Using a Different OS in the Network Domain (arch-spec question)


Daniel Moerner

Nov 20, 2016, 9:53:34 PM
to qubes...@googlegroups.com
Hi all,

My apologies if this has already been asked or explained; I did not
find anything obvious in a quick search of the mailing lists.

§6.1 of the arch-spec-0.3.pdf document (pages 29-30) includes the
following remark:

"While it might be tempting to base the network domain on a regular
AppVM root filesystem that all other VMs share, this might not be
the optimal solution from the security point of view. Namely,
there exists a slight chance of a bug in the regular Linux TCP/IP
stack (in contrast to a more likely bug e.g. in the WiFi driver or
WiFi stack). If such a bug existed and the attacker used it to
exploit the stack in the network domain, then the attacker could
automatically use this same exploit to further exploit any
network-connected AppVM that used this very network domain.

Thus, itʼs better to use a different OS in the network domain, e.g.
FreeBSD, instead of Linux, so that the attacker couldnʼt reuse the
same hypothetical bug in the TCP/IP stack -- quite obviously
two different OSes would have very different TCP/IP stack
implementations."

It doesn't seem like this suggestion ended up making it into Qubes. I
was wondering if the developers changed their opinion on the value of
a separate TCP/IP stack or if there were implementation issues.

Best,
Daniel

Jean-Philippe Ouellet

Nov 21, 2016, 12:14:06 AM
to Daniel Moerner, qubes-devel
On Sun, Nov 20, 2016 at 9:53 PM, Daniel Moerner <dmoe...@gmail.com> wrote:
> It doesn't seem like this suggestion ended up making it into Qubes. I
> was wondering if the developers changed their opinion on the value of
> a separate TCP/IP stack or if there were implementation issues.

You are correct in the observation that this is not currently
implemented in Qubes. AFAIK it's just due to always having higher
priority things to work on.

There has been a very nice effort by Thomas Leonard to implement a
minimal sys-firewall as a MirageOS-based unikernel:
- http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
- https://github.com/talex5/qubes-mirage-firewall

One of the things I am working on is getting OpenBSD as a first-class
Qubes citizen (including as sys-firewall). However, I am very
reluctant to make any promises or suggest a timeline for that.

Here are the relevant previous threads / issues that I am aware of:
- https://github.com/QubesOS/qubes-issues/issues/806
- https://github.com/QubesOS/qubes-issues/issues/1005
- https://groups.google.com/forum/#!topic/qubes-users/4usaW-cSkIc

Cheers,
Jean-Philippe

P.S.: There are many other disparities between the arch spec and
reality, and IMO it should really be re-written, but don't interpret
that as me volunteering ;)

Daniel Moerner

Nov 21, 2016, 9:31:26 AM
to Jean-Philippe Ouellet, qubes-devel
On 11/21/2016 12:13 AM, Jean-Philippe Ouellet wrote:
> You are correct in the observation that this is not currently
> implemented in Qubes. AFAIK it's just due to always having higher
> priority things to work on.
>
> There has been a very nice effort by Thomas Leonard to implement a
> minimal sys-firewall as a MirageOS-based unikernel:
> - http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
> - https://github.com/talex5/qubes-mirage-firewall
>
> One of the things I am working on is getting OpenBSD as a
> first-class Qubes citizen (including as sys-firewall). However, I
> am very reluctant to make any promises or suggest a timeline for
> that.
>
> Here are the relevant previous threads / issues that I am aware of:
> - https://github.com/QubesOS/qubes-issues/issues/806
> - https://github.com/QubesOS/qubes-issues/issues/1005
> - https://groups.google.com/forum/#!topic/qubes-users/4usaW-cSkIc

Thanks for sharing all these links! The use of MirageOS as a
sys-firewall is particularly interesting, not least because I can
actually do things with OCaml. I will look into that when I have time.

Good luck with your OpenBSD project.

Best,
Daniel

Andrew David Wong

Nov 25, 2016, 8:53:49 AM
to Jean-Philippe Ouellet, Daniel Moerner, qubes-devel
On 11/20/16 21:13, Jean-Philippe Ouellet wrote:
> On Sun, Nov 20, 2016 at 9:53 PM, Daniel Moerner <dmoe...@gmail.com> wrote:
>> It doesn't seem like this suggestion ended up making it into Qubes. I
>> was wondering if the developers changed their opinion on the value of
>> a separate TCP/IP stack or if there were implementation issues.
>
> You are correct in the observation that this is not currently
> implemented in Qubes. AFAIK it's just due to always having higher
> priority things to work on.
>

Yes, exactly this. If someone were to contribute high-quality patches
implementing this, we would be happy to accept them.

> P.S.: There are many other disparities between the arch spec and
> reality,

This is correct. It's an historical document.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org