One of my favorite jokes about security people is that you can divide them into two types: Builders and Breakers. Builders like to make things, like web applications or identity management infrastructures. Breakers like to find holes in things. They tinker and hack. Usually, you gravitate towards one skillset or the other; it is extremely rare to find someone who does both well. It’s like running: you either sprint, or run marathons.

So it was with great curiosity that I read about the announcement of the Qubes OS by Invisible Things’ Joanna Rutkowska. Joanna is best known as the bête noire of the virtualization world; her “Blue Pill” hypervisor-breaking software was widely noted, even by us. Her Black Hat speeches are legend. She is clearly in the Breaker camp, and one of the best ones too.

Qubes is a new operating system based on Linux and Xen that divides the operating system into multiple isolated VMs that work together. It allows arbitrary portions of the operating system, such as the web browser, to run in one VM while other portions run in other VMs. Certain functions, like networking and storage, run in their own VMs. The VMs share a GUI (again, compartmentalized from the other VMs) and can exchange files. I won’t attempt to describe it in detail — the architecture document does that well enough:

Virtual Machines (VMs) are the primary building blocks for the system. Qubes architecture optimizes disk (and in the future also memory) usage, so that it’s possible to run many VMs in the system, without wasting precious disk resources. E.g. file system sharing mechanisms allow reuse of most of the filesystem between VMs, without degrading security isolation properties. Intel VT-d and TXT technology allows for creating safe driver domains, that minimize system attack surface...

One can divide the VMs used by the system into two broad categories: the AppVMs, that are used to host various user applications, such as email clients, web browsers, etc, and the SystemVMs (or ServiceVMs) that are special in that they are used to provide system-wide services, e.g. networking or disk storage.

Qubes is interesting, at the very least, because of who is building it: someone who is better known for breaking stuff. But it is also interesting because it continues a line of thought that has been bubbling along for several years: the use of virtualization and virtualization-like technologies to isolate processes and divide operating environments into security domains. Other operating systems that share some of these same concepts include:

Typical features of all of these operating systems are process isolation (sandboxing), file system abstraction and (usually) trusted bootloaders to ensure OS integrity at boot-time. It is where operating systems are headed, and in the future, most reasonably-complex devices that are not PCs will sport a design that includes one or more of these elements.

I call this the “Bento” security model. It does for operating system security what the Japanese have done for lunch: divide stuff up into nice, neat compartments.

We will have more to say about Bento security later this year. But in the meantime, check out Qubes. It is not ready for prime time. But it is a very interesting experiment that bears observing.
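The filesystem-sharing property the architecture document describes above (one root filesystem reused by many VMs without weakening isolation) can be modelled as a read-only template plus a private copy-on-write layer per AppVM. The following is an added illustration written for this post, not Qubes code; the class and path names are constructed, and it ignores real block-device and hypervisor details.

```python
# Constructed model of Qubes-style filesystem sharing: one read-only template root
# shared by every AppVM plus a private copy-on-write layer per VM (not Qubes code).
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class TemplateFS:
    """Shared root filesystem; AppVMs read it but never write to it."""
    files: dict[str, bytes]

@dataclass
class AppVM:
    name: str
    template: TemplateFS
    private: dict[str, bytes] = field(default_factory=dict)  # per-VM COW layer
    whiteouts: set[str] = field(default_factory=set)         # files deleted locally

    def read(self, path: str) -> bytes | None:
        # The private layer shadows the template; a whiteout hides a template file.
        if path in self.whiteouts:
            return None
        if path in self.private:
            return self.private[path]
        return self.template.files.get(path)

    def write(self, path: str, data: bytes) -> None:
        # Writes land only in this VM's private layer; the template is untouched.
        self.whiteouts.discard(path)
        self.private[path] = data

    def delete(self, path: str) -> None:
        self.private.pop(path, None)
        if path in self.template.files:
            self.whiteouts.add(path)

def demo() -> dict:
    # Constructed sample content: two AppVMs instantiated from a single template.
    template = TemplateFS({"/etc/hosts": b"127.0.0.1 localhost\n",
                           "/usr/bin/browser": b"browser-v1"})
    work, banking = AppVM("work", template), AppVM("banking", template)
    work.write("/etc/hosts", b"203.0.113.5 example.test\n")  # visible only in 'work'
    work.delete("/usr/bin/browser")
    template.files["/usr/bin/browser"] = b"browser-v2"       # a template update
    return {
        "work_hosts": work.read("/etc/hosts"),
        "banking_hosts": banking.read("/etc/hosts"),
        "work_browser": work.read("/usr/bin/browser"),
        "banking_browser": banking.read("/usr/bin/browser"),
        "template_hosts": template.files["/etc/hosts"],
    }
```

Running `demo()` shows that a change made inside one AppVM never reaches the template or a sibling VM, while an update to the shared template is seen by every VM that has not overridden that file.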