After spending time researching and figuring out how to pass through a device on KVM Whonix I have come to learn that this can be dangerous.
Device Passthrough is on the list of things not to do but is necessary for some. I want to compare this to Tails and hear what someone more experienced has to say.
On Tails mounting removable media is native and does not require extra configuration. Simply plug in the device and mount it. Is there a difference in security implications to this and to passing it through on a Virtual Machine? *
Can the device mounted on the VM place malware on the host even if it is never mounted there or does it remain isolated in the VM? *
Info: on Tails the media would be removed before booting back to the main OS, on Whonix it would never be accessed on the Host.
Potentially a privilege escalation exploit could be used to access the internal drives on the Host or in this case other OS on Tails. In Whonix, could malware with or without root privileges access the host because of the Device Passthrough or only that device? *
Would malware created for the general population be an issue with Device Passthrough, or only targeted malware for Whonix or VM users? *
In short is Device Passthrough more harmful than mounting a device on Tails.
If I have said something that does not apply please tell me so.
Not against pci bus usb passtrhough, it is the same for both Tails running on USB and Whonix on virtualizers or usb itself.
Not mounted, cannot run. My understanding
Only if you allow those devices to be mounted. But it is not for Whonix, it is for Tails and every other OS.
Malware for the general population are phishing attacks, malicious downloads, not physically inserting a malicious usb to your computer.
Also, Device Passtrough is not “bad”, it is a mean for a vm to reach the host usb. On normal systems not virtualized like Tails, it is direct connection.
This also means that an infected host can attack the vm.
Summary: Tails does not have more protection against malicious usb devices that whonix using usb passtrough.
QubesOS as host has some protections against a malicious usb, such as not parsing the partition table, using a separate usb qube, but nothing is perfect or course and most qubes security bulletins major issues reports problems about pci passtrough.
least secure: connect USB directly to the host operating system (any, Debian, Tails, Kicksecure, …)
It’s really very threat model specific.
So don’t use PCI passthrough is more about not exposing any hardware to the VM which could be potentially compromised by malware. Avoiding hardware compromise (malicious reflash of hardware).
On the other hand, the USB device itself could be infected with a malicious firmware.
Yes, if the USB firmware is malicious.
No, I doubt that.
In theory, there could be a malicious USB firmware that can exploit device passthrough code but not the host kernel.
The right way to think about this probably to look where parsing of untrusted inputs are happening. And in any interaction, eventually all code is run by the CPU and the host kernel or even host hypervisor.
For example, if you have a malicious libre office document that can exploit libre office but don’t open it with libre office then the malicious code isn’t parsed by the hypothetically vulnerable parser (libre office) and hence in this theoretic example no compromise would happen.
See also rowhammer / nethammer.
Note, I don’t maintain Whonix KVM. This question should similarly apply to VirtualBox. Seems even unspecific to Whonix.
I believe this is different from USB passthrough. This is done by going to the Storage tab on KVM. See my thread in the KVM section for more info if interested.
Malicious firmware is not within my threat model, very unlikely to be a threat to me.
Thank you both for taking the time. I believe the threats of Device Passthrough is outside the scope of my threat model.
This thread may be moved to a more appropriate section.