Joanna Rutkowska, a security researcher known for her work on virtualization security and low-level rootkits, has released a new open-source operating system meant to provide isolation of the OS’s components for better security.
The OS, called Qubes, is based on Xen, X and Linux and is in a basic, alpha stage right now. Qubes relies on virtualization to separate applications running on the OS and also places many of the system-level components in sandboxes to prevent them from affecting each other.
Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system.
Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.
The concepts of isolation and sandboxing have been around for decades, and are used in a number of applications, including hardened operating systems and some security products. And many security experts say that sandboxing is one of the more effective ways of preventing malicious code from affecting entire systems, rather than just one vulnerable application.
In a guest column in January on Threatpost, security researcher Dino Dai Zovi said that he expected more and more vendors to implement sandboxing and isolation in the coming year.
“The desktop analogue to the network firewall is the privilege separated
and sandboxed application. These mechanisms finally move the
bull (untrusted data) from the china shop (your data) to the outside
where it belongs (a sandbox). While it doesn’t quite reduce the attack
surface, it significantly raises the bar for an attacker through
defense-in-depth. If an attacker is able to exploit a vulnerability and
execute code, they must then exploit another vulnerability in the
sandboxing mechanism in order to break free and even read the user’s
data,” he wrote.
Rutkowska said that she plans to release the full version of Qubes by the end of 2010, and that she may create some commercial extensions to the OS in the future.
