adding gresecurity to Qubes

[xopl...@gmail.com]

Hello I was wondering if Qubes might ever add Gresecurity in the future?I think adding it would be great since you'll have a hardened kernel

[raah...@gmail.com]

On Friday, June 3, 2016 at 2:39:49 AM UTC-4, xopl...@gmail.com wrote:
> Hello I was wondering if Qubes might ever add Gresecurity in the future?I think adding it would be great since you'll have a hardened kernel

It has been discussed before. Alot of it is privilege escalation protections which would be meaningless in qubes. Some of it would be nice. Some people in the mailing list have claimed to got a grsec kernel working if you search it, but it might be more trouble then its actually worth.

I kind of believe in the philosophy that nothing is 100%, there is no such thing as completely stopping attacks, if attacker is persistent enough and you continue to use the services you use a computer to enjoy, you will be compromised eventually. There will always be bugs till the end of the time and the best thing to do is just mitigate the damage. For example in qubes the sys-net is assumed untrustworthy but it does its best to separate its exposure from rest of the system.

Not sure if you know this, but Brad Spengler, the developer of grsecurity, doesn't even use his own kernels. He prefers to use windows.

[raah...@gmail.com]

He also just had a recent issue with one of his patches that was totally borked and suspect and blocked everyone from the grsec twitter account out of shame.

[xopl...@gmail.com]

On Tuesday, June 7, 2016 at 12:34:29 AM UTC-4, raah...@gmail.com wrote:
> He also just had a recent issue with one of his patches that was totally borked and suspect and blocked everyone from the grsec twitter account out of shame.

wow thanks for the information,and yes I totally agree there will never be a way to be fully 100% a system is unexploitable,bug-free,backdoor free,all we can really due is reduce the coding,and make it more simple

for years projects such as firefox,OpenBSD,gresecurity,etc. have been constantly updating their respective projects,i see no near possible end to its security audits,in the fore see-able future.

and i did not know Brad Spengler does'nt use his own kernel :O I did hear though he was quite disrespectful when a certain someone found a bug and he got butt-hurt or something and deleted that certain someone off his twitter

and the escalation protections is not needed why?just wondering is all,I have a hunch it is because of Qubes awesome security by isolation approach,and because its based off a micro-kernel Xen right?due to its small amounts of coding?

[raah...@gmail.com]

He blocked everyone off his twitter, he flies off the handle alot it seems. Well I'm no expert, but for example qubes has passwordless sudo. But maybe i'm misunderstanding myself I'm not sure.

[Lorenzo Lamas]

Imho it would still be a good idea because of the PaX protections on user applications.
For example it could prevent exploitation of your mail client. The infection may not be able to survive AppVM reboot but it could still steal information. You can of course limit the damage by compartmentalizing more granular, but that doesn't prevent it in the first place and more AppVMs means more resource usage.

[Sandy Harris]

On Fri, Jun 3, 2016 at 2:39 AM, <xopl...@gmail.com> wrote:
> Hello I was wondering if Qubes might ever add Gresecurity in the future?I think adding it would be great since you'll have a hardened kernel

It may not be necessary. There is a kernel hardening project
which is bringing some of the grsecurity & PaX stuff into the
mainline kernel.
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

[7v5w7go9ub0o]

On 06/15/2016 03:14 AM, dlme...@gmail.com wrote:
> On Wednesday, 15 June 2016 04:40:03 UTC+10, Lorenzo Lamas wrote:
>> ".....Imho it would still be a good idea because of the PaX protections on user applications.
>> For example it could prevent exploitation of your mail client...."


Ditto. what he said!

>> The infection may not be able to survive AppVM reboot but it could still steal information. You can of course limit the damage by compartmentalizing more granular, but that doesn't prevent it in the first place and more AppVMs means more resource usage.

Ditto again!


> That's how I looked at it too. (Additionally, reboots don't protect against infections in /home, such as malicious browser extension, modified .bash_rc, etc.)

Ditto again. There once was strong interest in multiple varieties of
DispVMs - i.e. you could have a Thunderbird VM in addition to the single
browser VM. This would allow cleansing through reboots.

(FWIW, some presently run TBird and other applications exclusively in
individual DispVMS - by starting a DVM, "emptying" /home, then starting
TB after copying Tbird user config and mail txt data into it. Before
shutdown, copy updated mail/usenet txt data only back to vault for
subsequent use)

[Lorenzo Lamas]

On Wednesday, June 15, 2016 at 6:31:23 AM UTC+2, Sandy Harris wrote:

It may not be necessary. There is a kernel hardening project
which is bringing some of the grsecurity & PaX stuff into the
mainline kernel.
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

May not be objective coming from the grsecurity dev, but the kernel hardening project should be taken with some salt:
https://forums.grsecurity.net/viewtopic.php?f=7&t=4476

[Sandy Harris]

In security work, more-or-less everything should be taken with
salt, but you make a good point.

The main argument on the other side, as I understand it (salt
needed here too), is that kernel developers want bite-size
patches,incremental stuff that changes one thing at a time
and can be tested independently. grsecurity does not provide
those, so it is unlikely to ever be incorporated into the
mainline kernel.

The hardening project mostly takes good ideas from grsecurity
and other sources and massages them into a form that is
likely to produce patches that mainline kernel developers
will accept.

[xopl...@gmail.com]

hi what do you mean by takened with salt?

[jkitt]

It's an old English idiom that means to "not take seriously":

http://idioms.thefreedictionary.com/take+with+a+pinch+of+salt

[xopl...@gmail.com]

Also why does Qubes not ship with Gresecurity by default I know that privilege escalation protections would be meaningless according to raah,but Gresecurity also add other security features https://grsecurity.net/features.php

I know Qubes is quite reasonably secured with its isolation and xen architecture,but I like adding precaution such as extra security in case of an attacker somehow bypasses the isolation or find an exploit or flaw in the xen architecture

[jkitt]

I couldn't agree more - just because you live in a safe neighborhood it doesn't mean you go out and leave your door unlocked. Every mitigation is useful.

However, with grsecurity there's a great deal of performance overhead, some things like X really don't like grsecurity, and with a semi-stateless system there's not a great need for such mitigations. Also, I've heard that there's some things that just can't work under a virtualized environment - not sure what yet. However, a compromised system can still be used to attack other systems. I've noticed that by default Qubes domains don't block connections to the local LAN - which is an attack vector from default configured domains; not to mention the compromise of any data in that domain.

I'd like to see something like subgraph or a gentoo hardened GRS template.

[raah...@gmail.com]

if you manage to get a patched nvidia driver installed, with patches available from pax team(which sometimes don't work). You can even game with grsecurity with full security on (usually only disabling memprotect for certain programs to run) and no performance loss noticeable.

Some features, maybe the most beneficial ones, like Kernexec and UDEREF, are not supported by xen. Here is a thread discussing some things related to grsec and hypervisor host. http://www.gossamer-threads.com/lists/gentoo/hardened/57609

[raah...@gmail.com]

You can probably compile kernel for templatevm. I think with the latest qubes release this is made easier, I haven't tried yet.