Qubes OS

Qubes OS 4.1.2 with its default Xfce DE running Fedora 37, Debian 11 and Whonix 16 virtual machines.
Developer: The Qubes OS Project
OS family: Linux (Unix-like)
Working state: Current
Source model: Open source with proprietary blobs [1] [2]
Initial release: September 3, 2012 [3]
Latest release: 4.2.1 [4] / 26 March 2024
Latest preview: 4.2.1-rc1 [5] / March 16, 2024
Available in: Multilingual
Update method: DNF (PackageKit)
Package manager: RPM Package Manager
Platforms: x86-64
Kernel type: Microkernel (Xen Hypervisor running minimal Linux-based OSes and others)
Userland: GNU [note 1]
Default user interface: Xfce
License: Free software licenses (mainly GPL v2 [6])
Official website: qubes-os.org

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. [7] Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.


Individual qubes are generally instantiated from a shared set of underlying operating system templates. A template provides a single, immutable root file system that can be shared by many qubes. This approach has two major benefits. First, updates to a given template are automatically "inherited" by all qubes based on it. Second, shared templates can dramatically reduce storage requirements compared to separate VMs, each with a full operating system install per security domain.

The base installation of Qubes OS provides a number of officially supported templates based on the Fedora and Debian Linux distributions. Alternative community-supported templates include Whonix, Ubuntu, Arch Linux, CentOS and Gentoo. [8] Users may also create their own templates.

Operating systems like Qubes OS are referred to in academia as converged multi-level secure (MLS) systems. [9] Other proposals for similar systems have surfaced, [10] [11] and SecureView and VMware vSphere are commercial competitors. [citation needed]

Security goals

[Figure: Security domains scheme]

Qubes implements a security-by-isolation approach. [12] The underlying assumption is that there can be no perfect, bug-free desktop environment: such an environment contains millions of lines of code and billions of software/hardware interactions, and one critical bug in any of these interactions may be enough for malicious software to take control of the machine. [13] [14]

To secure a desktop using Qubes OS, the user deliberately separates activities into isolated environments, so that if one component is compromised, the malicious software gains access only to the data inside that environment. [15]

In Qubes OS, the isolation is provided in two dimensions: hardware controllers can be isolated into functional domains (e.g. network domains, USB controller domains), whereas the user's digital life is divided into security domains with different levels of trust.

For instance: a work domain (most trusted), a shopping domain and a random domain (less trusted). [16] Each of these domains runs in a separate qube.

The qubes have passwordless root access (e.g. passwordless sudo) by default. [17] UEFI Secure Boot is not supported out of the box, but this is not considered a major security issue. [18] Qubes is not a multiuser system. [19]

Installation and System Requirements

As a desktop-focused operating system, Qubes OS targets personal computer hardware. This market is dominated by laptops running Intel and AMD processors and chipsets.

The base system requirements for Qubes OS are:

User experience

Users interact with Qubes OS in much the same manner that they interact with any standard graphical desktop operating systems with some key differences:

System architecture overview

Xen hypervisor and domains

The Xen hypervisor provides strong isolation between its hosted virtual machines, called domains in Xen terminology.

The first domain started by Xen is the privileged administrative domain referred to as domain zero or more commonly dom0.

The Administrative domain: dom0

As of Qubes OS 4.1.2, the operating system running in dom0 is Fedora Linux running a paravirtualized Linux kernel. It is the Linux kernel in dom0 that controls and brokers access to all the physical system hardware, via standard Linux kernel device drivers.

The operating system hosts the user's graphical desktop and controls most hardware devices. This includes the graphics device, USB ports, storage and input devices, such as the keyboard and mouse. The base graphical desktop is composed of the X server, the Xfwm window manager and the Xfce desktop.

By design, dom0 has the least possible direct interaction with the qubes in order to minimize the possibility of an attack originating from there. [24] [25]

Updates to the dom0 operating system and to the included template OS images are performed via a special mechanism which does not require the dom0 operating system to connect directly to a network.

The User domains: qubes

An app qube (an instance of a qube) provides secure, compartmentalized execution of standard user applications such as a web browser, an email client or a text editor.

Operation of app qubes is controlled by the Qube Manager. It launches the individual app qubes and presents their applications on the desktop of dom0 as normal process windows.

Disposable qubes follow the idea of a sandbox: after the application has been run, the document viewed, etc., the whole disposable qube is destroyed on shutdown. [26]

Qubes OS integrates all of the app qubes into a single common desktop environment. The identity of each app qube for a given process is provided by an unforgeable, colored window border which is defined in the properties of the app qube.

Disk usage in dom0 is minimized by allowing multiple app qubes to share a common "template" root file system image maintained in read-only mode. Additional disk storage is only used for the user's applications, data and per-VM settings.

Network domain

The network stack is the component most exposed to attack. To contain this exposure, it is isolated in a separate, unprivileged qube, named the net qube.

A separate firewall domain is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised, the firewall is still isolated and protected, as it runs in a separate Linux kernel in a separate VM. [27]
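As an added illustration of the isolation rules described in the security domains and network domain sections (this is a constructed model, not code from the Qubes OS project or its qvm tooling): a small Python checker over a netvm topology that verifies dom0 is never attached to a network, that every networked app qube reaches the net qube only through a firewall qube, and that netvm chains contain no loops. The qube names and kinds in the sample topology are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Qube:
    name: str
    kind: str                       # "admin" (dom0), "net", "firewall" or "app"
    netvm: Optional[str] = None     # upstream qube supplying network; None = no network
    provides_network: bool = False  # True for net and firewall qubes that forward traffic


def network_path(qubes: Dict[str, Qube], name: str) -> List[str]:
    """Follow netvm links upward from `name`; returns the chain ending at the qube with no netvm."""
    path, seen = [name], {name}
    cur = qubes[name]
    while cur.netvm is not None:
        nxt = cur.netvm
        if nxt not in qubes:
            raise ValueError(f"{cur.name}: netvm {nxt!r} does not exist")
        if nxt in seen:
            raise ValueError(f"{cur.name}: netvm chain loops back to {nxt!r}")
        seen.add(nxt)
        path.append(nxt)
        cur = qubes[nxt]
    return path


def check_topology(qubes: Dict[str, Qube]) -> List[str]:
    """Return one finding per violated isolation rule (an empty list means the topology is sound)."""
    findings: List[str] = []
    for q in qubes.values():
        if q.kind == "admin" and q.netvm is not None:
            findings.append(f"{q.name}: the administrative domain must never be attached to a network")
        if q.netvm is None:
            continue
        if q.netvm not in qubes:
            findings.append(f"{q.name}: netvm {q.netvm!r} does not exist")
            continue
        if not qubes[q.netvm].provides_network:
            findings.append(f"{q.name}: netvm {q.netvm!r} does not provide network")
        if q.kind == "app":
            try:
                upstream = network_path(qubes, q.name)[1:]
            except ValueError as err:       # broken or looping chain is itself a finding
                findings.append(str(err))
                continue
            if not any(qubes[n].kind == "firewall" for n in upstream):
                findings.append(f"{q.name}: reaches the net qube without passing a firewall qube")
    return findings


def example_topology() -> Dict[str, Qube]:
    """Constructed sample: the usual net -> firewall -> app chain plus one deliberate misconfiguration."""
    qs = [
        Qube("dom0", "admin"),                                 # never networked
        Qube("sys-net", "net", provides_network=True),         # owns the network hardware
        Qube("sys-firewall", "firewall", netvm="sys-net", provides_network=True),
        Qube("work", "app", netvm="sys-firewall"),             # correct: filtered by the firewall qube
        Qube("vault", "app"),                                  # offline, most trusted
        Qube("untrusted-direct", "app", netvm="sys-net"),      # wrong: bypasses the firewall qube
    ]
    return {q.name: q for q in qs}


if __name__ == "__main__":
    for finding in check_topology(example_topology()):
        print("FINDING:", finding)
```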

Reception

Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project. [28]

Jesse Smith wrote a review of Qubes OS 3.1 for DistroWatch Weekly: [29]

I had a revelation though on the second day of my trial when I realized I had been using Qubes incorrectly. I had been treating Qubes as a security enhanced Linux distribution, as though it were a regular desktop operating system with some added security. This quickly frustrated me as it was difficult to share files between domains, take screen shots or even access the Internet from programs I had opened in Domain Zero. My experience was greatly improved when I started thinking of Qubes as being multiple, separate computers which all just happened to share a display screen. Once I began to look at each domain as its own island, cut off from all the others, Qubes made a lot more sense. Qubes brings domains together on one desktop in much the same way virtualization lets us run multiple operating systems on the same server.

Kyle Rankin from Linux Journal reviewed Qubes OS in 2016: [30]

I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop.

In 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organization Access Now. [31]

Notes

  1. The base (dom0) operating system used by Qubes OS is Fedora (source), which (as of December 2022) uses the GNU coreutils.

References

  1. "Will Qubes seek to get certified under the GNU Free System Distribution Guidelines (GNU FSDG)?".
  2. "Qubes OS License".
  3. "Introducing Qubes 1.0!". September 3, 2012.
  4. "Qubes OS 4.2.1 has been released!". March 26, 2024. Retrieved March 26, 2024.
  5. "Qubes OS 4.2.1-rc1 is available for testing". www.qubes-os.org. March 16, 2024. Retrieved April 1, 2024.
  6. "License Qubes OS". www.qubes-os.org.
  7. "Qubes OS bakes in virty system-level security". The Register. September 5, 2012.
  8. "Qubes OS Templates".
  9. Issa, Abdullah; Murray, Toby; Ernst, Gidon (December 4, 2018). "In search of perfect users: towards understanding the usability of converged multi-level secure user interfaces". Proceedings of the 30th Australian Conference on Computer-Human Interaction. OzCHI '18: 30th Australian Computer-Human Interaction Conference. Melbourne, Australia: Association for Computing Machinery (ACM). pp. 572–576. doi:10.1145/3292147.3292231. ISBN 978-1-4503-6188-0. Retrieved November 1, 2020.
  10. Beaumont, Mark; McCarthy, Jim; Murray, Toby (December 5, 2016). "The cross domain desktop compositor: using hardware-based video compositing for a multi-level secure user interface". Proceedings of the 32nd Annual Conference on Computer Security Applications. ACSAC '16: 2016 Annual Computer Security Applications Conference. Los Angeles, California, USA: Association for Computing Machinery (ACM). pp. 533–545. doi:10.1145/2991079.2991087. ISBN 978-1-4503-4771-6. Retrieved November 1, 2020.
  11. Atanas Filyanov; Nas, Aysegül; Volkamer, Melanie (July 1, 2013). "Poster: On the Usability of Secure GUIs". p. 11. S2CID 17605611.
  12. "The three approaches to computer security". Joanna Rutkowska. September 2, 2008.
  13. "Qubes OS: An Operating System Designed For Security". Tom's hardware. August 30, 2011.
  14. "A digital fortress?". The Economist. March 28, 2014.
  15. "How Splitting a Computer Into Multiple Realities Can Protect You From Hackers". Wired. November 20, 2014.
  16. "Partitioning my digital life into security domains". Joanna Rutkowska. March 13, 2011.
  17. "Passwordless Root Access in VMs". Qubes OS.
  18. "Qubes FAQ". Qubes OS.
  19. Rutkowska, Joanna (May 3, 2010). "Google Groups - Qubes as a multi-user system". Google Groups.
  20. "Why Intel VT-d?". Qubes OS.
  21. "Qubes system requirements". Qubes OS.
  22. "Copying Files between qubes". Qubes OS. Retrieved June 5, 2020.
  23. "Copy and Paste". Qubes OS. Retrieved June 5, 2020.
  24. "(Un)Trusting your GUI Subsystem". Joanna Rutkowska. September 9, 2010.
  25. "The Linux Security Circus: On GUI isolation". Joanna Rutkowska. April 23, 2011.
  26. "Qubes To Implement Disposable Virtual Machines". OSnews. June 3, 2010.
  27. "Playing with Qubes Networking for Fun and Profit". Joanna Rutkowska. September 28, 2011.
  28. "Endpoint Security Prize Finalists Announced!".
  29. "DistroWatch Weekly, Issue 656". DistroWatch. April 11, 2016.
  30. "Secure Desktops with Qubes: Introduction". Linux Journal.
  31. "Endpoint Security Prize Finalists Announced!". Michael Carbone. February 13, 2014.