Qubes OS

Qubes OS is designed to protect from sophisticated/targeted attacks.

No matter how protected your operating system is (sandboxie, comodo, apparmor,etc.), with one successful kernel exploit your system is owned.

The philosophy of Qubes OS is that you can not write perfect code so you try to reduce the code that enforces the isolation to the bare minimum. Basically it should be the enforcement code that should be “perfect”. Opera browser would still be compromised but the malicious code would still be contained, and would not be able to contact with others applications that are in others AppVMs because there is GUI isolation.

Windows, Linux, BSD, etc. have monolithic kernels with tens of millions of lines of code, making the attack surface on the kernel very big.

Qubes, on the other hand, uses Xen hypervisor to provide security isolation between domains, and Xen is just a few hundred of thousands lines of code. Meaning it will be very hard to find vulnerabilities, but because it is open source and has “so few” lines of code, every whitehat will be able to check the code in just a few days, and report vulnerabilities making Qubes stronger.

You will have security domains (AppVMs) that are implemented as lightweight virtual machines . You will have “banking”, “untrusted, etc. , and you can create your owns.

AppVMs are the virtual machines used for hosting user applications, such as a web browser, an e-mail client with GUI isolation. What this means is that if opera browser in untrusted is compromised it will not be able to keylog, snapshot, etc. , what you are doing in the banking domain with an other opera browser.
And once you boot your VM everything gets cleaned because there is a read only root filesystem shared by all the appVms. The only thing that is kept is the home folder, so Qubes does not protect you from your own mistakes (like installing a malicious extension).

There is also a Disp. Virtual machine that is for example when you receive an email in the work domain, and you are worried about the pdf that is sent, you can open it very quickly in an other VM. That means if the pdf is malicious it will not be able to get your other work files. The Disp. Virtual machine is created and booted in less than a second, and destroyed when is closed. They are preparing an option to open a file always in a disp. VM after the first time.

Qubes is based on Xen, X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.
Uses KDE desktop and Fedora template. I hope that in the future they offer other desktops (like unity) other templates (like ubuntu).
But you can install any other operating system inside Qubes similar to VMWare (except apple haha).


Basically Qubes offers very strong isolation (way superior than anything out there) with a lightweight approach, most virtualized applications feels like they are executed natively.

The problem is hardware. In terms of compatibility, and in terms of hardware it self ( 4 GB of ram, fast SSD disk strongly recommended, Intel VT-x needed to run HVM domains only, etc.)

It is great if you want to buy a new computer, if not it is a little harder.

The only thing out there that can be compared in terms of security is compiling your own kernel with Pax and Grsecurity patches. But that is basically just for geeks.

Do you really need it (are you a high target)? Maybe not, but it is free and if you have the computer for it, why not use it.
Regarding my self I am just happy that this level of security is being offered with simplicity in mind. Like i said compiling your kernel is just “crazy” , but anyone who knows how to use sandboxie or V. Box can use Qubes OS.

And not to forget that it is a recent project. Version one was released in September of 2012 and version II is in beta and had a lot of improvements (supports Windows-based AppVMs). I guess by V. III we will see more efforts put in terms of usability, like new desktops, etc. , but I am just speculating. Here is the roadmap .

This is just a little resume. There is much more. I will put a few links for the persons who have the patience or are simply bored haha.

I hope I have not made any mistakes but this was wrote on the fly, and for the record I have never used it, you can not install it in a virtual machine.

Ssj, if this were the good old days , when you were not bored with security, this would be your perfect OS haha ... Except for the hardware

Disposable VM
How is Qubes OS different from...
Qubes OS Project

How interesting, and thanks for the write-up. I'll be interested to see how development continues for this.

I'll be interested to see how development continues for this.

Me too.
In the roadmap for Version III they only say:

A revolution! More details to come later...

Makes you think

Qubes Release II Beta II might be released soon.

Templates for HVMs sometime in Beta 3 (maybe, no confirmation).

No the idea with the templates is that when one installs Windows (or
other OS) in an HVM, this HVM can be later used as a template for
creation of other AppVMs. So, you create an HVM, install Windows there
(using your installation media, your product key, your license), active
it, and then you shut this VM off. Now you can use it as a template to
create and run other AppVMs. The point here is that the other AppVMs do
not have their own copy of the Windows filesystem (C:\Windows,
C:\Program Files) -- this is only on the template VM's image -- they
only contain user's home folder.

I have not posted more about Qubes, basically because i started using GRsecurity.

I said it was hard, just for geeks, but it is not, as long as you have the right guide (terminal commands, open source drivers help, but for example i use the proprietary ones).

It is also free and it will work very well on old hardware, it will not slowdown your system.

That is an advantage regarding Qubes.

Which one is more secure, i can not say. I think few people can.


They basically offer:

- Industry-leading ASLR
-Chroot hardening (chrome uses it, so basically their sandbox will be much stronger with grsecurity)
-Exploit bruteforcing is harder

and much much more. Most i do not even understand haha.

GRsecurity

Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities.

A major component of grsecurity is its approach to memory corruption vulnerabilities and their associated exploit vectors. Through partnership with the PaX project, creators of ASLR and many other exploit prevention techniques -- some now imitated by Microsoft and Apple, grsecurity makes many attacks technically and economically infeasible by introducing unpredictability and complexity to attempted attacks, while actively responding in ways that deny the attacker another chance.

We stay on top of -- and in many cases drive -- the state of the art in security research. While the security teams of Linux distributions react to the latest widespread exploit simply by fixing the associated vulnerability, we quickly work in addition to close down any new exploit vectors, reduce the chance of similar vulnerabilities, and insert additional roadblocks for ancillary techniques that made the exploit possible or reliable.

As a result of this extensive approach, it is not uncommon to find in the event of a published exploit, particularly against the kernel, that the exploit's success is prevented by several separate features of grsecurity.