cslarson/dapper

Build a (more) secure* desktop for using Ethereum dapps

Dapper OS (experimental)

A (more) secure* desktop environment for running Ethereum dapps

Dapper uses Archiso to build a basic Arch Linux desktop, streamlined for running Ethereum dapps, and designed to be run from a non-persisted live usb (see Instructions).

Security Features

• Hardened linux kernel (grsecurity)
• [Mandatory Access Control (MAC)] TODO apparmor, tomoyo, selinux?
• App sandbox (firejail)
• Firewall (ufw)
• No browser ads (privoxy)
• Encrypted dns traffic (dnscrypt)
• No admin (no sudo, no root login)
• Minimal support packages (wayland, connman, termite, epiphany, all)
• Runs from non-persisted live usb
• Pure Wayland desktop (More on Wayland vs X11 security)

Limitations

• currently i've been unsuccessful running dapper in a Virtual Machine (though systemd-nspawn works great, see Dev)
• the currently available iso will only run on intel/amd 64bit systems
• the current iso uses the gb keyboard layout
• Chromium on Linux is not currently pure Wayland but should be once v59 is released (very soon). As Mist depends on Chromium through it's use of electron, I'm waiting on that before adding Mist support to Dapper. See here for more details. At that point the browser may also switch from Epiphany to Chromium.

Instructions

1. build or download the dapper iso
   • [NEW] build on any system using Docker:
     1. clone this repo (git clone git@github.com:cslarson/dapper.git) or fork and customise (TODO - instructions on customising)
     2. work in that new directory (cd dapper)
     3. build the docker image sudo docker build --rm -t cslarson/dapper-builder .
     4. build the iso sudo docker run --rm -v /tmp:/tmp -t -i --privileged cslarson/dapper-builder:latest
     5. the built iso can be found at /tmp/dapper-<DATE>-x86_64.iso of your host (main os).
   • build on an Arch based system:
     1. install archiso (sudo pacman -S archiso)
     2. clone this repo (git clone git@github.com:cslarson/dapper.git)
     3. work in that new directory (cd dapper)
     4. remove the previous work directory if there is one (sudo rm -rf work)
     5. run the build script (sudo ./build.sh -v -N dapper)
   • download the most recent dapper iso:
     • fyi if this date is in the past then the packages may be out of date. if you're unable to build Dapper yourself or would otherwise like me to generate a new iso just create and issue and i'll be happy to do so.
     • using ipfs directly: ipfs get QmWNcsFBsfhcf69955HhSbAjbtC6ArtxUWGx2bdFMGRKuS -o dapper-2017.05.18-x86_64.iso
     • using ipfs gateway (rename after download): dapper-2017.05.18-x86_64.iso
2. create a bootable usb from resulting out/dapper-<DATE>-x86_64.iso (or the downloaded file)
3. partition another usb and label dapper-data.
   • this partition will store chain data and keys for the client of choice (geth or parity).
   • labelling as dapper-data will ensure the partition can be identified by Dapper.
   • for linux filesystems the partition needs to be accessible by the user dapper or group users. you may need to do something like sudo chown -R 1000 /media/dapper-data (1000 is the uid for the dapper user)
4. boot your pc from the dapper usb
   • you may need to enter your bios settings to accomplish this. usually there is screen right after turning on the pc where you are prompted to hit the "Delete" key to access the bios settings. the boot device can be selected there.
5. click on the pink monocle icon to open the menu
6. select a choice from the menu

Remember to backup any keys you create!!!!

The udisks2 package is included to allow mounting of additional usb drives primarily for the purpose of backing up any keys that were created. Drives will be mounted at /run/media/dapper.

Dev

After building, it's easy to quickly test out most modifications using a chroot-like tool called systemd-nspawn:

1. sudo systemd-nspawn --boot -D work/x86_64/airootfs
2. export DISPLAY=:0
3. weston

Contribute

• Provide feedback regarding security
• Provide feedback regarding usability
• Help seed the iso on ipfs
• Make a cool logo
• Improve the instructions
• Get dapper to boot in a vm
• Get dapper to work on raspberry pi/arm
• Work out way to build/dev on non-Arch systems
• Get the weston desktop to autorun the menu

*Disclaimer

Dapper is a tool I created for personal use. I am not a security expert. At this point Dapper has not been reviewed, audited, or received feedback from security experts and should not be relied upon until that occurs. Additionally, what was considered a principle security feature, Grsecurity/Pax, has recently become unavailable. Pending a change in that project, or implementation of a replacement, Linux kernel "hardening" is not implemented.

Logo?

See also

• Arch wiki page on security
• Linux distributions and WebKit security
• Reddit discussion on Wayland security
• LWN article on Wayland security
• Blog post on X11 & Wayland security