Qubes-OS

John Moser john.r.moser at gmail.com
Wed Jan 8 22:53:06 UTC 2014 

On 01/08/2014 11:08 AM, Anca Emanuel wrote:
> No, until you demo something useful.
Well, they have a large amount of stuff showing how they've demonstrated
VM isolation under a paravirtualizing hypervisor to separate out
security zones on a single system.  X11 is in one VM, some user
applications are in another VM, other user applications have their own VM...

That's not entirely "useful" unless:

1) the VMs are substantially isolated--having (write) access to network,
disk, and files is basically un-isolated; and
2) You can't accomplish the same at the kernel level.

If it were i.e. Minix, I'd say that a microkernel can easily apply its
own security policies--essentially that's what Xen is, with full
operating systems running as OS services; a uK would accomplish the same
by having separate disk/FS/network services for different security
domains.  But we're not moving to Minix and we're not rewriting Linux as
a microkernel; thus the concern of "what if you hacked the kernel?" is real.

The other concern is just how isolated are multi-VMs?  The only real
advantage is a kernel exploit doesn't show you the full memory space of
the operating system.  I guess that means your browser that's doing
banking has memory mapped to domBankStuff that's not accessible by the
kernel in domUntrustedBrowsing at all.  But as far as system compromise
goes, what kind of write access do you have?  Can you write files to
/home, shared across domains?  Or what?  Do you have different /home
directories?

It's an interesting concept.  The question, "Can we learn anything from
this?" addresses the many questions starting with "Does this do anything
useful?" and "How useful is that?" and then moving on to "Can we
incorporate this and leverage it to any benefit?"

There's a reason why I don't just show up drooling over the "isolation"
and "security" that virtualization provides:  it sure does provide that
when running 4 different server OSes on one host, but you start reducing
the benefits when you break down the isolation.  Peoples' holy grail
ideal of "we'll run a browser in this VM, and it can save files to your
main home directory" is really pointless:  if it can do that, why not
just run it with all the other stuff?  It obviously has compromising
access to your stuff.

So the question comes up:  can we learn anything from this?  Even if we
inspect it and come out with just the realization that all the
"Security" provided in this model is illusionary, that's something.  I
mean hell, even Microsoft created a bunch of chatter talking about how
Vista was going to let you use Hyper-V to run some software in a "secure
VM" instead of directly, on the same model.  Sobering up to the
realization that it's either A) a good idea or B) completely stupid and
pointless would be enlightening.



> On Wed, Jan 8, 2014 at 6:02 PM, John Moser <john.r.moser at gmail.com> wrote:
>> http://qubes-os.org/trac/wiki/QubesArchitecture
>>
>> This looks interesting.  Can we learn anything from this?
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>>

More information about the Ubuntu-devel-discuss mailing list