Hash: SHA256

On Thu, Dec 01, 2016 at 12:07:56PM +0000, Andrew Clausen wrote:
> Hi Hopeful Fork,
> On 1 December 2016 at 08:59,  <hopefulf...@tuta.io> wrote:
> > Hello,
> >
> > Currently any AppVM has persistent storage, it is referenced by default at
> > least as /home, /rw/config, /usr/local. And software is executed from this
> > persistent storage from read-only system.
> >
> > This allows an adversary to install persistent AppVM exploit e.g. via
> > ~/.bashrc or /rw/config/rc.local. Advanced exploit can then hide its own
> > invocation script, so it won't be possible to detect it from running VM
> > itself (at least aafter /rw/config/rc.local is executed; so better check
> > when VM is turned off).
> >
> > I suppose that it is by design and that won't harm other, trusted VMs (with
> > an exception of unclear consequences of mounting this rw partition in
> > another dom). But there is a threat model when persistent exploit of
> > untrusted vm matters - the one when user wants to maintain anonymity.
> >
> > For example, a persistent exploit in network vm can be used to defeat MAC
> > randomization and track user location; it can even help mount attack against
> > Tor for an adversary that isn't user's ISP - exploit can monitor outgoing
> > Tor traffic and check correlations with incoming traffic of investigated
> > sites (that are within adversary's ISP).
> >
> > If the same is applicable to Whonix VMs, then it is even worse to anonymity:
> > persistent exploit in Gateway completely defeats Tor while persistent
> > exploit in Workstation can be used to deanonymise user via correlation
> > analysis if attacker is controlling user's ISP (in this case attacker can
> > send a controlled data stream to its own server over Tor and monitor
> > incoming Tor traffic at ISP level).
> At the moment, Qubes has a half-solution for this problem: Disposable
> VMs.  In principle you could use the Whonix workstation template VM
> for your disposable VMs, which have no persistent state.
> However, Qubes only lets you use one template for all of your
> disposable VMs.  So that means all of your disposable VMs would be
> using Tor, which is dangerous from an anonymity point of view (not to
> mention inconvenient).  For example, it would be dangerous to open
> Gmail in a disposable VM on Tor because that would link your exit node
> to your Gmail account.

Actually this isn't true, because of stream isolation. See here:

But the inconvenience argument still holds.

> It seems to me the best solution would be for Qubes to accommodate
> multiple disposable VM templates.

Multiple different Disposable VMs are already implemented in (upcoming)
Qubes 4.0.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Version: GnuPG v2


You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to