Security by Compartmentalization: Qubes is an Open-Source OS Tackling the Most Sophisticated Modern Threats

TL;DR: Qubes, a free and open-source operating system, protects your digital life with a security-by-compartmentalization approach. The OS splits your environment into multiple isolated virtual machines and presents them as one integrated desktop, so a compromise of one compartment does not spread to the rest. The next frontier for Qubes is the cloud, with plans to scale the OS beyond a single machine.

In a world where exaggerated claims are the norm, it’s shocking to see an operating system marketed as “reasonably secure.” But that’s exactly how the folks behind Qubes describe their software — and they do so with pride.

“We’re painfully aware that the status quo is essentially no real security at all,” said Andrew David Wong, Community Manager at Qubes. “That’s why, when we set out to build Qubes, we decided to make ‘reasonable’ security our goal and be completely transparent about it.”

The team behind Qubes takes a pragmatic approach to security.

To that end, Andrew said the Qubes team is careful not to extol unattainable results.

“We don’t make empty promises to our users that we know no one can deliver on,” he said. “We do, however, find it amusing that many security experts around the world have deemed a ‘reasonably secure’ operating system to be the most secure operating system available.”

Security researchers at Invisible Things Lab, which launched the Qubes project in 2009, had spent years finding clever ways to exploit operating system vulnerabilities. “Studying the weaknesses of these systems allowed them to see how those systems could be strengthened, and their interest turned from breaking systems to building them,” Andrew said.

Upon acknowledging that no computer system is impenetrable, the researchers decided to build one that isolates breaches, thus limiting the damage that can be done. With that, Qubes was born.

Today, the operating system employs isolated virtual machines to secure environments that remain seamlessly integrated from the user perspective. The forward-thinking approach not only empowers users to master their software environment, but it also helps cut costs and organize data. With plans to bring the operating system to the cloud with Qubes Air, Qubes continues to push boundaries to the benefit of its open-source community.

Seamlessly Integrated But Securely Isolated Virtual Machines

The problem with conventional operating systems, Andrew said, is that a single successful attack can take over your entire digital life. Attackers have plenty of ways in; some will even leave a malicious USB drive in a public area, hoping that an unsuspecting victim will plug it into a computer and introduce malware.

“A malicious USB drive gets plugged into your machine, or an attacker exploits a vulnerability in your network stack without you knowing, and now the attacker owns everything,” Andrew said. “All of your data. Every account you log into on that machine. If you use a password manager, all of your passwords are now his.”

Qubes uses virtualization to create securely isolated domains that limit criminal reach.

In this scenario, the attacker takes total control of the device, and with it the user’s entire online world. The attacker can determine what the user sees and what the computer sends and receives. Andrew said even two-factor authentication, in which a system requires a password as well as a verification code, cannot defend a user against this type of breach: the code is typed into a machine the attacker already controls, and the authenticated session it unlocks is theirs to use.

Qubes stops a single compromise from handing over the whole machine by running on the Xen hypervisor, which partitions the system into securely isolated domains.

“Your one physical machine becomes many virtual machines (VMs), each secured from the outside world and from each other to varying degrees, depending on how they serve you, with secure channels of interoperation between them,” Andrew said.

That said, Qubes goes far beyond virtualization. According to Andrew, the true value of Qubes lies in the way these different domains are combined into a seamless desktop experience — all without sacrificing security.

“We’ve thought about everything — from how to share the root filesystems of VMs so that they can be updated simultaneously while saving disk space (our TemplateVM approach) to having Disposable VMs that can be used for handling untrusted files, connecting to a shady Wi-Fi network, or reading files of a potentially malicious USB drive before self-destructing,” he said.

A Forward-Thinking Approach Challenging Illusions of Security

Andrew said the Qubes philosophy is centered on one principle: distrust the infrastructure. In other words, users should be wary of trusting hosting providers, content delivery networks, email servers, PGP keyservers, package repositories, DNS services, and other external systems controlled by third parties.

“As a project, we focus on securing endpoints instead of attempting to secure ‘the middle’ (i.e., the infrastructure), since one of our primary goals is to free users from being forced to entrust their security to unknown third parties,” he said. “Our aim is for users to be required to trust as few entities as possible.”

Because the Qubes team believes users can never fully control or trust the external infrastructure they rely upon, attempts to make that infrastructure appear safe provide only a semblance of security, and that is a disservice. “We believe the best solution is not to attempt to make the infrastructure trustworthy, but instead to concentrate on solutions that obviate the need to do so,” Andrew said.

All of this was made possible by developments of recent decades, above all hardware-assisted virtualization on commodity processors, which let Qubes be built as an operating system that anyone can install on an ordinary laptop or desktop rather than on specialized hardware.

Andrew said the industry is currently witnessing another revolution in compartmentalization.

“Intel Software Guard Extensions (SGX) and similar technologies hold the promise of allowing an application to be isolated from the OS, rather than the other way around,” he said. “This is a security game-changer since it was previously unthinkable that an application could be trusted while it was running in an untrusted OS.”

The broader availability of GPU virtualization, as well as more robust device-sharing between VMs in general, also hold potential for future iterations of the system, Andrew said.

Cut Costs, Organize Data, and Master Your Software Environment

While security is Qubes’ primary focus, the operating system also delivers non-security benefits. For example, segmenting data and apps into distinct domains pushes users to organize their digital lives more deliberately.

In addition, the operating system empowers users to separate digital instances of their personal and professional lives that shouldn’t be intertwined.

“You can do your personal banking, work for several different clients, enjoy media, and any other activities you like without worrying about cross-contamination between those separate activities,” Andrew said.

Qubes also grants the user total control over software installations. It’s not uncommon to install a piece of software that makes unexpected changes or interferes with an existing workflow. With Qubes, users can isolate software within designated VMs, so it never has more power over the computer than explicitly assigned.

“This is also fantastic for programmers who want to have different development environments on different operating systems,” Andrew said. “Qubes allows them to have as many as they want on the same physical machine, securely, and it lets them try out new software — especially from untrustworthy sources — without worrying about compromising those environments or any of their clients’ data.”

The operating system also saves sysadmins the hassle of trying to impose email security best practices on non-technical users. Email attachments can be set to open automatically in a lightweight Disposable VM that is destroyed as soon as it is closed.

“If it turns out that an attachment was actually from an attacker instead of your boss, no problem,” Andrew said. “Just close the document, and the DisposableVM automatically destroys itself, leaving the rest of your system safe.”

Qubes Air: Bringing Qubes to the Cloud

Because Qubes is an open-source project, its team is composed of individuals who collaborate online from across the globe, occasionally meeting face to face at industry conferences.

When it comes to internal development, the open-source software project is exceedingly transparent.

“All of our non-proprietary work and discussions are public on GitHub and our mailing lists,” Andrew said. “We regularly discuss new features and bug fixes with everyone from brand-new users to folks who have been writing Qubes code for years.”

The team is currently working on a long-term project called Qubes Air, which will bring Qubes to the cloud without sacrificing security. This will enable the platform to scale beyond a single physical machine, combining multiple devices into a unified environment while maintaining clearly defined and secure domains. Several of the key features of Qubes Air will be available in Qubes 4.1.

The technology will serve multiple use cases, including connecting personal computers, integrating home and corporate servers, and uniting various cloud VMs.

Andrew said any risks inherent in moving to the cloud will be mitigated by the architecture of Qubes, which allows users to delineate appropriate boundaries while minimizing attack surfaces at those points of contact.

Christine Preusler