Bheem OS

A Zero Trust Operating System

 

Everything is a VM... Everything is cool...

Subash SN

  • Developed DVNA
  • Trainer/Speaker at BlackHat USA, c0c0n, BSides ...
  • Worked on Cloud security, DevOps, Secure design ...
  • Self-hosting for the last 6+ years
  • Researching privacy, security and freedom
  • Founded Openw3b Foundation
  • Say hello at subash@openw3b.org

 

Disclaimer

  • Subjective opinions ahead
  • Still under development
  • Live Github release :)

Let's explore!

What's an Operating System?

What is an OS? [Subjective]

A piece of software that allows a user to operate a piece of hardware and run additional software on it

We'll revisit this!

But why is it so hard to secure?

Because it's designed to trust!

Users & applications, and also drivers, hardware, ...

But how not to trust?

Can zero trust be applied inside an OS?

Apps in a VM

Isolate apps from everything else!

Demo 1

Firefox running in crosvm

Usability of crosvm

1. Resize freely

2. Clipboard access

3. Built using Rust

4. Audio server issues

5. Mouse issues

Demo 2

Performance & Usability (QEMU)

Performance

1. Near-native CPU performance achievable (KVM, -cpu host)

2. RAM Usage (memory ballooning)

3. GPU performance (virtio-gpu)

4. Faster load times with save, resume

Demo 3

Opening a video file

Filesystem access

1. File shared via virtio-fs

2. Seamless video playback

3. Drag & drop

Demo 4

Other Apps - Zoom

Device passthrough

1. USB Passthrough (Webcam too)

2. Mic passthrough

3. PCI Passthrough

A better way to do this is via PipeWire (the AVVM, see Hardware Containers)

But, does it work? How?

Dockerfile for apps

# Demo image: it still ships bash, sudo and the full Ubuntu userland;
# the hardened AppVM images described later strip those out.
FROM ubuntu

# GUI Environment and basics
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y dhcpcd5 util-linux systemd systemd-sysv xorg i3-wm xterm sudo xss-lock ethtool pciutils netplan.io nano net-tools inetutils-ping iproute2
# The guest gets its address from the kernel command line (ip=...), not from DHCP
RUN systemctl disable gdm dhcpcd
COPY files/init /init
RUN chmod +x /init
RUN useradd -s /bin/bash -d /home/user/ -m -G sudo user
RUN chown -R user:user /home/user

# Install the package and configure launch command
ARG PACKAGES='firefox'
ARG COMMAND=firefox
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y $PACKAGES && \
    rm -rf /var/lib/apt/lists/*

# Autologin on tty1 with user (files/override.conf is the getty autologin drop-in, not shown here)
RUN mkdir -p /etc/systemd/system/getty@tty1.service.d
COPY files/override.conf /etc/systemd/system/getty@tty1.service.d/override.conf

# Configure i3wm (--chown so the user's dotfiles are not root-owned)
COPY --chown=user:user files/.xinitrc /home/user/.xinitrc
COPY files/config /etc/i3/config
COPY --chown=user:user files/.bash_profile /home/user/.bash_profile

# Add command to a script and autorun it from i3
RUN printf '#!/bin/sh\nexec %s\n' "$COMMAND" > /opt/app.sh && chmod +x /opt/app.sh
RUN echo 'exec --no-startup-id /opt/app.sh' >> /etc/i3/config

Dockerfile to disk image

#! /bin/bash
# Dockerfile -> root filesystem tarball -> qcow2 disk for the VM
set -e
mkdir -p fs
sudo rm -f fs/fs.tar fs/fs.qcow2
# BuildKit exports the final image's filesystem as a plain tar (no image is kept in docker)
DOCKER_BUILDKIT=1 docker build --output "type=tar,dest=fs/fs.tar" .
# libguestfs turns the tar into a filesystem image with 500M of free space on top
sudo virt-make-fs --format=qcow2 --size=+500M fs/fs.tar fs/fs.qcow2
sudo chown user:user fs/fs.qcow2

Start the VM

#! /bin/bash
# Start Firefox using crosvm - start.sh
# --disable-sandbox turns off crosvm's per-device minijail sandboxes and runs
# every device in one process. It is here for the demo only: keep the sandboxes
# enabled for real use so that a bug in one virtio device stays contained.
# The ip=... kernel argument gives the guest a static address on the
# tap_appvm1_in tap; the host side of that tap must exist before the VM starts.

crosvm run -c 8 -m 4096 --disable-sandbox \
  --gpu backend=virglrenderer,height=1080,width=1920 \
  --tap-name tap_appvm1_in \
  --rwroot fs/fs.qcow2 \
  --display-window-keyboard \
  --display-window-mouse \
  -p 'init=/init net.ifnames=0 ip=10.99.1.2::10.99.1.1:255.255.255.0::eth0:off' \
  --socket vm.sock \
  --vhost-net \
  bzImage

*We actually start crosvm using a management wrapper

Start the VM (QEMU)

#! /bin/bash
# Start Firefox using qemu - start.sh
# Notes: -soundhw was removed in QEMU 7.1, the intel-hda/hda-duplex device pair
# is its replacement; the two -spice options are merged into one; spice GL only
# works over a unix socket; on QEMU 6.1+ use -device virtio-vga-gl instead of
# -vga virtio to get virgl acceleration.

qemu-system-x86_64 -machine vmport=off \
   -enable-kvm -cpu host -m 2048m -smp 8 \
   -kernel bzImage \
   -append "root=/dev/vda rw init=/init" \
   -drive id=root,file=/mnt/ramdisk/fs.qcow2,format=qcow2,if=none \
   -device virtio-rng-pci \
   -device virtio-blk-pci,drive=root \
   -nic user,model=virtio \
   -vga virtio \
   -device intel-hda -device hda-duplex \
   -device virtio-tablet-pci,id=input2,bus=pci.0,addr=0x9 \
   -spice unix=on,addr=vm.sock,gl=on,disable-ticketing=on,image-compression=off,seamless-migration=on \
   -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
   -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
   -monitor unix:monitor.sock,server,nowait &

# wait for the spice socket to appear before attaching the viewer
until [ -S vm.sock ]; do sleep 0.2; done
remote-viewer spice+unix://vm.sock

What about sandboxing?

Inbuilt sandbox

  • Firefox, Chrome sandboxing
  • Up to the application developer to build support
  • Could have bugs

Firejail, Bubblewrap

  • Up to the user to use
  • Bugs: privilege escalation still possible

Flatpak, Snap and AppImage

  • User friendly, default in some OS
  • Previous Limitations still apply

x11docker & crostini

  • Can run in VMs
  • Uses wayland/X in the host
  • DRM: the Wayland server and the GPU driver could be buggy
  • virtio-gpu vs virtio-wl

Is kvm the best then?

Bugs are still possible, but the attack surface is much smaller

  • Limited to KVM
  • Crosvm/QEMU source code
  • Virtio drivers
  • Guest agent

Isn't this like Qubes OS?

Hardware Containers

Device - DEVVM

- Ethernet, Wi-Fi, Bluetooth

Networking - NETVM (Chainable)

- VPN, Tor, Host, stacking

- Firewall/IPS/IDS
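What the host side of a per-AppVM firewall with an access log can look like, as an added example (not Bheem OS or vmpack code): the AppVM hangs off a tap interface like the tap_appvm1_in in the crosvm command above, and an nftables table per VM enforces default deny in both directions, refuses spoofed source addresses, allows only an explicit list of outbound services and logs everything the app tried and was refused. The interface and address names, the uplink, the allow-list (DNS and HTTPS only) and the appvm_* table naming are assumptions.

```sh
#!/bin/sh
# Per-AppVM host firewall: added example, not Bheem OS / vmpack code.
# Assumed layout: guest on a tap interface, host owns the gateway address,
# traffic leaves through an uplink interface (wlan0, eth0, or a NETVM's tap).

# Print an nftables ruleset for one AppVM. Default deny in both directions,
# allow only DNS and HTTPS out, refuse spoofed source addresses, and log
# every refused attempt so the host keeps an access log per app.
appvm_nft_ruleset() {
    name=$1; tap=$2; guest=$3; uplink=$4
    cat <<EOF
table inet appvm_$name {
    chain input {
        type filter hook input priority 0; policy accept;
        # the guest never talks to host services: the gateway is only a router
        iifname "$tap" log prefix "appvm_$name host " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # anti-spoof: only the guest's own address may leave the tap
        iifname "$tap" ip saddr != $guest log prefix "appvm_$name spoof " drop
        # replies to flows the guest was allowed to open
        oifname "$tap" ct state established,related accept
        # allow-list: DNS and HTTPS via the uplink, nothing else
        iifname "$tap" oifname "$uplink" udp dport 53 accept
        iifname "$tap" oifname "$uplink" tcp dport 443 accept
        # access log: everything else the app tried
        iifname "$tap" log prefix "appvm_$name deny " drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$uplink" ip saddr $guest masquerade
    }
}
EOF
}

# Create the tap, give the host the gateway address and load the ruleset.
# Needs root. The guest side is the ip=... kernel argument in the crosvm command.
appvm_net_up() {
    name=$1; tap=$2; guest=$3; gw=$4; uplink=$5
    ip tuntap add dev "$tap" mode tap user "$(id -un)"
    ip addr add "$gw/24" dev "$tap"
    ip link set "$tap" up
    sysctl -q -w net.ipv4.ip_forward=1
    appvm_nft_ruleset "$name" "$tap" "$guest" "$uplink" | nft -f -
}

# Tear down: deleting the table removes every rule of that AppVM at once.
appvm_net_down() {
    nft delete table inet "appvm_$1"
    ip link del "$2"
}

# Matching the crosvm command: guest 10.99.1.2, gateway 10.99.1.1 on the tap
# appvm_net_up appvm1 tap_appvm1_in 10.99.1.2 10.99.1.1 wlan0
```

Each AppVM gets its own table, so the rules of one VM can be replaced or deleted without touching another, and the log prefixes make the kernel log (or an IDS reading it) attributable to the app. Chaining a NETVM simply means the uplink is another VM's tap instead of the physical interface.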

 

Audio + Mic + Webcam - AVVM (Pipewire)

- Access log

Key differences

  • XEN vs Linux/KVM base
  • Slow vs Accelerated graphics with virtio-gpu, vulkan, etc.
  • Aimed at Experts, lots of controls vs Normal users
  • Mature and tested vs New

One app per VM vs one VM for multiple apps

All apps have access to the files in the VM

Exploited app -> full VM burn

Cross-Platform support

  • Android via tool/waydroid
  • Windows via wine
  • Mac via Darling
Immutable filesystem

Exploits can't persist

  • Nix store for immutable apps
  • NixOS base for declarative OS

Declarative permissions

  • App permissions declared at virtualization stack
  • Permissions
    • Filesystem
    • Clipboard
    • A/V
    • USB
    • CPU, Memory
    • GPU
    • ...
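What declaring permissions at the virtualization stack means in practice, as an added example that is not vmpack's own format or code: a per-app manifest of key=value lines is turned into the QEMU command line, and every capability that is not granted is simply absent from the VM (no NIC, no shared directory, no clipboard agent, no USB devices) instead of being filtered inside the guest. The manifest keys, the /run/appvm socket path and the virtio-fs tag are assumptions.

```sh
#!/bin/sh
# Declarative AppVM permissions -> QEMU arguments (added example, not vmpack code).
# Manifest format (assumption): key=value lines, e.g.
#   cpus=4
#   mem=2048
#   network=tap:tap_appvm1_in    (none | user | tap:<ifname>)
#   share=/home/user/Downloads   (one directory exported via virtio-fs)
#   clipboard=yes                (spice vdagent channel)
#   usb=046d:0825,0bda:8153      (host USB devices by vendor:product)
# Anything absent is denied: the device simply does not exist in the VM.

# Value of one key, or a default when the key is missing.
manifest_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s' "${val:-$3}"
}

# Print the QEMU argument string for the manifest in $1.
build_qemu_args() {
    m=$1
    cpus=$(manifest_get "$m" cpus 2)
    mem=$(manifest_get "$m" mem 1024)
    args="-enable-kvm -cpu host -smp $cpus -m ${mem}M -vga virtio -device virtio-rng-pci"

    # Network: deny by default. A tap binds the VM to one host-side interface,
    # where nftables (or a NETVM) decides what the app may reach.
    net=$(manifest_get "$m" network none)
    case "$net" in
        none)  args="$args -nic none" ;;
        user)  args="$args -nic user,model=virtio" ;;
        tap:*) args="$args -nic tap,ifname=${net#tap:},script=no,downscript=no,model=virtio" ;;
        *)     echo "unknown network policy: $net" >&2; return 1 ;;
    esac

    # Filesystem: one exported directory over virtio-fs, served on the host by
    # virtiofsd (started separately, e.g. virtiofsd --socket-path=/run/appvm/vfs.sock
    # --shared-dir="$share" --sandbox=chroot). vhost-user needs shared guest
    # memory, hence the memfd backend sized like -m.
    share=$(manifest_get "$m" share "")
    if [ -n "$share" ]; then
        args="$args -object memory-backend-memfd,id=mem0,size=${mem}M,share=on -numa node,memdev=mem0"
        args="$args -chardev socket,id=vfs0,path=/run/appvm/vfs.sock -device vhost-user-fs-pci,chardev=vfs0,tag=share"
    fi

    # Clipboard: only when granted does the spice agent channel exist at all
    # (the -spice display options themselves are added by the launcher).
    if [ "$(manifest_get "$m" clipboard no)" = yes ]; then
        args="$args -device virtio-serial -chardev spicevmc,id=vdagent,name=vdagent"
        args="$args -device virtserialport,chardev=vdagent,name=com.redhat.spice.0"
    fi

    # USB: pass through only the listed host devices, nothing else.
    usb=$(manifest_get "$m" usb "")
    if [ -n "$usb" ]; then
        args="$args -device qemu-xhci,id=xhci"
        old_ifs=$IFS; IFS=','
        for dev in $usb; do
            args="$args -device usb-host,bus=xhci.0,vendorid=0x${dev%%:*},productid=0x${dev##*:}"
        done
        IFS=$old_ifs
    fi
    printf '%s\n' "$args"
}

# Usage: qemu-system-x86_64 $(build_qemu_args firefox.perm) -kernel bzImage -append ...
if [ $# -gt 0 ]; then build_qemu_args "$1"; fi
```

The point of generating the command line from the manifest is that the permission set is reviewable as data, and that revoking a permission is a restart with a device missing rather than a policy the guest could argue with.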

Workspaces


  • Personal, Dev, Work, Banking workspace
  • Workspace runs on host, apps run in VMs
  • More of a Logical separation
  • Immutable and declarative
  • Install apps, access files, network as authz
  • Full desktop environment
  • Can also be a VM
  • Gaming workspace (via GPU pass-through)

Remote rendering

Since everything runs in VMs, it can technically run anywhere

  • Secure computing
  • Accelerated computing
  • Thin client

Enterprise lockdowns

  • Local Network IDS/IPS
  • Application + Files + Network rules
  • Backup & Update management
  • Authentication Revocation

Seamless updates

  • Update the base OS by hibernating apps. No loss
  • Staggered updates and rollbacks

Powerful monitoring

 

  • Filesystem access
  • Network access
  • Memory
  • Heuristics monitoring

 

 

Everything happens in a VM, bridged by middleware. Easy to monitor

Seamless backups

  • OS Configuration
  • Application data
  • User data
  • Live migrate between systems

Admin vs User

Admin user

  • OS Installation
  • Workspace management
    • Allowed files
    • Allowed apps
    • Allowed networks
    • Allowed devices
  • Monitoring
  • Remote management (any)

Standard user

  • Install and use apps
  • Updates & Backups
  • Encrypted workspaces
  • Everything authz by admin

How can I use it now?

https://github.com/openw3b/vmpack

# Install vmpack
mkdir -p ~/.local/bin
git clone https://github.com/Openw3b/vmpack.git ~/.vmpack
ln -s ~/.vmpack/vmpack ~/.local/bin/vmpack   # ~/.local/bin must be on PATH

# Install Firefox (the second argument names the instance, several can coexist)
vmpack install firefox Fox1

Prerequisites: git docker libguestfs-tools socat virt-manager

 

Demo 6

vmpack

Features

  • Any base distro
  • Immutable base images
  • Hardening
  • Multiple app instances
  • Super easy to create new apps
  • Custom icon
  • Custom kernel
  • Custom qemu/crosvm options

Demo 7

Hardening

No shell, nc, python ...

AppVM doesn't have one!

Reduced attack surface
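A build-time check for exactly that property, as an added example (not vmpack's own hardening step): the root filesystem tarball that docker build --output type=tar produces is audited before it is turned into a disk, and the build is refused if the image still carries a shell, nc, python or similar tooling, or any setuid/setgid binary that an in-guest privilege escalation would target. The deny list is an assumption; extend it for the apps you ship.

```sh
#!/bin/sh
# Audit an AppVM root filesystem tarball before it becomes a disk image.
# Added example, not vmpack code. The deny list is an assumption.

# Binaries an exploit reaches for first: shells, interpreters, network and
# debugging tools. The hardened AppVM should ship none of them.
AUDIT_DENY='sh bash dash zsh nc ncat netcat socat python python3 perl curl wget gdb strace'

# Return 0 when the tarball is clean, 1 when something was found (details on
# stdout), 2 when the tar cannot be read.
audit_rootfs_tar() {
    tar_file=$1
    rc=0
    names=$(tar -tf "$tar_file") || return 2
    for bin in $AUDIT_DENY; do
        # compare the last path component only: bin/sh, ./usr/bin/python3, ...
        # (tar lists directories with a trailing slash, so those are skipped)
        hits=$(printf '%s\n' "$names" | grep -v '/$' | grep -E "(^|/)$bin\$" | head -n 3)
        if [ -n "$hits" ]; then
            printf 'DENY %s: %s\n' "$bin" "$(printf '%s' "$hits" | tr '\n' ' ')"
            rc=1
        fi
    done
    # setuid/setgid: an 's' (or 'S') in the owner or group execute slot of the
    # mode column of the verbose listing, e.g. -rwsr-xr-x root/root ... usr/bin/passwd
    suid=$(tar -tvf "$tar_file" | grep -E '^[^ ]{3}[sS]|^[^ ]{6}[sS]' || true)
    if [ -n "$suid" ]; then
        printf 'SETUID/SETGID: %s\n' "$suid"
        rc=1
    fi
    return $rc
}

# Usage in the build script, between docker build and virt-make-fs:
#   audit_rootfs_tar fs/fs.tar || { echo "refusing to build disk image" >&2; exit 1; }
if [ $# -gt 0 ]; then audit_rootfs_tar "$1"; fi
```

Note that the demo Dockerfile earlier (ubuntu base, bash, sudo) would not pass this check; it is the slimmed image this check is meant to gate.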

How is it more useful?

  • Protection against priv-esc and other zero-days: a compromised app only owns its own disposable VM
  • Much lower attack surface than any in-guest sandboxing (KVM, the VMM and the virtio drivers, nothing else)

Next steps

1. Reduce the size -  slim and harden

2. App directory mounts. Fully immutable

3. Use nix

4. Privacy toggles and indicators

5. Compatibility with other Distros/Mac

6. Notifications, Applets

7. Improved window management

....

Contribute at github.com/openw3b/vmpack

Git release!

What did we see so far?

  1. Zero trust : Don't trust users & applications
  2. Running apps in VMs is feasible and beneficial
  3. A new kind of OS and its possibilities

What is a Zero Trust OS? [Subjective]

A piece of software that allows a user to operate a piece of hardware and run additional software in a secure, well-defined way even when the user and the additional software are not trusted

How does this fit in Openw3b?

Where do you browse the web?

Openw3b Ecosystem

DesktopOS - An easy, powerful and secure desktop OS

MobileOS - An easy, powerful and secure mobile OS

Box - Affordable, reliable and simple self-hosting

Apps & Services - Self hosted Cloud(services)

Assistant - Self hosted and private voice assistant

openw3b.org

#openw3b:matrix.org

This is Web3?

Masterplan

  • Free

  • Open source

  • Self hosted

  • Federated

  • Friendly

Tech ecosystem

Please contribute?

Code          github.com/openw3b

Donate     donate@openw3b.org

Sponsor    sponsor@openw3b.org


Support FOSS

Spread Love, peace and joy!

SaveSoil.com

Looking for co-founders and full-time volunteers too!

Discuss     #openw3b:matrix.org

We are a non-profit tech foundation!

Credits

  • Qubes OS
  • Spectrum OS
  • x11docker
  • crosvm
  • QEMU
  • All of FOSS
  • Family & Friends
  • Sponsors
  • null, Nullcon and Germany!!!

Questions?

hello@openw3b.org

Thank you!

hello@openw3b.org
