Deployment Guide

How to install Isolated Execution?

All the steps must be followed in the order shown on this list.

1) Download Isolated Execution repository in some local directory (from now on [WORKING_DIR])
svn co https://isolated-exec.svn.sourceforge.net/svnroot/isolated-exec isolated-exe
2) Download Xen 3.1.0 from its repository : http://xenbits.xensource.com/
3) Install Dev86 Linux package that can be downloaded from http://homepage.ntlworld.com/robert.debath/. Unpack the file and follow the instructions in the README file
4) Install the SDL development package as well as the packages required by XEN (listed in Xen’s README)
5) Compile and install Xen. Using make world is enough to compile and install Xen. For more detailed instructions refer to the README file inside the Xen directory.
Note: You must add the lines in your boot loader by hand in order to boot your Xen hypervisor.
6) Create the user VM. For that, create a disk image for the virtual machine’s primary disk in [WORKING_DIR]/vm-images/:
dd if=/dev/zero of=[WORKING_DIR]/vm-images/UserVM.img bs=1M count=4096
7) Generate an iso image from a Windows XP installation file. Save the image at [WORKING_DIR]/vm-images/WindowsXP-SP2.iso
8) Create a Xen machine Configuration file for the user VM(/etc/xen/UserVM.cfg) like this.
kernel = '/usr/lib/xen/boot/hvmloader'
builder = 'hvm'
memory = '384'
device_model='/usr/lib/xen/bin/qemu-dm'
# Disks
disk = [ 'file:[WORKING_DIR]/vm-images/UserVM.img,ioemu:hda,w',
'file:[WORKING_DIR]/vm-images/WindowsXP-SP2.iso,ioemu:hdc:cdrom,r' ]
# Networking
vif = ['ip=192.168.0.1,type=ioemu, bridge=xenbr0, mac=aa:00:00:50:02:f0']
#Behaviour
boot='dc'
sdl=1
serial = 'pty'
# Hostname
name = 'UserVM'
9) To install the user VM run
xm create UserVM.cfg
10) Configure the user VM network with the following values
IP= 192.168.0.1
GW= 192.168.0.254
11)Create the user delegator with the password delegator in the user VM. This user must have Administrator rights.
12)Shutdown the user VM, shutdown Xen (xend stop) and down the bridge (/etc/xen/scripts/network-bridge stop)
13)Configure Xen to use a NAT configuration. This is configured in the file /etc/xen/xend-config.sxp.
The following lines must be commented
#(network-script network-bridge)
#(vif-script vif-bridge)
And these other ones have to be uncommented
(network-script network-nat)
(vif-script vif-nat)
14)Restart Xen: (xend start)
15)Start the user VM again (xm create UserVM.cfg)
16)Unpack isolated-execution-0.0.1.tar.bz2, compile and install it in Domain 0:
./configure
make
make install
17)Run the script vmpool-setup-network-xen-guest.sh in Domain 0 to configure the user VM network. Use the following line:
vmpool-setup-network-xen-guest.sh 192.168.0.1
The script should be installed in the /usr/local/bin directory in the previous step. You can test the internet connection for the user VM now.
18)Create a sandbox virtual machine.
    Create the disk image:
    dd if=/dev/zero of=[WORKING_DIR]/vm-images/Sandbox01.img bs=1M count=4096

    Create a VM config file for the sandbox VM with the following configuration. This file has to be created in the /etc/xen/ directory with the Sandbox01.cfg name

    kernel = '/usr/lib/xen/boot/hvmloader'
    builder = 'hvm'
    memory = '384'
    device_model='/usr/lib/xen/bin/qemu-dm'
    # Hostname
    name = 'Sandbox01'
    # Disks
    disk = ['file: [WORKING_DIR]/vm-images/Sandbox01.img,ioemu:hda,w']
    # Networking
    vif = ['ip=192.168.0.2,type=ioemu, bridge=xenbr0,mac=aa:00:00:50:02:f1']
    # Behaviour
    boot='dc'
    sdl='1'
    serial = 'pty'

    Run the Sandbox01 VM

    xm create Sandbox01.cfg

    19)Configure the Sandbox01 VM network with the following values
    IP= 192.168.0.2
    GW= 192.168.0.254
    20)Install Delegation Module in the user VM:
    a. Install isolated-execution-delegation-module-win32.exe
    b. Logged in as delegator, go to Start->Run, type sendto in the text box and click enter.
    c. Copy a shortcut to the IEDelegationModule.exe file in the SendTo folder. (This file should be installed in Program Files\Intel\Isolated Execution\Delegation Module\)
    d. Rename the shortcut to Sandbox VM.
    e. Change the associated icon: Right click on the icon->Properties->Change Icon (choice the Recycled Bin icon)
    21)Create the delegator user with password delegator in Domain 0.
    22)Install the ssh server in Domain 0.
    23)Create the /home/delegator/.ssh/ directory in Domain 0. Change its permissions to 700.
    24)Download and unpack the Delegation Module source (isolated-execution-delegation-module-source-0.0.1.zip) code at [WORKING_DIR]
    25)Copy the [WORKING_DIR]/isolated-execution-delegation-module-source-0.0.1/DelegationModule/authorized_keys in /home/delegator/.ssh/ in Domain 0. Change its permissions to 600.
    26)Start the sandox VM network running the command ./vmpool-setup-network-xen-guest.sh 192.168.0.2 in Domain 0.
    27)Install cygwin and opensshd in the sandbox VM. Follow the instructions in this page http://pigtail.net/LRP/printsrv/cygwin-sshd.html
    28)Set the delegator user in the sandbox VM as the default user.
    a. In the sandbox VM, set Windows XP to auto logon with the delegator user without requesting its password:
    Click Start and then click Run
    In the "Open" box, type control userpasswords2, and then click OK.
    Select the user "delegator"
    Clear the check box for Users must enter a user name and password to use this computer, and then click Apply.
    An "Automatically Log On" window will appear. In the dialog box, type the password for delegator user in the Password box, and then retype the password in the Confirm Password box.
    Click OK to close the "Automatically Log On" window, and then click OK to close the "User Accounts" window.
    29)Install the Domain 0 delegator user public key in the sandbox cygwin environment; in this way no password is requested when login. Follow the instructions in this page http://sial.org/howto/openssh/publickey-auth/ or:
    [delegator@dom0]$ pwd
    /home/delegator
    [delegator@dom0]$ ssh-keygen –q –f ~/.ssh/id_rsa –t rsa
    [delegator@dom0]$ chmod go-w ~/
    [delegator@dom0]$ chmod go-rwx ~/.ssh/*
    [delegator@dom0]$ scp ~/.ssh/id_rsa.pub delegator@192.168.0.2:~
    (type delegator’s password)

    Now, in the sandbox VM enter to cygwin’s shell.

    [delegator@Sandbox01]$ pwd
    /home/delegator
    [delegator@ Sandbox01]$ mkdir ~/.ssh
    [delegator@ Sandbox01]$ chmod 700 ~/.ssh
    [delegator@ Sandbox01]$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
    [delegator@ Sandbox01]$ rm ~/id_rsa.pub
    30)Copy the vmpool.cfg file from [WORKING_DIR]/isolated-execution-0.0.1/samples/vmpool/xen to /etc
    31)Copy the ie.conf file from [WORKING_DIR]/isolated-exec/trunk/src/main/linux/samples/ie.conf to /etc
    32)Install the Migration Module (isolation-execution-migration-module-win32.exe) in the sandbox VM. The Migration Module service has to be configured to start automatically when the VM is booted (Go to Control Panel->Administrative Tools->Services and change the Startup Type of the IEMigrationModule to Automatic).
    33) Add a shortcut to IeLauncher.exe in the Startup delegator’s account in the sandbox VM. The IeLauncher.exe should be located at Program Files\Intel\Isolation Execution\Migration Module. (To add the shortcut go to Start->All Programs->Startup).
    34) Shutdown both virtual machines.
35)Run ie in the Domain 0.

These command will start both virtual machines and it will pause the Sandbox VM (putting it on the pool of virtual machines). In Once Sandbox VM is paused and the User VM is ready, open in a sandbox any file, for instance, NOTEPAD.EXE (Right click on the file, Sendto->Sandbox VM). The File should be opened in the Sandbox VM. When you close the delegated application, the Sandbox VM should be restarted and put it back to the pool