On 10/22/13 07:22, Joanna Rutkowska wrote:
> So, no mounting of AppVMs volumes in Dom0! That's the reason, BTW, why
> we don't support incremental backups in Qubes.
I personally would _never_ advocate having Dom0 mount an untrusted
data filesystem as part of any backup scheme. But recently I have been
wondering whether there might be a compromise with regard to AppVM
access to offline storage in general, and in particular whether it
could enable running local incrementals.
I personally had to implement an IT corporate/network backup of one
AppVM using proprietary network backup software just to be compliant
with IT policy. Shutting down that one VM, or even multiple VMs, just
to back them up has been somewhat problematic to schedule. The best I
have managed is perhaps twice a week. It appears it would be quite
hard to automate a full Qubes backup, since it naturally affects
almost everything running on that physical hardware if you want to
back up everything. My 'compliant' incrementals, by contrast, kick off
every 15 minutes, but for now they only run in my most important work VM.
Having a way to automate an online, scheduled incremental for
individual AppVMs independently, as part of the Qubes infrastructure,
would be extremely desirable, and any design would naturally involve
tradeoffs given Qubes' overall security goals. I have therefore been
wondering whether there is a way to leverage existing security-aware
software, together with the Qubes internal network topology and
DispVMs, or possibly even facilities within Qubes itself, to support
some form of incremental backup architecture that makes sense
security-wise. Ideally one that would not introduce too much attack
surface. So, let me just toss a few ideas out there to see what others
might think.
What I have been thinking is one of the following:
1) A DispVM-based backup service layered as an encrypted network
filesystem (yes, I can sense you all cringing at the very thought, but
give me a chance):
- A specialized disposable backup VM, with an attached physical drive
or RAID volume, which runs only a single sshd-like server. Nothing
else runs here. This server hands each connecting AppVM client its own
server-side-encrypted (e.g. encfs) directory as a chrooted volume. The
client VM's connection has no access to anything other than its own
server-side encrypted space. No other software runs in this disposable
storage VM, and no interpretation of any data structure or content
occurs here, so there is little possibility of data-corruption
attacks, thanks to the layering of encryption on both the client and
server sides. The client session has no shell, so there is no need for
/usr, /etc, or anything else to be mapped into its virtually allocated
file space beyond what is directly needed for ssh tunneling support.
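To make the "no shell, chrooted, single service" idea concrete, the
server-side lockdown could look roughly like the following sshd_config
fragment, assuming OpenSSH's built-in internal-sftp; the
'backupclients' group name and /srv/backups path are illustrative
assumptions, not anything Qubes defines:

```
# /etc/ssh/sshd_config fragment in the backup DispVM (sketch only):
# members of the hypothetical 'backupclients' group are jailed to their
# own directory and served by the in-process SFTP server -- no shell,
# no /usr, no forwarding.
Subsystem sftp internal-sftp

Match Group backupclients
    ChrootDirectory /srv/backups/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```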
- Each client VM has a different ssh key/identity for its connection
to this server, so the authenticity of both the server and the
specific client is fairly well vetted. The Qubes firewall could
provide an extra layer of protection, controlling which VM can talk to
which, and when.
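The per-client keys could additionally be pinned down on the server
side with authorized_keys options; a sketch (the internal address and
key comment are made-up examples):

```
# ~/.ssh/authorized_keys entry for one client VM (key material elided):
# 'restrict' disables forwarding, PTY allocation, and X11 in one word
# (OpenSSH 7.2+), and 'from=' ties the key to that client's address.
restrict,from="10.137.2.15" ssh-ed25519 AAAA... work-vm-backup-key
```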
- On the client VM side the connection is FUSE-mounted via sshfs, and
thus only active during the actual backup/storage session. Any data
written to the local FUSE volume should be encrypted before being
passed on to the backup DispVM session, so nobody on the server end
can read or tamper with the client data.
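The client-side mount sequence might look roughly like this; the
hostname, paths, and the choice of encfs as the stacked encryption
layer are all assumptions of the sketch, not a tested recipe:

```
# Mount the per-client chrooted space from the backup DispVM over ssh:
sshfs -o IdentityFile=~/.ssh/backup_key backup@10.137.2.20:/ ~/backup-raw

# Layer client-side encryption on top, so only ciphertext crosses the wire:
encfs ~/backup-raw/encrypted ~/backup-clear

# ... run the incremental backup into ~/backup-clear ...

fusermount -u ~/backup-clear
fusermount -u ~/backup-raw
```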
No client VM can play with any other client's data, due to the
individual chroot environments and multiple layers of encryption.
There is little possibility that a compromised storage VM could read
or tamper with the data, because the data is double-encrypted using
different keys held at each end. Malware might somehow obtain the
server's set of encryption keys, but it would still be unable to
decrypt the client's backup data. Since the server is a disposable VM,
there should be no persistent malware on the
backup-instance-per-client-connection VM capable of messing with a
subsequent restore session, and the backup data files could be
checksummed and verified cryptographically by the client before use,
so even if they had been tampered with, that could be detected. For
injected malware gaining a foothold on the DispVM backup server
instance, tampering with the client-side encrypted file data would
first require the client's private key, and if it has that, you likely
have bigger problems already.
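The client-side verification step mentioned above can be sketched in a
few lines of shell: record a checksum at backup time, then re-check it
before trusting any restored file. sha256sum is shown for brevity;
signing the manifest (e.g. with gpg) would additionally defeat a
tampered manifest.

```shell
#!/bin/sh
# Sketch: integrity check of restored backup files before use.
set -eu

# record_checksum FILE MANIFEST: append FILE's hash to the manifest.
record_checksum() {
    sha256sum "$1" >> "$2"
}

# verify_backup MANIFEST: exits nonzero if any listed file was altered.
verify_backup() {
    sha256sum --check --quiet "$1"
}
```

The manifest itself would of course live on the client (or be signed),
so a compromised backup server cannot rewrite it to match altered data.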
The weakest link might be the ssh protocol itself and its interaction
with the FUSE mount mechanism on the client side, before the
client-side decryption. If the backup server instance were compromised
while in operation, it could certainly serve bad ssh data back to the
client in an attempt to corrupt the client's IP stack, ssh client
software, FUSE mount, or decryption module. Still significant, but not
exactly easy, considering an attacker must first take control of a
stripped-down, single-use DispVM running only one service, protected
by the Qubes firewall, in order to pull it off.
The benefit of the above is that each client VM would potentially have
access to volumes of much-needed offline storage, even beyond simple
backups if desired, which should be reasonably safe from tampering or
data exfiltration by external threats. But this is obviously not quite
up to the hardware separation requirements that the Qubes system as a
whole strives for. For some people this tradeoff might be suitable,
for others maybe not.
2) Alternatively, one could try layering a simple backup capability on
top of the Qubes qvm-copy-to-vm inter-domain file-copy mechanism. Here
the client VM may need to allocate enough additional space to cache an
encrypted incremental backup file of itself locally before it is moved
out to an archival VM's physical disk space. The backup DispVM could
keep different clients' data files separated into differently
encrypted directories based on the source of the client data. This
might then be good enough to prevent clients from corrupting each
other's backup data, as they would have no opportunity to overwrite
other VMs' data.
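The first step of this scheme, producing a local increment before
pushing it out, could be sketched with GNU tar's snapshot mechanism.
The gpg and qvm-copy-to-vm lines appear only as comments, and the
'backup-dvm' name is an assumption, not a real Qubes default:

```shell
#!/bin/sh
# Sketch of the per-VM incremental step in scheme 2.
set -eu

# make_increment SRC_DIR SNAPSHOT OUT_ARCHIVE
# Archives only files created or changed since the last run that used
# the same snapshot file (the first run produces a full level-0 backup).
make_increment() {
    src=$1; snap=$2; out=$3
    tar --listed-incremental="$snap" -czf "$out" \
        -C "$(dirname "$src")" "$(basename "$src")"
}

# Illustrative flow inside an AppVM:
#   make_increment "$HOME/work" "$HOME/.backup/snapshot" /tmp/inc.tar.gz
#   gpg --batch --symmetric -o /tmp/inc.tar.gz.gpg /tmp/inc.tar.gz  # encrypt first
#   qvm-copy-to-vm backup-dvm /tmp/inc.tar.gz.gpg                   # then push
```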
In this scenario, because qvm-copy-to-vm is a push-only mechanism, it
would be up to the client to maintain a catalog of backed-up data, and
the client would need some way to signal for the deletion of older
datasets once a backup set is no longer needed. The backup DispVM
would have no clue what is actually in any given backup file, so it
could not perform any log-rotate-style deletion beyond what general
filename conventions reveal. Since this is simply a one-way copy
mechanism, restores could only be performed through manual interaction
via Dom0, serving only as the controlling command center, to recopy
the archived files back to an individual AppVM for a proper restore
there. In that case Dom0 also needs access to the backup server's
crypto keys to extract the proper backup data from any given
per-client encrypted directory/volume.
The 'double the space' requirement for local backup-file caching might
be eliminated if there were such a thing as a disposable virtual USB
drive that could be used to cache the encrypted backup file until it
can be moved over to the backup VM. Once the virtual USB space is
unmounted, it could be scrubbed for reuse elsewhere. This might
actually be handy for any VM where temporary disk space is required,
such as during VM-dependent software installs or the creation of
temporary ISO images.
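In ordinary Linux terms the idea amounts to a scrub-on-release scratch
volume; a rough sketch (requires root, and a real Qubes version would
need a qvm-block style integration, which is purely hypothetical here):

```
# Create a throwaway loopback volume, use it, then scrub it:
truncate -s 2G /var/tmp/scratch.img        # sparse backing file
mkfs.ext4 -q /var/tmp/scratch.img
mount -o loop /var/tmp/scratch.img /mnt/scratch
# ... use /mnt/scratch as the backup cache ...
umount /mnt/scratch
shred -u /var/tmp/scratch.img              # overwrite and delete the backing file
```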
> I personally think that splitting home directories into "more useful"
> and "less useful" parts for backup is just not worth it. However, one
> improvement we could make is to give an option to bacup only the
> private.img of StandaloneVMs (so ignoring the root.img, which is
> normally backup up for Standalone VMs).
It is very likely that any incremental backup will only be defined to
include user-created files deemed important enough. Keeping multiple
copies of important documents as you work on them can be a lifesaver
if you need to roll back for any reason. If a person accidentally
configured an incremental set of mostly static files, those files
would only be backed up once, since they won't change except when the
underlying template changes. That would waste backup disk space, for
sure, but at least you would still have all the email you would
otherwise have lost had that last incremental not fired off just an
hour before your VM's drive failed. These days, losing a single unread
email could potentially lose you a job if your particular industry is
in lay-off or downsizing mode. No, things are not like that for me,
but eventually Qubes will move into industries where this can and will
happen. Life is full of tradeoffs, and not all of them are technical ones.
I believe in the Qubes design goals, and I often push others to take a
long and serious look at it for the important security features it can
provide. But at the same time I need to take simple precautions with
backups, because I have lost far more than my share of disk drives in
the last couple of months. And between disk failures I am still
working out the complexities of getting my actual work done within
this new structure-enforcing paradigm. And I'm definitely sticking
with it. It's worth it. ;)
> joanna.
Thank you for all your hard work and the whole team's dedication. I
will be interested in any comments on the above, as I am sure there
are built-in features of Qubes I have yet to learn about.
Steve.