
Thread: Virtualization and Security..

  1. #1
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Question Virtualization and Security..

    Are we there yet? As virtualization starts becoming more and more used (and well, because I've got some heavy ties into it now) I wonder if virtualization has reached a point where security becomes an issue.

    From my experience most security issues for virtualization have rested on the "hosted" variants (that is, those that require a Windows or Linux OS underneath the virtualization application) -- like Redpill, scooby_doo and NoPill attacks. Along with those are the general issues that come with the hosted OS. On the other hand, with bare-metal hypervisors we're not seeing as many attacks.

    Is this just a frontier waiting to happen? Or is it secure as it is? Or what?

    Thoughts, comments?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member Cemetric
    Join Date
    Oct 2002
    Posts
    491
    Hmmm, I've been wondering about that myself (yes, I too have heavy ties into it).

    For the moment (I say with my tongue in cheek) I think we're still reasonably safe; it takes a whole other thinking to start attacking at hardware level, and I think there aren't a lot of people going there right now.

    This doesn't mean it can't happen; there's a reason that Symantec and Intel are joining forces to develop chips with hardcoded security measures in them. Sure, it's part marketing and sales tricks, but then again ...

    As long as I don't see proof of the opposite (and I mean real proof, not the ifs and whens) that hopping between virtual switches that aren't connected is NOT possible, I'll be installing a firewall on bare metal ...
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    I don't see how it would be any less or more secure, except that you may not have physical access to the host since it could be running on something like ESX and you may only have access to the VMs.

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    I think that the hypervisor approach is still too young to tell... As it is, VMware / Virtual (PC|Server) have been around for some time, and it was really only this year that we saw nasty remote exploits for both of them.... There's definitely an issue of having an underlying OS... it doesn't work in the long term... not when you are thinking security. It's fine to use "traditional" virtualization for development purposes... but for consolidation it just doesn't work.

    For consolidation, the hypervisor will be the only way to go... and we'll have to wait and see.. it's too early to tell if the attacks will become predominant... and if host segregation will be adequate... Attacking the host is fine, but what happens when one of the guests is compromised and someone discovers that the guests can, with relative ease, jump between themselves... That opens the door to other problems...

    Virtualization, as it currently stands, only has one road... and currently it's the road to being less secure... The guest OS has the same level of security and below it you are introducing more complex code... you won't see increased security... at least not for a while... (if ever).

  5. #5
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    HT, yer a thread killer!

    Quote Originally Posted by HTRegz
    I think that the hypervisor approach is still too young to tell... As it is, VMware / Virtual (PC|Server) have been around for some time, and it was really only this year that we saw nasty remote exploits for both of them.... There's definitely an issue of having an underlying OS... it doesn't work in the long term... not when you are thinking security. It's fine to use "traditional" virtualization for development purposes... but for consolidation it just doesn't work.

    For consolidation, the hypervisor will be the only way to go... and we'll have to wait and see.. it's too early to tell if the attacks will become predominant... and if host segregation will be adequate... Attacking the host is fine, but what happens when one of the guests is compromised and someone discovers that the guests can, with relative ease, jump between themselves... That opens the door to other problems...

    Virtualization, as it currently stands, only has one road... and currently it's the road to being less secure... The guest OS has the same level of security and below it you are introducing more complex code... you won't see increased security... at least not for a while... (if ever).
    Hrmm.. so EAL4+ certification for 3.0.1 (I think that's what they submitted for common criteria) won't help much? What security do you think it's lacking (from your post you seem to be suggesting, from my viewpoint, that a hypervisor is insecure)? What things will virtualization have to include to ensure security?

    Then again, what system is ever truly secure?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Quote Originally Posted by MsMittens
    HT, yer a thread killer!

    Hrmm.. so EAL4+ certification for 3.0.1 (I think that's what they submitted for common criteria) won't help much? What security do you think it's lacking (from your post you seem to be suggesting, from my viewpoint, that a hypervisor is insecure)? What things will virtualization have to include to ensure security?

    Then again, what system is ever truly secure?
    I've often thought I should be ThreadKiller but the name was taken...

    I don't know that EAL4+ is sufficient... I don't know that security is necessarily lacking from the hypervisor... as you write in security you bloat the product... which isn't what you want from a hypervisor... I think it's inherent security risks that are the problem... some problems have to go away... regardless of how minor the hardware is...

    Cemetric had a great example... the security of virtual switches... Going further... the hardware is being shared... something is controlling that hardware sharing... that control is at risk.. especially (for example) at the network level...

    Will hypervisors make systems more insecure... not necessarily... will they increase security... not a chance.
