Breaking the Security Model of Subgraph OS


Micah Lee

Apr 11, 2017, 1:13:34 PM
to qubes-users
I met up with Joanna at the recent Tor meeting in Amsterdam, and we
tried to see if we could hack Subgraph OS, which I was running on my
travel computer. We succeeded, and I've written up all the details here:

https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/

And also made a video of the exploit here:

https://www.youtube.com/watch?v=SVsllZ7g7-I

The analysis compares how Qubes would handle such an attack.

Tai...@gmx.com

Apr 11, 2017, 10:25:28 PM
to Micah Lee, qubes-users
What exactly makes Subgraph special and not just another
apparmor/selinux MAC-type clone?

The firewall is a neat bit of progress, but again that can also
be accomplished with an apparmor MAC default profile; however, "allow app
to access site" etc. is only on an IP basis, not a DNS basis (a DNS basis is
sketchy anyways).

The "firewall not designed for malicious apps" is silly: a calculator, or
anything for that matter, should not be accessing the internet without
permission, period. However did we live before everything, even
our toaster, was connected to the internet to retrieve optimal toasting
parameters?

cooloutac

Apr 11, 2017, 11:03:28 PM
to qubes-users, mi...@micahflee.com
Nice, will def read this!

As far as I know the only diff between that and doing it yourself is they have their own sandbox or something, and everything that needs network is sandboxed? And they wrote a couple of programs from scratch, like a mail client? I can't remember; I tried it out very briefly and didn't like it... I think I remember installing htop and seeing root processes, and that took me by surprise, thinking it was supposed to have hardcore kernel restrictions.

Then I think I was asking some questions of the developers on IRC and didn't take it seriously or trust it.

Bernhard

Apr 12, 2017, 4:34:48 AM
to qubes...@googlegroups.com
> What exactly makes subgraph special and not just another
> apparmor/selinux MAC type clone?
>
> The firewall is a neat bit of progress however, but again that can
> also be accomplished with an apparmor MAC default profile however
> allow app to access site etc is only on an IP basis not a DNS basis
> (dns basis is sketchy anyways).
I perfectly agree that this 'phone home' business is unacceptable. If
you consider that this type of firewall is easy to set up within Qubes, I
invite you to write a small tutorial on the subject for 'normal users'
.... thank you! Bernhard

Zrubi

Apr 12, 2017, 5:07:50 AM
to Bernhard, qubes...@googlegroups.com
On 04/12/2017 10:34 AM, Bernhard wrote:

> I perfectly agree that this 'phone home' business is unacceptable.
> If you consider that this type of firewall is easy to set up within
> qubes I invite you to write a small tutorial on the subject for
> 'normal users' .... thank you! Bernhard

Such an advanced firewall has been on my todo list for ages.
My first candidate is running Suricata in a ProxyVM:

https://suricata-ids.org/

However, I had no RAM to play with such things in my machines.
Now I have enough computing resources, but not enough free time :(


--
Zrubi

cooloutac

Apr 12, 2017, 12:49:03 PM
to qubes-users

With Qubes it's so easy to stop. For example, for the "phoning home from media players" I just use a media-vm and disable internet access on it. Of course the firewall "deny except" is an easy option too if you want to limit internet access on a specific VM.

For my case, the only reason I would need custom firewall scripts is to log network activity, but the problem is some Qubes system processes I would not be able to log.

And I can't believe Subgraph is still in alpha. I feel like I tried it out over a year or two ago? If you compile your own grsec kernel and use the automatic "desktop security over performance" settings, you will have more kernel protections than they have. I don't understand that. It doesn't actually hurt performance that I have ever noticed. And their whole arrogant and nonchalant attitude about everything is hard to take seriously. David Mirza is an extremely nice guy, but I think he's just the marketing guy; he doesn't really know how anything works. Bruce Leidl is really the brains behind it, and he seemed a little vindictive to me. They are very typical IMO; ITL is anything but. To me it's like theory vs. real world.
