Application Privacy Leak
- From: Christian Hergert <christian hergert me>
- To: gnome-os-list <gnome-os-list gnome org>, safety-list gnome org
- Subject: Application Privacy Leak
- Date: Tue, 11 Nov 2014 15:18:48 -0800
Cross posting to OS list and Safety list:
One thing I've been thinking about off and on for a while, is what does
it look like to protect user data when you can't have full disk encryption.
For example, let's say you have a tablet. If you were to do FDE
(full-disk-encryption) at boot, how would you enter the password into
the dialog? One option is to put the on-screen-keyboard and UI code into
an initrd so that you could load it early. But the initrd is also
unencrypted in the /boot partition. So it too is susceptible to attack
(modifications).
One way to combat that is to use secure boot (with a TPM) so that you
only boot a trusted kernel and initrd that is signed. But you get the
same thing by using dm-verity which keeps a sort of merkle tree hash for
verification and can fail to fault the page in if the checksum does not
match. (This is what ChromeOS does). It sounds like btrfs is working on
something similar?
What this means is that while you leak what OS you are running in
cleartext, you at least are booting and running what you expect. An
acceptable trade-off in my opinion. (Or maybe it's seed comes from
`cpuid` or something).
Of course, pair this with encrypted home directories that are unlocked
by pin/password/etc.
I'm sure most of you already know the above (and I'm just summarizing),
but I think this implies the following as necessary.
- User installed applications need to be stored in the encrypted home
directory so that we don't leak information.
Why? Think about apps where simply the installation of it gives away
sensitive information (sexual orientation, religion, etc). Simply
detecting the installation of the app could compromise someone's safety.
I assume this might have some conflicts with the following:
1) sharing pages on disk
2) "globally" installed applications (as if this matters anymore?)
I think the idea of globally installed applications is just fine (think
libreoffice), just that it shouldn't be the default in a word where we
have a more broad user base and application availability than we do today.
-- Christian
[
Date Prev][Date Next] [
Thread Prev][Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]