The Qubes high-security operating system gains traction in the enterprise
- 02 February, 2018 22:00
When nation-state adversaries frolic and gambol across your corporate network, playing hide-and-go-seek, sysadmins become central points of compromise. Savvy attackers know that if they can own sysadmins, they can own the network.
"I hunt sysadmins," an NSA operator brags in a slide leaked by Edward Snowden. Regardless of what one may think of Snowden, we may conclude that this is how the NSA, and other nation-state predators, think of their prey. Blessed with the keys to the kingdom, sysadmins are sitting ducks.
So how do you defend your enterprise — your intellectual property, the integrity of your customers' data, control of your systems — against such threats?
The high-security Qubes OS can be an effective part of a defense-in-depth solution. "Assume breach and compartmentalize" are wise words for both your network and for operating system design, and Qubes OS has been driving secure operating system innovation with little fanfare for the past eight years.
Founded by security researcher Joanna Rutkowska of "Blue Pill" fame, Qubes is built on a hypervisor, currently Xen, and enables users to compartmentalize their work into multiple virtual machines that map to multiple security domains. This makes it possible to segregate high- and low-security tasks on the same machine. Qubes currently supports Linux and Windows virtual machines.
"Qubes is especially valuable in industries where sensitive data has to be securely segregated, such as finance and health," says Andrew David Wong, chief communications officer for Invisible Things Lab, the developers of Qubes, "and it's particularly suited to knowledge workers who require access to untrusted resources while creating valuable intellectual property."
Qubes takes the segregation idea and runs with it, even going so far as to partition networking into a separate, untrusted virtual machine. USB drivers are also banished to their own virtual machine (VM) to reduce the risk of USB-based malware. Networkless "vault" VMs are ideal for storing code signing keys, a password manager, cryptocurrency wallets, and other sensitive data likely of interest to a persistent attacker. Disposable VMs reduce the risk of viewing a poisoned website, and Qubes's pioneering "convert to trusted PDF" feature is now apparently being used by recruiters to defend against malware-laced job applications.
Until now, however, Qubes has seen limited adoption in the enterprise, in part due to a lack of automated deployment and remote administration capabilities. That's set to change with the imminent release of Qubes 4.0, at release candidate 4 at the time of this writing.
Qubes: right for the enterprise?
Qubes 4.0 will offer enterprises the flexibility to deploy and manage a fleet of hardened Qubes laptops while retaining the strong endpoint security properties that make the operating system valuable. This makes it easy for sysadmins to offer stronger endpoint security to tech-savvy users like software developers, security researchers and geekier executives in their organizations.
"This is an important milestone for Qubes, and Joanna and team just keep crushing it," Kenn White, a director of the Open Crypto Audit Project, says. "While there are no silver bullets in security, the hardware-based micro VMs and segmented workspace architecture solves a whole class of common vulnerabilities."
"In a modern business environment, there's no getting around the need to manage email attachments, PDFs from untrusted sources, and [Microsoft] Office documents, all of which are attackers' favored paths for compromise," he adds.
Two key components of Qubes are specifically designed with enterprise users in mind. Qubes Salt stack integration, included in Qubes since 3.2, makes it easy to spin up new laptops preconfigured to suit the needs of the user. The new Qubes Admin API, currently available in Qubes 4.0-rc3, makes remote administration possible without the risk of full system compromise.
"While most operating systems can be remotely managed, doing so typically requires significant trade-offs in security and privacy," Wong says. "The remote administrator typically has fundamental control over managed systems, especially in corporate contexts. By contrast, the new Qubes Admin API allows Qubes installations to be remotely managed without compromising the status of the installation as a secure endpoint (i.e., without access to dom0)."
The trick lies in the novel idea of a non-privileged admin who has permissions to manage and provision virtual machines on a user's laptop remotely, but without the ability to read the user's data. Such a design choice, the Qubes documentation suggests, also addresses concerns about admins having unlimited power over users and the legal liability that could create for admins or their organizations.
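To make the Salt-based provisioning concrete, here is an added example (not code from the article or from the Qubes project) of a state file that builds the compartmentalized layout described above: a networkless vault qube for keys and the password manager, and an everyday work qube routed through the firewall qube. It assumes the `qvm.vm` state shipped with the Qubes Salt formulas, a template named `fedora-26`, the existing `sys-firewall` qube, and the file path `/srv/salt/company-laptop.sls`; those names are assumptions for this illustration.

```yaml
# /srv/salt/company-laptop.sls  (path assumed for this example)
# Added illustration of a Qubes Salt state; not from the article or the Qubes project.

# Networkless vault: code-signing keys, password manager, wallets.
# With netvm set to an empty value the qube has no NetVM and therefore no
# network path at all, which is the property that makes it a "vault".
vault:
  qvm.vm:
    - present:
      - template: fedora-26      # assumed template name
      - label: black
    - prefs:
      - netvm: ""                # no NetVM: offline by construction
      - maxmem: 1024

# Everyday work qube: network access only through sys-firewall, so the
# untrusted networking stack stays in its own domain.
work:
  qvm.vm:
    - present:
      - template: fedora-26      # assumed template name
      - label: blue
    - prefs:
      - netvm: sys-firewall      # assumed to exist from the default install
      - maxmem: 4096
```

Per the Qubes Salt documentation, a matching top file (`/srv/salt/company-laptop.top`, also an assumed name) maps `dom0` to this state; the state is then enabled with `qubesctl top.enable company-laptop` and applied with `qubesctl state.highstate`. The point for a defender is that the security-relevant property, the vault having no NetVM, is declared in configuration and re-applied on every highstate rather than depending on someone remembering to set it by hand on each laptop.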
Qubes is especially useful to software developers working in an enterprise environment, Wong suggests. "Software developers tend to be especially fond of Qubes, since it allows them to maintain separate build environments and easily test untrusted code in a secure way."
"Too often, companies and employees resort to mixing trusted and untrusted activities on the same machine for the sake of efficiency," Wong adds. "Qubes solves this problem elegantly by delivering the security of unlimited isolated containers in the efficiency of a single physical machine."
Bonus: Qubes is (mostly) effective against Meltdown, especially the new 4.0 release.
Qubes effective against Meltdown
One of the frustrations the Qubes team has experienced in developing a new, security-focused operating system is the fundamental inability to trust software and hardware lower down the stack. Securing the hypervisor at Ring -1 does little good if Intel ME runs a full-blown Minix operating system, including a web server, at Ring -3, or if the hardware itself is vulnerable to attacks like Meltdown and the two Spectre variants.
As it turns out, Qubes 4.0 fully virtualized VMs prevent the Meltdown attack, the most powerful of the three exploits revealed earlier this month that affect most modern processors. Rather than congratulate themselves on this good fortune, the Qubes developers are instead looking for ways to create trustworthy end points that don't rely on the underlying hardware.
"About hardware untrustworthiness," Joanna Rutkowska, founder of Qubes OS, says. "That's precisely one of the problems that we intend to solve with Qubes Air."
Qubes Air: The future of secure, distributed computing?
The widespread "move to the cloud" trend prompted the Qubes team to rethink endpoint security. What does endpoint security mean at a time when data is just as likely to be in transit, or at rest on a cloud instance, as at rest on a user's device?
"Readers who are allergic to the notion of having their private computations running in the (untrusted) cloud should not give up reading just yet," Rutkowska writes in a blog post announcing Qubes Air. "The essence of Qubes does not rest in the Xen hypervisor, or even in the simple notion of 'isolation,' but rather in the careful decomposition of various workflows, devices, apps across securely compartmentalized containers," she writes. "We can easily imagine Qubes running on top of VMs that are hosted in some cloud, such as Amazon EC2, Microsoft Azure, Google Compute Engine, or even a decentralized computing network, such as Golem."
Qubes Air, announced last week, remains vaporware, but given the Qubes developers' singular dedication to innovating better endpoint security for so many years, their eventual success seems inevitable. "Now owners (or admins) will be able to distribute their payloads across multiple platforms (PCs, cloud VMs, separate computers such as Raspberry Pis or USB Armory, etc), almost seamlessly, working around the problem of treating one hardware platform as a single point of failure," Rutkowska says, "which is what Qubes has always really been about."
Qubes OS is free software and recommended by many well-known experts. The project estimates there are currently around 30 thousand users. Some gotchas: hardware support can be finicky, and Qubes requires VT-x and VT-d to take advantage of its security features. Most users will want plenty of RAM. Sysadmins, software developers, and geekier users will find Qubes OS easy to master, but the user interface may not be ready for non-technical end users.