Re: [qubes-devel] Re: 'Hypervisor Introspection defeated Eternalblue a priori'
On 07/13/2017 08:02 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
>> On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
>>> I know Joanna's reservations about VM introspection, but this
>>> Bitdefender introspection example is interesting nonetheless:
>>>
>>> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
>>
>> I'm curious about these reservations. Is it the attack surface?
>
> Yes, at least two kinds:
>
> 1. Enabling an API for reading VM memory breaks VM isolation - a
> misbehaving monitoring VM can steal any secret and you'll never know.

If a scanning VM instance (template-based) could be granted access to
only one subject VM, the risk may not be terribly different from a
disposable VM used to render documents. This can also be approximated to
some degree when scanning the private storage of a subject VM... the
attach function permits access to nothing else, and the scanner's state
will disappear after it issues a (hopefully not false-negative) report
and shuts down. A template-based VM may also perform checks on its own
private storage as it's mounted, as I'm exploring in a simple way with
Qubes-VM-hardening. But 'attaching' a subject VM's memory as if it were
a read-only drive would be a nifty thing to see.*

> 2. Parsing VM memory (operating system structures, application
> structures etc.) is very complex - a VM that knows it is monitored can
> try to exploit the parsing code; then go to point 1, for example.
>
> As for examples of what could possibly go wrong when adding anti-virus
> parsing whatever it can find, see here:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1252

Of course, but recognizing that the browser + traditional OS threat
model is somewhat different vs. Qubes disposable VMs.

(* Not suggesting feature requests; just want to explore possibilities.)
--
Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/659ff35f-fa95-0f5e-8de4-e4551e0d8b52%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-devel] Re: 'Hypervisor Introspection defeated Eternalblue a priori'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
> On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
>> I know Joanna's reservations about VM introspection, but this
>> Bitdefender introspection example is interesting nonetheless:
>>
>> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
>
> I'm curious about these reservations. Is it the attack surface?

Yes, at least two kinds:

1. Enabling an API for reading VM memory breaks VM isolation - a
misbehaving monitoring VM can steal any secret and you'll never know.

2. Parsing VM memory (operating system structures, application
structures etc.) is very complex - a VM that knows it is monitored can
try to exploit the parsing code; then go to point 1, for example.

As for examples of what could possibly go wrong when adding anti-virus
parsing whatever it can find, see here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZaAoTAAoJENuP0xzK19csCqgH/RkDFLyKmIlzqasHgDp61WNE
D1r5F9UfjMYYlQCaw8niupdFrdzl13TDfZGvPsZenQ6V1Z+wglPgu5Wu4CRWt7m8
9iJ++xWqLMalEP8bz5tphXT9mpXvdhPWH/xzeABLrD97JnDenL+lNWU5pgmDwev4
WxIzqEjElJb3jp5z2iM4AS+dyFtZKYMrLbupp8Bx7qWRLLwxI3/lWCH5XGwvgNDO
5KSagseX5m9D05RfV4lEetq+kXT+RUxvyIQmOfgPWGmYUPuFk9AoQ7WODdQEgdmp
H1AflTbFvS6vQ6iImM4KFodtf7NmgHWJwlNyxiBJpPwZBykUzYPDcymlXNIzxyw=
=voU1
-----END PGP SIGNATURE-----

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20170714000227.GH1095%40mail-itl.
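Marek's second point above (parsing guest-memory structures is complex, and a guest that knows it is watched can feed the parser hostile data) illustrated with an added example that is not part of this thread and not code from Qubes, Xen or Bitdefender: a toy introspection walker that follows a process-list chain out of a guest memory snapshot. The 16-byte record layout, the snapshot base address and the four snapshots are all constructed for the example. The point it shows is the defensive one: every pointer read out of guest memory is attacker-controlled input, so it is range-checked, alignment-checked and cycle-checked before use, and the walker fails closed instead of guessing.

```python
"""
Toy guest-memory introspection: walk a process list out of a snapshot
while treating every guest-supplied pointer as hostile input.
Record layout, base address and snapshots are constructed for this example.
"""
import struct

# Constructed toy layout, 16 bytes per record, little-endian:
#   u64 next   : guest-virtual address of the next record (0 terminates)
#   u32 pid
#   u32 flags
RECORD = struct.Struct("<QII")
RECORD_SIZE = RECORD.size      # 16
MAX_RECORDS = 4096             # hard cap so a hostile guest cannot make us loop

BASE = 0xFFFF800000000000      # constructed guest-virtual base of the snapshot


class IntrospectionError(Exception):
    """Guest memory did not match the expected structure; refuse to guess."""


class GuestSnapshot:
    """Read-only view of a guest's memory mapped at a fixed base address."""

    def __init__(self, base: int, data: bytes):
        self.base = base
        self.data = data

    def read_record(self, addr: int) -> tuple:
        # The address came from the guest: validate alignment and range
        # before touching the buffer, so a bad pointer cannot read outside it.
        if addr % 8:
            raise IntrospectionError(f"misaligned record pointer {addr:#x}")
        off = addr - self.base
        if off < 0 or off + RECORD_SIZE > len(self.data):
            raise IntrospectionError(f"record pointer {addr:#x} outside snapshot")
        return RECORD.unpack_from(self.data, off)


def walk_process_list(snap: GuestSnapshot, head: int) -> list:
    """Follow the 'next' chain from head and return the pids found.
    Rejects cycles, out-of-range pointers and over-long lists."""
    pids = []
    seen = set()
    addr = head
    while addr != 0:
        if addr in seen:
            raise IntrospectionError(f"cycle in list at {addr:#x}")
        if len(pids) >= MAX_RECORDS:
            raise IntrospectionError("process list longer than MAX_RECORDS")
        seen.add(addr)
        nxt, pid, _flags = snap.read_record(addr)
        pids.append(pid)
        addr = nxt
    return pids


def build_snapshot(records) -> GuestSnapshot:
    """records: list of (next_addr, pid, flags) laid out back to back at BASE."""
    return GuestSnapshot(BASE, b"".join(RECORD.pack(*r) for r in records))


# Constructed snapshots.
# 1. well-formed list: rec0 -> rec1 -> rec2 -> end
BENIGN = build_snapshot([(BASE + 16, 1, 0), (BASE + 32, 42, 0), (0, 1337, 0)])
# 2. guest points 'next' far outside the mapped region
OUT_OF_RANGE = build_snapshot([(BASE + 0x10000000, 1, 0)])
# 3. guest points 'next' at an odd offset inside a record
MISALIGNED = build_snapshot([(BASE + 7, 1, 0)])
# 4. guest makes the list loop back on itself
CYCLIC = build_snapshot([(BASE + 16, 1, 0), (BASE, 2, 0)])


def classify(snap: GuestSnapshot):
    """Return the pid list, or a 'rejected: ...' string when the structure is refused."""
    try:
        return walk_process_list(snap, BASE)
    except IntrospectionError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for name, snap in (("benign", BENIGN), ("out_of_range", OUT_OF_RANGE),
                       ("misaligned", MISALIGNED), ("cyclic", CYCLIC)):
        print(name, classify(snap))
```

Run as a script it prints one line per snapshot: the benign list yields its three pids and the other three are rejected with the reason. A walker that trusted `next` as a real pointer would read past its buffer on the second snapshot and never terminate on the fourth, which is the class of bug Marek's point is about; the fail-closed checks are cheap compared to the structure parsing itself.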
[qubes-devel] Re: 'Hypervisor Introspection defeated Eternalblue a priori'
On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
> I know Joanna's reservations about VM introspection, but this
> Bitdefender introspection example is interesting nonetheless:
>
> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori

I'm curious about these reservations. Is it the attack surface? Xen
hypervisor introspection looked like a total win to me.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/cd3cb803-62fd-4c37-9982-bc3982807ace%40googlegroups.com.