Qubes OS: A reasonably secure operating system

>>ploggi+(OP)
Joanna's (Qubes OS Founder) blog [1] is a gold mine when it comes to hardware-software boundary security. Especially "State considered harmful" [2] and "x86 considered harmful" [3] papers are eye-openers.

>>magnat+pi
That's why I don't get Qubes. She knows what a steaming pile PC hardware is, and decides to write a spinoff OS for it???

Seems like she'd have more effect designing hardware.

>>jstewa+wp
Q: Would the steaming pile be stinkier with an easy way to deploy & use VMs to separate things, or without?

A: Stinkier without, therefore Qubes.

>>rdiddl+mF
That's assuming the virtualization extensions are doing their job, and the other parts of the processor aren't leaking anything, and that Xen doesn't have any problems, and that the Qubes additions are solid, and that various interactions between these layers won't present any other problems, and probably a few other things...

I'd consider betting on one of those things being solid on its own, but not all of them together.

>>jstewa+TI
Well it obviously doesn't compete with whatever you're currently doing that solves all the same problems perfectly.

>>rdiddl+OJ
Why does it have to get personal rdiddly?

If you've spent any time with Intel's phone-book-sized opcode manual, or following the history of the PC, you get real skeptical when the words "secure" and "PC" are mentioned together.

>>jstewa+oK
Apologies for the sarcasm, really I'm just wondering what you're using then. To me there's no "secure" and "insecure," there's only "more secure" and "less secure."

>>rdiddl+q11
PC x86 architecture (including the Mac), for at least the past 20 years, has been cost-optimized as a games/performance machine, not a security one. Until that changes, the more/less secure axis is always going to be heavily biased towards "less" on the PC, regardless of what you run on top of it.

In my own space, the approach has typically been to minimize attack surface by using the least amount of the simplest possible hardware we can get away with, then verifying the hell out of it. 8/16-bit micros, RS-232, no BIOS, aggressive shielding, and an extreme approach to the actor model. For things that need more horsepower, super-simple 32-bit micros, a real-time microkernel, and loads of QA. It's not perfect, and we leave a lot of performance on the table, but as far as security-per-man-hour-expended goes, I'd put it up against anything on the PC any day of the week.

nickpsecurity made a very good comment on designs circulating in the assurance/defense sectors: https://news.ycombinator.com/item?id=15571546

The best part of his comment was the quote from Brian Snow:

"The problem is innately difficult because from the beginning (ENIAC, 1944), due to the high cost of components, computers were built to share resources (memory, processors, buses, etc.). If you look for a one-word synopsis of computer design philosophy, it was and is sharing. In the security realm, the one word synopsis is separation: keeping the bad guys away from the good guys' stuff!

So today, making a computer secure requires imposing a "separation paradigm" on top of an architecture built to share. That is tough! Even when partially successful, the residual problem is going to be covert channels (i.e. side channels). We really need to focus on making a secure computer, not on making a computer secure -- the point of view changes your beginning assumptions and requirements."

>>jstewa+3H1
That's great you have a design for something much more secure, but what are you actually using at the moment?

I agree Qubes (or other similar systems) are imperfect - partly due to software bugs, partly due to hardware vulnerabilities. But the it clearly is an improvement, if only thanks to the compartmentalization. I'm sure there are potential adversaries that have access to BIOS backdoors, Xen 0-days etc. But well ...

zlacker