Is there any benefit of running per AppVM TorVMs?
216 views
Skip to first unread message
Joonas Lehtonen
Aug 9, 2014, 8:00:32 AM8/9/14
to qubes...@googlegroups.com, ax...@openmailbox.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Axon:
> Are you suggesting (contrary to the outcome of the previous
> discussion on this topic) that there might be some benefit to
> having more than one TorVM?[1]
>
> [1]
> https://groups.google.com/d/topic/qubes-devel/le7-Rrq6yxY/discussion
What
>
is your threat model?
Two notions here:
1) Can you theoretically improve the stream isolation by running
multiple torvms?
Unlikely, and I agree with your statement from [1][2].
2) Can you reduce the impact of a torvm compromise by running per VM
torvms?
Yes, you might have a change to limit the impact of a torvm compromise.
Simply compare the impact of a torvm compromise that is handling
traffic of all your VMs with a torvm compromise that is handling
traffic of a single VM.
Hypotetical scenario: Attacker got remote code execution in one of
your VMs running behind a torvm *and* compromised your torvm via a
TransPort/SOCKSPort 0day (but he has no linux kernel IP/TCP 0day to
compromise -> firewallvm).
I'm not saying that you should run per VM torvms. After all, how
likely is a transport/socksport 0day really? I hope it is rather unlikely.
I'm saying that depending on your threat model there might be benefits
of such a setup. The underlying assumption here is that an attacker is
able to compromise only some anonvms but not all of them (so he can
attack/compromise/deanonymize only some torvms with its
transport/socksport 0days).
And then there is the guard topic - where I largely agree with Patrick
(that persistent guards are a good thing), but that is not a topic for
qubes-users.
If RAM would not be limited resource we wouldn't have this discussion
I guess ;)
[2]
>> I think the default stream isolation settings probably mean it
>> is useless to have multiple TorVMs
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJT5g1ZAAoJEG58zmw5nc+veVcP/3o8HKGzYcVPLCkrqdMC47vV
HdDB8GL3OE3gkvSudNY6InkuS/LBXFCxlvNHshcoG9A4E4GgTpnIrlfC4aOotZxz
5C9ly5aJhL1t77Hd4FZt2nju/yjHg0e+jaiGU/kl80Kc+gguAEpoCocBjuKMggPZ
QHXVhRZ83WRzoFvsfgGQNv3k5giDxB9mAXV3sd3sdF5ZU+LwfDDyjhuHxg2wOeDh
3shG8EwTbXNePPs5mjrYIoAIl1r2s370ZxO074SGzzikqsxnlKHmsc2Ig0QU2Rag
S4kBh9eGqi6OVTnY2CtcxkWLZbUwzSdpBzeIUGj09JbzQw/uOt2S74pw6wZXBfHn
UwVBNb43YiJxn2XeiJ7NyGu2qDEg++uwMyEg1g1v31XnOHUv+KgEwWr5E1sKSTvf
+cNGundCEVZogtDqNY2tv1zf8j+bKgB6pI2a4xyJMPrMFYteMufqwVjHQdInCk9Y
DSb7exOtXt2K8zNwIPh57JZYPiOSTBqzFghcbVNxLijh4e5Qc3dBn3BTNuGwc1Yy
/7lSQ6tyXXAh5lU+vEiJ6pcFlIy7WFgCCaNtJNlBh/V19L24qDLHMSdoN1lRi1SR
a1pJVai6dLA3CGNlWlzMiv2T7uUNRbVnlB9SniJfZoI1pTdKtMb1LJvK2rOC6e5a
mzGJ6qT0DJOBgHT+Ywoy
=tofi
-----END PGP SIGNATURE-----
Hash: SHA512
Axon:
> Are you suggesting (contrary to the outcome of the previous
> discussion on this topic) that there might be some benefit to
> having more than one TorVM?[1]
>
> [1]
> https://groups.google.com/d/topic/qubes-devel/le7-Rrq6yxY/discussion
What
>
is your threat model?
Two notions here:
1) Can you theoretically improve the stream isolation by running
multiple torvms?
Unlikely, and I agree with your statement from [1][2].
2) Can you reduce the impact of a torvm compromise by running per VM
torvms?
Yes, you might have a change to limit the impact of a torvm compromise.
Simply compare the impact of a torvm compromise that is handling
traffic of all your VMs with a torvm compromise that is handling
traffic of a single VM.
Hypotetical scenario: Attacker got remote code execution in one of
your VMs running behind a torvm *and* compromised your torvm via a
TransPort/SOCKSPort 0day (but he has no linux kernel IP/TCP 0day to
compromise -> firewallvm).
I'm not saying that you should run per VM torvms. After all, how
likely is a transport/socksport 0day really? I hope it is rather unlikely.
I'm saying that depending on your threat model there might be benefits
of such a setup. The underlying assumption here is that an attacker is
able to compromise only some anonvms but not all of them (so he can
attack/compromise/deanonymize only some torvms with its
transport/socksport 0days).
And then there is the guard topic - where I largely agree with Patrick
(that persistent guards are a good thing), but that is not a topic for
qubes-users.
If RAM would not be limited resource we wouldn't have this discussion
I guess ;)
[2]
>> I think the default stream isolation settings probably mean it
>> is useless to have multiple TorVMs
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJT5g1ZAAoJEG58zmw5nc+veVcP/3o8HKGzYcVPLCkrqdMC47vV
HdDB8GL3OE3gkvSudNY6InkuS/LBXFCxlvNHshcoG9A4E4GgTpnIrlfC4aOotZxz
5C9ly5aJhL1t77Hd4FZt2nju/yjHg0e+jaiGU/kl80Kc+gguAEpoCocBjuKMggPZ
QHXVhRZ83WRzoFvsfgGQNv3k5giDxB9mAXV3sd3sdF5ZU+LwfDDyjhuHxg2wOeDh
3shG8EwTbXNePPs5mjrYIoAIl1r2s370ZxO074SGzzikqsxnlKHmsc2Ig0QU2Rag
S4kBh9eGqi6OVTnY2CtcxkWLZbUwzSdpBzeIUGj09JbzQw/uOt2S74pw6wZXBfHn
UwVBNb43YiJxn2XeiJ7NyGu2qDEg++uwMyEg1g1v31XnOHUv+KgEwWr5E1sKSTvf
+cNGundCEVZogtDqNY2tv1zf8j+bKgB6pI2a4xyJMPrMFYteMufqwVjHQdInCk9Y
DSb7exOtXt2K8zNwIPh57JZYPiOSTBqzFghcbVNxLijh4e5Qc3dBn3BTNuGwc1Yy
/7lSQ6tyXXAh5lU+vEiJ6pcFlIy7WFgCCaNtJNlBh/V19L24qDLHMSdoN1lRi1SR
a1pJVai6dLA3CGNlWlzMiv2T7uUNRbVnlB9SniJfZoI1pTdKtMb1LJvK2rOC6e5a
mzGJ6qT0DJOBgHT+Ywoy
=tofi
-----END PGP SIGNATURE-----
Joonas Lehtonen
Aug 12, 2014, 5:49:10 PM8/12/14
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Another answer to this question by andrea (Tor core developer):
Hash: SHA512
https://twitter.com/puellavulnerata/status/499110027878096896
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJT6ovKAAoJEG58zmw5nc+v/IQP/1Im+HK9ScJw8LE6fhAO9J8y
7eaQqYWSkBg35nDkChqZfbDVHrfngolF7CJu3sWaH6OL1+JXZQP4E+jYfEzK3sbI
vd4/rfl48Jt/4apUTbiLcnQPqPsFC5iDXF1u1e9RXORqpESInmy4GGsr78pYNSLW
qMtcVwlOfgI2Kq+d3efCXLgwPTg1kqjBvKSmF1922D5GXevBEo6ReFb/qVLUW9Az
nLqW1TEYbNg9Wap87HhvMhopn4KDUrf1qGxoXXL4mN+2YU8kD4A1lljwAz9ITKXB
PaSjU+JssKIuFTKJm/ePdsA1ISv0FmAV0R1xjM5LzqRKJ4RFGXrZYiD4UHXYf/eQ
Q6Ha45XJp9HdbNTjdTjXX7HCYwuHbW3UWd/aUIy6oOX0XSbaAxufJ3xQUbDztGTi
dzGza1LjsI3KWL/wcSyw3hcQkrix3olYRJ/dH1WhXfdW7VXcH1mSZSFpYySxAnXn
WjMTsa5JPKxxry0PfSn3pDZpLJ4+7tURlENk9nHgVbS+5gnPahSovZgT9W57rsGu
gUS4U/9d2tiyGZzdmFgrGIZdz0nK8EQXvuyMu39k4ys2vAdzyrJd6pT7SX+esBH5
zKaI6pjeTqIZqZSm+I/OGtNl8A6kWAxDSsMzjIESVlxwW61A8yB2faIwASNu9Yet
Z2tBkPvNUSsde75A6TrQ
=KFF2
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages