Firstly I really love the direction Qubes has taken the future of operating systems, and its has definitely become my OS of choice.
HOWEVER, i feel that Qubes OS relies HEAVILY on ONE security mechanism > Isolation.
There are 2 ways we can improve security
1. But adding layers of protection.
2. By reducing the attack surface area.
====================
Layers of protection
====================
In regards to layers of protection, IMO Qubes only has one. By isolating VM's if a system is infected, it has to breach that VM & gain access to dom0, where it then has total control of the system.
The problem is in the current configuration, there is nothing to stop a hacker or malicious software from running, manipulating VM system files, or downloading additional hack tools/scripts to attempt to breach into dom0.
To basic extra layers of protection missing from Qubes that usually hardens Linux security are;
Password protected root access on VM's
SELinux or AppArmor.
I have read Qubes excuse for NOT requiring a password for root access in VM's https://www.qubes-os.org/doc/vm-sudo/
I frankly think saying "its highly unlikely if that person (who could breach a VM to dom0) couldn't also find a user-to-root escalation in VM" as a very LAZY justification.
They have basically said, Elite hackers can gain root, so lets just not even bother with this foundational layer of security.
So we have VM's where any script kiddies code can run riot. This to me is over confidence in VM isolation, and a lax attitude because, hey if your infected you can just reboot & VM is clean again right? Except the infected files sitting in the home directory, just waiting to be opened again and run with root permissions.
And in the example of a server VM, that system may rarely be rebooted very often? Infecting the system to infect others that connect to that server. NOT GOOD.
From what i've read SELinux isn't running do to some compatibility errors, and because there is no point when the whole system has root access. Well lets lock down default VM root access, and lets find a way to make SELinux work in Qubes VMs & even dom0, or possibly AppArmor. Or maybe we need a totally new piece of software that is Qubes specific.
The more layers of security in the system the better.
================================
Reducing the attack surface area
================================
Qubes OS through the use of dom0 has reduced the attack surface area of the kernel, which is good.
However, where i think Qubes could improve right out of the box, is having dedicated minimized templates for sys-net & sys-firewall.
I spent time setting up fedora-23-minimal templates specifically for sys-net, sys-VPN, banking, email & browsing. I plan to make another for sys-firewall soon. VM's that have the minimal amount of programs on as possible, reduce the attack surface, and possible exploits.
Again SELinux not only adds a layer of protection, it also reduces the attack surface area vulnerable in the system.
=================
Finial suggestion
=================
I would like to see the option to setup a decoy OS in the installation procedure, similar to true crypt/Veracrypt.
These days many countries airport security can force you to turn on your laptop to be inspected, and while i imagine airport security being very confused by Qubes haha, It would be nice to not have to show them any secure files.
Another approach could be decoy VM's (as opposed to another entire decoy Qubes OS), that boot into different encrypted VM's depending on the password.
==================
I do think the Qubes OS team are doing a great job. And i hope they maintain a security based focus, and not depend solely on isolation.
===================
Looks like the DRAMA attack would require root access in VM, to compromises Qubes shared memory
"taskset 0x2 sudo ./measure -p 0.7 -s 16."
https://groups.google.com/forum/#!topic/qubes-users/qAd8NxcJB3I
=====================
I thought of a possible persistent attack vector, that would survive even after rebooting the VM.
If malware wrote its self into rw/config/rc.local it could reinfecting the system every restart.
===================
=======================
Also today i used the CLI command to move files between VM's
"qvm-copy-to-vm"
a dom0 prompt seems to be the only thing stopping an attacker spreading malicious code across the whole machine, including templates.
Using the DRAMA attack to Authorize, bypass or spoof permission to transfer malware across the entire system.
A VM root password would just add that extra layer of prevention.
===================
All of these attacks could be mitigated with a password for root access in VM.
SELinux policies could also limit directories being read & written to.
Im still studying Qubes OS tho. Perhaps there are existing security features in qubes im unaware of that prevent these attacks without requiring a VM root password?
Good suggestion. A script that shrinks templates into minimals. I like this idea. A script could then also create a min debian template too.
I just had a look inside the Qubes-R3.2-x86_64.iso
I found the templates under packages/q
I wonder if a script could also be used to turn a whonix-ws into a whonix-gw or vise versa. This could reduce the size of the Qubes.iso by about 500mb. making more room for other goodies.
Why not grsecurity/PaX? especially with Qubes 4 switching to HVM (or PVHv2 or whatever it's called now), it will apparently work fine.
Nice suggestion. I would certainly welcome its implementation.
Actually looks like there were successful efforts to implement this back in 2013.
https://groups.google.com/forum/#!topic/qubes-devel/l5mi2dklu18
Seriously, why didnt qubes pick this up and run with it?
I'd also rather see Grsecurity. But if for whatever reason that's not possible, both legally (I think Grsec guys require an all or nothing adoption) or technical (Subgraph guys were complaining about Qubes not being compatible with part of Grsecurity), then at least I hope all the security features being introduced into the Linux kernel in the future from the Kernel Self-Protection project, will be adopted and implemented by default by Qubes.
I don't know if this is possible with the new management in Qubes 3.2, but what I'd like to see in the immediate future is the possibility to configure some apps and sandboxes ahead of time - like for DispVMs.
For instance, let's say I want to see Chromium in a DispVM. I would like to always open DispVM with Chromium sandboxed by Firejail. I wouldn't want to configure that everytime I open a Dispvm, or any other VM.
The argument against this may be "why bother with that when DispVM will be discarded in minutes to hours anyway?"
Well, first, I'd like the extra protection even within DispVM. As the op said, you could still get VM-escaping exploits in that root-enabled environment.
Second, if I have a Personal VM, and a Work VM, a banking VM, and an Others VM, I'd have to configure Firejail for all of them, too. I'd prefer I'd do it only once. But I guess it wouldn't be THAT much of a hassle if I only had to do it four times once.
I'd still prefer to be able to configure it for DispVM, though. Because I'd probably want more than just Firejail configured. So I'd need a way to configure everything so I can use that configuration for all future DispVMs.
you can use apparmor too to harden your browser alongside grsec. It is prepackaged for whonix vms so you can refer to their Qubes install instructions on how to install it on debian. We would then have to make sure kernel accepts apparmor but most by default do. although in Qubes all these protections are not as meaningful as a baremetal os I still think they are still useful in ways. definitely helps not having to compile or configure anything yourself to use it, if it is considered ok and safe for official repo.
I still think alot of main security boils down to how many programs/services you have running at one time, and how many listening on network. Thats where compartmentalization helps as well.