On 04/15/2017 02:50 PM, Jean-Philippe Ouellet wrote:
What is your long-term goal with this effort? This and your "Qubes-VM-hardening" stuff [1] looks to be trying to allow data persistence while aiming to avoid the ability for the persisted data to somehow hijack control on subsequent VM boots.
Its not so much data as actual scripts... the latter roll out the red carpet for malware in regular template-based VMs. A statement of purpose for it would be: Leave no obvious pathways for malware to persist in the appVM startup process. Not terribly ambitious but probably worth doing.
If so, ISTM that this could be achieved using DispVMs with a persistent rw volume mounted somewhere other than /home (or any path which installed software automatically reads). Furthermore, such an approach also seems more robust than any attempt to essentially blacklist known-sensitive paths (which I think would eventually converge towards wanting to protect all of ~/.*) no?
DispVMs have only worked for me on-and-off, and customization is troublesome also (having app configs disappear). The implementation is still too 'rube-goldberg' at present. Also don't want to add new storage features to it.
Convergence towards '*'... nah. In /home I'm only interested in shell autostart scripts: bash, sh, desktop.
My current POC can also address persistence of malware in the root-owned parts of /rw. It will erase config, usrlocal, and bind-dirs if it finds specific user-added dirs in /etc/default. It will also copy scripts/files from there into the system. Even with this added scope, the problem space remains quite compact.
I'm curious what you have in mind and what the intended use case is.
Preventing shims and persistence loopholes in template-based VMs which have protected root access (i.e. vm-sudo). An argument against vm-sudo configuration is that its easy for an unpriv attacker to alter init scripts and acquire root privs when a user grants them for legitimate commands; Fixing that seems very realistic.
-- Chris Laprise, [email protected] https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/33ef30da-f359-38d6-531c-8a4681e73fa5%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
