Thread: Protecting Against Malware From Other OSes?

  1. #1
    Join Date
    Jun 2015
    Beans
    12

    Protecting Against Malware From Other OSes?

    Is there any way to keep some maliciously crafted attack run on other OSes from attacking an Ubuntu install, short of encrypting the partition that Ubuntu is installed on (which from what I understand is locally attackable as well)? For instance, a Win8.1 machine could be affected by something that installs some driver that can read/write ext filesystems and attack an Ubuntu install. This would be something specifically crafted for that purpose, but it can happen.

    The bootloader for decryption can be messed with, so the best I can figure is there's a need for some type of loader that's on a USB flash drive, that can be locked against writing, that decrypts and boots Ubuntu. Then Ubuntu would have to be shut down, the USB flash drive used to encrypt that partition, and then the USB flash drive is removed from the system and the system is powered down and back on to load another OS.
    Last edited by Alebin; June 29th, 2015 at 12:35 AM.

  2. #2
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Protecting Against Malware From Other OSes?

    If you can't find any real world examples of what you are asking, I wouldn't worry about it.

  3. #3
    Join Date
    Jun 2015
    Beans
    12

    Re: Protecting Against Malware From Other OSes?

    Well, the bootloader can be overwritten; think about the Evil Maid type attacks on encryption, and companies like Paragon make extfs drivers for Windows. Put that together with a bit of slick coding and you have exactly what I'm talking about.

    I was thinking maybe encrypt the Linux install with a live CD and something like VeraCrypt and decrypt it before booting to it when you want to use it, but the whole GRUB situation with a dual boot and such might cause issues.

  4. #4
    Join Date
    Oct 2014
    Beans
    26

    Re: Protecting Against Malware From Other OSes?

    Hardware SSD encryption is what you need if you want to protect Grub from Evil Maid type attacks. You need a laptop and SSD (anything by Intel or Samsung) that supports it though.

  5. #5
    Join Date
    Jun 2015
    Beans
    12

    Re: Protecting Against Malware From Other OSes?

    Originally posted by jamal5:
    Hardware SSD encryption is what you need if you want to protect Grub from Evil Maid type attacks. You need a laptop and SSD (anything by Intel or Samsung) that supports it though.
    Can the SSD's firmware not then be rewritten and end up being the same thing, but just one layer above?

    Edit:
    I have been reading that SSD encryption, especially on Samsung drives, isn't what it seems and is possibly weak anyway.

    Here's what I think is probably needed. The system boots from a CD that can't be altered. The CD loads up some minimal version of Linux that asks you if you want to load Windows, Ubuntu, or Re-Encrypt Ubuntu. If you select Windows, it simply boots to that partition/drive. If you select Ubuntu, it prompts you for a password or some other form of authentication or combination of authentications. After authenticating, it decrypts the Ubuntu partition/drive as a container basically, just as if you were deciding that you no longer want a storage partition/drive encrypted with VeraCrypt/TrueCrypt/etc.; essentially removing the encryption from the partition/drive, being a slower process than normal booting. After decryption, it boots into Ubuntu. After the user is done with Ubuntu, they reboot to the CD and select Re-Encrypt Ubuntu, supplying the authentication, and the partition/drive is then encrypted. The system can then be reset and the user will be presented with the Windows, Ubuntu, Re-Encrypt Ubuntu selection again.

    I have no idea how this would be actually accomplished though.
    Last edited by Alebin; June 29th, 2015 at 03:16 PM.

  6. #6
    Join Date
    Oct 2014
    Beans
    26

    Re: Protecting Against Malware From Other OSes?

    Firmware cannot be written to by unsigned files (i.e. it requires the manufacturer's private key), at least for SSDs. If you are worried about firmware hacks that require physical access, I'd focus on physical security as opposed to software security. Just realize that pretty much only the NSA or CIA are capable of this, so you are probably being overly paranoid. SSD encryption is perfectly solid if the hardware supports it; there's nothing to suggest otherwise, and all you need it to do is protect your bootloader, not the actual sensitive data. What you've described seems way too complicated, paranoid, and I don't think it's even possible. You can't even use LUKS in a dual boot setup anyways (at least not easily).

  7. #7
    Join Date
    Jun 2015
    Beans
    12

    Re: Protecting Against Malware From Other OSes?

    Well, what I was thinking is more or less: install Win8.1, install Ubuntu, boot from an Ubuntu live CD, encrypt the Ubuntu installation partition with VeraCrypt, turn the machine off, turn the machine on, boot to Win8.1, turn the machine off, turn the machine on, boot to the Ubuntu CD, decrypt the Ubuntu installation partition with VeraCrypt, reboot into the Ubuntu installation, reboot to the Ubuntu CD, encrypt the Ubuntu installation partition.

    If that makes sense. I just don't know how/if GRUB or any other boot loader would be very happy about it.

  8. #8
    Join Date
    Aug 2014
    Location
    Oregon
    Beans
    42
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Protecting Against Malware From Other OSes?

    If you really want to go that far with it, then by all means. You're probably going to break something or just waste your time though, as you're trying to prepare for something that is almost certainly not going to happen.

    Yes, in theory, it can happen. But, in the wild, this type of thing either doesn't exist, or is too small to even worry about it. So, I'd just not worry about it too much and just ensure that Windows is protected with antimalware and that you implement safe browsing habits.
    System76 Lemur5 (64-bit) - Antergos
    Dell Dimension 4500 (32-bit) - Win XP Pro (Down)
    Gateway NV59C (64-bit) - Ubuntu Mate 16.04
    2014 Mac mini - Sierra

  9. #9
    Join Date
    Nov 2013
    Location
    On the edge
    Beans
    872
    Distro
    Ubuntu

    Re: Protecting Against Malware From Other OSes?

    Originally posted by Kale_Freemon:
    Yes, in theory, it can happen. But, in the wild, this type of thing either doesn't exist, or is too small to even worry about it. So, I'd just not worry about it too much and just ensure that Windows is protected with antimalware and that you implement safe browsing habits.
    It's not that it's too small to worry about it. It's that this kind of attack is highly specialized. If there's someone willing to spend the time developing this custom attack to own you, then even if you manage to defend this one thing they'll find another way. Focus on how likely it would be that anyone would want in your computer that bad. Unless you're Ed Snowden, nobody wants your **** that bad. There are too many people running unpatched systems, old WordPress plugins, terrible SSH configurations, using crappy passwords. There's just no motivation for bad guys to bother with custom crap like you describe. Why work that hard when there is so much low-hanging fruit?

    Agreed: on the Windows side, use antivirus, ad blockers in browsers, and PATCH YOUR SOFTWARE.
    Last edited by bashiergui; July 1st, 2015 at 05:03 AM. Reason: Changed my mind
    Knock knock.
    Race condition.
    Who's there?
