[Plash] Plash: Empowering Security

[Toby Murray]

Anyone interested in POLA needs to know about Plash. It's woefully
under-hyped and much more powerful than I believe many (including those
in the POLA community) are aware. I've tried to write something short,
sharp and sweet to address this. Please read it if you're interested and
give me feedback. Eventually, I'd like to push this to a wider audience
to spread the word further but want to get more of a mandate for doing
so first.

In particular, comments on how far I've deviated from Plash's current
feature-set would be most helpful. 

Cheers

Toby

Plash: Empowering Security

Toby Muray


Introduction

Many people believe that in order to provide security, computers need
to be locked-down. Users must be prevented from being able to run and
install arbitrary software that might cause damage or otherwise
compromise a system's security. Some fear that increasing levels of
insecurity will hasten a trend towards systems that are less
customisable and more appliance-like [1]. The power of the PC that
comes from its ability to be used as a universal machine that can be
applied to any problem might be lost.

However, while this fear is certainly well founded, despite popular
belief we do have the tools at our disposal to ensure that the PC can
be a universal machine that is both inherently powerful /and/
secure. This note draws attention to one particular tool in existence
right now that is not only a proof-of-concept for this idea, but also
a working implementation that allows users to run arbitrary software
whilst ensuring that both they and the system they are using remain
secure.


Introducing Plash

This tool is called Plash [2] and currently runs on Debian-compatible
Linux distributions such as Debian and Ubuntu [*]. Plash enables
ordinary users to install software packages that might have been built
by anyone in the world, ensuring that the software cannot harm the
user nor the rest of the system.  This allows non-Administrators to
install any software they might require in order to get their work
done.  With Plash, Administrators, meanwhile, need not lie awake
fretting that their users will have rendered their systems insecure by
doing so.

The trick lies in how Plash provides its security. We'll use an
example to illustrate. Suppose Bob, an ordinary user, needs to install
a new wordprocessor to enable him to work more productively. He checks
to see whether the wordprocessor is available as a package for his
system, e.g. by using "apt-cache search" etc. and is pleased to learn
that it is.  However, his delight is soon dampened when he realises
that he doesn't have permission to install the package and must ask
the Administrator, Alice, to install it for him.  Alice must now
decide whether the wordprocessor can be trusted. In almost all cases,
unless the software is well known and widely used, Alice has no choice
but to err on the side of caution and assume it could be dangerous --
either because it is purposefully malicious or because it contains
vulnerabilities that, if exploited, could allow an attacker to comprise
the system's security. Inevitably this leads Alice to deny Bob's
request to have the package installed. Alice and Bob are both left
frustrated with Bob unable to do his work. In short, nobody wins.
Bob's PC is rendered impotent by its archaic requirement that all
software it runs to be trustworthy.

So how does Plash help? With Plash, Bob can simply install the package
using the "plash-pkg-install" command [3].  When installing the
package, Plash places it in its own "sandbox" so that it is unable to
cause harm but does so in such a way that the application is unaware
that it has been sandboxed. Plash achieves this by /virtualising/ the
environment in which the installed package lives, thereby allowing it
to believe it is running as normal when it has actually been
quarantined away from the rest of the system. Bob can use the
wordprocessor to edit any of his files by simply using the "Open File"
dialog as normal. Plash virtualises this dialog so that it grants the
wordprocessor access to whatever file Bob chooses to
open. Alternatively, if the package is configured to recognise files
of a certain type, Bob can double-click them in the file browser to
launch the wordprocessor, giving it access in order to edit the 
selected files.

Plash installs the package and all of its dependencies into the same
sandbox, thereby allowing the package access to the other software and
libraries it needs to function. Any files that might be created when
the package is installed are created within the sandbox so that they
are ready and waiting when the application is run. The application can
also create its own files within the sandbox. Finally, Plash grants
access to standard, innocuous, facilities that the application might
require when it is run, such as the X display system and the network.

Unlike other sandbox approaches, Plash removes the need to specify
detailed policy information for each application by leveraging the
information that is already available about the application in the form
of standard package dependencies and by making smart use of existing
facilities like the "Open File" dialog to infer security information. 

More details about how Plash functions can be found on its website at
plash.beasts.org.


Conclusion

Plash empowers users by enabling them to use their PC to its full
potential while ensuring that it remains secure. It does so by
allowing users to install ordinary packages into sanboxes so that they
appear to run as normal while preventing them from harming the rest of
the system.

Plash demonstrates that by using smart solutions that go beyond
standard security measures, we can secure the PC without limiting its
power.


Endnotes

[*] The author has no affiliation with the Plash project and is merely
    an interested fan trying to spread the good word.


References

[1] Jonathan Zittrain, "Protecting the Internet Without Wrecking It.
     How to meet the security threat". Boston Review, March 2008.

[2] Plash: http://plash.beasts.org

[3] Plash Package Tools: http://plash.beasts.org/wiki/PackageTools