Slide 1

Slide 1 text

Qubes OS
A reasonably secure operating system

Qubes OS // 2017-03-02

Slide 2

Slide 2 text

“Qubes OS is a security-focused desktop operating system that aims to provide security through isolation.”

Slide 3

Slide 3 text

Life before Qubes OS

Slide 4

Slide 4 text

Qubes allows separating concerns into VMs
- Limit harm from rogue processes
- Limit what data they have access to
- Strict control over network access
- Strict control on sharing of data between VMs
- Identify which domain a process belongs to
- More practical than physical isolation
- Security++ and Privacy++

Slide 5

Slide 5 text

Life with Qubes OS

Slide 6

Slide 6 text


Slide 7

Slide 7 text

Security Features
- Xen hypervisor on the bare metal
- Single user
- Full drive encryption required
- Tamper resistance - TPMs & Anti-Evil-Maid
- Separate concerns by isolating them in VMs
- Management domain (dom0) handles VM management & window decorations
- Risky hardware interactions banished to dedicated VMs

Slide 8

Slide 8 text

You can't use "beef stew" as a password

Slide 9

Slide 9 text

You can't use "beef stew" as a password
It's not stroganoff

Slide 10

Slide 10 text

VM Types
Concerns (or domains) are separated into VMs.
- AppVMs: run applications and own data
- TemplateVMs: base image for AppVMs (owns apps)
- SysVMs: provide services to AppVMs
- NetVMs / ProxyVMs: provide network access to AppVMs (or other NetVMs)
- USB VM: special VM to handle USB devices
- DisposableVMs: temporary VMs for unsafe ops

Slide 11

Slide 11 text

Management Tool

Slide 12

Slide 12 text

Window Decorations
Windows from all AppVMs on a common desktop. How do you know which VM a window comes from?
- dom0 owns the window manager
- each VM assigned a color (red, green, black, ...)
- every window is tagged with VM name and color
- no full-screen applications!

Slide 13

Slide 13 text

Moving Data between AppVMs

Slide 14

Slide 14 text


Slide 15

Slide 15 text

The clipboard
Obviously the clipboard can leak information! so...
1. Each AppVM has its own private clipboard.
2. Manually move data between local clipboard and system clipboard.
   + + c copies local clipboard to system clipboard
   + + v copies system clipboard to local clipboard

Slide 16

Slide 16 text

Copying files between Qubes
- An AppVM can request a file be transferred to another VM
- Graphical or CLI
- All files placed in /home/user/QubesIncoming/[source]
- Always triggers dom0 prompt!

    qvm-copy-to-vm vault file.txt

Slide 17

Slide 17 text


Slide 18

Slide 18 text

Networking

Slide 19

Slide 19 text

Networking
- Each AppVM can be assigned a single NetVM
  - sys-net - unpriv VM with raw network
  - sys-firewall - VM with firewall rules
  - sys-whonix - proxy all traffic through Tor
  - custom VPN - proxy traffic through VPN
- Each AppVM has its own set of firewall rules
- If no net VM is assigned the AppVM has no network access!
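The NetVM chaining rule on this slide can be modeled as a walk along each VM's single NetVM link, which is enough to audit which qubes are offline, firewalled, routed through Tor, or attached straight to sys-net. This is an added example, not code from the slides or from Qubes OS; the `NETVM` table is constructed sample data, the AppVM names `work`, `anon`, `untrusted` and `vault` are hypothetical, and `net_path` and `audit` are illustrative helpers.

```python
# Constructed sample data: each VM maps to its single NetVM (None = none assigned).
# sys-net, sys-firewall and sys-whonix are the names used on the slide;
# work, anon, untrusted and vault are hypothetical AppVMs.
NETVM = {
    "sys-net": None,              # holds the raw network device
    "sys-firewall": "sys-net",
    "sys-whonix": "sys-firewall",
    "work": "sys-firewall",
    "anon": "sys-whonix",
    "untrusted": "sys-net",       # attached straight to sys-net
    "vault": None,                # no NetVM assigned
}
UPLINK = "sys-net"


def net_path(vm, netvm=NETVM):
    """Return the VMs that traffic from `vm` traverses, nearest hop first."""
    path, seen = [], {vm}
    hop = netvm[vm]
    while hop is not None:
        if hop in seen:           # a misconfigured chain must not hang the audit
            raise ValueError(f"NetVM loop at {hop}")
        seen.add(hop)
        path.append(hop)
        hop = netvm[hop]
    return path


def audit(vm, netvm=NETVM):
    """Classify a VM's network exposure from its NetVM chain."""
    if vm == UPLINK:
        return "uplink"
    path = net_path(vm, netvm)
    if not path or path[-1] != UPLINK:
        return "offline"          # chain never reaches the raw network
    if "sys-whonix" in path:
        return "tor"
    if "sys-firewall" in path:
        return "firewalled"
    return "direct"               # reaches sys-net with no firewall VM in between


if __name__ == "__main__":
    for name in NETVM:
        print(f"{name:13} {audit(name):10} via {net_path(name)}")
```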

Slide 20

Slide 20 text


Slide 21

Slide 21 text

Networking - Firewall

Slide 22

Slide 22 text

TemplateVMs

Slide 23

Slide 23 text

Templates
Save space by sharing base images (OS and Apps) between AppVMs

Slide 24

Slide 24 text

Templates with Windows?!
Is this even allowed by Windows licensing?

Slide 25

Slide 25 text

Templates and Updates
- Templates usually own the applications and base system
- Updates are run against the template. Not each AppVM!
- Updates through Tor:
  - Prevent targeted attacks denying updates
  - Prevent leak of meta-data about packages being used
- Updates through special update proxy service
- Templates have no direct network access!

Slide 26

Slide 26 text

Hardware Access

Slide 27

Slide 27 text

Hardware can be dangerous
- Autorun?
- Malicious USB firmware with BadUSB
- OS reads partition tables automatically
- USB stack parses USB device information on insertion
- DMA devices can swipe in-memory encryption keys (Qubes doesn't help with this)

Slide 28

Slide 28 text

USB & PCI
- USB controller owned by unprivileged USB VM isolating USB stack
- GUI support for:
  - feeding block devices to specific AppVMs
  - microphones and cameras (Skype!)
- Experimental USB passthrough support
- If hardware supports (VT-d) allows PCI device passthrough for other hardware

Slide 29

Slide 29 text

Demo

Slide 30

Slide 30 text

Qubes Sweet Spot - The Road Warrior
Securely carry different facets of your life on a single machine
- Need to access company resources
- Need to communicate with home (personal email / Skype)
- Open sketchy attachments from email or USB stick
- Install sketchy presentation software (cough.. WebEx... cough)
- Connecting through sketchy wireless hotspots
- Accidentally revealing personal information during demos
- Need to conduct personal business while away (banking, ...)