How far can the tentacles of an untrustworthy OS go?

I’m not sure I’m asking the right question, simply because I’m not very tech savvy, but this is kind of an important thing for me (maybe for someone else too) which would bring a lot of peace of mind. So thank you in advance to everyone replying here. :wink:

I’m currently having a home PC running an OS other than Linux, unfortunately. The reason being that I need some proprietary software for my job, which is not available on Linux.

So I thought I’d buy a SATA power switch and connect three hard drives via it:
1 - the proprietary OS
2 - PureOS as my main OS
3 - this one I wanna leave for any kind of testing, and stuff, it’s just awesome knowing that you have a spare HDD waiting for you to experiment on it :smiley:

note: Dual booting I consider as “not safe”, or at least not as safe as having a physical power switch.

So I’d have installed 2 or possibly 3 OSs but only activated one at a time. So my question would be: does anything remain in any hardware component (other than the hard drive itself where the OS is installed) that could compromise the integrity of the other OS that we would switch to? Or, with such a setup, are all 3 OSs 100% separated, so that if only one is activated at a time there is no possible way they could communicate, even indirectly?

note: the switch from one OS to another would be done in this way: 1- power off the PC, 2- toggle the OS switch and 3- start the PC.

Thank you.

When running the first OS, your hardware could be compromised. Then, as soon as you connect the disk with the trusted OS, it will be compromised as well.
A compromise is less likely than it would be if the disk was connected all the time, but it can still happen (unless you had a stateless laptop (see https://blog.invisiblethings.org/2015/12/23/state_harmful.html) and such a thing doesn’t exist yet).
So you have to decide for yourself whether the additional risk of a compromise is acceptable for you.

1 Like

My personal thought has been that when I get a Purism system, I’m just going to have another totally separate machine for Windows and proprietary software/games. One will be my “playing” machine (the Windows one) and the other will be my “communication & browsing machine” (the Linux one).

They’ll also be separated network-wise - the only thing on the network they’d both be connected to is a splitter that’d merge them to the modem - the splitter would branch off to two different routers. Ideally I’d be using two separate modems actually, but I don’t think my ISP would allow that, or at least not for a reasonable price.

Ultimately, the rule is that you don’t connect anything to your secure device that you can’t trust, and the moment you expose the system to it, you can mentally consider the device “compromised”, kinda like a zombie infection.

Thus, I’ve concluded that I probably won’t connect anything to the Purism device, ever, aside from my encrypted USB (which I NEED to be able to use; I can only hope a company responsible for making FIPS 140-2 Level 3 USBs isn’t compromised… and if they are then I think we can assume the hardware already in Purism’s devices is already compromised, too) and a basic mouse. Aside from that, I’d only connect hardware that has FSF RYF certification.

I’m a gamer and I use productivity software, so yeah, I can’t get rid of Windows being in my life - like it or not that proprietary software is freaking awesome in what it can do compared to the vast majority of open-source software. This is the difference loads of money and lots of time makes. I wanna play games, I wanna download and play pirated anime & movies, I wanna photoshop, I wanna 3D model, I wanna make music in Fruity Loops, I wanna use hack tools and check out sketchy shit sometimes, etc. I also want to connect to the internet naked sometimes for better bandwidth, and maybe sometimes use some social media.

The Windows computer I could do all of that with. But the Purism computer wouldn’t be able to run that software. I’d be running it on Qubes, have it on a VPN+Tor at all times, never dare to expose it to any uncertified downloads of any kind, let alone torrents, and I’d have all social media, Microsoft, and government URLs & IP addresses blocked via a hosts file and firewall (along with the list of all known ad/malware/tracking/porn/fakenews/gambling domains).

But yeah - my advice is to generally have two different computers. And make sure that only one of them has WiFi capability, max. It’d be best if you had them both wired, but if you’re going to use WiFi, make sure only one is using WiFi at a time because you don’t want them potentially communicating or anything…

2 Likes

@Alex @kV1x_2xx

So an OS can write anything it wants into HW components (aside from the drive), and that could survive a reboot?

If so, what are the HW components that they can write things to? Motherboard, processor?

After identifying them, isn’t there a way to wipe that “extra” thing an OS can write?
If it is possible, then maybe after shutting down the untrustworthy OS, we could first boot into a neutral OS (say Ubuntu for example) where we could wipe the extra data that the untrustworthy OS could write and then boot into the main (safe) OS? Could this be possible?

Perhaps not quite what you’re asking, but here are some examples of exploits that can survive OS reinstalls and persist in the hardware.

https://puri.sm/posts/efi-uefi-proven-to-be-exploited-in-vault7/
https://puri.sm/posts/efi-uefi-vault7-exploit-utilizing-nvram-and-persistent-storage/

1 Like

I’m not a tech professional, I really just shared my general approach.

I think the idea is they could create hidden partitions on hard disks, or infect device drivers, stuff on the motherboard, etc.

At least, that’s how I imagine it. I have a very general and abstract understanding of computers and security, rather than a true understanding of all the details, which is why every time I talk here it’s always in layman’s terms - because my understanding of things is mostly layman and stuff I read in news articles online.

If you want detailed answers hopefully someone who’s actually a professional with this kinda stuff will enter the thread.

This would amount at least to reflashing the BIOS, CPU, controllers for, say, your hard drive, … after every reboot. Besides taking a lot of time, requiring you to store a secure copy of the data to overwrite with, as well as the fact that you would have to reset even the binary firmware blobs you understand (thus preventing any updates of them), there is a more fundamental problem here. Namely, in order to trustworthily overwrite your firmware you would need to trust the firmware used for it.
Point being: if your hardware is corrupted it could pretend to reflash itself to the assumed good state, but actually not do anything at all (this is extremely hard to detect).

It would be much easier to try to check your firmware during each reboot; this is commonly done using measured boot (like Anti Evil Maid or Heads), however it requires a TPM on your motherboard.
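As an added illustration (not code from the original thread, Heads or Anti Evil Maid) of why measured boot catches what the post describes: a small Python simulation of the TPM PCR extend operation replayed over a constructed boot chain. The component names and byte strings are made-up placeholders; a real measured boot hashes the actual flash and boot binaries.

```python
import hashlib

# Constructed stand-ins for the components a measured boot hashes at power-up
# (placeholders for illustration, not real firmware images).
KNOWN_GOOD_CHAIN = [
    ("bios-region", b"coreboot payload v1 (constructed)"),
    ("bootloader",  b"GRUB core image (constructed)"),
    ("kernel",      b"vmlinuz 5.x (constructed)"),
]

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest).

    The register can only be extended, never written directly, so a
    component that has already been measured cannot rewrite its own
    measurement later, even if it lies about 'reflashing' itself."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(chain) -> bytes:
    """Replay a boot: start from the all-zero PCR, extend with each image's hash in order."""
    pcr = bytes(32)
    for _name, image in chain:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr

def seal_reference() -> bytes:
    """The value the owner records (or seals a secret to) while the machine is known clean."""
    return measure_chain(KNOWN_GOOD_CHAIN)

def verify_boot(chain, expected_pcr: bytes) -> bool:
    """True only if every measured component, in order, matches the reference."""
    return measure_chain(chain) == expected_pcr

def tampered_chain():
    """Same chain with a single byte of the 'BIOS' image altered (constructed case)."""
    chain = list(KNOWN_GOOD_CHAIN)
    name, image = chain[0]
    chain[0] = (name, image[:-1] + b"!")
    return chain

if __name__ == "__main__":
    ref = seal_reference()
    print("clean boot matches reference:", verify_boot(KNOWN_GOOD_CHAIN, ref))
    print("tampered BIOS matches reference:", verify_boot(tampered_chain(), ref))
```

Because each extend folds the previous value in, swapping the order of components or changing one byte anywhere in the chain changes the final PCR, which is what lets the TPM (rather than possibly-lying firmware) vouch for the boot.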

This response is very interesting to me. I could buy a Purism system and use it only for email and browsing and have a Mac in my case for photography. Is that what you’re suggesting?

I don’t know when you posted but that is my plan. Except I have a Dell with the dreaded Windows 10 on it. I’m getting the Purism mainly for Banking and browsing.

not to bump an old thread but the thing is those tentacles run really deep. if you start thinking about all the possibilities you can go quite MAD so it’s best to protect yourself however best you can and the rest well - cross your fingers!

no really - there are only a few RYF certified bare-metals out there like the VIKING (more well known) and some other more crepuscular ones, but the majority of the bare-metals, read motherboards and other silicon, are quite walled-off.

puri.sm is the new kid on the block, we’ll just have to wait and see a few years down the road how the RYF certification goes and how nice pureOS gets. it’s quite hard to have a 100% factory clean system (bios, uefi, firmware and the OS) AND KEEP it CLEAN once you SURF the internets.

the only really SAFE computers are VIKINGs that don’t connect to the internet and don’t install software from outside sources … it’s probably possible if you’re a LFS guru, a genius-hacker, a firmware/bios/uefi wizard or you have any of those as friends … and then you have puri.sm and the world of tomorrow.

I have no doubt you are right, reC. I just want to minimize it as much as possible.

In addition to infecting UEFI / BIOS, an untrustworthy OS (or a compromised trusted OS) can maliciously alter the firmware of other components and persist into the booting of other OSes off your other drives. 2015 was a busy year for exploring firmware-based attack vectors: We saw a proof-of-concept GPU firmware attack and a researcher making a bootkit within the HDD firmware that survives reformatting.

Needless to say, firmware-based attacks have been explored more in the past three years. Nation-state APT groups interested in targeting critical sectors like water and electric utilities have been developing attacks lower in the stack to subvert firmware-based SCADA devices. National labs have only in the past couple years been developing tools to analyze the trustworthiness of firmware (expect more in this space as supply chain has become the latest hot security topic).

2 Likes