Is it
(A) Just for easy access to the same network for all App VMs..?
(B) Because this is isolating Ethernet and WiFi from the rest of the system, to stop DMA attacks..?
It's not clear to me whether the VT-D protection is occurring because you are putting these devices in sys-net.
Or whether the VT-D is implemented regardless of which VM the Wifi/Ethernet are in.
I ask this because I want to run some programs in sys-net, and wonder whether a DMA attack could screw up these programs.
Thanks
The consensus so far is that anything I run inside sys-net should be vulnerable, and that it is advised not to run programs in sys-net.
So, in this case, how am I supposed to run my Ethernet Tor hotspot..?
I had somebody write me a script that lets Qubes connect by WiFi to my home router, and then serve out an Ethernet hotspot that runs everything through Tor.
The program works fine, but yes, it does run within sys-net.
Question:
Could a DMA attack on WiFi device or Ethernet device then take over the entire Net VM, modify my Tor script, and then do whatever, like, leak my real IP, pass all data to the hacker, etc?
"it bridges the two interfaces but uses NAT to achieve it"
I am NOT asking you to make an alternative system.
I am simply asking whether an attack on the WiFi/Ethernet in the Net VM could also end up messing up my Tor script.
Look at the question again:
"
Now, if the compromised sys-net can somehow otherwise breach other
AppVM's or dom0, you're screwed.
"
------
Yeah... and surely this is exactly what can happen, no..?
We had 2 Xen exploits in the last 1 year.
Surely a compromised sys-net can just run a Xen exploit, and can then breach into any other VM, including dom0.
This is the whole reason why I decided to use 2 laptops.. because Xen is not secure.
So, I think the solution is to simply use a WiFi and Ethernet that do NOT have any bugs in the first place.
As far as I can tell, networking firmware in Linux is actually implemented in Linux, and not installed on the actual device itself.
Therefore, so long as the driver was open source, then surely it can be audited for any DMA bugs.
Here is a comparison of open source wireless drivers
https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers
Are there any particular WiFi chips on this list that anyone recommends..?
Are certain ones known to be more secure than others..?
Because to me, this is where this thread has now ended up.
"The card doesn't have a host CPU and so it doesn't require a firmware source"
that seems like the most interesting
the driver would still need to be bug-free though
who knows whether any of these have even been audited
thanks for your replies though... very detailed and very useful
With Firefox, you have a page "Security Advisories", which lists the history of Firefox exploits.
I wonder if such a thing exists for WiFi drivers + firmware.
Or even a list of any major audits of WiFi drivers + firmware.
If there is some really easy way to see which WiFi devices are the most secure.
Something like "security advisories", but for WiFi devices.
But I guess if no eyeballs are even looking at the code, then no one will find any bugs.
Ultimately, what's needed is a Truecrypt-style major audit.
If we could crowd-fund an audit of a major WiFi chip(s), that may be the key.
I'm only trying to protect WHO I am, and not WHAT I'm doing.
So I don't care about DMA attacks on the 2nd laptop.
I only aim to protect the Tor hotspot thing that is set up in the Qubes system.
And for this, I think the solution is to use a safe WiFi/Ethernet device, if these things even exist.
Of course, this means that I don't even really need Qubes at all, which you pointed out in an earlier post.
I originally thought I needed Qubes for this system.... but in fact, VT-D simply doesn't do what I originally thought it did.
I originally thought VT-D isolated the networking devices themselves.
But in fact, VT-D simply allows networking devices to be inside the Net VM.
The Net VM still relies on Xen to separate itself from the rest of the Qubes system.
Hence, it all comes back to Xen. Maybe Qubes 4.0 and SLAT will make Xen secure.
But for now, I think using 2 laptops is more secure, so long as we can be sure there are no bugs in the networking drivers.
It does indeed come down, to either Xen, or my networking stack.
Let me ask... what is the security like for Ethernet..?
Let's say I connected to my home router via Ethernet, and also served out the Tor connection to a 2nd laptop, over Ethernet.
In this setup, there is no WiFi at all.
Would that make things more secure..?
I originally created my own, because I saw that Whonix didn't have VT-D.
But then I learned that VT-D is nowhere near as good as I thought.
I originally thought VT-D isolates the devices from the Net VM itself. But in fact, VT-D only keeps the devices inside of Net VM... and the security of Net VM itself is still dependent on Xen.
So... yes.... I will definitely look into using Whonix for this rather than my own script.
But just to re-iterate my previous question.. do you think Ethernet is any more secure than WiFi.
In your answer, you explicitly say to get rid of WiFi, due to security problems... But how about Ethernet..?
Thanks
I wasn't really talking things like RF leakage etc.
WOW
That's INSANELY complex.
A bit like how people have said phone basebands are incredibly complex, not to mention, closed source.
All this wireless stuff in general seems to be super super complex, and thus, prone to security problems.
> But just to re-iterate my previous question.. do you think Ethernet is any more secure than WiFi.
When I suggested heeding the advice of more knowledgeable people, I wasn't referring to me. In terms of Qubes' networking, Joanna makes her opinion pretty clear in her paper. You can get opinions on "ethernet vs wifi security" by using your search engine.
One thing that's not debatable is that wifi can make connections without physically plugging cables - much harder to do using a cable-only network. JJ makes some good points.
On Monday, September 26, 2016 at 7:25:43 PM UTC, johny...@sigaint.org wrote:
> (apt-get-transport tor is slightly preferable, since it goes directly to
> Debian's hidden service, encrypted of course, for updates. But hopefully
> package signing would reduce any risk for dodgy exit nodes and the like
> when using sys-whonix for updates.)
sys-whonix doesn't require apt-transport-tor. All you need to do is edit your apt sources to use the Debian onion mirrors. https://forums.whonix.org/t/debian-starts-onionizing/2797/11
--------------------------------
On my previous reply, I came to some rather misleading (ie wrong) conclusions regarding the benefits of various setups. The 3 scenarios worth examining are the following:
A. Default Qubes-Whonix
Internet -- [NetVM -- Whonix-GW -- AppVM]
B. Whonix Physical Isolation
Internet -- [Whonix-Gateway Box] -- [Laptop]
C. Qubes + Whonix Physical Isolation
Internet -- [NetVM1 -- Whonix-Gateway -- NetVM2] -- [Laptop]
First, we assume that Whonix-Gateway is trusted and that the Tor protocol is safe. If one wishes to hedge this assumption, he can route Tor over a second anonymizing network such as i2p or Jondo.
In terms of Attacks from the Internet:
* Qubes is preferable to non-Qubes since the networking code / device is isolated from the rest of the system by Qubes networking. A successful attack against the Tor Gateway requires a general networking exploit plus either a Xen breakout or a flaw in Qubes networking. [A], [C] are big winners.
In terms of Attacks from the AppVM/Client:
* [A] is vulnerable to a deficiency in Qubes networking as well as a Xen breakout from the AppVM itself.
* [B] is vulnerable to the Ethernet networking stack.
* [C] requires a vulnerability in both the Ethernet networking stack AND either the Qubes networking code or a Xen breakout.
* A disadvantage of both [B] and [C] is that they have the full networking stack in the Laptop, making the machine that much easier to compromise. A compromise of the Laptop may or may not de-anonymize the user. Ideally, the Laptop should also be compartmentalized using Qubes or as a hedge, a different hypervisor.
anything listening to traffic is a security risk. wireshark is a known security risk in itself. But that is whats cool about qubes, the sys-net is considered untrusted anyways. so actually perfect for running something like wireshark.