Hi,
While learning about Qubes OS, I am looking into how isolated individual qubes actually are and the possibility of vm-to-vm attacks.
A simple scenario: Two qubes - one attacker
and one victim
.
In attacker
, create some malware.sh
, then:
qvm-open-in-vm victim malware.sh
I tried various victims (all disposable, for the sake of testing):
A. Based on fedora-37-xfce-dvm
Result: malware.sh
opens in Geany text editor in the victim qube.
B. Based on whonix-16-ws-dvm
Result: the victim qube opens an empty terminal window and a dialog box saying:
âFailed to execute child process ââ: Failed to execve: No such file or directoryâ
No idea what this is telling me.
C. Based on fedora-37-minimal-dvm
Result: nothing visible (no windows are opened)
If instead of malware.sh
I use an URL:
qvm-open-in-vm victim http://example.com
Results:
A. fedora-37-xfce-dvm based qube opens Firefox
B. whonix-16-ws-dvm based qube opens Tor Browser
C. Here I think I may have found a bug:
The exact command I used in attacker
was:
qvm-open-in-vm disp8300 http://example.com
where disp8300
is the name of a running qube based on fedora-37-minimal-dvm. Something very weird is happening: Qubes OS starts creating new dispXXXX VMs one after another to infinity. As I am typing this, there are already 20+ and counting. Even closing the attacker
disposable doesnât stop the process and new disposables keep piling up, so I will save and reboot, then finish this postâŚ
OK. To make sure this is not an individual accident, I retried the latest test and the result was the same.
Based on all that, I am questioning:
- If one can
qvm-copy/move-to-vm
between any domUs (including templates) with no restriction whatsoever, thus making any VM a potential attacker or victim, why is that called a âsecurity-by-isolationâ model? Isolation means no contact.
I understand the usability benefits but what can prevent an attacker to overfill victimâs storage by sending files with all the consequences from that?
-
Why is it allowed any qube to tell another âopen this URLâ and the other one obeys with no restriction whatsoever? This has quite serious security and privacy implications.
-
My âCâ case shows a practical attack to the whole Qubes OS by causing this avalanche of disposables, exhausting system resources with all the consequences this may have. Is this an actual bug (as I think) or an expected behavior? Has it been reported?
-
What defines how a qube should act when another qube tells it âreceive/open thisâ?
-
What mechanisms are there to restrict/control 4? (e.g. some security policy?)
-
How to create a truly isolated PVH VM to which one canât send anything which is not explicitly allowed?