Jams, Cans, and Qubes
Kyle Rankin
VP of Engineering Operations
Final, Inc.
Agenda
- Introduction
- Preserving Against Infection
- Jams: Before Compartments
- Cans: Military-grade Security
- Qubes: Personal Preservation
- Proper Labeling
- Changing Recipes
- Disposable Security
- Advanced Persistent Threats
- Self-Preservation
- Questions?
Introduction
- Security feels like a modern topic...
- But security is nothing new
- Computer security borrows metaphors all the time
- We can learn a lot about computer security from other disciplines
- One of the most fundamental: food
- This talk: apply how we protect food from infection to computers
- Specifically: Security by compartmentalization with canning and Qubes.
Preserving Against Infection
- Computer and culinary history are the stories of a war against infection
- Tools and techniques have advanced with technology
- General idea:
  - Kill existing infection
  - Identify new infection
  - Block/slow down new infection
- Countermeasures have historically been crude:
  - Cooking, curing, cooling, using senses
  - Passwords, anti-virus/IDS, firewalls
- Sometimes you can use one infection to stop another:
  - Fermenting, cultures
  - Honeypots.
Jams: Before Compartments
- Traditional desktops put everything in one compartment
- Jams predate canning:
  - Jams were used until infected, then replaced
  - Like Windows desktops
- Infections spread easily when everything is together
- Infection becomes a fact of life, and a matter of time.
Cans: Military-grade Security
- Napoleon's 12,000 franc DARPA challenge: preserve large amounts of food, cheaply
- Nicolas Appert discovered that food cooked in sealed jars didn't spoil
- Army started using cans to transport food
- No one knew why it worked for 50 more years
- Military networks have long been compartmentalized
- Classified networks isolated from riskier, untrusted networks
- Both still required more technology than people had at home.
Qubes: Personal Preservation
- Home canning jars brought preservation to everyone
- Boiling water used to sterilize jar, create vacuum
- Protects from infection until opened
- Infections are contained to individual jars
- Qubes uses Xen VMs to the same effect on the desktop
- Assign files/applications to different VMs (appVMs)
- All VM application windows appear on one central desktop
- Network isolation/firewalling via netVMs
- Compromises limited to files on infected VM.
Proper Labeling
- When compartmentalizing, labeling becomes important
- What is this?
- Color provides a clue
- With Qubes you often have multiple browsers open at once
- Qubes lets you assign VMs colors based on levels of trust
- Windows colorized with trust level, labeled with VM name
- Gives visual cues that stop you from pasting secrets into untrusted VMs
- More difficult for untrusted VMs to spoof trusted dialogs.
Changing Recipes
- Canning preserves contents from time of canning
- Jam from same batch should taste the same in every jar
- To change contents, change recipe and make a new batch
- Qubes appVMs persist only /home, /usr/local, /rw
- Root fs based on powered-off TemplateVM
- Most services (like cron) off by default
- Makes it hard for malicious applications to persist
- To install/update app, install in template, then reboot appVM
- Standalone VMs allow persistent root.
Single Serving Security
- Sometimes risk of infection is too high to reuse a jar
- Communal jam at a restaurant gets infected fast
- Single-serving jam lets you throw it away when you are done
- Qubes disposable VMs are single-use, throwaway VMs for risky activity
- Can open files from appVM into dispVM with CLI/GUI
- File is copied, opened in dispVM, any changes can be saved back to appVM
- When window closes, VM contents are erased
- Ideal for opening email attachments, visiting questionable websites
- Some Qubes users do everything within dispVMs.
Advanced Persistent Threats
- Some infection risks require extra countermeasures
- Botulism spores don't need air, survive boiling water temps
  - Killed by high acidity in jams, pickles
  - Otherwise must use pressure cooker to raise temp high enough
- Qubes provides trusted "vault" appVM w/ no network
- Store GPG keys, password vaults, bitcoin wallets there
- Qubes's split-GPG turns it into a poor man's HSM
- usbVM grabs all USB controllers, prompts to share input devices
- Protects against malicious USB keys.
Self-Preservation
- Untrusted appVM for normal web browsing
- Separate appVM for authenticated web browsing
- Use vault, usbVM, dispVM for email attachments
- "Finance" VM for online banking
- appVM for Facebook over Tor
- proxyVMs to VPN to dev/prod environments
- dev/prod appVMs with separate SSH keys
- Use restrictive firewall rules for most VMs
- When in doubt, use dispVM.
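The layout on this slide, written out as the dom0 commands that would build it; this is an added example, not code from the talk or from the Qubes project. It assumes the Qubes 4.x argument forms of qvm-create, qvm-prefs and qvm-firewall shown below (firewall rules are evaluated in order, with the default accept-all rule removed first; check them against your release's qvm-firewall --help), and the template name and hostnames are constructed placeholders.

```python
"""Provision a trust-compartmentalized Qubes layout as dom0 commands (dry run by default).
Assumes Qubes 4.x qvm-* syntax; template name and hostnames are placeholders."""
import subprocess

TEMPLATE = "fedora-template"   # placeholder: substitute your own TemplateVM name

# name -> (trust colour, NetVM or None for no network, HTTPS hosts allowed by the
#          firewall, or None to leave the firewall unrestricted)
LAYOUT = {
    "untrusted": ("red",    "sys-firewall", None),                  # casual browsing
    "personal":  ("yellow", "sys-firewall", None),                  # authenticated browsing
    "finance":   ("green",  "sys-firewall", ["bank.example.com"]),  # online banking only
    "vault":     ("black",  None,           []),                    # keys, password DB: no network
    "dev":       ("blue",   "sys-vpn-dev",  ["git.example.com"]),   # reached only via dev proxyVM
}

def firewall_rules(name, hosts):
    """Deny-by-default rule set: reset, drop the default accept-all rule (rule 0),
    allow TCP/443 to each listed host, then end with an explicit drop."""
    cmds = [["qvm-firewall", name, "reset"],
            ["qvm-firewall", name, "del", "--rule-no", "0"]]
    for host in hosts:
        cmds.append(["qvm-firewall", name, "add", "accept",
                     f"dsthost={host}", "proto=tcp", "dstports=443"])
    cmds.append(["qvm-firewall", name, "add", "drop"])
    return cmds

def plan(layout=LAYOUT, template=TEMPLATE):
    """Return the ordered dom0 commands (argv lists) that build the layout."""
    cmds = []
    for name, (color, netvm, hosts) in layout.items():
        if netvm is None and hosts:
            raise ValueError(f"{name}: an allow-list is meaningless without a NetVM")
        cmds.append(["qvm-create", "--template", template, "--label", color, name])
        # an empty netvm value detaches the qube from any network (the vault case)
        cmds.append(["qvm-prefs", name, "netvm", netvm or ""])
        if hosts is not None:
            cmds.extend(firewall_rules(name, hosts))
    return cmds

def apply(layout=LAYOUT, dry_run=True):
    """Print the plan; execute it in dom0 only when dry_run is False."""
    for argv in plan(layout):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    apply()   # review the printed commands, then rerun with dry_run=False in dom0
```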
Questions?
Additional Resources