Qubes OS

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation.[7] Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.

Qubes OS
Qubes OS 4.1.2 with its default Xfce DE running Fedora 37, Debian 11 and Whonix 16 virtualizations.
DeveloperThe Qubes OS Project
OS familyLinux (Unix-like)
Working stateCurrent
Source modelOpen source with proprietary blobs,[1][2]
Initial releaseSeptember 3, 2012 (2012-09-03)[3]
Latest release4.1.2[4] Edit this on Wikidata / 15 March 2023 (15 March 2023)
Latest preview4.2.0-rc4[5] / October 13, 2023 (2023-10-13)
Available inMultilingual
Update methodDNF (PackageKit)
Package managerRPM Package Manager
Platformsx86-64
Kernel typeMicrokernel (Xen Hypervisor running minimal Linux-based OSes and others)
UserlandGNU[note 1]
Default
user interface
Xfce
LicenseFree software licenses
(mainly GPL v2[6])
Official websitequbes-os.org

The runtimes of individual qubes are generally based on a unique system of underlying operating system templates. Templates provide a single, immutable root file system which can be shared by multiple qubes.

This approach has a two major benefits. First, updates to a given template are automatically "inherited" by all qubes based on it. Second, shared templates can dramatically reduce storage requirements compared to separate VMs with a full operating install per secure domain.

The base installation of Qubes OS provides a number of officially supported templates based on the Fedora and Debian Linux distributions. Alternative community-supported templates include Whonix, Ubuntu, Arch Linux, CentOS, or Gentoo.[8] Users may also create their own templates.

Operating Systems like Qubes OS are referred to in academia as Converged Multi-Level Secure (MLS) Systems.[9] Other proposals of similar systems have surfaced[10][11] and SecureView and VMware vSphere are commercial competitors.

Security goals

Security domains scheme

Qubes implements a Security by Isolation approach.[12] The assumption is that there can be no perfect, bug-free desktop environment: such an environment counts millions of lines of code and billions of software/hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control of a machine.[13][14]

To secure a desktop using Qubes OS, the user takes care to isolate various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.[15]

In Qubes OS, the isolation is provided in two dimensions: hardware controllers can be isolated into functional domains (e.g. network domains, USB controller domains), whereas the user's digital life is divided into security domains with different levels of trust.

For instance: work domain (most trusted), shopping domain, random domain (less trusted).[16] Each of these domains is run in a separate qube.

The qubes have passwordless root access (e.g. passwordless sudo) by default.[17] UEFI Secure Boot is not supported out of the box, but this is not considered a major security issue.[18] Qubes is not a multiuser system.[19]

Installation and System Requirements

As a desktop-focused operating system, Qubes OS targets personal computer hardware. This market is dominated by laptops running Intel and AMD processors and chipsets.

The base system requirements for Qubes OS are as follows (discussion below):

  • 64-bit Intel or AMD processor with virtualization extensions*
  • 6 GB RAM minimum
  • 32 GB disk space minimum [20]

[*Since 2013, Qubes OS only supports 64-bit processors.[18]

In addition, since release 4.x, Qubes OS requires either an Intel processor with support for VT-x with EPT and Intel VT-d or an AMD processor with support for AMD-V with RVI (SLAT) and AMD-Vi (aka AMD IOMMU). [21] This is not a major issue for AMD processors since AMD IOMMU is functionally identical to Intel's VT-d.[21]]

In practice, Qubes OS typically needs 8 GB+ of RAM. Even though it is possible to run it with only 6 GB of RAM, users will likely be limited to running no more than a couple of qubes at a time.[18]

By default, the Qubes OS installer allocates all space on the selected storage medium. No provision is made for sharing disk space with other operating system partitions on the target device. Full disk encryption is provided using LUKS/dm-crypt.[18]

The 32 GB minimum space requirement does not include space needed for new qubes, user applications, additional templates, user data, etc..

Important Note: Qubes OS is not intended to be run as part of a multi-boot system. If an attacker were to take control of one of the other running operating systems, they could potentially compromise the Qubes OS installation.[22]

That said, it is technically possible to use Qubes OS as part of a multi-boot system and even to use grub2 as the boot loader/boot manager.[22]

It is also possible to customize much of the Qubes OS installation but for security reasons this is recommended only for expert users.

User experience

Users interact with Qubes OS in much the same manner that they interact with any standard graphical desktop operating systems with some key differences:

  • The creation of qubes (security domains) offers the means to create discrete, lean, secure application spaces by linking them to a complete root filesystem using shared templates.
  • Applications launched from their respective qubes are distinguished by a unique colored window border.
  • Opening an application for the first time in a given qube may incur a modest delay depending on system hardware.
  • Sharing files[23] and clipboard paste buffers[24] utilize a special mechanism, as qubes do not share a common clipboard or file system.
  • Users can create and manage as many qubes as desired to suit their specific requirements.

System architecture overview

Xen hypervisor and domains

The Xen hypervisor provides strong isolation between its hosted virtual machines, called domains in Xen parlance.

The first domain started by Xen is the privileged administrative domain referred to as domain zero or more commonly dom0.

All other unprivileged user domains in Xen are referred to as domU (see below).

[Elsewhere in this document, the discussion of security isolation concepts refers to secure domains. To prevent confusion, further references to domains hosted by Xen in this section will prefer the term virtual machine / VM.]

The Administrative domain: dom0

As of Qubes OS 4.1.2, the operating system running in dom0 is Fedora Linux running a paravirtualized Linux kernel. It is the Linux kernel in dom0 that controls and brokers access to all the physical system hardware, via standard Linux kernel device drivers.

The dom0 operating system hosts the user's graphical desktop and controls most hardware devices. This includes the graphics device, USB ports, storage and input devices, such as the keyboard and mouse. The base graphical desktop is composed of the X server, the XFWM window manager and the XFCE desktop.

The programs installed on this desktop are focused primarily on managing the virtual machines and their dependencies. A crucial difference between Qubes OS and a conventional Linux distribution is this:

The user's productivity applications are installed and hosted in the domU virtual machines, not directly in dom0.

Applications launched from a given qube will be displayed as just another process window on this desktop. A distinguishing property of each window is a unforgeable colored border and title which denotes the qube which is hosting it.

In order to protect the integrity of dom0, it is completely isolated from the network by design. Applications running directly in dom0 (i.e.- not in a qube) have no means of directly connecting to any network. In Qubes OS, installation of additional software in dom0 proper is actively discouraged.

The virtual storage devices (hard disk, CD/DVD) of the qubes is managed by dom0. These are usually stored as a single monolithic file "per-virtual-disk" or CD/DVD image in ISO9660 (.ISO) format on the local file systems available to dom0.

By design, dom0 has the least possible direct interaction with the qubes in order to minimize the possibility of an attack originating from there.[25][26]

Updates to the dom0 operating system and the included Template OS images are performed via a special mechanism which does not require dom0 operating system to connect directly to a network.

The User domains: domU

In Xen, all virtual machines other than dom0 are called domU. For less technical users, the authors of Qubes OS chose to refer to any domU variously as qubes, Application Virtual Machines or app qubes.

An app qube (an instance of a qube) provides secure, compartmented execution of standard user applications such as a web browser, an email client or a text editor.

Operation of app qubes is controlled by the Qube Manager. It launches the discrete app qubes and presents their applications on the desktop of dom0 as normal process windows.

This is the overall objective of Qubes OS. Any running application from one qube is completely isolated from all running applications from other qubes, even if they are the same executable. Both applications appear seamlessly on the user's desktop.

For security purposes, app qubes can be used to group applications and functions based on the level of trust and isolation they require, such as personal, work, shopping, banking, etc.

In addition to persistent app qubes , applications can be run, and documents can be handled, in disposables through an action available in the Qube Manager.

This mechanism follows the idea of a sandboxes. After running the application, viewing the document, etc., the whole disposable will be destroyed on shutdown.[27]

Qubes OS integrates all of the app qubes into a single common desktop environment. The identity of each app qube for a given process is provided by an unforgeable, colored window border which is defined in the properties of the qpp qubes.

Disk usage in dom0 is can be minimized by allowing multiple app qubes to share a common "template" root file system image maintained in read-only mode. Additional disk storage is only used for userʼs applications, data and per-VM settings.

This allows software installation and updates to be centralized by updating the templates which are "inherited" by the app qubes based on them. It is also possible to install software within a single app qubes, by installing it as the non-root user, or by installing it in the non-standard, Qubes OS-specific /rw hierarchy.

Network domain

The network mechanism is the most exposed to security attacks. To circumvent this, it is isolated in a separate, unprivileged qube, named the net qube.

Another firewall Domain is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised, the firewall is still isolated and protected (as it is running in a separate Linux kernel in a separate VM).[28]

Reception

Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project.[29]

Jesse Smith wrote review of Qubes OS 3.1 for DistroWatch Weekly:[30]

I had a revelation though on the second day of my trial when I realized I had been using Qubes incorrectly. I had been treating Qubes as a security enhanced Linux distribution, as though it were a regular desktop operating system with some added security. This quickly frustrated me as it was difficult to share files between domains, take screen shots or even access the Internet from programs I had opened in Domain Zero. My experience was greatly improved when I started thinking of Qubes as being multiple, separate computers which all just happened to share a display screen. Once I began to look at each domain as its own island, cut off from all the others, Qubes made a lot more sense. Qubes brings domains together on one desktop in much the same way virtualization lets us run multiple operating systems on the same server.

Kyle Rankin from Linux Journal reviewed Qubes OS in 2016:[31]

I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop.

In 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organization Access Now.[32]

See also

Notes

  1. The base (dom0) operating system used by Qubes OS is Fedora (source), Which (as of December 2022) uses the GNU coreutils.

References

  1. "Will Qubes seek to get certified under the GNU Free System Distribution Guidelines (GNU FSDG)?".
  2. "Qubes OS License".
  3. "Introducing Qubes 1.0!". September 3, 2012.
  4. "Qubes OS 4.1.2 has been released!". March 15, 2023. Retrieved March 15, 2023.
  5. "Qubes OS 4.2.0-rc4 is available for testing". October 13, 2023. Retrieved October 14, 2023.
  6. "License Qubes OS". www.qubes-os.org.
  7. "Qubes OS bakes in virty system-level security". The Register. September 5, 2012.
  8. "Qubes OS Templates".
  9. Issa, Abdullah; Murray, Toby; Ernst, Gidon (December 4, 2018). "In search of perfect users: towards understanding the usability of converged multi-level secure user interfaces". Proceedings of the 30th Australian Conference on Computer-Human Interaction. OzCHI '18: 30th Australian Computer-Human Interaction Conference. Melbourne Australia: Association for Computing Machinery (ACM). p. 572576. doi:10.1145/3292147.3292231. ISBN 978-1-4503-6188-0. Retrieved November 1, 2020.
  10. Beaumont, Mark; McCarthy, Jim; Murray, Toby (December 5, 2016). "The cross domain desktop compositor: using hardware-based video compositing for a multi-level secure user interface". Proceedings of the 32nd Annual Conference on Computer Security Applications. ACSAC '16: 2016 Annual Computer Security Applications Conference. Los Angeles California USA: Association for Computing Machinery (ACM). p. 533545. doi:10.1145/2991079.2991087. ISBN 978-1-4503-4771-6. Retrieved November 1, 2020.
  11. Atanas Filyanov; Nas, Aysegül; Volkamer, Melanie (July 1, 2013). "Poster: On the Usability of Secure GUIs". p. 11. S2CID 17605611. {{cite web}}: Missing or empty |url= (help)
  12. "The three approaches to computer security". Joanna Rutkowska. September 2, 2008.
  13. "Qubes OS: An Operating System Designed For Security". Tom's hardware. August 30, 2011.
  14. "A digital fortress?". The Economist. March 28, 2014.
  15. "How Splitting a Computer Into Multiple Realities Can Protect You From Hackers". Wired. November 20, 2014.
  16. "Partitioning my digital life into security domains". Joanna Rutkowska. March 13, 2011.
  17. Passwordless Root Access in VMs
  18. Qubes FAQ
  19. Rutkowska, Joanna (May 3, 2010). "Google Groups - Qubes as a multi-user system". Google Groups.
  20. Qubes system requirements
  21. Why Intel VT-d ?
  22. "Multibooting Qubes". Archived from the original on November 29, 2020. Retrieved July 3, 2020.
  23. "Copying Files between qubes". Qubes OS. Retrieved June 5, 2020.
  24. "Copy and Paste". Qubes OS. Retrieved June 5, 2020.
  25. "(Un)Trusting your GUI Subsystem". Joanna Rutkowska. September 9, 2010.
  26. "The Linux Security Circus: On GUI isolation". Joanna Rutkowska. April 23, 2011.
  27. "Qubes To Implement Disposable Virtual Machines". OSnews. June 3, 2010.
  28. "Playing with Qubes Networking for Fun and Profit". Joanna Rutkowska. September 28, 2011.
  29. "Endpoint Security Prize Finalists Announced!".
  30. DistroWatch Weekly, Issue 656, 11 April 2016
  31. Secure Desktops with Qubes: Introduction |Linux Journal
  32. "Endpoint Security Prize Finalists Announced!". Michael Carbone. February 13, 2014.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.