Domain: qubes-os.org
Stories and comments across the archive that link to qubes-os.org.
Comments · 94
-
Re:Qubes OS anyone?
So they basically integrated, implemented, etc.. Qubes Linux as Windows?
Qubes Linux is a reinvention of Solaris zones from 20+ years ago...
-
Qubes OS anyone?
So they basically integrated, implemented, etc.. Qubes Linux as Windows?
-
Re:Should have used
First: Qubes OS. https://www.qubes-os.org/
Second: Regardless of IT staffs' intention, management makes the final decision to let the systems be locked down. In many cases, they don't.
-
VMs divide up your resources dynamically
A hardware division of your resources is problematic because they'll never be fully independent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware only solution.
From software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically to address what you are looking for and do so at different layers, for example Qubes OS lets you do a VM per window and color codes them. And something like BitVisor has a narrower focus on protecting your VPN keys and encrypting your harddrive, from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN, without exposing that information to your personal system. (and vice versa if you choose)
But sadly there are a lot of problems with virtualization that is secure these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.
-
Re:The very last thing I want is more bloat and mo
Qubes Hardware Compatibility List (HCL)
https://www.qubes-os.org/hcl/
-
Re: Specific apps?
"Has anyone else done this successfully?"
Check out Qubes OS https://www.qubes-os.org/ . Qubes is picky on HW requirements, but works well if you have the HW.
-
Isn't this what Qubes is for?
Separates different browser and email tasks into virtualized jails.
Kinda like Sandboxie. Speaking of which, sandboxie?
-
Re:So in other words...
I like the way Qubes OS is handling it.
https://www.qubes-os.org/video-tours/
It's almost like MS watched some of the videos...
-
Re:USB fishing
Sounds like a job for Qubes Anti-Evil Maid:
Qubes security guidelines dictate that USB devices should never be attached directly to dom0, since this can result in the entire system being compromised. However, in its default configuration, installing and using AEM requires attaching a USB drive (i.e., mass storage device) directly to dom0. (The other option is to install AEM to an internal disk. However, this carries significant security implications, as explained here.) This presents us with a classic security trade-off: each Qubes user must make a choice between protecting dom0 from a potentially malicious USB drive, on the one hand, and protecting the system from Evil Maid attacks, on the other hand. Given the practical feasibility of attacks like BadUSB and revelations regarding pervasive government hardware backdoors, this is no longer a straightforward decision. New, factory-sealed USB drives cannot simply be assumed to be “clean” (e.g., to have non-malicious microcontroller firmware). Therefore, it is up to each individual Qubes user to evaluate the relative risk of each attack vector against his or her security model.
For example, a user who frequently travels with a Qubes laptop holding sensitive data may be at a much higher risk of Evil Maid attacks than a home user with a stationary Qubes desktop. If the frequent traveler judges her risk of an Evil Maid attack to be higher than the risk of a malicious USB device, she might reasonably opt to install and use AEM. On the other hand, the home user might deem the probability of an Evil Maid attack occurring in her own home to be so low that there is a higher probability that any USB drive she purchases is already compromised, in which case she might reasonably opt never to attach any USB devices directly to dom0. (In either case, users can–and should–secure dom0 against further USB-related attacks through the use of a USBVM.)
-
Re:Breaking out of VMware
Like ESX, Xen is also a bare-metal hypervisor that is very secure (not counting QEMU, which is isolated in secure installations). Qubes OS is a desktop system based on Xen... https://www.qubes-os.org/
-
Re:USB temp device
I agree with this, and I would also like to add that using Qubes OS makes this a much less painful process. Not as simple as a point-and-click operation, but at least manageable.
-
Re:Quicker workaround
install Linux. Heck, in a VM if you're lazy.
In a VM if you're smart.... https://www.qubes-os.org/
-
Qubes OS + VPN
Install Qubes OS on a spare SSD, preferably on a computer that supports vt-d properly (older business class notebooks can be really good here if you're on a budget.) Choose KDE or XFCE for your DE, and decide whether you want to use Debian or Fedora for your templates[1]. Configure your DispVM to use a ProxyVM for connectivity using commercial VPN, paid for using bitcoin/giftcards/prepaid credit cards if you're feeling paranoid. (This will be something like $3 / month, depending on who you're buying with.) Make sure you configure the ProxyVM to fail-hard if you lose your connection to the VPN, as opposed to connecting over clearnet in the event of a VPN failure.
(Optional: use a Tor ProxyVM instead of a commercial VPN ProxyVM. Qubes does ship with Tor and Whonix VMs for this very purpose but this is tricky business... Tor exit nodes are definitely not to be trusted. If you did this, I would advise using a VPN layer in addition to Tor in order to protect yourself from the exit node... just make sure the VPN hop is coming AFTER Tor, not before. Also, expect plenty of transient performance hits.)
Next, customize your DispVM's browser to include extensions such as uBlock Origin[2], self-destructing cookies[3], and a user agent randomizer (which you should configure to only change to the more popular browsers currently in use.)
The result of all of this? Your DispVM is a stateless VM; all data is lost every time it's shut down (Joanna currently has it set to auto-shut down every time you close the browser, which I find annoying as hell but I guess it's handy for a lot of people.) Your browser extensions will help guard against tracking in-between DispVM restarts. And by configuring it to use the ProxyVM, you'll never be using your real IP address (and ideally you should alter your exit point from the VPN as well.) Unlike most VPN setups, a bug or exploit in the browser or in anything else in the DispVM's operating system will not leak data over the un-VPNed internet.
None of what I just said is trivial to set up, but guides are available and this setup would be extremely robust and easy to use (once configured.) The core of the Qubes UI/UX is in fact quite user-friendly, with an emphasis on GUI tools. It's also a pretty nifty hypervisor even if you don't give a toss about the increased security. It's damn fast, easily portable between different physical machines, templates are handy as hell, and all of your windows from all of your VMs (including your Windows 7 VMs) can appear in a single desktop with a single taskbar, alt-tab menu, etc. (KDE or XFCE; your choice.)
1. You could also build your own template using some other distro (like Ubuntu) if you really wanted. Templates allow you to have multiple VMs with different personal files but with the same apps and configuration (installing anything to the template instantly installs it on all VMs based on that Template.) Also, they're stupid fast.
2. This is basically Adblock Plus done right, with a dash of Request Policy and Noscript tossed in for good measure. You can easily toggle between blacklisting and whitelisting philosophies; it's awesome. (Note that uMatrix is available from the same author for people who want even more fine-grained control.) Note your whitelists / blacklists will be lost every time you shut down your DispVM, so if you've done a lot of tinkering be sure to export them and send them to another stateful VM to merge back into the DispVM image eventually. (This can be done with a simple right-click in a file browser.)
3. Not the best general purpose cookie manager but it's the easiest to use, particularly in a DispVM setup
-
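The "fail-hard" requirement in the post above is the part most often got wrong: a ProxyVM whose firewall still has ACCEPT defaults will quietly route the downstream VMs over the uplink the moment the tunnel drops. The following is an added example (not Qubes' own tooling and not code from the post) that audits an iptables-save style ruleset for exactly that property. The two rulesets, the interface names (eth0 uplink, tun0 tunnel, vif+ for the client VMs) and the endpoint 203.0.113.10 are constructed for the example.

```python
"""Audit an iptables-save style ruleset from a VPN ProxyVM for fail-closed
behaviour. Added example, not Qubes' own tooling. Rule text, interface names
(eth0 uplink, tun0 tunnel, vif+ client side) and the endpoint 203.0.113.10
are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    chain: str
    reason: str


# Constructed sample: traffic may leave only via the tunnel, or to the VPN
# endpoint on the uplink; everything else is dropped by the chain policy.
FAIL_CLOSED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -d 203.0.113.10/32 -p udp --dport 1194 -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o vif+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed sample of the failure mode the post warns about: ACCEPT
# policies mean that when tun0 disappears, packets fall back to eth0.
LEAKY = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o tun0 -j ACCEPT
-A FORWARD -i vif+ -o tun0 -j ACCEPT
COMMIT
"""


def parse_rules(ruleset):
    """Return ({chain: policy}, [token list for each -A rule])."""
    policies, rules = {}, []
    for line in ruleset.splitlines():
        line = line.strip()
        m = re.match(r"^:(\w+)\s+(\w+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules


def _option(tokens, flag):
    """Value following an iptables flag such as -o or -d, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit(ruleset, vpn_endpoint="203.0.113.10/32", tunnel="tun0",
          uplink="eth0", client="vif+"):
    """List everything that would let traffic bypass the tunnel.
    An empty list means the ruleset fails closed. The check is deliberately
    conservative: every ACCEPT in OUTPUT/FORWARD must be pinned to lo, the
    tunnel, the client side, or the VPN endpoint on the uplink."""
    policies, rules = parse_rules(ruleset)
    findings = []
    for chain in ("OUTPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(Finding(chain, f"default policy is {policies.get(chain)}, not DROP"))
    for tokens in rules:
        chain = tokens[1]
        if chain not in ("OUTPUT", "FORWARD") or _option(tokens, "-j") != "ACCEPT":
            continue
        out_if, dest = _option(tokens, "-o"), _option(tokens, "-d")
        if out_if in ("lo", tunnel, client):
            continue
        if out_if == uplink and dest == vpn_endpoint:
            continue
        findings.append(Finding(chain, f"ACCEPT via {out_if or 'any interface'} "
                                       f"to {dest or 'any host'} is not pinned to {tunnel}"))
    return findings


def fails_closed(ruleset, **kw):
    """True when audit() finds nothing, i.e. a VPN outage cannot leak to clearnet."""
    return not audit(ruleset, **kw)


if __name__ == "__main__":
    for name, rs in (("fail-closed", FAIL_CLOSED), ("leaky", LEAKY)):
        print(name, "OK" if fails_closed(rs) else [f"{f.chain}: {f.reason}" for f in audit(rs)])
```

On a real ProxyVM you would feed it the output of `iptables-save` instead of the embedded strings; the check only looks at the filter table, so NAT rules that rewrite the destination are outside its scope.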
Re:2016: Year of the Linux Desktop
I had two different people mod me troll in fairly quick succession long before anyone modded me up (plus another troll mod on another reply in this chain), so I felt the need to request a clarification. Obviously yes, it's the internet and people will do stupid shit but they didn't seem like posts that should have been particularly controversial.
Qubes isn't 100% perfect; there are a couple usability points that Joanna has apparently sacrificed in the name of security, namely GPU passthrough for Windows (e.g. for 3d gaming) and automatic icon transfer to Dom0 (improving, but still far from perfect.) And there are a handful of relatively minor bugs I've seen, but overall the learning curve is remarkably shallow for what it's actually doing behind the scenes (and also the performance has been utterly astonishing, at least for someone like me who is coming over from Virtualbox.) Everything is very GUI-centric, and of the things that still require the CLI it's generally pretty straightforward (with well-written man pages) and Joanna has expressed the intention to eventually have it all doable via GUI.
It is supposedly possible to build an Ubuntu template for Qubes but I've never tried. Qubes ships with Debian 8 but I think 7 and 9 are available as well, so if Debian unstable fixes the issue that might be the best way forward if you wanted to try Qubes.
Of course, almost any distro is easily installable as an HVM (which is the label Qubes and Xen use for a "second desktop" approach akin to Virtualbox or QEMU / KVM), but you won't have the window mixing, clipboard sharing, PV / PVH drivers (necessary for the near-native speeds Qubes' templates offer) or easy file sharing functional right out of the box.
-
Re:2016: Year of the Linux Desktop
Because you don't have to run all of your applications in Windows? You can do the absolute minimum amount of work in Windows, only the stuff that you need Windows for, and then right-click to instantly send those files over to a Linux VM. The extra work involved is trivial. If you're apathetic about the differences between Windows and Linux desktops then that might not be much of a win[1] , but tnok85 (the person I was replying to) said that he preferred Linux desktops.
Also, even if you only ran Windows 7 in Qubes (not using any Linux VMs other than the built in connectivity ones that are already configured for you), it's still actually a "Linux Desktop". You never have to look at the start button if you don't want to--all of your Windows 7 applications can appear seamlessly in KDE or XFCE.
Also, Qubes' template system can be applied to Windows 7 in addition to Linux VMs. You can[2] very easily create multiple Windows VMs based on the same base image. There are a lot of ways you could use this functionality, but one possibility is one Windows VM could be strictly offline for security, one could be a regular online Win7 VM, and a third one could exclusively use a VPN or Tor ProxyVM for internet connectivity. And any application you install in the Win7 template would automatically propagate to all VMs based on that template (multiple templates are possible, either from-scratch or by cloning.)
Almost all of this is doable using GUI tools (I think you might need a tiny amount of CLI usage for setting up a Win7 template but there are guides available.)
1. Except to the extent that using a hypervisor like Qubes is *great* for easy portability and security. System==>BackupVMs==>[just a few clicks later]==> done. Your entire environment is now copied over and transferable to any other physical machine running Qubes. No CLI fiddling required (unless you want to), and you can even encrypt the backup without jumping through any extra hoops.
2. Well, the precise legality of this is... a gray area, but certainly you could do this legally if you had the right license from MS, or multiple licenses.
-
Re:Can we use a VM for all programs?
Isn't that what Qubes is all about? https://www.qubes-os.org/tour/...
-
Re:Crucial question
There are plenty of security-focused Linux OSes, e.g. Tails, Qubes, Whonix, Ubuntu Privacy Remix, Kali Linux - just to mention a few. And then there is also the whole BSD family of free Unix OSes, which are very security vetted, e.g. NetBSD, OpenBSD and FreeBSD. So I'm not sure what you mean by "the linux community is not capitalizing on the situation"..?
-
Re:Rubby Ducky
Sorry about the bad link. The correct one is https://www.qubes-os.org/
-
Re:requires physical access to USB port
That is a "fix" only if vendors maintain perfect security of their keys. The better solution would be to prevent any modification without a convoluted physical attack on the device innards... using ROMs for instance.
Also, knowing that endpoint security cannot realistically have multiple TCBs acting in parallel (hence, a large attack surface), the best design decision is to make critical peripherals (like keyboards and displays) as dumb as possible.
The complex bits should either be in the CPU or tightly bound to it. Otherwise, if you need to add complexity from other vendors and/or use flimsy security, then such peripherals can be contained in unprivileged contexts.
-
Re:WTF is Qubes?
https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it loo[k]s like they are all about the security, so this is kind of a big deal for them.
"All about security", so they insert "user ALL=(ALL) NOPASSWD: ALL" in sudoers, right? And a PolicyKit rule for anybody to do anything? And DOM0 is set up with no-password root access? I gotta tell ya, those are real head-scratchers. They have some great ideas, but I'm not sure they are living in the same world I am.
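The sudoers line quoted in this comment is the kind of thing worth catching in an audit regardless of why a given system ships it. The following is an added example (not from the commenter and not Qubes' code) that scans sudoers text for grants usable without a password and rates them; SAMPLE_SUDOERS is constructed and contains the exact rule quoted above.

```python
"""Flag passwordless privilege grants in a sudoers file. Added example, not
part of the page or of Qubes; SAMPLE_SUDOERS is constructed and includes the
exact rule quoted in the comment above."""
import re

SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
# NOPASSWD: ALL inside a comment must be ignored
"""

# user host=(runas) [tags:] commands   -- the common sudoers rule shape
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def find_passwordless(text):
    """Return [(line number, severity, message)] for every rule usable without
    a password. 'high' means the grant is unrestricted (ALL) or global."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # 'Defaults !authenticate' switches off password prompts for everyone.
        if line.startswith("Defaults") and "!authenticate" in line:
            findings.append((lineno, "high", "Defaults !authenticate turns off password prompts"))
            continue
        m = RULE_RE.match(line)
        if not m or "NOPASSWD:" not in m.group("cmds"):
            continue
        granted = m.group("cmds").split("NOPASSWD:", 1)[1].strip()
        # Strip any further tags (SETENV: etc.) so only the command itself remains.
        commands = [c.split(":")[-1].strip() for c in granted.split(",")]
        severity = "high" if "ALL" in commands else "medium"
        runas = m.group("runas") or "root"
        findings.append((lineno, severity,
                         f"{m.group('who')} may run {granted} as {runas} without a password"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in find_passwordless(SAMPLE_SUDOERS):
        print(f"line {lineno} [{severity}]: {message}")
```

Note that `visudo -c` only validates syntax; it will happily accept the quoted line, which is why a policy-level scan like this one has to be a separate step.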
-
WTF is Qubes?
https://www.qubes-os.org/ claims (tongue in cheek) to be "Reasonably secure." Really it looks like they are all about the security, so this is kind of a big deal for them.
https://www.qubes-os.org/tour/...
What is Qubes OS?
Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.
-
Solution: Use the right OS
Seems to me this very problem is what operating systems like Qubes were designed to address.
Since you can run the browser in two different environments for different purposes, it is possible that you only have Lastpass accessible when you're visiting trusted websites and you use the browser in the "untrusted" environment which does not have access to Lastpass when you surf random sites.
Then for someone to use this method to get your passwords, they have to hack a website you consider trusted.
Problem solved in a way that allows for the inevitable bugs and flaws in each app.
-
Re:depressing
That's why you should only browse inside VMs (esp. an OS that makes all apps run inside VMs)
... preferably running on a tight, bare metal hypervisor. Browsers themselves are way too complex to ever secure them from within. They need to run in strong containment if you want to avoid a high level of risk.
-
Qubes Split-GPG
Here is their description:
Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the “smart card” plays another Qubes AppVM. This way one, not-so-trusted domain, e.g. the one where Thunderbird is running, can delegate all crypto operations, such as encryption/decryption and signing to another, more trusted, network-isolated, domain. This way the compromise of your domain where Thunderbird or another client app is running – arguably a not-so-unthinkable scenario – does not allow the attacker to automatically also steal all your keys. (We should make a rather obvious comment here that the so-often-used passphrases on private keys are pretty meaningless because the attacker can easily set up a simple backdoor which would wait until the user enters the passphrase and steal the key then.)
The diagram below presents the big picture of Split GPG architecture.
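The description above has two moving parts: a policy that decides which client domain may call the vault, and a vault that answers with signatures but never with key material. The following is an added example (not Qubes' code and not from the post) that models both. POLICY imitates the Qubes 4.0 `/etc/qubes-rpc/policy/qubes.Gpg` layout (source, destination, action; first match wins) but is constructed; HMAC-SHA256 stands in for a GPG signature, and the VM names work-email, work-gpg, untrusted and personal are assumptions.

```python
"""Model of Split GPG delegation: a client domain asks a network-isolated
vault domain to sign, the vault consults a qrexec-style policy and returns
only a signature. Added example, not Qubes' code. POLICY is constructed in
the style of the Qubes 4.0 qubes.Gpg policy file; HMAC-SHA256 stands in for
a GPG signature and the VM names are assumptions."""
import hashlib
import hmac
import secrets

POLICY = """\
# source      destination   action
work-email    work-gpg      allow
untrusted     work-gpg      deny
$anyvm        work-gpg      ask
$anyvm        $anyvm        deny
"""

WILDCARDS = ("$anyvm", "@anyvm")   # 4.0 and 4.1 spellings of the wildcard


def parse_policy(text):
    """Return [(source, destination, action)], ignoring comments and options."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, action = line.split()[:3]
            rules.append((src, dst, action.split(",")[0]))  # drop ",target=..." style options
    return rules


def decide(rules, src, dst, ask_user):
    """True if src may call the service on dst. 'ask' defers to the user
    prompt (the dom0 confirmation dialog in real Qubes); no match means deny."""
    for rsrc, rdst, action in rules:
        if rsrc in (src,) + WILDCARDS and rdst in (dst,) + WILDCARDS:
            if action == "allow":
                return True
            if action == "deny":
                return False
            return bool(ask_user(src, dst))
    return False


class GpgVault:
    """Stand-in for the 'work-gpg' VM. The key is generated here and there is
    deliberately no method that returns it, so a compromised client can only
    obtain signatures for data it submits while the policy permits."""

    def __init__(self, name, rules, ask_user=lambda src, dst: False):
        self.name, self._rules, self._ask = name, rules, ask_user
        self.__key = secrets.token_bytes(32)

    def _authorize(self, caller):
        if not decide(self._rules, caller, self.name, self._ask):
            raise PermissionError(f"qubes.Gpg: {caller} -> {self.name} denied")

    def sign(self, caller, data):
        self._authorize(caller)
        return hmac.new(self.__key, data, hashlib.sha256).hexdigest()

    def verify(self, caller, data, signature):
        # Symmetric stand-in: verification needs the key, so it lives here too.
        self._authorize(caller)
        expected = hmac.new(self.__key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def run_demo():
    """Exercise the three policy outcomes with a user who declines prompts."""
    vault = GpgVault("work-gpg", parse_policy(POLICY), ask_user=lambda s, d: False)
    message = b"signed from the mail client"
    results = {"work-email": vault.verify("work-email", message, vault.sign("work-email", message))}
    for caller in ("untrusted", "personal"):
        try:
            vault.sign(caller, b"attempt")
            results[caller] = True
        except PermissionError:
            results[caller] = False
    return results


if __name__ == "__main__":
    print(run_demo())  # {'work-email': True, 'untrusted': False, 'personal': False}
```

The point the post makes about passphrases carries over directly: nothing in the client's reach lets it read the key, so compromising work-email yields at most signatures on data the policy let through, each of which is visible to the user when the rule is `ask`.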
-
Re:A word to the wise
> So it's an OS?
> Is a Linux derivative?
Is Qubes just another Linux distribution?
> Can it run software targeted as other OSes?
Managing Operating Systems within Qubes
> Does it has system?
???
> Is it targeting anything specific in terms of hardware.
> Or purpose (embedded, desktop, phone, server)?
-
Qubes 3.1 released today
In other news: Qubes 3.1 was released today. Get it at https://www.qubes-os.org/
What is Qubes OS?
Qubes is a security-oriented operating system (OS). The OS is the software which runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.
Why is OS security important?
Most people use an operating system like Windows or OS X on their desktop and laptop computers. These OSes are popular because they tend to be easy to use and usually come pre-installed on the computers people buy. However, they present problems when it comes to security. For example, you might open an innocent-looking email attachment or website, not realizing that you’re actually allowing malware (malicious software) to run on your computer. Depending on what kind of malware it is, it might do anything from showing you unwanted advertisements to logging your keystrokes to taking over your entire computer. This could jeopardize all the information stored on or accessed by this computer, such as health records, confidential communications, or thoughts written in a private journal. Malware can also interfere with the activities you perform with your computer. For example, if you use your computer to conduct financial transactions, the malware might allow its creator to make fraudulent transactions in your name.
Aren’t antivirus programs and firewalls enough?
Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any popular antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best antivirus programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s typically too late for those who have already been compromised. In addition, bugs are inevitably discovered in the common software we all use (such as our web browsers), and no antivirus program or firewall can prevent all of these bugs from being exploited.
How does Qubes OS provide security?
Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated virtual machines (VMs). A VM is basically a simulated computer with its own OS which runs as software on your physical computer. You can think of a VM as a computer within a computer.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated VMs so that one VM getting compromised won’t affect the others. For example, you might have one VM for visiting untrusted websites and a different VM for doing online banking. This way, if your untrusted browsing VM gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use, “disposable” VM. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
-
Re:Is there no actual answer?
> Qubes is a very interesting Linux distro.
> However, its USP is security, instead of the 3D Web 4.0 synergistic paradigms the submitter is asking.
I'll second that. Qubes is very innovative in the area of security.
-
Innovative OSes in 2015
Nothing as far as a distro (or desktop environment) with 3D VR or AI comes to mind but there is innovation in OS going on. Not many have attempted to answer the OP, so here's my list. Others mentioned Qubes, Urbit, and Mirage.io, which reminded me of Nix OS and HaLVM.
Both innovative and seems daily-driver ready:
1. Qubes OS - https://www.qubes-os.org/ - Linux distro that runs a Xen hypervisor to contain every app (including Windows ones) away from the desktop environment
2. Haiku OS - https://www.haiku-os.org/ - Tiny (under 200MB installed), Non-Linux that is binary-compatible with BeOS, nice understated GUI that is bland but usable
3. ReactOS - http://reactos.org/ - Win32 compatible open source OS, very active development scene working toward full NT kernel ABI compatibility. Seems stable enough to be a daily driver but hardware support is lacking
4. PC-BSD & freeBSD 10 - http://www.pcbsd.org/ http://www.freebsd.org/ - PC-BSD is a desktop distro of freeBSD 10 built for user-friendliness with automatic ZFS snapshoting and a nice graphical package manager, freeBSD 10 has a completely new package manager (pkg-ng replaces the 'pkg' binary)
5. Nix OS - https://nixos.org/ - Linux distro with innovative package manager promising atomic upgrades & rollback.Innovative server-exclusive (ie no GUI):
5. SmartOS - https://smartos.org/ - Solaris + KVM + Docker w/ full Dtrace support. Claims ZFS as an innovation? Joyent is running a cloud of it
6. CoreOS - https://coreos.com/ - Linux distro exclusively for large Docker deployments. developing a suite of Go tools for datacenter management.
Innovative, but not ready for desktop use:
7. Redox OS - http://www.redox-os.org/ - OS written in Rust (rust-lang), which guarantees a lot of memory-safety, screenshots of desktop in 'News' section
8. Contiki OS - http://www.contiki-os.org/ - Linux distro for IoT embedded devices that claims an innovative network stack
9. Urbit - http://urbit.org/docs/user/int... - *nix distro with exclusively web-based userland, invite-only at the moment, doesn't seem like it will have a UI but that each user is the dev of their own interface
10. Mirage.io - http://mirage.io/ - Develop each app and compile into a single-purpose kernel to be run on some hypervisor
11. HaLVM - https://github.com/GaloisInc/H... - The Haskell Lightweight Virtual Machine - which runs just the GHC on Xen, another 'build uni-purpose VMs' system
-
Qubes
Probably the most 'innovative' in that its approach is very non-traditional. Seems like a good idea at this time:
-
Re:Is there no actual answer?
Qubes is a very interesting Linux distro.
However, its USP is security, instead of the 3D Web 4.0 synergistic paradigms the submitter is asking.
-
Re:XEN PV mode is dead
That may be the case for cloud deployment. However, there are other very important areas that PVs are being used. For example: qubes, a security focused Linux distribution https://www.qubes-os.org/.
In addition, there is actually a full spectrum between PV and HVM: http://wiki.xen.org/wiki/Xen_P.... Very few use straight HVM, generally it is HVM + PV Drivers. Linux on Xen ends up using PVHVM. The sweet spot for Open Source OSes under Xen is PVH.
-
Re:Bug in English
that would not let similar flaws to plague the hypervisor ever again
Can we trust people to critique code who can't even manage English grammar?
Yes. Very few programs are written in English. C is more common.
And looking at the Qubes OS team https://www.qubes-os.org/team/, I'd bet English isn't the primary language for most of them.
-
potential solution
-
Re:Exploit for machines that are already compromis
Like Windows, Linux is a complex rambling Swiss cheese and privilege escalations are pretty common.
Lean security protocols need to come first, which is why Qubes OS is based on a Type 1 hypervisor (Xen). An attacker can try to use an exploit (like in OP) all they want in an untrusted domain, but they aren't going to get access to the hardware (or the other VMs, unless the user has done something to specifically expose those VMs to the attack).
-
Re:I know you're all joking, but how I envisioned
Sounds like QubesOS.
-
Re:TFS is correct
It's already implemented.
The powers that be have chosen "No one is cyber-secure" for you.
Granted, nothing is perfect. But I'd like to see any demonstration of hacking a system like this.
Or, rather, I'd like to see them try.
Real network security is defined by the quality of its endpoints. And to have secure endpoints we need a personal computing culture that values openness as the first step to better security.
-
Re:Some Real Advice
- Firejail. Google it. Won't protect you against local kernel privilege escalation attacks, though.
Yes, contingency planning is good. Yes, single points of failure are bad. But you can get very, very good communication security if you really try.
Qubes OS should protect you against privilege escalation *and* VM breakout attacks where sandboxes like 'Firejail' do not. It's a hardened hypervisor-based desktop OS that isolates elements like graphics and network IO from each other using a system's IOMMU if necessary. It's single-user, and all security is implemented using the hypervisor.
Qubes is put out by white-hat hacker group Invisible Things Lab who switched their focus when they saw the need to do something about endpoint security. Their philosophy is to use the strongest means possible for isolation short of airgapping as a way to manage the complexity (large attack surface) of the personal computing environment; The security models of monolithic OS kernels
A bonus of isolating all the risky activities away from the graphics system is exposition: The windowing system becomes a reliable means to represent security context using window-frame colors and domain labels assigned by the user to the various VM domains.
-
qubes
Docker reminds me of Qubes in some ways. https://qubes-os.org/
-
Demote 99% of the vulnerabilities
Keep all the complex interfaces and code if you need them, but put them behind a very small paravirtualization codebase ingrained into the OS which keeps them isolated -- from the core system, and from each other. Really, even your devices like USB controllers and NICs can be treated as untrusted in this way if you have an IOMMU. And you can have it in a normal desktop GUI.
Kernel-implemented security is a failure; it's ridiculous to go through continued years & decades of pain by relying on it and worrying about breakouts from its weak sandboxing tactics.
-
Re:Immune system for operating systems?
This is the one thing QubesOS could use to improve its security-by-isolation approach: Detection and repair in VMs. Even if you assume the hypervisor stays safe (and therefore, your trusted VMs stay safe), you're still relying on VMs to get everything done and the VMs doing the risky tasks are vulnerable to attack. It would be nice if those less-trusted VMs could get automatically restored after a successful attack.
-
Re:HTTPS Everywhere
Then you may like this... http://www.qubes-os.org/
-
Re:Do I need to be concerned about this?
Thankfully, it is possible to secure USB in a less extreme way. An OS like Qubes that can configure devices for automatic reassignment to an unprivileged domain (i.e. virtual machine) can protect the hypervisor, BIOS, etc. from incidental attachment of malicious USB devices.
Currently, a Qubes user/admin can do this from the GUI on a per-USB-controller basis, but in future will be able to employ Xen PVUSB functionality to manage USB on a per-device basis.
-
Re:Does the nature of the business hold it back
Security by isolation is one way to solve that problem. With a hypervisor designed for strong security instead of primarily for convenience as is usually the case, users can safely allocate their tasks and data to different domains. For instance, 'Work' and 'Personal' could be two domains that have network access, whereas 'Vault' would hold the most sensitive info (like certain keys and passwords) and have no networking. An 'Untrusted' domain is used for most of the general web surfing -- reading articles, watching video streams, etc. On Qubes, there is also a TorVM package that facilitates the creation of anonymous domains.
So, whatever "happens in Vegas stays in Vegas". Qubes even assigns high-risk hardware, like NICs, to their own unprivileged domains.
The nice thing about this setup is that the window manager resides in the privileged domain and both the WM and its graphics stack are isolated from attacks originating in the VM domains. Further, each domain is assigned a border-color when it's created so you can always get an idea of what is running in which context by glancing at the desktop. A compromised browser in 'Untrusted', for instance, could put up a window asking for admin access to the privileged domain, but the red border (and [untrusted] marker in the title) would give it away.
Copy/paste and file copy between domains are also protected; they are integrated into the UI so as to require a confirmation step so the privileged domain knows the user really intends to perform the action.
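The confirmation step the comment above describes is driven, in Qubes, by per-service policy files in dom0 that decide whether an inter-VM request is allowed, denied, or must be confirmed by the user. The following is an added example, not code from Qubes OS or from any commenter: a small evaluator modelled on the Qubes 3.x/4.0-era policy line syntax (`<source> <destination> <action>`, first matching line wins, actions `allow`/`deny`/`ask`, `$anyvm` as a wildcard). The domain names and the policy text are constructed to match the 'Work'/'Personal'/'Vault'/'Untrusted' layout above; the real parser supports more keywords (`$dispvm`, `$tag:`, `$default`) and newer releases have moved to an `@`-prefixed, service-qualified format, so treat the syntax here as a simplified assumption rather than a reference.

```python
"""Simplified model of Qubes-style inter-VM policy evaluation (constructed example).

Each policy line reads "<source> <destination> <action>". Lines are checked in
order and the first match decides; "ask" means dom0 must prompt the user before
the copy/paste proceeds. "$anyvm" matches any domain name. Anything after a
comma in the action (e.g. "ask,default_target=work") is an option and is
ignored here. Trailing "#" comments are a simplification of this example.
"""

from dataclasses import dataclass
from typing import List

ACTIONS = {"allow", "deny", "ask"}


@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    action: str


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into an ordered rule list; malformed lines are rejected."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'source dest action', got {raw!r}")
        src, dst, action_field = parts
        action = action_field.split(",", 1)[0]  # drop options such as ",target=..."
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(src, dst, action))
    return rules


def _matches(pattern: str, name: str) -> bool:
    return pattern == "$anyvm" or pattern == name


def decide(rules: List[Rule], source: str, destination: str) -> str:
    """Return the action for a request from `source` to `destination`.

    No matching line means the request is refused: the policy fails closed.
    """
    for rule in rules:
        if _matches(rule.source, source) and _matches(rule.destination, destination):
            return rule.action
    return "deny"


# Constructed sample policy for a file-copy style service.
SAMPLE_POLICY = """
# secrets never leave the offline vault, whatever the user clicks
vault $anyvm deny
# the general-browsing domain may not push files into the work context
untrusted work deny
# everything else needs an explicit confirmation in dom0
$anyvm $anyvm ask
"""

SAMPLE_RULES = parse_policy(SAMPLE_POLICY)


if __name__ == "__main__":
    for src, dst in [("vault", "work"), ("untrusted", "work"),
                     ("work", "personal"), ("personal", "vault")]:
        print(f"{src:>9} -> {dst:<8}: {decide(SAMPLE_RULES, src, dst)}")
```

The ordering matters: because `vault $anyvm deny` precedes the catch-all `ask`, a user cannot be tricked into confirming an outbound copy from the vault at all, whereas work-to-personal copies fall through to the prompt the comment describes. An empty or non-matching policy denies by default, which is the fail-closed behaviour a practitioner should expect from the dom0 side of this mechanism.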