Qubes: an open source OS with strong security for desktop computing - evangineer
http://qubes-os.org

======
JoachimSchipper
This assumes that you can't break out of the VM, and that you can't gather
information across the VM boundary. From
<http://news.ycombinator.com/item?id=2573618>:

> ... [C]onsider e.g. <http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf> -
> cross-VM attacks are real, and extremely scary.

------
moondowner
KDE, a good choice.

I see they've utilized KWin decorators to display green or red windows, nice
idea.

------
m0nastic
When I saw the diagram showing the way Joanna partitions her computing on her
blog in March, I thought I was looking at something a schizophrenic would have
drawn.

I think this line of research is interesting though, even if I don't foresee
ever using it.

------
nvictor
Aren't the specs a little too much for an OS focusing on security?

Minimum:

4GB of RAM

64-bit Intel or AMD processor (x86_64 aka x64 aka AMD64)

Intel GPU strongly preferred (if you have Nvidia GPU, prepare for some
troubleshooting; we haven't tested ATI hardware)

10GB of disk (Note that it is possible to install Qubes on an external USB
disk, so that you can try it without sacrificing your current system. Mind,
however, that USB disks are usually SLOW!)

~~~
eropple
I agree - it sounds like a performance nightmare across the board, even with
those aggressive specs.

Wonder how it handles OpenGL applications and games.

~~~
X-Istence
It is definitely not meant to be used for gaming. The whole idea is to put
everything in a Xen virtualised environment so that you can run untrusted
applications or applications with untrusted input in different security
levels.

~~~
eropple
Yes, I realize that. The practical concern is that people like to play video
games, and if your high-security desktop OS doesn't let them, it will be
discarded.

~~~
freyrs3
Qubes is not a desktop OS for the masses, it's a niche operating system for
professionals who need a high security environment. I would doubt it would be
discarded based on lack of game compatibility since anyone who has that level
of security knowledge is certainly going to be able to dual boot into whatever
more game-friendly OS they need.

~~~
eropple
That's the thing, though: I am skeptical that your "professional who needs a
high security environment" is going to be satisfied by this. It's turtles all
the way down--while I know Joanna herself was one of the folks behind the
Bluepill attack, why trust Qubes to not be vulnerable to its own version of
the attack? (This is obviously an oversimplification and executing such a task
is nontrivial--but breaking out of a VM was thought to be a lot harder than
Bluepill made it, too.)

The closest thing to an answer to that, as far as I can tell, is multiple
computers. Assuming Qubes works as advertised, however, it seems as if it
doesn't really scratch the bigger itch--the technology seems cool (I haven't
dug deeply into it), but does it address the social/usability problem of
security, even for these professionals who need that high security
environment?

From reading about this, it seems as if you could have stopped at "it's a
niche operating system," because to my mind it seems like professionals who
need a high security environment will just have multiple computers. If a
segmented system like Qubes is not going to run the stuff that your
hypothetical professional will want to run (games just being an example, and
one that seems to have been misleading), then why would it be preferable to
just rolling multiple computers? (Cost, which is the only advantage I can
think of, doesn't strike me as a significant factor to folks who are actually
doing things that necessitate this sort of security.)

~~~
rdl
There has been a lot of work out there on how to use a "separation kernel"
(basically, a hypervisor with proven/provable levels of isolation between
guests), plus stuff like Intel's VT-d, VT-x, etc., to provide real isolation
between guests. (also, really useful for RTOS and embedded systems)

If you've ever worked in a high security computing environment, you've had N
workstations on your desk, where N is often approaching 5 -- NIPR, SIPR,
JWICS, various task-specific machines, etc. These environments aren't just
nice air conditioned purpose-built offices in the US; they're tents in
Afghanistan, on aircraft and cramped warships, etc.

Sometimes people use KVM switches, but even then, you need separate hosts, and
it's usually best to use multiple monitors and keyboards anyway.

Invisible Things has been testing the limits of current hypervisors, and
there's room for them to both work on what is possible once a real separation
kernel exists (now) in prototype form, and to continue to refine hypervisors
and develop a real separation kernel.

I'm still kind of amazed that these 2-4 people in Poland are probably the
world's foremost experts on hypervisor security.

~~~
sbierwagen
N=6, here.

[https://secure.wikimedia.org/wikipedia/en/wiki/File:Intel_Gr...](https://secure.wikimedia.org/wikipedia/en/wiki/File:Intel_GreenDoor.jpg)

------
evangineer
Related HN post: <http://news.ycombinator.com/item?id=2320207>

