Qubes OS: The Bento Security Model in Action
One of my favorite jokes about security people is that you can divide them into two types: Builders and Breakers. Builders like to make things, like web applications or identity management infrastructures. Breakers like to find holes in things. They tinker and hack. Usually, you gravitate towards one skillset or the other; it is extremely rare to find someone who does both well. It’s like running: you either sprint, or run marathons.
So it was with great curiosity that I read about the announcement of the Qubes OS by Invisible Things’ Joanna Rutkowska. Joanna is best known as the bête noire of the virtualization world; her “Blue Pill” hypervisor-breaking software was widely noted, even by us. Her Black Hat speeches are legend. She is clearly in the Breaker camp, and one of the best ones too.
Qubes is a new operating system based on Linux and Xen that divides up the operating system into multiple isolated VMs that work together. It allows arbitrary portions of the operating system, such as the web browser, to run in one VM while other portions run in other VMs. Certain functions, like networking and storage, run in their own VMs. The VMs share a GUI (again, compartmentalized from the other VMs) and can exchange files. I won’t attempt to describe it in detail — the architecture document does that well enough:
Virtual Machines (VMs) are the primarily building blocks for the system. Qubes architecture optimizes disk (and in the future also memory) usage, so that itʼs possible to run many VMs in the system, without wasting precious disk resources. E.g. file system sharing mechanisms allow to reuse most of the filesystem between VMs, without degrading security isolation properties. Intel VT-d and TXT technology allows for creating safe driver domains, that minimize system attack surface… One can divide the VMs used by the system into two broad categories: the AppVMs, that are used to host various user applications, such as email clients, web browsers, etc, and the SystemVMs (or ServiceVMs) that are special in that they are used to provide system-wide services, e.g. networking or disk storage.
Qubes is interesting, at the very least, because of who is building it: someone who is better known for breaking stuff. But it is also interesting because it continues a line of thought that has been bubbling along for several years: the use of virtualization and virtualization-like technologies to isolate processes and divide operating environments into security domains. Other operating systems that share some of these same concepts include:
- Google Chrome OS
- Apple iPhone/iPad OS
- Microsoft’s Singularity Project
Typical features with all of these operating systems is process isolation (sandboxing), file system abstraction and (usually) trusted bootloaders to ensure OS integrity at boot-time. It is where operating systems are headed, and in the future, most reasonably-complex devices that are not PCs will sport a design that includes one or more of these elements.
I call this the “Bento” security model. It does for operating system security what the Japanese have done for lunch: divide stuff up into nice, neat compartments.
We will have more to say about Bento security later this year. But in the meantime, check out Qubes. It is not ready for prime time. But it is a very interesting experiment that bears observing.