Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host

Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

well, shitlord...

which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?"

Well, "Qubes security researcher", which platform did you choose for your project, and did you audit it fully before making your releases? No?

Which raises the age-old question: Has Qubes been written by competent developers?

Re:well, shitlord...

[casings]

Good thing you posted this anonymously, so people don't know who the fucktard is.

Re:well, shitlord...

[martyros]

Which raises the age-old question: Has Qubes been written by competent developers?

What's really rich about that question is that if you read their advisory, the Qubes developers couldn't figure out how to exploit the vulnerability when handed a patch that changes the problematic behavior. If not spotting the issue without having it handed to them makes the Xen developers incompetent, what does that say about the Qubes developers?

The fact is, though, that the vulnerability is actually quite hard to spot. It's not surprising at all that experienced security researchers would fail to spot it even when given a pretty big clue; much less that the initial developers would fail to spot it.

the answer is no

[phantomfive]

Has Xen been written by competent developers?

Strictly speaking the answer is no, but they are definitely as good as the VMWare guys, who've had plenty of vulns.

Computer security is really, really hard

[haruchai]

And I can't help but wonder if much of it is because security was an afterthought for so long and if we would have been better off and designed for it from the get-go, even though it would have meant rewriting or scrapping decades of code.
The counterargument i was hearing back in the late 80s was that too much would have to be redone - and that was before the explosive growth that's seen a billion people walking around with more computing power in their pockets than most companies had available back then.

Re:Computer security is really, really hard

[fustakrakich]

It's time to face the truth. Real computer security is impossible.

Re:Computer security is really, really hard

[phantomfive]

Real computer security is impossible.

We can do much, much, much better than we are doing now.
There is no reason that our lower-level systems (at least) can't be secure. You write them once (in the djb style), then don't change them, because they don't need to change.

The problem now is that there is very little motivation for programmers to even care about security. You can't see it, and no manager ever asks at a sprint, "is the code you wrote secure?"

Re:Computer security is really, really hard

[NotInHere]

Security is always an afterthought. People want to get their products used and published, and want to make money. They need to release their stuff before the competitors do it. Only very rarely security is implemented from day one.

Re:Computer security is really, really hard

[fustakrakich]

Sorry, it's "cat and mouse" all the way down. The treadmill is infinite. Two things are required to break the circle, Respect, and trust. Without both, all bets are off. Just call it a day and put down a cold one (or six) and chase the old lady around the house. Dwelling on it will only give you a heart attack.

Re:Computer security is really, really hard

[phantomfive]

Sorry, it's "cat and mouse" all the way down. The treadmill is infinite.

No it's not, you can prove that your code is correct.

Re:Computer security is really, really hard

[fustakrakich]

Even I can assure you there is always a way in. Nothing is invincible. If it were it would be all over the papers, and we would have world peace.

Re:Computer security is really, really hard

[phantomfive]

Even I can assure you there is always a way in.

Unplug the computer.

Re:Computer security is really, really hard

[fustakrakich]

We're working on it. Don't be surprised when it lights up.

Re: Computer security is really, really hard

Sure, you keep harping on this, but you can only prove your code is correct. Not the operating system, not the additional libraries you use, not the output of the optimising compiler with your code as input.

Software complexity rises with a O(^N) speed with N different connections between modules or conditionals. Proving every code path correct is a gargantuan task.

That doesn't mean you shouldn't write your code to be secure and mathematically provable when possible. It means you shouldn't fall into the false sense of security that because your few lines of code are correct that the whole system is correct. You'll be sorely disappointed.

Re: Computer security is really, really hard

[phantomfive]

Base your code on libraries that have been proven correct.

Re:Computer security is really, really hard

[Dog-Cow]

You can prove code is logically correct, but you can't prove the logic is correct. If you don't understand the difference, don't be a security researcher.

Re: Computer security is really, really hard

[Dog-Cow]

While you're at it, build your own fucking universe where everything is secure from the subatomic particle on up. If you don't your task is impossible. The end.

Re: Computer security is really, really hard

[phantomfive]

That's a very sophisticated argument. I'm impressed.

Re:Computer security is really, really hard

[Time_Ngler]

No, you're wrong. All programs have to run on hardware, which can't be proven to run the way its supposed to. Full stop.

Re:Computer security is really, really hard

[phantomfive]

I think some people have tried to prove that it's not possible to prove the correctness of a non-trivial OS.

It's been done. You can get a fully verified OS. Incidentally, they didn't trust the compiler, so they also formally verified the assembly output.

Re:Computer security is really, really hard

[gweihir]

Bullshit. Spoken like a true incompetent. Code vulnerabilities are caused by coders. They can be reduced and potentially eliminated by a) using better coders and b) spending more effort. In todays world where coders are often as cheap and incompetent so they just get the job still done (and management bonuses are not threatened), most code is vulnerable, but that is not fate.

Re:Computer security is really, really hard

[gweihir]

I guess you have never heard of hardware verification. Puts you on same level like all the other morons claiming "everything is vulnerable".

Re:Computer security is really, really hard

[fustakrakich]

Please... Put your best system out in the wild with a big fat bounty and see how long it holds up.

Re: Computer security is really, really hard

[Time_Ngler]

You can prove a system is designed to do what it's supposed to, but given that we haven't discovered all of the laws of physics, you can't prove it will always do what it's supposed to.

There is no physical way to determine whether a system is leaking information in some way, or if you flip bits in a certain pattern, you can cause the memory to become corrupted, etc.

Re: Computer security is really, really hard

[gweihir]

That is untrue. Hardware verification most certainly deals with the risks you describe. Otherwise modern chips would not work.

As to the laws of physics, you certainly can claim that fundamentally we do not understand anything (and it would even be true), but it is a worthless observation as it does not regard the context the original statement is in. You cannot go down the "nothing is certain" road and still do meaningful engineering. You can run in endless circles going that way though.

Re:Computer security is really, really hard

[gweihir]

It would last forever. As nobody is paying _me_ a large sum of money for doing so, I have zero interest in doing this though.

The argument you present is one of the more transparent fallacies used by the typical techno-skeptic moron.

Re: Computer security is really, really hard

[Time_Ngler]

Dealing with risks does not mean eliminating them. I thought the original statement was in the context of having an actual real life computer running a provably correct algorithm.

So either you are thinking the context was a theoretical computing device, or that your definition of "prove" includes assuming that hardware designed to "deal with the risks [I] describe" can protect against all known and unknown attacks, now and in the future. Tempest is still being updated, right?

I don't know what you think I'm trying to say here... Of course, some risk has to be accepted to do meaningful engineering, but equating that to prove is just wrong.

Re:Computer security is really, really hard

[fustakrakich]

As nobody is paying _me_ a large sum of money for doing so, I have zero interest in doing this though.

Whoa! Like, did you even read? You put a fat reward on it, and somebody will have greater than zero interest, and will eventually succeed, within a reasonable amount of time. I thought that was spelled out in the post. Oh well, That's what I get for thinkin'..

Thank you for your participation... It was most enlightening.

I must be talking to the owner of the Titanic, or was it the Towering Inferno?

"... of unpatched installations"

[LichtSpektren]

So patch your OS. If it's not a zero-day it's not a problem. Why is this news?

Re:"... of unpatched installations"

[phantomfive]

If it's not a zero-day it's not a problem.

You don't know about zero-days. They haven't hit the news yet: but they're being used by hackers.

Re:"... of unpatched installations"

[NotInHere]

So that everyone finds out about it and maybe patches it?

Re:"... of unpatched installations"

[LichtSpektren]

Anybody who casually neglects security updates unless he sees a news headline probably shouldn't be using anything that requires manual updates.

Re:"... of unpatched installations"

[slashrio]

The vulnerability seems to assume paravirtualization, which can be switched off. Problem solved.
Geez, you people almost got me scared about my qubes...

Re:Really?

[phantomfive]

Show me this type of vulnerability in VMware, any version

Here's one example.

Here's a story showing that VMWare tries to hide their vulnerabilities.

Re:Own the host?

[93+Escort+Wagon]

Well, at least he didn't say "pwn the b0xen".

Re:Really?

[Kjella]

Show me this type of vulnerability in VMware, any version. I think you are a bit off base here. The Xen Guys are good, it sucks when this type of vulnerability were to surface, but there has never been one like this on vSphere.

Any computer software more complex than this has bugs:
10 PRINT "HELLO, WROLD!"
20 GOTO 10
.
.
.
(so does this one)

WTF is Qubes?

[kwerle]

https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it loos like they are all about the security, so this is kind of a big deal for them.

https://www.qubes-os.org/tour/...
What is Qubes OS?
Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

Re:WTF is Qubes?

[Burz]

You can think of Qubes as a desktop OS that demotes monolithic kernels (hopelessly insecure) to the role of providing features/drivers within unprivileged VMs. This is similar to the microkernel philosophy, but also recognizes that monolithic kernels are still where all the drivers and apps are to be found.

Qubes also employs IOMMU hardware to contain network and USB controllers within unprivileged VMs to protect against DMA attacks. The admin VM that runs the desktop environment has no direct access to networking, and the user can assign other PCI devices to VMs as they see fit.

The last piece of the Qubes picture is that it departs from how most hypervisors handle graphics, keyboards and inter-VM copying. Each is properly virtualized using a very simple protocol that is highly resistant to attack, so that VMs cannot sniff your clipboard contents or keystrokes, or take screenshots, etc. Copying between Qubes VMs is also probably much safer than copying between air-gapped machines using discs or flash drives because the former is far simpler.

The Qubes Security Bulletin for this Xen vulnerability can be viewed here.

Most Xen vulns either do not apply to Qubes or are DOS, and the Qubes project is skeptical that this one can be realistically used against Qubes. Still, the bulletin also describes how this vuln belongs to a class of memory management bugs that the Xen project has not done a good job in rectifying. This appears to be Xen's "weak spot" that could be a perennial source of vulns. As a result, Qubes will be moving away from PVMs (which use the questionable memory mapping code) to HVMs which employ on-silicon SLAT for VMs.

Re:WTF is Qubes?

[fnj]

https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it loo[k]s like they are all about the security, so this is kind of a big deal for them.

"All about security", so they insert "user ALL=(ALL) NOPASSWD: ALL" in sudoers, right? And a PolicyKit rule for anybody to do anything? And DOM0 is set up with no-password root access? I gotta tell ya, those are real head-scratchers. They have some great ideas, but I'm not sure they are living in the same world I am.

Re:WTF is Qubes?

[slashrio]

As the assumption is that VMs can not access each other's contents, and the owner of the computer is assumed to have protected his access to the host by using a password, individual passwords for individual VMs are not necessary anymore and the user can have sudo access, as there is only one user.
Qubes OS is not multi-user.

who asks the age-old question...

[St.Creed]

... How much did the qubes researcher, or anyone, pay for this software?

I think it's the same as with the OpenSSL library: sure, it may be buggy and unsafe. But would you rather do without? And those complaining don't *have* to use Xen, or OpenSSL: they can always use commercial software. And I have to say that the trackrecord of the Xen solution vs. the commercial solutions is pretty good.

Dissing developers who put in time and effort to help others is insulting to the entire OS community. Point out mistakes, sure. Report bugs, sure. But dissing them this way just to make yourself look better? Yuck.

Re:Really?

[lgw]

That wired story reads like fiction, and doesn't really explain anything.

The first link is interesting - it's not a "bug" in VMware code (which thus far has only had a couple of exploitable bugs in its history), but an extremely clever remote exploit that's only loosely related to virtualization. Certainly a design flaw in VMware Workstation, though, since they allowed it to happen.

By printing to the host's printer from the guest, which by default is Microsoft's bizarre fake printer, you can exploit Microsoft's almost insane level of stupidity with Word and printing.

Re:I blame it on two things:

[lgw]

C++ fixes these issues already, if you actually learn and use the language standard libraries (yes, what you're calling the 'crap' is the fix you're too arrogant to see).

First link describes XSA-148, not XSA-182

[martyros]

The first link is a description of XSA-148, which was published last October, not XSA-182.

Re:Really?

[darkain]

Take your pick: https://www.cvedetails.com/vul...

Re:Really?

[sexconker]

Show me this type of vulnerability in VMware, any version. I think you are a bit off base here. The Xen Guys are good, it sucks when this type of vulnerability were to surface, but there has never been one like this on vSphere.

Any computer software more complex than this has bugs:
10 PRINT "HELLO, WROLD!"
20 GOTO 10
.
.
.
(so does this one)

That's demonstrable false. Software can be formally proven. Not all software for the general case. But if you limit inputs or execution time, you absolutely can prove software to be correct, bug-free, etc..

Re:Hyperbole?

[gweihir]

Big egos and small skills usually go hand-in-hand....

Re:Really?

[phantomfive]

That wired story reads like fiction, and doesn't really explain anything.

I posted it because it shows how the company, VMWare, responds to vulnerabilities. Wired has a crappy tone and I hate it (which is what you were complaining about when you said it "reads like fiction"), but on the other hand, they do a relatively good job with fact checking. Which isn't the same as doing a good job fact-checking, I guess.

The first link is interesting - it's not a "bug" in VMware code

Was the fix in VMWare code or in Microsoft code?

Re:Really?

[lgw]

The fix is usually in the code of the company that gives a shit about its customers, regardless of where the actual problem is. This is fundamentally a horrible MS security bug, that VMware didn't wall off. I'd bet that VMware fixed it, because they actually care about security.

Re:Really?

[phantomfive]

This is fundamentally a horrible MS security bug,

That's true too.

Physical vs Virtual

[Euphorinaut]

Oh so... is this why the tor people always say it's better to have the whonix workstation in a qubes VM but still have to go through the whonix gateway VM on a completely separate machine? Which just leads me to another question: Is there a smaller attack vector in physical separation or is it just a different one? Or is the idea that you have to get through a physical machine to get to the workstation machine but then still get through the VM to dox fully? It would seem like just getting to the gateway pc would be enough because it's still a machine on the same network right?

Passion is good

[Shane_Optima]

First off, I'm not quite sure what to make of you calling Joanna a "shitlord". Has that epithet recently undergone a dramatic shift in meaning?

Now, do you actually expect the leader of a relatively small distro to personally audit everything upstream before every single release? Or were you just being rhetorical and you think that harsh criticism is always unwarranted? I do not have the time or expertise to vet anything personally, but Joanna's white papers and her philosophy for Qubes have almost always struck me as spot-on. Xen was initially chosen because it is a thin type-1 hypervisor with less than 150,000 lines of code[1]]. It has major corporate backers and it's been around for over a decade. If any massive holes turn up, I'm all for Joanna or anyone else yelling for a bit. I'm not sure that Torvalds-style management is always called for, but horrendous mistakes should not slip by with a shrug, especially in a major project that is small enough (in terms of lines of code) to make comprehensive security reviews feasible.

As it happens, Joanna already decided several years back that Qubes should not be wedded to Xen for all of time. Qubes 3.0 saw the introduction of the "Hypervisor Abstraction Layer", which was specifically intended to eventually allow Qubes to be ported to platforms. So, this isn't empty complaining we're talking about here... if the Qubes devs are dissatisfied with the direction Xen is headed, they can start looking for alternatives sooner rather than later.

Joanna is the head of a extremely interesting project that produces 100% open source code. (Their Windows guest tools, previously proprietary but free of charge for personal use, were released under the GPL v2 earlier this year.) I would rather she spend her limited time and money making Qubes more awesome. And I'd rather the Xen devs and their corporate backers spend their time and money making Xen more efficient and secure. Does that sound unreasonable to you?

Well, do you know what sounds unreasonable to me? Saying that Joanna should audit Xen before every Qubes release.


1. "but that's misleading! Dom0 should be considered part of the hypervisor attack surface as well!" That was what I'd always assumed as well, but she convinced me otherwise... first with her whitepaper and then with her product, which has already isolated several vulnerable components in de-privileged domains. In particular, the network card drivers and the firewall are in separate domains and Dom0 has no network connections whatsoever.