
Author Topic: Locked Down OS  (Read 4058 times)

Offline bsavoie

Locked Down OS
« on: March 23, 2011, 01:42:34 PM »
My company is in the business of hosting secured, proctored exams over the internet. We partner with Universities to offer this service. In order to take an exam using our software, test takers must download a custom software application from us that locks down their machine prior to the test. This lockdown ensures that test takers do not use things like calculators and web browsers.

Frankly, this lockdown model stinks. We need special versions of our software for each of the supported platforms, and, as you might imagine, locking down a remote system is not the easiest thing in the world to do. This model has been a huge barrier!

I'm exploring other options. One option we are considering is distributing our test environment on a thumb drive. That way we only have to deal with the OS of our choosing, and we have complete control over the testing environment. TinyCore seems like exactly what we need.

The perfect scenario for us would be TinyCore on a stick, that when plugged in, boots straight to a browser. We would also need to install a specific driver for our specialized webcam. Once booted, the OS can really do ONLY one thing and that is navigate to our url to take the test. No other accessories should be available, and our url should be the only url that the test taker could navigate to.

So that's a very brief overview of what we need to do. On the surface, these requirements seem like an ideal application for TinyCore. I'm hoping for some feedback on the feasibility of this idea. I'm a 30+ year Developer. My work has all been strictly on the Microsoft platform, so please, pardon my ignorance of LINUX distros. We have a talented staff of Developers, from lots of different backgrounds, so any custom development work we need to do for this project would be acceptable. Of course if there's too much of that, we are probably barking up the wrong tree.

Thank you. Any thoughts?

Offline curaga

Re: Locked Down OS
« Reply #1 on: March 23, 2011, 01:46:01 PM »
Assuming there's a proper Linux driver for your webcam, it should be quite feasible. It's pretty fast to build single-purpose appliances on TC; in fact, the two most often done ones are straight rdesktop (Windows RDP client) and a browser/kiosk.
The only barriers that can stop you are the ones you create yourself.

Offline bsavoie

Re: Locked Down OS
« Reply #2 on: March 23, 2011, 06:12:12 PM »
Thanks Curaga. Well said. A kiosk is exactly the model I'm looking for. Would you happen to be able to point me at any resources that describe how I might build one? It seems like it would be fairly straightforward. I completely understand how to build the TinyCore on a stick, and I think I understand how I would make one of the available browser apps part of my distro. I'm not sure how I would make that browser the one and only app that my image was willing to run.

I'm also wondering if I would be able to get sufficient control over one of the TinyCore supported browsers, or if we'd need to write our own simplified browser app.

I'd be very interested in seeing documentation on how those folks built the "RDP" and "browser/kiosk" apps. If you are aware of any docs that describe how to build a kiosk on TinyCore (or any LINUX distro for that matter), that would be awesome.

That sounds like a good place to start. I'll try to find some docs on building a LINUX-based kiosk/appliance.

Offline gutmensch

Re: Locked Down OS
« Reply #3 on: March 23, 2011, 06:28:45 PM »
One very easy method would be to load the opera.tcz extension into a folder tce/optional/ on your USB key, put "opera.tcz" into /tce/onboot.lst and use "noicons" as bootcode. Finally, autostart Opera by putting a command like "opera -k -noexit &" into a file /home/tc/.X.d/browser, which you can back up to your USB stick using the backup/restore facilities of Tiny Core. -k means kiosk mode for Opera, -noexit means it ignores Alt + F4. Of course you'll have to take care of Ctrl + Alt + Backspace and other VTs, but it's a starting point ;-)
If I seem unduly clear to you, you must have misunderstood what I said. (Alan Greenspan)
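
An added example, not part of gutmensch's post or of Tiny Core itself: a small audit that checks a staged stick against the recipe above before it is handed out. The function name, the `ALLOWED_EXT` variable and the usage paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a staged kiosk stick against the recipe in the post above.
# ALLOWED_EXT is an assumption: the single extension this kiosk may load at boot.
ALLOWED_EXT="opera.tcz"

# audit_kiosk USB_ROOT HOME_DIR
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_kiosk() (
    usb=$1; home=$2; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # 1. onboot.lst may name only the allowed extension, and it must exist.
    list="$usb/tce/onboot.lst"
    if [ -f "$list" ]; then
        while IFS= read -r ext || [ -n "$ext" ]; do
            [ -n "$ext" ] || continue
            [ "$ext" = "$ALLOWED_EXT" ] || note "unexpected onboot entry: $ext"
            [ -f "$usb/tce/optional/$ext" ] || note "listed but not present: $ext"
        done < "$list"
    else
        note "missing $list"
    fi

    # 2. The only X autostart script should be the browser launcher.
    for f in "$home/.X.d"/*; do
        [ -e "$f" ] || continue
        [ "${f##*/}" = "browser" ] || note "unexpected autostart script: $f"
    done

    # 3. The launcher must pass both flags named in the post.
    cmd=$(cat "$home/.X.d/browser" 2>/dev/null) || cmd=""
    for flag in -k -noexit; do
        case " $cmd " in
            *" $flag "*) ;;
            *) note "browser launcher lacks $flag" ;;
        esac
    done

    [ "$findings" -eq 0 ]
)

# Usage: sh audit.sh /mnt/sdb1 /home/tc   (paths are placeholders)
if [ "$#" -eq 2 ]; then audit_kiosk "$1" "$2"; fi
```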

Offline maro

Re: Locked Down OS
« Reply #4 on: March 23, 2011, 08:59:16 PM »
Here is another thread which touches on some aspects of how to prevent the user from getting control over the system (e.g. by getting access to a shell).

I believe what you'll need to do is to strip down TC a fair bit: eliminating boot codes (e.g. by changing '/etc/init.d/tc-config'), removing the ability to load any additional extensions, eliminating any options to execute user supplied startup scripts (e.g. '/opt/boot*.sh', '/etc/profile.d', '~/.X.d'), etc. So in general to customise the whole startup sequence to only support your chosen application (e.g. a browser) and pretty much nothing else.

I tend to agree that TC could be a good basis for all this, since it's not too difficult to really grasp all the steps that are being executed as part of the boot process (compared to the much larger "usual suspects" like Debian, Ubuntu, Fedora, Suse, ...).

So far I guess most of the work would be to carefully remove some capabilities. One thing you'll probably need to add would be some mechanism to ensure that the kernel and initrd have not been changed by the user. I could envisage a scenario to take the initrd from your USB stick and "enhance" it by adding back capabilities you've removed previously. Another approach I could think of would be to boot your USB stick in a VM and use all the "forbidden tools" on the host. So you probably will need to add tests to detect all these cases. Not really a large amount of work I'd imagine to add those tests, and I guess you already had to consider other ways of cheating ...
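
The two tests maro describes, sketched as an added example (not code from the thread or from Tiny Core): a hash check of the boot files against a manifest made at build time, and a heuristic for a virtualized boot. The function names and the manifest file are assumptions; `/proc/cpuinfo` and `/sys/class/dmi/id` are the standard Linux locations.

```sh
#!/bin/sh
# Added example: boot-file integrity check plus VM heuristics.

# verify_boot_files MANIFEST BOOT_DIR
# MANIFEST is sha256sum output ("<hash>  <relative path>") recorded at build time.
# Prints every entry that fails to verify; returns 0 only if all entries match.
verify_boot_files() (
    case $1 in /*) manifest=$1 ;; *) manifest=$PWD/$1 ;; esac
    [ -s "$manifest" ] || { echo "manifest missing or empty"; exit 2; }
    cd "$2" || exit 2
    # Changed and missing files both show up as non-OK lines.
    bad=$(sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true)
    [ -z "$bad" ] && exit 0
    printf '%s\n' "$bad"
    exit 1
)

# looks_virtualized [CPUINFO] [DMI_DIR]
# Returns 0 if the boot looks like a guest, 1 otherwise. Heuristic only.
looks_virtualized() (
    cpuinfo=${1:-/proc/cpuinfo}; dmi=${2:-/sys/class/dmi/id}
    # The CPUID hypervisor bit appears as the "hypervisor" CPU flag on x86.
    grep -Eq '^flags[[:space:]]*:.* hypervisor( |$)' "$cpuinfo" 2>/dev/null && exit 0
    # Firmware strings that common hypervisors present to the guest.
    for f in sys_vendor product_name; do
        [ -r "$dmi/$f" ] || continue
        case $(tr 'A-Z' 'a-z' < "$dmi/$f") in
            *vmware*|*virtualbox*|*innotek*|*qemu*|*kvm*|*xen*|*"virtual machine"*)
                exit 0 ;;
        esac
    done
    exit 1
)

# Usage: sh preflight.sh boot.sha256 /mnt/sdb1/boot   (paths are placeholders)
if [ "$#" -eq 2 ]; then
    verify_boot_files "$1" "$2" || echo "boot files differ from manifest"
    if looks_virtualized; then echo "running under a hypervisor"; fi
fi
```

A check stored on the stick can be removed by the same edit that alters the initrd, so keep the reference hashes off the stick and treat both results as signals to report to the exam server rather than as local enforcement.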

Offline bsavoie

Re: Locked Down OS
« Reply #5 on: March 24, 2011, 12:52:59 PM »
Thank you Maro & Gutmensch. You've been very helpful. I think I have what I need to put together a prototype. You guys rock!