LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 07-23-2009, 05:07 PM   #1
scourge99
Virtualizing OS for browsing


It seems web browsing is becoming one of the most prevalent vectors of attack so I was contemplating the idea of running Fedora on Virtual Box for all my web browsing needs. The plan would be to have a snapshot of Fedora and Firefox with all my settings in place. When I'm done browsing I'd simply destroy the VM and reload from the known safe snapshot for future browsing. This would ensure that any disease Fedora or Firefox picked up during any session could not perpetuate itself beyond a single VM session.

Obviously VirtualBox is not a perfect solution because it's feasible that an attack could go through my VM to the OS running VirtualBox. However, I think for the time being this "security by obscurity" would work.

Any comments/suggestions?
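The throwaway-session workflow described in the post (boot a known-good image, browse, discard everything the session wrote) as an added example script. This is editor-added code, not from the post, from VirtualBox or from any project named in the thread. It uses QEMU's -snapshot mode, which sends all guest disk writes to a temporary file that is deleted when the VM exits, so the "destroy and reload from the snapshot" step is done by the hypervisor itself. It also adds the check the post's plan quietly depends on: the golden image must still be the image you sealed, because every future session restores from it. The image path, the "$1.sha256" sidecar file, the memory size, a Linux host with KVM (-enable-kvm) and qemu-system-x86_64 on PATH are all assumptions.

```shell
#!/bin/sh
# Disposable browsing VM: verify the golden image, then boot it with all
# writes redirected to a temporary overlay that QEMU deletes on exit.
# Editor-added example, not code from the thread. Assumptions: a qcow2
# golden image whose path is passed as $1, a sidecar "$1.sha256" written
# by seal_golden, and qemu-system-x86_64 on PATH (override with $QEMU).
set -u

QEMU="${QEMU:-qemu-system-x86_64}"

# Print the SHA-256 of a file, using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record the current hash of the golden image as the trusted baseline.
# Run once, right after building and patching the image, before first use.
seal_golden() {
    file_sha256 "$1" > "$1.sha256"
}

# Succeed only if the golden image still matches its sealed hash.
# The scheme is only as strong as the image every session restores from:
# if that file is altered (a host-side process, a mistaken commit of a
# running session's disk), every later session starts compromised.
# Returns 2 when no baseline exists, 1 on mismatch, 0 on match.
verify_golden() {
    img="$1"
    [ -f "$img.sha256" ] || return 2
    [ "$(file_sha256 "$img")" = "$(cat "$img.sha256")" ]
}

# Verify, then launch one throwaway session. Refuses to start if the
# baseline is missing or the image has changed since it was sealed.
# -snapshot: guest disk writes go to a temporary file QEMU discards on
# exit, so nothing the browser picks up survives into the next session.
launch_session() {
    img="$1"; mem="${2:-1024}"
    if ! verify_golden "$img"; then
        echo "refusing to start: $img does not match $img.sha256" >&2
        return 1
    fi
    "$QEMU" \
        -enable-kvm -m "$mem" -snapshot \
        -drive "file=$img,format=qcow2,if=virtio" \
        -nic user,model=virtio-net-pci \
        -device virtio-vga
}

# Usage (paths are assumptions):
#   seal_golden    /vm/browse-golden.qcow2        # once, after building it
#   launch_session /vm/browse-golden.qcow2 1536   # every browsing session
```

The hash check guards against the golden image being modified on the host; it does nothing against a guest-to-host escape, which the post already acknowledges as the residual risk. On VirtualBox the same two steps are `VBoxManage snapshot <vm> restore <snapshot>` followed by `VBoxManage startvm <vm>`; keep the restore as an explicit step there, since VirtualBox will happily keep running on the dirty state if you forget it.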
 
Old 07-23-2009, 05:24 PM   #2
win32sux
Quote:
Originally Posted by scourge99
It seems web browsing is becoming one of the most prevalent vectors of attack so I was contemplating the idea of running Fedora on Virtual Box for all my web browsing needs. The plan would be to have a snapshot of Fedora and Firefox with all my settings in place. When I'm done browsing I'd simply destroy the VM and reload from the known safe snapshot for future browsing. This would ensure that any disease Fedora or Firefox picked up during any session could not perpetuate itself beyond a single VM session.

Obviously VirtualBox is not a perfect solution because it's feasible that an attack could go through my VM to the OS running VirtualBox. However, I think for the time being this "security by obscurity" would work.

Any comments/suggestions?
This wouldn't be considered security through obscurity. In fact, it would be the exact opposite of that. Isolation is a tried and true security methodology. If you want some inspiration for your endeavour, I encourage you to read the recent interview with Joanna Rutkowska, who is a highly-respected security researcher. Here's a snippet from the interview:
Quote:
I use different virtual machines to host various types of browsers that I use for different kind of activities. So, I use a "Red" VM to do daily browsing, something totally non-sensitive like news reading, Googling, etc. I use a "Yellow" machine to do some semi-sensitive tasks, like online shopping, updating my blog on Blogger, etc. Finally, I have a "Green" machine to access my bank's account.
EDIT: Of course, you should not get sloppy with your security within the virtual environment. Notice how even though Joanna Rutkowska is running browsers in virtual machines, she still takes traditional security precautions inside each of them.

Last edited by win32sux; 07-23-2009 at 05:44 PM.
 
Old 07-23-2009, 09:04 PM   #3
scourge99
Quote:
Originally Posted by win32sux
This wouldn't be considered security through obscurity. In fact, it would be the exact opposite of that.
It's security through obscurity because virtualization technology is still an emerging technology and most likely the means by which to attack them are not very well known.

Quote:
Originally Posted by win32sux
Isolation is a tried and true security methodology. If you want some inspiration for your endeavour, I encourage you to read the recent interview with Joanna Rutkowska, who is a highly-respected security researcher. Here's a snippet from the interview:

EDIT: Of course, you should not get sloppy with your security within the virtual environment. Notice how even though Joanna Rutkowska is running browsers in virtual machines, she still takes traditional security precautions inside each of them.
There are a few potential attack methods I've pondered: For example, unless the virtualizing software takes measures to protect other memory areas a pointer can be used to attack ANYWHERE in memory, including your host machine. Protection can be achieved by restricting memory access via hardware such as the IOMMU but last time I checked no virtualization developers were touting "security".

You could also access device memory or DMA abilities. I don't believe the IOMMU would even be able to stop that.

I believe there is work being done to develop secure virtualization technology at greenhills, but I don't think that the other technologies are secure; it's merely obscure, which is fine for me for now.
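Post #3 raises device memory and DMA as a way around the VM boundary, and IOMMU hardware as the thing that would restrict it. Whether that hardware is doing anything on a given host is checkable: the CPU flags say whether VT-x or AMD-V is present at all, and /sys/kernel/iommu_groups is populated only when the kernel actually brought an IOMMU up (the directory exists on any kernel built with IOMMU support, but stays empty unless intel_iommu=on, amd_iommu=on or the firmware default enabled it). The script below is an editor-added example, not from the thread; it assumes a Linux host, and the /proc and /sys paths are parameters so the checks can be run against a copied or constructed tree.

```shell
#!/bin/sh
# Host checks for the two hardware features the thread discusses: CPU
# virtualization extensions (VT-x/AMD-V) and an active IOMMU.
# Editor-added example, not from the thread. Each function takes an
# optional path so it can be pointed at a constructed tree; the defaults
# are the live /proc and /sys paths on a Linux host.
set -u

# Succeed if the CPU flags line advertises vmx (Intel VT-x) or svm (AMD-V).
# KVM requires one of these; without them there is no hardware-assisted
# guest at all, only a software emulator.
cpu_has_hw_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo"
}

# Count IOMMU groups that have at least one device in them.
# /sys/kernel/iommu_groups exists whenever the kernel was built with IOMMU
# support, but it stays empty unless the IOMMU was actually enabled. Only
# a populated tree means device DMA is being translated and confined to
# the mappings the kernel (or the VM owning a passed-through device) set up.
iommu_group_count() {
    sysfs="${1:-/sys}"
    n=0
    for g in "$sysfs"/kernel/iommu_groups/*/; do
        [ -d "$g" ] || continue
        if [ -n "$(ls -A "${g}devices" 2>/dev/null)" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Succeed only if an IOMMU is active (at least one populated group).
iommu_active() {
    [ "$(iommu_group_count "${1:-/sys}")" -gt 0 ]
}

# One-line summary for a quick look at a host before trusting it with
# isolation duties.
host_virt_report() {
    cpuinfo="${1:-/proc/cpuinfo}"; sysfs="${2:-/sys}"
    if cpu_has_hw_virt "$cpuinfo"; then hv=yes; else hv=no; fi
    if iommu_active "$sysfs"; then io=yes; else io=no; fi
    echo "hw-virt=$hv iommu=$io iommu-groups=$(iommu_group_count "$sysfs")"
}

# Usage on a live host:
#   host_virt_report
```

The kernel log is the cross-check: on Intel hosts `dmesg | grep -i DMAR` and on AMD hosts `dmesg | grep -i AMD-Vi` show whether the IOMMU was found and enabled at boot. Note that an active IOMMU confines DMA from devices assigned to a guest; it says nothing about bugs in the hypervisor's own device emulation, which is the other path the thread is worried about.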
 
Old 07-23-2009, 09:14 PM   #4
linus72
What about Portable-Qemu?
It runs from a USB drive, any type

its only real connection is to the net

Is it still insecure also?
 
Old 07-23-2009, 09:50 PM   #5
win32sux
Quote:
Originally Posted by scourge99
It's security through obscurity because virtualization technology is still an emerging technology and most likely the means by which to attack them are not very well known.

There are a few potential attack methods I've pondered: For example, unless the virtualizing software takes measures to protect other memory areas a pointer can be used to attack ANYWHERE in memory, including your host machine. Protection can be achieved by restricting memory access via hardware such as the IOMMU but last time I checked no virtualization developers were touting "security".

You could also access device memory or DMA abilities. I don't believe the IOMMU would even be able to stop that.

I believe there is work being done to develop secure virtualization technology at greenhills, but I don't think that the other technologies are secure; it's merely obscure, which is fine for me for now.
Please keep in mind that security is a never-ending process. It's not a product that you can go and buy from a software manufacturer. There's absolutely nothing wrong with deploying virtual machines as an integral part of your approach to risk management. As you can see in the interview I linked for you, even some of the brightest minds in the industry do it.

Last edited by win32sux; 07-23-2009 at 10:02 PM.
 
Old 07-24-2009, 12:04 PM   #6
tekhead2
Two words for you: Blue Pill. Nowadays even your virtual servers can get rootkited with little to no notification.
 
Old 07-24-2009, 12:14 PM   #7
win32sux
Quote:
Originally Posted by tekhead2
Two words for you: Blue Pill.
Yes, as the author of Blue Pill, she's very familiar with the territory. Her knowledge in this arena does lend more weight to the isolation technique she uses for her own Web browsers, doesn't it?

Last edited by win32sux; 07-24-2009 at 03:25 PM.
 
Old 07-24-2009, 04:05 PM   #8
tekhead2
If you read it you will see the machine specs she's working with, and it's a HUGE machine; I mean I've got servers running with less power than that thing. She needs every bit of it if she's going to run VM container on top of VM container. I'm wondering what type of VM she's using. I've never really used Xen or KVM, but I am currently using VMware and VirtualBox extensively. It appears that the Blue Pill is geared more towards modern virtualization software that utilizes hypervisors like Xen and VMware ESX. We are talking about moving our entire infrastructure at work into a virtual one, so this stuff is very interesting to me.
 
Old 07-24-2009, 04:47 PM   #9
win32sux
Quote:
Originally Posted by tekhead2
It appears that the bluepill is geared more towards modern virtualization software that utilizes hypervisors like Xen and VMware ESX.
Yes, Blue Pill uses a bare-metal hypervisor (like the two examples you've provided). Your native OS becomes a guest on this virtual machine, while leaving you clueless about it (much like most people in The Matrix had no idea about their true circumstances). That said, we seem to be drifting off-topic here. Let's get back to the running of Web browsers in virtual machines. Virtualization-based malware is a separate topic which I encourage you to open a new thread for instead.

Last edited by win32sux; 07-24-2009 at 06:31 PM.
 
Old 07-24-2009, 05:21 PM   #10
win32sux
Quote:
Originally Posted by tekhead2
If you read it you will see the machine specs she's working with, and it's a HUGE machine; I mean I've got servers running with less power than that thing. She needs every bit of it if she's going to run VM container on top of VM container. I'm wondering what type of VM she's using. I've never really used Xen or KVM, but I am currently using VMware and VirtualBox extensively.
She talks about it on page six:
Quote:
To run all of my virtual machines, I use a type II hypervisor (VMWare Fusion), which is a fat application running on my host. From the theoretical point of view, there is no good reason to believe that it would be harder to find a bug in the type II hypervisor than it would be to find a bug in the OS kernel itself. Both are big and fat, and have many drivers inside them. But practically, it seems that it is more difficult. The attacker must first find a way to execute code in the guest's kernel. Remember that the attack starts from being able to execute code in the browser only, then he or she must find a way to attack the VMM (hypervisor). So, to break out of the VM and finally do something reasonable in the host's kernel, which might be a totally different OS than the guest's kernel (I use Windows in my guests and Mac OS X on the host).

Last edited by win32sux; 07-24-2009 at 05:22 PM.
 
Old 07-24-2009, 06:49 PM   #11
scourge99
Quote:
Originally Posted by win32sux
Please keep in mind that security is a never-ending process.
I'm well aware but thank you.

Quote:
Originally Posted by win32sux
It's not a product that you can go and buy from a software manufacturer. There's absolutely nothing wrong with deploying virtual machines as an integral part of your approach to risk management. As you can see in the interview I linked for you, even some of the brightest minds in the industry do it.
The overarching goal of my post was to ping others who are also familiar with security to get their opinion on whether or not this was a worthwhile approach: what the risks and vulnerabilities are, and perhaps some better alternatives.

So far Bluepill has been mentioned. I'll have to look into it.
 
Old 07-25-2009, 11:19 AM   #12
win32sux
Quote:
Originally Posted by scourge99
So far Bluepill has been mentioned.
Which strikes me as a rather strange thing to mention, considering that Blue Pill represents a threat to everything running on your VT-x/SVM-capable CPU. Blue Pill is virtualization-based malware, it's not malware which targets virtualization.

Last edited by win32sux; 07-25-2009 at 12:34 PM.
 
Old 07-27-2009, 11:59 AM   #13
scourge99
Quote:
Originally Posted by win32sux
Which strikes me as a rather strange thing to mention, considering that Blue Pill represents a threat to everything running on your VT-x/SVM-capable CPU. Blue Pill is virtualization-based malware, it's not malware which targets virtualization.
From my quick-read of that article I was under the impression that the Bluepill was some type of virtualization technology, not malware.

"So let's talk about 'Ring -1' exploits and your 'blue pill.'"

"I wrote BluePill in 2006 to demonstrate how this hardware virtualization technology can be abused by malware to create a stealthy hypervisor and move, on the fly, the running OS into a virtual machine, controlled by this stealthy hypervisor."

"Another unique feature of BluePill, which has made it truly one of its kind, is its support for nested virtualization--one can load BluePill, and then, inside the virtual machine created by BluePill, start a normal hypervisor like Xen or Virtual PC (that itself makes use of VT-x/AMD-v). You can even load several instances of BluePills inside each other. I'm actually quite proud of this nested virtualization support!"

Thanks for catching that for me.
 
Old 07-28-2009, 05:32 AM   #14
nowonmai
Quote:
Originally Posted by scourge99
From my quick-read of that article I was under the impression that the Bluepill was some type of virtualization technology, not malware.
It's both. It is proof of concept code that can insert itself into 'ring -1' and virtualize the previous host (or only) OS without the OS or the user being any the wiser. Once this happens, all bets are off, as the virtualized OS is no longer in control of the machine. The ultimate rootkit, if you will.
 
Old 08-05-2009, 04:59 PM   #15
tekhead2
Back to the subject of the post: our good friend Linus72 here on LQ has developed a simple QEMU script with a disk image that's running Puppy Linux browser edition. I've used it myself personally and I've found it very useful for tracking down malware and for accessing sites that I know have malware and other attacks embedded. If I'm not mistaken it's running SeaMonkey, which will do just about anything Firefox will do, plugin-wise.

You can find the original post here
http://www.linuxquestions.org/questi...orm-os-736043/
 
  


All times are GMT -5. The time now is 09:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration