 Thanks for coming Can I get my slides? Yeah, the cubes OS is the project we've been working on for some time It's a reasonably secure desktop OS. It's supposed to be a reasonable reason. I'll be secure desktop OS and it implements security by compartmentalization approach It's important to realize that cubes is not really a hypervisor It just is a user of a hypervisor or VMM, which currently happens to be Zen It's also not a Linux distro. If you really want to call it a distro, it's a Zen distro in that case So why we do it? We do it because we really need secure client systems and when I say client I mean phone desktop tablet laptop I'll be using a desktop in this presentation desktop client all means the same to me So we really need secure client systems It's because client systems are really our eyes, ears and fingertips because if our client system is compromised Then really there is no security however secure your Cloud your crypto your network protocols might be If your client system is compromised It's just the game over because the client system and the malware that is there can see your screen Can simulate your keyboard so your actions, etc so we really need secure client systems and the problem we have is that Present client systems are not really secure or totally insecure actually some problems that we have today and Those problems are not going away attacks coming to Otherwise decent applications such as web browsers or PDF readers To an exploit so we open a malicious PDF that exploits some buffer overflowing PDF reader or Microsoft Office or Libre Office or whatever and you get owned Attacks coming to malicious applications that we just accidentally installed some spyware backdoors, whatever Attacks coming to USB devices Which might be untrusted because they might be having a Phi system with malformed metadata or maybe malformed partition table Which just happens to be exploiting some hypothetical back in kernel Phi system module or maybe they have a malicious firmware even as some some recent Proof of concepts shown shown this year Attacks coming through networking stacks. So all the Wi-Fi drivers and stacks DHCP client like a few weeks ago Paschal EPS The HCP client exploit probably many of you were worrying about this problem It's not like the problem suddenly appeared just two weeks ago It's been here for years and it is here to stay Attacks coming to That they just said Phi system metadata volume metadata lack of GUI isolation Whether it's linux xorg Whether it's macOS 10 whether it's windows. There's essentially no GUI isolation. So if I have a stupid Tetris game running alongside my Email client where I which I use for my sensitive encrypted email the stupid Tetris application Can just request to see the screenshot of the content of my email client window. This is just wrong so these are Fundamental problems that we see on desktop systems and There is really no good protection against those probably it should be obvious to you that Patching or trying to find all the bugs in kernel or the Phi systems or the drivers such or the applications is just not feasible It's also important to realize that security challenges with Related with desktop systems are quite different from those on servers It's my impression that lots of people doing security, especially on linux. They still have this kind of server oriented thinking and One important problem is that monolithic systems are generally hard to secure Especially desktop systems Monolithic kernel is bad for security because when we think about it why all these things Why Wi-Fi drivers stacks, bloated drivers stacks, USB drivers stacks All the various exotic APIs and subsystems why all these things should be part of the TCB. I mean why I Really come from a different background. I'm coming from security not from open source background. So When I look at this, of course, it's not linux specific the same windows the same OS 10 It's a myth that OS 10 is a micro kernel from security point of view. It is not So that's pretty concerning The monolithic is not only about the kernel It's also about the rest of the system. So I use the term monolithic system GUI server Again another monolithic creation x orc with its x protocol and it's a whole code base It's I can bet full of exploitable bugs And you don't really need a bug because as just previously said there is no effective GUI isolation So it's perfectly Legal for an application to request a screenshot of other applications various other systems services Especially on a desktop system and it by the way it is Irrelevant whether for example our X server is rootless Because Whether it's part of the system tcb or not is not so relevant when we do when we consider a user data point of view The X orc might be running not as wrote still has access to all the application window contents so monolithic for me from the security point of view means bloated complex difficult to understand and Manage manage so to decide which parts of the system can communicate with which ones and which should not because some of them are trusted Some of them are not okay, so how do we how do we solve those those problems? Security by compartmentalization as I just mentioned That's an obligatory cubes architecture slide So we have a some thin hypervisor which actually happens to be then We have Appvm's where user applications and data are and we have some system service domains For example for net networking stocks and usb stocks, so it's net vm usb vm And we have secure admin and GUI domain so there is So yes, we use virtualization to isolate domains. That's a very good question to ask Why would virtualization why would VMs be any better isolated from each other than normal processes Is there something wrong with with good old? Memory management unit with ring 3 ring 0 separation. Have you ever heard about an exploit that would be exploiting ring 3 to ring 0 Escalation on Intel processors. They have not and obviously if we think about us then we can have a We can conclude that perhaps a virtualization is not the best thing to do because just adding another layer layer of complexity Does not it's not going to solve any problem, right? However virtualization offers two important properties First of all it allows to reduce the interfaces Especially the VM hypervisor the VM TCP interface So instead of implementing all the exotic APIs instead of exposing all those drivers all those having all those five system modules and God knows what else in the in the TCP. We don't have them the hypervisor. Just just the CPU memory device maybe virtualization And a few other things That's like almost nothing At the same time virtualization allow us to preserve legacy compatibility with legacy apps and drivers And that's extremely important because if we are going to change The system API nobody is going to use our system So these are two key properties of of why we use virtualization But before we get too excited about how great virtualization is It's important to realize realize that the VM hypervisor interface that we are shrinking or reducing It is not the only interface of concern So here is a simple example Let's say we have two VMs and they are so well separated using hardware and forced virtualization right very strong isolation Very thin hypervisor Then or maybe some micro kernel or separation kernel, whatever now imagine that we are adding some Intervm service Oh, because perhaps somebody wanted to do file sharing and edit SMB server there or maybe it's a Graphics virtualization Maybe this this thing that the rectangle complex input processing code. Maybe this is the GPU back-end Or maybe that's even storage back-end. That is just smart and does all kinds of Copy and write and other optimizations whatever That's a typical picture on many virtualization systems We add some complex back-end or code and expose it through a complex protocol to other VMs So now if it happens to be that there is some malware on the Orange VM It might just exploit some hypothetical Software bug like buffer overflow in this complex input processing code Totally regardless of whether this is running under Zen Micro kernel whatever and of course This means that The separation is no longer so strong. That's pretty weak So the lesson from this is that we should not get too excited about hardware virtualization Because again virtualization is really nothing magic when it comes to security Besides that it reduces interfaces and preserves compatibility except for IMMU, which I discussed later and Where we should really be careful about it what we should really be careful about are the inter VM interfaces and The code that handles Inter VM services or communication There are some questions you might ask your virtualization Solution vendor how they do device emulation. What is QMU? Is it part of the TCB? How is networking storage virtualization done? Are are the back-ends part of the TCB or not part of the TCB? They should not be Usb virtualization the same GUI virtualization. Well, if you see a GPU or especially OpenGL or DirectX being exposed to untrusted VMs Chances are high that this totally negates today negates the isolation Generally, how is the inter VM communication framework done? How is for example file copy done between VMs? Does it require running? NFS or SMB between two VMs or is it done smarter? So I just said the virtualization is nothing special. It's just practical However, there is one One important technology that I should mention That has been it's not really virtualization per se, but has been introduced together with virtualization extensions on on Intel and AMD and that is of course IOMMU Which on Intel is called VTD. It is important not to confuse VTD with VTX VTX is just a CPU virtualization So it allows for truly the privileged driver domains and Zen was probably pioneer in Probably still is in in using driver domains using IOMMU Allows us to have net VMs and usb VMs and by the way There's been a debate about Micro kernels some years ago whether micro kernels or monolithic kernels Micro kernels without IOMMU makes no sense From the security point of view because without IOMMU you cannot have Truly untrusted driver domains or processes So net VM That's what we have in cubes by default you put all your Wi-Fi and other stocks in a you know the privileged networking domain and This makes you feel good when you use a Wi-Fi at airport or in the hotel or at the conference Because you don't have to worry about all the potential attacks there DHCP client for example a recent attack Similarly we can have a USB VM in cubes. There's just a few clicks and you can have it If that USB makes you feel uneasy that's a nice solution So the picture just shows it We have some extremes we have a monolithic system on the left or Everything essentially runs as the same proof at the same privilege again I'm talking about monolithic system not just the kernel On the right extreme we see Powered down air gaps the totally useless Fault experiment right just turned off machines, but they are very secure and somewhere in the middle We try to position cubes. We try to find a good balance between security and usability and cubes really offers lots of flexibility in in it allows to Gees slide you to treat it as a slider somehow and just move it from one extreme to the other So quickly about the status release one 2010 2012 release two Just released last month release three is coming Release two implements everything we just talked about you can go to cubes OS that are all a cubes OS the torque and and and read lots of dogs and Go to mailing list and and download the eyes either We use Fedora 20 as a primary template We also have Debbie and our clean oaks templates for those of you who who don't like Fedora Our dom zero is currently based on Fedora 20 But it should really be irrelevant to you because there are there are really no user apps or data in dom zero Dom zero in our case is just a dump in terminal We also have support for Windows 7 base VMs But of course you must install windows and provide licensing key so it's a Besides just being a collection of VMs Where really cubes strength can show off is in when you Write an application specifically for cubes. For example, we have pretty nicely implemented integrated Tor VM Since 2012 and right now there is another work going on by the Hoonig's people who are porting Hoonig's to cubes OS It's very nice because you can You can get some advantages of isolation and at the same about at the same time From our very simple and we think a very secure inter VM communication framework Same securing email. It's also another example. For example, we have attachments that allows plugins that allows you to Open attachments in disposable VMs We can we have a little plug in Application for split GPG where you can put your private keys in an offline VM Etc. Our Release tree is what is coming soon. We already started working on it last year the primary new feature there is the introduction of hyper hypervisor abstraction layer Which will allow you to easily Switch then for KVM Linux containers perhaps even if you really want that for performance or perhaps Microsoft HyperV even Perhaps we're gonna do some commercial spin-offs Or perhaps some academic exotic micro kernel for elimination of already reduction of cooperative cover channels or side channels We also have reworked architecture so There's the website there's the master key fingerprint. There's this video video tape So it's an evidence. There's the fingerprint and also if you're interested we have a session at this afternoon to our introduction to cubes where we show Various practical things life and how to set up different things and also intro for developers were cubes Okay, thank you very much