mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-26 15:59:24 -05:00
Merge branch 'luzeal-patch-2'
This commit is contained in:
commit
9eb146a5a6
@ -17,6 +17,160 @@ redirect_from:
|
||||
|
||||
## General & Security
|
||||
|
||||
### What is Qubes OS?
|
||||
|
||||
Qubes OS is a security-oriented operating system (OS). The OS is the software
|
||||
that runs all the other programs on a computer. Some examples of popular
|
||||
OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and
|
||||
open-source software (FOSS). This means that everyone is free to use, copy,
|
||||
and change the software in any way. It also means that the source code is
|
||||
openly available so others can contribute to and audit it.
|
||||
|
||||
### Why is OS security important?
|
||||
|
||||
Most people use an operating system like Windows or OS X on their desktop
|
||||
and laptop computers. These OSes are popular because they tend to be easy
|
||||
to use and usually come pre-installed on the computers people buy. However,
|
||||
they present problems when it comes to security. For example, you might
|
||||
open an innocent-looking email attachment or website, not realizing that
|
||||
you're actually allowing malware (malicious software) to run on your
|
||||
computer. Depending on what kind of malware it is, it might do anything
|
||||
from showing you unwanted advertisements to logging your keystrokes to
|
||||
taking over your entire computer. This could jeopardize all the information
|
||||
stored on or accessed by this computer, such as health records, confidential
|
||||
communications, or thoughts written in a private journal. Malware can also
|
||||
interfere with the activities you perform with your computer. For example,
|
||||
if you use your computer to conduct financial transactions, the malware
|
||||
might allow its creator to make fraudulent transactions in your name.
|
||||
|
||||
### Aren't antivirus programs and firewalls enough?
|
||||
|
||||
Unfortunately, conventional security approaches like antivirus programs
|
||||
and (software and/or hardware) firewalls are no longer enough to keep out
|
||||
sophisticated attackers. For example, nowadays it's common for malware
|
||||
creators to check to see if their malware is recognized by any signature-based
|
||||
antivirus programs. If it's recognized, they scramble their code until it's
|
||||
no longer recognizable by the antivirus programs, then send it out. The
|
||||
best of these programs will subsequently get updated once the antivirus
|
||||
programmers discover the new threat, but this usually occurs at least a
|
||||
few days after the new attacks start to appear in the wild. By then, it's
|
||||
too late for those who have already been compromised. More advanced antivirus
|
||||
software may perform better in this regard, but it's still limited to a
|
||||
detection-based approach. New zero-day vulnerabilities are constantly being
|
||||
discovered in the common software we all use, such as our web browsers, and no
|
||||
antivirus program or firewall can prevent all of these vulnerabilities from
|
||||
being exploited.
|
||||
|
||||
### How does Qubes OS provide security?
|
||||
|
||||
Qubes takes an approach called **security by compartmentalization**, which
|
||||
allows you to compartmentalize the various parts of your digital life into
|
||||
securely isolated compartments called *qubes*.
|
||||
|
||||
This approach allows you to keep the different things you do on your computer
|
||||
securely separated from each other in isolated qubes so that one qube getting
|
||||
compromised won't affect the others. For example, you might have one qube for
|
||||
visiting untrusted websites and a different qube for doing online banking. This
|
||||
way, if your untrusted browsing qube gets compromised by a malware-laden
|
||||
website, your online banking activities won't be at risk. Similarly, if
|
||||
you're concerned about malicious email attachments, Qubes can make it so
|
||||
that every attachment gets opened in its own single-use [disposable
|
||||
qube]. In this way, Qubes allows you to do everything on the same physical
|
||||
computer without having to worry about a single successful cyberattack taking
|
||||
down your entire digital life in one fell swoop.
|
||||
|
||||
Moreover, all of these isolated qubes are integrated into a single, usable
|
||||
system. Programs are isolated in their own separate qubes, but all windows are
|
||||
displayed in a single, unified desktop environment with [unforgeable colored
|
||||
window borders][getting started] so that you can easily identify windows from
|
||||
different security levels. Common attack vectors like network cards and USB
|
||||
controllers are isolated in their own hardware qubes while their functionality
|
||||
is preserved through secure [networking], [firewalls], and [USB device
|
||||
management][USB]. Integrated [file] and [clipboard] copy and paste operations
|
||||
make it easy to work across various qubes without compromising security. The
|
||||
innovative [Template] system separates software installation from software use,
|
||||
allowing qubes to share a root filesystem without sacrificing security (and
|
||||
saving disk space, to boot). Qubes even allows you to sanitize PDFs and images
|
||||
in a few clicks. Users concerned about privacy will appreciate the
|
||||
[integration][Qubes-Whonix] of [Whonix] with Qubes, which makes it easy to use
|
||||
[Tor] securely, while those concerned about physical hardware attacks will
|
||||
benefit from [Anti Evil Maid].
|
||||
|
||||
### How does Qubes OS compare to using a "live CD" OS?
|
||||
|
||||
Booting your computer from a live CD (or DVD) when you need to perform
|
||||
sensitive activities can certainly be more secure than simply using your main
|
||||
OS, but this method still preserves many of the risks of conventional OSes. For
|
||||
example, popular live OSes (such as [Tails] and other Linux distributions)
|
||||
are still **monolithic** in the sense that all software is still running in
|
||||
the same OS. This means, once again, that if your session is compromised,
|
||||
then all the data and activities performed within that same session are also
|
||||
potentially compromised.
|
||||
|
||||
### How does Qubes OS compare to running VMs in a conventional OS?
|
||||
|
||||
Not all virtual machine software is equal when it comes to security. You may
|
||||
have used or heard of VMs in relation to software like VirtualBox or VMware
|
||||
Workstation. These are known as "Type 2" or "hosted" hypervisors. (The
|
||||
**hypervisor** is the software, firmware, or hardware that creates and
|
||||
runs virtual machines.) These programs are popular because they're designed
|
||||
primarily to be easy to use and run under popular OSes like Windows (which
|
||||
is called the **host** OS, since it "hosts" the VMs). However, the fact
|
||||
that Type 2 hypervisors run under the host OS means that they're really
|
||||
only as secure as the host OS itself. If the host OS is ever compromised,
|
||||
then any VMs it hosts are also effectively compromised.
|
||||
|
||||
By contrast, Qubes uses a "Type 1" or "bare metal" hypervisor called
|
||||
[Xen]. Instead of running inside an OS, Type 1 hypervisors run directly on the
|
||||
"bare metal" of the hardware. This means that an attacker must be capable of
|
||||
subverting the hypervisor itself in order to compromise the entire system,
|
||||
which is vastly more difficult.
|
||||
|
||||
Qubes makes it so that multiple VMs running under a Type 1 hypervisor can be
|
||||
securely used as an integrated OS. For example, it puts all of your application
|
||||
windows on the same desktop with special colored borders indicating the
|
||||
trust levels of their respective VMs. It also allows for things like secure
|
||||
copy/paste operations between VMs, securely copying and transferring files
|
||||
between VMs, and secure networking between VMs and the Internet.
|
||||
|
||||
### How does Qubes OS compare to using a separate physical machine?
|
||||
|
||||
Using a separate physical computer for sensitive activities can certainly be
|
||||
more secure than using one computer with a conventional OS for everything,
|
||||
but there are still risks to consider. Briefly, here are some of the main
|
||||
pros and cons of this approach relative to Qubes:
|
||||
|
||||
<div class="focus">
|
||||
<i class="fa fa-check"></i> <strong>Pros</strong>
|
||||
</div>
|
||||
|
||||
* Physical separation doesn't rely on a hypervisor. (It's very unlikely
|
||||
that an attacker will break out of Qubes' hypervisor, but if one were to
|
||||
manage to do so, one could potentially gain control over the entire system.)
|
||||
* Physical separation can be a natural complement to physical security. (For
|
||||
example, you might find it natural to lock your secure laptop in a safe
|
||||
when you take your unsecure laptop out with you.)
|
||||
|
||||
<div class="focus">
|
||||
<i class="fa fa-times"></i> <strong>Cons</strong>
|
||||
</div>
|
||||
|
||||
* Physical separation can be cumbersome and expensive, since we may have to
|
||||
obtain and set up a separate physical machine for each security level we
|
||||
need.
|
||||
* There's generally no secure way to transfer data between physically
|
||||
separate computers running conventional OSes. (Qubes has a secure inter-VM
|
||||
file transfer system to handle this.)
|
||||
* Physically separate computers running conventional OSes are still
|
||||
independently vulnerable to most conventional attacks due to their monolithic
|
||||
nature.
|
||||
* Malware which can bridge air gaps has existed for several years now and
|
||||
is becoming increasingly common.
|
||||
|
||||
(For more on this topic, please see the paper
|
||||
[Software compartmentalization vs. physical separation][paper-compart].)
|
||||
|
||||
|
||||
### What is the main concept behind Qubes?
|
||||
|
||||
To build security on the "Security by Compartmentalization (or Isolation)" principle.
|
||||
@ -590,3 +744,5 @@ Yes, Qubes natively supports automation via [Salt (SaltStack)](/doc/salt/).
|
||||
There is also the unofficial [ansible-qubes toolkit](https://github.com/Rudd-O/ansible-qubes).
|
||||
(**Warning:** Since this is an external project that has not been reviewed or endorsed by the Qubes team, [allowing it to manage dom0 may be a security risk](/doc/security-guidelines/#dom0-precautions).)
|
||||
|
||||
[paper-compart]: https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user