On Tuesday, 23 January 2018 11:57:44 UTC, Andrew Clausen wrote:
> Hi all,
>
> > Joanna Rutkowska has just published a new article titled "Qubes Air:
> > Generalizing the Qubes Architecture." The article is available both on
> > Joanna's blog:
> >
> > https://blog.invisiblethings.org/2018/01/22/qubes-air.html
> >
> > And on the Qubes website:
> >
> > https://www.qubes-os.org/news/2018/01/22/qubes-air/
>
> I confess I found the writing a bit difficult to understand this time. I
> suggest adding some more example use cases.
>
> Consider the following use case -- is this what Joanna had in mind?
>
> Suppose you are a journalist, and you have received a PDF document on a USB
> stick from an anonymous source. Given all the recent
> meltdown/rowhammer/spectre/xen debacles, you aren't thrilled about plugging
> the USB stick into your Qubes laptop. And even if you did plug it in, you
> wouldn't be thrilled about running the Qubes PDF converter on it either.
>
> So what do you do?
>
> On the USB front, you might buy a Raspberry Pi, and plug the USB stick into
> that instead. You could then scp the PDF document from the Raspberry Pi onto
> the Qubes laptop. Qubes Air would make this easier by making using the
> Raspberry Pi appear just like another USB VM (like sys-usb).
>
> You could also do the PDF conversion on the same Raspberry Pi (specifically
> the half of the conversion that would normally run inside a disposable VM).
> Qubes Air would also make this work smoothly, as if the disposable VM were
> running on the Qubes laptop.
>
> So, what are the security trade-offs?
>
> First, this Raspberry Pi arrangement means that both steps are better
> isolated from the Qubes laptop. Previously, a successful attack on the
> sys-usb VM or the disposable VM could be escalated via Meltdown et al to take
> over the whole laptop. Now they can't.
>
> Second, the Raspberry Pi has inferior isolation within itself (e.g. no
> IOMMU). This means that if the journalist re-uses the same Raspberry Pi for
> several different sources, those sources could interfere with each other.
> For instance, if source A is malicious, it could reprogram the Raspberry Pi
> to destroy all data from source B.
>
> Are you hoping that Qubes Air could overcome this obstacle? For example, are
> you hoping that a dedicated Raspberry Pi just for disposable VMs would be
> able to isolate all disposable VMs from each other?
>
> Kind regards,
> Andrew

My understanding is that this paper did not explore this type of exposure. It is mainly focused on GUI "remoting" and compute "remoting". The risk you exposed with the USB front-end and the lack of compartmentalization are a problem; you are right. So the right way is still to put the USB stick in the laptop; however, the USB VM would run on the Raspberry Pi (a filesystem "remoting" would be required). And, for example, the decryption of the docs in the USB VM would be protected from shared-CPU-cache types of attacks. This is my understanding...