Are there any security benefits of setting up standalonevm instead of appvm?


Vasiliy

Jan 8, 2020, 12:30:39 PM1/8/20
to Qubes Users
Are there any security benefits of setting up standalonevm instead of appvm?

For instance, having 5 standalonevms based on minimal template with one program installed in each instead of having 5 appvms for one program in each based on a default template with all programs installed (for example, fedora-30)

I am mainly worried about 3 things:

1. Thunderbird and other communication tools sometimes can be compromised and malicious code can affect all programs installed. I am scared that even if I don't use a program in an appvm, it can indirectly reduce my security.

2. If an attacker will successfully replace packages while updating the template, they will have full access to all my appvms. I know that Tor somewhat protects from it, but it can still happen.

3. Proprietary software may monitor activities of other programs even if I don't use it. Similar to what snap does (runs in the background and updates software without any interaction with the user) some proprietary programs may do the same even if I don't use them.

I would be happy to hear your opinions on this topic. Maybe you want to point out where I am incorrect or have some advantages and disadvantages that should be considered, apart from usability. Thank you in advance.

Chris Laprise

Jan 8, 2020, 1:17:17 PM1/8/20
to Vasiliy, Qubes Users
IMO the only benefit of using standalone is configuration flexibility
when one or more packages directly conflict with Qubes' template
system. It can also simplify the process of temporarily trying a complex
new app or configuration. There are no security benefits.

I don't think the package updates threat is what you think, since you
still have to update your standalone VMs to keep them secure anyway.
Plus you now have many more updates to run. Updates should all be
cryptographically signed, so in any realistic scenario they should be
the least of your worries.

OTOH, using your apps on standalone vms could result in a successful
attack against them leading to the guest OS being compromised. This is a
more realistic threat, and using template-based vms helps protect against
it – the OS is clean again when you restart the vm.

Snap or flatpak may actually be a part of your ideal solution. I think
there are Qubes instructions for using them with template-based Appvms.
If not, you could use template-based Appvms and command them to install
the desired packages each time the vm starts.

Another thing that might help you is my Qubes-VM-hardening project. It
allows you to perform automatic checks and run scripts, and disable
/rw-based malware on vm startup:

https://github.com/tasket/Qubes-VM-hardening

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

dhorf-hfre...@hashmail.org

Jan 8, 2020, 1:28:04 PM1/8/20
to Vasiliy, Qubes Users
On Wed, Jan 08, 2020 at 06:30:32PM +0100, Vasiliy wrote:
> Are there any security benefits of setting up standalonevm instead of appvm?

dont see any. if anything, it might reduce your security posture.
i consider the volatility of the root volume of a templated appvm
a good thing.
not really a strong/hard security feature, but it certainly will make
it harder for non qubes-aware evils to persist, or for you to wreck
things by accident.


> 1. Thunderbird and other communication tools sometimes can be
> compromised and malicious code can affect all programs installed. I am
> scared that even if I don't use a program in an appvm, it can
> indirectly reduce my security.

this is the "a computer is more secure without a compiler installed" cult.
i am not the only one to not participate in that.


> 2. If an attacker will successfully replace packages while updating
> the template, they will have full access to all my appvms. I know that
> Tor somewhat protects from it, but it can still happen.

if attacks on update mechanism bother you, adding more VMs that
need updating just increases the problem.
and tor does not protect you from this. at all.
it may actually make you more visible and easier to attack in this way.
this depends on your threat model, mostly on whether you believe that
you are targeted a) as an individual, b) as a job function, c) as a
qubes user or d) in general.


> 3. Proprietary software may monitor activities of other programs even
> if I don't use it. Similar to what snap does (runs in the background
> and updates software without any interaction with the user) some
> proprietary programs may do the same even if I don't use them.

"dont run software in places where you dont want it to run" should
cover this. note the term "run", not "install".
it seems to be just another weird variant of (1).
if your systems execute stuff without your consent, you already have
a decent size problem.
and considering f.ex. less than 256 byte sized generic evils that download
arbitrary sized payloads from network and execute it, i dont see that
an attacker that can execute stuff on your system needs your help in
installing the stuff for him.


> I would be happy to hear your opinions on this topic. Maybe you want
> to point out where I am incorrect or have some advantages and
> disadvantages that should be considered, apart from usability. Thank you
> in advance.

if you really are a believer in the (1)+(3) things, and are willing to
risk the additional exposure that comes from (2) with lots of roots,
going with lots-of-templates (that have one appvm each) still seems to
be much better than lots-of-standalones.



Steve Coleman

Jan 8, 2020, 2:03:07 PM1/8/20
to Qubes Users
On 2020-01-08 12:30, Vasiliy wrote:
> Are there any security benefits of setting up standalonevm instead of appvm?

> 1. Thunderbird and other communication tools sometimes can be
> compromised and malicious code can affect all programs installed. I am
> scared that even if I don't use a program in an appvm, it can indirectly
> reduce my security.

If this happens in an HVM you are already toast. If it gets pulled into
a template while passing the signature test it lies dormant until you
run that app in the AppVM, and the system volume is non-persistent
there, so the binary blob that the hack downloads onto your system will
not stay resident on the system volume. It will likely have to repeat
the download each time the AppVM is launched, or recognize that it's a
Qubes system and find an alternate way to maintain persistence. That is
a much higher bar to hurdle than simply installing that binary blob.

> 2. If an attacker will successfully replace packages while updating the
> template, they will have full access to all my appvms. I know that Tor
> somewhat protects from it, but it can still happen.

It only gains access if it is run, and if run in an AppVM it only has
temporary access to that one AppVM. While that does not keep it from
phoning home to the mother ship and sending all your stuff, it still
will have a hard time becoming persistent. If the sending your stuff
bothers you then think carefully about locking down the firewall rules
for each AppVM so long as you know what each AppVM is supposedly for.

Example: I have an AppVM called Email. Its only job is to protect the
rest of my system from external threats. The networking is set up with a
default deny firewall and only the authentication and mail servers are
permitted access. Anything else raises a red flag and my system informs
me of the problem. If I click on anything malicious like a hacked PDF
it's opened in a one-time-use DispVM. Anything else is blocked from
downloading its payload.

Steve
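As an added example (not part of Steve's post or of Qubes itself), here is how the default-deny rule set he describes for an "Email" AppVM can be expressed with dom0's qvm-firewall; it assumes Qubes 4.x rule syntax, an AppVM named "email", and constructed server names mail.example.com / auth.example.com in place of your real hosts.

```shell
#!/bin/sh
# Added example: default-deny firewall for an Email AppVM (Qubes 4.x syntax assumed).
# Constructed placeholders: VM name "email", mail/auth hostnames below.
set -eu

VM="${VM:-email}"
MAIL_HOST="mail.example.com"   # constructed: your IMAP/SMTP submission server
AUTH_HOST="auth.example.com"   # constructed: your identity/auth provider

# One qvm-firewall rule per line, evaluated top to bottom in the netvm.
# DNS is allowed so dsthost names can resolve; the trailing "drop" is the
# default deny that blocks everything else (a payload download included).
email_fw_rules() {
    cat <<EOF
accept specialtarget=dns
accept dsthost=$AUTH_HOST proto=tcp dstports=443
accept dsthost=$MAIL_HOST proto=tcp dstports=993
accept dsthost=$MAIL_HOST proto=tcp dstports=587
drop
EOF
}

# Number of explicit "accept" rules (useful when auditing the list later).
email_fw_accept_count() {
    email_fw_rules | grep -c '^accept'
}

# Apply the rule set in dom0: reset to the stock single "accept" rule,
# delete that rule so nothing is allowed implicitly, then append ours.
# Returns 1 outside dom0 so the script is safe to source elsewhere.
email_fw_apply() {
    command -v qvm-firewall >/dev/null 2>&1 || {
        echo "qvm-firewall not found: run this from dom0" >&2
        return 1
    }
    qvm-firewall "$VM" reset
    qvm-firewall "$VM" del --rule-no 0
    email_fw_rules | while read -r rule; do
        # Word-splitting $rule into "action key=value ..." is intended here.
        # shellcheck disable=SC2086
        qvm-firewall "$VM" add $rule
    done
    qvm-firewall "$VM" list
}
```

Rules are enforced in the AppVM's netvm (typically sys-firewall), not inside the AppVM, so they hold even if the AppVM is compromised; the "red flag" alerting Steve mentions is not something qvm-firewall provides by itself.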

fiftyfour...@gmail.com

Jan 8, 2020, 11:57:07 PM1/8/20
to qubes-users
Not an expert (or even technically inclined), but here's my suggestion:

I get how you feel because I've wondered about the exact same thing as you. Why not create multiple templates, with each containing programs you're comfortable grouping together? If your system supports it, you can put an app in each template.

I don't know whether this will increase your system's security, but I don't see why it would hurt as long as your system can handle it. More importantly, this configuration will make you feel more secure while not harming your security.


Claudia

Jan 18, 2020, 6:47:14 AM1/18/20
to dhorf-hfre...@hashmail.org, Vasiliy, Qubes Users
January 8, 2020 6:28 PM, dhorf-hfre...@hashmail.org wrote:
> "dont run software in places where you dont want it to run" should
> cover this. note the term "run", not "install".

In practice, I think there are some exceptions to this. Some software doesn't have a clear line between installing and running, from the user's perspective. Consider for example, multimedia codecs, link handlers, device drivers, plugins for other apps. It's not realistic to expect the user to examine the metadata of every image or video on every web page to make sure a particular codec won't run.
