Exploring the Qubes OS secure operating system

Small Is Beautiful

Besides good hardware abstraction and encapsulation, another positive feature of Qubes OS is the microkernel architecture: Programs classified as secure should have fewer than 0.5 bugs per 1000 lines of code; the average for typical programs is three to five bugs [7]. Not all bugs are related to safety; many are just plain annoying. However, most of the currently exploited vulnerabilities are caused by typical programming errors.

As the total number of errors decreases, so does the number of security-related bugs. Because a microkernel has fewer lines of code, it has fewer errors, and thus fewer vulnerabilities. Vulnerabilities in the kernel are especially dangerous, so avoiding kernel vulnerabilities is especially critical.

Platform Independent

Thanks to templates for the app VMs, Qubes OS is quite easy to configure; a new VM is quickly set up. The default template in Qubes R2 Beta 2 is based on Fedora 18 (64-bit); initially, the user can choose from three color-coded app VMs – work, personal, and random. The many tips on the website also help users get started.

Qubes OS users are not restricted to one operating system because of the underlying Xen hypervisor and the virtualization technology. Different systems can run on different app VMs.

The wiki for exchanging information with colleagues on the intranet could be based on OpenBSD, for example, for security reasons. MS Office files mailed to you no longer need a viewer: You can read them natively in a Windows app VM. This design creates a high degree of flexibility and security.

Substantial Test Overhead

If you want to quickly try out Qubes OS R2, you'll have to navigate one major obstacle: The hardware compatibility list [8] is very short. No virtualization environment (Parallels, VirtualBox, VMware Fusion) on the test system I initially used under OS X 10.7.5 was willing to cooperate with Qubes.

The problems with virtualization are underlined by a charming note on the Qubes website, asking users to refrain from posting further requests to the developer team relating to running Qubes in a virtual environment – because it simply does not work. Individual reports on various websites [9] of purportedly succeeding in running Qubes OS in a nested virtualization environment tend to contradict this dire warning, but unfortunately, clear information on the conditions is missing in all cases.

Ultimately, I turned to an old laptop for the test; Qubes was downloaded [10] and burned on a DVD in the old-fashioned way. After a nearly a three-hour-long installation, the test team at least managed to add a new device to the compatibility list: a Macbook Pro from 2007.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News