Hubert Servidor's security hacks

Interesting or not ?

Qubes OS 4.0 : Hubert Servidor - YouTube

Regards.

PS: from Hubert Servidor · Issue #7154 · QubesOS/qubes-issues · GitHub

Is what interesting? The first two videos just showed someone clicking around on Qubes. Is there something occurring that you would like to share? I’m not sufficiently motivated to watch the last two videos.


not all videos are interesting, but there is a very important one


this is an upstream problem, CVE-2020-36314; it only affects home directory data in Qubes AppVMs and can be avoided


not so important and somewhat useless


not sure how it works, but it needs to be fixed
edit: the video is too blurry and it seems like it is faked


holy $h*+, a Xen shared memory exploit ?!? very critical problem if it hasn’t been fixed

In Qubes OS Dom0 is the administration domain and it has no networking so it is apparently “isolated”, giving a false sense of security. This video shows how interactive full remote control of a compromised Dom0 is trivial thanks to the Xen shared memory.

edit:
note on this picture: there is a VM called HACKER-COMPROMISED
any thoughts?


It says that it shows:

  1. full remote control
  2. of a compromised dom0.

English is not my first language, but the way it is written, it is clear that the cause is an already compromised dom0, and the consequence is easy full control of it? So, how was dom0 compromised?

Isn’t Qubes all about that once in dom0, nothing else matters?

From the comments on that video, the author tells us:

“Hi Pete, this video is not about remote compromise, is about remote control. It just shows that there’s no Dom0 isolation at all.”

Now that would lead to a good investigation, provided the author would be around to explain.

Regards.

Without implementation details, these aren’t very helpful.

I’m skeptical there’s anything here that breaks compartmentalization.

B

That’s why I posted the link to the channel, perhaps someone here might be more knowledgeable than me about the subject.

I’m very interested in that though.

Regards.

The author is writing that dom0 is not isolated at all. I have never learned that dom0 is isolated, only that VMs are. Also, dom0 ultimately relies on Xen (the only black color in the concept diagram). I clearly remember Joanna writing about this: that they had to choose some platform if they didn’t want to create their own, and they didn’t want to. So if there was a Xen bug then “the game is over”.

That explains a lot. What other options are available? Nova?

https://genode.org/documentation/platforms/nova
https://genode.org/documentation/general-overview/index

I have never learned that dom0 is isolated

Of course dom0 is isolated.

That explains a lot.

What exactly does that explain? Be specific.

Nova ?

The developers of Qubes and Xen take security seriously. Perhaps you would like to tell us about the bugs in Xen and Qubes?

Curiously, why do you think one of the Qubes developers marked the above so-called “security hacks” as invalid. Thoughts?

Furthermore, while in theory dom0 is isolated from the outside world, some graphical devices (e.g. displays connected via HDMI or DVI) offer two-way communication, which threatens this isolation and makes it harder to maintain. If a malicious device (rather than the user’s trusted monitor) were to be connected to one of these ports, it could inject data that could be processed inside of dom0. As long as graphical devices are in dom0, they also cannot be safely proxied to other domains. This is because the various solutions to multiplexing access to the GPU at the GPU/driver level (which would expose the “full” GPU to a VM) are orders of magnitude more complex than running display drivers in just one place. We consider this added complexity too risky to put it in dom0. Errors in the drivers could expose dom0 to an attack, and attacks on dom0 are the biggest threat to the Qubes security model.

This is what I meant…


So far:
a) three of the videos I saw appeared to be “starting with VM 1 is compromised already, I can make unexpected or bad things happen in VM 1.” Well…yes, that is true!
b) one of the videos I saw appeared to be “starting with dom0 is compromised already, I can control dom0 remotely.” Well…yes, that is true!

How did they get compromised? It is not stated.

In particular, I already use one of these “hacks” personally as part of a workflow: I have one standalone VM where I utilize a script to replace the QubesIncoming directory with a link that points to remote/external storage, which is similar to the “hack” which points elsewhere on the VM’s filesystem. It’s stated that this needs to be “fixed”, but no, it does not!
And on this topic…

Anyway…I interact with dom0, with my hands, ears and eyes and sometimes more (voice…when I’m mad), it is my machine after all.

So…dom0 is not 100% isolated, otherwise it would be useless: it has display ports (traditionally one-way…but mission creep has started giving some two-way features); it has PS2 keyboard and mouse; it has storage devices; etc.

Qubes is about mitigation and control over exposure.

To mitigate dom0 and/or system exposure: IOMMU is configured for protection from domUs and some hardware exploits; device disaggregation and disabling of PCIe hotplug are all used in Qubes to move some of the “more dangerous” dom0 connections out of reach of straightforward exploits. Etc.

In addition, if a machine is provided with higher quality bios/firmware, users can disable certain connections from their bios/firmware (e.g. webcam, firewire, thunderbolt, etc.) which also reduces dom0 exposure even before boot.

B


My apologies. I must admit to being a bit annoyed by this thread. The OP posted the same thing for Qubes devs and it was dismissed as invalid. Then he does the same thing on this forum. He didn’t make any effort to explain or discuss anything at all about the alleged “hacks”. And then with very little discussion about the claims, he apparently draws the conclusion that dom0 is leaking, Xen is compromised and Qubes should implement a different hypervisor. The whole thing seems trollish and clickbaitish.

To clarify, by “isolated”, I mean compartmentalized. I don’t mean “impenetrable” nor do I mean to imply that there are no threats to dom0 security. I’m saying that the claim that the OP quoted: “It just shows that there’s no Dom0 isolation at all.” is obviously not true.


I agree with all of your points. Regarding dom0 “isolation”, I was not speaking in absolute terms. Please see my above reply to @enmus

Yes, it is trivial to set up a bidirectional channel from dom0 via any networked VM and run a reverse shell. Why on earth would this be a “hack”?


@partition: I saw the video, I posted on the dev’s GitHub as a “Task”, not as a “Bug” or an “Enhancement” or a “Support” or a “Security vulnerability”, because I wanted to highlight the channel and eventually someone with more insight would take it on.

That it was considered as “invalid” was one thing, YET “[I was] ask[ed] that [I] please post this on the Qubes Forum or qubes-users mailing list instead”, which I did. I didn’t have to explain any of the alleged hack, I was MYSELF asking “Interesting or not ?”

That you jump to conclusions is YOUR problem, that YOU pretend I stated Xen is compromised, which I didn’t, is YOUR problem, that you find my input “trollish and clickbaitish” is YOUR skewed perception of reality.

@enmus wrote that “So if there was a Xen bug then ‘the game is over’”, yet as “Joanna writing about this that they had to choose some platform if they don’t want to create their own - and they didn’t want”, hence if Xen was flawed, perhaps it would be interesting to consider another well known hypervisor (NOVA) as a replacement.

Anyway, as stated in the original ticket and by the author himself, it’s about Qubes 4.0.x, so maybe it isn’t even relevant to 4.1.x anymore.

Now if you obviously know everything and consider newcomers with the same “benevolence” as the typical Linuxian, I guess you won’t attract too much sympathy as an unwelcoming “niche platform” populated with obnoxious nerds.

Cool down, don’t put words into my mouth, and we’ll be able to move forward altogether toward a brighter future.

Understood. More succinctly…

No. :)

B

Ok.


this is the first time I heard NOVA is popular (I almost forgot it exists)