[muyuu]

"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

Theo de Raadt, 2007

[hershel]

The idea behind qubes is to use the security properties of virtualization layers to enable a secure , easy to use system. Given that virtualization layers are relatively small ,code wise ,that's a good place to start.

Given that amazon uses xen in the EC2 platform(as many others), we're not only talking only about "worldwide collection of software engineers " but also of some serious commercial interests in it's security.

And XEN might not be the end point of that approach. There has been some research on formally verified hypervisors.While it's not 100% foolproof since you still have to depend on hardware security, which is a unknown(does intel cooperate with NSA?), that could give great assurances for system security.

[progman]

> does intel cooperate with NSA?

Intel and NSA are not the problem. The real problem are hackers who want to steal our bank accounts, or the commercial providers who want to have all our private data to sell it secretely. For such daily problems I consider Qubes a very good protection. It's very nice to be able to do banking or web browsing in isolated VMs. It's also nice to have insecure OS like Windows run almost securely in a VM.

[throwaway2048]

xen is over 100k lines of code, not counting the kind of interfaces software exposes using its APIs, and stuff like drivers.

its not small

[hershel]

You don't need to review all that code. From the qubes architecture document:

"it is possible to move all the drivers and driver backends out of Dom0. The same is true for moving the IO Device Emulator (ioemu) out of Dom0."

[throwaway7767]

Did anyone claim qubes does not have security holes? The point of qubes is not to "solve security", it's to make a useable everyday OS that offers better security than other general-purpose OSs. It does this by isolation and minimizing attack surfaces between moving parts.

EDIT: Here is some documentation that describes the security stance of the Qubes OS project. As you will see, being security-bug-free is not a goal, and in fact, the guiding principle is that all code has security bugs, hence everything is isolated to prevent escalation. http://files.qubes-os.org/files/doc/arch-spec-0.3.pdf http://qubes-os.org/trac/wiki/SecurityCriticalCode

[cottonseed]

I agree. Formal methods is the best technology I know of that has a hope of eliminating a large class of security vunerabilities. Projects like seL4 have a lot of promise: small, formally verified kernels or virtualization layers that provide separation and provable security guarantees.