
I want to create a dual-boot such that the content of each OS is separated from the other using encryption. The main point would be to test out potentially harmful software on one OS, and still be able to rely on the integrity of the other OS.

User A uses OS A and User B uses OS B. Let's assume:

  • both OSes are Windows 7.
  • two different partitions, one for each copy of Windows.
  • one physical storage unit available, such as on a laptop.
  • users of each OS both want to brute force (not each other) using attached hardware, or use third-party software involving card readers.
  • it is acceptable for each user to be able to destroy each other's Windows by erasing or over-writing a partition.

However, neither user should be able to access or modify plaintext data from the other user's partition.

In the past I have arranged this with TrueCrypt and Hidden OS. I am looking for other ideas that are easy to implement and, more important, don't take a lot of time. I would prefer an arrangement that included only open source software.

Is this possible? If so, how?

Simply G.
  • Is there a reason you're not using virtualisation? – Graham Hill May 30 '14 at 10:28
  • @GrahamHill [Virtualization isn't as secure as one would think](http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security). – Philipp May 30 '14 at 10:40
  • Several reasons, most importantly performance and third-party devices (that simply do not work for my purposes on virtual machines). But I also want log-on security and separation between users. My main point above is not the only reason. – Simply G. May 30 '14 at 10:53
  • It is possible, of course, that using some sort of virtualization and doing it the right way could work. I am looking for an answer involving straight-up encryption, however. – Simply G. May 30 '14 at 11:00
  • A rootkit on either OS may be able to modify your bootloader, which must be in the clear, and thereby eventually gain access to corrupt the other OS. If you really need to run two separate and isolated environments on the same hardware, and can't use virtualization, it would be safer to actually swap out physical hard drives. – Iszi May 30 '14 at 14:36
  • From administrator you can set access permissions for all users for file accessing. – shyammakwana.me Jun 03 '14 at 08:22
  • Your edit leaves this hanging --- your users want to brute force what _____? That action needs an object on which the action is done, and it sounds like it might make a difference to the question. – Caleb Jun 05 '14 at 10:00

2 Answers

Relying on only one physical drive, you can split it into two partitions. Install Windows 7 on each one, and then use BitLocker (assuming you have Professional, Enterprise or Ultimate [kudos to paulmorriss]) to encrypt the respective system volumes.

When you install the second Windows 7 OS in the other partition, it will prompt you to modify the boot loader to reflect both OSes. You can change the name that shows up during boot with the bcdedit command line tool (available in Windows Vista and later, it replaced the boot.ini config).

Edit: My apologies, I just saw the open source requirement. Reviewing the options listed here, there aren't many options that meet your requirements. The one that does is ProxyCrypt, but for your purposes of encrypting partitions, it needs to be used with other third-party tools (e.g., they state that Arsenal Image Mounter would need to be used as well).

If you want quick and easy, use BitLocker and separate partitions. If you want open source, check out ProxyCrypt.

  • BitLocker is not available on Pro, but Enterprise or Ultimate. https://en.wikipedia.org/wiki/BitLocker – paulmorriss May 30 '14 at 14:40
  • I should not discuss BitLocker in this thread. Although I have a few things to say for good and bad. It is a really good answer otherwise, thank you. If you had actually described how to do it with ProxyCrypt or at least claimed to have used it yourself in this fashion I would have marked this as an answer. – Simply G. Jun 04 '14 at 06:56
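The bcdedit and BitLocker steps the answer above refers to, as an added example that is not part of the answer. It is run from an elevated PowerShell prompt inside the OS being configured; the drive letters C: and E:, the entry names and the placeholder GUID in `$otherId` are assumptions and must be replaced with what `bcdedit /enum` shows on the actual machine.

```powershell
# Added example, not code from the answer above: name the two Windows 7 boot entries
# with bcdedit and turn on BitLocker for the running system volume with manage-bde.
# Run from an elevated PowerShell prompt inside the OS being configured.
# Hypothetical values: this OS is on C:, the removable drive for the recovery key is E:,
# and $otherId must be replaced with the GUID shown by 'bcdedit /enum' for the other OS.

# 1. List the boot entries. Each "Windows Boot Loader" block shows an identifier
#    ({current} for the running OS, a GUID for the other one) and its description.
bcdedit /enum

# 2. Give both entries a distinct name so each user picks the right system at boot.
#    Braces are quoted so PowerShell does not parse {current} as a script block.
bcdedit /set '{current}' description 'Windows 7 - User A'
$otherId = '{00000000-0000-0000-0000-000000000000}'   # placeholder GUID, copy the real one from step 1
bcdedit /set $otherId description 'Windows 7 - User B'

# 3. Show the menu for 10 seconds and boot this entry unless the user chooses otherwise.
bcdedit /timeout 10
bcdedit /default '{current}'

# 4. Encrypt the running OS volume (Windows 7 Enterprise or Ultimate). With a TPM the
#    volume key is sealed to the measured boot components, so a changed boot manager
#    sends the machine into recovery instead of unlocking silently. Without a TPM,
#    group policy must allow BitLocker without a compatible TPM and -StartupKey is
#    required in place of the TPM. The recovery password printed here must be stored
#    somewhere the other user cannot read.
manage-bde -on C: -RecoveryPassword -RecoveryKey 'E:\'

# 5. Watch the encryption state. The same steps run from the other OS for its own volume
#    leave each system holding only its own key; the other volume appears locked.
manage-bde -status
```

The two encrypted volumes still share one unencrypted boot manager and BCD store on the System Reserved partition, which is the weak point the other answer and Iszi's comment are about; the TPM binding in step 4 is what turns a modified boot manager into a visible recovery prompt rather than a silent unlock.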

The correct answer to this is that you really can't.

There are several ways to approximate the solution you describe, but no way to be 100% sure. There is an adage in the security world that physical access is 75%* of the game. This is a great case study for why that is true.

The scenario you describe and the solution you think you are looking for will, for all practical purposes, work most of the time. You'll have made it very difficult for either user to compromise the other. But difficult is different than impossible.

No matter what you do to each partition and the software in it, you do not change the fact that at some point the other user is going to come along and decrypt their own partition and run their own software. With physical access to the machine and the low level software environment on it, it is possible to compromise the system.

The theoretical problem here is the same as that of a virtualization scenario with a host and a guest. As a guest operating system, you should never assume that your box is completely independent from the host. You may not be able to compromise the host, but the host can almost certainly compromise you. If you don't trust your host machine, your guest should not be trusted either.

Back to your scenario. Although you are not using virtualization, the effect is roughly the same. Both User A and User B have bare metal access and can put themselves in the role of the host. All they need to do to compromise the other is play a few tricks on the other partition and OS so that it inadvertently plays the role of a guest.

The most obvious way to do this would be to compromise the bootloader with a rootkit. Other attack vectors come to mind as well, but the long and the short of it is that you should NEVER assume that hardware under the full control of another user and software environment can be used unmodified without potentially compromising yourself.

The solution here would most likely be to give neither A nor B access to bare metal and give them both a side-by-side guest environment, assuming neither of them is given access to the host. This would be a more secure way to go. (Not perfect, as it relies on the quality of your virtualization system, but it's better than knowing your bare metal is being used by another host.)

Pragmatically speaking, there is rarely a case where a virtual machine cannot do what you need it to do, including giving access to card readers or other hardware devices. In the rare case where that is not the case, you will need to separate your environments the old-fashioned way: physically. If User A and User B don't trust each other and both need low-level access to hardware, then give them each their own hardware already!

* Where the exact percentage is some random high number made up on the spot.

Caleb
  • I agree with what you are saying, if one considers the user as a potential bad guy. In my scenario none of them will decrypt the partition and the 'bad guy' is installed software or remote hacking of the OS while running. But yes. For a secure solution, you cannot allow access to the hardware. – Simply G. Jun 04 '14 at 06:52
  • @SimplyG. From a theoretical standpoint there is no difference between an untrusted user and a user that is specifically running untrusted software. Practically speaking, the former is likely to be more versatile and take fewer iterations to find and exploit an issue rather than scanning for predefined scenarios, but the security implications are the same. – Caleb Jun 04 '14 at 18:18
  • Malicious software is much more limited (than a malicious user) when it comes to attack vectors. Can you give some example of how software can use 'bare metal' in this case to corrupt the other OS? – Simply G. Jun 05 '14 at 09:31
  • @SimplyG. As I said in my last comment, the attack vectors are _not_ significantly different, and the one I mention in my answer is open to both. – Caleb Jun 05 '14 at 10:01
  • After some testing and reading I must reluctantly agree - that while one could feel that it should protect against most malicious software - as long as they are not physically separated they cannot truly be separated. But like many others I am equally skeptical about true virtualization separation/isolation as well. I mark Caleb's answer as the answer to this question, yet am thankful for good tips on encryption tools. – Simply G. Jun 16 '14 at 13:00
  • @SimplyG. Virtualization has risks too, but for most hypervisors there are no KNOWN ways to break out of the guest system. When they are found they get fixed, and there is scrutiny going into their making (if you are using a decent virtualization system). With the solution you were proposing there are KNOWN VULNERABILITIES that nobody even intends to fix, because nobody cares about the case and it is assumed to be insecure on theory alone (never mind implementation issues). – Caleb Jun 16 '14 at 13:15
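Caleb's answer and Iszi's comment both rest on the boot manager and BCD store being readable and writable by whichever OS is running. The following added example (not code from the answer or from any project named on the page) is the minimum a defender can do about that without changing the design: keep a SHA-256 baseline of those shared components on each OS's own encrypted volume and compare it at every logon, so a modification made while the other OS was running is at least noticed. It assumes the System Reserved partition has been given the letter S: in Disk Management (a hypothetical choice) and uses only .NET classes available to the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the answer: keep a SHA-256 baseline of the boot
# components both systems share in the clear (the bootmgr file and the BCD store)
# and compare at each logon, so a change made while the other OS was running is at
# least noticed. Uses only .NET classes available to the PowerShell 2.0 shipped with
# Windows 7; run it elevated, because bcdedit needs administrator rights.
# Hypothetical: the System Reserved partition has been given drive letter S: in Disk
# Management, and the baseline file lives on this OS's own BitLocker-protected volume.

$BootMgr  = 'S:\bootmgr'
$Baseline = Join-Path $env:ProgramData 'bootcheck\baseline.txt'

function Get-HexSha256([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ([System.BitConverter]::ToString($sha.ComputeHash($Bytes))).Replace('-', '')
}

function Get-BootHashes {
    # Hash the raw bootmgr file. It is hidden+system, so read it via .NET rather than Get-Content.
    $h = @{}
    if (Test-Path $BootMgr) {
        $h['bootmgr'] = Get-HexSha256 ([System.IO.File]::ReadAllBytes($BootMgr))
    } else {
        $h['bootmgr'] = 'MISSING'
    }
    # The BCD hive is locked by the running OS, so hash the verbose store listing instead.
    # /v prints real GUIDs rather than {current}, so the listing is stable across reboots of
    # this OS; each OS keeps its own baseline because drive letters differ between them.
    $bcdText = (bcdedit /enum all /v | Out-String)
    $h['bcd'] = Get-HexSha256 ([System.Text.Encoding]::UTF8.GetBytes($bcdText))
    return $h
}

function Save-Baseline([hashtable]$Hashes) {
    New-Item -ItemType Directory -Force -Path (Split-Path $Baseline) | Out-Null
    $Hashes.Keys | ForEach-Object { "$($_)=$($Hashes[$_])" } | Set-Content $Baseline
}

function Read-Baseline {
    $saved = @{}
    Get-Content $Baseline | ForEach-Object {
        $k, $v = $_ -split '=', 2
        $saved[$k] = $v
    }
    return $saved
}

$current = Get-BootHashes
if (-not (Test-Path $Baseline)) {
    Save-Baseline $current
    Write-Host "Baseline recorded in $Baseline; delete it and re-run after any boot change you made yourself."
    exit 0
}

$saved   = Read-Baseline
$changed = @($current.Keys | Where-Object { $saved[$_] -ne $current[$_] })
if ($changed.Count -eq 0) {
    Write-Host 'Boot components match the baseline.'
    exit 0
}
Write-Warning ('Boot components changed since the baseline: ' + ($changed -join ', '))
Write-Warning 'Do not trust this session until the change is explained; restore the boot files from known-good media.'
exit 1
```

Schedule the script as a logon task on each OS, with the baseline file readable only by that OS's administrators. It detects after the fact and covers only these two components; the MBR, the volume boot records and anything loaded before bootmgr are outside its view, which is exactly why the answer concludes that detection on shared bare metal is not the same as isolation, and why a TPM-sealed BitLocker key (which refuses to unseal when the measured boot chain changes) or physically separate hardware is the stronger answer.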