Qubes OS: A reasonably secure operating system

(www.qubes-os.org)

441 points ploggingdev | 1 comments | 19 Nov 17 16:06 UTC | HN request time: 0s | source

Show context

snvzz ◴[19 Nov 17 17:00 UTC] No.15734641[source]▶

Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

replies(6): >>15734676 #>>15734739 #>>15734803 #>>15734841 #>>15734956 #>>15735067 #

mmrezaie ◴[19 Nov 17 17:17 UTC] No.15734739[source]▶

>>15734641 #

Xen's hypervisor's size is very small. Qubes is about security and trustability of the whole system. In operating systems for measuring the trustability of the system, one very important measure is the lines of the code. Xen has a smaller footprint in the hypervisor part. Additionally, Xen has a robust model isolation for the drivers. That's why they went for Xen not KVM. But boy I wish to see more seL4. It was sad to see Gnu Hurd/seL4 didn't make it.

replies(3): >>15734755 #>>15734790 #>>15735029 #

xyzzyz ◴[19 Nov 17 17:19 UTC] No.15734755[source]▶

>>15734739 #

The problem with Xen is that no major industry player is backing it, especially with Amazon going KVM now.

(disclaimer: working at Google on virtualization security)

replies(3): >>15734816 #>>15734838 #>>15737654 #

ryacko ◴[19 Nov 17 17:33 UTC] No.15734838[source]▶

>>15734755 #

Any chance Google will sponsor secure processor architecture standards?

I mean, the US government no doubt had influence on the Trusted Computing Group (too bad the EFF totally shunned it), and through the magic of product binning and chip fab costs, we all have trusted platform modules.

ASLR currently seems wimpy.

I'm certain you are in a position to accomplish a great deal, no matter where you are in the hierarchy. Maybe the future is x86 hardware emulation for user mode processes.

replies(2): >>15734873 #>>15737871 #

1. nickpsecurity ◴[20 Nov 17 04:50 UTC] No.15737871[source]▶

>>15734838 #

The US and UK governments especially have been sponsoring great architectures for security that are described in enough detail for hardware engineers to implement or straight-up open source. CHERI at Cambridge is one of the latter which already runs FreeBSD. All Google has to do is pay a good team/company to build one that's reusable for their various products and services. Then, they can start targeting those to it at software level for better efficiency.

The project would cost money that Google has. There's not much new to invent, though. They just have to apply what's there. The performance penalties and ASIC costs are even much lower than they were in the past. Google refuses to do these things because either (a) they don't know about them or (b) more likely their management doesn't want to commit that much money to secure hardware. Typical of the big companies with the smartcard market the only exception far as stuff non-enterprises could afford.

For a quick example, they did retool software to support OpenPOWER architecture but could've also funded Raptor Workstation in a desktop or esp server form themselves. It would've been to their budget like pennies are to ours. Not even that. At least they did the Chromebooks, though, which are good for a lot of non-technical folks.

↑