Qubes OS: An Operating System Designed For Security

Interacting With The Qubes OS

Alan: What happens if there’s a vulnerability in Xen and you can break out of the hypervisor?

Joanna: It depends on what you mean by "Xen". If you mean the actual hypervisor, then the vulnerability will likely be fatal. Over the past several years, though, there has been only one publicly-disclosed and exploited vulnerability in the Xen hypervisor that I'm aware of. It was in code written by the NSA to implement some security extensions for Xen (how ironic, huh?). This code was not enabled by default, so it wasn't fatal. The bug was found, exploited, and disclosed by us at Black Hat in 2008 (specifically by Rafal Wojtczuk).

However, there might also be a vulnerability in "Xen" that doesn't affect the actual hypervisor, but some other subsystem, such as a back-end driver or domain builder code (that reads and unpacks a user-provided custom kernel image). Most of the bugs in those systems do not affect Qubes because of the highly decomposed design we use.

There is also a chance there will be a bug in the underlying technology that is used by the hypervisor, such as Intel VT-d (that is used for building untrusted driver domains, not to be confused with VT-x). One (and only one, as far as I know) such attack that allows someone to bypass Intel’s VT-d-imposed protection has been demonstrated recently, incidentally also by us. I think this was the most complex and surprising attack that our team has ever presented, by the way.

Unfortunately, there is little that we can do in case there are bugs in hardware technologies. We can only keep pointing out problems and hope the vendors, such as Intel, will take their job (more?) seriously.

By the way, there is another pending research paper from us relating to a security vulnerability in another core hardware technology, but we're currently waiting for the vendor to come up with patches before we publish it (the plan is to do it in early fall, stay tuned).

Alan: Definitely. I’ll touch base with you closer to then. Can you walk us through how an end-user would interact with Qubes OS? Is it going to be easy enough for ordinary users?

Joanna: Using Qubes should be more or less as easy as using a standard Windows desktop.

The catch, however, is in properly configuring the Qubes desktop. Specifically, deciding how to partition somebody's digital life into separate domains. We can start with something as easy as "personal," "work," "banking," and "untrusted" domains. But then each user might want to add more domains depending on their usage and threat model.

For a paranoid user like myself, this could get really complicated. So, the bottom line is that, in practice, it would be a job for qualified IT staff to configure a Qubes desktop.

Still, we try to make this isolation, once configured, as seamless and automatic as possible. Again, our target for the 1.0 release is that the workflow on a properly-configured Qubes desktop would not be much different than a typical Windows desktop for business users.

  • Interesting.
  • iam2thecrowe
    i won't use it, because i don't really understand half of what is written in the article, they lost me at Bare Metal Hypervisor, but what the hell is with the seemingly random picture of the woman with the scarf around her neck?
  • OpenBSD: An Operating System Designed For Security
    > iam2thecrowe: i won't use it, because i don't really understand half of what is written in the article, they lost me at Bare Metal Hypervisor, but what the hell is with the seemingly random picture of the woman with the scarf around her neck?

    The "bare metal hypervisor" is Xen. In a nutshell, it runs directly on the hardware of the server machine, and that is all it does (you install Xen, and it consumes the whole drive). You then install your operating systems virtually on top of Xen. To access your operating system, you log in to it from another machine using special Xen client software.

    As Xen is what runs the Amazon elastic cloud, there is a need for high-security OSes like Qubes for enterprise business applications.
  • FloKid
    Life always finds a way. I just wonder if you put a function for a USB and a function for an ethernet port in the same code, won't that start two kernels even if they are isolated and basically give you access to both in the same code? I might not be getting something, but I could see the same program having a hard time accessing all of the other kernels, since they are not in the same process. Could be good I guess, but I can see sorta a way around that if you have other malicious software already running hidden.
  • 3-R4Z0R
    So this is essentially the same thing as Minix, only that it's been reinventing Minix again (just like about 20 other projects during the last 15 years that have never come as far as EU funded Minix which is even partially POSIX compatible)?
  • i'd hit
  • nevertell
    So what they are doing is sandboxing stuff into partitions using Xen? WHY?
    I am more interested in how they are making the transition between the domains, because if they're using IOMMU to have a discrete video card available to the domains, how are they sharing it between the domains?

    Tom's, you could make an article about virtualizing Windows 7 on top of Xen with a normal Ubuntu install in dom0 and have a discrete video card for Windows 7 and use the integrated one for Ubuntu/Linux, like a Sandy Bridge iGPU and some Nvidia/Radeon. If you prove that the transition between the domains is fast and easy, this would be AWESOME for regular Linux users, as I hate to reboot to play some games. But that way, I could just switch between the domains at any given time. I mean, RAM is cheap.

  • killerclick
    Wow, it's a girl. Let's have an article about her, it'll draw the horny teenager crowd!
  • amigafan
    Lol there would be more comments on this particular article but veterans know they'd quickly get decimated with thumbs downs ;)

    I won't even bother with mentioning "kitchen" in any context :D