Converting untrusted PDFs into trusted ones: The Qubes Way (2013)
Qubes OS provides a method to convert untrusted PDFs into trusted ones using Disposable VMs, creating a "Simple Representation" in RGB format, though it limits text search and editing capabilities.
The article discusses a method for converting untrusted PDF files into trusted ones using Qubes OS, which enhances desktop security by isolating potentially harmful files. The author, Joanna Rutkowska, highlights the challenges posed by complex PDFs that can compromise systems. The existing method in Qubes OS involves using Disposable VMs to open files safely, but this can be cumbersome due to the time it takes to create these VMs. The proposed solution involves parsing the original PDF in a Disposable VM and generating a "Simple Representation" of the file, specifically in RGB format, which is easier to handle securely. This method allows for the safe conversion of PDFs by ensuring that only simple, non-malicious data is processed. The article details the implementation of this conversion service using Qubes' infrastructure, emphasizing the importance of strict policies to prevent malicious exploitation. While this approach effectively mitigates risks, it does come with limitations, such as the loss of text search and editing capabilities in the converted files. Overall, the method aims to provide a more efficient way to handle untrusted PDFs while maintaining security.
- Qubes OS offers a method to convert untrusted PDFs into trusted ones using Disposable VMs.
- The proposed solution involves creating a "Simple Representation" of PDFs in RGB format for safer processing.
- The conversion process is designed to minimize risks associated with parsing complex PDF files.
- Limitations include the loss of text search and editing capabilities in the converted documents.
- The implementation relies on strict policies to ensure security during file conversion.
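To make the "Simple Representation" idea concrete, here is the trusted side of such a pipeline as an added example (not the Qubes converter's own code): it accepts only a constructed wire format of page dimensions plus raw 8-bit RGB pixels, rejects anything that deviates from it, and rebuilds a PDF whose pages are nothing but uncompressed images. The MAX_* limits and the wire format are assumptions for the example.

```python
# Added example, not the Qubes converter's own code: the trusted side of a
# "Simple Representation" pipeline. Wire format (constructed): per page,
# "<width> <height>\n" followed by exactly width*height*3 bytes of 8-bit RGB.
MAX_WIDTH, MAX_HEIGHT, MAX_PAGES = 10000, 10000, 10000  # assumed limits

def parse_page(blob):
    """Validate one page blob; raise ValueError on any deviation from the format."""
    header, sep, pixels = blob.partition(b"\n")
    parts = header.split(b" ")
    if sep != b"\n" or len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError("malformed header")
    width, height = int(parts[0]), int(parts[1])
    if not (0 < width <= MAX_WIDTH and 0 < height <= MAX_HEIGHT):
        raise ValueError("dimensions out of range")
    if len(pixels) != width * height * 3:  # exact size, no trailing junk
        raise ValueError("pixel payload length mismatch")
    return width, height, pixels

def build_pdf(pages):
    """Emit a PDF with one uncompressed Image XObject per page (1 px = 1 pt)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", None]  # obj 1 catalog, obj 2 pages
    kids = []
    for w, h, px in pages:
        objs.append(b"<< /Type /XObject /Subtype /Image /Width %d /Height %d "
                    b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Length %d >>\n"
                    b"stream\n" % (w, h, len(px)) + px + b"\nendstream")
        img = len(objs)  # object number of the image just appended
        content = b"q %d 0 0 %d 0 0 cm /Im0 Do Q" % (w, h)  # draw image full-page
        objs.append(b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream")
        objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 %d %d] /Resources "
                    b"<< /XObject << /Im0 %d 0 R >> >> /Contents %d 0 R >>" % (w, h, img, img + 1))
        kids.append(b"%d 0 R" % len(objs))
    objs[1] = b"<< /Type /Pages /Kids [%s] /Count %d >>" % (b" ".join(kids), len(kids))
    out, offsets = b"%PDF-1.4\n", []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))  # byte offset of each object for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out

def convert(blobs):
    """Untrusted page blobs in, trusted PDF bytes out (or ValueError)."""
    if not 0 < len(blobs) <= MAX_PAGES:
        raise ValueError("page count out of range")
    return build_pdf([parse_page(b) for b in blobs])

SAMPLE_PAGE = b"2 2\n" + bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])  # constructed 2x2 page
```

The output reproduces the page's trade-off: every page is a bitmap, so text search and editing are gone, but the only parser that ever sees untrusted input is a fixed-size length check.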
Related
Qubes OS 4.2.2 has been released
Qubes OS 4.2.2 consolidates security patches, bug fixes, and updates. It enhances file-copying between qubes, reverts a restrictive change, and offers installation options. Users are advised to back up before updating.
Remove PDF password protection using qpdf and AppleScript
The article explains how to remove PDF password protection on macOS using qpdf and AppleScript. It involves installing qpdf, creating a Quick Action in Automator, and running an AppleScript to decrypt PDFs. This method offers a lightweight solution for password removal.
Hacking with PDF (2022)
The article outlines how PDF files can be exploited through techniques like injection and XSS, emphasizing the need for understanding PDF structure to prevent attacks and analyze malicious content.
The Curious Case of QUEENCREEK
The article highlights risks of automated software like QUEENCREEK, initially suspected as malware but found legitimate. It emphasizes the need for vigilance in identifying potential threats using tools like Sysinternals Autoruns.
Why one would use Qubes OS? (2023)
Qubes OS is a security-focused operating system that uses virtualization for application compartmentalization, ideal for users needing data separation, but has high resource demands and a steep learning curve.
- Alternative Solutions: Users mention other tools like Dangerzone, which offer similar functionalities without requiring Qubes OS, and suggest exploring formats like ePub for safer document handling.
- File Size Concerns: Some commenters express frustration over the large file sizes of the output PDFs, comparing them to PNGs and questioning the efficiency of the conversion process.
- Security and Isolation: There are discussions about the necessity of using VMs for PDF rendering, with suggestions for simpler sandboxing methods, such as using Docker or chroot jails.
- Parsing and Simplification: Commenters propose the idea of parsing PDFs to remove unnecessary elements while retaining essential content, which could enhance usability for machine learning applications.
- General Security Practices: The conversation touches on broader security practices, including the potential for scanning PDFs for unsafe code and the importance of converting documents into safer formats.
https://github.com/freedomofpress/dangerzone
> Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.
From the learn more about page:
> Dangerzone was inspired by TrustedPDF but it works in non-Qubes operating systems, which is important, because most of the journalists I know use Macs and probably won’t be jumping to Qubes for some time.
> It uses gVisor sandboxes running in Linux containers to open dangerous documents, instead of virtual machines. And it also adds some features that TrustedPDF doesn’t have: it works with any office documents, not just PDFs; it uses optical character recognition (OCR) to make the safe PDF have a searchable text layer; and it compresses the final safe PDF.
Previously (announcement and details of gVisor sandboxing etc):
Safe Ride into the Dangerzone: Reducing Attack Surface with GVisor
https://github.com/QubesOS/qubes-app-linux-pdf-converter
Their source code seems to take the most obvious path... flatten it to an image printout then possibly do more? https://github.com/QubesOS/qubes-app-linux-pdf-converter/blo... https://github.com/QubesOS/qubes-app-linux-pdf-converter/blo...
Though at a quick skim I can't see any OCR steps.
Two more things can happen.
The increasing volume of memory-safe utilities means they can be used on one or both sides of this. That might prevent the exploit entirely. If a memory-safe CPU, it can still help to isolate in case of hardware failures (esp bitflips).
It can also be used to boost performance in non-Qubes systems where a secure (or OSS) processor is in use. They're often slower than commodity CPUs. So, one can use the disposable VMs on commodity CPUs to filter data (block most attacks), transform it, and send it over a simple wire protocol. Commodity VMs might also present it back to the user in dressed up form.
Outside of security, a long time ago, they were doing similar things to decrease latency and boost bandwidth on Beowulf clusters. A team made Fast (or Active?) Messages to eliminate TCP/IP as a bottleneck. So, sometimes a security technique can also be a performance booster.
I love the idea of making PDFs dumber and safer but maybe ePub would fit the bill? I'm just thinking out loud, I would like to do this again, but the Qubes way of spinning up a disposable VM to produce a monster PDF file is unsatisfying. More generally, Qubes being slow was a big reason I switched off of it.
Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=10538888 - Nov 2015 (5 comments)
Surely you can do that instead? Parse the PDFs and format them in basic ways without support for "extensions" or anything. Let the user read that before using the "real" document with extensions potentially enabled.
So there is a certain sense of absurdity of needing to spin up an entire VM just to render a PDF. Running a standard PostScript renderer in a user executable (perhaps in a chroot jail to be a little bit paranoid) should be enough for safety. Or just stick it inside a Docker.
Restrict the permissions on the user process to “read my static data files like fonts” and “write output to this 1 file, or a parsing error to this other 1 file”.