what does qubes do to protect sys-usb?


pixel fairy

Jun 26, 2017, 4:02:44 AM
to qubes-users
what does qubes-os do to protect sys-usb from dma or other attacks?

Noor Christensen

Jun 26, 2017, 10:31:43 AM
to qubes-users
On Mon, Jun 26, 2017 at 01:02:44AM -0700, pixel fairy wrote:
> what does qubes-os do to protect sys-usb from dma or other attacks?

The main purpose of using a dedicated sys-usb VM (as I have understood
it) is that it provides a workflow where you enable USB devices when
needed and only for the specific VM that needs them.

The effect being that no VMs have access to the USB device unless you
attach it to them first, which would limit the attack surface since the
devices are not exposed unnecessarily.

That being said, I have no knowledge about any additional security
measures applied by Qubes in this context, besides this whitelisting
workflow.

-- noor

|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| no...@fripost.org ~ 0x401DA1E0

cooloutac

Jun 26, 2017, 1:31:49 PM
to qubes-users
On Monday, June 26, 2017 at 4:02:44 AM UTC-4, pixel fairy wrote:
> what does qubes-os do to protect sys-usb from dma or other attacks?

The thread right after yours kind of answers your question too. Another purpose is also to protect dom0 from a malicious USB device, which is the most important core of the system.

Unman

Jun 26, 2017, 7:11:56 PM
to pixel fairy, qubes-users
On Mon, Jun 26, 2017 at 01:02:44AM -0700, pixel fairy wrote:
> what does qubes-os do to protect sys-usb from dma or other attacks?
>

The protection against DMA attacks comes from Qubes' use of Xen:
provided you have VT-d, Xen will limit the memory available to the device
to that of the qube.

pixel fairy

Jun 26, 2017, 7:25:23 PM
to qubes-users
On Monday, June 26, 2017 at 1:02:44 AM UTC-7, pixel fairy wrote:
> what does qubes-os do to protect sys-usb from dma or other attacks?

I'm fully aware of how sys-usb protects the rest of the system from malicious devices. What I'd like to know is how sys-usb protects itself.

For example, could a DMA attack compromise sys-usb and cause it to install malicious firmware on a USB device that then gets passed to dom0 or an AppVM?

Unman

Jun 26, 2017, 8:41:19 PM
to pixel fairy, qubes-users
Yes, sys-usb can be compromised, and it would be possible for malware to
be spread to other devices attached to sys-usb. I'm not clear how you
think that compromise could be passed to dom0 or an appVM though,
unless you have in mind some flaw in pciback or the Qubes tools?

pixel fairy

Jun 26, 2017, 8:48:07 PM
to qubes-users, pixel...@gmail.com, un...@thirdeyesecurity.org
On Monday, June 26, 2017 at 5:41:19 PM UTC-7, Unman wrote:
>
> Yes, sys-usb can be compromised, and it would be possible for malware to
> be spread to other devices attached to sys-usb. I'm not clear how you
> think that compromise could be passed to dom0 or an appVM though,
> unless you have in mind some flaw in pciback or the Qubes tools?

The compromised device is then passed to dom0 or the AppVM and infects those when it's attached. For example, a Bash Bunny might have a payload to infect an already plugged-in mouse, or wait for the next device that gets plugged in. Some mice are fancy enough to have firmware settings, so I wouldn't be surprised if these could more easily be compromised.

One possibility, which may already be in effect (I don't have a working laptop to look), is to make sys-usb filter out anything "not mouse" on a "mouse" device etc., or manage it in a similar manner to block devices.

Unman

Jun 26, 2017, 9:15:58 PM
to pixel fairy, qubes-users
Well, qvm-block for example presents a virtual block device, so that the
payload shouldn't be triggered in the target. That's why, generally,
the advice is to use the specific tool rather than pass through.

I use rules to filter what can be attached where: that has the effect of
enforcing separation between USB ports and qubes, but it isn't part of
standard sys-usb. You can filter out "not mouse", but I'm not clear on
how you would filter "not mouse" on a mouse device, if the sys-usb is
intended to also handle not-mouse devices. Perhaps it could be done by
monitoring every insertion? I don't know.

pixel fairy

Jun 26, 2017, 9:24:57 PM
to qubes-users, pixel...@gmail.com, un...@thirdeyesecurity.org
On Monday, June 26, 2017 at 6:15:58 PM UTC-7, Unman wrote:

> intended to also handle not-mouse devices. Perhaps it could be done by
> monitoring every insertion? I dont know.

Filter out anything that is not an HID mouse event packet. As I understand it, the USB device is attached over a userspace socket, so sys-usb is constantly sending the USB data to the target. This is where said data can be filtered.

In my faded memory (Qubes 3.2 until last November), connected mice and keyboards were recognized as such in the pop-up, and keyboards with built-in pointing devices would have separate pop-ups for those.
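A strict allow-list filter of the kind proposed above, as an added example that is not part of this thread or of Qubes' own USB proxy code. It assumes a hypothetical proxy between sys-usb and the target qube hands over one HID interrupt-IN report at a time as bytes, and it forwards only reports shaped like a HID boot-protocol mouse report (HID 1.11, Appendix B.2), dropping keyboard-shaped or otherwise malformed packets.

```python
# Added example: strict allow-list filter for HID boot-protocol mouse reports.
# Assumes a hypothetical sys-usb -> target proxy calls filter_reports() on each
# batch of interrupt-IN reports read from the device; this is not Qubes' code.

from typing import Iterable, List, Optional, Tuple

# HID 1.11 Appendix B.2 (boot-protocol mouse) defines byte 0 bits 0-2 as
# buttons 1-3 and bytes 1-2 as signed X/Y displacement. Bits 3-7 of byte 0
# and any bytes past byte 3 are device-specific, so this policy rejects them
# instead of forwarding data of unknown meaning to the target qube.
BUTTON_MASK = 0x07
MIN_LEN, MAX_LEN = 3, 4  # byte 3 = optional wheel, accepted by this policy


def is_boot_mouse_report(report: bytes) -> bool:
    """True only if the report has exactly the shape of a boot-protocol mouse packet."""
    if not MIN_LEN <= len(report) <= MAX_LEN:
        return False
    return (report[0] & ~BUTTON_MASK & 0xFF) == 0


def _signed8(b: int) -> int:
    return int.from_bytes(bytes([b]), "little", signed=True)


def decode_boot_mouse_report(report: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Decode a conforming report to (buttons, dx, dy, wheel); None if rejected."""
    if not is_boot_mouse_report(report):
        return None
    wheel = _signed8(report[3]) if len(report) == 4 else 0
    return (report[0] & BUTTON_MASK, _signed8(report[1]), _signed8(report[2]), wheel)


def filter_reports(reports: Iterable[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Split a report stream into (forwarded, dropped); only forwarded ones reach the target."""
    forwarded, dropped = [], []
    for r in reports:
        (forwarded if is_boot_mouse_report(r) else dropped).append(r)
    return forwarded, dropped


# Constructed sample stream (not captured from a real device).
SAMPLE_REPORTS = [
    b"\x00\x05\xfb",                      # move right 5, up 5, no buttons
    b"\x01\x00\x00\x01",                  # left button held, wheel +1
    b"\x00\x00\x04\x00\x00\x00\x00\x00",  # boot-keyboard report ('a' pressed)
    b"\x80\x00\x00",                      # device-specific bit 7 set
    b"\x00",                              # truncated report
]

if __name__ == "__main__":
    ok, bad = filter_reports(SAMPLE_REPORTS)
    for r in ok:
        print("forward", decode_boot_mouse_report(r))
    for r in bad:
        print("drop   ", r.hex())
```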

cooloutac

Jun 26, 2017, 10:25:23 PM
to qubes-users, pixel...@gmail.com, un...@thirdeyesecurity.org

I think just at least separating them from dom0 is a step up. In other words, don't allow any USB device to dom0. Whether or not they can infect the VM or other devices is another story.

I tried once to have two sys-usbs and swap the same controller, but apparently it doesn't work, or I might have to disable a security feature for it to work, so I said why bother. I consider anything I plug a USB device into untrusted anyway.

Which brings us to the good point you brought up, which many of us have thought about before: what are the safest keyboards and mice to use? I guess the simplest and most legacy-like? Is pci>usb, or does it matter at all? I really have no idea and would like to know myself.

But one thing's for sure: I do consider storage devices, phones and tablets way more insecure than keyboards and mice. But when I get to that point I soon assume my other hardware is probably way more likely infected than my keyboard. And then I just start to wonder why bother; do I have to buy all new electronics hardware for my home top to bottom every year? Is security only for rich people?

Anyone know what's the safest model of keyboard to use?

cooloutac

Jun 26, 2017, 10:26:52 PM
to qubes-users, pixel...@gmail.com, un...@thirdeyesecurity.org

Actually, I think if really paranoid you might have to go buy it off the shelf in person in the store.

pixel fairy

Jun 27, 2017, 4:37:32 AM
to qubes-users, pixel...@gmail.com, un...@thirdeyesecurity.org
On Monday, June 26, 2017 at 7:25:23 PM UTC-7, cooloutac wrote:

> anyone know whats the safest model kb's to use?

If you're using a laptop, then your laptop's pointing input devices are probably safest. Next would be USB keyboards, or a PS/2 keyboard through a USB converter.

Qubes does have special support for mouse and keyboard specifically for dom0, so this should protect the host from those input devices doing other things. Haven't read that code yet.

I hope that keyboards and mice are not easily flashed with firmware, especially from the host they're plugged into. But this is possible with at least some flash drives, because that's how BadUSB works.

There's a counter-project called GoodUSB which might be good for sys-usb: https://github.com/daveti/GoodUSB It's from 2 years ago.
