Operating systems - QubesOS

Malicious software exists for the sole purpose of compromising systems, and even software built by seemingly trustworthy parties can be exploited. Modern software is inherently complex, vulnerabilities are not uncommon, and proving its correctness is not (yet) feasible. A traditional desktop operating system, once compromised, puts all of the user's data at risk.

QubesOS, a secure Xen-based free and open source operating system, mitigates these issues by compartmentalizing and isolating access to hardware components, system services and digital activities in virtual machines called qubes.

Hardware Compatibility

In order to be a reasonably secure operating system, certain decisions had to be made. Modern, fast hardware with the necessary virtualization technologies is required. A system without the full requirements may still work, but without heavy tweaking an unskilled user may suffer a death by a thousand paper cuts. Certain tasks (e.g. video editing, CAD software, games) that require access to the graphics processing unit (GPU) perform poorly, as GPU virtualization is not implemented unless direct GPU access is given to a qube through GPU passthrough.

Security architecture

Understanding the security architecture, its main components and its characteristics is imperative for proper use.

Qubes are differentiated by their type, use, and trust.

Types

Templates

Templates are qubes running Fedora, Debian or Whonix that share their system storage with other qubes.

App qubes

App qubes have their own private storage for user data but no system storage of their own, relying on templates instead.

Standalones

Standalones are fully independent qubes containing both system and private storage.

Disposable templates

Disposable templates are app qubes used as a base for disposables.

Disposables

Disposables are non-persistent qubes created on the fly and destroyed after use.

Uses

Admin Qube

The administrative qube is used to configure and manage the system using the following tools:

  • A qubes manager to administrate qubes
  • A template manager to install, update and remove templates
  • A policy editor defining interactions between qubes
  • A backup and restore tool.

Service Qubes

Service qubes serve very specific purposes:

  • The networking qube with Ethernet and WiFi access
  • The USB qube with USB devices access
  • The firewall qube managing incoming and outgoing network traffic
  • The Tor gateway qube routing all traffic over Tor

Software Installation and Configuration

Installation and configuration of software are done in templates.

Storing sensitive documents

Sensitive documents, including the password manager, are stored in an app qube without internet access.

Privacy and Anonymity

Privacy and anonymity related tasks are performed in a Whonix-based app qube or disposable.

User defined activities

Other activities can be split into qubes for purposes indicated by their names.

Untrusted activities

Untrusted activities can be performed in the untrusted app qubes, in standalones or in disposables.

Trust

The admin qube, the official templates, the vault, the firewall and the Tor gateway are considered trusted. If one of them is compromised, the security of the system partially falls apart; the exception is a compromised admin qube, which results in a completely untrusted system. Otherwise, a compromised template only affects the qubes relying on it, and a compromised app qube or standalone only compromises itself. A compromised Tor gateway would endanger the privacy and anonymity of users.

The network qube, the USB qube and any other qube interfacing with the outside world are by their nature untrusted.

Trusted actions

But ultimately, keeping a system trusted depends on the user's actions. The admin qube should only be used to configure and manage the system: no other software should be installed there, nor untrusted code executed. Templates should only be used to install software from their official repositories, and configuration changes should be made with knowledge of their ramifications.

Performing untrusted actions

Users may sometimes need to perform insecure actions, such as installing untrusted software or handling untrusted documents. Software should be installed in standalone qubes instead of risking the integrity of templates. Documents should be handled in untrusted qubes or disposable ones.

Inter qubes communication

Qubes are isolated domains but are still able to communicate securely with each other for common functionality such as qube administration, clipboard access and file transfer, using the qrexec framework.

Usability

Desktop integration

Despite the extensive use of virtual machines, the applications inside qubes are integrated in the same way they would be in any other desktop operating system.

Policies and Security prompts

Trust can be enforced through policies, by tightening or relaxing the rules that determine what action to take based on the permission, the source qube and the target qube. A denied permission results in a failed action with the user notified, an allowed one is executed silently, and one with a status of ask presents a security prompt for confirmation. USB, clipboard and file access, device attachment and assignment, and URL handling are covered.
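As an added illustration (not code from the page or from the Qubes project), the following is a simplified evaluator for qrexec-style policy rules as described above: one rule per line giving the service, argument, source, target and action, with the first matching rule deciding the outcome and no match meaning deny. The rule set, the `untrusted` tag and the function names are constructed for this example; only the `*`, `+arg`, `@anyvm` and `@tag:` forms are modelled.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    service: str
    argument: str   # "*" matches any argument, "+name" matches exactly one
    source: str
    target: str
    action: str     # "allow", "deny" or "ask"

def parse_policy(text):
    """Parse policy lines, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {line!r}")
        service, argument, source, target, action = fields[:5]
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"unknown action in rule: {line!r}")
        rules.append(Rule(service, argument, source, target, action))
    return rules

def _match_qube(pattern, name, tags):
    if pattern == "@anyvm":          # any qube, but never the admin qube (dom0)
        return name != "dom0"
    if pattern.startswith("@tag:"):  # qube carries the named tag
        return pattern[5:] in tags.get(name, set())
    return pattern == name

def evaluate(rules, service, argument, source, target, tags=None):
    """Return the action of the first matching rule; no match means deny."""
    tags = tags or {}
    for r in rules:
        if r.service != service:
            continue
        if r.argument != "*" and r.argument != "+" + argument:
            continue
        if _match_qube(r.source, source, tags) and _match_qube(r.target, target, tags):
            return r.action
    return "deny"

POLICY = """
# constructed rules: nothing is pasted into the vault, other pastes are confirmed
qubes.ClipboardPaste  *  @anyvm          vault   deny
qubes.ClipboardPaste  *  @anyvm          @anyvm  ask
qubes.Filecopy        *  @tag:untrusted  @anyvm  deny
qubes.Filecopy        *  work            vault   ask
"""
RULES = parse_policy(POLICY)
```

Rule order matters: moving the `vault` deny below the `@anyvm @anyvm ask` rule would turn a hard block into a prompt, which is the kind of relaxation the text warns should be made knowingly.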

Colored Trust

A color system visually represents trust: colored window borders indicate each qube's security level as a visual aid.

Flexibility

The setup described here matches the default one. More experienced users can expand upon it and tailor it to their particular needs, such as switching to minimal templates, creating audio or GUI service qubes, compartmentalizing user activities even further (general web browsing, banking) or making extensive use of disposables.

The text is available under the license Creative Commons Attribution-ShareAlike 4.0