Invincea Browser Protection: Using the power of virtualization to combat malware

Invincea is a small Virginia company that may have found a solution that protects computers from web-borne threats, and it's transparent to the user. That's a win-win situation.

-----------------------------------------------------------------------------------

Invincea's research team is led by founder Dr. Anup Ghosh, a highly-respected Internet security analyst. Their goal is to stop web browsers from being malware conduits -- something we really need.

Browser Protection is their answer. It protects the host computer by isolating the web browser. If I understand correctly, the web browser uses a different operating system. That, along with additional innovations by the Invincea development team allows Browser Protection to deliver:

  • Effective protection: When Browser Protection detects a malware threat, the user is informed and the virtual environment is shut down. A new virtual environment is started within seconds, removing the threat and minimizing user interruption.
  • Signature-free detection: Malware-definition signatures are not required. Neither is user input. Browser Protection spots malware based on unusual behavior in the virtual environment.
  • No impact to users: The virtual web browser looks identical to the standard package.
  • Forensic database: The data collected during a malware attack is sent to Invincea data servers where it is analyzed and used to enhance the collective intelligence of Browser Protection clients.

I tend to gravitate to outside-the-box thinking and, on the surface, Browser Protection has a lot of that going on. It's also why I have many questions. Is the browser in an intelligent sandbox? How are they able to sense malware without using signature files?

Fortunately, the people at Invincea were more than willing to answer every one of my questions. Here is what they had to say:

TechRepublic: It appears that Invincea emanated from two prestigious institutions, DARPA and George Mason University Center for Secure Information Systems. Could you give a brief history of how Invincea came into being?

Invincea: Invincea, Inc. (formerly known as Secure Command, Inc.) was started in 2006 by Dr. Anup Ghosh after completing a 4-year Program Manager appointment at DARPA. At that time, Dr. Ghosh also took a faculty position within GMU's Center for Secure Information Systems. One of his research areas dealt with using virtualization technology to prevent un-trusted content from gaining access to users' desktops.

To Dr. Ghosh's credit, DARPA funded an early prototype of this idea. After getting traction and interest from potential customers, Invincea raised venture capital to develop a commercial product based on the original prototype. In April 2010, Invincea launched its enterprise-grade product, Browser Protection.

TechRepublic: While watching the Invincea online demonstration I read the quote, "Browsers are the shortest route to money for cybercriminals today." Could you explain why that is?

Invincea: This is marketing speak for saying two things: First, web browsers are the primary-infection vector for most malware today. Second, most malware writers and distributors spread adware, spam bots, tracking malware, and banking crimeware for purely financial reasons.

Users get infected by these agents when they go online with their browsers. One approach is to use web sites containing drive-by download exploits that specifically target web-browser vulnerabilities. More often, software will auto-download when visiting a site, and the user will mistakenly give it permission to install and run.

Depending on its design, the installed malware can do many things: relay spam, present advertising, track users' online behavior, capture online credentials, and even schedule financial transactions. So if you are in the business of stealing money, you have the scalability of the Internet rather than targeting a victim in a parking lot, and an extremely low likelihood of getting caught. In other words, this is an ideal situation for criminal enterprise.

TechRepublic: A virtual web browser is an interesting concept. Could you please explain what that means?

Invincea: Web browsers are very complex pieces of software (over 1 million lines of source code) with open interfaces for ever-expanding application extensions (via third party software components such as plug-ins). Additionally, web browsers operate in a dynamic and interactive mode, constantly delivering new content.

From a security perspective, it is difficult to lock down web browsers against attacks from malicious-online content without limiting user access and functionality. The idea behind virtualizing the browser is to run the browser with all of its add-ons in a locked down virtual environment.

This way, when the web browser gets exploited by a drive-by download attack, or the user gets tricked into installing malicious software, the only thing corrupted is a disposable virtual appliance.

TechRepublic: How is Invincea's virtual web browser different from locating the web browser in a sandboxed environment, for instance isolating Firefox with Sandboxie?

Invincea: There are two differences between Invincea and normal sandboxing technology. First, Invincea uses true-hardware virtualization to run the web browser non-natively in a virtual appliance.

In sandboxing solutions, the web browser runs natively in the operating system. A monitor attempts to determine if the web browser is making a valid file-system call (for example to a system file or registry key). At that point, the sandbox either allows a file-system write to happen, re-directs the file system call to a "virtual" registry, or asks the user what action to take. It's often the latter. While a sandbox is incrementally better than no sandbox, it will not protect against many types of attacks and it requires users to make security decisions.

A second key Invincea differentiator is that we are able to automatically detect malicious actions and behaviors without prior knowledge of the malware. With malware strains growing exponentially, it is critical to identify the presence of malware and take actions to move the computer back to a pristine state while protecting the user's applications, documents, and data.

TechRepublic: I read in the application's white paper that Invincea Browser Protection "detects malware without requiring signatures." Is that accomplished by using heuristics or behavioral-pattern recognition? Better yet, could you explain how the detection process works?

Invincea: Indeed, Invincea detects malware focused on web browsers by utilizing proprietary sensors. A unique aspect of our approach is that the virtual-browser appliance always starts in a pristine state. After which, we monitor for changes from that pristine condition.

We are performing real-time behavioral analysis of the events in the operating system and can tell from these observations when our environment has been corrupted. This allows us to detect attacks, even zero-day malware, without signature libraries. Once it's determined that the virtual environment is corrupted, we restore it back to a pristine state, offering maximum protection to end users while they are browsing the Internet.

TechRepublic: Uploading malware analysis to your servers sounds similar to Panda's Cloud Antivirus. Does the uploaded information get pushed out to subscribers? That also seems similar in that the more subscribers, the more accurate and up-to-date the database is. Is that correct?

Invincea: To protect users, cloud-based anti-virus solutions rely on Internet-based shared lists of "known bad" files, sites, or heuristics. Identification of new malware comes from vendor research or end-user actions, both of which are random, nondeterministic, and require human interaction. Our approach is different. We collect forensic data on all non-benign changes to the system and send it to a threat-analyst database for our enterprise customers, who use this information to better understand their adversary and to harden security devices they have in their network (firewalls, web gateways, etc). For instance, we collect information about:
  • Malware source locations
  • How it attacked a specific user
  • What actions the malware undertook
  • Location of Internet command and control servers

By design, Invincea inherently detects malware without signatures and therefore we do not need to push this information out to our customers to protect them. In other words, Invincea enables IT departments to utilize our malware data to proactively secure other parts of the enterprise.

TechRepublic: I understand that your product only works with Internet Explorer currently. Is there a timeline for releasing versions for the other major browsers?

Invincea: Today we support Internet Explorer v6, v7 and v8. Invincea will offer Firefox support soon and plans to expand that list as customer demand dictates.

TechRepublic: I also understand that Browser Protection is not being released to the general public yet. When do you think it will become available?

Invincea: The consumer market opens up a potential great opportunity for Invincea to expand dramatically. Right now, we're evaluating our market-entry strategy, but have not finalized our timing as to when we'll proceed.

Final thoughts

There are two aspects of Browser Protection that I find enticing. Users are not overly impacted and malware detection does not require after-the-fact signature files. Add to that, the automatic rebuilding of infected web-browser environments and it sounds like we are getting somewhere.

I would like to thank Dr. Anup Ghosh, Founder and Chief Scientist and Jim Geary, President and CEO of Invincea for their help in answering my questions.

AnsuGisalas

is that it's a layer unto itself. It's not a feature in a suite, which has weaknesses not its own. And it's a dedicated app for just the browser; it's not trying to know what all kinds of executables try to do, only what a browsing session should look like, and specifically what it shouldn't look like. And there's behaviour monitoring that's intrinsic to the browser, and the user's own behaviour blocker should be able to run parallel to this, uncompromised even should the browser protection somehow fail. And again, the potential for harvesting exploit info, even malware samples perhaps from a very large number of computers world wide... that's a weapon of mass destruction like we knew we were going to need. This is the first sign that we might be getting one!

Ocie3

Quote: [i]".... A monitor attempts to determine if the web browser is making a valid file-system call (for example to a system file or registry key). At that point; the sandbox either allows a file-system write to happen, re-directs the file system call to a 'virtual' registry, or asks the user what action to take. It's often the latter. While a sandbox is incrementally better than no sandbox, it will not protect against many types of attacks and it requires users to make security decisions."[/i] I've been using Ronen Tzur's Sandboxie since November 2008 and it has [i]never[/i] queried me for a "security decision" (or about anything else, for that matter). As far as I know, it is not designed to do that. Occasionally Sandboxie displays an error message, or, much more likely, one that informs me that a certain program has tried to access the Internet. If I want to grant such access, then I edit the Sandboxie configuration file. Which is to say that all "security decisions" by the user are basically expressed by configuring the sandbox(es) that the user creates. For example, I have chosen to allow Firefox, while it runs in one sandbox, to directly access one or more directories, such as one in which I want it to store almost all downloaded files. Doing that is accepting an increased risk insofar as a malicious process could conceivably use that access, [i]via[/i] the browser, but it is also more convenient to allow Firefox to have direct access. The biggest risk of all that I've encountered is a betrayal of trust. For example, I use the NoScript extension to control whether Firefox executes JavaScript while it renders a web page. If I trust "the web site" and JavaScript is required to access and use its features and services, then I instruct NoScript to allow Firefox to execute JavaScript on pages from that web site. 
If malware is installed, then that is an implicit betrayal of trust, if only my hope and trust in the web site operator's ability to secure the site so that it will not distribute malware. As with anything else, some web site operators are probably considerably less concerned about that possibility than other operators are. It would be interesting to know more about the "attacks" to which traditional sandboxing is vulnerable. It would also be interesting to have a clearer idea as to how the Invincea virtual environment in which a browser such as I.E. runs is implemented, especially with respect to how downloaded files and content from web pages, such as images, are passed from the virtual environment to the actual hardware on which it runs. Some things that we get from the web, we want to keep. ;-)

Michael Kassner

I received an email from a member who had a great question. I passed the information on to Dr. Ghosh, who kindly answered. Here is the question: "With Invincea's browser, since they automate the preservation of favorites, what if malware creates favorites? Second, (and worse) what if malware alters current favorites? I have never seen this done, but if they can create favorites, they should be able to change the webpage a favorite points at without changing the name." Here is the answer: "This is a good question. His point is that malware can change the personalization data such as bookmarks to point to another site. This is correct. We provide a couple of defenses today against this and there's a standard third defense. First, the standard defense is to check certificates of sites to see if they are authentic. However, few people actually do this, so it isn't that useful in practice. Our primary defense against this is that we do not sync back any changes to the personalizations (including changes or new additions to bookmarks) when the browser gets corrupted. For instance, if malware downloads and executes, or a buffer overflow exploit is executed against the browser, we detect these behaviors, notify the user and restore the browser to its pristine state. We will not sync back any changes to the personalization data anytime there is an infection because this data may have gotten corrupted. Our second defense is the Privacy Mode. When the user toggles our Privacy Mode, he or she starts the browser session without any personalization data imported into the VM. From a privacy perspective, no sites will have any personal data about the user. Likewise, on termination, all data about the session is eliminated, leaving no residual data on the host, to protect other prying eyes on the computer from seeing where you've been. Since no data is imported or exported from the host (nor can it be), no bookmarks or data can be corrupted.
So, if you want to explore malicious sites in our browser (and you should feel free to), you can, but we recommend you do it with Privacy Mode toggled for all of these reasons. Finally, we have an upcoming version that provides even stronger assurance to protect users from being fooled into visiting spoofed sites using a technique we call Secure Bookmarks. We'll disclose that feature when we release it. "
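The pristine-baseline idea from the interview (start clean, diff the appliance against the baseline, discard it on any non-benign change) and the sync-back rule in Dr. Ghosh's answer above (never write bookmark changes back to the host once the appliance is judged corrupted) can be modelled together. This is an added example, not Invincea's code: the file layout, the `/user/favorites/` prefix and the two sample sessions are constructed, and a hash-based end-of-session diff stands in for the product's real-time sensors.

```python
"""Toy model of a disposable browser appliance: start from a pristine image,
classify every deviation at session end, and sync personalization (bookmarks)
back to the host only when the appliance is judged clean."""
import hashlib
from dataclasses import dataclass

# Constructed pristine appliance image: path -> file content (assumption).
PRISTINE_IMAGE = {
    "/browser/iexplore.exe": b"browser-binary-v8",
    "/browser/plugins/flash.dll": b"plugin-binary",
    "/user/favorites/bank.url": b"URL=https://bank.example.com",
    "/user/favorites/news.url": b"URL=https://news.example.com",
    "/system/autorun.cfg": b"",
}

# Only files under this prefix are personalization data the host may accept.
PERSONALIZATION_PREFIX = "/user/favorites/"


def fingerprint(image):
    """Hash every file so a session's end state can be diffed against the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in image.items()}


@dataclass
class SessionVerdict:
    corrupted: bool               # True -> discard the VM and restore the pristine image
    reasons: list                 # non-benign changes that triggered the verdict
    synced_personalization: dict  # path -> content (None = deleted) to write back


def classify_changes(baseline_fp, current_image):
    """Split deviations from the pristine baseline into personalization edits
    and non-benign changes (anything outside the personalization paths)."""
    current_fp = fingerprint(current_image)
    personalization, non_benign = {}, []
    for path in sorted(set(baseline_fp) | set(current_fp)):
        before, after = baseline_fp.get(path), current_fp.get(path)
        if before == after:
            continue
        if path.startswith(PERSONALIZATION_PREFIX):
            personalization[path] = current_image.get(path)
        else:
            kind = "added" if before is None else "removed" if after is None else "modified"
            non_benign.append(f"{kind}: {path}")
    return personalization, non_benign


def end_session(pristine, current_image):
    """Policy from the interview: a corrupted appliance syncs back nothing,
    not even bookmark edits, because they may have been tampered with too."""
    personalization, non_benign = classify_changes(fingerprint(pristine), current_image)
    if non_benign:
        return SessionVerdict(True, non_benign, {})
    return SessionVerdict(False, [], personalization)


def demo_clean_session():
    """User adds one favorite and nothing else changes -> the bookmark is synced back."""
    end_state = dict(PRISTINE_IMAGE)
    end_state["/user/favorites/tr.url"] = b"URL=https://www.techrepublic.com"
    return end_session(PRISTINE_IMAGE, end_state)


def demo_infected_session():
    """Constructed drive-by outcome: a binary appears, autorun is edited and the
    bank favorite is repointed -> VM discarded, no favorites synced back."""
    end_state = dict(PRISTINE_IMAGE)
    end_state["/browser/dropped.exe"] = b"constructed-sample-not-real-malware"
    end_state["/system/autorun.cfg"] = b"run=/browser/dropped.exe"
    end_state["/user/favorites/bank.url"] = b"URL=https://bank.example.net"  # lookalike host
    return end_session(PRISTINE_IMAGE, end_state)


if __name__ == "__main__":
    for verdict in (demo_clean_session(), demo_infected_session()):
        print("corrupted:", verdict.corrupted, "| reasons:", verdict.reasons)
        print("synced back:", sorted(verdict.synced_personalization))
```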

AnsuGisalas

For one: This gives protection for the individual, and at the same time it's also a huge, nay HUGE virtual honeypot lab-cloud, with automatic extraction of exploit forensics... maybe even samples? The mind boggles at the opportunities. Something like this should have a free version - that would guarantee the forensic payoffs coming in nice and diversified, with millions of free versions home users. Does it have a free version yet?

dknichol

My breath has never been soooo bated.

johnam

I refer to "Web Geek's guide to Google Chrome", Chapter 6, where Jerri Ledford and Yvette Davis explain how "Sandboxing" makes Google Chrome a safe browser on a threatening Web. So what is new! John Muller, Cape Town

AnsuGisalas

But the ones I've seen are all "normal" virtualization (run by the normal OS), and they don't collect malware data specifically, nor do they necessarily notice behaviour change within the browser itself. I have ZoneAlarm ForceField which does something like this too, but I doubt it's on the same level as Invincea says their product is.

Michael Kassner

Thanks for pointing it out. It's a different approach, but seems to have merit.

JCitizen

I will reserve judgment for testing. I hope it will have a 30 day, or similar trial period. Even then, I may never understand it; but then being a code junkie was never my forte.

Michael Kassner

The logic behind Browser Protection is quite good IMO.

JCitizen

are on my mind in this article as well. It is implied that this solution is resistant to this, if I understand correctly. Apparently the usual tips that virtualization are in vogue, are not present in an Invincea session.(?)

santeewelding

You like any here are not able to say a word without fallback to a given. Have you (Ocie) ever played in your mind with the idea that all crime, of whatever sort, is "betrayal of trust"? Nevermind the standby of "intent", the one in common law that oh-so importantly delineates misdemeanants from felons. Mind instead, I'm saying, the status of mind in the rest of us, with respect to any one of us, that holds us all to act with respect to a one of us. There are like standards in other systems of "law" that hold all to some version of, "affront to God". I read and see that such systems affront Western sensibilities. Are we different? If, indeed, all crime of whatever sort betrays our trust -- the rest of us; indistinguishable from God -- then what are you saying, Ocie, aside from your picayune technical aspects?

Ocie3

Thank you for passing those remarks on to us, Michael. Browser Protection is something to which I look forward with interest. About Browser Protection's Privacy Mode, he says, in part: [i]".... From a privacy perspective, no sites will have any personal data about the user."[/i] Michael, you should point him to Panopticlick (https://panopticlick.eff.org ) and What's My User Agent ( http://whatsmyuseragent.com ). ;-) Panopticlick says that my browser's signature is unique among the 1,148,639 that have been tested so far. And with Comcast, the unique IP address that is assigned by their DHCP server never changes, even when I power-cycle the "cable modem". Privacy? What is privacy? Long ago, I thought that I knew. As far as I know, they have not found a way for a web site to read my mind, yet.

phstacker

Since VM in any form is a bit new to me in practice, I would like to know how the VM data on the disk drive is handled. In other words, could one pull the hard drive and see the data on the disk where the VM resided? Or do VM programs encrypt this data?

Michael Kassner

The product is supposed to be released to the public soon.

Michael Kassner

There are other products, but none as sophisticated as Invincea.

JCitizen

or whatever you call it; was what I saw on a client PC in a school system I visited regularly. She had Win98 on the PC, but used the Novell "shell" (for lack of a better term) to get any work done on the internet or with the local school LAN. This more or less isolated her from the rest of the world, and she could do local office support work on the PC. All our software was Windows based and we hadn't upgraded her machine to XP yet. This was all way back in 2005, so everything may have changed there by now. This desktop would shut Win98 down, for all intents and purposes, and take over the browsing session. It really worked well, and we had no malware issues at that office. I believe we updated her OS over dialup, in a separate connection.

AnsuGisalas

J, I'm a linguist, not a code junkie :) What I understand may be different from what is meant, so if you say more about what's giving you problems, maybe one or both of us will learn something :D As I understand it the browser runs on a hardware VM (i.e. it's not a VM that's running under the OS, because that's then subject to a triple weakness set - rather than just the hardware's and its own *EDIT-> and if it fails then the bad stuff is inside the city walls already), and the program monitors what the browser does to its virtual machine, judging what's a proper behaviour and what's not. If it notices something improper coming from the browser, it kills the VM - dissecting the corruption data and sending it off to the mothership, before starting a new VM with a new clean browser. It's actually as good as the "cloud of virtual troys" idea I once asked about, but better still because it's built into an application for widespread use that has a real benefit to users too, and not just a honeypot cloud. It's a two-fer.

Michael Kassner

Invincea what they have in mind regarding the introduction of Browser Protection.

Ocie3

Let's say that your boss hands to you a satchel containing $200,000 cash, which he instructs you to immediately deliver to an escrow company to pay for the purchase of some real estate. Did he give it to [i]you[/i] because he trusts you, or because he believes that you are either too dumb to figure out how to steal it without going to prison, or too timid to just take the money and run? Or maybe he figures that you won't bother to steal $200,000, but you would steal $500,000 or $1,000,000, which is to say that he believes that you are a thief who has a price. By default, NoScript prevents Firefox from executing any JavaScript unless and until I instruct NoScript to permit it. So it should be understood that I do not initially [i]trust[/i] any stranger's web site. NoScript also serves as a hedge against accidentally fetching a malicious page from one that was created by criminals. But perhaps I digress. [i]"You like any here are not able to say a word without fallback to a given."[/i] All security is ultimately founded upon trust and respect. We both know that, whether others do. Certainly, as a youth I recognized that the betrayal of trust and/or the lack of respect for a person by another person [b]is[/b] the crime. Whether the act is burglary, robbery, fraud, or murder is just the recognition of how trust was betrayed and disrespect was evinced. Certainly, murder is most foul, but theft can deprive the victim of the means to sustain their life, too. Whether an act was an accident, and/or the consequences were not intended by the perpetrator, [i]are[/i] pertinent to ascertain whether, and to what extent, the perpetrator should be punished for their deed. I doubt that the cooks at the U. Mass. Boston Student Union cafe [i]intended[/i] to kill the young woman who died from anaphylactic shock because they included peanut butter in their recipe for [i]chili[/i]. Clearly they [i]neglected[/i] to consider all potential consequences of doing so.
Regardless, they betrayed the trust which the young woman implicitly placed in them, and she is just as dead as she would be if they had intended to poison her. (I don't know whether anyone was prosecuted for causing her death.) Someone once observed that there are just two criminal acts. One is assault and the other is theft. But they forgot that there are crimes against society, such as treason. May I aver that trust and respect are the twin foundations of love? One may respect someone whom they do not trust, or trust someone whom they do not respect, but no one can love someone whom they do not both trust and respect. Unfortunately, in our society today, too many people love and worship Security, Power, and Prestige, the unholy trinity of the secularist ethos and of corporatist ideologies. They will betray anyone and everyone, even themselves, for the sake of money, influence, and celebrity. And too many have no respect for anyone lacking all of those three. [i]"There are like standards in other systems of 'law' that hold all to some version of, 'affront to God'. I read and see that such systems affront Western sensibilities."[/i] Quite often, those whose sensibilities are expressed in their law as an "affront to God" perceive that we of the West have few, if any, sensibilities. In their eyes, we are infidels who worship idols. In truth, though, we often share many more sensibilities in common than is commonly believed, aside from the fact that many of our sensibilities are no longer incorporated into Western law. Unfortunately, some secular values which [i]are[/i] incorporated into Western law are often the wellspring of "lawful evil". [i]"Are we different? 
If, indeed, all crime of whatever sort betrays our trust -- the rest of us; indistinguishable from God -- then what are you saying, Ocie, aside from your picayune technical aspects?"[/i] If I have not answered those questions in my remarks thus far, then I hope that you find no offense in my quotations of yours. It is unlikely that we can change the moral character of those who use the Internet for robbery and fraud. The best that we can do is to modify the systems, hardware, and software that we use, and adopt the "best practices" to minimize the likelihood that they will find ways to continue their rampage that is, so far, unchecked. But we do know, I hope, that technological responses are not enough. We must also recognize our adversaries for who they are as well as what they do. Which is to say, we need to vastly improve the detection and investigation of their criminal acts in order to identify the perpetrators, then isolate them to prevent them from engaging in further crimes, and hope to discourage others from following in their footsteps. The struggle with those who reject the social compact is as everlasting as the one with those who undermine it, whether lawfully.

AnsuGisalas

A unique IP is certainly a direct link to the user, but it can be "anonymized" i.e. overlayed with another non-unique one, can't it? As for the uniqueness of a browser signature, that in no way constitutes a direct link to the user; it could in theory be used in forensics, but it's not something that leads to an index where the users ID is available, or any other kind of index for that matter. Ultimately I guess both can be fixed with a distributed service, a virtualized shadow clone of the users internet connection, but cleansed of identifiables or provided with false run-of-the-mill identifiables.

Michael Kassner

I thought about the same thing when I read that. It might be interesting to see what Dr. Ghosh thought.

bendict101

Malware protection sux. Instead, install VM Player and use a Linux (CentOS?) Firefox-browser-only image. Cut and paste seems to work mostly between VM and Windows, or use a Google Docs as a clipboard. Google Docs updates in the time it takes to flip OS's. Uses about 315MB memory.

JCitizen

at our organization; it finally died on the vine, from lack of use. (Citrix, that is.) Of course the Novell "thin-client" or whatever, was a feature at a school system where one of my clients worked.

AnsuGisalas

Could it mean (and I know that guesstimating is really beside the point in this, but to me it's a fun game :) ) that the hardware runs two things; its normal OS and the VM, which in turn runs its special OS which runs the browser... then "non-natively" would mean in this context that the browser isn't running on the machine's OS (it's not native), but its UI is being taken in just like a program offa the cloud's UI is available to the client computer? Ow. That sentence makes even my brain hurt, and I was the one writing it. If I try to simplify it; using cloud computing as a parallel : Machine A uses a clouded app X running on Machine C somewhere, and Machine C's OS will never be exactly the same as machine A's so there's some non-nativeness going on. With Invincea the parallel would be; there's machine B uses the Invincea browser which is running on Machine VD (virtual D) which definitely has a different OS than Machine A's so that it's always going to be non-native. That's how I understood it first, but explained trying to adapt the clarification of terms you provided, Ocie3. That's the only way I could make it make sense, so I'm glad there's at least some overlap with how the terms are sometimes used. That's the Buzz effect, distorting meanings of terms in use... in a way it's just the normal meaning shift, but turbo-charged on account of the many very different niches of IT all using some of the same terms with slightly different meanings; eventually the meaning reduces to least common denominator, and that's when it's time to make new terms.

JCitizen

As usual we owe you a debt of gratitude Ocie3!! The Greg Pfister link rang my memory bell in what I have been understanding as "hardware" virtualization. Every time I see the term "non-native" - to me, that means not Microsoft.

Ocie3

[i]"...true-hardware virtualization to run the web browser non-natively in a virtual appliance."[/i] does not make much sense to me. So I Googled "true hardware virtualization". (1) Bob Netherton's Weblog (http://blogs.sun.com/bobn/entry/true_virtualization) has an interesting commentary which reveals "true virtualization" to be a VMWare buzzword, [i]i.e.,[/i] the VMWare folks regard their approach to virtualization as the only "true" virtualization. So maybe Invincea's Browser Protection is created with VMWare? (2) A Microsoft Knowledge Base article refers to "hardware virtualization" for Microsoft Exchange 2010 and lists the system requirements for implementing it (http://technet.microsoft.com/en-us/library/aa996719.aspx). (3) Wikipedia has an interesting list of the uses of the term "virtualization" with links to articles for each use (http://en.wikipedia.org/wiki/Virtualization). (4) It appears that Greg Pfister is an expert in the matter: "How Hardware Virtualization Works (Part 1)" is at http://perilsofparallel.blogspot.com/2010/06/how-hardware-virtualization-works-part.html . He starts by discussing Virtualization and Cloud Computing, and his remarks are clear, well-written, and generally easily understood. Most of these results, and others too, at least mention, and may discuss in some detail, the virtualization features of various CPUs made by Intel, by AMD, and/or by others, respectively. They typically work in conjunction with the software that produces a virtual machine, whether also with the OS that runs the software which produces the Virtual Machine. That said, it does sometimes seem, while reading the articles and comments, that the virtualization software runs on the hardware [i]without an OS[/i] such as Windows or Linux. But there are just as many other contexts where it is clear that an OS is required, at least one running on the VM if not also on the actual hardware as well.
It also is not clear to me what "non-natively" means in the way that it is used in the quotation. After searching for a while, I couldn't find a definitive meaning for usage of the term as IT jargon. In my own experience, it typically means that software has been "ported" to run with an operating system with which it was [i]not[/i] developed, so that makes it "foreign" software or "non-native" software when it runs on a different OS.

JCitizen

this new VM relies on hardware features in supported CPUs to totally separate the VM from the main OS? I wonder if Invincea uses a separate partition to load the VM, or does it come from the cloud? Doing it from the cloud sounds like a smashingly good idea! That was one thing I liked about Chrome OS, as well.

AnsuGisalas

"Invincea uses true-hardware virtualization to run the web browser non-natively in a virtual appliance" I take from that, that it's not a vm under the OS.

Ocie3

Quote: [i]"As I understand it the browser runs on a hardware VM (i.e. it's not a VM that's running under the OS, ..."[/i] Well, as I have understood it, you have (a) hardware, which needs OS software to run it, and (b) a Virtual Machine, which is actually software that is executed by the OS on the actual hardware, and (c) the VM also has its own OS software, which may be either the same as or different from the OS that is running the actual machine. The OS running on the VM executes software -- such as a browser -- which can do, virtually, anything that it could ordinarily do on an actual machine. So, in which particular(s) does Browser Protection differ from that arrangement? Also, since B.P. focuses on the browser, what happens when I click on a mailto: link on a page that it is displaying, which would ordinarily launch my e-mail client so that I can compose a message (or just add that address to the address book)? This is an implicit problem with Sandboxie, insofar as it is most secure to run each program in its own sandbox. But I've learned from experience that it really is not operationally feasible to separate the browser and the e-mail client. Those two, at least, I configure Sandboxie to run in the same sandbox, although both are not necessarily launched "simultaneously".

JCitizen

I could have made this more pleasant for folks. :(

AnsuGisalas

So, it's in the jar, trying to escape, and you can watch its gleaming eyes, seeing what it does... it's two-way research then, an infosec dialogue.

JCitizen

under the new assaults by sophisticated malcode that seems to be becoming more prevalent. Not all properly set-up VMs, but some of them - how long will this last? From what I've read in the recent past, VM-aware malcode changes behavior after sensing the VM and dedicates the rest of the session to defeating this security feature.

Ocie3

What you want is a footprint that is the same as at least several thousand other browsers which are the same, which have the same User Agent string, and the same packet header which is sent to initiate a connection ([i]i.e.,[/i] only the IP address and MAC address in it are unique). You want all of the data which a web site can obtain about your computer to be the same as the data for as many other computers as possible. You do not want the browser and its headers to be unique, but that is actually difficult to avoid! Alternatively, you can use the Firefox extension User Agent Switcher to change its User Agent string to match the string that is commonly used by other browsers or by other software such as the Google "web crawlers". In effect, you try to masquerade as another browser with some false data. Your browser still might be unique, but if you randomly change the User Agent string consistently, whatever other data that a web site might obtain will be associated with a set of random User Agent strings, which serve as the primary "identifier" for the browser, or the principal component of the "footprint". The challenge in altering a browser's "footprint" is that the User Agent String and other data that is in the packet headers were not created to identify the browser or its user. They were created to disclose significant data to web sites so that the web sites will know the capabilities and limitations of the browser, and adjust their interactions with the browser accordingly. The IP address was not created to identify the user, any more than the number and street name in your home's street address were created to identify who you are. They were created so that you can communicate with others, either by e-mail or by postal mail. Or so that a guest can find your home after you've invited them, without the guest otherwise knowing its location. The only way that anyone can [i]confidently[/i] identify your computer uniquely is by obtaining the CPU serial number. 
Intel CPUs have an instruction which, when it is executed, loads the serial number into a register, from which it can be written to storage. Which is to say that a utility program which has the appropriate instructions must be run to obtain the CPU serial number, and after that, the number can be recorded for future reference. I don't know whether that is true for AMD CPUs or for others, such as the ones in cellphones. There are some security systems that obtain and use the CPU serial number for authentication, and it is routinely obtained by many forensic applications. But I don't know of any general-purpose browser or e-mail client which obtains it and discloses the CPU serial number to other software.

AnsuGisalas

Is it more or less unique to accept all cookies? Is it more or less unique to run all code? What I think is, that if there is an app that allows a true zero footprint, then the zero will very quickly become very un-unique, for all intents and purposes. All it will communicate is "this person uses AppX", which has this many million copies being operated around the world.

JCitizen

which I thought Michael wrote; and came to the conclusion that besides the unique browser ID, there would be other cross-reference information that could be combined to help an attacker gather more information than one would care to give out. The unique information helps gain an overview of the target IP. We thought up all kinds of other ways to add this to the pool and gain even more about a hapless target victim. The more unique you appear to the web, the easier it is to take the data and throw away unneeded information; this makes the job of the attacker easier to implement. Eventually this could be used to cross-reference the victim to other information gained and make the ID of the target solidify. This is just what we don't want, of course. However, I take this with a grain of salt, as my ID is always going to look unique because of all the protections I have on the system. This is why I don't block all cookies using the browser controls, because this just makes me easier to weed out from all the other targets. I can always use AS solutions to get rid of bad cookies, and CCleaner to follow up.

Ocie3

As far as I know, an IP address itself cannot be "anonymized" [i]per se[/i]. However, a person associated with the IP address can use a proxy. And I can also use the Firefox extension "User Agent Switcher" that will alter that part of the browser's signature (though the UAS had best be used wisely). For example, proxies are common with dial-up ISP services, insofar as each customer is identified by IP address only to the ISP. If a web site page or file which the customer wants is not present in the ISP server's cache, then it connects to the source with its own IP address in the packet headers. Googling "anonymizer" returns not only anonymizer.com but also anonymouse.com, hidemyass.com, and numerous other proxy services. I use Scroogle to stop Google from acquiring data about me when I want to search the Internet. (Unfortunately, Moxie Marlinspike's Google Sharing service has been disabled for quite a while, and I don't know what is going on with it.) Another type of proxy is one that we can use to avoid disclosing some financial data, such as PayPal. I'm not familiar with any others, but credit-card issuers sometimes offer unique "credit card numbers", each of which can be used for just one transaction. The uniqueness of a browser signature does not constitute "a direct link to the user", but very little data does. Albeit, the distinction between Personally Identifying Information (PII) and data which is not "personally identifying" has become moot. With computerized databases, it has become easy to associate data such as a browser signature with other data. All you need to associate one record with another record is one or more fields in common which contain the same data. One is enough if the data is a Social Security Number (USA). That plus the same date of birth, and the same gender (if known), is ordinarily solid. 
If I visit a merchant's web site and buy something, they have, at a minimum, the IP address which my computer was using to access the Internet at the time; my first name and last name, and perhaps the initial letter of my middle name; the credit card account number, issuer, and expiration date, etc.; the billing address for the credit card; the delivery address for the merchandise; a telephone number for each address, and maybe a cellphone number; and, perhaps, a signature for the browser that I was using. The merchant also knows what I bought, how much I paid, and probably knows which pages of their web site were fetched by the browser that I was using. Using a debit card instead of a credit card might or might not allow the customer to avoid revealing the "billing address", and for some transactions, the customer might avoid supplying a "delivery address". But the merchant still obtains the data that is necessary to effect the transaction and, in some respects, identify the customer. Just about any and all of the transaction data in the merchant's record can be compared to the data which someone else has on their record, and by association of the data, the third party can acquire more data about me than they have, such as the PII which the merchant has. But even if I used a proxy, I still must disclose a lot of data to any merchant with whom I do business. It isn't necessary to have an IP address and/or browser signature to make associations between data records. They are just two more data items which can be used for that purpose, and they provide some enhancements to the value of other data and access to data that otherwise might not be made available if they were not available to associate data records. It's that "association" process which implicitly violates the personal privacy of the people to whom the data pertains. Add "behavioral tracking" and "geolocation", and the violation increases exponentially.

Michael Kassner

But, reimaging every time you have a problem seems like avoiding the issue.

bendict101

If I'm doing online banking as a business, it would be worth my time to ensure the computer isn't taken over. (It takes very little expertise to install VM Player, and it is free to try.) Our home system is set up as dual boot to Win/Linux Wubi install so we don't get viruses. Again, a simple install. Kids don't mind, and it is faster browsing with Linux. Are businesses less smart than kids? As more business apps are written for the browser, maybe Windows lock-in, the registry, and this malware plague will just fade away?

Michael Kassner

To see if you were around and paying attention. Kudos.

Michael Kassner

I suspect most users would be averse to that approach, especially business users.