List: qubes-devel
Subject: Re: [qubes-devel] Re: Qubes Security Bulletin #23
From: Eric Shelton <knockknock () gmail ! com>
Date: 2015-12-21 17:56:42
Message-ID: d3f189c5-02b2-476d-943b-1f2119bd9506 () googlegroups ! com
On Monday, December 21, 2015 at 12:28:24 PM UTC-5, Vít Šesták wrote:
>
> On Monday, December 21, 2015 at 6:09:53 PM UTC+1, Eric Shelton wrote:
> >
> > I do not think that is correct. Looking at lines 78-108 of the QSB, the
> > characteristic that defines what you call a "traditional Xen deployment"
> > does not have anything to do with using an IOMMU, but instead whether a
> > backend is located in dom0 or in a "driver domain."
> >
> Sure, even without IOMMU, Qubes is not the "traditional Xen deployment"
> (TXD). But it is much more similar to the TXD, because all domains with a
> PCI device have access to whole RAM through DMA, so they are effectively a
> part of TCB. In such cases, the attack gives attacker nothing previously
> not owned on any non-IOMMU system.
>
>
> > In contrast, Qubes has at least the net backend in NetVM, as well as
> > ProxyVM as you noted. Plus, if you set up a USBVM, sharing a USB flash
> > drive or such causes the USBVM to act as a block backend as well.
> >
> That's true. However, if NetVM or USBVM is compromised on a non-IOMMU,
> then they can perform the DMA attack. It depends if ProxyVMs and
> FirewallVMs are to be considered as a significant additional risk.
>
Both of the above comments seem to be saying: "if you do not have an IOMMU,
you're already burned, because you are open to DMA attacks." I disagree
with the situation being quite that binary, and it assumes a DMA attack is
easy to come by. They are two distinct attack vectors. I suspect that QSB
#23 is the more powerful of the two for an attacker, because it is purely a
software issue for which an exploit might be engineered to work against
100% of vulnerable (meaning unpatched) systems, while a DMA-based attack
would likely be limited to targets with particular hardware. That does not
mean that a hardware-based attack cannot be devastating - for example, a
wireless adapter that can be subverted by "the packet of doom" - but such
attacks are a separate issue, and there is a security benefit in fully
addressing QSB #23 even on an IOMMU-less system.
Eric