-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Dec 01, 2016 at 12:07:56PM +0000, Andrew Clausen wrote:
> Hi Hopeful Fork,
> On 1 December 2016 at 08:59, <hopefulf...@tuta.io> wrote:
> > Hello,
> > Currently any AppVM has persistent storage, it is referenced by default at
> > least as /home, /rw/config, /usr/local. And software is executed from this
> > persistent storage from read-only system.
> > This allows an adversary to install persistent AppVM exploit e.g. via
> > ~/.bashrc or /rw/config/rc.local. Advanced exploit can then hide its own
> > invocation script, so it won't be possible to detect it from running VM
> > itself (at least aafter /rw/config/rc.local is executed; so better check
> > when VM is turned off).
> > I suppose that it is by design and that won't harm other, trusted VMs (with
> > an exception of unclear consequences of mounting this rw partition in
> > another dom). But there is a threat model when persistent exploit of
> > untrusted vm matters - the one when user wants to maintain anonymity.
> > For example, a persistent exploit in network vm can be used to defeat MAC
> > randomization and track user location; it can even help mount attack against
> > Tor for an adversary that isn't user's ISP - exploit can monitor outgoing
> > Tor traffic and check correlations with incoming traffic of investigated
> > sites (that are within adversary's ISP).
> > If the same is applicable to Whonix VMs, then it is even worse to anonymity:
> > persistent exploit in Gateway completely defeats Tor while persistent
> > exploit in Workstation can be used to deanonymise user via correlation
> > analysis if attacker is controlling user's ISP (in this case attacker can
> > send a controlled data stream to its own server over Tor and monitor
> > incoming Tor traffic at ISP level).
> At the moment, Qubes has a half-solution for this problem: Disposable
> VMs. In principle you could use the Whonix workstation template VM
> for your disposable VMs, which have no persistent state.
> However, Qubes only lets you use one template for all of your
> disposable VMs. So that means all of your disposable VMs would be
> using Tor, which is dangerous from an anonymity point of view (not to
> mention inconvenient). For example, it would be dangerous to open
> Gmail in a disposable VM on Tor because that would link your exit node
> to your Gmail account.
Actually this isn't true, because of stream isolation. See here:
But the inconvenience argument still holds.
> It seems to me the best solution would be for Qubes to accommodate
> multiple disposable VM templates.
Multiple different Disposable VMs are already implemented in (upcoming)
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To post to this group, send email to firstname.lastname@example.org.
To view this discussion on the web visit
For more options, visit https://groups.google.com/d/optout.