Qubes OS 3.2 | eeepc901's Blog

Qubes OS 3.2

8 October 2016

Qubes OS


Qubes OS is a security-oriented desktop Linux distribution based on Fedora. The distribution uses lightweight Xen virtual machines to implement isolation through domains.

Version 3.2

This release includes:

This is an incremental improvement over the 3.1 version that we released earlier this year. A lot of work went into making this release more polished, more stable and easier to use than our previous releases.

One major feature that we’ve improved upon in this release is our integrated management infrastructure, which was introduced in Qubes 3.1. Whereas before it was only possible to manage whole VMs, it is now possible to manage the insides of VMs as well.

The principal challenge we faced was how to allow such a tight integration of the management stack (for which we use Salt) with potentially untrusted VMs without opening a large attack surface on the (complex) management code. We believe we found an elegant solution to this problem, which we’ve implemented in Qubes 3.2.

We now use this management functionality for basic system setup during installation, for preparing our automatic tests, and for applying various custom configurations. In the future, we envision a simple GUI application allowing users to download ready-to-use Salt recipes for setting up various things, for example:

  • Pre-configured apps optimized to take advantage of Qubes’ compartmentalization, such as Thunderbird with Qubes Split GPG
  • UI and system-wide customizations for specific use cases
  • Corporate remote management and integration

These features are planned for the upcoming Qubes 4.x releases.

In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes!

Qubes has supported the sandboxing of USB devices since the very beginning (2010), but the catch has always been that all the USB devices connected to the same USB controller had to be assigned to the same VM. This limitation was due to the underlying hardware architecture (specifically, PCIe and VT-d technologies).

We can now get around this limitation by using software backends. The price we pay for this, however, is increased attack surface on the backend, which is important in the event that several USB devices of different security contexts are connected to a single controller. Sadly, on laptops this is almost always the case. Another potential security problem is that USB virtualization does not prevent a potentially malicious USB device from attacking the VM to which it is connected.

These problems are not inherent to Qubes OS. In fact, they pose an even greater threat to traditional, monolithic operating systems. In the case of Qubes, it has at least been possible to isolate all USB devices from the user’s AppVMs. The new USB passthrough feature gives the user more fine-grained control over the management of USB devices while still maintaining this isolation. Nonetheless, it’s very important for users to realize that there are no “automagical” solutions to malicious USB problems. Users should plan their compartmentalization with this in mind.

We should also mention that Qubes has long supported the secure virtualization of a certain class of USB devices, specifically mass storage devices (such as flash drives and external hard drives) and, more recently, USB mice. Please note that it is always preferable to use these special, security-optimized protocols when available rather than generic USB passthrough.

Eye-candy-wise, we have switched from KDE to Xfce4 as the default desktop environment in dom0. The reasons for the switch are stability, performance, and aesthetics, as explained here. While we hope the new default desktop environment will provide a better experience for all users, Qubes 3.2 also supports KDE, awesome, and i3 window managers.

Resources

The distribution can be downloaded from:

The distribution's website is: http://qubes-os.org/

Screenshot

Qubes OS 3.0


Conclusions

You can upgrade from the previous version, although a reinstallation is recommended.
