Isolationist

Qubes OS is one of the most original security solutions available. Using the Xen hypervisor, Qubes divides computing into security domains, or "qubes" (Figure 1) – including the root-like Dom0 – and incorporates them into the desktop menu (Figure 2). For other routine operations, such as copying to an external drive, Qubes OS creates a disposable qube that is discarded after the operation is complete (Figure 3). Recently, community manager Andrew David Wong explained more about Qubes OS in response to Linux Magazine's questions.

Figure 1: The Qubes OS desktop. Note the color coding for different security domains.

Figure 2: Qubes simplifies security by adding its security domains, or qubes, to the menu.

Figure 3: In Qubes, routine tasks such as converting a PDF file use temporary, disposable security domains..

Linux Magazine: Why is free software important to security?

Andrew David Wong: An operating system like Qubes OS aims to be the fundamental bedrock of people's digital lives. We strongly believe that any such security-critical software must be free and open source in order to be trustworthy. It is essential for any such software that the project and code are transparent and that the developers' interests are aligned with those of their users. We all rely on Qubes for our own personal security in addition to our daily work on Qubes itself.

LM: What prompted the founding of Qubes OS? Personal reasons? Technical challenges? An incident?

ADW: Joanna Rutkowska and her team at Invisible Things Lab (ITL) initially rose to prominence through their offensive security research. Their work on low-level security and stealth malware exposed vulnerabilities and demonstrated attacks many had not thought possible. After showing that the state of low-level security was even worse than commonly believed, their interests turned to figuring out how to improve it. Most experts will tell you that the people best suited to build a secure system are those who know how to break such systems. With their unparalleled expertise in virtualization security, the ITL team was uniquely suited to building a virtualization-based system that implements the principle of security by compartmentalization.

LM: Qubes OS is built on Fedora. How do the two interact?

ADW: Qubes uses Fedora as the operating system that runs in Dom0 and as one of many templates. We could substitute a different OS in Dom0, and Qubes would still be largely the same. Therefore, we don't think of Qubes as being based on Fedora. Rather, Fedora is just one among several distros Qubes uses and can use. Others include Debian, Whonix, Arch, Ubuntu, CentOS, Gentoo, and more.

In all such cases, we use the binary packages provided by the upstream distros. We don't rebuild everything from scratch. We simply add our own Qubes-specific packages on top of theirs. If one were to say that Qubes is based on anything else, it would be more accurate to say Qubes is Xen-based rather than Fedora-based. This is why we also don't think of Qubes as a Linux distro. If anything, it's more of a "Xen distro." But Qubes is much more than just Xen packaging. It has its own VM [virtual machine] management infrastructure with support for templates, centralized updating, and so on. It also has a very unique GUI virtualization infrastructure. All of this forms a custom layer that abstracts from the underlying hypervisor.

We're working to make it so that Xen could be replaced by a different hypervisor, such as KVM, at which time it will no longer be accurate to call Qubes a Xen distro anymore, either. This is why we tend not to think of Qubes OS as a distro of anything else but rather as a meta-OS for running distros.

LM: How is Qubes organized and governed?

ADW: The Qubes OS Project is a global, decentralized, Internet-based collaboration. We have a largely flat, informal structure. Marek Marczykowski-GÛrecki is the project lead, with several others in charge of specific areas. We have no physical offices, and most work has been remote since the beginning.

LM: Why is Qubes described as "reasonably secure"?

ADW: Given the team's experience and expertise in showing how ostensibly-secure systems can be defeated, they understand better than most that there is no such thing as perfect security, especially in a practical, usable system.

Even the best programmers in the world, working under optimal conditions, cannot write complex code for real-world end users that's guaranteed to be 100 percent bug free. Most programmers are working under far from optimal conditions under intense time and financial pressure. They're overworked, sleep deprived, and stressed out. Security is rarely a priority and typically little more than a distant afterthought. Day after day, these programmers around the world continue to pump out unfathomably large quantities of buggy, exploitable code, which we then run on our devices.

Meanwhile, security experts are in short supply, and there are not nearly enough to audit even a tiny fraction of the code being churned out, much less identify and fix the vulnerabilities it contains. The result is that new zero-day vulnerabilities are discovered and exploited at a staggering pace.

The core idea behind Qubes OS is that computer security is fundamentally broken. We can never hope to prevent compromise from occurring, so instead we assume that it will (or already has) and act accordingly. Qubes implements the principle of security by compartmentalization: It allows us to separate different parts of our digital lives in securely isolated compartments called qubes. This way, one qube being compromised doesn't affect the others. A single hack no longer threatens to take everything down in one fell swoop.

The Qubes philosophy is a fundamentally practical one. For example, some security experts regard modern web browsers as bloated, over-engineered, and too easy to exploit. Be that as it may, for regular desktop computer users, browsers are indispensable. They're how people access their money, get information, do their work, and communicate with others. Rather than eschew mainstream software like browsers, our approach is to acknowledge that such software is vulnerable and compartmentalize it accordingly. The browser in your untrusted web surfing qube will probably get compromised at some point, but that's okay, because it won't affect any of your other, more important qubes. In fact, we even have disposable qubes that automatically self-destruct when you're done using them so that a compromise from one session doesn't carry over to the next.

Qubes is free and open source software. We don't answer to shareholders or a board of directors. We don't answer to anyone except our users. This affords us the freedom and the luxury to be frank and honest with our users about the real limitations of computer security, including the limitations of Qubes OS itself. This ethos is nicely captured in the slogan "a reasonably secure operating system." Reasonable security is the best any real-world operating system can hope to achieve. We're just brutally honest about it from the get-go.

There's also a tongue-in-cheek aspect to the slogan. Even before we had a slogan at all, Qubes OS had already earned a reputation as one of the most secure operating systems in existence and quite likely the most secure operating system available to anyone with an Internet connection. Many of our community members found the understatement of calling it only "reasonably" secure quite amusing.

LM: Your endorsements include one from Edward Snowden. Did his endorsement affect Qube's popularity?

ADW: We'd like to think so! While we have only a rough estimate of the userbase, we do recall a noticeable bump in interest from his endorsement, and we're certainly grateful for his continued support.

LM: Who is the target audience? Do you know of common deployments for Qubes?

ADW: Ultimately, our target audience is everyone who needs secure desktop computing. We are especially interested in providing a secure platform for those living and working in hostile environments, such as journalists and activists living under totalitarian regimes. Historically, many security researchers and power users have been drawn to Qubes, and we're eager to continue supporting their needs, as well.

The Freedom of the Press Foundation uses Qubes OS in its SecureDrop project, as do the teams at Let's Encrypt and Mullvad. We take great pride in the fact that these organizations rely on Qubes for their security while they work to provide secure technologies for their own users.

LM: What are the hardware challenges to the adoption of Qubes OS?

ADW: Historically, hardware has been one of the greatest challenges. Due to the high security standards we set for Qubes OS, specific hardware features are required. You can read more about that at the following links:

• https://www.qubes-os.org/faq/#why-is-vt-xamd-v-important
• https://www.qubes-os.org/faq/#why-is-vt-dadm-viamd-iommu-important
• https://www.qubes-os.org/doc/system-requirements/
• https://www.qubes-os.org/doc/certified-hardware/

We have addressed these hardware challenges through the Qubes certified hardware program: https://www.qubes-os.org/doc/certified-hardware/.

In addition, our community has recently put a lot of work into curating a list of computers that work well with Qubes: https://forum.qubes-os.org/t/5560.

Our community members also routinely test hardware to which they have access and contribute the results to our Hardware compatibility list (HCL): https://www.qubes-os.org/hcl/.

LM: How does security affect user convenience?

ADW: Qubes OS is inherently complex because it's a compartmentalized system based on virtualization, which requires users to make conscious decisions about how to divide up their digital lives. It has a secure-by-design architecture. Secure designs always entail certain security-convenience trade-offs. Moreover, it's based on a Linux environment that's new to many users coming from Windows and Mac backgrounds. Most operating systems might have to contend with one or maybe two of these factors, but Qubes combines all three. So, it comes as no surprise that it can be a challenge for some users to learn and use.

However, we're serious about making Qubes easier to use. Nina Alter, a user experience [UX] and design expert, has joined the team and has been hard at work on UX improvements throughout the system, some of which are funded by external grants.

LM: Why is Qubes OS not compatible with a virtual machine?

ADW: Some users have been able to install Qubes in a virtual machine, but it is neither recommended nor supported. Qubes should be installed on bare metal. After all, it uses its own bare-metal hypervisor!

While we understand that it would be easier to install Qubes in a virtual machine in order to try it out, one common alternative is to install Qubes on a fast removable drive, such as a USB 3.0 flash drive or an external SSD. This allows you to try Qubes on various systems without replacing the existing operating system on the internal drive.

LM: What future directions are planned?

ADW: There are two main goals we're currently pursuing:

1. While many of Qubes' security features are available via user-friendly graphical interfaces, many others still require using the command line and editing specific configuration files. In upcoming releases, we'll focus on making these features more accessible to ordinary users, for example, by adding graphical interfaces for more parts of the system and providing ready-to-use configurations rather than requiring users to create their own.
2. Our security-by-compartmentalization approach uses virtual machines to isolate different workloads from one another, including those of our internal system services. This is similar to a microkernel architecture but with somewhat heavier workloads. We're going to expand in this direction by allowing more types of workloads to be isolated. The latest example of this is isolating the entire graphics subsystem in a GUI qube. We're also going to make these workloads lighter in order to allow for greater compartmentalization without requiring significantly more hardware resources, in particular, by leveraging the use of unikernels for certain workloads.

LM: Is there anything else you would like to add?

ADW: We are particularly grateful to our community for their steadfast support throughout the years. We're pleased to see all the interesting things they're making out of the building blocks we've provided, such as the KVM/Power port, Windows support, Qubes Video Companion, Wyng backup, and many more. Witnessing such a thriving ecosystem grow up around Qubes shows us how far we've come and how much the project has matured over the years, and we couldn't have done it without our users, contributors, donors, and partners. Thank you!