Browser Virtualization Secures Firefox
By Scott M. Fulton, III | Published September 19, 2006, 12:30 PM
A company that has already made some headway with security-conscious consumers through a freeware/commercial combo of browser virtualization software for Internet Explorer today released a new edition exclusively for Firefox users on Windows systems. GreenBorder uses what it describes as "just-in-time virtualization" to build an extensible operating environment around the browser, separating its session from that of the operating system.
The purpose of this virtual wrapper is to prevent any active content downloaded and run through the browser from having any kind of direct and unwarranted access to the operating system. With GreenBorder active, Firefox is launched within a virtual session, which is marked on the screen with, literally, a green border around the browser window.
Any new windows spawned through the browser also exist within this virtual session. As a result, remote procedure calls intended to make changes to system settings are separated by a single layer of indirection, through which malware should not be able to pass.
Furthermore, using GreenBorder Pro -- available as a subscription-based upgrade -- files downloaded through the browser can be opened within the isolated environment, using their native software while preventing direct access to such vulnerable areas as the system registry or the directory table.
Since GreenBorder does not virtualize the Windows operating system, some could argue that the company isn't using the term properly. In March 2005, security consultant KeyLabs was commissioned by GreenBorder to make an assessment of its software, which at that time was directed toward IE.
KeyLabs offered perhaps the most technically accurate explanation of GreenBorder's technology we've found: "GreenBorder's design is based upon the partitioning of a single system into separate logical domains with the ability to apply access restrictions inside domains. This strategy is unrelated to 'virtual machine' environments such as VMware and Microsoft / Connectix Virtual PC products, where a completely separate virtual system is maintained with its own corresponding virtual hardware, memory, drive image(s), and operating system instance."
As KeyLabs explained, GreenBorder creates a level of indirection, where processes running under an isolated environment receive limited access to system services, the degree of limitation being controlled by policy. Conceptually, at least, this is similar to the kind of access control mechanism that Microsoft is integrating into Windows Vista, so it will be interesting to find out whether GreenBorder and Vista can co-exist.
KeyLabs also took issue with GreenBorder's characterization -- which continues today -- that the software is 100% effective against malware, citing some buffer overflow exploits as continuing to be a risk even with a level of indirection in place. Still, it found the software to be a very effective complement to a broader security suite, which would continue to include firewalls, anti-virus, and vigorous anti-malware programs.
Arguably, a system that shows malware a view of the user's computer in which the files it is looking for do not appear to exist could be as useful as a software-based firewall that blocks responses to port scans, making it appear to network-based attackers that IP ports don't exist.
Borrowing a page from ZoneAlarm's playbook, GreenBorder is available for a free download, with options such as SafeFiles -- continuous protection for any downloaded files -- available for a $14.95 USD per year subscription, and GreenBorder Pro available for $49.95 USD per year.
Another similar product is Altiris SVS (Software Virtualization Solution).
Free for personal use.
http://juice.altiris.com/page/86/get-svs-here-now
Score: 0
|If you want the free version just download
buffer zone....
http://www.trustware.com
Score: 0
|Good to know. Thanx for the news. Good thing for schools and public places, anyway.
Score: 0
|In terms of virtualization and sandbox software, have a look at Sandboxie - http://sandboxie.com
It's free, light and works well with almost all applications.
Score: 0
|Thanx for this info. gonna try it, too.
Score: 0
|I used to preach one of the greatest flaws in all MS's os's was the fact that their os's were designed to run system level apps in the same part of the memory that general apps used.. allowing for obvious security and stability issues..
The Java "sandbox" sounded real appealing but never really delivered what one expected
IBM made os/2 that ran all system in one place and for each app, created a "virtual machine" for just that app, cloning all required aspects of the os needed by that app.. when the user closed the window there went all unsaved work.. i liked that idea, but OS/2 had other problems (the SIQ was the greatest), that with poor marketing, poor sales and poor support.
why is it so hard to grasp the concept to make the core of your os safe... behind a lockbox or something? i know it isn't THAT hard as it was done decades ago by IBM..
Score: 0
|That's what Trusted Computing Platform is going to fix. That's what BitLocker is going to do.
Score: 0
|True on the trusted computing, but BitLocker is just whole disk encryption that's easier to use than MS's previous offerings.
I'm curious to see if they do a good job of securing video. So far it's still been a weakness of most systems.
Score: 0
|Well there goes one of Microsoft's "features" of Vista. Running the browser in protected mode. Although that is only IE, does Firefox need this though? I would never use it but I'm sure someone who is insanely worried about the integrity of their system would happily pay that price for it.
Score: 0
|How is this any better than running your browser through a VMPlayer package?
*Hint; it's not, as VMPlayer is free and has a bit more functionality and usefulness.
Score: 0
|Well with VMware, you're virtualizing a full operating system, which is surely much slower than simply running Firefox in a separate RPC layer. Who wants to go through the hassle of running a virtual machine just to use a Web browser?
Score: 0
|Agreed.
Score: 0
|Point.
Still, is it worth $50 a year?
Throw a small linux VMPlayer in your start-up. Loads in 20 seconds and you can switch to it any time to browse the net.
Free.
*shrug* It is possible, of course, that I am simply too cheap to even consider the possibility of forking out dough for this, but it just doesn't seem to me to make a great deal of sense.
The bonus, of course, is total net security, IRC, USENET, IM, etc...with the VMPlayer. Securing *only* the browser isn't going to last long.
Score: 0
|The fact is people who know how to set that up also know how to avoid malware & viruses. I don't run AV for that reason - I'm not stupid enough to download and install a virus.
I do like the idea though. Firefox is already very effective at minimising spyware infections, and this just pushes it a little bit further.
Score: 0
|"The bonus, of course, is total net security, IRC, USENET, IM, etc...with the VMPlayer. Securing *only* the browser isn't going to last long."
Agreed, it would be really interesting if someone could tailor a version of DSL within VMPlayer to handle all this for the common folk. Make it a nice, easy installer and 99.5% Net protection.
Although, the only problem is the fundamental look-n-feel difference between *nix and Windows. Common users would certainly complain about that. When it comes to the balance between usability and "good looks", "good looks" still win hands down, which, imho, is really stupid. Still, it would make for a highly usable package.
~dnc
Score: 0
|Does not work with 8.3 file naming disabled.....sorry.
Score: 0
|And why is this such a big deal? Who besides you actually goes into the Windows registry to disable 8.3 file names?
Score: 0
|You give him too much credit. I'm sure it was via some windows tweaking program. ;)
(Just playin', trebor)
Score: 0
|Computersinmotion.com do a technically better solution and it works for IE. I also believe it is now free for up to 3 licences. Their product is called SafePods
Score: 0
|QUOTE:
"Pricing
Retail price is only $29.95 per copy! No subscription or additional costs!
A separate copy must be purchased for each computer."
That's from their website - computersinmotion.
Score: 0