Sign in with
Sign up | Sign in

The Slowly Evolving World Of Security

Qubes OS: An Operating System Designed For Security
By

Alan: Do you see Qubes as simply a proof-of-concept or something that will ultimately be a mainstream release?

Joanna: Definitely not a proof of concept! We hope it will be of interest to various organizations, commercial and government, which care about data security and are willing to invest some effort into configuring Qubes desktops. We plan to work on some commercial extensions, such as centralized policy management. The Qubes architecture is just great for use with Remote Attestation technology that might provide good security control to the IT staff over how employees’ workstations are configured (i.e. that they are configured properly).

On the other hand, I'm realistic enough to realize that it would never be a system for home users. The setup part would be just too difficult for a typical user, at least to do it right.

Alan: Are you still on track for a production-quality, stable release in October?

Joanna: I'd rather expect it at the end of the year :)

Alan: Why do you think things happen so slowly in security? We have the hardware technology to develop more secure operating systems. But it’s slow to get adopted. TPM still isn’t a standard feature on every new computer in 2011, despite the fact that it was introduced seven years ago. We even have software technology to develop secure systems, but it’s not getting implemented either. What will it take to get companies on-board?

Joanna: TPM is not something that can auto-magically make your system more secure. It can help implement trusted boot, which might be a reasonably good measure against Evil Maid Attacks, but doesn't make your OS any more secure against software attacks.

Much more important security technology is the previously-mentioned Intel VT-d, which allows for creation of untrusted driver subsystems like an untrusted networking subsystem, a USB subsystem, and so on. But this requires a radical redesign of the OS, so no surprise that it's not being adopted by most vendors.

I'm not sure which "software technology to develop secure systems" you have in mind? Perhaps you’re referring to Safe Languages and projects like Microsoft's Singularity?

Alan: Yeah.

Joanna: Well, when we read some early papers from the Singularity folks, such as this one, we see how excited they were about the software-enforced isolation that they have even proposed to remove some hardware isolation technologies from the processor (MMU, ring0/3)! Then, fast-forward two years ahead, and in another paper from the same folks, we see how they suddenly start to reconsider the use of hardware-enforced memory protection. Why do you think this happened? Because, hardware-enforced memory protection happens in just a bunch of gates (say a few thousand, maybe?), while the safe language-enforced protection is likely to be millions of lines of code that comprise the compiler/verifier and the runtime (e.g. garbage collector) that all need to be trusted!

So, don't get me wrong, I wish we had more software written in safe languages (I would love to have an email client written in a safe language), but we will never be able to replace the low-level hardware security mechanisms, such as memory protection (MMU), or DMA protection (IOMMU). The latter technology (Intel VT-d is an example of IOMMU) is absolutely critical, and even the early reports from the Singularity people (the optimistic ones) still recognize it.

Display all 37 comments.
This thread is closed for comments
  • 0 Hide
    Anonymous , August 30, 2011 4:52 AM
    Interesting.
  • 2 Hide
    Anonymous , August 30, 2011 5:23 AM
    OpenBSD: An Operating System Designed For Security
  • 2 Hide
    LORD_ORION , August 30, 2011 5:34 AM
    iam2thecrowei wont use it, because i dont really understand half of what is written in the article, they lost me at Bare Metal Hypervisor, but what the hell is with the seemingly random picture of the woman with the scarfe around her neck?


    The "bare metal hypervisor" is Xen. In a nutshell, it runs directly on the hardware of the server machine, and that is all it does (you install Xen, and it consumes the whole drive) You then install your operating systems virtually ontop of Xen. To access your operating system, you login to it from another machine using special Xen client software.

    As Xen is what runs the amazon elastic cloud, there is need for high security OSes like Qubes for enterprise business applications.
  • -2 Hide
    FloKid , August 30, 2011 6:13 AM
    Life always finds a way. I just wonder if you put a function for a USB and a function for an ethernet port in the same code, won't that start two kernels even if they are isolated and basically give you access to both in the same code? I might not be getting something, but I could see the same program having a hard time accessing all of the other kernels, since they are not in the same process. Could be good I guess, but I can see sorta a way around that if you have other malicious software already running hidden.
  • 3 Hide
    3-R4Z0R , August 30, 2011 6:24 AM
    So this is essentially the same thing as Minix, only that it's been reinventing Minix again (just like about 20 other projects during the last 15 years that have never come as far as EU funded Minix which is even partially POSIX compatible)?
  • 6 Hide
    Anonymous , August 30, 2011 8:18 AM
    i`d hit
  • 4 Hide
    nevertell , August 30, 2011 8:44 AM
    So what they are doing is sandboxing stuff into partitions using Xen ? WHY?
    I am more interested how are they making the transition between the domains, because if they're using IOMMU to have a discrete videocard available to the domains, how are they sharing it between the domains ?

    Tom's, you could make an article about virtualizing Windows 7 on top of xen with a normal Ubuntu install in dom0 and have a discreet videocard for windows 7 and use the integrated one for ubuntu/linux, like a sandy bridge igpu and some nvidia/radeon. If you prove that the transition between the domains is fast and easy, this would be AWESOME for regular linux users, as I hate to reboot to play some games. But that way, I could just switch between the domains, at any given time. I mean, RAM is cheap.

  • -6 Hide
    killerclick , August 30, 2011 9:50 AM
    Wow, it's a girl. Let's have an article about her, it'll draw the horny teenager crowd!
  • -5 Hide
    amigafan , August 30, 2011 10:58 AM
    Lol there would be more comments on this particular article but veterans know they'd quickly get decimated with thumbs downs ;) 

    I won't even bother with mentioning "kitchen" in any context :D 
  • 2 Hide
    Anonymous , August 30, 2011 1:07 PM
    Joanna arrogant as usual, smart as always.
  • 0 Hide
    LORD_ORION , August 30, 2011 1:49 PM
    Go here, this will probably explain better than the article.

    http://qubes-os.org/Screenshots.html
  • -2 Hide
    DSpider , August 30, 2011 2:10 PM
    You know, most viruses come from the internet. You could simply install VirtualBox and download Slitaz (a very small Linux LiveCD distribution - around 30 MB), and use that for your basic browser needs, completely separate from your main OS.

    As long as you don't set up shared folders and only share the clipboard, you should be ok.
  • -3 Hide
    alitenar , August 30, 2011 4:58 PM
    Why so much security! The anti virus companies need to "make a living" too!
  • 0 Hide
    phate , August 30, 2011 6:38 PM
    OpenBSD, SELinux, ... this sounds like a vaporware puff piece.

    The NSA has been using(and actually wrote much of) SELinux for years, and it seems to be working out for them.
  • 0 Hide
    LORD_ORION , August 30, 2011 7:23 PM
    phateOpenBSD, SELinux, ... this sounds like a vaporware puff piece.The NSA has been using(and actually wrote much of) SELinux for years, and it seems to be working out for them.


    Except that if you follow the link you can download the beta?
  • 0 Hide
    Anonymous , August 30, 2011 7:57 PM
    She doesn't say much about microkernels. I would like to know what she thinks about this blog post about OKL4 : http://www.ok-labs.com/blog/entry/microkernels-vs-hypervisors/

    By the way, the same people have created a version of L4 that, as I understand it, is formally verified to function exactly as specified, http://www.nicta.com.au/media/previous_releases3/2009_media_releases/world-first_research_breakthrough_promises_safety-critical_software_of_unprecedented_reliability . This should surely help to improve stability and security.
  • 1 Hide
    JackBlack07 , August 30, 2011 9:16 PM
    All there doing here is taking the same technology Sun Microsystems used to create Zones and repackaged it with Xen overhead. Look up Solaris 10 Trusted Extenstions .. same stuff..
  • 5 Hide
    philologos , August 30, 2011 10:35 PM
    Much better than Pubes OS!
  • 5 Hide
    calinkula , August 30, 2011 11:13 PM
    This is the same woman who said she had a 100% undetectable virus a few years back. She was challenged at the Black Hat conference that year and wouldn't present it without a large upfront payment.

    Do people still take her seriously?
Display more comments