Hacker News new | ask | show | jobs
by ForkMeOnTinder 928 days ago
So on desktop, if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.

What's the current state of the art for Android virtualization? Let's assume we're talking about the newest Pixel and newest Android version. Is there any way to safely run malware or the Facebook app in some sort of air-gapped container and throw it away when you're done?
4 comments
fleventynine 928 days ago
> if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.

You are putting too much faith in your VM monitor to keep you safe. There's a lot of attack surface in (for example) QEMU peripherals, and there's plenty of examples of VM escape [1]. CrosVM is probably the only publicly available VMM I'd be willing to trust, and even then I'd be nervous running state-sponsored malware on a machine with important data.

[1] https://www.google.com/search?q=qemu+vm+escape

link
bonzini 928 days ago
While QEMU uses C, which is not great, it has on its side 15+ years of hardening by the KVM developers. The problem with QEMU is not so much insecurity, it's that it contains the kitchen sink.

However, most of the exploits you'll find in QEMU are against configurations that are never used in real world virtualization scenarios where guests are untrusted. You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.

For a while, slirp was the remaining major issue because it was used way beyond the original intention. But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking.

link
ungamedplayer 928 days ago
> You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.

This is not true. Even non default configuration of any software or hardware that contains a security vulnerability can get a CVE. It has in the past and will again in the future.

Source: I have assigned over 2000 cves for the kernel.

link
bonzini 928 days ago
Yes, and the policy of QEMU is to not assign CVEs for bugs that would generally be hit only when QEMU is used as a development platform, as opposed to using it to offer virtualization services.

https://www.qemu.org/contribute/security-process/

We are colleagues by the way. :)

link
worthless-trash 928 days ago
> We are colleagues by the way. :)

I'm aware, I see you comment here regularly.

QEMU doesn't have to assign CVE's but any other CNA can. I do not believe that its good security or even good practice to negotiate out of exploitable flaws. Its a dis-service to users.

I don't have enough skin in the game to change upstream QEMU's mind on this, systems in exploitable configurations are just as exploitable with or without a CVE assigned. People with exploitable configurations now just can't find out there is a problem.

link
bonzini 927 days ago
The question is whether something is exploitable or just a crash. It is also a disservice to user to worry them about having to do an immediate update and evacuation of all hosts because of an out of bounds access in Gravis Ultrasound emulation.

Would any crash in GCC be a vulnerability because compilers are fed untrusted source code? Perhaps, but in practice godbolt.org is going to be the only case in which you care.

link
csdvrx 927 days ago
> But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking

In case anyone else needs a link: http://blog.vmsplice.net/2021/10/a-new-approach-to-usermode-...

link
monocasa 928 days ago
I'd probably trust firecracker too since it was designed specifically to avoid qemu's attack surface and runs in production for Amazon.
link
my123 928 days ago
Qemu also runs in production darn near everywhere, especially on Xen.
link
surajrmal 928 days ago
It also happens to be a fork of crosvm
link
monocasa 928 days ago
It is not, but they do share some code.
link
surajrmal 928 days ago
According to their own FAQ it is indeed: https://github.com/firecracker-microvm/firecracker/blob/main...
link
surajrmal 928 days ago
Luckily android is using crosvm
link
jmprspret 928 days ago
> Is there any way to safely run malware or the Facebook app in some sort of air-gapped container and throw it away when you're done?

User profiles can be used in this exact way. Guest user if you intend to install+wipe it right away (though this will prove cumbersome eventually due to having to reinstall the app every time, etc). There is a significant isolation benefit to them, though not currently virtualized. With the isolation can come usability issues. Like transferring files from one profile to another.

They can very slow however (slow to load+setup, and switch between, I mean. when you're inside its effectively a separate, fresh, OS install).

link
ClassyJacket 928 days ago
*malware like the Facebook app
link
heavyset_go 928 days ago
Pretty sure Android already uses Linux containers/namespaces for app isolation.
link
seabrookmx 928 days ago
You're thinking of ChromeOS I think, which uses a combination of containers and virtualization (via the same VMM in this article) for Linux and Android apps..
link
heavyset_go 925 days ago
Yeah, apparently Android uses users and namespaces, but not containers as we typically know them like ChromeOS does.
link
saagarjha 928 days ago
It uses separate UIDs mostly.
link
phone8675309 928 days ago
Along with SELinux
link