qubes-doc/developer/system/security-critical-code.md

---
lang: en
layout: doc
permalink: /doc/security-critical-code/
redirect_from:
- /en/doc/security-critical-code/
- /doc/SecurityCriticalCode/
- /wiki/SecurityCriticalCode/
- /trac/wiki/SecurityCriticalCode/
ref: 55
title: Security-critical code
---

Below is a list of security-critical (i.e., trusted) code components in Qubes OS.
A successful attack against any of these components could compromise the system's security.
This code can be thought of as the Trusted Computing Base (TCB) of Qubes OS.
One of the main goals of the project is to keep the TCB to an absolute minimum.
The size of the current TCB is on the order of hundreds of thousands of lines of C code, which is several orders of magnitude less than other OSes.
(In Windows, Linux, and Mac OSes, the amount of trusted code is typically on the order of tens of *millions* of lines of C code.)

For more information, see [Qubes Security Goals](/security/goals/).

Security-critical Qubes-specific Components
-------------------------------------------

The following code components are security-critical in Qubes OS:

- Dom0-side of the libvchan library
- Dom0-side of the GUI virtualization code (`qubes-guid`)
- Dom0-side of the sound virtualization code (`pacat-simple-vchan`)
- Dom0-side in qrexec-related code (`qrexec_daemon`)
- VM memory manager (`qmemman`) that runs in Dom0
- Select Qubes RPC servers that run in Dom0: `qubes.ReceiveUpdates` and `qubes.SyncAppMenus`
- The `qubes.Filecopy` RPC server that runs in a VM (critical because it could allow one VM to compromise another if the user allows a file copy operation to be performed between them)

Security-critical Third-party Components
----------------------------------------

We did not create these components, but Qubes OS relies on them.
At the current stage of the project, we cannot afford to spend the time to thoroughly review and audit them, so we more or less "blindly" trust that they are secure.

- The Xen hypervisor
- Xen's xenstore backend running in Dom0
- Xen's block backend running in Dom0's kernel
- The RPM program used in Dom0 for verifying signatures on dom0 updates
- Somewhat trusted: log viewing software in dom0 that parses VM-influenced logs

Attacks on Networking Components
--------------------------------

Here are two examples of networking components that an adversary might seek to attack (or in which to exploit a vulnerability as part of an attack):

- Xen network PV frontends
- VMs' core networking stacks (core TCP/IP code)

Hypothetically, an adversary could compromise a NetVM, `sys-net-1`, and try to use it to attack the VMs connected to that NetVM.
However, Qubes allows for the existence of more than one NetVM, so the adversary would not be able to use `sys-net-1` in order to attack VMs connected to a *different* NetVM, `sys-net-2` without also compromising `sys-net-2`.
In addition, the adversary would not be able to use `sys-net-1` (or, for that matter, `sys-net-2`) to attack VMs that have networking disabled (i.e., VMs that are not connected to any NetVM).

Buggy Code vs. Backdoored Code
------------------------------

There is an important distinction between buggy code and maliciously backdoored code.
We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it would all be pretty useless if all the code we ran inside our domains (e.g. the code in our email clients, word processors, and web browsers) were backdoored.
In that case, only network-isolated domains would be somewhat trustworthy.

This means that we must trust at least some of the vendors that supply the code we run inside our domains.
(We don't have to trust *all* of them, but we at least have to trust the few that provide the apps we use in the most critical domains.)
In practice, we trust the software provided by the [Fedora Project](https://getfedora.org/).
This software is signed by Fedora distribution keys, so it is also critical that the tools used in domains for software updates (`dnf` and `rpm`) are trustworthy.
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00			`---`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`lang: en`
wiki -> doc migration 2015-04-10 16:17:45 -04:00			`layout: doc`
Revert "Remove all instances of `permalink:` in YAML frontmatter" This reverts commit c815e4c54c315dfca30c66f6a33e07b1ff90b786. https://github.com/QubesOS/qubes-issues/issues/6701#issuecomment-862822827 2021-06-16 22:56:25 -04:00			`permalink: /doc/security-critical-code/`
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`redirect_from:`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 18:14:40 -04:00			`- /en/doc/security-critical-code/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 03:04:59 -04:00			`- /doc/SecurityCriticalCode/`
Supporting more old trac links for backward compatibility in QSB. 2015-07-17 18:46:04 -04:00			`- /wiki/SecurityCriticalCode/`
			`- /trac/wiki/SecurityCriticalCode/`
Add lang + ref tags to frontmatter Those are fields used by the language switcher to correlate pages across different languages, even if they have different names/paths/titles. They are generated with the prepare_for_translation.py script. 2021-03-13 13:06:18 -05:00			`ref: 55`
Sentence case for titles 2021-07-08 21:06:41 -04:00			`title: Security-critical code`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00			`---`

Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`Below is a list of security-critical (i.e., trusted) code components in Qubes OS.`
			`A successful attack against any of these components could compromise the system's security.`
			`This code can be thought of as the Trusted Computing Base (TCB) of Qubes OS.`
			`One of the main goals of the project is to keep the TCB to an absolute minimum.`
Typo: order order 2023-03-08 10:35:11 -05:00			`The size of the current TCB is on the order of hundreds of thousands of lines of C code, which is several orders of magnitude less than other OSes.`
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`(In Windows, Linux, and Mac OSes, the amount of trusted code is typically on the order of tens of millions of lines of C code.)`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Refactor links in order to obey the new convention rule 2021-04-10 18:09:05 -04:00			`For more information, see [Qubes Security Goals](/security/goals/).`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`Security-critical Qubes-specific Components`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00			`-------------------------------------------`

Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`The following code components are security-critical in Qubes OS:`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`- Dom0-side of the libvchan library`
			- Dom0-side of the GUI virtualization code (`qubes-guid`)
			- Dom0-side of the sound virtualization code (`pacat-simple-vchan`)
			- Dom0-side in qrexec-related code (`qrexec_daemon`)
			- VM memory manager (`qmemman`) that runs in Dom0
			- Select Qubes RPC servers that run in Dom0: `qubes.ReceiveUpdates` and `qubes.SyncAppMenus`
			- The `qubes.Filecopy` RPC server that runs in a VM (critical because it could allow one VM to compromise another if the user allows a file copy operation to be performed between them)
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`Security-critical Third-party Components`
Consistently use the term "third-party" 2017-12-07 23:34:54 -05:00			`----------------------------------------`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`We did not create these components, but Qubes OS relies on them.`
			`At the current stage of the project, we cannot afford to spend the time to thoroughly review and audit them, so we more or less "blindly" trust that they are secure.`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`- The Xen hypervisor`
			`- Xen's xenstore backend running in Dom0`
			`- Xen's block backend running in Dom0's kernel`
			`- The RPM program used in Dom0 for verifying signatures on dom0 updates`
			`- Somewhat trusted: log viewing software in dom0 that parses VM-influenced logs`
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`Attacks on Networking Components`
			`--------------------------------`

			`Here are two examples of networking components that an adversary might seek to attack (or in which to exploit a vulnerability as part of an attack):`

Markdown formatting fixes - mark all code blocks with ``` - unify empty lines between sections - adjust list syntax (no space before dash) - adjust headers to use Atx-style syntax - remove trailing spaces 2021-03-13 12:03:23 -05:00			`- Xen network PV frontends`
			`- VMs' core networking stacks (core TCP/IP code)`
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00
			Hypothetically, an adversary could compromise a NetVM, `sys-net-1`, and try to use it to attack the VMs connected to that NetVM.
			However, Qubes allows for the existence of more than one NetVM, so the adversary would not be able to use `sys-net-1` in order to attack VMs connected to a different NetVM, `sys-net-2` without also compromising `sys-net-2`.
			In addition, the adversary would not be able to use `sys-net-1` (or, for that matter, `sys-net-2`) to attack VMs that have networking disabled (i.e., VMs that are not connected to any NetVM).
SecurityCriticalCode changed Moved page (previosly: Trusted_parts) 2011-09-19 05:17:04 -04:00
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			`Buggy Code vs. Backdoored Code`
			`------------------------------`

			`There is an important distinction between buggy code and maliciously backdoored code.`
			`We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it would all be pretty useless if all the code we ran inside our domains (e.g. the code in our email clients, word processors, and web browsers) were backdoored.`
			`In that case, only network-isolated domains would be somewhat trustworthy.`

			`This means that we must trust at least some of the vendors that supply the code we run inside our domains.`
			`(We don't have to trust all of them, but we at least have to trust the few that provide the apps we use in the most critical domains.)`
Refactor links in order to obey the new convention rule 2021-04-10 18:09:05 -04:00			`In practice, we trust the software provided by the [Fedora Project](https://getfedora.org/).`
Revise "Security-critical Code" (#651) 2018-05-16 21:00:15 -04:00			This software is signed by Fedora distribution keys, so it is also critical that the tools used in domains for software updates (`dnf` and `rpm`) are trustworthy.