I Hate Lockdown Browser
Recently I’ve been working off of my Linux laptop for most things, because having a terminal around that isn’t running Windows or macOS is fun and useful.
That got me wondering if I could take one of my courses’ exams on the machine, since it used Respondus’s Lockdown Browser, an exam-focused browser that locks you out of all other apps for the duration of the exam.
Long story short: you can’t. But if you want to follow along, then you can see how terrible Lockdown Browser is, and the insanity that students have to deal with nowadays.
Is there a Linux client?
First thing I checked. No.
Does it run under a VM?
Yes, it runs. It shows you this error message:
And quits.
But we’re Linux nerds, so we’ll dig a little deeper.
Tricking Lockdown Browser
We need to hide the fact that we’re running LDB inside a VM, from LDB.
First order of business is to pass through the SMBIOS information from the host machine to the virtual machine, by editing QEMU’s XML. Add the following lines between the <os> </os> XML tags:
<os>
<!-- Some other lines... -->
<smbios mode="host" />
</os>
Next, we need to disguise the CPU. By default, QEMU reports to the virtual machine that it is being virtualized, and that the vCPU is not a physical CPU. We need to tell QEMU to not be so honest, and to pass in the CPU information directly. Find the <cpu> tag, and if it is enclosed, create a closing tag and paste in the following:
<cpu ...>
<topology sockets="1" dies="1" cores="1" threads="2"/>
<feature policy="disable" name="hypervisor"/>
</cpu>
You will need to edit the CPU topology to match your vCPU configuration, or else it will either not apply, or your VM will crash.
By disabling the hypervisor, we’re lying to the VM and telling it that it is not actually virtualized. The VM will now think the CPU has virtualization capabilities, not that it is being virtualized. Check using Task Manager inside the guest OS – if you see something like “Virtual Machine: yes”, then it didn’t work properly. It should say something like “Virtualization: Enabled”.
Finally, the last thing we have to do is to hide device names from LDB. Boot into the virtual machine, fire up regedit, and navigate to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Find each virtual drive device, and change the FriendlyName to something like Samsung HDD 500 GB ATA or LG SuperDrive 20x CD-ROM. (You may need to grant yourself permissions if regedit complains.)
Once you’ve done all that, LDB should now launch.
Very briefly.
There’s a second lockout?
Unfortunately, LDB has a second lockout to lull you into a false sense of security. Once you start the exam, after a couple of seconds, you will see this screen:
This probably uses some other VM detection technique. If you’re curious, there’s a repository named pafish that goes over some of them.
I could probably also find a workaround for this given enough time. But the exam is next week, and I really can’t be bothered, and if this happens on the actual exam I don’t want to get suspected of cheating when I only wanted to take the test on my Linux laptop. I can just take it on another computer.
And therein lies the problem.
What is Lockdown Browser trying to prevent again?
Lockdown Browser tries to prevent cheating by locking you out of the computer you’re taking the test on and disallowing you from opening other applications, like browsers.
Only, of course, on the computer you’re taking the test on.
So what prevents a student from… using two computers? Or heck, a phone? Everybody has a phone right? Do you guys not have phones?
Our professor actually recommended students to use one of the campus computers if we used our personal computers to take notes on, since the exam was (and the upcoming exams will be) open notes. What’s the point of using Lockdown Browser, then?
And some reasons why you should avoid installing Lockdown Browser…
While testing out the VM techniques, I noticed that Lockdown Browser was causing the virtualized OS to act erratically. At one point, Task Manager refused to run, despite not having Lockdown Browser open. I had to restore a snapshot to get everything going again.
That’s not all. If you search “Lockdown Browser broke my computer”, you will see a ton of testimonials:
- https://www.reddit.com/r/KSU/comments/sq1qrr/lockdown_browser_crashed_my_dell_desktop/
- https://www.reddit.com/r/jmu/comments/zqysg0/does_lockdown_browser_damage_anyone_elses_computer/
- https://www.reddit.com/r/utarlington/comments/jx6teg/respondus_lockdown_browser_keeps_messing_up_my/
Which is not surprising. Lockdown Browser messes with Windows’s Group Policy, the Registry, and Power Options, to prevent other applications from opening, take full control of your computer, and prevent it from going to sleep. And sometimes the shoddy code of LDB means that your computer might not be the same state as before taking the exam, after the exam is over.
And what better things do students have to do, than reinstall their operating system on their laptop and set up literally every single program that they need for their coursework, in the middle of the semester, and then do it all over again during finals week? Nothing, that’s what. I’m sure everyone cheers at the Windows/macOS setup wizard screen.
Any alternatives?
There is another project that utilizes Windows Sandbox, that actually works. (I’m guessing this is because Windows Sandbox utilizes Hyper-V, which is significantly harder to detect as it’s in Microsoft’s best interests to make it rock-solid for enterprise users and for preventing Xbox exploits.) However, the project was recently placed into Respondus’s bug tracker, suggesting that this will be patched out soon.
So what now?
Once this blog post goes up, I’ll be emailing my professor a link so that hopefully the use of Lockdown Browser is reconsidered. If your school or college also utilizes Lockdown Browser, I suggest linking your instructor this blog post to hopefully convince them not to use Lockdown Browser.
Some might think that LDB is working because I was unable to get the VM detection evasion working. No, it’s not. My whole point is that LDB is unnecessary and just makes students lives more complicated because it messes up your computer for no good reason, while cheaters can just cheat away using other devices they have at their disposal while never ever triggering LDB’s mechanisms – because it is impossible to detect that someone is using another device to cheat. Simply put, LDB punishes students, especially poorer ones that cannot afford multiple computers, while letting cheaters get away scot-free. (I think there might be some social commentary quip that’s appropriate but it’s midnight as I write this and I’m tired so please feel free to come up with one with your own imagination.)
In the meantime, I guess I’ll go find a library computer or something to install this malware-esque examination program on. Because hell if I’m installing this on my personal computer, even if it’s possible on Linux in the first place.
Update
I actually got a reply from my professor today, and it seems like the Lockdown Browser requirement will be removed going forward! (Thank you professor if you’re reading this!)
If your institution requires the use of Lockdown Browser, consider sending them this blog post to show them how ineffective it is. And if they change their mind, post about it somewhere! The more we speak out against this piece of shit software the more normalized it would be to not use it.