[tor-talk] Is there a way to use internet in a sandbox environment? (Linux)
Ben Tasker
ben at bentasker.co.uk
Tue Mar 26 23:21:52 UTC 2019
Nothing is 100% safe, but by instituting isolation you'll have raised the
bar.
For "something" to escape your internet VM would require some kind of
hypervisor exploit. Technically there is the potential for rowhammer style
attacks from within that VM, but for the forseeable future that'd likely
mean a pretty targeted attack.
Basically it all depends on your threat model. Some prefer to boot tails
from read only media on a system with no disks, others don't need that
level so are willing to sacrifice a little security in the name of
convenience.
There's a lot more to opsec than just the browser you're running too.
That said, you specifically mentioned concerns about malware, so a simple
VM could well be enough for you (or even a multi-vm setup like Qubes to
reduce the risk of data leaks). You could also have a disconnected VM for
"offline" stuff, but it'd probably be overkill for most people.
On Tue, 26 Mar 2019, 10:52 npdflr, <npdflr at zoho.com> wrote:
> Thanks Ben Tasker for the information.
>
>
>
> Regarding KVM:
>
> If I use two KVMs one for offline use and other for online use then would
> you say that the KVM used for offline use is 100% safe? (as KVM basically
> is a hardware-assisted virtualization)
>
>
>
>
>
> ---- On Sun, 24 Mar 2019 15:51:27 -0700 Ben Tasker <ben at bentasker.co.uk>
> wrote ----
>
>
>
> Most browsers actually already do exactly this and run tabs inside a
>
> sandbox.
>
>
>
> If you wanted to restrict that further, you could look at chrooting or
>
> using docker. Or take it a step further and use a full blown VM (whether
>
> that's KVM or something like Virtualbox).
>
>
>
> But don't, please, follow the suggestion of using root for routine
>
> non-internet tasks. You should use privileged accounts only when you
>
> actually require that level of privilege. Also keep in mind that while
>
> malware running as an unpriviliged user cannot (generally) hose the system,
>
> it can still steal/corrupt whatever data that user has access to. Unless
>
> this is a shared system, you probably care more about that data than the OS
>
> files themselves.
>
>
>
>
>
>
>
> On Sun, 24 Mar 2019, 13:27 npdflr, <mailto:npdflr at zoho.com> wrote:
>
>
>
> > Using internet in a sandbox environment would be ideal to prevent
>
> > viruses/theft.
>
> >
>
> >
>
> >
>
> > I am posting some links related to this topic.
>
> >
>
> >
>
> >
>
> > 1) Discussion on stackexchange:
>
> >
> https://security.stackexchange.com/questions/35373/how-to-make-sandbox-only-internet-access
>
> >
>
> >
>
> >
>
> > 2) Using hypervisor/kvm to connect to the internet. Hypervisor
>
> > Technologies:
>
> >
> https://opensourceforu.com/2016/03/the-top-open-source-hypervisor-technologies/
>
> >
>
> >
>
> >
>
> >
>
> > 3) Virtual Desktop: https://help.comodo.com/topic-72-1-522-6274-.html
>
> >
>
> >
>
> >
>
> > 4) Another way would be to block internet for the root user in Linux and
>
> > allowing internet only for other users. In this way, one is using root
> for
>
> > offline activities and other users for online activities (just like a
>
> > sandbox environment).
>
> >
>
> >
>
> >
>
> > But it looks like if you enable internet connection for non-root user
> then
>
> > the root user is automatically connected to the internet (I maybe wrong).
>
> >
>
> > I have tried using some commands from the below links replacing
> "USERNAME"
>
> > with "root" (THERE MAYBE RISK INVOLVED IN DOING SO) but I had to restart
>
> > the system to enable the internet connection again.
>
> >
>
> >
>
> >
> https://askubuntu.com/questions/223434/how-to-disable-internet-for-a-user-on-a-system
>
> >
>
> >
>
> >
> https://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > Any suggestions?
>
> >
>
> >
>
> >
>
> > Thank you.
>
> > --
>
> > tor-talk mailing list - mailto:tor-talk at lists.torproject.org
>
> > To unsubscribe or change other settings go to
>
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> >
>
> --
>
> tor-talk mailing list - mailto:tor-talk at lists.torproject.org
>
> To unsubscribe or change other settings go to
>
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
More information about the tor-talk
mailing list