While learning about Qubes OS, I am looking into how isolated individual qubes actually are and the possibility of vm-to-vm attacks.
A simple scenario: Two qubes - one
attacker and one
attacker, create some
qvm-open-in-vm victim malware.sh
I tried various victims (all disposable, for the sake of testing):
A. Based on fedora-37-xfce-dvm
malware.sh opens in Geany text editor in the victim qube.
B. Based on whonix-16-ws-dvm
Result: the victim qube opens an empty terminal window and a dialog box saying:
‘Failed to execute child process “”: Failed to execve: No such file or directory’
No idea what this is telling me.
C. Based on fedora-37-minimal-dvm
Result: nothing visible (no windows are opened)
If instead of
malware.sh I use an URL:
qvm-open-in-vm victim http://example.com
A. fedora-37-xfce-dvm based qube opens Firefox
B. whonix-16-ws-dvm based qube opens Tor Browser
C. Here I think I may have found a bug:
The exact command I used in
qvm-open-in-vm disp8300 http://example.com
disp8300 is the name of a running qube based on fedora-37-minimal-dvm. Something very weird is happening: Qubes OS starts creating new dispXXXX VMs one after another to infinity. As I am typing this, there are already 20+ and counting. Even closing the
attacker disposable doesn’t stop the process and new disposables keep piling up, so I will save and reboot, then finish this post…
OK. To make sure this is not an individual accident, I retried the latest test and the result was the same.
Based on all that, I am questioning:
- If one can
qvm-copy/move-to-vmbetween any domUs (including templates) with no restriction whatsoever, thus making any VM a potential attacker or victim, why is that called a “security-by-isolation” model? Isolation means no contact.
I understand the usability benefits but what can prevent an attacker to overfill victim’s storage by sending files with all the consequences from that?
Why is it allowed any qube to tell another “open this URL” and the other one obeys with no restriction whatsoever? This has quite serious security and privacy implications.
My “C” case shows a practical attack to the whole Qubes OS by causing this avalanche of disposables, exhausting system resources with all the consequences this may have. Is this an actual bug (as I think) or an expected behavior? Has it been reported?
What defines how a qube should act when another qube tells it “receive/open this”?
What mechanisms are there to restrict/control 4? (e.g. some security policy?)
How to create a truly isolated PVH VM to which one can’t send anything which is not explicitly allowed?