Thu, 19 Jun 2008 10:14:16 GMT
by pdp

Please don't take this post as a rant towards all the virtualization hackers out there. You are doing a great job and there is no doubt about that. My sole purpose is to get to the bottom of a problem which I believe is widely ignored when it comes to the purpose of virtualizations.

In Krakow I had a very interesting discussion with Joanna Rutkowska, the famous rootkit security researcher (if you don't know her, google her work, it is a good read). My main objection was that virtualization technologies will never be used by end-users the way information security researchers are envisioning it today.

According to Joanna and several other folks, the basic idea of virtualization as a security solution is:

Segmenting your laptop into several virtualized machines increases the overall security because hacking into one of the machines won't lead to a complete compromise, since the critical data is spread out across other segments of the same computer. For example, each user will have several operating systems running simultaneously. Each operating system will be associated with a specific purpose, i.e. a secure Linux distro with a default secure browser setup will be used only for banking, while a different virtual image running Windows XP will be used for random surfing.

This is an interesting idea but it will hardly ever work unless you are a geek, imho. The reasons for this are very simple and straightforward:

Administrative Overhead

It is needless to say that if your corporate laptop has more than one operating system, it will be harder for you or your sysadmin to maintain. It is hard enough to keep up with the latest patches for a single operating system. If you are running 4 of them, you will really have to spend a decent amount of time per day just to maintain a basic level of security.

User-level Bridges

Keep in mind that most users are not geeks, and their primary goal of the day is to get their work done, not to mess around with finding a clever and secure way of moving their recently stored bookmarks from the "random surfing" machine to their "corporate environment" machine. Of course, because none of the machines share disk space, the users will end up using the ingenious Windows sharing features or some other auto-syncing software such as "Live Mesh". Virtualization technologies do not make your life easier, and every bridge that is set up to let users do basic tasks will be used against them once one of the guest machines is compromised.

Environment Considerations

Although the virtualized OS instances are insulated from each other at the machine level, this is hardly the case at a higher level. Disk space may not be shared, but users are still using the same network to access the Internet. What about USB drives, discs and memory sticks? A USB drive will work across all operating systems, I presume. Therefore, it is a bridge which completely defeats the purpose of having virtualized insulation in the first place. What about the Web? Some websites will be accessible from all virtual machines, so the Web itself acts as a bridge between the different machines.
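The "bridges" argument of the last two sections can be turned into a concrete audit. The script below is an added example, not part of the original post; it assumes the key names that VirtualBox's `VBoxManage showvminfo <vm> --machinereadable` prints (`SharedFolderPathMachineMapping*`, `clipboard`, `draganddrop`, `usb`, `nicN`), and the two VM descriptions it checks are constructed samples: one "random surfing" guest with every convenience enabled, and a stripped-down "banking" guest.

```python
"""Flag host/guest bridges in a VirtualBox-style VM description.

Added example (not from the post). Key names are assumed to follow
`VBoxManage showvminfo --machinereadable`; both samples are constructed.
"""
import re

# Constructed: the "random surfing" guest with all the usual conveniences on.
SURFING_VM = """\
name="random-surfing"
nic1="bridged"
usb="on"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="bookmarks"
SharedFolderPathMachineMapping1="/home/user/Documents"
"""

# Constructed: the banking guest, with every bridge but its NAT uplink closed.
BANKING_VM = """\
name="banking"
nic1="nat"
usb="off"
clipboard="disabled"
draganddrop="disabled"
"""

def parse_vminfo(text):
    """Turn key="value" lines into a dict; unquoted values are kept too."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)="?(.*?)"?$', line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def find_bridges(info):
    """Return (setting, value, why) for each path from host into guest or back."""
    bridges = []
    for key, val in sorted(info.items()):
        if key.startswith("SharedFolderPathMachineMapping"):
            bridges.append((key, val, "host directory mounted inside the guest"))
        elif key == "clipboard" and val != "disabled":
            bridges.append((key, val, "clipboard shared with the host"))
        elif key == "draganddrop" and val != "disabled":
            bridges.append((key, val, "file drag-and-drop with the host"))
        elif key == "usb" and val == "on":
            bridges.append((key, val, "USB devices can be passed into the guest"))
        elif re.fullmatch(r"nic\d+", key) and val == "bridged":
            bridges.append((key, val, "guest sits on the same LAN as the host"))
    return bridges

if __name__ == "__main__":
    for sample in (SURFING_VM, BANKING_VM):
        info = parse_vminfo(sample)
        print(info["name"], find_bridges(info))
```

NAT networking is deliberately not flagged, since the banking guest needs some uplink; the post's point that the Web itself remains a bridge still stands.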

Introducing unnecessary complexity is always a bad decision!

In conclusion, virtualization technologies are good for certain things but let's not overestimate them. Hosting gazillions of VPS or installing an invisible rootkit are probably among the things virtualization technology is actually good for. Anything else is probably a call for a disaster.

Archived Comments

c wilson
A refreshing perspective. Sometimes security researchers get so lost in the bits & bytes that they forget about practicality, usability and use profiles. In the rush to further research as well as corporate profits, research sometimes slides into the impractical realm and is overhyped for the sake of hype, getting attention and making money. This is not to say that the research is not interesting or that they should stop, but I think it's wise to consider the bigger picture sometimes.
Bob McArdle
Unfortunately it's normally a case that Usability ∝ 1/Security. It's easy to make a perfectly secure system. As long as there is no way to ever interact with the system in any way, and it was in a secure state at the start - it should remain secure. Problem is it's completely useless. That's where the challenge in all of this security industry lies. People want to know that their machines are secure, but ideally they would not want to ever be bothered by their security solution. As security researchers we can lose track of that.
The best idea I have heard for VM is to give corporate Users a VM on their work machine for personal use. Steps could be taken to limit threats while plugged into a managed network.
I don't believe that security is a prime driver in any decision by organizations. Generally other considerations, including business needs are the decision driver.
There are methods to stop USB drives, memory sticks and discs being used within any operating system, e.g. disable mounting of external drives, group policy config in Windows. In my opinion (feel free to criticise this) the best thing they could do would be to: restrict the one for browsing the Internet down to literally just browsing the Internet; any files can be transferred through webmail-based clients through the organisation's (antivirus) email (yes, you have added one extra step, but if you set your mail server up correctly this should not be too much of an issue). This could then be picked up (after already having been scanned for viruses) via your organisation's email client on the system where the files are stored. In most environments that are managed, the end user would not typically be allowed to download any executable files anyway. OR you may set up a network share point that disallows execute commands and can only be written to by logging in as an upload/download user which does not correspond to anything else on employees' computers (i.e. no autologin to network shares with credentials stored on employees' computers). Obviously permissions would have to be set up as normal on the servers, but functionality in virtualised environments does not have to be annihilated, only learned. If everyone expects Windows users to convert to Linux and the argument is "you'll get used to it", then why is the attitude not the same when something as important as confidentiality is concerned? (If only the Office of National Statistics (UK) operated in such a secure way....) If something is weird for long enough it becomes normal.
There is no silver bullet for security. It all boils down to profit. It takes money to do research, and if the research cannot be used to make money or save lives, then it is wasted. Virtualisation is a welcome technology. It can allow me to run one OS and emulate another, say for example running OpenBSD and emulating Windows. So it's good; it only depends on how you make use of it. Big up to those making it happen and leading the way, and I follow the path of enlightenment.
VMs are a welcome technology. I have several non-persistent VMs. I use them to test new software before I install it on my PCs, especially software downloaded from the Internet. I also have a VM for my personal tasks in order to protect my corporate network. But as PDP says, I am a geek. Most end-users have a tough time understanding VM technology. Some of them have a really tough time understanding terminal connections (such as RDP and VNC). One promising development is that you can run a VM in the background. The application appears as a normal window on your desktop, but in fact is running in the 'sandbox'. But it is up to me as admin to set it up for the user. And again the user remains the weakest link. If he/she is not trained and does not understand security, nothing will work. We can try to fix the technology, but we can't fix the users. We can only show them how, and hope that they are willing to learn. And my personal experience is not very promising. There is a whole generation of early computer adopters who have the arrogance to think that they know everything about computers, and they just keep arguing with me. Those types of users are the biggest problem right now.