Is browser cross-contamination between VM qubes possible?

Hypothetically, if a Threat Actor were to devastate the VM qube browser template so badly with an exploit, could such an attacker then compromise the integrity of the template source by altering how that browser behaves across ALL qubes that run that browser app?

For example, I had an “admin” account on my MacOs that I rarely logged into, yet when my regular user account got infected it eventually used the Adobe Suite to compromise all accounts even the admin because Adobe was set up in a weird way that it crossed all domains or whatever that is called. In QubesOS, from my understanding currently is that the Templates share the same source.

Thus, if such is the case, then there is a small risk that if an attacker completely owns a qube’s broswer that browser’s template could be at risk, and if that template is used for other qubes then those qubes now have an in-route to compromise them as well like a cascading effect.

Is that possible without truly breaking through the VM to the Dom0 Hypervisor?

Thus, to ensure no cross-contamination occurs if there were any medium level breach within the qube I will sandbox it by only using a browser that I will not use in any other qube; as I already know some of my attacker’s methods and the browser is a “weak link” that he exploits, along with Adobe, and Google products. I should still be safe re-using the templated OS, though I am unsure if I should repeat that same OS base template inside other qubes as I a remain cautious; though the difference in what browser app used should be enough of a mitigation effort I hope; because if he can break a hardened version of Debian such as KickSecure then I am up against major odds if that ends up being the case.

So is corruption possible of a base template app or the base template OS itself?

1 Like

I think that you will encounter a lot of answers here: Templates | Qubes OS

1 Like

So each is “read only”, however there is 1 path to the root file system it also says,

" * Speed: It is extremely fast to create new app qubes, since the root filesystem already exists in the template."

Does this then imply, the only way to accomplish cross-contamination would be for an attacker to jump out of the VM escaping the Hypervisor into Dom0?

“An important side effect of this system is that any software installed in an app qube (rather than in the template on which it is based) will disappear after the app qube reboots (see Inheritance and Persistence). For this reason, we recommend installing most of your software in templates, not app qubes.”
source of quote:
Templates | Qubes OS

Oh! So if I want to be really safe, I can choose not to install the browser in the template HOWEVER that means every time the qube is launched a browser has to be reinstalled again and again since that qube will be set to “disposable”

This is great to know!

It seems you don’t really understand templates.

If 2 AppVM shares the same template, they are only running from a copy of that template, they aren’t sharing anything except the data from the original template, at rest, that can’t be levered to contaminate another qube using the same template.

As for disposals, they are just an AppVM that is ephemeral, you want to install the software in their template, not every time you run the disposable qube.


At rest, so if 2 VMs were “on” at the same time this then becomes a risk? Or is the template always “at rest” even when qube VMs launch from it?

the templates are always copied (in a very effective way) when you run a qube, and any changes are discarded.

1 Like

So the templates don’t have internet access and are isolated from the other VMs that you are running.

Think of every VM as it’s own computer running inside your system. Each VM has the “operating system” part created new each time you open it based on saved operating system information (stored in the “template”)

In order for cross-VM contamination to happen, you have to either allow the templates access to the Internet (NEVER DO THAT!!!) or dom0 would have to be compromised, which is the operating system that coordinates everything.

So it’s possible, but it would mean someone has to compromise all of the Xen architecture and get into dom0 and somehow access the templates to corrupt them

1 Like

Good to know! Thank you for clarifying

No … they will have internet access. I am just setting it up first offline then when I have this and my hardened LAN ready I will plop it onto the internet behind 2 VPNs and 3 Firewall layers

So only possible if Dom0 is compromise, got it

How would I know if I am allowing sys-firewall and/or sys-net on the VM level rather than on the Template level?

If you think the templates should have internet access, you should re-read the information about Qubes again. You fundamentally are missing how Qubes works and what it does.

The templates are like “Original Operating System ISO” but it’s a special version for Qubes. You download templates for Qubes. They should never have internet access.

sys-firewall and sys-net are not templates, so when you allow internet access, it doesn’t affect the templates which are different things




Okay so my QubesOS vocabulary is obviously lacking greatly

I mean the qubes, the VMs, the tiny little computers within the computer on top of XEN — they will have internet access

So when I enabled say sys-USB it didn’t change the template it only changed that qube VM? So the same would be for sys-Firewall and sys-net … ?

Is it called these?

• Xen is Dom0?

• Templates are templates?

• the windows launched from those templates are then what, “VMs” or are they called “qubes”?

1 Like

It’s wrong.

There are videos on YouTube that probably explain the basic concepts and an invidious instance you can use?

We aren’t that different:

I also dislike reading documentation but it’s important to do so you understand the basics.

Read the documentation anyway? Smart people who made Qubes or are connected to the project made the documentation so new users can understand.

A window is launched from a VM based on a template. dom0 is not Xen. Saying a template is a template is tautological… 1=1, 2=2, etc

I am not trying to discourage you. Qubes is incredible and it’s hard. Just read through the documentation a little bit more so you don’t do something like accidentally open a cool new file called that is actually a backdoor hack in a template?

You also need to learn how to verify SHA256 signatures if you want to correctly use this to prevent being hacked or only install from repositories (not including snap in that for obvious reasons).

There are articles and videos on YouTube on how to compare SHA256 signatures. You need to learn how to download things in templates and use them in VMs. So much of this is covered in the documentation.

I am asking here if a vocab list exists or if all is currently mixed-in

I agree

I am not here to learn right now

I am here for survival and therefore do not have the luxury of taking the time to learn. I will learn later if that makes you feel better knowing I will eventually but this is not my current priority

I wouldn’t be here, no offense, if I didn’t have to. I knew of QubesOS existence for a decade now (its a decade old I believe finally); never once had a reason to touch it let alone learn it until now. I knew of it, which luckily gave me better choices in my current situation

1 Like

So there are different parts of each VM. The part that comes from the templates and gets reloaded each time and the user files.

For sys-firewall and sys-net, they are like their own little computers. If someone wants to hack you, they may need to hack those first. Because you don’t really do anything in those VMs, it’s hard to hack those, especially because they reload the original OS each time, preventing someone from doing something like getting into the OS, escalating privileges, and finding a way to remotely control your computer.

You do other things in other VMs.

Let’s say you want to browse the Internet. You open up a Tor in it’s own VM, it’s own computer, based on a template.

You then open a webpage containing malicious javascript designed to hack you and it’s a zero day exploit and Tor doesn’t protect against it.

The evil hackers have now compromised this VM. Then you close the VM. They haven’t compromised dom0 or the other VMs or templates. You delete this VM because you think it’s compromised. You create a new VM.

Sometimes people will use disposable VMs for things like Tor because they are more likely to encounter a malicious javascript exploit while on the Internet. As soon as you close it, the entire computer is destroyed. (Although it could be recovered if you haven’t applied the Ram-based qubes guide, which is advanced.)

Let’s say you find a new file. It’s a cool new program and you want to try it out. You put it in a VM and it turns out when you run it that it’s a trojan. Only that VM is compromised unless it’s an incredibly good trojan.

Qubes protects you against non-specific threats in which you aren’t targeted personally. If someone is targeting you personally, they can probably hack you if they are smart enough if they know 0day exploits in Debian or Fedora. There are also possible firmware level exploits. It’s still better to use Qubes.

I am aware of that

I always look for GUI tool warez first before actually doing it especially if I can also avoid CLI (command line)

Have you ever considered though, that the documentation may still be confusing for newbies? Hence my quoting of said documentation upon further clarification of my original question above that started this post thread lol

Each VM in Qubes is it’s own virtual computer that is based on a template which is like a special type of ISO that allows a fast install of the entire operating system. The templates can only be updated in ways that make them harder but not impossible to be hacked. You never connect a template directly to the Internet because you then bypass this special way to update the template. There are also special ways to install software in templates that allow you access to the software in the VMs. You don’t need to understand all the vocabulary. It takes a few months to understand the basics and it’s normal unless you are a computer scientist. I am also not a computer scientist. You’ll do fine.