How big is the exposed surface of the sys-* VM templates?


David Shleifman

Dec 27, 2016, 3:02:29 PM
to qubes...@googlegroups.com
One of the great things about Qubes OS is the reduction of the surface
exposed to attacks [1]. The road to achieve this is discussed elsewhere [2].

Individual virtual machines such as sys-net, sys-firewall, and sys-usb
indeed limit the exposed surface. In Qubes 3.2 they are based on the
Fedora template. The exposed surface of this template is most likely
bigger than the exposed surface of the Fedora-minimal template [3].
What are the driving factors behind the decision to stick to the Fedora
template as opposed to the Fedora-minimal template? Has a template
with a smaller kernel ever been considered?


References
----------

[1] How is Qubes different from other security solutions? https://www.qubes-os.org/doc/user-faq/#how-is-qubes-different-from-other-security-solutions
[2] See for instance, Software compartmentalization vs. physical separation. http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
[3] Fedora - minimal. https://www.qubes-os.org/doc/templates/fedora-minimal/

Andrew David Wong

Dec 28, 2016, 2:31:45 AM
to David Shleifman, qubes...@googlegroups.com

(*Please* do not create duplicate threads. Copying my reply below.)

On 2016-12-27 12:02, 'David Shleifman' via qubes-devel wrote:
> One of the great things about Qubes OS is the reduction of the surface
> exposed to attacks [1]. The road to achieve this is discussed elsewhere [2].
>
> Individual virtual machines such as sys-net, sys-firewall, and sys-usb
> indeed limit the exposed surface. In Qubes 3.2 they are based on the
> Fedora template. The exposed surface of this template is most likely
> bigger than the exposed surface of the Fedora-minimal template [3].
> What are the driving factors behind the decision to stick to the Fedora
> template as opposed to the Fedora-minimal template? Has a template
> with a smaller kernel ever been considered?
>

We haven't decided to stick to the Fedora template as opposed to the
Fedora-minimal template. We offer both. The Fedora-minimal template is
only appropriate for users who are willing and able to install many
programs on their own. It is not suitable as a general use template or
as a default template since it does not contain any of the programs that
the vast majority of users expect to be able to use.

In short, it would be a UX and support nightmare to set the
Fedora-minimal template as the default. Many users would be confused and
frustrated about why even basic things like 'sudo' and 'vi' aren't
available.

On the other hand, more advanced users find the ability to have a blank
slate to work with very appealing for innumerable purposes. The
Fedora-minimal template is meant for these users.

>
> References
> ----------
>
> [1] How is Qubes different from other security solutions? https://www.qubes-os.org/doc/user-faq/#how-is-qubes-different-from-other-security-solutions
> [2] See for instance, Software compartmentalization vs. physical separation. http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
> [3] Fedora - minimal. https://www.qubes-os.org/doc/templates/fedora-minimal/
>

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
