Plash: Empowering Security
Introduction
Many people believe that in order to provide security, computers need to be locked down. Users must be prevented from running and installing arbitrary software that might cause damage or otherwise compromise a system's security. Some fear that increasing levels of insecurity will hasten a trend towards systems that are less customisable and more appliance-like [1]. The power of the PC, which comes from its ability to be used as a universal machine that can be applied to any problem, might be lost.
However, while this fear is certainly well founded, and despite popular belief, we do already have the tools at our disposal to ensure that the PC can be a universal machine that is both inherently powerful and secure. This note draws attention to one particular tool in existence right now that is not only a proof of concept for this idea, but also a working implementation that allows users to run arbitrary software whilst ensuring that both they and the system they are using remain secure.
Introducing Plash
This tool is called Plash [2] and currently runs on GNU/Linux with binary packages available for Debian-derived distributions including Ubuntu [*]. Plash enables ordinary users to install software packages that might have been built by anyone in the world, ensuring that the software cannot harm the user nor the rest of the system unless the user explicitly chooses to allow it to do so. Plash enables non-Administrators to install any software they might require in order to get their work done. Administrators, meanwhile, need not lie awake fretting that their users will have rendered their systems insecure by doing so.
The trick lies in how Plash provides its security. We'll use an example to illustrate. Suppose Bob, an ordinary user, wants to install a new word processor that he's read is the greatest thing since sliced bread. Unfortunately, because the software is new, Bob isn't sure that it is safe to install: it hasn't been packaged specifically by his distribution of Linux. Bob is worried that by installing it, the package might either accidentally damage his perfectly configured machine or, worse, maliciously try to damage it. Bob knows that while software is being installed, any installation scripts run as part of the install process can modify his system in whatever way they choose. He is rightly sceptical of installing this new piece of software, despite its apparent usefulness.
So how does Plash help? Bob can use Plash to simply install the software package, safe in the knowledge that it can neither harm his system whilst being installed, nor cause any damage to his machine once it is installed, unless he explicitly allows it to do so [**]. When installing the package, Plash places it in its own "sandbox" so that it is unable to cause harm, but does so in such a way that the application is unaware that it has been sandboxed. Plash achieves this by virtualising the environment in which the installed package lives, allowing it to believe it is running as normal when it has actually been quarantined away from the rest of the system. Bob can use the word processor to edit any of his files by simply using the "Open File" dialog as normal. Plash virtualises this dialog so that it grants the word processor access to whichever file Bob chooses to open, and to that file only. Alternatively, if the package is configured to recognise files of a certain type, Bob can double-click them in the file browser to launch the word processor, giving it access to edit the selected files.
Plash installs the package and all of its dependencies into the same sandbox, thereby allowing the package access to the other software and libraries it needs to function. Any files that might be created when the package is installed are created within the sandbox so that they are ready and waiting when the application is run. The application can also create its own files within the sandbox. Finally, Plash grants access to standard facilities that the application might require when it is run, such as the X display system and the network.
Unlike other sandbox approaches, Plash removes the need to specify detailed policy information for each application by leveraging the information that is already available about the application in the form of standard package dependencies and by making smart use of existing facilities like the "Open File" dialog to infer security information.
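The "Open File" grant described above, as an added in-process model that is not Plash's own code: the confined application has no ambient view of the filesystem, and the trusted side hands over an open descriptor only for the file the user picked. Plash passes descriptors to a separate sandboxed process; this sketch merely duplicates one within a single process, and the Sandbox, Powerbox and demo names are assumed for illustration.

```python
import os
import tempfile

class Sandbox:
    """Confined side: no ambient filesystem access, only granted handles."""
    def __init__(self):
        self._granted = {}  # name the app sees -> real open descriptor
    def open(self, name):
        # Ungranted names do not exist for the app, whatever the disk says.
        if name not in self._granted:
            raise FileNotFoundError(name)
        f = os.fdopen(os.dup(self._granted[name]), "r+")
        f.seek(0)  # duplicated descriptors share one file offset
        return f

class Powerbox:
    """Trusted side standing in for the 'Open File' dialog: choosing is granting."""
    def __init__(self, sandbox):
        self._sandbox = sandbox
    def user_chose(self, real_path):
        fd = os.open(real_path, os.O_RDWR)  # opened outside the sandbox
        self._sandbox._granted[os.path.basename(real_path)] = fd

def demo():
    """Constructed scenario: a private file the app was never granted and a
    letter Bob picks in the dialog; returns what the app managed to do."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "secret.txt")
    letter = os.path.join(workdir, "letter.txt")
    for path, text in ((secret, "hunter2"), (letter, "Dear Alice,")):
        with open(path, "w") as f:
            f.write(text)
    app = Sandbox()
    dialog = Powerbox(app)
    results = {}
    try:
        app.open("secret.txt")  # never chosen by Bob, so never granted
        results["secret_readable"] = True
    except FileNotFoundError:
        results["secret_readable"] = False
    dialog.user_chose(letter)  # Bob picks letter.txt in the dialog
    with app.open("letter.txt") as f:
        results["letter_before"] = f.read()
    with app.open("letter.txt") as f:
        f.seek(0, os.SEEK_END)
        f.write(" Regards, Bob")
    with open(letter) as f:  # checked from outside the sandbox
        results["letter_after"] = f.read()
    return results
```

The point to notice is that no policy file names secret.txt or letter.txt: the only policy is the user's choice in the dialog.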
More details about how Plash functions can be found on its website at plash.beasts.org.
Conclusion
Plash empowers users by enabling them to use their PC to its full potential while ensuring that it remains secure. It does so by allowing users to install ordinary packages into sandboxes so that they appear to run as normal while being prevented from harming the rest of the system.
Plash demonstrates that by using smart solutions that go beyond standard security measures, we can secure the PC without limiting its power.
Endnotes
[*] The author has no affiliation with the Plash project and is merely an interested fan trying to spread the good word.
[**] Plash is a work in progress. At the time of writing, its package tools [3] provide most of the functionality described here, but some still remains to be implemented. In particular, the ability to prevent install scripts from harming the system has yet to be implemented, although Plash's current capabilities make implementing this feature in future releases almost trivial.
References
[1] Jonathan Zittrain, "Protecting the Internet Without Wrecking It. How to meet the security threat". Boston Review, March 2008.
[2] Plash: http://plash.beasts.org
[3] Plash Package Tools: http://plash.beasts.org/wiki/PackageTools
