I should add that this still wouldn’t eliminate all risk, because many security flaws are, in fact, design flaws. Even a system that does only what it was designed to do can still be problematic if its design allows for outcomes that the designers did not intend or failed to foresee. Consider Nick Bostrom’s classic example:
Suppose we have an AI whose only goal is to make as many paper clips as possible. The AI will realize quickly that it would be much better if there were no humans because humans might decide to switch it off. Because if humans do so, there would be fewer paper clips. Also, human bodies contain a lot of atoms that could be made into paper clips. The future that the AI would be trying to gear towards would be one in which there were a lot of paper clips but no humans.
The paperclip-maximizing AI perfectly satisfies your condition: It is a system that will not do anything besides the purpose it was built to do (namely, make as many paperclips as possible). But, as you can see, being built for a good (or even a seemingly-innocuous) purpose does not guarantee that the system will function the way we intended or that the outcome will be desirable.
Security by isolation can limit the damage bugs can cause in the programs but not if the bugs are in the virtualization software itself (or in the mechanism that ensures the communication between containers - see qrexec-daemon memory corruption bug above).
By breaking functionality into parts small enough that unintended behaviour is near impossible and isolating all the parts from each other maybe we can limit the bugs only to the complex software running inside the app containers.
This is really a philosophical discussion. Yes, one can make it harder and more costly to exploit but never impossible. I think that’s ultimately also what you want and are looking for. Unless you can find a perfect human, writing perfect code compiled by perfect tools running on a perfect machine … it’s all a question of degrees.
I believe the guys at seL4 micro-kernel are trying this with varying degrees of success.
Also by having all vms memory and cpu registers encrypted with a different key per vm should protect processes from malicious hardware access.
Combining this with Qubes in theory would achieve the goal of preventing most 0days.
Time to surface.
Actually, I’m still here but outta further attempts to use Qubes OS, but I will continue to lurk because Qubes is just too good to stay away from. I was installing on each of two NVMe’s, a Samsung T7 SSD, and one WD 7200rpm. Those have been retired to a box waiting to be revisited one day when the temptation hits me again.
Aren’t all the security-critical software components planned to be rewritten in Rust anyway? Rewrites in Rust, which enforces some correctness, would pretty much eliminate any potential for memory corruption vulnerabilities.
CPU flaws like Downfall that violate x86_64’s security model are more of a concern than the vulnerability pointed out by @vog
@adw I know someone who worked at a defense contractor where colleagues were total glowies and there was a culture of spying on employees. And she and I were spending a decent bit of time together when she was working there. I am not saying “they” are, but they totally would.
There is a device that turns street lights on when it gets dark outside, used by most cities.
It works like this: as long as light shines on the device a diode provides power to a resistor that heats up a piece of metal. As long as the metal is warm a contact keeps the lights off. As night sets in the metal is not heated and cools off. When it cools off completely the contact turns on street lights.
So basically this is a device that can only store a number (as temperature in a metal block) and turn on lights when that number is below a threshold.
This could be replaced by a raspberry pi running a script but the pi also has a wireless adapter that can not be removed and an arm cpu that can run all sorts of programs.
It is trivial for a trained hacker to take control of the pi.
Can a determined attacker control the electrical device? Of course: he can place a device that remotely connects to the gsm network and heats the metal when needed but I never heard of such incident.
An encrypted VM could in theory emulate the electrical device while not allowing modifications to it, but this is just how I would try to do it.
@vog not sure if you’re trolling. - what are you using now to communicate to the internet? brainwaves?.. your expectations are unrealistic and even if anything you wish for existed, then qubes wouldnt be necessary. this operating system mitigates the flaws of real hardware and software design to an archivable minimum. so i wonder why would you come along and question this mission while demanding to fulfill something different. even to make this point feels like a waste to your and my time
I understand that Qubes objectives are to use existing software to achieve a minimum of hardware and software security with the limited resources and manpower available but I wished they would divert at least some resources to integrate more security options from other projects (like they did with whonix) and extend their goals.
I am grateful for what is available already and I am frustrated with the lack of progress in the field of software security in general: I guess regular people off the street are just not interested in being secure online and I can’t point to something and tell them use this and you’ll be secure.
There’s probably a forum of car safety enthusiasts out there who are similarly frustrated that normal people don’t care more about car safety, and they’re frustrated that they can’t point to any particular model of car and say, “Drive this, and you’ll never be hurt in a crash.”
There’s probably also a forum of body armor enthusiasts out there who are similarly frustrated that normal people don’t care more about not being fatally shot or stabbed, and they’re frustrated that they can’t point to any particular model of ballistic armor and say, “Wear this, and you’ll never die from a gunshot or stab wound.”
From this perspective, computer security is just like everything else in life: no perfect solutions, no guarantees, and lots of trade-offs.
In reality, most people are interested in car safety, personal safety, and computer security, but those are only a few values among many. Competing values include cost, comfort, and convenience. Many people are willing to sacrifice other values for the sake of safety and security, but only up to a point. Many people aren’t willing to pay twice as much for a car with better safety features. Almost no one is willing to wear a bulky, heavy, uncomfortable, attention-grabbing bulletproof vest around all day, unless it’s part of their job. Likewise, few people are willing to learn and switch to a new operating system so long as they believe their current setup is good enough for their needs.
Every once in a while I’m running malware in a dispVM deliberately.
Does this carry the risk for my QubesOS to be hacked? In a targeted attack of course it does.
However, there are ways to further harden your dispVMs. You can play that game until your dispVM becomes barely useable. “Hardening VMs” might actually be an interesting discussion thread on its own.
You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it. [1]
Furthermore I would argue that a paper notebook in a safe is “hackable” as well. I.e. remotely by social engineering. With physical access to the safe the attacker’s tools need to be reasonable sized.
Impossible to have no vulnerabilities. I think the purpose of Qubes is the understanding of that. I have a windows gaming machine and a qubes machine for everything else. I taught my mother to even use qubes its really not much different than windows. I posted for help here for the first time in a few years now, for a minor issue of not being able to load firefox from the appmenu after switching to the new fedora 38 vm today. Though it didn’t stop me from loading it from the terminal and doing what I had to do, granted my Mother wouldn’t have known to do that if I didn’t tell her.
I wouldn’t say we are power users doing anything advanced, but I haven’t run into anything I couldn’t do on Qubes yet unless it requires advanced gpu function. Its a pretty easy to use O/S that would suit most people fine once they learn how to use it. I basically just read Joanna’s article describing how she compartmentalizes her life and different tasks on the qubes to understand it when I first tried it. And was amazed how easy the gui was and common sense it is to use. I think you are giving off the wrong impression.
Maybe what you are trying to say is that even Qubes security is based mostly on user error? But that is also not something we can get around. I am also not one to ever blame the victim though nor claim something is victimless. That has fostered a terrible barbaric culture and all we can do is educate people and help the digital realm evolve into maturity imo.
