UPSTREAM AUDIT REPORT: qubes-mirage-firewall Supply Chain

Audit Scope

This audit covers the upstream supply chain dependencies of the qubes-mirage-firewall unikernel, as requested in the Qubes OS Forum topic by @palainp. The audit was split into two halves per the user’s instruction — this is Half 1: Upstream Supply Chain. The downstream codebase audit (Half 2) will follow.

1. Build System Architecture

The project supports two build paths:

Path A: Docker/Podman Build (Recommended by README)

The Dockerfile defines the reproducible build environment:

Path B: Manual Build (Forum Instructions)

The forum instructions use a non-pinned, non-reproducible approach:

sh <(curl -fsSL https://opam.ocaml.org/install.sh)
opam switch create 5.4.1
opam install mirage -y

Path C: Makefile.builder (Non-Docker)

Uses OCAML_VERSION ?= 4.14.2 and installs mirage without version pinning.

2. Declared Dependencies (from config.ml)

The unikernel declares these package dependencies with minimum version constraints:

Critical observation: None of the 14 dependencies have upper version bounds. The Dockerfile compensates by pinning the opam-repository to a specific git commit, but the forum’s manual build path has no such pinning — it will resolve to whatever is latest at build time.

3. Security Advisories Found Affecting Upstream Dependencies

3.1 OSEC-2026-01 / CVE-2026-28364 — OCaml Marshal Deserialization Buffer Over-Read

Impact on qubes-mirage-firewall: The vulnerability allows remote code execution through malicious marshaled data via Marshal.from_channel, Marshal.from_bytes, Marshal.from_string, Stdlib.input_value, or Pervasives.input_value. While the firewall unikernel itself doesn’t appear to directly deserialize untrusted Marshal data in its own source code, any transitive dependency that uses Marshal deserialization on network data could be exploitable. The OCaml runtime itself is affected, meaning all code compiled with this compiler inherits the risk.

Risk Rating: HIGH — The Dockerfile, which is the recommended build path, pins OCaml 5.3.0 which is directly in the vulnerable range. This is the compiler that produces the final unikernel binary.

3.2 OSEC-2026-02 — ARP Unbounded Memory Usage

Impact on qubes-mirage-firewall: The ARP cache has no size constraints. An attacker with Layer-2 access can spoof arbitrary IP addresses in ARP replies, causing the cache to grow unboundedly until the unikernel exhausts its memory (max 4GiB for Solo5 unikernels, but the firewall runs with only 32MB). This is a direct denial-of-service vector against the firewall itself.

The Dockerfile pins the opam-repository to a commit from October 2025, while arp 4.1.0 was released October 20, 2025. Whether the pinned repository includes the fix depends on the exact commit date relative to the arp release. This requires verification.

Risk Rating: HIGH — The firewall operates with only 32MB of memory. Even modest ARP cache growth could cause an OOM crash, taking down the firewall for all connected AppVMs.

3.3 OSEC-2026-03 — opam Install Sandbox Escape

Impact: .install files do not validate whether destination paths are inside the package area, allowing sandbox bypass. A malicious opam package could install files as ~/.bashrc or other arbitrary paths. Since the Dockerfile uses OPAMCONFIRMLEVEL=unsafe-yes and --disable-sandboxing, this is doubly relevant — sandboxing is already disabled, meaning the sandbox escape vulnerability’s impact is reduced (you can’t escape a sandbox that isn’t running), but the underlying risk of malicious packages writing to arbitrary paths is actually higher because there’s no sandbox at all.

Risk Rating: MEDIUM — While the build occurs inside a Docker container (providing isolation), a malicious package could still compromise the build output. The pinned opam-repository commit provides some protection against typosquatting, but transitive dependencies are still a vector.

3.4 OSEC-2026-04 / CVE-2026-34353 — Bigarray.reshape Integer Overflow

Impact: Integer overflow in Bigarray.reshape allows reading arbitrary memory. The Dockerfile uses OCaml 5.3.0 which is not affected by this specific CVE (it was fixed in the 5.4.1 release along with OSEC-2026-01). However, the Makefile.builder path uses OCaml 4.14.2 which is affected.

Risk Rating: LOW — Only affects the non-Docker build path. The Docker path (recommended by README) uses OCaml 5.x.

3.5 OSEC-2026-05 / CVE-2026-41083 — Windows Filename Command Injection

Impact on qubes-mirage-firewall: Not applicable — the unikernel targets Xen, not Windows. No impact.

3.6 OSEC-2026-06 / CVE-2026-45388 — ocaml-tls Certificate Validation Bypass

Impact on qubes-mirage-firewall: The tls package is not listed as a direct dependency in config.ml. However, dns-client (which IS a dependency, min 6.4.0) may transitively depend on tls for DNS-over-TLS. If the resolved version of tls is < 2.1.0, any TLS connections made by the DNS client would be vulnerable to certificate impersonation via missing EKU/KeyUsage validation on TLS 1.3.

Risk Rating: MEDIUM — Requires transitive dependency resolution to confirm. The firewall’s DNS client typically uses plain UDP DNS (port 53) rather than DNS-over-TLS, which would limit exposure. But if DoT is used, this becomes a person-in-the-middle attack vector against DNS resolution.

3.7 CVE-2022-46770 / MSA03 — Solo5 Console Infinite Loop (Historical)

Impact: Historical vulnerability. The current repository (22 releases, latest Oct 2025) is well past version 0.8.4. However, the Dockerfile doesn’t explicitly pin the solo5 version — it installs ocaml-solo5 without a version constraint. The pinned opam-repository commit should resolve to a safe version, but this should be verified.

Risk Rating: LOW — Historical, likely resolved by the pinned repository commit, but should be verified.

3.8 Historical MirageOS Security Advisories (MSA00-MSA03)

The config.ml declares minimum versions of mirage-net-xen >= 2.1.4 and mirage-xen >= 8.0.0, both well above the fixed versions. These are not a concern.

4. Supply Chain Attack Surface Analysis

4.1 opam Bootstrap Script (Forum Build Path Only)

The forum instructions use sh <(curl -fsSL https://opam.ocaml.org/install.sh). This is a classic supply chain risk:

• No integrity verification — the script is piped directly to shell without checksum verification
• TLS-dependent — relies on HTTPS for integrity, vulnerable to CA compromise or MITM with rogue cert
• CDN-dependent — opam.ocaml.org is served via a CDN; compromise of the CDN injects malicious code
• Note: The Dockerfile avoids this entirely by downloading the opam binary directly from GitHub releases with SHA-512 verification

4.2 opam Package Repository Trust Model

The opam-repository is a community-maintained metadata database (CC0 licensed). Key observations:

• No signed packages — opam packages are not cryptographically signed by their authors
• Metadata only — the repository contains build instructions that fetch source from upstream URLs (typically GitHub tags)
• Commit-based pinning — the Dockerfile mitigates this by pinning to commit a20cf55ad5f40faa..., but this only freezes the metadata, not the upstream source archives
• Transitive dependencies — the full dependency tree is not enumerated in config.ml; make depend resolves transitive deps at build time

4.3 Overlay Repositories

The Dockerfile uses two overlay repositories:

• dune-universe/opam-overlays pinned to commit 3320932b74afc1d0...
• dune-universe/mirage-opam-overlays pinned to commit 797cb363df3ff763...

These provide cross-compilation patches for the Xen target. They are maintained by the dune-universe organization and pinned to specific commits, which is good practice.

4.4 Docker Base Image

The Dockerfile pins the Debian base image by SHA-256 digest (debian@sha256:7e490910eea2...), which is excellent practice. The APT sources are also pinned to a specific Debian snapshot date (20251001T023456Z), ensuring reproducible system package installation.

5. Summary of Findings

Critical/High Risk

Medium Risk

Low Risk

6. Recommendations

Immediate (P0)

1. Upgrade OCaml to 5.4.1 in the Dockerfile — The current pin to 5.3.0 is vulnerable to OSEC-2026-01 (CVE-2026-28364, buffer over-read in Marshal deserialization). While the firewall may not directly use Marshal on untrusted input, the compiler-level vulnerability affects all generated code.

2. Verify arp package version resolves to >= 4.1.0 — The OSEC-2026-02 ARP unbounded memory usage vulnerability is a direct DoS vector against the firewall. Given the 32MB memory limit, this is exploitable by any Layer-2 adjacent attacker. If the pinned opam-repository commit resolves to an older version, the pin must be updated.

3. Verify tls transitive dependency — If dns-client pulls in tls < 2.1.0 and DNS-over-TLS is used, certificate validation can be bypassed. Check opam list output in the build environment.

Short-term (P1)

4. Upgrade opam to 2.5.1+ in the Dockerfile — The current 2.4.1 binary is vulnerable to OSEC-2026-03 (sandbox escape). While Docker isolation mitigates this, defense-in-depth demands the fix.

5. Add upper version bounds to config.ml — All 14 dependencies have only minimum version constraints. Adding upper bounds (e.g., < 5.0.0 for major version lock) would prevent unexpected breaking changes or supply chain attacks via version confusion.

6. Remove the Makefile.builder path or update it — It uses OCaml 4.14.2, which is vulnerable to both OSEC-2026-01 and OSEC-2026-04. If this path is still supported, it should be updated to at minimum OCaml 4.14.4.

Long-term (P2)

7. Pin all transitive dependency versions — While the Dockerfile pins the opam-repository commit (good), explicitly pinning all transitive dependencies would provide an additional layer of supply chain assurance.

8. Consider reproducible build verification — The Dockerfile already generates SHA-256 checksums of the build output and compares against known-good values. This is excellent practice and should be enforced as a gate in CI/CD.

9. Audit the opam bootstrap script — For users following the forum’s manual build path, the sh <(curl -fsSL ...) pattern is a supply chain risk. Consider providing a GPG-signed installer or at minimum documenting the SHA-256 verification step.

7. Dependency Tree (Direct)

qubes-mirage-firewall
├── vchan >= 4.0.2         (Xen shared memory communication)
├── cstruct                (C structures / byte buffers)
├── tcpip >= 3.7.0         (TCP/IP stack)
├── arp >= 2.3.0           ⚠️ OSEC-2026-02 if < 4.1.0
├── ethernet >= 3.0.0      (Ethernet layer)
├── shared-memory-ring >= 3.0.0  (Xen ring buffers)
├── mirage-net-xen >= 2.1.4  (Xen network frontend)
├── ipaddr >= 5.2.0        (IP address parsing)
├── mirage-qubes >= 0.9.1  (Qubes protocol implementation)
├── mirage-nat >= 3.0.1    (NAT implementation)
├── mirage-logs            (Logging)
├── mirage-xen >= 8.0.0    (Xen unikernel runtime / Solo5)
├── dns-client >= 6.4.0    (DNS resolution) → possibly tls (⚠️ OSEC-2026-06)
└── pf-qubes               (Qubes firewall rule parsing)

Compiled with: OCaml 5.3.0 ( OSEC-2026-01 / CVE-2026-28364) via opam 2.4.1 ( OSEC-2026-03)

The upstream audit is complete. Here’s a summary of the key findings:

Three HIGH-risk vulnerabilities were identified in the upstream supply chain:

1. OSEC-2026-01 / CVE-2026-28364 — The Dockerfile pins OCaml 5.3.0, which is directly in the vulnerable range for a buffer over-read in Marshal deserialization. The fix is in OCaml 5.4.1. Interestingly, the forum poster suggested using 5.4.1, but acknowledged it’s untested with the firewall.

2. OSEC-2026-02 — The arp package has an unbounded memory usage vulnerability. Given the firewall runs with only 32MB of RAM, this is a trivial DoS vector for any Layer-2 adjacent attacker. The fix is in arp 4.1.0, but config.ml only sets a minimum of 2.3.0 with no upper bound.

3. OSEC-2026-06 / CVE-2026-45388 — The ocaml-tls library has a TLS 1.3 certificate validation bypass. While tls isn’t a direct dependency, dns-client may transitively pull it in. Needs verification.

Additionally, the opam binary pinned in the Dockerfile (2.4.1) is vulnerable to a sandbox escape (OSEC-2026-03), though Docker container isolation provides some mitigation.

DOWNSTREAM AUDIT REPORT: qubes-mirage-firewall Source Code

Audit Scope

This is Half 2 of the two-part audit. It covers the downstream qubes-mirage-firewall source code itself, including all OCaml source files in the repository. The upstream supply chain audit was completed in Half 1.

Files Audited

Codebase Overview

The firewall is a MirageOS unikernel that replaces sys-firewall in Qubes OS. It sits between client AppVMs and sys-net, providing NAT and firewall rule enforcement. Rules are read from QubesDB (set by dom0). The unikernel runs with only 32MB of memory.

FINDINGS

D-01: IPv6 Traffic Silently Dropped Without Logging (LOW)

Location: dispatcher.ml, conf_vif function and uplink_listen function
In conf_vif, when handling Ethernet frames from clients:

| `IPv6 -> Lwt.return_unit (* TODO: oh no! *)

In uplink_listen, IPv6 from the uplink:

~ipv6:(fun _ip -> Lwt.return_unit)

Analysis: IPv6 traffic is silently dropped with no logging. The (* TODO: oh no! *) comment suggests this is a known deficiency. While dropping IPv6 is the correct security posture for a Qubes firewall (Qubes primarily uses IPv4), the lack of logging means a misconfigured client leaking IPv6 traffic would be invisible to the operator.
Risk Rating: LOW — Correct behavior (drop), but poor observability.

D-02: assert false in DNS Rule Matching — Potential Crash (MEDIUM)

Location: rules.ml, Classifier.matches_dest function

| Error _ ->
    assert
      false (* TODO: fix type of dns_client so that this case can go *)

Analysis: If the dns_client function returns an Error variant that is not Error (\Msg m), the unikernel will crash with an assertion failure. This is a denial-of-service vector — if a DNS resolution returns an unexpected error type, the entire firewall crashes, taking down network connectivity for all connected AppVMs. The OCaml type system should normally prevent this if the dns_client` function’s return type is properly constrained, but the TODO comment suggests the type is not yet correctly constrained.
Risk Rating: MEDIUM — Requires an unusual DNS error to trigger, but the impact is a complete firewall crash. The 32MB memory environment makes edge-case errors more likely.

D-03: NAT Port Allocation Uses Random Without Cryptographic Seeding (MEDIUM)

Location: my_nat.ml, pick_port and pick_free_port functions

let pick_port () = 1024 + Random.int (0xffff - 1024)

Analysis: The port allocation for NAT uses OCaml’s Random module, which is a pseudorandom number generator (PRNG) that is not cryptographically secure. If the PRNG state is predictable (e.g., if the unikernel’s entropy is low at boot), an attacker could predict the next allocated NAT port and potentially hijack connections or inject packets into existing NAT sessions.
The Random module in OCaml uses a Lagrange Fibonacci generator by default. In the unikernel context, the seed depends on Mirage_crypto_rng being initialized elsewhere, but my_nat.ml does not appear to use it.
However, looking at my_dns.ml, there IS a reference to Mirage_crypto_rng.generate, but it’s used for DNS request IDs, not for NAT port allocation. The NAT port allocation uses the default Random module directly.
Risk Rating: MEDIUM — Predictable NAT port allocation could allow connection hijacking. The attacker would need to be either a co-located VM or have visibility into the firewall’s traffic patterns to exploit this.

D-04: free_udp_port Falls Back to last_resort_port Under Pressure (MEDIUM)

Location: my_nat.ml, free_udp_port function

let free_udp_port t ~src ~dst ~dst_port =
  let rec go retries =
    if retries = 0 then (t.last_resort_port, Fun.id)
    else ...
  in
  go 10

Analysis: If no free UDP port can be found within 10 retries, the function falls back to t.last_resort_port, which is a single shared port number. This means:

1. Multiple DNS queries could share the same source port simultaneously

2. DNS responses could be misrouted to the wrong requester

3. An attacker could potentially craft DNS responses that match the last_resort_port and inject poisoned DNS data

The last_resort_port is only used for DNS (via my_dns.ml’s send_recv), so this is specifically a DNS cache poisoning vector.
The CHANGES.md notes that v0.8.3 fixed an “Avoid potential forever loop in My_nat.free_udp_port (#159)”, suggesting this area has had bugs before.
Risk Rating: MEDIUM — DNS cache poisoning via port collision under memory/port pressure. Requires specific conditions (NAT table near capacity) but the 32MB memory limit makes this more plausible.

D-05: No Source IP Validation on Uplink Packets from Client (LOW)

Location: dispatcher.ml, client_handle_ipv4

if src = iface#other_ip then
  ipv4_from_client dns_client dns_servers router ~src:iface packet
else if iface#other_ip = router.config.netvm_ip then
  (* This can occurs when used with *BSD as netvm *)
  ipv4_from_netvm router packet
else (
  Log.warn (fun f -> f "Incorrect source IP %a in IP packet from %a (dropping)" ...);
  Lwt.return_unit)

Analysis: The firewall validates that the source IP of a packet from a client matches the expected IP for that interface. This is good — it prevents IP spoofing between client VMs. The BSD netvm fallback (where iface#other_ip = router.config.netvm_ip) is a reasonable accommodation.
However, the check only validates IPv4 source addresses. As noted in D-01, IPv6 traffic is dropped entirely, which prevents IPv6 spoofing.
Risk Rating: LOW — Source IP validation is present and correct for the IPv4 path.

D-06: Inbound Packets from NetVM — Default Drop but No State Validation (LOW)

Location: rules.ml, from_netvm

let from_netvm (_packet : ([ `NetVM | `External of _ ], _) Packet.t) :
    Packet.action Lwt.t =
  Lwt.return @@ `Drop "drop by default"

Analysis: Packets from the NetVM that don’t match an existing NAT entry are dropped by default. This is the correct security posture. The NAT table lookup happens in dispatcher.ml’s ipv4_from_netvm before rules are applied — only packets that match an existing NAT translation entry are forwarded.
However, there’s no explicit stateful firewall inspection. The firewall relies entirely on the NAT table for state tracking. If the NAT table is flushed (e.g., due to rule changes in dispatcher.ml’s conf_vif), existing connections are terminated:

(* empty NAT table if rules are updated: they might deny old connections *)
My_nat.remove_connections router.nat client_ip

This is actually good security behavior — when rules change, existing connections are terminated to prevent old connections from continuing under a new ruleset.
Risk Rating: LOW — Correct default-deny posture. NAT table flush on rule change is conservative and correct.

D-07: ARP Request Handling for *.*.*.1 Addresses — Qubes Workaround (LOW)

Location: client_eth.ml, ARP.lookup

if (Ipaddr.V4.to_octets ip).[3] = '\x01' then (
  Log.info (fun f -> f "Request for %a is invalid, but pretending it's me (see Qubes issue #5022)" ...);
  Some t.client_link#my_mac)

Analysis: The firewall responds to ARP requests for any IP ending in .1 with its own MAC address. This is a workaround for Qubes issue #5022, needed for DHCP with HVM domains. While this means the firewall will respond to ARP requests for addresses it doesn’t own, this is limited to the .1 address on the client’s subnet and is a deliberate, documented workaround.
Risk Rating: LOW — Intentional workaround with documented justification. Could theoretically be used for ARP confusion but only within the .1 address space.

D-08: QubesDB Rule Parsing — Fail-Secure but Silent (LOW)

Location: dao.ml, read_rules

| Error e ->
    Log.warn (fun f -> f "Defaulting to deny-all because of rule parse failure (%s)" e);
    [
      Pf_qubes.Parse_qubes.{ action = Drop; proto = None; specialtarget = None;
        dst = `any; dstports = None; icmp_type = None; number = 0; }
    ]

Analysis: When a firewall rule fails to parse, the entire ruleset for that client is replaced with a single deny-all rule. This is the correct security posture (fail-secure). However, it means a single malformed rule in QubesDB will block all traffic for that client, which could be a denial of service if an attacker can write malformed rules to QubesDB.
Since QubesDB writes come from dom0, this requires dom0 compromise, at which point the game is largely over anyway.
Risk Rating: LOW — Fail-secure is correct. The DoS vector requires dom0 access.

D-09: command.ml — SetDateTime Not Implemented (INFORMATIONAL)

Location: command.ml, set_date_time

Log.info (fun f -> f "TODO: set time to %S" line);
0

Analysis: The qubes.SetDateTime qrexec command is acknowledged but not implemented. The firewall returns exit code 0 (success) without actually setting the time. While this is not a security vulnerability, it means the unikernel’s clock may drift, which could affect:

• TLS certificate validation (if TLS is used)

• DNS TTL caching

• Log timestamp accuracy

Risk Rating: INFORMATIONAL — Not a security vulnerability, but worth noting for operational awareness.

D-10: DNS Client — No Response Validation (MEDIUM)

Location: my_dns.ml, read and send_recv

let rec read t =
  let _, _, answer = t.stack in
  Lwt_mvar.take answer >>= fun (_, data) ->
  (if String.length data > 2 then
     match IM.find_opt (String.get_uint16_be data 0) t.requests with
     | Some cond -> Lwt_condition.broadcast cond data
     | None -> ());
  read t

Analysis: The DNS client matches incoming DNS responses by transaction ID only. There is no validation that:

1. The response source IP matches the nameserver

2. The response source port matches the source port used for the query

3. The response is well-formed DNS

This makes DNS cache poisoning easier — an attacker who can predict the transaction ID (16-bit space) and inject a UDP response on the DNS port can poison the DNS cache. Combined with D-04 (last_resort_port fallback), this becomes more feasible under NAT table pressure.
The dns-client library (version >= 6.4.0) may perform some validation internally, but the my_dns.ml shim layer here only matches on transaction ID.
Risk Rating: MEDIUM — DNS cache poisoning vector. Mitigated by the fact that the attacker needs to be on the network path between the firewall and the DNS server, or needs to compromise the NetVM.

D-11: Fragment Cache — Fixed Size but No Per-Client Limits (LOW)

Location: dispatcher.ml, conf_vif

let fragment_cache = ref (Fragments.Cache.empty (256 * 1024)) in

Analysis: Each client gets a 256KB fragment cache for IP packet reassembly. This is a fixed size, which prevents unbounded memory growth from fragment floods. However, all fragments from a single client share one cache, meaning a flood of fragmented packets from one client could evict fragments being reassembled for legitimate traffic from the same client.
The memory pressure check in ipv4_from_client and ipv4_from_netvm provides an additional safety net:

match Memory_pressure.status () with
| `Memory_critical -> Lwt.return_unit
| `Ok -> (...)

Risk Rating: LOW — Fixed size prevents OOM. Per-client DoS is possible but limited to that client’s own traffic.

D-12: Memory Pressure — Aggressive GC but Small Headroom (INFORMATIONAL)

Location: memory_pressure.ml

let status () =
  let stats = Xen_os.Memory.quick_stat () in
  if fraction_free stats > 0.5 then `Ok
  else (
    Gc.full_major ();
    Xen_os.Memory.trim ();
    let stats = Xen_os.Memory.quick_stat () in
    if fraction_free stats < 0.6 then `Memory_critical else `Ok)

Analysis: The firewall runs with 32MB of memory. When free memory drops below 50%, a full GC is triggered. If free memory is still below 60% after GC, the firewall enters Memory_critical mode and drops all packets. This is a reasonable survival mechanism, but the 32MB limit means the firewall operates close to the edge, especially with many connected clients.
Combined with the upstream OSEC-2026-02 (ARP unbounded memory usage), this makes the firewall particularly susceptible to memory exhaustion attacks from Layer-2 adjacent attackers.
Risk Rating: INFORMATIONAL — Not a bug per se, but highlights the tight memory constraints that amplify other vulnerabilities.

D-13: cleanup.ml — No Error Handling in Cleanup Tasks (LOW)

Location: cleanup.ml

let cleanup t =
  let tasks = !t in
  t := [];
  List.iter (fun f -> f ()) tasks

Analysis: Cleanup tasks are executed sequentially without exception handling. If any cleanup function raises an exception, subsequent cleanup functions will not be called, potentially leaving resources (XenStore watchers, network interfaces, NAT entries) in an inconsistent state when a client disconnects.
Risk Rating: LOW — Only triggered on client disconnect with a failing cleanup function. Most cleanup functions are simple Lwt.cancel calls.

D-14: dao.ml — XenStore IP Parsing Uses List.hd (LOW)

Location: dao.ml, vifs

let client_ip = List.hd (String.split_on_char ' ' str) in
(* NOTE(dinosaure): it's safe to use [List.hd] here,
   [String.split_on_char] can not return an empty list. *)

Analysis: The code uses List.hd to get the first IP address from a space-separated list. The comment correctly notes that String.split_on_char always returns at least one element, so List.hd won’t raise Failure. However, if the string is empty, the first element will be "", and Ipaddr.V4.of_string_exn "" will raise a parse exception. This is caught by the surrounding Lwt.catch handler.
Risk Rating: LOW — Correctly handled by exception handling.

Summary of Findings

High Risk

Medium Risk

Low Risk

Informational

Positive Security Observations

1. Default-deny posture: Both client-to-external and netvm-to-client traffic is dropped by default unless explicitly allowed by firewall rules or an existing NAT entry.

2. Fail-secure rule parsing: Malformed firewall rules result in deny-all, not allow-all.

3. Source IP validation: Packets from clients must have the correct source IP for their interface.

4. NAT table flush on rule change: When firewall rules are updated, existing NAT connections are terminated, preventing old connections from persisting under a new ruleset.

5. Memory pressure handling: The firewall monitors memory and drops packets when under pressure, preventing OOM crashes.

6. Reproducible builds: The Dockerfile pins all critical dependencies (base image, apt sources, opam binary, opam-repository commit) and verifies the build hash.

7. XenStore watch cleanup: Client disconnection properly cancels XenStore watchers and listening threads via the cleanup mechanism.

Recommendations

Immediate (P0)

1. Fix assert false in rules.ml (D-02): Replace with proper error handling that logs the unexpected error and returns \No_match` (effectively dropping the packet) rather than crashing the entire firewall.

2. Use cryptographic PRNG for NAT port allocation (D-03): Replace Random.int with Mirage_crypto_rng.generate for selecting NAT ports, making port prediction infeasible.

3. Add DNS response source validation (D-10): Validate that DNS responses come from the expected nameserver IP and port before matching them to outstanding requests.

Short-term (P1)

4. Handle last_resort_port collision (D-04): When the NAT table is full and the last-resort port must be used, either queue the DNS request or return an error rather than risking port collision.

5. Add IPv6 drop logging (D-01): Log dropped IPv6 packets at debug level for observability.

6. Add error handling to cleanup tasks (D-13): Wrap each cleanup function in try ... with to ensure all cleanup functions are called even if one fails.

Long-term (P2)

7. Consider increasing memory beyond 32MB: The tight memory constraint amplifies several vulnerabilities (ARP cache exhaustion, NAT table pressure, fragment cache eviction).

8. Implement stateful firewall inspection: Currently the firewall relies entirely on the NAT table for state tracking. Adding explicit stateful inspection for non-NAT’d traffic (e.g., client-to-client) would improve security.

9. Implement SetDateTime (D-09): Even a basic implementation would improve clock accuracy for TLS validation and DNS caching.

Security Issue History (from GitHub Issues labeled “security”)

Three security-tagged issues have been filed and closed:

1. #166 — “Mirage v0.8.x DoS from untrusted Qube by sending arbitrary UDP payload” — This was CVE-2022-46770 / MSA03 (the solo5 console infinite loop). Fixed in v0.8.4.

2. #87 — “Clarify impact of QSB #56 on qubes-mirage-firewall” — A question about a Qubes security bulletin. Closed without code changes.

3. #57 — “Security advisory: vulnerability in mirage-xen affecting mirage-firewall < 0.5” — This was MSA02 (mirage-xen < 3.3.0). Fixed in v0.5.

No open security issues remain on the repository.

CHANGES.md Security-Relevant Entries

DUNIVERSE AUDIT REPORT: qubes-mirage-firewall Vendored Dependencies

Audit Scope

This audit covers the source code of the vendored dependencies that would be placed in the duniverse/ directory during the make depend build step of qubes-mirage-firewall. The duniverse/ directory is not committed to the repository — it is generated at build time by opam-monorepo, which fetches the source code of each dependency at the version resolved by the pinned opam-repository commit (a20cf55ad5f40faa4817b7e80ec43b935dda1d5a).

This audit is the follow-up to the two prior audits:

1. Upstream Supply Chain Audit — version-level CVE analysis
2. Downstream Source Code Audit — the firewall’s own ~12 source files

Resolved Dependency Versions

The following direct dependencies were resolved from the pinned opam-repository commit:

Transitive dependencies (not individually audited but noted): cstruct, ethernet, ipaddr, macaddr, lru, mirage-xen, mirage-net-xen, shared-memory-ring, mirage-crypto-rng, mirage-sleep, mirage-flow, lwt, fmt, logs, duration, randomconv, domain-name, mtime, xenstore, xenstore_transport, io-page, ohex, dune.

Files Audited

mirage-nat 3.0.2 (commit 8df31ec)

• lib/mirage_nat.ml — Module type definitions for NAT table operations
• lib/nat_packet.ml — Packet parsing, serialization, fragmentation
• lib/nat_rewrite.ml — Core NAT translation logic (TCP/UDP/ICMP rewriting)
• lib/mirage_nat_lru.ml — LRU-backed NAT table implementation

arp 4.0.0 (commit 8eec8d7)

• src/arp_handler.ml — ARP cache management, request/reply handling
• src/arp_packet.ml — ARP packet encoding/decoding
• CHANGES.md — Changelog (confirmed no security fix between 4.0.0 and 4.1.0 entries)

tcpip 9.0.1 (commit ee22b76)

• src/ipv4/ipv4_packet.ml — IPv4 packet parsing and marshalling
• src/tcp/tcp_packet.ml — TCP packet parsing and marshalling
• src/udp/udp_packet.ml — UDP packet parsing and marshalling

mirage-qubes 2.0.0 (commit ff58fca)

• lib/dB.ml — QubesDB protocol client (vchan-based database reads/writes)
• lib/rExec.ml — Qrexec protocol implementation (remote command execution)
• lib/s.ml — Module type signatures

ocaml-vchan 6.0.2 (commit 78071e5)

• lib/xenstore.ml — XenStore path management for vchan connections
• lib/endpoint.ml — Vchan shared memory ring buffer implementation

FINDINGS

DU-01: ARP Cache Has No Size Limit — OSEC-2026-02 Confirmed (HIGH)

Location: arp/src/arp_handler.ml, handle_reply function and cache type definition

Code:

type 'a t = {
  cache : 'a entry M.t;  (* M = Map.Make(Ipaddr.V4) *)
  ...
}

let handle_reply t source mac =
  let extcache =
    let cache = M.add source (Dynamic (mac, t.epoch + t.timeout)) t.cache in
    { t with cache }
  in
  ...

Analysis: The ARP cache uses Map.Make(Ipaddr.V4), which is an unbounded balanced tree. There is no maximum size constraint. Every ARP reply from a unique IPv4 address adds a new entry to the cache. The handle_reply function adds entries unconditionally — any ARP reply from a new source IP creates a Dynamic entry that persists until its timeout expires.

The OSEC-2026-02 advisory confirms this: an attacker with Layer-2 access can spoof ARP replies for arbitrary IP addresses, causing the cache to grow until the unikernel exhausts its 32MB of memory and crashes.

The fix in arp 4.1.0 (released October 20, 2025) replaces the unbounded Map with an LRU cache that has a fixed upper bound, dropping old entries when full. The pinned opam-repository commit (a20cf55) only includes arp 4.0.0 — the fixed version 4.1.0 is not available at this commit.

Impact: Any Layer-2 adjacent attacker can crash the firewall by flooding spoofed ARP replies, causing an out-of-memory condition. With only 32MB of RAM, the firewall can be crashed with a modest number of entries (each Dynamic entry stores a Macaddr.t and an integer, but the Map tree overhead adds significant per-entry overhead).

Risk Rating: HIGH — Direct denial-of-service vector. The firewall is confirmed vulnerable.

Recommendation: Update the pinned opam-repository commit to one that includes arp 4.1.0, or add an explicit upper version bound pin to arp >= 4.1.0 in config.ml.

DU-02: NAT Table Uses LRU with Fixed Capacity but No TTL Expiry (MEDIUM)

Location: mirage-nat/lib/mirage_nat_lru.ml

Code:

module Port_cache = Lru.F.Make(Ports)(Uniform_weights(Ports))
...
type t = {
  defaults : defaults;
  mutable tcp: Port_cache.t;
  mutable udp: Port_cache.t;
  mutable icmp: Id_cache.t;
}

Analysis: The NAT table implementation uses the lru library with fixed-capacity caches for TCP, UDP, and ICMP entries. This is good — it prevents unbounded memory growth, unlike the ARP cache.

However, mirage-nat’s own README states: “Mirage_nat_lru expires the least recently used rules in response to memory pressure. In practice, this means rules will stick around as long as there’s space for them, with no consideration for whether communication between hosts is still occurring.”

There is no time-based expiry. Once a NAT entry is created, it persists until evicted by LRU pressure. This means:

1. A remote host that was contacted can send traffic back through the NAT long after the local host considers the connection closed
2. An attacker who can observe or predict the LRU eviction pattern could potentially re-use stale NAT mappings

The remove_connections function does allow explicit eviction by source IP (used when firewall rules change), but there’s no periodic cleanup.

Impact: Stale NAT entries could allow traffic from external hosts that should no longer have access. This is a well-documented limitation of mirage-nat, not a new discovery.

Risk Rating: MEDIUM — Long-lived NAT entries could be abused for connection hijacking after session termination.

Recommendation: Implement time-based NAT entry expiry in addition to LRU eviction. This would require changes to mirage-nat itself.

DU-03: assert false in ICMP NAT Rewrite — Potential Crash (MEDIUM)

Location: mirage-nat/lib/nat_rewrite.ml, ICMP module

Code:

let rewrite ~new_ip_header (`ICMP (icmp, payload)) new_id =
  match icmp.Icmpv4_packet.subheader with
  | Icmpv4_packet.Id_and_seq (_, seq) ->
    let new_icmp = {icmp with Icmpv4_packet.subheader = Icmpv4_packet.Id_and_seq (new_id, seq)} in
    `IPv4 (new_ip_header, `ICMP (new_icmp, payload))
  | _ -> assert false (* We already checked this in [channel] *)

Analysis: The rewrite function for ICMP packets contains an assert false that triggers if the ICMP subheader is not Id_and_seq. The comment claims this was already checked in the channel function, which does filter: channel returns None for non-Id_and_seq headers, and translate_by_transport skips entries where channel returns None.

However, this creates a tight coupling between the channel and rewrite functions. If any future code path calls rewrite without first checking channel, the unikernel will crash with an assertion failure. In the current codebase, the invariant holds, but this is a fragile pattern — the type system does not enforce it.

This is notably similar to the downstream finding D-02 (assert false in the firewall’s own rules.ml for DNS rule matching), suggesting a pattern of using assert false for “impossible” cases that could become possible under edge conditions.

Impact: If an ICMP packet with a non-Id_and_seq subheader reaches the rewrite function through any code path, the entire firewall crashes.

Risk Rating: MEDIUM — Currently protected by upstream filtering, but fragile by design.

Recommendation: Replace assert false with proper error handling that returns Error Untranslated` instead of crashing.

DU-04: NAT Port Allocation Retry Loop Uses Fixed 100 Attempts (LOW)

Location: mirage-nat/lib/nat_rewrite.ml, add function

Code:

let rec try_add_mapping retries =
  let* xl_port = Option.to_result ~none:`Overlap (port_gen ()) in
  let opt_again = function
    | Error `Overlap as e ->
      if retries > 0 then try_add_mapping (retries - 1) else e
    | Ok () -> Ok ()
  in
  ...
in
try_add_mapping 100

Analysis: When adding a NAT rule, the code tries to find a free port by calling port_gen () up to 100 times. If all 100 attempts produce ports that overlap with existing entries, the operation fails with Error Overlap`. This is reasonable — the port space is 65535 - 1024 = 64511 ports, so with a non-full NAT table, 100 retries should find a free port.

However, this interacts with the downstream finding D-04 (the firewall’s my_nat.ml last_resort_port fallback). The firewall’s pick_port function uses Random.int to generate port candidates, and if mirage-nat’s add returns Overlap after 100 retries, the firewall falls back to last_resort_port, creating a DNS cache poisoning vector.

Impact: Under NAT table pressure, the retry loop may exhaust, causing the downstream firewall to use its unsafe fallback port.

Risk Rating: LOW — The retry count is adequate under normal conditions, but the interaction with the downstream fallback is concerning.

Recommendation: Consider increasing the retry count or using a deterministic port scanning approach instead of random selection.

DU-05: IPv4 Packet Parser Does Not Validate Options Length Against Buffer (LOW)

Location: tcpip/src/ipv4/ipv4_packet.ml, Unmarshal.header_of_cstruct

Code:

let get_header_length buf =
  let length_of_hlen_version n = (n land 0x0f) * 4 in
  let hlen = get_hlen_version buf |> length_of_hlen_version in
  let len = get_len buf in
  if len < sizeof_ipv4 then Error (...)
  else if len < hlen then Error (...)
  else if hlen < sizeof_ipv4 then Error (...)
  else if Cstruct.length buf < hlen then Error (...)
  else Ok hlen

Analysis: The IPv4 header parser performs multiple validation checks on the header length field. It correctly verifies that:

1. The total length is at least the minimum IPv4 header size (20 bytes)
2. The total length is at least the stated header length
3. The stated header length is at least 20 bytes
4. The buffer is at least as large as the stated header length

This is thorough and well-implemented. The parser also validates the IP version field (0x40 for IPv4).

Positive finding — the IPv4 parser has robust input validation.

Risk Rating: LOW — No vulnerability found. Good defensive coding.

DU-06: TCP/UDP Packet Parsers Validate Lengths Correctly (LOW)

Location: tcpip/src/tcp/tcp_packet.ml and tcpip/src/udp/udp_packet.ml

Analysis:

• TCP parser validates that the packet is at least sizeof_tcp (20 bytes), then checks that the data offset field doesn’t claim a header larger than the buffer. It also rejects data offsets less than 20.
• UDP parser validates minimum header length (8 bytes), checks that the stated total length is at least the header size, and verifies the payload length against the buffer.

Both parsers use Result.bind for error propagation and never call assert or failwith on untrusted input.

Positive finding — both transport layer parsers have proper bounds checking.

Risk Rating: LOW — No vulnerability found.

DU-07: ARP Packet Decoder Validates Length and Header Fields (LOW)

Location: arp/src/arp_packet.ml, decode function

Code:

let decode buf =
  let check_len buf = Cstruct.length buf >= size in  (* size = 28 *)
  let check_hdr buf =
    Cstruct.BE.get_uint16 buf 0 = ether_htype &&
    Cstruct.BE.get_uint16 buf 2 = ipv4_ethertype &&
    Cstruct.get_uint8 buf 4 = ether_size &&
    Cstruct.get_uint8 buf 5 = ipv4_size
  in
  guard (check_len buf) Too_short >>= fun () ->
  guard (check_hdr buf) Unusable >>= fun () ->
  ...

Analysis: The ARP packet decoder validates:

1. The buffer is at least 28 bytes (minimum ARP packet size)
2. The hardware type is Ethernet (0x0001)
3. The protocol type is IPv4 (0x0800)
4. The hardware address length is 6 (Ethernet MAC)
5. The protocol address length is 4 (IPv4)

The operation field is validated to be either Request (1) or Reply (2); any other value returns Unknown_operation.

Positive finding — the ARP decoder is properly defensive against malformed packets.

Risk Rating: LOW — No vulnerability found.

DU-08: QubesDB Client Trusts Data from dom0 Without Length Validation (MEDIUM)

Location: mirage-qubes/lib/dB.ml, recv and listen functions

Code:

let recv t =
  QV.recv t >>!= fun (hdr, data) ->
  let ty = get_msg_header_ty hdr in
  ...
  let path = get_msg_header_path hdr in
  let path = String.sub path 0 (String.index path '\x00') in
  Lwt.return (ty, path, data)

Analysis: The QubesDB client receives messages over a vchan from dom0. The recv function extracts a path from the header by finding the first null byte. If the header contains no null byte, String.index will raise Not_found, crashing the unikernel.

The listen function processes QDB_CMD_WRITE messages by directly adding the received path/value pair to the store without length validation:

| QDB_CMD_WRITE, path, value ->
    t.store |> KeyMap.add path value |> update t;

There is no limit on the number of keys, the key length, or the value length. A compromised dom0 (or a bug in the QubesDB daemon) could send arbitrarily large data to exhaust the firewall’s 32MB of memory.

Impact: If dom0 sends malformed QubesDB messages (either maliciously or due to a bug), the firewall could crash. The threat model considers dom0 trusted, but defense-in-depth suggests hardening.

Risk Rating: MEDIUM — Requires dom0 compromise or QubesDB daemon bug to exploit, but the impact is a firewall crash.

Recommendation: Add null-byte validation before String.index, and consider limiting key/value sizes.

DU-09: Qrexec Protocol Parser Does Not Validate Command Length (MEDIUM)

Location: mirage-qubes/lib/rExec.ml, parse_cmdline

Code:

let parse_cmdline cmd =
  if cmd.[String.length cmd - 1] <> '\x00' then
    failwith "Command not null-terminated"
  else (
    let cmd = String.sub cmd 0 (String.length cmd - 1) in
    match cmd |> split ':' with
    | None -> Fmt.failwith "Missing ':' in %S" cmd
    | Some (user, cmd) -> Lwt.return (user, cmd)
  )

Analysis: The parse_cmdline function accesses cmd.[String.length cmd - 1] without first checking that cmd is non-empty. If an empty command string is received, this will raise an Invalid_argument exception, crashing the unikernel.

The function also uses failwith (which raises Failure) for malformed commands rather than returning an error result. This exception would be caught by the with_flow handler’s exception handler, but it still results in an abnormal termination of the qrexec session.

Additionally, the rExec.ml exec function extracts the command line from the message without validating its length:

let cmdline = String.sub msg sizeof_exec_params (len - sizeof_exec_params) in

If len < sizeof_exec_params, this will raise an Invalid_argument exception.

Impact: A malformed qrexec message from dom0 could crash the firewall or terminate a qrexec session abnormally.

Risk Rating: MEDIUM — Requires dom0 to send malformed data, but the crash impact is severe.

Recommendation: Add length validation before string access, and use Result types instead of exceptions for error handling.

DU-10: Vchan Endpoint Trusts Shared Memory Ring Sizes from Peer (MEDIUM)

Location: ocaml-vchan/lib/endpoint.ml, client function

Code:

let client ~domid ~port () =
  ...
  let v = Io_page.to_cstruct (M.buf_of_mapping mapping) in
  Location.of_order (get_lo v)
  >>|= fun lo ->
  Location.of_order (get_ro v)
  >>|= fun ro ->
  let nb_left_pages = Location.to_length lo / 4096 in
  let nb_right_pages = Location.to_length ro / 4096 in
  ...
  let lgrants = unmarshal sizeof_vchan_interface nb_left_pages in
  let rgrants = unmarshal (sizeof_vchan_interface + nb_left_pages*4) nb_right_pages in

Analysis: When connecting as a vchan client, the endpoint reads the ring buffer order (size) from the shared memory page, which is controlled by the server (the peer domain). The order values determine how many grant references are read from the shared page. If the server provides maliciously large order values, the client could attempt to map an excessive number of pages, or if the order values cause Location.to_length to return a very large number, the nb_left_pages / nb_right_pages calculations could lead to excessive memory allocation.

The unmarshal function reads grant references from offsets starting at sizeof_vchan_interface, and the number of grants read is determined by the peer-controlled nb_left_pages/nb_right_pages. There is no upper bound check on these values.

Impact: A malicious vchan peer (typically dom0) could cause excessive memory allocation or out-of-bounds reads from the shared page.

Risk Rating: MEDIUM — Requires a malicious or compromised peer domain. In the Qubes firewall context, the vchan peer is dom0 (trusted), but defense-in-depth warrants validation.

Recommendation: Validate that ring order values are within reasonable bounds (e.g., 0-10, corresponding to 1-1024 pages) before using them.

DU-11: Vchan Write Does Not Validate Ring Buffer Size Against Actual Allocation (LOW)

Location: ocaml-vchan/lib/endpoint.ml, _write_noblock function

Code:

let _write_noblock vch buf =
  let len = Cstruct.length buf in
  let real_idx = Int32.(logand (wr_prod vch) (of_int (wr_ring_size vch) - 1l) |> to_int) in
  let avail_contig = wr_ring_size vch - real_idx in
  let avail_contig = if avail_contig > len then len else avail_contig in
  Cstruct.blit buf 0 vch.write real_idx avail_contig;
  (if avail_contig < len then
    Cstruct.blit buf avail_contig vch.write 0 (len - avail_contig));
  set_wr_prod vch Int32.(wr_prod vch + of_int len);
  send_notify vch Write

Analysis: The write function uses wr_ring_size (derived from the peer-controlled order field) to calculate the ring buffer size and mask the producer index. If the actual allocated buffer (vch.write) is smaller than wr_ring_size claims, the Cstruct.blit could write beyond the buffer boundary.

However, in practice, the buffer is allocated based on the same order field during connection setup, so they should match. The risk arises only if the shared page is modified after connection setup.

Impact: If the shared page’s order field is modified after connection, writes could go out of bounds.

Risk Rating: LOW — Requires modification of shared memory after connection, which is a race condition requiring peer domain access.

DU-12: NAT Packet Reassembly Uses Fragment Cache with Fixed Size (LOW)

Location: mirage-nat/lib/nat_packet.ml, of_ipv4_packet

Code:

let of_ipv4_packet cache ~now packet : Fragments.Cache.t * (t option, error) result =
  match Ipv4_packet.Unmarshal.of_cstruct packet with
  | Error e -> ...
  | Ok (ip_packet, payload) ->
    let cache', r = Fragments.process cache now ip_packet payload in
    ...

Analysis: The NAT packet parser delegates IP fragment reassembly to a Fragments.Cache module. The cache is created by the firewall with a fixed 256KB size per client (as seen in the downstream audit). This prevents unbounded memory growth from fragment floods.

The fragment cache is passed in by the caller and returned with any modifications, following a functional pattern. This is good design — it allows the caller to control the memory budget.

Positive finding — the fragment cache design prevents memory exhaustion.

Risk Rating: LOW — No vulnerability found. Good design.

DU-13: ICMP Error Translation Parses Embedded Packet Headers (LOW)

Location: mirage-nat/lib/nat_rewrite.ml, translate_icmp_error

Code:

let translate_icmp_error table ~outer_ip ~icmp ~icmp_payload ~inner_transport_header =
  ...
  match Icmp_payload.get_encapsulated_packet_channel inner_ip inner_transport_header with
  | Error _ as e -> e
  | Ok (`ICMP id) -> ...
  | Ok (`TCP (src_port, dst_port)) -> ...
  | Ok (`UDP (src_port, dst_port)) -> ...

Analysis: The ICMP error translation code parses the inner IPv4 packet embedded in ICMP error messages. The get_encapsulated_packet_channel function checks that the payload is at least 8 bytes before extracting transport-layer port numbers:

let get_encapsulated_packet_channel ip payload =
  if Cstruct.length payload < 8 then Error `Untranslated
  else ...

This is correct — RFC 792 requires ICMP error messages to include at least the first 8 bytes of the original packet’s IP header and 8 bytes of the original payload. The code handles truncated payloads gracefully by returning Error Untranslated`.

Positive finding — proper bounds checking on embedded packet headers.

Risk Rating: LOW — No vulnerability found.

DU-14: QubesDB full_db_sync Has No Limit on Number of Entries (LOW)

Location: mirage-qubes/lib/dB.ml, full_db_sync

Code:

let full_db_sync t =
  send t.vchan QDB_CMD_MULTIREAD >>!= fun () ->
  let rec loop () =
    recv t.vchan >>= function
    | QDB_RESP_MULTIREAD, "", _ -> Lwt.return `Done
    | QDB_RESP_MULTIREAD, path, data ->
        t.store <- t.store |> KeyMap.add path data;
        loop ()
    | ty, _, _ -> Fmt.failwith "Unexpected QubesDB message: %s" ...
  in
  loop ()

Analysis: The initial database sync reads all entries from dom0’s QubesDB without any limit on the number of entries or total data size. Each entry is added to an in-memory Map.Make(String), which is unbounded.

If dom0 sends a very large number of QubesDB entries (either maliciously or due to a bug), the firewall’s 32MB memory could be exhausted during the initial sync, before the firewall is even operational.

The recv function also uses String.index path '\x00' without checking that a null byte exists, which could crash on malformed data (as noted in DU-08).

Impact: Excessive QubesDB entries could cause OOM during startup.

Risk Rating: LOW — Requires dom0 to send excessive data, which requires dom0 compromise.

Summary of Findings

High Risk

Medium Risk

Low Risk

Positive Security Observations

1. Protocol parsers are defensive: The IPv4, TCP, UDP, and ARP packet parsers in tcpip and arp all perform thorough bounds checking and return proper error results rather than crashing on malformed input.

2. NAT table uses LRU eviction: Unlike the ARP cache, the NAT table in mirage-nat uses fixed-capacity LRU caches, preventing unbounded memory growth.

3. Fragment cache is caller-controlled: The fragment reassembly cache is sized by the caller (the firewall), allowing the memory budget to be controlled.

4. ICMP error translation is careful: The code that parses embedded packet headers in ICMP error messages properly validates minimum lengths and handles truncated data gracefully.

5. Fail-secure by default: The NAT translation logic returns Error Untranslated` for any packet it can’t handle, which causes the firewall to drop the packet rather than forward it incorrectly.

Recommendations

Immediate (P0)

1. Update arp to 4.1.0 (DU-01): The pinned opam-repository commit must be updated to include arp 4.1.0, which fixes OSEC-2026-02 by replacing the unbounded Map with an LRU cache. This is the most critical finding — a Layer-2 attacker can trivially crash the 32MB firewall.

Short-term (P1)

2. Add input validation to QubesDB client (DU-08, DU-14): Validate that path strings contain null terminators before using String.index, and consider limiting the number of QubesDB entries stored.

3. Fix qrexec command parsing (DU-09): Add length checks before accessing string elements in parse_cmdline.

4. Replace assert false in ICMP rewrite (DU-03): Return Error Untranslated` instead of crashing.

5. Add bounds validation to vchan ring sizes (DU-10): Validate that ring order values are within reasonable bounds before using them.

Long-term (P2)

6. Implement TTL-based NAT entry expiry (DU-02): Add time-based expiry to NAT entries in mirage-nat, complementing the existing LRU eviction.

7. Add upper version bounds to all dependencies in config.ml: This prevents unexpected version changes that could introduce new vulnerabilities.

8. Consider auditing remaining transitive dependencies: This audit focused on the 6 most security-critical libraries. The remaining transitive dependencies (cstruct, ethernet, mirage-crypto-rng, lru, lwt, etc.) should be audited in a future pass, particularly cstruct (which handles all byte buffer operations) and mirage-crypto-rng (which provides cryptographic random number generation).

Dependency Version Summary

The only dependency with a known unpatched vulnerability at the pinned commit is arp 4.0.0 (OSEC-2026-02). The fix (arp 4.1.0) was released October 20, 2025, but is not included in the opam-repository at the pinned commit.