Communications - December 2008

Gustav: I think you will see the browser itself evolve into a VM architecture. Ultimately the browser will offer the option of either resetting or keeping state.

simon cRosBy: That’s absolutely wrong. If your browser is attacked and the OS is compromised you’re done for.

Gustav: What I’m suggesting is that the browser captures the changes made during the session and, post session, gives the user the option of making those changes go away. This amounts to having an embedded hypervisor in the browser and presenting the user with the option of maintaining or erasing state upon exit.

simon cRosBy: And you know what?

It wrote to the hard disk. No matter what that application does, I will go to the hard disk and find it. This is one of the first security flaws Amazon found with EC2. Reset at the application level is ineffective, because if I can get to the hard disk, I will find stuff anyway. People see that information goes to the hard disk and will look to see what is there.

Amazon thought they solved it in EC2 by writing to a virtual hard disk, but it’s actually stored on some spinning plate of aluminum. The next time I go into the EC2 virtual machine, I can go and search through that virtual hard disk and I will find proprietary information. Resetting at the application level is not going to help. You really do need to think about security throughout the entire architectural stack.

Application-layer virtualization does provide some help. We have an isolation layer along with VMware and Microsoft. Because the application is not installed in the OS it is invisible to the registry and the file system. As a result, changes made by the application do not reach the layer below.

Gustav: I actually wasn’t saying resetting at the application level. I was saying that that a hypervisor will be embedded in the binary for the browser that you run.

simon cRosBy: But even that wouldn’t satisfy the guys at the NSA who want you to go and write zeroes to every sector on every disk. It won’t solve the problem, which is that you actually wrote real blocks of storage to some real disk somewhere.

tom BishoP: Probably the most innovative solution I’ve ever seen is from

the Lower Colorado River Authority^e(LCRA). They are an organization based
in Austin, TX that manages dams. The
way they solve this problem is when you
come into work in the morning they
give you a laptop that has all the appli-
cations you want in a base disk image.
You may do anything you want during
working hours, and at the end of the
day you give the laptop back. Overnight
the disk is wiped and a new disk image
is blasted back onto the laptop. The
next day, you come in and start over
with a new base image.
simon cRosBy: At Citrix we have a
model within Xen Desktop where all
VMs boot off the same OS golden im-
age and all have the same base applica-
tions. To deliver a user-specific model,
user-specific applications are streamed
into the VM based on the user’s roam-
ing profile. This approach minimizes
the number of OS images and VMs
that need to be stored. Anything that’s
written to disk by an executing VM is
cached locally in the VM and never
written back to the hard drive, and all
changes are discarded on every reboot.
For certain classes of users, such as call
center operators, this approach works
very well.
tom BishoP: The only state that per-
sists is well defined through the set of
applications.
simon cRosBy: That’s right.
steve BouRne: Should IT managers
care about people who are accessing
the Internet through desktops in their
shop? Should they be considering VMs
to protect the internal networks of their
organizations?

mache cReeGeR: Virtualization introduces too much complexity to effectively encapsulate all the operating restrictions on a general desktop, because at the end of the day, general desktops are still about applications, writing to the disk, and network transmission to other intelligent entities. Virtualization is just another layer of abstraction; it doesn’t change the functional levels at which problems occur.

Gustav: Several vendors have streaming desktop products that allow a desktop to be streamed from a server to a client machine. The desktop can be cached—on a USB key, for example—or not cached at all. Desktop streaming is

e http://www.lcra.org/.

useful when I want a client machine to be my desktop for now, but afterward I never want to use it again.

One place you might use this is where you want zero footprint. This would include cases where what you have is known to be good but you want to run it on an environment known to be suspect, such as at an airport kiosk or on people’s home machines.

mache cReeGeR: Looking at the example that Simon suggested earlier, can we define sessions in desktop environments so that at some point you can throw everything away and reauthorize the session with a complete blank slate? Wouldn’t that solve a lot of security issues?

tom BishoP: Yes, but not independent of the application.

simon cRosBy: The key question is whether the virtual hard disk itself is stateful or not. Where does the state that I want to keep live? Is it part of the thing that boots?

Gustav: Is it persistent state or is it transitory/disposable state?

simon cRosBy: Where does my persistent state live and where does the transient state live?

mache cReeGeR: You have to define “session” and that’s a hard thing to define.

tom BishoP: Because it varies from application to application.

simon cRosBy: And from user category to user category. In my world, I have VMs on my laptop and each of my VMs is independently snapshotted and stored in S3.^f However, the VMs are simply runtime entities. My personal and work data are held separately, mapped into the runtime upon boot, and independently backed up, block for block onto S3. If I lose my laptop on any day, the hard disk is locked and the machine is of no use to anyone else. I purchase a new laptop, and within download time everything I have is back.

I also use Citrix WAN optimization technology to ensure that no block of data ever gets sent over the wire twice. A 24MB Powerpoint file with just a few changes takes less than a second to back up because 99% of the blocks are already backed up and only the differences are sent over the wire.