Qubes OS bakes in virty system-level security

Blue Pill creator stacks multiple sandboxed VMs

Providing a secure and efficient Helpdesk

Invisible Things Lab (ITL), a group of security researchers based in Warsaw, Poland, has announced Qubes 1.0, the first production release of a new desktop operating system designed to provide unprecedented security through the pervasive use of virtualization.

"Unfortunately, contrary to common belief, there are no general purpose, desktop OSes, that would be formally proven to be secure," ITL founder and CEO Joanna Rutkowska wrote in a blog post announcing the release on Monday. "At the very best," she said, "there are some parts that are formally verified, such as some microkernels, but not whole OSes."

To help rectify that situation, Rutkowska and her team built Qubes, an OS that uses virtual machines (VMs) to isolate sensitive applications and their data from parts of the system that may be vulnerable to compromise.

Qubes wasn't written from scratch, but instead draws upon existing open source components, although it uses them in new ways. At its heart is the Xen hypervisor, which it uses to create and manage the various VMs that form its security model.

In Qubes, users can create as many VMs – also known as domains – as they want, and assign them varying security levels based on the sensitivity of the applications and data they will be using in them. For example, one user might decide to create "home", "work", "banking", and "shopping" domains, each shielded from the others and each with its own security policies.

Below all of these application domains, Qubes maintains a separate administrative domain that provides a common GUI for all of the running applications. No matter which domains the various applications might be running under, they can all share the desktop on the same screen, and share the same input devices.

Screenshot showing Qubes OS VMs running at various security levels

A Qubes desktop running VMs at various security levels marked green, yellow, and red (click to enlarge)

That doesn't mean they can share data, however. The user has ultimate control over which files and other data can pass between which domains. Even operations as simple as cut-and-paste between domains aren't allowed without explicit user approval.

Qubes can also enforce network policies for each domain, both to prevent unwanted network activity by malware and to block commonplace user mistakes. For example, a user might configure Qubes so that only a web browser running in the banking domain can access online banking sites, while browsers running in other domains are blocked from those sites.

Qubes can even create "disposable VMs" for one-time actions that could compromise security even though they would ordinarily be allowed. For example, a user could choose to open a PDF file from a suspicious source in a disposable VM, minimizing the potential damage it could cause if the file contained exploit code.

Rutkowska cautions that, particularly in this early phase, Qubes shouldn't be considered a "safe" OS, but rather a "reasonably secure" one. That's because despite all of the layers of security built into the Qubes security model, the security it provides is not automatic. Instead, it relies on the user to make decisions, which Rutkowska admits won't be the right approach for everyone.

"This provides for great flexibility for more advanced users," she writes, "but the price to pay is that Qubes OS requires some skills and thinking to actually make the user's data more secure."

Rutkowska also warns that there may yet be bugs in the Qubes code that could be used to compromise its security model. She should know. In 2006, she made a name for herself in the security community by creating Blue Pill, a rootkit based on the hardware virtualization support features found in modern AMD and Intel processors.

Users who would like to try out the new OS can do so by downloading an ISO and following the instructions on the Qubes website. For those who would like to try to crack Qubes' security, on the other hand, Rutkowska says bring it on. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.