Qubes OS

For the arcade game, see Q*bert's Qubes.

Qubes OS

Applications running in different security domains
Developer	Invisible Things Lab
OS family	Unix-like
Working state	Current
Source model	Open source (GPLv2)^[1]
Initial release	September 3, 2012 (2012-09-03)^[2]
Latest release	3.2^[3] / September 29, 2016 (2016-09-29)
Latest preview	R3.2 rc3^[4] / August 31, 2016 (2016-08-31)
Available in	Multilingual
Update method	Yum (PackageKit)
Package manager	RPM Package Manager
Platforms	x86-64
Kernel type	Microkernel (Xen Hypervisor running minimal Linux-based OSes and others)
Userland	Fedora, Debian, Whonix, Microsoft Windows
Default user interface	KDE, Xfce
License	Free software licenses (mainly GPL v2^[5])
Official website	www.qubes-os.org

Qubes OS is a security-focused desktop operating system that aims to provide security through isolation.^[6] Virtualization is performed by Xen, and user environments can be based on Fedora, Debian, Whonix, and Microsoft Windows, among other operating systems.^[7]^[8]

On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution.^[9]

Security goals

Security domains scheme

Qubes implements a Security by Isolation approach.^[10] The assumption is that there can be no perfect, bug-free desktop environment. Such an environment counts millions of lines of code, billions of software/hardware interactions. One critical bug in any of these interactions may be enough for malicious software to take control over a machine.^[11]^[12]

In order to secure a desktop, a Qubes user should take care of isolating various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.^[13]

In Qubes, the isolation is provided in two dimensions: hardware controllers are isolated into functional domains (GUI, network and storage domains), whereas the user's digital life is decided in domains with different levels of trust. For instance: work domain (most trusted), shopping domain, random domain (less trusted).^[14] Each of those domains is run in a separate virtual machine.

Qubes is not a multiuser system.^[15]

System architecture overview

Xen hypervisor and administrative domain (Dom0)

The hypervisor provides isolation between different virtual machines. The administrative domain, also referred to as Dom0, has direct access to hardware. Dom0 hosts the GUI domain and controls the graphics device, as well as input devices, such as keyboard and mouse. The GUI domain runs the X server, which displays the user desktop, and the window manager, which allows the user to start and stop the applications and manipulate their windows.

Integration of the different virtual machines is provided by the Application Viewer, which provides an illusion for the user that applications execute natively on the desktop, while in fact they are hosted (and isolated) in different virtual machines. Qubes integrates all these virtual machines onto one common desktop environment.

Because Dom0 is security-sensitive, it is isolated from the network. It tends to have as little interface and communication with other domains as possible in order to minimize the possibility of an attack originating from an infected virtual machine.^[16]^[17]

Network domain

The network mechanism is the most exposed to security attacks. This is why it is isolated in a separate, unprivileged virtual machine, called the Network Domain.

An additional proxy virtual machine is used for advanced networking configuration.^[18]

Storage domain

Disk space is saved by virtue of various virtual machines (VM) sharing the same root file system in a read-only mode. Separate disk storage is only used for userʼs directory and per-VM settings. This allows software installation and updates to be centralized. Of course, some software can be installed only on a specific VM.

Encryption is used to protect the file systems, so that the storage domain cannot read confidential data owned by other domains.

Application Virtual Machines (AppVM)

AppVMs are the virtual machines used for hosting user applications, such as a web browser, an e-mail client or a text editor. For security purpose, these applications can be grouped in different domains, such as “personal”, “work”, “shopping”, “bank”, etc. The security domains are implemented as separate, Virtual Machines (VMs), thus being isolated from each other as if they were executing on different machines.

Some documents or application can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.^[19]

Each security domain is labelled by a color, and each window is marked by the color of the domain it belongs to. So it is always clearly visible to which domain a given window belongs.

References

↑ "Qubes OS License".
↑ "Introducing Qubes 1.0!". September 3, 2012.
↑ "Qubes 3.2". September 29, 2016.
↑ "Qubes OS 3.2 rc3 has been released!". August 31, 2016.
↑ https://www.qubes-os.org/doc/QubesLicensing/
↑ "Qubes OS bakes in virty system-level security". The Register. September 5, 2012.
↑ "Qubes OS Templates".
↑ "Installing and using Windows-based AppVMs".
↑ "Endpoint Security Prize Finalists Announced!". Michael Carbone. February 13, 2014.
↑ "The three approaches to computer security". Joanna Rutkowska. September 2, 2008.
↑ "Qubes OS: An Operating System Designed For Security". Tom's hardware. August 30, 2011.
↑ "A digital fortress?". The Economist. March 28, 2014.
↑ "How Splitting a Computer Into Multiple Realities Can Protect You From Hackers". Wired. November 20, 2014.
↑ "Partitioning my digital life into security domains". Joanna Rutkowska. March 13, 2011.
↑ Rutkowska, Joanna (May 3, 2010). "Google Groups - Qubes as a multi-user system". Google Groups.
↑ "(Un)Trusting your GUI Subsystem". Joanna Rutkowska. September 9, 2010.
↑ "The Linux Security Circus: On GUI isolation". Joanna Rutkowska. April 23, 2011.
↑ "Playing with Qubes Networking for Fun and Profit". Joanna Rutkowska. September 28, 2011.
↑ "Qubes To Implement Disposable Virtual Machines". OSnews. June 3, 2010.

External links

Official website
Invisible Things Lab
Invisible Things Blog
DistroWatch overview
Trusted Computing Technologies, Intel Trusted Execution Technology, Sandia National Laboratories, January 2011, by Jeremy Daniel Wendt and Max Joseph Guise

Red Hat Enterprise Linux and Fedora derivatives

Red Hat Enterprise Linux	CentOS ClearOS Fermi Linux Inspur K-UX Oracle Linux RedSleeve Rocks Cluster Distribution Scientific Linux Turbolinux Yellow Dog Linux

Fedora	Aurora SPARC Linux Berry Linux BLAG Linux and GNU Korora MythDora Planet CCRMA Qubes OS Red Flag Linux

Linux distributions

Arch Linux	Antergos ArchBang Chakra Manjaro Linux Parabola GNU/Linux-libre

Debian	antiX Astra Linux Bharat Operating System Solutions Devuan gNewSense HandyLinux Kali Linux Knoppix SparkyLinux SteamOS Tails Ubuntu Official: Edubuntu Kubuntu Lubuntu Ubuntu MATE Xubuntu Unofficial: Bodhi Linux Elementary OS Linux Mint Trisquel

Fedora	BLAG Linux and GNU Korora Red Hat Enterprise Linux CentOS ClearOS Linpus Linux Oracle Linux Qubes OS Rocks Cluster Distribution Scientific Linux SME Server

Gentoo Linux	Calculate Linux Chromium OS Chrome OS Funtoo Linux Sabayon Linux

Other	Asturix Frugalware Linux Mandriva Linux Mageia OpenMandriva Lx ROSA Linux openSUSE SUSE Linux Enterprise Server PCLinuxOS Puppy Linux Slackware Porteus Salix OS VectorLinux Source Mage

Category Comparison List Commons

Virtualization software

Comparison of platform virtualization software

Hardware
virtualization
(hypervisors)

Native

Hosted

Specialized	Basilisk II bhyve Bochs Cooperative Linux DOSBox DOSEMU L⁴Linux Mac-on-Linux Mac-on-Mac PCem SheepShaver SIMH Veertu Windows on Windows Virtual DOS machine Win4Lin

Independent	Microsoft Virtual Server Parallels Workstation Parallels Desktop for Mac Parallels Server for Mac PearPC QEMU VirtualBox Virtual Iron VMware Fusion VMware Player VMware Server VMware Workstation Windows Virtual PC

Tools

OS-level
virtualization

cgroups-based
- CoreOS
- lmctfy
- Linux-VServer
- LXC
- Docker
- OpenVZ
FreeBSD jail
iCore Virtual Accounts
Kubernetes
Linux namespaces
Solaris Containers
Workload Partitions

Desktop
virtualization

Application
virtualization

Network
virtualization

Distributed Overlay Virtual Ethernet (DOVE)
NVGRE
Open vSwitch
Virtual security switch
Virtual Extensible LAN (VXLAN)

Free and open-source software

General	Alternative terms for free software Comparison of open-source and closed-source software Comparison of source code hosting facilities Free software Free software project directories Gratis versus libre Long-term support Open-source software Open-source software development Outline

Software packages	Audio Bioinformatics Codecs Collaboration Configuration management Device drivers Graphics Wireless Geophysics Health Mathematics Operating systems Programming languages Routing Statistics Television Video games Web applications Content management systems E-commerce Word processors Android apps iOS apps Commercial Trademarked Formerly proprietary

Community	Free software movement History Open-source software movement Organizations Events

Licenses	Apache APSL Artistic Beerware Boost BSD CC0 CDDL EPL GNU GPL GNU LGPL ISC MIT MPL Ms-PL/RL WTFPL zlib

License types and standards	Comparison of free and open-source software licenses Contributor License Agreement Copyfree Copyleft Debian Free Software Guidelines Definition of Free Cultural Works Free license The Free Software Definition The Open Source Definition Open-source license Permissive free software licence Public domain Viral license

Challenges	Binary blob Digital rights management Hardware restrictions License proliferation Mozilla software rebranding Proprietary software SCO/Linux controversies Secure boot Software patents Software security Trusted Computing

Related topics	The Cathedral and the Bazaar Forking Microsoft Open Specification Promise Revolution OS

Book Category Commons Portal