“What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security.”
Qubes OS: An Operating System Designed for Security
44 Comments
Interesting concept, but one does wonder how difficult it will end up being to set up and maintain properly in real environments? It’s not enough to be secure, it has to be usable from an administrative standpoint too.
Edited 2011-08-30 23:05 UTC
“What would an operating system look like it if were redesigned with security in mind?”
It would be OpenBSD then, that I use :)
KISS, great code quality and best manuals ever. A Linux-based distro is just… another Linux-based distro, nothing more.
-
2011-08-31 9:01 am renox
“What would an operating system look like it if were redesigned with security in mind?”
It would be OpenBSD then, that I use :)
Not really: OpenBSD doesn’t have capabilities, doesn’t use “safe” languages such as Ada, etc.
-
2011-08-31 10:35 am moondevil
An operating system coded in a mix of C and Assembly, without capabilities and which relies on pure code review as its security measure is by definition not secure.
I am a firm believer in the use of safe languages for system programming. A few examples do exist, but it takes years before the status quo of current systems does change.
In a way we have to thank all the kids exploiting badly coded applications out there. They have raised the awareness that sometimes safety is better than raw speed and made it easier to get research grants for OS development with safe system programming languages.
-
2011-08-31 11:41 am joshv
What is a “safe” language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn’t on your safe list, but how do other languages do it differently enough that they aren’t vulnerable to similar exploits?
-
2011-08-31 11:53 am renox
What is a “safe” language? Java was supposed to be safe, but there are regular JVM exploits.
Note that the JVM isn’t coded in Java.
So JVM exploits don’t count as Java’s vulnerabilities.
Anyway, I agree with you that “safe” languages don’t really exist, but “safer” languages (i.e. safer than C) do exist.
-
2011-08-31 12:22 pm moondevil
Safe languages are languages that do the following:
– Bound check validation of arrays;
– Use proper string data types;
– No direct port IO;
– No pointer arithmetic;
– GC enabled if possible;
– Force initialization of variables before use;
– No direct conversion between data types.
Ada, Oberon, Modula-3, D, Spec# are a few examples of safe system programming languages with real OSes written in them (except D).
Usually you can always do the same dirty tricks as C and C++ allow, but only via unsafe mechanisms, which you have to call explicitly, and it is very easy to constrain their usage to specific modules. Whereas in unsafe languages they can happen anywhere in your code.
Plus, in very performance critical code it is possible to disable some of the security checks if you so wish, but then you are at your own risk.
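As an added example (not from this thread, Qubes OS, or any of the languages named above), here is how the list above plays out in Rust, a current language built along the same lines: slice accesses are bounds-checked, a raw unchecked read only compiles inside an explicit `unsafe` block, and lint attributes confine those blocks to a single module. The module and function names are constructed for illustration.

```rust
// Added example: a "safe" systems language confining the dirty tricks the
// comment above describes. Rust stands in for the languages it lists; the
// module and function names are constructed for illustration.

/// The only module permitted to bypass the checks. A reviewer knows that a
/// memory-safety bug can live here and nowhere else in the crate.
#[allow(unsafe_code)]
mod raw {
    /// C-style unchecked read. The caller must guarantee `index < buf.len()`;
    /// violating that contract is undefined behaviour, exactly as in C.
    pub fn read_unchecked(buf: &[u8], index: usize) -> u8 {
        debug_assert!(index < buf.len(), "caller violated the index contract");
        // SAFETY: the only caller, `checked::read_fast`, validates `index`
        // against `buf.len()` before calling.
        unsafe { *buf.get_unchecked(index) }
    }
}

/// Everything else is compiled with `unsafe` forbidden: a stray pointer
/// cast or unchecked access here is a compile error, not a latent bug.
#[forbid(unsafe_code)]
mod checked {
    /// Bounds-checked read: an out-of-range index yields `None` instead of
    /// returning whatever bytes happen to follow the buffer.
    pub fn checked_read(buf: &[u8], index: usize) -> Option<u8> {
        buf.get(index).copied()
    }

    /// The single validated entry point into the unsafe module. The check is
    /// done once here, so `raw::read_unchecked` never sees a bad index.
    pub fn read_fast(buf: &[u8], index: usize) -> Option<u8> {
        if index < buf.len() {
            Some(super::raw::read_unchecked(buf, index))
        } else {
            None
        }
    }

    /// Sums `count` bytes starting at `start`. A range that leaves the buffer
    /// (or a `start + count` that overflows) is reported as `None`; with plain
    /// `buf[i]` indexing it would panic at the bad access. Either way nothing
    /// reads past the end, which is the C behaviour the list rules out.
    pub fn sum_range(buf: &[u8], start: usize, count: usize) -> Option<u32> {
        let end = start.checked_add(count)?; // overflow is an error, not a wrap
        let window = buf.get(start..end)?;   // None if the range leaves the buffer
        Some(window.iter().map(|&b| u32::from(b)).sum())
    }
}

fn main() {
    // Constructed sample input: a 4-byte buffer.
    let buf = [0x10u8, 0x20, 0x30, 0x40];
    println!("checked_read(buf, 2) = {:?}", checked::checked_read(&buf, 2));
    println!("checked_read(buf, 9) = {:?}", checked::checked_read(&buf, 9));
    println!("read_fast(buf, 3)    = {:?}", checked::read_fast(&buf, 3));
    println!("sum_range(buf, 1, 3) = {:?}", checked::sum_range(&buf, 1, 3));
    println!("sum_range(buf, 2, 3) = {:?}", checked::sum_range(&buf, 2, 3));
}
```

Moving the `unsafe` block out of `raw` into `checked` makes the crate fail to compile, which is the "constrain its usage to specific modules" property in practice.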
-
2011-08-31 12:43 pm moondevil
What is a “safe” language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn’t on your safe list, but how do other languages do it differently enough that they aren’t vulnerable to similar exploits?
Those exploits take advantage of the fact that most JVMs are written in a mixture of C, C++ and assembly. So they exploit buffer overruns in the JVM, by providing invalid .class files or through the native methods that do image manipulation, for example.
That is why there are a few research JVMs written in Java itself with minimal amount of C and assembly, like the Squawk and JikesRVM ones.
-
2011-08-31 1:11 pm joshv
Ah interesting, so a self-hosting VM based “safe” language could be considered to be safer than those that are hosted in a VM written in an unsafe language. Makes sense. Though I imagine there have to be some performance issues.
-
2011-08-31 3:17 pm moondevil
It all depends on how everything is compiled in the end.
You might find this information interesting,
http://jikesrvm.org/Presentations
http://labs.oracle.com/projects/dashboard.php?id=155
Please note that Oracle labs are currently down.
-
2011-08-31 4:37 pm joshv
Yeah, I guess either you are stuck running your safe VM inside of a VM written in an unsafe language, or somehow creating a native compile of the VM from the safe language source – but then you have to worry about the safety of the compiler and the resulting object code.
-
2011-08-31 8:10 pm moondevil
Yeah, I guess either you are stuck running your safe VM inside of a VM written in an unsafe language, or somehow creating a native compile of the VM from the safe language source – but then you have to worry about the safety of the compiler and the resulting object code.
There are ways to prove that the small subset of unsafe code you might require is safe, via theorem provers. But this does not scale, hence the requirement to reduce it to the indispensable minimum.
You can have an OS fully coded in a safe systems programming language, with Assembly only being used for the boot loader and the creation of the unsafe modules that abstract hardware access. Everything else is done in a safe way.
This goes a bit into the abstract classes at the university with lots of math theory that not all CS students like.
-
2011-09-01 3:20 pm sakeniwefu
There is no language safer than C in a Unix-like environment, because its shortcomings are well understood by anyone who has taken the time to learn about them.
Saying that C isn’t secure because of buffer overflows is a bit silly nowadays.
Memory corruption attacks are going the way of the dodo. The few still working rely on lazy implementations of exploit prevention technologies or evil designs such as self-modifying code and custom memory management. All high-level management decisions which can be fixed, or not far away from C level.
Most security bugs being talked about in OpenBSD misc@ and tech@ lists nowadays are logic bugs. Most actual exploits for other systems in the wild, exploit logic bugs.
Your hash function drops every other bit because of some logic error and anyone can login as root in about ten attempts? Your web server code uploads any file to a user-specified path, and has permissions for everything? A race condition in your file locks?
No problem, just use Haskell. Oh, wait…
Please tell me how your safe languages will help me.
About proofs, Donald Knuth had this to say.
“Beware of bugs in the above code; I have only proved it correct, not tried it.”
It’s easy to make something work as designed. It’s harder to design something right, especially if you think you don’t need to worry about security.
Edited 2011-09-01 15:22 UTC
-
2011-09-02 7:26 pm Alfman
sakeniwefu,
“There is no language safer than C in a Unix-like environment, because their shortcomings are well understood by anyone who has taken the time to learn about them.”
I say this as a knowledgeable C developer…it is far easier to corrupt the process in C than many of the other languages around.
Even though I code very defensively, I sometimes end up writing bugs. These can be as “harmless” as following the wrong code path and functions returning wrong answers (these errors will happen in any language), or they can corrupt the heap and stack (these errors would have been prevented/caught with safe languages).
“Saying that C isn’t secure because of buffer overflows is a bit silly nowadays.”
C doesn’t imply the existence of buffer overflows, however many languages do imply the non-existence of them.
I often prefer C nevertheless, but it takes a great deal of effort to make it safe under all conceivable conditions.
-
2011-08-31 7:27 pm pfgbsd
“What would an operating system look like it if were redesigned with security in mind?”
It would be OpenBSD then, that I use :)
Not really: OpenBSD doesn’t have capabilities, doesn’t use “safe” languages such as Ada, etc.
Capabilities or “safe languages” don’t necessarily imply security. That said there are capabilities and safe languages implemented for OpenBSD but few people know about them.
-
2011-08-31 10:37 am Phucked
LOL OpenBSD is not secure at all.
OpenBSD is a hacked, rigged and slapped together piece of crap screaming to the world that it’s something it’s not. OpenBSD treats security as an afterthought, and it’s based on an outdated and archaic foundation. We need operating systems that are built from the ground up to be secure.
Edited 2011-08-31 10:39 UTC
-
2011-08-31 1:47 pm said1
Talking of Unix like OSes as “Designed for Security” is a true oxymoron. Sandboxing and in depth code reviews a la OpenBSD don’t help you very much when you have millions of lines of code running in kernel mode.
A far better choice would be a formally verified microkernel like seL4, where you don’t even need that heavy sandboxing to properly isolate applications.
-
2011-08-31 2:20 pm renox
I agree with you, but ‘better’ is too strong, as don’t forget that seL4 has quite a few drawbacks too:
1- the formally verified seL4 is much younger than OpenBSD.
2- it is proprietary: its source code isn’t available.
3- to properly isolate applications on seL4, you don’t need “heavy sandboxing”, ok, but I think that you need to use “capabilities” APIs: the number of applications which use such APIs is much smaller than POSIX/OpenBSD applications.
-
2011-08-31 9:11 pm said1
I agree with you, but ‘better’ is too strong, as don’t forget that seL4 has quite a few drawbacks too
Sure, and it has far more drawbacks; even if you can build something similar on top of “vanilla” (ehm… Pistachio) and open source L4, whose security affinity, even if not formally verified, is light years from monolithic kernels, it dramatically lacks whatsoever is needed for a barely usable OS.
It is a matter of concept. Linux, *BSD, with all the security bells and whistles enabled such as PaX, W^X, SELinux and so on… I’d rather name them all “Adapted for Security” rather than “Designed”.
It is a nice concept, but it won’t protect against exploits limited to a single application. Especially the browser.
If someone exploits your browser into revealing your passwords, or tells it to wipe clean your home directory, it’s possible it will succeed.
It won’t escalate outside of the application’s VM, but it’s still a problem.
Filesystem damage can be alleviated with VM mechanisms or filesystem snapshots; private data leaks cannot.
It gets more interesting if you want to share a directory between two apps that are on different security levels and ensure that they can exchange the files, and protect against potential data damage in case either app is compromised/unstable.
A quote from Rutkowska: “So, in short, virtualization doesn’t bring any security advantage by itself, but it allows for a brave redesign of the OS and yet to reuse all the applications and drivers in this radically-changed design. And this is exactly what we do in Qubes.”
What I don’t get so far is which OS exactly Qubes is based on so we can reuse its applications and drivers. Is it Windows, Linux, BSD? She does say that the Qubes desktop will be “as easy to use as Windows desktop”, but this is different from saying that Qubes is based on Windows.
-
2011-08-31 2:32 pm
What would an operating system look like it if were redesigned with security in mind?
OpenBSD.
-
2011-08-31 7:29 pm pfgbsd
What would an operating system look like it if were redesigned with security in mind?
OpenBSD.
Replying to my own comment… the issue is that really secure operating systems don’t do much: part of the security in OpenBSD consists of turning off anything that is not strictly necessary.
-
2011-09-01 11:35 pm bannor99
I don’t think so. OpenBSD is secure mostly because the code is audited, which is tedious, and they try to adhere to best practices of coding for insecure languages.
IMO, redesigned for security means from the ground up.
It’s the difference between a maximum-security prison and a fenced stockade with dogs and frequent prisoner checks.
In short, designed for security means it should be hard for you to accidentally create a security hole while still being completely functional.
-
2011-09-02 8:05 pm Alfman
bannor99,
“I don’t think so. OpenBSD is secure mostly because the code is audited, which is tedious, and they try to adhere to best practices of coding for insecure languages.”
I tend to agree that sometimes this is the best we can do, but security problems also stem from failure to keep a handle on complexity. Complexity is the enemy of security. How does OpenBSD stand next to Linux in terms of complexity?
The ideal solution (in terms of security) would be for all components to be isolated and communicate through well defined (and enforced) IPC – essentially a microkernel.
“IMO, redesigned for security means from the ground up.”
I put forward some ideas a while back while discussing Neolander’s work. Starting with a safe language, we could build components whose isolation is enforced through the compiler instead of through MMU/CPU protection hardware. This would eliminate all the overhead traditionally associated with microkernel IPC. One component would pass around object references as efficiently as calling a local function. The compiler would be responsible for ensuring a buggy component couldn’t corrupt another component in the same memory space. Since the references are isolated, variables are type safe, and arrays are bounds checked, even a malicious programmer is unable to mess with other components except through the well defined interfaces. And even those could be secured through policy.
Oh how I wish I could earn a living building it.
-
2011-09-02 9:20 pm bannor99
QNX seems to have been able to build a true microkernel OS that performs very well – how did they do it?
Complexity may be the enemy of security but you cannot do away with it completely so you must have safe designs, tools, languages, etc.
I think we chose the wrong path decades ago and we may never fully switch. What I mean is that the monolithic design prevailed because of its performance and we had to live with the bugs, security risks, crashes and system restarts.
The $100 billion question: would we have been better off to go microkernel and try to mitigate the performance deficit (which would improve quickly over time as hardware sped up by leaps and bounds every few years) or did we do right by choosing performance and having to live with the downsides of the monolithic design?
-
2011-09-02 11:07 pm Alfman
bannor99,
“QNX seems to have been able to build a true microkernel OS that performs very well – how did they do it?”
I’m not very familiar with it at all, so I can’t really say.
“Complexity may be the enemy of security but you cannot do away with it completely so you must have safe designs, tools, languages, etc.”
Yeah, I know, but Linux is an obvious example of where too much has gone into the kernel. Now every developer compiling the kernel has to weed through the most esoteric hardware in existence, and the self-documentation doesn’t even make clear who needs it; anyone who’s compiled Linux will recognize this problem.
They throw way too much into the kernel for the sake of it, not because of performance or because it makes any sense. Of course a lot of this is Linus’ fault for steadfastly refusing to adopt a steady ABI/API which would allow devs to compile/distribute drivers outside of the kernel (even when they get linked back in during run time).
“I think we chose the wrong path decades ago and we may never fully switch. … The $100 billion question – would we have been better of to go microkernel and try to mitigate the performance deficit”
I concur. The inefficiencies of a microkernel approach would have been worked out in hardware, but the complexity/insecurity of a macrokernel cannot be.
What’s going on?
We get actual operating system news and it gets 3 lines on the second page.
We get patent news and it gets force fed to everyone.
Maybe it’s time for a name change to PatentNews.com
Well your content-less comment certainly helped prove just how much regular readers are engaged by Serious OS news.
I, for one, would be interested to play with Qubes. From the article, it would seem to mean that Qubes would really perform poorly when compared to other operating systems. Instead of just one operating system, you’d be running 3-6. Most of that would be duplicate processing and duplicate memory usage. Also, while your data may be secure due to the isolation of the virtual machines, a botnet would be more than happy to just inhabit one of them and continue attacking other systems, sending spam, and/or burrowing further into your network. Maybe it raises the bar a bit, but is the marginal security improvement worth the complexity? The more separated the virtual machines are, the more difficult it would be to interact with them. The less separated, the less secure. I think SELinux is just now starting to be worth it for me.
Meh, 4 GB is min now, 8GB will be standard soon.
Sure your browsing instance could get infected and become a bot, but at least it’s not going to spread to the base OS or the other VMs. And it’s also very very easy to re-image a suspect VM with a known safe image.
Yeah, there are always tradeoffs to be made. In this case you’d be trading memory (and maybe speed) for security. As I said before, maybe it’s worth it for some people. I just get sick of marketing material that promises a great improvement in X, while completely ignoring the accompanying regression in Y. It’s always best to present all the info up front so people can evaluate technologies as quickly and easily as possible.
I think that’s the primary goal of bot writers. So maybe the best approach for system admins is to regularly reimage the browsing vm to disrupt botnets and malware.
She’s hot too. She can totally secure my PC.
I was going to post something insulting here, but eventually I realized a polite refutation would probably be more useful. So…
Rutkowska is a world-renowned security expert. I’m not sure what your credentials are – for all I know they might be quite impressive – but you’ve basically gone and indicated that her skills take a back seat to her looks. Which is pretty insulting.
Think about it. If you were a legit genius, and people said stuff like that about you, I’m betting you’d get pretty tired of it pretty fast.
Edited 2011-08-30 23:13 UTC
Oh, come on. To say that a woman is pretty, it is quite a compliment. To ignore her qualities as a woman, that would be insulting IMHO. Smart, pretty, and world-known expert – guys must have quite a hard nut to crack, or she may already have a happy personal life, so good for her! Loosen up.
No. This sexist kind of behavior makes me think of http://xkcd.com/322/
Really. The only sexist behaviour in this thread are the men assuming this lady needs protecting. Saying a girl is pretty is not sexist – it’s a compliment, and I can assure you, most girls perceive it that way.
I happen to be one of those guys who has always preferred hanging out with women, and I can assure you: women are no different. They talk about us guys in the exact same way, and they sure as hell don’t need men “sticking up for them” whenever a guy calls them pretty.
So, I’ll just be upfront about it: she indeed looks quite attractive, and there’s nothing wrong with stating as such.
Edited 2011-08-31 10:52 UTC
Maybe an actual woman could chime in on this rather than men thinking they defend women.
If I say I don’t think she’s hot is that an insult or a compliment?
Too bad she’ll never read your ILOVEYOU email.
There are some people saying that she used to be a… he.
(source: http://www.rutkowska.yoyo.pl )
And…what’s your point? Have we not, as rational thinkers, far exceeded the point where the person’s sexual orientation takes a back seat to their accomplishments?
Guy, girl, transgender, natural sex, it doesn’t matter! Whether you agree with someone’s research or not, personal attacks — especially of a sexual nature — are not only childish but really have no place here. I’d expect this kind of pedantry on Slashdot but I thought the OSNews readership had grown up some.
And I do realize you weren’t making an accusation yourself, rather just bringing up the topic. But my point is, who the hell cares? I certainly don’t, and my opinion of the person’s research is not affected in the least by the question of her sexuality.
I was just pointing out that information to people saying that “she is hot” because maybe they don’t know about this.
My opinion of her research is not affected in any way.