Everything's Virtual

Compartmentalization has always been a basic principle of security. For instance, limiting what can be done with a regular user account confines the damage that can be done by malware to the current user account. However, Qubes OS [1] takes compartmentalization to an extreme, running each window in its own Xen hypervisor [2]. The result is one of the most innovative desktop environments available, as well as what the project understatedly calls a "reasonably secure operating system."

Qubes is not the first distribution to emphasize security. A popular practice is to sandbox [3] questionable applications, often running them in virtual machines. In the last few years, the security-focused Tails [4] distribution has also become popular. However, as the Qubes documentation points out, virtual machines are only as secure as the host operating system. Similarly, Tails, while providing a strong measure of security, because it is designed to be run off a flash drive, is still monolithic, which means that if any part of it is cracked, the whole system is likely to be as well.

As for anti-virus applications and firewalls, they are at best a partial solution, because malware today is often concealed in legitimate applications. By contrast, so-called "bare metal" hypervisors like Xen do not run from the host operating system, making them more difficult to crack, whereas compartmentalization limits any potential damage and makes Qubes highly customizable as well.

[...]