[qubes-users] How do you think about the clipboard inter-VMs

Hello,

I wonder how you manage your computing life with the problem of the clipboard / file sharing.

The documentation states :

“However, one should keep in mind that performing a copy and paste operation from less trusted to more trusted qube is always potentially insecure, since the data that we copy could exploit some hypothetical bug in the target qube. For example, the seemingly-innocent link that we copy from an untrusted qube could turn out to be a large buffer of junk that, when pasted into the target qube’s word processor, could exploit a hypothetical bug in the undo buffer. This is a general problem and applies to any data transfer from less trusted to more trusted qubes. It even applies to copying files between physically separate (air-gapped) machines. Therefore, you should always copy clipboard data only from more trusted to less trusted qubes.”

Also I remember a paper by Joanna Rutkowska assuming the same principles.

I guess most of us cheat these rules sometimes;
if one deploys post-installation scripts in dom0,
or takes notes in a vault and wants to copy in that URL,
or maybe wants to take that snippet into that template ...

I am curious to know how you think about it.

I would like to leave as little of my data as possible in the VMs which are exposed to the network. This, with the fact that the resources of my computer are limited, unfortunately may lead to open breaches in the compartmentalisation:
Now I have a vault where I take notes and need to paste things into it. I can't afford using a vault for each new context and it will not solve the issue of the clipboard.
Maybe I should just stick to the idea of one context equal one VM, and refine what I think is pertinent to put on the word ‘context’.

Otherwise, is there really nothing one can do to enforce the integrity of a piece of text?
Like using an OCR from dom0 to re-transcribe a screenshot of a less trusted VM (is that dumb, or also somehow flawed, or just so loud nobody wants it)?

Hello,

I wonder how you manage your computing life with the problem of
the clipboard / file sharing.

I guess most of us cheat these rules sometimes;
if one deploys post-installation scripts in dom0,
or takes notes in a vault and wants to copy in that URL,
or maybe wants to take that snippet into that template …

I am curious to know how you think about it.

My take on it is to weigh the risk. For instance, I have a ‘Purchasing’ vm and an Internet vm. I’ll do all my searching of what I want to buy in the Internet VM and then copy the specific URL over to the Purchasing VM, rather than using the Purchasing vm to peruse the internet. I feel there is much more likelihood of picking up malware by visiting random internet sites than if I copy and paste a single URL from a site whose URL I have already inspected. I’ll do the same kind of checks when moving receipts and data from Purchasing to my Banking VM.

For the really paranoid you can create a dvm text editor, paste the URL/text data there for inspection before finally copying it to the real destination VM.

If the theoretical copy buffer attack is against Qubes itself I may still be screwed, but that would have to be done by an adversary that both knows what site I will be visiting and also knows in advance that I use Qubes. We are talking Nation State adversary, who clearly already knows an awful lot about me. At that level of the game it’s only a matter of time since clearly I am already a defined target of theirs. Pulling the plug would be the only effective defence at that point.

So, weigh the risks and take precautions where possible. Always try to double check what you are copying/moving across VMs and be appropriately paranoid when moving data to a higher security domain.

Well, it depends:

  • When pasting to a terminal, you should always think twice. (This BTW also holds for pasting a text copied from a webpage to a terminal – the webpage might let you copy something else than what you can see…)
  • When pasting to a text editor with highlighting, there is some risk of a vulnerability in the text editor.
  • When pasting to a text editor with no highlighting etc., the risk is probably quite low.

Well, you could have an application that actively monitors the clipboard and processes it in a vulnerable way. I don’t think this is very likely, but it is possible in theory.

On OCR: I am not sure how it could help. Maybe it could limit the character set and let you review the copied text. Cool, but I believe this can be done in some much easier ways…

@stevenlc: Nation State Adversary has a good acronym…

Vít Šesták ‘v6ak’

pillule:

Hello,

I wonder how you manage your computing life with the problem of the clipboard / file sharing.

For example, the seemingly-innocent link that we copy from an untrusted qube could turn out to be a large buffer of junk that, when pasted into the target qube’s word processor, could exploit a hypothetical bug in the undo buffer.

Qubes does show the number of bytes copied to the buffer when you perform a shift-ctrl-c. If this is the same as the (small) number of characters you are copying, chances of a successful attack fitting in 20 bytes or whatever are pretty slim. File sharing is a different matter; you can address it somewhat by keeping your archive VM not network connected.
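
Added example, not part of any post in this thread: a sketch of the review step discussed above, combining the byte-count comparison with a restricted-character-set check on text before it is pasted into a more trusted qube. The function name, the 2048-byte limit and the sample inputs are assumptions made for illustration.

```python
import unicodedata

MAX_BYTES = 2048  # assumed policy: anything larger is not a "short snippet"

def inspect_clipboard(data, visible_chars=None):
    """Return reasons to distrust clipboard bytes; an empty list means none found.

    visible_chars is the number of characters the user believes they selected.
    """
    findings = []
    if len(data) > MAX_BYTES:
        findings.append(f"size: {len(data)} bytes exceeds limit of {MAX_BYTES}")
    if visible_chars is not None and len(data) != visible_chars:
        findings.append(f"length: {len(data)} bytes copied, {visible_chars} characters expected")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append(f"encoding: invalid UTF-8 at byte {exc.start}")
        return findings
    for pos, ch in enumerate(text):
        category = unicodedata.category(ch)
        if ch in "\r\n":
            findings.append(f"newline: U+{ord(ch):04X} at {pos} (a shell may execute on paste)")
        elif category == "Cc":   # other control characters, e.g. ESC or TAB
            findings.append(f"control: U+{ord(ch):04X} at {pos}")
        elif category == "Cf":   # zero-width and bidi formatting characters
            findings.append(f"invisible: U+{ord(ch):04X} {unicodedata.name(ch, '?')} at {pos}")
        elif ord(ch) > 0x7E:     # outside printable ASCII; review by eye
            findings.append(f"non-ascii: U+{ord(ch):04X} at {pos}")
    return findings

# Constructed samples (not taken from the thread).
CLEAN_URL = b"https://example.org/item?id=42"
HIDDEN = "echo hello\u200b\necho constructed-second-line\n".encode("utf-8")

if __name__ == "__main__":
    for label, data, seen in (("clean", CLEAN_URL, 30), ("hidden", HIDDEN, 10)):
        print(label, inspect_clipboard(data, seen) or "nothing flagged")
```

An empty result only means none of these checks fired; it says nothing about bugs in whatever application finally receives the text.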