Re: [qubes-devel] [proposing new feature] Edit in VM: an idea that can improve security when managing documents

airele...@tutanota.com

Sep 14, 2018, 11:41:12 PM
to Qubes Users

15. Sep 2018 00:14 by un...@thirdeyesecurity.org:

On Fri, Sep 14, 2018 at 04:13:53PM -0500, Sven Semmler wrote:

On 9/14/18 2:16 PM, Matteo wrote:
> there is a docx in the "documents vm" but you open it in a special
> vm that allows you to edit it safely (kind of dispvm), all this
> with just double click.

You can already do this. All you have to do is set the default handler
in your "documents vm" to use qvm-open-in-dispvm.

You can even go a step further and hook up qvm-open-in-vm via a
desktop shortcut (to provide an ignored vm parameter) and then change
the policy in dom0 to always show you the dialog of all VMs to choose
which one to open it in.

Ivan Mitev explained the details to me back in May:
https://groups.google.com/d/msg/qubes-devel/0CpN7ol1ZdM/0cBPvwc6CgAJ

So in my setup:

-> whenever I click a web link I get a dialog and can choose to either
open a new online dispvm or tor dispvm or open in an already running
(disp) vm

-> whenever I open a document I get a dialog and I can choose to open
in an offline disp vm or an already running offline disp vm

... in other words: everything I ever open (links and documents) is
always in a disp vm and I can choose on the fly whether offline,
online or with TOR. Since changes to a document in a dispvm propagate
back to the calling VM this also works great for documents I work on.

If it wouldn't require customization of the guest vm (the default
handler and the desktop shortcut), I would promote this to be the
default behavior. But I should probably write it all up nicely and
submit to the Qubes documentation. It's really powerful.

Cheers,
Sven


You don't say this, but if you use a minimal template for the document
vm, then you minimise the risk of inadvertently opening a file there by
mistake.
You can, in fact, strip out almost any application other than a
qubesopen tool, or pdf and img-convert.


Something similar is the sd-svs in SecureDrop-on-Qubes, see https://github.com/freedomofpress/securedrop-workstation


Anyway, it seems like there could be some issues:

a) Documents that "link" other documents. For example: html pages that reference locally-downloaded images/css, Inkscape docs with linked images, bash scripts that source other scripts. Unfortunately qvm-open-in-vm currently only copies just one file, so all links are broken in the dispvm.

b) Can't save progress. qvm-copy-to-vm only copies back the edits after the VM shuts down, right? So what if the system crashes in the meantime?
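
The default-handler setup Sven describes in the quoted message, as an added example that is not from the thread or from the Qubes project: the desktop entry name and the MIME type list are assumptions, and it covers only the handler inside the documents qube, not the dom0 policy change.

```shell
#!/bin/sh
# Added example: make qvm-open-in-dispvm the default handler for document
# MIME types inside the "documents vm" (run in that qube, as the user).
# The entry name and the MIME type list below are assumptions.

HANDLER=open-in-dispvm.desktop     # hypothetical name for the new entry
DOC_TYPES="application/pdf
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.oasis.opendocument.text"

# Write the desktop entry and print its path. %f passes exactly one local
# file, which matches the one-file-per-call behaviour discussed in the thread.
write_handler() {
    appdir="${XDG_DATA_HOME:-$HOME/.local/share}/applications"
    mkdir -p "$appdir" || return 1
    {
        printf '[Desktop Entry]\n'
        printf 'Type=Application\n'
        printf 'Name=Open in DisposableVM\n'
        printf 'Exec=qvm-open-in-dispvm %%f\n'
        printf 'NoDisplay=true\n'
        printf 'MimeType=%s;\n' "$(printf '%s' "$DOC_TYPES" | tr '\n' ';')"
    } > "$appdir/$HANDLER" || return 1
    printf '%s\n' "$appdir/$HANDLER"
}

# Make the entry the default for every listed type, then print what each type
# now resolves to, so a type still bound to a local application is visible.
register_handler() {
    command -v xdg-mime >/dev/null 2>&1 || { echo "xdg-mime not found" >&2; return 1; }
    for t in $DOC_TYPES; do
        xdg-mime default "$HANDLER" "$t" || return 1
        printf '%s -> %s\n' "$t" "$(xdg-mime query default "$t")"
    done
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--install" ]; then
    write_handler && register_handler
fi
```

Run it with `--install` inside the documents qube; any type whose last column is not `open-in-dispvm.desktop` would still open locally on double click.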


Sven Semmler

Sep 15, 2018, 1:26:42 AM
to qubes...@googlegroups.com

On 9/14/18 10:41 PM, airele...@tutanota.com wrote:
> a) Documents that "link" other documents. [...]

Yes, that's a corner case that needs manual steps (e.g. start dispvm,
copy all files in, copy them back out before closing vm)

> b) Can't save progress. qvm-copy-to-vm only copies back the edits
> after the VM shuts down, right? So what if the system crashes in
> the meantime?

Sure, that's true. Personally if I work on something larger, I just
close the VM every hour or so and open a fresh one to calm my nerves.
Although I've never experienced a crash in Qubes. But I get your point.

To me these are worthwhile trade offs, your situation / judgment might
differ.

/Sven