Header Ads

Qubes OS, "Security by Isolation" Can Protect You Even if You Get Hacked

If you are Interested in Security and Hacking, you have probably already heard of various security-focused Operating Systems like Tails, Whonix and Kali Linux.

Qubes OS is a Linux based security-oriented and open-source operating system for personal computers, which runs everything inside the virtual machines.
Its visualization mechanism follows ‘Security by Isolation’ (Software Compartmentalization) principle to secure the systems, i.e. enabling the Principle of least privileges.
So, If you are a victim of a malicious cyber attack, doesn't let an attacker take over your entire computer.

Last week, the team at Invisible Things Project has announced the official release of Qubes 3.0 (Version 3), which is now based on Hypervisor Abstraction Layer (HAL), Xen 4.4 virtualization technology and supports Debian Linux.

Qubes is often misunderstood as a Linux distribution, but instead it can be called as Xen distribution.

Key Architecture features

  • Based on a secure bare-metal hypervisor (Xen)
  • Networking code sand-boxed in an unprivileged VM (using IOMMU/VT-d)
  • USB stacks and drivers sand-boxed in an unprivileged VM (currently experimental feature)
  • No networking code in the privileged domain (dom0)
  • All user applications run in “AppVMs,” lightweight VMs based on Linux
  • Centralized updates of all AppVMs based on the same template
  • Qubes GUI virtualization presents applications as if they were running locally
  • Qubes GUI provides isolation between apps sharing the same desktop
  • Secure system boot based (optional)

(Note: In the diagram above, “Storage domain” is actually a USB domain.)

Xen is a Native or Bare-Metal Hypervisor that uses a microkernel framework and offer services that allow multiple operating systems to execute on the same computer hardware simultaneously.

A Hypervisor is a computer software, firmware or hardware that allows multiple operating systems to share a single hardware host, where:

Each operating system appears to have the host's processor, memory, and other resources all to itself.
A Hypervisor is of two types, Native/Bare Metal and Hosted Hypervisor; with one running directly on the system hardware and hosting Guest OS and other runs within a Host OS and Hosts Guest OS inside it respectively.

The native/bare metal hypervisor is considered as the Pure Hypervisor as it promises security compartmentalization, reliability and higher security.
Similarly, Xen Hypervisor handles memory management and CPU scheduling of all virtual machines ("domains"), and for launching the most privileged domain ("dom0").

‘dom0’ i.e. Domain Zero, is the control domain of the Xen Hypervisor that has direct access to hardware.

Like Xen, Qubes works in a similar manner by:

  • Enabling execution of each separate component in its window environment on the same screen.
  • Also, you can view and use each active "window" much like how Linux allows you to open many windows on one desktop screen.

By using Xen Hypervisor, Qubes has tightened the security of a system, as for an attacker, he must be capable of destructing the hypervisor itself in order to compromise the entire system, which is hard task to achieve.

“It is like using a VMware server with multiple guest OSes,” explained Joanna Rutkowska, founder and CEO of Invisible Things Lab.

Qubes Supports Whonix (Anonymous Operating System)

Further, it supports all the operating system environment like:

  • Microsoft Windows
  • Linux distributions
  • Whonix
Whonix is another security focused Linux-based operating system (Debian); it is capable of providing privacy, security and anonymity on the internet.
It enforces only Tor-based communication and allows Qubes users to connect to the Internet via a more secure anonymity-focused VM.

No comments

blogmytuts. Powered by Blogger.