Slashdot Mirror


Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host (itnews.com.au)

Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question: "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

73 comments

  1. well, shitlord... by Anonymous Coward · · Score: 4, Insightful

    which quotes a Qubes security researcher who asks the age-old question: "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

    Well, "Qubes security researcher", which platform did you choose for your project, and did you audit it fully before making your releases? No?

    Which raises the age-old question: Has Qubes been written by competent developers?

    1. Re:well, shitlord... by Anonymous Coward · · Score: 0

      No one competent runs their OS on a VM.

    2. Re:well, shitlord... by casings · · Score: 1

      Good thing you posted this anonymously, so people don't know who the fucktard is.

    3. Re:well, shitlord... by martyros · · Score: 4, Informative

      Which raises the age-old question: Has Qubes been written by competent developers?

      What's really rich about that question is that if you read their advisory, the Qubes developers couldn't figure out how to exploit the vulnerability when handed a patch that changes the problematic behavior. If not spotting the issue without having it handed to them makes the Xen developers incompetent, what does that say about the Qubes developers?

      The fact is, though, that the vulnerability is actually quite hard to spot. It's not surprising at all that experienced security researchers would fail to spot it even when given a pretty big clue; much less that the initial developers would fail to spot it.

      --

      TCP: Why the Internet is full of SYN.

  2. Compliments of by Anonymous Coward · · Score: 0

    The N$A.

  3. the answer is no by phantomfive · · Score: 1

    Has Xen been written by competent developers?

    Strictly speaking the answer is no, but they are definitely as good as the VMWare guys, who've had plenty of vulns.

    --
    "First they came for the slanderers and i said nothing."

  4. Computer security is really, really hard by haruchai · · Score: 1

    And I can't help but wonder if much of it is because security was an afterthought for so long, and if we would have been better off had we designed for it from the get-go, even though it would have meant rewriting or scrapping decades of code.
    The counterargument I was hearing back in the late 80s was that too much would have to be redone - and that was before the explosive growth that's seen a billion people walking around with more computing power in their pockets than most companies had available back then.

    --
    Pain is merely failure leaving the body

    1. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      It's time to face the truth. Real computer security is impossible.

      --
      “He’s not deformed, he’s just drunk!”

    2. Re:Computer security is really, really hard by Anonymous Coward · · Score: 0

      Security is hard because so many things have been added to computers, often in the name of security, that it is practically impossible to know everything that can go on in a computer. A secure system is a simple system.

    3. Re:Computer security is really, really hard by phantomfive · · Score: 2

      Real computer security is impossible.

      We can do much, much, much better than we are doing now.
      There is no reason that our lower-level systems (at least) can't be secure. You write them once (in the djb style), then don't change them, because they don't need to change.

      The problem now is that there is very little motivation for programmers to even care about security. You can't see it, and no manager ever asks at a sprint, "is the code you wrote secure?"

      --
      "First they came for the slanderers and i said nothing."

    4. Re:Computer security is really, really hard by NotInHere · · Score: 1

      Security is always an afterthought. People want to get their products used and published, and want to make money. They need to release their stuff before the competitors do it. Only very rarely security is implemented from day one.

    5. Re:Computer security is really, really hard by Anonymous Coward · · Score: 0

      And I can't help but wonder if much of it is because security was an afterthought for so long, and if we would have been better off had we designed for it from the get-go, even though it would have meant rewriting or scrapping decades of code.
      The counterargument I was hearing back in the late 80s was that too much would have to be redone - and that was before the explosive growth that's seen a billion people walking around with more computing power in their pockets than most companies had available back then.

      Yes, the Linux kernel should have been implemented as a micro-kernel architecture but Lord Linus started his project as a hobby not a serious operating system or anything akin to such a serious competitor to commercial products. [ /sarcasm ]

    6. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      Sorry, it's "cat and mouse" all the way down. The treadmill is infinite. Two things are required to break the circle, Respect, and trust. Without both, all bets are off. Just call it a day and put down a cold one (or six) and chase the old lady around the house. Dwelling on it will only give you a heart attack.

      --
      “He’s not deformed, he’s just drunk!”

    7. Re:Computer security is really, really hard by phantomfive · · Score: 1

      Sorry, it's "cat and mouse" all the way down. The treadmill is infinite.

      No it's not, you can prove that your code is correct.

      --
      "First they came for the slanderers and i said nothing."

    8. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      Even I can assure you there is always a way in. Nothing is invincible. If it were it would be all over the papers, and we would have world peace.

      --
      “He’s not deformed, he’s just drunk!”

    9. Re:Computer security is really, really hard by phantomfive · · Score: 1

      Even I can assure you there is always a way in.

      Unplug the computer.

      --
      "First they came for the slanderers and i said nothing."

    10. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      We're working on it. Don't be surprised when it lights up.

      --
      “He’s not deformed, he’s just drunk!”

    11. Re: Computer security is really, really hard by Anonymous Coward · · Score: 1

      Sure, you keep harping on this, but you can only prove your code is correct. Not the operating system, not the additional libraries you use, not the output of the optimising compiler with your code as input.

      Software complexity rises with a O(^N) speed with N different connections between modules or conditionals. Proving every code path correct is a gargantuan task.

      That doesn't mean you shouldn't write your code to be secure and mathematically provable when possible. It means you shouldn't fall into the false sense of security that because your few lines of code are correct that the whole system is correct. You'll be sorely disappointed.

    12. Re:Computer security is really, really hard by Anonymous Coward · · Score: 0

      No, there really isn't. If proven correct (all the way down), then there is NO way. Full F'ing stop. End of story. Stop arguing, you are wrong.

      But I'm not sure it's possible to prove a non-trivial operating system as correct. If it is possible, then it's certainly not easy; and it may entail limits on what the OS can do. And such an OS is only as good as whatever layer it is running on (hence, it would require the CPU proven correct all the way down.)

      I think some people have tried to prove that it's not possible to prove the correctness of a non-trivial OS.

    13. Re: Computer security is really, really hard by phantomfive · · Score: 1

      Base your code on libraries that have been proven correct.

      --
      "First they came for the slanderers and i said nothing."

    14. Re:Computer security is really, really hard by Dog-Cow · · Score: 2

      You can prove code is logically correct, but you can't prove the logic is correct. If you don't understand the difference, don't be a security researcher.

    15. Re: Computer security is really, really hard by Dog-Cow · · Score: 3, Insightful

      While you're at it, build your own fucking universe where everything is secure from the subatomic particle on up. If you don't, your task is impossible. The end.

    16. Re: Computer security is really, really hard by phantomfive · · Score: 1

      That's a very sophisticated argument. I'm impressed.

      --
      "First they came for the slanderers and i said nothing."

    17. Re:Computer security is really, really hard by Time_Ngler · · Score: 3, Insightful

      No, you're wrong. All programs have to run on hardware, which can't be proven to run the way it's supposed to. Full stop.

    18. Re: Computer security is really, really hard by Anonymous Coward · · Score: 0

      Software complexity rises with a O(^N) speed with N different connections between modules or conditionals. Proving every code path correct is a gargantuan task.

      You do not have to prove that every code path is correct. You just need to prove that all code paths that rely on external input are correct.

      I.e., if you have some type of parser that receives external input and that parser can be proven to be correct, and only gives a limited number of outputs, you do not have to work through the whole stack.

    19. Re:Computer security is really, really hard by phantomfive · · Score: 1

      I think some people have tried to prove that it's not possible to prove the correctness of a non-trivial OS.

      It's been done. You can get a fully verified OS. Incidentally, they didn't trust the compiler, so they also formally verified the assembly output.

      --
      "First they came for the slanderers and i said nothing."

    20. Re:Computer security is really, really hard by gweihir · · Score: 1

      Bullshit. Spoken like a true incompetent. Code vulnerabilities are caused by coders. They can be reduced and potentially eliminated by a) using better coders and b) spending more effort. In today's world, where coders are often cheap and incompetent so long as they still get the job done (and management bonuses are not threatened), most code is vulnerable, but that is not fate.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    21. Re:Computer security is really, really hard by gweihir · · Score: 1

      I guess you have never heard of hardware verification. Puts you on the same level as all the other morons claiming "everything is vulnerable".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    22. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      Please... Put your best system out in the wild with a big fat bounty and see how long it holds up.

      --
      “He’s not deformed, he’s just drunk!”

    23. Re: Computer security is really, really hard by Time_Ngler · · Score: 1

      You can prove a system is designed to do what it's supposed to, but given that we haven't discovered all of the laws of physics, you can't prove it will always do what it's supposed to.

      There is no physical way to determine whether a system is leaking information in some way, or if you flip bits in a certain pattern, you can cause the memory to become corrupted, etc.

    24. Re: Computer security is really, really hard by gweihir · · Score: 1

      That is untrue. Hardware verification most certainly deals with the risks you describe. Otherwise modern chips would not work.

      As to the laws of physics, you certainly can claim that fundamentally we do not understand anything (and it would even be true), but it is a worthless observation as it does not regard the context the original statement is in. You cannot go down the "nothing is certain" road and still do meaningful engineering. You can run in endless circles going that way though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    25. Re:Computer security is really, really hard by gweihir · · Score: 1

      It would last forever. As nobody is paying _me_ a large sum of money for doing so, I have zero interest in doing this though.

      The argument you present is one of the more transparent fallacies used by the typical techno-skeptic moron.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    26. Re: Computer security is really, really hard by Time_Ngler · · Score: 1

      Dealing with risks does not mean eliminating them. I thought the original statement was in the context of having an actual real life computer running a provably correct algorithm.

      So either you are thinking the context was a theoretical computing device, or that your definition of "prove" includes assuming that hardware designed to "deal with the risks [I] describe" can protect against all known and unknown attacks, now and in the future. Tempest is still being updated, right?

      I don't know what you think I'm trying to say here... Of course, some risk has to be accepted to do meaningful engineering, but equating that to prove is just wrong.

    27. Re:Computer security is really, really hard by fustakrakich · · Score: 1

      As nobody is paying _me_ a large sum of money for doing so, I have zero interest in doing this though.

      Whoa! Like, did you even read? You put a fat reward on it, and somebody will have greater than zero interest, and will eventually succeed, within a reasonable amount of time. I thought that was spelled out in the post. Oh well, That's what I get for thinkin'..

      Thank you for your participation... It was most enlightening.

      I must be talking to the owner of the Titanic, or was it the Towering Inferno?

      --
      “He’s not deformed, he’s just drunk!”

  5. "... of unpatched installations" by LichtSpektren · · Score: 1

    So patch your OS. If it's not a zero-day it's not a problem. Why is this news?

    1. Re:"... of unpatched installations" by phantomfive · · Score: 1

      If it's not a zero-day it's not a problem.

      You don't know about zero-days. They haven't hit the news yet, but they're being used by hackers.

      --
      "First they came for the slanderers and i said nothing."

    2. Re:"... of unpatched installations" by NotInHere · · Score: 1

      So that everyone finds out about it and maybe patches it?

    3. Re:"... of unpatched installations" by LichtSpektren · · Score: 1

      Anybody who casually neglects security updates unless he sees a news headline probably shouldn't be using anything that requires manual updates.

    4. Re:"... of unpatched installations" by slashrio · · Score: 1

      The vulnerability seems to assume paravirtualization, which can be switched off. Problem solved.
      Geez, you people almost got me scared about my qubes...

      --
      "Trump!!", the new Godwin.

  6. Hyperbole? by madsh · · Score: 0

    From the Qubes website, describing its own role...

    If it breaks, so goes the global digital economy.

    Well, let's see about that.

    1. Re:Hyperbole? by gweihir · · Score: 1

      Big egos and small skills usually go hand-in-hand....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  7. Really? by Anonymous Coward · · Score: 0

    Show me this type of vulnerability in VMware, any version. I think you are a bit off base here.

    The Xen Guys are good, it sucks when this type of vulnerability were to surface, but there has never been one like this on vSphere.

    1. Re:Really? by phantomfive · · Score: 5, Informative

      Show me this type of vulnerability in VMware, any version

      Here's one example.

      Here's a story showing that VMWare tries to hide their vulnerabilities.

      --
      "First they came for the slanderers and i said nothing."

    2. Re:Really? by Anonymous Coward · · Score: 0

      No true Scotsman..?

    3. Re:Really? by Kjella · · Score: 1

      Show me this type of vulnerability in VMware, any version. I think you are a bit off base here. The Xen Guys are good, it sucks when this type of vulnerability were to surface, but there has never been one like this on vSphere.

      Any computer software more complex than this has bugs:
      10 PRINT "HELLO, WROLD!"
      20 GOTO 10
      .
      .
      .
      (so does this one)

      --
      Live today, because you never know what tomorrow brings

    4. Re:Really? by Anonymous Coward · · Score: 0

      thank you that wired article read like a film

    5. Re:Really? by lgw · · Score: 1

      That wired story reads like fiction, and doesn't really explain anything.

      The first link is interesting - it's not a "bug" in VMware code (which thus far has only had a couple of exploitable bugs in its history), but an extremely clever remote exploit that's only loosely related to virtualization. Certainly a design flaw in VMware Workstation, though, since they allowed it to happen.

      By printing to the host's printer from the guest, which by default is Microsoft's bizarre fake printer, you can exploit Microsoft's almost insane level of stupidity with Word and printing.

      --
      Socialism: a lie told by totalitarians and believed by fools.

    6. Re:Really? by darkain · · Score: 2

    7. Re:Really? by sexconker · · Score: 1

      Show me this type of vulnerability in VMware, any version. I think you are a bit off base here. The Xen Guys are good, it sucks when this type of vulnerability were to surface, but there has never been one like this on vSphere.

      Any computer software more complex than this has bugs:
      10 PRINT "HELLO, WROLD!"
      20 GOTO 10
      .
      .
      .
      (so does this one)

      That's demonstrably false. Software can be formally proven. Not all software for the general case. But if you limit inputs or execution time, you absolutely can prove software to be correct, bug-free, etc.

    8. Re:Really? by Anonymous Coward · · Score: 0

      They're out there, but the plebs aren't talented enough to spot them. You can identify a good programmer by how they can solve hard problems, you overlook a great programmer because they make hard problems look simple with their elegant solutions and you assume they're not that good. Kind of like in an anime where someone is so much more powerful than everyone else, no one else can tell how powerful they are and assume they're weak.

      It takes a true scotsman to identify a true scotsman. I've read the blogs of true scotsmen who have had to work with Xen's code or, god forbid, port it. And they say Xen's code is a pile of crap. One caveat though, Xen supports a lot of legacy and some of the blogs said it's very possible the quality of the code would be better if they didn't support the complexity of legacy. But as true scotsmen, they refuse to support legacy if it comes as such a price.

    9. Re:Really? by phantomfive · · Score: 1

      That wired story reads like fiction, and doesn't really explain anything.

      I posted it because it shows how the company, VMWare, responds to vulnerabilities. Wired has a crappy tone and I hate it (which is what you were complaining about when you said it "reads like fiction"), but on the other hand, they do a relatively good job with fact checking. Which isn't the same as doing a good job fact-checking, I guess.

      The first link is interesting - it's not a "bug" in VMware code

      Was the fix in VMWare code or in Microsoft code?

      --
      "First they came for the slanderers and i said nothing."

    10. Re:Really? by lgw · · Score: 1

      The fix is usually in the code of the company that gives a shit about its customers, regardless of where the actual problem is. This is fundamentally a horrible MS security bug, that VMware didn't wall off. I'd bet that VMware fixed it, because they actually care about security.

      --
      Socialism: a lie told by totalitarians and believed by fools.

    11. Re:Really? by phantomfive · · Score: 1

      This is fundamentally a horrible MS security bug,

      That's true too.

      --
      "First they came for the slanderers and i said nothing."

  8. Crackers by Anonymous Coward · · Score: 0

    Like white people. Not hackers, like coughers.

  9. I blame it on two things: by Anonymous Coward · · Score: 0

    Lack of an open source Ada->C translator for bootstrapping GNAT (which is written in Ada; same issue as the LLVM Ada frontend).

    And lack of an analysis of Ada/Spark/Ravenscar features versus C functionality to backport as many of the code protection mechanisms as possible to C, even if they are just optional extensions.

    Most of the issues with C/C++ could be resolved if they stopped piling new 'crap' on top of C/C++, fixed the underlying issues (most of which are due to the assumption made that most C programmers were also going to be system level programmers (an oversight due to the fact that C was essentially fixing up BCPL to help make porting UNIX easier)), and separated features that should be used for portable code from features which should only be used for system level or non-portable programming.

    1. Re:I blame it on two things: by lgw · · Score: 1

      C++ fixes these issues already, if you actually learn and use the language standard libraries (yes, what you're calling the 'crap' is the fix you're too arrogant to see).

      --
      Socialism: a lie told by totalitarians and believed by fools.

  10. Own the host? by Anonymous Coward · · Score: 0

    What is this, the 90's?

    1. Re:Own the host? by 93+Escort+Wagon · · Score: 1

      Well, at least he didn't say "pwn the b0xen".

      --
      #DeleteChrome

  11. WTF is Qubes? by kwerle · · Score: 2

    https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it looks like they are all about the security, so this is kind of a big deal for them.

    https://www.qubes-os.org/tour/...
    What is Qubes OS?
    Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

    1. Re:WTF is Qubes? by Burz · · Score: 3, Informative

      You can think of Qubes as a desktop OS that demotes monolithic kernels (hopelessly insecure) to the role of providing features/drivers within unprivileged VMs. This is similar to the microkernel philosophy, but also recognizes that monolithic kernels are still where all the drivers and apps are to be found.

      Qubes also employs IOMMU hardware to contain network and USB controllers within unprivileged VMs to protect against DMA attacks. The admin VM that runs the desktop environment has no direct access to networking, and the user can assign other PCI devices to VMs as they see fit.

      The last piece of the Qubes picture is that it departs from how most hypervisors handle graphics, keyboards and inter-VM copying. Each is properly virtualized using a very simple protocol that is highly resistant to attack, so that VMs cannot sniff your clipboard contents or keystrokes, or take screenshots, etc. Copying between Qubes VMs is also probably much safer than copying between air-gapped machines using discs or flash drives because the former is far simpler.

      The Qubes Security Bulletin for this Xen vulnerability can be viewed here.

      Most Xen vulns either do not apply to Qubes or are DoS, and the Qubes project is skeptical that this one can be realistically used against Qubes. Still, the bulletin also describes how this vuln belongs to a class of memory management bugs that the Xen project has not done a good job in rectifying. This appears to be Xen's "weak spot" that could be a perennial source of vulns. As a result, Qubes will be moving away from PVMs (which use the questionable memory mapping code) to HVMs which employ on-silicon SLAT for VMs.

    2. Re:WTF is Qubes? by fnj · · Score: 2

      https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it loo[k]s like they are all about the security, so this is kind of a big deal for them.

      "All about security", so they insert "user ALL=(ALL) NOPASSWD: ALL" in sudoers, right? And a PolicyKit rule for anybody to do anything? And DOM0 is set up with no-password root access? I gotta tell ya, those are real head-scratchers. They have some great ideas, but I'm not sure they are living in the same world I am.

    3. Re:WTF is Qubes? by slashrio · · Score: 2

      As the assumption is that VMs cannot access each other's contents, and the owner of the computer is assumed to have protected his access to the host by using a password, individual passwords for individual VMs are not necessary anymore and the user can have sudo access, as there is only one user.
      Qubes OS is not multi-user.

      --
      "Trump!!", the new Godwin.

  12. who asks the age-old question... by St.Creed · · Score: 1

    ... How much did the qubes researcher, or anyone, pay for this software?

    I think it's the same as with the OpenSSL library: sure, it may be buggy and unsafe. But would you rather do without? And those complaining don't *have* to use Xen, or OpenSSL: they can always use commercial software. And I have to say that the track record of the Xen solution vs. the commercial solutions is pretty good.

    Dissing developers who put in time and effort to help others is insulting to the entire OS community. Point out mistakes, sure. Report bugs, sure. But dissing them this way just to make yourself look better? Yuck.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)

  13. ALWAYS REQUIRE PROOF OF CONCEPT. by Anonymous Coward · · Score: 0

    >A malicious, paravirtualized guest administrator

    This means admin rights. Wtf is paravirtualized you stupid mother fucking liars. It hits spellcheck that is a fucking typo of a concept.

    The NEW QUBES update is actually the fucked off version. Keep what you have. Until somebody says HEY LOOK MOTHER FUCKERS I screen grabbed it happening, don't believe this fucking shit.

    The same applies to VirtualBox. They already did this. You don't want any version later than 4.2. The Guest Additions are where you get remote shared even with it disabled.

    Same shit different fucking liars. This method of lies is called social engineering. FUCK "itnews.com.au" in their asses with kangaroo blood for lube.

    With so much of computing already having succumbed to spyware, mostly for the US government, you should think twice every time you update ANYTHING. Apple on the other hand is China's bitch.

    tl;dr skip this update.

    1. Re:ALWAYS REQUIRE PROOF OF CONCEPT. by Anonymous Coward · · Score: 0

      It should also be noted that EditorDavid is already dead. That poster is FBI. FBI also have infiltrated Debian Linux. FBI are international moles to an unprecedented extent.

  14. Oh noes dose haxx0rz by Anonymous Coward · · Score: 0

    Aren't we lucky there's only so many of them around? Otherwise just ANYONE could do this. Lucky us!

  15. eggs in baskets by Anonymous Coward · · Score: 0

    AWS is one BIG f**king basket, filled with a lot of eggs, and it is only getting bigger.

  16. !Twitter by Anonymous Coward · · Score: 0

    Can we not link to tweets in summaries. I clicked on them thinking they contained more information on the story, but all they contained was the same information as the hyperlink. Ridiculous redundancy is not appreciated.

  17. FUD by Anonymous Coward · · Score: 0

    Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?

    Oh dear, is it time for another software project smear campaign? Time to fork it, remove a bunch of old platform code that was already being removed by the preprocessor and sell that as a "better" product. I bet it runs at PID 1 too.

  18. First link describes XSA-148, not XSA-182 by martyros · · Score: 2

    The first link is a description of XSA-148, which was published last October, not XSA-182.

    --

    TCP: Why the Internet is full of SYN.

  19. Physical vs Virtual by Euphorinaut · · Score: 1

    Oh so... is this why the Tor people always say it's better to have the Whonix workstation in a Qubes VM but still have to go through the Whonix gateway VM on a completely separate machine? Which just leads me to another question: Is there a smaller attack vector in physical separation or is it just a different one? Or is the idea that you have to get through a physical machine to get to the workstation machine but then still get through the VM to dox fully? It would seem like just getting to the gateway PC would be enough because it's still a machine on the same network, right?

  20. Passion is good by Shane_Optima · · Score: 1

    First off, I'm not quite sure what to make of you calling Joanna a "shitlord". Has that epithet recently undergone a dramatic shift in meaning?

    Now, do you actually expect the leader of a relatively small distro to personally audit everything upstream before every single release? Or were you just being rhetorical and you think that harsh criticism is always unwarranted? I do not have the time or expertise to vet anything personally, but Joanna's white papers and her philosophy for Qubes have almost always struck me as spot-on. Xen was initially chosen because it is a thin type-1 hypervisor with less than 150,000 lines of code[1]. It has major corporate backers and it's been around for over a decade. If any massive holes turn up, I'm all for Joanna or anyone else yelling for a bit. I'm not sure that Torvalds-style management is always called for, but horrendous mistakes should not slip by with a shrug, especially in a major project that is small enough (in terms of lines of code) to make comprehensive security reviews feasible.

    As it happens, Joanna already decided several years back that Qubes should not be wedded to Xen for all of time. Qubes 3.0 saw the introduction of the "Hypervisor Abstraction Layer", which was specifically intended to eventually allow Qubes to be ported to other platforms. So, this isn't empty complaining we're talking about here... if the Qubes devs are dissatisfied with the direction Xen is headed, they can start looking for alternatives sooner rather than later.

    Joanna is the head of an extremely interesting project that produces 100% open source code. (Their Windows guest tools, previously proprietary but free of charge for personal use, were released under the GPL v2 earlier this year.) I would rather she spend her limited time and money making Qubes more awesome. And I'd rather the Xen devs and their corporate backers spend their time and money making Xen more efficient and secure. Does that sound unreasonable to you?

    Well, do you know what sounds unreasonable to me? Saying that Joanna should audit Xen before every Qubes release.

    [1] "but that's misleading! Dom0 should be considered part of the hypervisor attack surface as well!" That was what I'd always assumed as well, but she convinced me otherwise... first with her whitepaper and then with her product, which has already isolated several vulnerable components in de-privileged domains. In particular, the network card drivers and the firewall are in separate domains and Dom0 has no network connections whatsoever.