[proposing new feature] Edit in VM: an idea that can improve security when managing documents


Matteo

Sep 14, 2018, 3:16:07 PM9/14/18
to qubes-devel
Some background:
think about an office and suppose that you receive an email; you open
the docx in a dispvm, but if it looks legit you store it in the "documents vm".
What if it wasn't legit but contains an exploit? (not a cryptolocker that
you can see but something else)
Also, the more mail attachments you store, the more probable it is that you
save a malicious attachment.
Not saving them is not an option because customers send invoices,
requests and documents.

**Here is the idea:**
there is a docx in the "documents vm" but you open it in a special vm
that allows you to edit it safely (kind of dispvm), all this with just a
double click.
The difference is that when you save the file it will be saved on the
original "documents vm".
This improves security because even if the file is malicious, and
continues to be malicious after editing, it has no access to other
documents: the file is never opened/parsed in the "documents vm" so
the malicious content is never triggered.
In this way the "documents vm" is actually a document vm, used only
for storage. It is not a "more trusted vm that you use to create new
documents and edit existing ones that passed a 'legit at first look' check".
It prevents attacks like:
check if it's a dispvm, if yes do not trigger malicious behavior; now that
it is in the documents vm, at first open trigger malicious behavior: search
important documents/data and exfiltrate them using the internet (probably
disabled given the vm type) or by hiding data in other documents (the
most used one) so that as soon as the user moves it to a net-enabled vm or
sends it to someone it can be intercepted.

Opening in a vm already exists.
Qubes file copy already exists (the destination must be changed from
QubesIncoming to the original file location, and only there! We don't
want it to be able to modify every file).

Any thoughts from Rutkowska / others?
PS: really awesome OS, as soon as this PC breaks I'll buy a Qubes 4
compatible one, thanks for the incredible work!

Sven Semmler

Sep 14, 2018, 5:10:31 PM9/14/18
to qubes...@googlegroups.com
On 9/14/18 2:16 PM, Matteo wrote:
> there is a docx in the "documents vm" but you open it in a special
> vm that allows you to edit it safely (kind of dispvm), all this
> with just double click.

You can already do this. All you have to do is set the default handler
in your "documents vm" to use qvm-open-in-dispvm.

You can even go a step further and hook up qvm-open-in-vm via a
desktop shortcut (to provide an ignored vm parameter) and then change
the policy in dom0 to always show you the dialog of all VMs to choose
which one to open it in.

Ivan Mitev explained the details to me back in May:
https://groups.google.com/d/msg/qubes-devel/0CpN7ol1ZdM/0cBPvwc6CgAJ

So in my setup:

-> whenever I click a web link I get a dialog and can choose to either
open a new online dispvm or tor dispvm or open in an already running
(disp) vm

-> whenever I open a document I get a dialog and I can choose to open
in an offline disp vm or an already running offline disp vm

... in other words: everything I ever open (links and documents) is
always in a disp vm and I can choose on the fly whether offline,
online or with Tor. Since changes to a document in a dispvm propagate
back to the calling VM this also works great for documents I work on.

If it didn't require customization of the guest vm (the default
handler and the desktop shortcut), I would promote this to be the
default behavior. But I should probably write it all up nicely and
submit it to the Qubes documentation. It's really powerful.

Cheers,
Sven

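The default-handler plus dom0 "ask" policy setup Sven describes, turned into concrete files as an added example (not code from the thread or from the Qubes project). The qube names `documents` and `work-offline` are constructed placeholders, and the policy file paths assume the `/etc/qubes-rpc/policy/` layout of Qubes 3.2/4.0.

```shell
#!/bin/sh
# Added example, not from the thread. Run inside the "documents" qube with:
#   sh open-in-chosen-vm.sh install
# Constructed names: "documents" is the storage qube, "work-offline" is an
# existing offline qube used only as the preselected target in the dialog.
set -eu
APPDIR="${APPDIR:-${HOME:-/tmp}/.local/share/applications}"
DESKTOP_NAME="open-in-chosen-vm.desktop"
# Document types routed through the handler; extend as needed
MIME_TYPES="application/vnd.openxmlformats-officedocument.wordprocessingml.document application/pdf"

# Desktop entry that hands the file to qvm-open-in-vm. The qube named here is
# only a default: with an 'ask' policy in dom0 the dialog lets you pick any VM.
write_desktop_entry() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$DESKTOP_NAME" <<'EOF'
[Desktop Entry]
Type=Application
Name=Open in VM of my choice
Comment=File is parsed in the chosen qube, never in this one
Exec=qvm-open-in-vm work-offline %f
NoDisplay=true
EOF
    printf '%s\n' "$dir/$DESKTOP_NAME"
}

# Make the entry the default handler, but only where qvm-open-in-vm exists:
# binding to a missing tool would leave documents unopenable.
bind_mime_types() {
    command -v qvm-open-in-vm >/dev/null 2>&1 || return 1
    for m in $MIME_TYPES; do
        xdg-mime default "$DESKTOP_NAME" "$m"
    done
}

# dom0 side, edited by hand (not reachable from a VM): force the chooser
# dialog for every open request that originates in "documents".
dom0_policy_snippet() {
    cat <<'EOF'
# /etc/qubes-rpc/policy/qubes.OpenInVM  (documents and files)
documents $anyvm ask
# /etc/qubes-rpc/policy/qubes.OpenURL   (web links)
documents $anyvm ask
EOF
}

case "${1:-}" in
    install) write_desktop_entry "$APPDIR"
             bind_mime_types || echo "qvm-open-in-vm not found; not binding" >&2 ;;
esac
```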

unman

Sep 14, 2018, 8:14:13 PM9/14/18
to qubes...@googlegroups.com
You don't say this, but if you use a minimal template for the document
vm, then you minimise the risk of inadvertently opening a file there by
mistake.
You can, in fact, strip out almost any application other than a
qubes-open tool, or pdf and img-convert.

Sven Semmler

Sep 15, 2018, 1:11:35 AM9/15/18
to qubes...@googlegroups.com
On 9/14/18 7:14 PM, unman wrote:
> You don't say this, but if you use a minimal template for the
> document vm, then you minimise the risk of inadvertently opening a
> file there by mistake.

That's in fact what I am doing - thank you for pointing that out. My
'documents vm' is based on fedora-28-minimal and only runs TheBrain 8,
which is what I use to organize all my documents, thoughts and
projects. Nothing ever gets opened there.

/Sven

Matteo

Sep 15, 2018, 4:34:53 AM9/15/18
to qubes...@googlegroups.com
On 14/09/2018 23.13, Sven Semmler wrote:
> Since changes to a document in a dispvm propagate
> back to the calling VM this also works great for documents I work on.

Is this the default behavior of a dispVM or did you tweak something to
allow changes to propagate?
I have Qubes 3.2 since I have an old notebook, and there is only a
browser/terminal in the dispvm; I don't think changes can propagate.

Anyway, thanks for the answer!

unman

Sep 15, 2018, 7:44:54 AM9/15/18
to qubes...@googlegroups.com
Unless you are using my hack to get multiple disposableVMs in 3.2 you
are restricted to one. If you want to work on files you will need to
change the dispVM to use a base template that is better featured.

In 4.0 this isn't a problem as the capability for multiple disposableVMs
is built in.