Qubes OS 1.0 isolates programs inside virtual machines for increased security
The first stable version of Qubes OS, an open source desktop operating system designed to provide a greater level of security by isolating programs inside virtual machines with different permissions, was released Monday by Polish security firm Invisible Things Lab (ITL).
The ITL team led by CEO Joanna Rutkowska, a security researcher best known for her work in the area of low-level system security, has been developing Qubes OS for the past three years. Since Monday, version 1.0 of the operating system can be downloaded from the project's website.
Qubes OS follows a "security by isolation" design principle. Applications can be configured to run inside different "security domains" defined by the user and which are implemented as lightweight virtual machines (VMs) with separate security policies.
For example, a user could run separate instances of the same browser in their personal domain, work domain, online banking domain, each with different permissions and access to different data.
This doesn't make the browser less vulnerable to known exploits, but it can limit what attackers can do if they compromise it.
"A hypothetical exploit for your favourite web browser would work against Firefox running inside one of the Qubes VMs just as well as it worked for the same browser running on normal Linux," Rutkowska said Monday in a blog post. "The difference that Qubes makes, is that this attacked browser might be just your for-personal-use-only browser which is isolated from your for-work-use-only-browser, and for-banking-use-only-browser."
Files and text can be copied between different security domains, but these operations were implemented in a way that requires user confirmation in order to limit what an attacker can do with a compromised domain.
Users can also create so-called "disposable VMs" for opening files from untrusted sources or performing other one-time tasks that might pose security risks.
The Qubes security model is somewhat similar to that of iOS or Android, operating systems that also isolate applications inside a sandbox and ask users to grant them different permissions.
However, Qubes offers more flexibility and doesn't rely as much on security choices made by its developers. Because of this, users are expected to be able to take security decisions on their own, like what security domains to create, what restrictions to apply to them and what applications to run inside each of them.
How users are going to take advantage of Qubes' application isolation capabilities is entirely up to them, Rutkowska said. "I realize this might be a tricky part for some users and some usage scenarios, yet, on the other hand, this seems to be the most flexible and powerful approach we could provide."
"People should realize that by mere fact of using Qubes OS they won't become automatically more secure -- it's how they are going to use it might make them significantly more secure," Rutkowska said.
Qubes is based on Linux, the X Window System and the Xen hypervisor -- a virtual machine manager. However, the developers have tried to limit the amount of code that could have critical security vulnerabilities.
"In Qubes OS we took a practical approach and we have tried to focus on all those sensitive parts of the OS, and to make them reasonably secure," Rutkowska said. "And, of course, in the first place, we tried to minimize the amount of those trusted parts, in which Qubes really stands out, I think."
That doesn't mean that Qubes is guaranteed to be free of security flaws. In fact, during the development stage, researchers working on the project found three critical vulnerabilities that could have impacted the operating system's security -- one in code they wrote themselves and two in hardware from Intel.
Rutkowska invited the security community to try to break Qubes and even pointed to a page that lists where the operating system's critical code is located.
Because it is based on Linux, Qubes can run most Linux applications. In the future, it might even support Windows applications running in Windows-based virtual machines through a commercial extension.
"We believe Qubes OS represents a reasonably secure OS," Rutkowska said. "In fact I'm not aware of any other solution currently on the market that would come close when it comes to secure desktop environment."