Confused about virtualization's protections

Mark Newman

Apr 5, 2019, 4:00:02 PM
to qubes...@googlegroups.com
I understand how Xen works to compartmentalize one VM from another. What I don't understand is how or if it can help protect from things like rootkits, key loggers and especially the Intel Management Engine backdoor. (See:
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it)
I am not a security professional, and am hoping someone can explain so I can understand.
Thanks,

awokd

Apr 5, 2019, 4:57:24 PM
to qubes...@googlegroups.com
Mark Newman wrote on 4/5/19 8:00 PM:
> I understand how Xen works to compartmentalize one VM from another. What I don't understand is how or if it can help protect from things like rootkits, key loggers and especially the Intel Management Engine backdoor. (See:
> https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it)
> I am not a security professional, and am hoping someone can explain so I can understand.

Qubes helps protect from these threats by making it more difficult to
exploit them. Unauthorized code needs to install that rootkit or key
logger on a machine somehow. See https://www.qubes-os.org/intro/ for an
overview. If an Intel ME exploit needs to run some software on the local
machine, Qubes will make it harder for it to communicate with what it needs.

However, compromise that takes place solely at the hardware level is not
something Qubes can protect from nor claims to. Qubes can't protect from
a network attack directly against Intel ME, for example. Some users
therefore use a non-onboard NIC and are also interested in Coreboot, ME
Cleaner, and/or an older AMD laptop that does not have a management engine.