Slashdot Mirror


Xen-Based Secure OS Qubes Hits 1.0

Orome1 writes "Joanna Rutkowska, CEO of Invisible Things Lab, today released version 1.0 of Qubes, a stable and reasonably secure desktop OS. It is the most secure option among the existing desktop operating systems — even more secure than Apple's iOS, which puts each application into its own sandbox and does not count on the user to make security decisions. Qubes will offer users the option of using disposable virtual machines for executing tasks they believe could harm their computer. These VMs will be lightweight, easily and extremely speedily created and booted, and would be just as easy to discard." First covered back in 2010. See some screenshots of the X11 part in action (and they say displaying clients from multiple "hosts" isn't useful...)

41 of 175 comments

  1. And I feel so safe downloading it.. by R_Growler · · Score: 2

    Because the first thing I see is:
    Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).

    Oh goodie...

    Think I'll go with this one ;) : ... or you might try to download the ISO via bit torrent:

    1. Re:And I feel so safe downloading it.. by 0123456 · · Score: 5, Funny

      Because the first thing I see is:
      Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90's Mosaic).

      Real men use wget. Or telnet.

    2. Re:And I feel so safe downloading it.. by fm6 · · Score: 3, Informative

      I haven't visited the Qubes web site, but the fact that NoScript breaks it is not a big issue; NoScript breaks half the sites on the web. NoScript assumes that all scripting is evil and that you should never allow it unless you absolutely have to — after multiple warnings from NoScript as to how dangerous it is.

      If you think this is a sane approach to security, you should consider abandoning graphical browsers altogether. I think Lynx is still being maintained.

    3. Re:And I feel so safe downloading it.. by 0123456 · · Score: 2

      NoScript breaks half the sites on the web.

      No, it doesn't. But thanks for playing.

    4. Re:And I feel so safe downloading it.. by Black+LED · · Score: 5, Insightful

      If your site breaks because the client doesn't have JavaScript enabled, then you are doing it wrong. The site should gracefully degrade so that anyone can use it.

    5. Re:And I feel so safe downloading it.. by sjames · · Score: 2

      I have no idea why it says that, the links appear to work fine with noscript in full force.

    6. Re:And I feel so safe downloading it.. by smash · · Score: 2, Interesting

      should, yes. most of the web does not.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    7. Re:And I feel so safe downloading it.. by forkazoo · · Score: 2, Insightful

      should, yes. most of the web does not.

      Thankfully, most of the web that does not, isn't useful. Seriously, after adding necessary exceptions for a few days, the overwhelming majority of the web that I care about works just fine with NoScript installed. Most of what doesn't work is stupid, and the vanishingly small remainder is easy enough to whitelist with a click or two. Anything that requires clicking through whitelisting 37 domains to make it work properly, usually just turns out to be an adcrap laden hellhole that doesn't work at all even when it is 'working properly.'

    8. Re:And I feel so safe downloading it.. by Seahawk · · Score: 2

      Isn't that like saying: "Your application shouldn't break because a windowing system isn't available, but instead fall back to curses"?

      Sometimes, IMHO, it's just not worth it to have a non-js enabled fallback.

    9. Re:And I feel so safe downloading it.. by Black+LED · · Score: 2

      I would say it's more akin to someone sending you an HTML formatted email without an option for a plain text version.

  2. Re:secure you say? by R_Growler · · Score: 4, Funny

    "It is the most secure option among the existing desktop operating systems"

    what about OpenBSD?

    Yes? What about it?

    You know, the headline for all the sec related news should read: "New Secure OS (Not being OpenBSD) Released!" or "The Sky is Falling, We'll all be cyber-robbed real soon now (unless you are using OpenBSD)" or "New virus, be very afraid! (OpenBSD users, well.. you're fine)"..
    You know it just does not make good press ;)

    HTH, HAND.

    -RG.

  3. X startup failed, aborting installation by WD · · Score: 2

    Apparently Qubes can't be installed in VMware Fusion. This occurs with both the default boot mode and the "failsafe" VESA mode. I supposed that does indeed make it the most secure operating system possible.

    1. Re:X startup failed, aborting installation by sjames · · Score: 2, Informative

      It is possible in some cases to run a VM in a VM. It's been done for decades on mainframes. It just happens that this particular VM won't run in a VM, but it's not an unreasonable thing to try.

  4. Not quite true about iOS... by EGSonikku · · Score: 2

    Would just like to point out iOS does in fact give user control over Privacy:

    https://p.twimg.com/Avd_bj2CEAAokCD.jpg

    The same pop-up occurs when an application wants to access your photos, location, etc.

    And you can also set up Privacy controls for apps in Settings:

    http://i.imgur.com/LvImi.jpg

    --
    - "Scientia non habet inimicum nisp ignorantem"
    1. Re:Not quite true about iOS... by PopeRatzo · · Score: 2

      Would just like to point out iOS does in fact give user control over Privacy:

      Is there a way to use iOS without iTunes, because iTunes does, by default, require personal information. Is there a way to set up iTunes and purchase apps for iOS without giving up any personal information?

      If not, then aren't those "privacy" settings in iOS a little like closing the barn door after your mule has been kidnapped and gang-raped by a biker gang and sold into white slavery?

      --
      You are welcome on my lawn.
    2. Re:Not quite true about iOS... by girlintraining · · Score: 2

      Would just like to point out iOS does in fact give user control over Privacy

      Apple uses a different definition of privacy than other people do; they define it as "giving information to anyone other than us." So your data is private, as long as you don't mind Apple having all of it.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Not quite true about iOS... by EGSonikku · · Score: 2

      Older iOS devices. The iPhone 4S, and the new iPad don't require a connection to iTunes at all for activation. You can take it right out of the box and turn it on and be on your merry way.

      --
      - "Scientia non habet inimicum nisp ignorantem"
    4. Re:Not quite true about iOS... by jbolden · · Score: 2, Interesting

      Is there a way to use iOS without iTunes, because iTunes does, by default, require personal information. Is there a way to set up iTunes and purchase apps for iOS without giving up any personal information?

      Unless you are on an enterprise account there is no tracking between accounts and what you buy. The only company with that information is Apple and Apple doesn't sell data. It's sort of like worrying about privacy from the bank that's running your credit cards.

    5. Re:Not quite true about iOS... by EGSonikku · · Score: 2

      Then, as I said, you make an account as John Smith and make up an address and use gift cards or throw away credit cards. I mean, you can't blame Apple that purchasing things requires money. That's hardly an issue with iOS.

      --
      - "Scientia non habet inimicum nisp ignorantem"
  5. Re:secure you say? by 0123456 · · Score: 4, Informative

    Actually, it looks somewhat similar to the secure version of Solaris, running different processes in different VMs. I wonder if I have a crappy old machine lying around somewhere that I could test it on.

  6. Re:POSIX by Tapewolf · · Score: 2

    I'm not sure, but it seems to have a Fedora base. Talks about KDE a lot. See also: http://wiki.qubes-os.org/trac/wiki/InstallNvidiaDriver

  7. Re:POSIX by Tapewolf · · Score: 2

    Actually, it seems to be something like a modified version of Fedora running inside their own hypervisor, with Fedora modified to run some processes inside sandboxes provided by the hypervisor. I think that's what it is, but I'm not completely sure.

  8. What a specimen by TummyBanana · · Score: 4, Funny

    Blimey, have you checked her out? She is now my third favourite woman (after my mother and the Queen).

    1. Re:What a specimen by spasm · · Score: 3, Insightful

      And people wonder why women avoid IT..

    2. Re:What a specimen by Zero__Kelvin · · Score: 2, Insightful

      Yes. It is a well known fact that women hate it when guys think they are hot.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:What a specimen by capedgirardeau · · Score: 2, Insightful

      I don't see anything in the comment you replied to that indicates the poster meant she was attractive or was in any way objectifying or sexist.

      In fact quite the opposite when you read who his other two top females are, his mom and the Queen, women he presumably respects for reasons other than sexist reasons.

      It read to me like he checked out her significant credentials in her chosen field and was very appropriately impressed.

      --
      Wax on, wax off baby!
    4. Re:What a specimen by serviscope_minor · · Score: 2

      The article is about lightweight virtualisation containers (interesting).

      Some prat thought this would be a good time to start making off-topic and irrelevant comments about the appearance of one of the people involved. Notice how this only ever seems to happen with women. No one ever points out if a guy involved is ugly or not or bald or whatever (most guys can spot an ugly bald guy, so why no comments? Why no comments if the guy is good looking too?).

      Basically what happens is that for a small but annoyingly vocal minority of /. commenters any article about a guy doing things is about the technical stuff, anything a woman does becomes about her appearance.

      Do you honestly claim that you don't see how that is plain douchy?

      Basically you are saying that we can't observe that a woman is good looking in any context other than a beauty contest, since - for example - if I make such an observation at Starbucks I am an asshole since it has nothing to do with coffee.

      No, you are an asshole because you seem to be unable to see why every article involving women but not men degenerating into a discussion about the woman's appearance is sexist.

      --
      SJW n. One who posts facts.
  9. I Use Words Good by fm6 · · Score: 5, Informative

    A JVM is called a virtual machine, but it isn't a virtual machine in the same sense as the one provided by Xen. The JVM is a simple bytecode interpreter/compiler. It sort of emulates a machine, but not a complete machine. It runs in user space on top of the native OS and cannot run an OS of its own.

    Xen is a hypervisor whose virtual machines emulate a complete system. It doesn't just run the application program, it runs the whole bloody OS. The virtual machine has virtual disks, virtual memory, a virtual processor, even a virtual reset button. Support for this virtualization is built into modern processors, so it occurs at a very low level.

    I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things, but it's one hell of a lot harder than breaking out of a JVM sandbox.

    1. Re:I Use Words Good by LordLimecat · · Score: 3, Interesting

      I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things

      Someone who could figure out how to do that would rent a private virtual server from Rackspace and go to town. I imagine there would be far more lucrative targets than a desktop.

    2. Re:I Use Words Good by fm6 · · Score: 2

      Not at all. You could put a Xen-breaking package in a trojan or virus and create virtual zombies for your botnet. But your malicious Rackspace VM would be limited to penetrating VMs that happened to live on the same physical server.

      But.... I used to be the documentation lead for the Sun Fire X4600, a server that could have 8 quad-core processors and half a terabyte of RAM. You could run hundreds of VMs on the thing. Discontinued, alas.

    3. Re:I Use Words Good by LordLimecat · · Score: 2, Insightful

      What I'm saying is that if you've cracked through to the hypervisor, they have some serious problems. If you manage to get root access to the box, all bets are off, especially if they have some kind of clustering-- you could potentially provision scads more VMs, and they would be loadbalanced.

    4. Re:I Use Words Good by blueg3 · · Score: 4, Informative

      I imagine a sufficiently clever hacker could think of a way to bypass the guest OS and the hypervisor and do wacky things,

      Can and has. The sufficiently clever hacker that has been behind most incidences of piercing the guest-hypervisor veil is one Joanna Rutkowska, CEO of Invisible Things Lab.

      Interesting how that works, don't you think?

    5. Re:I Use Words Good by Bert64 · · Score: 2

      Your VM could be clustered, and could get migrated to another server, giving you another target to attack.
      Having root on one cluster node might give you the ability to access other nodes, depending on configuration... At the very least you could probably force a vm to be migrated, and then use that to root the other node.
      You would have access to all the other vm images running on the same host, some of which may have access or common passwords to other images running on other physical hardware...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:I Use Words Good by lindi · · Score: 3, Informative

      That bug was found by Rafal Wojtczuk who is also an author of Qubes: https://groups.google.com/forum/?fromgroups#!topic/qubes-devel/JIpZoQUP6dQ

  10. Re:lacking documentation or lack of focus by Zero__Kelvin · · Score: 2

    "I've looked through the docs, and can't tell what distro this is based upon."

    You should have stuck with the main page. From the linked page: "And what good is saying that our microkernel is formally verified, if we continue to use a bloated and buggy X server as our GUI subsystem?" It is an OS with its own microkernel. So you can reasonably expect to have difficulty determining which distribution it is based on, since it is not based on a distribution.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:Yeah, VMs are the answer by fm6 · · Score: 2

    Learn basic coding, dude:

    if (insideVM()) {
        if (vmHost == exploitableVersion) {
            doBreakOutRoutine();
        }
    }

  12. Re:secure you say? by Anonymous Coward · · Score: 2, Interesting

    "I wonder if I have a crappy old machine lying around somewhere that I could test it on."

    No. You almost surely don't.

    I've been fooling around with Qubes for six months now, looking for a good solution to the Bitcoin offline wallet issue. Qubes is perfect - you don't need to be offline, and yet you can manipulate your 'offline' wallet using Armory in a ("Black") Qubes VM with zero network contact; but you can use (secure copy/paste) file transfer to the online component of your wallet in a different VM with network access to send and receive bitcoins.

    The thing is, you need some pretty specific hardware to enable all the security features of Qubes: either Intel VT-d, or IOMMU. Effective GPUs are limited as well. And chipsets, of course.

    So unless your "crappy old machines" are a hell of a lot better than what's usually lying around, you're going to need to buy some hardware just like I did.

    But it's worth it.
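    The comment above says the security features depend on hardware virtualization plus an IOMMU (Intel VT-d or AMD-Vi). The script below is an added example, not code from the Qubes project or from any commenter: it checks a Linux host for both, reading the CPU flags from /proc/cpuinfo and the IOMMU initialisation messages from the kernel log. The sample inputs are constructed; the log patterns are the usual messages from the Intel (DMAR) and AMD (AMD-Vi) IOMMU drivers.

```shell
#!/bin/sh
# Added example (not from the Qubes project or any commenter): check whether a
# Linux host exposes the CPU virtualization extensions and the IOMMU
# (Intel VT-d / AMD-Vi) that the Qubes security features depend on.
# The checks take their input as text, so they run against constructed sample
# data by default and against /proc/cpuinfo and dmesg with "--live".

# Succeeds if the cpuinfo text lists a hardware-virtualization flag:
# "vmx" for Intel VT-x, "svm" for AMD-V.
has_hw_virt() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# Succeeds if the kernel log text shows an IOMMU being brought up.
# Intel's driver logs "DMAR: IOMMU enabled", AMD's logs "AMD-Vi: Found IOMMU".
# A CPU flag alone is not enough: the IOMMU is a chipset feature that firmware
# can leave disabled, which is why the kernel log is checked separately.
has_iommu() {
    printf '%s\n' "$1" | grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: Found IOMMU'
}

# Prints one summary line; returns 0 only when both features are present.
qubes_hw_report() {
    virt=no
    iommu=no
    has_hw_virt "$1" && virt=yes
    has_iommu "$2" && iommu=yes
    printf 'hw_virt=%s iommu=%s\n' "$virt" "$iommu"
    [ "$virt" = yes ] && [ "$iommu" = yes ]
}

# Constructed sample input: a cpuinfo excerpt and two kernel-log excerpts,
# one from a machine whose IOMMU came up and one where it did not.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm pbe syscall nx lm vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt'
SAMPLE_DMESG_IOMMU='[    0.000000] DMAR: IOMMU enabled
[    0.123456] DMAR: Host address width 36'
SAMPLE_DMESG_NO_IOMMU='[    0.000000] ACPI: DMAR 0x000000007F7D5000 0000A0 (v01 INTEL  HSW      00000001 INTL 00000001)
[    0.123456] DMAR: No IOMMU found'

if [ "${1:-}" = "--live" ]; then
    # dmesg may need privileges; an empty log simply reports iommu=no.
    if qubes_hw_report "$(cat /proc/cpuinfo)" "$(dmesg 2>/dev/null)"; then
        echo "this host has the hardware features Qubes relies on"
    else
        echo "missing hardware support: check firmware settings for VT-x/AMD-V and VT-d/AMD-Vi"
    fi
else
    if qubes_hw_report "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_IOMMU"; then
        echo "sample 1: usable"
    fi
    if ! qubes_hw_report "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_NO_IOMMU"; then
        echo "sample 2: IOMMU not enabled"
    fi
fi
```

    Run it with `--live` on the machine under consideration; the constructed samples show the case the commenter warns about, where the CPU advertises VT-x but the chipset or firmware provides no working IOMMU, so the second sample reports hw_virt=yes iommu=no.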

  13. Re:A secure approach to insecure software by gl4ss · · Score: 2

    Here's their FAQ, it does seem sensible. However, lack of OpenGL apps makes it a bit unfeasible for a daily driver.


    Isn't Qubes just another Linux distribution after all?

    Well, if you really want to call it a distribution, then we're more of a "Xen distribution", rather than a Linux one. But Qubes is much more than just Xen packaging -- it has its own VM management infrastructure, with support for template VMs, centralized VM updating, etc, and also its very unique GUI virtualization infrastructure.

    What is the main concept behind Qubes?

    To build security on the "Security by Isolation" principle.

    What about other approaches to security?

    The other two popular approaches are: "Security by Correctness", and "Security by Obscurity". We don't believe either of those two can bring reasonable security today or in the foreseeable future.

    But what about safe languages and formally verified microkernels?

    In short: these are non-realistic solutions today. We discuss this more in-depth in our Architecture Specification document.

    Why does Qubes use virtualization?

    We believe that today this is the only practically viable approach to implement strong isolation, and, at the same time, provide compatibility with existing applications and drivers.

    Does Qubes run every app in a separate VM?

    No! This would not make much sense. Qubes uses VMs to create security domains, such as e.g. 'work', 'personal', 'banking', etc. A typical user would likely need around 5 domains. Very paranoid users, who are high-profile targets, might use around a dozen domains.

    Why does Qubes use Xen, and not e.g. KVM?

    In short: we believe the Xen architecture allows one to create more secure systems, i.e. with a much smaller TCB, which translates to a smaller attack surface. We discuss this much more in-depth in our Architecture Specification document.

    How stable is the current Qubes release?

    Right now we're at the beta stage, which means the system is quite mature, but still needs some polish, mostly at the UI level. The system seems stable besides that.

    When do you anticipate the production quality version to be ready?

    Fall 2011.

    Do you plan a commercial version of Qubes?

    Qubes will always remain an open source project. However, we plan to create some commercial extensions to the system in the future. This might include e.g. support for Windows-based AppVMs.

    What is so special about Qubes GUI virtualization?

    We have designed the GUI virtualization subsystem with two primary goals: security and performance. Our GUI infrastructure introduces only about 2,500 lines of C code (LOC) into the privileged domain (Dom0), which is very little, and thus leaves not much space for bugs and potential attacks. At the same time, due to smart use of Xen shared memory our GUI implementation is very efficient, so most virtualized applications really feel as if they were executed natively.

    Can I w

    --
    world was created 5 seconds before this post as it is.
  14. Re:New OS or glorified shell script ? by lindi · · Score: 4, Insightful

    The way Qubes shares composition buffers of X applications over Xen shared memory is much nicer than VNC. It is rootless unlike VNC and there is no extra copying of data over a socket, so you get nice performance. They also do sound, so you can actually watch YouTube in a web browser that runs in a disposable VM.

  15. Re:lacking documentation or lack of focus by Aaron+B+Lingwood · · Score: 3, Informative

    I have been using Qubes for some time and have used it as the starting point for my own desktop. Qubes is a customized Xen kernel booting a customized Linux kernel as Dom0 (or Host). It currently uses a modified Fedora for the Dom0 as Fedora has the best support for various Xen tools, comes with a scriptable installer (Anaconda), and plans adoption of Wayland to replace the insecure X protocol.

    --
    [Rent This Space]
  16. Re:secure you say? by MichaelJ · · Score: 3, Informative

    You are correct about Zones. They're even lighter-weight than paravirtualized VMs, which in turn makes them ideal for some things, and not others. Solaris also has Logical Domains (LDOMs) which are very much like VMs. They see only the hardware that has been mapped into them. If you need something to be visible to multiple LDOMs (like your network interface) you have to have a control LDOM which owns that particular piece of a hardware and virtualizes it for any other LDOMs that want to see it. They're not the easiest thing in the world to set up, but work well (on larger hardware) and are nicely isolated.

    --

    Michael J.
    Root, God, what is difference?