mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-28 00:39:30 -05:00
Merge branch 'edit-security-critical-code-doc' of https://github.com/pierwill/qubes-doc into pierwill-edit-security-critical-code-doc
This commit is contained in:
commit
3555e143f6
2
doc.md
2
doc.md
@ -230,7 +230,7 @@ System
|
||||
------
|
||||
* [Qubes OS Architecture Overview](/doc/architecture/)
|
||||
* [Qubes OS Architecture Spec v0.3 [PDF]](/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf)
|
||||
* [Security-critical elements of Qubes OS](/doc/security-critical-code/)
|
||||
* [Security-critical Code in Qubes OS](/doc/security-critical-code/)
|
||||
* [Qubes Core Admin](https://dev.qubes-os.org/projects/core-admin/en/latest/)
|
||||
* [Qubes Core Admin Client](https://dev.qubes-os.org/projects/core-admin-client/en/latest/)
|
||||
* [Qubes Admin API](/news/2017/06/27/qubes-admin-api/)
|
||||
|
@ -9,50 +9,73 @@ redirect_from:
|
||||
- /trac/wiki/SecurityCriticalCode/
|
||||
---
|
||||
|
||||
Security-Critical Code in Qubes OS
|
||||
Security-critical Code in Qubes OS
|
||||
==================================
|
||||
|
||||
Below is a list of security-critical (AKA trusted) code in Qubes OS. A successful attack against any of those might allow to compromise the Qubes OS security. This code can be thought of as of a Trusted Computing Base (TCB) of Qubes OS. The goal of the project has been to minimize the amount of this trusted code to an absolute minimum. The size of the current TCB is of an order of hundreds thousands of lines of C code, which is several orders of magnitude less than in other OSes, such as Windows, Linux or Mac, where it is of orders of tens of millions of lines of C code.
|
||||
Below is a list of security-critical (i.e., trusted) code components in Qubes OS.
|
||||
A successful attack against any of these components could compromise the system's security.
|
||||
This code can be thought of as the Trusted Computing Base (TCB) of Qubes OS.
|
||||
One of the main goals of the project is to keep the TCB to an absolute minimum.
|
||||
The size of the current TCB is on the order order of hundreds of thousands of lines of C code, which is several orders of magnitude less than other OSes.
|
||||
(In Windows, Linux, and Mac OSes, the amount of trusted code is typically on the order of tens of *millions* of lines of C code.)
|
||||
|
||||
For more information about the security goals of Qubes OS, see [this page](/security/goals/).
|
||||
For more information, see [Qubes Security Goals].
|
||||
|
||||
Security-Critical Qubes-Specific Components
|
||||
|
||||
Security-critical Qubes-specific Components
|
||||
-------------------------------------------
|
||||
|
||||
Below is a code produced by the Qubes project that is security-critical.
|
||||
The following code components are security-critical in Qubes OS:
|
||||
|
||||
- Dom0-side of the libvchan library
|
||||
- Dom0-side of the GUI virtualization code (*qubes-guid*)
|
||||
- Dom0-side of the sound virtualization code (*pacat-simple-vchan*)
|
||||
- Dom0-side in qrexec-related code (*qrexec\_daemon*)
|
||||
- VM memory manager (*qmemman*) that runs in Dom0
|
||||
- select Qubes RPC servers that run in Dom0: qubes.ReceiveUpdates and qubes.SyncAppMenus
|
||||
- The qubes.Filecopy RPC server that runs in a VM -- this one is critical because it might allow one VM to compromise another one if user allows file copy operation to be performed between them
|
||||
- Dom0-side of the libvchan library
|
||||
- Dom0-side of the GUI virtualization code (`qubes-guid`)
|
||||
- Dom0-side of the sound virtualization code (`pacat-simple-vchan`)
|
||||
- Dom0-side in qrexec-related code (`qrexec_daemon`)
|
||||
- VM memory manager (`qmemman`) that runs in Dom0
|
||||
- Select Qubes RPC servers that run in Dom0: `qubes.ReceiveUpdates` and `qubes.SyncAppMenus`
|
||||
- The `qubes.Filecopy` RPC server that runs in a VM (critical because it could allow one VM to compromise another if the user allows a file copy operation to be performed between them)
|
||||
|
||||
Security-Critical Third-Party Components
|
||||
|
||||
Security-critical Third-party Components
|
||||
----------------------------------------
|
||||
|
||||
These are the components that we haven't written or designed ourselves, yet we still rely on them. At the current project stage, we cannot afford to spend time to thoroughly review and audit them, so we just more or less "blindly" trust they are secure.
|
||||
We did not create these components, but Qubes OS relies on them.
|
||||
At the current stage of the project, we cannot afford to spend the time to thoroughly review and audit them, so we more or less "blindly" trust that they are secure.
|
||||
|
||||
- Xen hypervisor
|
||||
- The Xen's xenstore backend running in Dom0
|
||||
- The Xen's block backend running in Dom0 kernel
|
||||
- The rpm program used in Dom0 for verifying Dom0 updates' signatures
|
||||
- Somehow optional: log viewing software in dom0 that parses VM-influenced logs
|
||||
- The Xen hypervisor
|
||||
- Xen's xenstore backend running in Dom0
|
||||
- Xen's block backend running in Dom0's kernel
|
||||
- The RPM program used in Dom0 for verifying signatures on dom0 updates
|
||||
- Somewhat trusted: log viewing software in dom0 that parses VM-influenced logs
|
||||
|
||||
Additionally when we consider attacks that originate through a compromised network domain and target the VMs connected to it. Those attacks do not apply to domains connected to other network domains (Qubes allows more than one network domains), or those with networking disabled (Dom0 is not connected to any network by default).
|
||||
|
||||
- Xen network PV frontends
|
||||
- VM's core networking stacks (core TCP/IP code)
|
||||
Attacks on Networking Components
|
||||
--------------------------------
|
||||
|
||||
Buggy Code vs. Back-doored Code Distinction
|
||||
-------------------------------------------
|
||||
Here are two examples of networking components that an adversary might seek to attack (or in which to exploit a vulnerability as part of an attack):
|
||||
|
||||
There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somewhat trusted, while all others could be not.
|
||||
- Xen network PV frontends
|
||||
- VMs' core networking stacks (core TCP/IP code)
|
||||
|
||||
The above means that we must trust at least some of the vendors (not all, of course, but at least those few that provide the apps that we use in the most critical domains). In practice in Qubes OS we trust the software provided by Fedora project. This software is signed by Fedora distribution keys and so it is also critical that the tools used in domains for software updates (yum and rpm) be trusted.
|
||||
Hypothetically, an adversary could compromise a NetVM, `sys-net-1`, and try to use it to attack the VMs connected to that NetVM.
|
||||
However, Qubes allows for the existence of more than one NetVM, so the adversary would not be able to use `sys-net-1` in order to attack VMs connected to a *different* NetVM, `sys-net-2` without also compromising `sys-net-2`.
|
||||
In addition, the adversary would not be able to use `sys-net-1` (or, for that matter, `sys-net-2`) to attack VMs that have networking disabled (i.e., VMs that are not connected to any NetVM).
|
||||
|
||||
Cooperative Covert Channels Between Domains
|
||||
-------------------------------------------
|
||||
|
||||
Qubes does not attempt to eliminate all possible *cooperative* covert channels between domains, i.e. such channels that could be established between two *compromised* domains. We don't believe this is possible to achieve on x86 hardware, and we also doubt it makes any sense in practice for most users -- after all if the two domains are compromised, then it's already (almost) all lost anyway.
|
||||
Buggy Code vs. Backdoored Code
|
||||
------------------------------
|
||||
|
||||
There is an important distinction between buggy code and maliciously backdoored code.
|
||||
We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it would all be pretty useless if all the code we ran inside our domains (e.g. the code in our email clients, word processors, and web browsers) were backdoored.
|
||||
In that case, only network-isolated domains would be somewhat trustworthy.
|
||||
|
||||
This means that we must trust at least some of the vendors that supply the code we run inside our domains.
|
||||
(We don't have to trust *all* of them, but we at least have to trust the few that provide the apps we use in the most critical domains.)
|
||||
In practice, we trust the software provided by the [Fedora Project].
|
||||
This software is signed by Fedora distribution keys, so it is also critical that the tools used in domains for software updates (`dnf` and `rpm`) are trustworthy.
|
||||
|
||||
|
||||
[Qubes Security Goals]: /security/goals/
|
||||
[Fedora Project]: https://getfedora.org/
|
||||
[Understanding and Preventing Data Leaks]: /doc/data-leaks/
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user