• Stars
    star
    138
  • Rank 264,508 (Top 6 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created over 7 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Qubes-based SecureDrop Journalist Workstation environment for submission handling

By contributing to this project, you agree to abide by our Code of Conduct.

Gitter

Example of viewing submitted documents inside Qubes OS using the SecureDrop Client

Bringing SecureDrop to Qubes

This project aims to improve journalists' experience using SecureDrop, by moving the journalist workflow to a single computer running multiple virtual machines with Qubes OS. Data is moved as automatically and transparently as possible between otherwise isolated VMs.

We are currently piloting this project with a small number of news organizations; see our blog post for additional information.

  1. Detailed Rationale
  2. Architecture
  3. What's In This Repo?
  4. Installation
  5. Threat model

Detailed Rationale

SecureDrop's architecture and threat model are proven, but the current approach also has major drawbacks:

  • Journalists must access a separate, airgapped device to even validate that a submission is relevant. The airgapped workflow is complex and slow, and may reduce the reliance on SecureDrop overall.

  • The complexity of the setup and the usage procedures create operational security risks. For example, journalists may accidentally boot up the wrong device using the Secure Viewing Station (SVS) USB drive, breaking the airgap, or they may attempt "workarounds" to shortcut the laborious process of checking for submissions.

  • Applying security updates to the SVS is difficult, which may cause administrators to wait a long time before doing so. While the SVS is airgapped, an insecure SVS still exposes additional vectors of attack, especially since the journalist is by design opening unknown files on the workstation.

  • Once a document has been decrypted on the SVS, a journalist is more or less on their own right now. Work on the submission and the collaboration with other journalists are "not our department". Yet, security failures are likely during this stage. It's difficult to address this fundamental issue with the current workflow, since the SVS is essentially a dead end as far as SecureDrop is concerned.

The Qubes OS approach addresses this at multiple levels:

  • By disabling Internet access and mitigating against other exfiltration risks on a per-VM basis, we can combine multiple functions into a single device. Checking SecureDrop submissions is as simple as booting up your workstation, downloading recent submissions, and inspecting them. This has the potential to greatly reduce time and effort spent by SecureDrop journalists, administators and trainers, and to increase day-to-day SecureDrop use.

  • Qubes OS' security model lets us add specific software features (such as redaction of documents) with careful consideration in each case what level of system or network access an application requires. This lets us gradually extend the functionality we can offer to journalists beyond the mere download of submissions.

  • We can potentially add VMs that enable end-to-end encrypted communication with other SecureDrop journalists, intermediated by the SecureDrop server. This enables us to add software features that, for example, let journalists collaborate in categorizing submissions, assigning work, versioning changes to documents, and so on.

However, the Qubes OS approach is not without downsides. It stands and falls with the security of Qubes OS itself, which in turn may be impacted by Spectre/Meltdown type CPU level vulnerabilities, hypervisor vulnerabilities, and so on. These risks must be compared against the operational security risks of the current architecture, including the work that journalists do after downloading a submission. The Qubes OS website provides a useful comparison of its security model with that of using a separate machine.

While we are strongly committed to piloting the use of Qubes OS for SecureDrop, no final decision has been made to move to this new architecture. This decision will require a full audit of this new approach, consideration of alternatives, and extensive validation with SecureDrop's current user community.

Architecture

The current architecture replaces the Journalist Workstation and Secure Viewing Station Tails installations with specially-configured Qubes VMs; these are the VMs the user will primarily interact with. There are a number of other configured VMs which provide ancillary services.

(Data Flow Diagram for the SecureDrop Workstation)

Currently, the following VMs are provisioned:

  • sd-proxy is where the SecureDrop proxy resides, which allows the non-networked sd-app vm to communicate with the Journalist Interface over Tor.
  • sd-app is a non-networked VM in which the SecureDrop Client runs used to store and explore submissions after they're unarchived and decrypted. Any files opened in this VM are opened in a disposable VM.
  • sd-whonix is the Tor gateway used to contact the journalist Tor hidden service. It's configured with the auth key for the hidden service. The default Qubes Whonix workstation uses the non-SecureDrop Whonix gateway, and thus won't be able to access the Journalist Interface.
  • sd-gpg is a Qubes split-gpg AppVM, used to hold submission decryption keys and do the actual submission crypto.
  • sd-viewer is an AppVM used as the template for the disposable VMs used for processing and opening files.
  • sd-log is an AppVM used for centralized logging - logs will appear in ~/QubesIncomingLogs from each AppVM using the centralized logging service.

Submissions are processed in the following steps:

  1. Journalist uses the SecureDrop Client to access the Journalist Interface via the Journalist API. After logging in, the journalist clicks on any submission of interest.
  2. The SecureDrop Client will use sd-gpg to decrypt the submission using Qubes' split-GPG functionality (decryption is done in a trusted, isolated VM, keeping GPG keys off of the system-wide DispVM).
  3. The decrypted submission is stored on the sd-app Secure Viewing Station VM, where it's placed in a local database.
  4. Any file opened by the SecureDrop Client in the Secure Viewing Station VM is opened in a Disposable VM, largely mitigating attacks from malicious content.

See below for a closer examination of this process, and see docs/images for screenshots related to the steps above.

What's In This Repo?

This repository can be broken into three parts: 1) a set of salt states and top files which configure the various VMs, 2) scripts and system configuration files which set up the document handling process, and 3) the pre-flight updater used to update all VMs relevant to the SecureDrop Workstation.

Qubes uses SaltStack internally for VM provisionining and configuration management (see https://www.qubes-os.org/doc/salt/), so it's natural for us to use it as well. The dom0 directory contains salt .top and .sls files used to provision the VMs noted above.

  • Makefile is used with the make command on dom0 to build the Qubes/SecureDrop installation, and also contains some development and testing features.
  • The SecureDrop Client is installed in sd-app and will be used to access the SecureDrop server Journalist Interface via the SecureDrop proxy.
  • The SecureDrop Proxy is installed in sd-proxy to communicate to the SecureDrop server Journalist Interface via sd-whonix.
  • Within sd-app, the SecureDrop Client will open all submissions in the sd-viewer disposable VM.
  • files/config.json.example is an example config file for the provisioning process. Before use, you should copy it to config.json (in the repository's root directory), and adjust to reflect your environment.
  • sd-journalist.sec.example is an example GPG private key for use in decrypting submissions. It must match the public key set on a SecureDrop server used for testing. Before use, you should copy it to sd-journalist.sec, or store the submission key used with your SecureDrop server as sd-journalist.sec.
  • launcher/ contains the pre-flight updater component (sdw-launcher), which updates all TemplateVMs relevant to the SecureDrop Workstation prior to use, as well as the sdw-notify script, which reminds the user to update the system if they have not done so recently.

Installation

Installing this project is involved. It requires an up-to-date Qubes 4.1 installation running on a machine with at least 16GB of RAM (32 GB recommended).

The project is currently in a closed beta, and we do not recommend installing it for production purposes independently. See our blog post for more information. If you are participating in our beta program, please consult our end user documentation for detailed setup instructions, and do not hesitate to reach out for assistance.

To install a development version (using test data on the server and a test encryption key to decrypt it), in summary, you will need to:

  1. Ensure you have an up-to-date SecureDrop server or staging environment
  2. Apply all available system updates in Qubes OS
  3. Clone this repository into a development VM
  4. In the development VM, install Podman, Docker or another OCI compatible container engine (the build environment depends on it)
  5. Create a config.json and sd-journalist.sec (Submission Private Key) appropriate for your environment
  6. Copy the contents from your development VM into ~/securedrop-workstation in dom0
  7. In dom0, export SECUREDROP_DEV_VM (name of your dev VM) and SECUREDROP_DEV_DIR (full path to repo checkout in dev VM) and run make clone
  8. Run make dev in dom0 to provision a development environment.

This is only a summary; see our developer documentation for detailed instructions.

Threat model

This section outlines the threat model for the SecureDrop Workstation, and should complement SecureDrop's threat model. This document is always a work in progress, if you have any questions or comments, please open an issue on GitHub or send an email to [email protected].

Assumptions

Assumptions About the SecureDrop Servers

  • The SecureDrop Application and Monitor servers are properly installed and configured.
  • Operational security, administration and usage of the SecureDrop instance follows the guidance provided by the SecureDrop documentation.

Assumptions About the Securedrop Workstation Install

  • SecureDrop Workstation was installed correctly
  • Updates are applied to SecureDrop Workstation provisioning code, VM templates and dom0 as they are available.

Assumptions About the World

  • The security assumptions of dm-crypt and LUKS are valid.
  • The security assumptions of Tor, the Hidden Service protocol and Hidden Service authentication are valid.
  • The security assumptions of RSA are valid.
  • The security assumptions of the Qubes operating system are valid.
  • The security assumptions of the Xen hypervisor are valid.

Attack Scenarios

As the SecureDrop Workstation is not Internet-reachable, an attacker must first obtain code execution on a virtual machine. This can be achieved through a malicious SecureDrop submission, websites visited by a journalist or a vulnerability in the provisioning code and its dependencies. The Virtual Machine in which the adversary obtains code execution will dictate what information is potentially compromised, as well as the attack surface exposed for lateral movement or escalation of privilege.

What Compromise of the Display VM (sd-viewer) Can Achieve

The Display VM (sd-viewer) is disposable, does not have network access, and is used to display only one submission before being destroyed.

  • An adversary can read the decrypted submission.
  • An adversary can attempt to elevate their privileges and escape the VM.
  • An adversary can attempt to communicate through a side channel to another VM or device in the SecureDrop Workstation's environment.
  • An adversary can exhaust storage in the centralized logging VM (sd-log).

What Compromise of the Proxy VM (sd-proxy) Can Achieve

  • An adversary can intercept and modify any and all communication between the Tor Browser and the SecureDrop Journalist Interface, including but not limited to:
    • Send messages to (but not view messages from) sources.
    • Delete messages and submissions.
    • Access encrypted messages and submissions.
    • Access plaintext journalist passwords to the Journalist Interface.
  • An adversary can attempt to elevate their privileges and escape the VM.
  • An adversary can exhaust storage in the centralized logging VM (sd-log).

What Compromise of the Whonix Gateway VM (sd-whonix) Can Achieve

  • An adversary can obtain the Journalist Interface's ATHS cookie.
  • An adversary can intercept and modify any and all communication between the Proxy VM and the SecureDrop Journalist Interface, including but not limited to:
    • Send messages to sources (but not view messages from a source).
    • Delete messages and submissions.
    • Access encrypted messages and submissions.
    • Access plaintext journalist passwords to the Journalist Interface.
  • An adversary can attempt to elevate their privileges and escape the VM.

What compromise of the App VM (sd-app) can achieve

The App VM is where securedrop-client resides. It does not have network access, and the Qubes split-gpg mechanism permits access to GPG keys from this VM.

  • An adversary can view all decrypted submissions.
  • An adversary can decrypt arbitrary encrypted submissions.
  • An adversary can interact with the SecureDrop Journalist Interface or modify SecureDrop client code.
  • An adversary can attempt to elevate their privileges and escape the VM.
  • An adversary can exhaust storage in the centralized logging VM (sd-log).

What Compromise of the GPG VM (sd-gpg) Can Achieve

The GPG VM does not have network access, and the Qubes split-gpg mechanism restricts access to this VM per the Qubes GPG RPC policy.

  • An adversary can decrypt and encrypted message or submission.
  • An adversary can store and view any message that is being decrypted by the SecureDrop Workstation.
  • An adversary can attempt to elevate their privileges and escape the VM.

What Compromise of the Log VM (sd-log) Can Achieve

The Log VM does not have network access nor does it contain any other secrets.

  • An adversary can read log messages from any VM using the centralized logging service.
  • An adversary can tamper with log messages from any VM using the centralized logging service.
  • An adversary can attempt to elevate their privileges and escape the VM.

What Compromise of dom0 Can Achieve

dom0 can do all of the above: spawn arbitrary virtual machines, access all data, modify all SecureDrop Workstation provisioning code, as well as introduce mechanisms to establish persistence and exfiltrate data. By design, Qubes' dom0 does not have network access, files cannot be copied to dom0, and clipboard sharing is disabled.

More Repositories

1

securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
Python
3,609
star
2

dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
Python
3,553
star
3

encryption-works

Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance
353
star
4

sunder

Sunder is a user-friendly graphical interface for Shamir's Secret Sharing.
JavaScript
160
star
5

trackthenews

Monitor stories from news outlets for words or phrases that matter to you
Python
137
star
6

securethenews

An automated scanner and web dashboard for tracking TLS deployment across news organizations
Python
100
star
7

ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
Python
49
star
8

gotham-grabber

Python
48
star
9

securedrop-protocol

Research and proof of concept to develop the next SecureDrop with end to end encryption.
Python
47
star
10

securedrop-client

a Qt-based GUI for SecureDrop journalists 📰🗞️
Python
41
star
11

securedrop.org

Code for the SecureDrop project website
Python
40
star
12

fingerprint-securedrop

A machine learning data analysis pipeline for analyzing website fingerprinting attacks and defenses.
Python
29
star
13

signal-protocol

Python bindings to libsignal-protocol-rust
Python
24
star
14

ansible-role-jitsi-meet

Installs the Jitsi Meet open source videoconferencing software
Ruby
23
star
15

securedrop-docs

Documentation for the SecureDrop project
Shell
22
star
16

ansible-role-elk

Installs a turnkey ELK stack for log aggregation and analysis, with optional Riemann support for alerting
Ruby
18
star
17

pressfreedomtracker.us

Code for the U.S. Press Freedom Tracker project website
Python
17
star
18

ansible-role-build-debian-package

Ansible role for building Debian packages (.deb files) for distributing installers
17
star
19

threat-modeling

experimental threat modeling tools
Python
14
star
20

securedrop-sdk

Tooling for developing against the SecureDrop API
10
star
21

securedrop-https-everywhere-ruleset

HTTPS Everywhere ruleset for human-readable Onion URLs for SecureDrop instances
Python
10
star
22

ansible-role-jenkins-config

Repo to further configure jenkins post install
Groovy
9
star
23

securedrop-ux

Public wiki and repository for the SecureDrop User Experience team
HTML
8
star
24

npm-audit-plus

A wrapper around NPM's built-in audit that adds extra features
JavaScript
8
star
25

securedrop-proxy

Qubes RPC proxy service for the SecureDrop Client
8
star
26

securedrop-i18n

securedrop translations - do not install from here or file PRs here! please use https://github.com/freedomofpress/securedrop
Python
7
star
27

securedrop-builder

Packaging logic for building SecureDrop-related Debian packages
Python
7
star
28

qubes-template-securedrop-workstation

Build the base Qubes VM template for the SecureDrop Workstation
Makefile
7
star
29

ossec

This repository contains all of the code and documentation related to the generic OSSEC packages maintained by the Freedom of the Press Foundation for all SecureDrop instances.
Shell
7
star
30

securedrop-workstation-docs

User documentation for the SecureDrop Workstation
Dockerfile
5
star
31

securedrop-signal-poc

prototype e2e server and source + journalist clients for securedrop
Rust
5
star
32

ansible-role-elastalert

Elastalert ansible role
5
star
33

ansible-role-beats

Ansible role for installing and configuring elastic beats
Makefile
5
star
34

ansible-role-grsecurity-build

Ansible role for building grsecurity-patched kernels from source
Roff
5
star
35

dangerzone.rocks

Contents of the dangerzone.rocks website
CSS
5
star
36

securedrop-export

code for exporting from the securedrop qubes workstation
5
star
37

containers

Repo to house all FPF related containers
Python
4
star
38

ansible-role-signal-desktop

Python
4
star
39

securedrop-apt-test

Artifact storage for SecureDrop packages (dev only)
Python
4
star
40

kernel-builder

Roff
4
star
41

build-logs

Build logs for SecureDrop core and workstation packages
Roff
4
star
42

securedrop-dev-docs

SecureDrop Developer Documentation
Shell
4
star
43

secure-fs

An open-source library that ensures restrictive file permissions and safe paths when creating and working with files and directories.
Python
4
star
44

otter

Infrastructure framework for Qubes-OS based testing on VMWare
Python
3
star
45

ansible-role-riemann

Ansible role for configuring the Riemann stream processor for alerting on Logstash events.
Ruby
3
star
46

ansible-role-paxctld

Set PaX flags on binaries via a system service, for grsecurity-patched kernels
2
star
47

securedrop-styleguide

The styleguide for the SecureDrop project
HTML
2
star
48

ansible-role-ntfy

Ansible role for installing the ntfy pip module for sending notifications
2
star
49

sdstatus

Rust
2
star
50

ansible-role-docker-registry

Configures a self-hosted Docker registry
Python
2
star
51

wagtail-supertable

▦ Extensions for Wagtail's built-in table block
JavaScript
2
star
52

securedrop-reachability-monitor

Nagios gives a lot of false positives that SecureDrop instances are down. We're going to use stem to get to the bottom of why.
Python
2
star
53

securedrop-log

centralized logging for AppVMs in qubes
2
star
54

ansible-role-django

Ansible role for django development
HTML
1
star
55

ansible-role-grsecurity-install

Ansible role for installing grsecurity kernel Debian packages
Python
1
star
56

securedrop-grsec

Debian metapackage for SecureDrop grsecurity-hardened kernels
1
star
57

ansible-role-kibana

Kibana ansible role
Python
1
star
58

foiafeed-ttnconfig

Configuration files for the FOIA Feed instance of Track The News
Python
1
star
59

signal-groups

python bindings to signal's zkgroup
Rust
1
star
60

ansible-role-doctl

Configures doctl command line client for DigitalOcean API
Python
1
star
61

container-onion-service

Shell
1
star
62

securedrop-workstation-ci

Repository for holding scripts related to running CI for SecureDrop Workstation (hosted on a Qubes machine)
Python
1
star
63

fpf-misc-resources

1
star
64

ansible-role-openssl-node

Utilizes a pre-existing CA certificate to generated signed client openssl certs
1
star
65

wa-knn-fingerprint-securedrop

An implementation of Wang's kNN classifier intended for integration with the https://github.com/freedomofpress/fingerprint-securedrop machine learning pipeline.
Go
1
star
66

securedrop-yum-test

Artifact storage for SecureDrop Workstations RPM packages (dev only)
Python
1
star
67

.github

Templates and community guidelines shared across public FPF repositories
1
star
68

securedrop-yum-prod

Artifact storage for SecureDrop Workstations RPM packages (production)
Python
1
star
69

apt-tools-prod

Artifact storage for Dangerzone and other non-SD .deb packages
Python
1
star
70

yum-tools-prod

Artifact storage for Dangerzone and other non-SD .rpm packages
Python
1
star
71

securedrop-protocol-server-resty

OpenResty implementation of the experimental SecureDrop-ng server protocol
Lua
1
star
72

maint-dangerzone-pyside6

Build instructions for creating a PySide6 RPM, which is currently missing from the official Fedora repos.
Shell
1
star