processes Limit what data they have access to Strict control over network access Strict control on sharing of data between VMs Identify which domain a process belongs to More practical than physical isolation Security++ and Privacy++ Qubes OS // 2017-03-02 4
Full drive encryption required Tamper resistance - TPMs & Anti-Evil-Maid Separate concerns by isolating them in VMs Management domain (dom0) handles VM management & window decorations. Risky hardware interactions banished to dedicated VMs Qubes OS // 2017-03-02 7
run applications and own data TemplateVMs base image for AppVMs (owns apps) SysVMs provide services to AppVMs NetVMs / ProxyVMs provide network access to AppVMs (or other NetVMs) USB VM special VM to handle USB devices DisposableVMs temporary VMs for unsafe ops Qubes OS // 2017-03-02 10
How do you know which VM a window comes from? dom0 owns the window manager each VM assigned a color (red, green, black, ...) every window is tagged with VM name and color no full-screen applications! Qubes OS // 2017-03-02 12
Each AppVM has its own private clipboard. 2. Manually move data between local clipboard and system clipboard. <ctrl> + <shift> + c copies local clipboard to system clipboard <ctrl> + <shift> + v copies system clipboard to local clipboard Qubes OS // 2017-03-02 15
be transferred to another VM Graphical or CLI All les placed in /home/user/QubesIncoming/[source] Always triggers dom0 prompt! qvm-copy-to-vm vault file.txt Qubes OS // 2017-03-02 16
- unpriv VM with raw network sys- rewall - VM with rewall rules sys-whonix - proxy all traf c through Tor custom VPN - proxy traf c through VPN Each AppVM has its own set of rewall rules If no net VM is assigned the AppVM has no network access! Qubes OS // 2017-03-02 19
system Updates are run against the template. Not each AppVM! Updates through Tor: Prevent targetted attacks denying updates Prevent leak of meta-data about packages being used Updates through special update proxy service Templates have no direct network access! Qubes OS // 2017-03-02 25
OS reads partition tables automatically USB stack parses USB device information on insertion DMA devices can swipe in-memory encryption keys (Qubes doesn't help with this) Qubes OS // 2017-03-02 27
isolating USB stack GUI support for: feeding block devices to speci c AppVMs microphones and cameras (Skype!) Experimental USB passthrough support If hardware supports (VT-d) allows PCI device passthrough for other hardware Qubes OS // 2017-03-02 28
facets of your life on a single machine Need to access company resources Need to communicate with home (personal email / Skype) Open sketchy attachments from email or USB stick Install sketchy presentation software (cough.. WebEx... cough) Connecting through sketchy wireless hotspots Accidentally revealing personal information during demos Need to conduct personal business while away (banking, ...) Qubes OS // 2017-03-02 30
itkr2305
gaqzi
riz3f7
tamaiyutaro
gappy50
sashimimochi
yukiafronia
yuyatakeyama
leichteckig
takuyay0ne
ymd65536
ttyi2
irinanazarova
lara
wjessup
sferik
csswizardry
maggiecrowley
pauljervisheath
shpigford
notwaldorf
jlugia
mraible
addyosmani
