Tag: virtual machine

Implementing Multi Level Security in Windows 7 with VirtualBox and VMLite

garoComputers / Security

I’ve been experimenting with a Multi Level Security implementation in Windows 7 using VirtualBox and VMLite to run Chrome and other browsers inside a virtual machine (guest system) and to use this browser as the default browser for the entire computer (host system) for additional security. This setup allows to click any HTTP link inside pretty much any running program and make that url to load itself into a browser running inside the virtual machine.

This gives us an extra layer of security besides the normal Chrome sandboxing. Also all other usual VM features like snapshotting, reverting to a snapshot, clipboard between host and guest operation system, seamless mode, networking etc are all available. In practice the software running inside VM can’t be easily tell apart from non virtualized programs.

VMLite Workstation is a software built upon VirtualBox which allows to run a Windows XP instance in Seamless mode over a host operating system (Windows 7 in this case). You need a Windows XP license which is available at least with Windows 7 Professional version. This guide shows how to install Windows XP Mode which comes with Windows 7 Professional into a virtual machine and to configure a Chrome browser inside the VM to act as the default browser for the host operating system.

Installation Instructions for VMLites and the Windows XP virtual image:

  1. Download Virtual XP Mode from http://www.microsoft.com/windows/virtual-pc/download.aspx and install it with the default settings.
  2. Download VMLite Workstation from http://www.vmlite.com/index.php/products/vmlite-workstation
  3. Create new Virtual Image inside the VMLite workstation and give it  the installation location of the Virtual XP Mode.
  4. Now you should be able to boot the Virtual XP Mode within VMLite and install Chrome and other softwares which you feel you might need. Here’s a list for ideas which you should do:
    • Change Chrome theme to something else so you can tell apart the Chrome which runs inside the guest vm and the Chrome which runs in your host system.
    • Edit the VM settings to disable full read/write access to the shared folders and drivers and instead just give one predefined directory which you use to transfer files between the guest and the host operating systems.
  5. Remember to take a snapshot from the VM after you have setup your environment. This acts as a restore point in time so you can always reset your VM into this state if you do something stupid or think that the VM is compromised.

Making the Chrome inside VM to be the default browser for everything.

VMLite comes with a “Internet Explorer (secure)” shortcut with green borders which is installed onto your desktop. This shortcut starts Internet Explorer inside the VM. We’ll use this trick to pass Chrome.exe calls from the host system into the guest (VM) system with a .bat file and then making this .bat file the default browser program for the host system.

  1. First create a multilevel-security-browser.bat file by modifying these sources into some good location (I’ve placed it into F:\Users\Garo\VMLites\multilevel-security-browser.bat) 
    @echo off
pushd "C:\Program Files\VMLite\VMLite Workstation\"
set path="C:\Program Files\VMLite\VMLite Workstation\";%path%
vmlitectl run "VMLite XP Mode" "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" "%*"
popd

    Notice few things: The path line should have the VMLite installation directory inside the host system, the “VMLite XP Mode” should be the name of your VM and the chrome.exe path is the browser path inside the guest vm.

  2. Then create a multilevel-security-browser.reg file based on these sources: 
    Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\MultilevelSecurityBrowser]
@="MultilevelSecurityBrowser"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\MultilevelSecurityBrowser\DefaultIcon]
@="C:\\Users\\garo\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe,0"

[HKEY_CLASSES_ROOT\MultilevelSecurityBrowser\shell]

[HKEY_CLASSES_ROOT\MultilevelSecurityBrowser\shell\open]

[HKEY_CLASSES_ROOT\MultilevelSecurityBrowser\shell\open\command]
@="\"f:\\Users\\garo\\VMLites\\multilevel-security-browser.bat\" -- \"%1\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="MultilevelSecurityBrowser"

    and set the path for chrome.bat to the path where you created your multilevel-security-browser.bat. Notice that we use the chrome.exe as the source of our DefaultIcon which assumes that you have Chrome also installed into your host operating system.

  3. Save the multilevel-security-browser.reg file and click to Merge its contents with the Windows 7 registry. UAC will ask for a confirmation which you need to allow.
  4. We’re pretty much done here. You can now try to click some http url and if everything went correctly a black shell window will appear for a moment and the VM is started (if it isn’t already running) and the url should be opened inside Chrome in the guest vm.

I’ve used this setup only for a day now and so far it has worked nicely. the VMLite can be turned into Seamless mode and the Windows XP taskbar can be moved on the top of the screen and set it to Auto-Hide the taskbar.

Hosting virtual machines on Solaris

garoComputers

Hosting virtual machines inside an OpenSolaris box is very easy with VirtualBox. Here’s a quick tutorial how to install an ubuntu into a virtual machine:

  1. Download VirtualBox from here.
  2. Open the manual into a tab from here.
  3. Follow the installation manual at chapter 2.4. The installation scripts will install VirtualBox under /opt, so if you want, you can now create a new zfs filesystem for /opt so that it wont pollute your root installation partition.
    Note: If you are using Nexenta, you need to use /usr/sun/sbin/pkgadd instead of simply pkgadd.

    Note:If you receivere this error:

    ## Waiting for up to <300> seconds for package administration commands to become available (another user is administering packages)
pkgadd: ERROR: Unable to acquire package administration lock for this system; try again later
pkgadd: ERROR: Unable to lock this zone for administration

    The sollution is to “cp /usr/sun/bin/pkgadm /usr/bin” and repeat the step.

  4. After these steps the VirtualBox host environment is installed.

So, you have now installed the server stuff, now it’s time to install the ubuntu into a virtual machine. If you are using Windows as your desktop follow the steps in chapter 7.4. Otherwise consult the manual to find a proper installation way. The chapter 7.4 guides you to use the headless installation where you connect to the virtual machine using windows remote desktop (which is quite nice). You can download the 32-bit ubuntu iso from here, or use some other cd/dvd image to boot up your system.

If you don’t want to use nat for your virtual machine and prefer a direct ip instead, replace step

VBoxManage modifyvm "Windows XP" -memory "256MB" -acpi on -boot1 dvd -nic1 nat

with

/usr/lib/vna e1000g0 0:0:0:0:10:01
ifconfig vnic0 plumb
ifconfig vnic0 dhcp
VBoxManage modifyvm "Windows XP" -memory "256MB" -acpi on -boot1 dvd -nic1 hostif -hostifdev1 vnic0

where e1000g0is the name of your physical network interface (use <em>ifconfig -a</em> to look it up) and0:0:0:0:10:01is an unique MAC address you invented from your hat. The VRDP (remote desktop server) will be binded to the ip of vnic0 interface which you can check with "ifconfig vnic0".

After setting up the VM you can finally start it by typing “VBoxHeadless -s <vm name>” and then connecting into it using remote desktop. Notice that the guest operating system might have different IP, so you need to check the guest IP after installation if you wish to connect into the guest with SSH.