CQ writes:
Qubes-OS, the Security-by-Isolation, VM-based operating system, has concluded that a port to the Windows OS line isn't feasible. In this post, the CEO of Invisible Things Labs outlines what she had hoped to accomplish with the port and her explanation of why it was just not meant to be.
This paper [pdf] contains all the technical bits you need to know, and the explanation on why the Windows APIs and system architecture are not appropriate for the task of creating an isolation system. It also has some interesting (if that's your thing) information on the Windows security model.
Does anyone here have any experience with Qubes? Does it make sandboxing easy enough for day to day use?
(Score: -1, Offtopic) by Anonymous Coward on Saturday February 22 2014, @09:21PM
Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.
And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.
(Score: -1, Troll) by Anonymous Coward on Saturday February 22 2014, @09:43PM
YES! We have arrived!
(Score: 5, Insightful) by Lagg on Saturday February 22 2014, @09:32PM
and that's just the very tip of the iceberg. I'm not even touching upon the lower, more fundamental design and implementation problems in Windows that the paper talks about. All the above can probably be worked around, but an intentional bug that makes it trivial for a program to bypass your hooks and touch kernel mode? Well, to be quite frank, you're up shit creek, and good luck reaching in to pull out a stick to paddle with.
http://lagg.me [lagg.me] 🗿
(Score: 5, Interesting) by jonh on Saturday February 22 2014, @10:12PM
Reading between the lines of the PDF, it seems to be saying that they think they could have come up with a working solution if they'd bypassed the Kernel Patch Protection (and presumably gone on to patch the Windows kernel), but they didn't want to go down this route because they were worried that Microsoft might sue them. Is that a fair interpretation, or am I reading too much into it?
(Score: 5, Informative) by maxwell demon on Saturday February 22 2014, @10:45PM
That was one of the stated problems. The other one was security considerations. They didn't elaborate on that, but I think it's obvious: If your security relies on undocumented functionality which you are not supposed to use, then you cannot know if the next update of Windows will make some modifications in that functionality which happens to put a gaping security hole into your application (this doesn't even need to be intentional; the developers are allowed to assume nobody else uses that undocumented functionality, so they can change it in any way that fits, as long as the documented functionality doesn't break).
You don't want to base your security on something which may change at any time in any conceivable way.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by doug on Sunday February 23 2014, @04:19AM
Basing your security on something that may change is perhaps viable if your business model is to be acquired by the OS vendor... as opposed to serving end customers.
(Score: 5, Informative) by FuckBeta on Sunday February 23 2014, @12:04AM
"Does anyone here have any experience with Qubes? Does it make sandboxing easy enough for day to day use?"
Yes. A few things to be aware of.
Hardware: the main requirements are a modern CPU with virtualization extensions and enough RAM. A fast SSD is recommended but not essential. I run a (2008 model) Intel Q6600 with 4GB RAM, which is sufficient for normal desktop use (as would be any more modern i5 or better). Intel integrated graphics are preferred due to the high quality open source drivers; however, it will work with most modern NVIDIA cards using the open source nouveau driver. Installing unsigned binary blobs in the privileged domain (dom0) is a major risk and against the ethos of the security by isolation approach. For laptops, check the Qubes HCL.
Software: Qubes is based on Fedora and comes with KDE. There is a user friendly GUI to control the virtual machines, and the distinction between network VMs (e.g. firewall VM, Tor network VM), template VMs (root filesystems which are accessed by appVMs using copy-on-write), and appVMs (where users run software) is clear.
Security domains: rather than running each application in its own VM, which is not resource efficient, we instead partition into security domains. These are colour coded, and the window manager colours the application windows appropriately. Red could be for untrusted web browsing, yellow for personal email, green for internet banking only, and blue for software development. Each domain has its own firewall rules and isolated storage, and can run with different software "templates".
Other operating systems: Qubes uses Xen, and version 2 (currently in Beta) has support for Windows-based appVMs. If you have a Windows program you need to run, you can install it under a Windows virtual machine and isolate the unauditable and untrusted proprietary code from the rest of your network and data. I have tested a Windows 7 install from DVD with the above hardware; it works smoothly.
3D acceleration: the appVMs use a software framebuffer, so there is no direct rendering or acceleration. However, 1080p video will play smoothly on a Q6600 @ 2.6GHz, a six year old chip.
Beta: I know it's not a popular term in these parts, but the ITL team do an excellent job. For any issues, there is good documentation, a wiki, or pop over to the mailing list. The developers are very quick to respond and patch issues submitted by beta testers. (Suggestion: use e.g. Clonezilla to keep full images of your system for simple backup and restore. This is a Beta product, and there will be some glitches upgrading; it is probably best installed on a spare HDD for non power users.)
In light of the Snowden revelations (which confirm in more detail what many in the community already suspected), Qubes is a critical product. For example, one of the FoxAcid exploits to bypass proxy obedience in a version of Firefox used by Tor Browser Bundle would have failed against a Qubes install where obedience was imposed at the NetVM level.
It's defense in depth, security by isolation, based on a stable and trusted RPM based distro, put out by a team with excellent infosec pedigree. Cannot recommend highly enough, and I use it as my main desktop.
If there is enough interest from the community, I'll ask the Qubes team if they'd like to do an "Ask Soylent".
Quit Slashdot...because Fuck Beta!
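The post above describes two ideas that are worth seeing in code: per-domain firewall rules, and proxy "obedience" enforced at the NetVM rather than inside the browser. The following is an added illustration written for this page; it is not Qubes code, and the rule syntax, VM names, addresses (10.137.1.5 for the Tor VM, TEST-NET ranges for the outside world) and port numbers are assumptions chosen for the example. It models a first-match, default-drop policy evaluated where the AppVM's traffic leaves, and compares it with a proxy preference that only holds as long as the application honours it.

```python
"""Egress policy evaluated at the NetVM level versus a proxy setting inside the app.

Added example for this page, not Qubes' own firewall code. All addresses, ports,
VM and domain names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the NetVM sees it."""
    src_vm: str   # originating AppVM (hypothetical name)
    dst: str      # destination IPv4 address
    dport: int
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """A first-match rule; a None field is a wildcard."""
    action: str                    # "accept" or "drop"
    dst_net: Optional[str] = None  # CIDR, e.g. "10.137.1.5/32"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst_net is not None and ip_address(flow.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched gets the default (drop)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Assumed internal address and SOCKS port of the Tor network VM.
TOR_VM_ADDR = "10.137.1.5"
TOR_SOCKS_PORT = 9050

# One policy per colour-coded domain; each domain sees a different network.
POLICIES: Dict[str, List[Rule]] = {
    # red: untrusted browsing, reachable network is exactly the Tor SOCKS endpoint
    "red": [Rule("accept", dst_net=f"{TOR_VM_ADDR}/32", dport=TOR_SOCKS_PORT, proto="tcp")],
    # green: banking only, assumed bank range (TEST-NET-2) over HTTPS
    "green": [Rule("accept", dst_net="198.51.100.0/24", dport=443, proto="tcp")],
    # yellow: personal mail, IMAPS and submission to any host
    "yellow": [Rule("accept", dport=993, proto="tcp"), Rule("accept", dport=587, proto="tcp")],
}


def app_level_proxy(attempt: Flow, honours_proxy: bool) -> Flow:
    """Enforcement inside the AppVM: a proxy preference the application may ignore.
    A browser whose proxy handling has been bypassed simply connects directly."""
    if honours_proxy:
        return Flow(attempt.src_vm, TOR_VM_ADDR, TOR_SOCKS_PORT, "tcp")
    return attempt


def leaks_with_app_enforcement_only(attempt: Flow, honours_proxy: bool) -> bool:
    """No NetVM policy: whatever leaves the AppVM reaches the real network."""
    out = app_level_proxy(attempt, honours_proxy)
    return out.dst != TOR_VM_ADDR


def leaks_with_netvm_enforcement(attempt: Flow, honours_proxy: bool, domain: str = "red") -> bool:
    """NetVM policy applies to the flow regardless of what the browser did."""
    out = app_level_proxy(attempt, honours_proxy)
    return evaluate(POLICIES[domain], out) == "accept" and out.dst != TOR_VM_ADDR


if __name__ == "__main__":
    # Constructed attempts: a direct HTTP fetch that ignores the proxy, and a DNS query.
    bypass = Flow("red-browser", "203.0.113.5", 80, "tcp")
    dns_leak = Flow("red-browser", "203.0.113.53", 53, "udp")
    for honours in (True, False):
        print(f"honours proxy={honours}: app-only leak={leaks_with_app_enforcement_only(bypass, honours)}, "
              f"netvm leak={leaks_with_netvm_enforcement(bypass, honours)}")
    print("DNS from red domain:", evaluate(POLICIES["red"], dns_leak))
```

The point of the comparison is where the policy lives: an exploit that makes the browser ignore its proxy settings changes the flow the AppVM emits, but the NetVM policy never consulted the browser in the first place, so the direct connection and the DNS query are both dropped. Real deployments also need the NetVM itself to be treated as part of the trust boundary, which is why the post warns against loading unsigned drivers into dom0.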
(Score: 1) by mrclisdue on Sunday February 23 2014, @02:28AM
Very informative post. Thank you.
cheers,
(Score: 0) by Anonymous Coward on Sunday February 23 2014, @02:45AM
I don't know about others, but I would like that if it happened. I've been following the project on-and-off for a while because I find its security design, as well as virtualisation in general, an interesting topic.
(Posted AC because I modded you up and don't want to obliterate it.)
(Score: 1) by Khyber on Sunday February 23 2014, @03:30AM
Qubes has a tiny learning curve, as well, for anyone familiar with operating even simple VMs.
Seconding the recommendation.
Destroying Semiconductors With Style Since 2008, and scaring you ill-educated fools since 2013.
(Score: 2) by dilbert on Sunday February 23 2014, @05:11PM
(Score: 2) by SMI on Friday February 28 2014, @05:08AM
Most informative post, ever. Thank you!
(Score: 1) by FuckBeta on Tuesday March 04 2014, @04:59PM
Glad you liked it.
Qubes R2B3 is pretty stable, hopefully you can try it out.
Any questions, hit us up on the mailing list.
Quit Slashdot...because Fuck Beta!
(Score: 2, Informative) by pixeldyne on Sunday February 23 2014, @03:29AM
I can't say I'm a big fan of Windows, but I'm often involved in virtualisation work. As far as I know, the only product resembling chroot/jails is Parallels Virtuozzo, which is based on an open source "containers" software (it's likely I'm wrong, it's been a while). Virtuozzo was great: it would allow me to run e.g. 10-20 Windows 2003 "VMs" on a server with 4GB RAM.
There's a similar product (forgot the name) available for free, but it only works with XP.
I'd be delighted if more people developed similar "container"-like virtualisation for Windows.
(Score: 2, Interesting) by lgw on Sunday February 23 2014, @06:31AM
I think this is just the wrong approach. Just run each process in its own VM on a thin hypervisor; don't trust a kernel for anything. Whatever isolation you write, attackers will eventually find flaws in. The big name hypervisors no doubt still have flaws, but are far past any remotely easy VM escapes.
The big problem with Windows as a guest OS is it's quite heavyweight. Something as light or lighter than XP would be great, though. And it's not like the OS needs to be secure at all when you're basically running one process per VM.
(Score: 2, Insightful) by weilawei on Sunday February 23 2014, @10:04AM
So, we're back to exokernels [osdev.org], which place the userland and kernel on an equal footing. Although, if your suggestion involves a hypervisor, that's actually closer to a microkernel [osdev.org]. At some point, you have to trust SOMETHING, be it the hypervisor, the microcode for the hardware, the actual hardware itself. Saying "don't trust the kernel" isn't an appropriate response, when you suggest replacing the kernel with another piece of software that looks suspiciously like an exo/microkernel.
Unless you're equipped like Chipworks [chipworks.com], you're STILL going to need to make assumptions about the security of many components.
(Score: 5, Informative) by TheRaven on Sunday February 23 2014, @11:46AM
sudo mod me up
(Score: -1, Flamebait) by Anonymous Coward on Sunday February 23 2014, @06:51AM
yeah yeah .. and let's put wings on an oil tanker and teach it to cook breakfast.
Qubes on winblows is impossible : )