2010-12-24

moving qubes`way on the mac

11.07: vm (virtual machine)-based security:
. an intro to security with virtualization
and a getting started manual for mac os x .
 .  this shows how some security experts have agreed,
vmware`Fusion can make the mac more secure .
[2013 update: my mac was destroyed while using
either vmware`Fusion/linux/pdf reader, or a usb stick.]

. a book on security against rootkits,
was saying that virtualization
is your first-line of defense against malwares
 -- including rootkits;
virtual computing can prevent
direct access to hardware;
and, avoid infecting firmware .
-- the threat of ruined firmware is a reason for
 avoiding the dual boot approach  (eg Bootcamp).

. mac is said to have good defenses;
because of its (partial) microkernel architecture
and its minority status;  but, of course,
that status is quickly changing .
. I feel safer knowing that vmware is an extra hurdle
between the internet and the mac's kernel;
it's revert to snapshot can flush out malwares
if they didn't manage to break the sandbox .

12.17: inviting friends
. you will benefit from trying vmware
and the mac-like ubuntu linux
 running within mac
for cool suspendable sessions;
it also provides secure roll-back-able sessions
-- only use of virtual machines
can prevent malware from ruining
your mac's firmware .
. I do now have all net routines running in ubuntu;
[... except itunes, ichat/skype, picasa,
and dictionary's wikipedia access ...]
. I still enjoy mac directly for non-internet:
finder, iphoto, xcode, ... .

who's using vmware`Fusion?

. this report introduces 2 security experts,
both of whom say they're using mac.vmware`Fusion:
while promoting other things as being safer .
(new to virtualization? see glossary)

Dr Heiser, co-founder and CTO of  Open Kernel Labs
toutes a formally verified microvisor!
--. his okL4 is now on 500 million  secure mobile devices !
he blogged in 2009:
. a hosted hypervisor like mac's vmware`Fusion
"( is great for PCs, as it allows you, for example,
to run Linux or Windows
inside an application on a Mac,

getting a bit of the best of two worlds. ...
 (for example I run Linux on VMware Fusion
on a Mac) ...)

 .  this professor of operating systems
goes on to say that a microvisor like his okL4;
is better at security and performance
than a huge app like Fusion
but at least it's presumed not preposterous
for a security expert to be claiming
usage of mac's Vmware`Fusion .

. Joanna Rutkowska and friends at
 Invisible Things Lab have designed QubesOS
for making it easy to use virtualization
to enforce correctness by isolation
-- Qubes is like a vmware`Fusion for Redhat linux,
only it uses a much smaller, safer hypervisor;
this is such a promising idea
that she was  listed recently as
 a "white hat to watch".

. speaking to Dino Dai Zovi, an author of
 "The Mac Hacker's Handbook",
Joanna defended the mac's security
with the caveat that she does her websurfing
in a browser virtualized by mac's Vmware`Fusion .
"(now an attacker needs to have a
VMWare Fusion escape exploit,
which I believe is a bit harder to find
than local kernel exploits for Vista or Mac.)
. in one interview she says her guest OS's
are Microsoft Windows;
apparently the Vista version at the time .

. I've been using Ubuntu's Linux instead;
but her choice had me wondering whether
 Linux has too many cooks in the kitchen;
I still think Ubuntu in VMware is safe enough,
and just as easy as mac
(at least for using web app's).

the military trusts (some) vmware:

More than 190,000 customers
—including all of the Fortune 100
as well as military and government installations—
trust VMware to virtualize their
 mission-critical applications.
however,
their Security Certifications & Validations
 --EAL4+(Evaluation Assurance Level) certification --
do not include the Fusion product:
# VMware ESX Server 3.5 -- not cheap .
# VMware vCenter 2.5

-- the military also helps catch bugs .
VMWare sandbox protection bypass 2008.04:
"( VMware would like to thank DoD's Andrew Honig
 for reporting this issue.)

contents

caveats and warnings

ok-labs warns vmware is no microvisor:

VMware is pretending to bring security
with their hosted hypervisor
--[compare them to a microvisor's
doubly-reduced attack surface:]
. the problem is that the hypervisor's host
is not a microkernel, but a huge place
with yet another uncaught bug,
and another potential malware
priviledge escalation exploit .
. the vmware can be corrupted by
malware originating in the host
which can then exploit vulnerabilities in vm's
to reinfect the host with a more potent malware .
. the vmware sandboxing ability
is only as good as the host's security;
[so, all websurfing must be done in vm's,
... and? ... anyway, soon Qubes will be stable!
it's based on Xen, not as safe as okL4 microvisor
but much safer than mac.vmware`fusion .]

Fusion's history of known bugs

# October 1, 2009 VMSA-2009-0013:
Kernel code execution vulnerability
. this is an interesting twist on reduced security;
it didn't give the sandboxed app's more power,
but it did give mac malware more power;
ie, mac was more vulnerable to its own apps !
"(  A file permission problem in the
   vmx86 kernel extension
 allows for
 executing arbitrary code
  in the host system kernel context
 by an
 unprivileged user on the host system. ) .
(CVE-2009-1244) breakout bug![candidate]
. alleged to allow guest OS users
 to execute arbitrary code on the host OS .
June 02, 2009 Immunity CANVAS Professional 6.47:
"(... exploits a vulnerability in VMware Display functions
in order to execute code from within a Guest VM
into the controlling Host.
Once exploited, the exploit tunnels a MOSDEF connection
over the Frame Buffer of the Guest
to communicate with the Host.)
# June 4, 2008 VMSA-2008-0009.2
critical security issues
# May 30, 2008 VMSA-2008-0008
critical security issues
... vmware's security blog...

book: Virtualization for security

p69 leaky sandbox warning

.  sandboxes like vmware are not complete;
the only sure protection against
sophistocated malware
is to periodically reset your entire system
with something like mac's Time Machine
or some other drive image recovery .

p105 sensitive data warning

. the interface supporting vmware tool's
creates a network between the guest and host OS's;
any such additional networking brings
 increased risk ( more attack surface) .
. installing the vmware tools in the guest
uses that network to share the clipboard;
and, any processes on a running guest
can view the clipboard at any time;
[so, if you're executing private operations
any untrusted guests must be suspended .]

 vmware sandboxing is complicated

... A virtual machine (vm) realizes a sandbox.
The holes of the VMWare sandbox are the emulated devices.
Thus, communication is rather expensive
and stating a security policy in terms of an emulated device
may be a difficult task. ...

2010.3: CanSecWest Applied Security Conference
. security researchers at Google,
over the last several years,
have discovered 20 kernel bugs,
about half remaining unpatched,
affecting Windows, Linux, and VMware .
. we must reduce the kernel attack surface
--[by moving to microkernels or microvisors .]
. attacks against kernel flaws are few in number
because they take an increased sophistication to pull off;
but, they could give cybercriminals complete access
to a system and all its resources .

vmware does not claim to be a security boundary
.  vmware [Fusion] does not claim to be a security boundary,
And indeed, it can be popped: [(CVE-2009-1244)].

vmware slowing mac can falsify gui

. when asking vmware to multi-task huge jobs
with large mac jobs, like the finder,
the mac gets starved for cpu time
and the gui becomes unreliable;
eg,
I was trying to open a folder in tree view,
but the mac`Finder was showing
 -- for a long time -- that it was empty;
that's a test I use for folder emptiness
before a deletion!
. generally,
if asking vmware to do any large job
(create or modify a vm, start microsoft, ...)
then don't use the mac for anything else;
also, luck with performance may vary
when having more than one vm open .

virtualization glossary

. a hypervisor  is making one machine
look like more than one machine
 and allowing each of those ‘virtual’ machines (vm)
 to run a different operating system .
. the term was coined by IBM's Don Skiba 1966,
when the OS was called the supervisor .
(it still is: when programming chips,
the OS kernel runs in supervisor mode;
apps run in untrusted user mode).
. the original "hypervisor" had the job of
switching between instruction sets,
so that one machine could run both
 {360, 7080} instruction sets .
"hypervisor" is modeled after "hypersphere":
. an OS is an app supervisor,
so a hypervisor is implementing multiple supervisors;
see it as higher-dimensional supervision,
hence hyper-supervision,
abbreviated as hypervisor,
like a higher dimensional sphere is a hypersphere .

. vmware Fusion is a hosted hypervisor:
implemented as a mac app,
the mac is said to be its host OS;
within the vm's are guest OS's .
. a hypervisor that needs no host OS
is of the native or bare-metal kind .
. if the native hypervisor has a microkernel
(where its supervisor code is minimalized
by running most of its code in user mode)
then it's called a microvisor.

. paravirtualization is when the hypervisor is
modifying the OS code before running it
so that supervisor-mode calls
are replaced with calls to the hypervisor .

. the brave new technology to be careful with
for fear of virtualization rootkits
 is  hardware virtualization (eg, Intel VT-x):
. the hardware is doing the same thing
 as  paravirtualization only without
 having to actually modify the guest OS .
. in VT-x mode, supervisor calls are
no longer executed directly
but instead reported to the hypervisor .
. the avoidance of OS modifications
allows unmodifiables as guest OS's .

. the key to isolating network activity is VT-d
(Intel's Virtual'Tech' for Directed I/O)
. this provides OS Protection:
An OS may define a domain containing its
 critical code and data structures,
and restrict access to this domain
 from all I/O devices in the system.
This allows the OS to limit corruption from
mal-programmed device drivers,
thereby improving OS robustness and reliability.
. it provides reliability by
recording and reporting to system software
any addressing and interrupt errors
that would otherwise corrupt memory
or impact VM isolation .
TPM (Trusted Platform Module)
 generates keys and certificates for private environments
and manages the machine trust state,
that can check the security on a workstation
 with a high level of confidence .
.  TXT (Trusted Execution Technology)
polices app's from invading each other
with the use of VT-d and TPM .
. the Free Software Foundation is concerned
it could be used abused for vendor lock-in.

vmware`Fusion 3.1

. this section shows how to get Fusion 3.1 on the mac,
install Ubuntu Linux into a vm;
get firefox secured, chromium watching movies,
reinstall vmtools, take a snapshot, clone a vm,
and move fluently between mac and ubuntu .
[12.18:
. Ubuntu's latest version is 10.10;
it's not fully supported by vmware yet;
so, for use of suspend and folder-sharing with mac
I'm using the 10.04 version .]

my notation for navigating a gui

. mac`menu#file/save as.../(select)
is saying:
among mac's numerous menu's,
open the file menu, then another submenu, ... .
. the div "/" as used here,
is a generalization of folder/subfolder;
there's also,
menu/submenu/dialog/a.button .
. ThatFile`right-click.menu/...
is saying:
 right-click on ThatFile
and choose from its context menu .
. a non-literal is in parentheses:
(your selected file)`right-click.menu/ .

sources and reviews

try the free trial version; Video Tutorials

see Apple Store's reviews:
. some users report Fusion can slow your mac down;
but, that's when microsoft's OS is getting settled in;
if you stay with linux it's fine .
. any users with crashing problems
didn't mention their ram investment;
I'm using 4gb ram
( with 2gb assigned to vista, 2gb to mac;
or else 1 gb to ubuntu linux, 3 gb to mac);
another source of slowness
is asking vmware to rollback changes;
plan to do nothing with your mac for a while
if you're rolling back a large installation .

ensuring your download is genuine

. when you're given access to a vmware download,
it will tell you what its MD5 signature is;
a base-16 number like this:
MD5 = d41d8cd98f00b204e9800998ecf8427e
. you can ensure the download is not tampered with
by using the md5 command to calculate
 the download's signature .
. open the terminal window with this:
/Applications/Utilities/Terminal.app
. when you drag a file
into the mac's terminal window;
the terminal will turn the file into a filename;
so, to get the download's signature,
type "md5" and a space, into the terminal,
then drag the vmware download into the terminal .
. the terminal window's text can be copied;
so paste into an editor
beside a copy of the declared signature
to easily see if they're identical .

Fusion doc's and resource

Documentation  Release Notes; Official FAQ;
forums; Forum's faq; HOWTO's
Official Product Support Page

Getting Started with VMware Fusion 3(pdf)
A Power User's Guide
Choosing the Right Virtual Machine Settings

vmware's Open Virtual Machine Tools:
. they've open-sourced the vmtools;
these are installed into a vm
in order to make cut&paste work with mac,
and for sharing folders .

getting a mac-like OS

. Fusion supports many guests:
# Mac OS X Server, freebsd,
# feature-loaded linux's,
# the high-reliability microkernel minix
# Windows 7 -- for Dragon Naturally Speaking;
however,
Fusion supports some guests better than others;
only Ubuntu Linux and  Microsoft are
fully integrated with the mac .

ubuntu is the mac of linux world:
 . it has a thoroughly graphical environment
(though it's style tends more towards microsoft's);
but, vmware helps with style:
whether you're on Ubuntu or Windows,
your mac's keyboard shortcuts also work
 in your guest machines;
eg, ⌘-c does a copy
(and so does control-c, in ubuntu only, as expected) .

. it was as if mac had linux virtualization in mind
when it made its keyboard choices,
looking at tab.keying:
# ⌘-tab moves through mac app's
(Fusion is a mac app)
# alt-tab moves through ubuntu app's (within ubuntu)
# control-tab moves through tabs of any current window .

. ubuntu's download page .
. mit.edu is a ubuntu mirror near the usa`east coast;
# current version(10.10) is not fully supported by vmware;
# Ubuntu 10.04 has full vmware support;
# (direct link to 10.04 for east coast).iso

creating a new vm(linux in virtual machine)

. if you don't have a bootable cd in your mac,
this should go as expected ...
. this asks Fusion for a new vm from an .iso file:
Fusion`menu#file/new../[continue without disk].button/ -
[use operating system installation disc image file].button;
(select the .iso file containing ubuntu);
. it should detect (OS: linux, Version: ubuntu);
and find you eligible for [easy install] .

[use Easy Install?].checkbox: yes;
[make your home folder accessible to the vm].checkbox: no;
-- I let my vm's share only certain folders,
those that are sure not to have private data .

. the username & password you're making
 is for your root acct; (the superuser or admin
 who can make unlimited system changes);
keep in mind you'll want 2 acct's {admn, user};
a user acct's password is used more often
and need not be quite as secure; whereas,
the pass for installation should be very secure,
or changed before web surfing .

. it gives you the chance to choose settings
(selecting shared folders, ram size, ...)
. with 4GB on my mac, I give linux a 1000mb
rather than the default 512mb .
. you can also do that later, here:
Fusion`menu#virtual machine/settings.../sharing/ .

getting settled into ubuntu

. just as on the mac,
your first ubuntu acct is an admin acct,
creating the user acct can be arranged here:
ubuntu`menu#system/admin'/users and groups .

. the default is to ask you for a password
any time ubuntu is unattended for 5min;
that can be changed here:
ubuntu`menu#system/pref's/screensaver/ -
[lock screen when screensaver is active].checkbox .

. when ubuntu is first installed,
it will say there are urgent updates
waiting for you to install
 -- before doing any web surfing!
the updates require your admin pass, and a restart .

. see the slideshow of outer space shots
ubuntu`desktop`right-click.menu/ -
change desktop background:
-- awe inspiring in full-screen mode:
ubuntu`menu#view/full screen .

.  adding applets to menubar:
ubuntu`menubar`right-click.menu/add to panel.../ ;
also, items from the menu can be
 dragged to the menubar
where they will stay for quicker access .

ubuntu linux doc's

New to Ubuntu
forum's and tutorials
security ideas

the ubuntu app store!

. here you can see what software is preinstalled:
ubuntu`menu#applications/ubuntu software center/ -
left.sidepanel`[installed software].tab .

. then there are thousands of openwares
to both download and install with a single click:
left.sidepanel`[get software].tab .

chromium with adobe flash player

. google's chromium browser
is useful for searches on foreign sites;
it automatically translates them .
. in the case of ubuntu's chromium,
google has made the flash player optional .
. when you go here:
ubuntu`menu#applications/ubuntu software center/
and, use the search box (chromium );
ubuntu 10.10 (but not 10.4)
will also show you the adobe flash plugin .
. there's a sound control on the menubar:
ubuntu`menubar/sound waves.icon .
. since chromium doesn't yet support
complete script control
I use it only for flash movies,
and translating foreign sites .
(... it's installed only on a vm meant for random web .)

firefox with noscript and wot(web of trust)

. ubuntu's default browser is firefox:
ubuntu`menubar`firefox.icon (a red fox on blue earth)
it has some security add-on's:
{ noscriptwot }
 firefox`menu#tools/add-ons/[get add-ons].tab/...
(use the search box to bring them into view) .

. one annoying thing about noscript
is that it can leave you wondering
how a website can be so useless,
and then you remember it needs scripts;
so, for each site, you have to decide
if their content is worth risking their scripts;
but, noscript is worth it,
you'd be suprised how often
even reputable sites are compromised:
. I was looking at a science news site
and a wild harddrive scan reminded me
I didn't have noscript installed!
-- I was in my html editor (also a browser,
but I hadn't planned on browsing with it) .
[12.21:
. let the noscript annoyance be your reminder
that vm's are run in pairs:
while the main.vm runs with noscript,
the wilderness.vm can run scripts
but then gets rolled back to flush out malware .]

. I made an html page of links
that I want firefox to show on startup:
file:///mnt/hgfs/SharedWithMac/index.html

. here's how to get and set that link:
firefox`menu#file/open file.../(choose file);
firefox`menu#edit/pref's/general.tab/ -
( when firefox starts: show my home page
, homepage: use current page
, save files to: (another shared folder)
).

vmware's time machine (snapshots, rollbacks)

. after preferences and updates are complete,
take advantage of vmware's time machine:
Fusion`menu#virtual machine/snapshots/take a snapshot../ .
. since rolling back also wipes out security updates,
I take a snapshot after each update .
the entire clean routine is:
( when alerted that updates are ready,
then do:
rollback to previous snapshot point,
apply updates, take new snapshot,
optionally delete old snapshot
).
-- one great reason for vmware's time machine:
uninstalling seemingly irrelevant Ubuntu app's
may leave your system in a mess;
but, no worry:
just take a snapshot before making any changes .

12.7: snapshot seems unfamiliar!
. rolling back to this snapshot left things very basic,
without even any vmtools?
... I think that's a vmware shortcoming;
I'm nearly sure vmtools was in place,
but it may not have suited the
more current version of vmware fusion).

12.9: rollbacks confuse updater:
 . I have a bunch of ubuntu`updates?
backup firefox and rollback before update .
. after a rollback, it says
 there's nothing to update?
use admn acct to check update mgt settings:
instead of notify-only,
have it install all security updates;
now have it check again: ok;
(or maybe the [check again].button
doesn't really work in a user acct?).

12.10: update mgt
/notifications only:
. while config'ing the update mgt
for one of the vm's
it occured to me that if I have a policy of
not allowing updates until rollback,
then none of my vm's should be
letting the update mgt
apply security updates without asking user;
I had changed that option for one vm (main),
because I was looking for work-arounds to the problem of
rolling back just before an update
would leave update mgt with the impression
that I didn't need an update .

12.10: mis: am I dumping updates?
. ubuntu 10.10 wanted to do more updates
but didn't I just do the same bunch yesterday!
is my vm-update routine somehow dumping updates?
. the routine is supposed to apply available updates,
then when it says updates are installed,
I set that state as the point to rollback to;
but what if the update mgt
is implicitely expecting a restart ?
. maybe I should restart after all updates
since it may not be obvious which updates
need a restart? .

cloning a vm

. the new vm created by the instructions above
can be found in  your mac's documents.folder:
~/Documents/Virtual Machines .
. the new install is a 6gb file;
Microsoft's install with 4snapshots is 68gb
or 44gb with 2 snapshots  .

. you can clone a vm simply by copying it;
first though, be sure vmware is not active .
. after copying the vm,
click it open to introduce it to vmware:
it needs to ask you whether your copied vm
was copied or moved;
 if you check your vm library:
Fusion`menu#virtual machine/snapshots/snapshots.../,
or
 Fusion`menu#window/virtual machine library/ -
(right-click a vm)`menu/snapshots/.. ;
you'll notice that your copy's name
is still the same as the original's .
. if you enter the library from the known copy,
the copy will be selected for you in the library;
to make its library name match its filename,
the right-hand pane of the library
has editable text fields
for the vm's name, and notes .

12.7: mis:
. caution when using the finder
for renaming the vmware's vm files;
vmware considers a rename
 to be moving the vm,
so when it asks you after a rename
whether this has been moved or copied,
the appropriate response is
you moved it .
-- links related to moves:
 format converterOpen Virtualization Format,
Fusion runs vm's created on pc's and linux boxes)

sharing mac`usb devices:

 . Fusion lets you share all your
 removable drives, and usb devices;
like so:
just as when sharing a removable between real machines,
you need to virtually unplug
from a host to a guest, and vice versa,
here:
Fusion`menu#virtual machine/usb/... .
or, if you're in single-window.mode
(Fusion`menu#view/single window),
you can see the usb icons
 at the bottom of any vmware window frame .

sharing mac`folders:

. selected folders on your mac
can be accessed by guest machines
by sharing folders you select:
Fusion`menu#virtual machine/shared folders/...
or
Fusion`menu#virtual machine/settings/sharing/..

. on a linux guest,
the shared files are found in:
ubuntu`menu#places/computer/file system/mnt/hgfs/
. on a microsoft guest,
shared folders are reached from a
network icon on the desktop .

. on microsoft guests,
in addition to shared folders,
there can be mirroring of common folders:
(desktop, documents, music, pictures).
. mirroring a folder like Music makes sense
even though you are mixing
 {mac, pc} music formats,
because vmware`Fusion lets you
 associate pc`types with pc`app's,
like so:
Fusion`menu#virtual machine/settings/ -
sharing/shared applications/
{ [allow your mac to open app's in the virtual machine].checkbox
 , [allow the vm to open app's on your mac].checkbox
} .

sharing mac`desktop

. unity mode  (Fusion`menu#view/unity)
is very useful unless you routinely need
your guest OS's menubar .
. it can also be buggier than other views:
# . I use the mac's widgets to see google's calender
and that wasn't showing time correctly
while vmware was in unity mode .
[or it could have been vmware was very busy
and I didn't notice it except when handling widgets ...]
. I only had the problem once,
but if you need the correct time ...
# . if you suspend a vm in full-screen mode,
it remains glued to your desktop, unclosable !

. when running multiple vm's (one for
 each of the various security domains)
it helps to stay organized by
keeping main.vm in full screen
(Fusion`menu#view/full screen),
and have wilderness.vm in window mode
(Fusion`menu#view/single window);
then flip between vm view's with ⌘-[~] .

reinstalling vmtools

. an Easy Install will automatically provide vmtools;
but, after a major system update,
sometimes the vmtools will have been overwritten;
(symptoms include: 
# ubuntu is no longer showing the shared folders,
# the cut&paste between OS's doesn't work) .
however:
. if vmtools cut&paste seems lost
 even when no updates occurred,
Fusion may simply need a restart .
quitting Fusion will suspend the current vm;
I didn't need to restart the vm's OS, only Fusion .
also:
. certain web app's (in browsers) can also be finicky;
the cure was to copy from the web app's text field
into a text editor within the same vm;
then copying from the text editor
should make it pastable into the mac .

. to reinstall vmtools, use:
Fusion`menu#virtual machine/update vmtools .
. this opens a virtual cd drive
containing vmwaretools.tar.gz,
which you can unpack by a  context menu:
vmwaretools.tar.gz`right-click.menu/extract to.../
. I'll choose desktop for this example;
the unpacked folder is: vmware-tools-distrib;
inside that is the installer script:
vmware-install.pl
-- it has to be run in the terminal,
like so:
. the ubuntu terminal works like the mac's does:
if you drag an item into it,
it turns into a pathname
that the terminal can understand .

. this opens the ubuntu`terminal:
ubuntu`menu#applications/accessories/terminal .
. to run vmware-install.pl
you need to be admin user;
in the terminal that means
 the vmware-install.pl command
needs to be prefixed with (sudo );
so, type in "sudo" then a space,
then drag vmware-install.pl
into the terminal; and then the enter.key .
. that should result in the terminal window
 containing this:
sudo '/home/admn/Desktop/vmware-tools-distrib/vmware-install.pl'

. after it asks for your admin password,
it then asks you a bunch of questions;
respond to all of them with the enter.key
to choose the default selection .

the qubes`way

what's holding up full vm use?

11.23:
(  the vmware pasteboard is not just limited;
it's buggy, sometimes a double paste
will give 2 results:
the old value, then the new!
)
. the solution to vmware's buggy pasteboard
is to get more into vm's, and do all logging
within the same machine I'm working in
so then the inter-machine pasteboard is not needed .

. I need to explore why I'm still working in dom0;
even though I constantly use the net;
which is heavily tied to logging:
not much gets read without taking some notes .
. what are the psychological hurdles
to doing all work in mac.vmware.linux vm's ?

. my usual routine is to do only web in a vm,
and then not trust that machine
-- not even with my log,
which stays in dom0 (directly on the mac)
along with banking and credit card shopping .

. the log has been mostly cleaned of privates
since I also use that log on a laptop
which isn't currently running vm's;
but there are on-going problems with
bank log leakage, the problem being:
 having a separate log for banking
is going to complicate log backup,
increasing the risk of loss or dup's .

. if the log is going to be visible to every vm,
I should keep the old log's off the card,
since there is too much to sort . [11.24: done]
. for the recent logs (in pim/log),
do a search of all filenames in "(bank),
and move those to aspect encrypt/log`bank . [11.24: done]

. give the banking vm access to
aspect encrypt/log`bank;
 [... or just work through pasteboard .]
. after a bank session do backup:
(from dom0 where my card crypt is accessable)
backup the dom0/aspect encrypt/log`bank
into card's crypt .
. to remind self that bank needs bak'ing,
keep a 99link in the log
that goes to where banking is . [11.24: done]

12.10: design

. this section discusses various ways of
 assigning jobs to vm's,
and the details of getting into
having all internet done in vm's
rather than directly on the mac .
. I also have a choice between
new versions of Ubuntu, and
versions supported by vmware
(that support provides rollbacks
and suspend modes).

vm's for password classes:

. one of my instinctive reasons for separate vm's
or for having separate rollback sessions,
is for isolation along the lines of
varying importance of particular passwords:
{ high-value passes: banking, private email;
, medium-value passes: social sites, forum, wiki, blog;
, low-value passes: identifiers for access to news, etc .
}
[12.10: the primary practical reason for https isolation
is the [man in the middle] attack
via browser scripting .]
. trackers may be reading the pasteboard
(for if you use a pass file
to remember long passes);
or, they might even be reading the keyboard
(for if you use macro keys or self-memory).

. some have warned that browser's (all?)
cannot securely store your passwords! [12.4:
eg, Lauren Twele  27 Jul 2010:
Even though the password function in Firefox is
useful and convenient, it is important to remember
that this tool does not provide
 audit logs
, access control
, reporting or provisioning.
The Firefox password tool would not meet
compliance or security standards in many organizations.
-- it needs identity and access management . ]
. for secure browsing where privacy is money,
it's good to have rollbacks or disposable vm's .

rollbacks

. reasons to roll back a vm include:
# having an undo after breaking the system,
# routinely cleaning the system of infections,
# routinely cleaning the system of sensitives
in anticipation of the next infection .

. complications of rolling back include:
# system updates:
. if routinely rolling back,
don't accept updates without rolling back first;
then replace the base snapshot
with the fresh update .
# app' updates:
. some app's are getting updated with your data:
eg, the browser is routinely used for saving
both bookmarks and low-value passwords .
. if the browser can vary the places
where it stores such app'support data,
then that should be stored off-vm
(using vmware's shared folder system);
or,
for each roll-back, these app's need to
have their app'suport data backed up .
(firefox makes this easy,
but if it's not automated, it could be forgotten).

suspend

. how does it cramp style that the
new ubuntu (u10.10 vs u10.4)
can't be suspended due to
not being officially supported?
suspending a vm is like hibernation mode;
and, is very useful for the main.vm's work:
letting you come back to the same session state
even after a shut down & plug-pull
(vs a sleep mode which crashes on plug-pull);
without hibernation,
unplugging a session means one needs to note 
the location of all open documents
and the reason they are open .

organization of vm's

. what is the minimal necessary set of vm's?
so far there's only been these 2:
# https:
{banking, shopping, other important https}
# main:
{ web mail, my social sites;
  , most other sites muzzled with noscript
}.

https.vm for banking vs shopping:
. where does online shopping fit in?
many shopping sites need banking (credit) info,
but they are not trusted because of
3rd party ad's .

email for news vs correspondence:
. many emails lead logically to news sites;
or to google searches that lead to
more news sites -- with 3rd party ad's .

12.9: pos: 2-vm organization:
. instead of using a separate machine for https,
I could just rollback for each session;
so then there would be 2 major vm's:
# stateless -- rollback for each session
# stateful -- for where
frequent rollbacks would be a hassle .
. what if I forgot to rollback ?
then without separate
 {https, wilderness} machines,
I'd very likely be banking on an infection;
but with 3 vm's, the worst likely case of
 forgetting a rollback on https.vm
is that some shopping site
might infect a banking site .
. shopping sites involve both unsecured
and sensitive info;
I should use some reminder as wallpaper
on that https.vm ... [12.10: or!
I should be doing shopping transactions on wilderness.vm
after rolling it back
(I'll naturally be reminded of that one rollback,
exactly because "(wilderness)
is taking credit card info! ).]

. reviewing my summary of the qubes routine,
my current variation of it will use 3 vm's,
and will split reuse of my current firefox profile .
. firefox profile is saved:
firefox`menu#help/troubleshooting.../[open containing folder].button

# main (yellow.vm):

-- suspendable (u10.4) --
. non-private email and firefox.noscript;
--
reusing old firefox profile(medium-value passes):
. the current noscript`whitelist is quite large;
most of these script bases are not needed for
routine work,
and should be relegated to the wilderness.vm,
so, reinstall the noscript,
or otherwise delete the current whitelist .
. firefox's low-level passwords should be kept .

# wilderness(red.vm):

-- uses latest features
vs suspendable (u 10.10) --
. when searches on the main.vm are bumping into
sites that need scripts in order to view the content,
that's your reminder to take that search
to the wilderness.vm .
. for online shopping, use this wilderness.vm
until ready to use https .
. wilderness.vm is also for research,
so vmware`suspend would be nice,
but wilderness also needs
multi-media that's best left to the
most current OS version;
eg, the latest ubuntu does have
a slicker version of chrome
working with adobe flash .
. firefox can partially help with hibernation
by saving the current tabs .
--
reusing old firefox profile
(keep the noscript`whitelist
, toss all but no-count passes ):
. noscript settings may be useful,
because services already allowed are usually safe,
and while you expect the wilderness.vm to get infected
it would be nice if crashings were minimized;
however,
the wilderness.vm shouldn't have
any passwords needed by main.vm's work
(a few trusted sites that minimize 3rd-party ad's);
so, if using the old firefox profile
is there any way to erase its passes ? yes .

# https-only (green.vm):

-- rollbacks (u10.4) --
. for banking and credit cards with https,
use the secure-connection vm,
and roll it back between each acct .

. the first level of defense for this banking vm
is not mixing {HTTPS, HTTP} connections
in order to avoid the man-in-the-middle attack;
the 2nd level of defense is realizing that
good sites can still get cracked,
therefore, they must be protected from eachother;
hence, ideally, there should be a rollback
between every https site session .
. also, don't trust https sites with
each others' passes:
if using a pass file, access it from dom0,
or have a separate pass file for each acct,
and copy that file to a shared folder .

. since vmware`rollback is important
it might be less risky to
use an officially vmware-supported os?
hence, to avoid having to
gamble or research on
what official support really means,
I'm using the supported u10.4
instead of the latest u10.10 .

-- no reuse of old firefox profile:
. can https sites be trusted to
stay out of the browser's passwords ? no .

implementation

12.8: concurrent use:
. to keep main.vm out of trouble,
the wilderness.vm needs to be easy to use;
ie, {main, wilderness} should both be
 running at the same time;
and, it should be easy to see where
3 vmware windows are:
{ vm library, main.vm, specialized.vm }
where the specialized.vm will be either
{wilderness.vm, http.vm, vista.vm }.
. library is upper-left corner,
main is shifted to left,
specialized is shifted to the right .
when the dom0`display is 1900x1200,
each vm`window is sized to 1200x1000 .

12.10: pos: too many changes for rollbacks:

. it's not easy getting into the habit of
rolling back to base before any changes,
-- the purpose of that is:
 all deliberate changes can part of new base
without letting any unintended changes get in .

. here's another reason for 3 vm's:
in the vm where infections are not likely,
lots of convenience adjustments can be made,
while in the wilderness.vm or https.vm,
inconvenience can be tolerated,
because we're not staying long
or doing anything too complicated .

12.10: mis: need reminder of admn vs user acct:
. I left main.vm in the admn acct, again?
. I need to put admn`acct's wallpaper set to
something alarming, like flowers .

# main.vm:

. my original (u10.4).vm is reused .
12.7:
. 10.4's firefox profile is copied again;
now I wipe out noscript's whitelist,
(firefox`menu#tools/add-ons/noscript`pref.button)
-- the new white list will be
just my social sites and email;
and this is my main.vm .
after cleaning out old snapshots .

12.8: mis:
acct priv's switched:
. the main acct was actually an admn acct
when I applied all those nice mod's to it?
I thought that was my user acct;
but that was a change I'd only done to u10.10
and the ubuntu's that went on the laptop .
. just flip things by making both admn's,
then setting the mod'd one to user mode  .

12.23: pos: private access:
. I need a vm that lets me access private data
and at the same time use https sites
for email and banking
(can vmware share mac's encrypted volumes? yes).
. the way I'm doing it now though
uses fewer vm's, or simplifies the https.v;
and, the only problem
(that of finding private dup's unexpectedly)
is fixed by arranging a mac-shared folder
with subfolders per intention:
{ copies for sharing with email
, things to be merged with private records
} .

12.23: mis: chrome accidently ran scripts in main.vm:
. I was using main.vm's chrome for watching
changes my html editor was making locally;
but eventually,
I was accidently using it for the web too?
uninstall it from the main.vm .

12.8: main.komodo:

. main.vm gets a manual installation of
my favorite text editor, komodo edit
 because it's not available from
 the ubuntu software center
(ubuntu`menu#app's/ubuntu software center)

its installer reports:
install: Installing ActiveState Komodo to
'/home/addn/Komodo-Edit-6'...
install: 'Komodo Edit-6.desktop' desktop shortcut created at
'/home/addn/Desktop/komodo-edit-6.desktop'
create a symbolic link to 'komodo', e.g.:
ln -s "/home/addn/Komodo-Edit-6/bin/komodo" /usr/local/bin/komodo
Documentation
bugs: komodo-feedback@ActiveState.com

. how does that .desktop file work in gnome?
(gnome is the std desktop system in ubuntu);
I studied it by changing its type to .txt,
that changed its icon;
clicking on it will now open the editor,
but won't open the thing I clicked on;
so, it must really be acting like a desktop shortcut,
but why? only because I changed its type to .txt?

. gnome lets us browse for a program
that will open a given doc type
and komodo needs that assist:
/home/addn/Komodo-Edit-6/bin/komodo .

12.8: main.komodo/relocated:

. linux's user mode protects us
only by restricting access to system folders,
and, expecting us to put binaries there .
. one problem with komodo being kept in
my home folder [@]/home/addn/Komodo-Edit-6/bin/komodo
is that it weakens user mode .
. assuming that, I next try to reinstall komodo
in the system folder /opt/ko .
-- I wasn't sure if I needed to pre make a subfolder,
so I did that with this:
addn@ubuntu:~$ cd /
addn@ubuntu:/$ cd opt
addn@ubuntu:/opt$ sudo mkdir ko
[sudo] password for addn:
-- next I'll cd to where the installer is
-- and the reinstaller looks like this:
sudo ./install.sh -I /opt/ko
-- now I'll make a link"ko in home folder:
sudo ln -s "/opt/ko/bin/komodo" /home/addn/ko

12.8: main.komodo/uninstalling:
. the old komodo install in my user acct
won't simply go away by a delete;
it claims it's locked by root,
so this root acct was able to delete it:
root@ubuntu:/home/addn# rm -r Komodo-Edit-6
[12.9: strangely, the next day
I had to redo removal of komodo install for an update
but, I couldn't find that command in the menu anymore?
something about switching acct's and passes?
it's there if an admn acct has the same pass as root? .]

12.8: main.vm/getting settled in:
. moved my routine logging process
 from mac (dom0.vm) to main.vm,
find smaller editor font .
[@] komodo`menu#edit/pref's/fonts&colors/fonts.tab
. resetting the base snapshot again .

12.9: main.komodo/reinstalling for update:

. the beautiful thing about the ubuntu software center
(ubuntu`menu#app's/ubuntu software center)
is that it automates updates;
komodo edit needs to be updated manually:
. komodo said it has a stability update
and that it needs an admn;
ok, ask again with an admn:
same problem? it needs better support for linux!
(or it's bugging me to buy the full version).

sudo rm -r ko
-- old install has to be deleted .
sudo mkdir ko
cd '/home/f/Desktop/Komodo-Edit-6.0.3-6811-linux-libcpp6-x86'
-- drop the installers dir into the terminal window .
sudo ./install.sh -I /opt/ko
-- Komodo Edit-6.desktop has been installed to: /opt/ko .

# wilderness.vm:

12.5: 10.10 status:
. u10.10 has one snapshot,
it now has no saved passes .
[12.7: this is wilderness.vm ]

12.8: wilderness.vm's base snapshot prep'ed:
. get the base snapshot ready:
resolution needs enlarging,
need to reduce font sizes;
shared folders"{exo, home, obj} should be
 readonly since wilderness is
 expected to get infected;
the only writable share is log(from vmwares),
and I'll be pulling stuff from there each web session
using the main.vm .

12.10: mis: lost shared folders:

. starting wilderness.vm shows it lost vmtools;
hence the loss of shared folders,
but a re-install turns up troubles:
. the vmtools`installer says:
"(
The path "/lib/modules/2.6.35-23-generic/build/include"
appears to be a valid path to the
kernel headers of the running kernel.
Would you like to change it? [no]
WARNING:
This program cannot compile any modules
for the following reason(s)...
- This program could not find a valid path to make.
Please ensure that ... gcc, binutils, make
and the kernel sources for your running kernel
are installed on your machine.
)
. it needs the kernel sources?
one of the options for update mgt
is being able to download sources
...
. the update mgt changes didn't help ?
well the usb hd can take things in batches .

. the last thing I did to this ubuntu 10.10
was set shared folders to read-only;
but most significantly,
there were major updates, right?
(it's not my policy to be
 logging every update of every vm,
but maybe that would be helpful ...).
[... again,
u10.10 is not officially supported
and in that case,
vmware's functionality can degrade at any time .]

12.9: update:
. rolling back before for update;
that seems to work ok,
even though this is 10.10 -- an unsupported os
where not every vmware feature does work .

12.10: mis: it has my passes?:
. I apparently thought it's ok for the wild web
to have a browser with all my passes in firefox;
but, I don't think that was my intention;
so, deleting that profile,
firefox auto'ly makes a new, blank one? ok .
. the new profile also resolves the problem of
vmware`fusion no longer providing
shared folders for ubuntu 10.10;
so, now the start page no longer tells me
it can't access my shared home page .

# https.vm:

12.7:
. share only 2 folders: home, log cache;
 to generate the https.vm,
make a copy of main.vm .

 flush any malware by rolling it back
to its earliest checkpoint  "(fresh install)
-- needs a bit of work after that!
mis:
. my rollback had wiped out months of system updates,
yet, running the update mgt was useless:
it said it had checked minutes ago .
. I should have waited on installing vmtools,
because after it finally did do
those system updates
it needs to reinstall vmtools again .

. https.vm's only user is the admn,
it has for the first acct,
 a custom priviledge (semi-admn);
and accts after that can have
either full admn or desktop user status;
-- it wasn't clear how to use the advances settings
to safely make another custom admn
(one with ubuntu's advised power restrictions).
. you can also change the acct's name,
but not the short name ?
(pay attention with creating things
unless you have lots of time for
chasing down documentation).

12.7: mis: ubuntu's gbrainy uninstalling:
. remove unneeded software: games, office, ...
because malware often depends on it .
. I forgot to get a snapshot before trying to
risk ubuntu's wildly unstable uninstaller ...
. and just like on my laptop,
(fujitsu p1510d lifebook )
ubuntu's uninstaller is hanging
 on a gbrainy game that canonical said
 it would personally support .
-- reminds of hal 9000's
 "(I can't allow you to do that dave!
[hal has pledged to support hal!] )
. other times I'd be surprised to find
that something like an email client
would be a required module for
the gnome desktop package .

12.8: https.vm tested:
. tried a bank transaction,
then realized I had to change some things;
so, now I'll preserve firefox changes
 with a profile copy,
and finish getting things as intended
before resetting the https.vm's base snapshot .

12.9: mis: {admn, user} acct confused:
. it was left in admn acct mode,
is that the way it was used ?
12.10:
. after using an admn acct in a suspendable vm,
maybe a better habit than changing acct's,
is to shutdown not suspend after admn sessions ?
rdy browser:
. https.vm doesn't have anything going on
in non-admn acct?
set up the user acct's browser:
change the start page to home page,
and change the download to log folder .

Joanna Rutkowska

. an expert in rootkit malware, her team
 discoved the 2009 Intel BIOS security bug
and the 2008 rootkit vulnerability in Xen
all vital for proving the security of Qubes,
a user-friendly Xen and Intel trusted boot system .

2007.08 Virtualized rootkits

. OS security researcher:
stealth technology, as used by
 rootkits and covert channels;
OS isolation mechanisms,
 and virtualization technology.
. started a consulting company,
Invisible Things Lab .

Can we blue-pill Linux or (Open)Solaris?
the Blue Pill rootkit depends only on
AMD supporting hardware virtualization .
. concerning the security of
software-based virtualization solutions
 (VMWare, Xen, VirtualPC, ...):
the isolation capabilities provided by
even today's software based VM Monitors,
are probably much stronger than
those provided by our general purpose OS's
-- Linux, Windows or BSD. [mac is a bsd;
and, its unique microkernel is far from micro]

2008.06 mac needs vmware

Dino A. Dai Zovi`mac needs a security upgrade:
. malware will begin to seriously affect MacOS X
it depends on Snow Leopard
and whether it features these improvements:
# Real address space layout randomization.
not just Library randomization with
dyld loaded at a fixed location .
# Full use of [DEP(no vmware)]
hardware-enforced Non-eXecutable memory (NX).

Currently, only the stack segments are
 enforced to be non-executable.
-- buffer overflows happen on the heap too .
[. this is also called Data Exec Prevention (DEP),
and vmware, like other paravirtualizations,
needs to be running without this .
. if the hypervisor's heap or stack
could be compromised,
DEP is not there to prevent execution of code
that was placed on the heap or stack .]
# Default 64-bit native execution
for any security-sensitive processes.
. every app that has security exposure
should run as a 64-bit process.
because function arguments are
passed in registers rather than on the stack,
and synergizing with ASLR and NX .
# Sandbox for web and 3rd-party app's
. scheme-based policies are highly valued .
# Mandatory code signing for any kernel extensions.
. we could avoid worries about
kernel rootkits, hyperjacking, 
or malware infecting existing kernel drivers .

. a new local privilege escalation vulnerability
gives local root access on MacOS X Leopard. [2008]
it can allow a web exploit or trojan horse
to gain root access without the user’s  knowledge;
while root access is pretty serious,
it is not necessary in order for the malware to
 do bad things to your system
(i.e. install itself to run automatically,
back-door Safari, etc).

Joanna Rutkowska responds:
. personal firewalls, and Host IDS/IPS systems
are all useless
when malware can get into the kernel.
If we could eliminate all priv-escalation bugs,
then we would be able to solve
a lot of today's security problems .
. here’s an example of why a local-root exploit
might be more dangerous than a remote-browser one:

Before switching to Mac,
with Vista on the primary laptop.
Joanna's security was done by
combining Vista sandboxing technologies
with the use of special user accounts:
the random-site Web-browser
would run as ‘joanna.web’,
while the email client
ran as ‘joanna.email’, etc.
.  joanna.web’s privileges consisted only of
access to c:/tmp/ .
But if somebody could use an exploit to
elevate from joanna.web to admin/kernel,
then all those clever security policies
turned out being useless.

. at the moment [June 24, 2008],
Joanna is using  VMWare Fusion
and the situation is similar,
but now an attacker needs to have a
VMWare Fusion escape exploit,
which [at the moment] is a bit harder to find
than local kernel exploits for Vista or Mac.

. a monolithic kernel can't be secured
— the potential attack space is just too large.
Especially, if we allow root-escalation attacks.
Dino's reply:
 Maybe we should just forget about
protecting the kernel
and just try to secure the hypervisors
to insure separation of monolithic OS's
[rather than trying to secure a microkernel
that could insure separation of processes]
There is no legacy code there,
the entire thing can be written with
modern secure coding techniques
and have a smaller attack surface by design.
And what do we have then? A microkernel!
In Tanenbaum and Torvolds’ classic debate,
Tanenbaum finally wins!
[Torvolds created Linux,
and is a persistent defender of monolithic designs
with huge attack surfaces -- not unlike the mac
(its partial use of a microkernel
is a debated improvement)
whereas, Tanenbaum created Minix 3 as a
 fault tolerant microkernel]

Joanna:
. secure hypervisors can be a remedy
for the current OS security problems.
and, Qubes will make hypervisors usable .

2009.07: Microsoft as guest OS

 Joanna's desktop machine is an eight-core Mac Pro
 (2 x 2.8 GHz Intel Xeon) with 16 GB of DRAM
an old MacBook is a general-purpose laptop;
 (Santa Rosa, Core 2 Duo 2.2 GHz, 4 GB of DRAM)
still though,
that beauty doesn't prevent her from seeing
the weak point of the Mac hardware:
the lack of TPM, TXT, VT-d,
and the design of OS X system
-- it's failing at
 the Security-by-Isolation approach .

. odd how many desktop security experts
focus on finding yet another app vulnerability
while ignoring the game-changers in security
--  TPM, TXT, VT-x, VT-d .

. there simply are no good desktop OSes:
-- whether Mac, Windows, or even Linux --
all those systems use those big monolithic kernels
which host hundreds of third-party drivers
--[a ubuntu user retorted that linux has
no 3rd-party drivers?
open source is completely 3rd-party! ]--
. these drivers operate at the same
 privilege level as the rest of the kernel.
. we can get around this weak isolation with
 virtualization:
Joanna was using [at the time]
 a hosted hypervisor (VMWare Fusion),
with Mac OS X as the host
and Windows [Vista] as guests .

--[. microsoft is indeed getting better at defense;
but better than linux?
. with linux there's more innocent hands
 adding more bugs that more people
can see how to exploit,
and more chances for them to
volunteer expressly for the purpose of
injecting an "innocent" mistake
that they know how to exploit for their next job? ]

. theoretically, a huge hypervisor like Vmware
should have no fewer security bugs
than the OS kernel itself.
Both are big and complicated,
and have many drivers inside them;
but practically,
a web exploit is more difficult:
starting from code running in the browser only,
attacking the guest's kernel,
break out of the hypervisor
and finally infect the host's kernel,
-- a totally different OS than the guest's ?

5 vm's for each security level:

# red: browsing random sites, no privacy;
-- expected to get infected;
. revert it to a known snapshot every week or so.
# yellow: semi-sensitive tasks,
. uses firefox.NoScript to keep it clean;
only allows scripting to a trusted few sites:
  online shopping, blogging, etc.
Sure, somebody might do a
 man-in-the-middle (MITM) attack against an
HTTP connection that is whitelisted by NoScript
and inject some malicious drive-by exploit,
but then again,
Yellow machine has only semi-sensitive information.
[unless credit cards are used? ]
# green:  https-only, bank's account
. it is quite important to make sure
only HTTPS is used for this machine
to mitigate potential MITM attacks;
for example, on any hotel Wi-Fi.
.  don't use the host's browser as a Green machine:
[the host is a huge attack vector;
and, all the attacks are coming from online;
so, take it offline .]
# email clients for {work, personal}
both have mozilla mail;
work needs a noscript browser .

other vmware tips:

#handling updates:
[getting prompt updates for each guest vm
dramatically reduces the number of attacks .]
# clipboard:
[every guest can be logging the clipboard .]
# transfer of files between vm's and host:
[more networking means more risk .]

QubesOS is the proper solution

. safer than Vmware Fusion would be
a very thin, bare-metal hypervisor like Xen
making use of things like
 VT-d for Dom0 disaggregation,
TPM and TXT for secured boot,
and high isolation through customized
 DomU partitioning.
Each DomU would be running
a hardened version of Linux.

2010.04 among top 12 "White Hats"

. Joanna's Blue Pill rootkit based on AMD's
Secure Virtual Machine, Pacifica,
received  a standing ovation at the 2006 Black Hat,
showing how easy it is for dangerous code
to hide in plain sight.
Rutkowska and Tereshkin 2007
show how the Vista kernel is vulnerable to
digitally signed third-party drivers
(a code-signing certificate is bought with $250).
 Joanna Rutkowska 2008  shows how
Xen can be subverted with rootkits.

. other White Hats on that list
include the 2 Co-authors of
 "The Mac Hacker's Handbook":
# Charlie Miller
. hacked Safari for the last three years
at the Pwn2Own contest,
found an iPhone exploit that consisted
 entirely of SMS text messages;
 the first to hack Apple's iPhone in 2007
and the Android phone in 2008.
#  Dino Dai Zovi
. also Co-authored "The Art of Software Security Testing"
Dai Zovi discovered and exploited
a multi-platform security vulnerability in
Apple's QuickTime for Java
to win the first Pwn2Own competition;
at Black Hat 2006, VM hyperjacking
 using Intel VT-x in a live demo.

2010.05 introduces QubesOS

. during research in securing the hypervisor
Joanna gathered experience regarding
 how system software
should -- and should not -- be built.

. the  'Security by Correctness' approach
cannot be applied to the entirety
of a modern molithic system,
because the test space is simply too vast .
Qubes uses Security by Isolation,
managed by the Xen hypervisor,
and otherwise relying only on
 the correctness of the GUI daemon .
The obvious design for a cross-vm GUI
 would be to connect all app's to
 one common X server;
but, the X protocol is very complex,
and there may be dozens of ways to exploit it.
. the GUI daemon's protocol had to be
much simpler than X's .

. a Virtual Machine's place in security
depends on hardware: the InOutMemMgtUnit
and some trusted boot technology.
Intel VT-d and Intel TXT technologies
implement those two important technologies,
and they have just entered the market in 2009 .

. we need to control the whole system,
e.g. what packages are installed in Dom0;
and, insure there will be no networking there,
thereby obviating the need for
hardening Dom0 against network attacks .

. the Qubes user is advised to have
 a separate vm for each security domain:
{surfing, privates, banking, shopping, etc};
it's virtually a half dozen separate mac's
all sharing the same keyboard and display .
--[. this is exactly clark howard's strategy
for secure online banking
(unfortunately, his hardware approach
of reserving a separate pc for banking
 doesn't cover the case where
a banker's site is compromised,
and infects the firmware)
likewise, ...]
 using Live CD's for conducting
high-risk  financial transactions.
is still vulnerable to
persistent BIOS infections .
. Qubes' defense from  BIOS infection
is that the hypervisor is virtualizing it;
only dom0 can access that;
and dom0 doesn't get any net access .

Qubes`wiki  Qubes`faq Qubes`codebase
how to contribute  dev`forum
. the gui uses the KDE flavor
(Kool Desktop Environment).
how VT-d virtualization provides security

IOMMU/VT-d is the key to security:
. there is no point in building
 a microkernel-based system if
 we don't correctly use IOMMU
to sandbox all the drivers.
(see Intel VT-d spec).

Qubes VS Nova Microhypervisor VS LynxSecure 2010.06.30:

[summary:
. in response to someone in the mailing list
 wanting a comparison of
 {Qubes, Nova Microvisor, LynxSecure},
 I asked the Qubes forum why they use
the large xen hypervisor
when the future is microvisors;
Joanna replied that
nothing fundamentally prevents
the use of other hypervisors in Qubes;

I think the path Joanna is taking with Qubes
 is to mirror the redhat-fedora model:
Redhat sells linux to enterprises,
while keeping a open source mirror of the same code
in the form of Fedora .
. Redhat has chosen Xen as its hypervisor,
basically because it existed before
efficient, validated microvisors did .
. with an open-source Qubes targeting Fedora,
she can similarly look forward to profiting from
Redhat enterprise customers who'd like
support with her product .]

"Ph.T"
to    qubes-devel@googlegroups.com
. I'm interested in Qubes because
Invisible Things Lab has invested a lot of research into
 how to securely reuse what's
open and ready for x86 -- xen --
for a solution similar to LynxSecure
(which is proprietary ... ).

. the Nova microhypervisor along with
 the Bastei secure operating-system layer,
are the primary technologies of Europe's
ROBIN project (Open Robust Infrastructures)
whose purpose is
"(to establish an alternative
to proprietary US solutions
that we expect will appear soon;)
[eg, LynxSecure .]

NOVA's microhypervisor is GPL 2
(here is version 0.1):
http://os.inf.tu-dresden.de/~us15/nova/nova-hypervisor-0.1.tar.bz2
NOVA compared to okL4 microvisor:
http://ertos.nicta.com.au/publications/papers/Heiser_Leslie_10.pdf

Qubes compared to okL4 microvisor:
Nick 04/11/2010
"(
 ... Everyone keeps doing redundant work. ...
 OKL4/seL4, Nizza & Perseus Architecture,
 and Nova microhypervisor
 [are doing the same thing as Qubes]
 The L4 ... groups have a well-validated microkernel,
 needed base services/drivers,
 a POSIX/Linux/other VM for legacy apps,
 and frameworks to integrate isolated apps
 with regular apps.
  Now, we need to work
 below   (trusted hardware/firmware)
 and above  (drivers/libraries/coreservices).
 We could build a trusted workstation, router, VPN, etc.
 [rather than]
 ... have (sighs) *another* OS  acting as a
 { hypervisor
, MILS[ multiple independent levels of security]
, security kernel }.
) .
Joanna Rutkowska <@invisiblethingslab.com>
to    qubes-devel@googlegroups.com
date    Wed, Jun 30, 2010

Qubes currently uses Xen,
a type I [bare-metal] hypervisor,
  [instead of a verified L4 microkernel]
but nothing fundamentally prevents
the use of other hypervisors.

[*another* OS?]
Qubes project focuses on things such as:
secure GUI isolation
, driver/backend sandboxing
, trusted boot
, and last but not least
 on hiding all the inconveniences of the above
 from the user
(easy copy-and-paste between VMs
, disposable VMs
, protecting against human mistakes
, etc).
my reply:
did he mean xen is not securable?
. is L4 to be compared to xen?
or do we not have practical access to it?
. what does okL4 verification mean to x86?
it's only verified for ARM, right?

Qubes Alpha 2 2010.07

 Joanna Rutkowska <@invisiblethingslab.com>
to    qubes-devel@googlegroups.com
date    Thu, Jul 1, 2010 at 7:15 AM
subject    [qubes-devel] [Announcement] Qubes Alpha 2 released!

* Graphical VM Manager
* Backup/Restore/Migration tools
* Now uses Fedora 13 as a base for Dom0
 (this results in newer Xorg packages)
* Dedicated KDE packages for Qubes
* New Dom0 kernel based on 2.6.34 kernel
 (this time we're testing a xenlinux one).
This kernel seems to support S3 suspend much better,
as well as have some newer graphics drivers, e.g. for Nouveau.
screenshots .
. *updated* installation guide .
Known issues:
# Suspend/resume is still highly experimental.
. it might crash your system, or lock up some of your VMs,
or it might screw up time in your VMs.
Use at your own risk!
# problems with NetVM working with many network cards.
Perhaps this is because of our new Dom0 kernel,
or perhaps because of the buggy Linux drivers,
that are not well tested under Xen PV guests
(where mfn = pfn assumption doesn't hold).
--
Hopefully we will release a new NetVM
 before Black Hat Vegas,
so, those of you have have VT-d enabled laptops
 could test it at a conference ;)
Please send your feedback to qubes-devel. Cheers, joanna.

Qubes 2010.10 realizes  Disposable VM's

. Support for fast-booting Disposable VM
Dynamic memory balancing between AppVMs
Redesigned NetVM support (for VT-d system)
Reasonably stable S3 sleep support (suspend-to-RAM),
that works even with a NetVM!
Improved GUI virtualization .

"( VT-d is only on newer Intel chips;
but even without VT-d,
the only Qubes feature you won't have
are the isolated netvm(s).
Even without VT-d you still get full AppVM isolation,
and much more security than
 Windows, Linux, or Mac.)
-- Joanna Rutkowska Oct 15, 2010