Does a Bloated DispVM Increase the Chances of VM Escape?

… “escape” means very-malicious.xyz having the ability to compromise anything outside the DispVM.


Possible answers:

  • “No, a very maximalistic and messy DispVM (template) is not a security problem; it’s only Xen (hypervisor) that matters.”
  • “Yes, the more minimal the DispVM (template), the less chance for a very-malicious.xyz (viewed in DispVM) escaping DispVM and potentially compromising other VMs (or entire system).”
1 Like

Yes (imo)

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

3 Likes

Unfortunately, yes, but less likely compared to bare metal setups. Exploitable bugs can happen on Qubes OS; otherwise, there wouldn’t be any Qubes Security Bulletins (QSBs).

Avoiding complexity reduces bugs. - Linus Torvalds

Introducing complexity into a qube increases the chances of exploitable bugs. It’s best to keep your qubes nice and clean, simple and well-maintained.

2 Likes

I remember having a discussion about this on the forum a while ago, dunno in which topic.

My answer to your question is that it depends on the malware. Installed software could be used by the malware to trick the user (modify the software config and run it), software which installs a vulnerable suid binary could be exploited and compilers could be used to craft something with a smaller payload.

That said, if the qube has internet access, the malware could download all it needs for its purpose, the only extra threat it can’t plant is the vulnerable suid.

So, depending on the environment and installed software, I don’t think having, let’s say, LibreOffice and GIMP installed in a qube where you use Firefox will significantly increase the risk that malware makes use of them.

I know I may be the only one on my side with this opinion; I’m fine with this. :see_no_evil:

4 Likes

@unman, why “imo”? Isn’t it strict yes or no based on rationale and knowledge? I need to understand, please.

2 Likes

Questions like this are rarely “strict yes or no”, as you can see from
reading past discussions on this.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

1 Like

I think it’s safe to say that installing more software on an operating system theoretically increases the security risks. But in practice, it’s more about risk assessment.

1 Like

In case of malicious drivers bypassing ring0 from a DispVM I’d say “get that bloat out”.

1 Like

I would say: No.
Installed software alone is not a security issue.

But I can also confirm that this is not strictly a black-or-white situation.

  • Whether those apps are running makes a huge difference compared to being ‘just’ installed.
  • If that bloat is a compiler, then it might help an attacker compile their malicious code to run on your system. - but this assumes the system is already compromised by other means.
  • Whether those bloated apps are malicious or not. - but then your repository is the root cause, not the app itself.

Someone mentioned drivers, but ‘drivers’ are useless in a VM most of the time, unless you use PCI passthrough - but then again: the root cause is not the bloated (or malicious) app, but a security weakness of the PCI passthrough, the hardware architecture and/or the hypervisor itself.

2 Likes

That’s not all there is …

http://www.c7zero.info/stuff/AttackingHypervisorsViaFirmware_bhusa15_dc23.pdf

(Don’t miss the references!)

1 Like