Security-Focused Operating Systems

April 12, 2023 — Jt Spratley
OpenBSD and Qubes OS logos

The world has reached a point where the frequency of cyber attacks is gradually influencing people to choose security over convenience and bleeding edge technology. Many are switching from Android smartphones to iPhones or basic flip phones, sometimes referred to as "feature phones." Some are replacing Windows personal computers (PCs) with Apple MacBooks. Individuals more serious about cybersecurity are migrating to Unix-based operating systems (OSes). The reason why is simple. Windows is attacked at a significantly higher rate than macOS, Linux, and other Unix-based OSes combined because it is most prominent in homes and corporate offices. According to DistroWatch.com, there are over three hundred BSD and Linux OSes, but few are built specifically with the goal of increased high security and privacy [1]. Two of the most interesting security-focused OSes in active development today: OpenBSD and Qubes OS.

Before comparing the two Unix-like OSes, I should explain my definition of a security-focused OS versus a secured OS. I consider a secured OS to have been significantly hardened to address expected cyber threats for its environment. That includes removing bloatware and unnecessary kernel modules. This is manually done by the end user, or system administrator (sysadmin) in a business setting, hopefully in a practical manner that does not encourage users to bypass those security measures. A secure OS ships with much of this work already done as it is developed with focus on security and proper coding, not the convenience of extra software included to satisfy multiple user personas (e.g, tech novice, power user, and multimedia editor).

Since 1996, OpenBSD has been developed with "emphasis on correctness, security, standardization, and portability" [2]. This is a major stray from the most popular BSD OS, FreeBSD [3], which is built for multiple use cases including fault-tolerant data storage and PCs [4]. OpenBSD's maintainers have a long list of software developed to harden the base OS, kernel, and memory management against cyber attacks [5]. They regularly audit software packages for bugs and even maintain their own hardened versions of many applications [6]. OS installation is user-friendly and completes in under five minutes with the default settings. It can be prepared for the average user by installing a desktop environment (DE), web browser, and office suite in the terminal: "pkg_add xfce xfce-extras firefox nano libreoffice" [7].

Linux-based Qubes OS began in 2012 with the idea of isolating applications and connected devices in virtual machines (VMs) of varying security levels using the Xen hypervisor [8]. By default, the self-claimed "trusted OS" deploys with a Fedora VM, a popular OS for software developers wanting cutting edge and sometimes unstable updates [9]. However, there is an official variant that replaces the Fedora VM with Debian, which is known for being stable and minimal. These two options are sensible because most official Linux distributions, or "distros," available are based on Fedora or Debian. Native Whonix integration allows users to run Tor with greater security [10]. Because of unique hardware requirements, Qubes OS must be installed on a system or tested as a live image, since it is incompatible with virtualization software such as VirtualBox [11].

Similarities between the two OSes are obvious once there is a question about how to do something. Neither is commonly used in production systems or discussed in free open-source software (FOSS) communities. Official documentation is in-depth, but often not simplified for novices. User community content about each OS is scarce, usually only covering frequently asked questions (FAQs) such as how to configure popular software. Neither is unlikely to have unpopular software available in their official repository (repo). This forces users to sandbox incompatible software in a VM instance, research how to compile it from source, dual-boot a secondary OS on the system, or replace the application.

Their differences are just as overt. OpenBSD, its kernel, and installed packages are hardened from the start. If the user wishes to import FreeBSD repos for software not hardened by the developers, it must be done manually. Qubes OS is somewhat of a hypervisor platform, allowing you to apply different, stable distros at will. Qubes OS must pull updates from Fedora or Debian. Initially, one could assume that the Linux kernel is the weakest link for infiltration. However, the Qubes security bulletins (QSBs) page indicates that most reported vulnerabilities were related to their Xen hypervisor package [12]. Furthermore, Linux runs most websites [13] and most supercomputers [14]. Because BSD is rarely seen anywhere, including the pfSense firewall application, OpenBSD would likely be vulnerable due to user configuration issues. Finally, there are unofficial forums dedicated to both. OpenBSD has registered user groups in various countries, but their official community support method is a mailing list. The Qubes OS project maintains an active official forum.

OpenBSD aligns most with my idea of what it means to be a secure OS. Most packages installed are required for the OS to run. Whatever you install from the official repos is already hardened to save you time, if security is your primary goal. You're in the command-line interface (CLI) until you install a DE or minimal window manager like i3.

In summary, both OSes serve as evidence that high security comes at a cost: inconvenience. Both have communities willing to assist with troubleshooting. The common user can quickly surf the web and edit office documents with either OS. Anything further would justify trying Qubes OS as Debian and Fedora repos are more accessible with more packages. OpenBSD is best staged in a VM before the user has learned how to fulfill their requirements. But it will satisfy the tech-savvy, security-conscious user without the need for niche software. One should not conduct online activity with arrogance on either OS since it may affect your actions on other devices. Phishing statistics [15] command a constant state of caution. A secure OS will not protect your login credentials for email providers, banks, and other websites. For the regular user that needs to be able to do more at times, Qubes OS is easier. But if your primary goal is cyber defense, OpenBSD is the best choice.

References

[1] "Search Distributions." DistroWatch.com. [Online]. Available: https://distrowatch.com/search.php?ostype=All&category=Security&origin=All&basedon=All¬basedon=None&desktop=All&architecture=All&package=All&rolling=All&isosize=All&netinstall=All&language=All&defaultinit=All&status=Active#simple [Nov. 1, 2022].
[2] "OpenBSD FAQ - Introduction to OpenBSD." OpenBSD. [Online]. Available: https://www.openbsd.org/faq/faq1.html [Oct. 1, 2022].
[3] M. Varmazyar. "FreeBsd Vs OpenBsd." Unixmen. [Online]. Available: https://www.unixmen.com/freebsd-vs-openbsd/ [Oct. 10, 2022].
[4] "Choosing between OpenBSD and FreeBSD." unixsheikh.com, Feb. 7, 2020. [Online]. Available: https://unixsheikh.com/articles/choosing-between-openbsd-and-freebsd.html [Oct. 10, 2022].
[5] "OpenBSD Innovations." OpenBSD. [Online]. Available: https://www.openbsd.org/innovations.html [Oct. 10, 2022].
[6] "Index of /pub/OpenBSD/7.2/packages/amd64/." [Online]. Available: https://cdn.openbsd.org/pub/OpenBSD/7.2/packages/amd64/ [Oct. 10, 2022].
[7] "OpenBSD 7 Xfce Desktop." Birkey Consulting, Jan. 29, 2022. [Online]. Available: https://www.birkey.co/2022-01-29-openbsd-7-xfce-desktop.html [Oct. 10, 2022].
[8] N. McAllister. "Qubes OS bakes in virty system-level security." The Register, Sep. 5, 2012. [Online]. Available: https://www.theregister.com/2012/09/05/qubes_secure_os_released/ [Oct. 11, 2022].
[9] "What is Qubes OS?" Qubes OS. [Online]. Available: https://www.qubes-os.org/intro/ [Oct. 1, 2022].
[10] "Qubes-Whonix ™ Overview." Whonix. [Online]. Available: https://www.whonix.org/wiki/Qubes [Oct. 11, 2022].
[11] "Introduction." Qubes OS. [Online]. Available: https://www.qubes-os.org/doc/installation-guide/ [Oct. 10, 2022].
[12] "Qubes security bulletins (QSBs)." Qubes OS. [Online]. Available: https://www.qubes-os.org/security/qsb/ [Oct. 11, 2022].
[13] "Comparison of the usage statistics of Linux vs. Windows for websites." W3Techs, Oct. 12, 2022. [Online]. Available: https://w3techs.com/technologies/comparison/os-linux,os-windows [Oct. 12, 2022].
[14] "The Operating Systems Most Used by Supercomputers." ITIGIC, Jan. 17, 2020. [Online]. Available: https://itigic.com/operating-systems-most-used-by-supercomputers/ [Oct. 11, 2022].
[15] "Summary of Findings." Verizon. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/2022/summary-of-findings/ [Oct. 10, 2022].

Tags: cybersecurity, IT, open-source, linux

Comments? Tweet