September 05, 2012, 12:02 PM — The first stable version of Qubes OS, an open source desktop operating system designed to provide a greater level of security by isolating programs inside virtual machines with different permissions, was released Monday by Polish security firm Invisible Things Lab (ITL).
The ITL team led by CEO Joanna Rutkowska, a security researcher best known for her work in the area of low-level system security, has been developing Qubes OS for the past three years. Since Monday, version 1.0 of the operating system can be downloaded from the project's website.
Qubes OS follows a "security by isolation" design principle. Applications can be configured to run inside different "security domains" defined by the user and which are implemented as lightweight virtual machines (VMs) with separate security policies.
For example, a user could run separate instances of the same browser in their personal domain, work domain, online banking domain, each with different permissions and access to different data.
This doesn't make the browser less vulnerable to known exploits, but it can limit what attackers can do if they compromise it.
"A hypothetical exploit for your favourite web browser would work against Firefox running inside one of the Qubes VMs just as well as it worked for the same browser running on normal Linux," Rutkowska said Monday in a blog post. "The difference that Qubes makes, is that this attacked browser might be just your for-personal-use-only browser which is isolated from your for-work-use-only-browser, and for-banking-use-only-browser."
Files and text can be copied between different security domains, but these operations were implemented in a way that requires user confirmation in order to limit what an attacker can do with a compromised domain.
Users can also create so-called "disposable VMs" for opening files from untrusted sources or performing other one-time tasks that might pose security risks.
The Qubes security model is somewhat similar to that of iOS or Android, operating systems that also isolate applications inside a sandbox and ask users to grant them different permissions.
However, Qubes offers more flexibility and doesn't rely as much on security choices made by its developers. Because of this, users are expected to be able to take security decisions on their own, like what security domains to create, what restrictions to apply to them and what applications to run inside each of them.