On 07/13/2017 08:02 PM, Marek Marczykowski-Górecki wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
I know Joanna's reservations about VM introspection, but this
Bitdefender introspection example is interesting nonetheless:
https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
Im curious about these reservations. is it the attack surface?
Yes, at least two kinds:
1. Enabling API for reading VM memory break VM isolation - misbehaving
monitoring VM can steal any secret and you'll never know
If scanning VM instance (template based) could be granted access to only
one subject VM, risk may not be terribly different from a disposable VM
used to render documents.
This can also be approximated to some degree when scanning the private
storage of a subject VM... the attach function permits access to nothing
else, and the scanner's state will disappear after it issues a
(hopefully not false-negative) report and shuts down.
A template-based VM may also perform checks on its own private storage
as its mounted, as I'm exploring in a simple way with Qubes-VM-hardening.
But 'attaching' a subject VM's memory as if it were a read-only drive
would be a nifty thing to see.*
2. Parsing VM memory (operating system structures, application
structures etc) is very complex - VM that know it is monitored can try
exploit the parsing code; then go to point 1 for example
As for examples what could possibly go wrong when adding anti-virus
parsing whatever it can find, see here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252
Of course, but recognizing browser + traditional OS threat model is
somewhat different vs Qubes disposable VMs.
(* Not suggesting feature requests; just want to explore possibilities.)
--
Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/659ff35f-fa95-0f5e-8de4-e4551e0d8b52%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
