Security Discussion on Virtual Machine Penetration

Hello everyone, I am a Qubes user from France. Qubes claims to be a safe distribution, so I thought of a question: in the case of a virtual machine operating system in Qubes being attacked, will it be better than others? Is the virtual machine created by the distro more impenetrable? This only discusses the difficulty and security of a virtual machine being penetrated when it encounters penetration, and does not discuss the loss caused by successful penetration.

Broadly, for cross-VM and host protection:

  1. Xen is thought to have significantly less of an attack surface than something like KVM or VMware.

  2. Qubes uses a subset of Xen features, reducing that attack surface even further.

  3. PVH is thought to have less attack surface than PV or HVM, and is the default VM type in Qubes.

  4. HVM in Qubes, used for non-PV-aware OSes and for VMs that need PCI devices attached, uses an additional “device model” VM to provide the QEMU hardware emulation when needed, protecting the host from the larger-than-Xen attack surface of QEMU.

In VM and inter-VM protections:

  1. Qubes, by default, conserves only the user data of an AppVM on shutdown and writes to the system/root partition are discarded. This tends to discard most malware (but not all) on shutdown.

  2. Qubes, by default, does not allow sibling VMs to inter-network with each other, though they may share an upstream firewall or network connection. This tends to reduce opportunistic lateral movement by malware.

  3. Qubes host (dom0) is generally configured to avoid processing data (which could be risky) stored in VMs and only provide user-approved connections between VMs, such as file transfers, by connecting them together with a simple protocol.


  4. Qubes UI is designed to assist users in deaggregating their identity/identities into separate VMs such that the loss of one VM’s privacy does not propagate further than the accounts used by it/the data stored in it.


In these and other ways, Qubes tends to be safer to use, even if one VM is permanently or temporarily compromised, because it can be discarded and the chances are low that the malware/attack has progressed further than that.

For some users that is not enough and they may want to perform a new install and then import their backups (safely) for inspection and recovery onto a new install. For others, this (above) level of protection may be all they want.
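
An added example, not part of the original posts: a small audit that lists VMs running outside the default PVH mode described in the reply above, so HVM and PV qubes can be reviewed. It assumes a pipe-delimited inventory of `NAME|CLASS|VIRT_MODE` lines, which on Qubes 4.x should be obtainable in dom0 with `qvm-ls --raw-data --fields NAME,CLASS,VIRT_MODE` (treat that invocation as an assumption); the VM names and inventory below are constructed.

```shell
#!/bin/sh
# Added example: flag VMs that are not using PVH.
# Input on stdin: one VM per line as NAME|CLASS|VIRT_MODE.
# Assumption: in dom0 such lines can be produced with
#   qvm-ls --raw-data --fields NAME,CLASS,VIRT_MODE

audit_virt_modes() {
    awk -F'|' '
        NF < 3           { next }   # skip malformed lines
        $1 == "NAME"     { next }   # skip a header row if one is present
        $2 == "AdminVM"  { next }   # dom0 is the host, not a guest
        {
            mode = tolower($3)
            if (mode == "pvh") { ok++; next }
            if (mode == "hvm")
                note = "QEMU emulation runs in a separate device-model VM"
            else if (mode == "pv")
                note = "PV is thought to expose more attack surface than PVH"
            else
                note = "unrecognised mode, check manually"
            printf "%s: %s (%s)\n", $1, mode, note
            flagged++
        }
        END { printf "summary: %d pvh, %d flagged\n", ok + 0, flagged + 0 }
    '
}

# Constructed sample inventory (not real output from any system).
sample_inventory() {
    cat <<'EOF'
dom0|AdminVM|-
sys-net|AppVM|hvm
work|AppVM|pvh
personal|AppVM|pvh
legacy-os|StandaloneVM|pv
EOF
}

sample_inventory | audit_virt_modes
```

On a real system, pipe the inventory command into `audit_virt_modes` in place of `sample_inventory`; an HVM entry is expected for VMs with PCI devices attached, such as a network VM.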