Open Source OS Featuring "Throw Away" VMs Could Solve Your Security Problems
A new open source operating system features instant, disposable virtual machines could greatly lower the risk of malware to you
By Alan Shimel on Fri, 06/04/10 - 1:49pm.
A new open source operating system based on Linux and Xen is bringing a new approach to the malware and security issue. Using on the fly, disposable virtual machines, you can view photos, docs, music or other files in an isolated virtual machine that will prevent it from infecting your actual device.
The OS is called Qubes and is being developed by Invisible Things Lab and Joanna Rutkowska, perhaps most famous for developing the Blue Pill rootkit. Based on Linux and the Xen virtual machines, Qubes is aimed at those looking for a superior security solution in their OS.
Qubes is based on the security by isolation approach. Meaning even if there is something you download or click on, because the environment you are working in is isolated and there are no critical assets that can be reached via it, the potential damage is minimized. According to the FAQ at Qubes, there are two other approaches to security:
1. Security by Correctness
2. Security by Obscurity
Invisible Things Labs does not believe either of those two can provide the security needed in todays dynamic environments and that security by isolation is the only method that offers a chance of success.
The idea behind the disposable VM as detailed in Rutkowska's blog post this past week, is that when you have an attachment to an email, a video, music file or a web site to visit, you just start a disposable VM that would fire up in less than a second. This instant on VM would not have the ability to permanently store any data or access resources not specifically allowed in the throw away virtualized instance. On the other hand though this would prevent it from infecting or spreading any malware to you and others.
The throw away VM is not all there is to Qubes. It will make use of VM technology to run mulitple VMs with different levels of access and trust. It is due out later this year, but you can access early versions, the FAQ and Wiki at http://www.qubes-os.org
- About Open Source Fact and Fiction
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.
Most Discussed Posts
- Blog Roll
-
Network World, Inc
The Connected Enterprise