CROSBY That’s absolutely wrong. If your browser is attacked and the operating system is compromised, you’re done for.

GUSTAV What I’m suggesting is that the browser captures the changes made during the session and, post-session, gives the user the option of making those changes go away. This amounts to having an embedded hypervisor in the browser and presenting the user with the option of maintaining or erasing state upon exit.

CROSBY And you know what? It wrote to the hard disk. No matter what that application does, I will go to the hard disk and find it. This is one of the first security flaws Amazon found with EC2. Reset at the application level is ineffective, because if I can get to the hard disk, I will find stuff anyway. People see that information goes to the hard disk and will look to see what is there.

Amazon thought it solved the problem in EC2 by writing to a virtual hard disk, but it’s actually stored on some spinning plate of aluminum. The next time I go into the EC2 virtual machine, I can search through that virtual hard disk and find proprietary information. Resetting at the application level is not going to help. You really do need to think about security throughout the entire architectural stack.

Application-layer virtualization does provide some help. We have an isolation layer along with VMware and Microsoft. Because the application is not installed in the operating system, it is invisible to the registry and the file system. As a result, changes made by the application do not reach the layer below.

GUSTAV I actually wasn’t saying that you should reset at the application level. I was saying that a hypervisor will be embedded in the binary for the browser that you run.

CROSBY But even that wouldn’t satisfy the guys at the NSA (National Security Agency) who want you to write zeroes to every sector on every disk. It won’t solve the problem, which is that you actually wrote real blocks of storage to some real disk somewhere.

BISHOP Probably the most innovative solution I’ve ever seen is from the LCRA (Lower Colorado River Authority; http://www.lcra.org), an organization based in Austin, Texas, that manages dams. Here is how it solves this problem: when you come into work in the morning you are handed a laptop that has all the applications you want in a base disk image; you may do anything you want during working hours, and at the end of the day you give the laptop back; overnight the disk is wiped and a new disk image is blasted back onto the laptop; the next day, you come in and start over with a new base image.

CROSBY At Citrix we have a model within Xen Desktop where all VMs boot off the same operating-system golden image and all have the same base applications. To deliver a user-specific model, user-specific applications are streamed into the VM based on the user’s roaming profile. This approach minimizes the number of operating-system images and VMs that need to be stored. Anything that’s written to disk by an executing VM is cached locally in the VM and never written back to the hard drive, and all changes are discarded on every reboot. For certain classes of users, such as call-center operators, this approach works very well.

BISHOP The only state that persists is well defined through the set of applications.

CROSBY That’s right.

BOURNE Should IT managers care about people who are accessing the Internet through desktops in their shop? Should they be considering VMs to protect the internal networks of their organizations?

CREEGER Virtualization introduces too much complexity to effectively encapsulate all the operating restrictions on a general desktop, because at the end of the day, general desktops are still about applications, writing to the disk, and network transmission to other intelligent entities. Virtualization is just another layer of abstraction; it doesn’t change the functional levels at which problems occur.

GUSTAV Several vendors have streaming desktop products that allow a desktop to be streamed from a server to a client machine. The desktop can be cached—on a USB key, for example—or not cached at all. Desktop streaming

References:

http://queue.acm.org

http://www.lcra.org
