Bringing Nix to The Dojo

This summer, I worked at Arizona State University’s SEFCOM Lab to help advance their cyber security learning platform pwn.college.

Background

pwn.college works by defining each individual assignment in a module as a challenge. When a user clicks start on a challenge, it initiates a new docker environment for them. Inside the image, the challenge author can put any programs or dependencies that they need for the user to complete the challenge.

The Problem

The issue with this system is that for the image to work on pwn.college, it has to use their docker image as a base, or completely start from scratch with no guarantees it will work on pwn.college. When a challenge author wants to add a dependency like python, since the challenge image already has it, that isn’t going to be pretty. Only one version will actually show up to the user. That creates a nightmare because some infrastructure components run after the challenge starts, so they can break if you change the version. This had limited what opportunities were available for challenge authors to build on the platform.

The Solution: Nix

According to their website, “Nix is a tool that takes a unique approach to package management and system configuration.” The unique approach that they take means that packages are immutable and will work no matter where they are running. This is perfect for solving the issue of conflicting dependencies, since each nix package is completely independent, it won’t interfere with the challenge environment at all.

Actually implementing nix

On paper, implementing nix seems like the perfect solution, and a walk in the park. But, it isn’t that simple. Nixpkg and the nix cli are only one part of the nix ecosystem.

The Start

Originally, we were able to get most infrastructure dependencies working great, and extremely quick. The issues started when we tried to get the desktop environment working. We got a variety of errors trying to start xfce, the desktop environment that the dojo was using. Most of the messages we got were unhelpful, and mentioned some vague error with dbus that couldn’t even be fixed by looking through the source code of the window manager. The problem with using nix is that, if you don’t use it with nixos, you loose access to all the services and components which make nix able to run an operating system.

We decided to admit defeat against the dbus beast, and use fluxbox. Which was not well received by anyone since it was such a downgrade compared to xfce, but we pushed through.

Desktops, Desktops, and More Desktops

During this time, I decided to start researching other desktops since, while fluxbox worked, it wasn’t pretty in the slightest. I tried almost every other desktop under the sun that I could find. From pekwm to every wlroot, while some things worked, they weren’t good enough to be integrated into the dojo. One key issue that I found was that logging in was extremely broken because some parts were run as root in my testing and depended on logind or seatd for wayland. Eventually, I was able to get jwm to work which, in my own words

looks suprisingly good Image of jwm desktop, similar to fluxbox in style

The Final Stretch

On the same day that I got jwm to at least output something usable, something amazing happened. I was able to use jwm to start the xfce desktop without error.

Me: holy crap Image of XFCE Desktop its xfce

Then, from there I was able to figure out that as long as I started xfce’s components and not the service, I could run xfce in the dojo. My final script ended up being

nix-shell -p xfce.xfce4-panel xfce.xfdesktop xfce.xfwm4
# In Shell
export DISPLAY=:42
xfwm4 &
xfdesktop &
mkdir -p /run/current-system/sw/{lib,share}
cp -r ${pkgs.xfce4-panel}/lib/xfce4 /run/current-system/sw/lib/
cp -r ${pkgs.xfce4-panel}/share/xfce4 /run/current-system/sw/share/
xfce4-panel &

We were finally able to get a working desktop environment, and integrate nix into the dojo

The Results

It worked! Nix in pwn.college has been deployed to thousands of learners across the world. Nix has been particularly helpful for fuzzing challenges because of their different dependencies that they need. Along with that, it is being used to teach the “hard-to-setup next-generation tools being developed for the Department of Defense”.

This was an amazing project, and I am happy I was able to create something like this.