441 points ploggingdev | 3 comments
snvzz No.15734641
Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

replies(6): >>15734676 #>>15734739 #>>15734803 #>>15734841 #>>15734956 #>>15735067 #
mmrezaie No.15734739
Xen's hypervisor's size is very small. Qubes is about security and trustability of the whole system. In operating systems, one very important measure for the trustability of the system is the number of lines of code. Xen has a smaller footprint in the hypervisor part. Additionally, Xen has a robust isolation model for the drivers. That's why they went for Xen, not KVM. But boy, I wish to see more seL4. It was sad to see GNU Hurd/seL4 didn't make it.
replies(3): >>15734755 #>>15734790 #>>15735029 #
xyzzyz No.15734755
The problem with Xen is that no major industry player is backing it, especially with Amazon going KVM now.

(disclaimer: working at Google on virtualization security)

replies(3): >>15734816 #>>15734838 #>>15737654 #
ryacko No.15734838
Any chance Google will sponsor secure processor architecture standards?

I mean, the US government no doubt had influence on the Trusted Computing Group (too bad the EFF totally shunned it), and through the magic of product binning and chip fab costs, we all have trusted platform modules.

ASLR currently seems wimpy.

I'm certain you are in a position to accomplish a great deal, no matter where you are in the hierarchy. Maybe the future is x86 hardware emulation for user mode processes.

replies(2): >>15734873 #>>15737871 #
standupstandup No.15734873
It's Intel pushing that stuff forward, with SGX.
replies(1): >>15734993 #
ryacko No.15734993
Then from recent Defcon and Black Hat talks, they are an abysmal failure. ( https://www.youtube.com/watch?v=lR0nh-TdpVg Memory Sinkhole - Unleashing An X86 Design Flaw Allowing Universal Privilege Escalation ) (I don't understand it beyond what everyone says it can achieve.)

Intel should be considered to be totally unreliable and incompetent.

I mean, no one buys office store safes and expects their things to be secure in them. But a processor is a little more expensive than a cheap safe and holds more valuable things.

Edit: and besides, Fortezza is an SSL protocol option.

replies(2): >>15735025 #>>15735058 #
ryacko No.15735058
>SGX is designed to shield software against SMM exploits.

Perhaps if we add one more thing, x86 will finally be secure. You are right, Intel should be left to their own devices.

replies(2): >>15735415 #>>15735868 #
hateduser2 No.15735415
Seems like you replied to the wrong comment; the intended parent might not see your reply because of this... probably should repost it in the right place.
replies(1): >>15736733 #
ryacko No.15736733
Hmm. I thought comment chains were limited in length.
replies(1): >>15739964 #
hateduser2 No.15739964
Not that I know of... although the reply button sometimes doesn't show up... you just have to click into a comment if it's missing for you.