Linked by Thom Holwerda on Sat 2nd Feb 2013 01:47 UTC, submitted by rohan_p
"Whonix is a project to build an operating system that will offer the maximum privacy and anonymity possible straight out of the box. Its creator, 'Adrelanos', says the aim is to make it as hard as possible for privacy-conscious users to make missteps when it comes to remaining anonymous. 'It also provides loads of documentation and possibilities for interested users to make it even more secure,' he says." We've already covered Whonix before.
RE[3]: Comment by Laurence
by Alfman on Mon 4th Feb 2013 05:27 UTC in reply to "RE[2]: Comment by Laurence"
Alfman
Member since:
2011-01-28

Laurence,

"The issue isn't with the network breaking out, but services. VMs still borrow services from the host environment (see the example posted below)."

That's a good link. I couldn't find the paper directly and alas I didn't watch the whole video, but I did watch enough to see two interesting tidbits:

1. kvm-intel and kvm-amd (which run in kernel mode) are relatively small and have a small attack surface which makes kernel exploits less likely.

2. qemu-kvm, which was responsible for the exploit and is allegedly the weakest chain, is a userspace component.

It's bad for a VM to have exploits, however in theory it's still a layer of security on top of the kernel's own userspace restrictions. So it's tempting to argue that a *carefully* configured VM might still be more secure even with the risk of exploits.

The cited bug:
https://bugzilla.redhat.com/show_bug.cgi?id=699773

This kind of bug would require root access in the guest, which the web browser in Whonix's guest VM is unlikely to have. (Yea yea, Whonix doesn't use kvm...)

Just to state it explicitly, a successful exploit would probably look something like this:

1. Exploit the web browser/plugins to pwn guest userspace.
2. Exploit the guest kernel restrictions to gain root.
3. Exploit the KVM to gain host shell access.
4. If host userspace networking isn't locked down, hacker wins.
5. Else exploit host kernel to gain host root.
6. Hacker wins.



"Not all hardware supports extensions and paravirtualisation will always perform faster than hardware emulation."

Of course, that's the reason the virtual IO drivers are designed to allow IO without actually emulating hardware. But I don't deny that native host processes will be more efficient than a VM.

Edit: Consider Windows running virtual IO drivers under a VM even though it's not a paravirtualized OS.


"Don't get me wrong, VMs do have their place too - I'm not trying to argue that containers are the holy grail of virtualisation (though technically not virtualisation), but I honestly do think containers are a massively underrated and overlooked tool"

I don't disagree with this at all.

Edited 2013-02-04 05:30 UTC

Reply Parent Score: 3
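Step 4 of the chain above ("if host userspace networking isn't locked down, hacker wins") is the one a host owner can actually close without touching the hypervisor. The script below is an added example, not code from this thread or from the Whonix project: it emits an iptables rule set that confines the unprivileged host account running the VM process (assumed name "vmuser") so that even a shell obtained as that user can only reach one assumed gateway address and port (the defaults 10.152.152.10:9050 are placeholders for a Tor gateway; substitute your own). It uses the iptables `owner` match on the OUTPUT chain, which is a standard feature on Linux hosts.

```shell
#!/bin/sh
# Added example (not from the thread or from Whonix): lock down host-side
# networking for the unprivileged user that runs the VM process, so that a
# guest-to-host escape landing in that user's shell still cannot talk to the
# Internet directly. Assumes a Linux host with iptables; the user name and
# gateway address/port are placeholders, override them via the environment.

VM_USER="${VM_USER:-vmuser}"                  # assumed: account running qemu/kvm
ALLOWED_DST="${ALLOWED_DST:-10.152.152.10}"   # assumed: Tor gateway address
ALLOWED_PORT="${ALLOWED_PORT:-9050}"          # assumed: gateway SOCKS port

# Emit the rule set for one user to stdout; nothing is applied here.
# Every packet generated by $user goes through the VM_LOCKDOWN chain:
#   - loopback is allowed (the VM may need local services such as a
#     socket the display or gateway VM listens on);
#   - only the single allowed TCP destination is accepted;
#   - everything else is logged, then rejected.
# There is deliberately no ESTABLISHED,RELATED accept: such a rule would
# let a bind shell started by the compromised user answer inbound
# connections. Packets to the allowed destination match by address/port on
# every packet of the flow, so the connection works without it.
vm_lockdown_rules() {
    user="$1"; dst="$2"; port="$3"
    cat <<EOF
iptables -N VM_LOCKDOWN
iptables -A VM_LOCKDOWN -o lo -j ACCEPT
iptables -A VM_LOCKDOWN -d $dst -p tcp --dport $port -j ACCEPT
iptables -A VM_LOCKDOWN -j LOG --log-prefix "vm-lockdown-drop: "
iptables -A VM_LOCKDOWN -j REJECT --reject-with icmp-admin-prohibited
iptables -I OUTPUT 1 -m owner --uid-owner $user -j VM_LOCKDOWN
EOF
}

# Apply the rules; refuses to run unless root, since iptables needs it.
apply_vm_lockdown() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_vm_lockdown: must run as root" >&2
        return 1
    fi
    vm_lockdown_rules "$VM_USER" "$ALLOWED_DST" "$ALLOWED_PORT" | sh -e
}

# Usage:  VM_USER=qemu ALLOWED_DST=10.0.0.2 sh vm_lockdown.sh         (print)
#         VM_USER=qemu ALLOWED_DST=10.0.0.2 sh vm_lockdown.sh --apply (apply)
case "${1:-}" in
    --apply) apply_vm_lockdown ;;
    "")      vm_lockdown_rules "$VM_USER" "$ALLOWED_DST" "$ALLOWED_PORT" ;;
esac
```

The point of the owner match is that it keys on the host UID, not on the guest: a breakout through the userspace VM component (step 3 in the chain above) lands as that UID, and the rules hold until the attacker also gets host root (step 5). Run the script once without `--apply` and read the rules before applying them, and remember that the VM process itself must not run as root for this to mean anything.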