You might have seen this scene during the climactic shoot-out in any number of movies and television shows—the hunted character lures his hunters into a room full of mirrors, where they fire their weapons at the reflections, mistaking them for the real person. Like most of what we see on the screen, this probably isn’t a very plausible scenario in real life (who gets so confused by a reflection, besides my cat?). But it is an apt metaphor when we think about using PC virtualization to add a layer of defense against malware and other types of security compromises.
The most popular, and ballyhooed, type of virtualization today is known as OS virtualization—wherein an entire operating system is encapsulated in a self-contained running environment atop a “real” operating system. You can use virtualization to run a full copy of Windows 7 inside a window on an Ubuntu Linux desktop. Or you could run Ubuntu Linux inside a window on Windows 7. You could run Windows XP on Windows 7, or, again, vice versa.
There are numerous reasons why virtualization has taken off. One is that today’s computers are so powerful that they often have processor cycles and memory to spare, giving them the horsepower to drive multiple operating systems at the same time. Another is that virtual operating systems are easier to deploy, back up, and restore than “real” operating systems. You can quite simply take “snapshots” of a virtual OS, preserving its exact state. Virtualization can make more efficient use of computing resources—for example, running a virtualized Linux-based server on a Windows desktop lets one physical machine serve different kinds of uses simultaneously.
When considering security, the greatest benefit of virtualization is that the virtual OS runs in a “sandbox.” Think of a sandbox as a walled space, isolated from the real (often called “host”) operating system installed on the physical computer. They say that “whatever happens in Vegas stays in Vegas”—well, the same is (usually) true for a sandbox.
Many eggs, one basket
Consider the typical desktop security scenario: your computer probably contains lots of important information. You might have files with sensitive data, such as passwords, or work in various stages of maturity, which is important to preserve. Configuring your desktop machine the way you want is itself a kind of sensitive data—look at how much time is lost when you have to set up a brand new machine and re-install all your software.
You already know about “safe computing” practices, like not opening e-mail attachments from unknown senders. You already run anti-malware software to catch viruses and spyware before infection. But it might not be enough. Although these defenses are important and useful, they aren’t perfect.
An effective way to further protect your desktop is to run your “riskiest” online activities inside a sandbox. Using a virtual OS makes this easy.
Keep ’em separated
First you’ll need to choose a virtualization solution. Some, like VMware Workstation and Parallels, are commercial products with a price tag. Others, like VMware Player and VirtualBox, are free. To run a virtual OS, you must use a virtual image—a file (or set of files) that contains the installed and configured operating system along with any additional software.
The free VMware Player can be used to “play” (launch) pre-rolled virtual images, sometimes known as “virtual appliances.” The other virtualization products can either play existing virtual images or create new ones. To create a new virtual OS, you’ll need the install disc for the OS of your choice—either a physical CD/DVD or a digital disc in ISO format. You can get started with virtualization without spending a dime using VirtualBox and downloading a disc image of a popular Linux distribution, like Ubuntu or SUSE.
A full walkthrough for setting up a virtual OS is beyond the scope of this article (there are many tutorials online), but let’s consider how you might use a virtual OS to enhance security:
- Run a virtualized install of Windows XP to support legacy software. Both Windows Vista and especially Windows 7 are more secure than Windows XP, but sometimes you need to use a piece of software that only runs in XP.
- Similarly, use a virtualized Windows XP to run Internet Explorer 6, which—sadly—is still needed to access many proprietary corporate intranet services. Doing this will protect your valuable desktop OS from the notorious security holes in IE6.
- Run a virtualized Linux distribution to surf the Web, using a browser, such as Firefox. Sure, you can use Firefox on your primary desktop, but if your primary OS is Windows, it still may not be fully secure against “drive-by” downloads and infected advertising, which can appear on legitimate Web sites.
- For the ultra-paranoid, set up your virtual OS so that it is the only way to access the Internet from your machine. You can do this using a USB network adapter for either a wired or wireless network. The USB adapter can be assigned to the virtual OS, allowing it to connect to the Internet even if your primary OS has no network connection at all.
Using a virtual OS to sandbox Internet access can have some drawbacks. One is resource usage—the virtual machine will be consuming memory on top of your “real” desktop. If you’re simply using the virtual OS to browse the Web, this can be a resource-heavy way to enhance security. One alternative is to build a lightweight virtual OS, one that has only the minimally necessary components to run a browser.
If the prospect of building any virtual OS is beyond your comfort zone, you can download pre-made images already tailored to certain types of use—such as a turnkey image that runs Google’s Chrome browser right out of the box.
Shedding the OS
To be fair, if all you hope to accomplish is safer Web browsing (or securing other specific applications), running an entire virtual OS can be overkill. There is an emerging alternative, known as “application virtualization.”
Using application virtualization, the principle behind the sandbox is applied only to a specific program. The program itself continues to run within your main desktop, but anytime that program tries to write data back to the system, these transactions are captured and redirected within the sandbox.
For example, consider how applications function in Windows. The typical Web browser will store data received from the Internet, such as cookies and cached files like images and Flash objects. Typically this data is stored in locations created by Windows, but this also means that malicious software could potentially access other files in Windows.
The same browser run within an application virtualization environment will only “see” a false Windows environment. It will save the same data, but the sandbox will intercept it. As far as the browser is concerned, everything is functioning normally—but when you close the application, the sandbox is destroyed, along with everything it accumulated during your session.
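A minimal model of the write redirection described above, added here as an illustration and not taken from any sandboxing product. The class name `OverlaySandbox` and the sample files `prefs.ini` and `cache/ad.swf` are made up for the example.

```python
import shutil
import tempfile
from pathlib import Path


class OverlaySandbox:
    """Toy model of write redirection: reads fall through to the real
    directory, every write lands in a throwaway overlay directory."""

    def __init__(self, real_root):
        self.real = Path(real_root).resolve()
        self.overlay = Path(tempfile.mkdtemp(prefix="sandbox-"))

    def _rel(self, name):
        # Refuse names that climb out of the virtualized root ("../x").
        target = (self.real / name).resolve()
        if not target.is_relative_to(self.real):
            raise PermissionError(f"outside sandbox root: {name}")
        return target.relative_to(self.real)

    def write(self, name, data):
        dest = self.overlay / self._rel(name)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)  # the real file is never touched

    def read(self, name):
        rel = self._rel(name)
        shadow = self.overlay / rel  # the program sees its own writes first
        return (shadow if shadow.exists() else self.real / rel).read_bytes()

    def close(self):
        # Closing the application destroys everything it accumulated.
        shutil.rmtree(self.overlay, ignore_errors=True)


def demo():
    real = Path(tempfile.mkdtemp(prefix="real-"))
    (real / "prefs.ini").write_bytes(b"homepage=intranet")  # constructed sample
    box = OverlaySandbox(real)
    box.write("prefs.ini", b"homepage=changed")  # tampering attempt
    box.write("cache/ad.swf", b"untrusted")      # new file from the Web
    in_box = box.read("prefs.ini")
    box.close()
    result = (in_box, (real / "prefs.ini").read_bytes(), (real / "cache").exists())
    shutil.rmtree(real)
    return result
```

Inside the sandbox the program reads back its own change, while the file on disk keeps its original contents and the cached download never reaches the real directory.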
Besides using fewer resources than a full virtual OS, running a virtualized application can be much simpler to get going. Windows users can download a free copy of Sandboxie. Once installed, you can launch any program either normally or inside its own sandbox. It is a simple solution that lets you easily run regular and sandboxed applications side-by-side.
A more advanced approach to application virtualization is VMware ThinApp. Using ThinApp, you actually install a Windows application inside a virtualized environment. The result is an installed “application image,” which is not only securely ensconced inside a sandbox, but also portable. Because the virtual environment wrapped around the application simulates the Windows repositories where software normally keeps settings and other data, you can copy a ThinApp image to another PC, or onto a thumb drive, and launch it on any other Windows machine without requiring a formal install.
Virtualization technology will continue to mature. It could still be easier to use, though it is worth the effort. There is a small performance penalty when you virtualize applications, especially if they are graphically intensive and involve high frame-rate video.
Aaron Weiss is a networking expert based in upstate New York.