Browser Protection: The Next Generation


Summary: The Web Browsers and ISPs of the future will behave like the "Deflector Shields" of Star Trek, protecting our computers against malware and scripting attacks.



This week, I wrote about how I decided to firewall off my entire Windows installation from my main desktop computer system, due to my concerns about the current state of Internet security and the increasing level of sophistication of malware and scripting/phishing attacks that can compromise users' systems.


A bunch of people who left TalkBacks to this post believed that this announcement that I will primarily be running Windows in a virtualized mode -- by using Linux as my primary OS -- was either a

* Calculated attack and proof of my long standing hatred of Windows and Microsoft and showing my spots as an Open Source weenie

* A form of shilling promotion for Ubuntu Linux's pending Lucid Lynx release (Note to Mr. Shuttleworth, I'm still waiting on my $50,000 check)

* Or a flat-out overreaction to what might not have been a direct system compromise at all. Indeed, it may have been FaceBook, not my PC, that was compromised directly.

Get Over It

I'd like to state that the first accusation is absolutely false. I do not hate Microsoft or Windows and have no intention of abandoning either.

In fact, I use and deploy Microsoft products heavily in both my personal and professional life and there are many pieces of software which run on Windows that I am dependent on which will not have viable Linux equivalents for a long time to come. As for the second accusation -- I told everyone already that I was a multiplatformist. You either accept this statement at face value or you can continue to believe whatever the hell you want.

My server hypervisor of choice at home is Hyper-V and Windows Server 2008R2, and I'd like to see it get much greater adoption in the enterprise because I think it's an excellent and highly cost effective solution for server consolidation, particularly for Microsoft-centric environments that are reliant on SQL Server and Exchange.

As to the third complaint -- my reaction to segregating Windows off from my browsing and Internet experience was motivated entirely by security concerns. I consider myself a "high value target" and am no longer willing to manage the risks or sink the time investment associated with using Windows as my base platform.

Whether it was FaceBook itself that was the culprit and not malware doesn't really matter from my perspective. I'm mad as hell and I'm not going to take it anymore. Don't agree with this? Tough noogies.

Vulnerabilities Start with the Browser and Work their Way into the OS

We can debate to the ends of the earth whether or not Windows is more or less secure than Linux -- but few security experts will disagree that Windows represents a much larger target of opportunity than Linux for exploits on end-user systems, and that a very large list of unpatched vulnerabilities still exists in the OS.

I believe we can also agree that with the increased shift towards Internet-centric activities, such as using FaceBook and other complex Web 2.0 sites, more and more efforts will be centered on browsers as the means to gain unauthorized entry to end-user systems and accounts (as with sophisticated malware such as Koobface) or to hijack browser sessions with cross-site scripting exploits to gain access to cloud-based user information.

With this in mind, the browsers and the desktop OSes of the future need to provide us a much broader and much more comprehensive level of protection than the average user enjoys today. To use a geeky analogy, they need the PC equivalent of the "Internet Deflector Shield" from Star Trek. And to give this "Deflector Shield" to end users we need to seriously re-think how browsers are architected and run on end-user systems.

Isolation Being the First Step Towards Better Protection

Two years ago, back in April 2008, shortly after joining ZDNet I wrote an article named "If I were to design Windows 7". Primarily, this was a reaction and a proposed solution to the compatibility problems that Windows Vista was dealing with at the time.

My key recommendation for solving those compatibility problems was to provide Windows 7 with a built-in hypervisor. While this recommendation was largely dismissed at the time -- including by Microsoft and also our own resident Windows expert, Ed Bott -- it eventually did turn out that some versions of Windows 7 finally shipped with built-in virtualization technology -- Windows XP Mode.

How many users actually use Windows XP mode to run legacy apps in Windows 7 is unknown, as there's never been any kind of study or quantitative report by Microsoft as to what the deployment totals are, and it's also unknown how many people still are using older legacy apps on Windows 7 without having upgraded to new versions. Still, the technology is valid -- it allows XP to run in a completely isolated process from the rest of the system.

Much in the same way Windows XP mode functions, it would also be possible to "Jail" Internet Explorer or any other browser within Windows using any number of virtualization technologies and to isolate it from the core OS so that malware could not leave that jail and propagate to the rest of the system.

This "Jail" or VM container would be the basis for the proposed "Browser Deflector Shield".

Building the Deflector Shield with Microsoft Virtualization Technologies

There are a number of approaches which would permit this isolation. Current technologies at Microsoft's disposal include MED-V, which is based on the Type 2 hypervisor Virtual PC technology that Windows XP mode uses.

A minimized Windows kernel with "Just enough OS" (JeOS) combined with Internet Explorer running on MED-V or a full port of Hyper-V, with proactive antimalware and a virtual hard disk file (VHD) for quarantined file downloads, might make up a solution that could be brought to market within a year.

Microsoft also has APP-V, which is more of an enterprise, server-based virtualization technology for presenting applications to remote desktops, and would allow the browser to run on the server using enterprise-grade security controls and methods. This could very well be provided as a service from the ISP within the cloud, or within a corporate managed environment.

From a future Windows software architecture perspective, Windows 8 could be designed so that the entire OS boots and runs off of a hypervisor, such as a desktop implementation of Hyper-V, Microsoft's Type 1 hypervisor, wherein various system components could be maintained in a modular fashion and would talk to each other over a secure communications bus.

One of those system components could be a managed microkernel such as Midori, with simply Internet Explorer or even the thin Gazelle browser running within this protected space.

What about Alien Technology?

In addition to Microsoft's solutions, Google itself could issue a Windows version of Chrome OS, which would include a Type 2 Hypervisor (such as a run-time version of VirtualBox) and run entirely from a virtual disk.

But Microsoft and Google are not the only entities that could provide this browser isolation. This functionality could also be addressed by companies like Parallels, which owns the Virtuozzo OS virtualization product that runs on Windows and Linux.

Unlike the previously described solutions that use hypervisors, Virtuozzo (and its open source project for Linux, OpenVZ) uses containers, so it doesn't create new kernel and full OS instances within each virtual machine. Instead, it partitions out resources within a unified kernel instance to perform the isolation.

Using this method, a browser such as Internet Explorer, Chrome or Firefox could be set to run within a fully isolated container. The advantage of this method over a Type 1 or Type 2 hypervisor is that it uses far less CPU and memory overhead, and thus could be used even on systems with relatively weak processors and relatively small amounts of RAM, or those that lack hardware virtualization capability, such as Intel's Atom on netbooks.

Currently, Parallels Virtuozzo Containers is only marketed for use on servers through the reseller channel and is too price prohibitive to be used on a Windows desktop, but there is no technical reason why the company could not produce a desktop version for Windows that had stripped down functionality to act as the basis for the isolation in the "Deflector Shield". Note to Parallels: PLEASE MAKE THIS PRODUCT.

From the perspective of the end-user, all of these solutions would just look like a browser icon on the desktop. The isolation and virtualization techniques described above would all happen in the background.

The virtual container running the browser and the quarantined download area (which would also sit behind a NAT firewall) could also be combined with an integrated virus checker and antispyware to monitor the health of the environment.

If malware is detected, the supervisory program would notify the user, and then prompt them to wipe the container -- as if it were formatting the hard disk on a physical system -- and re-initialize a completely new container. From the perspective of the malware, you just did a FORMAT C:

Reinitialization of the browser container would allow the user to quickly contain the threat, and if necessary -- to quote Ripley from Aliens, to

"nuke the entire site from orbit. It's the only way to be sure."

Lt. Worf: Unified Threat Management for Consumers

The isolation provides the basic deflector shield to protect the core of your system from being compromised, but to have a complete solution, we're also going to need to figure out how to bring Unified Threat Management (UTM) with Deep Packet Inspection (DPI), to every single end-user.

For the layman, think of UTM/DPI as Lieutenant Worf presiding over your network connection. He's your security officer, vigilantly watching the long and short range scanners for signs of enemy Romulans or weird energy readings. He's a sophisticated hardware-based firewall that looks at everything coming into your network at the deep packet level.

If he sees something he doesn't like, and he gets pissed off, he blasts it out of the sky with the phasers or photon torpedoes and stops it cold. Doesn't matter if it's a virus, a phishing site, a hacker trying to directly penetrate your machine and intrude on your network, incoming spam, cross-site scripting or even content you don't want your family to see, such as pornography.

Currently, UTM with DPI is an enterprise level solution for large businesses or SMBs. Companies purchase it in the form of appliances, such as those made by Sonicwall, Checkpoint, Cisco and Juniper and they start at about $1000.00 with yearly services going for about $100-$200 depending on what security modules are licensed and how many users are attached.

Additionally, unlike traditional SPI (Stateful Packet Inspection) firewalls, because the inspection is happening at the deep packet level, the wire-line speeds of your broadband are going to be degraded by the overhead, anywhere between 20 and 40 percent, depending on which inspection and filtering services are running.

Ideally, we need to figure out how to get this from the enterprise down to Joe average cable modem or DSL user, let alone the FiOS customer. ISPs should provide UTM and DPI as a value added service which residential customers could subscribe to as SaaS and self-provision in the $50-$100 a year range.

Consumer UTM, when combined with the Internet "Deflector Shield", will finally give Windows, Mac, Linux, and web-enabled device users true peace of mind. Until then, I'm sticking with my current solution -- full OS isolation.

Are you in the market for the "Internet Deflector Shield" and Consumer UTM? Talk Back and Let Me Know.



Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.



  • Enable your Ubuntu Linux Firefox Browser sandbox by typing...

    [b]$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/b]

    Shields Up!

    Be safe TODAY with Ubuntu Linux and AppArmor.

    Dietrich T. Schmitz
    Linux Advocate
    Dietrich T. Schmitz, Your Linux Advocate
    • And spend hours upon hours trying to configure it!

      I can't see people going for that solution. Too time consuming.
      Loverock Davidson
      • It's a one-time command. Copy/paste to a terminal window. 5 seconds.

        Dietrich T. Schmitz, Your Linux Advocate
        • Less than that...and I typed it..

          i JUST ran that command and it took all of 5 seconds typing it out AND typing my password...
          • And there you have it Folks. Thanks JT82! :)

            Dietrich T. Schmitz, Your Linux Advocate
    • Needs point and click.

      That's nice, but it should be point and click and
      available for Windows.
      • Windows has no analog for Linux Security Modules AppArmor

        But yes, a GUI [x] checkbox at install or post-install in System->Administration is needed.
        Dietrich T. Schmitz, Your Linux Advocate
        • We've been over this before. Yes it has.

          It's just built better and integrated into the
          OS permission system.

          Security should not be bolted on as an
          afterthought as apparmor is. The OS should
          provide security without relying on dangerous
          out-of-kernel hooks.

          Windows has service hardening. Look it up. More
          services than compared to Linux daemons can run
          with less privileges. And Windows services get
          an <i>account</i> per service under which they
          run. This way privileges can be tightly

          Windows has integrity levels, protecting the
          user and the OS from bugs in low integrity
          processes, such as Internet Explorer and

          It may not have a text config file like
          apparmor for you to spend hours and days
          tweaking. But that's because it's just
          integrated properly into the OS permission

          And then go read about the horrible (horrible!)
          idea called setuid and setgid in Linux. Big,
          bad ugly patches to make up for the fact that
          Linux permission system is insufficient and too
          coarse grained. Setuid is an even worse idea
          than ActiveX for website extensions.
          • LSM isn't an afterthought. It's designed into the Linux Kernel.

            [i]"It's just built better and integrated into the
            OS permission system"[/i]

            Google software engineers say otherwise.
            "The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

            In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."

            Read more about Ubuntu Linux security features here.

            Note FS Capabilities (Access Control Lists) is present in Linux.

            Windows simply is not safe and the increasing volume of security issues has not abated.
            Dietrich T. Schmitz, Your Linux Advocate
        • Just saying we need one.

          Just saying we need one. Having it on an OS that's
          struggling to get any market share isn't gonna cut

          Although there are some third party options like
          Sandboxie that are available.
          • I understand, but

            read this article,

            and I would suspect there will be a common set incredulous reaction:

            "How can this possibly be happening?"
            "Why does my O/S allow this to happen?"
            "That's it. This is the last straw"
            "Time for change."

            And when you read Dancho's solution. That really is rich.

            That article is one BIG flashing neon sign warning readers to 'run away from Windows as fast as you can'.

            Criminals are having a heyday with it--like shooting fish in a barrel.

            It is totally outrageous and unacceptable.

            But, yes, Linux has a small market share. You got me there.
            Dietrich T. Schmitz, Your Linux Advocate
          • Yes, and small it will stay...

            As long as people with your attitudes are
            promoting it. Do you realize that whether or not
            you are factually correct it is the way you word
            your comments that makes people react?
    • More info on using AppArmor with FireFox

      Thanks Dietrich, that's an excellent setting.

      The link below describes the setting, and how to
      [enable|edit|disable] AppArmor's profile for
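The aa-enforce command in the thread above switches the Firefox profile into enforce mode. The script below is an added example, not code from any commenter: it parses the confinement label AppArmor exposes in /proc/<pid>/attr/current and the "name (mode)" listing in /sys/kernel/security/apparmor/profiles, so a user can confirm the shield is really up (enforce) rather than merely logging (complain). The sample listing and the firefox process name are constructed assumptions.

```shell
#!/bin/sh
# Added example: check that Firefox is confined by AppArmor in enforce mode.
# Assumes Linux with AppArmor; the parsing functions work on plain strings
# so they can be exercised without a running browser.

# Constructed sample of /sys/kernel/security/apparmor/profiles contents.
SAMPLE_PROFILES="/usr/bin/firefox (enforce)
/usr/sbin/cupsd (complain)"

# Extract the mode from a confinement label such as
# "/usr/bin/firefox (enforce)". Unconfined processes report "unconfined".
confinement_mode() {
    case "$1" in
        unconfined*) echo unconfined ;;
        *) mode=$(printf '%s\n' "$1" | sed -n 's/.*(\([a-z]*\)).*/\1/p')
           echo "${mode:-unknown}" ;;
    esac
}

# Look up the mode a loaded profile is in.
# $1 = profile name, $2 = text of the profiles listing (one "name (mode)" per line).
profile_mode() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { if (!found) print "absent" }'
}

# Succeeds only when the label says enforce; complain mode only logs
# violations and blocks nothing, so it does not count as shields up.
shields_up() {
    [ "$(confinement_mode "$1")" = "enforce" ]
}

# Live check over every running firefox process (assumes the process is
# named "firefox"; adjust for firefox-esr or similar).
check_running_firefox() {
    for pid in $(pgrep -x firefox 2>/dev/null); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null || echo unknown)
        if shields_up "$label"; then
            echo "pid $pid: confined, enforce mode"
        else
            echo "pid $pid: NOT enforced ($label)"
        fi
    done
}
```

Run check_running_firefox after launching Firefox; a "NOT enforced" line with a "(complain)" label means the profile is loaded but aa-enforce has not been applied.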
  • RE: Browser Protection: The Next Generation

    [i]Whether it was FaceBook itself that was the culprit and not malware doesn't really matter.[/i]

    It does matter. If it was Facebook then you are susceptible to the same exploits as you were previously, so all your days of virtualizing Microsoft Windows was for nothing.

    Internet Explorer already offers a great level of security in its browser. You can use the security zones to adjust what you want the browser to do on pages. It really is customizable. Another added bonus is the content advisor that you can set up to only allow you to browse trusted websites. I'm not so sure if we need to start virtualizing the browser and slow it down given the security methods I just mentioned.
    Loverock Davidson
    • That doesn't work

      as proved by the many attacks that successfully exploit MSIE to find their way into windows.

      In fact that's happening right now all over the world.
      Great Kahuna
  • Virtualized Browser

    They've had this for several years. I abandoned it quite a while back only because it hasn't been updated in a long time. You need to have VMware player installed first - then, just create a shortcut to the vmx file and double-click. For downloading files, save to an external drive or USB key. Of course thoroughly scan any files downloaded before using them in Windows. I'd probably use it again if it was updated to Ubuntu 10.04 and Firefox 3.x with NoScript and SiteAdvisor.
    • Just download a copy of WUBI

      No VMware required. Install to your Windows Desktop
      Dietrich T. Schmitz, Your Linux Advocate
  • thoughts

    "Currently, UTM with DPI is an enterprise level
    solution for large businesses or SMBs. Companies
    purchase it in the form of appliances, such as those
    made by Sonicwall, Checkpoint, Cisco and Juniper and
    they start at about $1000.00"

    Humm, Astaro used to offer a software version of their
    UTM for free to install on any PC, but right now it's
    hidden behind a stupid request form.

    A more effective solution, however, would be something
    at the application level: Either in the application
    itself or just below it, there would be an extra layer
    of verification that ensures all XML, CSS, JavaScript,
    etc is well formed and doesn't have any crazy long
    strings that could trigger a buffer overflow.

    One possible issue with a hardware appliance is that
    the appliance is unlikely to have access to encrypted
    data - and with SSL certificates being pretty easy to
    get, it probably wouldn't take much for a hacker to
    hide the data from a hardware router.

    However - right after the data is decrypted, and
    before the rest of the application sees it, there's a
    chance to inspect the data. That could turn out to be
    best opportunity to check the data and make sure it's
  • RE: Browser Protection: The Next Generation

    Jason, glad you are "joining" me as a multi-platformist ... joining? Hey, weren't we both multi-platformist back when we met in 1994? Oh. Guess we were. Haw!

    I learned a long time ago that people who want to believe negative things about us will choose to ignore the burning sensation in their backsides if we try to tell them their pants are on fire! But that is (ouch) their problem!
  • but yesterday's title and picture implied you were leaving Windows

    But today you tell people to "get over it".

    What's going on over there at ZDNet with all these flashy headlines but no content?

    Big Hat. No Cattle!