Bheem OS

A Zero Trust Operating System

Everything is a VM... Everything is cool...

Subash SN

  • Developed DVNA
  • Trainer/Speaker at BlackHat USA, c0c0n, BSides ...
  • Worked on Cloud security, DevOps, Secure design ...
  • Self-hosting for the last 6+ years
  • Researching privacy, security and freedom
  • Founded Openw3b Foundation
  • Say hello at subash@openw3b.org

Agenda

  • Discuss the issue
  • Show the solution
  • Why it makes sense
  • Attack demo
  • Questions

Disclaimer

Limited Knowledge + Limited Scope

Let's explore!

What's an Operating System?

Got it, we'll revisit this!

But why is it so hard to secure?

Because it's designed to trust users & applications!

But how not to trust?

Can zero trust be applied in an OS?

Everything in a VM

Isolate everything from everything!

Demo 1

Firefox running in crosvm

Usability of crosvm

1. Resize freely

2. Clipboard access

3. Audio

4. Built using Rust

Demo 2

Performance & Usability

(QEMU)

Performance

1. Save/resume VM

2. Identical CPU performance achievable

3. RAM Usage

4. GPU performance (virtio-gpu)

Demo 3

Opening a video file

Filesystem access

1. File shared via virtio-fs

2. Seamless video playback

3. Drag & drop

Demo 4

Other Apps - Zoom

Device passthrough

1. USB Passthrough (Webcam too)

2. Mic passthrough

3. PCI Passthrough

A better way to do this is using PipeWire

But, does it work? How?

Dockerfile for apps

FROM ubuntu

# GUI Environment and basics
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y dhcpcd5 util-linux systemd systemd-sysv xorg i3-wm xterm sudo xss-lock ethtool pciutils netplan.io nano net-tools inetutils-ping iproute2
RUN systemctl disable gdm dhcpcd
COPY files/init /init
RUN chmod +x /init
RUN useradd -s /bin/bash -d /home/user/ -m -G sudo user
RUN chown -R user:user /home/user

# Install the package and configure launch command
ARG PACKAGES='firefox'
ARG COMMAND=firefox
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y $PACKAGES

# Autologin on tty1 as user
RUN mkdir -p /etc/systemd/system/getty@tty1.service.d
COPY files/override.conf /etc/systemd/system/getty@tty1.service.d/override.conf

# Configure i3wm
COPY files/.xinitrc /home/user/.xinitrc
COPY files/config /etc/i3/config
COPY files/.bash_profile /home/user/.bash_profile

# Add command to script and autorun
RUN echo $COMMAND > /opt/app.sh
RUN chmod +x /opt/app.sh
RUN echo 'exec --no-startup-id /opt/app.sh' >> /etc/i3/config

Dockerfile to disk image

#! /bin/bash
set -e

mkdir -p fs
sudo rm -f fs/fs.tar fs/fs.qcow2   # -f: the first build has nothing to remove
DOCKER_BUILDKIT=1 docker build --output "type=tar,dest=fs/fs.tar" .
# qcow2 root disk with 500M of free space on top of the tar contents
sudo virt-make-fs --format=qcow2 --size=+500M fs/fs.tar fs/fs.qcow2
sudo chown user:user fs/fs.qcow2
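Here is an added wrapper script (example code, not vmpack's own and not from the deck) that runs the build steps above for one app at a time, passing the Dockerfile's PACKAGES and COMMAND build args instead of relying on their defaults. It validates both inputs because the Dockerfile echoes COMMAND straight into /opt/app.sh, so a stray build argument would otherwise become part of the app VM's launch script. The images/<app>/ layout, the APPVM_BUILD guard and the validation rules are assumptions of this example.

```shell
#!/bin/sh
# build-appvm.sh (added example, not vmpack's own script): build one app image
# from the deck's Dockerfile with explicit PACKAGES/COMMAND build args, then
# turn the exported tarball into a qcow2 root disk for the VM.
# Assumed layout: Dockerfile in the current directory, output under images/<app>/.
# Usage: APPVM_BUILD=1 sh build-appvm.sh firefox firefox
#        APPVM_BUILD=1 sh build-appvm.sh zoom "zoom pulseaudio" zoom

set -eu

# The app name becomes a directory name: accept only a conservative character set.
valid_app_name() {
    case "$1" in
        ''|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# COMMAND is echoed into /opt/app.sh by the Dockerfile, so refuse anything that
# is not a plain executable name or path (no spaces, no shell metacharacters).
valid_launch() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Paths for one app, derived from its (validated) name.
image_dir()  { printf 'images/%s\n' "$1"; }
image_tar()  { printf 'images/%s/fs.tar\n' "$1"; }
image_disk() { printf 'images/%s/fs.qcow2\n' "$1"; }

# $1 app name, $2 apt package list, $3 launch command (defaults to the app name)
build_appvm() {
    app=$1; packages=$2; launch=${3:-$1}
    valid_app_name "$app" || { echo "bad app name: $app" >&2; return 1; }
    valid_launch "$launch" || { echo "bad launch command: $launch" >&2; return 1; }
    mkdir -p "$(image_dir "$app")"
    rm -f "$(image_tar "$app")" "$(image_disk "$app")"   # -f: first build has nothing to remove
    DOCKER_BUILDKIT=1 docker build \
        --build-arg "PACKAGES=$packages" \
        --build-arg "COMMAND=$launch" \
        --output "type=tar,dest=$(image_tar "$app")" .
    # +500M of free space on top of the tar contents, as in the deck's script
    virt-make-fs --format=qcow2 --size=+500M "$(image_tar "$app")" "$(image_disk "$app")"
}

# Only build when explicitly asked, so the file can also be sourced for its helpers.
if [ "${APPVM_BUILD:-0}" = 1 ]; then
    build_appvm "$@"
fi
```

Each app gets its own image directory, which is what "one app per VM" needs on the build side: rebuilding Firefox never touches the Zoom disk, and the disk name can be derived from the app name at launch time.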

Start the VM

#! /bin/bash
# Start Firefox using crosvm - start.sh

crosvm run -c 8 -m 4096 --disable-sandbox \
  --gpu backend=virglrenderer,height=1080,width=1920 \
  --tap-name tap_appvm1_in \
  --rwroot fs/fs.qcow2 \
  --display-window-keyboard \
  --display-window-mouse \
  -p 'init=/init net.ifnames=0 ip=10.99.1.2::10.99.1.1:255.255.255.0::eth0:off' \
  --socket vm.sock \
  --vhost-net \
  bzImage

Start the VM (QEMU)

#! /bin/bash
# Start Firefox using qemu - start.sh

qemu-system-x86_64 -machine vmport=off \
   -enable-kvm -cpu host -m 2048m -smp 8 \
   -kernel bzImage \
   -append "root=/dev/vda rw init=/init" \
   -drive id=root,file=/mnt/ramdisk/fs.qcow2,format=qcow2,if=none \
   -device virtio-rng-pci \
   -device virtio-blk-pci,drive=root \
   -nic user,model=virtio \
   -vga virtio \
   -device intel-hda -device hda-duplex \
   -device virtio-tablet-pci,id=input2,bus=pci.0,addr=0x9 \
   -spice port=0,disable-ticketing=on,image-compression=off,seamless-migration=on \
   -spice gl=on,unix=on,addr=vm.sock,disable-ticketing=on \
   -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
   -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
   -monitor unix:monitor.sock,server,nowait \
   & remote-viewer spice+unix://vm.sock

What about sandboxing?

Inbuilt sandbox

  • Firefox, Chrome sandboxing
  • Up to the application developer to build support
  • Could have bugs

Firejail, Bubblewrap

  • Up to the user to use
  • Bugs: privilege escalation still possible

Flatpaks, Snap and AppImage

  • User friendly, but limitations still apply

x11docker & crostini

  • Uses wayland/X in the host
  • DRM: Wayland server, Driver could be buggy
  • virtio-gpu vs virtio-wl

Is crosvm/KVM the best then?

Bugs are still possible, but the attack surface is smaller

  • Limited to KVM
  • Crosvm/QEMU source code
  • Virtio drivers
  • Guest agent

How small?

Demo 5

Pwned App

No shell, nc, python ...

AppVM doesn't have one!

Reduced attack surface

Size isn't much either

Alpine Dockerfile

400 MB for Firefox

Isn't this like Qubes OS?

Hardware Containers

Device - DEVVM

- Ethernet, Wi-Fi, Bluetooth

Networking - NETVM (Chainable)

- VPN, Tor, Host, stacking

- Firewall/IPS/IDS

Audio + Mic + Webcam - AVVM (Pipewire)

- Access log

Technical differences

- Linux/KVM base vs Xen

- Accelerated graphics with virtio-gpu, Vulkan, etc.

Root user & Standard user

Root user

  • Provisioned
  • Managed
  • Monitored

while respecting user privacy

One app per VM

vs VM for multiple apps

All apps have access to the files in the VM

Exploited app -> Full VM burn

Declarative permissions

Only using virt stack

Immutable filesystem

Exploits can't persist
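To make the "declarative permissions" and "immutable filesystem" slides concrete, here is an added launcher (example code, not vmpack's own) that turns a few per-app permissions into the crosvm command line used in start.sh earlier: network yes/no decides whether a tap interface is attached at all, a host directory is exported over virtio-fs only when requested, and an immutable root boots the image with --root instead of --rwroot so nothing a compromised app writes survives a restart. Assumed: the images/<app>.qcow2 layout, the virtio-fs tag "shared", the APPVM_EXEC guard, and the 10.99.<N>.x addressing scheme generalised from the deck's script (tap_appvm<N>_in on the host, 10.99.<N>.2 in the guest).

```shell
#!/bin/sh
# appvm-launch.sh (added example, not part of vmpack): turn a small set of
# declarative permissions into a crosvm command line for one app VM.
# Assumptions: one tap interface per VM named tap_appvm<N>_in, the host side of
# that tap holds 10.99.<N>.1 and the guest gets 10.99.<N>.2 (the deck's scheme),
# images live at images/<app>.qcow2, bzImage is in the current directory.
# Usage: APPVM_EXEC=1 sh appvm-launch.sh firefox 1 yes "" yes

set -eu

# Name of the host tap interface feeding app VM number N.
tap_name() {
    printf 'tap_appvm%s_in\n' "$1"
}

# Kernel ip= parameter for app VM number N (static address, no DHCP client needed).
ip_param() {
    printf 'ip=10.99.%s.2::10.99.%s.1:255.255.255.0::eth0:off\n' "$1" "$1"
}

# Build the crosvm command line from the permissions of one app VM.
#   $1 app name (image at images/<app>.qcow2)
#   $2 VM index N
#   $3 network: "yes" attaches the tap, anything else leaves the VM with no NIC
#   $4 optional host directory exported over virtio-fs ("" for none)
#   $5 immutable root: "yes" boots the image read-only so writes cannot persist
build_crosvm_cmd() {
    app=$1; idx=$2; net=$3; share=${4:-}; immutable=${5:-no}
    # crosvm's own device-process sandbox stays enabled here (the deck's
    # start.sh passes --disable-sandbox); same GPU and input setup as start.sh.
    cmd="crosvm run -c 8 -m 4096"
    cmd="$cmd --gpu backend=virglrenderer,height=1080,width=1920"
    cmd="$cmd --display-window-keyboard --display-window-mouse"
    if [ "$immutable" = "yes" ]; then
        cmd="$cmd --root images/$app.qcow2"      # read-only root: exploits can't persist
    else
        cmd="$cmd --rwroot images/$app.qcow2"
    fi
    if [ "$net" = "yes" ]; then
        cmd="$cmd --tap-name $(tap_name "$idx") --vhost-net"
        kparams="init=/init net.ifnames=0 $(ip_param "$idx")"
    else
        kparams="init=/init net.ifnames=0"       # no NIC at all: nothing to firewall
    fi
    if [ -n "$share" ]; then
        # virtio-fs export; the guest mounts it with: mount -t virtiofs shared /mnt
        cmd="$cmd --shared-dir $share:shared:type=fs"
    fi
    cmd="$cmd -p '$kparams' --socket appvm$idx.sock bzImage"
    printf '%s\n' "$cmd"
}

# Only launch when explicitly asked; otherwise the file just defines the helpers.
if [ "${APPVM_EXEC:-0}" = 1 ]; then
    eval "$(build_crosvm_cmd "$@")"
fi
```

The point of routing every permission through the virt stack is that an app which is not granted the network has no virtio-net device to attack in the first place, and an app booted from an immutable root can be torn down and restarted from the same image after a compromise without any cleanup inside the guest.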

Workspaces vs domains

  • Personal workspace
  • Development workspace
  • Banking workspace
  • Disposable workspaces

Workspace is a full desktop environment

Enterprise lockdowns

  • Local Network IDS/IPS
  • Application whitelists
  • Per app/workspace filesystem permissions

Cross-Platform support

  • Android via tool/waydroid
  • Windows via wine
  • Mac via Darling

Seamless updates

  • Update base images and apps independently

Powerful monitoring

  • Filesystem access
  • Network access
  • Memory
  • Heuristics monitoring

Seamless backups

  • OS Configuration
  • Application data
  • User data

How can I use it now?

Head over to github.com/openw3b/vmpack

Next steps

1. Reduce the size: slim and harden

2. Use nix

3. Privacy toggles and indicators

4. Compatibility with other Distro/Mac

5. Notifications

6. Improved window management

....

Contribute at github.com/openw3b/vmpack

What did we see so far?

  1. Zero trust: don't trust users & applications
  2. Running apps in VMs is feasible and beneficial
  3. A new kind of OS and its possibilities

What is an OS? [Subjective]

A piece of software that allows a user to operate hardware and run additional software

What is a Zero Trust OS? [Subjective]

A piece of software that allows a user to operate hardware and run additional software in a secure, defined way even when the user and the additional software are not trusted

How does this fit in Openw3b?

Where do you browse the web?

Openw3b Ecosystem

DesktopOS

MobileOS

Box

Apps & Services

Assistant

Masterplan

Free, Open source & Self hosted

Federated Cloud ecosystem

Please contribute?

Code          github.com/openw3b

Donate     donate@openw3b.org

Sponsor    sponsor@openw3b.org

Support FOSS

Spread Love, peace and joy!

SaveSoil.com

Looking for co-founders and full-time volunteers too!

Credits

  • Qubes OS
  • Spectrum OS
  • x11docker
  • crosvm
  • QEMU
  • All the FOSS
  • Family & Friends
  • Sponsors

Questions?

hello@openw3b.org

Thank you!

hello@openw3b.org