On 04/10/2017 11:51 AM, Chris Laprise wrote:
> Given the default Qubes security model, its not supposed to matter if
> malware can persist. Even the read-only nature of root on
> template-based VMs is supposed to be only a beneficial footnote.
>
> OTOH, I'd say your inquiry implies that internal VM security matters
> to you to at least some degree (no unguarded sudo, etc.) otherwise
> there is nothing to distinguish the /rw/usrlocal persistence issue
> from persistence via autostart scripts in /home (which can normally
> run sudo without any resistence).
>
> With sudo authentication enabled, the question of persistence becomes
> similar to that for a standalone VM... if a malware process can
> escalate privs (even via a temporary kernel bug) it can persist in the
> root-owned /rw/usrlocal even in a template-based VM.
>
> Maybe a better question is: Should we have the ability to turn off
> execution of /rw contents in templates?
>
Well, here's a simple for-instance. Say you're a developer of a rival
firm and I want to know all of your secrets so I target you. I know
you're an emacs user, and I know you use Qubes. I also know you're
paranoid enough to segregate all of your development work into one Qubes
VM (yay!), but *not* paranoid enough to cut off that VM from the
Internet (boo!), so not only do you do dev work in it, but you use the
web browser (Chromium, in this case) to interact with websites related
to your work (ex. github) but not to do anything else.
So (somehow, let's say MITM) I find a way to access your file system and
put stuff there. I know that most things get destroyed as soon as the VM
is shutdown, so what I do is I find a way to infect your /usr/local/bin
with malicious versions of Chromium and emacs and ls and all the other
utilities that you'd probably use on a daily basis.
While my versions do exactly what you would expect them to do, the
difference is that each time you launch one of my versions, it starts up
a key logging service (no root required!) in the background that
persists even after you close the app that launched it. So for that
entire session (assuming that AppVM is connected to the Internet), I can
capture all of your keystrokes. And because /usr/local is persistent and
you probably don't constantly check /usr/local for changes (because
again, you're not paranoid), those programs will stick around and launch
the next time you access the VM.
That's just one idea. My imagination isn't as good as others though, so
I'm sure other people can think of nasty things that can be done that
doesn't require privilege escalation. Sure, you can mitigate a lot of
this by cutting off VM access to the network entirely, but that's
because you're smart. The guy next to you may not be as smart (or
paranoid). While there would be some merit to cutting off execution in
/rw areas, for the most part, the way Qubes is set up works well and
that might be going too far. I do think a persistent /usr/local should
be optional, however, and ideally, be disabled by default and only
turned on if needed. There are some cases where one may want to install
custom packages of software that they may have compiled themselves and
would rather put them in /usr/local rather than /usr to help keep the
file system clean. ~/bin isn't much of a problem since a) it's last in
the PATH and b) if you're putting stuff in there, you definitely do so
with the intent to use it only on that AppVM's user account.