Browser Virtualization Secures Firefox
GreenBorder, a company that has already made some headway with security-conscious consumers through a freeware/commercial combination of browser virtualization software for Internet Explorer, today released a new edition exclusively for Firefox users on Windows. GreenBorder uses what it describes as "just-in-time virtualization" to build an extensible operating environment around the browser, separating the browser's session from that of the operating system.
The purpose of this virtual wrapper is to prevent any active content downloaded and run through the browser from gaining direct, unwarranted access to the operating system. With GreenBorder active, Firefox is launched within a virtual session, which is marked on screen with, literally, a green border around the browser window.
Any new windows spawned by the browser also live within this virtual session. As a result, calls intended to change system settings are separated from the real system by a single layer of indirection, through which malware should not be able to pass.
Furthermore, with GreenBorder Pro -- available as a subscription-based upgrade -- files downloaded through the browser can be opened within the isolated environment using their native applications, while still being denied direct access to such sensitive areas as the system registry or the directory table.
Since GreenBorder does not virtualize the Windows operating system, some could argue that the company isn't using the term properly. In March 2005, security consultant KeyLabs was commissioned by GreenBorder to make an assessment of its software, which at that time was directed toward IE.
KeyLabs made perhaps the most technically accurate explanation of GreenBorder's technology we've found: "GreenBorder's design is based upon the partitioning of a single system into separate logical domains with the ability to apply access restrictions inside domains. This strategy is unrelated to 'virtual machine' environments such as VMware and Microsoft / Connectix Virtual PC products, where a completely separate virtual system is maintained with its own corresponding virtual hardware, memory, drive image(s), and operating system instance."
As KeyLabs explained, GreenBorder creates a level of indirection, where processes running under an isolated environment receive limited access to system services, the degree of limitation being controlled by policy. Conceptually, at least, this is similar to the kind of access control mechanism that Microsoft is integrating into Windows Vista, so it will be interesting to find out whether GreenBorder and Vista can co-exist.
KeyLabs also took issue with GreenBorder's characterization -- which continues today -- that the software is 100% effective against malware, noting that certain buffer overflow exploits remain a risk even with a layer of indirection in place, since a policy holds only as long as the code enforcing it is intact. Still, it found the software to be a very effective complement to a broader security suite, which would continue to include firewalls, anti-virus, and vigorous anti-malware programs.
Arguably, a system that shows malware a view of the user's computer in which the files it is looking for do not exist could be as useful as a software firewall that drops responses to port scans, making it appear to network-based attackers that the ports themselves don't exist.
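As an added illustration (not GreenBorder's code, nor anything KeyLabs published), the following Python model shows the shape of the mechanism the preceding passages describe: a per-session copy-on-write overlay in front of the host's files and registry, a policy that hides chosen paths so that reads report "not found", and child windows that inherit the session rather than escaping it. The host dict, the policy, the path names and the malware_attempts routine are all constructed sample data, and the class and function names are this example's own.

```python
"""Toy model of a policy-driven isolation layer for a browser session.

Constructed for illustration only; this is not GreenBorder's code. The host
filesystem and registry are stood in for by a dict, and a 'session' is a
copy-on-write overlay plus a policy that decides what the session may see.
"""
import ntpath


def norm(path: str) -> str:
    """Canonicalize a Windows-style path (or registry key) so that prefix
    rules cannot be bypassed with forward slashes, mixed case, or '..'."""
    return ntpath.normcase(ntpath.normpath(path))


class IsolationPolicy:
    """Assumed policy shape: path prefixes the session must not see at all.
    Everything else is readable, and every write lands in the session's
    overlay rather than on the host."""

    def __init__(self, hidden=()):
        self.hidden = tuple(norm(p) for p in hidden)

    def is_hidden(self, path: str) -> bool:
        p = norm(path)
        return any(p == h or p.startswith(h + "\\") for h in self.hidden)


_DELETED = object()  # overlay marker: the session deleted this entry


class VirtualSession:
    def __init__(self, host: dict, policy: IsolationPolicy, overlay=None):
        self.host = host
        self.policy = policy
        self.overlay = {} if overlay is None else overlay

    def spawn(self) -> "VirtualSession":
        """A window or helper process spawned from inside the session shares
        the same overlay and policy; it does not get a fresh view of the host."""
        return VirtualSession(self.host, self.policy, self.overlay)

    def read(self, path: str) -> bytes:
        p = norm(path)
        if self.policy.is_hidden(p):
            raise FileNotFoundError(path)   # hidden: looks as if it does not exist
        if p in self.overlay:
            if self.overlay[p] is _DELETED:
                raise FileNotFoundError(path)
            return self.overlay[p]          # the session's own modification
        if p in self.host:
            return self.host[p]             # read-through to the real host
        raise FileNotFoundError(path)

    def exists(self, path: str) -> bool:
        try:
            self.read(path)
            return True
        except FileNotFoundError:
            return False

    def write(self, path: str, data: bytes) -> None:
        # Writes never reach the host: the session sees them, the host does not.
        self.overlay[norm(path)] = data

    def delete(self, path: str) -> None:
        self.overlay[norm(path)] = _DELETED

    def end(self) -> None:
        """Closing the session throws away everything it changed."""
        self.overlay.clear()


def build_host() -> dict:
    """Constructed stand-in for the host's files and registry (sample data)."""
    return {
        norm(r"C:\Windows\System32\drivers\etc\hosts"): b"127.0.0.1 localhost",
        norm(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"): b"",
        norm(r"C:\Users\alice\Documents\secrets.txt"): b"top secret",
    }


def default_policy() -> IsolationPolicy:
    return IsolationPolicy(hidden=[r"C:\Users\alice\Documents"])


def malware_attempts(session: VirtualSession) -> None:
    """Constructed drive-by behaviour: a persistence entry in the Run key and
    a hosts-file rewrite reached through a '..' path, from a spawned window."""
    popup = session.spawn()
    popup.write("HKLM/Software/Microsoft/Windows/CurrentVersion/Run", b"evil.exe")
    popup.write(r"C:\Users\alice\Downloads\..\..\..\Windows\System32\drivers\etc\hosts",
                b"1.2.3.4 bank.example")


if __name__ == "__main__":
    host = build_host()
    session = VirtualSession(host, default_policy())
    malware_attempts(session)
    hosts = r"C:\Windows\System32\drivers\etc\hosts"
    print("session sees:", session.read(hosts))
    print("host still has:", host[norm(hosts)])
    print("documents visible to session:",
          session.exists(r"C:\Users\alice\Documents\secrets.txt"))
    session.end()
    print("after session ends:", session.read(hosts))
```

The canonicalisation in norm is the part that carries the security weight: a prefix rule that compared raw strings would be bypassed by a `..` segment, a forward slash or a change of case. The model also shows what such a layer cannot do on its own: the policy holds only as long as the code enforcing it is intact, which is the gap behind the buffer-overflow caveat KeyLabs raised above.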
Borrowing a page from ZoneAlarm's playbook, GreenBorder is available for a free download, with options such as SafeFiles -- continuous protection for any downloaded files -- available for a $14.95 USD per year subscription, and GreenBorder Pro available for $49.95 USD per year.