
“Paranoid Mode” Compromise Recovery on Qubes OS - jerheinze
https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/#plan-b
======
floatboth
> …I don’t believe that advances in so called “safe languages” or anti-
> exploitation technology could significantly change this landscape. These
> approaches, while admittedly effective in many situations, especially
> against memory-corruption-based vulnerabilities, cannot address other broad
> categories of software vulnerabilities, such as security bugs in application
> logic, nor stop malicious (or compromised) vendors from building backdoors
> intentionally into their software.

True. But never underestimate how common memory corruption bugs are. It's
_fucking embarrassing_ just how common they are. Look at the Project Zero
tracker. Just the first page of the newest issues: "double-free", "out-of-
bounds write", "use-after-poison", "use-after-free", "kernel double free",
"kernel memory corruption due to off-by-one", "kernel heap overflow", "kernel
uaf due to double-release", "heap-buffer-overflow"… And it's _these bugs_ that
often lead to the scariest situation for regular users, "I just visited a web
page and my browser got pwned".

------
hackuser
An excellent point that applies to almost any system:

 _The inconvenient and somehow embarrassing truth for us – the malware experts
– is that there does not exist any reliable method to determine if a given
system is_ not _compromised._

~~~
_sbrk
Total bull. Take the filesystem offline and run Tripwire over it (assuming you
did this after a fresh install).

We solved this problem in the 90s. Try to keep up.

 _sigh_

~~~
alasdair_
Right. And what do you do when the filesystem comes back clean because the
malware resides in some re-flashed firmware?

You can almost get a pass for being condescending ("try to keep up") if you
know what you are talking about, but being both condescending AND wrong just
makes you look foolish.

------
madez
> True, there is a number of conditions that can warn us that the system is
> compromised, but there is no limit on the number of checks that a system
> must pass in order to be deemed “clean”.

This is wrong. A computer's behaviour, even if allowed to access "true
randomness", can be determined in finitely many steps. Sure, the upper bound
to the number of steps is unfeasibly big, but not without limit.

Practically, there might be no difference if you assume there is no limit, but
excluding the possibility seems unjustified.

