On Sunday, September 25, 2016 at 7:34:28 AM UTC-4, johny...@sigaint.org wrote:
> > Simple question: Why are Ethernet and WiFi in sys-net..?
> >
> > Is it
> >
> > (A) Just for easy access to the same network for all App VMs..?
> >
> > (B) Because this is isolating Ethernet and WiFi from the rest of the
> > system, to stop DMA attacks..?
> Primarily (B).  Any DMA attack or other network hardware compromise is
> confined to the net VM, and not your more critical work VM's (or dom0).
> > It's not clear to me whether the VT-D protection is occurring because you
> > are putting these devices in sys-net.
> >
> > Or whether the VT-D is implemented regardless of which VM the
> > Wifi/Ethernet are in.
> I'm not quite clear what you're getting at here.  The network device(s)
> could live in any VM, and thus be isolated from the rest of the system.
> But by Qubes convention, the devices are put in sys-net, which is
> sys-firewall's NetVM, which in turn is typically the NetVM for other
> AppVM's.
> > I ask this because I want to run some programs in sys-net, and wonder
> > whether a DMA attack could screw up these programs.
> It absolutely could.  I'd generally recommend against running anything in
> sys-net unless its very specifically needed, raw net-related, or low-risk.
>  Things like wireshark, iptraf are useful to have in sys-net, for example.
> Any program running in sys-net doesn't benefit from the firewall rules
> protection at all, either.
> Just as with dom0, the fewer programs running (and thus the smaller attack
> surface) in sys-net (and sys-firewall), the better.
> Which is why I'd like to see unnecessary things like pulseaudio, exim,
> (and possibly even the X server) not included in sys-net by default.  I
> think there's a Qubes ticket to that effect.
> Digressing a bit, but here's an interesting, leaner replacement for
> sys-firewall:
> http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
> What's the nature of the program(s) you want to run in sys-net?  Is there
> any reason they couldn't be run in another AppVM instead?
> JJ

anything listening to traffic is a security risk.  wireshark is a known 
security risk in itself.  But that is whats cool about qubes,  the sys-net is 
considered untrusted anyways. so actually perfect for running something like 

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to