Bitcoin Forum

If you set up a guest VM on a host computer, the programs in the guest VM can not (easily) attack the host computer.

But in the other direction, it is not true. Programs on the host machine can just manipulate the guest VM, e.g. just modify the disk image file.

Thus, a guest machine for bitcoin does not make sense at all (at least when the intended goal is protection).




But a hint may help:
A wallet file does not have to be online to receive money. You can just create a wallet on a offline computer and use the addresses.
Only if you want to spend money from that wallet, it has to be taken to an online machine.

tell me how VMWare Fusion with Win 7 works on a Mac.  same principle?  in this situation, would u put the client on the Mac or Windows side?

It ups the bar (malware can't just look in common locations for wallet.dat, it would have to understand that a VM is there and how to look at the FS in the VM), but you're right - VMs/jails/zones/sandboxes/whatever are only really any use to protect the host from the jail... there is nothing protecting the jail from the host.


I was thinking about this for securely processing BTC transactions in an automated fashion... I wonder if it's possible to hack up bitcoind to watch addresses it doesn't possess the private key for?

I create a new wallet, generate say, 100 addresses, and dump the public keys for them all. I setup bitcoind on my billing server, and feed it those 100 addresses. My billing software talks to it when someone wants to make a payment, and it hands them one of the addresses not in use. bitcoind reports confirmed payments to those addresses back to my billing software, which credits the account appropriately. A script checks, to complain very loudly, when it gets below a certain threshold of free addresses.

Then the only time the wallet needs to be opened and vulnerable is when I'm transferring money out to spend it, or when I'm generating new addresses. It could spend the rest of the time on a USB key in a safe.

Would that work that way, or am I missing some showstopper?

Hosting a VM does provide an advantage of obscurity.
99.9% of the people with bitcoin wallets will not use VMs, therefore most BTC-stealing malwares will not target VMs (even if it's "easy", you still need to target a VM specifically when trying to steal wallets from it. A simple approach of scanning your HD for "wallet.dat" will not find it if it's encoded in a VM filesystem).

It's not a good solution, but it adds one more layer of abstraction an attacker has to get over.

It's a good thing to do until your BTC are worth enough $ to make you buy a dedicated machine for BTC access, that will be "100%" malware free.

It doesn't matter.

VMWare is designed to protect the host from the guest. That's not what you need when talking about using VMs for bitcoin.


You could use it the other way around: Install a minimal operating system on the computer hardware, and then add a VM for all the unsecure fun stuff (games, browsing etc.). But that wouldn't work well, because it is the fun stuff what requires so much ressources.

I was thinking about that, too. It should be perfect in principle. But to make it comfortable, we need to implement a lot and it takes a while until it all works safely.

Yes, of course it is a way of obscuring, but the wasting of ressources is huge. You could have such an effect much cheaper.

Yeah, I mean I haven't really looked at the RPC stuff for Bitcoind at all... it could theoretically be done simply by generating the 100 addresses, sticking them in a DB in my billing software, then raping blockexplorer all day looking for those addresses - but that really wouldn't scale well.

I was thinking about writing up an RPC daemon which simply watched for transactions, reported them to the billing software and immediately shipped the money off to another box. But that has two downsides that immediately spring to mind: 1) it'll get eaten alive by transaction fees and 2) if the box running bitcoind gets owned, they could change the payout address and you may not notice until some BTC is gone.

I think not having the private keys anywhere online is a much more suitable idea.

It's just that the client software is so far from finished. It is not meant to be broadly used. The media attention brought a lot of users, but actually, it's too early for them.

There is not even a key export, or a feature that makes password-protected backup files that one could just carry around and store anywhere.

where do most trojans/viruses/malware come from; email or browsing?

I don't know, I haven't had Windows for a while. :P

are u implying Macs are much safer?

Macs are much worse.

i think the thing to keep in mind with VMs is that there really isn't any cross-platform malware.  the browser-based stuff will infect any platform, but adapts to the platform it infects: the sophistication to reside (for example) on a windows machine, and look for a mac file system, isn't there.

i would suggest installing a VM of a different operating system, which also uses a different browser.  for example:

on a windows host machine using internet explorer, install a VM of linux/firefox.  on a mac/safari host, install windows/firefox.  etc.

one thing i haven't tried is installing a VM into a TrueCrypt partition - no way an infected/compromised host is going to get at that!  has anybody tried that?

Encryption only helps until you open the encrypted file or container yourself on an infected machine. At that point its just a matter of how smart the malware is.

No, that's total rubbish. You don't understand anything, do you?

possibly more than you think.

dual boot two OSs on the same hard drive - one on the network, the other off.  put a VM on the OS that is off the network.

explain how infecting the on-network machine could get to the off-network VM, installed on an encrypted partition?

seems to me that if you have a VM on board, its smart to do your browsing and email in the VM and have your bitcoin client on the host with your malware scanner/antivirus programs.  in this scenario does having a USB key with the data directory plugged into the host side provide any further protection?

When the VM is running, nothing is encrypted. You can just copy the private keys from main memory.

Oh, you do it the other way around. I already said that it would work this way, but it is a total waste.

so the same goes for the encrypted USB stick.  when its plugged into the host and unencrypted, its wide open?

Yes. A program can just ask for files and the system will decrypt them automatically.

Use a separate user account for your bitcoin/wallet.  Then (assuming your main user account doesn't have administrator privileges), any wallet stealing processes you may encounter won't be able to access the wallet.

that would be the first line of defense - that (especially pre-7) windows users have surrendered by default: not running as admin.

from http://kerneltrap.org/OpenBSD/Virtualization_Security


The author was Theo de Raadt, (from the OpenBSD project)

Yes, but a VM is only a bad solution, a BSD system with a Windows guest wouldn't work for most users.

The only solution is a small isolated computer. Actually that computer could write transactions offline to a file, and the online-computer uses the transaction file only. Then no counterfeiting is possible.

yes.  isolation.

there are more ways to achieve that than taking yourself off the network, though.

i've given some recent thought to how malware is propagated.  it's targeted to OSs and browsers.  i wonder how much effort has been spent on writing the stuff for operating systems like... oh... Plan9?

so not much via email or downloads?

as i asked above, wouldn't confining your browsing to the VM go a long way to protecting your wallet on the host?

not really.  i've opened (as an experiment) emails and downloads targeted to windows machines on linux machines.  no effect (although - for example - gmail targeted malware won't care about you OS).  the stuff using java and even python doesn't do much if you don't have those installed.  standard browser lockdown procedures are pretty effective, even on windows machines, given a little forethought.

a while ago, just for giggles, i installed 6 windows VMs, opened them all and networked them together.  i went and found some malware, let it infect them all, and watched it bounce around...

That's not the point. It's not security to just say "nobody attacks me".

NOT TRUE, a VM can be set up to be completely isolated from the host

actually, in any rigorous security evaluation, that comes first.

it's put this way:  "who wants to steal or destroy what i want to protect?  and how good are they?"

how much money should one spend to defend the average, small website that sells $10 widgets and takes PayPal?  is the uberhacker of the russian steppes going to give you even a look?  no.  you don't have anything worth his time - so you really don't need to defend against him.

for that website, you need to defend against the average 22 year old hacker living in his parents' basement.  ...a not terribly expensive proposition.

are the block chain files interchangeable btwn OS's like the wallet?

Yes. That's what the P2P network is for. It distributes the block chain.

Yes, it would help. I would use a VM that doesn't try to do fancy optimization like using hardware virtualization or x86-to-x86 translation.  A simple, "pure" VM has less opportunities for its programmers to screw up and introduce security holes. Maybe QEmu? (http://wiki.qemu.org/Download)

Do as little as possible outside of a VM, and have Bitcoin running either outside all VMs or in a separate VM from your browsing/email/whatever.

Also, see my thread about Qubes: http://forum.bitcoin.org/index.php?topic=11837.0;topicseen (http://forum.bitcoin.org/index.php?topic=11837.0;topicseen)

You seem to be talking about emulators as opposed to VMs. That's even more waste, and emulation software is even more likely to have vulnerabilities than hardware virtualization.

When people write trojans, viruses, etc. they largely do it for profit (the good ones anyway).  They deveop their program to go after the the largest market possible.  Most of the people partaking in bitcoin are running it on Windows XP/7 or Mac.  Many are running the core systems (mining operations, information infrastructure) on linux and BSD.

The threat agents will develop the first round of bitcoin specif software focusing on a Windows XP system utilizing a pre-existing attack vector (un-patched SMB or IE zero day vulns).

You must take a risk based aproach to how you hold your btc:

1 - Thrift account (no more than 200usd exposure) - Windows XP with standard bitcoin software.  Password protect your login and make sure your running some decent anti-virus

2 - Easy access large account (no more than 10,000usd of exposure) - VMware image of Ubuntu JeOS with OS based full disk encyption.  Has no services running (if it's running apache you fail) and a stable release of bitcoind.  Connect this only to known trusted nodes when needing to spend coins.

3 - Hard access mother account (all those secret coins generated the first year) - Every possible disk that ever held a private key is suspect.  Almost all of those should have been wiped with random data 5 times.  <-- before doing that account key pairs should be replicated to 3 tpyes of medium (dvdrw, flash drive, usb ext. hd) and each of these medium would be placed at separate bank security deposit boxes.



my 00.02 btc

Protection through obscurity is the answer.

http://bitcoinvm.bitcoincommons.org/

well, it seems to me the whole premise of this thread is to refute what you've done.

Just want to make sure that no one else does what I've done so that malware will never be written to target my bitcoin.

so how do u refute whats been said throughout this thread that VM's do nothing to block an attack?

i was well aware of your software prior to this but haven't tried it out since you're so new as is the client so my interest was piqued by this thread.

And that means you have to wade through pages and pages of colorful invective -- and throw some back at him -- before he gets around to actually talking about the issue at hand, if he ever does. Theo de Raadt's attitude problem is the #1 reason I don't use OpenBSD.

That said, it's possible to provide reasonable security for virtual machines (for instance the use of SELinux with KVM (http://lwn.net/Articles/353970/)) though things like VMware don't really provide anything reasonable, especially on Windows.

We aren't in the 90's any more. Malware today is made from components and individually designed for each target.

Nobody would do that for a spam box, but when they got your bitcoins, it's a total win.

You can do that. But don't tell people - especially unexperienced users - that this is security.

If we seriously want to get a situation, where most of the users have some security, we have to think about solid ways.

A savings wallet with password-protected private keys can be understood by a lot of users -- even those who don't know much about IT.

Whatever happened to the concept of layering your security? If using a VM provides adds some level of isolation between potential malware and the Bitcoin wallet then it would certainly be beneficial to use it as part of an overall solution. You shouldn't discard it just because it is not 100% "impenetrable" (Are you looking for a Maginot Line-type solution?). Other steps can and should be taken to protect the host, other VM's, the local network, etc. You may argue that this is just obscurity, but in the real world throwing an additional roadblock is usually all that it takes to prevent the success of a potential attack.

It protects only in one direction: It protectes the host from the guest. Not the other way around!

But many people here use it the other way around. That does not work, it's just a little obscurity (which you could also have by renaming files).


Little Conclusion:
The title is not "stop using VMs", but "stop telling people that VMs do magic". If you know what you do, you can get some protection with VMs, as some people here do. But if you tell people, they will just install VMs (wasting ressources), and think they are secure, which they are not.
For example you could set up a VM full operating system based full disk encryption. That would protect the system while it is not running. When it is running, there is no more protection from the host. You can use that setup securely if you are fully aware of that facts. But most people just aren't, especially those who just listen to your security advice.

You have the same effect with my Ubuntu user account setup (http://forum.bitcoin.org/index.php?topic=15068.0). While the special user is logged out, there is no way to access the private keys. They are encrypted (and never stored anywhere else).
And it has a lot of advantages:
- It is way less a waste of ressouces.
- Login and logout are much faster than booting a VM. (Hibernating a VM would mean to store private information in swap space.) So there is a smaller time window for attackers.
- Even while the special user is logged in there is no way for other user's software to manipulate unless they really crack the operating system. (Opposed to that the VM is run by a user, thus the user's software can do anything with it.)

You really are one dumb fuck aren't you?

Any retort on the content of his message? Or just more echo-chamber assfuckery?

If I may add: and a firewall as well

Yes, and that would be an even better solution if you'd use a second network interface for the VM. Otherwise lots of attacks still can occur through the open ports in the firewall of the host, which has to be open to allow access to the virtual (browsing) machine.
Or do you think it's safe to have the firewall of your host port just forwarding everything except bitcoin traffic to the VM?