Darwin's Theories Blog

New Theories for a New Time

Qubes OS: Not just for security nerds

2022-11-04
Run Every Desktop App in a separate VM

Security often seems like a joke: there seem to be more, and better-funded, bad actors than security practitioners. What can the average person do? One thing would be to just stop using computers and smartphones. But 99.783281% of the two people I polled on that question wouldn’t go near that approach with a six-foot Pole. Next best thing? Stop using Microsoft Windows, because most of the bad actors target that platform simply because it is so widely used. There are plenty of alternatives out there: macOS (based partly on Unix), "a thousand different feelings" of Linux, one version each of Berkeley Unix descendants like OpenBSD, NetBSD, and FreeBSD, and Solaris Unix descendants like Illumos.

There’s a twofold problem with these: the software you want may not be available, and the security you want may not be available. While OpenBSD focusses on security (and as part of that maintains several packages that everybody else uses, including the Secure Shell SSH/scp/sftp suite), its adoption by mere mortals is sometimes hampered by lack of the commercial software that people think they need (there is often a free alternative, but that’s a topic for another post). Most of the other OSes claim to be secure as well, but not all have the track record to prove it.

What if you could combine the best of everything, and wind up with better security? That’s the premise of Qubes OS. Pretty much everyone is aware of the notion of 'cloud computing', in which companies run services on 'cloud instances' which are usually 'virtual machines'. A virtualization system (a hypervisor) is software that divides one physical computer into a number of isolated virtual computers, each running its own operating system. There are any number of virtual systems, including well-known brands like VMware, Linux KVM, one called 'Xen', and desktop systems like VirtualBox. OpenBSD even provides its own, vmm. Qubes OS uses a Xen-based virtualization system to provide virtual computers for desktop/laptop software; its unique approach is that it aims to run every category of app in a separate virtual machine, so that if one VM gets compromised, the infection cannot spread to the others. "Category" is left to the user to define, but often separates into work, personal, and so on.

If one VM does get compromised, or corrupted by a software glitch or a failed upgrade, you just delete it and re-create it. Most Qubes VMs (just 'qubes' for short) are either templates or application VMs (AppVMs); software is generally installed on templates, whose files are mounted read-only onto the AppVMs, so the AppVM cannot harm the template.

For example, I have a Microsoft Windows 11 Pro "template" VM, and several AppVMs that use it: a Windows VM for miscellany (solitaire, if I had time), one for Teams, and another for PowerPoint. Of course I only have one running at a time, due both to licensing and to memory usage.

Pros:

* Good separation between apps for security
* Color coding (unforgeable) of different security domain windows
* Efficient virtualization

Cons:

* Complex setup, of necessity
* Hard to use USB-based network adapters
* Need to think more about security (actually a pro)
* In Linux VMs, /usr/local is not exported from the template; software must be installed in /usr
* Issues with copy-paste between VMs (Ctrl/Alt/C-V, but that's already assigned in the standard terminal emulator)
* Compartmentalization of filesystem storage
* Inability to sub-virtualize
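An added example (not from the post, and not the Qubes project's own code): a small POSIX shell script for a Linux qube that tells you which paths are served from the template's root volume and which live on the qube's own private volume, which is why a package put in the template's /usr/local never shows up in its AppVMs. It assumes the standard Qubes layout (private volume /dev/xvdb, bind-mounted at /rw, /home and /usr/local); the mount table below is a constructed sample.

```shell
# Added example, not from the post. Classifies a path inside a Qubes Linux
# qube as "template" (on the root volume the template provides, so software
# installed in the template appears there) or "private" (on the qube's own
# /rw volume, which persists per qube but is never populated by the template).
# Assumption: the private volume is /dev/xvdb, with /home and /usr/local
# bind-mounted from it, as in a standard Qubes AppVM.

# Constructed sample of /proc/self/mounts (device mountpoint fstype ...).
SAMPLE_MOUNTS='/dev/xvda3 / ext4 rw,relatime 0 0
/dev/xvdb /rw ext4 rw,relatime 0 0
/dev/xvdb /home ext4 rw,relatime 0 0
/dev/xvdb /usr/local ext4 rw,relatime 0 0'

# classify_path PATH [MOUNTS_FILE]: prints "template" or "private". Picks the
# longest mount point that is a prefix of PATH and looks at the device behind
# it. MOUNTS_FILE defaults to the live mount table of the current qube.
classify_path() {
    path=$1
    mounts=${2:-/proc/self/mounts}
    best='' bestdev=''
    while read -r dev mnt _; do
        case "$mnt" in
            /) prefix=/ ;;
            *) prefix="$mnt/" ;;
        esac
        # Compare with trailing slashes so /usr/local does not match /usr/localx.
        case "$path/" in
            "$prefix"*)
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt
                    bestdev=$dev
                fi ;;
        esac
    done < "$mounts"
    case "$bestdev" in
        /dev/xvdb*) echo private ;;
        *)          echo template ;;
    esac
}

# Stand-alone demonstration on the constructed table.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    for p in /usr/bin/tool /usr/local/bin/tool /home/user/.bashrc /etc/hosts; do
        printf '%-24s %s\n' "$p" "$(classify_path "$p" "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

Omit the second argument to inspect the live mount table of the qube you are in.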

Central files?

One possible answer to the problem of having to set up your home directory on multiple machines would be to have one machine working as a file server to all the others. Such a machine could provide NFS and/or SMB file sharing (the former popular on Unix/Linux and the latter standard on Windows). On a laptop like the Framework, you could have two versions of this filesystem, on two different "expansion card" SSDs: one for real use and a minimal version for travelling in risky areas or to lands with authoritarian/intrusive regimes. But this is actually something that the Qubes people would tell you not to do! The issue is that having all your files in one basket somewhat defeats the compartmentalization that is so central to Qubes: a virus hiding in one file would then be available to inflict damage on all your virtual machines, for example. But it does offer convenience for those used to having all their files in one place.

In the end I had to set aside my experimentation with Qubes, although I had things fairly well set up. I do mobile development, and it turns out that the Android Emulator is — guess what? — a virtual machine. And Qubes does not support running virtual machines under virtual machines.

Nonetheless, Qubes is a valuable addition to our supply of anti-bad-actor technologies. A number of security experts recommend it for some users, and so do I.