|What If Home | Product Overview | Intel® TM ABI specification | Technical Requirements|
FAQ | Primary Technology Contacts | Discussion Forum | Blog
Isolated Execution is a software reference implementation of the security through isolation concept. It is not targeted at stopping malware from running or avoiding its insertion in the user’s machine; it rather provides a contained environment where malware can run without affecting the whole system.
Isolated Execution allows handling of a pool of such contained environments or sandboxes “ready to use” for running unknown or untrusted applications or opening suspicious files or programs from unverified third parties. The user decides whether to open a file depending on the confidence the user has in the file's origin. Using the “Send to sandbox VM” option from the context menu, the file will be copied and opened in an isolated environment for its use. All the damage caused by this file, if any, will be limited to the sandbox scope. After closing the application, the sandbox will be restarted and back to the pool without affecting the user environment.
Main benefits of Isolated Execution:
- Limit the scope: Limit the damage caused by malware through sandboxing
- Delay an attack: Limit speed and propagation of worms and virus distribution due to containment
- Assist the user: Decrease the likelihood of human error initiating an attack
- Better detection: Allows for a more thorough and efficient detection capability
Even though the theory behind security through isolation is very complex and there is no implementation widely used nowadays, Isolated Execution tries to take advantage of the virtualization hardware technology available today in most platforms and apply it to solve some common problems that users have every day when they use the computer. For instance, zero day attacks could be managed by Isolated Execution, opening the file containing the exploit in a sandbox. We want to emphasize that this is only a proof of concept of the idea; we aim to collect feedback and discuss the pros and cons of this approach sharing with the community some interesting modules that Isolated Execution provides.
Isolated Execution is also an active project posted to SourceForge.
Please report bugs on the SourceForge site.
How to install Isolated Execution
All the steps must be followed in the order shown on this list.
1)Download Isolated Execution repository in some local directory (from now on [WORKING_DIR])
[shell]svn co https://isolated-exec.svn.sourceforge.net/svnroot/isolated-exec isolated-exe[/shell]
2)Download Xen 3.1.0 from its repository : http://xenbits.xensource.com/
3)Install Dev86 Linux package that can be downloaded from http://homepage.ntlworld.com/robert.debath/. Unpack the file and follow the instructions in the README file
4)Install the SDL development package as well as the packages required by XEN (listed in Xen’s README)
5)Compile and install Xen. Using make world is enough to compile and install Xen. For more detailed instructions refer to the README file inside the Xen directory.
Note: You must add the lines in your boot loader by hand in order to boot your Xen hypervisor.
6)Create the user VM. For that, create a disk image for the virtual machine’s primary disk in [WORKING_DIR]/vm-images/:
dd if=/dev/zero of=[WORKING_DIR]/vm-images/UserVM.img bs=1M count=4096
7)Generate an iso image from a Windows XP installation file. Save the image at [WORKING_DIR]/vm-images/WindowsXP-SP2.iso
8)Create a Xen machine Configuration file for the user VM(/etc/xen/UserVM.cfg) like this.
kernel = '/usr/lib/xen/boot/hvmloader' builder = 'hvm' memory = '384' device_model='/usr/lib/xen/bin/qemu-dm' # Disks disk = [ 'file:[WORKING_DIR]/vm-images/UserVM.img,ioemu:hda,w', 'file:[WORKING_DIR]/vm-images/WindowsXP-SP2.iso,ioemu:hdc:cdrom,r' ] # Networking vif = ['ip=192.168.0.1,type=ioemu, bridge=xenbr0, mac=aa:00:00:50:02:f0'] #Behaviour boot='dc' sdl=1 serial = 'pty' # Hostname name = 'UserVM'
9)To install the user VM run
xm create UserVM.cfg
10) Configure the user VM network with the following values
IP= 192.168.0.1 GW= 192.168.0.254
11)Create the user delegator with the password delegator in the user VM. This user must have Administrator rights.
12)Shutdown the user VM, shutdown Xen (xend stop) and down the bridge (/etc/xen/scripts/network-bridge stop)
13)Configure Xen to use a NAT configuration. This is configured in the file /etc/xen/xend-config.sxp.
The following lines must be commented
#(network-script network-bridge) #(vif-script vif-bridge) And these other ones have to be uncommented (network-script network-nat) (vif-script vif-nat)
14)Restart Xen: (xend start)
15)Start the user VM again (xm create UserVM.cfg)
16)Unpack isolated-execution-0.0.1.tar.bz2, compile and install it in Domain 0:
./configure make make install
17)Run the script vmpool-setup-network-xen-guest.sh in Domain 0 to configure the user VM network. Use the following line:
The script should be installed in the /usr/local/bin directory in the previous step. You can test the Internet connection for the user VM now.
18)Create a sandbox virtual machine.
Create the disk image:
dd if=/dev/zero of=[WORKING_DIR]/vm-images/Sandbox01.img bs=1M count=4096
Create a VM config file for the sandbox VM with the following configuration. This file has to be created in the /etc/xen/ directory with the name
kernel = '/usr/lib/xen/boot/hvmloader' builder = 'hvm' memory = '384' device_model='/usr/lib/xen/bin/qemu-dm' # Hostname name = 'Sandbox01' # Disks disk = ['file: [WORKING_DIR]/vm-images/Sandbox01.img,ioemu:hda,w'] # Networking vif = ['ip=192.168.0.2,type=ioemu, bridge=xenbr0,mac=aa:00:00:50:02:f1'] # Behaviour boot='dc' sdl='1' serial = 'pty'
Run the Sandbox01 VM
xm create Sandbox01.cfg
19)Configure the Sandbox01 VM network with the following values
IP= 192.168.0.2 GW= 192.168.0.254
20)Install Delegation Module in the user VM:
- Install isolated-execution-delegation-module-win32.exe
- Logged in as delegator, go to Start->Run, type sendto in the text box and click enter.
- Copy a shortcut to the IEDelegationModule.exe file in the SendTo folder. (This file should be installed in Program Files\Intel\Isolated Execution\Delegation Module\)
- Rename the shortcut to Sandbox VM.
- Change the associated icon: Right click on the icon->Properties->Change Icon (choice the Recycled Bin icon)
21)Create the delegator user with password delegator in Domain 0.
22)Install the ssh server in Domain 0.
23)Create the /home/delegator/.ssh/ directory in Domain 0. Change its permissions to 700.
24)Download and unpack the Delegation Module source (isolated-execution-delegation-module-source-0.0.1.zip) code at [WORKING_DIR]
25)Copy the [WORKING_DIR]/isolated-execution-delegation-module-source-0.0.1/DelegationModule/authorized_keys in /home/delegator/.ssh/ in Domain 0. Change its permissions to 600.
26)Start the sandox VM network running the command ./vmpool-setup-network-xen-guest.sh 192.168.0.2 in Domain 0.
27)Install cygwin and opensshd in the sandbox VM. Follow the instructions in this page http://pigtail.net/LRP/printsrv/cygwin-sshd.html
28)Set the delegator user in the sandbox VM as the default user.
a.In the sandbox VM, set Windows XP to auto logon with the delegator user without requesting its password:
Click Start and then click Run
In the "Open" box, type control userpasswords2, and then click OK.
Select the user "delegator"
Clear the check box for Users must enter a user name and password to use this computer, and then click Apply.
An "Automatically Log On" window will appear. In the dialog box, type the password for delegator user in the Password box, and then retype the password in the Confirm Password box.
Click OK to close the "Automatically Log On" window, and then click OK to close the "User Accounts" window.
29)Install the Domain 0 delegator user public key in the sandbox cygwin environment; in this way no password is requested when login. Follow the instructions in this page http://sial.org/howto/openssh/publickey-auth/ or:
[delegator@dom0]$ pwd /home/delegator [delegator@dom0]$ ssh-keygen –q –f ~/.ssh/id_rsa –t rsa [delegator@dom0]$ chmod go-w ~/ [delegator@dom0]$ chmod go-rwx ~/.ssh/* [delegator@dom0]$ scp ~/.ssh/id_rsa.pub email@example.com:~
(type delegator’s password)
Now, in the sandbox VM enter to cygwin’s shell.
[delegator@Sandbox01]$ pwd /home/delegator [delegator@ Sandbox01]$ mkdir ~/.ssh [delegator@ Sandbox01]$ chmod 700 ~/.ssh [delegator@ Sandbox01]$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys [delegator@ Sandbox01]$ rm ~/id_rsa.pub
30)Copy the vmpool.cfg file from [WORKING_DIR]/isolated-execution-0.0.1/samples/vmpool/xen to /etc
31)Copy the ie.conf file from [WORKING_DIR]/isolated-exec/trunk/src/main/linux/samples/ie.conf to /etc
32)Install the Migration Module (isolation-execution-migration-module-win32.exe) in the sandbox VM. The Migration Module service has to be configured to start automatically when the VM is booted (Go to Control Panel->Administrative Tools->Services and change the Startup Type of the IEMigrationModule to Automatic).
33) Add a shortcut to IeLauncher.exe in the Startup delegator’s account in the sandbox VM. The IeLauncher.exe should be located at Program Files\Intel\Isolation Execution\Migration Module. (To add the shortcut go to Start->All Programs->Startup).
34) Shut down both virtual machines.
35)Run ie in the Domain 0.
This command will start both virtual machines and it will pause the Sandbox VM (putting it in the pool of virtual machines). Once Sandbox VM is paused and the User VM is ready, open any file in a sandbox, for instance, NOTEPAD.EXE (Right click on the file, Sendto->Sandbox VM). The file should be opened in the Sandbox VM. When you close the delegated application, the Sandbox VM should be restarted and put back into the pool.
What is Security through Isolation?
Isolated Execution refers to Security through Isolation by providing clean sandbox environments (Virtual Machines) where suspicious applications or files can be opened. If this file is malware, then the affected environment will be the sandbox. Since the sandbox is disposable, next time that the sandbox is opened, the original clean image is utilized and any damage caused by the malware is removed.
What is a Sandbox Virtual Machine?
A sandbox is a security mechanism for safely running programs. It is often used to execute untested code, or programs from unverified third-parties, suppliers and untrusted users. The sandbox typically provides a tightly-controlled set of resources in which guest programs can run.
In Isolated Execution, the sandbox is provided in a Virtual Machine which contains a complete and clean operating system.
How do you use Virtualization Technology?
Isolated Execution is hypervisor agnostic, but the hypervisor configuration utilizes Virtualization Technology to allow for unmodified operating systems in the user environment as well as in the sandbox virtual machines.
Is Isolated Execution a complete product?
Isolated Execution is a reference implementation, so it is not a complete product.
What remains pending to create a product?
Isolated Execution provides the core functionality to delegate the execution of files in sandbox virtual machines; so depending on the usage you may want to resolve you may consider:
User Interface: currently the implementation uses different windows for different virtual machines, a better approach would be to provide all windows in a unified desktop.
Deltas between VMs: after verifying that the suspicious file opened was not harmful, a mechanism would be needed to migrate the file into the main environment.
Where do I download Isolated Execution?
The files have been made available on the Isolated Execution download page.
How do I report application bugs?
We have a bug tracker. Please visit the site and submit your bug.
You can also post questions to our Isolated Execution discussion forum.
Pablo Passera is a Senior Software Engineer in the Argentina Software Pathfinding and Innovation group. Prior to joining Intel in 2007, he worked for Motorola in the software development group mainly involved in projects related with communications technologies. He has a degree in Electronic Engineering and a strong formation in Software Engineering. His expertise areas include Operating Systems, Distributed Operating Systems, Embedded, Virtualization, Networking and low level programming in general.
Gisela Giusti joined Intel in 2006. She got her bachelor degree in computer science during her first year at Intel and she has been working in security related projects since then. In 2007 she joined the Software Pathfinding and Innovation group, and she was part of the Isolated Execution project from its beginnings. During the last two years she has been mainly working in virtualization related topics. Currently Gisela’s interests are computer security, virtualization and operating systems.
Guillermo Colsani joined the Intel Argentina Software Development Center in April 2007, and since then has worked in software products innovation. A team builder, he enjoys working in challenging projects seeking to leverage creativity. After more than 10 years of software development, he initiated his path in business analysis and development, where he found a strong complimentary tool as an IT professional. Out of work is not so different: challenges are to climb the highest mountain, ride the roughest mountains, hike with his kids to the nicest places, and enjoy nature with his family.
Duilio Protti is a software engineer at Intel Corporation. He has worked in a team specialized in virtualization technology and currently is developing prototypes for Intel® Atom™ processor -based platforms. Before joining Intel in 2007, Duilio held testing specialist and security analyst positions in two Argentinean firms. He has also written LibCMT, a library for Composable Memory Transactions, and has contributed to various open source projects, including Nmap and Libvisual, among others.-->