Most secure sandboxing/light virtualization in linux or windows xp

For old hardware that is not fast enough for full-blown virtualisation like vmware or virtualbox, which is the most secure virtualization I know in linux, what are the most secure options for sandboxing or light virtualization in linux?

What about windows XP?

 

I don't have XP anymore, but Sandboxie always worked well in it. Payed SBIE with forced folders feature for external media.

Another recommended XP stay route from me is the combo of free Sandboxie and AppGuard.
http://www.appguardus.com/support/products/AG4/AppGuard Protection for XP 3.pdf

Do disable also Java and other possible vulnerabilities in perhaps uninstalling unnecessary software.

 

Shadow Defender + sandboxie = invincible combo

 

Tried installing shadow defender but it did not complete. Should I re-install xp at the first primary partition so it gets drive C: as the system and boot drive? Currently xp is on drive E: in the extended partition and boot.ini is in the first primary partition which used to work as w98, maybe s.d. is not happy with this?

What about linux (ubuntu)?

 

Sandboxing: on Linux it's less a matter of "secure" than "practical" IMO. SELinux is theoretically much more secure than AppArmor or Tomoyo 2, but also much easier to mess up with. I would just take a look at custom policies using AppArmor, since almost every major distro ships with it. Don't use distro default policies for desktop applications though, they usually are too lenient.

Light virtualization/kiosk software: set up a bash script to clear out your home directory, and other user writable areas, on reboot. (And store any important data on another partition.) You're not going to get any better than that. I'm completely serious; if a nasty installs to your home directory, it will just get removed on reboot. And if it installs to your system as root, you have much bigger problems than any kiosk software will ever be able to deal with. Also, with this setup (unlike an actual live or kiosk system) you can apply updates without any trouble.

IMHO "light virtualization", or whatever you want to call it, is not a good security policy. It has advantages for privacy, and for ease of maintenance in some settings, but in terms of security it offers too little at too much cost.

 

BTW, if you want to run a "disposable" Linux system on top of your main install, you could try
- chroot sandbox
- LXC
- User mode Linux

chroot is the simplest to set up by far. LXC is more secure and more versatile, but more complicated to set up. UML is probably the most secure, and (IMO) less annoying to deal with than LXC; but it's also somewhat slower and (IMO) less reliable, and networking is a pain to set up on it.

 

While not compatible with Linux, our new Quietzone is compatible with Windows XP (SP2) through Windows 8.1. It is the 4th generation of our disk level virtualization technology with a light footprint that should work well with older, resource challenged systems.

Kind regards
Mike

 

If all that is wanted is to prevent permanent changes to a windows partition while running linux, then is chroot just as secure as LXC, User Mode Linux, SELinux, AppArmor and Tomoyo 2 for this particular task?

 

Another issue is that only slackware-based vectorlinux 6 runs decently on this old hardware and is user-friendly. Limited to this distro, is chroot the only easy option for the particular task above?

 

Don't use Vector 6. It's a dangerously obsolete version of a dangerously shoddy distro (i.e. security does not compare favorably to Windows).

If you're comfortable running Vector, you should probably try Debian Wheezy; it works quite well on anything newer than a Pentium III.

 

And the browser that comes with debian wheezy works usably fast on a Celeron at 533 MHz?

All those linux sandboxing/light virtualization have far more features than seem to be needed here and the simplicity of Shadow Defender has no learning curve and no known rootkit that can defeat it. Nothing as simple and robust in linux?

Why is lxc more secure than chroot if we are happy with everything getting read and written by the malware?

 

Ah, okay, ignore that last. Please don't use Debian. It doesn't come with a browser by default, and requires some manual setup. I didn't realize you were new to Linux, sorry.

Edit: re the hardware, how much RAM does the machine have? A slow CPU like that celeron will be... slow, but RAM is more often the bottleneck on old computers.

Nothing as simple to use, no. I'd hesitate to call any of these tools less robust, but they basically fulfill different roles.

Light virtualization is security through denial of persistence. This works for dealing with most ITW malware.

Policy sandboxing (like AppArmor) on the other hand tells the system specifically what a given program can or cannot do, in order to limit the scope of an attack.

LXC and other container mechanisms are closer in nature to lightweight virtualization, but instead of creating a shallow copy of the OS, they let a sacrificial guest userspace run on top of the same kernel.

The last two are not mutually exclusive BTW. You can run a program under AppArmor in an LXC container.

We're not happy with everything getting read and written by malware. If malware tampers with a privileged process, with kernel memory, or with the boot sector, it will bypass any defense.

(That also applies to light virtualization on Windows - Returnil IIRC prevents drivers from loading while it runs, in order to prevent that kind of tampering.)

On that note, LXC is more secure (in theory!) because it provides more ways of isolating the container. e.g. you can control network access, not just filesystem access.

The thing to realize here, IMO, is that a typical Linux system faces a completely different set of threats than a typical Windows system. Windows malware is often designed to install automatically. Linux malware is more often designed to be installed directly by an attacker, to maintain their access to a system and help cover their tracks. Rootkits were a big deal on Linux long before they came in vogue on Windows.

 

384 MB. Any debian derivative that runs a current browser usably on a Celeron at 533 MHz?

Wait, the malware THINKS it tampers with all those areas but instead Shadow Defender intercepts all disk access and writes changes to reserved ram initially and reserved disk areas later, with a view to disposing them at the next reboot. Can't believe no one thought of this simple scheme for linux.

 

Oy! That's going to be difficult. With bottlenecks on both RAM and CPU, you will have problems. There are Linux distros that can run well on such old machines, and there are ones that are user friendly. But there is almost no overlap between those two categories.

I really wish I could offer more help on this front...

Because it's not really that simple - not in concept and especially not in implementation. And it could be bypassed anyway by anyone with root privileges. Linux is a different OS, and typically faces a different set of threats.

e.g. On Windows, the "true" administrator is the SYSTEM account. On Linux, root is all-powerful, and you can actually log in as root; but faking your way to root on Linux is (usually) harder than faking your way to SYSTEM on Windows.

 

If the SYSTEM account can bypass shadow defender, how come no rootkit is known for shadow defender?

 

Because Shadow Defender presumably makes it quite a bit harder to get SYSTEM privileges. If you can't load drivers even as admin, it becomes harder to mess with the kernel. Likewise writing to the boot sector, which SD prevents admins from doing.

"No known rootkit" is is a lot better than most security software. That doesn't mean it's invulnerable though; especially when dealing with a skilled human attacker.

Edit: especially on Windows XP, which is really bad at protecting the SYSTEM account. From my (admittedly limited) experimentation, it looks to me like a lot of products are much less effective on XP than on Windows 7 (on which they can take advantage of integrity levels, memory protection, and overall improved design).

 

When you install shadow defender you are one of the administrators, and you disable certain driver installation. But malware running as administrator cannot undo this disable? Something more obscure than this must be going on. How about this: shadow defender is a rootkit.

 

... No no no. Shadow Defender is not a rootkit. It probably employs some techniques similar to what rootkits do, in order to protect itself from being easily disabled (because on XP most people run as admin, and getting SYSTEM access is normally way too easy).

Let me see if I can explain this:

An x86 CPU has four physical modes, usually called "rings." The most privileged is ring 0. The least is ring 3. On a normal OS like Windows, the kernel runs (mostly) in ring 0, and user applications in ring 3. Rings 1 and 2 can be used, but AFAIK are usually not.

Since Shadow Defender uses a Windows driver, it (or the part that does the work anyway) runs in ring 0. But applications - all applications, including those running in an admin account - run in ring 3.

As admin, you gave SD control on the level of ring 0 first. The driver, running in ring 0, has privileges over even admin applications. So if some exploit kit makes Firefox run a nasty, the malware will be running in ring 3, and SD in ring 0 will have control over what it can do.

Edit: BTW please understand that the above may be wrong in some details. I'm by no means an expert on low-level hardware and OS design.

 

Thanks. I'll give antix a go (lightweight debian derivative that "should run on most computers, ranging from 64MB old PII 266 systems with ... 128MB RAM recommended") and see how current chrome runs. Hopefully they have simplified installation.

Then maybe try basic lxc on it. Hopefully complete instructions can be found for creating a debian container with chrome in it.

 

Debian wheezy as antix runs ok but its firefox (iceweasel) is much too slow. The chrome package does not work at all. Manually downloading the current chromium and running it produces an "illegal instruction" error, caused by SSE2 instructions not supported by my 533 MHz Celeron.

Where can I find a binary for chromium that has SSE2 disabled?