
Qubes: security by virtualization

Posted May 6, 2010 13:02 UTC (Thu) by pcampe (guest, #28223)
Parent article: Qubes: security by virtualization

The article fails to explain why (if) Qubes is better than KVM+SELinux, i.e. sVirt (http://selinuxproject.org/page/SVirt). Does anyone have a clearer picture?


Qubes: security by virtualization

Posted May 6, 2010 15:04 UTC (Thu) by davecb (subscriber, #1574)

It's an independent reinvention of MAC, implemented by virtualization. Which is amusing, as the Solaris "zones" virtualization is derived from Trusted Solaris MAC (;-))

I expect two things
- additional similar reinventions both v->m and m->v
- a later realization that they're the same problem

and just perhaps
- a push from Linus to make MAC and KVM converge (;-))

--dave

Qubes: security by virtualization

Posted May 6, 2010 15:24 UTC (Thu) by davecb (subscriber, #1574)

Whoop! My error, you're already *doing* the combination.

--dave

Qubes: security by virtualization

Posted May 7, 2010 1:49 UTC (Fri) by jamesmrh (guest, #31622)

sVirt can't protect against a kernel bug in the host -- if a guest breaks out and exploits a host kernel bug, then it's game over.

We are looking at ways to help mitigate this.

Qubes: security by virtualization

Posted May 7, 2010 7:50 UTC (Fri) by pcampe (guest, #28223)

Partially correct, because a MAC could protect against such an attack if the MAC function in the kernel is working properly and the policy has no black holes (of course, you could have some kernel bugs that prevent MAC from enforcing the defined security policy when complex interactions between host and guests happen).

Otherwise, you'd better have a hypervisor with a minimal footprint, which at least reduces the attack surface; but Qubes is using Xen, so it could expose the same target with the same (known or latent) vulnerabilities.
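The thread turns on whether the MAC confinement sVirt promises is actually applied to every guest. The check below is an added example, not code from the thread or from the sVirt project: it parses `ps -eZ`-style output and reports qemu processes that are not running under `svirt_t`, that carry no MCS categories, or that share a category pair with another guest (sVirt's isolation between guests depends on each one getting its own pair). The sample output, the `qemu-kvm` process name and the `audit_svirt_labels` / `is_isolated` function names are constructed for this example.

```python
import re

# Constructed sample of `ps -eZ` output from a libvirt/sVirt host
# (label, pid, tty, time, command). Not captured from a real machine.
SAMPLE_PS_EZ = """\
system_u:system_r:sshd_t:s0-s0:c0.c1023        812 ?  00:00:00 sshd
system_u:system_r:svirt_t:s0:c118,c409        4212 ?  00:01:02 qemu-kvm
system_u:system_r:svirt_t:s0:c118,c409        4213 ?  00:00:00 qemu-kvm
system_u:system_r:svirt_t:s0:c11,c942         4301 ?  00:00:41 qemu-kvm
system_u:system_r:unconfined_t:s0             4399 ?  00:00:03 qemu-kvm
system_u:system_r:svirt_t:s0                  4450 ?  00:00:09 qemu-kvm
"""

# user:role:type:level, then pid, tty, cputime and command name.
LINE_RE = re.compile(
    r"^(?P<user>\w+):(?P<role>\w+):(?P<type>\w+):(?P<level>\S+)"
    r"\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<comm>\S+)$"
)


def parse_ps_ez(text):
    """Return one dict per parseable process line."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            procs.append(d)
    return procs


def audit_svirt_labels(text, guest_comm="qemu-kvm"):
    """Check that every guest process is confined by sVirt.

    sVirt labels each guest as svirt_t with a sensitivity plus two random
    MCS categories (e.g. s0:c118,c409); guests must not share categories.
    """
    findings = {"unconfined": [], "no_categories": [], "shared_categories": []}
    by_categories = {}
    for p in parse_ps_ez(text):
        if p["comm"] != guest_comm:
            continue  # only guest processes are subject to this policy
        if p["type"] != "svirt_t":
            findings["unconfined"].append(p["pid"])
            continue
        # "s0:c118,c409" -> "c118,c409"; a bare "s0" has no categories
        cats = p["level"].split(":", 1)[1] if ":" in p["level"] else ""
        if not cats:
            findings["no_categories"].append(p["pid"])
            continue
        by_categories.setdefault(cats, []).append(p["pid"])
    for cats, pids in by_categories.items():
        if len(pids) > 1:
            findings["shared_categories"].append((cats, sorted(pids)))
    return findings


def is_isolated(text, guest_comm="qemu-kvm"):
    """True only when no finding of any kind was produced."""
    return not any(audit_svirt_labels(text, guest_comm).values())


if __name__ == "__main__":
    for kind, items in audit_svirt_labels(SAMPLE_PS_EZ).items():
        print(f"{kind}: {items}")
    print("isolated:", is_isolated(SAMPLE_PS_EZ))
```

Run on a live host with `ps -eZ | python3 audit.py` after replacing `SAMPLE_PS_EZ` with `sys.stdin.read()`. As pcampe notes, a clean result only shows the policy is being applied; it says nothing about a host kernel bug that lets a guest bypass the enforcement itself.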


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds