Hello!
I want to understand the security properties of Qubes OS on a deeper level. Note that for all my arguments/questions a simple "yes, but the increase in security would be too low compared to the cost of implementing it" would be sufficient. I understand many ideas are a lot of work.
1) Easy root access in VMs
To quote "Passwordless root access in qubes | Qubes OS":
# Because, really, if somebody could find and exploit a bug in the Xen
# hypervisor -- as of 2016, there have been only three publicly disclosed
# exploitable bugs in the Xen hypervisor from a VM -- then it would be
# highly unlikely if that person couldn't also found a user-to-root
# escalation in VM (which as we know from history of UNIX/Linux
# happens all the time).
That is true, but I think it would be harder if the VM "personal" (i.e. not the template that provisions the VM!) had no way of accessing root. So if there were no sudo/su binaries (they are simply not needed for the "personal" VM), and no other way of authenticating to root (for instance polkit), it surely would be more difficult?
I imagine all user-to-root escalations are easy because the usual Linux installations require users to sometimes escalate to root. But here, if no one can escalate to root, then the attacker can't either?
# At the same time allowing for easy user-to-root escalation in a VM
# is simply convenient for users, especially for update installation.
I understand that for the VM that configures the template. But for the VM that uses the template, there is no use for that.
2) Attacker is allowed to execute anything they want
Even more: when I have a VM that is solely for running Firefox, denying the execution of everything else would surely make an attack much more difficult compared to "attacker has full control to run everything they want in the VM".
When I have some important personal files on this VM, for which I don't want to create a separate VM to keep the management complexity low, an attacker can very easily steal these files.
3) Attacker has read/write access to $HOME
If Firefox couldn't even read anything besides $HOME/Downloads, they also wouldn't be able to steal anything from my personal files.
And for instance, they can easily gain persistent access to this VM by deploying their attacker executable somewhere in $HOME and executing it from ~/.bash_profile or something.
But if they couldn't even modify these files in the VM, they also couldn't persist their access via ~/.bash_profile.
That way they surely could still find a way to always change the DNS server of this VM every time Firefox or something starts (either via the Firefox config itself, or via files in /etc).
4) Documents describing the security properties of Qubes OS
I know of course the documentation on the website, where some of this is also described. I also know the "Qubes OS Architecture" version 0.3 from January 2010 by Joanna Rutkowska and Rafal Wojtczuk (but I haven't read it yet).
Are there any other documents describing the security on a deeper level?
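As an added example (not part of the original post and not Qubes project code), here is a small audit script for the three properties argued about above: whether the VM grants passwordless root through a sudoers NOPASSWD rule or a polkit rule that returns an unconditional YES, which escalation binaries are present with the setuid bit, and which shell startup files in $HOME the current user can modify (the persistence point named under point 3). Every check takes its paths as parameters so it can run against constructed files; the default locations used by audit_vm (/etc/sudoers.d, /etc/polkit-1/rules.d, /usr/bin/sudo, /usr/bin/su, /usr/bin/pkexec) are assumptions about a typical Fedora/Debian-based template, not something the post states.

```shell
#!/bin/sh
# Added example, not from the post or the Qubes project: audit a Linux VM
# for passwordless root (sudoers/polkit), setuid escalation binaries and
# writable shell startup files. Paths are parameters so the checks can be
# run against constructed files; the defaults in audit_vm are assumptions.

# Return 0 if any non-comment line under the sudoers path grants NOPASSWD.
# -r handles both a single file and a sudoers.d directory.
sudoers_has_nopasswd() {
    grep -rhv '^[[:space:]]*#' "$1" 2>/dev/null | grep -q 'NOPASSWD'
}

# Return 0 if any non-comment polkit rule returns an unconditional YES.
polkit_allows_all() {
    grep -rhv '^[[:space:]]*//' "$1" 2>/dev/null | grep -q 'polkit\.Result\.YES'
}

# Print each listed binary that exists and carries the setuid bit.
list_setuid_escalators() {
    for bin in "$@"; do
        [ -u "$bin" ] && printf '%s\n' "$bin"
    done
    return 0
}

# Print each shell startup file under the given home directory that the
# current user can modify, i.e. that an attacker in the VM could use to
# make a dropped executable run on every login.
list_writable_startup_files() {
    for f in "$1/.bash_profile" "$1/.bashrc" "$1/.profile"; do
        [ -w "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Run every check against the live VM and print a short report.
audit_vm() {
    if sudoers_has_nopasswd /etc/sudoers.d; then
        echo "FINDING: NOPASSWD sudo rule present (passwordless root)"
    fi
    if polkit_allows_all /etc/polkit-1/rules.d; then
        echo "FINDING: polkit rule returning polkit.Result.YES present"
    fi
    list_setuid_escalators /usr/bin/sudo /usr/bin/su /usr/bin/pkexec \
        | sed 's/^/INFO: setuid escalator: /'
    list_writable_startup_files "$HOME" \
        | sed 's/^/INFO: writable startup file: /'
}

# Only run the live audit when asked, so the functions can be sourced.
if [ "${1-}" = "--audit" ]; then
    audit_vm
fi
```

Run it inside the qube as `sh audit.sh --audit`. A hit on the first two checks means the "user-to-root is free" situation the quoted documentation describes; the startup-file list is what an attacker with write access to $HOME can edit, which is exactly why point 3 matters even when root is unreachable.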