Hardened desktop operating systems
Also amnesiac and/or anonymous
September 11, 2019 — January 11, 2022
Need to level up your security in a suspect environment? At some point, you need to harden your OS to minimise exposure to some of the tricks the adversaries (gangsters/feds/gangster-feds/etc) could use on you if you had come to their attention. This is probably something that is worth your time if you are, for example, a journalist in a free-press-hostile state — maybe everywhere, soon enough. You might want to harden your mobile device also.
I’m no expert, but there is a clear trade-off between convenience and security which is confusing to navigate. Maybe have two computers, a cheap secure one to protect whistleblowing in authoritarian regimes and a fancy machine riddled with convenient off-the-shelf spyware for your day job.
One tactic you might employ for that secure machine, for certain risk profiles, is an open-source hardened operating system. It is harder, for now, probably, for states to inject spyware into open-source systems than into closed commercial ones because of the greater transparency of the setup. Presumably, in this case, they cannot simply ask a friend at a major software company to install spyware on your computer, and must fall back on higher-cost strategies such as zero-day exploits, hardware implants and other tinfoil-hat stuff.
If this is a real improvement in the risk profile, how would I benefit from it? Let’s have a look at some in-principle tools to set up our machines for confidential uses, which we might suppose are at the very least troublesome to molest without a warrant. Some of these might be difficult to get into even for spies with a warrant.
I’m going to dump a bunch of stuff while thinking it through. These notes are not intended to be authoritative, complete or pedagogic.
Quotes are taken from distrowatch.com unless otherwise stated. See their security-focussed distro list also.
1 Hardened hardware
To get maximum value from hardened software, we probably want hardened hardware. I have an uneasy suspicion that this is hard in general. Certainly, it is deep and weird; see Purism’s post on Intel’s Management Engine for example.
2 Pre-rolled hardened OSes
Hardened distros try to avoid the default not-especially-secure setup of computers that are designed to be friendly and welcoming and easy to do things on. But perhaps you want to have a computer that only lets you do things that are secure?
2.1 Qubes
Qubes OS is a security-oriented, Fedora-based desktop Linux distribution whose main concept is “security by isolation” by using domains implemented as lightweight Xen virtual machines. It attempts to combine two contradictory goals: how to make the isolation between domains as strong as possible, mainly due to clever architecture that minimises the amount of trusted code, and how to make this isolation as seamless and easy as possible.
Is this very much better than ordinary hardened distros? Not sure. The argument for it is that hardening inside a single kernel still leaves that one kernel as the single point of failure, whereas with Xen isolation a compromised browser qube cannot simply read the qube holding your keys. The price is that every qube is a whole VM, so it eats RAM (more than CPU) and needs hardware with VT-x and VT-d (an IOMMU) to deliver the isolation it promises.
2.2 Kicksecure
Kicksecure is the hardened Debian core of Whonix, below, shipped as a standalone distribution. I don’t know much about it on its own, i.e. without all the fancy anonymisation stuff for which Whonix is famous.
2.3 Subgraph
Subgraph is another approach to hardened OS. It has the best graphic design. Seems to combine custom application firewalls with custom sandboxing for certain strategic desktop network apps, and a rewrite of various infrastructure in Go to encourage better memory safety. Lots of things are proxied and firewalled from one another.
2.4 Parrot
ParrotOS (Parrot Security, ParrotOS) is a free and open source GNU/Linux distribution based on Debian Testing designed for security experts, developers and privacy-aware people.
It includes a full portable arsenal for IT security and digital forensics operations, but it also includes everything you need to develop your own programs or protect your privacy while surfing the net
2.5 Kali
Kali: like Parrot, veeery focussed on security professionals, with a similar pitch. A caveat for both: a penetration-testing distro is a toolbox for attacking other people’s systems, not a hardened desktop for protecting your own. A machine stuffed with offensive tools and their network services is close to the opposite of a minimal attack surface.
2.6 Alpine
🏗
Alpine Linux is a community-developed operating system designed for routers, firewalls, VPNs, VoIP boxes and servers. It was designed with security in mind; it has proactive security features like PaX and SSP that prevent security holes in the software from being exploited. The C library used is musl and the base tools are all in BusyBox. Those are normally found in embedded systems and are smaller than the tools found in GNU/Linux systems.
This is not a hardened distro per se, but rather a pre-compiled one with a smallish attack surface. Note that the PaX in that blurb is historical: Alpine dropped its grsecurity/PaX kernel after grsecurity stopped publishing public patches, so what you actually get today is musl, BusyBox and a small surface, not a hardened kernel. But that might be a good starting point?
3 Pre-rolled anonymous OSes
Anonymous hardened OSes are more paranoid than merely hardened OSes. They don’t just try to keep you safe from the nasties, they also try to hide who you are, by erasing distinguishing tells in the OS, and by routing all traffic through anonymising overlay networks such as Tor. Maybe other stuff. They are also often amnesiac, which seems to mean that if you use one of these to do something, it will be hard afterwards to tell what you were using it to do.
Usually these systems are not designed to be your main or only OS, and indeed they are kinda annoying and slow to use. They are for doing your confidential stuff: talking to journalistic sources, doing political organising in repressive regimes, escaping your abusive spouse, operating on black markets. Presumably people planning terrorism could benefit from these also.
3.1 Tails
The Amnesic Incognito Live System (Tails) is a Debian-based live DVD/USB with the goal of providing complete Internet anonymity for the user. The product ships with several Internet applications, including web browser, IRC client, mail client and instant messenger, all pre-configured with security in mind and with all traffic anonymised. To achieve this, Incognito uses the Tor network to make Internet traffic very hard to trace.
Tails is low on features, but that might mean it’s harder to hack. If you don’t mind decreasing your security, you can install extra software. The basic idea is that it runs from a USB stick, writes nothing to the internal disk by default, and keeps as much as possible in RAM, which it wipes at shutdown, so it should forget what you were up to relatively quickly. So it is ideally also deniable, at least if you turn off the optional encrypted persistent storage and can account for why you are carrying a Tails stick.
3.2 Whonix
Whonix is also a hardened OS, and anonymous. It is designed for running as a pair of virtual machines: a Gateway VM that does nothing but run Tor, and a Workstation VM whose only network path is through the Gateway. The security-relevant point is that the Workstation never learns your real IP address, so even malware that fully owns it cannot leak it. It is not as amnesiac as Tails, but slightly better at hiding your use of Tor, AFAICT, since it is easier to tunnel it over a VPN. Virtual machines are intrinsically more dangerous in this era of speculative execution bugs etc, but also they avoid some stupid nonsense like needing a whole spare computer to use. It has an amnesiac VM mode, whonix-live, and also an amnesiac non-VM mode (basically, imitating Tails) called grub-live. For civilian use, possibly one could just run an encrypted VM image and rely on the Stasi not dropping in while it was still in memory.
It requires occasional weird incantations, e.g. if you get blkio errors.
3.3 Heads
heads is admirably paranoid and aims to one-up Tails in this regard by being even less trusting of even more chunks of the usual infrastructure.
heads is a privacy-focused Linux distribution designed to make it easy for users to access the Internet anonymously using the Tor network. heads is based on Devuan and features only free (libre) software. The Linux kernel has had non-free blobs removed.
However, their release schedule is sluggish, and I suspect they don’t have the critical mass to contribute yet another confidential OS to the race.
3.4 Kodachi
Linux Kodachi is a Debian-based distribution which can be run from a DVD or USB thumb drive. The distribution filters all network traffic through a VPN and the Tor network, obscuring the user’s network location. The distribution attempts to clean up after itself, removing traces of its use from the computer.
Jack Wallen at TechRepublic profiles it: Kodachi is the operating system for those who value privacy but don’t want to learn Linux.
I am not sure about the provenance of Kodachi or its weird built-in VPN. It comes with source in the distro. The fact that this is documented in the video is one of many entertaining things about author Warith Al Maawali. Say what you like, he is certainly an extremely productive guy.
4 DIY hardened OS
How much do you trust the distro package maintainer though for any of these projects? (Just one guy is credited for e.g. Kodachi.) Or indeed, any OS distro? Groups like the core infrastructure initiative aim to reduce the degree of trust needed for the OS maintainers.
As it stands, it is hard to trust the build toolchain right now; with the best of intentions a maintainer cannot easily guarantee that the binaries they supply correspond to the sources, even if the sources are secure, until deterministic (reproducible) builds and other technologies come online for Linux distros. The idea is that anyone can rebuild the package from the same source and get bit-for-bit the same binary, so a tampered build server or a compromised maintainer can be caught by an independent rebuilder. Notably, this is not on the cards for Ubuntu or Red Hat, and Ubuntu have come under fire for having still less transparent build systems than the already opaque status quo in their “snap” packaging system. Tracking the status of reproducible builds? See, e.g. ReproducibleBuilds - Debian Wiki
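As an added illustration of what “deterministic build” actually means (this is my own toy script, not code from the post, from any distro, or from the Reproducible Builds project): build a constructed source tree twice, compare the digests, and see why a naive build fails the check (it bakes in the wall clock and directory-traversal order) while a build that takes its timestamp from SOURCE_DATE_EPOCH and sorts its inputs passes. The default epoch value and the “build” itself (a concatenation) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the post: a toy build run twice and compared by digest.
# Shows why a naive build is not reproducible (it embeds the clock and walks the
# tree in filesystem order) and how the SOURCE_DATE_EPOCH convention pins it.
# Assumes a POSIX sh with mktemp, find, sort and sha256sum (or shasum).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/src"
mkdir -p "$SRC/lib"
# Constructed stand-in for a source tree.
printf 'int main(void) { return 0; }\n' > "$SRC/main.c"
printf 'int helper(void) { return 1; }\n' > "$SRC/lib/helper.c"

# A real build would take this from the VCS (e.g. the last commit time);
# the default here is an assumption for the demo: 2020-01-01T00:00:00Z.
: "${SOURCE_DATE_EPOCH:=1577836800}"

digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Naive build: embeds the wall clock (think __DATE__/__TIME__ or a
# "built on ..." banner) and concatenates files in whatever order the
# filesystem hands back, which differs between machines.
naive_build() {
    {
        printf 'built-at=%s\n' "$(date +%s)"
        find "$SRC" -type f -exec cat {} +
    } > "$1"
}

# Reproducible build: the timestamp comes from SOURCE_DATE_EPOCH and the
# file list is sorted under a fixed locale, so the output bytes depend
# only on the inputs.
reproducible_build() {
    {
        printf 'built-at=%s\n' "$SOURCE_DATE_EPOCH"
        find "$SRC" -type f | LC_ALL=C sort | while IFS= read -r f; do
            cat "$f"
        done
    } > "$1"
}

# The actual check an independent rebuilder performs: build twice
# (a second apart, here) and compare digests. Returns 0 when the two
# artefacts are byte-identical.
builds_match() {
    "$1" "$WORK/out1"
    sleep 1
    "$1" "$WORK/out2"
    [ "$(digest "$WORK/out1")" = "$(digest "$WORK/out2")" ]
}

if builds_match naive_build; then
    echo "naive build: reproducible (unexpected)"
else
    echo "naive build: NOT reproducible"
fi
if builds_match reproducible_build; then
    echo "pinned build: reproducible"
else
    echo "pinned build: NOT reproducible (unexpected)"
fi
```

Real projects do the same thing at scale: rebuild on an independent machine, compare with diffoscope to see exactly which bytes differ, and set SOURCE_DATE_EPOCH from something like `git log -1 --format=%ct` rather than the clock.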
Would you rather build from source? In principle, you can do this for any open source OS, but it’s a right pain in the arse in general. The chain of trust is long and has many links.
Distros like Gentoo/Funtoo support user source builds in principle, but they require you to know what you are doing to ensure that you have actually set them up in a secure fashion, which is hard. Most of us non-experts are probably safer cargo-culting a fancy secure OS and trusting that it is configured securely.
4.1 PureOS
PureOS is an aggressively open and auditable OS. Think “hardcore Debian”. FAQ:
- PureOS is one of a few strict GNU/Linux operating systems, meaning it does NOT include any non-free, proprietary software and/or drivers/firmware (aka binary blobs).
- PureOS is pre-configured with privacy and security in mind. PureOS and Pureboot implement security-in-depth which aims to provide multiple layers of secure computing to protect both data at rest and data in transit.
It is clear that they have a very open model. Less clear is how hardened/paranoid the actual default configuration is. Presumably reasonably paranoid. One caveat worth knowing: “no binary blobs” is a freedom and auditability property, not a hardening one. A fully deblobbed kernel cannot load proprietary CPU microcode updates either, and those are how a lot of speculative-execution bugs get mitigated, so on such a system you want the microcode fixed in the firmware or accept that trade-off knowingly.
4.2 Gentoo
Gentoo Linux is a versatile and fast, completely free Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage. Portage is a true ports system in the tradition of BSD ports, but is Python-based and sports a number of advanced features including dependencies, fine-grained package management, “fake” (OpenBSD-style) installs, safe unmerging, system profiles, virtual packages, config file management, and more.
Hardening is a manual process. Gentoo does ship a hardened profile that switches the toolchain defaults to PIE, stack protector and full RELRO and offers SELinux variants, but choosing it, keeping it and auditing your USE flags is on you.
4.2.1 Funtoo
Funtoo is EZ-Gentoo.
Funtoo Linux is a Gentoo-based distribution developed by Daniel Robbins (the founder and former project leader of Gentoo Linux) and a core team of developers, built around a basic vision of improving the core technologies in Gentoo Linux. Funtoo Linux features native UTF-8 support enabled by default, a git-based, distributed Portage tree and Funtoo overlay, an enhanced Portage with more compact mini-manifest tree, automated imports of new Gentoo changes every 12 hours, GPT/GUID boot support and streamlined boot configuration, enhanced network configuration, up-to-date stable and current Funtoo stages — all built using Funtoo’s Metro build tool.
The list of sensible modern requirements being listed as cutting edge features makes me nervous about vanilla Gentoo.
4.3 Arch
Arch installs binary packages by default, but if I understand correctly it can build from source: the Arch Build System lets you rebuild any official package from its PKGBUILD with makepkg. The AUR, by contrast, is source-only and unvetted, which is exactly the trust-the-random-maintainer problem from above, so read the PKGBUILD before you build it.
Arch Linux is an independently developed, x86_64-optimised Linux distribution targeted at competent Linux users. It uses pacman, its home-grown package manager, to provide updates to the latest software applications with full dependency tracking. Operating on a rolling release system, Arch can be installed from a CD image or via an FTP server. The default install provides a solid base that enables users to create a custom installation. In addition, the Arch Build System (ABS) provides a way to easily build new packages, modify the configuration of stock packages, and share these packages with other users via the Arch Linux user repository.