1 of 63

Building secure applications with Qubes OS

Qubes OS Summit 2022

Michael Z, Senior Software Engineer

2 of 63

Overview

  • About FPF
  • SecureDrop
    • What it is
    • Who uses it
    • “Classic” architecture…
    • … plus SecureDrop Workstation
  • SecureDrop Workstation
    • Current architecture
    • Lessons learned…
    • Possible futures?

https://securedrop.org

3 of 63

Freedom of the Press Foundation

https://freedom.press

https://securedrop.org

4 of 63

About Freedom of the Press Foundation

  • Advocacy
    • Mostly focused on US press freedom issues
  • US Press Freedom Tracker
    • documents and categorizes press freedom violations across the US, involving national, state and local authorities.
  • Digital Security Training
    • Training journalists and activists, organizational audits (internationally)
  • Open Source Software Development
    • SecureDrop, SecureDrop Workstation, Dangerzone…


5 of 63

SecureDrop is an online whistleblowing platform, hosted on-premises by news organizations. It uses Tor onion services for source anonymity and GPG for encryption. The code is free software, licensed under the AGPL.

6 of 63

Some of the organizations that use SecureDrop

7 of 63

Current SecureDrop Team

  • Kevin, Engineering
  • Allie, Engineering
  • Cory, Engineering
  • Rowen, Engineering
  • Erik, Engineering
  • Harlo, Digital Security
  • Olivia, Digital Security
  • David, Digital Security
  • Nathan, Support Engineering
  • Kunal, Engineering
  • Gonzalo, Engineering
  • Alex, Security Engineering
  • Abigail, Support
  • Giulio, Security Engineering
  • Michael, Engineering
  • Tina, UX

Legend (the slide colour-codes each person by time spent on SecureDrop): 100% / >= 50% / >= 25%

8 of 63

Quick intro: SecureDrop “Classic”

9 of 63

Application server: Runs two Python web applications (one for sources, one for journalists) exposed via Tor Onion Services.

Source Interface: Public v3 Onion URL, accessible by anyone in Tor Browser

Journalist Interface: Authenticated v3 Onion URL. Requires key-based auth to resolve. Only accessible to journalists.

10 of 63

What the source sees

11 of 63

What the journalist sees

12 of 63

Private key to decrypt documents only in the air-gap environment.

13 of 63

Downsides

  • Existing workflows are slow (~1 hour round-trip)
  • It’s hard to patch an air-gapped system
  • To do their jobs, journalists need more tools than just viewing/exporting/printing


14 of 63

Introducing SecureDrop Workstation

15 of 63

Classic air-gap architecture

16 of 63

New consolidated architecture

17 of 63

Demo Time!

What we’ve learned

(or: pain points)

21 of 63

Changes to dom0 are mandatory

  • It’s where templates get installed and VMs set up!
  • SDW needs qrexec policies set up to allow VMs to communicate without user intervention
  • Installing anything into dom0 requires 1337 skillz
    • Our installation procedure relies heavily on manual terminal input in multiple VMs
    • No easy access to copy-paste from a browser = pain

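The "allow VMs to communicate without user intervention" requirement above means every qrexec call between SDW VMs must resolve to `allow` rather than `ask` (or fall through to the default deny). As an added example, not SDW's own installer or policy, here is a small auditor for a Qubes R4.1-style policy file: it reproduces qrexec's first-match semantics and reports every VM pair that would prompt or be denied. The policy text is constructed; sd-app, sd-gpg and sd-viewer are assumed VM names, while sd-devices and split-GPG (qubes.Gpg) come from the talk.

```python
from collections import namedtuple

# Constructed policy in the Qubes R4.1 /etc/qubes/policy.d line format
# (service argument source target action). sd-app, sd-gpg, sd-viewer are assumed.
SDW_POLICY = """
# SDW rules come first, so they win over the generic catch-all below
qubes.Filecopy   *  sd-app   sd-devices         allow
qubes.OpenInVM   *  sd-app   @dispvm:sd-viewer  allow
qubes.Gpg        *  sd-app   sd-gpg             allow
qubes.Filecopy   *  @anyvm   @anyvm             ask
"""

Rule = namedtuple("Rule", "service argument source target action params")

def parse_policy(text: str) -> list:
    """Parse policy lines; comments and '!include' directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        f = line.split()
        if len(f) < 5 or f[4] not in ("allow", "ask", "deny"):
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append(Rule(f[0], f[1], f[2], f[3], f[4], tuple(f[5:])))
    return rules

def effective_rule(rules, service, source, target):
    """qrexec applies the first matching rule; no match at all means deny."""
    for r in rules:
        if (r.service in (service, "*") and r.source in (source, "@anyvm")
                and r.target in (target, "@anyvm")):
            return r
    return None

def audit(policy_text, services, vms):
    """List (service, source, target, problem) for every VM pair that would
    prompt the user ("ask") or be denied outright, i.e. break automation."""
    rules = parse_policy(policy_text)
    findings = []
    for svc in services:
        for src in vms:
            for dst in vms:
                if src == dst:
                    continue
                r = effective_rule(rules, svc, src, dst)
                if r is None or r.action == "ask":
                    findings.append((svc, src, dst, "deny" if r is None else "ask"))
    return findings
```

Run `audit(SDW_POLICY, ["qubes.Filecopy", "qubes.Gpg"], ["sd-app", "sd-devices", "sd-gpg"])` to see which directions are covered only by the catch-all `ask` rule; rule order matters, since a generic `ask` placed first would shadow every SDW `allow` below it.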

24 of 63

Keeping Qubes OS fully updated is non-trivial

  • We enforce an update policy that requires users to apply all OS updates before starting the client (once every 8h)
    • We reboot sys-* VMs when necessary
    • If dom0 is updated, a reboot is required
  • The more templates an application like ours depends on, the more error prone and slow updating can become
    • We slimmed down from 6 (or 8) Template VMs to 2 (or 4)

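The update policy on this slide has three moving parts: an 8-hour freshness gate on starting the client, restarting sys-* VMs whose template changed, and a mandatory reboot after a dom0 update. As an added example (not the SDW updater's own code), the following models those decisions from a status record; the JSON layout, template names and VM-to-template mapping are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

UPDATE_INTERVAL = timedelta(hours=8)   # the "once every 8h" policy on the slide

# Constructed status record of the kind an updater could persist in dom0.
STATUS_JSON = """{"last_success": "2022-09-10T06:00:00+00:00",
 "updated": ["dom0", "fedora-36", "sd-small-bullseye-template"]}"""

# Which template each VM is based on (constructed; the real names differ).
VM_TEMPLATES = {
    "sys-net": "fedora-36", "sys-firewall": "fedora-36", "sys-usb": "fedora-36",
    "sd-app": "sd-small-bullseye-template", "sd-proxy": "sd-small-bullseye-template",
    "sd-devices": "sd-large-bullseye-template",
}

def client_may_start(last_success: Optional[datetime], now: datetime) -> bool:
    """Gate the client: no successful update yet, or one 8h or older, blocks it."""
    return last_success is not None and now - last_success < UPDATE_INTERVAL

def vms_to_restart(updated: set, vm_templates: dict) -> list:
    """An AppVM keeps running on the old template image until restarted, so
    restart the sys-* VMs whose template changed (the slide's own scope)."""
    return sorted(vm for vm, tpl in vm_templates.items()
                  if tpl in updated and vm.startswith("sys-"))

def plan_after_update(status_json: str, vm_templates: dict, now: datetime) -> dict:
    """Turn the updater's status record into the actions the slide describes."""
    status = json.loads(status_json)
    updated = set(status["updated"])
    last = status.get("last_success")
    last = datetime.fromisoformat(last) if last else None
    dom0_updated = "dom0" in updated        # a dom0 update always needs a reboot
    return {
        "reboot_required": dom0_updated,
        "restart_vms": vms_to_restart(updated, vm_templates),
        "client_may_start": client_may_start(last, now) and not dom0_updated,
        # the more distinct templates, the more that can fail or stall per run
        "templates_in_use": sorted(set(vm_templates.values())),
    }
```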

26 of 63

Unusual UX challenges

  • The devices widget is risky for non-technical users…
    • SDW auto-attaches USB drives and printers to a dedicated non-networked named DispVM (sd-devices)
  • VM separation creates unexpected behaviours
    • Example: printing is entirely separate from viewing
    • Documents are opened in a regular unnamed DispVM
    • … but the printer is only available in sd-devices


27 of 63

SaltStack

  • Difficult to debug
    • When states fail, the info one looks for is often hidden
  • Not as idempotent as one would hope once cmd.run sneaks in
  • Enforcing an order of operations across multiple VMs that depend on other VMs isn’t supported natively and requires out-of-band scripting
  • Relying on it too much can bite you


30 of 63

Possible futures

(or: things we’re still discussing)

34 of 63

Maintain our own RPC calls

  • Main motivation: VM pipelines!
    • qvm-open etc. is good for direct VM-to-VM communication, but workflows involving multiple VMs get complex to manage…
    • e.g.: sanitize/redact/archive
  • Also: substituting technologies (Sequoia based RPC replacing split-GPG) or printing from DispVMs?


38 of 63

Pluggable architecture

  • Motivation: journalists still need more tools than just viewing! (e.g.: sanitize/redact/archive)
  • Asking users/orgs to just change our templates?
    • Update policy + downstream template mods = ouch
    • dom0’s “best not to touch it” rule may apply to our templates as well
  • How to go about extending the application then?


41 of 63

Pluggable architecture

  • We’re looking for a persistent way for our client to discover…
    • what’s possible to do
    • and what to do that with
    • while leaving templates untouched.
  • Potential target: build a key-value store with qubes.features, similar to qubes.ext.services:ServicesExtension
    • Get configurability without Salt, use more DispVMs?

Candidate mechanisms: RPCs? other VMs? a dom0-based “registry”?

42 of 63

Conclusions

43 of 63

Qubes OS already is a powerful platform for multi-VM applications

  • qrexec and its policy system are rad as hell
    • They alone allow for building “native” multi-VM apps
  • Installing a multi-VM app is hard, but a solvable problem
  • Often, solutions to the troubles we’re facing can be “discovered” in existing frameworks


46 of 63

Questions?

47 of 63

Get involved!


48 of 63

Fini


50 of 63

SecureDrop release timeline, 2019 (timeline graphic from Jen, reusable for most SD presentations)

  • SecureDrop 0.11.1, released January 24, 2019: emergency release for upstream vulnerability in the apt package manager
  • SecureDrop 0.12.0, released February 26, 2019: first support for Ubuntu Xenial, updated kernel, workaround for upstream NoScript bug
  • SecureDrop 0.12.1, released March 20, 2019: improved upgrade experience for administrators moving to Ubuntu Xenial
  • SecureDrop 0.12.2, released April 25, 2019: broader hardware support for SecureDrop servers
  • SecureDrop 0.13.0, released May 29, 2019: remove support for Ubuntu Trusty (end of life)
  • SecureDrop 0.13.1, released June 18, 2019: bugfix release for Python 3 compatibility issue
  • SecureDrop 0.14.0, released July 10, 2019: mitigations for ongoing attacks against the GnuPG keyserver ecosystem
  • SecureDrop 1.0.0, scheduled September 17, 2019: v3 onion service support, migration of servers to Python 3 only
  • SecureDrop 1.1.0, released October 21, 2019: Tails 4 support release
  • SecureDrop 1.2.0, scheduled December 3, 2019

52 of 63

🌏 SecureDrop is now in 20 languages! 🌏

  • Arabic
  • Catalan
  • Czech
  • English
  • German
  • Greek
  • Spanish
  • French
  • Hindi
  • Icelandic
  • Italian
  • Norwegian
  • Dutch
  • Portuguese, Brasil
  • Romanian
  • Russian
  • Slovak
  • Swedish
  • Turkish
  • Chinese, Traditional

61 of 63

SDW relies on:

  • VM isolation
  • Network isolation and chaining
  • Templates and OS update infrastructure
  • Disposable VMs
  • qrexec and RPC policies


62 of 63

UX challenge focus: printing

  • TODO: Screenshots here? xpp vs eog printing UI (entire slide is WIP)
    • SD client print → copy doc → conversion → xpp
    • eog print → GNOME printing UI → cups/IPP
  • Completely disparate pipelines with different expectations at different stages


63 of 63

Allow printing from DispVMs

  • Main motivation: Usability (and aesthetics)
  • Modern printing infrastructure works by auto-detecting hardware and doesn’t need drivers to print
    • … and is basically synonymous with IPP
  • RPC service to proxy IPP, provide a PDF printer in the source VM, ship result to the target VM with the printer attached to it for actual printing?
