posted by Cactus on Saturday February 22 2014, @09:15PM
from the get-outta-my-sandbox dept.

CQ writes:

Qubes-OS, the Security-by-Isolation, VM-based operating system, has concluded that a port to the Windows OS line isn't feasible. In this post, the CEO of Invisible Things Labs outlines what she had hoped to accomplish with the port and her explanation of why it was just not meant to be.

This paper [pdf] contains all the technical bits you need to know, and the explanation on why the Windows APIs and system architecture are not appropriate for the task of creating an isolation system. It also has some interesting (if that's your thing) information on the Windows security model.

Does anyone here have any experience with Qubes? Does it make sandboxing easy enough for day to day use?

  • (Score: -1, Offtopic) by Anonymous Coward on Saturday February 22 2014, @09:21PM

    by Anonymous Coward on Saturday February 22 2014, @09:21PM (#4957)

    Thank you for being a friend
    Traveled down the road and back again
    Your heart is true, you're a pal and a cosmonaut.

    And if you threw a party
    Invited everyone you knew
    You would see the biggest gift would be from me
    And the card attached would say, thank you for being a friend.

    • (Score: -1, Troll) by Anonymous Coward on Saturday February 22 2014, @09:43PM

      by Anonymous Coward on Saturday February 22 2014, @09:43PM (#4962)

      YES! We have arrived!

  • (Score: 5, Insightful) by Lagg on Saturday February 22 2014, @09:32PM

    by Lagg (105) on Saturday February 22 2014, @09:32PM (#4959) Homepage Journal
    I don't have much experience with Qubes myself but I do have plenty of experience with this story. It happens often but because it usually amounts to vaporware it doesn't get much coverage. These days we take for granted the wrappers and abstraction over the Windows API, hell even Microsoft takes it for granted. But when it comes to things that by nature can't really take advantage of that abstraction it makes writing portable code a gigantic undertaking. It's unfortunate but it's often better to choose to not try to port than do massive rewrites for the sake of a lib that was designed horribly from the very beginning. And that isn't even getting into the things like the plethora of opaque types that Microsoft likes to use. When you're writing a VM or other such things it gets infuriating to only have a vague guarantee that you're passing or dereferencing an address that holds a block of arbitrary bytes.

    And that's just the very tip of the iceberg. I'm not even touching upon the lower, more fundamental design and implementation problems in Windows that the paper talks about. All the above can probably be worked around, but an intentional bug that makes it trivial for a program to bypass your hooks and touch kernel mode? Well, to be quite frank. You're up shit creek and good luck reaching in to pull out a stick to paddle with.
    --
    http://lagg.me [lagg.me] 🗿
  • (Score: 5, Interesting) by jonh on Saturday February 22 2014, @10:12PM

    by jonh (733) on Saturday February 22 2014, @10:12PM (#4974) Homepage

    Reading between the lines of the PDF, it seems to be saying that they think they could have come up with a working solution if they'd bypassed the Kernel Patch Protection (and presumably gone on to patch the Windows kernel), but they didn't want to go down this route because they were worried that Microsoft might sue them. Is that a fair interpretation, or am I reading too much into it?

    • (Score: 5, Informative) by maxwell demon on Saturday February 22 2014, @10:45PM

      by maxwell demon (1608) Subscriber Badge on Saturday February 22 2014, @10:45PM (#4990) Journal

      That was one of the stated problems. The other one was security considerations. They didn't elaborate on that, but I think it's obvious: If your security relies on undocumented functionality which you are not supposed to use, then you cannot know if the next update of Windows will make some modifications in that functionality which happens to put a gaping security hole into your application (this doesn't even need to be intentional; the developers are allowed to assume nobody else uses that undocumented functionality, so they can change it in any way that fits, as long as the documented functionality doesn't break).

      You don't want to base your security on something which may change at any time in any conceivable way.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1) by doug on Sunday February 23 2014, @04:19AM

        by doug (2830) on Sunday February 23 2014, @04:19AM (#5074)

        Basing your security on something that may change is perhaps viable if your business model is to be acquired by the OS vendor... as opposed to serving end customers.


  • (Score: 5, Informative) by FuckBeta on Sunday February 23 2014, @12:04AM

    by FuckBeta (1504) on Sunday February 23 2014, @12:04AM (#5012) Homepage

    "Does anyone here have any experience with Qubes? Does it make sandboxing easy enough for day to day use?"

    Yes. A few things to be aware of.

    Hardware: main requirements are a modern CPU with virtualization extensions and enough RAM. A fast SSD is recommended but not essential. I run a (2008 model) Intel Q6600 with 4GB RAM which is sufficient for normal desktop use (as would be any more modern i5 or better). Intel integrated graphics preferred due to the high quality open source drivers; however, it will work with most modern NVIDIA with the open source nouveau driver. Installing unsigned binary blobs in the privileged domain (DOM0) is a major risk and against the ethos of the security by isolation approach. For laptops, check the Qubes HCL.

    Software: Qubes is based on Fedora and comes with KDE. There is a user friendly GUI interface to control the virtual machines, and the distinction between network VMs (e.g. firewall VM, tor network VM), template VMs (root filesystems which are accessed by appVMs using Copy on Write), and appVMs (where users run software) is clear.

    Security domains: rather than running each application in its own VM, which is not resource efficient, instead we partition into security domains. These are colour coded, and the window manager colors the application windows appropriately. Red could be for untrusted web browsing, yellow for personal email, green for internet banking only, and blue for software development. Each domain has its own firewall rules, isolated storage, and can run with different software "templates".

    Other operating systems: Qubes uses Xen and version 2 (currently in Beta) has support for Windows based appVMs. If you have a Windows program you need to run, you can install it under a windows virtual machine, and isolate the unauditable and untrusted proprietary code from the rest of your network and data. Have tested with Windows 7 install from DVD with the above hardware, works smoothly.

    3D acceleration: the appVMs use a software framebuffer, so there is no direct rendering or acceleration. However, 1080p video will play smoothly on a Q6600 @ 2.6GHz, a six year old chip.

    Beta: I know it's not a popular term in these parts, but the ITL team do an excellent job. Any issues, there is good documentation, a wiki, or pop over to the mailing list. The developers are very quick to respond and patch issues submitted by beta testers. (suggestion: use e.g. Clonezilla to keep full images of your system for simple backup and restore - this is a Beta product, and there will be some glitches upgrading - probably best installed on a spare HDD for non power users)

    In light of the Snowden revelations (which confirm in more detail what many in the community already suspected), Qubes is a critical product. For example, one of the FoxAcid exploits to bypass proxy obedience in a version of Firefox used by Tor Browser Bundle would have failed against a Qubes install where obedience was imposed at the NetVM level.

    It's defense in depth, security by isolation, based on a stable and trusted RPM based distro, put out by a team with excellent infosec pedigree. Cannot recommend highly enough, and I use it as my main desktop.

    If there is enough interest from the community, I'll ask the Qubes team if they'd like to do an "Ask Soylent".

    --
    Quit Slashdot...because Fuck Beta!
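The post above makes two related points: each colour-coded domain gets its own firewall rules, and proxy obedience is imposed at the NetVM level, outside the VM whose browser might be compromised. The following toy evaluator is an added illustration of that design, not Qubes code and not from the poster: it models a NetVM applying a default-deny allow-list to packets from named AppVMs. The VM names, addresses and the proxy port are all constructed for the example.

```python
"""Toy model of a per-domain, default-deny network policy that lives in the
NetVM rather than inside the AppVM it constrains.

Added illustration, not Qubes code.  A compromised browser inside the red
"untrusted" domain can do what it likes to its own VM, but it cannot edit the
rule set that the NetVM applies to its packets, so a direct, proxy-bypassing
connection is dropped before it ever leaves the machine.  All VM names,
addresses and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One allow entry: destination network, protocol, destination port (0 = any)."""
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the NetVM on the AppVM's virtual interface."""
    src_vm: str
    dst_ip: str
    proto: str
    dst_port: int


class NetVMPolicy:
    """Allow-lists keyed by AppVM name; anything not explicitly allowed is dropped."""

    def __init__(self) -> None:
        self._rules: Dict[str, List[Rule]] = {}

    def allow(self, vm: str, dst: str, proto: str, port: int = 0) -> None:
        self._rules.setdefault(vm, []).append(Rule(dst, proto, port))

    def decide(self, pkt: Packet) -> str:
        for r in self._rules.get(pkt.src_vm, []):
            if (ip_address(pkt.dst_ip) in ip_network(r.dst)
                    and r.proto == pkt.proto
                    and r.port in (0, pkt.dst_port)):
                return "ACCEPT"
        return "DROP"  # default policy: no rule matched


def build_policy() -> NetVMPolicy:
    """Constructed rule set for three of the colour-coded domains."""
    p = NetVMPolicy()
    # red/untrusted: may only reach the transparent-proxy port on the
    # ProxyVM (constructed address and port); everything else is dropped
    p.allow("untrusted", "10.137.1.1/32", "tcp", 9040)
    # green/banking: HTTPS to one constructed bank address and nothing else
    p.allow("banking", "203.0.113.10/32", "tcp", 443)
    # blue/dev: any TCP port on a constructed lab subnet
    p.allow("dev", "192.0.2.0/24", "tcp")
    return p


def simulate(policy: NetVMPolicy) -> Dict[str, str]:
    """Run constructed traffic through the NetVM and return the verdicts."""
    traffic = {
        # browser in the untrusted domain behaving itself: goes via the proxy
        "untrusted_via_proxy": Packet("untrusted", "10.137.1.1", "tcp", 9040),
        # same browser after compromise: tries a direct connection to the
        # outside world, bypassing the proxy; the NetVM never lets it out
        "untrusted_direct_bypass": Packet("untrusted", "198.51.100.5", "tcp", 443),
        "banking_to_bank": Packet("banking", "203.0.113.10", "tcp", 443),
        # banking domain must not browse anywhere else, even over HTTPS
        "banking_to_other_site": Packet("banking", "198.51.100.5", "tcp", 443),
        "dev_to_lab_host": Packet("dev", "192.0.2.77", "tcp", 22),
        # a domain with no rules at all gets the default verdict
        "unknown_vm": Packet("personal", "203.0.113.10", "tcp", 443),
    }
    return {name: policy.decide(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in simulate(build_policy()).items():
        print(f"{name:24s} {verdict}")
```

The design point is where the rule table lives: `NetVMPolicy` is owned by the NetVM, so nothing the "untrusted" AppVM does to itself changes the verdict on its packets. In Qubes the real rules are set from dom0 and enforced in the NetVM/ProxyVM; this evaluator only models the decision, not the packet filter that implements it.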
    • (Score: 1) by mrclisdue on Sunday February 23 2014, @02:28AM

      by mrclisdue (680) on Sunday February 23 2014, @02:28AM (#5045)

      Very informative post. Thank you.

      cheers,

    • (Score: 0) by Anonymous Coward on Sunday February 23 2014, @02:45AM

      by Anonymous Coward on Sunday February 23 2014, @02:45AM (#5048)

      If there is enough interest from the community, I'll ask the Qubes team if they'd like to do an "Ask Soylent".

      I don't know about others, but I would like that if it happened. I've been following the project on-and-off for a while because I find its security design, as well as virtualisation in general, an interesting topic.

      (Posted AC because I modded you up and don't want to obliterate it.)

    • (Score: 1) by Khyber on Sunday February 23 2014, @03:30AM

      by Khyber (54) on Sunday February 23 2014, @03:30AM (#5060) Journal

      Qubes has a tiny learning curve, as well, for anyone familiar with operating even simple VMs.

      Seconding the recommendation.

      --
      Destroying Semiconductors With Style Since 2008, and scaring you ill-educated fools since 2013.
    • (Score: 2) by dilbert on Sunday February 23 2014, @05:11PM

      by dilbert (444) on Sunday February 23 2014, @05:11PM (#5226)
      I too appreciate your reply. I was very interested in Qubes some time ago, but it didn't seem quite mature enough last time I looked. I've been using multiple VMs in VirtualBox to accomplish the same thing (I even borrowed their idea of colors per VM to make it easy to know which domain/VM I'm in). Snapshots mean companies cannot track me across browsing sessions.
    • (Score: 2) by SMI on Friday February 28 2014, @05:08AM

      by SMI (333) on Friday February 28 2014, @05:08AM (#8285)

      Most informative post, ever. Thank you!

      • (Score: 1) by FuckBeta on Tuesday March 04 2014, @04:59PM

        by FuckBeta (1504) on Tuesday March 04 2014, @04:59PM (#10748) Homepage

        Glad you liked it.
        Qubes R2B3 is pretty stable, hopefully you can try it out.
        Any questions, hit us up on the mailing list.

        --
        Quit Slashdot...because Fuck Beta!
  • (Score: 2, Informative) by pixeldyne on Sunday February 23 2014, @03:29AM

    by pixeldyne (2637) on Sunday February 23 2014, @03:29AM (#5059)

    I can't say I'm a big fan of Windows but I'm often involved in virtualisation work. As far as I know the only product resembling chroot/jails is the Parallels Virtuozzo, which is based on an open source "containers" software (it's likely I'm wrong, it's been a while). Virtuozzo was great: it would allow me to run e.g. 10-20 Windows 2003 "VMs" on a server with 4GB RAM.

    There's a similar product (forgot the name) available for free, but it only works with XP.

    I'd be delighted if more people developed similar "container"-like virtualisation for Windows.

    • (Score: 2, Interesting) by lgw on Sunday February 23 2014, @06:31AM

      by lgw (2836) on Sunday February 23 2014, @06:31AM (#5096)

      I think this is just the wrong approach. Just run each process in its own VM on a thin hypervisor - don't trust a kernel for anything. Whatever isolation you write, attackers will eventually find flaws in. The big name hypervisors no doubt still have flaws, but are far past any remotely easy VM escapes.

      The big problem with Windows as a guest OS is it's quite heavyweight. Something as light or lighter than XP would be great, though. And it's not like the OS needs to be secure at all when you're basically running one process per VM.

      • (Score: 2, Insightful) by weilawei on Sunday February 23 2014, @10:04AM

        by weilawei (109) on Sunday February 23 2014, @10:04AM (#5139)

        So, we're back to exokernels [osdev.org], which place the userland and kernel on an equal footing. Although, if your suggestion involves a hypervisor, that's actually closer to a microkernel [osdev.org]. At some point, you have to trust SOMETHING, be it the hypervisor, the microcode for the hardware, the actual hardware itself. Saying "don't trust the kernel" isn't an appropriate response, when you suggest replacing the kernel with another piece of software that looks suspiciously like an exo/microkernel.

        Unless you're equipped like Chipworks [chipworks.com], you're STILL going to need to make assumptions about the security of many components.

    • (Score: 5, Informative) by TheRaven on Sunday February 23 2014, @11:46AM

      by TheRaven (270) on Sunday February 23 2014, @11:46AM (#5152) Journal
      The closest thing to Qubes for Windows (which also predates it, is more mature, and is also available for OS X) is the Bromium Microvisor. Bromium was founded by the same people as XenSource and uses the same underlying technology. It lets you run individual IE and MS Office processes in a separate throw-away VM that can write files to some shared space, but has no other state that persists beyond the program's lifetime or can (barring hypervisor bugs) touch the rest of the OS.
      --
      sudo mod me up
  • (Score: -1, Flamebait) by Anonymous Coward on Sunday February 23 2014, @06:51AM

    by Anonymous Coward on Sunday February 23 2014, @06:51AM (#5102)

    yeah yeah .. and let's put wings on an oil tanker and teach it to cook breakfast.
    Qubes on winblows is impossible : )