How do you think about the clipboard inter-VMs


pillule

Jan 5, 2021, 11:04:13 PM
to qubes...@googlegroups.com

Hello,

I wonder how you manage your computing life with the problem of
the clipboard / file sharing.

The documentation states:
https://www.qubes-os.org/doc/copy-paste/
“However, one should keep in mind that performing a copy and paste
operation from less trusted to more trusted qube is always
potentially insecure, since the data that we copy could exploit
some hypothetical bug in the target qube. For example, the
seemingly-innocent link that we copy from an untrusted qube could
turn out to be a large buffer of junk that, when pasted into the
target qube’s word processor, could exploit a hypothetical bug in
the undo buffer. This is a general problem and applies to any data
transfer from less trusted to more trusted qubes. It even applies
to copying files between physically separate (air-gapped)
machines. Therefore, you should always copy clipboard data only
from more trusted to less trusted qubes.”

Also I remember a paper of Joanna Rutkowska assuming the same
principles.


I guess most of us cheat these rules sometimes;
if one deploys post-installation scripts in dom0,
or takes notes in a vault and wants to copy in that URL,
or maybe wants to take that snippet into that template ...

I am curious to know how you think about it.

I would like to leave the least possible of my data in the VMs which
are exposed to the network. This, with the fact the resources of
my computer are limited, unfortunately may lead to open breaches
in the compartmentalization:
Now I have a vault where I take notes and need to paste things
into it. I can't afford using a vault for each new context and it
will not solve the issue of the clipboard.
Maybe I should just stick to the idea of one context equals one VM,
and refine what I think is pertinent to put on the word ‘context’.

Otherwise, is there really nothing one can do to enforce the
integrity of a piece of text?
Like using an OCR from dom0 to retranscribe a screenshot of a
less trusted VM (is that dumb or also somehow flawed or just so
loud nobody wants it)?

--

Steve Coleman

Jan 6, 2021, 11:45:11 AM
to pillule, qubes-users
On Tue, Jan 5, 2021, 11:04 PM pillule <pil...@riseup.net> wrote:

> Hello,
>
> I wonder how you manage your computing life with the problem of
> the clipboard / file sharing.
>
> I guess most of us cheat these rules sometimes;
> if one deploys post-installation scripts in dom0,
> or takes notes in a vault and wants to copy in that URL,
> or maybe wants to take that snippet into that template ...
>
> I am curious to know how you think about it.

My take on it is to weigh the risk. For instance, I have a 'Purchasing' vm and an Internet vm. I'll do all my searching of what I want to buy in the Internet VM and then copy the specific URL over to the Purchasing VM, rather than using the Purchasing vm to peruse the internet. I feel there is much more likelihood of picking up malware by visiting random internet sites than if I copy and paste a single URL from a site whose URL I have already inspected. I'll do the same kind of checks when moving receipts and data from Purchasing to my Banking VM.

For the really paranoid you can create a dvm text editor, paste the URL/text data there for inspection before finally copying it to the real destination VM.

If the theoretical copy buffer attack is against Qubes itself I may still be screwed, but that would have to be done by an adversary that both knows what site I will be visiting and also knows in advance that I use Qubes. We are talking Nation State adversary, who clearly already knows an awful lot about me. At that level of the game it's only a matter of time since clearly I am already a defined target of theirs. Pulling the plug would be the only effective defence at that point.

So, weigh the risks and take precautions where possible. Always try to double check what you are copying/moving across VMs and be appropriately paranoid when moving data to a higher security domain.

Vít Šesták

Jan 8, 2021, 5:58:30 PM
to qubes-users
Well, it depends:

* When pasting to a terminal, you should always think twice. (This BTW also holds for pasting a text copied from a webpage to a terminal – the webpage might let you copy something other than what you can see…)
* When pasting to a text editor with highlighting, there is some risk of a vulnerability in the text editor.
* When pasting to a text editor with no highlighting etc., the risk is probably quite low.

Well, you could have an application that actively monitors the clipboard and processes it in a vulnerable way. I don't think this is very likely, but it is possible in theory.

On OCR: I am not sure how it could help. Maybe it could limit the character set and let you review the copied text. Cool, but I believe this can be done in some much easier ways…

@stevenlc: Nation State Adversary has a good acronym…

Vít Šesták 'v6ak'

awokd

Jan 9, 2021, 7:25:14 PM
to qubes...@googlegroups.com
pillule:
>
> Hello,
>
> I wonder how do you manage your computing life with the problem of the
> clipboard / file sharing.

> For example, the seemingly-innocent link that we
> copy from an untrusted qube could turn out to be a large buffer of junk
> that, when pasted into the target qube’s word processor, could exploit a
> hypothetical bug in the undo buffer.

Qubes does show the number of bytes copied to the buffer when you
perform a shift-ctrl-c. If this is the same as the (small) number of
characters you are copying, chances of a successful attack fitting in 20
bytes or whatever are pretty slim. File sharing is a different matter;
you can address it somewhat by keeping your archive VM not network connected.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
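
The checks suggested in the replies above (compare the byte count with what you believe you selected, restrict the character set, and review text before it reaches a terminal) can be sketched as a small Python function. This is an added example, not part of the thread or of Qubes itself; the function name and sample inputs are constructed for illustration, and it is meant to run on the clipboard text inside a disposable qube before the text moves on.

```python
import unicodedata

def inspect_clipboard(data, expected_chars=None):
    """Return findings for raw clipboard bytes; an empty list means nothing was flagged."""
    findings = []
    # Byte-count check: the size reported at copy time should match what you
    # believe you selected (for plain ASCII, one byte per visible character).
    if expected_chars is not None and len(data) != expected_chars:
        findings.append(f"size: {len(data)} bytes, expected {expected_chars}")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append(f"encoding: invalid UTF-8 at byte {exc.start}")
        return findings
    for offset, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if cat == "Cc":
            # Newline, ESC, backspace, tab: a newline makes a shell run the line at once.
            findings.append(f"control: U+{ord(ch):04X} at char {offset}")
        elif cat == "Cf":
            # Zero-width and bidi-override characters do not show on screen.
            findings.append(f"invisible: U+{ord(ch):04X} at char {offset}")
        elif ord(ch) > 0x7E:
            # Outside printable ASCII: possibly a look-alike letter.
            name = unicodedata.name(ch, "unnamed")
            findings.append(f"non-ascii: U+{ord(ch):04X} {name} at char {offset}")
    return findings

# Constructed samples: (clipboard bytes, number of characters the user thinks they copied)
SAMPLES = [
    (b"https://www.qubes-os.org/doc/copy-paste/", 40),        # clean URL
    (b"echo hello\necho hidden\n", 10),                       # extra lines not seen on the page
    ("https://example.org/\u200bpage".encode(), None),        # zero-width space
    ("ex\u0430mple.org".encode(), None),                      # Cyrillic look-alike 'a'
]

if __name__ == "__main__":
    for raw, expected in SAMPLES:
        result = inspect_clipboard(raw, expected)
        print(repr(raw), "->", result or "nothing flagged")
```

An empty result only means none of these particular checks fired; it says nothing about bugs in whatever application later parses the text.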