Secure Desktops with Qubes: Introduction

This is the first in a multipart series on Qubes OS, a security-focused operating system that is fundamentally different from any other Linux desktop I've ever used and one I personally switched to during the past couple months. In this first article, I provide an overview of what Qubes is, some of the approaches it takes that are completely different from what you might be used to on a Linux desktop and some of its particularly interesting security features. In future articles, I'll give more how-to guides on installing and configuring it and how to use some of its more-advanced features.

When it comes to Linux security, server security tends to get the most attention. When you are hardening servers, you generally try to limit what any individual server does and use firewalls to restrict access between servers to only what is necessary. In a modern environment where a server is running only SSH plus maybe one or two other networked services, there are only a few ways for an attacker to get in. If a particular server does get hacked, ideally you can detect it, isolate that server and respond to the emergency while the rest of your environment stays up.

Desktop Linux security is a completely different challenge because of just how many different things you do with your desktop. Each action you take with your desktop computer opens up a new way to be compromised. Web browsing, especially if you still have certain risky plugins like Flash installed, is one major way a desktop can be compromised. E-mail is another popular attack vector since you need to open only one malicious e-mail attachment or click on one malicious phishing link for an attack to succeed. Linux desktops also often are used as development platforms, which means users might be downloading, building and executing someone else's code or running services directly on their desktop to test out their own code. Although some Linux users are smug when they think about all of the malware on other platforms, the fact is that the days when Windows was the only desktop OS in town are over, and these days, much of the malware is written in a cross-platform way so that it can run on many different operating systems.

The biggest issue with desktop Linux security is what's at risk if you do get hacked: all of your personal data. This could be anything from user names and passwords to important accounts like your bank or credit-card accounts, your social-media accounts, your domain registrar or Web sites you shopped at in the past that have your credit-card data cached. An attack could expose all of your personal photos or access to private e-mail messages. Attackers could leave behind a Remote Access Trojan that lets them get back into your machine whenever they want, and in the meantime, they could snoop on you with your Webcam and microphone. They even could compromise your SSH, VPN and GPG keys, which opens up access to other computers.

The core idea behind how Qubes provides security is an approach called security by compartmentalization. This approach focuses on limiting the damage an attacker can do by separating your activities and their related files to separate virtual machines (VMs). You then assign each VM a certain level of trust based on the level of risk that VM presents. For instance, you may create an untrusted VM that you use for your generic, unauthenticated Web browsing. You then might have a separate, more-trusted VM that you use only to access your bank. You may decide to create a third highly trusted VM that has no network access at all that you use to manage off-line documents. If you also work from your personal computer, you may create separate VMs for personal versus work activities, with the work VM being more trusted. If you browse to a malicious Web site with your untrusted Web browser, the attacker won't have access to your banking credentials or personal files since you store those on different VMs. Qubes even provides disposable VMs: one-time-use VMs that are deleted completely from disk after the application closes.

How Qubes Works

Although you certainly could use any of the virtual machine technologies out there to set up multiple VMs on your regular Linux desktop, that kind of arrangement can end up being pretty clunky, especially if you don't want multiple desktop environments running inside their own windows. There also are all kinds of mistakes you could make with that kind of set up that would eliminate any security benefits you might get. For instance, how should you share files or copy and paste between VMs securely, and how do you keep all of those VMs up to date with security patches?

Where a traditional Linux distribution made it easy for you to get all of the software you wanted to use without having to download and compile it all, Qubes provides a number of extra tools that makes it easy to manage a desktop full of different virtual machines all with different levels of trust. Qubes also approaches all aspects of the desktop with security at the forefront and uses secure defaults throughout the OS. In doing so, Qubes makes it more difficult (but not impossible) for you to shoot yourself in the foot.

Qubes uses Xen to provide all of its virtualization (if you want to know why Qubes chose that over other technologies, see the FAQ on the Qubes site). Instead of each VM having its own complete desktop environment, Qubes uses the more-privileged dom0 Xen VM as a host for the desktop environment (currently Qubes gives you the choice of KDE or XFCE, although the community has contributed others), and the other VMs display individual application windows within dom0's desktop environment.

So, launching Firefox in Qubes behaves much like you would expect in any other desktop distribution. The main difference, however, is that Qubes lets you color-code each of your VMs based on level of trust ranging from red (untrusted) to black (ultimately trusted) with a number of different rainbow colors in between.

When you launch an application from an application VM (appVM, in Qubes parlance), the VM starts up if it wasn't started before, then the application appears with a window border that is colorized based on the color you assigned its appVM. So, if you have two instances of Firefox on your desktop at the same time, you can tell your untrusted Web browser from your banking Web browser, because the untrusted one might be colored red while your banking browser might be colored green. Figure 1 provides a screenshot from Qubes' documentation that demonstrates the point.

Figure 1. Multiple Windows with Different Colors

Since the dom0 VM has privileged access to data about the other VMs in Xen, Qubes goes to extra lengths to protect it by having only the desktop environment run from it and by removing all network access from dom0. You are encouraged to do as little as possible in dom0, and instead, you should use appVMs for any applications you want to run. Qubes even intentionally makes it more difficult to copy files to or from dom0 compared to copying them between appVMs. In the dom0 desktop environment's application menu, each VM has its own submenu where you can launch each of its applications (Figure 2). Qubes provides tools so all of those submenus don't become too unwieldy, and you can select which applications appear under which appVM's menu.

Figure 2. Qubes Application Menu


Kyle Rankin is Chief Security Officer at Purism, a company focused on computers that respect your privacy, security, and freedom. He is the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu