A widely used and known technique that works in more than a specific
case will likely be used.
This means trying to not rely on particulars of a target and trying to
bypass as many security measures as possible.
> - some of said attacker
> capabilities can be mitigated or eliminated through some of the security
> measures that one might otherwise be tempted to dismiss out of seeming
> irrelevance or laziness, because said measures break dependencies or
> introduce delays for the meeting and/or bypassing of said dependencies for a
> combination of said capabilities to perform meaningful penetration and
> compromise,
Long-winded and quite pointless. You do not put a padlock against
children inside a hardened safe, then claim it improves security.
> and considering that the window of opportunity for the attack is
> always limited
It's quite often not. Attacks are still made now against ancient
Windows XP machines. Payloads vs older versions of Firefox are in the
wild; or even old Internet Explorer.
You can retry an attack many times unless the target detects it - even
just crashing is not necessarily good enough.
Window of opportunity is mostly limited for physical attacks such as
evil maid - unless there is an update that closes the bug you get to
exploit. But those generally lag quite a bit behind issues they fix,
even in open source projects.
> by definition thus magnifying the mitigation capability of
> said measures in many cases (especially in the case of an intelligent target
> with an environment that requires exploration for meaningful penetration),
Yes, and such a target will not be stopped by a trivial technique. A
guy who can crack safes is not stopped by a padlocked box.
> the best approach is for any given system with any given security measures
> is to use all of said security measures except in the case where the
> introduction of said security measure would degrade system security
(Which it would due to added maintenance and much more complex setup...)
> or make
> impossible the introduction of a more important security measure - thus
> implying that the selection of said security measures for architectural
> inclusion within said system should also be prioritized for inclusion based
> on metrics such as impact and mitigation value, noting that the ideal
> implementation of said systems architecture will have to be re-prioritized
> on a per application basis to maximize the effectiveness of the conglomerate
> set of system security measures in mitigation of compromise.
Ugh that is a mouthful, signifying nothing.
There is no mitigation value in a weaker isolation layer that is
inside a stronger layer.
> i know qubes is not the security hero for everything under the sun, but
> given the above philosophy (which applies to most of the "relevant" qubes
> users) i would argue that right now qubes needs to be sandwiched between a
> hardened domu and a hardened dom0.
Feel free to provide a repository with rebuilt hardened packages.
> we have both mentioned whonix and other
> projects for example but i want to see qubes prioritize better default
> templates (especially for servicevm), better disposable vms, support for
> multiple dispvm templates, better dom0 hardening, and software package by
> software package dispvm templates for the core packages that are included.
Define better and preferably implement them. I'm personally not making
Fedora packages myself, because they are pain in the rear end.
I've tried and I just don't have the time to mess with it, also due to
lack of a machine I could sacrifice for just dom0 development.
Debian ones are as bad to develop if not more.
> im bothered by this... i havent kept up to date. i take it back. ive been
> using qubes for so long im over a year out of date on this topic. i would
> like to change my suggestion to debian out of available alternatives simply
> because closer to whonix,
That is not a virtue by itself. Qubes dom0 is trimmed way more than even Whonix.
> which is a major part of the ecosystem for many
> people, and also because re-use of whonix security measures. for the record
> if youre curious i brought up trisquel because purism/richard
> stallman/minimalism/noblob/etc.
Trisquel is nowhere near as minimal as Qubes Dom0. Seriously, just
take a peek. You'd have to trim it and audit it.
The firmware things are best kept in a device-specific VM, for example
NetVM, USB VM, in the future - GUI VM.
Deblobbing for sake of deblobbing (or "purity") is not worth it, esp.
if the blobs already run in separate VMs.
You can replace the distro in there anyway if you want to.
> "Provide an actual alternative that is reasonably better than Fedora at
> being a desktop."
>
> debian a la whonix. see above
Better at what?
> Remember that we do not care about the desktop environment as long as
> it's trimmed."
>
> fvwm, jwm, openbox, and fluxbox are great choices. xfce and lxde could be
> offered as a bloated alternatives for people who like shiny objects.
> (gnome/kde=madness). openbsd ships a super hardened fvwm implementation that
> is old but rock solid/battle tested.
And unusable, just like a rock should be. ;) Making those usable takes
*a lot* of work.
They lack critical features such as proper pager (Openbox/fluxbox),
multiscreen support, system tray, file manager.
Full mouse support, configurability without editing text files... I
could enumerate further.
Once you add external software to do it, the package becomes less than
stellar and is still clunky.
Their code bases, while small, are ancient and hard to audit. For
FVWM, you get to audit TCL/TK. (OpenBSD didn't do so.)
I don't understand your definition of bloated. Please compare memory
usage instead of empty words like this.
Especially of trimmed Qubes dom0 KDE, which is not your random KDE -
it tosses the heavier, more worthless, internet connected features
that wouldn't work in Dom0.
Marek has already made a version of Xfce for Qubes, while another made
Awesome WM config for Qubes.
> "Chrooted processes are again worthless in Qubes.
> No amount of filesystem protection will stop local kernel exploit from
> working - unless it has to be launched from the filesystem. It's at
> best a minor inconvenience. Many, if not most, VFS bugs were related to
> either special FS like
> proc, sys, dev or to actual writes, not execution. "
>
> i mildly agree here, and only because the magnitude of mitigation from qubes
> in your scenario is so great that it casts a shadow over other issues. ill
> make up a use-case: theres a guy named joe in a place we'll call "snufflez"
> who worships "shamalama". unfortunately for joe it is a crime punishable by
> death to warship shamalama for the people os snufflez. hes sitting in his
> living room and downloading the holy book of shamalama. this guy doesnt need
> to be kernel exploited to have his head chopped off, and he doesnt want
> people to easily profile his setup or location because of a browser bug.
This is not a security issue, but a privacy issue.
Whonix folks are working with Qubes devs to make the VMs less
fingerprintable. That is already much better than what LXC or chroots
provide out of the box.
Chroots don't help it at all. Ever.
If you're arguing to attempt to make Firefox less exploitable, then do
provide better package of Firefox instead of rewriting the whole OS or
adding pointless features.
(Or run Whonix with its well configured Firefox in Qubes AppVM, routed
via TorVM. It's been done.)
The guy shouldn't be keeping his book of shamalama in the same VM as
he downloaded it in, or view it in there. There are DispVMs and other
AppVMs for it.
> a
> couple little things are enough. let me fix your sentence: "Chrooted
> processes are practically worthless in Qubes in the context of protecting
> from many types of exploits that would shatter the qubes security model of
> context separation, especially the worst ones, and especially considering
> that the security afforded by chroots is in almost all cases covered by
> existing qubes/xen security features." to which i would add "however if we
> broaden our paranoia to a much higher level of sensitivity to the extent
> that even enumerating and looking around a vm sandbox is a major threat then
> other things count"
Again, you're arguing for fixing Firefox rather than adding chroots.
If the attacker breaches Firefox, they have access to a huge set of
identifying data if it wasn't ephemeral (like it is in DispVM, which
you should use).
No chroot will prevent Firefox from accessing Firefox data files.
Other files should be kept in another VM and on an external disk, if
you want them to not be found.
> "Please provide an example of such an attack that would be mitigated by
> adding a chroot, or making the file system noexec, or making the file
> system nosuid.
> Note that it does not have to be already mitigated by Qubes separation. "
>
> im wondering if after reading what i wrote so far in this message you still
> want me to answer this question. try to put yourself in my head first and
> think real world.
In a real world, you have automated payloads like Zeus or the advanced
NSA crack kit, or the KSA equivalent (described in literature) that do
all of the things I've described and more.
Please read up on real world attacks. These payloads can be bought or
hired, so there is no huge up front development cost more than once.
There are phishing toolkits, you can even hire a specialists if you
know where and have the money.
This again makes attempts at hardening against badly designed attacks
worthless or negative worth due to added complexity of the setup.
> "The resource reqs of Qubes alone are slightly lower than of Fedora
> itself. I've checked. The cut down KDE is very nicely trimmed.
> Start it, launch one or two applications. Measure memory usage.
> Do the same on a distro of your choice with same applications, but
> much lower security. Compare. Do this after replacing the applications
> with tiny variants, measure again.
> Data, not assumptions.
> What you're advocating is really premature optimization. "
>
> my sys-firewall is currently using over 2gb ram right now bro.
Interesting, it has 256 MB limit set in my Qubes Manager. If what you
say is true, it's a major bug. I'd say it's not true.
Just be careful you're not comparing ballooned sizes. Qubes will
balloon the VMs to allocate unused memory if that option is checked.
This memory will be reallocated to VMs that need it - unless there is a bug.
I might be wrong, but I think ballooning is disabled for ServiceVMs by default.
> also whats
> with the library goliath desktop environments with bobbles and boobles? i
> consider xfce bloated.
Feel free to replace dom0 with whatever you want. Sacrificing
usability for "general public" is not the point of Qubes OS -
providing a secure and *useful* desktop is one.
Also feel free to audit the code you are replacing it with.
> "This sounds like "I hate Fedora but I can't say why." There are valid
> reasons to dislike it of course, but you need to actually say them.
> What does "conservative defaults" mean? It's still a desktop, not a
> single use web appliance. "
>
> i dont hate fedora, i just hate fedora for qubes. you shouldnt have to take
> things away to make it better.
That's security for you. Sacrifice as many features as you can to
reduce attack surface, without making the system unusable.
You're arguing both ways...
> to make it easier ill just compare fedora to
> debian. i dont trust fedora as much as debian.
<snip> Conspiracy theory </snip>
> "shouldnt be a one-size-fits-all, "dump all your binaries here",
> template..... Because? What is improved by removing such a template?
> Definitely not maintenance or ease of development. Or ease of use..... But
> do actually explain the threat model behind this reasoning. Is it script
> kiddies with poor scripts? "
>
> have you ever broken into a box and thought "oh darn i wish i could... oh
> cool this guy has a compiler installed for me!"
No, attackers upload shellcode. It's a binary, with various tricks to
make it smaller.
> or "good thing he has
> blahblah installed i have a priv escalation exploit for that right here! 1
> parameter pass and... poof".
No, attacker uploaded working shellcode with a local root exploit
binary; either together or separately.
What do you think exploit writers are, lazy and dumb? They don't know
all the details of the target beforehand so have to isolate from any
such dependencies on the target - otherwise they risk their thing to
not work.
After you have a command and control connection setup, you can upload
what you need - usually nice static binaries or scripts with your own
statically compiled interpreter.
> <snip> More rant. </snip>
Again, don't assume your adversary is stupid. That way lies disaster.
Nonsense defenses are still nonsense.
> "They don't. They reserve up to 256 MB ram each (I'll have to check the
> actual number). You could make them smaller somewhat too, I mean, to
> about 128 MB each.
> The main gobbler in NetVM is... Network Manager's GUI, which requires X.
> However, replacing that with code in Dom0 is foolish from security
> PoV. Factoring it out into a separate "display VM" is a lot of work
> for not a lot of memory saving and major increase in Qubes comm
> protocol complexity.
> The latter means bugs and security issues. "
>
> im aware of the challenges. for the netvm i would say use command line in
> dom0 (attach to domu) to exec inside the netvm or make a gui wrapper for
> that. why would that be foolish?
The GUI wrapper has to access possibly attacker-controlled NetVM, so
it has to be fuzzproof, audited and even preferably mathematically
verified if it is to run in Dom0. Risky.
You could put this code in the common GUI VM but that would make
compromising GUI much easier - and if your GUI is compromised you're
in the world of trouble - attacker can insert additional commands to
be executed.
A sane alternative is to run a separate GUI-only (AppVM-like) domain
for the NetVM while having additional communication protocol, but that
is still pretty fat (fatter because you get to run more code and more
VMs) and plenty of work to write such a daemon. Feel free to implement
it if you think it would improve security.
Generally the attack vector for the NetVM is not the control GUI (the
attacker cannot rename interfaces), but network stack, device drivers
and firmware.
The GUI is separated already using Qubes GUI protocol, as in all AppVMs.
> "Please explain how this helps over having an icon that launches a
> disposable VM with this running.
> I'm not being facetious here at all. "
>
> im not sure you understood me. what i mean is for example we should have a
> disposable libreoffice vm, not just firefox or a 1 size fits all.
But why? Are you clinging to the idea that either the attacker needs
application <x> to exploit or that users will be tempted to break
their usage patterns for convenience?
> "Do it. See what you can and cannot do. I've tried myself, the gains
> are... less than satisfactory. And it's a lot of work.
> Note that Qubes templates do not run a pretty large chunk of DE already.
> Again, the main hog in a GUI VM is... actual GUI subsystem and actual
> target application.
> If you want Qubes ballooning to be more tweaked towards faster
> changing requirements, why not say so? And preferably do so.
> Feel free to also try to use Xen's autoballooning, frontswap,
> frontcache and *post the results*.
> I've actually had trouble getting Qubes to play nice with that stack. "
>
> well i suppose that the impression ive always had is that qubes in the
> interest of keeping things simple just assumes you have ample ram and picks
> performance oriented rather than resource conservative defaults for
> everything.
You assume Qubes assumes. :)
No, Qubes defaults are generic, and Qubes modified ballooning is meant
to prevent VMs from gobbling up memory needlessly.
It predates Xen autoballooning, frontswap and frontcache though.
> ive done some tweaking and i think i have my machine moderately
> cleaner but since i have 64gb ram this is more for cleanliness than
> anything.
I've had Qubes work reasonably on a machine with 4 GB of RAM, no
modifications. (Qubes 2.0 RC 1 I think. The machine is not used for
that purpose anymore due to lack of VT-d.)
> "It never was. Strawman if I ever seen one. The user picks what they
> run, mostly. The extras are vastly limited, run ps or top in the VM to
> see them. "
>
> i can give you one recurring case for me: i want to use a dispvm for
> something. lets say gedit...
Then.. launch a DispVM with gedit? It takes a few clicks to add an
icon to do so.
DispVM startup times have been improved a lot in 3.x series, but
they're still not instantaneous, even with SSDs.
> "See above about having to at least explain how it is better. I've
> considered this problem personally at length too and came to different
> conclusion... Assumption. Please provide data. "
>
> i think i addressed this above but if you disagree we should talk more. in a
> way you were talking about apples and i was talking about fruit.
The problem is, you're not talking, you're rambling. It's getting tedious.
> <snip> More rambling </snip>
> "It's not feedback, you're trying to redesign Qubes, without actually
> verifying the properties of current and target design. Might as well
> just not redesign it and develop at random. "
>
> i dont think im redesigning... according to you yourself half of what i was
> suggesting is doable as-is but qubes just doesnt ship that way. the other
> half is "ditch fedora, ship more hardened", which is not a redesign.
Ditching Fedora is a major change. Implement it, patches are accepted,
it's been discussed... So. Many. Times.
The main thing is that Dom0 is pretty sensitive. Qubes team actually
partly audited the code that's in there, tossed unneeded and unsafe
features - this would have to be redone.
Providing additionally hardened packages is fine - but you'd need some
automated and trusted tool to do it or it becomes a large maintenance
load.
> "It is already in a virtual machine. What does the additional chroot get
> you? "
> "Template VM is already read only - you'll modify the volatile part of
> it. You have prevented access to disk, but the attack still has all
> kinds of access to memory. "
>
> you can run anything as firefox, and firefox is the point of that dispvm,
> but if you need to escalate privs it would be harder. right now in qubes
> sudo is wide open and ive read the reasoning behind it but please look at my
> scenario paragraph above.
Sudo gives you access to the VM root.
If you can exploit Firefox, usualy running additional local root
exploit(s) is simple; even kernel hardening like PAX makes it only
moderately more difficult.
(Unless it's an exploit that only allows you access to protected store
or other such Firefox features. But then, sudo is just as irrelevant.)
Are you suggesting it to "secure" multiple applications and use cases
in a single AppVM? Risky and hopefully unnecessary.
> "You can. Extremely easily. You've shown that you cannot *write them to
> disk*, so persistence is a bit harder. Although nowadays people do not
> like to restart machines, virtual or otherwise. "
>
> persistence is not an issue for a dispvm
It is until you shut that VM down.
> but it is for others. anyway right
> about now im thinking my example sucks for multiple reasons, one of which i
> didnt know about until you educated me. ill get back to you. :)
>
> "To begin with, show me a HIDS and NIDS that actually work in an actual
> *desktop* environment. I bet you don't have anything on hand - it's a
> major effort to get it to work reasonably with low false positive
> rate. "
>
> as i said tuning is everything. the assumption there is that everything is
> profiled over time. you wont get to a low false positive rate for a while.
Meaning it's mostly worthless for desktop, where requirements and use
cases change. Anything new?
Not to mention you'll get the Vista effect due to many worthless
popups right off the bat. Unusable security is no better than no
security at all - users will disable the popups/info or learn to
ignore them.
> "The former is very tricky to implement too, and you cannot just really
> run it inside the VM where it can be easily circumvented - but that'd
> be better than nothing still."
>
> actually its better than better than nothing, because the attacker might be
> able to break in and stop logging or delete local stuff or even nuke the vm
> but i still get everything on my inline nids.
Care to show this setup?
> its pretty solid assuming he
> cant get into the nids.
Again assuming the attacker is stupid. Very bad assumption. That said,
NIDS is reasonably isolated in the NetVM or ProxyVM.
It's HIDS that is the problem.
> "Running it in Dom0 is a major security risk. It is a complex piece of
> software with many failure modes.
> So, now you get to implement a monitoring domain which Xen might be
> able to do, but I haven't been able to coax it to do so.
>
> Using some framework like Volatility to inspect the critical paths in
> a VM memory space; having a peek at the volatile image file to spot
> garbage. "
>
> i am not advocating that. thats not how i do it
Yes, do it in a way where it can be easily circumvented, as it's
placed inside the AppVM/DispVM itself?
I was talking about HIDS, not NIDS, mind you.
NIDS are even more worthless. Either you depend on predefined set of
rules (no can do on desktop, even with extensive database) or the
learning mode and hope anything won't change (doesn't work well even
with servers, not to mention desktops).
How do you detect unknown, possibly custom exploit from network
packets? The simple answer is that you don't in general, so you cannot
trust such a system.
It's the same problem thwarting antivirus software.
(As opposed to a good HIDS, where weird usage patterns can be
detected. It shares some of the problems though.)
It's generally better to split tasks that do not require networking
from ones that do, and Qubes has a built-in firewall to enforce it.
> "You still need appropriate GUI for the target end user somewhere."
>
> 2 options: 1 is to hang another vm off the nids-proxy and use it as a
> management station 2 is to just launch things on the nids-proxy (i use
> command line and web interface and both work well like this)
I haven't seen a usable NIDS GUI ever.
> "Note this vastly conflicts with your "save resources" concept."
>
> what did you think i was saving the resources for?
To waste them on unreliable and problematic pseudosecurity measures?
> "Take care, "
>
> happy thanksgiving. thanks for taking the time to respond. love your work.
My work? You mean ITL work? :)
--
Radosław Szkodziński