[Tails-dev] Tails 0.14 rc1 virtualization testing & howto in…

Nachricht löschen

Nachricht beantworten
Autor: adev
Datum:  
To: tails-dev
Betreff: [Tails-dev] Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer
Tails 0.14 rc1 686-pae sees all my cpu cores and RAM

Time to test virtualization.

virtualbox and vmplayer will use the 3.2.0-4-686-pae kernel headers and
compile and insert some kernel modules needed to run virtual machines,
create virtual network cards etc

Kernel headers 3.2.0-4-686-pae, vmplayer & virtualbox need gcc 4.6

There is no squeeze backport for gcc-4.6



A Solution:

dpkg --install gcc-4.4_4.4.5-8_i386.deb
ln -s /usr/bin/gcc-4.4 /usr/bin/gcc-4.6

vmplayer will now install, compile & insert kernel modules
virtualbox 4.2 will now install, compile & insert kernel modules

Side effects of gcc-4.4 = gcc-4.6, none observed
TODO:
1. View release notes & changelogs between gcc 4.4 and 4.6


Everything is running well. vmplayer in particular is *very* fast when I
copy the tails-0.14-rc1 iso to the ramdisk and boot it in a VM, GIMP and
all other apps load very fast


apt-get, it appears secure, using the debian public key(s) stored on the
tails livecd to verify the Releases file (which has the hash of the
packages file), then the hash of the Packages file(which has the hash of
the individual .debs), then the hash of the .deb so it should be ok to
install using apt-get over tor, I havent audited it yet though, there must
be bugs

Once you apt-get install gcc-4.4 and symlink it to gcc-4.6 you can apt-get
install virtualbox4.2 and it will install fine.

https://www.virtualbox.org/wiki/Linux_Downloads is verified by verisign,
so you only get verisign/ssl-level security

The webpage text shows 7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139
Oracle Corporation (VirtualBox archive signing key) <info@???>
as the key fingerprint for oracle_vbox.asc which you will need to add to
your apt-key repository, and edit /etc/apt/sources.list and add deb
http://download.virtualbox.org/virtualbox/debian squeeze contrib non-free
to the list. Full instructions are at https://www.virtualbox.org


If anyone wants to run virtualbox or vmplayer from within their tails
livecd you can do it



TODO:
1. Calculate what size requirements there would be if virtualbox was ever
shipped with tails
2. See how a git patch could be made that is easy simple and just makes
everything work well



Running virtual Tails from within a Tails live-cd:

Advantages:
* Can hide hardware serial numbers, even if an attacker gets root
* Allows stronger enforcement of tor-only connections, an attacker must
break out of a virtual machine, in addition to previous steps taken. A VM
can be configured to only be able to send traffic through the tor process
running on the host machine.
* Enables the features described at
https://tails.boum.org/todo/Two-layered_virtualized_system/


https://tails.boum.org/todo/Two-layered_virtualized_system/virtails.png is
a great diagram, but could be made even more secure by using multiple
computers to separate things even further, whonix has a multi-computer
design


Example setup, each item in brackets[] is a separate computer, connected
to the other computers via a crossover cable:

[Tails Storage Server] Runs encrypted storage from within a vm
|
Gives access to encrypted storage vis sshfs
| Encryption keys are never in RAM of vulnerable apache server
| running many end-user services

|
[Tails Server Edition] Runs Apache inside a virtual tails
|
|
|
[Tails Gateway] Runs only Tor process inside a virtual tails
|
|
|
[OpenBSD livecd] Transparent Bridge Firewall - Runs only pf and allows
only connections to a list of Tor bridges
|
|
Internet


^Bridges may not be recommended for tor hidden services? but this will
also work for a end-user client setup

^At any ethernet crossover cable, an intrusion detection system tap can be
added


A hacker could root a number of machines, and would have a very difficult
time ever revealing the real IP of the machine.

Please critique!



I'm not sure what the point of this email is, other than to get more
people interested in testing out virtualization! and making it easier for
anyone who saw some error messages using apt-get


I was told to discuss here ideas about virtualization and tails as it is
still early in the discussion process


What does everyone think about virtualization and tails?


References:
https://tails.boum.org/todo/Two-layered_virtualized_system/
https://tails.boum.org/todo/amd64_kernel/