On 20 July 2010, Dell KACE introduced a free “sandboxed” version of Firefox for download by anyone. Using its Kontainer application virtualization technology, Dell KACE isolates attacks on the browser from infecting the rest of the system.
The idea of isolating the activities of a potentially harmful application (sandboxing) isn’t new. Isolation via virtualization/sandboxing of OS resources has been used for years in the various host-based intrusion prevention solutions I research – for example McAfee HIPS, Symantec Critical System Protection, Cisco CSA, Trustware, ForceField and others
With the Dell KACE solution, the technique of isolation is applied to the browser, but this isn’t new either. One vendor providing this, GreenBorder, was acquired by Google back in 2007.
Essentially, attacks on the browser are isolated from the rest of the OS. Straightforward enough, but there are some issues. The act of virtualizing the browser also means that “good” changes to the browser are also isolated (say a user adds their own plug in). If and when you need to reset the browser container back to a known good state, all of the legitimate changes are thrown out as well, frustrating users. Likewise, administrators may want to propagate out a change to all virtualized browsers and there needs to be management infrastructure to make these types of changes “permanent”. Also, attacks that target the user (not the OS) are remain a risk – we haven’t virtualized the user (yet!). Finally, you still have the challenge of detecting when an attack has been successful and that the virtualized browser indeed needs to be reset. This is complicated by the fact that traditional OS-based security products running outside of the virtualized browser may or may not see into the virtualized container.
The best deployment scenario for this type of solution will be environments which are reset back to a known good state after each session – enterprise classrooms and training facilities, call centers and educational institutions.