zlacker

Security challenges for the Qubes build process

submitted by kkl+(OP) on 2016-05-30 13:03:03 | 64 points 17 comments
[view article] [source] [go to bottom]

NOTE: showing posts with links only show all posts
◧◩
2. otobur+J3[view] [source] [discussion] 2016-05-30 13:49:53
>>d33+93
Qubes is open source[1] (including the Windows capabilities[2]) so your question should be fairly easy to prove/disprove yourself.

I haven't delved into the source of any Qubes scripts or unit tests, but if one were to act on the rumours you heard perhaps they'd start with the Qubes Builder Scripts referenced in the article. If the Qubes team is able to implement a true append-only logging for their development+build process then perhaps any concerns around undocumented, unknown or untested scripts could be somewhat assuaged.

[1] https://github.com/QubesOS/

[2] https://www.qubes-os.org/news/2016/01/27/windows-tools-open-...

◧◩
5. kakwa_+in[view] [source] [discussion] 2016-05-30 18:53:43
>>d33+93
Just in case, I'm reposting my message from https://news.ycombinator.com/item?id=11652940

On the workstation part, it recommends QubesOS. Am I the only one who is skeptical about it?

From what I saw superficially reading their source code, there are some frightening stuff going on:

* tons of C code with nearly zero unit tests, same with the python code

* lots glue in form of bash or python scripts

* some not so beautiful stuff like:

- https://github.com/QubesOS/qubes-core-agent-linux/blob/maste... (kill -9 on a daemon...)

- https://github.com/QubesOS/qubes-core-agent-linux/blob/maste... (a daemon is a little bit more than an exe launched with '&'

- https://github.com/QubesOS/qubes-core-agent-linux/blob/maste... (changing a config file in an init script, humm, weird...)

- https://github.com/QubesOS/qubes-core-agent-linux/blob/maste... (starting a service inside the init of another service...)

- https://github.com/QubesOS/qubes-core-agent-linux/blob/maste... ("logging" with stderr redirection in a file)

And it's just the init scripts... I'm too lazy to take a look further inside the C or python stuff. IMHO, as a proof of concept, it's interesting, as a finished, reliable and secure OS, it's frightening...

◧◩
11. nickps+uG[view] [source] [discussion] 2016-05-30 23:07:47
>>gaius+Z7
Barely. Most of her work is behind what was done in the 80's and 90's for security kernels then 2000's for separation kernels. I criticized her for not building on proven foundations and methods. She censors my stuff but did eventually say and do some of same things. My Xen gripes, GUI trusted path... these come to mind.

For an example, here's an Orange Book A1-class VMM by legend Paul Karger. He's one of inventors of INFOSEC, genius designer/coder, and high-assurance veteran. Look at the design and assurance sections (p9 onward) of it to see what... in 90's... was necessary to secure a VMM via minimal privilege (POLA), correctness arguments, backdoor prevention, and covert channel suppression. Nothing today in OSS even has this baseline despite us discovering more problems and solutions. Re-reading it now, I noticed they were even doing continuous integration on it well before that became a fad.

http://lukemuehlhauser.com/wp-content/uploads/Karger-et-al-A...

A modern example, one I cited on their mailing list, is INTEGRITY-178B. The features plus assurance activities are a nice illustration of high-assurance approach to microkernels for security or virtualization vs things like Xen. Quite a few things worth copying for security- or reliability-focused OSS projects. Approaches that got open-sourced from CompSci are in links below it.

http://www.ghs.com/products/safety_critical/integrity-do-178...

http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=9EE...

http://genode-labs.com/publications/nfeske-genode-fosdem-201...

Note: GenodeOS is a competitor that uses components like above with architecture designed to lower risk in TCB like in high-assurance. It's nice work. Fundamental architecture needs peer review, though, to ensure it has claimed properties.

12. nickps+LG[view] [source] 2016-05-30 23:13:31
>>kkl+(OP)
Anyone interesting in securing repo's or build systems should start with Wheeler's landmark collection on the topic:

http://www.dwheeler.com/essays/scm-security.html

Has basics in English, CompSci work, high-assurance considerations, and some example projects. A bright, security researcher that's very familiar with DVCS's should redo this in light of them with similar recommendations. More like a team of bright researchers but it needs to be done. I'm interested in any papers people already have on this that have similarly-thorough treatment of threat model and proposed mitigations.

Once you know builds, you might want to address subversion, design, implementations, covert channels, and other things if you're trying to stop Five Eyes, Russia, or China. That requires "high-assurance" security methods... when it's even possible... Got a small list here to get people started on how deep the issue goes just at high-level and subversion aspects:

https://news.ycombinator.com/item?id=10478742

◧◩◪◨
17. throwa+y22[view] [source] [discussion] 2016-05-31 18:41:14
>>throwa+Yq1
Genode is useable as a desktop. Use the Nova kernel.

No binaries are distributed for obvious reasons. You can setup a build environment very quickly. It's simple stuff. See the Genode book: http://genode.org/documentation/genode-foundations-16-05.pdf

Oh, check out the rump kernel integration afterwards.

Fyi, package manager integration via Nix is in the works.

[go to top]