Qubes OS

Qubes OS 4.1.2 with its default Xfce DE running Fedora 37, Debian 11 and Whonix 16 virtualizations.

Developer: The Qubes OS Project, Invisible Things Labs, Joanna Rutkowska
OS family: Linux (Unix-like)
Working state: Current
Source model: Open source with proprietary blobs [1] [2]
Initial release: September 3, 2012 (2012-09-03) [3]
Latest release: 4.2.3 / 17 September 2024
Marketing target: security by compartmentalization, desktop, laptop
Available in: Multilingual
Update method: DNF (PackageKit)
Package manager: RPM Package Manager
Platforms: x86-64
Kernel type: Microkernel (Xen Hypervisor running minimal Linux-based OSes and others)
Userland: GNU [note 1]
Default user interface: Xfce
License: Free software licenses (mainly GPL v2 [4])
Official website: qubes-os.org

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. [5] Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.


Individual qubes are generally built on a system of underlying operating system templates. A template provides a single, immutable root file system which can be shared by multiple qubes. This approach has two major benefits. First, updates to a given template are automatically "inherited" by all qubes based on it. Second, shared templates can dramatically reduce storage requirements compared to separate VMs with a full operating system install per secure domain.

The base installation of Qubes OS provides a number of officially supported templates based on the Fedora and Debian Linux distributions. Alternative community-supported templates include Whonix, Ubuntu, Arch Linux, CentOS and Gentoo. [6] Users may also create their own templates.

Operating systems like Qubes OS are referred to in academia as converged multi-level secure (MLS) systems. [7] Other proposals for similar systems have surfaced, [8] [9] and SecureView and VMware vSphere are commercial competitors. [citation needed]

Security goals

Security domains scheme

Qubes implements a Security by Isolation approach. [10] The assumption is that there can be no perfect, bug-free desktop environment: such an environment consists of millions of lines of code and billions of software/hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control of a machine. [11] [12]

To secure a desktop using Qubes OS, the user isolates various environments, so that if one component is compromised, the malicious software gains access only to the data inside that environment. [13]

In Qubes OS, the isolation is provided in two dimensions: hardware controllers can be isolated into functional domains (e.g. network domains, USB controller domains), whereas the user's digital life is divided into security domains with different levels of trust.

For instance: work domain (most trusted), shopping domain, random domain (less trusted). [14] Each of these domains is run in a separate qube.

The qubes have passwordless root access (e.g. passwordless sudo) by default. [15] UEFI Secure Boot is not supported out of the box, but this is not considered a major security issue. [16] Qubes is not a multiuser system. [17]

Installation and System Requirements

As a desktop-focused operating system, Qubes OS targets personal computer hardware. This market is dominated by laptops running Intel and AMD processors and chipsets.

The base system requirements for Qubes OS are:

User experience

Users interact with Qubes OS in much the same manner that they interact with any standard graphical desktop operating systems with some key differences:

System architecture overview

Xen hypervisor and domains

The Xen hypervisor provides strong isolation between its hosted virtual machines, called domains in Xen terminology.

The first domain started by Xen is the privileged administrative domain referred to as domain zero or more commonly dom0.

The Administrative domain: dom0

As of Qubes OS 4.1.2, the operating system running in dom0 is Fedora Linux running a paravirtualized Linux kernel. It is the Linux kernel in dom0 that controls and brokers access to all the physical system hardware, via standard Linux kernel device drivers.

The dom0 operating system hosts the user's graphical desktop and controls most hardware devices. This includes the graphics device, USB ports, storage and input devices, such as the keyboard and mouse. The base graphical desktop is composed of the X server, the Xfwm window manager and the Xfce desktop.

By design, dom0 has the least possible direct interaction with the qubes in order to minimize the possibility of an attack originating from them. [22] [23]

Updates to the dom0 operating system and the included template OS images are performed via a special mechanism which does not require the dom0 operating system to connect directly to a network.

The User domains: qubes

An app qube (an instance of a qube) provides secure, compartmentalized execution of standard user applications such as a web browser, an email client or a text editor.

Operation of app qubes is controlled by the Qube Manager. It launches the discrete app qubes and presents their applications on the desktop of dom0 as normal process windows.

Disposable qubes follow the idea of a sandbox: after running the application, viewing the document, etc., the whole disposable qube is destroyed on shutdown. [24]

Qubes OS integrates all of the app qubes into a single common desktop environment. The app qube to which each window belongs is indicated by an unforgeable, colored window border, whose color is defined in the properties of the app qube.

Disk usage in dom0 is minimized by allowing multiple app qubes to share a common "template" root file system image maintained in read-only mode. Additional disk storage is only used for the user's applications, data and per-VM settings.

Network domain

The networking stack is the component most exposed to attack. To contain this exposure, it is isolated in a separate, unprivileged qube, named the net qube.

A separate firewall domain houses the Linux-kernel-based firewall, so that even if the network domain is compromised, the firewall remains isolated and protected (as it runs in a separate Linux kernel in a separate VM). [25]
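As an added example (not the Qubes project's own code), the following dom0 shell script provisions the layout described in the "Security goals" and "Network domain" sections above: the work, shopping and random domains as app qubes with distinct border colors, chained through the firewall qube to the net qube. It assumes a template named fedora-37 and the Qubes default qube names sys-firewall and sys-net; the domain names and colors are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the Qubes project): provisions the security
# domains the article describes (work, shopping, random) as app qubes
# behind the separate firewall and net qubes. Assumed names: template
# "fedora-37" and the Qubes default "sys-firewall" / "sys-net" qubes.
# DRY_RUN=1 (the default here) prints the dom0 commands instead of
# running them, so the layout can be reviewed before it is applied.
DRY_RUN="${DRY_RUN:-1}"
TEMPLATE="${TEMPLATE:-fedora-37}"

# Run a dom0 command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_domain NAME LABEL NETVM
# Each domain is an app qube sharing the template's read-only root;
# the label color becomes the unforgeable window border for that qube.
create_domain() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label "$2" "$1"
    run qvm-prefs "$1" netvm "$3"
}

# https_only NAME
# Default-deny outbound policy for a domain, allowing only TCP/443.
# The rules are enforced in the firewall qube, not in NAME itself,
# so a compromise of NAME cannot lift them.
https_only() {
    run qvm-firewall "$1" reset
    run qvm-firewall "$1" add accept proto=tcp dstports=443
    run qvm-firewall "$1" add drop
}

provision_domains() {
    # Network chain: app qubes -> firewall qube -> net qube (NIC driver)
    run qvm-prefs sys-firewall netvm sys-net
    create_domain work     green  sys-firewall   # most trusted
    create_domain shopping yellow sys-firewall
    create_domain random   red    sys-firewall   # least trusted
    https_only work
}

provision_domains
```

Run with DRY_RUN=0 in dom0 to apply the layout; the printed form is the same sequence of commands.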

Reception

Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project. [26]

Jesse Smith wrote a review of Qubes OS 3.1 for DistroWatch Weekly: [27]

I had a revelation though on the second day of my trial when I realized I had been using Qubes incorrectly. I had been treating Qubes as a security enhanced Linux distribution, as though it were a regular desktop operating system with some added security. This quickly frustrated me as it was difficult to share files between domains, take screen shots or even access the Internet from programs I had opened in Domain Zero. My experience was greatly improved when I started thinking of Qubes as being multiple, separate computers which all just happened to share a display screen. Once I began to look at each domain as its own island, cut off from all the others, Qubes made a lot more sense. Qubes brings domains together on one desktop in much the same way virtualization lets us run multiple operating systems on the same server.

Kyle Rankin from Linux Journal reviewed Qubes OS in 2016: [28]

I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop.

In 2014, Qubes was selected as a finalist for the Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organization Access Now. [29]


Notes

  1. The base (dom0) operating system used by Qubes OS is Fedora (source), which (as of December 2022) uses the GNU coreutils.


References

  1. "Will Qubes seek to get certified under the GNU Free System Distribution Guidelines (GNU FSDG)?".
  2. "Qubes OS License".
  3. "Introducing Qubes 1.0!". September 3, 2012.
  4. "License Qubes OS". www.qubes-os.org.
  5. "Qubes OS bakes in virty system-level security". The Register. September 5, 2012.
  6. "Qubes OS Templates".
  7. Issa, Abdullah; Murray, Toby; Ernst, Gidon (December 4, 2018). "In search of perfect users: towards understanding the usability of converged multi-level secure user interfaces". Proceedings of the 30th Australian Conference on Computer-Human Interaction. OzCHI '18: 30th Australian Computer-Human Interaction Conference. Melbourne, Australia: Association for Computing Machinery (ACM). pp. 572–576. doi:10.1145/3292147.3292231. ISBN 978-1-4503-6188-0. Retrieved November 1, 2020.
  8. Beaumont, Mark; McCarthy, Jim; Murray, Toby (December 5, 2016). "The cross domain desktop compositor: using hardware-based video compositing for a multi-level secure user interface". Proceedings of the 32nd Annual Conference on Computer Security Applications. ACSAC '16: 2016 Annual Computer Security Applications Conference. Los Angeles, California, USA: Association for Computing Machinery (ACM). pp. 533–545. doi:10.1145/2991079.2991087. ISBN 978-1-4503-4771-6. Retrieved November 1, 2020.
  9. Atanas Filyanov; Nas, Aysegül; Volkamer, Melanie (July 1, 2013). "Poster: On the Usability of Secure GUIs". p. 11. S2CID 17605611.
  10. "The three approaches to computer security". Joanna Rutkowska. September 2, 2008.
  11. "Qubes OS: An Operating System Designed For Security". Tom's Hardware. August 30, 2011.
  12. "A digital fortress?". The Economist. March 28, 2014.
  13. "How Splitting a Computer Into Multiple Realities Can Protect You From Hackers". Wired. November 20, 2014.
  14. "Partitioning my digital life into security domains". Joanna Rutkowska. March 13, 2011.
  15. "Passwordless Root Access in VMs".
  16. "Qubes FAQ".
  17. Rutkowska, Joanna (May 3, 2010). "Google Groups - Qubes as a multi-user system". Google Groups.
  18. "Why Intel VT-d?".
  19. "Qubes system requirements".
  20. "Copying Files between qubes". Qubes OS. Retrieved June 5, 2020.
  21. "Copy and Paste". Qubes OS. Retrieved June 5, 2020.
  22. "(Un)Trusting your GUI Subsystem". Joanna Rutkowska. September 9, 2010.
  23. "The Linux Security Circus: On GUI isolation". Joanna Rutkowska. April 23, 2011.
  24. "Qubes To Implement Disposable Virtual Machines". OSnews. June 3, 2010.
  25. "Playing with Qubes Networking for Fun and Profit". Joanna Rutkowska. September 28, 2011.
  26. "Endpoint Security Prize Finalists Announced!".
  27. "DistroWatch Weekly, Issue 656". DistroWatch. 11 April 2016.
  28. "Secure Desktops with Qubes: Introduction". Linux Journal.
  29. "Endpoint Security Prize Finalists Announced!". Michael Carbone. February 13, 2014.