List:       qubes-devel
Subject:    [qubes-devel] Qubes Air's usefulness
From:       Kelly Dean <kelly () prtime ! org>
Date:       2018-01-23 2:13:17
Message-ID: oLJzaJb819XAD4b9RC96xT9eJKs4akVd2IgkaR5k90f () local


Andrew David Wong writes:
> Joanna Rutkowska has just published a new article titled "Qubes Air:
> Generalizing the Qubes Architecture." The article is available both on
> Joanna's blog:
> 
> https://blog.invisiblethings.org/2018/01/22/qubes-air.html
> 
> And on the Qubes website:
> 
> https://www.qubes-os.org/news/2018/01/22/qubes-air/

Qubes Air still has a master admin qube as a single point of failure. Qubes Air also
makes the attacker's job easier, if he's trying to traverse from one VM to another
within a slave zone in a system with heterogeneous VMMs, because he now has another
VMM to choose from, with different vulnerabilities. He can either exploit the slave's
VMM to gain control of the slave zone (including his target VM), or exploit the
master zone's VMM to gain control of the entire system (including the slave's VMM).
In contrast, a Qubes 4.0 system has only one VMM, so the attacker doesn't get a
choice.

Qubes Air also doesn't really make deployment easier. If a user needs Qubes, that
means he needs more security than a conventional OS gives. So, even in the easiest
case (Qubes in a trusted cloud), his client device still at least needs an
IOMMU-isolatable network device. Without that, the entire system is compromisable via
the netvm, via merely an exploit of the network driver or stack, just like a
conventional OS, so why would he bother running Qubes in the first place? But if his
client device does have that feature, then the most practical OS to run on it is
Qubes, so he's already going to have Qubes deployed before bothering with the cloud.

So then, what good is Qubes Air? Apparently, managing a cluster computer. But that's
just an additional capability, after the user has already deployed and secured his
Qubes system in the first place. Contrary to the news article, Qubes Air doesn't
solve problems of initial deployment or single point of failure.
