Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-18 04:04:39 -05:00
Code Issues Packages Projects Releases Wiki Activity
47f39e102f
qubes-doc/developer/system/security-critical-code.rst
Marek Marczykowski-Górecki b93b3c571e
Convert to RST
2024-05-21 20:59:46 +02:00

109 lines
3.9 KiB
ReStructuredText
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

======================
Security-critical code
======================
Below is a list of security-critical (i.e., trusted) code components in
Qubes OS. A successful attack against any of these components could
compromise the systems security. This code can be thought of as the
Trusted Computing Base (TCB) of Qubes OS. One of the main goals of the
project is to keep the TCB to an absolute minimum. The size of the
current TCB is on the order of hundreds of thousands of lines of C code,
which is several orders of magnitude less than other OSes. (In Windows,
Linux, and Mac OSes, the amount of trusted code is typically on the
order of tens of *millions* of lines of C code.)
For more information, see :doc:`Qubes Security Goals </developer/system/security-design-goals>`.
Security-critical Qubes-specific Components
-------------------------------------------
The following code components are security-critical in Qubes OS:
- Dom0-side of the libvchan library
- Dom0-side of the GUI virtualization code (``qubes-guid``)
- Dom0-side of the sound virtualization code (``pacat-simple-vchan``)
- Dom0-side in qrexec-related code (``qrexec_daemon``)
- VM memory manager (``qmemman``) that runs in Dom0
- Select Qubes RPC servers that run in Dom0: ``qubes.ReceiveUpdates``
and ``qubes.SyncAppMenus``
- The ``qubes.Filecopy`` RPC server that runs in a VM (critical because
it could allow one VM to compromise another if the user allows a file
copy operation to be performed between them)
Security-critical Third-party Components
----------------------------------------
We did not create these components, but Qubes OS relies on them. At the
current stage of the project, we cannot afford to spend the time to
thoroughly review and audit them, so we more or less “blindly” trust
that they are secure.
- The Xen hypervisor
- Xens xenstore backend running in Dom0
- Xens block backend running in Dom0s kernel
- The RPM program used in Dom0 for verifying signatures on dom0 updates
- Somewhat trusted: log viewing software in dom0 that parses
VM-influenced logs
Attacks on Networking Components
--------------------------------
Here are two examples of networking components that an adversary might
seek to attack (or in which to exploit a vulnerability as part of an
attack):
- Xen network PV frontends
- VMs core networking stacks (core TCP/IP code)
Hypothetically, an adversary could compromise a NetVM, ``sys-net-1``,
and try to use it to attack the VMs connected to that NetVM. However,
Qubes allows for the existence of more than one NetVM, so the adversary
would not be able to use ``sys-net-1`` in order to attack VMs connected
to a *different* NetVM, ``sys-net-2`` without also compromising
``sys-net-2``. In addition, the adversary would not be able to use
``sys-net-1`` (or, for that matter, ``sys-net-2``) to attack VMs that
have networking disabled (i.e., VMs that are not connected to any
NetVM).
Buggy Code vs. Backdoored Code
------------------------------
There is an important distinction between buggy code and maliciously
backdoored code. We could have the most secure architecture and the most
bulletproof TCB that perfectly isolates all domains from each other, but
it would all be pretty useless if all the code we ran inside our domains
(e.g. the code in our email clients, word processors, and web browsers)
were backdoored. In that case, only network-isolated domains would be
somewhat trustworthy.
This means that we must trust at least some of the vendors that supply
the code we run inside our domains. (We dont have to trust *all* of
them, but we at least have to trust the few that provide the apps we use
in the most critical domains.) In practice, we trust the software
provided by the `Fedora Project <https://getfedora.org/>`__. This
software is signed by Fedora distribution keys, so it is also critical
that the tools used in domains for software updates (``dnf`` and
``rpm``) are trustworthy.
Reference in New Issue View Git Blame Copy Permalink