DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 15th August 2019
paranoidone paranoidone is offline
New User
 
Join Date: Aug 2019
Posts: 3
Default Confused about Sandboxing in OpenBSD

Full disclosure: I have not installed OpenBSD yet but am very impressed with the security measures, small, clean code and the philosphy of the programmers. This is my first post.

I have read a lot, can use terminal commands and do not have any concerns with actually installing the OS. Consequently, I want to install OpenBSD and have some questions about sandboxing that confuse me.

Other forums mention the threat model. The threat model is unwanted survelliance from Google, Microsoft, Apple, the NSA, MI5, the Russians and the Chinese. The only way in is metaphorically peeking through the wireless window. I'm not doing anything that would warrant a visit...

I want to sandbox all of the internet applications, browser, flash viewer, pdf viewer, etc. I use my laptop only for surfing the internet and using word to write my resumes. I believe Libreoffice is supported but wine is not.

From what I've read on sandboxing and OpenBSD is that there are developers working on a special sandboxed version of Chromium, then there is plege() and pledge(2) which offer sandboxing, VMM ports and finally OpenBSD now supports ZenHypervisor, just like Qubes OS.

So, of all of these options, which ones do I actually install to get the kind of protection I'm looking for?

Thank you in advance for your answers.

Last edited by paranoidone; 15th August 2019 at 02:39 PM. Reason: Fix spelling mistakes
Reply With Quote
  #2   (View Single Post)  
Old 15th August 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,052
Default

Hello and welcome.

First, clearly define "sandbox." Because if you mean "prevent any application I want to run from being able to discover anything about any other running process, its memory contents,, or any storage not dedicated to the application" you will spend a great deal of time attempting this level of isolation. OpenBSD does not provide this directly, except through pledge(2) and unveil(2), system calls which must be integrated into each application.

You mentioned chromium. This application has been ported to use pledge() and unveil(). So this particular browser is prevented from performance system calls outside of a restricted set, and it is storage-isolated.

Most third party packages do not have these two security features, as the integration effort can be significant.
(Several years ago, I added pledge() restrictions to the p7zip archive utility. It required weeks of effort and the aid of multiple developers, as the application's source code was undocumented, filled with recursive #ifdefs, and each code path had to be traced separately.)
Other security features are available that require applications to be designed from the ground up or a complete redesign to use, such as W^X. And futher still, there are security technologies that are design functions only, and don't use "OS features," such as privilege separation.

Lastly, vmm(4) is a hypervisor, using hardware virtualization features of select Intel and AMD processors. This permits the use of virtual machines for various categories of isolation. I've used these for labs, for building of -stable packages on -curren machines, for staging of production servers, etc.
Quote:
..., flash viewer,...
If you're interested in Flash, you've come to the wrong OS.
Reply With Quote
  #3   (View Single Post)  
Old 15th August 2019
paranoidone paranoidone is offline
New User
 
Join Date: Aug 2019
Posts: 3
Default

@jggimi

Quote:
You mentioned chromium. This application has been ported to use pledge() and unveil(). So this particular browser is prevented from performance system calls outside of a restricted set, and it is storage-isolated.
YES, this is what I meant by sandboxing.

Thanks for the explanation of what VMM does. That clears up the misunderstanding.

Quote:
If you're interested in Flash, you've come to the wrong OS.
I do not want to create flash content, just view youtube videos and there is code for that according the faq on openbsd. My focus is security not convenience so if I absolutely need a windows only app like Skype, then I may keep a second laptop for that purpose or create a dual boot machine.
Reply With Quote
  #4   (View Single Post)  
Old 15th August 2019
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

Quote:
Originally Posted by paranoidone View Post
I do not want to create flash content, just view youtube videos
...which doesn't use flash.
Reply With Quote
Reply

Tags
nsa, security, surveillance

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Does OpenBSD use libarchive sandboxing code? betweendayandnight OpenBSD Security 4 13th August 2016 06:46 PM
Installation: Choosing a host & domain name ... (slightly confused) jackthechemist OpenBSD General 10 10th December 2010 07:51 PM
A little confused. Do "snapshots" (vs dump=image) have any correlation, non-unix? jb_daefo FreeBSD General 9 21st November 2009 04:41 AM
Wireless + wired = confused network setup davidgurvich FreeBSD General 3 27th May 2008 06:10 PM


All times are GMT. The time now is 06:48 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick