Page MenuHomePhabricator

securityProject
ActivePublic

Members (1)

Watchers

  • This project does not have any watchers.
  • View All

Details

Description

Security enhancements.

Recent Activity

Sat, Aug 1

HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

The good news is I think I've figured out the equivalent tc-netem command looking the slot parameter in the manual:

Sat, Aug 1, 5:42 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

May 30 2020

HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

Ticket above closed and convo moved to tails-dev.

May 30 2020, 4:33 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Mar 22 2020

Patrick updated the task description for T942: Whonix Host Firewall for Whonix Host.
Mar 22 2020, 6:15 PM · Whonix 15, security, Whonix-Host, Whonix

Mar 21 2020

Patrick renamed T942: Whonix Host Firewall for Whonix Host from polish Whonix Host Firewall for Whonix Host to Whonix Host Firewall for Whonix Host.
Mar 21 2020, 11:44 AM · Whonix 15, security, Whonix-Host, Whonix
Patrick added a project to T942: Whonix Host Firewall for Whonix Host: Whonix 15.
Mar 21 2020, 11:39 AM · Whonix 15, security, Whonix-Host, Whonix
Patrick updated the task description for T942: Whonix Host Firewall for Whonix Host.
Mar 21 2020, 11:34 AM · Whonix 15, security, Whonix-Host, Whonix

Jan 7 2020

HulaHoop added a comment to T552: Packaging USBKill.

An interesting product that triggers a system wipe if the cable is pulled:

Jan 7 2020, 5:51 PM · Whonix-Host, security, Whonix

Dec 24 2019

madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Dec 24 2019, 5:07 PM · security, Whonix, apparmor-profile-everything
Patrick closed T943: make /boot and /lib/modules unreadable even for root as Resolved.

Would an audit denyrule for /boot be useful for the sake of audit?

Dec 24 2019, 4:49 PM · security, Whonix, apparmor-profile-everything
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. Apparmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Dec 24 2019, 4:37 PM · security, Whonix, apparmor-profile-everything
Patrick added a comment to T943: make /boot and /lib/modules unreadable even for root.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

Dec 24 2019, 12:17 PM · security, Whonix, apparmor-profile-everything

Dec 23 2019

madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot/ is already unreadable.

Dec 23 2019, 9:27 PM · security, Whonix, apparmor-profile-everything

Dec 7 2019

Patrick renamed T943: make /boot and /lib/modules unreadable even for root from make /boot unreadable even for root to make /boot and /lib/modules unreadable even for root.
Dec 7 2019, 9:14 AM · security, Whonix, apparmor-profile-everything
Patrick triaged T943: make /boot and /lib/modules unreadable even for root as Normal priority.
Dec 7 2019, 9:13 AM · security, Whonix, apparmor-profile-everything

Dec 5 2019

Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:16 PM · Whonix, security
Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:12 PM · Whonix, security
Patrick renamed T941: lock down interpreters / compilers (interpreter lock) (compiler lock) from lock down interpreters (interpreter lock) to lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:12 PM · Whonix, security
Patrick updated the task description for T941: lock down interpreters / compilers (interpreter lock) (compiler lock).
Dec 5 2019, 4:07 PM · Whonix, security
Patrick triaged T942: Whonix Host Firewall for Whonix Host as Normal priority.
Dec 5 2019, 4:04 PM · Whonix 15, security, Whonix-Host, Whonix
Patrick renamed T941: lock down interpreters / compilers (interpreter lock) (compiler lock) from lock down interpreters to lock down interpreters (interpreter lock).
Dec 5 2019, 3:51 PM · Whonix, security
Patrick triaged T941: lock down interpreters / compilers (interpreter lock) (compiler lock) as Normal priority.
Dec 5 2019, 3:51 PM · Whonix, security
Patrick updated the task description for T940: grub boot password.
Dec 5 2019, 3:35 PM · security, Whonix-Host, Whonix
Patrick triaged T940: grub boot password as Normal priority.
Dec 5 2019, 3:22 PM · security, Whonix-Host, Whonix

Nov 25 2019

Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 25 2019, 1:32 PM · C Code, security, Whonix

Nov 16 2019

Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:20 AM · C Code, security, Whonix
Patrick added a comment to T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:19 AM · C Code, security, Whonix
Patrick updated the task description for T543: TCP ISNs and Temperature induced clock skews.
Nov 16 2019, 11:18 AM · C Code, security, Whonix

Nov 6 2019

Patrick updated subscribers of T362: systemd SystemCallFilter= containment option seccomp hardening.
Nov 6 2019, 3:34 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix
Patrick closed T362: systemd SystemCallFilter= containment option seccomp hardening as Resolved.

This was done. If not, please create specific tickets where it isn't done.

Nov 6 2019, 3:34 AM · enhancement, whonixcheck, msgcollector, sdwdate, onion-grater (Control Port Filter Proxy), security, Debian version 9 codename Stretch, systemd, Whonix

Oct 15 2019

HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

https://redmine.tails.boum.org/code/issues/17156

Oct 15 2019, 9:26 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Oct 13 2019

HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

Analysis by Cyrus cited here for completion:

Oct 13 2019, 4:18 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Oct 7 2019

HulaHoop added a comment to T543: TCP ISNs and Temperature induced clock skews.

An alternative proposal for editing ISNs without involving the kernel:

Oct 7 2019, 3:11 AM · C Code, security, Whonix

Oct 6 2019

HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.
Oct 6 2019, 10:53 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research
Patrick closed T596: keep an eye on kloak anti keystroke deanonymization tool as Resolved.

Implemented for some time now.

Oct 6 2019, 9:54 PM · Whonix 16, security, Whonix
Patrick updated subscribers of T530: CPU-induced latency Covert Channel Countermeasures.
Oct 6 2019, 9:50 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research
Patrick added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

Reported build failures:

Oct 6 2019, 9:47 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research
HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

When an implementation is decided, let's decide if we can include this in security-misc for use on Linux hosts and Kicksecure. We would need some way in detecting the active NIC since on wireless systems wlan0 is the interface of choice and not eth0

Oct 6 2019, 9:01 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research
HulaHoop added a comment to T530: CPU-induced latency Covert Channel Countermeasures.

tc-netem is a utility that is part of the iproute2 package in Debian. It leverages functionality already built into Linux and userspace utilities to simulate networks including packet delays and loss.

Oct 6 2019, 6:04 PM · virtualizer, VMware, VirtualBox, KVM, Qubes, security, Whonix, research

Apr 23 2019

Patrick updated the task description for T552: Packaging USBKill.
Apr 23 2019, 12:39 PM · Whonix-Host, security, Whonix
Patrick updated the task description for T552: Packaging USBKill.
Apr 23 2019, 12:38 PM · Whonix-Host, security, Whonix

Apr 6 2019

Patrick lowered the priority of T727: solve the Xen entropy scarcity problem / implement something like virtio-rng into Xen upstream from High to Normal.
Apr 6 2019, 8:22 PM · security, Qubes, Whonix

Apr 5 2019

Patrick added a comment to T543: TCP ISNs and Temperature induced clock skews.

@Patrick What is the status of integration?

Apr 5 2019, 10:20 PM · C Code, security, Whonix
HulaHoop added a comment to T543: TCP ISNs and Temperature induced clock skews.

@Patrick What is the status of integration? Since we have kloak this is also a great defense to have. There is a script on there for packing as a deb:

Apr 5 2019, 8:55 PM · C Code, security, Whonix

Mar 28 2019

Patrick added a comment to T596: keep an eye on kloak anti keystroke deanonymization tool.

release kloak v0.2

Mar 28 2019, 12:55 AM · Whonix 16, security, Whonix

Mar 1 2019

Patrick added a comment to T596: keep an eye on kloak anti keystroke deanonymization tool.

Many code enhancements were recently added by its author.

Mar 1 2019, 9:03 AM · Whonix 16, security, Whonix

Feb 15 2019

marmarek added a comment to T709: port Whonix package build process to Qubes package build process.

To build a package with qubes-builder, you need to add Makefile.builder file with just one line: DEBIAN_BUILD_DIRS := debian. This will tell qubes-builder that given repository contains Debian package.
Alternatively, if that would be too much of a problem, it should be easy to add an option that do auto detection (probably just looks for debian directory).

Feb 15 2019, 12:20 AM · security, Qubes, build, Whonix

Feb 14 2019

Patrick added projects to T709: port Whonix package build process to Qubes package build process: build, Qubes, security.
Feb 14 2019, 8:01 PM · security, Qubes, build, Whonix

Jan 23 2019

Patrick updated the task description for T114: Permanent Takedown Attack Defender.
Jan 23 2019, 11:15 AM · whonixcheck, upstream, enhancement, security, Whonix
Patrick updated the task description for T114: Permanent Takedown Attack Defender.
Jan 23 2019, 11:14 AM · whonixcheck, upstream, enhancement, security, Whonix
Patrick closed T678: tb-updater onion mirros downloads support as Resolved.
Jan 23 2019, 5:45 AM · security, Whonix 15, Whonix 14, Whonix, tb-updater