Hi everyone!
I’m trying to figure out whether the VMs I use, such as a Debian or Fedora instance, have a clue (application-wise) that I use Qubes OS. I mean, if there’s an application that I have to “trust”, can it sneakily detect from within the VM itself that I’m using Qubes OS? If yes, how? And can I hide it, or at the very least make it difficult to identify?
Yes, very much so.
Link to the Qubes FAQ.
Ehm… So what can I do about it? Also, I don’t think these kinds of apps will care much about a “canonical” way.
Nothing. The “canonical way” described in the FAQ is “by design”. There are many other threads touching on this subject, but the summary is: you cannot easily hide the fact that you run QubesOS from apps in DomUs, a.k.a. virtual machines.
What exactly would “hiding the usage of Qubes OS” mean here?
Would it be only about Qubes OS-specific processes, tools, and workflows, and trying to spoof them, or something more generic, like detection of a hypervisor and the fact that some software just runs virtualized?
I suppose one could tinker with the former, but clever malware would be able to deduce it nevertheless. For the latter, see the characteristics available when running pafish on a disposable Fedora 38 qube:
[pafish] Start
[pafish] Windows version: 6.2 build 9200 (native)
[pafish] CPU: GenuineIntel (HV: XenVMMXenVMM) Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] Sandbox traced by missing mouse movement
[pafish] Sandbox traced by missing mouse click activity
[pafish] Sandbox traced by missing double click activity
[pafish] Sandbox traced by missing dialog confirmation
[pafish] Sandbox traced by missing or implausible dialog confirmation
[pafish] Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
[pafish] Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
[pafish] Wine traced using Reg key HKCU\SOFTWARE\Wine
[pafish] End
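Added example, not code from the thread or from pafish: a Linux-side version of the two kinds of check the post above separates. The hypervisor checks map to the CPUID hypervisor bit (exposed by the kernel as the `hypervisor` flag in `/proc/cpuinfo`) and the vendor signature pafish printed (`XenVMMXenVMM`); the Qubes artifact list is an assumption built from `qvm-copy` as mentioned in this thread plus other well-known Qubes agent files, so adjust it for your template.

```shell
#!/bin/sh
# Added example (not from the thread). Each check is a function so it can be
# run against a sample input as well as against the live system.
# The artifact list below is an assumption: qvm-copy is named in the thread,
# the other paths are well-known Qubes agent files.

# Map the 12-byte CPUID hypervisor vendor signature to a name.
hv_vendor_name() {
    case "$1" in
        XenVMMXenVMM)   echo "Xen (the hypervisor Qubes OS runs on)" ;;
        KVMKVMKVM)      echo "KVM" ;;
        VMwareVMware)   echo "VMware" ;;
        VBoxVBoxVBox)   echo "VirtualBox" ;;
        "Microsoft Hv") echo "Hyper-V" ;;
        *)              echo "unknown or none" ;;
    esac
}

# True if a /proc/cpuinfo text shows the CPUID hypervisor bit
# (the kernel lists it as the "hypervisor" flag).
cpuinfo_has_hypervisor_flag() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"
}

# Count the Qubes artifacts present below root directory $1 (use / on a live qube).
count_qubes_artifacts() {
    n=0
    for p in /etc/qubes-release /usr/bin/qvm-copy /usr/bin/qubesdb-read \
             /usr/bin/qrexec-client-vm /var/run/qubes; do
        [ -e "$1$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Run all checks against the running system and print a short report.
audit_running_system() {
    if cpuinfo_has_hypervisor_flag /proc/cpuinfo; then
        echo "CPUID hypervisor bit: set"
    else
        echo "CPUID hypervisor bit: clear"
    fi
    # /sys/hypervisor/type is populated by the Xen guest support in the kernel.
    [ -r /sys/hypervisor/type ] && echo "Kernel hypervisor type: $(cat /sys/hypervisor/type)"
    echo "Qubes artifacts found: $(count_qubes_artifacts /)"
}

audit_running_system
```

Run it inside an app qube to see which of the signals above are visible to software you install there; removing the Qubes tools only hides the second group, not the hypervisor signals.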
I can’t tell you every possible way, but yes, there are artifacts from using Qubes visible to your app qubes.
For instance, there are a lot of Qubes-specific commands you have access to, like qvm-copy, which allows you to copy files from one VM to another. I am sure there are many ways your VM can detect it must be a Qubes VM.