Qubes: security and privacy by isolation

Orde Saunders' avatar Published: by Orde Saunders

Recently I've been using Qubes OS and figuring out how to get my VPN set up was a light bulb moment on how it fits together. By isolating different areas of concern it is possible to gain a level of security and privacy that would be hard to achieve with a traditional - monolithic - operating system.

(I've deliberately simplified things for this explanation, in reality there is a lot more going on than this but it's not really needed to understand the concept.)

The key principle behind Qubes is that everything is a virtual machine (VM). Running a Xen hypervisor on the bare metal, Qubes manages everything above this providing a seamless desktop environment and abstracting away all but the most complex configuration.

Setup

Probably the easiest to understand is the application VMs, out of the box these are stand alone Linux instances but it is possible to run other operating systems. For the sake of simplicity in this explanation let's say we have one trusted and one untrusted application VM:

  • In the trusted VM we do things that we want to be relatively secure like email, document editing, online banking &c.
  • In the untrusted VM we do things like general web browsing and social media.

As these are two separate VMs if our untrusted VM gets compromised it won't have access to anything in our secure VM and vice versa.

In addition to this there are the service VMs - again these are stand alone Linux instances but they're slimmed down to a minimal set of components.

  • The main one we're concerned with is the network VM. This is the only VM that has a direct connection to the outside world - as far as the rest of the world is concerned it's interacting with this machine.
  • There is a VPN VM, this is firewalled so it can only talk to the VPN end point - once the VPN is up then the only place traffic can go is down this "tunnel".
  • There is a TOR gateway VM that routes all traffic to the TOR network.

The trusted VM is then connected to the VPN VM. As it's an 'internal' VM↔VM network connection handled by Qubes, the app VM thinks it's talking directly to the outside world so has no knowledge that a VPN exists or that all the traffic is being routed via it.

In a similar manner, the untrusted VM is connected to the TOR VM so doesn't have any knowledge of TOR or that all traffic is being routed via it.

At the other end of the chain, the network VM is dumbly routing traffic from the VPN and TOR VMs to the external network. In the case of the VPN tunnel it will be aware that it is routing all traffic from one 'internal' source to a single external source (the VPN end point) but, as it has no access to the tunnel entrance in the VPN VM, the network VM has no way of knowing what's inside the tunnel.

Overview of Qubes networking showing tunneling

Security

The obvious advantage of this set up is security, by isolating each later into its own VM it makes it very hard (but not impossible) for a compromised system to access information in another VM.

Outside in

As the network VM is the only point of contact with the outside world this is where we're vulnerable to an external attack. However, as traffic enters secure tunnels before it is routed through the network VM it cannot be be inspected and, as the tunnel entry points are in separate VMs, they aren't accessible.

Inside out

In this scenario one of the app VMs (hopefully the untrusted VM!) is compromised via a browser bug or some malware. However, as far as this VM is concerned it has a direct connection to the network - it has no knowledge of the tunnel entry point in the intermediate VM. It is also completely isolated from our other app VM, both at the inter-VM level by Qubes itself and at the network level as the traffic is isolated in secure tunnels.

Privacy

The second advantage this set up has is privacy, as all traffic from the app VMs is routed through a tunnel there is no opportunity for leakage - either round the edges of the tunnel or out to the network before the tunnel can be established. This means that none of our traffic appear to exit from the network the network VM is connected to, all applications and services we interact with will see our traffic as exiting from either a TOR exit node or from our VPN exit point.

Conclusion

Whilst there's no such thing as guaranteed security or privacy, by using Qubes in this way it does systemically mitigate a number of vulnerabilities that would be present if running this set up on a traditional, monolithic, operating system.