
Glenn Faden's Blog

  • January 17, 2009

3D Accelerated Virtualized World Tours

Guest Author

The latest VirtualBox 2.1 release includes a new experimental\* high performance XGL driver for Windows guests. This makes it possible to run 3D applications like Google Earth in virtualized environments with excellent performance. I've previously blogged about running VirtualBox guests in labeled zones. But the new 3D capability is so amazing that you have to see it to believe it. Now I've made my first YouTube video, showing the system performance on my Toshiba M9 with 4GB of RAM. An instance of VirtualBox is running in each labeled zone, and an instance of Microsoft Vista is running in each VirtualBox. Each Vista instance is running Google Earth, at high speed using the virtual XGL driver included in the VirtualBox Guest Additions. 

I also uploaded a QuickTime version of this video to Sun's MediaCast web site which provides higher resolution than YouTube.

Since this is a security blog, it is important to mention that the network isolation provided by Trusted Extensions extends only as far as the Vista guests. The PUBLIC instance is connected to the public Internet, and the CONFIDENTIAL : INTERNAL USE ONLY instance is connected to Sun's Wide Area Network (SWAN) via the Cisco 3000 VPN. Although the remote VPN endpoint has been labeled CONFIDENTIAL : INTERNAL USE ONLY, neither the Cisco VPN server nor SWAN is label-aware, so the network isolation enforced by Trusted Extensions doesn't extend outside of SWAN. That's why the internal zone instance of Google Earth can connect to the PUBLIC Google servers. The Windows VPN hides this traffic from the Solaris kernel. In a classified environment, this would not be permitted.

For those trying this at home, I pulled out all the stops to get the best performance. I used UNIX domain sockets instead of TCP for X11, and I ran the demo several times to get the images into the cache. Otherwise this ran on the official releases of OpenSolaris 2008.11 and VirtualBox 2.1.

\* (see user manual, chapter 4.8, Hardware 3D acceleration (OpenGL), page 66)



Comments ( 2 )
  • Chris Bull Wednesday, May 13, 2009

    Hi,

    Very interesting entry on using MAC with openGL.

    Could you comment on whether the path for data used by the openGL transport would be in violation of the security target used for the EAL4+ status of Solaris with Trusted Extensions?

    Also, would this in principle work with Sun Shared Visualization server, to allow remote openGL acceleration of Windows hosts?

    Regards

    Chris


  • Glenn Faden Saturday, September 26, 2009

    The path used for openGL is consistent with the EAL4+ evaluation. The X11 server correctly manages shared memory segments from labeled zones, and prevents rendering or viewing into pixmaps owned by clients in other zones or with other user IDs.

    Shared Visualization is more complex and is not included in the evaluation.

