Joanna announces codehash.db, a software/firmware code hash database

Joanna Rutkowska of Invisible Things Lab posted a message to the Secure Desktops list, announcing a new public hash database for software and firmware! A lightly edited version of the announcement is below; see the list archive for the full announcement:

Introducing a public db for software and firmware hashes:
I’ve recently created this simple repo which is an attempt to somehow address a problem of software and firmware “verifiability” (the word is somehow loaded, hence in quotation marks).  I imagine that once more and more vendors, such as e.g. Tails or Subgraph, or secure messenger app devs, or various firmware projects (coreboot, Trezor, OpenWRT, etc.) agreed to stick to this format, we could expect each of them to submit hashes + signatures with each new release of their software.  These hashes would then be subsequently verified and submitted by other witnesses.  Each person or organization will be free to host a repo similar to the one above, only with the “proofs” from the select witnesses they consider somehow trusted or meaningful.


(Now if OEMs and IBVs would only publish their golden image hashes, including after each update….)
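The verification model the announcement describes (a vendor publishes a release hash, independent witnesses re-verify and publish their own proofs, and each consumer decides which witnesses to trust) can be exercised with a small checker. The code below is an added example, not codehash.db’s own tooling or format: the proof tuple layout, the project name and the witness names are constructed for illustration, and witness signatures are assumed to have been checked already.

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed release images standing in for a vendor's downloadable artifacts.
RELEASE_1_0 = b"constructed firmware image, version 1.0"
RELEASE_1_1 = b"constructed firmware image, version 1.1"

# Constructed proof entries: (project, version, sha256, witness). The layout is an
# assumption for this example, not codehash.db's on-disk format; in the real repo
# each entry would also carry the witness's detached signature, verified before use.
PROOFS = [
    ("examplefw", "1.0", sha256_hex(RELEASE_1_0), "vendor"),
    ("examplefw", "1.0", sha256_hex(RELEASE_1_0), "alice"),
    ("examplefw", "1.0", sha256_hex(RELEASE_1_0), "bob"),
    ("examplefw", "1.1", sha256_hex(RELEASE_1_1), "vendor"),
    ("examplefw", "1.1", sha256_hex(RELEASE_1_1), "alice"),
    # bob saw a different 1.1 image: a tampered mirror or a silent re-release.
    ("examplefw", "1.1", sha256_hex(b"some other 1.1 image"), "bob"),
]

def attestations(proofs, project, version):
    """Map digest -> set of witnesses that attested it for this project/version."""
    by_digest = defaultdict(set)
    for proj, ver, digest, witness in proofs:
        if proj == project and ver == version:
            by_digest[digest].add(witness)
    return by_digest

def verify_release(artifact, proofs, project, version, trusted, quorum):
    """Accept the artifact only if at least `quorum` trusted witnesses attested its
    digest and no trusted witness attested a conflicting digest for the same release."""
    digest = sha256_hex(artifact)
    by_digest = attestations(proofs, project, version)
    agreeing = by_digest.get(digest, set()) & trusted
    conflicting = {w for d, ws in by_digest.items() if d != digest for w in ws & trusted}
    ok = len(agreeing) >= quorum and not conflicting
    return ok, sorted(agreeing), sorted(conflicting)

if __name__ == "__main__":
    # The vendor's own proof is deliberately left out of the trusted set: the point
    # of the scheme is that the vendor alone should not be enough.
    trusted = {"alice", "bob", "carol"}
    print(verify_release(RELEASE_1_0, PROOFS, "examplefw", "1.0", trusted, quorum=2))
    print(verify_release(RELEASE_1_1, PROOFS, "examplefw", "1.1", trusted, quorum=2))
    print(verify_release(b"tampered image", PROOFS, "examplefw", "1.0", trusted, quorum=2))
```

A disagreement between trusted witnesses is treated as a hard failure rather than a vote, since the interesting case is precisely when one mirror or one download differs from what others saw.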


ITL’s Stateless Laptop proposal

Joanna Rutkowska of Invisible Things Lab (ITL) has proposed the Stateless Laptop, and will be presenting at CCC in a few days (2015/12/27) on the topic.


I can’t begin to create a list of tags this article covers… This article is all about firmware security (and hardware security) for x86 systems, a MUST READ!!

Purism must consider this a holiday gift from ITL: the spec for their next Librem box. Looking forward to this box, built with fully Open Source Hardware designs/parts, hopefully from multiple OEMs next year! 🙂


Critical bug in Xen hypervisor

Wow, Joanna of ITL says “IMHO this is the worst bug affecting Xen, ever.”

Excerpt from Qubes Security Bulletin #22:

Critical Xen bug in PV memory virtualization code (XSA 148)

The Xen Security Team has announced a critical security bug (XSA 148) in the hypervisor code handling memory virtualization for the PV VMs [1]:

| The code to validate level 2 page table entries is bypassed when
| certain conditions are satisfied.  This means that a PV guest can
| create writeable mappings using super page mappings.
| Such writeable mappings can violate Xen intended invariants for pages
| which Xen is supposed to keep read-only.

The above is a political way of stating the bug is a very critical one. Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly.

Full advisory:



New ITL research on x86 security!!

Joanna of Invisible Things Lab has a new blog post on Intel x86 security!!





And there’s a second paper in the works, as well!


QubesOS 3.0 released

Qubes released 3.0 today, and Joanna Rutkowska posted a blog entry on it. This release is dedicated to the memory of Caspar Bowden, a pioneer in privacy. Excerpting Joanna’s announcement of some of 3.0’s features:

Qubes is now based on what we call Hypervisor Abstraction Layer (HAL), which decouples Qubes logic from the underlying hypervisor. This will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really “not yet another virtualization system”, but rather: a user of a virtualization system (such as Xen).

We upgraded from Xen 4.1 to Xen 4.4 (now that was really easy thanks to HAL), which allowed for: 1) better hardware compatibility (e.g. UEFI coming soon in 3.1), 2) better performance (e.g. via Xen’s libvchan that replaced our vchan). Also, new Qubes qrexec framework that has optimized performance for inter-VM services.

We introduced officially supported Debian templates.

We integrated Whonix templates, which optimize Tor workflows for Qubes.

The work on 3.1 is underway, with some features planned, including UEFI support, Live USB edition, and a management/pre-configuration stack.

Full announcement:

EFI support ticket:


Verifiedworthy Computing

I dislike Twitter; it’s a pain to comment on in a WordPress blog. It appears that WordPress doesn’t always embed the HTML table, sometimes leaving an empty page.

Regardless of how much of a pain it is to deal with Twitter-based content, below are two interesting Twitter-based conversations from Joanna of ITL, in two separate but related ‘threads’. I hope some of the vendors she’s thinking of are reading her comments. 🙂 Please click on both of the below Twitter URLs to get the full conversation.


Joanna Rutkowska to speak in Sweden next month

Joanna Rutkowska is one of the speakers at “Next Generation Threats”, taking place in Stockholm, Sweden in September.

Trust as the no. 1 enemy of security: the client systems study

We are forced to trust a lot of things: the files we receive or websites we visit, that they are not going to exploit bugs in our (trusted) apps, the (trusted) software we use has no backdoors built in or added by 3rd parties. Also that the (trusted) OS components are secure and can protect our data, that the underlying (trusted) firmware and hardware is not subverting security mechanisms implemented by our (trusted) Operating System. The more trust we are forced into, the less secure our digital lives are, of course. Trust is the #1 enemy of security. Is there anything we can do about it? What’s the smallest reasonable amount of trust we need in case of a typical client (desktop) system today? Can trust be distributed?

Joanna Rutkowska is a founder of Invisible Things Lab and the Qubes OS project, which she has been leading since its inception in 2010. Prior to that she has been focusing on system-level offensive security research. Together with her team at ITL, she has presented numerous attacks on virtualization systems and Intel security technologies, including the famous series of exploits against the Intel Trusted Execution Technology (TXT), the still-only-one software attack demonstrating Intel VT-d escape, and also supervised her team with the pioneering research on breaking into the Intel vPro BIOS and AMT/MT technology. She is also known for writing Blue Pill, the first hardware virtualization-based rootkit, introducing Evil Maid attack, and for her prior work on kernel-mode malware for Windows and Linux in the first half of the 2000s.