Linux / Firefox inside windows... still vulnerable?



J Tiers
03-14-2010, 08:36 PM
Have run the Linux that Evan suggested, operating inside windoze from a thumb drive. It works, although it is pretty slow.

A question:

because it is operating inside windows (actually I suppose it is operating in a DOS window) does it still have ANY of the windoze vulnerabilities?

It appears to access the internet through windoze facilities, or at least it is still going through Zonealarm, which asked if it should be granted access. That would "seem" to indicate that some windoze vulnerabilities could still exist, although obviously nothing IE specific would work.

How "protected" is the use of Linux in this way?

lazlo
03-15-2010, 10:58 AM
OS Virtualization is very similar to Virtual x86 Mode - you can open multiple DOS (real-mode) windows on your machine, and each thinks it's a real DOS machine, when it's actually a real-mode (DOS) container, and the OS is intercepting the DOS windows directly poking at the hardware so they don't collide with each other.

Virtualizing the operating system, in this case, both Windows and Linux, involves inserting a layer of code (the "Hypervisor") underneath Windows and Linux that puts the two operating systems in modularized containers ("virtual machines"). The Hypervisor intercepts the calls they make to the physical hardware, moves memory around, tickles the clock, and re-translates the hardware calls so the OSes don't collide with each other.

Every time Linux or Windows tries to write to memory, or talk to the graphics or network cards, the Hypervisor intercepts the call and re-translates it so that Windows and Linux both think that they are the only OS talking to the hardware. That's the reason for the slowness you're seeing.

The OS's are subject to the same security vulnerabilities as when they weren't virtualized, but the idea is that they are in separate virtual machine containers, so if one of the OS's is infected, you can just destroy the container, wipe the image, and re-install it.

The real danger is if someone attacks the Hypervisor itself (the underlying virtualization software). There have been several sophisticated Hypervisor attacks that have been demonstrated in the technical press (Google "Blue Pill"), but AFAIK, there have been no widespread attacks in the wild.

J Tiers
03-15-2010, 10:22 PM
What is the practical meaning of what you wrote? I confess to not being familiar with the jargon.....

The plain questions I suppose are:

1) is it basically proof against anything other than a Linux virus?

2) is it basically proof against a virus penetrating the Linux to the windows?

3) How "invisible" is the underlying windows OS? It seems that the box is still a windows box, and that should be in some way evident, regardless of what "program" is operating under windows.

4) I am not yet quite clear what happens if a file is downloaded...... is it stored in a windows format, or in a Linux format?


The matter is confusing, because apparently all machine functions are still provided through windows, as evidenced by zonealarm asking questions about allowing the Linux to access the internet and "protected zone".

dp
03-15-2010, 10:28 PM
If you install a virtual machine running Linux as a guest in a Windows host and establish a shared filespace between the two operating systems such that Windows can create files in the Linux file space then I guarantee I can write a virus that will execute code in your Linux VM and destroy that VM. However that is too much work as all I have to do is destroy your Windows machine and that is both easier and more complete.

On the other hand - if you use Linux as your host OS and create a Windows OS in a virtual machine then things become far more difficult. It is still a bad idea to share file space.

J Tiers
03-15-2010, 11:31 PM
I have zero idea if it shares any file space, at least whether it shares it bidirectionally and real-time. I don't know yet what, if any, write capability it has (or knows it has) off its home drive, which is a thumb drive.

However, obviously the Windows OS "owns" the thumb drive as a USB device, so windows can get to it. I don't know if the Linux can get to any other drives.

DP seems to be confirming my thought.

DP... are you saying that the windows machine is very visible even through Linux, and can be directly operated on?

I'd like to "leave out" of this discussion any contamination via downloaded files. Intentionally downloaded ones, like PDF, jpg, or exe etc. obviously they are persistent and can carry malware.

"Incidental" downloads, like web pages etc, that are basic to the operation, are obviously fair game. I would suppose that the web page might carry an "injector" that automatically dumps a virus kernel onto the drive. Whether that stuff is persistent after the session I believe is selectable.

And, I don't know if the windows automatic device "connection" would allow that kernel to proceed into the windows OS..... it seems that usually some "social engineering" is required to coax you into reacting to it........ pushing any button normally acts as a trigger then.

But even then, whether that would get past Linux into windows is my question. It only "exists" inside the Linux imaginary machine..........

And it seems unduly complicated to assume the writer would assume that Linux was operating inside windows and write a specific attack to handle that case.

Evan is the one who brought this up originally and recommended it, maybe he has a reason which is specific to this implementation.

It is "DSL", "Damn Small Linux", running apparently within a DOS window under Windows as the actual machine OS.

dp
03-16-2010, 12:13 AM
VirtualBox is free and less clunky than it was just 6 months ago. It's still not as mature as VMware's product (Player) but it does allow creating new virtual machines from DVD or iso. They need a bit more time to work out the rough edges.

If any readers have a Mac and want to try Fusion there's a new beta out at http://communities.vmware.com/community/beta/fusion. Or you can get a free 30-day preview of the full product.

They make a full Windows desktop product too, and it will allow creating new virtual machines from scratch. https://www.vmware.com/tryvmware/?p=workstation&lp=1

As for not understanding what you're doing, don't feel bad - this is all pretty new stuff for Joe Sixpack to be getting involved in. Like so much that we take for granted now, a lot of this stuff was the bleeding edge in data centers not that long ago. If you think you're going to stay at this virtualization then hit the help screens and focus on the language of virtualization and then the features.

lazlo
03-16-2010, 12:26 AM
1) is it basically proof against anything other than a Linux virus?

You're running FireFox in a virtual machine running Linux. It's the same level of vulnerability as running a standalone Linux box.


is it basically proof against a virus penetrating the Linux to the windows?

Yes, as long as the Hypervisor isn't hacked (which would require a very high level of sophistication).


How "invisible" is the underlying windows OS?

It's completely invisible. Like any virtualized system, the OS (Linux) doesn't know it's virtualized and doesn't know about the Windows OS.


4) I am not yet quite clear what happens if a file is downloaded...... is it stored in a windows format, or in a Linux format?

Short answer: the files are downloaded to the Linux filesystem. To transfer files between the Linux OS and the Windows OS, you have to create a virtual hard drive that's shared between both OS's, or create a virtual Samba network.

Longer answer: there are two popular ways of running Damn Small Linux -- you either boot off the thumbdrive, and use Qemu to virtualize both OSes (Windows and Linux), or you run Linux in a Qemu emulation window, which was the link Evan posted.

In either case, the Linux installation is completely isolated from the Windows OS.

Here's how to install DSL with Qemu virtualizing both Windows and Linux:
http://www.pendrivelinux.com/all-in-one-usb-dsl/

...and how to install DSL in a Qemu virtualized window inside Windows:
http://www.pendrivelinux.com/run-damn-small-linux-in-windows/

In either case, it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running Firefox on a Linux platform for security. I haven't had any security issues/exploits running Firefox on either CentOS, Windows or Jaguar.

MTNGUN
03-16-2010, 02:03 AM
it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running Firefox on a Linux platform for security.
I suspect Evan suggested this approach because it is a painless, low-risk way to introduce people to Linux.

My Linux journey began by trying a Linux CD. Unlike Windoze, most Linux distributions can boot and run on the CD, without installing on the hard drive.

Next, I installed Linux on a 2nd partition, and the Grub bootloader gave me the option of booting into either Linux or Windoze. I could play with Linux and get to know it better, but if I got stuck -- and I often got stuck -- then I could reboot into Windoze. This went on for about 6 months before I felt ready to say goodbye to Windoze.

Now I am 99% Linux. The dual boot option is still there, but about the only thing I still use Windoze for is TurboCad.

Linux malware does exist, but it's not very common. For the most part, the Linux user can simply forget about malware.

J Tiers
03-16-2010, 08:18 AM
In either case, it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running Firefox on a Linux platform for security. I haven't had any security issues/exploits running Firefox on either CentOS, Windows or Jaguar.

That's true...

But even with the linux overlay, it is not as slow as the PM server..... I have found that the PM adserver will stall even after 20 or 25 access attempts... And an hour later will be speedy..

The Linux is better than that.... barely.

lazlo
03-16-2010, 09:18 AM
I suspect Evan suggested this approach because it is a painless, low-risk way to introduce people to Linux.

My Linux journey began by trying a Linux CD. Unlike Windoze, most Linux distributions can boot and run on the CD, without installing on the hard drive.

Now I am 99% Linux. The dual boot option is still there, but about the only thing I still use Windoze for is TurboCad.

Linux malware does exist, but it's not very common. For the most part, the Linux user can simply forget about malware.

That's a great story -- I'm glad the Linux path worked out for you :) I agree, of course, with the threat level associated with Linux versus Windows...

If your aim is to test the Linux waters without a total commitment, I'd suggest a simpler path than running Linux in a Virtual Machine on top of Windows: just install Linux on a thumb drive, and boot off of it. When you get stuck, just remove the thumb drive, reboot your machine, and you're back in Windows.

That's the first half of the first tutorial I posted. If you don't want/need to switch between Linux and Windows on the same desktop, skip the Qemu virtualization software, and Linux/Firefox will run faster than if you virtualize the operating system.


Here's how to install DSL with Qemu virtualizing both Windows and Linux:
http://www.pendrivelinux.com/all-in-one-usb-dsl/

lunkenheimer
03-16-2010, 04:31 PM
I have found that there can be a huge difference in speed for various thumbdrives. Not so much a problem just storing files but for 'live' uses it makes a big difference. I learned this trying to use firefox portable. A 16G sandisk was pretty slow and a 4G sandisk was decently usable. Search for speed tests, you might have a fast one laying around.

MrSleepy
03-16-2010, 10:51 PM
If you boot from the Knoppix CD, you will get full-speed Linux... the Knoppix CD comes with Firefox etc. and allows you to save sessions, favourites, cookies etc. onto a USB drive if needed..

Rob

dp
03-16-2010, 11:28 PM
I have found that there can be a huge difference in speed for various thumbdrives. Not so much a problem just storing files but for 'live' uses it makes a big difference. I learned this trying to use firefox portable. A 16G sandisk was pretty slow and a 4G sandisk was decently usable. Search for speed tests, you might have a fast one laying around.

The good live CD implementations use some form of UnionFS to attach critical file systems (swap, /tmp, $HOME) to the physical disk to speed things up. Same with thumb drives - web browsers need some place besides memory to cache things, as does the OS. UnionFS joins the name space of the CD/thumb drive with the physical drive to solve the problem of cache/swap.

The sound solution is to run a true self-contained virtual machine. If there is concern about passing malware between the host and guest then 99% of the opportunity can be removed by avoiding shared drives, and by not installing the "tools" each vendor provides to make the VM experience relatively seamless. In this case the mouse and keyboard are captured by the guest OS until you hit a release key sequence. Annoying but safer.

The worst possible implementation of host and guest with virtual machines is when you take full advantage of the "tools" and allow associations between the two systems. Click on a .doc file in Mac OS X and it will launch Word in Windows. Click on a .mov file in Windows and QuickTime for Mac will launch. The sacred line in the logical sand is gone and the entire system of host/guest is only as safe as the weakest link and that, as you might surmise, is still Windows.

Great virtualizing products:
Fusion for Mac
VMware Workstation for Windows
Player for Windows/Linux (free)
VMware Server (free)

Virtualizing products made by crazee Russians:
Parallels

Virtualizing products that are open source:
VirtualBox (Oracle/Sun, based on Xen)
Xen

Crappy products:
Microsoft virtual PC

Emulators (these products make your cpu, say Intel's pride of the fleet, the 386SX, look like a PowerPC cpu):
qemu
valgrind

OS emulator:
WINE (Library level compatibility - guaranteed to disappoint)
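dp's advice above (no shared drives, no vendor "tools" between host and guest) can be checked against what a VM is actually configured with. This is an added example, not code from the thread or from any vendor: it audits constructed `VBoxManage showvminfo <vm> --machinereadable` output for the host/guest bridges dp names, assuming the VirtualBox key names `clipboard`, `draganddrop` and `SharedFolder{Name,Path}{Machine,Transient}MappingN`; the sample values are made up.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# for a Linux guest launched from Windows. Key names (clipboard, draganddrop,
# SharedFolder*Mapping*) are as documented for VirtualBox; values are made up.
WEAK_VM = '''name="dsl-firefox"
ostype="Linux26"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="C:\\Users\\jt\\Downloads"
'''

# The same guest with every host/guest bridge removed, as dp recommends.
HARDENED_VM = '''name="dsl-firefox"
ostype="Linux26"
clipboard="disabled"
draganddrop="disabled"
'''

# Integration features that blur the host/guest line. Anything other than
# "disabled" gives data a path across the boundary in one or both directions.
INTEGRATION_KEYS = {"clipboard": "shared clipboard", "draganddrop": "drag and drop"}
SHARED_FOLDER_RE = re.compile(r"^SharedFolder(Name|Path)(Machine|Transient)Mapping(\d+)$")


def parse_showvminfo(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value.strip().strip('"')
    return settings


def audit_boundary(settings):
    """List every enabled host/guest bridge; an empty list means the VM is isolated."""
    findings = []
    for key, label in INTEGRATION_KEYS.items():
        mode = settings.get(key, "disabled")
        if mode != "disabled":
            findings.append(f"{label} enabled ({mode})")
    # Shared folders appear as Name/Path pairs indexed per mapping; group them
    # by (scope, index) so each folder is reported once with both halves.
    folders = {}
    for key, value in settings.items():
        m = SHARED_FOLDER_RE.match(key)
        if m:
            kind, scope, idx = m.groups()
            folders.setdefault((scope, int(idx)), {})[kind] = value
    for (scope, _), f in sorted(folders.items()):
        findings.append(f"shared folder '{f.get('Name')}' -> {f.get('Path')} ({scope.lower()})")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_VM), ("hardened", HARDENED_VM)):
        print(name, audit_boundary(parse_showvminfo(dump)) or ["no host/guest bridges"])
```

On a real host, feed the function the captured output of `VBoxManage showvminfo <vm> --machinereadable`; a non-empty finding list is the "sacred line in the sand" dp describes being crossed.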

J Tiers
03-17-2010, 08:32 AM
The DSL version from the pendrive "has" the machine until you exit from it......

The mouse won't go outside the window, which means you have to size it FIRST, since the sizing tools are not accessible once the Linux is started.... I found this out running it in a rather small window....

That suggests that the cross-linkages are minimal, and may not be "live"......

Lodsb
03-17-2010, 10:00 AM
No, Windows still owns the machine, hardware wise. Everything you do has to go to Windows sooner or later.

Another thought for you - when you go onto the internet, you are effectively announcing your IP addy. Any bad guy listening can then probe your Windows for open ports, and the Windows malware can still communicate with them. Your Zonealarm is proving this. Running Linux the way you are protects nothing. You'd be better off running Linux with Windows in the emulator. DSL is just a demo, it really offers nothing else. Get rid of Windows and be rid of these problems.

http://goodbye-windows.com

Farbmeister
03-17-2010, 10:41 AM
VMWARE sucks.

I used it for hosting Windows and the newer 2.0 way (access the terminal via the web browser) sucks, slow, and has all kinds of issues. VMWare also needs patches to even compile modules on non-vendor-released installs.

VirtualBox is *MUCH* easier, faster, and simpler to install/maintain. Seamless mode is da bomb yo!

I don't think there are many guest-os specific attacks in the wild... but *any* misconfigured system can be exploited once compromised.

If you don't want viruses or malware on your PC then *DON'T* connect it to the interwebz, or install any programs, or even turn it on.

lazlo
03-17-2010, 10:53 AM
No, Windows still owns the machine, hardware wise. Everything you do has to go to Windows sooner or later.

If you launch the virtual machine from Windows, that's true. But if you boot off the DSL thumb drive, then you're virtualizing Linux and Windows. Then both are slow :p


Emulators (these products make your cpu, say Intel's pride of the fleet, the 386SX, look like a PowerPC cpu):
qemu

QEMU (the virtualization engine in Evan's DSL link) is a true virtual machine like Xen, VirtualBox and VMWare. In fact, QEMU released support for 64-bit hosts and guests before VMWare did.

VirtualBox, Xen and QEMU are free, VMWare is not.

J Tiers
03-18-2010, 12:15 AM
Any bad guy listening can then probe your Windows for open ports, and the Windows malware can still communicate with them. Your Zonealarm is proving this. Running Linux the way you are protects nothing.

I'd definitely say you are off-base there...... Running Linux that way makes the user internet access through the Linux..... so bad sites have no visible/accessible windows to exploit. Most of the malware simply bounces, since it has nothing it understands to exploit. Even if it did pounce on Firefox, the whole thing goes away when shut down.....

But I see your point, of course, in fact I brought it up to begin with.

of course, if there IS no windows, there is nothing to exploit.

Zonealarm shuts off EVERYTHING that isn't specifically allowed. If you also shut off messaging etc, then all ports except the ones allowed are closed. And messages must be requested.

According to the tests you can run at Gibson research, my windows computer with zonealarm is invisible from outside....no open ports to see or access.

J Tiers
03-18-2010, 12:16 AM
Any bad guy listening can then probe your Windows for open ports, and the Windows malware can still communicate with them. Your Zonealarm is proving this. Running Linux the way you are protects nothing.

I'd definitely say you are off-base there...... Running Linux that way makes the user internet access through the Linux..... so bad sites have no visible/accessible windows system to exploit, unless written specifically to target virtualized Linux. Most of the malware simply bounces, since it has nothing it understands to exploit. Even if it did pounce on Firefox, the whole thing goes away when shut down..... so....

But I see your point, of course, in fact I brought it up to begin with.

of course, if there IS no windows, there is nothing to exploit.

Zonealarm shuts off EVERYTHING that isn't specifically allowed. If you also shut off messaging etc, then all ports except the ones allowed are closed. And messages must be requested.

According to the tests you can run at Gibson research, my windows computer with zonealarm is invisible from outside....no open ports to see or access.

Lodsb
03-18-2010, 08:55 AM
Keep thinkin - it'll come to ya. :)

There's a bit of network translation going on. The Linux side is actually connecting to your Windows, and then Windows passes it out to the internet on a newly created port. Data coming back, Windows looks to see what app owns that port and says, "here, Mr Linux, is your data". To and fro it goes. Honest.

The user interface appears to be confined, but it's only in appearance.

Lodsb
03-18-2010, 09:16 AM
If you launch the virtual machine from Windows, that's true. But if you boot off the DSL thumb drive, then you're virtualizing Linux and Windows. Then both are slow :p


Pretty sure that's because of access speeds of the thumbdrive. Break off a chunk of drive space and (while booted in Linux) format and copy the contents of the thumbdrive to it, then remount it as a loopback device. I would expect Linux to run at full speed. Why would they be virtualizing the Linux stuff?