
The Operating System That Can Protect You Even if You Get Hacked - ryutin
https://micahflee.com/2014/04/the-operating-system-that-can-protect-you-even-if-you-get-hacked/
======
muyuu
"You are absolutely deluded, if not stupid, if you think that a worldwide
collection of software engineers who can't write operating systems or
applications without security holes, can then turn around and suddenly write
virtualization layers without security holes."

Theo de Raadt, 2007

~~~
hershel
The idea behind qubes is to use the security properties of virtualization
layers to enable a secure, easy-to-use system. Given that virtualization
layers are relatively small, code-wise, that's a good place to start.

Given that Amazon uses Xen in the EC2 platform (as many others do), we're not
only talking about a "worldwide collection of software engineers" but also
about some serious commercial interests in its security.

And Xen might not be the end point of that approach. There has been some
research on formally verified hypervisors. While it's not 100% foolproof since
you still have to depend on hardware security, which is an unknown (does Intel
cooperate with the NSA?), that could give great assurances for system security.

~~~
throwaway2048
Xen is over 100k lines of code, not counting the kind of interfaces software
exposes using its APIs, and stuff like drivers.

It's not small.

~~~
hershel
You don't need to review all that code. From the qubes architecture document:

"it is possible to move all the drivers and driver backends out of Dom0. The
same is true for moving the IO Device Emulator (ioemu) out of Dom0."

------
euank
Of course, the entire premise of this operating system is that VMs are secure,
even though there have been exploits targeting them in the past [0].

Disabling virtualization capabilities in the bios is a semi-common
recommendation for securing a computer... Still, this OS is a darn sight
better than nothing and it'll certainly protect against most things. However,
touting it as perfect is misleading.

[0]: https://en.wikipedia.org/wiki/Blue_Pill_%28software%29

~~~
dobbsbob
If they can break out of Chrome sandboxes, they can target Qubes.

~~~
euank
I don't see how that follows or relates; Chrome's sandboxes are definitely not
VMs... VMs are in general better understood and far better isolated.

Can you expound on that comment?

~~~
zurn
How is the isolation in Xen better than Chrome sandboxes - do you mean the
attack surface is smaller, the code quality better, or the task somehow
inherently simpler/easier?

From where I sit, vulnerabilities in virtualization have seen less public
scrutiny than the Chrome sandbox. E.g. none of the hypervisor vendors have a
bug bounty program, which would be at least some kind of signal.

~~~
throwaway7767
The attack surface of a paravirtualized Xen VM to its hypervisor is much
smaller than a Linux application talking to the Linux kernel.

Of course it's not perfect, but Xen has a pretty good track record. And a
significant chunk of the flaws that have been found in Xen were found by the
Qubes devs.

~~~
zurn
The Chrome sandbox setup doesn't correspond to a regular Linux application
talking to the kernel though. It has a 2-layer sandbox, with the seccomp-bpf
and setuid sandboxes. They restrict the kernel interface to a whitelisted
subset.
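As an added illustration of the "whitelisted subset" idea in the comment above (example code written for this page, not Chromium's or Xen's own): a seccomp-bpf allow-list is built as a BPF program, evaluated offline by a tiny interpreter so its decisions can be checked before it is installed, and only then applied with prctl. The allowed syscall set, the `policy_allows` and `build_allowlist` names and the Linux-only build are assumptions of this example.

```c
/* Added example, not code from the thread or from Chromium: a seccomp-bpf
 * allow-list of the kind the comment above describes (kernel interface cut
 * down to a whitelisted subset). The filter is evaluated offline with a tiny
 * interpreter so its decisions can be checked before it is installed.
 * Linux-only; the allowed syscall set is an illustrative assumption. */
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* name missing from old headers */
#endif
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_INSNS 64

struct filter { struct sock_filter insns[MAX_INSNS]; unsigned short len; };

static void emit(struct filter *f, struct sock_filter insn) {
    if (f->len < MAX_INSNS) f->insns[f->len++] = insn;
}

/* Kill on a foreign arch (compat syscall numbers must not bypass the list),
 * allow each listed number, kill everything else. */
void build_allowlist(struct filter *f, const int *allowed, size_t n) {
    f->len = 0;
    emit(f, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    emit(f, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0));
    emit(f, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    emit(f, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < n; i++) {
        emit(f, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[i], 0, 1));
        emit(f, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    emit(f, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
}

/* Offline evaluation of one (arch, nr) pair. Only the three instruction forms
 * emitted above are understood; anything else fails closed. jt/jf are
 * offsets from the following instruction, as in BPF. */
uint32_t evaluate(const struct filter *f, uint32_t arch, uint32_t nr) {
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < f->len; pc++) {
        const struct sock_filter *in = &f->insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Illustrative policy (an assumption): a process that may only read, write and exit. */
static const int demo_allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
#define DEMO_COUNT (sizeof demo_allowed / sizeof demo_allowed[0])

/* 1 if the demo policy would let syscall 'nr' through when made under 'arch'. */
int policy_allows(uint32_t arch, int nr) {
    struct filter f;
    build_allowlist(&f, demo_allowed, DEMO_COUNT);
    return evaluate(&f, arch, (uint32_t)nr) == SECCOMP_RET_ALLOW;
}

/* Number of BPF instructions the demo policy compiles to. */
int policy_length(void) {
    struct filter f;
    build_allowlist(&f, demo_allowed, DEMO_COUNT);
    return f.len;
}

/* Install for real: no_new_privs first, then the filter (irreversible). */
int install(const struct filter *f) {
    struct sock_fprog prog = { .len = f->len, .filter = (struct sock_filter *)f->insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    struct filter f;
    build_allowlist(&f, demo_allowed, DEMO_COUNT);
    if (install(&f) != 0) return 1;
    /* From here on only the four listed syscalls are permitted; any other
     * syscall terminates the process instead of reaching the kernel. */
    write(STDOUT_FILENO, "sandboxed\n", 10);
    _exit(0);
}
```

The arch check at the top is the part people most often leave out: without it a process could issue the same syscall number through the 32-bit compat entry point, where the numbers mean something else, so a filter keyed on `nr` alone is not the allow-list it looks like. Checking the program offline is cheap insurance, because once installed the filter cannot be removed from the process.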

------
comex
> If a Pidgin-zero-day-wielding attacker sends you a weird-looking message
> that takes over your computer, all it will actually take over is your Pidgin
> AppVM. The worst that the attacker can do is steal your OTR keys and spy on
> your chat conversations

Yes, the _only_ thing the attacker can do is compromise all of your chat
conversations and impersonate you on an ongoing basis. Maybe you keep a
separate browser VM for sensitive work: good, but only secure as long as you
never ever accidentally visit a site you don't completely trust, such as any
HTTP site.

Don't get me wrong, I think Qubes is really cool, but our ultimate goal,
collectively, should be an OS where the entire stack, except possibly a few
lowest level components (but not including things like filesystems and network
drivers), is written in a higher level language than C/C++ and guaranteed free
of memory corruption vulnerabilities in the first place. While non-memory
corruption vulnerabilities exist, they're generally drastically easier to
reason about and prevent, while C vulnerabilities can be anywhere, with
exploit mitigations that make most attacks only harder, not impossible.

In the meantime, I guess you could always browse using Chromium with ASan
enabled :)

~~~
Guvante
Every time I hear about moving the entire stack to high level languages I have
two thoughts:

* I love high level languages, but is there even a toy OS that provides a decent amount of functionality with tolerable performance without cheating?

* There is no silver bullet to anything, let alone security. Automatic bounds checks only solve that one problem.

For instance, most would consider this an order of some of the vulnerabilities
that potentially exist in increasing severity. And note that the first one is
what Heartbleed is qualified as.

* Buffer overrun on read
* Buffer overrun on write
* Arbitrary code execution
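An added example, not from the thread, of the first class in the list above (buffer overrun on read) in the shape Heartbleed took: a length-prefixed echo handler that trusts the peer's length, beside the form that checks it against the bytes actually received. The record layout, the function names and the two sample records are constructed for this illustration and are not OpenSSL's code.

```c
/* Added example, not from the thread: the "buffer overrun on read" class in
 * the shape Heartbleed took. A length-prefixed heartbeat-style record
 * [type:1][payload_len:2][payload...] arrives in a buffer holding record_len
 * bytes, and the reply echoes payload_len bytes back. The record layout,
 * function names and sample records are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 65536

/* Claimed payload length from the 2-byte big-endian header field. */
static uint16_t claimed_len(const uint8_t *record) {
    return (uint16_t)((record[1] << 8) | record[2]);
}

/* Vulnerable shape: trusts the peer-supplied length and never compares it
 * with the bytes actually received. The write side is bounded (reply_cap),
 * so this is purely a read over-run: memcpy reads past the end of 'record'
 * and the reply carries whatever happened to follow it in memory. That is
 * undefined behaviour, so this function is only ever called on a
 * well-formed record here. */
size_t reply_unchecked(const uint8_t *record, size_t record_len,
                       uint8_t *reply, size_t reply_cap) {
    (void)record_len;                         /* the check that is missing */
    uint16_t payload_len = claimed_len(record);
    if (payload_len > reply_cap) return 0;
    memcpy(reply, record + 3, payload_len);
    return payload_len;
}

/* Fixed shape: the claimed length must fit inside what was received
 * (header + payload <= record_len); otherwise the record is dropped without a
 * reply, in the spirit of the OpenSSL fix. Returns bytes placed in 'reply'. */
size_t reply_checked(const uint8_t *record, size_t record_len,
                     uint8_t *reply, size_t reply_cap) {
    if (record_len < 3) return 0;                       /* no complete header */
    uint16_t payload_len = claimed_len(record);
    if ((size_t)3 + payload_len > record_len) return 0; /* claims more than we hold */
    if (payload_len > reply_cap) return 0;
    memcpy(reply, record + 3, payload_len);
    return payload_len;
}

/* How far past the end of the received record the unchecked version would
 * read for this record (0 for an honest one). */
size_t overread_bytes(const uint8_t *record, size_t record_len) {
    size_t wanted = (size_t)3 + claimed_len(record);
    return wanted > record_len ? wanted - record_len : 0;
}

/* Constructed samples: 8 bytes on the wire each. The first claims a 65535-byte
 * payload, the second claims exactly the 5 bytes it carries. */
const uint8_t evil_record[8]   = { 1, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
const uint8_t honest_record[8] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

static uint8_t reply_buf[REPLY_MAX];

/* Bytes echoed by the checked path for a record (0 = dropped). */
size_t checked_reply_len(const uint8_t *record, size_t record_len) {
    return reply_checked(record, record_len, reply_buf, sizeof reply_buf);
}

/* Bytes echoed by the unchecked path for the honest record, confirming the
 * copy itself is right when the length is. */
size_t unchecked_honest_reply_len(void) {
    size_t n = reply_unchecked(honest_record, sizeof honest_record, reply_buf, sizeof reply_buf);
    return (n == 5 && memcmp(reply_buf, "hello", 5) == 0) ? n : 0;
}

int main(void) {
    printf("evil record: checked path echoes %zu bytes, unchecked would over-read %zu bytes\n",
           checked_reply_len(evil_record, sizeof evil_record),
           overread_bytes(evil_record, sizeof evil_record));
    printf("honest record: checked path echoes %zu bytes\n",
           checked_reply_len(honest_record, sizeof honest_record));
    return 0;
}
```

The point the list makes is visible in the two functions: a bounds-checked language would have turned `reply_unchecked` into a crash (or an exception) rather than a silent leak, but it is the one-line comparison against `record_len`, the fact that was actually received, that fixes the logic, and nothing in the language supplies that for you.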

------
deftnerd
The 3 people who work on Qubes [0] are very good security researchers and I
have more faith in their work than most.

It should be noted that the OS's VM'ing is based on the Xen bare-metal VM
kernel which is pretty well researched, small, and elegant.

[0] http://invisiblethingslab.com/itl/About.html

------
MichaelGG
I've recently switched to using VMWare for everything, and disabling
networking on the host (use a pfSense VM for networking). It's quite handy,
but still feels a bit heavyweight. Of course, I'm sort of forced to run
Windows as the host to ensure best driver/battery support.

I really hope these approaches like Qubes take off and that things get
optimized for this type of workload. I'm not sure why Microsoft has ignored
lightweight virtualization, both on client and server.

~~~
ComputerGuru
That sounds great, but how many other virtual machines are you using, what is
your heuristic for deciding what task is run in which virtual machine, and how
strict are you about which sensitive data is used on multiple VMs?

(note: genuinely curious. I've gone down this route before myself before
realizing there was simply too much overlap between my "sensitive" and
"normal" work. I still employ similar configurations but for protection
against data corruption, ease of system administration, and R&D purposes
only.)

~~~
MichaelGG
Right now, just games/junk browsing, home (personal email, browsing,
projects), work (per customer). On Windows I use Sandboxie to further isolate
things like browsers.

It's not perfect, but at least when a client wants me to run some damn .exe to
join their oh-so-great screen-sharing platform, my home environment isn't
messed up. And I can run random games or utilities and quickly revert to a
snapshot.

The most sensitive keys stay in the host partition.

------
drill_sarge
As an attacker I care only about the data and don't give a shit if it is a
real machine or a virtual one. If I can sniff the passwords in your browser or
just have a keylogger in one of the VMs I am fine. Not sure if that solves a
thing.

edit: I remember there were similar concepts a decade or so ago, where you had
your "green" desktop for intranet or whatever and then a separate "red"
desktop which you could switch to and go to the evil internet. hint: no
benefit gained

------
jrochkind1
It seems likely that this indeed will give you increased security.

But it is dangerous to educate non-technical people that this VM-based OS
gives you absolute guarantees of security.

And please don't start redefining the term "air-gapped" such that it applies
to a VM that doesn't have network access. "air" "gapped" is a pretty absolute
concept, and does not mean a VM without network on a host that does.

------
rdl
I love Qubes; the people involved are awesome.

What I'd really like to work on is Compartment Mode Workstation with
physically distinct hardware.

Essentially, a "windowing KVM" frontend to a bunch of physically separated
processor/memory subsystems, connected via well-defined networking interfaces.
Essentially X Windows, but actually secure. This is sort of how desktop
virtualization (VDI) works today, but with a separate instance per
application.

~~~
jacquesm
Weird thought: that raspi module sells for $30 in quantity, you could easily
run _one_ process on that, and use the gpio pins to communicate with a host.
One user visible process, one subsystem.

It would be reasonably affordable.

Upper limits on the number of processes you could run would be dictated by how
many modules you plug in; you could make a backplane-like model where you
daisy-chain multiple backplanes for more processes.

------
ianopolous
I do everything these days in a VM, VirtualBox at the moment. A different VM
for different classes of task. With the shared clipboard and shared folder
options it is still pretty convenient. Of course, my laptop has 16 GB of RAM
which helps if I want to run multiple VMs at once with more than a few GB
each. It's nice to have a base VM for each OS I use and just branch off that
for new VMs.

------
cyphunk
If someone is wondering, Qubes (and all Linux based distros) are not MacBook
friendly [1]. But honestly, if security or privacy are a priority for you then
you are probably not using a MacBook anyway.

[1]: https://groups.google.com/forum/#!topic/qubes-devel/uLDYGdKk_Dk

~~~
72deluxe
Why would you not be using a MacBook if you want security or privacy?

If you are referring to Mac OS X and its integrations with App Stores and
social media systems, note that it is entirely optional (I don't use any of
the social media guff bundled into the OS).

Unless you are referring to something else and think that buying a piece of
_hardware_ somehow means you don't care about privacy, regardless of which
_software_ you are running on that piece of hardware?

I don't think the piece of hardware is relevant?

~~~
cyphunk
If security and privacy are of _absolute_ priority to you (journalist,
activist) then using an OS with closed source essentials is absolutely absurd.

If security and privacy are of _some_ importance to you then using an OS with
closed source essentials due to ease of use or development environment only
increases the number of years until a strong-privacy, easy-to-use OSS system
gets rolled out more widely. Your actions have broader impact than just your
priorities.

Finally, there is more than just the software. Getting closer to the metal you
have to contemplate bootloader trust and verifiability.

------
uuid_to_string
Love the comment by "z". :)

The people working on this are sharp, for sure.

But I will never think of VM's as a path to "security".

Xen is useful for a variety of purposes (including resiliency, which can help
if you are hacked), but I'll never rely on it for "security".

Curious what bootloader they are using for the Xen kernels.

~~~
kyboren
GRUB2, and optionally tboot for "anti evil-maid"
(http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html).

~~~
uuid_to_string
Can the user use their own choice of bootloader (besides those two)?

The bootloader I use can boot Xen kernels; no need for GRUB2. Is the Qubes boot
process described somewhere?

~~~
kyboren
I don't see why not in theory, but in practice GRUB2 is the only available
option out-of-the-box. I'm curious why you're so interested in this, though.
Care to explain your ostensible desire for an alternative bootloader?

~~~
uuid_to_string
I just like the one I have been using.

I understand it reasonably well and am hesitant to switch.

I have tried others and have not been impressed.

I am a connoisseur of bootloaders I guess.

It's an important program, maybe the most important one.

Based on my limited knowledge of other computer users, I believe we all have
what we consider a "trusted" program that does some task for us over and over
again. We come to rely on it and appreciate it (for our own idiosyncratic
reasons). We are hesitant to switch to something else.

For me, that program is my bootloader.

~~~
sept
Could you share the name of your trusted, Xen-aware bootloader? Is it
something other than syslinux or uboot (ARM)?

~~~
uuid_to_string
For x86, it is something other than those two.

------
callumjones
If this was to catch on, would the NSA (assuming they don't already) throw
more resources at building viruses that attack the CPU directly - intercepting
any of the instructions sent by the VMs?

~~~
callumjones
Those that gave this negative points, care to share why?

------
mbesto
Isn't Bromium also doing this with vSentry?

[http://www.bromium.com/products/vsentry.html](http://www.bromium.com/products/vsentry.html)

------
Scramblejams
I'm really hoping they do a server-oriented flavor of Qubes -- would be
tremendously useful.

~~~
xorbyte
Wouldn't that just be regular Xen?

~~~
Scramblejams
No, Qubes is a lot more than just that.

------
zobzu
I'm not sure I'd feel comfortable with the webcam streaming as people visit :P

~~~
varkson
It's just a very boring video, I watched it to make sure.

