I have been looking at Whonix and Qubes OS. I have a question. Is it possible for data to leave anon-whonix by another route than sys-whonix? For example, Qubes has qrexec, and it looks like there is a lot of data moving between virtual machines through this. I wonder what could happen if anon-whonix gets infected and uses this qrexec to send data to another VM that has direct internet access. I guess some of this qrexec requires dom0 to allow it, but has the Whonix project done things to make it so that there is no possible qrexec call that could be done silently? Thanks.
No. Qrexec is primarily Qubes’ responsibility. Qubes designed qrexec with security in mind. Therefore there is no security hardening required by Whonix.
Suppose there is a qrexec call from anon-whonix to sys-net. If anon-whonix becomes compromised, then it can get data out to sys-net. Typically sys-net should be “assume compromised” because it controls network interfaces with insecure drivers and firmware. Therefore data is now exposed outside the Tor network.
Qubes designed qrexec with security in mind. Therefore there is no security hardening required by Whonix.
In this case, I am sure this would be considered a security issue by Qubes developers.
This is because Qubes developers want to provide the ability to have offline VMs such as a vault VM or split-gpg (work-gpg). They would consider it a security issue if such VMs could unexpectedly reach the internet.
This goes back to the very design of Qubes. Quote:
The vault domain is an ultimately trusted one where I generate and keep all my passwords (using keepass) and master GPG keys. Of course, this vault domain has no networking access.
Some Qubes qrexec services had minor privacy issues. These have been handled in Qubes-Whonix source code during initial development.
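As an added illustration of the point made above about a qrexec call from anon-whonix to sys-net, here is a small checker that reads a policy file and reports which services would let one qube reach another with anything other than an outright deny. This is example code written for this page, not Qubes' or Whonix's own tooling. It models a simplified version of the Qubes 4.1 policy syntax (one rule per line: service, argument, source, target, action, optional params; first matching rule wins; no match means deny). The policy lines are constructed for the example and are not the real Qubes or Whonix defaults, and token kinds such as @tag:, @type: and @dispvm are deliberately not modelled.

```python
"""Report which qrexec services a policy leaves open between two qubes.

Simplified model of the Qubes 4.1 policy format (constructed example, not
Qubes' or Whonix's own code). Assumptions:
  * only exact names and @anyvm are matched as source/target tokens
  * @default matches only when the caller literally asked for @default
  * a call without an argument carries the argument "+", and "*" matches any
"""
from dataclasses import dataclass, field

# Constructed sample policy in Qubes 4.1 syntax; NOT the shipped defaults.
SAMPLE_POLICY = """\
# service         arg  source       target     action [params]
qubes.Filecopy    *    anon-whonix  sys-net    deny
qubes.Filecopy    *    @anyvm       @anyvm     ask
qubes.OpenURL     *    anon-whonix  @anyvm     deny
qubes.OpenInVM    *    @anyvm       @anyvm     ask
qubes.VMShell     *    @anyvm       @anyvm     deny
qubes.Gpg         *    work         @default   allow target=work-gpg
"""


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict = field(default_factory=dict)


def parse_policy(text):
    """Parse policy text into an ordered list of Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        service, argument, source, target, action, *extra = parts
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"unknown action in policy line: {raw!r}")
        params = dict(p.split("=", 1) for p in extra)   # e.g. target=work-gpg
        rules.append(Rule(service, argument, source, target, action, params))
    return rules


def _matches(token, name):
    # @anyvm matches every qube except dom0; anything else must match exactly.
    if token == "@anyvm":
        return name != "dom0"
    return token == name


def decide(rules, service, source, target, argument="+"):
    """Return (action, effective_target) for one qrexec call.

    The first matching rule wins. An allow rule carrying target=... redirects
    the call to that qube. With no matching rule the call is denied, which is
    the Qubes default.
    """
    for r in rules:
        if r.service not in (service, "*"):
            continue
        if r.argument not in (argument, "*"):
            continue
        if not _matches(r.source, source) or not _matches(r.target, target):
            continue
        return r.action, r.params.get("target", target)
    return "deny", target


def reachable_services(rules, source, target):
    """Services through which `source` could reach `target` with allow or ask.

    Only services named in the policy are considered, because that is all the
    policy text tells us; a redirected call (target=...) does not count as
    reaching `target`.
    """
    services = sorted({r.service for r in rules if r.service != "*"})
    open_paths = {}
    for svc in services:
        action, effective = decide(rules, svc, source, target)
        if action != "deny" and effective == target:
            open_paths[svc] = action
    return open_paths


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for svc, action in reachable_services(rules, "anon-whonix", "sys-net").items():
        print(f"{svc}: anon-whonix -> sys-net is '{action}', not denied")
```

With the constructed policy above, the checker reports that only qubes.OpenInVM is left at "ask" between anon-whonix and sys-net; every other listed service is denied, either by an explicit rule or by the no-match default. Running the same check against a real policy directory is a quick way to confirm that an offline or Tor-only qube has no silent ("allow") path to a networked qube, which is the property the replies above describe.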