That moment when someone markets their Xen-ified Linux-based operating system as secure: https://lwn.net/Articles/727425/

Folks, adding a hypervisor doesn't increase security--it does the opposite.

@lattera From what I understand, Qubes uses the hypervisor as a defense-in-depth mechanism. When you design your environment in such a way that overall attack surface is reduced (by creating compartments for different activities, for example), it can absolutely increase security of the complete system.

Same as firewall systems have their own attack surface, but they still make the network they protect more secure (when properly configured, etc.).

@galaxis Qubes doesn't decrease attack surface. It does the opposite by using a hypervisor with a rather large surface area: Xen.

@lattera I don't see where Xen is particularly heavyweight compared to other hypervisors (to the contrary, really).

I'm roughly aware of their security track record, but the number of VM escape exploits (which would be most relevant for the Qubes use case) has been limited.

@galaxis If an attacker had only to attack the hypervisor software, then maybe. But adding millions of lines of code does not make one more secure.

@lattera I don't think I understand what you are trying to say.

From my POV: the primary attack vector is software being used inside one of the Qubes compartments (for example, during internet access). Assuming a successful attack on that level, as long as the attacker can't compromise additional components outside of the compartment (which would require some form of VM escape), the system is a win. I'd say a user is almost always better off with Qubes than without.