On 2016-07-03 05:49, danmichaels8...@gmail.com wrote:
> I have a question on the "security-critical code" page on the
> QUBES OS website....
> 
> https://www.qubes-os.org/doc/security-critical-code/
> 
> "There is an important distinction between the buggy code and 
> maliciously trojaned code. We could have the most secure
> architecture and the most bulletproof TCB that perfectly isolates
> all domains from each other, but it still would be pretty useless
> if all the code used within domains, e.g. the actual email clients,
> word processors, etc, was somehow trojaned. In that case only
> network-isolated domains could be somehow trusted, while all others
> could be not.
> 
> The above means that we must trust at least some of the vendors
> (not all, of course, but at least those few that provide the apps
> that we use in the most critical domains). In practice in Qubes OS
> we trust the software provided by Fedora project. This software is
> signed by Fedora distribution keys and so it is also critical that
> the tools used in domains for software updates (yum and rpm) be
> trusted."
> 
> --------------------------------------------------------
> 
> I am very confused by this part on the page.
> 
> It seems to imply that QUBES depends on being able to trust the 
> security of word processors etc.
> 
> I thought the whole point of QUBES was that nothing is ever 
> up-to-date and secure, and thus, you put everything in a sandbox
> and isolate it all... and therefore, it doesn't matter about things
> like security problems with a word processor.
> 
> But this page seems to imply something different.
> 
> Can someone explain this to me?
> 

Here's an analogy:

Suppose you have a very secure house. It's very secure in the sense
that the walls and doors are very difficult to break, and the locks on
the doors are very difficult to pick. Only you have the keys to these
locks, so only you can unlock them.

However, some of the rooms in your house have windows. If an intruder
manages to open any of the windows, he can easily climb in and out. To
keep the windows secure, you rely on window shutters. However, you're
not sure how secure these shutters are because you got them from a
standard home improvement store, which focuses on making nice-looking,
functional window shutters (rather than security-oriented window
shutters). If it turns out that you purchased insecure shutters, then
it'll be relatively easy for intruders to enter all of the rooms in
your house that have windows. (However, it will still be very
difficult for them to move between rooms and to access any rooms
without windows.)

In this analogy, the window shutters represent apps (such as word
processors and browsers) that run in AppVMs. These are standard,
received from upstream projects, not developed by Qubes, and typically
not developed with security in mind. (Whonix is a notable exception,
of course.) The windows represent network access. The walls represent
VM isolation. The doors represent secure inter-VM channels
(copy/paste, file transfer).

The moral of the story is: It doesn't matter how strong your walls and
doors are if your window shutters are letting intruders in and out
through your windows. Likewise, it doesn't matter how good your VM
isolation is if your apps are all compromised. The exception is the VM
("room") that has no network access ("windows"). But even this isn't
entirely safe due to the existence of covert channels ("air ducts").

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
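The quoted documentation makes the practical point that the software inside an AppVM is only as trustworthy as the vendor signing it, which is why the signing keys and the update tooling (yum/rpm) sit inside the trust boundary. The check a practitioner would actually run in a template is an audit of which key signed each installed package. The script below is an added example, not code from the mailing-list post, the Qubes documentation or the Qubes project: it reads the output format of `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'` and flags every package that is unsigned or signed by a key outside an allowlist. The key IDs in `TRUSTED_KEY_IDS` and the sample lines are constructed placeholders, not real Fedora key IDs.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the Qubes docs): audit
# installed packages and report any not signed by an allowlisted key.
# Expected input: lines from `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`.

# Allowlisted signing key IDs (lower-case 16-hex-digit key IDs), one per line.
# CONSTRUCTED placeholders: replace with the IDs of the distribution's
# published signing keys.
TRUSTED_KEY_IDS="0123456789abcdef
fedcba9876543210"

# CONSTRUCTED sample of rpm output: two trusted packages, one signed by an
# unknown key, and one unsigned local build.
SAMPLE_RPM_OUTPUT='bash RSA/SHA256, Mon 01 Jan 2024 00:00:00 UTC, Key ID 0123456789abcdef
vim-enhanced RSA/SHA256, Mon 01 Jan 2024 00:00:00 UTC, Key ID fedcba9876543210
unknown-tool RSA/SHA256, Mon 01 Jan 2024 00:00:00 UTC, Key ID deadbeefcafef00d
localbuild (none)'

# untrusted_packages: reads rpm output on stdin and prints "NAME KEYID" for
# each package signed by a key outside the allowlist, or "NAME unsigned" for
# packages carrying no signature at all. Prints nothing when all is well.
untrusted_packages() {
    awk -v trusted="$TRUSTED_KEY_IDS" '
        BEGIN {
            n = split(trusted, ids, "\n")
            for (i = 1; i <= n; i++)
                if (ids[i] != "") ok[tolower(ids[i])] = 1
        }
        {
            name = $1
            if ($2 == "(none)") { print name " unsigned"; next }
            # rpm prints the key ID as the last field of the pgpsig string
            keyid = tolower($NF)
            if (!(keyid in ok)) print name " " keyid
        }
    '
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | untrusted_packages
```

In a real template the pipeline is `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n' | untrusted_packages`. Note that the key ID in the package header only records which key the signature claims to come from; it does not verify the signature itself, so the audit complements rather than replaces `rpm --checksig` against the keys imported into the rpm keyring.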
