
Ultra-secure web browsing

January 07, 2022 — BarryK

Page created December 11, 2019
Updated: December 21, 2020; January 7, 2022  
 

EasyOS is designed from the ground-up to use containers. Any app can be run in a container, such as Chromium, Firefox, or whatever is your favourite browser, and there is isolation from the rest of the system.

Containerized apps appear on the desktop as icons with a padlock symbol on them, as you can see here:

img1

You can even have a complete desktop in a container, which is what the "pyro" icon in the above snapshot will run if you click on it.

Icon "www" will run the SeaMonkey web browser, and "console" will run the Sakura terminal emulator in a container.

Containers are easy to create and use, as you will find when you get to use EasyOS. They offer security; however, by their very nature containers must share resources with the main desktop, for example the screen, network and sound. This sharing, or lack of complete isolation, means that the security is not perfect.

Everything is relative of course, and the security of containers is certainly a big step in the right direction. However, EasyOS also offers something else, total isolation...

Total isolation, the ultimate security

Firstly, what do you want to be isolated from? The answer is very simple: the drives on your computer.

What you want to do is browse the Internet, access your bank account, or whatever, then shut down. With no record: you were never there, no trace on the hard drives. Nothing, it never happened.

So even if you visited a website that somehow compromised your system, you just shut down, and the intruder is gone, wiped out. If one of those ransomware intruders gets in and tells you that your files are encrypted and you must pay $5000 to decrypt them, you just laugh and turn off your computer: the drives were never reachable, so there was nothing there to encrypt. Note that what is being protected against is anything reaching the drives or persisting beyond the session; what a compromised browser can still do over the network during the session itself is a separate matter.

The means to achieve this protection is to run totally in RAM and totally disable the computer's drives...

Boot running totally in RAM

EasyOS has a boot menu item, "Copy session to RAM & disable drives". Here is a snapshot when booting:

img2

Update 2020-12-21:
All of the boot menu choices are now offered in the Shutdown menu. In other words, from the desktop, in the Shutdown category of the menu, you can choose to reboot with any of the choices offered by the boot manager.

The following snapshot shows "Reboot, lockdown in RAM" being chosen:

img9

Note, "Rectify" brings up a sub-menu, with more choices, such as "Reboot, with filesystem check". Further information on the "Reboot, lockdown in RAM" menu choice is here:

https://bkhome.org/news/202008/save-session-while-running-totally-in-ram.html 

Being able to choose all of the reboot options from the Shutdown menu is great. It means that whatever boot manager you use, GRUB2, rEFInd, Syslinux or whatever, you don't have to provide those options in the boot menu.

You would not choose "Copy session to RAM & disable drives" the very first time that you run EasyOS; you would do a normal bootup and set up your Internet connection, gmail login, or whatever. This pre-configures everything as you want it.

The next time that you bootup, choose "Copy session to RAM & disable drives", or "Reboot, lockdown in RAM" from the Shutdown menu, and the previous session will be copied to RAM, and you will have a desktop, with a major difference, no drives.

A usability detail:
You can choose to make this "Copy session to RAM..." the default at bootup. But if you want to go back to normal bootup, there is a choice in the boot menu to do that; "Normal bootup (remove lockdown)".

Here is the desktop. Normal looking, but the usual drive partition icons are missing:

img3

...notice, no container icons either. You are already totally isolated, no need for containers.

You are still running as the 'root' user, with administrator rights, though somewhat curtailed, as you cannot access any drives. And if you cannot access any drives, neither can an intruder.

Update 2020-12-21:
Administrator rights have been further curtailed. Think of it as "crippled root". The Linux capability CAP_SYS_ADMIN has been dropped in some builds of EasyOS, and the kernel "lockdown" LSM has been set to "confidentiality" via securityfs. Also, the internal HDD is put into deep-sleep mode. Some relevant blog posts:  1  2  3  4
 

As mentioned above, at bootup the session is copied to RAM. For the technically-minded, the session folder is at /mnt/${WKG_DEV}/${WKG_DIR}.session; you can find the values of those variables in /etc/rc.d/PUPSTATE. So this folder gets copied to RAM, and the drive is then disabled.

/files folder:
After bootup, you will see this folder. It is intended for you to keep all your downloads and personal files here. It is a special case: as it could get very large, not all of it is copied to RAM, only whatever is in /files/shared.
 

How to share files

You are running in RAM, no access to the computer's drives, but here is the trick: if you plug in a USB stick, it will be usable. Any drive that you physically plug in (or re-plug) is usable.

Say that you downloaded a file from the web, and you want to save it permanently. Just plug in a USB-stick and save it. Or if you have booted from a USB-stick, just re-plug it. Note, you cannot do this from software; it has to be an actual physical plug-in or re-plug.

In this snapshot, some screen snapshots had been taken, so a USB-stick was plugged in, and then the files could be copied to it:

img3

...sdb1 and sdb2 are partitions on the USB-stick, and sdb2 was mounted just by clicking the icon.

What if you want to make a change, maybe to the preferences of the web browser? No problem, just do a normal bootup, and make the changes.

"save" icon on desktop:
If you have booted from a USB-stick, or any removable drive, there is now a "save" icon on the desktop. Replug the drive to make it visible, then click "save" and the session will be saved to the USB-stick. This feature is not available if you boot Easy from an internal drive, as that is totally disabled.
A usability detail: everything under /files will also get saved.
 

This feature of EasyOS is becoming increasingly recognised as something very special, but how is it done?

How it is done

In a nutshell, the initramfs (initrd) drops certain Linux capabilities when it performs a switch_root to the main desktop in RAM, which removes any ability to access the drives.

For EasyOS versions 2.2 or later in the Buster series, or 1.3 or later in the Pyro series, the 5.4.x Linux kernel has the "lockdown" feature, an extra level of security that prevents any extra-clever method of peeking into the kernel to get at the drives.
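If you want to confirm from inside a "lockdown in RAM" session that the capability dropping and the lockdown LSM described above (and in the 2020-12-21 update) have actually taken effect, the two places to look are the CapBnd line of /proc/self/status (the capability bounding set, as a hex mask) and /sys/kernel/security/lockdown (the active mode is the word in square brackets). The script below is an added example for this page, not part of EasyOS or its initrd. CAP_SYS_ADMIN is the capability the page names; checking CAP_SYS_RAWIO and CAP_MKNOD as well is an assumption of this example about what else a path to a drive would need.

```python
#!/usr/bin/env python3
"""Check whether the "crippled root" state described on the page holds in the
current session: which drive-relevant capabilities are gone from the bounding
set, and which kernel lockdown mode is active.  Added example, not EasyOS
code; it only reads /proc and securityfs and needs no privileges."""
import re
import sys

# Capability numbers from <linux/capability.h>; the list index is the bit
# position in the hex masks that /proc/<pid>/status reports.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities whose absence matters for "cannot touch the drives".
# sys_admin is the one the page names (mount, device control); sys_rawio and
# mknod are this example's assumption (raw block I/O, creating device nodes).
DRIVE_CAPS = ("sys_admin", "sys_rawio", "mknod")


def decode_capmask(hex_mask):
    """Turn a hex capability mask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def bounding_set(status_text):
    """Extract and decode the CapBnd line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line found")
    return decode_capmask(m.group(1))


def lockdown_mode(lockdown_text):
    """Return the active mode from /sys/kernel/security/lockdown, whose content
    looks like 'none integrity [confidentiality]'; None if unreadable."""
    m = re.search(r"\[(\w+)\]", lockdown_text)
    return m.group(1) if m else None


def audit(status_text, lockdown_text):
    """Summarise the session: drive-relevant capabilities still in the bounding
    set, the lockdown mode, and whether the page's 'crippled root' state holds
    (no drive-relevant capability left and lockdown at 'confidentiality')."""
    caps = bounding_set(status_text)
    still_present = sorted(c for c in DRIVE_CAPS if c in caps)
    mode = lockdown_mode(lockdown_text)
    return {
        "drive_caps_present": still_present,
        "lockdown": mode,
        "crippled_root": not still_present and mode == "confidentiality",
    }


def main():
    with open("/proc/self/status") as f:
        status = f.read()
    try:
        with open("/sys/kernel/security/lockdown") as f:
            lockdown = f.read()
    except OSError:
        lockdown = ""  # securityfs not mounted, or kernel without the lockdown LSM
    report = audit(status, lockdown)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0 if report["crippled_root"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a normal bootup and again after "Reboot, lockdown in RAM": in the normal session sys_admin, sys_rawio and mknod should all be reported present; in the lockdown session sys_admin should be gone and the lockdown mode should read "confidentiality". Bounding-set removal is inherited by every process started after the switch_root, so a browser that is compromised later cannot regain what the initrd dropped.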

The switch_root is onto a layered filesystem (using aufs), with 'easy.sfs' as the read-only bottom layer and RAM (actually a zram device) as the top, read-write layer.

These are technical details, which need not concern a user. 

One technical detail that is useful for the user to know is that "zram" is used, meaning compressed RAM. What this means is that even if your PC has little RAM, say only 4GB, all files are stored compressed, so you will actually have almost twice that space, maybe 6 or 7GB free.

Note, it is recommended that a computer with at least 4GB RAM be used. With anything less, such as 2GB, you might have problems with running out of RAM space. Though 2GB might be OK if you are careful: there is a "storage" icon in the system tray, so you will always know how much RAM space you have left.

How to run extra apps

As mentioned above, 'easy.sfs' is the bottom layer. This is a file that has all of EasyOS, so you have LibreOffice, SeaMonkey, Inkscape, etc., etc. But what if you want another app, such as Firefox?

Very simple, do a normal bootup and install the app. In a normal bootup, the desktop has "petget" and "sfsget" icons.

The former, "petget", is the traditional package manager, and installs whatever you want.

"sfsget" installs SFS files, such as Firefox. You will be offered the choice of installing the SFS as a container or to the main desktop; choose the main desktop.

Next time that you boot with "Copy session to RAM & disable drives", whatever you installed with "petget" and "sfsget" will be copied to RAM and be available. 

Disclaimers

Of course there cannot be an absolute guarantee of security, but it is looking good. If you are a Linux wiz and able to identify any way to access the drives, please communicate with Barry, via the "Contact me" link at the top of this web page.

There have to be the usual disclaimers, that although Barry, the creator and maintainer of EasyOS, has acted in good faith, you use EasyOS entirely at your own risk.  Further legal details are here.

Tags: user