Qubes OS bakes in virty system-level security

Blue Pill creator stacks multiple sandboxed VMs

Website security in corporate America

Invisible Things Lab (ITL), a group of security researchers based in Warsaw, Poland, has announced Qubes 1.0, the first production release of a new desktop operating system designed to provide unprecedented security through the pervasive use of virtualization.

"Unfortunately, contrary to common belief, there are no general purpose, desktop OSes, that would be formally proven to be secure," ITL founder and CEO Joanna Rutkowska wrote in a blog post announcing the release on Monday. "At the very best," she said, "there are some parts that are formally verified, such as some microkernels, but not whole OSes."

To help rectify that situation, Rutkowska and her team built Qubes, an OS that uses virtual machines (VMs) to isolate sensitive applications and their data from parts of the system that may be vulnerable to compromise.

Qubes wasn't written from scratch, but instead draws upon existing open source components, although it uses them in new ways. At its heart is the Xen hypervisor, which it uses to create and manage the various VMs that form its security model.

In Qubes, users can create as many VMs – also known as domains – as they want, and assign them varying security levels based on the sensitivity of the applications and data they will be using in them. For example, one user might decide to create "home", "work", "banking", and "shopping" domains, each shielded from the others and each with its own security policies.

Below all of these application domains, Qubes maintains a separate administrative domain that provides a common GUI for all of the running applications. No matter which domains the various applications might be running under, they can all share the desktop on the same screen, and share the same input devices.

Screenshot showing Qubes OS VMs running at various security levels

A Qubes desktop running VMs at various security levels marked green, yellow, and red (click to enlarge)

That doesn't mean they can share data, however. The user has ultimate control over which files and other data can pass between which domains. Even operations as simple as cut-and-paste between domains aren't allowed without explicit user approval.

Qubes can also enforce network policies for each domain, both to prevent unwanted network activity by malware and to block commonplace user mistakes. For example, a user might configure Qubes so that only a web browser running in the banking domain can access online banking sites, while browsers running in other domains are blocked from those sites.

Qubes can even create "disposable VMs" for one-time actions that could compromise security even though they would ordinarily be allowed. For example, a user could choose to open a PDF file from a suspicious source in a disposable VM, minimizing the potential damage it could cause if the file contained exploit code.

Rutkowska cautions that, particularly in this early phase, Qubes shouldn't be considered a "safe" OS, but rather a "reasonably secure" one. That's because despite all of the layers of security built into the Qubes security model, the security it provides is not automatic. Instead, it relies on the user to make decisions, which Rutkowska admits won't be the right approach for everyone.

"This provides for great flexibility for more advanced users," she writes, "but the price to pay is that Qubes OS requires some skills and thinking to actually make the user's data more secure."

Rutkowska also warns that there may yet be bugs in the Qubes code that could be used to compromise its security model. She should know. In 2006, she made a name for herself in the security community by creating Blue Pill, a rootkit based on the hardware virtualization support features found in modern AMD and Intel processors.

Users who would like to try out the new OS can do so by downloading an ISO and following the instructions on the Qubes website. For those who would like to try to crack Qubes' security, on the other hand, Rutkowska says bring it on. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.