> That is until someone comes up with a debilitating Xen 0-day
But you're adding layers.
A Xen 0day, alone, isn't useful. You have to be able to deliver it, which probably implies local root.
To get something useful out of a user's home directory on a typical OS install, you pop the browser, do what you want.
To get something useful out of a user in Qubes, assuming they're using an untrusted browsing VM, you have to pop the browser, then get local root, then deploy your Xen exploit... and then maybe do something useful.
There are also the standard malware anti-RE-sandbox techniques to consider. Show up in a clean profile on a hypervisor? Maaaaaybe not a good idea to be evil. Lots of stuff will refuse to actuate in something that looks like a malware RE sandbox, and a disposable Qubes VM certainly would look like that.
I won't claim it's impossible, but I will claim that doing a cross-Qube hop through Xen is a lot harder than just running one exploit and getting the goodies.
With Qubes you already have local root by default [0], because LPE is usually almost a foregone conclusion if the attacker has a sandbox escape.
> A Xen 0day, alone, isn't useful.
I don't think there are any attackers with the interest and capability to acquire a Xen sandbox escape that wouldn't readily have access to browser 0-days, unless the target is using something like Tor Browser Bundle with JS, SVG, and PDF.js disabled.