That moment when someone markets their Xen-ified Linux-based operating system as secure: https://lwn.net/Articles/727425/

Folks, adding a hypervisor doesn't increase security--it does the opposite.

@lattera That's one of my big issues with Qubes.

Virtualization somewhat makes sense when it comes to isolating the drivers & hardware, but that specific need would be better served by other techniques like having a microkernel (seL4, anyone?) and using that to isolate the drivers from one another (and from userspace).

Virtualization as the mechanism for isolating bits of the userspace has high overhead and large attack surface (Xen hypercalls, X11 protocol, ...).

@lattera From what I understand, Qubes uses the hypervisor as a defense-in-depth mechanism. When you design your environment in such a way that overall attack surface is reduced (by creating compartments for different activities, for example), it can absolutely increase security of the complete system.

Same as firewall systems: they have their own attack surface, but they still make the network they protect more secure (when properly configured etc.).
@galaxis Qubes doesn't decrease attack surface. It does the opposite by using a hypervisor with a rather large surface area: Xen.
@lattera I don't see where Xen is particularly heavyweight compared to other hypervisors (to the contrary, really).

I'm roughly aware of their security track record, but the number of VM escape exploits (which would be most relevant for the Qubes use case) has been limited.
@galaxis If an attacker had only to attack the hypervisor software, then maybe. But adding millions of lines of code does not make one more secure.
@lattera I don't think I understand what you are trying to say.

From my POV: Primary attack vector is software being used inside one of the Qubes compartments (for example, during internet access). Assuming a successful attack on that level - as long as the attacker can't compromise additional components outside of the compartment (which would require some form of VM escape), the system is a win. I'd say a user is almost always better off with Qubes than without.
@lattera Not exactly. Hypervisors can increase overall security by containment of applications. The PS3's security model is a good example of this (except for the part where Sony signed everything with the same nonce, thus making the whole thing pointless).
@kaniini How does the hypervisor prevent the application from being exploited?
@lattera It's not about prevention but mitigation: when the app is exploited they only get access to that single VM.
@kaniini In the immediate, sure...
@lattera In practice it could be good enough against 12-year-olds with the latest 0day downloaded from some website.
@kaniini Same with not running the horrible mess known as #Linux.
@lattera Yeah? How is that libxo crap that Juniper made you guys take panning out?
@kaniini Pretty well. I hope FreeBSD integrates more utilities with it.
@lattera This is of course not to mean that Qubes itself is any good, mind. I consider that more to be a proof of concept. X11 to tie it all together, for example, means it will never be secure.