Can a VM see I'm using Qubes?

Hi everyone!
I’m trying to figure out whether the VM I use, such as a Debian or Fedora instance, has a clue (application-wise) that I use Qubes OS. I mean, if there’s an application that I have to “trust”, can it find out that I’m using Qubes OS from within the VM itself? If yes, how? And can I hide it, or at the very least make it difficult to identify?

1 Like

Yes, very much so.

Link to the Qubes FAQ.

1 Like

Ehm… So what can I do about it? Also, I don’t think these kinds of apps will care much about a “canonical” way.

1 Like

Nothing. The “canonical way” described in the FAQ is “by design”. There are many other threads touching on this subject, but the summary is: you cannot easily hide the fact that you run Qubes OS from apps in DomUs, aka virtual machines.

1 Like

What exactly would “hiding the usage of Qubes OS” mean here?

Would it be only about Qubes OS-specific processes, tools, and workflows, and trying to spoof them, or something more generic, like detection of a hypervisor and the fact that some software just runs virtualized?

I suppose one could tinker with the former, but clever malware would be able to deduce it nevertheless. For the latter, see the characteristics available when running pafish on a disposable Fedora 38 qube:

[pafish] Start
[pafish] Windows version: 6.2 build 9200 (native)
[pafish] CPU: GenuineIntel (HV: XenVMMXenVMM) Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] CPU VM traced by checking cpuid hypervisor vendor for known VM vendors
[pafish] Sandbox traced by missing mouse movement
[pafish] Sandbox traced by missing mouse click activity
[pafish] Sandbox traced by missing double click activity
[pafish] Sandbox traced by missing dialog confirmation
[pafish] Sandbox traced by missing or implausible dialog confirmation
[pafish] Sandbox traced by checking disk size <= 60GB via GetDiskFreeSpaceExA()
[pafish] Sandbox traced by checking operating system uptime using GetTickCount()
[pafish] Wine traced using GetProcAddress(wine_get_unix_file_name) from kernel32.dll
[pafish] Wine traced using Reg key HKCU\SOFTWARE\Wine
[pafish] End

4 Likes

I can’t tell you every possible way, but yes, there are artifacts from using Qubes visible to your app qubes.

For instance, there are a lot of Qubes-specific commands you have access to, like qvm-copy, which allows you to copy files from one VM to another. I am sure there are many ways your VM can detect it must be a Qubes VM.
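The two layers discussed in the pafish post and in the post above (generic hypervisor signals versus Qubes-specific tooling), as an added example that is not part of the original thread: a small Python audit of what software inside a Linux qube can read. It assumes the Linux `hypervisor` CPU flag in `/proc/cpuinfo` and `/sys/hypervisor/type`; the function names and the sample filesystem are constructed for illustration, and `qvm-copy` is the only Qubes tool checked because it is the one named here.

```python
import tempfile
from pathlib import Path

QUBES_TOOLS = ("qvm-copy",)  # the only Qubes-specific tool named in the thread

def cpu_hypervisor_flag(root="/"):
    """True if Linux reports the CPUID hypervisor bit as a 'hypervisor' CPU flag."""
    try:
        lines = Path(root, "proc/cpuinfo").read_text().splitlines()
    except OSError:
        return False
    for line in lines:
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "hypervisor" in value.split()
    return False

def hypervisor_type(root="/"):
    """Content of /sys/hypervisor/type ('xen' in a Xen guest), or None if absent."""
    try:
        return Path(root, "sys/hypervisor/type").read_text().strip() or None
    except OSError:
        return None

def qubes_tools(root="/", dirs=("usr/bin", "usr/local/bin", "bin")):
    """Qubes-specific commands present in the usual PATH directories."""
    return sorted({n for n in QUBES_TOOLS for d in dirs if Path(root, d, n).is_file()})

def classify(root="/"):
    """Separate generic virtualization signals from Qubes-specific ones."""
    flag, hv, tools = cpu_hypervisor_flag(root), hypervisor_type(root), qubes_tools(root)
    layer = "qubes-specific" if tools else "generic-vm" if (flag or hv) else "none"
    return {"hypervisor_flag": flag, "hypervisor": hv, "qubes_tools": tools, "layer": layer}

def build_sample_root(with_qubes_tools=True):
    """Constructed stand-in for a qube's filesystem (not captured from a real system)."""
    root = Path(tempfile.mkdtemp())
    files = {"proc/cpuinfo": "model name\t: sample CPU\nflags\t\t: fpu sse2 hypervisor\n",
             "sys/hypervisor/type": "xen\n"}
    if with_qubes_tools:
        files["usr/bin/qvm-copy"] = "#!/bin/sh\n"
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

if __name__ == "__main__":
    print("sample qube:  ", classify(build_sample_root()))
    print("tools removed:", classify(build_sample_root(with_qubes_tools=False)))
    print("this machine: ", classify("/"))
```

In the constructed sample, removing the Qubes tool only drops the result to the generic layer: the hypervisor flag and the Xen type remain readable, which matches the point made earlier in the thread.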