QubesOS

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Isolation is provided through the use of virtualization technology. This allows the segmentation of applications into secure virtual machines called qubes. Virtualization services in Qubes OS are provided by the Xen hypervisor.

The runtimes of individual qubes are generally based on a unique system of underlying operating system ''templates''. Templates provide a single, immutable root file system which can be shared by multiple qubes. This approach has two major benefits. First, updates to a given template are automatically "inherited" by all qubes based on it. Second, shared templates can dramatically reduce storage requirements compared to separate VMs with a full operating install per secure domain.

The base installation of Qubes OS provides a number of officially supported templates based on the Fedora and Debian Linux distributions. Alternative community-supported templates include Whonix, Ubuntu, Arch Linux, CentOS, or Gentoo. Users may also create their own templates.

Operating Systems like Qubes OS are referred to in academia as ''Converged Multi-Level Secure (MLS) Systems''. Other proposals of similar systems have surfaced and SecureView and VMware vSphere are commercial competitors.

Security goals

Qubes implements a ''Security by Isolation'' approach.
The assumption is that there can be no perfect, bug-free desktop environment: such an environment counts millions of lines of code and billions of software/ hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control of a machine.

To secure a desktop using Qubes OS, the user takes care to isolate various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.

In Qubes OS, the isolation is provided in two dimensions: hardware controllers can be isolated into ''functional domains'' (e.g. network domains, USB controller domains), whereas the user's digital life is divided into ''security domains'' with different levels of trust.

For instance: work domain (most trusted), shopping domain, random domain (less trusted). Each of these domains is run in a separate qube.

The qubes have passwordless root access (e.g. passwordless sudo) by default.Passwordless Root Access in VMs
/ref> UEFI Secure Boot is not supported out of the box, but this is not considered a major security issue.Qubes FAQ
/ref>
Qubes is not a multiuser system.

Installation and System Requirements

As a desktop-focused operating system, Qubes OS targets personal computer hardware. This market is dominated by laptops running Intel and AMD processors and chipsets.

The ''minimum'' base system requirements for Qubes OS are:

* 64-bit Intel or AMD processor with virtualization extensions
* 6 GB of RAM
* 32 GB of disk space

User experience

Users interact with Qubes OS in much the same manner that they interact with any standard graphical desktop operating systems with some key differences:

* The creation of qubes (security domains) offers the means to create discrete, lean, secure application spaces by linking them to a complete root filesystem using shared templates.
* Applications launched from their respective qubes are distinguished by a unique colored window border.
* Opening an application for the first time in a given qube may incur a modest delay depending on system hardware.
* Sharing files and clipboard paste buffers utilize a special mechanism, as qubes do not share a common clipboard or file system.
* Users can create and manage as many qubes as desired to suit their specific requirements.

System architecture overview

Xen hypervisor and domains

The Xen hypervisor provides strong isolation between its hosted virtual machines, called ''domains'' in Xen terminology.

The first domain started by Xen is the privileged ''administrative domain'' referred to as ''domain zero'' or more commonly ''dom0''.

The Administrative domain: dom0

As of Qubes OS 4.1.2, the operating system running in dom0 is Fedora Linux running a paravirtualized Linux kernel. It is the Linux kernel in dom0 that controls and brokers access to all the physical system hardware, via standard Linux kernel device drivers.

The operating system hosts the user's graphical desktop and controls most hardware devices. This includes the graphics device, USB ports, storage and input devices, such as the keyboard and mouse. The base graphical desktop is composed of the X server, the Xfwm window manager and the XFCE desktop.

By design, dom0 has the least possible direct interaction with the qubes in order to minimize the possibility of an attack originating from there.

Updates to the dom0 operating system and the included Template OS images are performed via a special mechanism which does not require dom0 operating system to connect directly to a network.

The User domains: qubes

An app qube (an instance of a qube) provides secure, compartmentalized execution of standard user applications such as a web browser, an email client or a text editor.

Operation of app qubes is controlled by the ''Qube Manager''. It launches the discrete app qubes and presents their applications on the desktop of dom0 as normal process windows.

This mechanism follows the idea of a sandbox. After running the application, viewing the document, etc., the whole disposable will be destroyed on shutdown.

Qubes OS integrates all of the app qubes into a single common desktop environment. The identity of each app qube for a given process is provided by an unforgeable, colored window border which is defined in the properties of the app qube.

Disk usage in dom0 is minimized by allowing multiple app qubes to share a common "template" root file system image maintained in read-only mode. Additional disk storage is only used for userʼs applications, data and per-VM settings.

Network domain

The network mechanism is the most exposed to security attacks. To circumvent this, it is isolated in a separate, unprivileged qube, named the ''net qube''.

Another ''firewall Domain'' is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised, the firewall is still isolated and protected (as it is running in a separate Linux kernel in a separate VM).

Reception

Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project.

Jesse Smith wrote a review of Qubes OS 3.1 for DistroWatch Weekly:

Kyle Rankin from Linux Journal reviewed Qubes OS in 2016:

In 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organization Access Now.

See also

* Hyperjacking
* Whonix

Notes

;References

External links

*

Qubes OS
on DistroWatch

{{FOSS

2012 software
Linux distributions
Operating system security
RPM-based Linux distributions
Tor onion services
X86-64 Linux distributions