Qubes OS: A Different Approach to Security


Several Linux distributions aim at providing the best security to users. These Linux distros take different approaches to security and come with various pros and cons. Tails, for example, is a live operating system that uses the Tor network and several other cryptographic tools to protect privacy and ensure anonymity. However, since Tails is a live operating system, it doesn’t really become an OS one uses regularly. Another such distro is Subgraph, designed with a hardened kernel so it is resistant to network-borne exploits and malware attacks. And it takes protection even further. Subgraph comes with an application firewall that detects outbound connections by applications, ensuring that they aren’t sending out information they shouldn’t. The ability to choose distros based on security needs is one of the things that makes Linux appealing.

There’s also Qubes. Qubes is a security-oriented operating system based on Fedora. The OS tackles security with the concept of security by compartmentalization. This approach separates various parts of the operating system into compartments. These compartments run in their own lightweight virtual machines and are called qubes. This reduces the surface of attack, as what happens in one compartment has little or nothing at all to do with other compartments. (Mind you, there are measures to ensure resources are not wasted.)  

The single most important component of the operating system is probably the hypervisor because it is what enables isolation. Qubes uses the Xen Hypervisor for a number of reasons. The Xen Hypervisor allows fully virtualized and para-virtualized virtual machines. Xen is also thin and has driver domain support.

A Qubes user may create different domains for different activities, each in its own virtual machine. A user may create a Work domain and a Personal domain. The Work domain may house all things needed for work, like a browser, work documents, a word processing application, a messaging app, and other tools for work. The Personal domain may contain tools for personal work including a word processor, video player, a web browser, photo viewer, and a folder with personal files. These domains are independent. The browser history of the Work domain is different from the one in the Personal domain, even if the browsers are the same. The clipboard histories of each domain are independent as well, although there is a mechanism to safely copy across domains with additional security measures. The independence of domains ensures that compromise of one of the domains doesn’t escalate into a compromise of the whole system—hence reducing the surface of attack and mitigating damage.

Architecture Overview

Source:  https://www.qubes-os.org/attachment/wiki/QubesArchitecture/qubes-arch-diagram-1.png


AppVM is used for hosting applications. There is room to extend Qubes to support OSes other than Linux in AppVM. To save space, AppVM shares the same read-only filesystem.

Network Domain

Networking code (drivers, protocol stack, etc) exist in this domain, and the domain has access to networking hardware. Therefore, an attack on this domain only affects the network, not other domains.

Storage Domain

This domain has direct access to the storage devices of the system such as hard drive, USB, and CD/DVD. Data belonging to other domains cannot be read by this domain, and modification of the shared root filesystem is prevented. Intel Trusted Execution Technology (TXT) is employed to prevent compromising system boot code.

Secure GUI & Administration

This domain has direct access to graphics and input devices and runs on X server. It displays content hosted on an AppVM. Extra security is ensured in this domain, as a possible breach may easily affect other parts of the whole system.

Template Virtual Machine

A Template Virtual Machine (TemplateVM) is a virtual machine that supplies its root filesystem to another virtual machine. A VM built from a TemplateVM is termed a TemplateBasedVM. However, some VMs may not be based on any other VMs; this type is referred to as a StandaloneVM.

There are a number of options for TemplateVMs in Qubes: Fedora (default), Debian, Fedora-Minimal, Whonix, Ubuntu, and Arch Linux. Whonix is probably the most notable. Whonix ensures security and anonymity by routing network traffic through Tor. The Arch Linux template is quite experimental. Fedora-Minimal is small, as the name suggests. It includes a limited number of packages, which can be extended later.

Final Thoughts

Qubes is indeed built with security in mind. Whenever security—high-security—is the aim of a system, Qubes is definitely a candidate operating system. Take Snowden’s advice: “If you’re serious about security, QubesOS is the best OS available today. It’s what I use, and free. Nobody does VM isolation better.

Bruno is a junior at Ashesi University College studying Computer Science. He is interested in leveraging the power of technology to increase productivity. As a big fan of open source technology, he is currently exploring the possibility of using the Bitcoin Blockchain to fight corruption in government. Bruno is a regular contributor at Fixate IO.


Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *

%d bloggers like this: