Review: Qubes OS 4.0

The long-awaited release of Edward Snowden's favourite operating system is here

Yesterday saw the long-awaited release of Qubes OS 4.0. The new version of Edward Snowden's favourite operating system is the product of some fundamental re-engineering including some major changes to the underlying architecture, hence the long wait since the last official release, version 3.2 in 2016.

There has been a complete rewrite of the core stack to allow Qubes OS to be much more modular, with the eventual aim of expanding its scope from the current single-user, single-machine model to take in multi-user, server-based and even (whisper it) cloud-based deployment. The redesign is also intended to make things simpler for developers of Qubes-specific apps and services.

Before proceeding with this review, here's a declaration of interest. I like Qubes. It's a maverick among increasingly similar Linux distros (arguably it's not even a Linux distro at all, but rather a Xen distro). I like the audacity of the project, following the logic of security rather than shiny things. I like the spiky Twitter persona of lead developer, renowned security engineer Joanna Rutkowska, who seems to inhabit the description "doesn't suffer fools gladly" with relish (I've never met her in person) - which is exactly what you want in a cryptologist, I'd argue. I like what a small team of developers has achieved since 2010 in creating "a reasonably secure operating system", and I approve of the modesty and realism of that strapline: you're not going to find a more secure general purpose operating system than Qubes, but at the same time it's only as safe as the underlying hardware it runs on (Intel ME, Spectre) and software of which it is comprised (Xen bugs, Linux flaws) allows it to be.

So trust nothing, least of all this review. That's the whole Qubes message. Trust nothing and assume you've already been breached. Now, how can you limit the damage your attacker can do?

What is Qubes OS?

Rather than a collection of services built around a single kernel in the conventional way, Qubes OS is actually made up of multiple virtualised OSs atop a hypervisor. It's an amalgam of many interconnected parts that's designed in such a way that no one part need ultimately trust any other more than is absolutely necessary for the system to work: so-called 'security by isolation'. If any one part is compromised by an attacker, the rest of the system should remain secure.

The base layer of Qubes OS, the AdminVM, is currently Xen, the open source hypervisor. It controls all the virtual machines (VMs) that make up the system but is locked down, with no direct connection to the Internet.

On top of AdminVM sit a couple of Fedora-based VMs (called qubes in version 4.0) that take care of networking and firewall duties. Then there are Template qubes which are Fedora 26 and Debian 9 VMs on which applications are installed. Coloured black by default, the Templates are connected via the networking and firewall qubes to their respective software repositories but not, by default, to the Internet more generally.

Generated from these Templates are the AppVM qubes which provide the colour-coded user interfaces for day-to-day use. Importantly, software installed on these AppVMs is ephemeral; it will not survive a reboot unless specifically installed in the user's home or /rw directory. That includes any malware or other nasties inadvertently downloaded from the web which is banished as soon as the AppVM is shut down. Only software installed on the Template qubes is persistent.

So if you want to use LibreOffice, say, assuming you wish to use it next time you reboot you install it on a Template qube. Thereafter any AppVM qubes based on that Template will be able to use LibreOffice with no risk of corrupting the original installation - security by isolation again. Plus, only one qube need be updated each time.

In essence, Qubes OS users run multiple machines on the same physical device and are able to copy files and text securely between them. Each AppVM qube is isolated from the other AppVM qubes and the Templates and it is only by "breaking out" of a qube that an attacker can hope to take control of the system as a whole by compromising the AdminVM - and this is an eventuality that Qubes OS makes as difficult as possible.

Sounds complicated? Well it is, and that's just scratching the surface. We haven't yet touched on the Whonix qubes that route all traffic through Tor, or the disposable one-use-only AppVM qubes, but that's the basic picture.

The real marvel of Qubes OS, though, is that it doesn't feel that complex in use. Delivering cutting-edge security with usability is what Qubes OS really brings to the table.

There is a learning curve though. Windows users hoping for a secure drop-in replacement will be disappointed (unless they want to install Windows in a qube - yes, it can be done!). We're talking Linux after all, and at the no-frills bleeding edge end too. So you'll need to resort to the command line at some stage, such as when installing or updating software. There are some other idiosyncrasies too, such as the hot key sequences ctrl-C, shift-ctrl-C and then shift-ctrl-V, ctrl-V to copy and paste text between qubes (qubes do not share a clipboard), which take a bit of getting used to, and copying files between qubes has its own procedure. Overall though, for anyone already familiar with Linux, using Qubes OS is not really that much of a leap.

Installation

Perhaps the biggest problem Qubes faces is that it is one hell of a diva when it comes to the hardware it will tolerate. Like Mariah Carey on a bad hair day, it is exceptionally demanding. Get something wrong and it will simply refuse to perform. CPU doesn't support virtualisation (Intel VT-d or AMD-V)? Forget about it. No IOMMU? Who are you kidding? Microsoft Secure Boot? You can turn that off for a start. Less than 16 gigs of RAM? Get out of my face. Running a gaming GPU? Prepare for a major strop.

Qubes OS's legendary fussiness is down to it being a combination of Xen and two flavours of Linux and the lack of open source drivers for some hardware. Installation woes are behind many of the posts to the qubes-users forum. Many Linux distros suffer compatibility problems, but, explains Joanna Rutkowska: "In the case of Qubes OS, these problems are significantly more pronounced due to the aggressive use of virtualisation technology to isolate not just apps, but also devices, as well as incompatibilities between Linux drivers and modern hardware."

Indeed, the new architecture underpinning release 4.0 is a first step away from some of these problems.

Provided it's happy with the hardware (Qubes OS maintains a list of compatible hardware, although finding up-to-date information is not so easy) Qubes OS installation is reasonably straightforward following the instructions provided. It's not recommended to dual boot Qubes with another operating system, so I installed it on a 128 GB USB 3 stick plugged into a Core i7 PC with 16 GB of RAM, and the process took about an hour.

A USB stick is certainly not an optimal choice for performance, precludes the use of a dedicated secure USB qube and leads to the occasional freeze, but it's a tried and trusted combo for me and most of the time things ticked along pretty nicely.

The default install provides a couple of Template qubes (Fedora 26 and Debian 9), the Whonix Tor qubes, and a selection of four colour-coded AppVMs labelled Work, Personal, Untrusted and Vault.

These colours are another part of security by isolation, this time to give the user a mental cue as to where they are in the system. A blue border signifies a trusted area. If you need to do something that is risky then you should move to a qube with a red border. These colours can be changed to suit of course.

Vault (black) is, by default, air-gapped with no connection to the web, making it an ideal home for passwords, encryption keys, sensitive IP and the like. Untrusted (red) is the qube you might want to use to visit sites of dubious quality or test out new software in the knowledge that any compromise won't affect your Work (blue). There are also disposable qubes which you can spark up for some task - say to open a PDF of unknown provenance which might have a zero-day exploit embedded. Qubes OS offers a useful safe PDF converter for this purpose, a feature very popular with the legal profession.

In use

Qubes OS boots to a functional but austere grey XFCE desktop with few clues about what to do next. The Qube Manager (see below) is now hidden away in the System Tools sub-menu, accessed by clicking the Q icon at the top left of the screen. The various qubes can be booted up from the start menu located in the same place.

The ethos of Qubes OS is very much security first; looks, well, last. On the functional-beautiful spectrum, Qubes OS is the professor with tousled hair and 10 pens in his lab coat pocket rather than the svelte supermodel. Those looking for eye candy are in the wrong shop. Being Linux it can be customised of course, if you know what you're doing, but out-of-the-box pretty it ain't. As the team looks to take Qubes OS to a wider market, paying some attention to the UI will be essential. Perhaps offering a wider range of colours would be a start.

Creating a new AppVM qube is simplicity itself. You can spin up as many qubes as you need (up to 255), colour code them as you like, run them through Tor, air-gap them or change their underlying template. A Banking qube reserved for sensitive financial transactions is an obvious choice, but really you are only limited by your imagination - oh and your RAM. As far as memory is concerned, the more the merrier. Qubes OS will run with 8GB, just about, but only with a limited number of qubes open at one time.
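The layout the review keeps coming back to (a blue qube for banking behind the firewall, a red one for dubious sites routed through Tor, a black air-gapped vault for keys) can be built from the dom0 command line as well as from the Qube Manager. The script below is an added example written for this page, not code from the review or from the Qubes project. It assumes it is run in dom0 of Qubes OS 4.0, where the `qvm-create` and `qvm-prefs` tools exist, and it assumes the default names `fedora-26`, `sys-firewall` and `sys-whonix`; the qube names `banking`, `untrusted-browsing` and `vault-keys` are made up for the example. Outside dom0 it only prints the plan and refuses to apply it.

```shell
#!/bin/sh
# Added example, not code from the review or the Qubes project.
# Assumptions: runs in dom0 of Qubes OS 4.0 (qvm-* tools present); default template
# fedora-26 and service qubes sys-firewall / sys-whonix; the qube names below are invented.

# plan_qube NAME LABEL TEMPLATE NETVM
# Prints the dom0 commands that create one AppVM based on TEMPLATE, colour it LABEL
# and attach it to NETVM. NETVM "none" air-gaps the qube: an empty netvm in
# qvm-prefs means no network connection at all.
plan_qube() {
    name=$1; label=$2; template=$3; netvm=$4
    printf 'qvm-create --class AppVM --label %s --template %s %s\n' "$label" "$template" "$name"
    if [ "$netvm" = none ]; then
        printf "qvm-prefs %s netvm ''\n" "$name"
    else
        printf 'qvm-prefs %s netvm %s\n' "$name" "$netvm"
    fi
}

# plan_layout prints the commands for the three qubes discussed in the review:
# banking behind the firewall, untrusted browsing through the Whonix Tor gateway,
# and an air-gapped vault for keys and passwords.
plan_layout() {
    plan_qube banking blue fedora-26 sys-firewall
    plan_qube untrusted-browsing red fedora-26 sys-whonix
    plan_qube vault-keys black fedora-26 none
}

# apply_layout runs the plan only where the qvm tools exist (i.e. in dom0);
# anywhere else it reports that nothing was applied and returns 1.
apply_layout() {
    if command -v qvm-create >/dev/null 2>&1; then
        plan_layout | sh -e
    else
        echo "qvm-create not found: not running in dom0, nothing applied" >&2
        return 1
    fi
}

# check_airgapped NAME: 0 if the qube has no netvm, 1 if it has one, 2 if we cannot
# ask (no qvm-prefs here). Assumes qvm-prefs prints an empty value for "no netvm".
check_airgapped() {
    command -v qvm-prefs >/dev/null 2>&1 || return 2
    [ -z "$(qvm-prefs "$1" netvm)" ]
}

# Run as a script: show the plan, then apply it if this really is dom0.
plan_layout
apply_layout || true
```

Keeping the plan separate from the apply step is deliberate: dom0 is the one place where a mistyped command affects every qube, so it is worth reading the generated `qvm-*` lines before piping them into a shell, and `check_airgapped vault-keys` afterwards confirms that the vault really has no netvm rather than trusting the colour of its border.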

Starting and stopping VMs is achieved using the dropdown Start menu in the top left corner or through the Qube Manager. This is a dashboard that the Qubes team originally dropped in earlier release candidates as part of the move to a more modular architecture but reinstated after users complained. Having an overview of all the VMs is hugely useful, particularly for newcomers, and I'm glad they chose to keep it for now. In use it's a bit shaky though and as the developers are unlikely to spend much time improving it, it should be considered a stopgap. A much less detailed overview of the VMs that are running is available via a new widget in the top right of the screen but it is limited compared to the Qube Manager and feels like a step backwards in terms of user experience.

On a day-to-day basis, the issue that causes most irritation is the fact that all the application icons in an AppVM qube are the same colour. There is a good reason for this, to do with minimising the use of precious system resources, but it's a pain to have to carefully eyeball each one before opening.

Other niggles include screenshots. I wanted to take some pics of the menus and other features for this review but the screenshot tool wouldn't work with those things displayed.

Anything requiring Flash is pretty much a non-starter unless you install Google Chrome, which comes with a reasonably safe version of the video software, but which of course brings issues of its own regarding privacy. You could always use Chrome in a qube of its own though, perhaps routing through a VPN qube to get round geolocation restrictions. Similarly, with its layers of virtualisation and everything on lockdown, Qubes OS is never going to be the gamer's platform of choice.

Then again, it's horses for courses. You wouldn't use an armoured car for grocery shopping.

Qubes OS 4.0 should really be seen as a stepping stone towards a much more flexible operating system capable of meeting modern business needs. Almost all the changes under the hood are invisible to the end user, and version 4.0 looks and feels, for better or worse, very much like its predecessor - although there are plenty of enhancements already planned.

The Qubes team is keen to increase adoption by business, and the modular approach is a way of achieving this, breaking away from the dependency on Xen and allowing for new deployment models. That journey starts here.

Use cases

So who would use such a Frankenstein's monster of an operating system apart from geeks, paranoiacs, spies, journalists and other non-mutually exclusive categories of oddball?

Activists working in repressive regimes for sure. Also if I were a businessman crossing a border with sensitive IP, I would definitely consider it. One very useful feature of Qubes OS is that you can swiftly and securely backup individual qubes with a couple of clicks. So very sensitive information can be stored out of harm's way, and quickly reinstated when needed.

If I were a sysadmin likely to be targeted for my access to sensitive corporate systems, I would definitely use Qubes OS. If I were a Linux-savvy lawyer or someone who handles sensitive client data, I would certainly consider it too.

Developers wanting to test their code securely in different environments on the same machine are another potential set of users.

Given what we know about the vulnerability of IT systems and what can happen to our data, there is certainly a case for more everyday users to check it out too. It's a general purpose operating system, not a specialist security platform. Once you're used to its idiosyncrasies, it's perfectly possible to be as productive on Qubes OS as you would be on any other operating system, and of course it's much more secure and confidence inspiring.

Security expert and activist Micah Lee puts it this way: "When I use Qubes I feel like a god. Software thinks that it's in control, that it can do what it wants? It can't. I'm in control."