[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] [tor-dev] Porting Tor Browser to the BSDs

On 2015-04-14 10:23 pm, Mirimir wrote:
On 04/14/2015 03:50 PM, Yuri wrote:
On 04/14/2015 14:41, WhonixQubes wrote:

I believe it is probably generally harder to break out of a virtual
machine than root a Linux distro, like Tails, because hypervisors have
a more limited attack surface compared to a full monolithic OS.

If you use Qubes, then it is infinitely harder to root the host system.

Can you describe the scenario how can somebody potentially break out of the virtual machine and root the host system, if VM is wired to connect
only through tor?


An adversary could install software in the Whonix workstation VM that
establishes an SSH connection to their machine. The SSH connection would
prevent the Tor process in the Whonix gateway VM from closing the
circuit. The adversary could then run exploits in the workstation VM
designed to gain host access.

If successful, it would be trivial to subvert the Whonix gateway VM.
That doesn't require root privileges. But they could also root the host, and install software in host that establishes an SSH connection to their
machine. Access then wouldn't depend on Whonix.

And just to give a bit of context for degree of ease for such an exploit...

IMO, generally speaking:

- Easier:  Tails with no VM isolation for Tor

-- Harder:  Whonix with VirtualBox, KVM, etc isolation for Tor

--- Hardest:  Whonix with Qubes isolation for Tor

Also, Whonix's CPFP (Control Port Filter Proxy) is of note, since it is what filters Tor commands between the Whonix-Workstation and Whonix-Gateway and intends to only allow *safe* Tor commands -- and not the unsafe ones that can expose deanonymizing host machine info.

More info:  https://www.whonix.org/wiki/Dev/Control_Port_Filter_Proxy

The CPFP can be deactivated and have Tor commands totally cut off for achieving even further security isolation of Tor with Whonix.

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to