Linked by Thom Holwerda on Tue 30th Aug 2011 17:29 UTC, submitted by Dale Smoker
OSNews, Generic OSes "What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security."
OSNews?
by gedmurphy on Tue 30th Aug 2011 19:14 UTC
gedmurphy
Member since:
2005-12-23

What's going on?

We get actual operating system news and it gets 3 lines on the second page.
We get patent news and it gets force fed to everyone.

Maybe it's time for a name change to PatentNews.com
:)

Reply Score: 3

RE: OSNews?
by Bill Shooter of Bul on Tue 30th Aug 2011 19:46 UTC in reply to "OSNews?"
Bill Shooter of Bul Member since:
2006-07-14

Well your content-less comment certainly helped prove just how much regular readers are engaged by Serious OS news.

I, for one, would be interested to play with Qubes. From the article, it would seem to mean that Qubes would really perform poorly when compared to other operating systems. Instead of just one operating system, you'd be running 3-6. Most of that would be duplicate processing and duplicate memory usage. Also while your data may be secure due to the isolation of the virtual machines, a bot net would be more than happy to just inhabit one of them and continue attacking other systems, sending spam, and/or burrowing further into your network. Maybe it raises the bar a bit, but is the marginal security improvement worth the complexity? The more separated the virtual machines are, the more difficult it would be to interact with them. The less separated, the less secure. I think SELinux is just now starting to be worth it for me.

Reply Score: 6

RE[2]: OSNews?
by joshv on Tue 30th Aug 2011 23:59 UTC in reply to "RE: OSNews?"
joshv Member since:
2006-03-18

Meh, 4 GB is min now, 8GB will be standard soon.

Sure your browsing instance could get infected and become a bot, but at least it's not going to spread to the base OS or the other VMs. And it's also very very easy to re-image a suspect VM with a known safe image.

Reply Score: 1

RE[3]: OSNews?
by Bill Shooter of Bul on Wed 31st Aug 2011 16:44 UTC in reply to "RE[2]: OSNews?"
Bill Shooter of Bul Member since:
2006-07-14

Meh, 4 GB is min now, 8GB will be standard soon.


Yeah, there are always tradeoffs to be made. In this case you'd be trading memory (and maybe speed) for security. As I said before, maybe it's worth it for some people. I just get sick of marketing material that promises a great improvement in X, while completely ignoring the accompanying regression in Y. It's always best to present all the info up front so people can evaluate technologies as quickly and easily as possible.

Sure your browsing instance could get infected and become a bot


I think that's the primary goal of bot writers. So maybe the best approach for system admins is to regularly reimage the browsing vm to disrupt botnets and malware.

Reply Score: 2

Joanna Rutkowska
by fran on Tue 30th Aug 2011 23:00 UTC
fran
Member since:
2010-08-06

She's hot too. She can totally secure my PC.

Reply Score: 2

RE: Joanna Rutkowska
by Gullible Jones on Tue 30th Aug 2011 23:13 UTC in reply to "Joanna Rutkowska"
Gullible Jones Member since:
2006-05-23

I was going to post something insulting here, but eventually I realized a polite refutation would probably be more useful. So...

Rutkowska is a world-renowned security expert. I'm not sure what your credentials are - for all I know they might be quite impressive - but you've basically gone and indicated that her skills take a back seat to her looks. Which is pretty insulting.

Think about it. If you were a legit genius, and people said stuff like that about you, I'm betting you'd get pretty tired of it pretty fast.

Edited 2011-08-30 23:13 UTC

Reply Score: 1

RE[2]: Joanna Rutkowska
by RshPL on Tue 30th Aug 2011 23:31 UTC in reply to "RE: Joanna Rutkowska"
RshPL Member since:
2009-03-13

Oh, come on. To say that a woman is pretty, it is quite a compliment. To ignore her qualities as a woman, that would be insulting IMHO. ;) Smart, pretty, and world-known expert - guys must have quite a hard nut to crack, or she may already have a happy personal life, so good for her! Loosen up. ;)

Reply Score: 4

RE[3]: Joanna Rutkowska
by mdupont on Wed 31st Aug 2011 08:50 UTC in reply to "RE[2]: Joanna Rutkowska"
RE[4]: Joanna Rutkowska
by Thom_Holwerda on Wed 31st Aug 2011 10:51 UTC in reply to "RE[3]: Joanna Rutkowska"
Thom_Holwerda Member since:
2005-06-29

No. This sexist kind of behavior makes me think of http://xkcd.com/322/


Really. The only sexist behaviour in this thread are the men assuming this lady needs protecting. Saying a girl is pretty is not sexist - it's a compliment, and I can assure you, most girls perceive it that way.

I happen to be one of those guys who has always preferred hanging out with women, and I can assure you: women are no different. They talk about us guys in the exact same way, and they sure as hell don't need men "sticking up for them" whenever a guy calls them pretty.

So, I'll just be upfront about it: she indeed looks quite attractive, and there's nothing wrong with stating as such.

Edited 2011-08-31 10:52 UTC

Reply Score: 2

RE[2]: Joanna Rutkowska
by Soulbender on Wed 31st Aug 2011 14:32 UTC in reply to "RE: Joanna Rutkowska"
Soulbender Member since:
2005-08-18

Maybe an actual woman could chime in on this rather than men thinking they defend women.
If I say I don't think she's hot is that an insult or a compliment?

Reply Score: 4

RE: Joanna Rutkowska
by Radio on Tue 30th Aug 2011 23:13 UTC in reply to "Joanna Rutkowska"
Radio Member since:
2009-06-20

Too bad she'll never read your ILOVEYOU email.

Reply Score: 4

RE: Joanna Rutkowska
by bugmenot on Wed 31st Aug 2011 08:28 UTC in reply to "Joanna Rutkowska"
bugmenot Member since:
2006-02-26

There are some people saying that she used to be a .. he.
(source: http://www.rutkowska.yoyo.pl )

:P

Reply Score: 3

RE[2]: Joanna Rutkowska
by Morgan on Wed 31st Aug 2011 10:49 UTC in reply to "RE: Joanna Rutkowska"
Morgan Member since:
2005-06-29

And...what's your point? Have we not, as rational thinkers, far exceeded the point where the person's sexual orientation takes a back seat to their accomplishments?

Guy, girl, transgender, natural sex, it doesn't matter! Whether you agree with someone's research or not, personal attacks -- especially of a sexual nature -- are not only childish but really have no place here. I'd expect this kind of pedantry on Slashdot but I thought the OSNews readership had grown up some.

And I do realize you weren't making an accusation yourself, rather just bringing up the topic. But my point is, who the hell cares? I certainly don't, and my opinion of the person's research is not affected in the least by the question of her sexuality.

Reply Score: 3

RE[3]: Joanna Rutkowska
by bugmenot on Wed 31st Aug 2011 11:29 UTC in reply to "RE[2]: Joanna Rutkowska"
bugmenot Member since:
2006-02-26

I was just pointing out that information to people saying that "she is hot" because maybe they don't know about this.

My opinion of her research is not affected in anyway.

Reply Score: 2

RE[2]: Joanna Rutkowska
by bannor99 on Thu 1st Sep 2011 19:34 UTC in reply to "RE: Joanna Rutkowska"
bannor99 Member since:
2005-09-15

"There are some people saying that she used to be a .. he.
(source: http://www.rutkowska.yoyo.pl )

:P"


I was going to dismiss this out of hand but after taking a closer look, it's slightly plausible.
First off, she's only "hot" if you haven't seen an attractive woman in a while. I'm not saying ugly but definitely not hot.
Regarding her gender, she does have man-hands and is very slim-hipped but there doesn't seem to be any trace of an Adam's apple. She also has good-sized breasts, although hormones or implants can easily provide those.
So I think she's just a woman with a few manly characteristics.

Reply Score: 2

Comment by orestes
by orestes on Tue 30th Aug 2011 23:04 UTC
orestes
Member since:
2005-07-06

Interesting concept, but one does wonder how difficult it will end up being to set up and maintain properly in real environments? It's not enough to be secure, it has to be usable from an administrative standpoint too.

Edited 2011-08-30 23:05 UTC

Reply Score: 2

Secure OS?
by Nicram on Wed 31st Aug 2011 08:31 UTC
Nicram
Member since:
2006-01-31

"What would an operating system look like it if were redesigned with security in mind?"

It would be OpenBSD then, that I use :)
KISS, great code quality and the best manuals ever. A Linux-based distro is just... another Linux-based distro, nothing more ;)

Reply Score: 3

RE: Secure OS?
by renox on Wed 31st Aug 2011 09:01 UTC in reply to "Secure OS?"
renox Member since:
2005-07-06

"What would an operating system look like it if were redesigned with security in mind?"

It would be OpenBSD then, that i use:)


Not really: OpenBSD doesn't have capabilities, doesn't use "safe" languages such as Ada, etc.

Reply Score: 4

RE[2]: Secure OS?
by moondevil on Wed 31st Aug 2011 10:35 UTC in reply to "RE: Secure OS?"
moondevil Member since:
2005-07-08

An operating system coded in a mix of C and Assembly, without capabilities and which relies on pure code review as security measures is by definition not secure.

I am a firm believer in the use of safe languages for system programming. A few examples do exist, but it takes years before the status quo of current systems changes.

In a way we have to thank all the kids exploiting badly coded applications out there. They have raised the awareness that sometimes safety is better than raw speed and made it easier to get research grants for OS development with safe system programming languages.

Reply Score: 2

RE[3]: Secure OS?
by joshv on Wed 31st Aug 2011 11:41 UTC in reply to "RE[2]: Secure OS?"
joshv Member since:
2006-03-18

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?

Reply Score: 2

RE[4]: Secure OS?
by renox on Wed 31st Aug 2011 11:53 UTC in reply to "RE[3]: Secure OS?"
renox Member since:
2005-07-06

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits.

Note that the JVM isn't coded in Java..
So JVM exploits don't count as Java's vulnerabilities.

Anyway, I agree with you that "safe" languages don't really exist, but "safer" languages (i.e safer than C) do exist.

Reply Score: 2

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:22 UTC in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

Safe languages are languages that do the following:

- Bounds-check validation of arrays;
- Use proper string data types;
- No direct port IO;
- No pointer arithmetic;
- GC enabled if possible;
- Force initialization of variables before use;
- No direct conversion between data types

Ada, Oberon, Modula-3, D, Spec# are a few examples of safe system programming languages with real OS written in them (except D).

Usually you can always do the same dirty tricks as C and C++ allow, but only via unsafe mechanisms, which you have to call explicitly, and it is very easy to constrain their usage to specific modules. Whereas in unsafe languages they can happen anywhere in your code.

Plus, in very performance critical code it is possible to disable some of the security checks if you so wish, but then you are at your own risk.

Reply Score: 3
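The checks in the list above, run as code. This is an added illustration for the thread, not code from any post or from the languages moondevil names (Ada, Oberon, Modula-3, D, Spec#); Rust is used here only because it enforces the same rules and is easy to run, and the input buffer is constructed for the example.

```rust
// Added illustration for this thread, not code from any post or project it
// names. Rust stands in for the safe system languages listed above; the
// buffer in main() is constructed for the example.
use std::convert::TryFrom;
use std::panic;

/// Bounds-checked read. `get` returns None for an index past the end instead
/// of returning whatever sits after the buffer, as `buf[idx]` does in C.
fn read_byte(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// The plain indexing operator is checked too: an index past the end panics
/// (the thread unwinds) rather than silently reading or writing out of bounds.
/// The panic is caught here so the outcome can be returned as a value.
fn index_panics(buf: &[u8], idx: usize) -> bool {
    panic::catch_unwind(move || buf[idx]).is_err()
}

/// No implicit narrowing: a u32 becomes a u8 only through TryFrom, which fails
/// for values that do not fit, where a C cast would quietly turn 300 into 44.
fn to_u8(n: u32) -> Option<u8> {
    u8::try_from(n).ok()
}

/// Strings are a real type: bytes that are not valid UTF-8 are rejected at the
/// boundary instead of being passed around as text.
fn as_text(bytes: &[u8]) -> Option<&str> {
    std::str::from_utf8(bytes).ok()
}

/// Pointer arithmetic and raw copies exist, but only inside an `unsafe` block,
/// which (as the post argues) can be confined to one small module and audited
/// there. The length clamp outside the block is what keeps the copy in bounds;
/// callers never see a raw pointer. (Initialization before use and the absence
/// of direct port I/O are compile-time rules in Rust, so there is nothing to
/// run for them.)
mod raw {
    pub fn copy_prefix(src: &[u8], dst: &mut [u8]) -> usize {
        let n = src.len().min(dst.len());
        // SAFETY: n is no larger than either slice, and the two slices cannot
        // overlap because one is borrowed immutably and the other mutably.
        unsafe { std::ptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr(), n) };
        n
    }
}

fn main() {
    // Constructed input for the example.
    let buf = [1u8, 2, 3];
    println!("read_byte(buf, 5) = {:?}", read_byte(&buf, 5));
    println!("buf[5] panics: {}", index_panics(&buf, 5));
    println!("to_u8(300) = {:?}", to_u8(300));
    println!("as_text([0xff]) = {:?}", as_text(&[0xff]));
    let mut dst = [0u8; 2];
    let copied = raw::copy_prefix(&buf, &mut dst);
    println!("copied {} byte(s) into {:?}", copied, dst);
}
```

The point of the `raw` module is the one the post makes: the only place a reviewer has to read with C-level care is the `unsafe` block, and everything else in the program gets the checks for free.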

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:43 UTC in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?


Those exploits take advantage of the fact that most JVMs are written in a mixture of C, C++ and assembly. So they exploit buffer overruns in the JVM, by providing invalid .class files, or in the native methods that do image manipulation, for example.

That is why there are a few research JVMs written in Java itself with minimal amount of C and assembly, like the Squawk and JikesRVM ones.

Reply Score: 3

RE[5]: Secure OS?
by joshv on Wed 31st Aug 2011 13:11 UTC in reply to "RE[4]: Secure OS?"
joshv Member since:
2006-03-18

Ah interesting, so a self-hosting VM based "safe" language could be considered to be safer than those that are hosted in a VM written in an unsafe language. Makes sense. Though I imagine there have to be some performance issues.

Reply Score: 2

RE[6]: Secure OS?
by moondevil on Wed 31st Aug 2011 15:17 UTC in reply to "RE[5]: Secure OS?"
moondevil Member since:
2005-07-08

It all depends on how everything is compiled in the end.

You might find this information interesting,

http://jikesrvm.org/Presentations
http://labs.oracle.com/projects/dashboard.php?id=155

Please note that Oracle labs are currently down.

Reply Score: 2

RE[7]: Secure OS?
by joshv on Wed 31st Aug 2011 16:37 UTC in reply to "RE[6]: Secure OS?"
joshv Member since:
2006-03-18

Yeah, I guess either you are stuck running your safe VM inside of a VM written in an unsafe language, or somehow creating a native compile of the VM from the safe language source - but then you have to worry about the safety of the compiler and the resulting object code.

Reply Score: 2

RE[3]: Secure OS?
by sakeniwefu on Thu 1st Sep 2011 15:20 UTC in reply to "RE[2]: Secure OS?"
sakeniwefu Member since:
2008-02-26

There is no language safer than C in a Unix-like environment, because their shortcomings are well understood by anyone who has taken the time to learn about them.

Saying that C isn't secure because of buffer overflows is a bit silly nowadays.

Memory corruption attacks are going the way of the dodo. The few still working rely on lazy implementations of exploit prevention technologies or evil designs such as self-modifying code and custom memory management. All high-level management decisions which can be fixed, or not far away from C level.

Most security bugs being talked about in OpenBSD misc@ and tech@ lists nowadays are logic bugs. Most actual exploits for other systems in the wild, exploit logic bugs.

Your hash function drops every other bit because of some logic error and anyone can login as root in about ten attempts? Your web server code uploads any file to a user-specified path, and has permissions for everything? A race condition in your file locks?
No problem, just use Haskell. Oh, wait...

Please tell me how your safe languages will help me.

About proofs, Donald Knuth had this to say.

"Beware of bugs in the above code; I have only proved it correct, not tried it."


It's easy to make something work as designed. It's harder to design something right, especially if you think you don't need to worry about security.

Edited 2011-09-01 15:22 UTC

Reply Score: 3
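One of the logic bugs the post lists, the web server that writes an upload to a user-specified path, written out in a memory-safe language to show that the language does nothing about it, beside the check that does. This is an added example, not code from any post or project in the thread; Rust stands in for "your safe language", the upload directory and file names are constructed, and nothing here touches the filesystem.

```rust
// Added illustration for this thread, not code from any post or project it
// names. Rust stands in for "your safe language"; the base directory and the
// file names are constructed for the example and nothing touches the disk.
use std::path::{Component, Path, PathBuf};

/// Constructed upload directory.
const UPLOAD_ROOT: &str = "/srv/uploads";

/// The logic bug from the post: the user-chosen name is joined to the upload
/// directory as is. The compiler is happy, the program "works as designed",
/// and "../../etc/passwd" walks out of the directory. An absolute name is
/// worse: Path::join discards the base entirely when its argument is absolute,
/// so "/etc/passwd" comes back unchanged.
fn upload_path_naive(base: &str, user_name: &str) -> PathBuf {
    Path::new(base).join(user_name)
}

/// The fix is a design decision, not a language feature: accept only plain
/// relative names made of ordinary components, and refuse everything else
/// (root, prefix and ".." components) instead of trying to clean it up.
fn upload_path_checked(base: &str, user_name: &str) -> Result<PathBuf, String> {
    let mut out = PathBuf::from(base);
    for comp in Path::new(user_name).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            other => return Err(format!("rejected path component {:?}", other)),
        }
    }
    if out.as_path() == Path::new(base) {
        return Err("empty file name".to_string());
    }
    Ok(out)
}

/// Lexical escape test for a candidate path. A bare starts_with is not enough:
/// "/srv/uploads/../../etc/passwd" does start with "/srv/uploads", so any
/// remaining ".." component has to count as an escape as well.
fn escapes(base: &str, candidate: &Path) -> bool {
    !candidate.starts_with(base) || candidate.components().any(|c| c == Component::ParentDir)
}

fn main() {
    // Constructed file names: two honest ones, two traversal attempts, one empty.
    for name in ["report.pdf", "2011/report.pdf", "../../etc/passwd", "/etc/passwd", ""].iter() {
        let naive = upload_path_naive(UPLOAD_ROOT, name);
        println!(
            "{:?}: naive -> {:?} (escapes: {}), checked -> {:?}",
            name,
            naive,
            escapes(UPLOAD_ROOT, &naive),
            upload_path_checked(UPLOAD_ROOT, name)
        );
    }
}
```

The check is purely lexical. It says nothing about a symlink that already sits inside the upload directory, and checking the path first and opening it afterwards is exactly the kind of race condition the post also lists; both are design problems again, and no bounds check will find them either.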

RE[4]: Secure OS?
by Alfman on Fri 2nd Sep 2011 19:26 UTC in reply to "RE[3]: Secure OS?"
Alfman Member since:
2011-01-28

sakeniwefu,

"There is no language safer than C in a Unix-like environment, because their shortcomings are well understood by anyone who has taken the time to learn about them."

I say this as a knowledgeable C developer...it is far easier to corrupt the process in C than many of the other languages around.

Even though I code very defensively, I sometimes end up writing bugs. These can be as "harmless" as following the wrong code path and functions returning wrong answers (these errors will happen in any language), or they can corrupt the heap and stack (these errors would have been prevented/caught with safe languages).

"Saying that C isn't secure because of buffer overflows is a bit silly nowadays."

C doesn't imply the existence of buffer overflows, however many languages do imply the non-existence of them.

I often prefer C nevertheless, but it takes a great deal of effort to make it safe under all conceivable conditions.

Reply Score: 2

RE[2]: Secure OS?
by pfgbsd on Wed 31st Aug 2011 19:27 UTC in reply to "RE: Secure OS?"
pfgbsd Member since:
2011-03-12

""What would an operating system look like it if were redesigned with security in mind?"

It would be OpenBSD then, that i use:)


Not really: OpenBSD doesn't have capabilities, doesn't use "safe" languages such as Ada, etc.
"

Capabilities or "safe languages" don't necessarily imply security. That said there are capabilities and safe languages implemented for OpenBSD but few people know about them.

Reply Score: 1

RE: Secure OS?
by Phucked on Wed 31st Aug 2011 10:37 UTC in reply to "Secure OS?"
RE: Secure OS?
by said1 on Wed 31st Aug 2011 13:47 UTC in reply to "Secure OS?"
said1 Member since:
2011-08-31

Talking of Unix like OSes as "Designed for Security" is a true oxymoron. Sandboxing and in depth code reviews a la OpenBSD don't help you very much when you have millions of lines of code running in kernel mode.
A far better choice would be a formally verified microkernel like seL4, where you don't even need that heavy sandboxing to properly isolate applications.

Reply Score: 1

RE[2]: Secure OS?
by renox on Wed 31st Aug 2011 14:20 UTC in reply to "RE: Secure OS?"
renox Member since:
2005-07-06

I agree with you, but 'better' is too strong, as don't forget that seL4 has quite a few drawbacks too:
1- the formally verified seL4 is much younger than OpenBSD.
2- it is proprietary: its source code isn't available.
3- to properly isolate applications on seL4, you don't need "heavy sandboxing" ok but I think that you need to use "capabilities" APIs: the number of applications which use such APIs is much smaller than POSIX/OpenBSD applications.

Reply Score: 2

RE[3]: Secure OS?
by said1 on Wed 31st Aug 2011 21:11 UTC in reply to "RE[2]: Secure OS?"
said1 Member since:
2011-08-31

I agree with you, but 'better' is too strong, as don't forget that seL4 has quite a few drawbacks too


Sure, and it has far more drawbacks. Even if you can build something similar on top of "vanilla" (ehm... pistachio) open-source L4, whose security affinity, even if not formally verified, is light years from monolithic kernels, it dramatically lacks whatever is needed for a barely usable OS.
It is a matter of concept. Linux, *BSD, with all the security-enabled bells and whistles such as PaX, W^X, SELinux and so on... I'd rather name them all "Adapted for Security" rather than "Designed".

Reply Score: 1

Comment by yoshi314@gmail.com
by yoshi314@gmail.com on Wed 31st Aug 2011 10:58 UTC
yoshi314@gmail.com
Member since:
2009-12-14

It is a nice concept, but it won't protect against exploits limited to a single application, especially the browser.

If someone exploits your browser into revealing your passwords, or tells it to wipe clean your home directory, it's possible it will succeed.

It won't escalate outside of the application's VM, but it's still a problem.

Filesystem damage can be alleviated with VM mechanisms or filesystem snapshots; private data leaks cannot.

It gets more interesting if you want to share a directory between two apps that are on different security levels and ensure that they can exchange the files, and protect against potential data damage in case each app is compromised/unstable.

Reply Score: 1

Which exactly OS is going to be reused?
by Temcat on Wed 31st Aug 2011 14:28 UTC
Temcat
Member since:
2005-10-18

A quote from Rutkowska: "So, in short, virtualization doesn't bring any security advantage by itself, but it allows for a brave redesign of the OS and yet to reuse all the applications and drivers in this radically-changed design. And this is exactly what we do in Qubes."

What I don't get so far is which OS exactly Qubes is based on so we can reuse its applications and drivers. Is it Windows, Linux, BSD? She does say that the Qubes desktop will be "as easy to use as Windows desktop", but this is different from saying that Qubes is based on Windows.

Reply Score: 2

Temcat Member since:
2005-10-18

OK, to answer to myself: Qubes is based on Linux, the official site is your friend :-)

Reply Score: 3

What would it look like ...
by pfgbsd on Wed 31st Aug 2011 19:23 UTC
pfgbsd
Member since:
2011-03-12

What would an operating system look like it if were redesigned with security in mind?


OpenBSD.

Reply Score: 0

RE: What would it look like ...
by pfgbsd on Wed 31st Aug 2011 19:29 UTC in reply to "What would it look like ..."
pfgbsd Member since:
2011-03-12

"What would an operating system look like it if were redesigned with security in mind?


OpenBSD.
"

Replying to my own comment .. the issue is that really secure Operating Systems don't do much: part of the security in OpenBSD consists of turning off anything that is not strictly necessary.

Reply Score: 2

RE: What would it look like ...
by bannor99 on Thu 1st Sep 2011 23:35 UTC in reply to "What would it look like ..."
bannor99 Member since:
2005-09-15

I don't think so. OpenBSD is secure mostly because the code is audited, which is tedious, and they try to adhere to best practices of coding for an insecure language.
IMO, redesigned for security means from the ground up.
It's the difference between a maximum-security prison and a fenced stockade with dogs and frequent prisoner checks.

In short, designed for security means it should be hard for you to accidentally create a security hole while still being completely functional.

Reply Score: 2

RE[2]: What would it look like ...
by Alfman on Fri 2nd Sep 2011 20:05 UTC in reply to "RE: What would it look like ..."
Alfman Member since:
2011-01-28

bannor99,

"I don't think so. OpenBSD is secure mostly because the code is audited, which is tedious, and they try to adhere to best practices of coding for an insecure languages."

I tend to agree that sometimes this is the best we can do, but security problems also stem from failure to keep a handle on complexity. Complexity is the enemy of security. How does OpenBSD stand next to linux in terms of complexity?


The ideal solution (in terms of security) would be for all components to be isolated and communicate through well defined (and enforced) IPC - essentially a microkernel.

"IMO, redesigned for security means from the ground up."

I put forward some ideas a while back while discussing Neolander's work. Starting with a safe language, we could build components whose isolation is enforced through the compiler instead of through MMU/CPU protection hardware. This would eliminate all the overhead traditionally associated with microkernel IPC. One component would pass around object references as efficiently as calling a local function. The compiler would be responsible for ensuring a buggy component couldn't corrupt another component in the same memory space. Since the references are isolated, variables are type safe, and arrays are bounds checked, even a malicious programmer is unable to mess with other components except through the well defined interfaces. And even those could be secured through policy.



Oh how I wish I could earn a living building it.

Reply Score: 2

bannor99 Member since:
2005-09-15

QNX seems to have been able to build a true microkernel OS that performs very well - how did they do it?

Complexity may be the enemy of security but you cannot do away with it completely so you must have safe designs, tools, languages, etc.

I think we chose the wrong path decades ago and we may never fully switch. What i mean was that the monolithic design prevailed because of its performance and we had to live with the bugs, security risks, crashes and system restarts.
The $100 billion question - would we have been better off to go microkernel and try to mitigate the performance deficit (which would improve quickly over time as hardware sped up by leaps and bounds every few years) or did we do right by choosing performance and having to live with the downsides of the monolithic design?

Reply Score: 2

Alfman Member since:
2011-01-28

bannor99,

"QNX seems to have been able to build a true microkernel OS that performs very well - how did they do it?"

I'm not very familiar with it at all, so I can't really say.


"Complexity may be the enemy of security but you cannot do away with it completely so you must have safe designs, tools, languages, etc."

Yea I know, but linux is an obvious example of where too much has gone into the kernel. Now every developer compiling the kernel has to weed through the most esoteric hardware in existence - and the self documentation doesn't even make clear who needs it - anyone who's compiled linux will recognize this problem.

They throw way too much into the kernel for the sake of it, not because of performance or because it makes any sense. Of course a lot of this is Linus' fault for steadfastly refusing to adopt a stable ABI/API which would allow devs to compile/distribute drivers outside of the kernel (even when they get linked back in at run time).

"I think we chose the wrong path decades ago and we may never fully switch. ... The $100 billion question - would we have been better of to go microkernel and try to mitigate the performance deficit"

I concur. The inefficiencies of a microkernel approach would have been worked out in hardware, but the complexity/insecurity of a macrokernel cannot be.

Reply Score: 2