Qubes OS

From The Hidden Wiki
Revision as of 13:12, 26 October 2016 by Dog123 (talk | contribs) (Created page with "'''Qubes OS''' is a security-focused desktop operating system that aims to provide security through isolation. Vi...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Virtualization is performed by Xen, and user environments can be based on Fedora, Debian, Whonix, and Microsoft Windows, among other operating systems.

On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution.

Security goals

Qubes implements a Security by Isolation approach. The assumption is that there can be no perfect, bug-free desktop environment. Such an environment counts millions of lines of code, billions of software/hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control over a machine.

In order to secure a desktop, a Qubes user should take care of isolating various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.

In Qubes, the isolation is provided in two dimensions: hardware controllers are isolated into functional domains (GUI, network and storage domains), whereas the user's digital life is decided in domains with different levels of trust. For instance: work domain (most trusted), shopping domain, random domain (less trusted). Each of those domains is run in a separate virtual machine.

Qubes is not a multiuser system.

System architecture overview

Xen hypervisor and administrative domain (Dom0)

The hypervisor provides isolation between different virtual machines. The administrative domain, also referred to as Dom0, has direct access to hardware. Dom0 hosts the GUI domain and controls the graphics device, as well as input devices, such as keyboard and mouse. The GUI domain runs the X server, which displays the user desktop, and the window manager, which allows the user to start and stop the applications and manipulate their windows.

Integration of the different virtual machines is provided by the Application Viewer, which provides an illusion for the user that applications execute natively on the desktop, while in fact they are hosted (and isolated) in different virtual machines. Qubes integrates all these virtual machines onto one common desktop environment.

Because Dom0 is security-sensitive, it is isolated from the network. It tends to have as little interface and communication with other domains as possible in order to minimize the possibility of an attack originating from an infected virtual machine.

Network domain

The network mechanism is the most exposed to security attacks. This is why it is isolated in a separate, unprivileged virtual machine, called the Network Domain.

An additional proxy virtual machine is used for advanced networking configuration.

Storage domain

Disk space is saved by virtue of various virtual machines (VM) sharing the same root file system in a read-only mode. Separate disk storage is only used for userʼs directory and per-VM settings. This allows software installation and updates to be centralized. Of course, some software can be installed only on a specific VM.

Encryption is used to protect the file systems, so that the storage domain cannot read confidential data owned by other domains.

Application Virtual Machines (AppVM)

AppVMs are the virtual machines used for hosting user applications, such as a web browser, an e-mail client or a text editor. For security purpose, these applications can be grouped in different domains, such as “personal”, “work”, “shopping”, “bank”, etc. The security domains are implemented as separate, Virtual Machines (VMs), thus being isolated from each other as if they were executing on different machines.

Some documents or application can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.

Each security domain is labelled by a color, and each window is marked by the color of the domain it belongs to. So it is always clearly visible to which domain a given window belongs.

External links