[Freedombox-discuss] Policy questions

[Sandy Harris]

Rob van der Hoeven <robvanderhoeven at ziggo.nl> wrote:

>> A standard tactic for security is isolation of services.
>> ...
>>
>> Clearly we cannot expect to use a separate machine
>> for each FB service, but we need some strategy that
>> limits the damage if any one service turns out to have
>> a security flaw. Some list posts suggest using virtual
>> machines, and that is one plausible solution, though
>> costly.
>
> Hi Sandy,
>
> I am the one that suggested virtual machines, and i am using them at
> this moment. ...
>
> In my opinion building a FreedomBox without using VM technology is very
> dangerous.

To me, the question seems more complex and still open. It is
clear that we need strong security, and therefore a carefully
designed strategy for isolation. It is not clear to me that VM
techniques are the way to go.

There are plenty of other candidates. The OS provides
mechanisms intended to do what we need, process
isolation, chroot, file permissions and so on. There are
extensions like SE-LInux and GRsecurity that give
more.

There may also be problems with the VM method.
Random numbers are one. More-or-less all crypto
depends on those. random(4) depends on the
driver having access to things like mouse clicks
and disk interrupts. I doubt that it will work well
on a headless server with solid state disk, let
alone in a VM.

This is just one problem that seems obvious.
Has anyone done a security audit on one of
the VM methods? Without that, should it be
trusted?

> Not all the software running on the FreedomBox will be mature
> and i expect a lot of serurity/stability issues.

I tend to think only mature software should be used.
There are other places for development and experiments.
The box needs to be very solid.

I wonder if Debian stable is solid enough, or if we should
be aiming at something more like OpenBSD, an audited
secure distro.