The Qubes team describes their operating system as “reasonably secure”. Community Manager at Qubes Andrew David Wong said, “We’re painfully aware that the status quo is essentially no real security at all,”. The mission of Qubes was to build out an operating system with reasonable security by being transparent about their development.

Today I am going to be looking at/ reviewing an article by Joanna Rutkowskadiscusses[1]. This article discusses the need for the evolution of Qubes OS, the concept of “Security through Compartmentalization” to address some serious problems that exists in the current version of Qubes OS (4.0).

Attackers knows that if they can own sysadmins, then they can own the network. A slide leaked by Edward Snowden shows an NSA operator saying, “I hunt sysadmins”, this depicts the way how predators thinks. In a world where each nation-state predators thinks this way, there arise a need to protect the enterprise, the integrity of data and intellectual property. In my opinion, the Qubes can be a defense in depth solution. The Qubes OS let the users compartmentalize their data into different VMs and hence providing multiple security domains.

Andrew David Wong states that “Qubes is especially valuable in industries where sensitive data has to be securely segregated, such as finance and health”. The current version of Qubes itself integrate a large aspect of security by partitioning networking into separate, banishing USB into their own VMs etc. However, enterprise adoption was limited due to lack of remote administration capabilities and automated deployment.

The vision for Qubes Air was a result of the problems that existed in the Qubes operating system. The biggest problem being, the deployment cost (the difficulty of finding compatible laptop for installation). Instead of installing a new operating system rather than adding a new application have affected the wide adoption of Qubes. Another big issue encountered by Qubes was the overdependence on the hypervisor since Qubes relied heavily on virtualization technology for isolation of Qubes. Over the years, security researchers have found several security bugs including the “Meltdown and Spectre Attacks” and “Row Hammer Attack”. As a result of these problems, Qubes proposed a solution by moving Qubes into the cloud. However, the article also discusses a solution which does not involve cloud.

On one hand, Running Qubes over cloud eliminates deployment issues. However, this approach trade security for convenience or privacy for convivence. On the other hand, Qubes can be deployed in hybrid mode where a subset of the Qubes can be running locally (sensitive VMs) while others can be running over the cloud. Hybrid mode also proposed a solution for over-dependence on a single isolation technology of one specific hypervisor, since it can be used to host VMs over several cloud providers hence allowing Qubes to diversify their risk exposure against an attack. Moreover, the ability to deploy Qubes over separate physical device of many kinds have opened up several opportunities to resolve issues related with processors and hypervisors.

The article also discusses the changes Qubes architecture needs to bring together the proposed idea of Qubes Air. Qubes Zone is a concept that makes all these scenarios possible with a Unified architecture. The main change that was brought into the Qubes Zone from the prior Qubes Odyssey was the ability to hold more than one zone in a single system. Additionally, the article discusses certain features the Qube must have, which includes implementation of vchan endpoint, qrexec, one uplink network interface, two kind of volumes etc.

Although the Qubes was initially designed for desktop computing, with the evolution of some security optimized management, Qubes Air will also be useful in non-desktop applications. Furthermore, the article discusses about the security optimized GUI protocol and its impacts. Moreover, the articles question the relevancy of the new architecture in the upcoming years and Joanna provides justification to why the new model make perfect sense.

In this article, Joanne Rutkowska states that “The essence of Qubes does not rest in the Xen hypervisor, or even in the simple notion of ‘isolation,’ but rather in the careful decomposition of various workflows, devices, apps across securely compartmentalized containers,”. The efforts by the Qubes team to improve the security endpoint will be inevitable with Qubes Air.

In conclusion, I believe that Qubes Air assures reasonable security. With the evolution of Qubes Air the security issues and problem that existed in the current Qubes architecture can be resolved. Although the approach of Qubes deployment on cloud can be beneficial in many cases, from a security point of view, trading security/privacy for convenience does not make it a worthy trade. However, with the successful implementation of Qubes Air the admins will be able to distribute payloads across platforms such as cloud VMs, PCs, USB Armory, Raspberry PIs etc. with less effort. The downside is the hardware requires VT-x and VT-d to support security features. Moreover, the user interface is not easy to master for non-technical users.

Reference:

1 “Qubes Air: Generalizing The Qubes Architecture”. Qubes OS, 2019, https://www.qubes-os.org/news/2018/01/22/qubes-air/.