Qubes code audit

Hi,

Has there been any third party audits on Qubes OS?

thanks

My understanding is it is Open Source,
see wiki

Thus to request an audit of a project that doesn’t make money off sells of installs is kind of redundant, since it is Open Source anyone can go and review the codebase.

While there are proprietary blobs, I suspect this is not from Qubes (though I could be wrong as I haven’t looked at any of the code at all especially since its first release and even then I just skimmed a little over the C language portions). As in Fedora to some are problematic (which is why I didn’t want the template but am stuck with it as the base Dom0 according to the documentation I skimmed over). Plus someone on this Forum mentioned that Purism did a hack to their boot to fullfill the FSF (Free Software Foundation) requirements while not also having to downgrade in security practices but that Qubes just decided to make life easy for the team by sticking with proprietary ways of doing whatever it is for the boot I don’t know I just read a blurb on here a few days ago mentioning all that. The point is, most of the system is already auditable and the parts that aren’t can if you wish to tinker hard core be pulled out and replaced like what Purism did apparently. Thus, to me while it isn’t perfect from FSF FLOSS standards it is good enough and plenty of eyeballs have been over the GIT repos. I mean even Snowden gave it a rave review in its early days.

Plus I am sure if someone was willing to pay hundreds of thousands of USD to perform a 3rd party audit the Qubes team would not turn it down they might even be thrilled, or one would hope so in being well received. I think you are asking a project that is free as in beer to fundraise and spend hundreds of thousands of USD to suffice a checkbox when the majority of the code is already OpenSource therefore auditable and I would argue could be a flexible FSF way too since none of them would cry over you altering the property blobs out.

In fact, since FSF, FLOSS, and now this audit question keeps coming up (according to past Forum posts I have skimmed through; I am new here btw) then really what some FSF fan should do is fork Qubes where it is still Qubes but Free as in Libre and Free as in Beer lol just saying

Also you or anyone is able to add by submitting improvements and features
(assuming the Qube team accepts your proposal commit)

Seriously it is OpenSource with property blobs. You can go audit it even for yourself. If you want a 3rd party stamp of appointment it will cost a ton of money, are you volunteering to provide those funds or lead the fundraiser for it?

Speaking of their GIT repo

Check this out!
Cool things coming soon for admin-ing I hope!
(I have no idea since I don’t know a lick of Python)

IMG_2051723×485 56.6 KB

I just wish it wasn’t only an API, so I hope they make an easy way for multi-user with 1 admin locally on the machine without needing to admin remotely as some have specific Threat Models like myself that can’t risk opening up SSH and stuff — and hopefully they have a GUI UI/UX for it too …

I disagree, and I would argue that important open-source project with a focus on security also do (e.g. see SecureDrop’s security audits to name one).

It is expensive to run a security audit, precisely because simply making the code open-source doesn’t get close to the level of review that can be achieved by people whose job is to do security audits. (Disclaimer: it is not my job to run security audits, just in case!)

Didn’t mean to imply I was against it, I am pro audits

As for the public vs professional audits I don’t know, I am actually on the fence. I think both have their own merits and strengths. So I am also not saying either method is better, having both would be ideal actually

It is just very expensive

I was on a crypto project and they had me look into audits, the reputable ones for the Solidity back in 2020 was charging a minimum of about $100K but with more research it that one company would have charged about $300K; so my real point is it is very expensive … nice to have, really pricey though so that is alot to ask of a free project is all I was trying to convey

If the illuminati have already penetrated the Qubes team, then they will be certain to get to the auditors as well before any secrets are revealed. We can’t trust Qubes, and we can’t trust the auditors. We can’t even trust the public source code unless we compile the install ISO from source code which I doubt anybody actually does… let alone having to repeat audit for every single little update in every single little qube you have.

Forget about trusting anything in cybersecurity. They got us checkmated on that one from really high up. Trust what your eyes can see and what your brain can understand, and seek alternative solutions for everything else.

Trusting the source has nothing to do with compiling the ISO from
source. And plenty of people do that.

This is meaningless. Not false, meaningless.

So maybe to give an neutral answer: AFAIK, there have been no third party audits.
I reckon there have been quite a few discussions about this…

im willing to donate to help pay for a third party audit every Qubes OS 4.xx update

edit: how much would something like this cost?

I mean, if there’s money involved I could do it as a seasonal gig. I’ll work for half whatever the competition charges. I can accept payment in crypto and crypto.

Unless there’s assembly involved then count me out I ain’t touching that

I’d like a community driven program where the QubesOS team selects a QubesOS repository/component of their choosing, and for that week or month that repository/component is highlighted on the forum/website/Github/etc for a community audit. A thread can be made to discuss any findings of concern, clarifications on what code is doing for the less savvy, better ways of doing things, code cleanup, etc.

This way we can get a focused look on each area of concern instead of multiple eyes all over the place. We would essentially be doing a group audit, component by component over time.

now that qubes is getting more popular and after xz utils backdoor, i think its important to make bump this on the priority list

Great idea !

Found the code complexity, surface, number of components kind of overwhelming when landing on Qubes planet - still today btw. And I am quite tech-savvy but Qubes is definitely a great piece of engineering. This idea to spotlight different components regularly could leverage momentum for people eager to dig in.

Are you close to launch / animate such program ?

Would be in, for real, reading and writing not-too-complex C / C++

I’d be happy to moderate and coordinate such a program with perhaps another volunteer. But I think it would be best to first ask @adw as the Community Manager if such a community program would be endorsed by the Qubes team.

If so, I can write up a draft on how it would be organized, and we could do a pilot run on a small component/repository for 1-month and see how it goes?

I’ll ask the team about this and let you know what I hear.

The team thinks this is a good idea! One specific recommendation is to start with some of the core-* components. There are also app-* components (like u2f and gpg) that are mostly self-contained and therefore easier to review.

@illuminati great proposal for the community

Personally particularly interested in helping make any move towards improving back-up integration. Automated and easy system-wide back-ups would be awesome IMO. This GH thread about incremental backup started in 2015 and discussion started reviving here lately (summary).

@illuminati are you interested in this one about exploring the possibilities to improve Qubes back-up system ? Do you think it would fit as a first pilot as you suggested to launch ?

@adw do you think the backup component would meet the requirements and Qubes team goals ?

I’m interested in improvements for backups, but I don’t think I could help out with that at the moment. Setting up an audit program is going to take up a lot of my free time, and I think it’s more of a priority issue for the community as a whole, especially with the recent concerns of possible state actors being behind the xz backdoor.

I’m not sure how incremental backups would fit into the scope of a pilot community audit program. Perhaps such a feature could be audited by the community when code is finalized and ready for general testing?

OMG this is awesome, thanks @PostedPortal

As @illuminati mentioned above, this is about auditing the existing code as it is right now, which sounds like it does not include the type of backup features you’re looking for, so I’m not sure if what you’re asking for is really what you want.