What Is Qubes OS?

Maybe this isn't the best place to ask this, but I'll try anyway:

I'm a consultant involved in cybersecurity who often has to build and run VMs to either test out software, run things in sandbox, or connect to TOR from a VM I'll never use again.

Having said that, I currently use Windows with VMWare Workstation, but I find it frustrating and would prefer something that's less frustrating and feels more built-in.

Is there a solution that anyone would recommend for this kind of thing? Internal networks, Windows and Linux sandboxes, etc. I use Microsoft office products regularly, and my workstation (Dell Inspiron with an i9, 64GB ram, 2tb SSD) is connected to a thunderbolt 4 dock with 2 1440 monitors. I'd prefer for a Windows VM to have passthrough to the monitors and be able to interact with the host OS via that VM, so I can still share my screen during meetings and while coordinating efforts.

I don't known of this works with all your criteria, but you might want to go with UnRaid or Proxmox or a Type 1 hypervisor like vSphere/ESXi or Xen.

You don’t really mention specifically what you find “frustrating” about VMWare Workstation so it’s hard to know on what criteria to give a response.

I don’t know how “built in” it can be considered but I’ve used LXD a bit and since it now supports VMs as well I’m guessing you could define VMs in yaml in advance and “easily” (depending on your definition) tear down and re-deploy VMs with preconfigured network settings etc. Vagrant should also work for this with a Virtualbox or VMware backend (paid feature).

What exactly do you mean when you say that the VM should be able to “interact with the host OS”, isn’t that exactly what you don’t want and why you’re running a VM in the first place?

I'd like the ability to drop files to a VM from another VM, like shared folders in Workstation.

My frustrations with VMWare usually revolve around network connectivity issues. My internal or NAT networks often fail to give the guest VMs the expected connectivity.

Maybe Fedora with Xen is the route I should try, assuming I can give the Windows VM full GPU pass-through and use it as a "primary" machine. I need to be able to screenshare almost daily via Zoom.

I don't get the distinction between type 1 and type 2.

E.g. xen is type 1 and KVM is type 2. But at the end of the day it's a Linux kernel in both cases that runs the virtual machines, so what's the point of distinction?

It's what runs above the vms that is the distinction. For xen it has its own kernel instead of running Linux as the hypervisor and host system. Xen still uses Linux typically as the domain zero as it calls it for doing control and setup but it doesn't necessarily have full access to all the hardware on its own.

You work in cybersecurity and want more exposure between the host and the guest? You have a very different risk tolerance than I would in your shoes

It's about reducing the size and attack surface of the most-privileged code which runs in the system, e.g. moving code out of the kernel, making hypervisor/VMM smaller, nested VMs, hardware enclaves. This video covers some of the changes over the last decade, including Xen and Bromium, https://youtube.com/watch?v=bNVe2y34dnM

I use vbox regularly on a Linux host, it’s not seamless but it works okay. I have custom built vm images with packer that do things like enable auto login and disable screensaver (these don’t matter on a vm, your host is where they should happen). I don’t need gpu so the vbox drivers suffice, but if I did I would probably consider getting a quadro or something and doing pci pass through (not even sure if vbox supports this)

As a cautionary though, vms are a good boundary but not a comprehensive one. If your threat model includes execution of 0day exploits (malware analysis or browser exploit chains) that can breach hypervisor perimeters you shouldn’t be doing anything sensitive from the host. RDP is better, but iirc there are some case studies of execution on the rdp client.

GPU Passthrough can be solved with LookingGlass (https://looking-glass.io/) if you just want a solve that particular problem. I'm not sure how well it works on a laptop but if you have a dedicated graphics card (e.g. Nvidia) you should theoretically be able to get it working the way you want. I'm sorry for the lack of elegant all-in-one packages. I too wish for an Excalibur of VM solutions.

NixOS or Guix both allow one to fire up a vm based on a specification very easily, and positively encourage interation. The learning curve is steep but rewarding.

If you just have a need for isolating Windows applications have you tried the Windows Sandbox functionality built-in to Windows 10 Pro and Enterprise version? https://docs.microsoft.com/en-us/windows/security/threat-pro...

If I'm doing real malware execution and analysis, I would one- way transfer the relevant file(s) to my sandbox and disable any backward connectivity before execution, but I still need a reasonably simple way of getting files to (suspicious files, etc) and from (resulting logs, registry changes, pcap, etc) the malware sandbox. Ive kinda solved this already using a number of tools outside my work host, but just in the off situations where this is necessary I want to have a template VM prepped in advance.

It’s very different. Can I open a PDF from Windows into Windows Sandbox with 2 clicks and close with 1 after reading, nearly instantaneously, without noticing the virtualization? Nope. Windows Sandbox is just a fresh VM, almost useless.

If you're on Windows, and you want to download something, install it, see what its all about.

Windows Sandbox starts in like 8 seconds to be usable and is trashed when you close it.

So its far from useless.

But for your usecase, yes it wont work.

You can do exactly that. Setup a .wsb file that mounts your downloads folder to the VM desktop and disable network.

Open the .wsb (1 click) then open the PDF (1 or 2 clicks). When you're finished close the windows sandbox window and it'll all be gone.

I second this, it's called magic wormhole, if you want the source, croc is a more friendly solution built ontop of magic wormhole. In any event, quick and easy.

Using a zero install PDF viewer, the wsb login command and a few lines script file one could also have the PDF automatically open in the Windows sandbox with a double click or using "Open with" from the context menu.

You could piggyback off MS Edge in the sandbox to open the PDF. Provided you don't need any advanced features, and just want to read it.

But yes that is a great idea.

I can't find information online. Does xen really has it's own, written from scratch kernel or is it based on some other os?

> I'd like the ability to drop files to a VM from another VM, like shared folders in Workstation.

https://www.qubes-os.org/doc/how-to-copy-and-move-files/

Completely it's own from scratch. It's a very simple, relative to full Linux or other OS, kernel/hypervisor. It's built to load what it calls the Dom0 system, which it gives a communication channel to to start up other virtual systems that it calls DomU. This in theory lets you use any OS as the Dom0 for initializing everything (Linux, *BSD, even Windows I think) as long as there's some kind of support for that communications channel to tell the Xen kernel to start up another system.

https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...

I was more thinking of running a portable pdf viewer such as Foxit Reader Portable from a folder mounted read only in the sandbox.

PSA: wormhole.app and magic wormhole are not the same

If you want to use the well known magic wormhole then visit the repo for instructions: https://github.com/magic-wormhole/magic-wormhole

The current supported version is a python cli app. A rust version is being developed, but last I checked was not considered ready.