Jump to content

  • Log In with Google      Sign In   
  • Create Account


application virtualization - how is it done?


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

  • You cannot reply to this topic
12 replies to this topic

#1 jwezorek   Crossbones+   -  Reputation: 1606

Posted 15 January 2011 - 04:28 PM

I was fooling around with spoon.net today and am trying to figure out how they are doing what they are doing.

Reading some old discussions of their previous product xenocode virtualization -- which, I think, is what the newer spoon.net site is on top of -- it seems like they are running actual windows executables in a sand box but changing the runtime environment such that some call that is supposed to, say, modify the registry will just modify the sand box version of the registry, etc. What I don't understand is how this could be done. Are they hooking the win32 API or is there some more clever way?

Sponsor:

#2 trzy   Members   -  Reputation: 100

Posted 15 January 2011 - 06:57 PM

It can be done a number of ways. One way is through emulation, where either each instruction is interpreted or translated into X86 code with augmentation that traps memory and privileged operations, passing them on to a handler function.

It's been years since I've looked at how X86 protected mode works but I think tasks on modern operating systems are each assigned their own page tables, with only the pages they are allowed to access marked as usable. Illegal accesses will cause an exception. Presumably, there is some access to this level of control within the Windows API, at the system-level, and I imagine that virtualization software uses this. They probably create a task in which the pages normally containing system (Windows) API hooks are marked as restricted, allowing them to trap any such operation (as well as any privileged operations).
----Bart

#3 ddn3   Members   -  Reputation: 1249

Posted 16 January 2011 - 01:49 AM

The old method, probably do it the same way hackers did it to run the root kits outside of the OS.. it patches all the calls to the OS and runs the OS in a sandbox while it runs at a higher privilege level. There are virtualization instruction sets now supported at the CPU level which allows a host program to run a slave program within a sandbox at the hardware instruction level.. It's much faster than the old methods and all the new virtulazation software supports it.. That's what the Cloud is built upon.. virtualized software running in a sandbox at the hardware level.. They write emulated device drivers which limit access to the real hardware and pipe it to a realtime compressor which then streams it too u, ie Onlive and Gankai ..

see :

http://en.wikipedia.org/wiki/X86_virtualization

-ddn

#4 jwezorek   Crossbones+   -  Reputation: 1606

Posted 16 January 2011 - 04:55 PM

it patches all the calls to the OS and runs the OS in a sandbox while it runs at a higher privilege level.

When you have a program running that you have downloaded/streamed (or whatever) from spoon.net there is a process running that is called something like spoon-sandbox or something like that. So that would be their fake version of Windows? -- wouldn't that process then have to be gigantic?

I don't know maybe I'm naive but all these low-level rootkit-like explanations seem a little heavy-weight for this website that is deploying stuff via a firefox plugin to be using...

#5 dwarfsoft   Moderators   -  Reputation: 1210

Posted 16 January 2011 - 06:08 PM

Think of it more like their Wrapper for the app. It isn't a fake windows but acts more like a firewall between windows system calls and the application. It keeps "changes" made to the system within its own Wrapper application and returns those values whenever requested be the child application. It's more like a firewall between an application and Files/Registry than a "fake windows".

#6 ddn3   Members   -  Reputation: 1249

Posted 16 January 2011 - 08:44 PM

I was describing the method people used 5 years ago, that method is hopelessly out of date with the advent of the virtualized instruction set supported by hardware. Now its all done in a cloud configuration remotely and streamed too you.. Spoon.net likely has instances running on a cloud then using proprietary graphics drivers intercept and encode the low level UI command and send then to their clients aka like Remote Desktop. This is a cheaper solution than what Onlive and Gankai does which is fast hardware accelerated encoding turning it all into a video stream.. Maybe they do run a process on your side but i doubt it, its probably just nothing more than a thin client to decode GUI commands..

-ddn

#7 dwarfsoft   Moderators   -  Reputation: 1210

Posted 16 January 2011 - 08:52 PM

Ah, you are right. It's probably a similar process in which applications get distributed via Citrix Metaframe. The applications run server side on a Windows Server box, but the client has a video interpretation of the application on their local machine. Each application user has their own application state stored on the server. It's like remote desktop, except without the desktop. The application windows are remotely projected to the client.

Edit: Also, originally I was envisioning Application Virtualization like VMWare ThinApp. This basically encapsulates an application installation into a single .exe. The .exe runs in a sandboxed state on any machine, but allows you to do things like running IE6, IE7, IE8 and IE9 concurrently (or at least this is how it was demonstrated to me during the training sessions). This runs more like the Sandboxed client I was referring to in the earlier post, acting as a firewall between the app and the system.

#8 jwezorek   Crossbones+   -  Reputation: 1606

Posted 16 January 2011 - 09:58 PM

Spoon.net likely has instances running on a cloud then using proprietary graphics drivers intercept and encode the low level UI command and send then to their clients aka like Remote Desktop.

the client has a video interpretation of the application on their local machine. Each application user has their own application state stored on the server. It's like remote desktop, except without the desktop. The application windows are remotely projected to the client.


I'm pretty sure that this is not what they are doing because (1) There's no latency, (2) I haven't tested this but I get the feeling you could run the spoon.net virtualized apps without a live internet connection, and (3) if you examine the spoon.net virtualized apps with Spy++ you will see that they are composed of real win32 child windows, real win32 listviews and edit controls etc.

It seems to me that they are running actual Win32 exe's on the client that are altered such that when a system call occurs that would interact with or modify some global OS asset it somehow gets diverted to only modify the sandbox. I think that the only thing the browser plugin is doing is serving as basically a download manager for the apps and that this is basically a re-packaging of the xenocode virtualization stuff that they released a few years ago -- they're just re-branding themselves to look all Web-2.0-ish.

#9 dwarfsoft   Moderators   -  Reputation: 1210

Posted 16 January 2011 - 10:43 PM

In which case I would go back to my Firewall description. It is basically working to interpret system calls but replacing "changes" to the system with a changes to a table within the firewall/virtualization app. Basically it is a buffer between the OS and the sandboxed app. This way the Virtualization client basically lets calls to create windows go through the standard System DLLs and any changes to registry or file system go to an app specific table in the Virtualization Client. This way it does not need to reimplement Windows, but only stop changes being made to the existing system. Having not implemented something like this myself I can't say exactly how it works, but it sounds very much like VMWare ThinApp or a Sandboxie type setup.

#10 ddn3   Members   -  Reputation: 1249

Posted 17 January 2011 - 03:04 AM

I've read further on their tech on their dev site. It does what I've said but also allows you to run those virtualized bundled app locally as well (maybe that's what your running, however i would be weary of anything which downloads and runs arbitrary executables no matter how secure they think it is). They are using the same techniques all virtualziation software is using, use the virtualized instruction set, run the sandbox client program in a host program, hook the calls to low level devices and services to make the exe thinks its running on clean native windows install (they do this so they don't have to buy a license of windows for each instance?) etc.. with an added boost they decouple the UI from the executable core so its easy to do remote execution, ie their intranet /internet deploy schemes, upload to their cloud etc... All the calls to windows and runtime libraries can be hooked and overridden to make the app thinks its running inside windows but in reality its running inside a sandbox.. Probably analyze the exe and patch up the system calls to their on Spoon OS as they call it..

Here is their docs link

http://spoon.net/Studio/Spoon-Studio-User-Guide.pdf

The claim hardware virtulziation is slower that their method, that hasn't been my experience between the 2 methods, when they can show modern DX games running near full framerate in their VM i'll be impressed :)



-ddn

#11 Katie   Members   -  Reputation: 1283

Posted 17 January 2011 - 03:21 AM

"It is basically working to interpret system calls"

Generally virtualisation works by using memory/IO protection structures. When an app, (possibly via its OS layer) tries to write to memory or IO it ought not to be allowed to, then there's an exception. Either to the OS (in the case of app virtualisation) or to the hypervisor if you're doing OS virtualisation.

This actually allows you to run unmodified systems. You can either pass through monitored access to the real hardware or provide "simulated" hardware. The former is more useful for performance (since you can give a guest direct access to something like a video card). The latter is more useful for cloud systems (since you can arrange for all hosts to provide the same emulated hardware regardless of their real physical config -- meaning you can migrate VMs around your hosts).

There is an option of "paravirtualisation". This is where the drivers know they're on a VM. Instead of prodding at memory or setting up DMA to do things, their code marshalls stuff up into neater packages and passes it in one go to the driver system. This is generally much more efficient.

XenDesktop/XenApp (I believe[1]) run paravirtualised graphics drivers which render the window contents to memory and then send the memory contents over the network. There are some options to end up with more of the app running locally but I don't know quite how that works (IIRC it relies on the client being Windows as well). Those virtualised systems live on top of XenServer. XenServer uses the Xen hypervisor to run the machine, and a privileged version of linux provides all the emulated hardware interfaces.


" if you examine the spoon.net virtualized apps with Spy++ you will see that they are composed of real win32 child windows, real win32 listviews and edit controls etc."

This would seem entirely reasonable in Windows client system -- the emulated win32 systems simply sanity check the inputs and then throw the request at the hosts win32.



[1] I have some contact with them, but I don't work directly with them.

#12 trzy   Members   -  Reputation: 100

Posted 19 January 2011 - 01:53 AM

I've read further on their tech on their dev site. It does what I've said but also allows you to run those virtualized bundled app locally as well (maybe that's what your running, however i would be weary of anything which downloads and runs arbitrary executables no matter how secure they think it is). They are using the same techniques all virtualziation software is using, use the virtualized instruction set, run the sandbox client program in a host program, hook the calls to low level devices and services to make the exe thinks its running on clean native windows install (they do this so they don't have to buy a license of windows for each instance?) etc.. with an added boost they decouple the UI from the executable core so its easy to do remote execution, ie their intranet /internet deploy schemes, upload to their cloud etc... All the calls to windows and runtime libraries can be hooked and overridden to make the app thinks its running inside windows but in reality its running inside a sandbox.. Probably analyze the exe and patch up the system calls to their on Spoon OS as they call it..


You can't analyze .exe files and expect to catch everything. It has to be done at run-time, which means it either uses virtualization instructions (but I thought these were not standardized between Intel and AMD and were unavailable on most desktop X86 machines), Windows device-level APIs that allow manipulation of the page table (I don't know if these exist), or, most likely, dynamic binary translation (because I think even the page table technique cannot trap everything that needs to be trapped -- namely certain instructions) which would allow them to analyze the code as it runs and trap everything.

Remember the Google plug-in that allowed X86 code to be used in web pages? I think this is basically the same idea.
----Bart

#13 cameyo   Members   -  Reputation: 100

Posted 31 January 2011 - 06:02 PM

I was fooling around with spoon.net today and am trying to figure out how they are doing what they are doing.

Reading some old discussions of their previous product xenocode virtualization -- which, I think, is what the newer spoon.net site is on top of -- it seems like they are running actual windows executables in a sand box but changing the runtime environment such that some call that is supposed to, say, modify the registry will just modify the sand box version of the registry, etc. What I don't understand is how this could be done. Are they hooking the win32 API or is there some more clever way?


Yes, the APIs are hooked indeed. In a very short description: resources required by the application (mostly files and registry keys) are redirected to and from a separate folder, provided by the virtual package.
Free app virtualization can be found on our website: www.cameyo.com

Regards






Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.



PARTNERS