Comment by fsflover
4 years ago
The only practical security is security through isolation, like what Qubes OS provides. Security through correctness is impossible.
With Qubes you are depending on the correctness of the VM and whatever hardware it is running on. Modern chips are really complex.
The only perfectly secure computer is one that is off. Security is always about probabilities and trade-offs. As you approach perfection, cost approaches infinity. It’s similar to adding “nines” to your uptime.
A good security policy balances cost with security and also has plans in place for what to do if security is compromised.
More security nihilism.
I'm not saying security is impossible, just that there are trade-offs, especially as you try to approach some mythical "perfection."
Stupid question: how do you know your isolation is correct?
Not a stupid question at all. Nothing is 100% correct. Instead, you look at the attack surface, which for Qubes is extremely small: no network in AdminVM, only 100k lines of code in the Xen supervisor, hardware virtualization with an extremely low number of discovered escapes, and so on.
Xen is bloated and has a security hole history. This also ignores the size of the Linux acting as dom0, that is.
The only correct answer is formal reasoning, as successfully executed by seL4.
You test for it with rigor and incorporate new learning, just like every other engineering discipline.
There have been Qubes-breaking bugs in Xen before, and it wouldn't be surprising to see more.
You seem to have missed the point of the article completely.
We can’t achieve perfect security (there’s no such thing). What we can achieve is raising the bar for attackers. Simple things like using memory-safe languages for handling untrusted inputs, least-privilege design, defense in depth, etc.
Memory-safe languages are good, but decreasing the attack surface through compartmentalization is much more reliable I think.