Monday, February 02, 2015

Safe browsing using browser in VM

We often search for something desperately, clicking on all kinds of links that a search engine brings up, and who knows what scripts or worms are going to be executed in our browser. To make this surfing safer, I've decided to run the browser executable in a VM (virtual machine) and enjoy only "picture and sound" here on my workstation. The VM can easily be restored from a snapshot if something bad happens and it gets corrupted by something evil from The Net.
I use my local browser for safe sites (email, banking, etc.). For other, potentially unsafe browsing I use the browser in the VM.
How did I set it up?
I use Linux, and I've installed KVM on it so it can run VMs.
I've created a VM with about 2 GB of RAM and a 2-core CPU; that should be enough.
Then I installed a small Linux distribution, Lubuntu, and in it SSH and Firefox. Done. I can run Firefox in an X window via ssh with the command:
ssh -X lubuntu firefox 

It works well, but there is no sound. :(

In Linux, sound can be streamed from one machine to another in different ways, but the most convenient one is PulseAudio because it is already there. However, it does not communicate via TCP by default; it has to be configured. Add the following modules to your local ~/.pulse/default.pa file on the host machine to let PulseAudio listen on TCP port 4713:

load-module module-native-protocol-tcp
load-module module-x11-publish


Then restart PulseAudio by killing it; it will start again automatically.

killall pulseaudio

Check whether PulseAudio listens on TCP port 4713:

xprop -root | grep PULSE_SERVER

PULSE_SERVER(STRING) = "{32615b6567257d71581bac8751245653}unix:/run/user/1000/pulse/native tcp:ustudio.localhost:4713 tcp6:ustudio.localhost:4713"
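
A complementary check, added here as an example and not part of the original post: the ssh -R tunnel used later in this post connects only to localhost:4713 on the host, so the TCP listener does not need to be reachable from other machines. The function below classifies `ss -ltn` output for the port; the function name and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify how the PulseAudio
# TCP listener is bound, based on `ss -ltn` output read from stdin.
# Prints: closed   - nothing listens on the port
#         loopback - listens only on 127.0.0.0/8 or ::1
#         exposed  - listens on a wildcard or other non-loopback address
pulse_tcp_exposure() {
    awk -v port="${1:-4713}" '
        $1 == "LISTEN" {
            # Column 4 is "address:port"; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1") exposed = 1
        }
        END {
            if (!found)       print "closed"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample outputs of `ss -ltn` (not captured from a real host).
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:4713       0.0.0.0:*
LISTEN 0      5      [::]:4713          [::]:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:4713     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SAMPLE_CLOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_WILDCARD" | pulse_tcp_exposure
printf '%s\n' "$SAMPLE_LOOPBACK" | pulse_tcp_exposure
printf '%s\n' "$SAMPLE_CLOSED"   | pulse_tcp_exposure

# On the host itself the check would be: ss -ltn | pulse_tcp_exposure
```

If the result is `exposed`, the module accepts a `listen=` argument (for example `load-module module-native-protocol-tcp listen=127.0.0.1`) that restricts the listener to loopback, which is all the tunnel needs.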




Copy the file ~/.pulse-cookie to the user's home directory in the VM. PulseAudio uses this cookie to authenticate clients.

scp ~/.pulse-cookie user@lubuntu:~/

Note that starting from version 1.6, PulseAudio stores the cookie in
~/.config/pulse/cookie



Now check whether you can hear a file played in the VM:

ssh -Y user@lubuntu -R 4713:localhost:4713 "PULSE_SERVER=localhost paplay /usr/share/sounds/alsa/Front_Center.wav"

You should hear it if everything is OK.
Check ALSA the same way. (By default, ALSA is streamed to PulseAudio. Flash and other programs may use ALSA rather than PulseAudio.)

ssh -Y user@lubuntu -R 4713:localhost:4713 "PULSE_SERVER=localhost aplay /usr/share/sounds/alsa/Front_Center.wav"

If both work, there should be no problems with running a browser.
Let's test.

ssh -Y user@lubuntu -R 4713:localhost:4713 "PULSE_SERVER=localhost firefox http://www.youtube.com"

Play some video there. You should hear its sound.

Please note: the browser runs in the VM (as an X client). Here, on your host machine, there is only its picture and sound. The window where it is displayed (the X server) also receives your mouse and keyboard input and sends it to the X client, the actual browser running in the VM. (Please read about X basics if my explanation is not clear :) )
But it looks seamless! The only difference you see is the addition "Mozilla Firefox (on lubuntu)" in the window title. Keep in mind that -Y requests trusted X11 forwarding, which is not subjected to the X11 SECURITY extension controls, so the browser in the VM is a fully trusted client of the host's X server.

You can create a little script, MySafeBrowser.sh, that starts the VM (if it is not yet started) and starts the browser in it.

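#!/bin/sh
# Start the VM only if it is not already running, then launch Firefox in it.
virsh domstate Lubuntu | grep -q running || virsh start Lubuntu
ssh -Y user@lubuntu -R 4713:localhost:4713 "PULSE_SERVER=localhost firefox"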

Done!
Do not forget to take a snapshot of the VM.