security features, as the integration effort can be significant.

(Several years ago, I added pledge() restrictions to the p7zip archive utility. It required weeks of effort and the aid of multiple developers, as the application's source code was undocumented, filled with recursive #ifdefs, and each code path had to be traced separately.)

Other security features are available that require applications to be designed from the ground up or a complete redesign to use, such as W^X. And futher still, there are security technologies that are design functions only, and don't use "OS features," such as privilege separation.

Lastly, vmm(4) is a hypervisor, using hardware virtualization features of select Intel and AMD processors. This permits the use of virtual machines for various categories of isolation. I've used these for labs, for building of -stable packages on -curren machines, for staging of production servers, etc.

Quote:

..., flash viewer,...

If you're interested in Flash, you've come to the wrong OS.

[paranoidone]

@jggimi

Quote:

You mentioned chromium. This application has been ported to use pledge() and unveil(). So this particular browser is prevented from performance system calls outside of a restricted set, and it is storage-isolated.

YES, this is what I meant by sandboxing.

Thanks for the explanation of what VMM does. That clears up the misunderstanding.

Quote:

If you're interested in Flash, you've come to the wrong OS.

I do not want to create flash content, just view youtube videos and there is code for that according the faq on openbsd. My focus is security not convenience so if I absolutely need a windows only app like Skype, then I may keep a second laptop for that purpose or create a dual boot machine.

[ibara]

Quote:

Originally Posted by paranoidone

I do not want to create flash content, just view youtube videos

...which doesn't use flash.