Gustav: I think you will see the browser itself evolve into a VM architecture. Ultimately the browser will offer the option of either resetting or keeping state.
Simon Crosby: That's absolutely wrong. If your browser is attacked and the OS is compromised, you're done for.
Gustav: What I'm suggesting is that the browser captures the changes made during the session and, post session, gives the user the option of making those changes go away. This amounts to having an embedded hypervisor in the browser and presenting the user with the option of maintaining or erasing state upon exit.
Simon Crosby: And you know what? It wrote to the hard disk. No matter what that application does, I will go to the hard disk and find it. This is one of the first security flaws Amazon found with EC2. Reset at the application level is ineffective, because if I can get to the hard disk, I will find stuff anyway. People see that information goes to the hard disk and will look to see what is there.

Amazon thought they solved it in EC2 by writing to a virtual hard disk, but it's actually stored on some spinning plate of aluminum. The next time I go into the EC2 virtual machine, I can go and search through that virtual hard disk and I will find proprietary information. Resetting at the application level is not going to help. You really do need to think about security throughout the entire architectural stack.

Application-layer virtualization does provide some help. We have an isolation layer along with VMware and Microsoft. Because the application is not installed in the OS, it is invisible to the registry and the file system. As a result, changes made by the application do not reach the layer below.
Gustav: I actually wasn't saying resetting at the application level. I was saying that a hypervisor will be embedded in the binary for the browser that you run.
Simon Crosby: But even that wouldn't satisfy the guys at the NSA who want you to go and write zeroes to every sector on every disk. It won't solve the problem, which is that you actually wrote real blocks of storage to some real disk somewhere.
Tom Bishop: Probably the most innovative solution I've ever seen is from the Lower Colorado River Authority[e] (LCRA). They are an organization based in Austin, TX, that manages dams. The way they solve this problem is that when you come into work in the morning they give you a laptop that has all the applications you want in a base disk image. You may do anything you want during working hours, and at the end of the day you give the laptop back. Overnight the disk is wiped and a new disk image is blasted back onto the laptop. The next day, you come in and start over with a new base image.
Simon Crosby: At Citrix we have a model within XenDesktop where all VMs boot off the same OS golden image and all have the same base applications. To deliver a user-specific model, user-specific applications are streamed into the VM based on the user's roaming profile. This approach minimizes the number of OS images and VMs that need to be stored. Anything that's written to disk by an executing VM is cached locally in the VM and never written back to the hard drive, and all changes are discarded on every reboot. For certain classes of users, such as call center operators, this approach works very well.
Tom Bishop: The only state that persists is well defined through the set of applications.

Simon Crosby: That's right.
Steve Bourne: Should IT managers care about people who are accessing the Internet through desktops in their shop? Should they be considering VMs to protect the internal networks of their organizations?
Mache Creeger: Virtualization introduces too much complexity to effectively encapsulate all the operating restrictions on a general desktop, because at the end of the day, general desktops are still about applications, writing to the disk, and network transmission to other intelligent entities. Virtualization is just another layer of abstraction; it doesn't change the functional levels at which problems occur.
Gustav: Several vendors have streaming desktop products that allow a desktop to be streamed from a server to a client machine. The desktop can be cached (on a USB key, for example) or not cached at all. Desktop streaming is useful when I want a client machine to be my desktop for now, but afterward I never want to use it again.

One place you might use this is where you want zero footprint. This would include cases where what you have is known to be good but you want to run it on an environment known to be suspect, such as at an airport kiosk or on people's home machines.

[e] http://www.lcra.org/.
Mache Creeger: Looking at the example that Simon suggested earlier, can we define sessions in desktop environments so that at some point you can throw everything away and reauthorize the session with a complete blank slate? Wouldn't that solve a lot of security issues?
Tom Bishop: Yes, but not independent of the application.
Simon Crosby: The key question is whether the virtual hard disk itself is stateful or not. Where does the state that I want to keep live? Is it part of the thing that boots?
Gustav: Is it persistent state or is it transitory/disposable state?

Simon Crosby: Where does my persistent state live and where does the transient state live?
Mache Creeger: You have to define "session," and that's a hard thing to define.

Tom Bishop: Because it varies from application to application.
Simon Crosby: And from user category to user category. In my world, I have VMs on my laptop and each of my VMs is independently snapshotted and stored in S3.[f] However, the VMs are simply runtime entities. My personal and work data are held separately, mapped into the runtime upon boot, and independently backed up, block for block, onto S3. If I lose my laptop on any day, the hard disk is locked and the machine is of no use to anyone else. I purchase a new laptop, and within download time everything I have is back.
I also use Citrix WAN optimization technology to ensure that no block of data ever gets sent over the wire twice. A 24MB PowerPoint file with just a few changes takes less than a second to back up because 99% of the blocks are already backed up and only the differences are sent over the wire.

[f] Amazon's Simple Storage Service: http://aws.amazon.com/s3/.