On Mon, Nov 7, 2016 at 2:29 PM, Chris Laprise <tas...@openmailbox.org> wrote:

> The framebuffer is being handled by the trusted dom0 graphics stack, so is
> actually a trusted input.
Perhaps we have run into trusted != trustworthy terminology issues. I meant to say that the content of the framebuffer being processed by the highly complex [1] compression algorithms is directly attacker-controlled, and thus attacking dom0 by displaying specially crafted bitmaps is a theoretical attack vector.

[1]: https://sidbala.com/h-264-is-magic/ (from recent Hacker News; serves to illustrate that video compression has significant complexity, and it is not impossible to imagine the existence of exploitable edge cases)

> it's a simple matter to pipe the raw video to a codec in an appVM.

Performing the compression in an AppVM in order to isolate dom0 from potential video codec bugs would be ideal, although to do so while retaining reasonable performance (frames per second) would require a non-trivial amount of work. You would want to eliminate excessive copying of large amounts of data (raw frames are large), and probably want to do something like the shared-memory composition buffer sharing done to achieve performance in the Qubes GUI daemon today. I would say this is not a simple matter, as it would likely require some non-trivial hacking to get working well.

> The threat model is pretty similar to Qubes' Trusted PDF feature.

Not quite. The PDF processing happens in a throwaway VM, whereas here the video processing as done today happens in dom0.