Monday, September 03, 2012

Introducing Qubes 1.0!

After nearly three years of work, I have a pleasure to announce that Qubes 1.0 has finally been released! To see the installation instructions and to get an ISO, please go to this page.

I would like to thank all the developers who have worked on this project. Creating Qubes OS has been a great challenge, especially for such a small team as ours, but ultimately, I'm very glad with the final outcome – it really is a stable and reasonably secure desktop OS. In fact I cannot think of any more secure alternative...

I use the term “reasonably secure”, because when it comes to defensive security it's difficult to use definite statements (“secure”, “unbreakable”, etc), unless one can formally prove the whole design and implementation to be 100% secure.

Unfortunately, contrary to common belief, there are no general purpose, desktop OSes, that would be formally proven to be secure. At the very best, there are some parts that are formally verified, such as some microkernels, but not whole OSes. And what good is saying that our microkernel is formally verified, if we continue to use a bloated and buggy X server as our GUI subsystem? After all, a GUI subsystem has access to all the user inputs and output, thus it is as much security sensitive, as is the the microkernel! Or power management subsystem, or filesystem server, or trusted boot scheme, or ... a dozens of other elements, which just cannot be forgotten if one wants to talk about a truly secure OS. As said before, I know of no general-purpose desktop OS that would be formally proven, and thus that could be called “secure”. You can also read more about challenges with formal verification microkernels in this article, and especially in this comment from the seL4 project leader.

In Qubes OS we took a practical approach and we have tried to focus on all those sensitive parts of the OS, and to make them reasonably secure. And, of course, in the first place, we tried to minimize the amount of those trusted parts, in which Qubes really stands out, I think.

So, we believe Qubes OS represents a reasonably secure OS. In fact I'm not aware of any other solution currently on the market that would come close when it comes to secure desktop environment. But then again, I'm biased, of course ;)

I wouldn't call Qubes OS “safe”, however, at least not at this stage. By “safe” I mean a product that is “safe to use”, which also implies “easy to use”, “not requiring special skills”, and thus harmless in the hands of an inexperienced user. I think that Apple iOS is a good example of such a “safe” OS – it automatically puts each application into its own sandbox, essentially not relaying on the user to make any security decisions. However, the isolation that each such sandbox provides is far from being secure, as various practical attacks have proven, and which is mostly a result of exposing too fat APIs to each sandbox, as I understand. In Qubes OS, it's the user that is responsible for making all the security decisions – how to partition her digital life into security domains, what network and other permissions each domain might have, whether to open a given document in a Disposable VM, etc. This provides for great flexibility for more advanced users, but the price to pay is that Qubes OS requires some skills and thinking to actually make the user's data more secure.

Generally Qubes OS is an advanced tool for implementing Security by Isolation approach on your desktop, using domains implemented as lightweight Xen VMs. It tries to marry two contradictory goals: how to make the isolation between domains as strong as possible, mainly due to clever architecture that minimizes the amount of trusted code, and how to make this isolation as seamless and easy as possible. Again, how the user is going to take advantage of this isolation is totally left up to the user. I realize this might be a tricky part for some users and some usage scenarios, yet, on the other hand, this seems to be the most flexible and powerful approach we could provide.

Thus people should realize that by mere fact of using Qubes OS they won't become automatically more secure – it's how they are going to use it might make them significantly more secure. A hypothetical exploit for your favourite web browser would work against Firefox running inside one of the Qubes VMs just as well as it worked for the same browser running on normal Linux. The difference that Qubes makes, is that this attacked browser might be just your for-personal-use-only browser which is isolated from your for-work-use-only-browser, and for-banking-use-only-browser.

Finally, even though Qubes has been created by a reasonably skilled team of people, it should not be considered bug free. In fact, over the last 3 years we already found 3 serious bugs/attacks affecting Qubes OS – one of them in the very code we created, and two other in Intel hardware. Again, we tried as much as possible to limit the amount of code that is security sensitive in the first place, yet we are just humans ;) So, I'm very curious to see others' attempts to break Qubes – I think it might make for a very interesting research. A good starting point for such research might be this page. And I know there are individuals out there who apparently only been waiting for Qubes 1.0 to come out, to get some glory (yet, it's not clear to me why to attack qemu, which is not part of the TCB in Qubes, but I guess great minds have their own mysteries ;)

In other words, please enjoy Qubes OS 1.0, hopefully it could make your digital life safer!

Please send all the technical questions regarding Qubes to the qubes-devel mailing list. Do not send them to me directly, nor post them in this blog's comments.

52 comments:

vizzdoom said...

Great, this is important milestone for this project. Congratulations!

Anonymous said...

I am not able to visit this URL for download - http://wiki.qubes-os.org/trac/wiki/InstallationGuide.

Can you give me direct link for download please?

Anonymous said...

Congrats!

Anonymous said...

Congratulations with your project.

Greetings Dhyan

Black said...

Wow! This release sure is great news! Unlike previous versions, can we now see how this works as a virtual machine?

Joanna Rutkowska said...

Seems like our Wiki server got a little bit overloaded ;)

Here are the direct URLs to the ISO and the signature:

http://qubes-os.s3.amazonaws.com/iso/Qubes-R1-x86_64-DVD.iso

http://qubes-os.s3.amazonaws.com/iso/Qubes-R1-x86_64-DVD.iso.asc

Also, if you can, please use the bit torrent link instead:

http://qubes-os.s3.amazonaws.com/iso/Qubes-R1-x86_64-DVD.iso?torrent

Gi0 said...

Congrats to you Joanna and to everyone that helped!
Please consider creating a Twitter account.

Joanna Rutkowska said...

@Gi0: interesting request -- what kind of info would you expect me to share on my twitter account, beyond what I already do on my blog?

Felix said...

Congratulations. I hope the project has a bright, and open, future.

Anthony Mills said...

Great work guys. I look forward to downloading and trying out this release.

Anonymous said...

The "contrary to common believe" should be "contrary to common belief".

Saurabh Shah said...

You sound just like I'd like to sound when I express thoughts!

Anonymous said...

@ Joanna Rutkowska

Not everyone is going to check your blog every day. Many people check twitter every day.

Anonymous said...

This is great news!!! Congrats!

Rafael Romo Mulas said...

Hello, I've been a lurker here through OSNews, always interested in this project and now I definitely want to try it out myself. I was reading again your "Partitioning my digital life into security domains" and something occurred to me about the problem of transferring untrusted raster images to secure domains, but being no security expert (nor IT expert for that matter), I wanted to ask if it was silly or not. And the question is this: wouldn't it be completely secure to "convert" the image by doing a screenshot and then cutting the interested image out? In case it would, maybe you could create a simple tool to use this method even on images larger than the screen resolution, by doing a composite of screenshots. With some serious text recognition software, this could also work for copy-pasting text. Basically, a tool for copy-pasting ONLY what you see on screen. I guess it's not that easy as I think, or you would have thought about it yourself. :)
Congrats for the project, I hope it gets a lot of visibility with this milestone.

Damian said...

After 8 years of following your research work / blog posting I cannot say anithing less than a big "Congratulations ITL! keep rocking!"

BTW, any plans for doing a server version of Qubes ?

jjbarrows said...

Thankyou! I've .been hoping an is with disposable VMs would come along, and now it has

Chdslv said...

Gratulacje!!!

wander said...

I'm gonna check on some vm asap!
I'm happy you reached this stage, finally something new in the clogged os panorama.

Victor said...

Good job, Qubes OS team! Thanks the work that you are doing!

Are there any plans for supporting hardware-accelerated graphics in virtual machines? Would it be possible at some point to get the same kind of user experience as the majority of desktop users are currently having on Windows / Mac OS? How does it fit into your vision of a 'safe' OS as you describe it in you post?

Anonymous said...

hello

Congratulations on qubies release

2 questions i have to ask are there any live DVD also how ease of use it is for average linux user who is no CLI ninja

Anonymous said...

Thank you and congratulations.

Anonymous said...

Hi Joanna,

congratulations to you and your team. Great to see that some people do care about computer security!!

I just downloaded the iso by torrent in order to test qubes.

I also downloaded the .asc file to check file integrity.

But I can not find the public key to check file integrity. Those keys I found have already expired.

Could you help??

Thanks!

Anonymous said...

If Rafal left for Bromium, that means Bromium must be headed along a similar "reasonably secure" path, musn't it?

Anonymous said...

Or Bromium is more generous with money hats ;)

Gi0 said...

@Joanna
It's not just the info you may provide,obviously 160 characters cannot be compared to a blog post of yours.
It's your comments on subjects that may trigger your attention. Let's say the 0day selling thing that got Charlie Miller, EFF and others debating recently.
It's a link to paper on something you may find interesting and you wouldn't write a full blog post for.
Also, people you would consider following i'd follow too, assuming you won't use your account for saying hi to your niece every morning.
The only con is that you'll probably have to be persuaded that all of this isn't a time wasting activity:)

Anonymous said...

Silent lurker here,

I deply admire your technical skills. Intel will have vt-d capable Atom chips in a few years. Qubes-Embedded would be quite useful by then...

Hat off. Keep the good work.

Portaro said...

Amazing work you have, but finally is here, congratulations for your big Distro! To the top of security distros.

Anonymous said...

Big congrats! Lots happening in the vm world lately.

Any thoughts on the recent page-map Xen privilege escalation?

http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php

How does Qubes mitigate this sort of attack?

Cheers!

Anonymous said...

Congratulations!

Joanna Rutkowska said...

@Anonymous: the SYSRET attack (or page-map attack on Xen, as you call it) has been known for quite a while and been patched accordingly. This is one of those two hardware attacks against Xen/Qubes I mentioned in the blog article.

https://groups.google.com/d/msg/qubes-devel/JIpZoQUP6dQ/g6TvtpUHzBQJ

Tom said...

Website is woefully out of date and downloads are not working ... congrats.

Sergei Chudakov said...

Good job, Joanna!

Jiří Hanzelka said...

Great informations and probably hard work too thank you.

Anonymous said...

thanks for sharing this project with the community..& keep on the good work!
Greetings from Spainstan

Anonymous said...

Very promising project! Congrats to the team for the huge work.

Question: Is it technically possible to run Qubes as VM inside VMware Workstation for testing? I tested but unfortunately it does not work.

Anonymous said...

Virtualbox and Fusion also doesn't seem to work.

jsbenson said...

Hi, I'll second the question about support for running Qubes inside Vmware Workstation version 8. I'd like to run your system inside vmware for a while to get used to it first. I've got a Core i7 laptop with 8G of RAM specifically for this kind of experiment.

Elias Bachaalany said...

Great job. I have been using Qubes since the early betas. Keep it up.

Anonymous said...

Congratulations,
Both on figuring out what is and is not a truly secure OS (and being truthful about it) and incorporating light-weight, fast-boot VM's. Now that's what I call isolation!
- v0xCAB

Anonymous said...

Hi,

I'm feel very interested by your linux distro qubes.

That made me go trying to download it through the links of your trac wiki.

Unfortunately the direct link no amazon doesnt work when clicked it, i had an xml file from amazon telling me about the endpoint updated.

Here after the link i rebuilded myself and used to get the iso file https://qubes-os.s3.amazonaws.com/iso/Qubes-R1-x86_64-DVD.iso

Hope this will help somes O:)

Thanks of your distro :)

Elias Bachaalany said...

@Anon: I had luck w/ beta 3 and VMware.

Latest builds don't work but would love to try them first in VMware.

Andrew Cunningham said...

I remember you demonstrating an early version of Qubes on your virtualization course at Black Hat Europe in 2010 and being very impressed. Glad to see the progress made on the project and I'm looking forward to having a good play with it. Congratulations.

kareldjag said...

Nice and interesting project.
Could also be noticed SafeOS, French dormant project, evaluated by Loic Duflot, and designed for online taxes payment http://safe-os.lri.fr/
http://translate.google.com/translate?hl=fr&ie=UTF8&prev=_t&sl=fr&tl=en&u=http://www.agence-nationale-recherche.fr/magazine/actualites/detail/resultats-du-defi-sec-si-systeme-d-exploitation-cloisonne-securise-pour-l-internaute/

Similar architecture already available on critical environment (Desktop or embedded)
Polyxene http://www.polyxene.com/secure-operating-system.aspx

LynuxWorks OSs http://www.lynuxworks.com/
GreenHill OS http://www.ghs.com/products/rtos/integrity_virtualization.html

Open Kernel Labs mobile solutions
http://www.ok-labs.com/products/overview

Well i like the terminology "raisonably" far from the terminolgy "Indetectable" devoted to BluePill...
Then with or without Charles KILLER, it is up to the Qubes team to get an EAL 5 (i guess) certification
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

Like LiveCD or any other secure or exotic OS, it of course still vulnerable to client/server side attacks (network or web application based): if we can control what occurs on the local host, it is impossible in practise to circumscribe what happens on the server sides.
Best whish for your Baby...

Antonio said...

Joanna and ITL folks,

Thank you for this great project and congrats on your latest achievement!

Joanna, would you ever consider moving from KDE to Cinnamon? It's a beautiful work, user-friendly, elegant and stable(from my 2 months experience) and I absolutely want to see it on Quebes.

Again congrats and keep up the great work!

Antonio

Alexey said...

Joanna,

It seems the Amazon BT tracker has died or something -- I was seeding the R1 .iso for a while but now there is "Tracker error HTTP 400 Bad Request".

Joanna Rutkowska said...

@Antonio: why not consider integrating Cinamon yourself and then send us the patches?

@Alexey: as indicated on the Installation page, we switched to a different provider to serve ISOs (SF.net) in order to reduce the costs.

Gary said...

Congratulations to you and your team. Qubes is a brilliant idea and a huge step forward for computer security. Thank you for your passion and hard work.
Cheers!
Gary

Toka Fondo said...

Hello, congratulations and my compliments for all your work and the team behind Qubes. Now if it gets NSCA Certified, then it will be *THE* secure OS.

I think some kind of contest could be created, in the future, to test Qubes security -- that was a suggestion and not a way of lowering the value of your work.

Keep the good work.

Anonymous said...

Those security levels reminds me of Trusted Solaris. The logic seems exactly the same.

Nick P said...

Congratulations to the Qubes team! I know you've all worked hard to get this far. Funny that the release ends up on my birthday. The interface is nice compared to CMW's, good usability & I definitely plan to try using it day-to-day in near future to see what that's like.

Good luck on future efforts!

Anonymous said...

Congratulations to you and your team.

Especially for travelling with a notebook I find your setup very interesting.

Unfortunately your hardware requirements are too high for my notebook to run smoothly.

Is there a way to lighten the load?
E.g. which steps should I take to switch from KDE with a lighter DE?

Any pointer would be welcome.

Thank you in advance