My brother John pointed me to this article:
This Secure Operating System Can Protect You Even if You Get Hacked (thehackernews)
which describes a little bit about a new operating system called Qubes.
Despite being intrigued, even after reading I didn’t really get it. So, I looked into it more and even downloaded it. This ended up being far more interesting than I first realized!
What is Qubes?
From what I gather, this is like a PhD thesis or research project for a couple of people – although there are a couple of dozen people who work on it. What it is, is a single-user operating system that runs a bare-metal hypervisor, which then hosts several operating system VM’s. You, as the sole user of the computer run in this special dom0 session which is the only thing that has access to these virtual machines. Even better, dom0 doesn’t have any direct network access – no network drivers are even available for it.
So, when you are sitting at this computer, you are using this protected dom0 session which has exclusive access to applications hosted in several virtual machines. Where things get really tricky is that everything runs in isolation.
meaning that you could open a browser from your “Personal” app VM. If that browser brings down some malware, it is physically impossible for it to affect anything outside of that app VM. This means that you can compartmentalize your computer usage. If one application is compromised by hackers or malware, it can’t affect or infect the other systems on your computer. Since these are virtual machines, they can be different operating systems too – so if you want to mainly run Linux, but really like Outlook 2013 on Windows 10, you can run those, and access them all side-by-side from your dom0 user session.
Here is a slide deck video from one of the project team members which explains a little more about how it works:
This would be somewhat equivalent of you running Hyper-V or VirtualBox on your laptop and running applications in each, except with Qubes, you can have those windows side-by-side on your desktop. That is an oversimplification though because Qubes also ensures isolation of memory, CPU, disk, USB, etc so that malware one won’t physically have access to other VM bubbles. With VirtualBox or Hyper-V, there may be exploits where one compromised VM could reach over into the next VM and extract data.
Ok, but why?
There seems to be a pattern in computing. When something is invented, it’s wildly insecure. Then eventually that causes such a problem that there is a 2.0 generation where everything is then secured. We saw this with:
- Telnet –> SSH
- FTP –> FTPS and SFTP
- E-mail –> secure connections to e-mail AND x.509 certificates
and we are on the verge of witnessing it again with the Internet of Things (IoT) boom at the moment. Everyone is creating little gadgets and doo-hickies, but with no security. At some point, someone will come up with a new standard for security, and IoT will finally be secure.
Now, with that said, what is the problem that Qubes is addressing? For that, see this video from the project owner:
In short, there are many attack vectors on an end-user workstation. You can attempt to break in many ways. Once you are in, you have compromised the ENTIRE computer. The idea here is to limit the impact of a breach on a single computer. If malware makes it in on your “untrusted” app VM, it can’t programmatically take a screenshot from your personal or work VM’s. Each application VM runs in isolation, which means when it’s compromised, it limited to just that application VM.
Who would use this?
In short, I don’t know. This project is less than 2 years old, but it’s got tremendous promise. As it sits right now, you’d have to lose a lot of your conveniences and creature comforts. They say that will support Linux, Windows, iOS, Android and other operating systems, but they won’t have that same “seamless” feeling that a native OS has.
Secondly, this goes directly against the grain of virtually everything else out there. Windows 10, MacOS X, and others are striving to give you a unified experience which encourages one big, compromise-able security bubble, not compartmentalization.
So right now, I could see someone working on top secret projects using this, but for the regular end-user, probably no so much – at least not yet.
I bring all of this up not so much because you should start using it today – but because it represents a significant step towards what needs to happen in end-user operating systems: applications should be compartmentalized. This is the first time (as far as I know) someone actually tried this, and tried to figure out what works and what doesn’t.
If ever Windows or MacOS sway back towards wanting things to be more secure, versus being more convenient, this sort of work paves the way for them to do that. Or if not, as this project evolves and becomes a little more convenient to use, this could become the way that security/privacy-minded people use an operating system – wrapped in an isolated application VM!