Critical bug in Xen hypervisor

Wow, Joanna of ITL says “IMHO this is the worst bug affecting Xen, ever.”

Excerpt from Qubes Security Bulletin #22:

Critical Xen bug in PV memory virtualization code (XSA 148)

The Xen Security Team has announced a critical security bug (XSA 148) in the hypervisor code handling memory virtualization for the PV VMs [1]:

| The code to validate level 2 page table entries is bypassed when
| certain conditions are satisfied.  This means that a PV guest can
| create writeable mappings using super page mappings.
| Such writeable mappings can violate Xen intended invariants for pages
| which Xen is supposed to keep read-only.

The above is a political way of stating the bug is a very critical one. Probably the worst we have seen affecting the Xen hypervisor, ever. Sadly.

Full advisory:

New ITL research on x86 security!!

Joanna of Invisible Things Lab has a new blog post on Intel x86 security!!

Click to access x86_harmful.pdf

And there’s a second paper in the works, as well!

QubesOS 3.0 released

Qubes released 3.0 today, and Joanna Rutkowska posted a blog entry announcing it. This release is dedicated to the memory of Caspar Bowden, a pioneer in privacy. Excerpting Joanna’s announcement of some of 3.0’s features:

Qubes is now based on what we call Hypervisor Abstraction Layer (HAL), which decouples Qubes logic from the underlying hypervisor. This will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really “not yet another virtualization system”, but rather: a user of a virtualization system (such as Xen).

We upgraded from Xen 4.1 to Xen 4.4 (now that was really easy thanks to HAL), which allowed for: 1) better hardware compatibility (e.g. UEFI coming soon in 3.1), 2) better performance (e.g. via Xen’s libvchan that replaced our vchan). Also, new Qubes qrexec framework that has optimized performance for inter-VM services.

We introduced officially supported Debian templates.

We integrated Whonix templates, which optimize Tor workflows for Qubes.

The work on 3.1 is underway, with some features planned, including UEFI support, a Live USB edition, and a management/pre-configuration stack.

Full announcement:

EFI support ticket:

Verifiedworthy Computing

I dislike Twitter; it’s a pain to comment on in a WordPress blog. It appears that WordPress doesn’t always embed the HTML table, sometimes leaving an empty page.

Regardless of how much of a pain it is to deal with Twitter-based content, below are two interesting Twitter-based conversations from Joanna of ITL, in two separate but related ‘threads’. I hope some of the vendors she’s thinking of are reading her comments. 🙂 Please click on both of the below Twitter URLs to get the full conversation.

Joanna Rutkowska to speak in Sweden next month

Joanna Rutkowska is one of the speakers at “Next Generation Threats”, taking place in Stockholm, Sweden in September.

Trust as the no. 1 enemy of security: the client systems study

We are forced to trust a lot of things: the files we receive or websites we visit, that they are not going to exploit bugs in our (trusted) apps, the (trusted) software we use has no backdoors built in or added by 3rd parties. Also that the (trusted) OS components are secure and can protect our data, that the underlying (trusted) firmware and hardware is not subverting security mechanisms implemented by our (trusted) Operating System. The more trust we are forced into, the less secure our digital lives are, of course. Trust is the #1 enemy of security. Is there anything we can do about it? What’s the smallest reasonable amount of trust we need in case of a typical client (desktop) system today? Can trust be distributed?

Joanna Rutkowska is a founder of Invisible Things Lab and the Qubes OS project, which she has been leading since its inception in 2010. Prior to that she has been focusing on system-level offensive security research. Together with her team at ITL, she has presented numerous attacks on virtualization systems and Intel security technologies, including the famous series of exploits against the Intel Trusted Execution Technology (TXT), the still-only-one software attack demonstrating Intel VT-d escape, and also supervised her team with the pioneering research on breaking into the Intel vPro BIOS and AMT/MT technology. She is also known for writing Blue Pill, the first hardware virtualization-based rootkit, introducing Evil Maid attack, and for her prior work on kernel-mode malware for Windows and Linux in the first half of the 2000s.

Qubes 3.0-RC alpha of LiveUSB release

Joanna Rutkowska of Invisible Things Lab posted a message to the qubes-users mailing list today, announcing a new Live USB image format of Qubes OS.

“We have built and uploaded the first ever working Qubes Live USB image! 🙂 It’s based on the recently released 3.0-rc2 release. Now you should be able to run and try Qubes OS on any laptop without needing to install it anywhere!”

Note that it currently does not work with UEFI:

“We have faced several challenges when making this Live USB edition of Qubes OS, which traditional Linux distros don’t need to bother with:
1. We needed to ensure Xen is properly started when booting the stick. In fact we still don’t support UEFI boot for the stick for this reason, even though the Fedora liveusb creator we used does support it. Only legacy boot for this version, sorry.
Current limitations
7. UEFI boot doesn’t work, and if you try booting it via UEFI, Xen will not be started, rendering the whole experiment unusable.”

Read the full announcement here:!topic/qubes-users/IQdCEpkooto