Silk Road forums

Discussion => Security => Topic started by: Ro-Jaws on August 26, 2013, 09:19 pm

Title: Qubes Qubes Qubes
Post by: Ro-Jaws on August 26, 2013, 09:19 pm
Hey,
I am looking for some help with Qubes. I have been using it for a couple of weeks now and on an everyday level the transfer was relatively painless (once I got my head around how templates relate to individual app VMs, a simple relationship but one that kept tripping me up for almost a week).

Even some of the marginally more complex stuff went without a hitch (such as setting up a torVM, adding bridges, creating a new disposable VM template etc). However I have a couple of things I want to clear up before I start using Qubes for browsing SR and this forum.

The disposable VMs - they run entirely in RAM right? I know they check the savefile and then start but I read somewhere that when you open a specific file using a dispVM (like a PDF) any changes made are also made to the original so obviously I want to avoid this.

Linked to this is the wiping of RAM, looking at TAILS I see they use smem to wipe the ram upon shutdown, at some point I would like to get to that but for now I am just looking to run it at all. I am assuming it should be run in dom0 to give it full access to the RAM, is this correct?

Connected to this is the command for copying files to dom0, I cannot get this to work, it simply does nothing rather like most terminals when they are running a process, has anyone used this command successfully?

And finally (finally!) has anyone used the tbb_torless_launcher? It seems to work (as in I can access hidden services) but whenever I try to use the tor check site I get the message that the proxy is refusing connections.
Title: Re: Qubes Qubes Qubes
Post by: Kiwikiikii on August 26, 2013, 11:35 pm
qubes is not a safe OS to use, it's permanent not live like tails so if anything does get into your main OS then the whole system is fucked until u wipe the drive. That and it's a pain in the ass to configure and your whole system is locked to one computer, u can't take it with u like tails.
Title: Re: Qubes Qubes Qubes
Post by: astor on August 27, 2013, 12:43 am
Quote
The disposable VMs - they run entirely in RAM right? I know they check the savefile and then start but I read somewhere that when you open a specific file using a dispVM (like a PDF) any changes made are also made to the original so obviously I want to avoid this.

I don't think disposable VMs run entirely in RAM. I have seen no mention of that, and if it was a feature, I expect to have read it somewhere. It isn't mentioned in any of the documentation that I've dug up (which is unfortunately sparse):

http://qubes-os.org/trac/wiki/DisposableVms
http://qubes-os.org/trac/wiki/UserDoc/DispVMCustomization
http://theinvisiblethings.blogspot.com/2010/06/disposable-vms.html


I'm not running Qubes right now because the hard drive crashed on the old laptop that I was testing it on, but you should be able to look at the properties of the dispvm in the VM Manager and see whether / how much disk storage space it has been assigned.

A VM that runs only in RAM would be preferred, but I suppose it's not a big problem if you use full disk encryption. If someone has access to your decrypted hard drive, you are probably already screwed.

Quote
Linked to this is the wiping of RAM, looking at TAILS I see they use smem to wipe the ram upon shutdown, at some point I would like to get to that but for now I am just looking to run it at all. I am assuming it should be run in dom0 to give it full access to the RAM, is this correct?

Seems so, although you may be able to wipe the RAM of specific VMs too. IDK. I heard DDR3 memory decays very quickly anyway, so cold boot attacks are not very effective on it. All I can find about this issue re Qubes was this message from the qubes-devel mailing list:

Quote
> Also, they wipe the memory on
> shutdown to prevent data being held in RAM upon reboot. Would these
> features be of use in Qubes to further enhance security?
>

Right now (Qubes 1.0) we're not addressing any of the physical attacks
(such as Cold Boot, or Evil Maid). We really need a good trusted boot
for this, such as perhaps Intel TXT, which however is still unsupported
on majority of laptops, and this is planned for Qubes 2.0 branch.

So, no.

And then this roadmap:

http://qubes-os.org/trac/roadmap

which says that the trusted boot / anti-evil maid stuff won't be added until Qubes version 3, meaning it could be a few years before they include a memory wipe feature.

Quote
Connected to this is the command for copying files to dom0, I cannot get this to work, it simply does nothing rather like most terminals when they are running a process, has anyone used this command successfully?

I haven't tried this, but cat with redirection is supposed to do nothing in the terminal. Did you check if the file is in the destination location? :)

Quote
And finally (finally!) has anyone used the tbb_torless_launcher? It seems to work (as in I can access hidden services) but whenever I try to use the tor check site I get the message that the proxy is refusing connections.

Haven't tried this either. Can you get to check.torproject.org in a regular browser (through the TorVM)? If so, then maybe the script is blocking everything but onion addresses, which seems strange. Can you paste it here?
Title: Re: Qubes Qubes Qubes
Post by: ECC_ROT13 on August 27, 2013, 02:43 am
astor is right.. Qubes isn't built to use and not leave a trace on the hard drive. They're fairly clear that that isn't one of their design goals. Their goal is to minimize the attack surface available to malicious code to the smallest degree possible.

I believe a Disposable VM is simply a running snapshot that's just instantiated and then destroyed when you're done. Shouldn't be pinned to memory any more than anything else in Qubes would be. If you're worried about forensic recovery whenever somebody gets their hands on your computer, all you really have is your full disk encryption between them and you.

I'd have a hard time believing that a VM-based system on disk could ever truly remove all traces of activities. Lots of moving parts, lots of opportunities for things to get written to disk or swap.

Unless you're running Qubes on a ramdisk or something. That might be fun to try.
Title: Re: Qubes Qubes Qubes
Post by: Jeks on August 27, 2013, 06:20 am
subbed, find qubes an interesting concept
Title: Re: Qubes Qubes Qubes
Post by: kmfkewm on August 27, 2013, 06:31 am
Quote
qubes is not a safe OS to use, it's permanent not live like tails so if anything does get into your main OS then the whole system is fucked until u wipe the drive. That and it's a pain in the ass to configure and your whole system is locked to one computer, u can't take it with u like tails.

Tails is not a safe OS to use, it lacks persistent entry guards because it is live and doesn't use strong isolation technology.
Title: Re: Qubes Qubes Qubes
Post by: Bazille on August 27, 2013, 01:29 pm
Quote
which says that the trusted boot / anti-evil maid stuff won't be added until Qubes version 3, meaning it could be a few years before they include a memory wipe feature.

Shouldn't that be possible with a simple script which fills up the RAM with random data when shutting down the system?

Edit: Simple is probably not enough. However this shouldn't be a problem if the computer has DDR3 memory, as it only keeps voltage for a few seconds after turning off the computer.
Turning on Memory Test in the computer's BIOS may also wipe the RAM every time you turn on the computer. So when someone is at your door, power off the computer (resetting it is probably not enough) and turn it on again to wipe the memory.

Quote
qubes is not a safe OS to use, it's permanent not live like tails so if anything does get into your main OS then the whole system is fucked until u wipe the drive. That and it's a pain in the ass to configure and your whole system is locked to one computer, u can't take it with u like tails.

You could simply use full disk encryption with Qubes, and it may be possible to install it on a USB stick. Though I've had too many headaches with encrypted bootable Linux systems on USB sticks recently, so I won't test that. Unless you use USB3 it can be extremely annoying because it's so slow under certain circumstances.
Title: Re: Qubes Qubes Qubes
Post by: rockwaterwind on August 27, 2013, 02:20 pm
subbed
Title: Re: Qubes Qubes Qubes
Post by: crystal on August 27, 2013, 03:03 pm
Quote
Unless you're running Qubes on a ramdisk or something. That might be fun to try.

That would be interesting. You could also create your own Qubes-like OS on ramdisk using debian+xen...

The system would have to be created and then mounted read only, with as much as possible of it mounted on a ramdisk (/home, /tmp and the like).

Ideally the whole system would be stored encrypted and extracted at boot on several RAM partitions...

Do you guys see any way to easily extract/mount a whole system on a ramdisk?

Title: Re: Qubes Qubes Qubes
Post by: envious on August 27, 2013, 03:19 pm
I'm having trouble discerning which is buggier, Qubes or Tails?
Title: Re: Qubes Qubes Qubes
Post by: astor on August 27, 2013, 03:47 pm
Quote
astor is right.. Qubes isn't built to use and not leave a trace on the hard drive. They're fairly clear that that isn't one of their design goals. Their goal is to minimize the attack surface available to malicious code to the smallest degree possible.
I believe a Disposable VM is simply a running snapshot that's just instantiated and then destroyed when you're done. Shouldn't be pinned to memory any more than anything else in Qubes would be. If you're worried about forensic recovery whenever somebody gets their hands on your computer, all you really have is your full disk encryption between them and you.

Yeah, I think their threat model right now is that Qubes locks down your computing environment so well that it is extremely difficult for an attacker to identify you, so the threat of a physical attack is secondary. Of course, an attacker might identify you in many ways not related to exploiting your OS, so they plan on physical defenses in the future.

OTOH, Tails assumes there is a high probability you will be physically attacked and your best defense is to leave no trace of your activities. (That is a reasonable assumption for its original user base, political dissidents at internet cafes in repressive regimes.)

We all want both defenses: the strongest isolation to protect against exploits and identification, and the best security against physical attacks, but no preconfigured solution offers that right now. Qubes looks the most promising going forward, since they mention defenses against physical attacks in their future milestones, while it doesn't look like Tails has any plans to add VM isolation.

Title: Re: Qubes Qubes Qubes
Post by: Kiwikiikii on August 27, 2013, 06:01 pm
Quote
qubes is not a safe OS to use, it's permanent not live like tails so if anything does get into your main OS then the whole system is fucked until u wipe the drive. That and it's a pain in the ass to configure and your whole system is locked to one computer, u can't take it with u like tails.

Quote
Tails is not a safe OS to use, it lacks persistent entry guards because it is live and doesn't use strong isolation technology.

You can create persistent entry guards by using a small set of bridges. Yes it's not isolated, so if u get pwned then for that session u get pwned, but seriously if you are browsing the net with JS enabled then you'd probably enter the session with all your shit locked down anyways. As for qubes sure u have a persistent OS that isolates everything so the odds of getting hacked are minimal, but from a security standpoint both approaches have the same net effect as long as you know what you are doing.

I'd pick tails just because it's portable (and easy to backup) and doesn't leave any traces. FDE isn't going to help if some pious judge threatens you with contempt.
Title: Re: Qubes Qubes Qubes
Post by: astor on August 27, 2013, 07:18 pm
Supposedly, you can install Qubes on a thumb drive, so it can be a leave-no-trace-behind operating system, but I don't know anyone who has done it.
Title: Re: Qubes Qubes Qubes
Post by: crystal on August 27, 2013, 07:47 pm
Quote
Supposedly, you can install Qubes on a thumb drive, so it can be a leave-no-trace-behind operating system, but I don't know anyone who has done it.

It should be possible, and would be interesting to try - but each use would leave a trace on the thumb drive.

If an attacker has access to the thumb drive and finds a way to get your passphrase or to break the encryption, it becomes available to see. Wiping the thumb drive every now and then and installing a fresh system might (partly) solve the problem; a way to create an image and load everything in ram would be better. But you'd have to build a new system each time you want to apply a security upgrade.

Keeping in ram only the folders/partitions where temp/log/whatever files can/will be written could be a solution. Some work would be needed to create such a list...
Title: Re: Qubes Qubes Qubes
Post by: astor on August 27, 2013, 08:00 pm
Quote
If an attacker has access to the thumb drive and finds a way to get your passphrase or to break the encryption, it becomes available to see.

Tails with a persistent volume is vulnerable to the same attack, and that's how most people here use it. I think the plan is to flush it down the toilet so there's no trace of even a Tails system image on any storage media in their possession. Somebody said in a thread recently that their thumb drive is so small they can swallow it. :)

So Qubes on a thumb drive is not worse than Tails in that respect, but it's better because of VM isolation (although you have to setup a Tor VM, whereas on Tails you manually have to add bridges).
Title: Re: Qubes Qubes Qubes
Post by: Kiwikiikii on August 27, 2013, 08:33 pm
Quote
If an attacker has access to the thumb drive and finds a way to get your passphrase or to break the encryption, it becomes available to see.

Quote
Tails with a persistent volume is vulnerable to the same attack, and that's how most people here use it. I think the plan is to flush it down the toilet so there's no trace of even a Tails system image on any storage media in their possession. Somebody said in a thread recently that their thumb drive is so small they can swallow it. :)
So Qubes on a thumb drive is not worse than Tails in that respect, but it's better because of VM isolation (although you have to setup a Tor VM, whereas on Tails you manually have to add bridges).

I'd try qubes on a thumbdrive if anyone can write a tutorial on it. The one thing that bothers me about tails is that if u get hacked it's easy for an attacker to unmask you, tails has a clearnet browser for logging into wifi spots so all they have to do is use that and they have your IP. Pretty fucking risky from an anonymity standpoint.
Title: Re: Qubes Qubes Qubes
Post by: rockwaterwind on August 28, 2013, 11:39 am
I've been playing around with Qubes for the past few days... ran into some trouble setting up the TorVM but I have just got it working

Read this and have a look at the pretty pictures to get an idea of how everything slots together BUT DO NOT follow the instructions (they are for version 1 and we are now a year past those instructions)

http://theinvisiblethings.blogspot.sg/2011/09/playing-with-qubes-networking-for-fun.html

Ok - you need to follow the following instructions:

http://qubes-os.org/trac/wiki/UserDoc/TorVM

But they have missed a couple of steps, which you can figure out using the following link:

https://groups.google.com/forum/#!msg/qubes-users/fyBVmxIpbSs/R5mxUcIEZAQJ

Seems to be working like a charm so far.
Title: Re: Qubes Qubes Qubes
Post by: ECC_ROT13 on August 31, 2013, 05:26 am
Quote
We all want both defenses: the strongest isolation to protect against exploits and identification, and the best security against physical attacks, but no preconfigured solution offers that right now. Qubes looks the most promising going forward, since they mention defenses against physical attacks in their future milestones, while it doesn't look like Tails has any plans to add VM isolation.

You're exactly right. What everyone wants is Tails meets Qubes. But Qubes is i/o-intensive enough that I think you'd have to toss the whole thing in a decent sized ramdisk to make it usable from USB. Most Xen dom0 kernels don't lend themselves to easy, Tails-style hardware compatibility, either. Everybody will need to go shopping for laptops with 32-64Gb of RAM and no hard drives.

USB-bootable Whonix (possibly with Tor running on host OS and not in separate VM) is probably the easiest thing to cobble together without very significant effort. And it's still missing that minimized attack surface via Xen PV that makes Qubes so appealing. We just have a slow booting Whonix that's not leaving a trace. But it's probably the easiest way to do it if somebody wanted to. Start with Debian live build, add virtualbox and preconfigured Whonix GW and Workstation, duct-tape in memory wipes from Tails, and add "toram" to the boot parameters. I suspect it'd require >8GB RAM, and persistent storage would require dmcrypt-wrapped virtual disks to attach to both sides to store configs, keys, entry guards, etc.


Quote
Supposedly, you can install Qubes on a thumb drive, so it can be a leave-no-trace-behind operating system, but I don't know anyone who has done it.

Wow.. I'm guessing whoever tried it is still waiting for it to finish booting. :)
Title: Re: Qubes Qubes Qubes
Post by: astor on August 31, 2013, 06:36 pm
Quote
You're exactly right. What everyone wants is Tails meets Qubes.

I would also love to see a Qubes Server Edition, basically Qubes without the GUI, and instead of choosing between KDE or Xfce, you could choose web and database servers which would be VM isolated. Add a TorVM and you have a highly secure, out of the box solution for hidden services.

Quote
USB-bootable Whonix (possibly with Tor running on host OS and not in separate VM) is probably the easiest thing to cobble together without very significant effort. 

Bazille has a tutorial that does pretty much that, except with a custom VM.

Quote

Supposedly, you can install Qubes on a thumb drive, so it can be a leave-no-trace-behind operating system, but I don't know anyone who has done it.
Wow.. I'm guessing whoever tried it is still waiting for it to finish booting. :)

LOL.
Title: Re: Qubes Qubes Qubes
Post by: Bazille on August 31, 2013, 10:55 pm
The USB sticks in my tutorials are not bootable though. I will create a tutorial on how to install Whonix on a partly encrypted live (bootable) Xubuntu stick soon. 8GB quality (fast) USB stick and 4GB RAM is enough. With it you'd have the portability of persistent Tails with the additional protection of an (software) isolated virtual machine and Tor entry guards. Speed is acceptable with fast USB2 sticks.

Quote
USB-bootable Whonix (possibly with Tor running on host OS and not in separate VM)

I suggest using the Whonix gateway in a virtual machine instead, unless you intend to install the Whonix gateway as host OS. It can be quite some work to make a fresh install of a Linux distro as secure and hardly fingerprintable as the Whonix gateway.
Title: Re: Qubes Qubes Qubes
Post by: kmfkewm on September 01, 2013, 01:41 am
Quote
I would also love to see a Qubes Server Edition, basically Qubes without the GUI, and instead of choosing between KDE or Xfce, you could choose web and database servers which would be VM isolated. Add a TorVM and you have a highly secure, out of the box solution for hidden services.

FreeBSD and OpenSolaris sound like they might interest you. You can configure TorVM with FreeBSD jails or OpenSolaris Zones. And also you can isolate everything you run, although you need to do it manually. You can upgrade all jails at the same time with FreeBSD as well.
Title: Re: Qubes Qubes Qubes
Post by: ECC_ROT13 on September 01, 2013, 08:05 pm
Quote
FreeBSD and OpenSolaris sound like they might interest you. You can configure TorVM with FreeBSD jails or OpenSolaris Zones. And also you can isolate everything you run, although you need to do it manually. You can upgrade all jails at the same time with FreeBSD as well.

It's been a few years since I tried FreeBSD jails, but they were perfect for easily isolating components. Do you know if they support a virtual network interface (and virtual networking) to keep the jailed instance unable to discover its real IP (and network past a filtered gateway), or are they still aliasing to the physical adapter?