Virtualization for Practical Local Security
josephedward
Posted on October 14, 2019
Wikipedia:
In computing, virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms, storage devices, and computer network resources.
Writ large, virtualization is too wide of a subject to discuss within this article, so for our purposes I relegate my arguments to personal use cases. Type-1 virtual machine hosts such as Xen are referred to as native or bare-metal hypervisors because they do not live on top of the operating system and run at the hardware level. Type 1 Hypervisors are the purview of the tech behemoths; they are how the 'cloud' was created. This discussion is about Type-2 Hypervisors or hosted virtual machine monitors, which require an operating system to run on.
I think most developers (not just the paranoid security people) have a use case for a virtual machine, but many are too lazy to admit it. Virtualizing an operating system is the best way, that I am aware of, to create a portable workspace that allows you to save the exact state of your work: tabs open, apps running, services started. This creates improvements in modularity, security, and research. More generally, virtualizing gives you the ability to treat an operating system as a canvas to experiment upon.
Efficiency
This is my personal go-to use case. I was first inspired by my email client to start using virtual machines. Random emails would pop up constantly, and even with tools and tricks to manage, they had a way of stealing cycles from what I was working on. There was no certainty they weren’t phishing attacks stealing information, or were literally stealing cycles (i.e. mining attacks). Of course, you can set a time to respond to emails, or disable your internet connection while you write responses. Simpler is to create a layer that requires deliberate action to view your mail. A virtualized OS adds another login to access, adds boot time, et cetera. Reply from your phone if you need to shoot your emails from the hip.
Security
Most notably you will see virtualization in the security world. It is highly common to see pentesters using a Kali Linux VM to provide a place to keep a toolkit that otherwise would be cumbersome to install and maintain on their day-to-day machines. It is also common to see Metasploitable VMs used for pen testing tutorials and examples as an intentionally vulnerable OS instance.
Privacy
You don’t know what you don’t know. You can never be entirely certain that you are working within a 100% secure system. Virtualization helps put layers in between your information and potential attacks. Nothing is foolproof (I’m sure there are attacks designed for this specifically), but it is less likely that an attack can replicate itself through two layers of operating systems, particularly if they are of different architectures. Of course, each layer can have its own encryption, too. I think it is most typical to encrypt your host and leave the guest machines un-modulo'ed. Tails is the move if you think you’re sneaky.
Research
No one knows exactly how every single piece of software they install will act on their system. A virtual OS allows you to install carefree; if something breaks, your worst case scenario is deleting the machine. If you get caught in an infinite loop, you can just reboot. Important files in the host's RAM will not be lost. You will not lose the ability to google while rebooting. You won't have to worry about what services are, or are not, still running on your base machine. And if you think you got hit with malware, remove the machine! Or keep it for quarantine, weirdo.
Virtualization gives you options. Perhaps you've tested your app in multiple browsers, but have you tested it in multiple browsers across multiple operating systems? Shouldn't have an effect, but does it? I don't know. What about a native app? Don't you want to see how your Spring Boot app looks running in Windows/MacOS/Linux? With virtual machines, you can just go ahead and try it. Want to boot an offbeat operating system like FreeBSD or ReactOS? Here's your chance to do it without bricking your hardware. This article is not of the requisite scope to cover FreeBSD jail virtualization, or the entirely different subject of containerization (again, this discussion is about general-purpose user enablement).
Backup
It is also very simple to back up virtual machines. Just clone the VM. Again, this can be with browser tabs open, apps running, and services started. Most host virtualization applications automatically create snapshots. Virtual machines can be configured to be cross-platform, so that you can move your VM across different types of host operating systems.
Set Up
You should consider the go-to solution for virtualization to be Oracle's VirtualBox. Here are roughly the basic steps and parameters:
- Download VirtualBox onto your Host machine.
- Download the bootable .iso live disk image of the OS for your Guest machine.
- Allocate memory - more than what VirtualBox recommends, but not the max - depending on:
  - Number of simultaneous VMs you plan to run.
  - What you plan on running on these machines.
- Allocate number of processors - probably not worth it to use <2 cores as per modern hardware conventions.
- Determine the size of the virtual disk storage.
  - Dynamic vs. Fixed: choose fixed for performance, especially if you know you are going to need a certain amount of storage.
- Attach the operating system as live install CD.
  - Make sure you have a .iso file.
  - Set it as your IDE controller.
  - Settings -> Storage -> Attributes -> Optical Drive -> Live CD/DVD (pictured below)
- Go through operating system install as you would on hardware.
- Install the Guest Additions disk image in the VirtualBox menu bar for added functionality.
- If you don't want to enable bidirectional drag-and-drop for security reasons, you can always create a shared folder between guest and host VM by navigating to the 'shared folders' tab.
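The same steps can be scripted with VirtualBox's VBoxManage command line instead of the GUI; the sketch below is an added example, not part of the original post. The VM name, paths, sizes, the "no more than half of host memory" check and the read-only shared folder are assumptions made for illustration, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not the author's script. Names, sizes and paths are placeholders.
set -e
VM="${VM:-ubuntu-guest}"
ISO="${ISO:-$HOME/Downloads/guest-os.iso}"         # live .iso of the guest OS
DISK="${DISK:-$HOME/VirtualBox VMs/$VM/$VM.vdi}"
SHARE="${SHARE:-$HOME/vm-share}"                   # host folder exposed to the guest
MEM_MB="${MEM_MB:-4096}"
CPUS="${CPUS:-2}"
DISK_MB="${DISK_MB:-40960}"
HOST_MEM_MB="${HOST_MEM_MB:-16384}"                # set these two to your host's values
HOST_CPUS="${HOST_CPUS:-8}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print the commands only

# Sanity-check the allocation: at least 2 cores (per the steps above), no more
# cores than the host has and, as an assumed rule of thumb, at most half its RAM.
check_alloc() {  # usage: check_alloc MEM_MB HOST_MEM_MB CPUS HOST_CPUS
    [ "$3" -ge 2 ] && [ "$3" -le "$4" ] && [ "$1" -le $(( $2 / 2 )) ]
}

# Show the VBoxManage call (display only, unquoted); run it when DRY_RUN=0.
vbox() {
    printf '%s\n' "VBoxManage $*"
    if [ "$DRY_RUN" != 1 ]; then VBoxManage "$@"; fi
}

build_vm() {
    check_alloc "$MEM_MB" "$HOST_MEM_MB" "$CPUS" "$HOST_CPUS" ||
        { echo "allocation does not fit this host" >&2; return 1; }
    vbox createvm --name "$VM" --ostype Ubuntu_64 --register
    vbox modifyvm "$VM" --memory "$MEM_MB" --cpus "$CPUS"
    # Fixed-size disk, as suggested above for performance
    vbox createmedium disk --filename "$DISK" --size "$DISK_MB" --variant Fixed
    vbox storagectl "$VM" --name SATA --add sata
    vbox storageattach "$VM" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$DISK"
    # Installer .iso goes on the IDE controller as the optical drive
    vbox storagectl "$VM" --name IDE --add ide
    vbox storageattach "$VM" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$ISO"
    # Keep drag-and-drop off; exchange files through one read-only shared folder.
    # (Newer VirtualBox releases also spell this option --drag-and-drop.)
    vbox modifyvm "$VM" --draganddrop disabled
    vbox sharedfolder add "$VM" --name share --hostpath "$SHARE" --readonly
}

build_vm
```

Review the printed plan first, then rerun with DRY_RUN=0 on a host where VirtualBox is installed.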
Ubuntu
Ubuntu is my go-to distro for virtualization. Ubuntu Linux is open source, lightweight, general purpose, widely supported, secure by default, and has a diverse ecosystem. Current long term release is Bionic Beaver.
Windows
Windows is another option for a virtual OS. Windows is useful for gaming and many proprietary applications (although I wouldn't run a game in a VM without considerable compute power). I think these days, Microsoft will let you use Windows for free, without a licensing key. The catch is that Windows has a built-in RAT that phones home and displays a warning popup if you proceed without entering a key. It's nothing unmanageable though, and there are cheap enough options for purchasing the operating system through educational memberships.
MacOS
This is a tricky one. You can have a MacOS VM with paid solutions via Parallels and VMware hosts. However, I found a repo that offers a free QEMU image for MacOS. It was finicky but worked well enough; I was able to get a High Sierra VM running with a little time and effort. You will have to create the virtual disk image with terminal commands. I am not liable if Apple ninja lawyers rappel into your living room when you go the free route. QEMU is an open source virtualization host that I've been toying with; it has a variety of fascinating operating modes (which we also can't really discuss adequately here), and supports a wider range of processor architectures than VirtualBox. It is admittedly less configurable out-of-the-box for new users, and is generally intended for more advanced kernel developers.
Challenges
There are a few problems inherent to the use of hosted virtual machines. Processing power can be an issue, and using VMs on thinner machines can get buggy, often not being worth the effort. You will have to dial in your configuration some, based upon memory, processor cores, and other performance factors. Adding an additional core to your VM is usually enough to make a significant difference in functionality, but using too much of your machine's compute power can make the host crash on rare occasions. Another recurrent issue is resizing. It is very typical to get warnings about space running out on your machine's storage. You will need to get familiar with detaching your storage disk, resizing in megabytes with terminal commands, and reattaching when you start to run out of space:
VBoxManage modifyhd "C:\Users\User1\VirtualBox VMs\Windows 7\Windows 7.vdi" --resize 81920
You will also need to extend the logical partition inside of your guest VM if you want to incorporate the additional space into your initial virtual drive that the operating system is installed upon, instead of just using it as an auxiliary drive inside the guest.
(2023 Update)
How to Virtualize on an M1 ARM-based Mac
Apple's M1 ARM-based Macs are a new generation of computers that are incredibly powerful and efficient. However, they also present some new challenges for users who need to virtualize.
Two Ways to Virtualize on an M1 Mac
There are two main ways to virtualize on an M1 Mac:
- Use a Type 1 Hypervisor: A Type 1 hypervisor runs directly on the hardware, without the need for an operating system. This provides the best performance, but it can be more complex to set up and manage.
- Use a Type 2 Hypervisor: A Type 2 hypervisor runs on top of an operating system. This is easier to set up and manage, but it can have a negative impact on performance.
Using a Type 1 Hypervisor on an M1 Mac
There are currently two Type 1 hypervisors that support M1 Macs:
- UTM: UTM is a free and open-source hypervisor that is available for macOS, Linux, and Windows.
- Parallels Desktop Pro: Parallels Desktop Pro is a commercial hypervisor that is available for macOS.
To use a Type 1 hypervisor on an M1 Mac, you will need to install it on a USB drive. Once you have installed the hypervisor, you can create a new VM and install the operating system of your choice.
Using a Type 2 Hypervisor on an M1 Mac
There are currently two Type 2 hypervisors that support M1 Macs:
- VirtualBox: VirtualBox is a free and open-source hypervisor that is available for macOS, Linux, and Windows.
- VMware Fusion: VMware Fusion is a commercial hypervisor that is available for macOS.
To use a Type 2 hypervisor on an M1 Mac, you will need to install it on your Mac. Once you have installed the hypervisor, you can create a new VM and install the operating system of your choice.
Which Method Should You Use?
The best method for you will depend on your needs and requirements. If you need the best performance, then you should use a Type 1 hypervisor. However, if you are new to virtualization or you need a simpler solution, then you should use a Type 2 hypervisor.
Virtualizing on an M1 Mac can be a bit more challenging than virtualizing on an Intel Mac, but it is definitely possible. By following the tips above, you can ensure that your VMs run smoothly and efficiently.