“After nearly three years of work, I have a pleasure to announce that Qubes 1.0 has finally been released! […] I would like to thank all the developers who have worked on this project. Creating Qubes OS has been a great challenge, especially for such a small team as ours, but ultimately, I’m very glad with the final outcome – it really is a stable and reasonably secure desktop OS.”
It seems it’s a Linux distribution that launches a number of applications within a VM? Why not use chroot?
To me it seems Linux doesn’t really have many issues regarding viruses, worms or trojans. The real danger today is phishing and I’m not sure this setup helps.
A few days ago I saw this guy on TV. He got a call from a “Microsoft” person with an Indian accent. He told him Microsoft detected his PC having problems. They walked him through a number of steps making him a crucial member of the team that set his PC up for outside abuse.
Then again some people actually deserve this.
That MS scam is popular here. It weeds out those that should not be allowed to use computers.
Thanks for the explanation on what Qubes OS is. The blog entry was rambling about security so much I stopped reading.
There is a summary:
Key architecture features:
Based on a secure bare-metal hypervisor (Xen)
Networking code sand-boxed in an unprivileged VM (using IOMMU/VT-d)
No networking code in the privileged domain (dom0)
All user applications run in “AppVMs”, lightweight VMs based on Linux
Centralized updates of all AppVMs based on the same template
Qubes GUI virtualization presents applications like if they were running locally
Qubes GUI provides isolation between apps sharing the same desktop
Storage drivers and backends sand-boxed in an unprivileged virtual machine(*)
Secure system boot based on Intel TXT(*)
Thanks! I think also the project screenshot page http://qubes-os.org/Screenshots.html helps to get a first look at what it is and how it works (before looking under the hood).
It looks okay, I guess, nothing original.
But basically it’s a modified Linux distribution. Therefore I think it kind of stretches the definition of what awards an operating system badge.
Also I think it solves a problem that’s not really there. I mean, it’s not like hordes of Linux users are running around naked in the streets in blind panic because their desktops are hit by viruses. I suspect that in practice all these extra security layers provide more hassle than the benefit of extra security.
What would be nice is to have some kind of system that allows the user to run any application of choice with added security and make this system an optional install for any Linux distribution.
Not every feature or bell ‘n’ whistle deserves an entire new “operating system”. What if you’re happy with your Slackware or Ubuntu, but you do like this idea?
You have to remember the people who are looking for extra security are not the average users.
Also when trying to create secure systems, it is all about separation and layers of defense and creating small(er) pieces of code which handle that separation.
The smaller those pieces are, the more predictable and more understandable they usually are and thus they can be better checked for errors.
But it still has to work easily or people just won’t use it.
I think they found an interesting balance.
Also default Linux installs already come with SELinux, AppArmor and/or the hardened version of PHP.
Lightweight containers for running certain security sensitive applications, based on “LXC”, are also in the works.
Edited 2012-09-04 10:15 UTC
Linux is a kernel, not an OS.
QED
Edited 2012-09-04 12:46 UTC
Yes, that’s why I repeatedly mentioned “Linux distribution” as opposed to just “Linux”.
But when people talk about “Linux” I think it’s safe to assume they mean an operating system (with a Linux kernel). When people talk about the Linux kernel they often mention the word kernel anyway.
What we should take away from this is that
1) It’s perfectly fine for Qubes to call itself an OS.
2) It’s very different from your stock distro, which makes it even finer to call itself an OS. With a Linux kernel.
Now we eat.
It’s okay to call itself an operating system, but if I google around it seems it’s really yet another Linux distribution.
The feature that stands out is that it boots an entire virtual Linux host just for you to run an application.
What I ask myself is: does this extra security really solve anything? How many desktop Linux users are the victims of any type of malware (not including Adobe Flash)? Does it protect against user errors, phishing attacks, DNS spoofs?
If you are paranoid you may like this, but you’d need to give up your current favorite operating system.
To me it seems you’d be far better off using any common Linux distribution and educating yourself (daily if possible) using Linux. Do all the security basics, be smart and be up-to-date and you’ll be fine.
Yeah, it’s really not its own operating system.
Considering it is based on Linux I can see why they thought this solution was the only reasonable one.
If each process had its own mount table (and in turn its own view of the filesystem, including multiplexing of resources) as in Plan 9, and processes could only communicate through the filesystem and not through some obscure system calls, there would not have been any need for this whatsoever, because that together with the MMU would have been enough. Chroot, as pointed out earlier, would not have been a reasonable alternative either.
The overhead of the solution they came up with must be incredibly high. It is an ugly workaround, but it’s nice they made it work anyway.
Edited 2012-09-04 11:12 UTC
This sounds like use of a virtual machine monitor (Xen, in this case) to provide separation between applications, some drivers, and other processes, and to run them in an unprivileged mode. Something that things like Minix and most true microkernel OSes do without the VMM.
Is it more secure than Linux chroot? Probably. More secure than FreeBSD jails/UML/<your favorite app virtualization scheme here>? Depends on how secure you think Xen is. It’s a fairly substantial amount of code regardless. Unless Qubes can run any general-purpose OS in one of the “appVM”s, I think the effort would probably have been better spent on one of the other technologies mentioned above.
Nice effort, but it looks like overkill to me.
I’d be more interested in something lighter and more integrated, like Selinux Sandboxing (hm, something to look into I guess).
Funny how the installation guide almost attacks NoScript – lol, what is that all about? Especially from people focused on security:
“Note: Be sure that you use a modern, non-handicapped browser to access the links below (e.g. disable the NoScript and the likes extensions that try to turn your Web Browser essentially into the 90’s Mosaic).”