J_K9 @ Linux

Virtual Environments - Extra Security?

January 21, 2006 on 1:55 pm | In Linux |

I have been thinking about this since I woke up this morning - an added layer of security which I’m pretty sure has not been attempted yet.

Basically, it involves an application. This application doesn’t really emulate your natural desktop - it’s like looking down at your desktop through a pane of glass. It could also be described as screenshots from your desktop being pasted into the application’s window. For the purpose of this article, we shall call this a Virtual Environment (VE).

In this VE you can do everything as normal - open folders, browse the Internet, create documents and everything else, but there are some differences. First of all, as soon as the VE is started, there is nothing ‘inside’ it - only an image of your desktop. Then, once you initiate an application, the VE copies the application’s files onto it for access. Once the application is closed, the VE forbids access to the application which has been copied to it, although it is still available on the VE.

So, let’s say we have an Open Document (.odt) on our real desktop called “Foo.odt”. Then, you begin the VE, and you see Foo.odt (as normal) on your desktop. You double-click on it - the VE copies both the file and the application required to run it (OpenOffice.org 2.0 in this case), but nothing else that is on your computer. The application is run andyou can work normally on the file, but once you close it the VE will not be allowed access to Foo.odt or OpenOffice.org - although they will remain within the VE.
Also, an application or file can only be opened from mouse input - this automatically stops the use of scripts, terminal commands or the like.

I’m not sure if this is possible or if it would work at all, but I think it would be an added bonus for any security-conscious user. This is why:

1. While the user can visually see any icons on his desktop within the VE and any other objects within any folders, they are not actually within the VE. This stops the issue of random applications (particularly adware) sending personal information to external sources
2. If the user downloads any files, these are placed within the VE and not on the desktop. Mouse-only access to files and applications means that any downloaded scripts or malware would not be able to delete these files, access them or modify them - and they wouldn’t be able to see the native ones because those are ‘invisible’ (see 1).
3. Any caught viruses or malware would only infect the VE and the applications/documents copied to it - but the originals would remain unharmed. The VE could then be reset and it would return to default - no viruses, documents or applications within the VE.
4. There would be an option on the VE application whether or not a modified file/application is allowed to modify the original too - in order to keep both synchronised. This would give the VE write access to the copied file/application’s original source only, and not to the rest of the computer.

Another option would be to allow read access only to all of the computer from the VE, with write and execute access being granted only to the objects selected via mouse input.

Just a wacky thought! Although I can already see the problems this application could face - but it’s only an idea for now….