
Thread: Linux / Firefox inside windows... still vulnerable?

  1. #1
    Join Date
    Jan 2004
    Location
    Missouri
    Posts
    14,811

    Default Linux / Firefox inside windows... still vulnerable?

    Have run the Linux that Evan suggested, operating inside windoze from a thumb drive. It works, although it is pretty slow.

    A question:

    Because it is operating inside windows (actually I suppose it is operating in a DOS window) does it still have ANY of the windoze vulnerabilities?

    It appears to access the internet through windoze facilities, or at least it is still going through Zonealarm, which asked if it should be granted access. That would "seem" to indicate that some windoze vulnerabilities could still exist, although obviously nothing IE specific would work.

    How "protected" is the use of Linux in this way?

  2. #2
    Join Date
    Jun 2006
    Location
    Austin, Texas
    Posts
    15,396

    Default

    OS Virtualization is very similar to Virtual x86 Mode - you can open multiple DOS (real-mode) windows on your machine, and each thinks it's a real DOS machine, when it's actually a real-mode (DOS) container, and the OS is intercepting the DOS windows directly poking at the hardware so they don't collide with each other.

    Virtualizing the operating system, in this case, both Windows and Linux, involves inserting a layer of code (the "Hypervisor") underneath Windows and Linux that puts the two operating systems in modularized containers ("virtual machines"). The Hypervisor intercepts the calls they make to the physical hardware, moves memory around, tickles the clock, and re-translates the hardware calls so the OSes don't collide with each other.

    Every time Linux or Windows tries to write to memory, or talk to the graphics or network cards, the Hypervisor intercepts the call and re-translates it so that Windows and Linux both think that they are the only OS talking to the hardware. That's the reason for the slowness you're seeing.

    The OS's are subject to the same security vulnerabilities as when they weren't virtualized, but the idea is that they are in separate virtual machine containers, so if one of the OS's is infected, you can just destroy the container, wipe the image, and re-install it.

    The real danger is if someone attacks the Hypervisor itself (the underlying virtualization software). There have been several sophisticated Hypervisor attacks that have been demonstrated in the technical press (Google "Blue Pill"), but AFAIK, there have been no widespread attacks in the wild.
    Last edited by lazlo; 03-15-2010 at 10:04 AM.
    "The problem with the world is that the intelligent people are full of doubts, while the stupid ones are full of confidence."

  3. #3
    Join Date
    Jan 2004
    Location
    Missouri
    Posts
    14,811

    Default

    What is the practical meaning of what you wrote? I confess to not being familiar with the jargon.....

    The plain questions I suppose are:

    1) is it basically proof against anything other than a Linux virus?

    2) is it basically proof against a virus penetrating the Linux to the windows?

    3) How "invisible" is the underlying windows OS? It seems that the box is still a windows box, and that should be in some way evident, regardless of what "program" is operating under windows.

    4) I am not yet quite clear what happens if a file is downloaded...... is it stored in a windows format, or in a Linux format?


    The matter is confusing, because apparently all machine functions are still provided through windows, as evidenced by zonealarm asking questions about allowing the Linux to access the internet and "protected zone".

  4. #4
    Join Date
    Mar 2005
    Posts
    9,394

    Default

    If you install a virtual machine running Linux as a guest in a Windows host and establish a shared filespace between the two operating systems such that Windows can create files in the Linux file space then I guarantee I can write a virus that will execute code in your Linux VM and destroy that VM. However that is too much work as all I have to do is destroy your Windows machine and that is both easier and more complete.

    On the other hand - if you use Linux as your host OS and create a Windows OS in a virtual machine then things become far more difficult. It is still a bad idea to share file space.

  5. #5
    Join Date
    Jan 2004
    Location
    Missouri
    Posts
    14,811

    Default

    I have zero idea if it shares any file space, at least whether it shares it bidirectionally and real-time. I don't know yet what, if any, write capability it has (or knows it has) off its home drive, which is a thumb drive.

    However, obviously the Windows OS "owns" the thumb drive as a USB device, so windows can get to it. I don't know if the Linux can get to any other drives.

    DP seems to be confirming my thought.

    DP... are you saying that the windows machine is very visible even through Linux, and can be directly operated on?

    I'd like to "leave out" of this discussion any contamination via downloaded files. Intentionally downloaded ones, like PDF, jpg, or exe etc. obviously they are persistent and can carry malware.

    "Incidental" downloads, like web pages etc, that are basic to the operation, are obviously fair game. I would suppose that the web page might carry an "injector" that automatically dumps a virus kernel onto the drive. Whether that stuff is persistent after the session I believe is selectable.

    And, I don't know if the windows automatic device "connection" would allow that kernel to proceed into the windows OS..... it seems that usually some "social engineering" is required to coax you into reacting to it........ pushing any button normally acts as a trigger then.

    But even then, whether that would get past Linux into windows is my question. It only "exists" inside the Linux imaginary machine..........

    And it seems unduly complicated to assume the writer would assume that Linux was operating inside windows and write a specific attack to handle that case.

    Evan is the one who brought this up originally and recommended it, maybe he has a reason which is specific to this implementation.

    It is "DSL", "Damn Small Linux", running apparently within a DOS window under Windows as the actual machine OS.

  6. #6
    Join Date
    Mar 2005
    Posts
    9,394

    Default

    VirtualBox is free and less clunky than it was just 6 months ago. It's still not as mature as VMware's product (Player) but it does allow creating new virtual machines from DVD or iso. They need a bit more time to work out the rough edges.

    If any readers have a Mac and want to try Fusion there's a new beta out at http://communities.vmware.com/community/beta/fusion. Or you can get a free 30-day preview of the full product.

    They make a full Windows desktop product too, and it will allow creating new virtual machines from scratch. https://www.vmware.com/tryvmware/?p=workstation&lp=1

    As for not understanding what you're doing, don't feel bad - this is all pretty new stuff for Joe Sixpack to be getting involved in. Like so much that we take for granted now, a lot of this stuff was the bleeding edge in data centers not that long ago. If you think you're going to stay at this virtualization then hit the help screens and focus on the language of virtualization and then the features.

  7. #7
    Join Date
    Jun 2006
    Location
    Austin, Texas
    Posts
    15,396

    Default

    Quote Originally Posted by J Tiers
    1) is it basically proof against anything other than a Linux virus?
    You're running FireFox in a virtual machine running Linux. It's the same level of vulnerability as running a standalone Linux box.

    is it basically proof against a virus penetrating the Linux to the windows?
    Yes, as long as the Hypervisor isn't hacked (which would require a very high level of sophistication).

    How "invisible" is the underlying windows OS?
    It's completely invisible. Like any virtualized system, the OS (Linux) doesn't know it's virtualized and doesn't know about the Windows OS.

    4) I am not yet quite clear what happens if a file is downloaded...... is it stored in a windows format, or in a Linux format?
    Short answer: the files are downloaded to the Linux filesystem. To transfer files between the Linux OS and the Windows OS, you have to create a virtual hard drive that's shared between both OS's, or create a virtual Samba network.

    Longer answer: there are two popular ways of running Damn Small Linux -- you either boot off the thumbdrive, and use Qemu to virtualize both OSes (Windows and Linux), or you run Linux in a Qemu emulation window, which was the link Evan posted.

    In either case, the Linux installation is completely isolated from the Windows OS.

    Here's how to install DSL with Qemu virtualizing both Windows and Linux:
    http://www.pendrivelinux.com/all-in-one-usb-dsl/

    ...and how to install DSL in a Qemu virtualized window inside Windows:
    http://www.pendrivelinux.com/run-dam...ux-in-windows/

    In either case, it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running FireFox on a Linux platform for security. I haven't had any security issues/exploits running Firefox on either CentOS, Windows or Jaguar.
    Last edited by lazlo; 03-15-2010 at 11:37 PM.
    "The problem with the world is that the intelligent people are full of doubts, while the stupid ones are full of confidence."
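Posts #4 and #7 both turn on whether the Qemu guest shares any file space with the Windows host. The following is an added example, not part of the thread and not taken from the DSL package: a small audit of a Qemu launch command line for options that expose host storage to the guest. The function name `audit_qemu_args` and all sample command lines are constructed for illustration, and paths are assumed to contain no spaces.

```python
import shlex

# Qemu options whose value can name a host directory or device.
DISK_OPTS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-drive"}

def audit_qemu_args(cmdline):
    """Return (severity, reason) findings for host/guest sharing options."""
    # posix=False keeps Windows backslashes such as \\.\PhysicalDrive0 intact.
    args = shlex.split(cmdline, posix=False)
    findings = []
    for i, opt in enumerate(args):
        val = args[i + 1].strip('"') if i + 1 < len(args) else ""
        low = val.lower()
        if opt == "-smb":  # legacy spelling of the built-in SMB export
            findings.append(("high", f"-smb exports host dir {val}"))
        elif opt in ("-net", "-netdev") and low.startswith("user"):
            for field in val.split(","):
                if field.lower().startswith("smb="):
                    findings.append(("high", f"SMB export of {field[4:]}"))
        elif opt in ("-virtfs", "-fsdev"):
            findings.append(("high", f"9p host directory share: {val}"))
        elif opt in DISK_OPTS:
            if "fat:rw:" in low:
                findings.append(("high", f"writable host dir as disk: {val}"))
            elif "fat:" in low:
                findings.append(("medium", f"read-only host dir as disk: {val}"))
            if "physicaldrive" in low or "/dev/" in low:
                findings.append(("high", f"raw host disk given to guest: {val}"))
    return findings

# Constructed sample command lines (not the real DSL launcher).
ISOLATED = r"qemu.exe -L . -m 256 -hda dsl.img -net nic -net user"
SHARED = (r"qemu.exe -L . -m 256 -hda dsl.img "
          r"-hdb fat:rw:C:\Users\jt\Downloads -net nic -net user,smb=C:\share")
RAW_DISK = r"qemu.exe -m 256 -hda \\.\PhysicalDrive0"

if __name__ == "__main__":
    for name, cmd in [("isolated", ISOLATED), ("shared", SHARED),
                      ("raw disk", RAW_DISK)]:
        results = audit_qemu_args(cmd)
        print(name, "->", results or "no host storage exposed")
```

An empty result only means the command line itself does not hand host storage to the guest; the disk image file still lives on a drive the Windows host can read and write.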

  8. #8
    Join Date
    Dec 2004
    Location
    where the Snake swallows the Salmon
    Posts
    754

    Default

    Quote Originally Posted by lazlo
    it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running FireFox on a Linux platform for security.
    I suspect Evan suggested this approach because it is a painless, low-risk way to introduce people to Linux.

    My Linux journey began by trying a Linux CD. Unlike Windoze, most Linux distributions can boot and run on the CD, without installing on the hard drive.

    Next, I installed Linux on a 2nd partition, and the Grub bootloader gave me the option of booting into either Linux or Windoze. I could play with Linux and get to know it better, but if I got stuck -- and I often got stuck -- then I could reboot into Windoze. This went on for about 6 months before I felt ready to say goodbye to Windoze.

    Now I am 99% Linux. The dual boot option is still there, but about the only thing I still use Windoze for is TurboCad.

    Linux malware does exist, but it's not very common. For the most part, the Linux user can simply forget about malware.

  9. #9
    Join Date
    Jan 2004
    Location
    Missouri
    Posts
    14,811

    Default

    Quote Originally Posted by lazlo
    In either case, it's a sledgehammer approach to security: you're paying a high performance overhead to virtualize the OS in return for running FireFox on a Linux platform for security. I haven't had any security issues/exploits running Firefox on either CentOS, Windows or Jaguar.
    That's true...

    But even with the linux overlay, it is not as slow as the PM server..... I have found that the PM adserver will stall even after 20 or 25 access attempts... And an hour later will be speedy..

    The Linux is better than that.... barely.

  10. #10
    Join Date
    Jun 2006
    Location
    Austin, Texas
    Posts
    15,396

    Default

    Quote Originally Posted by MTNGUN
    I suspect Evan suggested this approach because it is a painless, low-risk way to introduce people to Linux.

    My Linux journey began by trying a Linux CD. Unlike Windoze, most Linux distributions can boot and run on the CD, without installing on the hard drive.

    Now I am 99% Linux. The dual boot option is still there, but about the only thing I still use Windoze for is TurboCad.

    Linux malware does exist, but it's not very common. For the most part, the Linux user can simply forget about malware.
    That's a great story -- I'm glad the Linux path worked out for you. I agree, of course, with the threat level associated with Linux versus Windows...

    If your aim is to test the Linux waters without a total commitment, I'd suggest a simpler path than running Linux in a Virtual Machine on top of Windows: just install Linux on a thumb drive, and boot off of it. When you get stuck, just remove the thumb drive, reboot your machine, and you're back in Windows.

    That's the first half of the first tutorial I posted. If you don't want/need to switch between Linux and Windows on the same desktop, skip the Qemu virtualization software, and Linux/Firefox will run faster than if you virtualize the operating system.

    Quote Originally Posted by Lazlo
    Here's how to install DSL with Qemu virtualizing both Windows and Linux:
    http://www.pendrivelinux.com/all-in-one-usb-dsl/
    Last edited by lazlo; 03-16-2010 at 08:23 AM.
    "The problem with the world is that the intelligent people are full of doubts, while the stupid ones are full of confidence."
