Starting applications in different AppVMs is just as easy as usual.
In this example, the word processor runs in the “work” AppVM, which has the “green” label assigned and is fully isolated from the other AppVMs: the “random” AppVM (“red” label) used for random Web browsing, news reading, etc., and the “shopping” AppVM used for online shopping, hotel reservations, etc. Apps from different AppVMs have different X servers, filesystems, etc. Notice the different colored frames (labels) and VM names in the titlebar -- these are drawn by the trusted Window Manager running in Dom0, and apps cannot overwrite the frame color or their VM name.
Qubes uses very lightweight VMs and allows running many of them at the same time, even on machines with a small amount of RAM. A typical AppVM consumes between 200-400 MB of RAM and can still run Firefox, Thunderbird, and Open Office at the same time. This is possible because there isn’t any desktop environment, such as KDE or GNOME, running in an AppVM, only a very small X server with a dummy driver.
Qubes supports secure copy-and-paste operations between AppVMs. Only the user can initiate a copy and paste operation, using a special key combination (Ctrl-Shift-C/V). Other AppVMs have no access to the clipboard buffer, so they cannot steal data from the clipboard. Only the user decides which AppVM should be given access to the clipboard (this is done by selecting the destination AppVM’s window and pressing the Ctrl-Shift-V combination).
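The access-control rule described above, modeled as a small simulation (added here as an illustration; this is not Qubes code): each AppVM only ever sees its own clipboard, the global clipboard lives in Dom0, and only the two user key combinations move data between them. The VM names and clipboard text are constructed, and wiping the global clipboard after a single paste is an assumption of the model, not something the page states.

```python
from dataclasses import dataclass

@dataclass
class AppVM:
    """An AppVM with its own private clipboard (its own X server in Qubes)."""
    name: str
    label: str
    clipboard: str = ""

class Dom0:
    """Trusted domain. Holds the global clipboard; only user key combos move data."""
    def __init__(self):
        self.global_clipboard = None   # (source VM name, text) or None
        self.focused = None            # AppVM whose window has keyboard focus
        self.log = []                  # record of user-initiated transfers

    def focus(self, vm: AppVM):
        self.focused = vm

    def user_ctrl_shift_c(self) -> bool:
        """User pressed Ctrl-Shift-C: focused VM's clipboard -> global clipboard."""
        if self.focused is None:
            return False
        self.global_clipboard = (self.focused.name, self.focused.clipboard)
        self.log.append(("copy", self.focused.name, None))
        return True

    def user_ctrl_shift_v(self) -> bool:
        """User pressed Ctrl-Shift-V: global clipboard -> focused VM, then wiped.
        (Wiping after a single paste is an assumption of this model.)"""
        if self.focused is None or self.global_clipboard is None:
            return False
        src, text = self.global_clipboard
        self.focused.clipboard = text
        self.global_clipboard = None
        self.log.append(("paste", src, self.focused.name))
        return True

def vm_reads_clipboard(vm: AppVM) -> str:
    """What a program inside `vm` can see: only its own clipboard.
    Nothing here reaches Dom0's global clipboard; a VM has no such interface."""
    return vm.clipboard

def demo():
    dom0 = Dom0()
    work = AppVM("work", "green", clipboard="Q3 budget draft (constructed)")
    random_vm = AppVM("random", "red")
    shopping = AppVM("shopping", "yellow")   # label is constructed for the demo
    dom0.focus(work); dom0.user_ctrl_shift_c()
    leaked = vm_reads_clipboard(random_vm)    # "" : the red VM sees nothing
    dom0.focus(shopping); dom0.user_ctrl_shift_v()
    return leaked, vm_reads_clipboard(shopping), dom0.user_ctrl_shift_v(), dom0.log
```

The Dom0 log is the defender's view: every cross-VM transfer is user-initiated and attributable to a source and destination VM.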
Qubes also supports secure file copying between AppVMs. The screenshots above illustrate the steps a user would take to copy her files from the “work” AppVM to the “vault” AppVM (here the “vault” VM is a special secure storage VM with no network access, used to keep various important documents that are no longer needed on a daily basis, e.g. old, completed projects).
Qubes AppVMs (and Service VMs) do not consume much CPU when they are idle...
All the networking runs in a special, unprivileged NetVM (notice the red frame around the NetworkManager dialog box on the screen above). Thanks to this, a potential compromise of your network card driver, or WiFi stack, or DHCP client, would not affect the integrity of the rest of the system! This feature requires Intel VT-d hardware (e.g. Centrino 2 laptop, or Core i5/i7 system).
It is always clearly visible which AppVM a given window belongs to. Here it’s immediately clear that the passphrase-prompting window belongs to some AppVM with the “green” label. Then, when we look at the titlebar, we see “[work]”, which is the name of the actual AppVM. Theoretically, the untrusted application (here, the “red” Firefox) beneath the prompt window could draw a similar-looking window within its contents. In practice this would be very hard, because it doesn’t know e.g. the exact decoration style that is in use. However, if that is a concern, the user can simply move the more trusted window onto some empty space on the desktop, so that no other window is present beneath it. A malicious application from an untrusted AppVM cannot spoof the whole desktop, because the trusted Window Manager will never let any AppVM “own” the whole screen -- its titlebar will always be visible.
Qubes lets you update all the software in all the AppVMs at once, in a centralized way. This is possible thanks to Qubes’ unique Template VM technology.
Copyright (c) 2010 Invisible Things Lab. All rights reserved.