In another forum, Graphene OS, there was a discussion about Qubes.
Before continuing, I hope this thread can be extra respectful, since it is a question based on another forum and it’s good to be polite to developers of other operating systems.
A user of the Graphene OS forum wrote:
“It would be really hard but not impossible to get hacked in Qubes. If you get hacked, you just delete the VM. Graphene’s model is more to just prevent hacking of the OS at all cost, while being open source and free.”
A Graphene OS developer then replied:
“QubesOS doesn’t make it less likely that an individual application or OS running within it will get compromised. The purpose it serves is containing that compromise. It’s not hardened in the way that you’re implying.”
A user then said:
“That’s not entirely true about Qubes. The compatmentalization [sic] and containment means a hack may not ever really get past certain protections. An infected USB device connected to a minimal template [sic] may be less likely to have the attack surface to hack into the minimal template [sic].* Also networking often goes through multiple templates [sic] with an exploit needed to get to the next template. [sic]* Someone would need to escalate privileges in the sys-net, then the firewall, and they could be minimal templates [sic] or different types of templates. Someone using a VM of an older vulnerable distro can still be hacked through the vulnerabilities in the VM or by downloading a malicious file, although it would hopefully not impact dom0, but it’s not correct to say that Qubes doesn’t offer attack surface reduction beyond containment.”
(The user who posted this referred to VMs using certain templates as just “templates”.)
A Graphene developer then replied:
“No, that’s completely wrong. You don’t have to go through those layers when targeting an application or the TCP/IP stack of the OS. They do not work that way. The rest is a contrived counterexample rather than a real world example. QubesOS does not only reduce attack surface but also increases it. Having multiple distributions involved adds attack surface too.”
The question is whether others agree that the TCP/IP stack can be attacked without targeting multiple VMs, so that the TCP/IP stack can be compromised for a VM like Disp-Whonix-WS by compromise of sys-net, including if there are different templates (such as minimal Gentoo for sys-net and Fedora for sys-firewall). When reading this, I did not understand the Graphene developer and wanted to ask about it.