Bheem OS
A Zero Trust Operating System
Everything is VM... Everything is cool...
Subash SN
- Developed DVNA
- Trainer/Speaker at BlackHat USA, c0c0n, BSides ...
- Worked on Cloud security, DevOps, Secure design ...
- Self-hosting for the last 6+ years
- Researching privacy, security and freedom
- Founded Openw3b Foundation
- Say hello at subash@openw3b.org
Disclaimer
- Subjective opinions ahead
- Still under development
- Live Github release :)
Let's explore!
What's an Operating System?
What is an OS? [Subjective]
A piece of software that allows a user to operate on hardware and run additional software
We'll revisit this!
But why is it so hard to secure?
Because it's designed to trust!
User & Applications
also drivers, hardware, ...
But how not to trust?
Zero trust can be applied in an OS?
Apps in a VM
Isolate apps from everything else!
Demo 1
Firefox running in crosvm
Usability of crosvm
1. Resize freely
2. Clipboard access
3. Built using Rust
4. Audio server issues
5. Mouse issues
Demo 2
Performance & Usability
(QEMU)
Performance
1. Identical CPU performance achievable
2. RAM Usage (memory ballooning)
3. GPU performance (virtio-gpu)
4. Faster load times with save, resume
Demo 3
Opening a video file
Filesystem access
1. File shared via virtio-fs
2. Seamless video playback
3. Drag & drop
Demo 4
Other Apps - Zoom
Device passthrough
1. USB Passthrough (Webcam too)
2. Mic passthrough
3. PCI Passthrough
A better way to do this is using Pipewire
But, how does it work?
Dockerfile for apps
FROM ubuntu
# GUI Environment and basics
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -y dhcpcd5 util-linux systemd systemd-sysv xorg i3-wm xterm sudo xss-lock ethtool pciutils netplan.io nano net-tools inetutils-ping iproute2
RUN systemctl disable gdm dhcpcd
COPY files/init /init
RUN chmod +x /init
RUN useradd -s /bin/bash -d /home/user/ -m -G sudo user
RUN chown -R user:user /home/user
# Install the package and configure launch command
ARG PACKAGES='firefox'
ARG COMMAND=firefox
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y $PACKAGES
# Autologin tty0 with user
RUN mkdir -p /etc/systemd/system/getty@tty1.service.d
COPY files/override.conf /etc/systemd/system/getty@tty1.service.d/override.conf
# Configure i3wm
COPY files/.xinitrc /home/user/.xinitrc
COPY files/config /etc/i3/config
COPY files/.bash_profile /home/user/.bash_profile
# Add command to script and autorun
RUN echo $COMMAND > /opt/app.sh
RUN chmod +x /opt/app.sh
RUN echo 'exec --no-startup-id /opt/app.sh' >> /etc/i3/config
Dockerfile to disk image
#!/bin/bash
# -f: do not fail when no previous build output exists
sudo rm -f fs/fs.tar fs/fs.qcow2
DOCKER_BUILDKIT=1 docker build --output "type=tar,dest=fs/fs.tar" .
sudo virt-make-fs --format=qcow2 --size=+500M fs/fs.tar fs/fs.qcow2
sudo chown user:user fs/fs.qcow2
Start the VM
#! /bin/bash
# Start Firefox using crosvm - start.sh
crosvm run -c 8 -m 4096 --disable-sandbox \
--gpu backend=virglrenderer,height=1080,width=1920 \
--tap-name tap_appvm1_in \
--rwroot fs/fs.qcow2 \
--display-window-keyboard \
--display-window-mouse \
-p 'init=/init net.ifnames=0 ip=10.99.1.2::10.99.1.1:255.255.255.0::eth0:off' \
--socket vm.sock \
--vhost-net \
bzImage
*We actually start crosvm using a management wrapper
Start the VM (QEMU)
#! /bin/bash
# Start Firefox using qemu - start.sh
qemu-system-x86_64 -machine vmport=off \
-enable-kvm -cpu host -m 2048m -smp 8 \
-kernel bzImage \
-append "root=/dev/vda rw init=/init" \
-drive id=root,file=/mnt/ramdisk/fs.qcow2,format=qcow2,if=none \
-device virtio-rng-pci \
-device virtio-blk-pci,drive=root \
-nic user,model=virtio \
-vga virtio \
-soundhw hda \
-device virtio-tablet-pci,id=input2,bus=pci.0,addr=0x9 \
-spice port=0,disable-ticketing,image-compression=off,seamless-migration=on \
-spice gl=on,unix,addr=vm.sock,disable-ticketing \
-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
-monitor unix:monitor.sock,server,nowait \
& remote-viewer spice+unix://vm.sock
What about sandboxing?
- Firefox, Chrome sandboxing
- Up to the application developer to build support
- Could have bugs
Inbuilt sandbox
- Up to the user to use
- Bugs: Privilege escalation still possible
Firejail, Bubblewrap
Flatpaks, Snap and AppImage
- User friendly, default in some OS
- Previous Limitations still apply
x11docker & crostini
- Can run in VMs
- Uses wayland/X in the host
- DRM: Wayland server, Driver could be buggy
- virtio-gpu vs virtio-wl
Is kvm the best then?
Bugs still possible, but attack surface is smaller
- Limited to KVM
- Crosvm/QEMU source code
- Virtio drivers
- Guest agent
Isn't this like Qubes OS?
Hardware Containers
Device - DEVVM
- Ethernet, Wifi, Bluetooth
Networking - NETVM (Chainable)
- VPN, Tor, Host, stacking
- Firewall/IPS/IDS
Audio + Mic + Webcam - AVVM (Pipewire)
- Access log
Key differences
- XEN vs Linux/KVM base
- Slow vs Accelerated graphics with virtio-gpu, vulkan, etc.
- Aimed at Experts, lots of controls vs Normal users
- Mature and tested vs New
One app per VM
vs VM for multiple apps
All apps have access to the files in VM
Exploited app -> Full VM burn
Cross-Platform support
- Android via tool/waydroid
- Windows via wine
- Mac via Darling
Immutable filesystem
Exploits can't persist
- Nix store for immutable apps
- NixOS base for declarative OS
Declarative permissions
- App permissions declared at virtualization stack
- Permissions
- Filesystem
- Clipboard
- A/V
- USB
- CPU, Memory
- GPU
- ...
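One way to declare permissions at the virtualization stack, as an added example (not vmpack's own code or manifest format): a default-deny manifest is translated into QEMU arguments, so a capability the app did not declare is never wired into its VM. The manifest keys (`net`, `gpu`, `clipboard`, `persist`, `cpus`, `mem_mb`) and the file names `fs.qcow2` and `vm.sock` are assumptions.

```shell
#!/bin/sh
# Added example, not vmpack code: the manifest keys below are hypothetical.
# Reads "key=value" permission lines and prints QEMU arguments, one per line.
# Nothing is granted unless declared; unknown keys or values abort (fail closed).
build_qemu_args() (   # subshell body: variables and exit stay local
    net=no gpu=no clipboard=no persist=no cpus=1 mem_mb=512
    while IFS='=' read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;
            net|gpu|clipboard|persist)
                case "$val" in yes|no) ;; *) echo "bad value: $key=$val" >&2; exit 1 ;; esac ;;
            cpus|mem_mb)
                case "$val" in ''|*[!0-9]*) echo "bad number: $key=$val" >&2; exit 1 ;; esac ;;
            *) echo "unknown permission: $key" >&2; exit 1 ;;
        esac
        eval "$key=\$val"   # safe: $key passed the allowlist above
    done <<EOF
$1
EOF
    printf '%s\n' -machine vmport=off -enable-kvm -cpu host -smp "$cpus" -m "${mem_mb}m"
    # Immutable unless persistence is declared: snapshot=on drops guest writes.
    if [ "$persist" = yes ]; then snap=off; else snap=on; fi
    printf '%s\n' -drive "id=root,file=fs.qcow2,format=qcow2,if=none,snapshot=$snap" \
        -device virtio-blk-pci,drive=root
    if [ "$net" = yes ]; then printf '%s\n' -nic user,model=virtio
    else printf '%s\n' -nic none; fi
    if [ "$gpu" = yes ]; then gl=on; printf '%s\n' -vga virtio
    else gl=off; printf '%s\n' -vga std; fi
    spice="unix=on,addr=vm.sock,disable-ticketing=on,gl=$gl"
    if [ "$clipboard" = yes ]; then
        # The SPICE agent channel is what carries clipboard data.
        printf '%s\n' -spice "$spice" -device virtio-serial \
            -chardev spicevmc,id=vdagent,name=vdagent \
            -device virtserialport,chardev=vdagent,name=com.redhat.spice.0
    else
        printf '%s\n' -spice "$spice,disable-copy-paste=on"
    fi
)

# Constructed sample manifest for a browser AppVM: no clipboard, no persistence.
MANIFEST='# firefox
net=yes
gpu=yes
cpus=4
mem_mb=2048'

build_qemu_args "$MANIFEST"
```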
Workspaces
- Personal, Dev, Work, Banking workspace
- Workspace runs on host, apps run in VMs
- More of a Logical separation
- Immutable and declarative
- Install apps, access files, network as authz
- Full desktop environment
- Can also be a VM
- Gaming workspace (via GPU pass-through)
Remote rendering
Since everything runs in VMs, it can technically run anywhere
- Secure computing
- Accelerated computing
- Thin client
Enterprise lockdowns
- Local Network IDS/IPS
- Application + Files + Network rules
- Backup & Update management
- Authentication Revocation
Seamless updates
- Update base OS by hibernating apps. No loss
- Staggered updates and rollbacks
Powerful monitoring
- Filesystem access
- Network access
- Memory
- Heuristics monitoring
Everything happens in VM, bridged by middlewares. Easy to monitor
Seamless backups
- OS Configuration
- Application data
- User data
- Live migrate between systems
Admin vs User
Admin user
- OS Installation
- Workspace management
- Allowed files
- Allowed apps
- Allowed networks
- Allowed devices
- Monitoring
- Remote management (any)
Standard user
- Install and use apps
- Updates & Backups
- Encrypted workspaces
- Everything authz by admin
How can I use it now?
https://github.com/openw3b/vmpack
# Install vmpack
cd ~/
git clone git@github.com:Openw3b/vmpack.git .vmpack
ln -s ~/.vmpack/vmpack ~/.local/bin/vmpack
# Install Firefox
vmpack install firefox Fox1
Prerequisite: git docker libguestfs-tools socat virt-manager
Demo 6
vmpack
Features
- Any base distro
- Immutable base images
- Hardening
- Multiple app instances
- Super easy to create new apps
- Custom icon
- Custom kernel
- Custom qemu/crosvm options
Demo 7
Hardening
No shell, nc, python ...
AppVM doesn't have one!
Reduced attack surface
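A check for the hardening claim above, as an added example (not part of vmpack): it scans an unpacked AppVM root filesystem, for instance the `fs.tar` from the build step extracted to a directory, for shells, interpreters and network tools, plus setuid/setgid files. The deny list and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not vmpack code. The deny list below is an assumption;
# tune it to what the packaged app actually needs at run time.
# audit_rootfs DIR prints findings and returns 1 if any were found.
audit_rootfs() (   # subshell body keeps variables local
    root=${1%/}; status=0
    for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
        for p in "$root/$dir"/*; do
            # -L also catches dangling links such as sh -> busybox
            [ -e "$p" ] || [ -L "$p" ] || continue
            case "${p##*/}" in
                sh|bash|dash|ash|zsh|busybox|nc|ncat|netcat|socat|python*|perl*)
                    echo "TOOL ${p#"$root"/}"; status=1 ;;
            esac
        done
    done
    # setuid/setgid files are common local privilege-escalation footholds
    suid=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$suid" ]; then
        printf '%s\n' "$suid" | while IFS= read -r f; do
            echo "SUID ${f#"$root"/}"
        done
        status=1
    fi
    exit "$status"
)

# Usage: sh audit.sh /path/to/unpacked/rootfs
if [ "$#" -gt 0 ]; then audit_rootfs "$1"; fi
```

On a usr-merged image, where `/bin` is a symlink to `/usr/bin`, each tool is reported under both paths.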
How is it more useful?
- Protection against priv-esc and other zero days
- Much lower attack surface than any other sandboxing
Next steps
1. Reduce the size - slim and harden
2. App directory mounts. Fully immutable
3. Use nix
4. Privacy toggles and indicators
5. Compatibility with other Distros/Mac
6. Notifications, Applets
7. Improved window management
....
Contribute at github.com/openw3b/vmpack
Git release!
What did we see so far?
- Zero trust : Don't trust users & applications
- Running apps in VMs is feasible and beneficial
- A new kind of OS and its possibilities
What is a ZeroTrust OS? [S]
A piece of software that allows a user to operate on hardware and run additional software in a secure, defined way even when the user and additional software are not trusted
How does this fit in Openw3b?
Where do you access/browse the web?
Openw3b Ecosystem
DesktopOS - An easy, powerful and secure desktop OS
MobileOS - An easy, powerful and secure mobile OS
Box - An affordable, reliable and simple self-hosting
Apps & Services - Self hosted Cloud(services)
Assistant - Self hosted and private voice assistant
openw3b.org
#openw3b:matrix.org
This is Web3?
Masterplan
- Free
- Open source
- Self hosted
- Federated
- Friendly
Tech ecosystem
Please contribute?
Code github.com/openw3b
Donate donate@openw3b.org
Sponsor sponsor@openw3b.org
Support FOSS
Spread Love, peace and joy!
SaveSoil.com
Looking for co-founders and full-time volunteers too!
Discuss #openw3b:matrix.org
We are a non-profit tech foundation!
Credits
- Qubes OS
- Spectrum OS
- x11docker
- crosvm
- QEMU
- All of FOSS
- Family & Friends
- Sponsors
- null, Nullcon and Germany!!!
Questions?
hello@openw3b.org
Thank you!
hello@openw3b.org