Mitigations for resource usage covert side channels in qubes

Suspicious_Actions · April 19, 2022, 1:13pm

When using shared resources, one is able to modulate data into the usage pattern. This is bad.

The other day i thought a bit on how to extract information from a vault qube.

The first thing that came to my mind:

“If i utilize the CPU in qube A, i may be able to detect that in qube B by measuring the time when qube B is rescheduled. I should be able to transmit information over this channel.”

Sure: The adversary need to have RCE in both qubes, but think big. Think supply chain attack for example.

Before i got to write a POC i used my favorite search engine and sure enough i am not the first to come up with that idea. Here is a POC.

I have not attempted to use this in qubes.

A few questions:

How does the xen hypervisor schedule? Does scheduling change when load changes? My suspicion: Yes.
What other side channels could be utilized? caches might be covered by existing mitigation, but maybe RAM or PCI devices?
What are our mitigations?

Regarding mitigations:

Things anybody can do now:
Pause critical qubes like password vaults when not in use.

I cannot think of one solution that would fit all without impacting performance in an extreme way, so maybe the best approach would be to monitor ressource usage of domUs and try to detect patterns.

If the attacker cranks down SNR to avoid detection this would make the attack much harder to detect, but take much longer. This might be a worthwhile thing to explore in addition to pausing. May also detect something like Rowhammer.

What are your thoughts on this?

fsflover · April 19, 2022, 4:28pm

And, vice versa, pause all other qubes when doing something with vaults:

Suspicious_Actions · April 20, 2022, 8:13am

Thanks for the link!

Pausing all other qubes surely would mitigate the attack greatly, but has more implications that just pausing the vault. It is highly dependend on what one does with qubes, while only pausing the vault basically is not.

I think implementing this as a simple bash script in dom0 is very easy and i will play around with that and see what is breaking.

However, i think this has other implications, as this would leak metadata about when highly sensitive operations are performed to all qubes, making this specific information much more vulnerable.

With this knowledge an advanced adversary could leverage other means of exploitation. Especially regarding the anonymity side, this can be abused for a great number of cross referencing and confirmation attacks on anonymous identities or even singular browsing sessions, giving more leverage against (hypothetical) Tor attacks.

I have not concluded what my stand on this is, but will think about it further.

In the meantime: Is there a reason, why the pause function is called “emergency pause”? This sounds a bit like a last resort thing, and not like a regular operation.

Some other things i came up with:

The most vulnerable information are in the holy grails: Our password safes. The location and kind of information is blatantly obvious to unsophisticated and thus small malware.
Extracting useful information out of (my) other vaults, like multi TB big libraries are impractical unless the adversary knows exactly what he is looking for.

Based upon this, i came up with two other ideas:

Decoy information: One could flood the keepass with a lot of decoy keys. This would only affect the (time) cost of attack linearly. One needs to make sure, to not have identifiers for the key like “monero wallet key” as names. With my other idea, this scales with O(n²) or even O(n³) (if i am not mistaken).
Split information: Additionally one could create another vault based on a different template with a differen password manager that does hold the other half of the keys and the identifiers. Creating a correct password would need both vaults to work together, so your adversary would have to pwn both. His malware would need additional complexity, increasing the chance of detection.
Another attempt would be to simply opt out of using vaults for passwords. Something like a hardware password manager, maybe even homemade that would simulate key presses is another option, but comes with other security implications.

A combination of all above mitigations might be envisioned. Or even an automated means of spawning new vaults, giving a theoretical advantage of O(n^n) which seems pretty significant, if the user can afford this with software diversity and ram usage.

phl · April 20, 2022, 8:47am

Unpopular take on this topic: if you have information in a vault that you consider critical enough to think about this kind of advanced threat levels: do not store it on a computer with Internet access.

Just use a separate air-gapped computer that you boot up if you require access to these passwords and transfer them by hand.
What should prevent an attacker this powerful from finding an escape-to-hypervisor exploit in Xen? Or from compromising your computer on a firmware level (BIOS/UEFI, Intel ME, graphics cards driver, …)?

KarlinQubes · April 20, 2022, 8:55am

HEADS would be the measure to protect against BIOS/UEFI persistent rootkits. ME can be neutered. Graphics card is optional.

I agree with you RE: airgapping the p/w’s if the threat level is this high, but it is still a good exercise to see how much we can mitigate on our primary systems.

Suspicious_Actions · April 20, 2022, 9:04am

Great take on this, and i would mostly agree.

However…

My use case for a password manager is… well, managing my passwords for mostly online services. I could use a truely air gapped system for this, but i would have to manually type in the password. This is not great usability an chances are, that my passwords will get easier and shorter because of this.

Another option would be a “partially air-gapped” system, that yould communicate with my PC for example over QR-codes and a webcam or by emulating an USB keyboard, which i mentioned above. As long as there is enough entropy induced by this part of the system, the system is strong. To mitigate other unknown vulnerabilities, a combination of software airgap + hardware airgap could lead to more security than a hardware airgap alone.

This is a very good question.

My opinion on this is, that a xen hypervisor escape exploit would be too expensive to burn on me/us.

Organizations that deploy this high level exploits always have systems in place to weight risk against gain. From what i have heard, the operatives do not get permission to use a secret exploit if there is a realistic chance of it getting caught.

We are the reasonably paranoid ppl that virtualize everything and run full audit mode. On any glitch we safe all the logfiles and try to find out what happened. This is a very high risk setting for using such an exotic and hopefully rare exploit. → Not worth the risk.

Going into firmware level seems easier/cheaper/safer to me. I am not into that very much, but against BIOS you have coreboot for better security, also flashing firmware or BIOS from within domUs seems unlikely to me, but i am not expert here by any means, so feel free to correct me!

Oh and one last thing:

I am just thinking of this because of scientific interest, not because i think such an attack is reasonable to be waged against me personally as i, like everybody else, have nOtHiNg To HiDe.

fsflover · April 20, 2022, 9:16am

github.com/QubesOS/qubes-issues

VM suspend ("Pause") and qmemman

opened 11:37AM - 09 Sep 19 UTC

closed 09:21AM - 05 Aug 23 UTC

brendanhoar

T: bug C: core P: default eol-4.0

**Qubes OS version** R4.0 current-testing **Affected component(s) or functio…nality** Resuming from the the Qubes Domain VM/Pause functionality (aka VM suspend) **Brief summary** If I suspend a domain utilizing significant RAM that has meminfo-writer service enabled, perform several VM operations, and then resume the VM, the VM usually instantly terminates. **To Reproduce** Create a VM where maxmem is 1/3 of RAM. Perform some memory intenstive operations in the VM. Stop the operations and let the VM settle. Pause the VM. Do something similar in other VMs without suspending them. Resume the VM. **Expected behavior** VM terminates. **Actual behavior** Resuming a VM should be able to ease a VM back into the memory horsetrading without panicking. B

github.com/QubesOS/qubes-issues

Explicitly paused VMs get started on system suspend/resume.

opened 10:49AM - 13 Jan 16 UTC

caturandom

T: bug C: core P: minor needs diagnosis affects-4.1 affects-4.2

When suspending a VM I'd expect it to be still suspended after closing and openi…ng my laptop lid. But this is not the case. I assume that on system suspend every VM gets paused and on system resume every VM gets started again even if it has been explicitly sent to sleep before .

github.com/QubesOS/qubes-issues

Improve UX regarding VM pausing

opened 10:15AM - 10 Aug 20 UTC

andrewdavidwong

T: enhancement C: core ux P: default

**The problem you're addressing (if any)** Most users don't know what pausing… a VM does or when they should do it. **Describe the solution you'd like** Some better way for Qubes OS to make VM pausing intuitive for users, or just improve the UX regarding VM pausing in general, however you deem best. **Where is the value to a user, and who might that user be?** Users won't use the pause functionality for the wrong reasons or in the wrong way. Users won't see the pause button and wonder fearfully what it does. **Describe alternatives you've considered** Document information about pausing VMs. This would also be good, but of course not everyone will read the documentation. **Additional context** See the discussion on #5988. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** We currently don't mention pausing much in the documentation. [Understanding and Preventing Data Leaks](https://www.qubes-os.org/doc/data-leaks/) mentions it in passing. **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #5988, #5987, #5967, #5305, #4700, #4101

github.com/QubesOS/qubes-issues

qvm-shutdown on paused VMs behaves oddly

opened 04:32PM - 07 Aug 20 UTC

closed 09:24AM - 05 Aug 23 UTC

3hhh

T: bug C: core ux P: default eol-4.0

**Qubes OS version** 4.0 **Affected component(s) or functionality** `qvm-sh…utdown` **Brief summary** `qvm-shutdown` hangs for a while and then apparently kills paused VMs. **To Reproduce** ``` qvm-run --dispvm surfing-dvm xterm qvm-pause disp1234 qvm-shutdown --wait disp1234 ``` **Expected behavior** `qvm-shutdown` performs the shutdown. Possibly even gracefully (i.e. by unpausing the VM first). **Actual behavior** `qvm-shutdown` hangs for 10s or so. Then it apparently kills the VM. **Recommendation** From my point of view it would be sensible to handle paused VMs as follows: `qvm-shutdown`: Unpause and shutdown gracefully as usual. `qvm-kill`: Do not unpause, remove it from memory instantly (shouldn't take 10s). **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #5967

Suspicious_Actions · April 20, 2022, 9:17am

ouch…

Thanks for the information!

fsflover · June 17, 2022, 12:59pm

github.com/QubesOS/qubes-issues

Windows become unresponsive for VMs that were paused before suspend

opened 12:55PM - 06 Jun 22 UTC

resulin

T: bug C: core P: default needs diagnosis

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## Qubes OS release 4.1 ### Brief summary Windows become unresponsive for VMs that were paused before suspend ### Steps to reproduce **Have this patch applied: https://github.com/QubesOS/qubes-core-admin/pull/473**. Open some VMs. Pause them. Suspend. Wake up from suspend. Then try to interact with some windows from those VMs. ### Expected behavior Windows are responsive. ### Actual behavior Windows aren't responsive. Issue was confirmed and reproduced by another member on the forum: https://forum.qubes-os.org/t/suspend-swap-and-whonix-gateway-performance-issues/11310/17

tripleh · June 17, 2022, 2:33pm

[1] does automatic pause & shutdown.

[1] https://github.com/3hhh/qidle