Slashdot Mirror
Researcher Releases Hardened OS "Qubes"; Xen Hits 4.0
Trailrunner7 writes "Joanna Rutkowska, a security researcher known for her work on virtualization security and low-level rootkits, has released a new open-source operating system meant to provide isolation of the OS's components for better security. The OS, called Qubes, is based on Xen, X and Linux, and is in a basic, alpha stage right now. Qubes relies on virtualization to separate applications running on the OS and also places many of the system-level components in sandboxes to prevent them from affecting each other. 'Qubes lets the user define many security domains implemented as lightweight virtual machines (VMs), or 'AppVMs.' E.g. users can have 'personal,' 'work,' 'shopping,' 'bank,' and 'random' AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.'"
Xen's also just reached 4.0; some details below.
Dominik Holling writes "With a small announcement on their mailing list, the open source community hypervisor Xen has reached the official release of version 4.0.0 today. The new features are: 'blktap2 (VHD support, snapshot discs, ...), Remus live checkpointing and fault tolerance, page sharing and page-to-disc for HVM guests, Transcendent memory (http://oss.oracle.com/projects/tmem/).' A complete list of all changes can be found on the Xen wiki and the source can be found on the official website and the Xen Mercurial repositories."
I wonder how it will be when it hits stable, and what support it will have for devices
Someday we'll hit the human carrying capacity. And the band will just play on.
Still, this is still a great advancement... will be interesting to see what performance impact this has.
Make sure everyone's vote counts: Verified Voting
With the proliferation of multi-core CPUs and GPU clustering, I wonder how long until VMs simply become entirely separate physical systems sitting on your motherboard.
I'd like to read a serious comparison between this and jails in FreeBSD and sandboxes in Mac OS.
I think a lot of these ideas have been around for a very long time but they are such a pain in the ass, very few people actually use them.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
This idea is an example of failing to understand the problem.
The problem with security comes from several primary sources:
1. Complexity. Too many layers with poorly understood security implications. This lady might actually understand the monster she spawned but no admin trying to implement it will understand all of the corner cases. See SELinux.
2. Shoddy coding. So this gets tossed over the wall and will (assuming it is to matter) be completed by people who don't really understand it. Unless this one proves an exception it won't ever get a proper top to bottom security audit of the codebase. So it will have all the bugs in Linux, Xen and the hardware bugs in the virtualization layer and then it will add a whole new set of bugs to exploit.
And this one adds the fact it doesn't even try to secure the apps, it tries to stop misbehaving apps (like SELinux) from accessing things it shouldn't If history shows anything, giving an attacker any access to run code locally gives them all they need to leverage it into root eventually.
Democrat delenda est
This approach seems similar to the one taken by Microsoft in their Singularity OS. I wonder if the issue of context switching will become an issue and if it does, how will it be addressed.
Let me begin by saying that this sounds like a truly interesting approach to security. Virtualization technology defines very clear hardware-enforced boundaries between software domains. In the standard case, those domains contain different operating systems, each of which are provided privilege level-based sub-domains. In this particular case, each domain is dedicated to running sets of user-space applications, and the hardware boundary is used for userspace isolation, as opposed to virtual machine OS isolation.
So my "home" domain is infected, but my intellectual property is in my "work" domain. The virtualization boundary means that a virus can get Ring 0 access and still not be able to touch those IP files. Hurray ... except wait. There must be an interface between the "home" domain and the hypervisor, else things like copy-and-paste and hardware resource arbitration can't work. Here's what some infection paths would look like:
Maybe the paths can be locked down better, but a vulnerability is a vulnerability. It's clearly harder for a virus to get full control, but that's just throwing another obstacle in the way. If one is bad, and two is better, maybe three is even better, but nothing's perfect. Why is the domain-to-hypervisor path considered any more secure than the userspace-to-kernel path? If it's not, you're just adding more complexity, which could mean more potential for vulnerabilities! If you're locking down privilege boundaries, kernels like FreeBSD (jails) and even userspace execution environments like Java (JVM) have been working on that for years.
It's cool, but I doubt it will be game-changing.
Since KVM is in the mainline and redhat is now supporting that 100% this seems like a bad time to start anything on Xen.
To which I say good riddance, virtualization is just another app and kvm gets this right.
The Remus stuff in Xen is very cool. A couple of days ago there were some posts about HP's NonStop stuff as an example of something you could do with Itanium but not with commodity x86 crap. Remus means that you can. It builds on top of the live migration in Xen to keep two virtual machines exactly in sync.
Computers are deterministic, so in theory you ought to be able to just start two VMs at the same time, give them the same input, and then see no difference between their state later on. It turns out that there are a few issues with this. The most obvious is ensuring that they really do get the same input. This means that they must handle the same interrupts, get the same packets from the network, and so on. Anything that is used as a source of entropy (e.g. the CPU's time stamp counter, jitter on interrupts, and so on) must be mirrored between the two VMs exactly. This was already possible with Marathon Technology's proprietary hypervisor on x86, but is now possible with Xen.
As with the live migration, you can kill one of the VMs (and the physical machine it's running on) and not even drop network connections. This leads to some very shiny demos.
Oh, and I should probably end this post with a gratuitous plug for my Xen internals book
I am TheRaven on Soylent News
Looks like a nice approach to program isolation. A system which was in some ways similar to Qubes was developed for Windows known as WindowBox. My research takes another approach, program restriction. Systems such as SELinux and AppArmor allow precise policies to define the types of actions and resources which are made available to each application. However, the finer the granularity of privilege assigned, the more detailed and complex policies become. The system I created for my PhD research, FBAC-LSM, restricts applications based on the functionalities they perform. Eg Web Browser, Email Client, Image Viewer etc. Then the programs can not act beyond the things they need to do, and the damage which can be caused by vulnerabilities and malware is severely limited. Basing policy on functionalities means that policy is easier to construct (since it is based on high-level abstrations) than other systems based on fine grained restrictions. The advantages compared to isolation systems such as Qubes is that normal work flows (where a user creates, views, edits and shares the same files with many different apps) can be used while each application is restricted to the privileges it needs. FBAC-LSM is in development and is available as free open source software: http://schreuders.org/FBAC-LSM
Saw Qube.
Thought Cobalt.
Leaving sad.
Edward@Tomato - /home/Edward/ man woman
man: no entry for woman in the manual.
"Qua!?"
I've had a lot of problems with EC2 that upgrading to at least 3.3 would
fix. I just hope Amazon would start thinking about upgrading EC2 or migrate
it from Xen as they seem to have gotten stuck with 3.1 and I've seen
nothing that indicates there's going to be an upgrade.
The real issue still resides. The end users (PEBKAC). Take my father for example. Sure you have a Qube for banking and Qube for work and a Qube for home use. Now the home use one where he does his "Magic" or whatever he does to infect/taint/destroy any PC I put in front of the man, gets entirely infected Spywared/Malwared/chuncked and muddled. So he can't get to his phishing emails about how to make millions in the internets and by getting the diamonds out of Namibia. He cant do that from the infected Qube. He'll then go up the chain to his private banking Qube to install his makingmillions.exe so it will work again. Long story short.... Some people cannot help themselves but by being victims. I'd give the man Linux but he always finds a reason it's keeping him from being successful... I know by keeping these Qubes sandboxed it will be harder for it to get the taint, but they will find a new way to find my father.
Nothing new. This is basically the Immutable Service Containers architectural pattern. i.e. A Secure Execution Container for each service or application, everything denied by default, open up only whats needed. We do this with opensolaris today.
just some trivia information, it is a _guy_ who had his gender changed some time ago. actualy he/she looks quite cute :)
some more info here:
http://www.rutkowska.yoyo.pl/
(to get rid of banner there is arrow in top right corner)
I have been experimenting with virtualization for a couple years now. The best solution I have found is to run a FreeBSD 8.0 host. All the desired BSD compatible services run within a jail. Services that require Windows or Linux run in Headless VirtualBox instances.
Application virtualization having similar sandboxing has been out for several years now.
Great ... another 'OS' that has its own new set of problems ... plus before its actually useful in the real world you'll have to come up with ways to give it all the speed power and flexibility of the OSes we use now, which it doesn't have ... by the time you add it back you'll end up right back where you are now.
Apps and data is useless on an island. When you're on an island you're safe from attackers.
To actually do something useful however, data needs to move on and off the island, at which point, you're right back to square one more or less. The only difference is now you've got an OS ... that loads another OS ... that loads (in a virtual process space) an application.
I realize that abstraction can be a good thing, but considering that all thats being done here is literally adding another layer of abstraction with no additional benefits ... it would seem the right thing to do was just make a few tiny mods to the existing OSes rather than create a whole new one which is basically a copy of existing ones with a ever so slightly different core.
Lets face is, 'hardware virtualization support' is nothing more than a newer/slightly different implementation of what we've already had in processors for years. We've already had 'hardware virtualization' for years, this is just one more layer on top of the already existing support that does the same thing.
Why the hell would you be so retarded to assume its going to be different now, just because we've added more abstraction and code, its going to be safer? My experiences show the exact inverse to be true when you add code and complexity :/
Stop calling them 'hypervisors' its a freaking OS, except unlike what we normally think of as an OS with a kernel and a software defined API to get something done, you have an OS with a kernel and a software that emulates a hardware interface so it can run software with a kernel and a software defined API to get something done. Perhaps just fix the software defined API to isolate properly cause by the time you make your hypervisor OS useful like the traditional OS, its not going to be so isolated.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
That is actually a common misconception in the open source community. All dildos work well in an anus as well as they do in a vagina.
This is misleading. Ideally all butt tools have a FLARE (getting wider on the outside part). That's because objects are, ummmm, how do you say this, more likely to be sucked up and LOST back there.
That's the most important design difference with such equipment.
Stay safe and out of the emergency rooms, everyone!
IBM's virtual storage OSes (OS/VS1 through the current z/OS all share a lot of common componentry) in conjunction with hardware architecture have similar ideas: Each system service runs in its own address space. You have to be an authorized system service to communicate between address spaces, if you try otherwise your program fails. If you try to store outside of your virtual address range, your program fails. To become an authorized program requires permission in one way or another from system administrators, you can create one marked "authorized" but if it isn't loaded into storage from an authorized file (controlled by admins), your program will not execute in an authorized state. In addition, each hardware page has a storage protect key. Application programs run in key 8, important parts of other system services run in different keys. "The System" runs in key 0. To change keys requires that you be an authorized program. The astute have already figured where this is going: try to use storage that's not in your key - your program fails. The architecture not only protects the system from applications that behave poorly, but the storage key mechanism can protect authorized parts of the system from clobbering other parts of the system. This setup has been providing increasing high, and increasing, levels of availability since the advent of System/360 in the 1960s.
If all those AppVMs are instances of the same system, couldn't they also check each other's integrity? Even if a virus manages to infect the hypervisor, it will be really hard to infect all AppVMs at once.
From the article:
"These mechanisms finally move the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox)."
The Mythbusters showed that bulls will try to miss china if it's at all possible. http://mythbustersresults.com/episode85
At least since 1972? [...] Of course you have to violate 104 IBM patents to run it on an emulator
Unlike copyrights and trademarks, patents expire. So anything invented before 1990 is no longer patented. Or was this supposed to be a joke?
It will be called "Tesseracts"...
"Qubes" is a frikken terrible name. Something like "stained bedsheets" would be much better (Linen-XXX, geddit?). But I suppose a sense of humour is too much to expect nowadays.
http://ihatehate.wordpress.com
Check that out boys!
it's about how large the bug could spread out (just see how buggy the VM itself is l-p)
that's security by isolation
good job
^_^
it's VMs all the way down!
The IBM VM world has been doing this for decades. The terminology is Service Virtual Machine (or SVM).
The hypervisor provides just the virtualization layer. Each service within a z/VM system is provided via it's own virtual machine.
For example, TCP/IP.
There is no TCP/IP stack within the hypervisor level (though the hypervisor does provide virtual switches for communication between guest systems). The TCP/IP stack runs as a guest, the FTP server runs as a separate guest, the SMTP server runs as a separate guest, etc.
GNU HURD, thank you very much.
It's just around the corner.
I'm not a lawyer, but I play one on the Internet. Blog
Being able to create AppVMs on the fly is a great idea, and one that should be a common OS feature. But it sounds like it will have the same problem that a site-specific browser does: how do you ensure that a given operation will be carried out in the proper domain?
For instance, you get an email from a colleague (in your email security domain) that includes a link. You click the link. Now, in which domain does the browser window open?
If you tell me I need to copy the link, switch to my random-crap-from-colleagues domain, paste it into the location bar and click go, then you fail. I will someday forget and click the link. Or a cross-site-scripting vulnerability or plugin exploit will click it for me.
If you tell me that a UAC-style dialog will ask me where to dispatch the action to, you fail. I will get annoyed at the constant stream of dialogs and eventually make a mistake or stop using the system altogether.
We live and work in an interconnected world. Email shares with calendar and contacts, all three of those share with the browser. We'll need whitelists or something so that hypervisors and site-specific browsers will be able to guess which domain to dispatch things to, with the default being an untrusted domain.
http://www.qubes-os.org/trac/wiki/InstallationGuide
They don't have a real distro, you have to hack around in Fedora to get it to work.