More Secure Tor Browsing Through A Virtual Machine in Ubuntu

[Ringo]

When I started working on this, I knew that projects like TorVM and
incognito existed, but I wanted to try something different. The problem
being that if an attacker is able to compromise the browser, the http
proxy, or Tor, the user could have their IP revealed, or at least that
was my understanding of it. I'm not sure what protections the current
systems have against this, but I'm guessing it's something along the
lines of a set of iptables rules that restrict certain
users/applications to localhost?

If we add that to the host of other problems that seems to come with
using Tor in a truly secure manner (updates in programs that break user
anonymity, people who want to run active scripting and remote code,
etc.), we're looking at a giant problem that can best be solved by
sandboxing the entire operating system instead of just certain
applications/users/parts of the OS.

In my model, the virtual machine can only connect (even as root) to the
host machine. I figure that anything running in a "torified" environment
should never need to access anything other than Tor, so I just removed
the possibility of that happening.

The problem with this model, as you state correctly is the high resource
usage and I think there's some way to bring this down but that's not
somewhere where I have a ton of experience.

I'm also working on a hidden service set-up guide using a similar model
and I did a little to lessen resource usage but much more needs to be
done. I think that for a browser vm, most consumer-grade computers can
handle a vm running damn small linux or some similar distro.

Ringo



Kyle Williams wrote:
> Ringo,
> So I find it funny that you write this as I am compiling a micro X11 VM for
> the exact application you describe, for many of the same reason you mention.
> I've been playing with this idea for quiet some time now, about a year.
> I have a rough working prototype of what I would like to see, but it's about
> 420MB in size, based on gentoo, and to me that is way to large.
> I've looked into Xbuntu and lots of others, and the solution I'm trying is
> to use the Kamakazie OpenWRT build for generic x86 running just X and a web
> browser application.
> So trying to get Mozilla, aka Firefox, integrated into the kamakazie build
> system is a nightmare.  I tried, coderman tried, and we're not going to try
> anymore with it.  Mozilla code wasn't designed for this type of thing.
> 
> Three days ago coderman and I thought that chrome might be a good option.
>  He downloaded the linux version, compiled and said it looked pretty
> straight forward and would probably work.
> So now I'm recompiling the Micro X11 VM with a kernel update, then I'll try
> and add chrome into the Mix.  If all goes well, we should have something in
> a few weeks.
> 
> Just so you know, I thought this was going to be much easier than it has
> turned out to be....their are all kinds of incompatibility issues, bugs, and
> customizations that always come up.
> It has taken a very long time since initial idea to get this far and keep it
> this small.  Right now the X11 VM is coming in around 11MB, that's with Tor,
> kernel, X11, and the minimums needs to run.
> I'm not sure how big Chrome is, but we'll see.
> 
> It'll be based on a similar build system as Tor VM.  The idea is to keep it
> small in size, low in memory usage, and integrated like it's any other
> application on the system, even though it's running in a VM.  The VM engine
> we used in Tor VM is Qemu.  My personal goal is to try and get everything at
> or below 50MB in size, but we'll see how that turns out.
> 
> If you haven't looked at Tor VM, you might want to do so.  It's a good base
> to start a project like what you describe, and is what we've been working on
> (quietly) for some time now. :)
> https://www.torproject.org/torvm/
> http://www.janusvm.com/tor_vm/
> 
> 
> - Kyle
> 
> On Tue, Aug 18, 2009 at 11:12 PM, Ringo <2600denver at gmail.com> wrote:
> 
>> I would appreciate any feedback people have on this. This is just an
>> idea and it's kind of beta, so don't use this unless you know what
>> you're doing. PGP key at bottom of message
>>
>>
>>
>>
>> More Secure Tor Browsing Through A Virtual Machine in Ubuntu
>>
>> Whenever somebody uses the internet through Tor using the standard
>> set-up, they are assuming that the program (such as Firefox) they're
>> using is immune to serious remote attacks such as code execution attacks
>> that could allow an adversary to run commands on their system. It is
>> possible to use Tor without making these assumptions, thus making Tor
>> use safer.
>>
>> The basic idea behind securing Tor browsing through a virtual machine is
>> to put the user's programs in a sandbox. A virtual machine is the
>> ultimate example of this. Even if an attacker were to be able to gain
>> command-line access through a vulnerability in a program such as
>> Firefox, they still wouldn't be able to obtain the user's IP address,
>> look at their file system, or gain access to any other
>> personally-identifiable information.
>>
>> As an added benefit of running a virtual machine, you can also allow
>> scripts, flash, and all sorts of other nasty code to run in your browser
>> as even if it tries to break out it won't be able to. You should be
>> aware that this will break your anonymity across identities through
>> things like flash cookies. We'll discuss that more later as well as
>> steps that can be taken to prevent it.
>>
>> Unfortunately, virtual machines require a lot of memory, cpu time, and
>> disk space. If you don't have extra of these, you might want to consider
>> building a chroot jail instead. If you want to install a virtual
>> machine, keep reading.
>>
>> I'll be using Xubuntu for this guide because it's an easy distribution
>> for newbies to use and it's relatively lightweight. If you're dealing
>> with less system resources, you might want to try doing this with Damn
>> Small Linux or installing Fluxbox. If you get it to work, please
>> document how it was done so other people can lean from your experience.
>>
>> Part One: Download Xubuntu
>> The first thing we'll have to do is grab a copy of Xubuntu. If you have
>> lots of spare resources, you can use Ubuntu as the instructions will be
>> almost identical.
>> You can get the 9.04 (Jaunty Jackalope) version of Xubuntu at
>> http://www.xubuntu.com/get#jaunty. I strongly suggest you use the
>> Torrents they provide at
>>
>> http://mirror.anl.gov/pub/ubuntu-iso/CDs-Xubuntu/9.04/release/xubuntu-9.04-desktop-i386.iso.torrent
>> .
>>
>>
>> Part Two: Configure Your Host System
>> While we're waiting for Xubuntu to download, let's set up your host
>> system. The first thing we'll need to do is create a user to run the
>> virtual machine. Go to System>Administration>Users and Groups and add a
>> new user. You'll need to set a password for them, so make sure you write
>> it down when you do. Also, go to advanced and write down the user id.
>> I'm calling this user “torify” in my examples.
>> I'm assuming you already have Tor/Privoxy set up at the standard ports
>> (9050 and 8118) if not, please install them and remember any
>> non-standard configurations you have.
>> Let's set up our firewall so the “torify” user can only access localhost:
>> sudo iptables -t nat -A OUTPUT -m owner --uid-owner torify -j DNAT
>> --to-destination 127.0.0.1
>>
>> This firewall rule will only stick around until you restart your system
>> (or re-connect to the network). If you want to make it persistent,
>> there's a guide at https://help.ubuntu.com/community/IptablesHowTo which
>> explains how to even if you're using the Gnome or Xcfe Network Manager.
>>
>> If you have any software listening on any port (even if it's only
>> accessibly from localhost) then the virtual machine will be able to see
>> it. This is not a risk if you're browsing Tor safely in your virtual
>> machine but if you allow flash, java, etc. then it could become a risk.
>> A common open port on Linux systems is port 631, which is the CUPS
>> service's web interface for managing print jobs. If you open
>> http://localhost:631 in your web browser, you should be able to see if
>> it's there or not. You can temporarily disable it by going to the System
>> Monitor (in System>Administration), finding cupsd in the process list,
>> and killing it. This will only kill CUPS until the next system restart
>> (or possibly the next login).
>>
>> Next, we'll install the software required to run the virtual machine.
>> Type the following command in the terminal (Start>Accessories>Terminal).
>> If your processor doesn't support virtualization, you should only
>> install qemu. If you don't know if your processor supports it, go ahead
>> and install it as you can always remove it later.
>> sudo aptitude install qemu kqemu-common kqemu-source
>>
>> Once this is installed, you'll have to restart. Go ahead, I'll still be
>> here.
>>
>> Now that you've got Qemu/KVM installed, let's do the final step in
>> configuring your system. Remember where I asked you to write down the
>> user id? Replace “id” in the following two commands with the id of your
>> “torified” user.
>> sudo adduser `id -un` libvirtd
>> sudo adduser `id -un` kvm
>>
>> This allows your torify user (and virtual machine) to take advantage of
>> advanced virtualization features if you have them.
>>
>> Part Three: Install and Browse
>> So you're almost ready to start browsing via Tor.  First we'll need to
>> make a hard drive for your virtual machine. I suggest around 8G
>> (gigabytes) but you can do more. To make a hard drive of this size in
>> your current directory, run this command:
>> qemu-img create -f raw file.disk 8G
>>
>> Run this command to start installing your virtual machine. You can
>> change what's after -m if you have more or less available memory
>> (megabytes). Some processors have additional virtualization support.
>> Instead of using qemu, just try using kvm (same text after the command).
>> If you get errors or it doesn't work, you should probably stick with
>> qemu. Next, run this command to boot your torified operating system.
>>
>> qemu -hda file.disk -m 512 -name TorMachine -cdrom
>> xubuntu-9.04-desktop-i386.iso -boot d
>>
>> Select “try xubuntu without any changes..” and then double-click the
>> install icon on the desktop when it's loaded. The instructions are
>> pretty straight-forward. When it asks you for a network proxy, type in
>> http://10.0.2.2:8118 so it can grab updates.
>>
>> Once Xubuntu is installed, be sure to restart and update everything
>> before browsing the web. It will automatically notify you of updates. If
>> it doesn't notify you of any updates, something may have gone wrong so
>> manually check by running the command “sudo update-manager”.
>>
>> Part Four: Using Your Virtual Machine
>> Alright, we're all done setting up your virtual machine. All of your
>> proxy settings in Xubuntu should be the same as in your host system
>> except that you should replace 127.0.0.1 with 10.0.2.2. I strongly
>> suggest installing TorButton and NoScript in your web browser but
>> allowing scripts is also a possibility.
>>
>> Before you start your virtual machine, make sure you've applied the
>> iptables rules and disabled CUPS. Then, use this command from the
>> directory with your virtual hard drive to start your virtual machine. Go
>> in and tweak the settings just how you like them.
>> qemu -hda file.disk -m 512 -name TorMachine
>>
>> In the future, if you're not planning on changing settings, saving
>> files, etc. or you're taking the risk of allowing active scripts to run,
>> make sure you add “-snapshot” to the end of the command you start your
>> virtual machine with. This will stop your virtual machine from saving
>> any changes that are made to it, like flash cookies. Changes will be
>> stored while only you're using the virtual machine, so when you close it
>> and re-open it, it's like starting a fresh system.
>>
>> If you have any suggestions for changes to this guide, feedback, or
>> questions please drop me an email at ringo{at}hackbloc.org.
>>
>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>>
>> mQGiBEniUKIRBADfn8kULsRd3si+zPnVbeVp4C/cjxfOxvPURPjRMDPRZPuDuEI5
>> QIiMP+lZs0Y1BS/zubrwJ/R+knZW0dfkCbd0IBqhtcci4ZiDXRCNxxYow0MysweG
>> sbZE0QY4T2u40ffOLs9m/ENiDebUxknTyAg8/Jim9aBdEDgurCc7HCX+iwCghfLh
>> 1POMWQRkXB4zUmXQfp+u+0MD/j5SUN6ct6fH4ex3L/WeIHRA+PZXBEpQv5HCwcYO
>> 9VAtS0KYTtrBePXuhabjmiyhWIVsPHa8A+5RW3ONkK4gQ71E7sh2nu44p0rOSVkz
>> 9/ZQiHVCjxZJNhvCsabIFT2/G8OFo2XPnJ0+8Gfluueb5a/HKArUWHIvkws82kQ5
>> 75RJBACJp436/Bvk/CpKDkIG8v/4dQkyNKhv5AEAbx3jNjdOAxNSK0tBaQAulgCk
>> GFNkk+wpv6OWaawgQzFh71KvmEswSLObXk+S6WZgC+Epy4XmfzzDG/gIHD0VuBQ+
>> 2D8JzFT/TiDMu6wdYu4kgDg5sO4a5Yzn7xoYMF5YWzXnPKhXi7QacmluZ28gPHJp
>> bmdvQGhhY2tibG9jLm9yZz6IZgQTEQIAJgUCSeJQogIbIwUJAeEzgAYLCQgHAwIE
>> FQIIAwQWAgMBAh4BAheAAAoJEFUc7QiIWsvrdtkAn3KtPdxxC/qWmmIFZ4Nc4cFE
>> as42AJoDwdk/N9I3sPvc91wTTlbsKhoHLrkEDQRJ4lCiEBAAs2JYGr1k1Dgi3DMy
>> h0ziX+22tIWWyIJoGKWKFspA7nGeniOBodLBvR+POtqqGCh+bkm9I0X/YMF9oVcP
>> xXBql7H6E4JSgtCk7xtohDpLlfcCpsddVxcJdXYLynTUMcmJtCER0bCNIkTmYoV7
>> uNXAqmUNAp4zaI70yWsidpAVHme0+sBUYNinfBdlcaMddzslbDtRV7yGKgvW3E5e
>> hPNTJ0pWF6WJg4VsEOFoP7pldtQ4YWScskvuCk957K4t4Of3QZs13Nn9sQZleFJU
>> E2L1bxEHuSqY/f1F/pbKmc7in8qkoBBAyhUbzCNxxELdof3uJpBy0pw0468GvSyb
>> Z4jyh2XFvxFFAcelzc453y9GOylIC0OQczkrzOa6QrIWQSmeCzn/byjLoi+TRFve
>> usRmJn5H9MJg+k+mG5LJM2mcyQJU2UOPDvSurKmk50vByBED6Qn5CvhXJp18H6Uk
>> 2r+PICG4h8aN9KZpSrMAqYggyKgAxHTlCaQzGCwvJGiX6lx6iIm2GLoqeHdRHZZX
>> 9XognVcbTwUWJkL0LR9nhm5U0GhFGM9eRdLw89C/Z/s1/Q/QLjoDh60qXcYo+vFS
>> 5bJtiT52HnlA002opyi+Zn5mk9aXQiksOJruIdNw1rvJSe+uAIYQeBv+rinxzAyL
>> 4f/p/+vvgnfgkEc2G1hLuGTvWMsAAwYP+gIhIgQ6UwQ0Bu1gyRN88Gs9H0fnQ74Z
>> RmFXDgUtpn1YrFzFfTNegQh8vvgo1pXV4ZDPc0w9Cs8QHrspnkYrvSymAEmwYtGd
>> nvnAVVROIJfN5d140Z1FJXCgFp/3m2SAX1omYyN3/5WX9ef1uaYWub48kSdqfHlr
>> xe8Z15nXQ9E6WMgDtP5jXpfCkAnweW6/WSGRrHlRyBUevCTyRSZ4dwtim0GHsls9
>> VbfDYWJVxiKWdgjtjg+PfsXrdQG2KICEHXprS9/tYCheWaHP4couXVHDPUNMGK/w
>> HSYXbr0/xA0i0JHpRzVCDweKZ32hgbYkTXp0U7ArBYLtbfpWlB8uWHFFAIS5yJQL
>> YMwc8/qFCgl5fUGMk4ZLTgbftQo/sfcOAIPQl2nVjhnvzucj8PgBBaJgH9ORTpW6
>> 89zIzOtfXfju0dq4LC6Xj4h6SA/duh8dEiBzewNJ1FwnlrywvaQjsVdx5+5RolAk
>> gZKcT4hHCj+s2vCAyF5R70rfKkZkKhMuUzEWc4R4AzbkmI1eTtEl/FJVCzBsJRan
>> HC+YMgCdf2ujTxvBltytpWrs0nvzFVY6+RyihQsqlV6KeOtDBTv38a8Q5gdARK0j
>> 5og+X3SWHW0p29PSKk6a3NeSB08J0wlXsrNOJ/JXlYw/yIifZdgl6fO8V7rPBoQt
>> xIQB5UKSXj8YiE8EGBECAA8FAkniUKICGwwFCQHhM4AACgkQVRztCIhay+vXkQCf
>> beWbtPmJOWbXn+9LEaJTqcN73REAn2MmtesdDs24QjWfZeTfc8dyEZ2n
>> =O0oE
>> -----END PGP PUBLIC KEY BLOCK-----
>>
>