On 2/15/19 8:47 AM, [email protected] wrote:
On Friday, 15 February 2019 16:37:17 UTC+11, Chris Laprise wrote:
On 2/14/19 10:02 PM, [email protected] wrote:
Hi all,
Right now I use Qubes for a bit of fun - setting up VPNs - chaining them,
trying to get HVMs up and running, just messing about. I do plan to totally
phase out my other OSes for it, but there's one thing that keeps going through
my mind.. how isolated are the VMs from each other actually?
I know Qubes is 'reasonably' secure, but how secure? Could a whistleblower
have a whonix VM open handling sensitive materials while at the same time have
a personal VM with ISP connection and google/facebook/work sites open, with no
issue at all? If the whistleblower would only be able to use the machine for
sensitive purposes due to leak potentials, etc, wouldn't this make using Qubes
pointless?
Of the myriad remote attacks that can be used against traditional
operating systems, basically one type is thought to be effective against
Qubes in general: Side-channel attacks.
https://en.wikipedia.org/wiki/Side-channel_attack
The best way to mitigate these is to not run public key crypto in
trusted VMs at the same time untrusted VMs are running (although this
can be a problem when VMs like sys-net and sys-usb are considered).
Also, test your hardware to see if it's susceptible to rowhammer.
In contrast, even a physically isolated system can be less secure than a
Qubes system. This is because the devices and drivers used for
interfacing (SD cards, DVDs, USB drives - even occasionally) are much
more complex and vulnerable than the interfaces on a Qubes VM. And if a
Qubes VM does become compromised, chances are much better that the core
system and firmware will remain safe.
https://blog.invisiblethings.org/2014/08/26/physical-separation-vs-software.html
Finally, assuming that attacks will succeed at least occasionally (and
Qubes is built with this assumption for guest VMs): How recoverable is
the situation? A Windows system that had its firmware compromised will
continue to run malware even after the OS is wiped and re-installed. A
Qubes system OTOH probably has intact firmware and malware can be
removed by removing the affected VM.
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Thanks for the reply, Chris.
So, apart from the rare chance of a side-channel attack, one should be able to
surf safely in Whonix, or a private VPN'd VM, while being able to surf regular
sites such as this google hosted mail group on another without overlap, or the
data from Whonix hitting a non-torified machine?
Yes, I believe the isolation in that context to be excellent, especially
since Qubes 4.0 now uses hardware isolation for VMs (PVH mode instead of
PV). PV mode had allowed some containment issues to arise in the past,
but hardware virtualization capability has become widespread enough (and
better supported in Xen) such that the new PVH mode could be used for
better isolation.
As for side-channel attacks, they are thought to be rare and difficult
to execute but I wouldn't count on it remaining that way. Tor Project
appears to be testing constant-time crypto to avoid some of the worst
side-channels:
https://trac.torproject.org/projects/tor/ticket/18896
Other improvements in side-channel resistance will come not from crypto
code but from better hardware such as RAM and CPUs. I believe you can
get somewhat better resistance already by using AMD instead of Intel
CPUs, as AMD appear to take fewer shortcuts and fare better against
Spectre and Meltdown, for example. ECC RAM support is also more
prevalent in AMD products, and this provides some protection against
rowhammer.
In the long term, some of us are hopeful that open source hardware could
address these nagging issues, as well as the issue of possible backdoors
in hardware and firmware. We have some advocates here for OpenPOWER,
although Qubes cannot yet run on it.
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
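The reply above points to the Tor Project's work on constant-time crypto as a way to remove some of the worst timing side-channels. The following is an added illustration written for this thread, not code from the discussion, from Tor, or from Qubes: it contrasts a naive byte comparison, which stops at the first mismatch and so leaks how many leading bytes of a secret matched, with a constant-time comparison that always touches every byte. Rather than measuring wall-clock time (which is noisy), each function also reports how many bytes it examined, so the leak is visible deterministically. The function names and sample values are constructed for the example.

```python
"""Constant-time vs. variable-time comparison (added example, not from the thread)."""
import hmac
import secrets


def naive_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Variable-time compare: returns at the first mismatching byte.

    Returns (match, bytes_examined). The second value is what a timing
    side-channel would observe: it grows with the length of the matching
    prefix, so an attacker can recover the secret one byte at a time.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for x, y in zip(expected, provided):
        examined += 1
        if x != y:
            return False, examined  # early exit leaks the mismatch position
    return True, examined


def constant_time_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Constant-time compare: work done does not depend on where bytes differ.

    Every byte is XORed and the results OR-accumulated; the decision is made
    once, after the loop, so bytes_examined is always len(expected) for
    equal-length inputs regardless of content.
    """
    if len(expected) != len(provided):
        # Length is not secret here (e.g. a fixed-size MAC), so a length
        # mismatch can be rejected immediately without leaking content.
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(expected, provided):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def stdlib_compare(expected: bytes, provided: bytes) -> bool:
    """What production code should actually use: hmac.compare_digest."""
    return hmac.compare_digest(expected, provided)


def demo() -> dict:
    """Show that the naive compare's work depends on the matching prefix length."""
    secret = secrets.token_bytes(16)          # constructed sample secret
    # Guess that matches the first 5 bytes, then differs.
    partial_guess = secret[:5] + bytes((b ^ 0xFF) for b in secret[5:])
    wrong_guess = bytes((b ^ 0xFF) for b in secret)
    return {
        "naive_partial": naive_compare(secret, partial_guess),      # (False, 6)
        "naive_wrong": naive_compare(secret, wrong_guess),          # (False, 1)
        "ct_partial": constant_time_compare(secret, partial_guess),  # (False, 16)
        "ct_wrong": constant_time_compare(secret, wrong_guess),      # (False, 16)
        "ct_equal": constant_time_compare(secret, secret),           # (True, 16)
        "stdlib_equal": stdlib_compare(secret, secret),              # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive version's examined-byte count rises with every correctly guessed prefix byte, which is exactly the signal a co-resident VM would try to read through timing or cache behaviour. The constant-time version's count is fixed, so the data-dependent signal is gone. Note that the Python loop is only an illustration of the structure; interpreter overhead makes real timing guarantees impossible, which is why the standard library's `hmac.compare_digest` (implemented in C) is the right call in practice.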