Xen-Based Secure OS Qubes Hits 1.0
Orome1 writes "Joanna Rutkowska, CEO of Invisible Things Lab, today released version 1.0 of Qubes, a stable and reasonably secure desktop OS. It is the most secure option among the existing desktop operating systems — even more secure than Apple's iOS, which puts each application into its own sandbox and does not count on the user to make security decisions. Qubes will offer users the option of using disposable virtual machines for executing tasks they believe could harm their computer. These VMs will be lightweight, easily and extremely speedily created and booted, and would be just as easy to discard."
First covered back in 2010. See some screenshots of the X11 part in action (and they say displaying clients from multiple "hosts" isn't useful...)
Because the first thing I see is:
Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).
Oh goodie...
Think I'll go with this one ;) : ... or you might try to download the ISO via bit torrent:
"It is the most secure option among the existing desktop operating systems"
what about OpenBSD?
Yes? What about it?
You know, the headline for all the sec-related news should read: "New Secure OS (Not being OpenBSD) Released!" or "The Sky is Falling, We'll all be cyber-robbed real soon now (unless you are using OpenBSD)" or "New virus, be very afraid! (OpenBSD users, well.. you're fine)".. ;)
You know it just does not make good press
HTH, HAND.
-RG.
Apparently Qubes can't be installed in VMware Fusion. This occurs with both the default boot mode and the "failsafe" VESA mode. I suppose that does indeed make it the most secure operating system possible.
what about OpenBSD?
Or Solaris?
Would just like to point out iOS does in fact give user control over Privacy:
https://p.twimg.com/Avd_bj2CEAAokCD.jpg
The same pop-up occurs when an application wants to access your photos, location, etc.
And you can also set up Privacy controls for apps in Settings:
http://i.imgur.com/LvImi.jpg
- "Scientia non habet inimicum nisi ignorantem"
Actually, it looks somewhat similar to the secure version of Solaris, running different processes in different VMs. I wonder if I have a crappy old machine lying around somewhere that I could test it on.
I'm not sure, but it seems to have a Fedora base. Talks about KDE a lot. See also: http://wiki.qubes-os.org/trac/wiki/InstallNvidiaDriver
Actually, it seems to be something like a modified version of Fedora running inside their own hypervisor, with Fedora modified to run some processes inside sandboxes provided by the hypervisor. I think that's what it is, but I'm not completely sure.
Blimey, have you checked her out? She is now my third favourite woman (after my mother and the Queen).
Thanks. That's good to know. But it surely eliminates the majority of people who may wish to try it out.
Just run it in a VM.
You seem to have missed the comments further down about it not running in a VM.
A JVM is called a virtual machine, but it isn't a virtual machine in the same sense as the one provided by Xen. The JVM is a simple bytecode interpreter/compiler. It sort of emulates a machine, but not a complete machine. It runs in user space on top of the native OS and cannot run an OS of its own.
Xen is a hypervisor whose virtual machines emulate a complete system. It doesn't just run the application program, it runs the whole bloody OS. The virtual machine has virtual disks, virtual memory, a virtual processor, even a virtual reset button. Support for this virtualization is built into modern processors, so it occurs at a very low level.
I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things, but it's one hell of a lot harder than breaking out of a JVM sandbox.
You should have stuck with the main page. From the linked page: "And what good is saying that our microkernel is formally verified, if we continue to use a bloated and buggy X server as our GUI subsystem?" It is an OS with its own microkernel. So you can reasonably expect to have difficulty determining which distribution it is based on, since it is not based on a distribution.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Learn basic coding, dude:
if (insideVM()) {
    if (vmHost == exploitableVersion) {
        doBreakOutRoutine();
    }
}
I can plug VNC clients to my FreeBSD jails too for sure and didn't rebrand the concept as a whole new OS.
"I wonder if I have a crappy old machine lying around somewhere that I could test it on."
No. You almost surely don't.
I've been fooling around with Qubes for six months now, looking for a good solution to the Bitcoin offline wallet issue. Qubes is perfect - you don't need to be offline, and yet you can manipulate your 'offline' wallet using Armory in a ("Black") Qubes VM with zero network contact; but you can use (secure copy/paste) file transfer to the online component of your wallet in a different VM with network access to send and receive bitcoins.
The thing is, you need some pretty specific hardware to enable all the security features of Qubes: either Intel VT-d, or IOMMU. Effective GPUs are limited as well. And chipsets, of course.
So unless your "crappy old machines" are a hell of a lot better than what's usually laying around, you're going to need to buy some hardware just like I did.
But it's worth it.
Riiiight. Because requiring every single programmer in the world to design perfect software with no errors is sooooo much easier than adding extra security to the OS.
People make mistakes, it's why the term human error exists. In the real world people accept this and work with it. It isn't something you can eliminate.
I'm not sure you're correct on that. I've read comments elsewhere suggesting it's a modified Fedora. Further, the statement you listed does not say anything about Qubes itself. It says there are microkernels that are verified as "secure", but that X itself is not.
Funny that my honest question gets modded down. This is not an obvious question that's readily apparent from the blog post nor project website.
PS: I don't reply to ACs.
Here's their FAQ; it does seem sensible. However, the lack of OpenGL apps makes it a bit unfeasible for a daily driver.
Isn't Qubes just another Linux distribution after all?
Well, if you really want to call it a distribution, then we're more of a "Xen distribution", rather than a Linux one. But Qubes is much more than just Xen packaging -- it has its own VM management infrastructure, with support for template VMs, centralized VM updating, etc., and also its very unique GUI virtualization infrastructure.
What is the main concept behind Qubes?
To build security on the "Security by Isolation" principle.
What about other approaches to security?
The other two popular approaches are: "Security by Correctness", and "Security by Obscurity". We don't believe either of those two can bring reasonable security today or in the foreseeable future.
But what about safe languages and formally verified microkernels?
In short: these are non-realistic solutions today. We discuss this more in-depth in our Architecture Specification document.
Why does Qubes use virtualization?
We believe that today this is the only practically viable approach to implement strong isolation and, at the same time, provide compatibility with existing applications and drivers.
Does Qubes run every app in a separate VM?
No! This would not make much sense. Qubes uses VMs to create security domains, such as e.g. 'work', 'personal', 'banking', etc. A typical user would likely need around 5 domains. Very paranoid users, who are high-profile targets, might use around a dozen domains.
Why does Qubes use Xen, and not e.g. KVM?
In short: we believe the Xen architecture allows one to create more secure systems, i.e. with a much smaller TCB, which translates to a smaller attack surface. We discuss this much more in-depth in our Architecture Specification document.
How stable is the current Qubes release?
Right now we're at the beta stage, which means the system is quite mature, but still needs some polish, mostly at the UI level. The system seems stable besides that.
When do you anticipate the production quality version to be ready?
Fall 2011.
Do you plan a commercial version of Qubes?
Qubes will always remain an open source project. However, we plan to create some commercial extensions to the system in the future. This might include e.g. support for Windows-based AppVMs.
What is so special about Qubes GUI virtualization?
We have designed the GUI virtualization subsystem with two primary goals: security and performance. Our GUI infrastructure introduces only about 2,500 lines of C code (LOC) into the privileged domain (Dom0), which is very little, and thus leaves little space for bugs and potential attacks. At the same time, due to smart use of Xen shared memory, our GUI implementation is very efficient, so most virtualized applications really feel as if they were executed natively.
Can I w
world was created 5 seconds before this post as it is.
The way Qubes shares composition buffers of X applications over Xen shared memory is much nicer than VNC. It is rootless, unlike VNC, and there is no extra copying of data over a socket, so you get nice performance. They also do sound, so you can actually watch YouTube in a web browser that runs in a disposable VM.
Fedora has had the "sandbox" command for some years which uses SELinux to set up a disposable sandboxed context for running a program.
Since Fedora 17 there is also a "virt-sandbox" command using LXC or KVM to do a similar job:
https://fedoraproject.org/wiki/Features/VirtSandbox
I have been using Qubes for some time and have used it as the starting point for my own desktop. Qubes is a customized Xen kernel booting a customized Linux kernel as Dom0 (or Host). It currently uses a modified Fedora for the Dom0, as Fedora has the best support for various Xen tools, comes with a scriptable installer (Anaconda), and plans adoption of Wayland to replace the insecure X protocol.
[Rent This Space]
It's just made-up crap code written so that the point is clear. Adding as many lines as possible was the point.
The point is that breaking out of VMs is done often enough that it's trivial once an exploit is identified.
Yes, no doubt simplified code compiles smaller and runs faster. Get the point, and stay out of details. Look around you. It's a DISCUSSION FORUM.
You are correct about Zones. They're even lighter-weight than paravirtualized VMs, which in turn makes them ideal for some things, and not others. Solaris also has Logical Domains (LDOMs) which are very much like VMs. They see only the hardware that has been mapped into them. If you need something to be visible to multiple LDOMs (like your network interface) you have to have a control LDOM which owns that particular piece of a hardware and virtualizes it for any other LDOMs that want to see it. They're not the easiest thing in the world to set up, but work well (on larger hardware) and are nicely isolated.
Michael J.
Root, God, what is difference?
"even more secure than Apple's iOS"
Wow ... that's the benchmark, is it?
Electronic Music Made Using Linux http://soundcloud.com/polyp
So maybe we should surround all roads with foam as well, instead of expecting people to drive cars properly. Humans will make mistakes, and it isn't something you can eliminate.
"It is the most secure option among the existing desktop operating systems"
what about OpenBSD?
As someone who is paranoid enough that all my personal financial online transactions are done on a live CD, I love the concept of OpenBSD. In the past I have installed it on both a PC and a laptop. Not even after, or during, a week-long Hunter S. Thompsonesque drug and alcohol binge would I consider OpenBSD a desktop OS.
--The site/article also mentions that it can be installed to a USB drive... ;-)
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Thank you! That's what I was trying to figure/find out!!
(I'm sure it's readily apparent somewhere in the documentation, I just had a difficult time finding it yesterday.)
PS: I don't reply to ACs.
Crap code offends me. Sorry, it's a personality flaw.
It's not just "insecure" applications, it's *malicious* applications. If you use Linux, how many packages do you have installed? Imagine how easy it would be for someone to slip some backdoor into a single one of those. And if you ever download small pieces of software for a one-off task, do you read all the source to make sure it's clean? Current OSes are incredibly insecure: any application run as your user basically has access to all your data, your network and all devices. Making different users is perhaps sufficient for terminal applications, but for GUI applications you are limited by X11, which is not designed to isolate clients.
It's funny because your response was also crappy.
Mod me down, my New Earth Global Warmingist friends!
I've read a lot of comparisons here that mention Qubes as "sounding just like running things in a VM/container/chroot" ... just FYI, from my reading of their architecture docs (several months ago), the difference is that they've isolated specific userspace processes to run in these lightweight VMs, and defined an API approach for other processes to interact with them. E.g., running the X server in a VM, while X apps can still make all expected calls, without being aware that they're crossing VM boundaries -- and yet under the covers, the isolation is there, and protecting both sides. That's somewhat more than just being able to run the apps you want in a VM.
Iirc, they've even isolated certain kernel processing into separate VMs, e.g. the network stack. But someone not relying on months-old memory, pls check me on that.
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
I really want this. One problem: The storage VM seems to be running Linux, but can you use any filesystem you want, and can you use software RAID?
Oh yeah? Well, your mother wears Army boots!
I hate to tell you this, but the BSD community has found a better alternative to certification, and it's been around for about 30 years: let others review the code (regardless of if it is or isn't free-software).
I know the applications I use have access to my network, in just the same way that physical products have access to the environment around me. It's still my responsibility to use the right tools in the right way.