Kicksecure ™: A Security-hardened, Non-anonymous Linux Distribution
Hardening by Default
- Linux Kernel Runtime Guard (LKRG) - kills whole classes of kernel exploits (next version)
- TCP ISN CPU Information Leak Protection (next version)
- security-misc (kernel hardening, Protect Linux User Accounts against Brute Force Attacks, strong Linux user account separation, misc security settings)
- SecBrowser ™: A Security-hardened, Non-anonymous Browser
- higher quality randomness generation 
- Secure network time synchronization using sdwdate rather than insecure NTP
- Install security software by default such as AppArmor and Hardened Malloc (but not used for everything).
- Available AppArmor profiles for confinement of potentially compromised high-risk applications.
- Encrypted DNS (domain name resolution). (Currently only VM version. Available through ISO or distro morphing in future version.)
Usability by Default
- https://github.com/Whonix/shared-folder-help
- https://github.com/Whonix/usability-misc
sudo apt-get install kicksecure-cli will be possible on bare metal Debian hosts. In other words, Debian installations can be easily converted into Kicksecure ™ by installing kicksecure-cli or another Kicksecure ™ Debian package. This is also called distro-morphing.
- a possible future ISO for installation on hardware depending on community interest and support
iPhone and Android Level Security for Linux Desktop Distributions
This section details potential future security enhancements for Kicksecure ™.
- On popular mobile operating systems (iPhone and Android) a compromised application cannot access data of any other applications.
- A compromised application is unlikely to gain root. On the Linux desktop the process of Preventing Malware from Sniffing the Root Password is rather cumbersome and unpopular. Therefore any compromised application on the Linux desktop could lead to root compromise which in turn might compromise the bootloader, kernel, or even hardware. It is difficult to detect and remove a rootkit.
- The iPhone/Android approach provides strong protection against malware, meaning those platforms are a lot less impacted than Windows or Linux desktops.
- Many vendors purposefully add a lot of spyware; one example is Carrier IQ. The GNU Project states: "Apple's Operating Systems Are Malware" and "Google's Software is Malware". In addition, many freemium applications spy on their users. Despite this downside, the security model of popular mobile operating systems affords better protection when attempting to prevent any malicious, unapproved party from establishing a foothold in their ecosystem.
| ||Most iPhone / Android devices||"Libre Android"||Linux Desktop Distributions||Kicksecure ™ Development Goals|
|Upgrades do not require vendor||No||Yes||Yes||Yes|
|User freedom to replace operating system||No||Yes||Yes||Yes|
|Administrator capabilities (root) not refused||No||Yes||Yes||Yes|
|No user freedom restrictions||No||Yes||Yes||Yes|
|No spyware included in operating system||No||Yes||Yes||Yes|
|No culture of freemium applications that spy on users in appstores||No||Yes||Yes||Yes|
|Culture of Freedom Software in appstores||No||Yes||Yes||Yes|
|Freedom Software||No||Yes||Yes||Yes|
|Compromised application cannot access data of other applications||Yes||Yes||No||Yes|
|Malware on a compromised system cannot easily gain root||Yes||Yes||No||Yes|
|Reasonable resistance against system wide rootkit||Yes||Yes||No||Yes|
|Hardened Kernel||Yes||Yes||some||Yes|
|Full System MAC Policy||Yes||Yes||No||Yes|
Most popular iPhone / Android phones that are sold by mobile carriers or manufacturers have locked boot loaders. In many cases it is not possible to easily replace or upgrade the operating system by oneself; vendor upgrades are required. Kicksecure ™ will not implement these kinds of user freedom restrictions since it is not required nor desirable. The capability to replace or upgrade the operating system will remain fully supported. Popular mobile operating systems utilize security technologies which purposefully restrict user freedoms. In contrast, Kicksecure ™ aims to utilize the same security concepts for the goal of empowering the user and increasing protection from malware.
It is theoretically possible to provide the same iPhone / Android level security on the Linux Desktop too. Security technologies like hardened kernels or verified boot used by popular mobile operating systems could also be ported to Linux desktops. Some steps were already made in that direction such as security-misc and apparmor-profile-everything. Community contributions are gladly welcomed! Here is a list of potential security enhancements for Kicksecure ™:
- multiple boot modes for better security: persistent user | live user | persistent admin | persistent superadmin | persistent recovery mode
- Disable SUID Binaries
- (re-)mount home (and other?) with noexec (and nosuid (among other useful mount options)) for better security
- enforce kernel module software signature verification
- deactivate malware after reboot from non-root compromise
- walled garden, firewall whitelisting, application whitelisting, sudo lockdown, superuser mode, protected mode
- Hardened Kernel
- Verified Boot
- signify signed releases
- Post-Quantum Cryptography (PQCrypto) resistant signing of releases
- Untrusted Root User
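For the noexec/nosuid mount item in the list above, one way to check a host, as an added example that is not Kicksecure's own code. The function names, the constructed sample mount table, and the inclusion of nodev as one of the "other useful mount options" are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# missing_mount_opts MOUNTS_TEXT MOUNTPOINT OPT...
# Prints the required options that are absent from the mount, space-separated.
# Prints "unmounted" when MOUNTPOINT is not a separate mount: it then inherits
# the options of its parent filesystem, which is a finding in itself.
missing_mount_opts() {
    mounts=$1; target=$2; shift 2
    # The last matching line wins, because later mounts shadow earlier ones.
    opts=$(printf '%s\n' "$mounts" |
        awk -v t="$target" '$2 == t { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "unmounted"
        return 0
    fi
    missing=""
    for want in "$@"; do
        # Wrap in commas so "suid" can never match inside "nosuid".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# audit MOUNTS_TEXT: one report line per user-writable location.
audit() {
    for mp in /home /tmp /var/tmp; do
        printf '%s: missing [%s]\n' "$mp" \
            "$(missing_mount_opts "$1" "$mp" noexec nosuid nodev)"
    done
}

# Runs against the constructed sample; on a real host use:
#   audit "$(cat /proc/mounts)"
audit "$SAMPLE_MOUNTS"
```

An "unmounted" result for a location such as /var/tmp means the options of the parent filesystem apply there, so the directory is only as restricted as / is.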
User Population / Promotion
- The security-minded community is larger than the anonymity-minded community. Through Kicksecure ™ we can work on our shared interest in computer security.
- Apply as many security settings by default without breaking usability too much.
- Kicksecure ™ is already the base for Whonix - Anonymous Operating System.
- This project might migrate to its own domain name kicksecure.com depending on community interest and available resources.
- Does anyone want to help create an installer ISO?
- Kicksecure ™ will hopefully soon become available as a TemplateVM for Qubes OS.
- looking for new webmaster
- Through loading of the jitterentropy-rng kernel module by default.
- Through installation of the user space entropy gathering daemons haveged and jitterentropy-rng by default.
- use DNSCrypt by default
- That would require an exploit.
In comparison, a compromised application on the Linux desktop running under user "user" has full access to all information that user has access to, including all files, keystrokes and so on. The exception is when mandatory access control (MAC) is in use and successfully confines that application.
- Occasionally there are exploits that allow applications to gain root, but as time passes more of these vulnerabilities are being fixed.
- Most iPhone / Android phones that are sold by mobile carriers or manufacturers have locked boot loaders, come with spyware installed by default which is non-removable etc. There may be rare exceptions to this rule. Hence "most" and not "all". These exceptions are not the point which shall be made in this comparison. See "Libre Android" column for what is theoretically possible.
- There is no "Libre Android" at time of writing. It's only a concept to illustrate a point. There is no "perfect" Android distribution. GrapheneOS has verified boot but root access is refused in default builds. Replicant allows root access, but no references were found that Replicant makes use of verified boot yet. Picking a specific Android distribution is not relevant to the point of "iPhone and Android Level Security for Linux Desktop Distributions", so no specific Android distribution was chosen for this comparison. A "perfect" Android distribution checking all "green yes" is possible in theory. It doesn't exist due to policy decisions. (GrapheneOS vs root in default builds vs device selection / features.) There are no technical reasons for non-existence. See also this Overview of Mobile Projects, that focus on security, privacy, anonymity, source-available, Freedom Software, or any combination of these.
- Comes with a lot of proprietary software installed by default.
- Through verified boot.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.