On 05/27/2016 12:14 AM, Andrew David Wong wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-05-26 13:51, Chris Laprise wrote:
On 05/23/2016 06:57 PM, Andrew David Wong wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

On 2016-05-23 12:49, Chris Laprise wrote:
On 05/23/2016 12:06 AM, Andrew David Wong wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

On 2016-05-22 11:52, [email protected] wrote:
I tooled around in 3.1 and got the basic understanding
that you aren't running OS VMs like VMware but instead app
VMs, but I'm not familiar with how these work in respect to
isolation.

If I am running two app VMs under the same template and
one app gets infected, does everything in that template
get infected?

No, each AppVM has only read-only access to its TemplateVM.
A compromised TemplateVM can compromise all AppVMs based on
it, but not vice versa. Furthermore, two AppVMs do not pose
any risk to each other merely in virtue of sharing the same
TemplateVM.

More information:

https://www.qubes-os.org/doc/software-update-vm/#tocAnchor-1-1-3

I am running a disposable app VM and I assume it's infected; is
it possible to retrieve files from it without cross
contamination? Where are the instructions on how to do
this?

It's not really possible to answer that question in the
abstract. It always depends on the situation, and in general
it is difficult to do and almost always impossible to
verify.
Suspect files can be safely handled with qvm-copy between vms,
as long as no attempts are made to open them (even parsing them
can be risky). But the act of retrieval itself should be
considered safe.

This is in contrast to something like a USB drive that gets
mounted in different vms to move/retrieve data: The filesystem
itself poses a risk in that case.



Chris

IIUC:

1. We have to trust the compromised VM to qvm-copy the same file
we ask it to. It may appear to comply but in reality copy a
malicious file to the destination VM.

No, we don't have to trust a compromised vm in that way. The copy
operation itself is still safe.

Are you sure about that? What prevents a compromised VM from feeding
different data to its qrexec-agent or modifying the target file before
it's copied to the destination VM?

Yes, I'm sure. But the safety of qvm-copy and your point about modification are both true, and every Qubes user should realize it.


2. Since the copied file may have been modified to be or replaced
with a malicious file, opening it in the new, clean VM could
result in cross-contamination.

Right. That's why copying and archiving files is fundamentally
different from opening them.

Sure, but as a practical matter, what are the odds that boromirsbeard
(or anyone in the same position) just wants to copy the file out of
the compromised VM but not open it in the destination VM? Pretty low,
so I think point 2 is worth mentioning here.

Yet, we still have to make the distinction. If we did not, there would be no rhyme or reason to have confidence in more common operations like "trusted pdf" or even system updates.

This is one of those subjects where there is a fine line to walk between being too geared for a technical audience, and being too 'kind' to novice users. If we say copy operations can cause compromise (to err on the side of safety for a novice user), there are many MANY people who are just experienced enough to "know" the logical conclusion that Qubes can't protect them from anything and trusted pdf, secure dom0 menu system and secure updates are therefore a "sham".

Trust me: hang out on Slashdot or Ars Technica forums sometime. You will run into Qubes-haters who are very skilled hackers, yet they got the wrong end of the stick. They hate Qubes or Xen because it's "fundamentally insecure" for technical reasons that don't exist. Likewise, there are novices who may reject Qubes as they learn more about computing and start to question how "unsafe copy" between any vms can be consistent with good security.

So being mindful of the difference between copying and opening is essential, as is reflecting that in the documentation and advice. To heighten awareness of that difference is a positive thing for even the most novice Qubes users.

FWIW, there is also another distinction here: Pasting info from an untrusted vm into another vm does carry a significant risk. In that respect it is not like copying.

Chris
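The distinction Chris draws (the copy is safe because the receiving side treats the content as opaque bytes, whereas opening means parsing it) can be made concrete with a small receiver. The following is an added illustration written for this thread, not Qubes' own qfile-unpacker or qrexec code: it models the receiving end of an inter-VM file transfer. The only sender-controlled input it interprets is the file name, which it reduces to a single path component, and it bounds the size and creates the file without an execute bit. The bytes themselves are written verbatim and never examined, which is exactly why a compromised sender can hand over a malicious file but cannot compromise the receiver through the transfer itself. The quarantine path, the size limit and the sample payload are constructed for the example.

```python
import os
import pathlib
import tempfile

# Constructed limit for the example; a real receiver would pick its own bound.
MAX_FILE_SIZE = 8 * 1024 * 1024


class RejectedTransfer(Exception):
    """Raised when sender-supplied framing (name, size) is unacceptable."""


def safe_name(name: str) -> str:
    """Reduce a sender-chosen file name to one plain path component.

    The sender may be compromised, so the name is treated as hostile:
    directory traversal, absolute paths and NUL bytes are all neutralised
    by keeping only the last component and rejecting empty or dot names.
    """
    if "\x00" in name:
        raise RejectedTransfer("NUL byte in file name")
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise RejectedTransfer(f"no usable file name in {name!r}")
    return base


def receive_untrusted_file(name: str, payload: bytes,
                           quarantine: pathlib.Path) -> pathlib.Path:
    """Store bytes from an untrusted sender without interpreting them.

    Nothing here parses the payload: the receiver's attack surface is
    limited to the framing checks above. Whether the stored bytes are
    safe to *open* is a separate question the receiver cannot answer.
    """
    if len(payload) > MAX_FILE_SIZE:
        raise RejectedTransfer("payload exceeds size limit")
    quarantine.mkdir(parents=True, exist_ok=True)
    dest = quarantine / safe_name(name)
    try:
        # O_EXCL: never overwrite or follow a pre-existing file or link.
        # Mode 0o600: no execute bit, readable only by the receiving user.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise RejectedTransfer(f"refusing to overwrite {dest}") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)  # opaque bytes, written verbatim
    return dest


def demo() -> dict:
    """Constructed scenario: a compromised sender supplies hostile metadata."""
    quarantine = (pathlib.Path(tempfile.mkdtemp())
                  / "QubesIncoming" / "untrusted-dvm")  # hypothetical layout
    outcomes = {}

    # 1. Traversal in the sender-chosen name is neutralised; bytes stored as-is.
    stored = receive_untrusted_file("../../../outside.txt", b"opaque payload",
                                    quarantine)
    outcomes["stored_name"] = stored.name
    outcomes["inside_quarantine"] = stored.parent == quarantine
    outcomes["mode"] = stored.stat().st_mode & 0o777
    outcomes["content_verbatim"] = stored.read_bytes() == b"opaque payload"

    # 2. An oversize payload is rejected before anything touches disk.
    try:
        receive_untrusted_file("big.bin", b"\0" * (MAX_FILE_SIZE + 1), quarantine)
        outcomes["oversize"] = "accepted"
    except RejectedTransfer:
        outcomes["oversize"] = "rejected"

    # 3. A name with no usable component is rejected.
    try:
        receive_untrusted_file("..", b"x", quarantine)
        outcomes["dotdot"] = "accepted"
    except RejectedTransfer:
        outcomes["dotdot"] = "rejected"

    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the asymmetry in the thread: the receiver validates a few bytes of framing and otherwise stores what it is given, so a lying sender gets a malicious file stored, not a compromised receiver. Everything that would give that file a chance to act (a PDF reader, an archive tool, a shell) happens only when someone opens it, which is why the advice to copy-but-not-open is consistent rather than contradictory.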
