public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Joanna Rutkowska's Qubes on Gentoo Hardened?
From: 7v5w7go9ub0o @ 2010-04-17 14:10 UTC
  To: for hard list

Has anyone implemented Qubes on hardened gentoo?

If so, your thoughts please.

TIA




* Re: [gentoo-hardened] Joanna Rutkowska's Qubes on Gentoo Hardened?
From: Javier J. Martínez Cabezón @ 2010-04-17 14:50 UTC
  To: gentoo-hardened

I didn't implement it but I would like to say something about this
interesting question.

To my knowledge Qubes only gets you isolation and nothing more. It
creates "domains" (which are nothing more than named Xen guest VMs for
one special use, like a "shopping virtual machine"). It does nothing
new at the moment.

In my opinion it only adds high overhead to the system, since each
VM gets (if I'm not wrong) 400 MB of RAM.

You get the same isolation without this overhead using grsecurity's
chroot, rsbac_jail etc., and if you want to sleep better at night you
only have to create one separate user, like a shopping user, and
isolate it with MAC.

Second, I would like to know how it handles the communication between
the guest VM application and the host system; I suppose with Xnest or
by displaying to the required IP, I don't know. Xorg is high-risk
software when used in a network environment, so isolation could be
broken from there.

Hardened Gentoo (I believe) supports VMs like VirtualBox, User Mode
Linux, Xen and a lot more; you could try to install them and make an
installation in one of them (I make use of VMs for virtual servers).
This is what Qubes does.


2010/4/17 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>:
> Has anyone implemented Qubes on hardened gentoo?
>
> If so, your thoughts please.
>
> TIA
>
>




* [gentoo-hardened] Re: Joanna Rutkowska's Qubes on Gentoo Hardened?
From: 7v5w7go9ub0o @ 2010-04-24 23:37 UTC
  To: for hard list


Thank you for the reply!

On 04/17/10 10:50, Javier J. Martínez Cabezón wrote:
> I didn't implement it but I would like to say something about this
> interesting question.
>
> To my knowledge Qubes only gets you isolation and nothing more. It
> creates "domains" (which are nothing more than named Xen guest VMs for
> one special use, like a "shopping virtual machine"). It does nothing
> new at the moment.
>
> In my opinion it only adds high overhead to the system, since each
> VM gets (if I'm not wrong) 400 MB of RAM.
>
> You get the same isolation without this overhead using grsecurity's
> chroot, rsbac_jail etc., and if you want to sleep better at night you
> only have to create one separate user, like a shopping user, and
> isolate it with MAC.

Yep... this is what I'm doing now: lots of little unprivileged users
executing GRS chroot jails. In many cases (e.g. browser, snort, etc.) I
load the jail into a RamDisk first, so that if something is quietly
changed - other than bookmarks - it is not retained. Bookmarks are
saved before shutting down the RamDisk jail.


>
> Second, I would like to know how it handles the communication between
> the guest VM application and the host system; I suppose with Xnest or
> by displaying to the required IP, I don't know. Xorg is high-risk
> software when used in a network environment, so isolation could be
> broken from there.

I think she would agree with you about Xorg.

I'm a newbie, but FWICT they've created some new software, including a
secure means of managing and communicating between VMs:

"..We have designed the GUI virtualization subsystem with two primary
goals: security and performance. Our GUI infrastructure introduces only
about 2,500 lines of C code (LOC) into the privileged domain (Dom0),
which is very little, and thus leaves not much space for bugs and
potential attacks. At the same time, due to smart use of Xen shared
memory our GUI implementation is very efficient, so most virtualized
applications really feel like if they were executed natively..."


> Hardened Gentoo (I believe) supports VMs like VirtualBox, User Mode
> Linux, Xen and a lot more; you could try to install them and make an
> installation in one of them (I make use of VMs for virtual servers).
> This is what Qubes does.

Guess my goal is putting the most vulnerable process on my desktop - my
browser - into a VM that can cruise with JS, Java, etc. all active,
without any chance of some zero-day browser issue. I was going to use
KVM, but it looks like KVM will not soon have access to the GPU, whereas
the latest Xen can do that.

As far as communication between VMs goes, my plan was/is to use SSH or
NX over virtual Ethernet, with each VM properly firewalled. This works
well, but Rutkowska's GUI sounds interesting, and less complex.

I'm -guessing- one could use hardened-Gentoo as the core, and compile
Qubes SRPMs to implement her software. Figured someone might have done
it already.

Thanks again for your thoughts!!
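As an added illustration of the throwaway-jail setup both posters describe (an unprivileged user running in a grsecurity chroot jail that is loaded into a RamDisk, with only bookmarks persisted across teardown), here is a POSIX shell script. It is not from the thread, from Gentoo, or from the Qubes project; it builds a tmpfs-backed chroot, restores a whitelisted bookmarks file into it, populates it with a binary and its shared libraries, runs the browser as an unprivileged user via GNU coreutils `chroot --userspec`, and on teardown copies only the bookmarks back out before the tmpfs is discarded. Every path, the jail user name, the tmpfs size and the `JAIL_TMPFS` switch are assumptions chosen for the example; the kernel-side chroot hardening the posters rely on (grsecurity's chroot restrictions) is a kernel configuration matter and is not set up here.

```shell
#!/bin/sh
# Throwaway browser jail: tmpfs-backed chroot with whitelisted persistence.
# Added example, not from the thread. All paths and names below are
# assumed placeholders; override them through the environment.
set -eu

JAIL_ROOT="${JAIL_ROOT:-/var/jail/browser}"             # assumed jail location
PERSIST_DIR="${PERSIST_DIR:-/var/lib/browser-persist}"   # assumed on-disk store
JAIL_USER="${JAIL_USER:-browser}"                        # assumed unprivileged user
BOOKMARKS_REL="${BOOKMARKS_REL:-home/browser/bookmarks.html}"  # path inside the jail
JAIL_SIZE="${JAIL_SIZE:-512m}"                           # tmpfs size cap
JAIL_TMPFS="${JAIL_TMPFS:-1}"   # 0 = plain directory instead of tmpfs (dry run, no root needed)

# Create a fresh jail. With JAIL_TMPFS=1 a new tmpfs is mounted over the jail
# root, so nothing written inside it survives jail_down; nosuid/nodev keep
# setuid binaries and device nodes from working inside the jail.
jail_up() {
    mkdir -p "$JAIL_ROOT"
    if [ "$JAIL_TMPFS" = 1 ]; then
        mount -t tmpfs -o "size=$JAIL_SIZE,nosuid,nodev,mode=0755" tmpfs "$JAIL_ROOT"
    fi
    # Whitelisted state only: the bookmarks file comes back, everything else
    # starts from a clean slate.
    if [ -f "$PERSIST_DIR/bookmarks.html" ]; then
        mkdir -p "$JAIL_ROOT/$(dirname "$BOOKMARKS_REL")"
        cp "$PERSIST_DIR/bookmarks.html" "$JAIL_ROOT/$BOOKMARKS_REL"
    fi
}

# Copy binaries and the shared libraries they link against into the jail.
jail_populate() {
    for bin in "$@"; do
        mkdir -p "$JAIL_ROOT$(dirname "$bin")"
        cp "$bin" "$JAIL_ROOT$bin"
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x..)" or "/lib/ld.so (0x..)"
        ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
        while read -r lib; do
            if [ ! -e "$JAIL_ROOT$lib" ]; then
                mkdir -p "$JAIL_ROOT$(dirname "$lib")"
                cp "$lib" "$JAIL_ROOT$lib"
            fi
        done
    done
}

# Copy only the bookmarks out of the jail; nothing else is retained.
jail_persist() {
    mkdir -p "$PERSIST_DIR"
    if [ -f "$JAIL_ROOT/$BOOKMARKS_REL" ]; then
        cp "$JAIL_ROOT/$BOOKMARKS_REL" "$PERSIST_DIR/bookmarks.html"
    fi
}

# Save bookmarks, then throw the whole jail away.
jail_down() {
    jail_persist
    if [ "$JAIL_TMPFS" = 1 ]; then
        umount "$JAIL_ROOT"
    else
        rm -rf "$JAIL_ROOT"
    fi
}

# Run the browser inside the chroot as the unprivileged jail user
# (--userspec is GNU coreutils chroot; the browser path is assumed).
jail_run() {
    chroot --userspec="$JAIL_USER:$JAIL_USER" "$JAIL_ROOT" /usr/bin/firefox "$@"
}

case "${1:-}" in
    up)       jail_up ;;
    down)     jail_down ;;
    populate) shift; jail_populate "$@" ;;
    run)      shift; jail_run "$@" ;;
    "")       ;;   # no arguments: only define the functions (sourced or tested)
    *)        echo "usage: $0 up|down|populate BIN...|run [ARGS...]" >&2; exit 2 ;;
esac
```

Typical use as root is `jail.sh up`, `jail.sh populate /usr/bin/firefox`, `jail.sh run`, then `jail.sh down` at the end of the session. The design point is that persistence is an explicit allow-list (one file copied out by `jail_persist`) rather than a deny-list of things to wipe, so anything a compromised browser drops into its profile, cache or home directory disappears with the tmpfs; setting `JAIL_TMPFS=0` lets the copy-in/copy-out logic be exercised without root.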





