Improve Tails to limit the impact of security flaws, isolate critical applications, and provide same-day security updates
Tails is a live operating system used by journalists, activists, privacy-concerned citizens, whistleblowers, and victims of intimate partner abuse. It is a toolbox for computer security that makes it easier to use the right tools in the right way.
But no piece of software is ever perfect. Every release of Tails fixes numerous security flaws in the software we include in Tails: browser, cryptography and networking libraries, instant messaging client, etc. In the high-risk world we are living in, such security issues can be critical to the lives of the people who depend on our platform.
Our idea is to take this reality into account in our design and life-cycle in order to protect our users better from both known and unknown security flaws.
Tails relies heavily on Tor: all connections to the Internet are forced to go through the Tor network, without the user having to configure anything. But on top of the network anonymity provided by Tor, Tails is a complete operating system that also allows its users to work on sensitive documents, edit audio and video, and store all their files encrypted.
That's why Tails has been recognized by security researchers as currently the strongest platform for both endpoint and communication security.
In one of the documents leaked by Edward Snowden, the NSA itself describes Tails as "adding severe CNE misery" on top of Tor, which it calls "the king of high-secure, low-latency anonymity". CNE stands for "Computer Network Exploitation": attacking a target's systems by exploiting security flaws over the network.
But we think this is not enough, and we want to embed in Tails innovative and aggressive techniques to mitigate all kinds of security flaws:
- by defense in depth against unknown security flaws
- by reacting faster to known security flaws
Our strategy relies on three complementary aspects:
1. Sandboxing
Sandboxing isolates critical applications from one another so that a possible exploit in one of them doesn't compromise the system as a whole.
For example, as of today, Tails loses some of its relevance against adversaries strong enough to directly target weaknesses in its web browser: an exploit in the web browser could currently put the rest of the system at risk. The NSA documents leaked by Edward Snowden clearly showed that, on the endpoint side, the web browser is the main weak point used to attack Tor users.
We want to sandbox the web browser, the Tor client, and possibly other critical applications such as the instant messaging client.
2. Same-day security updates
A new version of Tails is released every six weeks. Each release fixes between 5 and 20 security issues that affect the various pieces of software included in Tails. This means that our users remain vulnerable to publicly known security issues until the next release fixes them, which can take several weeks.
We want to be able to provide security updates as soon as a known issue is fixed.
Tails is already the first live operating system to provide automatic upgrades: every time Tails is started it checks if upgrades are available and automatically applies them.
But we want to further automate the building and testing of these upgrades to be able to publish automatic upgrades more quickly, and more frequently. Our objective is to publish fixes for known security issues within a day. Then the users will upgrade automatically the next time Tails is started.
3. Software hardening
Software hardening proactively protects the operating system and applications from external or internal threats, by controlling the behaviour of the applications and preventing unknown security flaws from being exploited.
We want to address two different aspects of software hardening to improve Tails using defense in depth:
- Strict access control. We want to limit the resources and capabilities that each application is allowed to manipulate. This will be implemented using AppArmor, which we consider the most effective and easiest-to-use Linux application security system available. AppArmor security policies define the system resources an individual application can access, and with what privileges.
- Compile-time hardening. Exploits of security flaws often rely on a small set of well-known techniques that work the same way against many different applications, for instance corrupting memory to hijack control flow. Some of those common flaw classes can be either detected in the source code while compiling the program, or mitigated by the compiler itself while creating the binary (for example with stack protectors, position-independent code and read-only relocation tables). We want to harden at compile-time the applications we compile ourselves, like the browser, and work together with Debian to harden the binaries that we install from Debian packages.
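As an added illustration of what such an access control policy looks like (this is example code written for this page, not a profile shipped by Tails or Debian), here is a minimal AppArmor profile for a hypothetical browser installed as /usr/local/bin/example-browser. The binary path, the profile name, the per-user state directory and the Downloads location are assumptions for the example; the rule syntax is standard AppArmor. The profile grants the browser read/map access to its own files, write access only to its own state directory and to Downloads, TCP networking, and nothing else: key material in ~/.gnupg and ~/.ssh is explicitly and audibly denied, and no rule grants the right to execute other programs, so a compromised renderer cannot launch a shell.

```apparmor
# /etc/apparmor.d/usr.local.bin.example-browser
# Illustrative profile for a hypothetical browser; paths are assumptions.
#include <tunables/global>

/usr/local/bin/example-browser {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/freedesktop.org>

  # The program itself and its private libraries: map/read only, never write.
  /usr/local/bin/example-browser mr,
  /usr/local/lib/example-browser/** mr,
  /etc/example-browser/** r,

  # Per-user state: the browser's own profile directory and Downloads are the
  # only places under $HOME it may write; "owner" restricts this to files
  # belonging to the user running the browser. Everything else in $HOME is
  # simply not granted, and AppArmor denies what is not granted.
  owner @{HOME}/.example-browser/** rwk,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  # Key material: deny explicitly and log every attempt, so an exploit that
  # goes looking for secrets leaves a trace in the kernel log.
  audit deny @{HOME}/.gnupg/** rwklx,
  audit deny @{HOME}/.ssh/** rwklx,

  # Scratch space the toolkit needs.
  owner /tmp/** rwk,
  owner /dev/shm/** rwk,

  # Network: TCP sockets only. No raw sockets, so a compromised browser
  # cannot craft arbitrary packets or sniff the interface.
  network inet stream,
  network inet6 stream,
  deny network raw,

  # No rule grants execute ("x") access to any other binary: spawning a shell,
  # an updater or any helper from inside the confined process is refused.
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.example-browser` and, while exercising the browser, watch the kernel log (`dmesg` or `journalctl -k`) for lines containing `apparmor="DENIED"`: a profile that is too tight shows up there before it shows up as a user complaint, and an `audit deny` hit on the key directories is exactly the signal a compromise would produce.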
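To make "hardened binary" concrete, here is an added example (written for this page; it is not a Tails or Debian tool, although Debian's `hardening-check` script does a more thorough version of the same job): a POSIX shell function that reads the output of `readelf -W -h -l -d -s BINARY` and reports whether the binary was built as a position-independent executable, with a non-executable stack, with full RELRO, with stack protectors, and with FORTIFY_SOURCE checks. The two sample `readelf` dumps embedded in the script are constructed for the example and trimmed to the lines the checks look at; the column layout assumes `readelf -W` (wide output, one program header per line).

```shell
#!/bin/sh
# check_hardening: read `readelf -W -h -l -d -s BINARY` on stdin and report the
# compile-/link-time mitigations the binary carries. Prints one "NAME: value"
# line per check and returns 0 only if every check passes.
# Added example for this page, not a Tails or Debian tool.
check_hardening() {
    elf=$(cat)          # slurp stdin so the text can be scanned several times
    status=0

    # PIE: a position-independent executable has ELF type DYN, so it can be
    # loaded at a random base address (ASLR then covers the main binary too).
    if printf '%s\n' "$elf" | grep -qE '^ *Type: +DYN'; then pie=yes
    else pie=no; status=1; fi

    # NX: the GNU_STACK program header must not carry the E (execute) flag.
    # With -W the flags are the 7th column of that line. A missing GNU_STACK
    # header is treated as unsafe: the loader then falls back to the
    # architecture default, which on x86 is an executable stack.
    stack_flags=$(printf '%s\n' "$elf" | awk '/^ *GNU_STACK/ { print $7; exit }')
    case "$stack_flags" in
        "" | *E*) nx=no; status=1 ;;
        *)        nx=yes ;;
    esac

    # RELRO: a GNU_RELRO segment alone is partial RELRO; combined with BIND_NOW
    # (DT_FLAGS BIND_NOW or DT_FLAGS_1 NOW) the GOT is also made read-only after
    # relocation, which is full RELRO. Only full RELRO passes here.
    if printf '%s\n' "$elf" | grep -qE '^ *GNU_RELRO'; then
        if printf '%s\n' "$elf" | grep -qE '\((FLAGS|FLAGS_1)\).*NOW'; then relro=full
        else relro=partial; status=1; fi
    else relro=no; status=1; fi

    # Stack protector: code compiled with -fstack-protector(-strong/-all)
    # references __stack_chk_fail, the canary-mismatch handler.
    if printf '%s\n' "$elf" | grep -q '__stack_chk_fail'; then canary=yes
    else canary=no; status=1; fi

    # FORTIFY_SOURCE (heuristic): -D_FORTIFY_SOURCE=2 swaps str*/mem* calls for
    # __*_chk variants that carry bounds checks. A binary that never calls a
    # fortifiable function shows none of them whatever its build flags, so
    # "no" means "not proven", not "definitely unfortified".
    if printf '%s\n' "$elf" | grep -v '__stack_chk_fail' | grep -qE '__[a-z0-9_]+_chk'; then fortify=yes
    else fortify=no; status=1; fi

    printf 'PIE: %s\nNX: %s\nRELRO: %s\nStack protector: %s\nFORTIFY_SOURCE: %s\n' \
        "$pie" "$nx" "$relro" "$canary" "$fortify"
    return $status
}

# Constructed sample (not real output for any Tails binary): what readelf -W
# prints for an executable built with PIE, NX, full RELRO, stack protector and
# FORTIFY_SOURCE, trimmed to the lines the checks look at.
HARDENED_SAMPLE=$(cat <<'EOF'
ELF Header:
  Class:                             ELF64
  Type:                              DYN (Position-Independent Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000658 0x000658 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002da8 0x0000000000003da8 0x0000000000003da8 0x000258 0x000258 R   0x1
Dynamic section at offset 0x2db8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
EOF
)

# Constructed sample of a binary built with none of the mitigations:
# fixed-address EXEC, executable stack, no RELRO segment, plain strcpy.
UNHARDENED_SAMPLE=$(cat <<'EOF'
ELF Header:
  Class:                             ELF64
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000658 0x000658 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
Dynamic section at offset 0x2db8 contains 20 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
EOF
)

echo "== hardened sample =="
printf '%s\n' "$HARDENED_SAMPLE" | check_hardening
echo "== unhardened sample =="
printf '%s\n' "$UNHARDENED_SAMPLE" | check_hardening || echo "(fails: at least one mitigation missing)"
# Real use: readelf -W -h -l -d -s /usr/bin/some-binary | check_hardening
```

Two caveats a practitioner should keep in mind. A "no" for FORTIFY_SOURCE is only evidence, not proof: a program that calls no fortifiable libc function shows no `__*_chk` symbols however it was built, which is why the script labels that check a heuristic. And partial RELRO (a GNU_RELRO segment without BIND_NOW) still leaves the GOT writable, the classic target for turning a single write primitive into code execution, so the check only accepts full RELRO.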
In ONE sentence, tell us about your project to strengthen the Internet for free expression and innovation.
Our idea will protect the work and the lives of journalists and digital activists in high-risk situations by protecting them from security flaws as they appear, and make Tails the first live operating system to offer such a strong combination of preemptive security measures.
Who will benefit from what you propose? What have you observed that makes you think that?
All our current users will benefit from those improvements in the way we mitigate security issues, and from statistics on our website, we know that Tails is being started at least 7000 times a day.
Because Tails places usability among its core goals in order to make state-of-the-art security tools available to a very wide audience, it has been recommended as a must for journalists by security researchers such as Bruce Schneier and Jacob Appelbaum, and by organizations defending free speech such as Reporters Without Borders, NDI, and the Freedom of the Press Foundation.
Furthermore, tools such as Tails or Tor, relate to both online privacy (private communications), and freedom of expression (opinions expressed publicly). For example, Tails can be vital to both an activist writing a dissident blog, and a victim of intimate partner abuse communicating with her lawyer.
What progress have you made so far?
Our collaboration with other projects within the Debian community made it possible for Debian 7.0 (Wheezy) to reach important milestones with respect to sandboxing features and software hardening.
Since 2012, we have been building the foundations that make it possible to now work towards same-day security updates: automatic upgrades of Tails are available to our users, we have deployed the basic bricks for a continuous-integration platform, and our automated test suite covers substantial areas of Tails.
What would be a successful outcome for your idea or project?
When a critical security issue is made public in a piece of software included in Tails, either our hardening and sandboxing measures mitigate the practical impact of the vulnerability to the point that we can reasonably ignore it, or an automatic security update is made available to Tails users within a day.
Our collaboration with other projects such as Debian helps keep the Tails project sustainable by sharing the ongoing maintenance effort with others, but also positively impacts those projects and protects many users of other operating systems.
All of this without hindering the usability of Tails, as we think that usability is also a security feature: people who rely on Tails in high-risk situations really need it to be easy to use and hard to misuse.
Who is on your team, and what are their relevant experiences or skills?
Almost two thousand commits, by more than ten people, have been made to our main Git repository in the last six months. This does not include important contributions from translators, advocates, graphics designers, etc. The following list, limited to a few key members of our team, is obviously incomplete:
anonym was the lead developer of Incognito, the ancestor of Tails, years before Tails even existed, and he joined the Tails project soon after it was born. Since then, he has designed and implemented a great number of features that Tails needed, thanks to his aptitude for wrapping his mind around complex problems and finding elegant solutions to them. Writing our current automated test suite was another of his important achievements.
bertagaz is a Debian maintainer. Over the years, his contributions to Tails have spanned many areas, which gave him a detailed overview of the project, and makes his input and code reviews very useful. He is now focusing on improving the infrastructure behind Tails: configuration management, continuous integration and automated testing.
BitingBird does user support, helps in user interface design, and tirelessly advocates Tails in various communities, most notably the Free Software one. If you do not want to be happily recruited to contribute to Tails in some way or another, then you'd better keep away from her. She also manages to write documentation that sajolida finds good enough to be merged without too many changes, which is definitely not a claim everyone can make.
intrigeri founded the Tails project and is a Debian developer. He has been working within the Debian and AppArmor communities to improve hardening and sandboxing support in Free Software operating systems. He also designed and implemented the Tails automatic upgrades. His constant eye on long-term sustainability is certainly annoying at times, but it probably has something to do with Tails reaching its fifth birthday.
sajolida is a skilled technical writer, primarily responsible for the documentation of Tails, and coordinating the user support team. He has also been helping developers to improve the user interfaces they were creating. More generally, he is key to make the Tails user experience as smooth as possible for many diverse people.
Tails is a world-wide collective effort. We consider ourselves part of the Tor ecosystem, and at the crossroad between the free software and the human rights communities.