On 04/15/2017 02:50 PM, Jean-Philippe Ouellet wrote:
> What is your long-term goal with this effort? This and your
> "Qubes-VM-hardening" stuff [1] looks to be trying to allow data
> persistence while aiming to avoid the ability for the persisted data
> to somehow hijack control on subsequent VM boots.
Its not so much data as actual scripts... the latter roll out the red
carpet for malware in regular template-based VMs. A statement of purpose
for it would be: Leave no obvious pathways for malware to persist in the
appVM startup process. Not terribly ambitious but probably worth doing.
>
> If so, ISTM that this could be achieved using DispVMs with a
> persistent rw volume mounted somewhere other than /home (or any path
> which installed software automatically reads). Furthermore, such an
> approach also seems more robust than any attempt to essentially
> blacklist known-sensitive paths (which I think would eventually
> converge towards wanting to protect all of ~/.*) no?
DispVMs have only worked for me on-and-off, and customization is
troublesome also (having app configs disappear). The implementation is
still too 'rube-goldberg' at present. Also don't want to add new storage
features to it.
Convergence towards '*'... nah. In /home I'm only interested in shell
autostart scripts: bash, sh, desktop.
My current POC can also address persistence of malware in the root-owned
parts of /rw. It will erase config, usrlocal, and bind-dirs if it finds
specific user-added dirs in /etc/default. It will also copy
scripts/files from there into the system. Even with this added scope,
the problem space remains quite compact.
>
> I'm curious what you have in mind and what the intended use case is.
Preventing shims and persistence loopholes in template-based VMs which
have protected root access (i.e. vm-sudo). An argument against vm-sudo
configuration is that its easy for an unpriv attacker to alter init
scripts and acquire root privs when a user grants them for legitimate
commands; Fixing that seems very realistic.