Browser Protection: The Next Generation

The Web Browsers and ISPs of the future will behave like the “Deflector Shields” of Star Trek, protecting our computers against malware and scripting attacks.

This week, I wrote about how I decided to firewall off my entire Windows installation from my main desktop computer system, due to my concerns about the current state of Internet security and the increasing level of sophistication of malware and scripting/phishing attacks that can compromise users systems.

Click on the “Read the rest of this entry” link below for more.

A bunch of people who left TalkBacks to this post believed that this announcement that I will primarily be running Windows in a virtualized mode — by using Linux as my primary OS — was either a

* Calculated attack and proof of my long standing hatred of Windows and Microsoft and showing my spots an an Open Source weenie

* A form of shilling promotion for Ubuntu Linux’s pending Lucid Lynx release (Note to Mr. Shuttleworth, I’m still waiting on my $50,000 check)

* Or a flat-out overreaction to what might not have been a direct system compromise at all. Indeed, it may have been FaceBook, not my PC, that was compromised directly.

Get Over It

I’d like to state that the first of the two accusations is absolutely false. I do not hate Microsoft or Windows and have no intention of abandoning either.

In fact, I use and deploy Microsoft products heavily in both my personal and professional life and there are many pieces of software which run on Windows that I am dependent on which will not have viable Linux equivalents for a long time to come. As for the second accusation — I told everyone already that I was a multiplatformist. You either accept this statement at face value or you can continue to believe whatever the hell you want.

My server hypervisor of choice at home is Hyper-V and Windows Server 2008R2, and I’d like to see it get much greater adoption in the enterprise because I think it’s an excellent and highly cost effective solution for server consolidation, particularly for Microsoft-centric environments that are reliant on SQL Server and Exchange.

As to the third complaint — my reaction to segregating Windows off from my browsing and Internet experience was motivated entirely by security concerns. I consider myself a “high value target” and am no longer willing to manage the risks or sink the time investment associated by using Windows as my base platform.

Whether it was FaceBook itself that was the culprit and not malware doesn’t really matter from my perspective. I’m mad as hell and I’m not going to take it anymore. Don’t agree with this? Tough noogies.

Vulnerabilities Start with the Browser and Work their Way into the OS

We can debate to the ends of the earth of whether or not Windows is more or less secure than Linux — but few security experts will disagree that Windows represents a much larger target of opportunity than Linux for exploits on end-user systems and a very large list of unpatched vulnerabilities still exist in the OS.

I believe we can also agree that with the increased shift towards Internet-centric activities, such as using FaceBook and other complex Web 2.0 sites, that more and more efforts will be centered on browsers as the means to gain unauthorized entry to end-user systems and accounts (as with sophisticated malware such as Koobface) or to hijack browser sessions with cross-site scripting exploits to gain access to cloud-based user information.

With this in mind, the browsers and the desktop OSes of the future need to provide us a much broader and much more comprehensive level of protection than the average user enjoys today. To use a geeky analogy, they need the PC equivalent of the “Internet Deflector Shield” from Star Trek. And to give this “Deflector Shield” to end users we need to seriously re-think how browsers are architected and run on end-user systems.

Isolation Being the First Step Towards Better Protection

Two years ago, back in April 2008, shortly after joining ZDNet I wrote an article named “If I were to design Windows 7“. Primarily, this was a reaction and a proposed solution to the compatibility problems that Windows Vista was dealing with at the time.

My key recommendation to solving those compatibility problems was to provide Windows 7 with a built-in hypervisor. While this recommendation was largely dismissed at the time — including by Microsoft and also our own resident Windows expert, Ed Bott, it eventually did turn out that some versions of Windows 7 finally shipped with built-in virtualization technology — Windows XP Mode.

How many users actually use Windows XP mode to run legacy apps in Windows 7 is unknown, as there’s never been any kind of study or quantitative report by Microsoft as to what the deployment totals are, and it’s also unknown how many people still are using older legacy apps on Windows 7 without having upgraded to new versions. Still, the technology is valid — it allows XP to run in a completely isolated process from the rest of the system.

Much in the same way Windows XP mode functions, it would also be possible to “Jail” Internet Explorer or any other browser within Windows using any number of virtualization technologies and to isolate it from the core OS so that malware could not leave that jail and propagate to the rest of the system.

This “Jail” or VM container would be the basis for the proposed “Browser Deflector Shield”.

Building the Deflector Shield with Microsoft Virtualization Technologies

There are a number of approaches which would permit this isolation. Current technologies at Microsoft’s disposal include MED-V, which is based on the Type 2 hypervisor Virtual PC technology that Windows XP mode uses.

A minimized Windows kernel with “Just enough OS” (JeOS) combined with Internet Explorer running on MED-V or full port of Hyper-V with proactive antimalware and running on a virtual hard disk file (VHD) for quarantined file downloads might make up a solution that could be brought to market within a year.

Microsoft also has APP-V, which is more of an enterprise, server-based virtualization technology for presenting applications to remote desktops, and would allow the browser to run on the server using enterprise-grade security controls and methods. This could very well be provided as a service from the ISP within the cloud, or within a corporate managed environment.

From a future Windows software architecture perspective, Windows 8 could be designed so that the entire OS boots and runs off of a hypervisor, such as a desktop implementation of Hyper-V, Microsoft’s Type 1 hypervisor, wherein various system components could be maintained in a modular fashion and would talk to each other over a secure communications bus.

One of those system components could be a managed microkernel such as Midori, with simply Internet Explorer or even the thin Gazelle browser running within this protected space.

What about Alien Technology?

In addition to Microsoft’s solutions, Google itself could issue a Windows version of Chrome OS, which would include a Type 2 Hypervisor (such as a run-time version of VirtualBox) and run entirely in virtual disk.

But Microsoft and Google are not the only entities that could provide this browser isolation. This functionality could also be addressed by companies like Parallels, which owns the Virtuozzo OS virtualization product that runs on Windows and Linux.

Unlike the previously described solutions that use hypervisors, Virtuozzo (and its open source project for Linux, OpenVZ) uses containers, so it doesn’t create new kernel and full OS instances within each virtual machine. Instead, it partitions out resources within a unified kernel instance to perform the isolation.

Using this method, a browser such as Internet Explorer, Chrome or Firefox could be set to run within within a fully isolated container. The advantage of this method over a Type 1 or Type 2 hypervisor is that it uses far less CPU and memory overhead, and thus could be used even on systems with relatively weak processors and relatively small amounts of RAM or those that lack hardware virtualization capability, such as Intel’s Atom on netbooks.

Currently, Parallels Virtuozzo Containers is only marketed for use on servers thru the reseller channel and is too price prohibitive to be used on a Windows desktop, but there is no technical reason why the company could not produce a desktop version for Windows that had stripped down functionality to act as the basis for the isolation in the “Deflector Shield”. Note to Parallels: PLEASE MAKE THIS PRODUCT.

From the perspective of the end-user, all of these solutions would just look like a browser icon on the desktop. The isolation and virtualization techniques described above would all happen in the background.

The virtual container running the browser and the quarantined download area (which would also behind a NAT firewall) could also be combined with an integrated virus checker and antispyware to monitor the health of the environment.

If malware is detected, the supervisory program would notify the user, and then prompt them to wipe the container — as if it were formatting the hard disk on a physical system — and re-initialize a completely new container. From the perspective of the malware, you just did a FORMAT C:

Reinitialization of the browser container would allow the user to quickly contain the threat, and if necessary — to quote Ripley from Aliens, to

“nuke the entire site from orbit. It’s the only way to be sure.”

Lt. Worf: Unified Threat Management for Consumers

The isolation provides the basic deflector shield to protect the core of your system from being compromised, but to have a complete solution, we’re also going to need to figure out how to bring Unified Threat Management (UTM) with Deep Packet Inspection (DPI), to every single end-user.

For the layman, think of UTM/DPI as Lieutenant Worf presiding over your network connection. He’s your security officer, vigilantly watching the long and short range scanners for signs of enemy Romulans or weird energy readings. He’s a sophisticated hardware-based firewall that looks at everything coming into your network at the deep packet level.

If he sees something he doesn’t like, and he gets pissed off, he blasts it out of the sky with the phasers or photon torpedoes and stops it cold. Doesn’t matter if it’s a virus, a phishing site, a hacker trying to directly penetrate your machine and intrude on your network, incoming spam, cross-site scripting or even content you don’t want your family to see, such as pornography.

Currently, UTM with DPI is an enterprise level solution for large businesses or SMBs. Companies purchase it in the form of appliances, such as those made by Sonicwall, Checkpoint, Cisco and Juniper and they start at about $1000.00 with yearly services going for about $100-$200 depending on what security modules are licensed and how many users are attached.

Additionally, unlike traditional SPI (Stateful Packet Inspection) firewalls, because the inspection is happening at the deep packet level, the wire-line speeds of your broadband are going to be degraded due to the overhead, from anywhere between 20 and 40 percent, depending which inspection and filtering services are running.

Ideally, we need to figure out how to get this from the enterprise down to Joe average cable modem or DSL user, let alone the FiOS customer. ISP’s should provide UTM and DPI as a value added service which residential customers could subscribe to as SaaS and self-provision in the $50-$100 a year range.

Consumer UTM, when combined with the Internet “Deflector Shield”, will finally give Windows, Mac, Linux, and web-enabled device users true peace of mind. Until then, I’m sticking with my current solution — full OS isolation.

Are you in the market for the “Internet Deflector Shield” and Consumer UTM? Talk Back and Let Me Know.