A question I have about exploits is how they’re considered ‘spent’ by those who wield them. The threat of ‘wasting’ exploits comes from detection and reverse engineering, with the latter being the fatal blow (detection alone might provide pieces of the puzzle, sometimes intentionally misleading). As far as I can tell, much sophisticated modern malware has ways to obfuscate and self-destruct to protect the value of the investment(s) contained within.
However, with less savvy targets like journalists and whistleblowers, this isn’t even a concern unless they have experts analyze the compromised VMs after the fact (which requires them to have detected the intrusion in the first place). If you’re a target who’s been driven to use Qubes, the value of the potential payoff is worth the risk, as you’ve noted. However, even when dealing with cybersecurity veterans, I think sophisticated malware can avoid reverse engineering most of the time. Then again, I’m not incredibly well-informed on this.
You’re right that plenty of people who use Qubes do not have the skill or tools to do this analysis. Even still, we are talking about exploits which would provide kernel mode access to literally any Linux system, just by sending a packet through the system. This is an exceptionally valuable exploit. Even if you are not expected to be able to detect it, questions would be asked about the risk of such detection.

The problem with exploits is that unlike malware, they have to conduct their attack mostly in the open. It is very difficult to obfuscate the initial exploit because it must be interpreted and run in code which is designed not to run it. Any obfuscation just makes the exploit less likely to work, or worse, more likely to misbehave and cause obvious
Anyways, it’s hard to articulate my gut feeling, but the gist of it is that the Linux kernel is a highly sought-after target for obvious reasons and having sys-net based on it is risky, despite what the technical limitations for an attacker might seem to be–‘unknown unknowns’ and all that. This beachhead, disposable or not, can be used as the staging ground for a system-wide attack that may or may not use side-channel attacks. Because of this, there should be an Ethernet unikernel for those who feel they need it, and those users really shouldn’t be using wifi anyways, obviating the need for a wifi unikernel that would significantly complicate it. I hope I don’t come across as nitpicky and demanding, especially since I can’t really contribute to the development of such a unikernel (maybe I can help with non-technical tasks?)
It absolutely is a highly sought-after target. But this provides some protections too. There are plenty of organisations trying to secure the kernel as well.

This goes back to the most secure computer on the planet. It’s powered off, encrypted, no-one knows the key and the vault it’s locked in is lead lined. But no beachheads. At some point, if you want a useful computer, you need to expose something. While sys-net seems quite exposed, it’s still one of the more secure options out there.

So far as helping with development, there are plenty of non-technical options. Things such as threat modelling (which is basically this thread with a few extras), and community development are probably the most useful at this early stage.