Hi There, Whonix/Kicksecure community here.
I have wrote an article showing where did i have reach with my experience of what we should have for the future as an OS, i would like to share that with you and see if you share the same vision.
In nowadays there is still no great secure operating system developed, especially one based on free software. Most of the necessary software exists, but the challenge lies in integrating it all into a cohesive whole to produce the most secure operating system.
What I will add here are software that already exist in reality, not theoretical ones.
Kernel (system)
Sadly, there is no reliable or usable freedom operating system based on a microkernel design. What we have are only monolithic ones, based on the Linux kernel.
Linux, by design, does not offer the same level of security as a microkernel. It is considered obsolete; nobody would want to build an operating system from scratch based on a monolithic design in nowadays.
Alternatives?
All mentioned are in active development and free software (sel4 is copyleft).
What i would avoid for sure is Zircon, because its google based.
Whatâs left are seL4 and Redox. Both are good, and if I had to choose one, I would choose seL4 due to its maturity.
Note (1): Minix and GNUmach are inactive.
Note (2): Hybrid kernel is not an option.
Packages Policy
The package is only going to be as secure and up-to-date as the upstream developers made it. There must be no interference or external involvement in adding or removing code from any package (no package maintainer).
Why
We have the Debian design, and weâve seen how flawed it is when it comes to security and feature fixes. Itâs horrible in every aspect. What we get from Debian is, at best, working software, but that doesnât mean itâs secure, up-to-date, or even always stable. Issues like packages crashing on shutdown when clicking X or freezing on specific Y action, are common (because they are already in the distro passing freeze timeline without upstream fixes), and such bugs when occurs are unlikely to be addressed in a timely manner.
A major security flaw in Debian and Debian-like philosophies is that if the upstream of a package fixes a security issue and pushes it to their users, Debian remains unaware of it and will not include the fix in their own package unless it is documented or assigned a CVE. As a result, users remain vulnerable for up to maybe entire five years.
Another issue is the complexity trust in the chain of delivery. The more people who can add, remove, or manipulate the code, the more trust becomes a concern. If the code goes from developer X to intermediary Y (or even more intermediaries) before reaching the user, then the user must trust not only X but also Y and anyone else in the chain. Moreover, X doesnât know Y or their practices, so X must also trust Y not to tamper with the code before reaching the user. This design introduces unnecessary trust assumptions. Code must be delivered directly from X to the user.
Note: Operating system developers should only interact with core/system-level packages, such as the kernel or desktop environment or VM configs or so.
System VS User Packages
System packages: Are going to be immutable, meaning read-only, no ability to modify with any rights (This helps as well with Verified Boot).
User packages: Will always be kept up to date with the upstream.
Kernel (user)/App-per-VM (ApV)
Realistically, having pure packages working directly with seL4 is not practical. It could take 10 to 20 years or even longer. (Linux has been around for over 30 years, and there are still packages that are Windows-only.)
So to solve this issue, we gonna use an already functional kernel which is linux!.. ok hold on a second didnt we just say that linux is a bad design? Thats correct if its used as the main operating system kernel, but if its used in a VM and that VM runs only a single application like firefox or thunderbird..etc the danger drastically decreased/minimized.
Note: AppArmor, SELinux, Firejail, Containers.. all are flawed designs when it comes to relying on them for security with packages running on Linux directly on hardware.
VM per Package per User (compartmentalization)
Each VM will run at the user level, and every VM will have its own dedicated user account. This isolation ensures that if a VM is compromised, it wonât lead to the compromise of all user packages or affect other VMs.
Default Block All
By default, when any app is installed in the VM, nothing is allowed automatically. Every permission including internet access must be explicitly granted by the user. This approach prevents any unwanted permissions from being applied silently without the userâs notice or consent.
No Backward Nor Sideward compatibility
No Backward: The operating system will continue updating itself for supported XYZ hardware. Once any hardware becomes obsolete, it will no longer be compatible, no legacy support.
No Sideward: There will be no compatibility for Linux, Windows, or BSD software at the system level. Compatibility may exist in App-per-VM. By default, only Linux apps are supported.
Additionally, if any app running in a VM does not work with a specific Linux version or hardware architecture, it is not the operating systemâs responsibility to ensure compatibility (upstream issue).
Packages Source (App-per-VM)
One might say that hosting our own packages on our own servers would be the ideal solution, and thatâs true. However, with a small team and limited resources, thatâs not currently feasible (though it remains the long-term goal).
What we can do instead is source packages from existing systems, whether Gentoo, Arch, Nix, or others as long as we can obtain pure, upstream, patchless packages. Reproducibility is essential here to ensure that the packages have not been tampered with in the path of delivery.
Note: We can also support App(per-VM) rollback, or install older version directly, since these packages already exists in these OSs repository.
This approach doesnât conflict with the core philosophy of keep it updated, as the primary focus remains on using updated software, not rollbacks.
App-per-VM Hypervisor type
Type 1 (bare-metal) hypervisors will be used for minimalism, reduced attack surface, and better performance.
seL4 provides libsel4vm, which fits well with this design.
Package Manager Security
All packages delivery must comply with TUF, meaning delivery path of the packages must be secured without the depends on TLS to do that.
Note: This level of security is not fully implemented by any existing package manager that Iâm aware of. However, it can be enforced when using our own server for packages, especially in the App-per-VM model.
Bootstrappability
I think this is possible, since the OS will be with minimal packages (as a system level). [ref]
Wayland only
There wont be x11/xorg nor xwayland, either wayland or no land.
No Rescue mode
Rescue mode is like giving a backdoor to your own OS or software. If you break your system or forget your password, itâs your responsibility, no one elseâs and no help will be provided, because thereâs nothing anyone can do.
This also encourages users to maintain proper backups of their data, whether on their own hardware or in the cloud.
(Rollback and Snapshots helps as well)
Architecture & CPU Support
Only x86 will be supported, due to its widespread use (Intel or AMD CPUs). Support may be extended in the future to other freedom (or almost freedom) based architectures, such as RISC-V.
ARM or similar proprietary architectures will not be supportedâthereâs no reason to waste time on them. Supporting the most common proprietary architecture (x86) is sufficient. (Though seL4 supports ARM anyway).
No Stupid or OLD Devices Support
There wont be any old or nonsense software support in the system level (like IRC in the kernel?! or Floppy Disk Support..)
If necessary, such support may be possible within the App-per-VM (ApV) model, since itâs based on Linux and already includes support for these kinds of legacy features. However, this will never be a priority.
Only Latest/Best Encryption Used
Since there will be no backward compatibility, only the best and most secure options available will be used, whether in TLS versions, cipher suites, OS-level encryption, or any other security-related components.
Offline Installation
It is more secure to avoid installing the operating system while connected to the internet, as also advised in Debianâs security manual.
Offline System Core
Similar to Qubes OS, the system core/base will not be connected to the internet (essential for security purposes).
Non-Systemd Init
Although not a direct security issue on its own, systemd is a bulky piece of software and has been heavily criticized for numerous things. The good news is that Genode OS has developed its own lightweight init component that works with seL4.
Hardware Specifications
Similar to qubes requirements or equivalent:
- Intel VT-x or AMD-v
- IOMMU
- SLAT
- TPM
Optional Preferable
Btrfs/Snapshots/Timeshift like
It should be easily to achieve this with immutable upgrades (you can rollback to the previous state).
Server Support
Finding a way to make ApV able to manage server/s.
FSDG Consideration
This all can go through only supporting freedom software (software for the ApV must be taken from FSDG distro repository in this case).
Secureboot
Only makes sense when it doesnt depend on microsoft keys.
Onion Repository
Will harden the avoidance of targeted attack (explained here).
Nested Virtualization
This feature will be the responsibility of the seL4 team, whether they implement it correctly and securely or not. Itâs particularly relevant in scenarios involving running an OS + VM inside another VM, or using a virtualizer/hypervisor within a VM (e.g. VirtualBox-in-VM).
Competitors
Proprietary competitors are on the rise. HarmonyOS, for example, is arguably the most mature general-purpose microkernel-based OS developed in China. Googleâs Fuchsia is another example. If we donât stay ahead of these developments, control over security will slip from our hands, placing it instead in the hands of large corporations or state-backed entities.