Virtual Machine as a core Android Primitive

You can't claim you're not surprised? So you can claim you are surprised? You're surprised by this. I feel like I'm trying to understand double negatation logic in code haha

The multi-user part for Android OS is not an extrapolation, it is inevitable.

Fun facts, Unix name is a joke to Multics, where Multi stands for multi-user, and everyone know what happened soon to Unix single user name indication.

A use-case I can imagine is e.g. a password vault, a banking app, or a secure messaging app that you want isolated from everything. Even when running. And where "everything" includes infected apps, an infected host or even physical access.

Not sure if this architecture can handle that, nor of it's the best architecture to solve this problem, though.

I'd love to be able to use a Qubes like OS on my phones. There's so much vile garbage I need to run on my phone yet at the same time, I want my phone to have access to my passwords and email. Segregating apps is long overdue.

DRM on Android is already ubiquitous and runs in trusted hardware contexts (TEEs). These are also used for Android’s secure key storage.

Normal apps usually don’t have the opportunity to run there, so this levels the playing field somewhat in terms of security.

And unless there is also attestation or binary encryption involved, I doubt this would give app developers any DRM-like capabilities.

It is. I'd like to believe that the android team is removed enough from Google's shenanigans that they aren't doing it specifically for them, but there are a lot of corporate app developers (including Google) who want exactly this feature. This means much higher difficulty hacking in multiplayer games (yes haha mobile games, but they're huge in china for example), increased DRM for Netflix et al., and I'm sure the chrome for Android team is salivating at the prospect of running your browser in a trusted VM. Your bank obviously would also enjoy the added security but in reality the current safeguards work well enough for these purposes. This is about protecting apps from adversarial users, not protecting apps from unwittingly infected users.

Run an older/newer version of android in the VM, assuming the host is light enough?

Maybe another OS, if someone does the groundwork on that. Or, fully suspend and move running instances across devices, which I think xen can already do.

One prime example is to protect credentials. Windows already uses this in a feature called credential guard.

It looks like the host kernel is not in full control – there is a EL2-level hypervisor, pKVM [1] that is actually the highest-privilege domain. This is pretty similar to the Xen architecture [1] where the dom0 linux os in charge of managing the machine is running as a guest of the hypervisor.

1. https://source.android.com/docs/core/virtualization/architec... 2. https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...

I don't know about Android, but AMD CPUs support encrypting regions of physical memory with different keys which are accessible only to one particular VM running, but also not accessible to the host:

AMD Secure Encrypted Virtualization (SEV)

https://www.amd.com/en/developer/sev.html

The architecture pattern is similar to Bromium/HP AX + Type 2 μXen on x86, https://www.youtube.com/watch?v=bNVe2y34dnM (2018), which ships on HP business PCs.

Bare metal runs a tiny L0 hypervisor making use of hardware support for nested virtualization. In turn, the L0 can run an L1 hypervisor, e.g. KVM or "host" OS, or minimal L1 VMs that are peers to the L1 "host"-guest of L0.

Google pKVM-for-Arm tech talk (2022), hopefully x86 will follow, https://www.youtube.com/watch?v=9npebeVFbFw

You can inspect their hypervisor code and verify the host kernel can not access the VM after creation but if you are running as root then you can obviously inspect whatever process is under host/hypervisor control.

You make the various hardware modules security context aware. You then give the host a separate security context from guests. You need a trusted hypervisor to bootstrap it.

Protected KVM on Arm64: A Technical Deep Dive, Quentin Perret (KVM Forum 2022), https://www.youtube.com/watch?v=9npebeVFbFw (first 5m)

It must be relying on a TPM somehow, right? That isn't possible with any normal software VM

Possibly one cybersecurity-related thing you could do is run a headless browser inside this VM, and bridge the network requests to the host network (a little bit like Docker).

Using my open-source BrowserBox^0 project then you could have a "bit more isolated" Browser running on your Android device that would add "VM escape" to any zero-day exploit chain that might be a risk.

This is speculation tho, I don't know if it's actually feasible based on the Android reality right now, but assuming the capabilities that are provided are like a regular headless VM, then it should be. :)

0: https://github.com/BrowserBox/BrowserBox

This is probably for playing DRM content, apps like Netflix will provide an encrypted VM image to play a movie.

I think the design is intended so that you mostly only get to do the last one.

Hopefully standard tooling will appear in time. Patreon PoC of unprivileged VMs, https://www.xda-developers.com/nestbox-hands-on/

> On the Pixel 7, the most configuration you'll need to do is similar to Shizuku. You connect to your own phone over wireless adb, configure the maximum container size, and then choose your Linux distribution. It'll download, configure, and then execute the virtual machine.

It is still baffling that root is so shunned upon in the Android communities. Imagine not having root access to your linux laptop. Magisk users are persecuted and punished by Google for getting root access, which is the bare minimun for a device you own.

This is already possible if your phones ship with the KVM kernel module, like on some Pixel devices, but reading the article suggests that KVM will become standard on all Android devices to enable this.

edit: according to this[1], yes, the pKVM functionality that's standard in Android exposes KVM functionality so that you can run VMs on Android.

[1] https://www.xda-developers.com/android-13-dp1-google-pixel-6...

AVF supports this, people have used it to boot Linux and Windows. See for example https://twitter.com/kdrag0n/status/1493089098944237568

Straight from the horse's mouth:

> pKVM is built on top of the industry standard Kernel-based Virtual Machine (KVM) in Linux. It means all existing operating systems and workloads that rely on KVM-based virtual machines can work seamlessly on Android devices with pKVM.

It sounds like it will become common eventually. I just wish that there were a more supported pathway to running full VMs like that. These devices are powerful enough to do it pretty well now.

Are the VMs hardware accelerated?

> if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.

You are putting too much faith in your VM monitor to keep you safe. There's a lot of attack surface in (for example) QEMU peripherals, and there's plenty of examples of VM escape [1]. CrosVM is probably the only publicly available VMM I'd be willing to trust, and even then I'd be nervous running state-sponsored malware on a machine with important data.

[1] https://www.google.com/search?q=qemu+vm+escape

> Is there any way to safely run malware or the Facebook app in some sort of air-gapped container and throw it away when you're done?

User profiles can be used in this exact way. Guest user if you intend to install+wipe it right away (though this will prove cumbersome eventually due to having to reinstall the app every time, etc). There is a significant isolation benefit to them, though not currently virtualized. With the isolation can come usability issues. Like transferring files from one profile to another.

They can very slow however (slow to load+setup, and switch between, I mean. when you're inside its effectively a separate, fresh, OS install).

*malware like the Facebook app

Pretty sure Android already uses Linux containers/namespaces for app isolation.

Maybe because it requires a platform signature to use?

If Android phones can run non-Android VMs of the user's choice, the phones will gain new purpose.

Android apps are already running on top of a Virtualisation Technology", both current ART (Android Runtime) and the previous one, Delvik, runtimes are virtual machines, process level virtual machines, but they do bytecode translation/JIT nonetheless.

If AVF allows running native code, it might actually be cheaper than the current arrangement.

Android apps performs better if built natively, Google might take some steps to enhance its performance.

This is such a bad take.

I'd love the easy ability to run confidential computing loads with fine grained control over the data it gets access to. You can do this now on the desktop using SGX (etc) but on mobile it's really hard.

As a specific example of this, it'd be great to be able to run Whisper continually and have strong, system level guarantees about what can read the data.

This seems like an excellent tool for digital ID cards, banks, government authentication apps, maybe 2FA apps, cryptocurrency wallets, you name it. Anything that's more important than a calculator.

DRM and remote attestation already use a separate secure environment, so I don't see what would change by adding virtualisation.

Maybe banking apps would let you run them on rooted phones if they were in an isolated VM

See for example the Xbox, where everything runs as a VM.

Yep, you need only look at the number of server providers offering confidential computing (pretty much only the big 3) and the premium they charge for it (10x, except AWS “trust me bro” Nitro)

Confidential computing is cool and useful when you’re the one controlling the VM, but scary when you’re the one blindly running it on your hardware

Hopefully this gets (publicly!) backdoored like SEV, SGX, etc

On the contrary, this is about support for new virtualization model in ARMv9, which the latest Pixel use.