Qubes OS: An Operating System Designed For Security

Features
By Alan Dang
published

What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security.

An Introduction To Qubes OS

Alan: And that’s what I want to talk about today. Your team is working on something that gets us closer to perfect isolation, Qubes OS. How are you doing something different than what Microsoft, Apple, and Google have failed to do with their browsers?

Joanna: First of all, we try to keep the amount of trusted code (so, the code that enforces the isolation in our system) to an absolute minimum. To do this we use a thin, bare-metal hypervisor (Xen) to run many instances of virtual machines, or domains, separated from each other. But having a thin hypervisor (or a microkernel) is only part of the story.

Some people might argue that by using virtualization we're not really solving any problem—after all, a virtualized, insecure OS is still an insecure OS. Virtualization, they would argue, only introduces another layer of complexity, perhaps only making things worse!

Indeed, it is true that the mere fact we’re using virtualization (another buzzword!) doesn't automatically bring more security. But virtualization provides us with something else that is very useful: compatibility. It allows us to redesign the whole system completely, decompose the trusted computing base, e.g. by moving the networking drivers and stacks to an untrusted domain, moving USB drivers and stacks to another untrusted domain, redesign GUI multiplexing, etc., and at the same time still be able to run all the applications that have been created for a "normal" OS, and which have no idea that networking stacks are now in some separated domain. They don't need to know this, because they still run inside a normal OS, which is virtualized, and special front-end drivers we provide for this OS know where to find the networking services in our redesigned system.

Without virtualization, we would need to either write all of the applications and drivers from scratch (this is what some academic projects focused on microkernels attempt to do), or, at the very least, rebuild each application by relinking it with custom libraries (but we would still need to rewrite most of the drivers, which is hard to imagine in practice for anybody except Microsoft to do).

So, in short, virtualization doesn't bring any security advantage by itself, but it allows for a brave redesign of the OS and yet to reuse all the applications and drivers in this radically-changed design. And this is exactly what we do in Qubes.

Alan Dang
37 Comments Comment from the forums
  • Interesting.
    Reply
  • iam2thecrowe
    i wont use it, because i dont really understand half of what is written in the article, they lost me at Bare Metal Hypervisor, but what the hell is with the seemingly random picture of the woman with the scarfe around her neck?
    Reply
  • OpenBSD: An Operating System Designed For Security
    Reply
  • LORD_ORION
    iam2thecrowei wont use it, because i dont really understand half of what is written in the article, they lost me at Bare Metal Hypervisor, but what the hell is with the seemingly random picture of the woman with the scarfe around her neck?
    The "bare metal hypervisor" is Xen. In a nutshell, it runs directly on the hardware of the server machine, and that is all it does (you install Xen, and it consumes the whole drive) You then install your operating systems virtually ontop of Xen. To access your operating system, you login to it from another machine using special Xen client software.

    As Xen is what runs the amazon elastic cloud, there is need for high security OSes like Qubes for enterprise business applications.
    Reply
  • FloKid
    Life always finds a way. I just wonder if you put a function for a USB and a function for an ethernet port in the same code, won't that start two kernels even if they are isolated and basically give you access to both in the same code? I might not be getting something, but I could see the same program having a hard time accessing all of the other kernels, since they are not in the same process. Could be good I guess, but I can see sorta a way around that if you have other malicious software already running hidden.
    Reply
  • 3-R4Z0R
    So this is essentially the same thing as Minix, only that it's been reinventing Minix again (just like about 20 other projects during the last 15 years that have never come as far as EU funded Minix which is even partially POSIX compatible)?
    Reply
  • i`d hit
    Reply
  • nevertell
    So what they are doing is sandboxing stuff into partitions using Xen ? WHY?
    I am more interested how are they making the transition between the domains, because if they're using IOMMU to have a discrete videocard available to the domains, how are they sharing it between the domains ?

    Tom's, you could make an article about virtualizing Windows 7 on top of xen with a normal Ubuntu install in dom0 and have a discreet videocard for windows 7 and use the integrated one for ubuntu/linux, like a sandy bridge igpu and some nvidia/radeon. If you prove that the transition between the domains is fast and easy, this would be AWESOME for regular linux users, as I hate to reboot to play some games. But that way, I could just switch between the domains, at any given time. I mean, RAM is cheap.

    Reply
  • killerclick
    Wow, it's a girl. Let's have an article about her, it'll draw the horny teenager crowd!
    Reply
  • amigafan
    Lol there would be more comments on this particular article but veterans know they'd quickly get decimated with thumbs downs ;)

    I won't even bother with mentioning "kitchen" in any context :D
    Reply