Applications running in different security domains
|Developer||Invisible Things Lab|
|Source model||Open source (GPLv2)|
|Initial release||September 3, 2012|
|Latest release||4.0 / March 28, 2018|
|Latest preview||R4.0 rc4 / January 31, 2018|
|Update method||Yum (PackageKit)|
|Package manager||RPM Package Manager|
|Kernel type||Microkernel (Xen Hypervisor running minimal Linux-based OSes and others)|
|Userland||Fedora, Debian, Whonix, Microsoft Windows|
|Default user interface||KDE, Xfce|
|License||Free software licenses|
(mainly GPL v2)
Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Virtualization is performed by Xen, and user environments can be based on Fedora, Debian, Whonix, and Microsoft Windows, among other operating systems.
On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution. Ultimately, the prize was awarded to Tails, another security-focused operating system, with Qubes and Open Whisper Systems being named runners-up.
Qubes implements a Security by Isolation approach. The assumption is that there can be no perfect, bug-free desktop environment: such an environment counts millions of lines of code and billions of software/hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control over a machine.
In order to secure a desktop, a Qubes user should take care of isolating various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.
In Qubes, the isolation is provided in two dimensions: hardware controllers can be isolated into functional domains (e.g. network domains, USB controller domains), whereas the user's digital life is decided in domains with different levels of trust. For instance: work domain (most trusted), shopping domain, random domain (less trusted). Each of those domains is run in a separate virtual machine.
System architecture overview
Xen hypervisor and administrative domain (Dom0)
The hypervisor provides isolation between different virtual machines. The administrative domain, also referred to as Dom0 (a term inherited from Xen), has direct access to all the hardware by default. Dom0 hosts the GUI domain and controls the graphics device, as well as input devices, such as the keyboard and mouse. The GUI domain runs the X server, which displays the user desktop, and the window manager, which allows the user to start and stop the applications and manipulate their windows.
Integration of the different virtual machines is provided by the Application Viewer, which provides an illusion for the user that applications execute natively on the desktop, while in fact they are hosted (and isolated) in different virtual machines. Qubes integrates all these virtual machines onto one common desktop environment.
Because Dom0 is security-sensitive, it is isolated from the network. It tends to have as little interface and communication with other domains as possible in order to minimize the possibility of an attack originating from an infected virtual machine.
The Dom0 domain manages the virtual disks of the other VMs, which are actually stored as files on the dom0 filesystem(s). Disk space is saved by virtue of various virtual machines (VM) sharing the same root file system in a read-only mode. Separate disk storage is only used for userʼs directory and per-VM settings. This allows software installation and updates to be centralized. It is also possible to install software only on a specific VM, by installing it as the non-root user, or by installing it in the non-standard, Qubes-specific /rw hierarchy.
The network mechanism is the most exposed to security attacks. To circumvent this it is isolated in a separate, unprivileged virtual machine, called the Network Domain.
An additional firewall virtual machine is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised due to a device driver bug, the firewall is still isolated and protected (as it is running in a separate Linux kernel in a separate VM).
Application Virtual Machines (AppVM)
AppVMs are the virtual machines used for hosting user applications, such as a web browser, an e-mail client or a text editor. For security purposes, these applications can be grouped in different domains, such as "personal", "work", "shopping", "bank", etc. The security domains are implemented as separate, Virtual Machines (VMs), thus being isolated from each other as if they were executing on different machines.
Some documents or applications can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.
Each security domain is labelled by a color, and each window is marked by the color of the domain it belongs to. So it is always clearly visible to which domain a given window belongs.
I had a revelation though on the second day of my trial when I realized I had been using Qubes incorrectly. I had been treating Qubes as a security enhanced Linux distribution, as though it were a regular desktop operating system with some added security. This quickly frustrated me as it was difficult to share files between domains, take screen shots or even access the Internet from programs I had opened in Domain Zero. My experience was greatly improved when I started thinking of Qubes as being multiple, separate computers which all just happened to share a display screen. Once I began to look at each domain as its own island, cut off from all the others, Qubes made a lot more sense. Qubes brings domains together on one desktop in much the same way virtualization lets us run multiple operating systems on the same server.
I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop.
- Subgraph (operating system), a Linux distribution which approaches security through sandboxing
- "Qubes OS License".
- "Introducing Qubes 1.0!". September 3, 2012.
- "Qubes 4.0". March 28, 2018.
- "Qubes OS 4.0-rc4 has been released!". January 31, 2018.
- "License Qubes OS". www.qubes-os.org.
- "Qubes OS bakes in virty system-level security". The Register. September 5, 2012.
- "Qubes OS Templates".
- "Installing and using Windows-based AppVMs".
- "Endpoint Security Prize Finalists Announced!". Michael Carbone. February 13, 2014.
- "2014 Access Innovation Prize winners announced at RightsCon". Michael Carbone. March 11, 2014.
- "The three approaches to computer security". Joanna Rutkowska. September 2, 2008.
- "Qubes OS: An Operating System Designed For Security". Tom's hardware. August 30, 2011.
- "A digital fortress?". The Economist. March 28, 2014.
- "How Splitting a Computer Into Multiple Realities Can Protect You From Hackers". Wired. November 20, 2014.
- "Partitioning my digital life into security domains". Joanna Rutkowska. March 13, 2011.
- Rutkowska, Joanna (May 3, 2010). "Google Groups - Qubes as a multi-user system". Google Groups.
- "(Un)Trusting your GUI Subsystem". Joanna Rutkowska. September 9, 2010.
- "The Linux Security Circus: On GUI isolation". Joanna Rutkowska. April 23, 2011.
- "Playing with Qubes Networking for Fun and Profit". Joanna Rutkowska. September 28, 2011.
- "Qubes To Implement Disposable Virtual Machines". OSnews. June 3, 2010.
- DistroWatch Weekly, Issue 656, 11 April 2016
- Secure Desktops with Qubes: Introduction | Linux Journal
|Wikimedia Commons has media related to Qubes OS.|
- Official website
- Invisible Things Lab
- Invisible Things Blog
- DistroWatch overview
- Trusted Computing Technologies, Intel Trusted Execution Technology, Sandia National Laboratories, January 2011, by Jeremy Daniel Wendt and Max Joseph Guise