On 07/13/2017 08:02 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
>> On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
>>
>>> I know Joanna's reservations about VM introspection, but this
>>> Bitdefender introspection example is interesting nonetheless:
>>>
>>> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
>>
>> I'm curious about these reservations. Is it the attack surface?
>
> Yes, at least two kinds:
> 1. Enabling an API for reading VM memory breaks VM isolation - a misbehaving
> monitoring VM can steal any secret and you'll never know

If scanning VM instance (template based) could be granted access to only one subject VM, risk may not be terribly different from a disposable VM used to render documents.

This can also be approximated to some degree when scanning the private storage of a subject VM... the attach function permits access to nothing else, and the scanner's state will disappear after it issues a (hopefully not false-negative) report and shuts down.

A template-based VM may also perform checks on its own private storage as it's mounted, as I'm exploring in a simple way with Qubes-VM-hardening.

But 'attaching' a subject VM's memory as if it were a read-only drive would be a nifty thing to see.*


> 2. Parsing VM memory (operating system structures, application
> structures etc.) is very complex - a VM that knows it is monitored can try
> to exploit the parsing code; then go to point 1 for example
>
> As for examples of what could possibly go wrong when adding anti-virus
> parsing whatever it can find, see here:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1252

Of course, but recognizing that the browser + traditional OS threat model is somewhat different vs. Qubes disposable VMs.

(* Not suggesting feature requests; just want to explore possibilities.)

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
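The parsing risk raised in point 2 above (a monitored VM feeding hostile operating-system structures to the introspection code) can be made concrete with a small walker over a guest-memory snapshot. The following is an added example written for this page; it is not code from the thread, from Qubes or from Xen. The record layout, the offsets, the process names and the 256-byte "snapshot" are all constructed for the example and correspond to no real OS or hypervisor structure. It shows a naive list walker that trusts every pointer beside a hardened one that validates alignment and bounds, refuses cycles and caps the number of records it will follow.

```python
"""
Added example, not code from the qubes-devel thread or from Qubes/Xen: a
bounds-checked walker over an untrusted guest-memory snapshot.  The record
layout, offsets and process names below are constructed for the example and
do not correspond to any real OS or hypervisor structure.
"""
import struct

# Constructed record layout at a guest-physical offset:
#   u32 pid | u32 next_record_offset (0 = end of list) | 8-byte NUL-padded name
RECORD_FMT = "<II8s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 16 bytes
MAX_RECORDS = 1000                          # hard cap on list length


class UntrustedMemoryError(ValueError):
    """The guest presented a structure the monitor refuses to follow."""


def naive_walk(snapshot: bytes, head: int):
    """Walk the list trusting every pointer.  A hostile guest can make this
    raise struct.error (pointer past the snapshot) or loop forever (cycle)."""
    out, offset = [], head
    while offset != 0:
        pid, nxt, raw = struct.unpack_from(RECORD_FMT, snapshot, offset)
        out.append((pid, raw.rstrip(b"\0").decode("ascii", "replace")))
        offset = nxt
    return out


def hardened_walk(snapshot: bytes, head: int, max_records: int = MAX_RECORDS):
    """Walk the same list while treating every field as attacker-controlled:
    each pointer must be aligned and entirely inside the snapshot, no record
    may be visited twice, and the walk stops at a fixed record budget."""
    seen, out, offset = set(), [], head
    while offset != 0:
        if offset in seen:
            raise UntrustedMemoryError(f"cycle at offset {offset:#x}")
        if offset % 4 or offset + RECORD_SIZE > len(snapshot):
            raise UntrustedMemoryError(f"record at {offset:#x} misaligned or outside snapshot")
        if len(seen) >= max_records:
            raise UntrustedMemoryError(f"more than {max_records} records")
        seen.add(offset)
        pid, nxt, raw = struct.unpack_from(RECORD_FMT, snapshot, offset)
        out.append((pid, raw.rstrip(b"\0").decode("ascii", "replace")))
        offset = nxt
    return out


def scan(snapshot: bytes, head: int, max_records: int = MAX_RECORDS):
    """What a monitor would report: ('ok', records) or ('rejected', reason)."""
    try:
        return "ok", hardened_walk(snapshot, head, max_records)
    except UntrustedMemoryError as exc:
        return "rejected", str(exc)


def build_snapshot(records, size: int = 256) -> bytes:
    """Construct a sample snapshot from (offset, pid, next_offset, name) tuples."""
    buf = bytearray(size)
    for offset, pid, nxt, name in records:
        struct.pack_into(RECORD_FMT, buf, offset, pid, nxt, name.encode("ascii"))
    return bytes(buf)


# Constructed sample snapshots: one well-formed list and three hostile ones.
BENIGN = build_snapshot([(0x10, 1, 0x20, "init"), (0x20, 42, 0x30, "sshd"),
                         (0x30, 77, 0x00, "bash")])
CYCLIC = build_snapshot([(0x10, 1, 0x20, "init"), (0x20, 2, 0x10, "loop")])
OUT_OF_BOUNDS = build_snapshot([(0x10, 1, 0xFFFFFF00, "init")])
MISALIGNED = build_snapshot([(0x10, 1, 0x21, "init")])

if __name__ == "__main__":
    print("benign:", scan(BENIGN, 0x10))
    for label, snap in (("cyclic", CYCLIC), ("oob", OUT_OF_BOUNDS),
                        ("misaligned", MISALIGNED)):
        print(f"{label}:", scan(snap, 0x10))
    try:
        naive_walk(OUT_OF_BOUNDS, 0x10)
    except struct.error as exc:
        print("naive walker crashed on hostile pointer:", exc)
    # naive_walk(CYCLIC, 0x10) would never return.
```

The point of the contrast is that the hardened walker fails closed: a bad pointer, a cycle or an absurdly long list produces a rejection report rather than a crash or a hang in the component that, per point 1, has read access to the subject VM's memory. Real introspection parsers face the same problem for every pointer they follow, which is why the parsing surface is much larger than the walker above suggests.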
