Paranoid web browsing

Are you paranoiac enough?

Bugs in web browsers and web-browser plugins can expose your computer to misuse. For example, an Adobe security advisory warns that there is a security loophole in their Flash Player plugin, and they promise to plug it by 30th July 2009. But there was some Flash I was interested in, so I wanted a way of viewing Flash before that date without exposing anything sensitive to the exploit.

One approach to this would be to run a web browser in a chroot environment, but there are difficulties doing it that way. Since I’ve been playing with qemu-kvm, the obvious choice is to run the web browser in a virtual machine with no attached storage. This way, to do anything to your real machine, an attacker would have to take control of the virtual machine and then break through either the virtualisation system or the firewall(s) between your real and virtual machines. This is considerably more difficult than exploiting bugs in browser plugins.

How to knock together a virtualised web browser

On Fedora 11

  1. Install some rpms

    You’ll need

  2. Make a kickstart file that includes flash-plugin

    Make yourself a directory to work in and change to it; let’s call it $PWD. Then copy the kickstart file for a lightweight window manager and the kickstart file it includes:

    cp /usr/share/spin-kickstarts/fedora-livecd-xfce.ks .
    cp /usr/share/spin-kickstarts/fedora-live-base.ks .
    

    Now edit fedora-live-base.ks to include the adobe repository as a source for rpms; before the %packages line insert this:

    repo --name='Adobe Systems Incorporated' --baseurl=http://linuxdownload.adobe.com/linux/i386/
    

    (You might want to take the opportunity to adjust the lang, keyboard and timezone lines to match your personal circumstances.) Next edit fedora-livecd-xfce.ks and add

    flash-plugin
    

    on a line on its own in the %packages section — after firefox would be a sensible place.

  3. Build the livecd

    mkdir -p RPM-cache
    livecd-creator --config fedora-livecd-xfce.ks --cache RPM-cache -f fedora-livecd-xfce
    

    That’ll take a little while, but you should end up with fedora-livecd-xfce.iso

  4. Define that as a virtual machine

    1. Start virt-manager
    2. click on New (bottom right)
    3. enter a name for the virtual machine in question (an identifier, i.e. no spaces), let’s say “Gaol”
    4. leave “Local install media” selected
    5. click Forward
    6. leave “Use iso image” selected and enter the absolute path to fedora-livecd-xfce.iso
    7. leave os type and version both as generic
    8. click Forward
    9. Select enough RAM to run the OS in
    10. click Forward
    11. untick “Enable storage for this machine” — we don’t need to allocate any disc space
    12. click Forward
    13. click Finish; a window should come up titled “Gaol”
  5. Add a more convenient pointing device

    The default pointing device assigned by libvirt is a mouse, presumably because mice are supported in most operating systems, but because of its relative-motion action, it’s awkward to use in a virtual machine window. Since the Fedora livecd we’ve just built can cope with an absolute tablet, it will be easier to use if we add one:

    1. Click on the Details tab of the “Gaol” window. At this point under “Overview” it should say Status: Shutoff.
    2. Click on “+ Add hardware” (bottom left)
    3. Select Hardware Type => Input
    4. Click Forward
    5. Select EvTouch USB Tablet
    6. Click Forward
    7. Click Finish
  6. Start the virtual machine

    Select the console tab, and click run in the toolbar above it. It’ll go through the normal boot process, and you can log in as liveuser (which is the default login). Now you can start firefox in the normal way, and browse away, looking at whatever flash you fancy.
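
The isolation argument above depends on the guest having no writable path to host storage, so it is worth checking the definition that virt-manager produced. The following is an added example, not part of the original page: a shell function that reads the output of `virsh dumpxml Gaol` and fails on any disk that is not a read-only CD-ROM, or on any `<filesystem>` or `<hostdev>` element. The sample XML excerpts and their paths are constructed, and the line-based parsing assumes the one-element-per-line, single-quoted XML that virsh prints.

```bash
# Added example: audit a libvirt domain definition for host storage exposure.
# On the host:  virsh dumpxml Gaol | audit_domain_xml
# Assumes the one-element-per-line, single-quoted XML that virsh prints.
audit_domain_xml() {
  awk '
    # Value of a single-quoted attribute on the current line, or "".
    function attr(name) {
      if (!match($0, name "=\047[^\047]*\047")) return ""
      return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    /<disk[ >]/ { in_disk = 1; dev = attr("device"); ro = 0; src = "(none)" }
    in_disk && /<source / { src = attr("file"); if (src == "") src = attr("dev") }
    in_disk && /<readonly\/>/ { ro = 1 }
    /<\/disk>/ { in_disk = 0
      if (dev != "cdrom" || !ro) { bad++; verdict = "FAIL" } else verdict = "OK"
      print verdict " disk device=" dev " readonly=" ro " source=" src
    }
    /<filesystem[ >]/ { print "FAIL host directory shared via <filesystem>"; bad++ }
    /<hostdev[ >]/ { print "FAIL host device passed through via <hostdev>"; bad++ }
    END { exit (bad > 0) }
  '
}

# Constructed excerpt: the storage-less live-CD machine from the steps above.
sample_live_only() { cat <<'EOF'
<devices>
  <disk type='file' device='cdrom'>
    <source file='/home/user/work/fedora-livecd-xfce.iso'/>
    <readonly/>
  </disk>
</devices>
EOF
}

# Constructed excerpt: a writable disk image plus a shared host directory.
sample_with_disk() { cat <<'EOF'
<devices>
  <disk type='file' device='disk'>
    <source file='/var/lib/libvirt/images/Gaol.img'/>
  </disk>
  <filesystem type='mount'>
    <source dir='/home/user'/>
  </filesystem>
</devices>
EOF
}

sample_live_only | audit_domain_xml && echo "PASS: no writable host storage"
sample_with_disk | audit_domain_xml || echo "REJECT: guest can reach host storage"
```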

No sound?

Unfortunately, at time of writing there is a problem with virt-manager on Fedora 11: it doesn’t attach a sound card to the virtual machine. This makes Flash and suchlike rather disappointing, so we want to work round that. Given that I’m assuming that both the real and virtual machines are running Fedora 11, they’ll both be running pulseaudio (unless you’ve disabled it, in which case you’ll have to run some other sound daemon). On the virtual machine this is a waste of time, since it just sends everything to a null device, so we want to arrange that firefox sends any sound output to the pulseaudio server on the host machine. That is fairly straightforward, except that the host server will be listening on a socket, but we need to connect it to a network port. Here’s what I did:

  1. On the guest machine, poke just a teensy hole in its firewall.

    1. From the “f” menu in the taskbar on the guest machine, select Administration⇒Firewall
    2. Close the warning window.
    3. Click “Other ports”
    4. Click the “+ Add” button
    5. Select “User defined”
    6. Enter the number of a tcp port you’re not using. Something bigger than 50000 might be a reasonable choice, let’s say 50001 for the sake of argument
    7. Click OK
    8. Click “Apply” in the toolbar of the “Firewall Configuration” window and then close the window.
  2. Now open a terminal window, and enter

    coproc NC (nc -lk $GUESTIP 50001) 
    nc -lk localhost 50001 </dev/fd/${NC[0]} >/dev/fd/${NC[1]}
    

    Where $GUESTIP is the IP address of the guest machine on the virtual network. You can discover this by typing ifconfig eth0 into a console on the guest machine. The business with coproc is there because, although we’re communicating from the guest machine to the host machine, we want to do it through an incoming connexion, so that we don’t have to poke holes in the firewall on the host machine. The “-l” option on each nc means that the guest is listening on both its internal (localhost) and external ($GUESTIP) interfaces.

  3. Now do something similar at the other end. Here we want to connect the port to our pulseaudio socket, but this time we’re sending rather than listening. Enter into a console on the host:

    coproc NC (nc -U ~/.pulse/*:runtime/native)
    nc $GUESTIP 50001 </dev/fd/${NC[0]} >/dev/fd/${NC[1]}
    

    2010-07-10: newer versions of pulseaudio use a different name (Fedora 12 onwards?); replace the “:” with a “-”, i.e.

    coproc NC (nc -U ~/.pulse/*-runtime/native)
    nc $GUESTIP 50001 </dev/fd/${NC[0]} >/dev/fd/${NC[1]}
    
  4. Now we are in a position to test. In the console window on the guest machine, type

    PULSE_SERVER=tcp:localhost:50001 paplay /usr/share/sounds/alsa/Front_Center.wav
    

    and you should hear some sound coming out of the speakers connected to your host machine.

  5. Finally, we can start firefox and have it talk to the sound server on the host machine

    PULSE_SERVER=tcp:localhost:50001 firefox
    

    but watch out — some viewer applets can crank the volume right up.

Recorded: 2009-08-05 (this version uploaded 2014-01-17)
