The idea behind Disposable VMs is to have very lightweight virtual machines that can be created and booted quickly with a sole purpose of hosting only one application. “Then, once you’re done, you just throw it away,” Rutkowska explained.
Rutkowska, a security researcher known for her work on virtualization security and low-level rootkits, is building Qubes as an open-source OS meant to provide isolation of the OS’s components for better security. Qubes is based on Xen, X and Linux and relies on virtualization to separate applications running on the OS and also places many of the system-level components in sandboxes to prevent them from affecting each other.
In a blog post explaining the thinking behind Disposal VMs, Rutkowska said it would an ideal feature to open untrusted documents, especially when there’s an element of risk.
It’s quite reasonable to be afraid that a PDF might be malicious and might try to exploit your PDF viewer, and then try to steal your emails or other things you keep in the “work” AppVM (or “work-email” AppVM). It doesn’t matter if you trust the sender, as the sender’s OS might very well be compromised by some malware and might be infecting all outgoing PDFs without the user consent.
You could try opening the PDF in one of your non-sensitive VMs, e.g. the “random” VM that you use for causal Web browsing, to make sure that even if the PDF is malicious, that it won’t get access to any sensitive data. But what if the PDF is not malicious, and what if it contains some confidential data? In that case you might throw the baby out with the bath water (your “random” VM might have been already compromised and now it would be able to steal the secrets from your PDF file).
A disposable VM is an ideal solution here. You create a clean, disposable VM, just for the purpose of viewing the PDF. Then, once you’re done, you just throw it away. If the PDF was malicious it could done harm only to its own disposable VM, that doesn’t contain anything except… this very PDF. At the same time, the disposable VM is always started in a clean state, so there is no way somebody could steal the document. Only the document can steal itself 🙂
Rutkowska said basic support for Disposable VMs is planned for Beta 1, which is scheduled for the the end of the summer.