
441 points ploggingdev | 2 comments

snvzz No.15734641
Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

monocasa No.15734803
No, I'd say that the weakest point is the IPC marshalling necessary to connect all of the containers together into a cohesive system. That's what I'd attack first.
JoachimSchipper No.15734817
A good place to look, but do note that that's the code written by the Qubes OS people - presumably, it's written with security in mind. Of course, Xen has had more eyeballs, so...
monocasa No.15734850
Chrome's IPC was written with security in mind too, but most of the sandbox escape exploits have been around IPC marshalling.

Unlike the nitty-gritty of how the sandbox works, the IPC changes often with new releases. And quite frankly it isn't as fun, cool, or interesting as VMMs or other sandboxing techniques, so a lot of the time it isn't given the close eye that it should.