What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security.
Alan: What happens if there’s a vulnerability in Xen and you can break out of the hypervisor?
Joanna: It depends on what you mean by "Xen". If you mean the actual hypervisor, then the vulnerability will likely by fatal. Over the past several years, though, there has been only one publicly-disclosed and exploited vulnerability in the Xen hypervisor that I'm aware of. It was in code written by the NSA to implement some security extensions for Xen (how ironic, huh?). This code was not enabled by default, so it wasn't fatal. The bug was found, exploited, and disclosed by us at Black Hat in 2008 (specifically by Rafal Wojtczuk).
However, there might also be a vulnerability in "Xen" that doesn't affect the actual hypervisor, but some other subsystem, such as a back-end driver or domain builder code (that reads and unpacks a user-provided custom kernel image). Most of the bugs in those systems do not affect Qubes because of the highly decomposed design we use.
There is also a chance there will be a bug in the underlying technology that is used by the hypervisor, such as Intel VT-d (that is used for building untrusted driver domains, not to be confused with VT-x). One (and only one, as far as I know) such attack that allows someone to bypass Intel’s VT-d-imposed protection has been demonstrated recently, incidentally also by us. I think this was the most complex and surprising attack that our team has ever presented, by the way.
Unfortunately there is little that we can do in case there are bugs in hardware technologies. We can only keep pointing out problems and hope the vendors, such as Intel, would be taking their job (more?) seriously.
By the way, there is another pending research paper from us relating to security vulnerability in another core hardware technology, but we're currently waiting for the vendor to come up with patches before we publish it (the plan is to do it in early fall, stay tuned).
Alan: Definitely. I’ll touch base with you closer to then. Can you walk us through how an end-user would interact with Qubes OS? Is it going to be easy enough for ordinary users?
Joanna: Using Qubes should be more or less as easy as using a standard Windows desktop.
The catch, however, is in properly configuring the Qubes desktop. Specifically, deciding how to partition somebody's digital life into separate domains. We can start with something as easy as "personal," "work," "banking," and "untrusted" domains. But then each user might want to add more domains depending on their usage and threat model.
For a paranoid user like myself, this could get really complicated. So, the bottom line is that, in practice, it would be a job for qualified IT staff to configure a Qubes desktop.
Still, we try to make this isolation, once configured, as seamless and automatic as possible. Again, our target for the 1.0 release is that the workflow on a properly-configured Qubes desktop would not be much different than a typical Windows desktop for business users.